 
SReich
just joined
Topic Author
Posts: 1
Joined: Thu Nov 04, 2021 4:42 pm

CapAC - Wifi clients cannot talk to each other

Thu Nov 04, 2021 5:54 pm

Hi,

I have a feeling this might be a basic/stupid mistake, so apologies in advance.
My setup is simple with a Hex PoE router and a CapAC in bridge mode.
Now I want to have some clients, a couple of management devices and a couple of servers, so I made a subnet for each category and added them to the DHCP pool.
The different clients get IPs in their assigned subnets.
I can connect to clients on the same subnet, having enabled client-to-client forwarding on the AC. However, I cannot reach clients on a different subnet.

Example from 192.168.30.98:
$ ip route show dev wlp3s0
default via 192.168.88.1 proto dhcp metric 600 
192.168.30.0/24 proto kernel scope link src 192.168.30.98 metric 600 
192.168.88.1 proto dhcp scope link metric 20600 

$ ping 192.168.20.10
PING 192.168.20.10 (192.168.20.10) 56(84) bytes of data.
From 192.168.30.1 icmp_seq=2 Redirect Host(New nexthop: 10.20.168.192)
From 192.168.30.1 icmp_seq=3 Redirect Host(New nexthop: 10.20.168.192)
From 192.168.30.1 icmp_seq=4 Redirect Host(New nexthop: 10.20.168.192)

