gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

New PPSK functionality

Sat Sep 28, 2024 8:03 am

Mikrotik finally added PPSK into ROS :D

I wonder if anybody has tested this function yet? I tried, but with no luck unfortunately.

I tested on an ax3 which is acting as CAPsMAN controller, but its own radios are set to local and were not used until now.

I created 3 groups:
Columns: GROUP, PASSPHRASE, VLAN-ID
# GROUP        PASSPHRASE  VLAN-ID
0 TEST_VLAN20  test1234         20
1 TEST_VLAN30  test12345        30
2 TEST_VLAN88  test123456       88
Created 3 ACLs with an SSID regexp where I added the SSID I use for testing:
Columns: ACTION, MULTI-PASSPHRASE-GROUP, MATCH-COUNT
#  ACTION  MULTI-PASSPHRASE-GROUP  MATCH-COUNT
;;; PPSK_VLAN20
0  accept  TEST_VLAN20                     546
;;; PPSK_VLAN30
1  accept  TEST_VLAN30                        
;;; PPSK_VLAN88
2  accept  TEST_VLAN88                      20
But then I must input a password while setting up interfaces when using WPA/WPA2-PSK. If using a security profile, I don't know where to add the groups I created...
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Sat Sep 28, 2024 10:09 am

Ok, so eliminating CAPsMAN from the equation, I'm using my ax2 that was a CAP for testing.

This is new config:
# 2024-09-28 06:34:20 by RouterOS 7.17beta2
# software id = 
#
# model = C52iG-5HaxD2HaxD
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=MikroTik \
    disabled=no security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=\
    yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik disabled=\
    no security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes
/interface vlan
add interface=bridge name=VLAN20 vlan-id=20
add interface=bridge name=VLAN30 vlan-id=30
add interface=bridge name=VLAN40 vlan-id=40
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi datapath
add bridge=bridge comment=VLAN20 disabled=no name=datapath20 vlan-id=20
add bridge=bridge comment=VLAN30 disabled=no name=datapath30 vlan-id=30
add bridge=bridge comment=VLAN40 disabled=no name=datapath40 vlan-id=40
/ip pool
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool3 ranges=192.168.40.2-192.168.40.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLAN20 name=dhcp1
add address-pool=dhcp_pool2 interface=VLAN30 name=dhcp2
add address-pool=dhcp_pool3 interface=VLAN40 name=dhcp3
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=20
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=20,30,40
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN20 list=LAN
add interface=VLAN30 list=LAN
add interface=VLAN40 list=LAN
/interface wifi access-list
add action=accept comment=VLAN20 disabled=no multi-passphrase-group=VLAN20 \
    ssid-regexp=MikroTik
add action=accept comment=VLAN30 disabled=no multi-passphrase-group=VLAN30 \
    ssid-regexp=MikroTik
add action=accept comment=VLAN40 disabled=no multi-passphrase-group=VLAN40 \
    ssid-regexp=MikroTik
/interface wifi security multi-passphrase
add disabled=no group=VLAN20 vlan-id=20
add disabled=no group=VLAN30 vlan-id=30
add disabled=no group=VLAN40 vlan-id=40
/ip address
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
add address=192.168.40.1/24 interface=VLAN40 network=192.168.40.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system logging
add topics=wireless
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
What I noticed: with this configuration, when connecting with the password from the first ACL it allows the connection but the client can't obtain an IP address, because the wifi interface gets untagged for VLAN1 instead of the correct VLAN.

When trying to connect with a password from the other two groups it says that it can't authenticate.

I left the old password in security, only selected WPA/WPA2.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Sun Sep 29, 2024 6:48 am

No success for now, but after going through the ROS wiki a little bit I made a few changes to my configuration:

Only one PPSK group:
[admin@MikroTik] /interface/wifi/security/multi-passphrase> p
Columns: GROUP, PASSPHRASE, VLAN-ID
# GROUP  PASSPHRASE  VLAN-ID
0 VLANS  test1234         20
1 VLANS  test12345        30
2 VLANS  test123456       40
And test security config was created:
[admin@MikroTik] /interface/wifi/security> p
Flags: X - disabled 
 0   name="PPSK" authentication-types=wpa-psk,wpa2-psk 
     multi-passphrase-group=VLANS 
but still no luck... Now the interfaces don't say that a password is needed when I apply the security profile, and when entering a password the router accepts it, but it doesn't untag the correct VLAN. It always untags VLAN1, never the VLAN it's supposed to untag... Both wifi interfaces are set to VLAN1 and admit all.

EDIT:

A little bit of snooping around; this is the output from the registration table for each password:

test1234:
[admin@MikroTik] /interface/wifi/registration-table> pr d
Flags: A - authorized 
 0 A interface=wifi1 ssid="MikroTik" mac-address=FE:D9:AD:F0:3D:7F uptime=5s 
     last-activity=0ms signal=-39 auth-type=ft-wpa2-psk band=5ghz-ax vlan-id=20
test12345:
[admin@MikroTik] /interface/wifi/registration-table> pr d
Flags: A - authorized 
 0 A interface=wifi1 ssid="MikroTik" mac-address=FE:D9:AD:F0:3D:7F uptime=2s 
     signal=-24 auth-type=ft-wpa2-psk band=5ghz-ax vlan-id=30
test123456:
[admin@MikroTik] /interface/wifi/registration-table> pr d
Flags: A - authorized 
 0 A interface=wifi1 ssid="MikroTik" mac-address=FE:D9:AD:F0:3D:7F uptime=2s 
     signal=-24 auth-type=ft-wpa2-psk band=5ghz-ax vlan-id=40
So it seems that VLANs are assigned correctly, but for some reason the bridge doesn't untag them at all.
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: New PPSK functionality

Sun Sep 29, 2024 11:18 am

The idea about setting vlan-id in the wifi driver is that the wifi driver handles the VLAN tags, not the bridge (the bridge only filters traffic according to existing VLAN tags). Which IMO means you have a few errors in your setup. One is the use of multiple datapaths (just noticed you only have them defined but not used); one should be enough. Default wifi access is tagless, which should be fine. My own philosophy, when it comes to VLAN setup, is to go all-tagged though; in this case this means setting datapath.vlan-id on the wifi interfaces.

Then you have to let the bridge know which tagged VLANs should be allowed to pass the wifi ports:
/interface bridge vlan
add bridge=bridge tagged=bridge,wifi1,wifi2 vlan-ids=20,30,40

Of course, add wifi1 and wifi2 to all relevant VLANs, including the one used for default wifi access. If you go with untagged default wifi access, then be careful with the PVID setting of the wifiX bridge port (default is PVID=1, which is fine, but you have to be aware of it as there is no "untagged" frame on the bridge, the switch-like entity, as soon as the bridge is set with vlan-filtering=yes, at least not conceptually).
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Sun Sep 29, 2024 6:24 pm

I'm an idiot... I didn't even notice that I didn't tag the wireless interfaces to the VLANs... I foolishly presumed something more complicated was wrong... I did what you suggested and now PPSK is working like it's supposed to. :D :D :D

Now under bridge/vlans the wifi interfaces are still dynamically untagged for VLAN1 (I presume that is because I left PVID on 1 and set to admit all), but the correct VLAN gets untagged and there is internet connectivity (I presume this is where wireless assigns the correct PVID based on the password I input).

Thank you @mkx for your help :D :D :D
If you go with untagged default wifi access, then be careful with the PVID setting of the wifiX bridge port (default is PVID=1, which is fine, but you have to be aware of it as there is no "untagged" frame on the bridge, the switch-like entity, as soon as the bridge is set with vlan-filtering=yes, at least not conceptually).
I never leave any port on PVID 1 when using "admit only untagged"; when I'm using VLANs I never leave any port on PVID1. I generally untag them for the mgmt network and disable them if they are not used.

I disabled the datapath I created and still everything is working like it should. How can I have only one datapath for multiple VLANs? I didn't know that was possible. I can add only one VLAN per datapath.
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: New PPSK functionality

Sun Sep 29, 2024 7:29 pm

Do you actually have to add multiple VLAN IDs in the datapath? My impression is that the datapath VLAN ID is a default, but if other mechanisms set it differently (e.g. PPSK settings or a RADIUS reply) then the wifi-qcom (the non-ac) driver will apply that exception to the appropriate frames. The resulting tagged (or untagged, without vlan-id set on the datapath) frames will flow over the configured bridge (as per the single datapath config). And we already know how to properly configure the bridge port now, right?
I always had the impression that things under /interface/wifi/datapath were only profiles and only got used if one of the wifi interfaces (either physical or virtual) was explicitly configured to use one of them. And it's only possible to assign one profile of a kind to any interface, IIRC.

What I can't even imagine is how all of this would be provisioned via CAPsMAN. It could be that it wouldn't be a problem either if the bridge on the CAP isn't vlan-enabled (and hence simply doesn't care about 802.1Q headers) ... meaning that a single datapath is enough.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Sun Sep 29, 2024 8:06 pm

vlan-id (none | integer 1..4095)
Default VLAN ID to assign to client devices connecting to this interface (only relevant to interfaces in AP mode).
When a client is assigned a VLAN ID, traffic coming from the client is automatically tagged with the ID and only packets tagged with this ID are forwarded to the client.
Default: none

802.11ac chipsets do not support this type of VLAN tagging, but they can be configured as VLAN access ports in bridge settings.
Guess you are right here: only one datapath seems to be required and that default VLAN can be 1; then, when a client gets a VLAN ID by e.g. PPSK, only packets with that VLAN ID will be forwarded.

In my case a datapath is clearly not needed, and I didn't test CAPsMAN yet... I have a spare hAP ax lite that could act as a CAP for testing purposes.
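Pulling together mkx's point above (the wifi driver tags the frames, the bridge only filters them, so the radios must be tagged members of the PPSK VLANs) and the datapath vlan-id documentation quoted just above, here is a minimal standalone (non-CAPsMAN) PPSK configuration written as an added example for this thread. It is not gigabyte091's export and not MikroTik's documentation. It assumes a bridge named bridge, radios wifi1 and wifi2 driven by wifi-qcom, the SSID MikroTik, VLANs 20/30/40 with the same addressing as the export above, and placeholder passphrases that must be replaced. The one deliberate difference from the first export in this thread is the bridge vlan line, where wifi1 and wifi2 are tagged members of every PPSK VLAN.

```routeros
# Added example for this thread (not gigabyte091's export, not MikroTik docs).
# Assumed names: bridge "bridge", radios wifi1/wifi2 (wifi-qcom driver),
# SSID "MikroTik", VLANs 20/30/40. Passphrases are placeholders: replace them.

# Bridge with VLAN filtering; both radios are plain bridge ports. They keep the
# default pvid=1, so a station that resolves to no PPSK VLAN lands in VLAN 1.
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2

# The fix found in this thread. The wifi driver emits frames already tagged
# with the VLAN the station's passphrase resolved to, so the radios must be
# TAGGED members of every PPSK VLAN or vlan-filtering discards those frames
# (symptom: station authenticates, never gets a DHCP lease).
#   broken (first export above):  tagged=bridge vlan-ids=20,30,40
/interface bridge vlan
add bridge=bridge tagged=bridge,wifi1,wifi2 vlan-ids=20,30,40

# L3 side: one VLAN interface, address, pool and DHCP server per VLAN.
/interface vlan
add interface=bridge name=VLAN20 vlan-id=20
add interface=bridge name=VLAN30 vlan-id=30
add interface=bridge name=VLAN40 vlan-id=40
/ip address
add address=192.168.20.1/24 interface=VLAN20
add address=192.168.30.1/24 interface=VLAN30
add address=192.168.40.1/24 interface=VLAN40
/ip pool
add name=pool20 ranges=192.168.20.2-192.168.20.254
add name=pool30 ranges=192.168.30.2-192.168.30.254
add name=pool40 ranges=192.168.40.2-192.168.40.254
/ip dhcp-server
add address-pool=pool20 interface=VLAN20 name=dhcp20
add address-pool=pool30 interface=VLAN30 name=dhcp30
add address-pool=pool40 interface=VLAN40 name=dhcp40
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1

# One multi-passphrase group: each passphrase maps a station to one VLAN.
/interface wifi security multi-passphrase
add group=VLANS passphrase=REPLACE-ME-VLAN20 vlan-id=20
add group=VLANS passphrase=REPLACE-ME-VLAN30 vlan-id=30
add group=VLANS passphrase=REPLACE-ME-VLAN40 vlan-id=40

# Security profile referencing the group; no static passphrase is set,
# matching the profile that worked earlier in this thread.
/interface wifi security
add name=PPSK authentication-types=wpa2-psk multi-passphrase-group=VLANS

# Radios: one SSID, the PPSK profile. No datapath is configured: the VLAN
# comes from the passphrase, datapath vlan-id stays at its default (none),
# and the radios are attached to the bridge statically above.
/interface wifi
set [ find default-name=wifi1 ] configuration.mode=ap configuration.ssid=MikroTik \
    security=PPSK disabled=no
set [ find default-name=wifi2 ] configuration.mode=ap configuration.ssid=MikroTik \
    security=PPSK disabled=no
```

To confirm a station landed in the right VLAN, use the same two checks that appear in this thread: /interface/wifi/registration-table print detail shows the vlan-id assigned per station, and /interface/bridge/vlan print should list wifi1 and wifi2 under tagged for 20, 30 and 40. A station that authenticates but never obtains a lease is the signature of a missing tagged membership. The per-station tagging is done by the wifi-qcom driver; per the datapath documentation quoted above, 802.11ac radios (wifi-qcom-ac) cannot do this and need bridge access-port VLAN handling instead.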
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Tue Oct 01, 2024 7:54 am

Tested PPSK with CAPsMAN and it's working like a charm. The only modification is to tag the port where the CAPs are connected, create a datapath with PVID1 and interface bridge, and add that into the configuration.
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: New PPSK functionality

Tue Oct 01, 2024 8:33 am

Tested PPSK with CAPsMAN and it's working like a charm. The only modification is to tag the port where the CAPs are connected, create a datapath with PVID1 and interface bridge, and add that into the configuration.

How does /interface/bridge/vlan/print look like on CAP device?
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Tue Oct 01, 2024 8:35 am

On the CAP device it's empty.
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: New PPSK functionality

Tue Oct 01, 2024 8:41 am

Ah, so the bridge is ignorant about VLANs on the CAP device ... just as I thought. So as long as L2MTU is higher than around 1518, it'll blindly pass ethernet frames left and right without ever looking at the VLAN ID in 802.1Q headers ... which means you have to be careful about the vlan-id setting on the datapath (it might mean that the wifi-qcom driver will tag frames with VLAN ID 1, and that wouldn't go nicely with the default settings of a router where everything has pvid set to 1).
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Tue Oct 01, 2024 8:57 am

What do you suggest in such a case then? That would be the case when the user doesn't use VLANs at all. Is a datapath even needed in that case?
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: New PPSK functionality

Tue Oct 01, 2024 9:20 am

You always need one datapath (simply to add the CAPsMAN-provisioned wifi radio to the CAP's bridge) ... either as a datapath profile or as static datapath settings on the wifi interface directly (which with CAPsMAN-provisioned CAPs isn't an option, obviously). And I guess if the CAP is simply configured to be a CAPsMAN-driven CAP (e.g. by pressing the button at the right moment for the right duration), then it doesn't matter how the bridge is configured. In the worst case the user will connect some PCs to free ether ports, and if those PCs are running Windows (with their inadequate NIC drivers which simply strip off 802.1Q headers), they might get confused a bit (e.g. they might end up with multiple IPv6 prefixes, some of them not being usable due to the wrong VLAN).
OTOH if the admin wants/needs something less straightforward at the CAP location, then the admin will have to manually configure the bridge anyway. In this case it's probably safe to enable vlan-filtering on the bridge ... and it would be interesting to see if the wifi interface is added to the bridge (by CAPsMAN) together with the correct tagged VLAN membership. If not, then it might be necessary to manually add the wifi interface to the correct VLANs (but I don't know how that would survive reboots).

So it seems we'll need some more experimenting (somehow I feel you're eager to do it yourself :wink:)
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Tue Oct 01, 2024 10:36 am

OTOH if the admin wants/needs something less straightforward at the CAP location, then the admin will have to manually configure the bridge anyway. In this case it's probably safe to enable vlan-filtering on the bridge ... and it would be interesting to see if the wifi interface is added to the bridge (by CAPsMAN) together with the correct tagged VLAN membership.
Enabling VLAN filtering on the CAP's bridge results in this:
[admin@MikroTik] > interface bridge pr d
Flags: X - disabled, R - running 
 0 R ;;; defconf
     name="bridgeLocal" mtu=auto actual-mtu=1500 l2mtu=1560 arp=enabled 
     arp-timeout=auto mac-address=78:9A:18:0C:1B:DB protocol-mode=rstp 
     fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=78:9A:18:0C:1B:DB 
     ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s 
     transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1 
     frame-types=admit-all ingress-filtering=yes dhcp-snooping=no 
     port-cost-mode=long mvrp=no max-learned-entries=auto
[admin@MikroTik] > interface bridge port pr  
Flags: I - INACTIVE; D - DYNAMIC; H - HW-OFFLOAD
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, HORIZON
#     INTERFACE  BRIDGE       HW   PVID  PRIORITY  HORIZON
;;; defconf
0   H ether1     bridgeLocal  yes     1  0x80      none   
;;; defconf
1   H ether2     bridgeLocal  yes     1  0x80      none   
;;; defconf
2 I H ether3     bridgeLocal  yes     1  0x80      none   
;;; defconf
3 I H ether4     bridgeLocal  yes     1  0x80      none   
4  D  wifi1      bridgeLocal          1  0x80      none 
And this is when I force my device to connect to the CAP (by disabling the local wireless interfaces on the CAPsMAN), and after tagging bridgeLocal and ether1 for the VLANs I have:
[admin@MikroTik] > interface bridge vlan pr d
Flags: X - disabled, D - dynamic 
 0 D ;;; added by pvid
     bridge=bridgeLocal vlan-ids=1 tagged=wifi1 
     untagged=bridgeLocal,ether2,ether1 mvrp-forbidden="" current-tagged=wifi1 
     current-untagged=bridgeLocal,ether2,ether1 

 1   bridge=bridgeLocal vlan-ids=20,30,40 tagged=bridgeLocal,ether1 untagged="" 
     mvrp-forbidden="" current-tagged=bridgeLocal,ether1 current-untagged="" 

 2 D ;;; added by wifi
     bridge=bridgeLocal vlan-ids=30 tagged=wifi1 untagged="" mvrp-forbidden="" 
     current-tagged=wifi1 current-untagged=""  
Tested with all VLANs, works like a charm.

One thing I noticed. When I forget the network (so I can connect with another password), the first time I enter a password the phone displays an error asking to enter the password again. When I enter the password a second time it connects immediately.
So it seems we'll need some more experimenting (somehow I feel you're eager to do it yourself :wink:)
Of course, my goal is always to learn more; otherwise I would use some other brand that is plug and play, but where is the fun in that... :lol:
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: New PPSK functionality

Tue Oct 01, 2024 11:17 am

One thing I noticed. When I forget the network (so I can connect with another password), the first time I enter a password the phone displays an error asking to enter the password again. When I enter the password a second time it connects immediately.
I can think of several reasons for that, but not necessarily any of them is actually true:
  • The PPSK machinery has to add the wifi interface to a new VLAN ID ... and the bridge (having RSTP enabled) takes a few seconds to actually enable it. During that time, the wifi station times out waiting for anything meaningful to happen
    After a station with non-default PSK (and hence custom VLAN ID) connects to AP, does wifi interface become member of that non-default VLAN?
  • wifi driver VLAN handling machinery misses a few early frames to be handled by non-default VLAN ID
    I'm not sure how this would explain the fact that second entering of password then works
  • etc.

I guess the most probable cause is the last item from my list above :wink:

It's always so fun when somebody else does the testing ... not. :-|
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Tue Oct 01, 2024 11:41 am

After a station with non-default PSK (and hence custom VLAN ID) connects to AP, does wifi interface become member of that non-default VLAN?
No, the error message is displayed almost immediately, so nothing is visible in bridge/vlans.

Anything else to test ? :lol:
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: New PPSK functionality

Wed Oct 02, 2024 5:27 pm

After a station with non-default PSK (and hence custom VLAN ID) connects to AP, does wifi interface become member of that non-default VLAN?
No, the error message is displayed almost immediately, so nothing is visible in bridge/vlans.
I was asking about the state of the CAP after the second try (you wrote that the client succeeds in connecting after you enter the passphrase a second time) ...
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Wed Oct 02, 2024 5:38 pm

No, there is nothing visible in the CAP or CAPsMAN VLANs; the wireless interface never shows up when this error occurs. It's probably too fast to show in WinBox.
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: New PPSK functionality

Wed Oct 02, 2024 11:01 pm

Let me rephrase my last question ...

If I understand your comment in one of previous posts, this is what happens:
When you try to connect a station using a "non-standard" password, the connection initially fails. When you try to do it a second time (a few seconds later), entering the very same non-standard password, the connection actually succeeds. So then your wifi connection works.

Or did I get things wrong?

After that, what does /interface/bridge/vlan/print show? Still nothing about the wifi interface and the VID belonging to that non-standard password?
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Thu Oct 03, 2024 7:32 am

What do you mean by "non-standard" password ?

So I have three passwords, test1234 for VLAN20, test12345 for VLAN30 and test123456 for VLAN40.

If I forget the network so I can connect with another password, select the SSID, the phone prompts me to input a password, I input another password, and on the first try I get the following on my phone:

WhatsApp Image 2024-10-03 at 06.19.19_46b4a7a4.jpg
And in logs I get this:
 
2024-10-03 06:14:14 wireless,debug FE:D9:AD:F0:3D:7F@cap-wifi1 associated, signal strength -20
2024-10-03 06:14:14 wireless,debug FE:D9:AD:F0:3D:7F@cap-wifi1 disassociated, connection lost, signal strength -18
/interface/bridge/vlan/print shows that wifi1 is tagged for VLAN1 until I input the password again; then it gets untagged for the correct VLAN.

I waited about a minute after forgetting the network before connecting again, and the same thing happens.

What I also noticed: the devices were turned off for the night, and when I plugged them in the DHCP client was missing on the hAP ax lite and the connection couldn't be established... rebooting the hAP ax solved the problem...
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: New PPSK functionality

Thu Oct 03, 2024 11:55 pm

Another thing to try: set disable-running-check=yes on all wifi interfaces and see if the wireless station behaves any differently. An alternative test would be to connect a second station using the same PPSK passphrase while the first one is successfully connected (if the "running check" is the culprit, then the second and subsequent stations should connect just fine on the first try).
But there might still be some bug in the PPSK code, so if it keeps happening you may want to open a trouble ticket with support@mikrotik.

By "non-standard password" I was referring to any of the passwords set in the multi-passphrase section. I thought you still had a PSK set in the "normal" security profile, but while looking at your config again it seems there isn't one. Eh.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Fri Oct 04, 2024 7:32 am

Here is the export from the CAPsMAN:
add configuration=cfg1-2.4-ch11 disable-running-check=yes disabled=no name=\
    cap-wifi1 radio-mac=78:9A:18:0C:1B:DF
set [ find default-name=wifi1 ] channel.frequency=5180 configuration=\
    cfg3-5-ch36 configuration.mode=ap disable-running-check=yes
set [ find default-name=wifi2 ] channel.frequency=2462 configuration=\
    cfg1-2.4-ch11 configuration.mode=ap disable-running-check=yes
But still the same thing happens. One thing to mention: every time, I set the phone to connect with the device MAC, and there is an address reservation in the DHCP server for each VLAN.
 
gotsprings
Forum Guru
Posts: 2301
Joined: Mon May 14, 2012 9:30 pm

Re: New PPSK functionality

Fri Oct 04, 2024 6:45 pm

Aim small, miss small...

Just start out with 50 different passwords going into the default IP SCOPE/SUBNET.

Connect 50 devices using those different passwords... is it stable?

Then work your way up to VLANs per password.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Fri Oct 04, 2024 7:25 pm

Right now I'm testing at work with a few devices, just to see if there are any bugs or instabilities and to get familiar with this function.

For now, other than this small problem everything is working just fine.

Then, when 7.17 goes stable, I will configure my home network with PPSK (43 various wireless clients and 4 VLANs).
 
gotsprings
Forum Guru
Posts: 2301
Joined: Mon May 14, 2012 9:30 pm

Re: New PPSK functionality

Fri Oct 04, 2024 8:15 pm

Right now I'm testing at work with a few devices, just to see if there are any bugs or instabilities and to get familiar with this function.

For now, other than this small problem everything is working just fine.

Then, when 7.17 goes stable, I will configure my home network with PPSK (43 various wireless clients and 4 VLANs).
Back when I substituted Access Control List for D-PSK I put 40 devices on my network on one AP with the passwords they already had from my Ruckus network.

It ran stable for weeks. Which led me to make the stupid decision to try to put Tik wireless in Washington DC... painful lesson.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Fri Oct 04, 2024 8:44 pm

I always have two Unifu*k L6 lite ready to replace Mikrotik if they screw up wireless again. (Flashbacks from 7.9...)

Honestly, now that I have disabled WPA3 on the home APs, I can't say anything bad about MikroTik wireless for now. And I have quite a few devices connected.

Of course, I can't compare my network with 40 devices to a large corporate building with hundreds of clients connected at the same time.
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: New PPSK functionality

Fri Oct 04, 2024 10:03 pm

When MikroTik gets these wireless issues sorted, other than re-wording log messages, then they will be competitive again. As for now, they are still wearing their Teflon coat...
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Fri Oct 04, 2024 10:14 pm

Yea, they are miles behind other vendors with their wireless products... I don't know why they even bother with wireless at this point.
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: New PPSK functionality

Fri Oct 04, 2024 10:37 pm

I don't think this is true. They may not be able to compete with enterprise-grade wireless gear. But they could very easily compete with or outperform any gear in the < 300€ price range. That's where their devices are located price-wise.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Sat Oct 05, 2024 6:34 am

But they need to put a lot of work into the firmware to make it more stable and reliable. Also I would like to see more devices like the Audience, but with WiFi 6/7.
 
gotsprings
Forum Guru
Posts: 2301
Joined: Mon May 14, 2012 9:30 pm

Re: New PPSK functionality

Sat Oct 05, 2024 1:48 pm

I don't think this is true. They may not be able to compete with enterprise grade wireless gear. But they could very easily compete with or outperform any gear in the < 300€ price range. That's where their devices are located price-wise.
The ACV2 wireless protocol was released by MikroTik in 2023. Other manufacturers: 2016.

I had to give up on MikroTik wireless back in 2019 after they confirmed what I was seeing. They promised to get back to me "if or when" they had a fix. They never did.

Moved on to WiFi6 back in 2020. Indoor and out.

Mikrotik doesn't have wifi 6 outdoors to this day.

D-PSK is something Ruckus had 15 years ago?

Cambium added it as DPSK back in 2020.

Now I will grant that I have to pay more to get the radios I need. But manufacturers start lowering my cost when I do enough of them. Ruckus has always been more expensive. Cambium gets really close to Tik/UniF--k pricing. But you have to start with one question: "Does it work?" If the answer is "no"... price doesn't matter.
Last edited by gotsprings on Sat Oct 05, 2024 8:51 pm, edited 1 time in total.
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: New PPSK functionality

Sat Oct 05, 2024 7:46 pm

Speaks the professional.

According to your reasoning nobody should dare to improve when someone else already has the solution. Ruckus had PPSK in 2009? How could Cambium dare to develop and ship DPSK in 2020 when Ruckus already had the patent on it? And so many years later. Boo boo Cambium.
 
gotsprings
Forum Guru
Posts: 2301
Joined: Mon May 14, 2012 9:30 pm

Re: New PPSK functionality

Sat Oct 05, 2024 8:10 pm

Speaks the professional.

According to your reasoning nobody should dare to improve when someone else already has the solution. Ruckus had PPSK in 2009? How could Cambium dare to develop and ship DPSK in 2020 when Ruckus already had the patent on it? And so many years later. Boo boo Cambium.
It was more a reference to "years behind the competition".

And EPSK from Cambium was an upgrade from Ruckus.

In Ruckus... The keys were pregenerated. Then you had to assign them to users.

When I told Cambium, "Could we make it so I can make any password I want? I can do it with an access control list in MikroTik."

So they built me what I asked for.

And let's not skip over that my cost on a cAP ax is really close to my cost on an XV2-21X.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Mon Oct 07, 2024 3:17 pm

I sent supout files to MikroTik support so they can check if there is a bug with PPSK.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Tue Oct 15, 2024 7:17 am

Tested with another phone, an S23 Ultra, and when a random MAC address is used it says incorrect password for any password I tried. When connecting with the real MAC address the phone is able to connect to the wifi. After that you can connect with a random MAC address without a problem.
 
WeWiNet
Long time Member
Posts: 610
Joined: Thu Sep 27, 2018 4:11 pm

Re: New PPSK functionality

Wed Oct 16, 2024 1:01 pm

Gigabyte,
thanks for the setup you shared, very helpful.

I tried to make this work. But as you exported without "show sensitive", the config does not show where you enter the passphrases or the security config within the Wifi interface.
If I run through this and add the missing VLAN passphrases, that works. But how is this linked to the security profile within the Wifi interface?
For now I have an error in the Wifi interface: "must specify passphrase for PSK"

Could you share the Wifi AP setup with the full information please? Or give me a hint how to fix this?
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Wed Oct 16, 2024 2:29 pm

The problem is that in the Security tab, when you go to create a new security profile, you don't yet have the option in WinBox to specify multi-passphrase-group, so you have to do it in the CLI.

So the best thing is to create the security profile in the CLI:

For example:
/interface/wifi/security add name=anynameyouwant authentication-types=wpa-psk,wpa2-psk multi-passphrase-group=yourgroupname

or, if you have an existing security profile:
/interface/wifi/security set 0 multi-passphrase-group=yourgroupname
If you have multiple security profiles then input:
/interface/wifi/security p
Then the CLI will print every security profile you have, and the first thing on each line is the number of the profile, so if you have multiple security profiles use the number of the profile you want to change.

I will post config tomorrow as I'm testing this at the office.
 
WeWiNet
Long time Member
Posts: 610
Joined: Thu Sep 27, 2018 4:11 pm

Re: New PPSK functionality

Wed Oct 16, 2024 5:58 pm

Thank you Gigabyte,

Looking forward for the full config tomorrow!
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Thu Oct 17, 2024 7:04 am

Here is the config:
# 2024-10-17 06:01:55 by RouterOS 7.17beta2
# software id = xxxx-xxxx			
#
# model = C52iG-5HaxD2HaxD
# serial number = xxxxxxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=VLAN20 vlan-id=20
add interface=bridge name=VLAN30 vlan-id=30
add interface=bridge name=VLAN40 vlan-id=40
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi datapath
add bridge=bridge disabled=no name=datapath vlan-id=1
/interface wifi security
add authentication-types=wpa-psk,wpa2-psk multi-passphrase-group=VLANS name=\
    PPSK
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-MikroTik-32e5ca96 rrm=\
    yes wnm=yes
/interface wifi configuration
add channel.band=2ghz-ax .frequency=2462 .width=20mhz country=Croatia \
    datapath=datapath disabled=no mode=ap name=cfg1-2.4-ch11 security=PPSK \
    security.ft=yes .ft-over-ds=yes ssid=MikroTik steering=steering1
add channel.band=2ghz-ax .frequency=2412 .width=20mhz country=Croatia \
    datapath=datapath disabled=no mode=ap name=cfg2-2.4-ch1 security=PPSK \
    security.ft=yes .ft-over-ds=yes ssid=MikroTik steering=steering1
add channel.band=5ghz-ax .frequency=5180 .width=20/40/80mhz country=Croatia \
    datapath=datapath disabled=no mode=ap name=cfg3-5-ch36 security=PPSK \
    security.ft=yes .ft-over-ds=yes ssid=MikroTik steering=steering1
/interface wifi
add configuration=cfg1-2.4-ch11 disable-running-check=yes disabled=no name=\
    cap-wifi1 radio-mac=78:9A:18:0C:1B:DF
set [ find default-name=wifi1 ] channel.frequency=5180 configuration=\
    cfg3-5-ch36 configuration.mode=ap disable-running-check=yes disabled=no
set [ find default-name=wifi2 ] channel.frequency=2462 configuration=\
    cfg1-2.4-ch11 configuration.mode=ap disable-running-check=yes disabled=no
/ip pool
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool3 ranges=192.168.40.2-192.168.40.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLAN20 name=dhcp1
add address-pool=dhcp_pool2 interface=VLAN30 name=dhcp2
add address-pool=dhcp_pool3 interface=VLAN40 name=dhcp3
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=20
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=*7
add bridge=bridge comment=defconf interface=*8
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=20,30,40
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether5 list=WAN
add interface=VLAN20 list=LAN
add interface=VLAN30 list=LAN
add interface=VLAN40 list=LAN
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=cfg1-2.4-ch11 \
    slave-configurations=cfg2-2.4-ch1 supported-bands=2ghz-ax
add action=create-enabled disabled=no master-configuration=cfg3-5-ch36 \
    supported-bands=5ghz-ax
/interface wifi security multi-passphrase
add disabled=no group=VLANS vlan-id=20
add disabled=no group=VLANS vlan-id=30
add disabled=no group=VLANS vlan-id=40
/ip address
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
add address=192.168.40.1/24 interface=VLAN40 network=192.168.40.0
/ip dhcp-client
add comment=defconf interface=ether5
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zagreb
/system logging
add topics=bridge
add topics=caps
add topics=wireless
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
WeWiNet
Long time Member
Posts: 610
Joined: Thu Sep 27, 2018 4:11 pm

Re: New PPSK functionality

Thu Oct 17, 2024 11:14 am

Thanks for the config.

It seems the access list entry is now missing, and all my trials still end up with the client not able to connect (wrong password). It's an S23+.
Could you please re-post only the complete export of /interface/wifi with show-sensitive?

That would be awesome...
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Thu Oct 17, 2024 12:02 pm

Here you go:
# 2024-10-17 11:00:11 by RouterOS 7.17beta2
# software id = 
#
# model = 
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=VLAN20 vlan-id=20
add interface=bridge name=VLAN30 vlan-id=30
add interface=bridge name=VLAN40 vlan-id=40
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi datapath
add bridge=bridge disabled=no name=datapath vlan-id=1
/interface wifi security
add authentication-types=wpa-psk,wpa2-psk multi-passphrase-group=VLANS name=\
    PPSK
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-MikroTik-32e5ca96 rrm=\
    yes wnm=yes
/interface wifi configuration
add channel.band=2ghz-ax .frequency=2462 .width=20mhz country=Croatia \
    datapath=datapath disabled=no mode=ap name=cfg1-2.4-ch11 security=PPSK \
    security.ft=yes .ft-over-ds=yes ssid=MikroTik steering=steering1
add channel.band=2ghz-ax .frequency=2412 .width=20mhz country=Croatia \
    datapath=datapath disabled=no mode=ap name=cfg2-2.4-ch1 security=PPSK \
    security.ft=yes .ft-over-ds=yes ssid=MikroTik steering=steering1
add channel.band=5ghz-ax .frequency=5180 .width=20/40/80mhz country=Croatia \
    datapath=datapath disabled=no mode=ap name=cfg3-5-ch36 security=PPSK \
    security.ft=yes .ft-over-ds=yes ssid=MikroTik steering=steering1
/interface wifi
add configuration=cfg1-2.4-ch11 disable-running-check=yes disabled=no name=\
    cap-wifi1 radio-mac=
set [ find default-name=wifi1 ] channel.frequency=5180 configuration=\
    cfg3-5-ch36 configuration.mode=ap disable-running-check=yes disabled=no
set [ find default-name=wifi2 ] channel.frequency=2462 configuration=\
    cfg1-2.4-ch11 configuration.mode=ap disable-running-check=yes disabled=no
/ip pool
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool3 ranges=192.168.40.2-192.168.40.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLAN20 name=dhcp1
add address-pool=dhcp_pool2 interface=VLAN30 name=dhcp2
add address-pool=dhcp_pool3 interface=VLAN40 name=dhcp3
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 pvid=20
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=*7
add bridge=bridge comment=defconf interface=*8
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=20,30,40
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether5 list=WAN
add interface=VLAN20 list=LAN
add interface=VLAN30 list=LAN
add interface=VLAN40 list=LAN
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=cfg1-2.4-ch11 \
    slave-configurations=cfg2-2.4-ch1 supported-bands=2ghz-ax
add action=create-enabled disabled=no master-configuration=cfg3-5-ch36 \
    supported-bands=5ghz-ax
/interface wifi security multi-passphrase
add disabled=no group=VLANS passphrase=test1234 vlan-id=20
add disabled=no group=VLANS passphrase=test12345 vlan-id=30
add disabled=no group=VLANS passphrase=test123456 vlan-id=40
/ip address
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
add address=192.168.40.1/24 interface=VLAN40 network=192.168.40.0
/ip dhcp-client
add comment=defconf interface=ether5
/ip dhcp-server lease

/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zagreb
/system logging
add topics=bridge
add topics=caps
add topics=wireless
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
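An added check for the two things this thread keeps circling back to: the CLI steps above that bind a security profile to a multi-passphrase group, and the exports that did or did not carry the passphrases (the "must specify passphrase for PSK" case). This is example code written for this thread, not MikroTik's and not any poster's; it parses the RouterOS export format as posted (section paths, backslash continuations, quoted values) and flags a referenced group with no passphrase entries, a group that is never defined, a passphrase VLAN not carried on the bridge, and one passphrase shared by two VLANs. The sample exports inside are constructed from the thread's configs and trimmed to the relevant sections.

```python
"""Lint a RouterOS /export for PPSK (multi-passphrase) wiring.
Added example for this thread, not MikroTik's or any poster's code; the
section paths and parameter names are the ones in the exports posted above."""
import re
import shlex
from collections import defaultdict

# Constructed sample exports modelled on the thread's configs, trimmed to the
# sections the check needs; not real device output.
SANITIZED_EXPORT = """\
# 2024-10-17 by RouterOS 7.17beta2 (constructed; export without show-sensitive)
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=20,30,40
/interface wifi security
add authentication-types=wpa-psk,wpa2-psk multi-passphrase-group=VLANS name=\\
    PPSK
/interface wifi security multi-passphrase
add disabled=no group=VLANS vlan-id=20
add disabled=no group=VLANS vlan-id=30
add disabled=no group=VLANS vlan-id=40
"""
# Same export made with show-sensitive, so the passphrases are present.
FULL_EXPORT = SANITIZED_EXPORT
for _vid, _pp in (("20", "test1234"), ("30", "test12345"), ("40", "test123456")):
    FULL_EXPORT = FULL_EXPORT.replace(f"VLANS vlan-id={_vid}", f"VLANS passphrase={_pp} vlan-id={_vid}")
# Deliberately broken: VLAN 40 missing from the bridge, one passphrase on two
# VLANs, and an access-list rule naming a group that is never defined.
BROKEN_EXPORT = (FULL_EXPORT.replace("vlan-ids=20,30,40", "vlan-ids=20,30")
                 .replace("passphrase=test123456", "passphrase=test1234")
                 + "/interface wifi access-list\n"
                 "add action=accept multi-passphrase-group=GUESTS ssid-regexp=MikroTik\n")

def parse_export(text):
    """Parse export text into (section, verb, {key: value}) tuples: '/path'
    lines open a section, a trailing backslash continues a line, values may
    be double-quoted, and tokens without '=' (e.g. '[ find ... ]') are skipped."""
    text = re.sub(r"\\\n\s*", "", text)  # join continued lines
    section, items = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        verb, _, rest = line.partition(" ")
        kv = dict(tok.split("=", 1) for tok in shlex.split(rest) if "=" in tok)
        items.append((section, verb, kv))
    return items

def expand_vlan_ids(spec):
    """'20,30-32' -> {'20', '30', '31', '32'}; '' -> empty set."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(str(v) for v in range(int(lo), int(hi or lo) + 1))
    return ids

def lint_ppsk(export_text):
    """Return (code, message) findings; an empty list means the wiring is sound."""
    groups = defaultdict(list)  # group name -> its multi-passphrase entries
    refs = {}                   # "security PPSK" / "access-list 1" -> group name
    bridge_vlans = set()
    for section, verb, kv in parse_export(export_text):
        if section == "/interface wifi security multi-passphrase" and verb == "add":
            groups[kv.get("group", "")].append(kv)
        elif section == "/interface bridge vlan" and verb == "add":
            bridge_vlans |= expand_vlan_ids(kv.get("vlan-ids", ""))
        elif "multi-passphrase-group" in kv and section in (
                "/interface wifi security", "/interface wifi access-list"):
            refs[f"{section.split()[-1]} {kv.get('name', len(refs))}"] = kv["multi-passphrase-group"]
    findings = []
    for label, grp in refs.items():
        active = [e for e in groups.get(grp, []) if e.get("disabled") != "yes"]
        if grp not in groups:
            findings.append(("undefined-group", f"{label}: group '{grp}' has no entries"))
        elif not any(e.get("passphrase") for e in active):
            findings.append(("no-passphrase", f"{label}: group '{grp}' carries no passphrase "
                             "(exported without show-sensitive, or never set)"))
    owner = {}  # passphrase -> first VLAN that uses it
    for grp, entries in groups.items():
        for e in entries:
            vid, pp = e.get("vlan-id"), e.get("passphrase")
            if vid and vid not in bridge_vlans:
                findings.append(("vlan-not-on-bridge",
                                 f"group '{grp}': VLAN {vid} is not in /interface bridge vlan"))
            if pp and owner.setdefault(pp, vid) != vid:  # same PSK on two VLANs is ambiguous
                findings.append(("passphrase-reused",
                                 f"group '{grp}': VLAN {vid} shares its passphrase with VLAN {owner[pp]}"))
    return findings

if __name__ == "__main__":
    for name, text in (("sanitized", SANITIZED_EXPORT), ("full", FULL_EXPORT), ("broken", BROKEN_EXPORT)):
        print(name, lint_ppsk(text) or "OK")
```

Feed it the output of `/export show-sensitive` on the AP; run against an export made without show-sensitive it will report every group as passphrase-less, which is exactly the situation WeWiNet hit.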
 
WeWiNet
Long time Member
Posts: 610
Joined: Thu Sep 27, 2018 4:11 pm

Re: New PPSK functionality

Thu Oct 17, 2024 4:08 pm

Thank you.

I see you dropped the access list entries and added "disable-running-check=yes".
Now it works like a charm (I don't really get where my error was)!

This now opens a whole new horizon...
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Thu Oct 17, 2024 6:19 pm

If you can, test with multiple phones just to see if you get the same pattern.

Do you get a password error when forgetting the network and then connecting to another profile? But when you enter the same password a second time everything is fine?

And check if you have the same problem connecting with clients that have random MAC addresses enabled.
 
WeWiNet
Long time Member
Posts: 610
Joined: Thu Sep 27, 2018 4:11 pm

Re: New PPSK functionality

Fri Oct 18, 2024 2:58 pm

I see no problem so far with random MAC addresses. But with various clients you see that there is first a message like "wrong password" or "can't connect", but then a few seconds later the device is connected.

Where I am struggling now is that VLAN handling and tagging has changed so much since earlier releases that I am lost as to how to add Ethernet ports into the VLANs and separate them.
Now there are multiple dynamic VLANs added automatically, you do NOT need to add WiFi as a tagged port into bridges, and so on...
And I also don't understand why I need this while I am not using CAPsMAN, only a single ax3:
/interface/wifi/datapath add bridge=bridge name=datapath vlan-id=1
Without that nothing works (can't even connect to the AP).

So confusing... :?
 
holvoetn
Forum Guru
Posts: 6650
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: New PPSK functionality

Fri Oct 18, 2024 3:43 pm

Rules for MT Admin:

1- You shall not use vlan 1
2- DON'T use vlan 1
3- Don't use Quickset
4- ...
 
WeWiNet
Long time Member
Posts: 610
Joined: Thu Sep 27, 2018 4:11 pm

Re: New PPSK functionality

Fri Oct 18, 2024 4:35 pm

Hi holvoetn,

Not using Quickset at all, just trying to make PPSK (VLAN on wifi) work within the system to get rid of all my SSIDs.

VLAN PVID 1 is part of the proposed config from Gigabyte, and without his datapath thing nothing works... (at least for me)
It could well be that I'm missing something else here, but as my VLAN experience stopped with ROS6, I am lost.
 
gigabyte091
Forum Guru
Topic Author
Posts: 1494
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: New PPSK functionality

Fri Oct 18, 2024 9:51 pm

I tested it with VLAN1 as a datapath is needed, and @mkx explained that earlier in the thread.

I always thought that a datapath is needed for every VLAN we have, but clearly I was wrong: when testing, a datapath with VLAN1 worked without a problem.
 
4wifi
just joined
Posts: 6
Joined: Tue Mar 07, 2023 3:41 am

Re: New PPSK functionality

Sat Nov 30, 2024 1:56 am

This all works really well and is super easy to configure. I do have 1 question though, and that is whether anyone has any idea if it will be pushed into the "wireless" package any time soon to work on WiFi 4 and WiFi 5 access points and with CAPsMAN on those devices.

I have a large number of networks which would benefit greatly from being able to utilise this feature but replacing all the access points with AX ones is just not going to happen within their budgets.
 
infabo
Forum Guru
Posts: 1459
Joined: Thu Nov 12, 2020 12:07 pm

Re: New PPSK functionality

Sat Nov 30, 2024 9:39 am

wifi-qcom-ac could also work for some.
 
4wifi
just joined
Posts: 6
Joined: Tue Mar 07, 2023 3:41 am

Re: New PPSK functionality

Sun Dec 01, 2024 10:40 pm

Yes, it should. We have a lot of clients using MIPSBE based devices which will not work with that package though.
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: New PPSK functionality

Mon Dec 02, 2024 9:00 am

yes, it should.
Not really ... wifi-qcom-ac is only available for routers with ARM architecture ... AC devices of other architectures are "doomed" to run legacy wireless driver ... which doesn't support any new functionality (like PPSK) and I believe it never will.
 
4wifi
just joined
Posts: 6
Joined: Tue Mar 07, 2023 3:41 am

Re: New PPSK functionality

Mon Dec 02, 2024 9:07 am

Not really
I was already noting that it would work for "some" devices, the ARM/ARM64 ones. The MIPSBE devices would be great if they added it, or released a 2.4 GHz only version of the mANT 15s, since 5 GHz really is pretty useless in caravan and RV parks for client devices.

Anyway, it is good that "some" devices now work with it; it will be a game changer for me, as I can easily integrate it with the Hotspot system too to take advantage of those features but authenticate against PPSK passphrases.
 
mkx
Forum Guru
Posts: 12911
Joined: Thu Mar 03, 2016 10:23 pm

Re: New PPSK functionality

Mon Dec 02, 2024 9:24 am

The MIPSBE devices would be great if they added it ...
When they first released the wifiwave2 package, it was said that wave2 requires lots of CPU power and lots of RAM. The old hAP ac lacks both (yeah, the hAP ac2 with 128MB RAM can run wifi drivers, but barely so ... the minimum RAM for wifiwave2 was set at 256MB initially).
