 
a752412341
Frequent Visitor
Topic Author
Posts: 67
Joined: Sat Feb 14, 2015 8:01 pm

wifi roaming to another CAP, no traffic passed for a few minutes.

Thu Nov 10, 2022 10:17 pm

My home router config has "grown organically" over 10 years, and there's probably lots of bad config in there. I am the walking definition of a little knowledge being a dangerous thing!

  • I have a hAPac as my main router. This runs CAPsMAN, and does inter vlan routing with firewall rules as router on a stick. Mainly so I can block off CCTV and IOT devices from my main network and the internet if necessary.
  • ether2 is an uplink to a hAP which is configured as a perimeter firewall. This device also does PPP and uplinks to my VDSL "modem" in bridge mode.
  • ether1 is the downlink to my LAN.
  • I have 9 CAPs dotted around at the moment.
The problems I have are:-
  • WiFi Roaming - when an iphone moves from one access point to another, although it still shows connected on the phone, no internet traffic is passed for a few minutes (2 to 5). Then traffic resumes as normal. If I disconnect from the wifi and reconnect, the problem remains until the few minutes is up.
  • I have several 2ghz IOT wifi devices which regularly (several times a day) disconnect temporarily and then eventually reconnect. I do not see this issue on iphones or laptops.
Here are snippets of config from the main router. I suspect I'd benefit from redoing the whole lot from scratch, but if there is anything obvious to try, I'd much appreciate a comment!
Thank you.
# nov/10/2022 19:27:38 by RouterOS 7.4.1
# software id = NG1Y-BM7M
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 6F1206C86AC7
/caps-man channel
add name=LowPower tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    name=2ghz tx-power=10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee name=\
    5ghz tx-power=20
add band=2ghz-g/n control-channel-width=5mhz extension-channel=disabled name=\
    "2ghz-High Power" tx-power=20
/interface bridge
add name=bridge-51-Client-Admin
add name=bridge-52-Client-General
add name=bridge-53-Client-Kids
add name=bridge-54-Client-Guest
add name=bridge-61-IOT-Media
add name=bridge-62-IOT-HA
add name=bridge-63-IOT-CCTV
add name=bridge-71-Servers-General
add name=bridge-81-Servers-DMZ
add name=bridge-82-VOIP
add name=bridge-99-Management
add admin-mac=6C:3B:6B:44:98:40 auto-mac=no name=bridge-vlans-LocalCAP
/interface ethernet
set [ find default-name=ether1 ] comment=LAN name=ether1-LAN speed=100Mbps
set [ find default-name=ether2 ] comment=RB951G l2mtu=1526 mtu=1508 name=\
    ether2-WAN-RB951G speed=100Mbps
set [ find default-name=ether3 ] l2mtu=1526 name=ether3-Voip speed=100Mbps
set [ find default-name=ether4 ] name=ether4-SqueezeboxKitchen speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
# managed by CAPsMAN
# channel: 2462/20/gn(7dBm), SSID: wifi350, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n bridge-mode=disabled \
    channel-width=20/40mhz-eC country="united kingdom" disabled=no frequency=\
    auto mode=ap-bridge ssid=MikroTik station-roaming=enabled \
    wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(20dBm), SSID: wifi350, local forwarding
set [ find default-name=wlan2 ] antenna-gain=0 country=no_country_set \
    disabled=no frequency-mode=manual-txpower ssid=MikroTik station-roaming=\
    enabled
/interface vlan
add interface=bridge-vlans-LocalCAP name=vlan51-Client-Admin vlan-id=51
add interface=bridge-vlans-LocalCAP name=vlan52-Client-General vlan-id=52
add interface=bridge-vlans-LocalCAP name=vlan53-Client-Kids vlan-id=53
add interface=bridge-vlans-LocalCAP name=vlan54-Client-Guest vlan-id=54
add interface=bridge-vlans-LocalCAP name=vlan61-IOT-Media vlan-id=61
add interface=bridge-vlans-LocalCAP name=vlan62-IOT-HA vlan-id=62
add interface=bridge-vlans-LocalCAP name=vlan63-IOT-CCTV vlan-id=63
add interface=bridge-vlans-LocalCAP name=vlan71-Servers-General vlan-id=71
add interface=bridge-vlans-LocalCAP name=vlan81-Servers-DMZ vlan-id=81
add interface=bridge-vlans-LocalCAP name=vlan82-VOIP vlan-id=82
add interface=bridge-vlans-LocalCAP name=vlan99-Management vlan-id=99
/caps-man rates
add basic=6Mbps name=GN supported=6Mbps vht-basic-mcs=""
add basic=5.5Mbps,11Mbps,6Mbps,9Mbps,12Mbps,18Mbps name=IOT supported=\
    5.5Mbps,11Mbps,6Mbps,9Mbps,12Mbps,18Mbps
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=10m name=wifi350
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=10m name=wifi35t
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=10m name=guest
/caps-man configuration
add channel=5ghz country="united kingdom" \
    datapath.client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=\
    71 .vlan-mode=use-tag mode=ap name=cfg_wifi350-5ghz rates=GN security=\
    wifi350 ssid=wifi350
add channel=2ghz country="united kingdom" \
    datapath.client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=\
    54 .vlan-mode=use-tag mode=ap name=cfg_guest-2ghz rates=GN security=guest \
    ssid=guest2
add channel=2ghz country="united kingdom" \
    datapath.client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=\
    62 .vlan-mode=use-tag mode=ap multicast-helper=full name=cfg_wifi35t-2ghz \
    rates=GN security=wifi35t ssid=wifi35t
add channel=2ghz country="united kingdom" \
    datapath.client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=\
    71 .vlan-mode=use-tag mode=ap name=cfg_wifi350-2ghz rates=GN security=\
    wifi350 ssid=wifi350
add channel=5ghz country="united kingdom" \
    datapath.client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=\
    54 .vlan-mode=use-tag mode=ap name=cfg_guest-5ghz rates=GN security=guest \
    ssid=guest
/caps-man interface
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=\
    4C:5E:0C:86:65:E1 master-interface=none name=2G-cAP-Office-1 radio-mac=\
    4C:5E:0C:86:65:E1 radio-name=4C5E0C8665E1
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=\
    4E:5E:0C:86:65:E1 master-interface=2G-cAP-Office-1 name=2G-cAP-Office-1-1 \
    radio-mac=00:00:00:00:00:00 radio-name=4E5E0C8665E1
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=\
    4E:5E:0C:86:65:E2 master-interface=2G-cAP-Office-1 name=2G-cAP-Office-1-2 \
    radio-mac=00:00:00:00:00:00 radio-name=4E5E0C8665E2
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=\
    E4:8D:8C:8A:7B:51 master-interface=none name=\
    "2G-hAP-Lite-Boiler Cupboard-1" radio-mac=E4:8D:8C:8A:7B:51 radio-name=\
    E48D8C8A7B51
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=\
    E6:8D:8C:8A:7B:51 master-interface="2G-hAP-Lite-Boiler Cupboard-1" name=\
    "2G-hAP-Lite-Boiler Cupboard-1-1" radio-mac=00:00:00:00:00:00 radio-name=\
    E68D8C8A7B51
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=\
    E6:8D:8C:8A:7B:52 master-interface="2G-hAP-Lite-Boiler Cupboard-1" name=\
    "2G-hAP-Lite-Boiler Cupboard-1-2" radio-mac=00:00:00:00:00:00 radio-name=\
    E68D8C8A7B52
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=\
    6C:3B:6B:44:98:47 master-interface=none name="2G-hAPac-Main Router-1" \
    radio-mac=6C:3B:6B:44:98:47 radio-name=6C3B6B449847
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=\
    6E:3B:6B:44:98:47 master-interface="2G-hAPac-Main Router-1" name=\
    "2G-hAPac-Main Router-1-1" radio-mac=00:00:00:00:00:00 radio-name=\
    6E3B6B449847
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=\
    6E:3B:6B:44:98:48 master-interface="2G-hAPac-Main Router-1" name=\
    "2G-hAPac-Main Router-1-2" radio-mac=00:00:00:00:00:00 radio-name=\
    6E3B6B449848
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=\
    E4:8D:8C:CE:D0:69 master-interface=none name=2G-wAP-Outside-Garage-1 \
    radio-mac=E4:8D:8C:CE:D0:69 radio-name=E48D8CCED069
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=\
    E6:8D:8C:CE:D0:69 master-interface=2G-wAP-Outside-Garage-1 name=\
    2G-wAP-Outside-Garage-1-1 radio-mac=00:00:00:00:00:00 radio-name=\
    E68D8CCED069
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=\
    E6:8D:8C:CE:D0:6A master-interface=2G-wAP-Outside-Garage-1 name=\
    2G-wAP-Outside-Garage-1-2 radio-mac=00:00:00:00:00:00 radio-name=\
    E68D8CCED06A
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=\
    E4:8D:8C:CE:DD:3D master-interface=none name=2G-wAP-Outside-Shed-1 \
    radio-mac=E4:8D:8C:CE:DD:3D radio-name=E48D8CCEDD3D
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=\
    E6:8D:8C:CE:DD:3D master-interface=2G-wAP-Outside-Shed-1 name=\
    2G-wAP-Outside-Shed-1-1 radio-mac=00:00:00:00:00:00 radio-name=\
    E68D8CCEDD3D
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=\
    E6:8D:8C:CE:DD:3E master-interface=2G-wAP-Outside-Shed-1 name=\
    2G-wAP-Outside-Shed-1-2 radio-mac=00:00:00:00:00:00 radio-name=\
    E68D8CCEDD3E
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=\
    E4:8D:8C:4B:12:37 master-interface=none name=2G-wAPac-Guestroom-1 \
    radio-mac=E4:8D:8C:4B:12:37 radio-name=E48D8C4B1237
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=\
    E6:8D:8C:4B:12:37 master-interface=2G-wAPac-Guestroom-1 name=\
    2G-wAPac-Guestroom-1-1 radio-mac=00:00:00:00:00:00 radio-name=\
    E68D8C4B1237
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=\
    E6:8D:8C:4B:12:38 master-interface=2G-wAPac-Guestroom-1 name=\
    2G-wAPac-Guestroom-1-2 radio-mac=00:00:00:00:00:00 radio-name=\
    E68D8C4B1238
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=\
    6C:3B:6B:6C:A1:6E master-interface=none name=2G-wAPac-Kitchen-1 \
    radio-mac=6C:3B:6B:6C:A1:6E radio-name=6C3B6B6CA16E
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=\
    6E:3B:6B:6C:A1:6E master-interface=2G-wAPac-Kitchen-1 name=\
    2G-wAPac-Kitchen-1-1 radio-mac=00:00:00:00:00:00 radio-name=6E3B6B6CA16E
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=\
    6E:3B:6B:6C:A1:6F master-interface=2G-wAPac-Kitchen-1 name=\
    2G-wAPac-Kitchen-1-2 radio-mac=00:00:00:00:00:00 radio-name=6E3B6B6CA16F
add configuration=cfg_wifi350-5ghz disabled=no l2mtu=1600 mac-address=\
    6C:3B:6B:44:98:46 master-interface=none name="5G-hAPac-Main Router-1" \
    radio-mac=6C:3B:6B:44:98:46 radio-name=6C3B6B449846
add configuration=cfg_guest-5ghz disabled=no l2mtu=1600 mac-address=\
    6E:3B:6B:44:98:46 master-interface="5G-hAPac-Main Router-1" name=\
    "5G-hAPac-Main Router-1-1" radio-mac=00:00:00:00:00:00 radio-name=\
    6E3B6B449846
add configuration=cfg_wifi350-5ghz disabled=no l2mtu=1600 mac-address=\
    E4:8D:8C:4B:12:36 master-interface=none name=5G-wAPac-Guestroom-1 \
    radio-mac=E4:8D:8C:4B:12:36 radio-name=E48D8C4B1236
add configuration=cfg_guest-5ghz disabled=no l2mtu=1600 mac-address=\
    E6:8D:8C:4B:12:36 master-interface=5G-wAPac-Guestroom-1 name=\
    5G-wAPac-Guestroom-1-1 radio-mac=00:00:00:00:00:00 radio-name=\
    E68D8C4B1236
add configuration=cfg_wifi350-5ghz disabled=no l2mtu=1600 mac-address=\
    6C:3B:6B:6C:A1:6D master-interface=none name=5G-wAPac-Kitchen-1 \
    radio-mac=6C:3B:6B:6C:A1:6D radio-name=6C3B6B6CA16D
add configuration=cfg_guest-5ghz disabled=no l2mtu=1600 mac-address=\
    6E:3B:6B:6C:A1:6D master-interface=5G-wAPac-Kitchen-1 name=\
    5G-wAPac-Kitchen-1-1 radio-mac=00:00:00:00:00:00 radio-name=6E3B6B6CA16D
/interface ethernet switch port
set 1 default-vlan-id=0 vlan-mode=fallback
set 2 default-vlan-id=0 vlan-mode=fallback
set 3 default-vlan-id=0 vlan-mode=fallback
set 4 default-vlan-id=0 vlan-mode=fallback
set 5 default-vlan-id=0 vlan-mode=fallback
/interface list
add name=List-LAN
add name="List-All Client"
add name="List-All Servers"
add name="List-All Clients exc. Kids"
add name=mactel
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    temp2wifi350 supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    tempwifi350 supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=tempguest supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=KitchenOffice supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=wifi350-wds supplicant-identity=""
/interface wireless
add keepalive-frames=disabled mac-address=6E:3B:6B:44:98:4A master-interface=\
    wlan2 mode=station-wds multicast-buffering=disabled name=wlan3 \
    security-profile=wifi350-wds ssid=wifi350-wds station-roaming=enabled \
    wds-cost-range=0 wds-default-bridge=bridge-71-Servers-General \
    wds-default-cost=0 wds-mode=dynamic-mesh wps-mode=disabled

/caps-man access-list
add action=accept comment=OfficeSqueezebox disabled=yes mac-address=\
    00:04:20:1E:3F:F6 ssid-regexp="" vlan-id=71 vlan-mode=use-tag
add action=accept comment="Playroom Squeezebox" disabled=yes mac-address=\
    00:04:20:1E:3F:5A ssid-regexp="" vlan-id=71 vlan-mode=use-tag
add comment="Kitchen Squeezebox" disabled=yes mac-address=00:04:20:26:98:36 \
    ssid-regexp="" vlan-id=71 vlan-mode=use-tag
add action=accept comment="Al's phone" disabled=yes mac-address=\
    14:1A:A3:98:4B:57 ssid-regexp="" vlan-id=62 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s disabled=yes interface=any \
    signal-range=-80..0 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=yes interface=any \
    signal-range=-120..-83 ssid-regexp=""
add action=accept allow-signal-out-of-range=3s disabled=no interface=any \
    signal-range=-86..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=3s disabled=no interface=any \
    signal-range=-120..-87 ssid-regexp=""
/interface vlan
add interface=*154 name=vlan71-eoip vlan-id=71
/caps-man manager
# bad package path
set enabled=yes package-path=/pub upgrade-policy=suggest-same-version
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    cfg_wifi350-5ghz name-format=prefix-identity name-prefix=5G \
    slave-configurations=cfg_guest-5ghz
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    cfg_wifi350-2ghz name-format=prefix-identity name-prefix=2G \
    slave-configurations=cfg_guest-2ghz,cfg_wifi35t-2ghz
/interface bridge port
add bridge=bridge-51-Client-Admin ingress-filtering=no interface=\
    vlan51-Client-Admin
add bridge=bridge-52-Client-General ingress-filtering=no interface=\
    vlan52-Client-General
add bridge=bridge-53-Client-Kids ingress-filtering=no interface=\
    vlan53-Client-Kids
add bridge=bridge-54-Client-Guest ingress-filtering=no interface=\
    vlan54-Client-Guest
add bridge=bridge-61-IOT-Media ingress-filtering=no interface=\
    vlan61-IOT-Media
add bridge=bridge-62-IOT-HA ingress-filtering=no interface=vlan62-IOT-HA
add bridge=bridge-63-IOT-CCTV ingress-filtering=no interface=vlan63-IOT-CCTV
add bridge=bridge-71-Servers-General ingress-filtering=no interface=\
    vlan71-Servers-General
add bridge=bridge-81-Servers-DMZ ingress-filtering=no interface=\
    vlan81-Servers-DMZ
add bridge=bridge-82-VOIP ingress-filtering=no interface=vlan82-VOIP
add bridge=bridge-99-Management ingress-filtering=no interface=\
    vlan99-Management
add bridge=bridge-vlans-LocalCAP ingress-filtering=no interface=ether1-LAN
add bridge=bridge-82-VOIP hw=no ingress-filtering=no interface=ether3-Voip
add bridge=bridge-71-Servers-General hw=no ingress-filtering=no interface=\
    ether4-SqueezeboxKitchen
add bridge=bridge-71-Servers-General ingress-filtering=no interface=\
    vlan71-eoip
add bridge=bridge-vlans-LocalCAP ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge-51-Client-Admin list=List-LAN
add interface=bridge-52-Client-General list=List-LAN
add interface=bridge-51-Client-Admin list="List-All Client"
add interface=bridge-52-Client-General list="List-All Client"
add interface=bridge-53-Client-Kids list="List-All Client"
add interface=bridge-54-Client-Guest list="List-All Client"
add interface=bridge-71-Servers-General list="List-All Servers"
add interface=bridge-81-Servers-DMZ list="List-All Servers"
add interface=*D4 list=mactel
add interface=bridge-71-Servers-General list=List-LAN
add interface=bridge-99-Management list=List-LAN

/interface wireless cap
# 
set bridge=bridge-vlans-LocalCAP discovery-interfaces=bridge-99-Management \
    enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.31.253/24 interface=ether2-WAN-RB951G network=\
    192.168.31.0
add address=192.168.51.254/24 interface=bridge-51-Client-Admin network=\
    192.168.51.0
add address=192.168.52.254/24 interface=bridge-52-Client-General network=\
    192.168.52.0
add address=192.168.53.254/24 interface=bridge-53-Client-Kids network=\
    192.168.53.0
add address=192.168.54.254/24 interface=bridge-54-Client-Guest network=\
    192.168.54.0
add address=192.168.61.254/24 interface=bridge-61-IOT-Media network=\
    192.168.61.0
add address=192.168.62.254/24 interface=bridge-62-IOT-HA network=192.168.62.0
add address=192.168.63.254/24 interface=bridge-63-IOT-CCTV network=\
    192.168.63.0
add address=192.168.71.254/24 interface=bridge-71-Servers-General network=\
    192.168.71.0
add address=192.168.81.254/24 interface=bridge-81-Servers-DMZ network=\
    192.168.81.0
add address=192.168.82.254/24 interface=bridge-82-VOIP network=192.168.82.0
add address=192.168.99.254/24 interface=bridge-99-Management network=\
    192.168.99.0
 
Marino
Frequent Visitor
Posts: 65
Joined: Sun Jun 14, 2015 7:26 pm

Re: wifi roaming to another CAP, no traffic passed for a few minutes.

Fri Nov 11, 2022 10:27 pm

The wifi roaming traffic flow delay might be an ARP issue. Try enabling arp-proxy in the ARP Datapath settings in CAPSMAN.
 
a752412341
Frequent Visitor
Topic Author
Posts: 67
Joined: Sat Feb 14, 2015 8:01 pm

Re: wifi roaming to another CAP, no traffic passed for a few minutes.

Sat Nov 12, 2022 12:29 am

Oh, wow, thank you. I tried that and it works, roaming between APs now works again without a delay.

Is this a resolution or a band-aid?! Do I have a misconfiguration elsewhere? I've not come across proxy-arp before in the example CAPSMAN configs.

Thanks again.
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: wifi roaming to another CAP, no traffic passed for a few minutes.

Sat Nov 12, 2022 12:32 am

As you are using local forwarding (from each Wireless Access-point perspective), maybe the source of the problem is on your LAN switches, which refuse to accept the movement of a client mac-address from one Wireless Access-point to another.

I assume you have managed switches because you are using vlans; sometimes a security feature on managed switches can be responsible for that problem.
 
a752412341
Frequent Visitor
Topic Author
Posts: 67
Joined: Sat Feb 14, 2015 8:01 pm

Re: wifi roaming to another CAP, no traffic passed for a few minutes.

Sat Nov 12, 2022 12:39 am

Thank you.

The switches are Mikrotik CSS326s, Here's the VLAN page. Does that look correct?
Screenshot 2022-11-11 223718.png
I also have several bridges configured on the router (this config originated in 2013), one for each vlan. Should I be looking to consolidate down to 1 bridge, with the vlans hanging off it?
 
a752412341
Frequent Visitor
Topic Author
Posts: 67
Joined: Sat Feb 14, 2015 8:01 pm

Re: wifi roaming to another CAP, no traffic passed for a few minutes.

Sat Nov 12, 2022 1:02 am

> LAN switches which refuse to accept the movement of client mac-address from one Wireless Access-point to another

Could I test this by plugging a pc into a physical switch port and then moving it to another port on the same vlan and checking traffic flow?
 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: wifi roaming to another CAP, no traffic passed for a few minutes.

Sat Nov 12, 2022 1:12 am

>> LAN switches which refuse to accept the movement of client mac-address from one Wireless Access-point to another
>
> Could I test this by plugging a pc into a physical switch port and then moving it to another port on the same vlan and checking traffic flow?

I suggest you follow, using the switch Hosts tab, the MAC address of the wireless device trying to roam, to see if that MAC is effectively moving from the ethernet port of the previous Access-point to the ethernet port of the second Access-point.

Please back up your switch configuration before making any change.

Check on the System tab and enable IVL (independent vlan lookup) so you can see the VLAN tag on the Hosts table of the switch.
Also check if your port isolation configuration can be related.
Also check the DHCP & PPPoE Snooping configuration.

edited at 23:29 UTC
 
Marino
Frequent Visitor
Posts: 65
Joined: Sun Jun 14, 2015 7:26 pm

Re: wifi roaming to another CAP, no traffic passed for a few minutes.

Sat Nov 12, 2022 1:09 pm

> Oh, wow, thank you. I tried that and it works, roaming between APs now works again without a delay.
>
> Is this a resolution or a band-aid?! Do I have a misconfiguration elsewhere? I've not come across proxy-arp before in the example CAPSMAN configs.
>
> Thanks again.

In my view it's a resolution. Just leave it like that. It also saves you mac address lookups passes on your network. Especially when you connect wireless devices on different AP's and roam with one of the devices.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: wifi roaming to another CAP, no traffic passed for a few minutes.

Sat Nov 12, 2022 3:38 pm

> It also saves you mac address lookups passes on your network.

MAC address lookups (ARP who has) are only done by L3 devices looking for L2 address of L3 peers when they want to communicate with each other. Since wireless roaming (if network is set up correctly) doesn't change clients' L2 addresses (as seen by the rest of network), roaming doesn't cause any of MAC address lookups. From this perspective using proxy-arp on APs can actually cause problems.

Client roaming does cause ARP tables changes ... however entries in ARP tables expire sooner than in a "few minutes" ... either that or they don't expire at all. If pauses are literally "few minutes", then this is ample enough to debug things to see where things are breaking.

And yes, check if ARP tables change as they should and in timely manner.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: wifi roaming to another CAP, no traffic passed for a few minutes.

Sat Nov 12, 2022 4:00 pm

> Could I test this by plugging a pc into a physical switch port and then moving it to another port on the same vlan and checking traffic flow?

Possibly not ... when you unplug anything from physical switch port, switch will detect link down (and possibly purge related entries in ARP table even before inactivity timer expiry). Similarly when you plug some active device in physical switch port, switch will detect link up and enter (possibly lengthy) procedure of enabling the port. Which can take quite some time if any of xSTP protocols (or proprietary variants) are active. Again, it would surprise me though if this could explain pauses with duration of "few minutes".

The same can happen on wifi AP: default config is to detect wireless interface inactivity (wireless interface becomes inactive if it doesn't have any client connected) and if it's inactive, bridge toggles it as "down". When the first wireless client connects, interface state changes to not-inactive and consequently bridge toggles it as "up" which triggers the mentioned "port up" procedures. It is possible to disable "inactivity detection" by setting disable-running-check=yes property on wireless interfaces (both physical and virtual). But again: this doesn't explain pauses lasting "few minutes".

If the pauses are not really lasting that long, please write a better approximation of pause lengths because different problems can cause pauses of different lengths and knowing exact length can help debugging the problem.
 
Marino
Frequent Visitor
Posts: 65
Joined: Sun Jun 14, 2015 7:26 pm

Re: wifi roaming to another CAP, no traffic passed for a few minutes.

Sat Nov 12, 2022 4:21 pm

>> It also saves you mac address lookups passes on your network.
>
> MAC address lookups (ARP who has) are only done by L3 devices looking for L2 address of L3 peers when they want to communicate with each other. Since wireless roaming (if network is set up correctly) doesn't change clients' L2 addresses (as seen by the rest of network), roaming doesn't cause any of MAC address lookups. From this perspective using proxy-arp on APs can actually cause problems.

What if there's a layer 2 device in place and the access point is on another port?
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: wifi roaming to another CAP, no traffic passed for a few minutes.

Sat Nov 12, 2022 4:40 pm

Without any proxy ARP mish mash, both devices talking (e.g. wireless client and NAS server) will keep using same MAC addresses when talking to each other even if wireless client roams between APs connected to same L2 network (this is an important detail, some people miss it). If wireless client moves to another AP, wired network will eventually see same MAC address, but some ARP tables need to change (because MAC address becomes accessible behind different port). If some switch doesn't update ARP table, then it'll keep pushing frames through (now) wrong port and those frames will never reach correct AP and thus won't reach client. What normally happens is that switch will update ARP table if it receives frame with known src-MAC-address through different ingress port, but that requires wireless client to send packet to NAS server (as per example). If traffic from certain MAC address ceases, then switch will drop corresponding ARP table entry after expiry timer expires. Any frames targeting "forgotten" MAC will be pushed out via all eligible ports (e.g. all that are members of the correct VLAN) except through ingress port (to avoid loops) and this "flooding" will continue until switch sees a frame with matching src-mac-address arrive via one of its ports, at this moment it'll create correct entry in ARP table.
Sure thing, switch can analyse ARP who has interchanges to learn surrounding topology, but typically doesn't take part in them.

The same principle applies to all switches and bridges ... APs typically bridge wireless and wired interfaces, hence it applies to them as well.
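
Added example (not code from any poster in this thread): a toy learning switch in Python that plays out the behaviour described in the post above: learn on source MAC, forward to the learned port, flood when the destination is unknown, and age out silent entries. The MAC addresses, port names and the 300-second ageing timer are assumptions made for the illustration; `table` is what the post calls the switch's ARP table.

```python
from dataclasses import dataclass, field

CLIENT = "02:00:00:00:00:01"  # constructed MAC addresses, not from the thread
NAS = "02:00:00:00:00:02"
PORTS = ("ap-kitchen", "ap-guest", "nas")  # hypothetical switch port names


@dataclass
class LearningSwitch:
    ports: tuple = PORTS
    ageing: int = 300                          # seconds; assumed ageing timer
    table: dict = field(default_factory=dict)  # MAC -> (port, last_seen)

    def receive(self, now, ingress, src, dst):
        """Handle one frame and return the list of egress ports."""
        # Drop entries whose source has been silent for the whole ageing period.
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if now - t < self.ageing}
        # Learn, or move, the source MAC to the port the frame arrived on.
        self.table[src] = (ingress, now)
        if dst not in self.table:
            # Unknown destination: flood everywhere except the ingress port.
            return [p for p in self.ports if p != ingress]
        port = self.table[dst][0]
        return [] if port == ingress else [port]


def roam(client_sends_after_roam):
    """Client moves from ap-kitchen to ap-guest at t=10; return the timeline.

    Each timeline entry is (time, egress_ports, frame_reached_its_target).
    """
    sw = LearningSwitch()
    log = []

    def step(now, ingress, src, dst, client_port):
        egress = sw.receive(now, ingress, src, dst)
        # A frame for the client only arrives if it leaves via the client's AP.
        reached = dst != CLIENT or client_port in egress
        log.append((now, egress, reached))

    step(0, "ap-kitchen", CLIENT, NAS, "ap-kitchen")   # NAS unknown: flooded
    step(1, "nas", NAS, CLIENT, "ap-kitchen")          # client known: unicast
    # t=10: client re-associates to ap-guest; the switch has seen nothing yet.
    step(11, "nas", NAS, CLIENT, "ap-guest")           # stale entry: lost
    if client_sends_after_roam:
        step(12, "ap-guest", CLIENT, NAS, "ap-guest")  # entry moves to ap-guest
        step(13, "nas", NAS, CLIENT, "ap-guest")       # delivered again
    else:
        step(299, "nas", NAS, CLIENT, "ap-guest")      # still stale: lost
        step(300, "nas", NAS, CLIENT, "ap-guest")      # aged out: flooded
    return log


if __name__ == "__main__":
    for talks in (True, False):
        print("client sends after roam:", talks)
        for now, egress, reached in roam(talks):
            print(f"  t={now:>3}s egress={egress} reached={reached}")
```

In the silent-client run the only thing that restores delivery is the ageing timer, which is why watching the roaming MAC in the switch Hosts table, as suggested earlier in the thread, shows whether the entry actually moves.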
 
a752412341
Frequent Visitor
Topic Author
Posts: 67
Joined: Sat Feb 14, 2015 8:01 pm

Re: wifi roaming to another CAP, no traffic passed for a few minutes.

Sun Nov 13, 2022 4:17 am

Thank you for all the comments, I have done some more testing as follows:-

Setup:-
I disabled proxy-arp on all 2GHz and 5GHz SSIDs my iphone uses (SSIDs are the same)
I disabled the CAPsMAN provisioning rule for my 5ghz SSIDs and restarted CAPsMAN - so I'm just testing on 2.4 for now. As an aside my iphone kept the same mac address across 2GHz and 5GHz which surprised me.
There are 3 access points around the house (more outside, but I didn't connect to those during this test). One is my main router (hAP ac) running CAPsMAN, the other 2 are wAPacs.
Timeline as follows
0:00 - Started off connected to wAPac1-kitchen. Internet access ok. Moved iphone to guest room. Connects to wAPac 2-Guestroom. Switches show the move to the new AP on a different port. Internet ok. CAPsMAN log shows associated with new AP. All Good. :)



0:02 - moved back to kitchen. Connects back to original waPac1-Kitchen. Internet access ok. Switches show the move back to the kitchen AP. CAPsMAN log shows associated back with original AP. All Good :)

0:04 - moved to living room. Connects to main router AP (which runs CAPsMAN) . Internet access NOT ok. pages time out. Switches show the move to the main router. CAPsMAN log shows associated with main Router. :(

0:06 - internet page has loaded, but very slow. :(

0:08 - internet speed returns to normal. No additional entries to the CAPS log. :?

0:09 - moved back to kitchen. Not connected to any AP. "disassoc" messages in log despite good signal. (see screenshot) :(
Screenshot 2022-11-13 013438.png
0:13 - connects to kitchen. Internet access ok. Speed ok. :)

Summary:
  • I can roam between my other CAPs with no problems, but if I try and connect to the CAP in my main router, then there are problems.
  • I think the switches are behaving properly and the mac addresses are moving around as I roam.
  • Apologies, I think I misled yesterday when I said proxy-arp fixed the problem. It hasn't. In my quick test yesterday my phone didn't try and connect to my main router, which is why it didn't display the problems.
Here's my capsman, and interface config from my main router, as I surmise the problem is there? Any pointers much appreciated.

[admin@hAPac-Main Router] /caps-man> export hide-sensitive 
# nov/13/2022 02:06:14 by RouterOS 7.4.1
# software id = NG1Y-BM7M
#
# model = RouterBOARD 962UiGS-5HacT2HnT
/caps-man channel
add name=LowPower tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled name=2ghz tx-power=10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee name=5ghz tx-power=20
add band=2ghz-g/n control-channel-width=5mhz extension-channel=disabled name="2ghz-High Power" tx-power=20
/caps-man rates
add basic=6Mbps name=GN supported=6Mbps vht-basic-mcs=""
add basic=5.5Mbps,11Mbps,6Mbps,9Mbps,12Mbps,18Mbps name=IOT supported=5.5Mbps,11Mbps,6Mbps,9Mbps,12Mbps,18Mbps
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=wifi350
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=wifi35t
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=guest
/caps-man configuration
add channel=5ghz country="united kingdom" datapath.arp=proxy-arp .client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=71 .vlan-mode=use-tag mode=ap name=cfg_wifi350-5ghz rates=GN \
    security=wifi350 ssid=wifi350
add channel=2ghz country="united kingdom" datapath.client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=54 .vlan-mode=use-tag mode=ap name=cfg_guest-2ghz rates=GN security=guest \
    ssid=guest2
add channel=2ghz country="united kingdom" datapath.client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=62 .vlan-mode=use-tag mode=ap multicast-helper=full name=cfg_wifi35t-2ghz \
    rates=GN security=wifi35t ssid=wifi35t
add channel=2ghz country="united kingdom" datapath.arp=proxy-arp .client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=71 .vlan-mode=use-tag mode=ap name=cfg_wifi350-2ghz rates=GN \
    security=wifi350 ssid=wifi350
add channel=5ghz country="united kingdom" datapath.client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=54 .vlan-mode=use-tag mode=ap name=cfg_guest-5ghz rates=GN security=guest \
    ssid=guest
/caps-man access-list
add action=accept comment=OfficeSqueezebox disabled=yes mac-address=00:04:20:1E:3F:F6 ssid-regexp="" vlan-id=71 vlan-mode=use-tag
add action=accept comment="Playroom Squeezebox" disabled=yes mac-address=00:04:20:1E:3F:5A ssid-regexp="" vlan-id=71 vlan-mode=use-tag
add comment="Kitchen Squeezebox" disabled=yes mac-address=00:04:20:26:98:36 ssid-regexp="" vlan-id=71 vlan-mode=use-tag
add action=accept comment="phone" disabled=yes mac-address=14:1A:A3:98:4B:57 ssid-regexp="" vlan-id=62 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s disabled=yes interface=any signal-range=-80..0 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=yes interface=any signal-range=-120..-83 ssid-regexp=""
add action=accept allow-signal-out-of-range=3s disabled=no interface=any signal-range=-86..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=3s disabled=no interface=any signal-range=-120..-87 ssid-regexp=""
/caps-man manager
# bad package path
set enabled=yes package-path=/pub upgrade-policy=suggest-same-version
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=cfg_wifi350-5ghz name-format=prefix-identity name-prefix=5G slave-configurations=cfg_guest-5ghz
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg_wifi350-2ghz name-format=prefix-identity name-prefix=2G slave-configurations=cfg_guest-2ghz,cfg_wifi35t-2ghz

[admin@hAPac-Main Router] /interface> export hide-sensitive 
# nov/13/2022 02:10:12 by RouterOS 7.4.1
# software id = NG1Y-BM7M
#
# model = RouterBOARD 962UiGS-5HacT2HnT
/interface bridge
add name=bridge-51-Client-Admin
add name=bridge-52-Client-General
add name=bridge-53-Client-Kids
add name=bridge-54-Client-Guest
add name=bridge-61-IOT-Media
add name=bridge-62-IOT-HA
add name=bridge-63-IOT-CCTV
add name=bridge-71-Servers-General
add name=bridge-81-Servers-DMZ
add name=bridge-82-VOIP
add name=bridge-99-Management
add admin-mac=6C:3B:6B:44:98:40 auto-mac=no name=bridge-vlans-LocalCAP
/interface ethernet
set [ find default-name=ether1 ] comment="downlink to switches" name=ether1-LAN speed=100Mbps
set [ find default-name=ether2 ] comment=RB951G-uplink l2mtu=1526 mtu=1508 name=ether2-WAN-RB951G speed=100Mbps
set [ find default-name=ether3 ] l2mtu=1526 name=ether3-Voip speed=100Mbps
set [ find default-name=ether4 ] name=ether4-SqueezeboxKitchen speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n bridge-mode=disabled channel-width=20/40mhz-eC country="united kingdom" frequency=auto mode=ap-bridge ssid=MikroTik station-roaming=enabled \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 country=no_country_set frequency-mode=manual-txpower ssid=MikroTik station-roaming=enabled
/interface vlan
add interface=bridge-vlans-LocalCAP name=vlan51-Client-Admin vlan-id=51
add interface=bridge-vlans-LocalCAP name=vlan52-Client-General vlan-id=52
add interface=bridge-vlans-LocalCAP name=vlan53-Client-Kids vlan-id=53
add interface=bridge-vlans-LocalCAP name=vlan54-Client-Guest vlan-id=54
add interface=bridge-vlans-LocalCAP name=vlan61-IOT-Media vlan-id=61
add interface=bridge-vlans-LocalCAP name=vlan62-IOT-HA vlan-id=62
add interface=bridge-vlans-LocalCAP name=vlan63-IOT-CCTV vlan-id=63
add interface=bridge-vlans-LocalCAP name=vlan71-Servers-General vlan-id=71
add interface=bridge-vlans-LocalCAP name=vlan81-Servers-DMZ vlan-id=81
add interface=bridge-vlans-LocalCAP name=vlan82-VOIP vlan-id=82
add interface=bridge-vlans-LocalCAP name=vlan99-Management vlan-id=99
/interface ethernet switch port
set 1 default-vlan-id=0 vlan-mode=fallback
set 2 default-vlan-id=0 vlan-mode=fallback
set 3 default-vlan-id=0 vlan-mode=fallback
set 4 default-vlan-id=0 vlan-mode=fallback
set 5 default-vlan-id=0 vlan-mode=fallback
/interface list
add name=List-LAN
add name="List-All Client"
add name="List-All Servers"
add name="List-All Clients exc. Kids"
add name=mactel
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=temp2wifi350 supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=tempwifi350 supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=tempguest supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=KitchenOffice supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=wifi350-wds supplicant-identity=""
/interface wireless
add keepalive-frames=disabled mac-address=6E:3B:6B:44:98:4A master-interface=wlan2 mode=station-wds multicast-buffering=disabled name=wlan3 security-profile=wifi350-wds ssid=wifi350-wds \
    station-roaming=enabled wds-cost-range=0 wds-default-bridge=bridge-71-Servers-General wds-default-cost=0 wds-mode=dynamic-mesh wps-mode=disabled
/interface vlan
add interface=*154 name=vlan71-eoip vlan-id=71
/interface bridge port
add bridge=bridge-51-Client-Admin ingress-filtering=no interface=vlan51-Client-Admin
add bridge=bridge-52-Client-General ingress-filtering=no interface=vlan52-Client-General
add bridge=bridge-53-Client-Kids ingress-filtering=no interface=vlan53-Client-Kids
add bridge=bridge-54-Client-Guest ingress-filtering=no interface=vlan54-Client-Guest
add bridge=bridge-61-IOT-Media ingress-filtering=no interface=vlan61-IOT-Media
add bridge=bridge-62-IOT-HA ingress-filtering=no interface=vlan62-IOT-HA
add bridge=bridge-63-IOT-CCTV ingress-filtering=no interface=vlan63-IOT-CCTV
add bridge=bridge-71-Servers-General ingress-filtering=no interface=vlan71-Servers-General
add bridge=bridge-81-Servers-DMZ ingress-filtering=no interface=vlan81-Servers-DMZ
add bridge=bridge-82-VOIP ingress-filtering=no interface=vlan82-VOIP
add bridge=bridge-99-Management ingress-filtering=no interface=vlan99-Management
add bridge=bridge-vlans-LocalCAP ingress-filtering=no interface=ether1-LAN
add bridge=bridge-82-VOIP hw=no ingress-filtering=no interface=ether3-Voip
add bridge=bridge-71-Servers-General hw=no ingress-filtering=no interface=ether4-SqueezeboxKitchen
add bridge=bridge-71-Servers-General ingress-filtering=no interface=vlan71-eoip
add bridge=bridge-vlans-LocalCAP ingress-filtering=no interface=ether5
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=bridge-51-Client-Admin list=List-LAN
add interface=bridge-52-Client-General list=List-LAN
add interface=bridge-51-Client-Admin list="List-All Client"
add interface=bridge-52-Client-General list="List-All Client"
add interface=bridge-53-Client-Kids list="List-All Client"
add interface=bridge-54-Client-Guest list="List-All Client"
add interface=bridge-71-Servers-General list="List-All Servers"
add interface=bridge-81-Servers-DMZ list="List-All Servers"
add interface=*D4 list=mactel
add interface=bridge-71-Servers-General list=List-LAN
add interface=bridge-99-Management list=List-LAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=vpn enabled=yes keepalive-timeout=disabled require-client-certificate=yes
/interface wireless cap
set bridge=bridge-vlans-LocalCAP discovery-interfaces=bridge-99-Management interfaces=wlan1,wlan2
[admin@hAPac-Main Router] /interface> 

 
chechito
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: wifi roaming to another CAP, no traffic passed for a few minutes.  [SOLVED]

Sun Nov 13, 2022 5:03 am

I think you have done good testing, isolating the problem on the main router and radio.

I think your problem resides in the way you build your bridge-VLAN structure, and that is creating some strange bridge behavior.

You are doing it the way it was done in version 6.40 and before; 3 years ago, with 6.41, MikroTik introduced a new way of doing it called Bridge VLAN Filtering.

Before trying to rebuild your bridge VLAN structure, try disabling RSTP/STP on all bridges
protocol-mode=none
to see if that helps; if not, you must rebuild your structure.

For that rebuild I suggest using a single bridge, with all VLANs configured on it.

Info about this and other layer 2 misconfiguration problems:
https://help.mikrotik.com/docs/display/ ... linterface

guides about Bridge VLAN Filtering
https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering
https://help.mikrotik.com/docs/display/ ... NFiltering

PS

In the other topic you opened, things are going toward bridge issues too.
 
Nomore
just joined
Posts: 1
Joined: Sun Aug 07, 2022 9:10 pm

Re: wifi roaming to another CAP, no traffic passed for a few minutes.

Sun Nov 13, 2022 9:19 pm

I have exactly the same problem, except that my system is much more simple and only consists of the main router and the second one configured as CPE with the same wireless SSID. Almost every time my phone switches from one AP to another, I get "connected without Internet" message, and it starts working normally in a few minutes (sometimes faster if I disable and re-enable WiFi on the phone). All the devices permanently connected to either AP - wired or wirelessly - work perfectly fine. That's how it's been for several years now and firmware updates make no difference.
So I'll be watching this thread to see if anyone comes up with the solution.
 
a752412341
Frequent Visitor
Topic Author
Posts: 67
Joined: Sat Feb 14, 2015 8:01 pm

Re: wifi roaming to another CAP, no traffic passed for a few minutes.

Tue Nov 15, 2022 2:32 pm

Thank you all for your help. I've been reading up...!

I reconfigured and consolidated down to one bridge last night, and that seems to have done the trick. Wifi access seems more stable. Will test for another couple of days.

It is correct to add the bridge as tagged to each vlan isn't it? I have IP address based firewall rules that control the access between vlans.
eg.
add bridge=bridge1 comment=Client-Guest tagged=bridge1,ether1-LAN vlan-ids=54
[admin@hAPac-Main Router] /interface> export hide-sensitive 
# nov/15/2022 12:23:27 by RouterOS 7.4.1
# software id = NG1Y-BM7M
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 
/interface bridge
add ingress-filtering=no name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="downlink to switches" name=ether1-LAN speed=100Mbps
set [ find default-name=ether2 ] comment=RB951G-uplink l2mtu=1526 mtu=1508 name=ether2-WAN-RB951G speed=100Mbps
set [ find default-name=ether3 ] l2mtu=1526 name=ether3-Voip speed=100Mbps
set [ find default-name=ether4 ] name=ether4-SqueezeboxKitchen speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(7dBm), SSID: wifi350, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n bridge-mode=disabled channel-width=20/40mhz-eC country="united kingdom" disabled=no frequency=auto mode=ap-bridge ssid=MikroTik \
    station-roaming=enabled wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(20dBm), SSID: wifi350, local forwarding
set [ find default-name=wlan2 ] antenna-gain=0 country=no_country_set disabled=no frequency-mode=manual-txpower ssid=MikroTik station-roaming=enabled
/interface vlan
add interface=bridge1 name=vlan51-Client-Admin vlan-id=51
add interface=bridge1 name=vlan52-Client-General vlan-id=52
add interface=bridge1 name=vlan53-Client-Kids vlan-id=53
add interface=bridge1 name=vlan54-Client-Guest vlan-id=54
add interface=bridge1 name=vlan61-IOT-Media vlan-id=61
add interface=bridge1 name=vlan62-IOT-HA vlan-id=62
add interface=bridge1 name=vlan63-IOT-CCTV vlan-id=63
add interface=bridge1 name=vlan71-Servers-General vlan-id=71
add interface=bridge1 name=vlan81-Servers-DMZ vlan-id=81
add interface=bridge1 name=vlan82-VOIP vlan-id=82
add interface=bridge1 name=vlan99-Management vlan-id=99
/interface ethernet switch port
set 1 default-vlan-id=0 vlan-mode=fallback
set 2 default-vlan-id=0 vlan-mode=fallback
set 3 default-vlan-id=0 vlan-mode=fallback
set 4 default-vlan-id=0 vlan-mode=fallback
set 5 default-vlan-id=0 vlan-mode=fallback
/interface list
add name=List-LAN
add name="List-All Client"
add name="List-All Servers"
add name="List-All Clients exc. Kids"
add name=mactel
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" supplicant-identity=MikroTik
/interface wireless
add keepalive-frames=disabled mac-address=6E:3B:6B:44:98:4A master-interface=wlan2 mode=station-wds multicast-buffering=disabled name=wlan3 security-profile=*5 ssid=wifi350-wds \
    station-roaming=enabled wds-cost-range=0 wds-default-bridge=*37 wds-default-cost=0 wds-mode=dynamic-mesh wps-mode=disabled
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1-LAN
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged hw=no interface=ether3-Voip pvid=82
add bridge=*37 disabled=yes ingress-filtering=no interface=ether4-SqueezeboxKitchen
add bridge=*132 disabled=yes ingress-filtering=no interface=ether5
/interface bridge vlan
add bridge=bridge1 comment=Client-Admin tagged=ether1-LAN vlan-ids=51
add bridge=bridge1 comment=Client-General tagged=bridge1,ether1-LAN vlan-ids=52
add bridge=bridge1 comment=Client-Kids tagged=bridge1,ether1-LAN vlan-ids=53
add bridge=bridge1 comment=Client-Guest tagged=bridge1,ether1-LAN vlan-ids=54
add bridge=bridge1 comment=IOT-Media tagged=bridge1,ether1-LAN vlan-ids=61
add bridge=bridge1 comment=IOT-HA tagged=bridge1,ether1-LAN vlan-ids=62
add bridge=bridge1 comment=IOT-CCTV tagged=bridge1,ether1-LAN vlan-ids=63
add bridge=bridge1 comment=General tagged=bridge1,ether1-LAN vlan-ids=71
add bridge=bridge1 comment=DMZ tagged=bridge1,ether1-LAN vlan-ids=81
add bridge=bridge1 comment=VOIP tagged=bridge1,ether1-LAN untagged=ether3-Voip vlan-ids=82
add bridge=bridge1 comment=Management tagged=bridge1,ether1-LAN vlan-ids=99
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=vlan71-Servers-General list=List-LAN
add interface=vlan99-Management list=List-LAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 default-profile=vpn enabled=yes keepalive-timeout=disabled require-client-certificate=yes
/interface wireless cap
# 
set bridge=bridge1 discovery-interfaces=vlan99-Management enabled=yes interfaces=wlan1,wlan2
[admin@hAPac-Main Router] /interface> 

 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: wifi roaming to another CAP, no traffic passed for a few minutes.

Tue Nov 15, 2022 11:21 pm

It is correct to add the bridge as tagged to each vlan isn't it?

It is correct to add the bridge interface as tagged to each vlan that router has to interact with.

If device is used as switch or AP and doesn't interact with some vlan, then bridge interface doesn't have to be member of that vlan.
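The rule in the answer above can be checked mechanically against an export. The following is an added example, not part of the original posts or MikroTik tooling: a Python sketch that parses a RouterOS `/interface` export and lists every VLAN interface sitting on a VLAN-filtering bridge whose `/interface bridge vlan` entry does not name the bridge itself as tagged. The sample text is trimmed from the export posted in this thread; the function names are hypothetical.

```python
import re
import shlex

# Sample input: trimmed from the /interface export posted in this thread.
SAMPLE_EXPORT = """\
/interface bridge
add ingress-filtering=no name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan51-Client-Admin vlan-id=51
add interface=bridge1 name=vlan54-Client-Guest vlan-id=54
add interface=bridge1 name=vlan82-VOIP vlan-id=82
/interface bridge vlan
add bridge=bridge1 comment=Client-Admin tagged=ether1-LAN vlan-ids=51
add bridge=bridge1 comment=Client-Guest tagged=bridge1,ether1-LAN vlan-ids=54
add bridge=bridge1 comment=VOIP tagged=bridge1,ether1-LAN \\
    untagged=ether3-Voip vlan-ids=82
"""


def parse_export(text):
    """Return {menu_path: [{key: value}, ...]} for the 'add' lines of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    sections, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            tokens = shlex.split(line[4:])  # honours quoted values
            row = dict(t.split("=", 1) for t in tokens if "=" in t)
            sections.setdefault(menu, []).append(row)
    return sections


def expand_ids(spec):
    """Expand a vlan-ids value such as '51' or '10-12,20' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def vlans_missing_bridge(text):
    """VLAN interfaces on a filtering bridge whose VLAN lacks the bridge as tagged."""
    cfg = parse_export(text)
    bridges = {b["name"] for b in cfg.get("/interface bridge", [])
               if b.get("vlan-filtering") == "yes"}
    tagged_on = set()  # (bridge, vlan-id) pairs where the bridge is a tagged member
    for row in cfg.get("/interface bridge vlan", []):
        if row.get("bridge") in row.get("tagged", "").split(","):
            tagged_on |= {(row["bridge"], v) for v in expand_ids(row["vlan-ids"])}
    return sorted(
        (v["name"], int(v["vlan-id"]))
        for v in cfg.get("/interface vlan", [])
        if v["interface"] in bridges
        and (v["interface"], int(v["vlan-id"])) not in tagged_on
    )


if __name__ == "__main__":
    for name, vid in vlans_missing_bridge(SAMPLE_EXPORT):
        print(f"{name}: bridge is not a tagged member of VLAN {vid}")
```

On the sample it reports `vlan51-Client-Admin`, whose bridge VLAN entry lists only `ether1-LAN` as tagged.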
 
Marino
Frequent Visitor
Posts: 65
Joined: Sun Jun 14, 2015 7:26 pm

Re: wifi roaming to another CAP, no traffic passed for a few minutes.

Wed Nov 16, 2022 9:40 pm

Without any proxy ARP mish mash, both devices talking (e.g. wireless client and NAS server) will keep using same MAC addresses when talking to each other even if wireless client roams between APs connected to same L2 network (this is an important detail, some people miss it). If wireless client moves to another AP, wired network will eventually see same MAC address, but some ARP tables need to change (because MAC address becomes accessible behind different port). If some switch doesn't update ARP table, then it'll keep pushing frames through (now) wrong port and those frames will never reach correct AP and thus won't reach client. What normally happens is that switch will update ARP table if it receives frame with known src-MAC-address through different ingress port, but that requires wireless client to send packet to NAS server (as per example). If traffic from certain MAC address ceases, then switch will drop corresponding ARP table entry after expiry timer expires. Any frames targeting "forgotten" MAC will be pushed out via all eligible ports (e.g. all that are members of the correct VLAN) except through ingress port (to avoid loops) and this "flooding" will continue until switch sees a frame with matching src-mac-address arrive via one of its ports, at this moment it'll create correct entry in ARP table.
Sure thing, switch can analyse ARP who has interchanges to learn surrounding topology, but typically doesn't take part in them.

The same principle applies to all switches and bridges ... APs typically bridge wireless and wired interfaces, hence it applies to them as well.
Thanks for sharing and great explanation, much appreciated!
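The learning and expiry behaviour described in the quoted explanation, as an added example that is not part of the original posts: a small Python simulation of a switch's per-port MAC table while a client roams from the AP behind port 1 to the AP behind port 2. The MAC addresses, port numbers and the 300-second expiry timer are constructed assumptions, not values taken from the thread.

```python
class LearningSwitch:
    """Minimal L2 learning switch: MAC -> (port, last_seen), with expiry."""

    def __init__(self, ports, ageing=300):  # 300 s expiry timer: an assumption
        self.ports, self.ageing, self.table = set(ports), ageing, {}

    def forward(self, now, in_port, src, dst):
        """Learn src on in_port, then return the set of egress ports for dst."""
        self.table[src] = (in_port, now)
        entry = self.table.get(dst)
        if entry and now - entry[1] > self.ageing:
            del self.table[dst]              # timer expired: forget the MAC
            entry = None
        if entry is None:
            return self.ports - {in_port}    # unknown MAC: flood, except ingress
        return {entry[0]} - {in_port}


def roam_scenario(client_speaks_after_roam):
    """Return {time: delivered?} for NAS-to-client frames sent after the roam."""
    client, nas = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed MACs
    sw = LearningSwitch(ports={1, 2, 3})
    sw.forward(0, 1, client, nas)            # client learned behind port 1 (AP 1)
    sw.forward(1, 3, nas, client)            # NAS learned on port 3
    # t=10: the client roams to AP 2, which hangs off port 2
    if client_speaks_after_roam:
        sw.forward(11, 2, client, nas)       # first uplink frame moves the entry
    delivered = {}
    for t in (20, 200, 320):
        egress = sw.forward(t, 3, nas, client)
        delivered[t] = 2 in egress           # did the frame reach the new AP?
    return delivered


if __name__ == "__main__":
    print("client silent after roam:", roam_scenario(False))
    print("client sends after roam: ", roam_scenario(True))
```

With a silent client, frames keep leaving through the stale port until the entry expires and flooding begins; a single frame from the client after the roam moves the entry at once.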
 
kurio
newbie
Posts: 25
Joined: Sun Dec 22, 2013 6:15 pm

Re: wifi roaming to another CAP, no traffic passed for a few minutes.

Wed Jan 31, 2024 7:19 pm

The wifi roaming traffic flow delay might be an ARP issue. Try enabling arp-proxy in the ARP Datapath settings in CAPSMAN.
Hello,
How to do this in Capsman wifiwave2?