$ ping 192.168.30.97
PING 192.168.30.97 (192.168.30.97) 56(84) bytes of data.
64 bytes from 192.168.30.97: icmp_seq=1 ttl=64 time=62.2 ms
64 bytes from 192.168.30.97: icmp_seq=2 ttl=64 time=19.2 ms
64 bytes from 192.168.30.97: icmp_seq=3 ttl=64 time=22.4 ms
64 bytes from 192.168.30.97: icmp_seq=4 ttl=64 time=2.74 ms
64 bytes from 192.168.30.97: icmp_seq=5 ttl=64 time=4.02 ms
Here is the router config. The AC was just reset into capsman mode and should not have any config not seen here.
# nov/04/2021 16:48:20 by RouterOS 7.1beta6
# software id = 9X9L-WUC2
#
# model = RB960PGS
# serial number = D52F0EF7EF1B
# CAPsMAN radio setup: channel lists per band, the bridge the datapath attaches
# to, two security profiles, and one configuration per band.
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412,2437,2462 name=2ghz reselect-interval=1h
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=XX frequency=5180,5200,5220,5240,5745,5765,5785,5805,5825 name=5gz reselect-interval=1h
/interface bridge
add admin-mac=2C:C8:1B:60:CE:29 auto-mac=no comment=defconf name=bridge
/caps-man datapath
# local-forwarding=no: the CAP does not bridge client traffic itself; frames are
# forwarded to this manager and attached to "bridge".
# client-to-client-forwarding=yes: wireless clients on the same interface may
# reach each other directly, so there is no client isolation on the SSIDs.
add bridge=bridge client-to-client-forwarding=yes local-forwarding=no name=datapath1
/caps-man security
# "weak" accepts legacy WPA (wpa-psk) in addition to WPA2. Neither configuration
# below references it (both use security=stronger).
# NOTE(review): no passphrase= value appears for either profile; an export may
# omit secrets, so confirm a strong passphrase is actually set.
add authentication-types=wpa-psk,wpa2-psk name=weak
add authentication-types=wpa2-psk name=stronger
/caps-man configuration
# Both SSIDs share datapath1 and therefore land on the same bridge.
add channel=2ghz country=norway datapath=datapath1 name=2ghz security=stronger ssid=mikrotik_2g
add channel=5gz country=norway datapath=datapath1 name=5ghz security=stronger ssid=mikrotik_5g
# Interface lists, address pools, the single DHCP server, and CAPsMAN manager
# enablement with per-band provisioning rules.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# "test profile 1" accepts legacy WPA (wpa-psk) as well as WPA2, and management
# frame protection is only "allowed", not required.
# NOTE(review): the name suggests a leftover test profile; confirm it is unused.
add authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=dynamic-keys name="test profile 1" supplicant-identity=MikroTik
/ip pool
# One pool per subnet: defconf (88), mgmt (30), clients (10), servers (20).
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=mgmt ranges=192.168.30.10-192.168.30.100
add name=clients ranges=192.168.10.10-192.168.10.100
add name=servers ranges=192.168.20.10-192.168.20.100
/ip dhcp-server
# Only one DHCP server exists, on "bridge", and it hands out the "clients" pool.
# No server in this export uses the "dhcp" or "servers" pools.
add address-pool=clients disabled=no interface=bridge name=defconf
/routing table
add fib name=""
/caps-man manager
# NOTE(review): no certificate or require-peer-certificate setting appears here,
# so CAPs are presumably accepted without certificate validation - confirm.
set enabled=yes
/caps-man provisioning
# Radios are provisioned automatically according to their supported modes.
add action=create-dynamic-enabled hw-supported-modes=b,gn master-configuration=2ghz
add action=create-dynamic-enabled hw-supported-modes=ac,an master-configuration=5ghz
# Layer 2 / layer 3 layout: bridge membership, router addresses for the four
# subnets, static DHCP leases, and the options handed to DHCP clients.
/interface bridge port
# ether2-ether5 and sfp1 are plain members of one bridge; no VLAN settings
# (pvid, vlan-filtering) appear in this export.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
# All four /24 networks are addressed on the same interface ("bridge"), so they
# share one broadcast domain. The subnets group hosts by address only; they are
# not a security boundary, because any host on the bridge can configure itself
# with an address from the mgmt or servers range.
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=192.168.10.1/24 comment=clients interface=bridge network=192.168.10.0
add address=192.168.30.1/24 comment=mgmt interface=bridge network=192.168.30.0
add address=192.168.20.1/24 comment=servers interface=bridge network=192.168.20.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
# Static leases keyed on MAC address. address=mgmt presumably draws the address
# from the "mgmt" pool rather than naming a fixed IP - confirm.
# Placement in the mgmt/servers range depends only on the MAC address a client
# presents, which the client controls; do not treat it as authentication.
add address=mgmt mac-address=7C:7A:91:0D:60:BA server=defconf
add address=mgmt client-id=1:18:f:76:3:a0:d4 mac-address=18:0F:76:03:A0:D4 server=defconf
add address=192.168.20.10 client-id=ff:4:fd:b3:12:0:1:0:1:25:8f:86:b:d4:3b:4:fd:b3:12 mac-address=D4:3B:04:FD:B3:12 server=defconf
/ip dhcp-server network
# Every network advertises gateway=192.168.88.1, which lies outside the
# 192.168.10.0/24, 192.168.20.0/24 and 192.168.30.0/24 subnets, although the
# router holds the .1 address in each of them (see /ip address).
# NOTE(review): this is probably why the client's routing table shows a default
# route via 192.168.88.1 and why the router answers with ICMP redirects; the
# in-subnet router address looks like the intended gateway - confirm.
add address=192.168.10.0/24 comment=clients gateway=192.168.88.1
add address=192.168.20.0/24 comment=servers gateway=192.168.88.1
add address=192.168.30.0/24 comment=mgmt gateway=192.168.88.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# DNS resolver, the default (defconf) firewall filter rules, and source NAT
# towards the WAN interface list.
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts. The input-chain rule "drop all not coming from LAN" below is what
# keeps the resolver from being reachable on the WAN side.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Input chain (traffic to the router itself): the only interface-based drop is
# for packets not arriving on the LAN list. "bridge" is the LAN list member, so
# every wired and wireless host on the bridge can reach the router's services.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Forward chain (traffic through the router): the only drop for new connections
# is for WAN traffic that was not dst-NATed. No rule here filters traffic
# between the clients, mgmt and servers subnets, so once routing between them
# works, every subnet can open connections to every other subnet.
# Rule order matters: fasttracked and established/related traffic is accepted
# before the drop rules are evaluated.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Masquerade applies only to traffic leaving via the WAN list; traffic between
# the internal subnets is not NATed.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Management-plane settings: IP services, time zone, update channel, and
# MAC-layer management access.
/ip service
# telnet, ftp, api, winbox and api-ssl are disabled.
# NOTE(review): www and ssh are not listed here, so they are presumably left at
# their defaults - confirm whether they are enabled and whether access should
# be limited to the mgmt range.
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Oslo
/system package update
# The development channel follows pre-release builds; the export header reports
# RouterOS 7.1beta6. Consider whether a beta build is acceptable on the router
# that faces the WAN.
set channel=development
/tool mac-server
# MAC-telnet and MAC-WinBox are allowed on the LAN list, i.e. on "bridge", which
# also carries the wireless clients.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
So I want to know how I can reach 192.168.20.0/24 from clients in 192.168.30.0/24.
Thanks in advance.
