rapiertg
just joined
Topic Author
Posts: 19
Joined: Fri Feb 26, 2016 8:26 pm

New capsman and eoip cap help

Sun Jan 26, 2025 3:44 pm

Hello,

I have one of my APs outside, so I put it on a very restricted VLAN (let's assume 66) and all other VLANs were tunneled through for security reasons. This was of course very easy with the old CAPsMAN. Now that this is not possible with the new CAPsMAN, I want to create something similar using EoIP. But it seems I don't get the idea; all my tries end up with the CAP not being able to communicate, or creating some weird loop where my network gets screwed up. Could someone please give a basic overview of what needs to be done?

All VLANs are on the same bridge, but traffic between all networks and the restricted one is filtered.

mgmt network (192.168.1.1/24)
home-wifi vlan (192.168.11.1/24)
quest-wifi vlan (192.168.29.1/24)
restricted vlan (192.168.66.1/24) ---------------------- EOIP ----------------------- cap dhcp (192.168.66.20/24)

Should I create another address on the CAP in mgmt (assume 192.168.1.10/24), put it as the local IP and 192.168.66.1 as the remote in the EoIP settings? Going this way, after bridging everything my whole network started to be extremely unstable...

Any help will be appreciated
 
mkx
Forum Guru
Posts: 13282
Joined: Thu Mar 03, 2016 10:23 pm

Re: New capsman and eoip cap help

Sun Jan 26, 2025 4:03 pm

As far as my experience goes, there are two things:
  1. CAPsMAN has to listen on the interface where the CAP will eventually try to connect (see next bullet). Most often that's the management interface, but it can be multiple. They are set in /interface/wifi/capsman/set interfaces=<interface1>,<interface2> ...
  2. The CAP device needs a way to connect to CAPsMAN. Most often it auto-discovers CAPsMAN on the same L2 subnet, and for that it needs /interface/wifi/cap/set discovery-interface=<interface>. It can also use unicast IP connectivity (over routed networks); for that, instead of setting discovery-interface, one would set caps-man-addresses=<IP address>.
    In the latter case the CAP has to be able to connect to CAPsMAN via IP (your firewall has to allow that connection).
If in your case CAPsMAN is running on the device which also terminates the EoIP tunnel, you could use the first way (bullet #1 above) by adding the EoIP interface to the list of interfaces where CAPsMAN is listening for connections.
If you want a bit more complex setup (e.g. guest WiFi on a remote CAP), you may want to add VLANs on top of EoIP ... which would allow you to extend the mgmt VLAN to the remote CAP and use that VLAN for CAP<->CAPsMAN communication.
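A worked configuration for the layout mkx describes (EoIP terminated on the CAPsMAN router, the mgmt VLAN extended on top of the tunnel, guest WiFi on the remote CAP), added here as an example; it is not taken from the thread or from MikroTik documentation. Everything not stated in the thread is an assumption: the router's main bridge is bridge1 with VLAN filtering and a vlan10-mgmt interface holding 192.168.1.1; mgmt, home-wifi, guest-wifi and restricted are VLAN IDs 10, 11, 29 and 66; the CAP's uplink is ether1; the names eoip-cap1, eoip-fw, br-tunnel, dp-*, cfg-* and the passphrases are made up. The one design rule it encodes is that VLAN 66, the tunnel's transport, never travels inside the tunnel, and on the CAP the uplink is kept out of the bridge that contains the tunnel port, so no bridge can ever learn the same MAC on both the underlay and the tunnel.

```routeros
# ===== Router / firewall (CAPsMAN side) =====
# Assumed: bridge1 has vlan-filtering=yes, vlan10-mgmt (192.168.1.1/24) sits on bridge1,
# and VLAN 66 (192.168.66.1/24) is the tunnel underlay.

# 1. EoIP endpoint on the restricted-VLAN address. GRE (IP protocol 47) between the two
#    endpoints must get past the filter that isolates VLAN 66, so move this accept rule
#    above that drop rule (place-before= your own rule id).
/interface/eoip add name=eoip-cap1 local-address=192.168.66.1 \
    remote-address=192.168.66.20 tunnel-id=66 comment="to outdoor CAP"
/ip/firewall/filter add chain=input action=accept protocol=gre \
    src-address=192.168.66.20 dst-address=192.168.66.1 comment="EoIP from outdoor CAP"

# 2. The tunnel is a tagged trunk port of the main bridge carrying only the VLANs the
#    CAP should see. VLAN 66 is deliberately absent: carrying the underlay inside the
#    tunnel would make the bridge see the CAP's MAC on two ports.
/interface/bridge/port add bridge=bridge1 interface=eoip-cap1
# If vlan entries for 10/11/29 already exist, append eoip-cap1 to their tagged= list
# instead of adding new entries.
/interface/bridge/vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1,eoip-cap1
/interface/bridge/vlan add bridge=bridge1 vlan-ids=11 tagged=bridge1,eoip-cap1
/interface/bridge/vlan add bridge=bridge1 vlan-ids=29 tagged=bridge1,eoip-cap1

# 3. CAPsMAN listens on the mgmt VLAN interface (mkx's bullet #1); the CAP reaches it
#    through VLAN 10 inside the tunnel.
/interface/wifi/capsman set enabled=yes interfaces=vlan10-mgmt

# 4. Datapaths tell the CAP which of its own bridges and which VLAN each SSID lands in
#    (bridge= names a bridge on the CAP, created further down).
/interface/wifi/datapath add name=dp-home  bridge=br-tunnel vlan-id=11
/interface/wifi/datapath add name=dp-guest bridge=br-tunnel vlan-id=29
/interface/wifi/configuration add name=cfg-home  ssid=home-wifi  datapath=dp-home \
    security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=CHANGE-ME-HOME
/interface/wifi/configuration add name=cfg-guest ssid=guest-wifi datapath=dp-guest \
    security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=CHANGE-ME-GUEST
/interface/wifi/provisioning add action=create-dynamic-enabled \
    master-configuration=cfg-home slave-configurations=cfg-guest

# ===== Outdoor CAP =====
# ether1 is the untagged uplink in VLAN 66 and is NOT a member of any bridge:
# the underlay and the tunnel must never share a broadcast domain.
/ip/dhcp-client add interface=ether1 disabled=no
/interface/eoip add name=eoip-fw local-address=192.168.66.20 \
    remote-address=192.168.66.1 tunnel-id=66

# A separate bridge holds only the tunnel port and, via the datapaths, the radios.
/interface/bridge add name=br-tunnel vlan-filtering=yes
/interface/bridge/port add bridge=br-tunnel interface=eoip-fw
/interface/bridge/vlan add bridge=br-tunnel vlan-ids=10 tagged=br-tunnel,eoip-fw
/interface/bridge/vlan add bridge=br-tunnel vlan-ids=11,29 tagged=eoip-fw

# mgmt VLAN on top of the tunnel (mkx's second variant): address the CAP here and let
# it discover CAPsMAN over L2 on that VLAN. Over a routed path you would set
# caps-man-addresses=192.168.1.1 instead (mkx's bullet #2).
/interface/vlan add name=vlan10-mgmt interface=br-tunnel vlan-id=10
/ip/address add address=192.168.1.20/24 interface=vlan10-mgmt
/interface/wifi/cap set enabled=yes discovery-interfaces=vlan10-mgmt
```

The DHCP client on ether1 assumes the restricted VLAN hands the CAP a fixed 192.168.66.20 lease, as in the thread's diagram; the EoIP local-address has to match it. The tunnel itself is plain GRE: on a segment you do not fully trust, set the same ipsec-secret= on both /interface/eoip entries, at the cost of extra per-packet overhead that eats into the usable MTU.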
 
rapiertg
just joined
Topic Author
Posts: 19
Joined: Fri Feb 26, 2016 8:26 pm

Re: New capsman and eoip cap help

Sun Jan 26, 2025 5:34 pm

Thanks @mkx! Getting all VLANs into the CAP is definitely what I want. But I think I am stuck on getting a functional EoIP; I didn't even get to the point of setting up VLANs, connecting to CAPsMAN, etc. I probably understood the EoIP idea wrong; however, I struggled a bit more and found out that:

1. If I create EoIP between 192.168.66.1 (firewall) <> 192.168.66.20 (CAP), the EoIP is up.
2. And this may be the initial problem I didn't get initially: I created the 192.168.1.20 address on the CAP device and assigned it to the EoIP interface.
3. Now I bridged EoIP with the main bridge on both devices.
4. It seems I can ping 192.168.1.20 from the firewall and 192.168.1.1 from the CAP.

So it seems it does what I need:

192.168.1.1 -> 192.168.66.1 -> eoip <- 192.168.66.20 <- 192.168.1.20

So was it about creating this mgmt address on the EoIP interface on the CAP? I tried before, but assigned it to ethernet or the bridge... never to EoIP. I would now need someone to tell me if I did anything stupid ;)


EDIT: I probably did, because my network is now unstable (some pages open slowly, some don't open at all; usually this happens when I get some success getting traffic through EoIP).
EDIT2: When I force the MTU on EoIP to 1500, it seems the network is good again.
 
sindy
Forum Guru
Posts: 11361
Joined: Mon Dec 04, 2017 9:19 pm

Re: New capsman and eoip cap help

Sun Jan 26, 2025 9:19 pm

3. Now I bridged EoIP with the main bridge on both devices.
...
EDIT2: When I force the MTU on EoIP to 1500, it seems the network is good again.
These two are related.

In its role of IP interface, the bridge indicates an MTU to the networking stack. In its role of a virtual switch, it connects multiple L2 interfaces with potentially different MTU capacities, so to prevent the IP stack from sending packets that would not fit to one of the interfaces, the MTU of the bridge is set to the minimum of the MTUs of the member interfaces.

Unless you specify the MTU of the EoIP interface manually, it is calculated as the MTU of the path towards the remote-address minus the EoIP header size, to prevent fragmentation of the EoIP transport packets.

As you've made the EoIP interface a member port of the main bridge, you have at least reduced the MTU of the main bridge, or even created a self-locking mechanism that eventually adjusted the MTU of the EoIP down to 576 bytes or whatever the minimal allowed MTU is.

By setting the MTU of the EoIP to 1500 manually, you have prevented the above from happening; the price you pay for that is that now the EoIP transport packets carrying payload IP packets that are larger than (1500 - EoIP header) bytes get fragmented.

In a LAN, fragmentation is not a big issue; it just increases the packet rate. If you were sending the EoIP transport packets over the internet (which should only be done in combination with encryption, which further complicates things), you might get packet loss because far too many networks drop non-first fragments.
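The check that follows from sindy's explanation, added here as an example and not part of the thread: pin the tunnel MTU, read back what the bridge and the tunnel now report, and probe the path with do-not-fragment pings. Interface names are assumed (eoip-cap1 and bridge1 on the router); the CAP's mgmt address 192.168.1.20 and the underlay address 192.168.66.20 are the ones from the thread.

```routeros
# On the router. EoIP overhead is 42 bytes (outer IPv4 20 + GRE 8 + inner Ethernet 14),
# so an auto-calculated MTU over a 1500-byte path leaves 1458 bytes for the payload frame.
# Pinning it to 1500 breaks the bridge-MTU / tunnel-MTU feedback loop described above.
/interface/eoip set [find name=eoip-cap1] mtu=1500

# Read back the result: a bridge reports the minimum of its member ports' MTUs.
/interface/bridge print detail where name=bridge1
/interface print where name~"eoip"

# End-to-end probe: a full 1500-byte IP packet with DF set, across the tunnel to the
# CAP's mgmt address. In RouterOS, size= is the whole IP packet including headers.
/ping 192.168.1.20 size=1500 do-not-fragment count=5

# Same probe on the underlay, to tell a transport-MTU problem from a tunnel problem:
# if this one succeeds and the tunnel ping fails or loses packets, the 1542-byte transport
# packets (or their non-first fragments) are being dropped somewhere between the endpoints.
/ping 192.168.66.20 size=1500 do-not-fragment count=5
```

Run the two pings from both ends; asymmetric loss (works from the router, fails from the CAP) usually points at the bridge-port MTU on the side that fails rather than at the tunnel itself.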
 
rapiertg
just joined
Topic Author
Posts: 19
Joined: Fri Feb 26, 2016 8:26 pm

Re: New capsman and eoip cap help

Sun Jan 26, 2025 10:51 pm

@sindy makes sense, thanks.

However, I was too fast in saying it is working well. I can hardly reach other devices in this network from the other side of the EoIP tunnel, with a lot of lost packets. CAPsMAN cannot even establish a connection. When I investigated further, I noticed that on both devices the ARP entries are constantly changing between ether1 and the EoIP interface.

Is it even possible to do what I want to achieve? EoIP glues together L2 networks, and in my use case they are already connected, so maybe that is not the right way?
 
sindy
Forum Guru
Posts: 11361
Joined: Mon Dec 04, 2017 9:19 pm

Re: New capsman and eoip cap help

Sun Jan 26, 2025 10:58 pm

It is definitely doable, but start by posting the export of the current configurations and also the network diagram; somehow, I cannot understand why you should need the EoIP (or VPLS, or VXLAN) stuff at all unless the connection of that AP passes through a 3rd-party network.