zero01101
just joined
Topic Author
Posts: 7
Joined: Tue Aug 17, 2021 8:46 pm
Location: chicagoish

RB4011 internal WLAN - enabling CAPsMAN instantly halves speed

Sun Jan 16, 2022 7:18 pm

greetings all,

my apologies for the intrusion, but i'm stymied. i've got an RB4011iGS+5HacQ2HnD running routerOS 6.48.6 handling 300mbps comcast cable internet, and decided to finally throw an AP or two at my setup. in preparation, i figured it'd probably be wise to set up CAPsMAN for the internal WLAN interfaces for familiarity and ensuring that existing devices will play nice, but once operational, wifi speed essentially gets cut in half (at least on 5ghz). wired networking is unaffected, naturally.

i promise i've read many, many, many, many threads and posts but am likely too simple to notice the flaw(s?) in my plans - i also admit i'm not even slightly knowledgeable regarding wireless networking beyond the absolute minimum basics required to make internet magically happen through the air.

wifi topology is pretty straightforward; arris cable modem feeds into RB4011 eth01, which internally powers the only wifi access point(s) in my home.

when CAP is disabled in the wireless interfaces, i can pretty effectively saturate my connection: [screenshot: speed test with CAP disabled]

immediately after enabling CAP and reconnecting to wifi, tested speed is significantly lower: [screenshot: speed test with CAP enabled]

i know the wiki states "creating many slave interfaces can decrease the overall performance of access point" but i'd surely think that 2 virtual SSIDs per radio wouldn't be _that_ detrimental... particularly since this is the exact same configuration that i was enjoying 300mbps with mere minutes ago, the only difference being CAPsMAN's involvement

i created exports before and after enabling CAP on the wireless tables, the (anonymized) "CAP enabled" config is as follows:
# jan/16/2022 09:54:05 by RouterOS 6.48.6
# software id = P715-DLE2
#
# model = RB4011iGS+5HacQ2HnD
# serial number = Fxxxxxxxxxxx
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=XX name=\
    2.4g tx-power=18
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=XXXX name=\
    5g tx-power=18
/interface bridge
add admin-mac=2C:C8:1B:xx:xx:xx auto-mac=no comment=defconf name=bridge pvid=\
    100 vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(15dBm), SSID: djabacus.net, CAPsMAN forwarding
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge name=\
    2g ssid=djabacus.net wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(15dBm)+5775/80(27dBm), SSID: 5g.djabacus.net, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge name=5g ssid=5g.djabacus.net wireless-protocol=802.11
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full \
    speed=1Gbps
/interface vlan
add interface=bridge name=guestVlan vlan-id=140
add interface=bridge name=iotVlan vlan-id=150
add interface=bridge name=mainVlan vlan-id=100
add interface=bridge name=serverVlan vlan-id=130
add interface=bridge name=wifiVlan vlan-id=120
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=\
    wifipath
/caps-man configuration
add channel=2.4g country="united states3" datapath=wifipath datapath.bridge=\
    bridge datapath.local-forwarding=no datapath.vlan-id=140 \
    datapath.vlan-mode=use-tag installation=any name=guest2g_cap_config \
    security.authentication-types=wpa-psk,wpa2-psk ssid=guest.djabacus.net
add channel=2.4g country="united states3" datapath=wifipath datapath.bridge=\
    bridge datapath.local-forwarding=no datapath.vlan-id=150 \
    datapath.vlan-mode=use-tag installation=any name=iot2g_cap_config \
    security.authentication-types=wpa-psk,wpa2-psk ssid=iot.djabacus.net
add channel=2.4g country="united states3" datapath=wifipath datapath.bridge=\
    bridge datapath.local-forwarding=no datapath.vlan-id=120 \
    datapath.vlan-mode=use-tag installation=any name=wifi2g_cap_config \
    security.authentication-types=wpa-psk,wpa2-psk ssid=djabacus.net
add channel=5g country="united states3" datapath=wifipath datapath.bridge=\
    bridge datapath.local-forwarding=no datapath.vlan-id=120 \
    datapath.vlan-mode=use-tag installation=any name=wifi5g_cap_config \
    security.authentication-types=wpa-psk,wpa2-psk ssid=5g.djabacus.net
add channel=5g country="united states3" datapath=wifipath datapath.bridge=\
    bridge datapath.local-forwarding=no datapath.vlan-id=140 \
    datapath.vlan-mode=use-tag installation=any name=guest5g_cap_config \
    security.authentication-types=wpa-psk,wpa2-psk ssid=guest.djabacus.net
add channel=5g country="united states3" datapath=wifipath datapath.bridge=\
    bridge datapath.local-forwarding=no datapath.vlan-id=150 \
    datapath.vlan-mode=use-tag installation=any name=iot5g_cap_config \
    security.authentication-types=wpa-psk,wpa2-psk ssid=iot.djabacus.net
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
add name=VLAN
add name="TRUSTED LAN"
add name="UNTRUSTED LAN"
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
    name=guestSecProfile supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys \
    name=iotSecProfile supplicant-identity=""
/interface wireless
add disabled=no mac-address=2E:C8:1B::xx:xx:xx master-interface=2g name=\
    "guest 2g" security-profile=guestSecProfile ssid=guest.djabacus.net
add disabled=no mac-address=2E:C8:1B::xx:xx:xx master-interface=5g name=\
    "guest 5g" security-profile=guestSecProfile ssid=guest.djabacus.net
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B::xx:xx:xx \
    master-interface=2g multicast-buffering=disabled name="iot 2g" \
    security-profile=iotSecProfile ssid=iot.djabacus.net wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=2E:C8:1B::xx:xx:xx \
    master-interface=5g multicast-buffering=disabled name="iot 5g" \
    security-profile=iotSecProfile ssid=iot.djabacus.net wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/ip firewall layer7-protocol
add name="crappy youtube test" regexp="^.+(ytstatic.l.google.com|youtube-ui.l.\
    google.com|youtubei.googleapis.com|youtube.googleapis.com|youtube.com|www.\
    youtube.com|m.youtube.com|ytimg.com|s.ytimg.com|ytimg.l.google.com|youtube\
    .l.google.com|i.google.com|googlevideo.com|youtu.be|youtube-nocookie.com).\
    *\$"
/ip pool
add name=mainPool ranges=192.168.101.10-192.168.101.254
add name=wifiPool ranges=192.168.120.10-192.168.120.254
add name=serverPool ranges=192.168.130.50-192.168.130.254
add name=guestPool ranges=192.168.140.50-192.168.140.254
add name=iotPool ranges=192.168.150.50-192.168.150.254
/ip dhcp-server
add address-pool=mainPool disabled=no interface=mainVlan name=mainDhcp
add address-pool=serverPool disabled=no interface=serverVlan name=serverDhcp
add address-pool=wifiPool disabled=no interface=wifiVlan name=wifiDhcp
add address-pool=guestPool disabled=no interface=guestVlan name=guestDhcp
add address-pool=iotPool disabled=no interface=iotVlan name=iotDhcp
/system logging action
set 3 remote=192.168.130.11
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
add disabled=no interface=mainVlan
add disabled=no interface=guestVlan
add disabled=no interface=iotVlan
add disabled=no interface=wifiVlan
add disabled=no interface=serverVlan
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=a,an,ac \
    master-configuration=wifi5g_cap_config name-format=prefix-identity \
    name-prefix=wifi5g_cap_ slave-configurations=\
    guest5g_cap_config,iot5g_cap_config
add action=create-dynamic-enabled hw-supported-modes=b,g,gn \
    master-configuration=wifi2g_cap_config name-format=prefix-identity \
    name-prefix=wifi2g_cap_ slave-configurations=\
    guest2g_cap_config,iot2g_cap_config
/interface bridge filter
# guest 5g not ready
# in/out-bridge-port matcher not possible when interface (guest 5g) is not slave
add action=drop chain=forward in-interface="guest 5g"
# guest 5g not ready
# in/out-bridge-port matcher not possible when interface (guest 5g) is not slave
add action=drop chain=forward out-interface="guest 5g"
# guest 2g not ready
# in/out-bridge-port matcher not possible when interface (guest 2g) is not slave
add action=drop chain=forward in-interface="guest 2g"
# guest 2g not ready
# in/out-bridge-port matcher not possible when interface (guest 2g) is not slave
add action=drop chain=forward out-interface="guest 2g"
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether8 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 pvid=100
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether10 pvid=100
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=sfp-sfpplus1
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=5g pvid=120
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=2g pvid=120
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface="guest 5g" pvid=140
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface="guest 2g" pvid=140
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface="iot 5g" pvid=150
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface="iot 2g" pvid=150
/ip neighbor discovery-settings
set discover-interface-list="TRUSTED LAN"
/interface bridge vlan
add bridge=bridge comment="hopefully just normal" tagged=bridge,sfp-sfpplus1 \
    untagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10 \
    vlan-ids=100
add bridge=bridge comment="hopefully wifi vlan" tagged=bridge untagged=5g,2g \
    vlan-ids=120
add bridge=bridge comment="hopefully server/VM vlan" tagged=\
    bridge,sfp-sfpplus1 vlan-ids=130
add bridge=bridge comment="hopefully guest wifi vlan" tagged=bridge untagged=\
    "guest 5g,guest 2g" vlan-ids=140
add bridge=bridge comment="hopefully iot vlan" tagged=bridge,sfp-sfpplus1 \
    untagged="iot 2g,iot 5g" vlan-ids=150
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=mainVlan list=LAN
add interface=serverVlan list=LAN
add interface=wifiVlan list=LAN
add interface=mainVlan list=MGMT
add interface=mainVlan list=VLAN
add interface=serverVlan list=VLAN
add interface=wifiVlan list=VLAN
add interface=serverVlan list="TRUSTED LAN"
add interface=mainVlan list="TRUSTED LAN"
add interface=wifiVlan list="TRUSTED LAN"
add interface=guestVlan list="UNTRUSTED LAN"
add interface=bridge list="TRUSTED LAN"
add interface=iotVlan list="UNTRUSTED LAN"
/interface wireless cap
# 
set bridge=bridge caps-man-addresses=127.0.0.1 discovery-interfaces=bridge \
    enabled=yes interfaces=5g,2g
/ip address
add address=192.168.101.1/24 interface=mainVlan network=192.168.101.0
add address=192.168.120.1/24 interface=wifiVlan network=192.168.120.0
add address=192.168.130.1/24 interface=serverVlan network=192.168.130.0
add address=192.168.140.1/24 interface=guestVlan network=192.168.140.0
add address=192.168.150.1/24 interface=iotVlan network=192.168.150.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.130.5 mac-address=EC:8E:B5::xx:xx:xx server=serverDhcp
add address=192.168.130.11 client-id=\
    ff::xx:xx:xx mac-address=\
    3A:CD:DB::xx:xx:xx server=serverDhcp
add address=192.168.130.12 client-id=1:8a::xx:xx:xx mac-address=\
    8A:F8:AD::xx:xx:xx server=serverDhcp
add address=192.168.150.11 client-id=1:2c::xx:xx:xx mac-address=\
    2C:AA:8E::xx:xx:xx server=iotDhcp
add address=192.168.150.12 client-id=1:2c::xx:xx:xx mac-address=\
    2C:AA:8E::xx:xx:xx server=iotDhcp
add address=192.168.150.251 comment="garage door" mac-address=\
    24:18:C6::xx:xx:xx server=iotDhcp
add address=192.168.150.250 comment="christmas lights switch" mac-address=\
    B4:E6:2D::xx:xx:xx server=iotDhcp
add address=192.168.150.248 comment="philips hue hub" mac-address=\
    00:17:88::xx:xx:xx server=iotDhcp
add address=192.168.150.13 client-id=1:2c::xx:xx:xx mac-address=\
    2C:AA:8E::xx:xx:xx server=iotDhcp
add address=192.168.130.4 client-id=1:b8::xx:xx:xx mac-address=\
    B8:69:F4::xx:xx:xx server=serverDhcp
add address=192.168.101.10 client-id=1:d4::xx:xx:xx mac-address=\
    D4:76:A0::xx:xx:xx server=mainDhcp
add address=192.168.130.18 client-id=\
    ff::xx:xx:xx mac-address=\
    26:F7:6F::xx:xx:xx server=serverDhcp
add address=192.168.130.19 mac-address=A2:FC:68::xx:xx:xx server=serverDhcp
add address=192.168.150.246 mac-address=F4:F5:D8::xx:xx:xx server=iotDhcp
add address=192.168.150.245 mac-address=E4:F0:42::xx:xx:xx server=iotDhcp
add address=192.168.150.244 client-id=ff::xx:xx:xx \
    comment=ecobee mac-address=44:61:32::xx:xx:xx server=iotDhcp
add address=192.168.130.41 client-id=\
    ff::xx:xx:xx mac-address=\
    16:5D:26::xx:xx:xx server=serverDhcp
add address=192.168.130.20 mac-address=32:12:61::xx:xx:xx server=serverDhcp
add address=192.168.130.9 client-id=1:6e::xx:xx:xx comment=\
    "nginx reverse proxy" mac-address=6E:55:01::xx:xx:xx server=serverDhcp
add address=192.168.130.61 client-id=\
    ff::xx:xx:xx mac-address=\
    B6:37:1F::xx:xx:xx server=serverDhcp
add address=192.168.101.4 client-id=1:b8::xx:xx:xx mac-address=\
    B8:69:F4::xx:xx:xx server=mainDhcp
add address=192.168.101.22 client-id=1:dc::xx:xx:xx mac-address=\
    DC:2C:6E::xx:xx:xx server=mainDhcp
add address=192.168.101.23 client-id=1:dc::xx:xx:xx mac-address=\
    DC:2C:6E::xx:xx:xx server=mainDhcp
/ip dhcp-server network
add address=192.168.101.0/24 gateway=192.168.101.1
add address=192.168.120.0/24 gateway=192.168.120.1
add address=192.168.130.0/24 gateway=192.168.130.1
add address=192.168.140.0/24 gateway=192.168.140.1
add address=192.168.150.0/24 gateway=192.168.150.1
/ip dns
set servers=192.168.130.11,192.168.130.16,192.168.130.17
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix="DROP INVALID"
add action=accept chain=input comment="mgmt vlan allowed for everything" \
    in-interface-list=MGMT
add action=accept chain=input comment="server vlan allowed for everything" \
    in-interface=serverVlan
add action=accept chain=input comment="wifi vlan allowed for everything" \
    in-interface=wifiVlan
add action=accept chain=input comment="allow VLAN DHCP" dst-port=67 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="allow VLAN UDP DNS" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="allow VLAN TCP DNS" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="allow VLAN TCP DNS over TLS" dst-port=\
    853 in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="capsman self cap" dst-port=5246,5247 \
    protocol=udp src-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log=yes log-prefix="DROP NOT LAN INPUT RULE"
add action=drop chain=input comment="drop wan explicitly" in-interface-list=\
    WAN log=yes log-prefix="DROP WAN"
add action=accept chain=output comment="self-CAPsMAN i think" dst-address=\
    127.0.0.1 log=yes log-prefix="wtf capsman" protocol=udp src-address=\
    127.0.0.1 src-port=5246,5247
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="VLAN internet access" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="trusted lan can do everything" \
    in-interface-list="TRUSTED LAN" log-prefix=omgfirewall
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="wireguard\?" dst-address=\
    192.168.130.5 dst-port=51820 in-interface=ether1 log=yes log-prefix=\
    wireguardFirewallPls protocol=udp
add action=accept chain=forward comment=\
    "allow port forwarding DSTNAT - enable if needed for server" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix="DROP INVALID FWD"
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "DROP NON DSTNAT WAN FWD"
add action=accept chain=forward comment="guest lan gotta get DNS i suppose" \
    dst-port=53 in-interface-list="UNTRUSTED LAN" protocol=udp
add action=accept chain=forward comment=\
    "guest lan gotta get DNS over TLS too i suppose" dst-port=853 \
    in-interface-list="UNTRUSTED LAN" protocol=tcp
add action=accept chain=forward comment="let untrusted talk back to trusted" \
    connection-state=established,related in-interface-list="UNTRUSTED LAN" \
    out-interface-list="TRUSTED LAN"
add action=drop chain=forward comment="block guest vlan from other vlans" \
    in-interface-list="UNTRUSTED LAN" log-prefix="bad guest" \
    out-interface-list="TRUSTED LAN"
add action=drop chain=forward comment="block guest vlan from modem" \
    dst-address=192.168.100.1 in-interface-list="UNTRUSTED LAN" log-prefix=\
    "bad guest"
add action=accept chain=forward comment=\
    "i guess i have to tell it that guests can talk to the internet at least" \
    connection-state=new in-interface-list="UNTRUSTED LAN" \
    out-interface-list=WAN
add action=drop chain=forward comment="just drop everything not listed above" \
    log=yes log-prefix="DROP EVERYTHING ELSE FWD"
/ip firewall mangle
add action=passthrough chain=forward comment="debiphone download" disabled=\
    yes dst-address=192.168.120.236
add action=passthrough chain=forward comment="obelisk download" disabled=yes \
    dst-address=192.168.120.241
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="laptop wireguard" dst-port=51820 \
    in-interface-list=WAN log=yes log-prefix=wireguardPls protocol=udp \
    to-addresses=192.168.130.5 to-ports=51820
add action=dst-nat chain=dstnat comment="omv-plex remote access" dst-port=\
    32400 in-interface-list=WAN log=yes log-prefix=PLEX_REMOTE protocol=tcp \
    to-addresses=192.168.130.13 to-ports=32400
add action=dst-nat chain=dstnat comment="fg40f tls acme" dst-port=443 \
    in-interface-list=WAN log=yes log-prefix=fg40f-tls-acme protocol=tcp \
    to-addresses=192.168.101.10 to-ports=443
add action=dst-nat chain=dstnat comment="fg40f insec acme" dst-port=80 \
    in-interface-list=WAN log=yes log-prefix=fg40f-insec-acme protocol=tcp \
    to-addresses=192.168.101.10 to-ports=80
add action=dst-nat chain=dstnat comment="fg40f sslvpn" dst-port=4443 \
    in-interface-list=WAN log=yes log-prefix=fg40f-sslvpn protocol=tcp \
    to-addresses=192.168.101.10 to-ports=4443
add action=dst-nat chain=dstnat comment="fg40f remote https" dst-port=16443 \
    in-interface-list=WAN log=yes log-prefix=fg40f-sec protocol=tcp \
    to-addresses=192.168.101.10 to-ports=16443
add action=dst-nat chain=dstnat comment="fg40f remote http" dst-port=16280 \
    in-interface-list=WAN log=yes log-prefix=fg40f-insec protocol=tcp \
    to-addresses=192.168.101.10 to-ports=16280
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/routing igmp-proxy interface
add alternative-subnets=192.168.120.0/24 interface=serverVlan upstream=yes
add interface=mainVlan
add interface=wifiVlan
/system clock
set time-zone-name=America/Chicago
/system identity
set name=rb4011
/system leds
add interface=2g leds="2g_signal1-led,2g_signal2-led,2g_signal3-led,2g_signal4\
    -led,2g_signal5-led" type=wireless-signal-strength
add interface=2g leds=2g_tx-led type=interface-transmit
add interface=2g leds=2g_rx-led type=interface-receive
/system logging
set 0 action=remote topics=info,!firewall
set 1 action=remote
set 2 action=remote
set 3 action=remote
add action=remote prefix=syslog-firewall topics=firewall,info
add action=echo topics=critical
add topics=error
add topics=info,!firewall,!wireless,!dhcp
add topics=warning
add action=remote prefix=syslog-wireless topics=wireless,info
add action=remote prefix=syslog-dhcp topics=dhcp,info
add topics=critical
add action=remote prefix=syslog-caps topics=caps
/system ntp server
set broadcast=yes enabled=yes multicast=yes
/system package update
set channel=long-term
/system scheduler
add interval=1d name=backup-config-to-ftp on-event=backup-ros-config policy=\
    ftp,read,write,policy,test,password,sensitive start-date=dec/29/2021 \
    start-time=23:45:00
/system script
add dont-require-permissions=yes name=backup-ros-config owner=djabacus \
    policy=ftp,read,write,policy,test,password,sensitive source="#\r\
    \n# Backup ROS to FTP\r\
    \n#\r\
    \n# Define variables\r\
    \n:local ftphost \"192.168.130.13\"\r\
    \n:local ftpuser \"REDACTED\"\r\
    \n:local ftppassword \"REDACTED\"\r\
    \n:local ftppath \"/baseShare/rosbkup/\"\r\
    \n:local backupfilename \"rOS_v\"\r\
    \n:local localbackuppath \"cfgbkp\"\r\
    \n#\r\
    \n# Get date and time\r\
    \n#\r\
    \n{\r\
    \n:local curDate [/system clock get date]\r\
    \n:local curTime [/system clock get time]\r\
    \n:local systemName [/system identity get name]\r\
    \n:local systemFirmware [/system routerboard get current-firmware]\r\
    \n:local curMonth [:pick \$curDate 0 3]\r\
    \n :set curMonth ( [ :find key=\"\$curMonth\" in=\"jan,feb,mar,apr,may,jun\
    ,jul,aug,sep,oct,nov,dec\" from=-1 ] / 4 + 1)\r\
    \n if ( \$curMonth < 10 ) do={\r\
    \n  :set curMonth ( \"0\".\$curMonth )\r\
    \n } else={\r\
    \n  :set curMonth \$curMonth\r\
    \n }\r\
    \n:local curDay   [:pick \$curDate 4 6]\r\
    \n:local curYear  [:pick \$curDate 7 13]\r\
    \n:local curHour  [:pick \$curTime 0 2]\r\
    \n:local curMin   [:pick \$curTime 3 5]\r\
    \n:local now (\"\$curYear\".\"\$curMonth\".\"\$curDay\" .\"-\".\"\$curHour\
    \".\"\$curMin\")\r\
    \n#\r\
    \n# Make config backup locally\r\
    \n#\r\
    \n:log warn message=\"local backup started\";\r\
    \nexport file=\"\$localbackuppath/\$now_\$systemName_\$backupfilename_\$sy\
    stemFirmware\"\r\
    \n/system backup save name=\"\$localbackuppath/\$now_\$systemName_\$backup\
    filename_\$systemFirmware\"\r\
    \n:log warn message=\"local backup finished\";\r\
    \n#\r\
    \n# Copy config backup to FTP\r\
    \n#\r\
    \n:log warn message=\"config backup to FTP started\";\r\
    \n/tool fetch address=\"\$ftphost\" src-path=\"\$localbackuppath/\$now_\$s\
    ystemName_\$backupfilename_\$systemFirmware.backup\" user=\"\$ftpuser\" mo\
    de=ftp password=\"\$ftppassword\" dst-path=\"\$ftppath/\$systemName/\$now_\
    \$systemName_\$backupfilename_\$systemFirmware.backup\" upload=yes\r\
    \n/tool fetch address=\"\$ftphost\" src-path=\"\$localbackuppath/\$now_\$s\
    ystemName_\$backupfilename_\$systemFirmware.rsc\" user=\"\$ftpuser\" mode=\
    ftp password=\"\$ftppassword\" dst-path=\"\$ftppath/\$systemName/\$now_\$s\
    ystemName_\$backupfilename_\$systemFirmware.rsc\" upload=yes\r\
    \n:log warn message=\"config backup to FTP finished\";\r\
    \n#\r\
    \n# Remove locally created files\r\
    \n#\r\
    \n:log warn message=\"removing local backup\";\r\
    \nfile remove \"\$localbackuppath/\$now_\$systemName_\$backupfilename_\$sy\
    stemFirmware.backup\"\r\
    \nfile remove \"\$localbackuppath/\$now_\$systemName_\$backupfilename_\$sy\
    stemFirmware.rsc\"\r\
    \n:log warn message=\"local backup removed\";\r\
    \n#\r\
    \n}"
/tool graphing interface
add allow-address=192.168.120.0/24
add allow-address=192.168.101.0/24
add allow-address=192.168.130.0/24
/tool graphing resource
add allow-address=192.168.101.0/24
add allow-address=192.168.120.0/24
add allow-address=192.168.130.0/24
/tool mac-server
set allowed-interface-list="TRUSTED LAN"
/tool mac-server mac-winbox
set allowed-interface-list="TRUSTED LAN"
/tool romon
set enabled=yes

i also diffed the two configurations and these were the only changes between the two (CAP disabled on left, enabled on right)
[three screenshots of the config diff]

i am fully expecting this to be a shameful, embarrassing oversight on my end and readily await being yelled at for making such an obvious, noobish mistake and will probably be a little disappointed if i get out of this unscathed ;)

thanks in advance for any assistance or even just giving this a glance!
-tim
Last edited by zero01101 on Mon Jan 17, 2022 6:19 am, edited 1 time in total.
 
zero01101
just joined
Topic Author
Posts: 7
Joined: Tue Aug 17, 2021 8:46 pm
Location: chicagoish

Re: RB4011 internal WLAN - enabling CAPsMAN instantly halves speed

Sun Jan 16, 2022 11:48 pm

not sure if this post ever got approved or not, but some progress has been made; removing
tx-power=18
from the 5g CAPsMAN channel brought me up to a fairly reliable ~260mbps in the same speedtests, but specifying
datapath.local-forwarding=yes
on all the CAPsMAN configurations basically disabled the SSID defined by the master configuration in provisioning - they were still broadcast, but wouldn't deliver IP addresses over DHCP, and debug logging didn't show anything until the client gave up and tried a previously saved virtual SSID - yet the slave configs continued working, which probably means i've really screwed something up nicely.

anyway, it's certainly a definite speed increase, but it's still lower than i was getting minutes before simply without CAPsMAN at all, and i'm going to be getting gigabit service fairly soon - is that maybe just some kind of overhead, like a ~10% speed decrease just because CAPsMAN, or am i potentially only looking at 260mbps wifi, regardless of provider?
 
pukkita
Trainer
Posts: 3071
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: RB4011 internal WLAN - enabling CAPsMAN instantly halves speed

Mon Jan 17, 2022 3:26 pm

zero01101 wrote:
specifying datapath.local-forwarding=yes on all the CAPsMAN configurations basically disabled the SSID defined by the master configuration in provisioning - they were still broadcast, but wouldn't deliver IP addresses over DHCP, and debug logging didn't show anything until the client gave up and tried a previously saved virtual SSID - yet the slave configs continued working, which probably means i've really screwed something up nicely.
If you enable local-forwarding mode, you need to make sure cAPs have proper L3 configuration, i.e. have IPs and proper routing.... i.e. add a dhcp-client on cAPs so that they get IP and default route...

local forwarding is what you want for maximum speeds, it also "spreads the load" as the forwarding is done using each cAP CPU resources.

Regarding speeds, if they don't go back to expected, check via Tools > Profile that CPU is not being maxed out while doing the tests.
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
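Added example (not from pukkita's post, the OP's export, or MikroTik's documentation) of what "proper L3 configuration" on a cAP means in RouterOS 6 terms, next to the CAPsMAN-side datapath that turns on local forwarding and the CLI form of the Tools > Profile check. Interface names, VLAN ids and the CAPsMAN address 192.168.101.1 are assumptions modelled on the OP's export; the cAP-side bridge VLAN table carrying the client VLANs is also an assumption.

```routeros
# --- On an external cAP (assumed names; example only) ---
# With local forwarding the cAP itself puts client frames on its own bridge,
# so it needs a bridge, an IP address and a default route to reach CAPsMAN.
/interface bridge
add name=bridge pvid=100 vlan-filtering=yes
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
/interface bridge vlan
# Assumption: the client VLANs (120/140/150) must exist on the cAP bridge too,
# because the cAP, not CAPsMAN, tags locally forwarded client traffic.
add bridge=bridge tagged=bridge,ether1 vlan-ids=100,120,140,150
/interface vlan
add interface=bridge name=mgmtVlan vlan-id=100
/ip dhcp-client
# This is the "dhcp-client on cAPs" pukkita refers to: IP plus default route.
add disabled=no interface=mgmtVlan
/interface wireless cap
set caps-man-addresses=192.168.101.1 discovery-interfaces=mgmtVlan enabled=yes \
    interfaces=wlan1,wlan2

# --- On the CAPsMAN (the RB4011) ---
# local-forwarding=yes keeps client traffic off the CAPWAP tunnel; the tag is
# applied on the cAP side, so the CAPsMAN bridge only carries management traffic.
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=localpath
/caps-man configuration
add channel=5g datapath=localpath datapath.vlan-id=120 datapath.vlan-mode=use-tag \
    name=wifi5g_local_config security.authentication-types=wpa2-psk \
    ssid=5g.djabacus.net

# --- The CPU check (Tools > Profile in WinBox), run while a speed test is in flight ---
# Look for "wireless", "networking" or "bridging" sitting near 100%.
/tool profile duration=10s
```

Two practical notes on this layout. The cAP's own address lands on VLAN 100, which in the OP's export is the MGMT interface list that the input chain accepts wholesale; the dedicated "capsman self cap" input rule only matches src-address=127.0.0.1, so a cAP on any other VLAN would need its own accept for UDP 5246,5247 (CAPWAP) before the "drop all not coming from LAN" rule, and keeping that management subnet off the UNTRUSTED LAN list is what stops guest or IoT clients from reaching the CAPsMAN control port at all. For the OP's built-in radios none of the cAP-side section applies, which is exactly why the thread ends up leaving them outside CAPsMAN.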
 
zero01101
just joined
Topic Author
Posts: 7
Joined: Tue Aug 17, 2021 8:46 pm
Location: chicagoish

Re: RB4011 internal WLAN - enabling CAPsMAN instantly halves speed

Tue Jan 18, 2022 2:52 am

pukkita wrote:
If you enable local-forwarding mode, you need to make sure cAPs have proper L3 configuration, i.e. have IPs and proper routing.... i.e. add a dhcp-client on cAPs so that they get IP and default route...

local forwarding is what you want for maximum speeds, it also "spreads the load" as the forwarding is done using each cAP CPU resources.

Regarding speeds, if they don't go back to expected, check via Tools > Profile that CPU is not being maxed out while doing the tests.
hey, thanks for the reply - the CAPs mentioned are the two wireless interfaces built into the RB4011iGS+5HacQ2HnD, so they're probably as L3-configured as they're going to get seeing as they exist strictly within my primary router ;) CPU usage never really goes anywhere outlandish, and my tests from the last day or so have been very erratic but much closer to the original 300 i was nearly getting previously (regularly 230-270mbps now on 5ghz via CAPsMAN). for the time being though, i think i'm just going to leave the internal radios out of CAPsMAN's control and manage those separately.
 
anav
Forum Guru
Posts: 11786
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011 internal WLAN - enabling CAPsMAN instantly halves speed

Tue Jan 18, 2022 4:09 am

Wise move!
Why add overhead for no good reason.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
gotsprings
Forum Guru
Posts: 1494
Joined: Mon May 14, 2012 9:30 pm

Re: RB4011 internal WLAN - enabling CAPsMAN instantly halves speed

Tue Jan 18, 2022 1:51 pm

Let routerOS route.
Pick a different wifi vendor.

Anything over 150Megs as a WAN speed... I would highly advise looking to a different wifi vendor.

Caps-man is not the limitation... The Mikrotik WiFi driver is.
"It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so."
Mark Twain
 
pukkita
Trainer
Posts: 3071
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: RB4011 internal WLAN - enabling CAPsMAN instantly halves speed

Fri Jan 21, 2022 4:41 pm

> > If you enable local-forwarding mode, you need to make sure cAPs have proper L3 configuration, i.e. have IPs and proper routing.... i.e. add a dhcp-client on cAPs so that they get IP and default route...
> >
> > local forwarding is what you want for maximum speeds, it also "spreads the load" as the forwarding is done using each cAP CPU resources.
> >
> > Regarding speeds, if they don't go back to expected, check via Tools > Profile that CPU is not being maxed out while doing the tests.
> hey, thanks for the reply - the CAPs mentioned are the two wireless interfaces built-in to the RB4011iGS+5HacQ2HnD, so they're probably as L3-configured as they're going to get seeing as they exist strictly within my primary router ;)
Ouch! for a moment forgot they were built in only sorry!

But still applies, I wouldn't assume that, not after all the vlans, slave SSIDs / firewall/bridge/vlan filter rules you threw at it.

The fact that it "misbehaves" when provisioning when set to local forwarding points to this in fact... running 4011 as CAPsMAN master with external CAPs and also using built-in radios without issue, local forwarding, virtual SSIDs, etc...

Anyway, yes why bother with CAPsMAN for the built in interfaces if no more cAPs...
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
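The procedure pukkita describes, here and in the earlier reply quoted above (give each cAP its own IP and default route with a DHCP client before the datapath is switched to local forwarding, then watch CPU in Tools > Profile while running a speed test), is written out below as an added RouterOS 6.x CLI example. It is not configuration posted in this thread and not MikroTik's own documentation; the interface and object names (bridge, ether1, wlan1, wlan2, dp-local, cfg-5g) are assumptions. The certificate settings are an addition the thread does not discuss: with local forwarding, client traffic never passes through the manager, so each cAP and the control channel between cAP and CAPsMAN have to be trustworthy on their own.

```routeros
# Added example, not from the thread. Names (bridge, ether1, wlan1, wlan2,
# dp-local, cfg-5g) are assumptions; adapt them to the actual devices.

# ---- on each external cAP (for example a hAP ac2) ----
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge interface=ether1
# Local forwarding makes the cAP bridge client traffic itself, so it needs
# its own L3 configuration: a DHCP client on the bridge gives it an IP,
# a default route and DNS with which to reach CAPsMAN.
/ip dhcp-client
add interface=bridge disabled=no
# Hand wlan1/wlan2 to CAPsMAN. certificate=request plus lock-to-caps-man=yes
# make the cAP keep talking only to the manager it first enrolled with,
# instead of accepting a provisioning push from any CAPsMAN on the LAN.
/interface wireless cap
set enabled=yes interfaces=wlan1,wlan2 discovery-interfaces=bridge \
    bridge=bridge certificate=request lock-to-caps-man=yes

# ---- on the RB4011 acting as CAPsMAN ----
/caps-man manager
set enabled=yes certificate=auto ca-certificate=auto require-peer-certificate=yes
# local-forwarding=yes: frames are bridged on the cAP CPU, not tunnelled to
# the manager. Any VLAN tagging or bridge filtering that was applied at the
# manager therefore has to exist on the cAP as well.
/caps-man datapath
add name=dp-local local-forwarding=yes client-to-client-forwarding=yes
/caps-man configuration
add name=cfg-5g mode=ap datapath=dp-local
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=cfg-5g

# ---- checks ----
# Did the cAP register, and over which address?
/caps-man remote-cap print
# Which clients landed on which CAP interface?
/caps-man registration-table print
# Is a core pegged while the speed test runs? (press Q to stop)
/tool profile cpu=all
```

Run the profile on the RB4011 and, when external cAPs are involved, on the cAP as well, since in local forwarding mode the cAP's CPU does the bridging. If the manager's own CPU is idle but the test is still slow, the bottleneck is on the radio or the cAP, not in CAPsMAN.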
 
anav
Forum Guru
Posts: 11786
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011 internal WLAN - enabling CAPsMAN instantly halves speed

Sat Jan 22, 2022 1:07 am

> Anyway, yes why bother with CAPsMAN for the built in interfaces if no more cAPs...
Masochist?
 
zero01101
just joined
Topic Author
Posts: 7
Joined: Tue Aug 17, 2021 8:46 pm
Location: chicagoish

Re: RB4011 internal WLAN - enabling CAPsMAN instantly halves speed

Sat Jan 22, 2022 4:57 pm

> Ouch! for a moment forgot they were built in only sorry!
no worries at all, i greatly appreciate the responses from everyone :) my gigabit service was installed a few days ago and i picked up an inexpensive hAPac2 to use as an actual, external CAP, and to be honest, yeah wifi never really got anywhere above 300mbps down anyway over the 4011's internal wireless interface OR the new hAP (which is only dual-chain 5ghz i believe anyhow), even though the RB4011 should be capable of 1733mbps per the specs, but i guarantee my weirdo 4-antenna MU-MIMO adapter isn't actually able to receive at such speeds... and anyway, i simply slapped an ethernet cable between the hAP and my main use desktop anyway to enjoy my new gigabits, and my wife is unfazed unless the wifi just doesn't work so i'm pretty set for the time being :D
> > Anyway, yes why bother with CAPsMAN for the built in interfaces if no more cAPs...
> Masochist?
i mean maybe just a little ;)
 
anav
Forum Guru
Posts: 11786
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011 internal WLAN - enabling CAPsMAN instantly halves speed

Sat Jan 22, 2022 5:00 pm

I am very sorry that you picked up an hapac2 for wifi.
The also inexpensive tplink eap245 is actually a stable WIFI 5 product with decent speeds.
 
zero01101
just joined
Topic Author
Posts: 7
Joined: Tue Aug 17, 2021 8:46 pm
Location: chicagoish

Re: RB4011 internal WLAN - enabling CAPsMAN instantly halves speed

Sat Jan 22, 2022 5:07 pm

> I am very sorry that you picked up an hapac2 for wifi.
lmao

i mean it's not THAT bad for just stretching a few SSIDs a bit further, but once i have an actual need for highly performant wifi, i concede that i'll probably have to abandon my 100% mikrotik networking stack plans :( i just figured if they're not going to give me a stacked switch management interface, managed wifi was a solid consolation prize ¯\_(ツ)_/¯
 
anav
Forum Guru
Posts: 11786
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB4011 internal WLAN - enabling CAPsMAN instantly halves speed

Sat Jan 22, 2022 5:58 pm

No doubt the concept kicks ass compared to any other competitor, but at the end of the day capsman is not for the user, it's for the admin, and the users have to be happy, be it your co-workers or your family.
 
pukkita
Trainer
Posts: 3071
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: RB4011 internal WLAN - enabling CAPsMAN instantly halves speed

Sun Jan 23, 2022 1:14 pm

> i just figured if they're not going to give me a stacked switch management interface, managed wifi was a solid consolation prize ¯\_(ツ)_/¯
Regarding Stacked Switch Management interface, are you aware of https://help.mikrotik.com/docs/display/ ... t+Extender feature?
 
gotsprings
Forum Guru
Posts: 1494
Joined: Mon May 14, 2012 9:30 pm

Re: RB4011 internal WLAN - enabling CAPsMAN instantly halves speed

Sun Jan 23, 2022 5:55 pm

I am always surprised by how many "sys admins" are actually desktop support engineers.

Ones that can't track a connection across one switch... So they hear that word "stack" and think it sounds cool. They have one interface when configuring, so that cuts down on the amount of mistakes they can make...

But they don't get that the physical uplink between the switches can be a bottleneck.

"But they are stacked!"

Uggg
 
zero01101
just joined
Topic Author
Posts: 7
Joined: Tue Aug 17, 2021 8:46 pm
Location: chicagoish

Re: RB4011 internal WLAN - enabling CAPsMAN instantly halves speed

Sun Jan 23, 2022 9:28 pm

> Regarding Stacked Switch Management interface, are you aware of https://help.mikrotik.com/docs/display/ ... t+Extender feature?

wow, i sure wasn't; i know i had seen it in the docs/wiki before but paid it no mind, but that's certainly fascinating...

> I am always surprised by how many "sys admins" are actually desktop support engineers.

lol oh i'm certainly none of the above ;) i'd just had familiarity with the aruba stack we have at work as well as fortilink stacks and it just seemed like an oversight that mikrotik didn't have a competing offering; i will gladly admit it is indeed 100% because "it sounds cool" and i'm laaaaaaazy, so keeping track of one winbox instance is simpler than 3 :D and completely agreed on the stack itself being a potential bottleneck, but i've never even gotten close to saturating the 10gb link between my RB4011 and CRS326, so this was simply a grievance of convenience :)
