Kaldek
Member Candidate
Topic Author
Posts: 111
Joined: Sat Jul 11, 2015 2:40 pm

CAPsMANv2 configuration for secondary SSIDs on different VLANs

Sat Apr 22, 2023 7:57 am

I have a couple of cAP ax units arriving in a few weeks so I wanted to prep my network for the Wifiwave2 package with CAPsMANv2.

It's pretty straightforward but requires some extra work, particularly if you have multiple SSIDs and those SSIDs are on VLANs other than VLAN 1. In the example below we have two SSIDs, with the first/master SSID on VLAN 1 (PVID 1) and the second/slave SSID on VLAN 10. Note that I do not go into detail about what the SSID names are, nor do I define the Master and Slave configurations here, as it's outside the scope of this post.

With CAPsMANv1, all the bridge port additions and VLAN settings on access points were configured automatically. In CAPsMANv2, they currently (as of v7.8) are not. This is particular to radios that only support 802.11ac, as I have not yet tested radios with 802.11ax support. The documentation seems to suggest that it *does* take care of it automatically on those radios, but it's best to be aware of the potential issue.

If you try to define VLANs in the datapath settings within a configuration profile, and then assign this configuration to an access point that only supports 802.11ac, you will receive an error of "vlan-id configured but interface does not support assigning vlans". The configuration I provide below resolves this issue (assuming you also remove the VLAN ID from the CAPsMAN configuration profile, as I have not tested this if you leave the setting in).

CAPsMAN config
Note that we do not define VLANs for the access point's WiFi interfaces here. This is all configured on the CAP (access point).
/interface wifiwave2 provisioning add action=create-enabled disabled=no master-configuration=config_MASTER slave-configurations=config_SLAVE
/interface wifiwave2 add configuration=config_MASTER configuration.mode=ap disabled=no name=cap-wifi1
/interface wifiwave2 add configuration=config_SLAVE configuration.mode=ap disabled=no master-interface=cap-wifi1 name=cap-wifi2

CAP (access point) config
In this example, the access point connection to other switches is ether1. On your device the slave interface (wifi6) could be named wifi5 or something else. It's dynamically created. The point being that you must manually add the interface as a port on the bridge, including its PVID.
/interface/wifiwave2/set wifi1,wifi2 configuration.manager=capsman
/interface wifiwave2 cap set caps-man-addresses=<IP_OF_CAPsMAN> enabled=yes

/interface bridge add name=bridge vlan-filtering=yes

/interface bridge port add bridge=bridge interface=ether1
/interface bridge port add bridge=bridge interface=wifi1
/interface bridge port add bridge=bridge interface=wifi6 pvid=10
 
/interface bridge vlan add bridge=bridge tagged=bridge,ether1 vlan-ids=10
Some disclaimers are necessary. This configuration leaves out a whole bunch of potential settings such as radio channels and security settings. It's not intended to provide guidance on those, which is why they are not here. That is not to say that you should not correctly define these settings to meet the needs of your radio environment.
Last edited by Kaldek on Mon May 01, 2023 11:29 am, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPsMANv2 configuration for secondary SSIDs on different VLANs

Sat Apr 22, 2023 4:16 pm

The only current way to get vlan and dynamic interfaces working on caps with capsman 2 is to disable vlan filtering on cap bridge.
Then it will work.

Will be fixed in a subsequent release, I was told by support.
 
Kaldek
Member Candidate
Topic Author
Posts: 111
Joined: Sat Jul 11, 2015 2:40 pm

Re: CAPsMANv2 configuration for secondary SSIDs on different VLANs

Sun Apr 23, 2023 12:57 am

The only current way to get vlan and dynamic interfaces working on caps with capsman 2 is to disable vlan filtering on cap bridge.
Then it will work.
That's a short statement with a lot of potential ramifications. For example, the PVID setting applied to ports in the bridge has no effect unless Bridge VLAN filtering is turned on. Without this, I don't even know how I would go about making sure that the secondary/slave interface was added to the right VLAN so that packets from the cap are tagged as they are sent to the router. Did you receive guidance on this? It sounds extremely complex to manage.
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPsMANv2 configuration for secondary SSIDs on different VLANs

Sun Apr 23, 2023 9:17 am

As said: Was instructed so by support.
I couldn't get it working so made a ticket.
After a bit of back and forth this is what they told me.
And it works.
Confirmed by other users, see 7.9rc thread.
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: CAPsMANv2 configuration for secondary SSIDs on different VLANs

Sun Apr 23, 2023 11:49 am

The only current way to get vlan and dynamic interfaces working on caps with capsman 2 is to disable vlan filtering on cap bridge.
Then it will work.

Will be fixed in a subsequent release, I was told by support.
Even without capsman, that's the way to have dynamic VLAN assignment by the driver (access list or RADIUS attribute based). The wireless driver must have access to all the needed VLANs as tagged. So disabling vlan filtering will make the bridge act as a dumb switch and forward all tagged packets to and from the wireless driver untouched. I expect defining the wireless driver port on the bridge as trunk or hybrid should work as well.
Makes sense to me. Don't see how this "per device or authenticated user" VLAN will ever work with VLANs handled only by the bridge, unless they are static.
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPsMANv2 configuration for secondary SSIDs on different VLANs

Sun Apr 23, 2023 3:07 pm

I understand what you say.

But when you do not use capsman and you want to use vlan on that device, it is completely different.
Then you need to treat the wifi port just like any other ports.
Also when using static interfaces for capsmanv2, it works that way (wifi1 and wifi2 interfaces).

Only when using slave interfaces and/or dynamic created interfaces, it needs to be without vlan filtering on bridge.
And there is only 1 setting on the bridge to do the filtering: on or off for everything.
At least, that's what my testing showed. I have disabled this workaround, waiting for the final solution.
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: CAPsMANv2 configuration for secondary SSIDs on different VLANs

Sun Apr 23, 2023 9:22 pm

Yep. Correct. What I wanted to indicate is that the bridge VLAN and the wifi interface VLAN must be set to untag (and tag in the receiving direction) the traffic just once.

Either done in the bridge (VLAN filtering on, wifi interface untagged) or it is done in the wifi driver (so the traffic from and to the bridge is tagged, either by adding the wifi interface as tagged to the VLAN, or by disabling the VLAN handling by the bridge (VLAN filtering not enabled)). If CAPsMAN v2, which is always doing local forwarding, is not able to set the wifi interface as tagged for that VLAN in the bridge, then this will not work with bridge VLAN filtering enabled. (Bridge default is adding interfaces as untagged.)

You know I'm not a CAPsMAN fan or user, and this again is for me an indication CAPsMAN limits the configuration options.
 
hifigraz
just joined
Posts: 6
Joined: Tue Aug 25, 2020 11:01 am

Re: CAPsMANv2 configuration for secondary SSIDs on different VLANs

Wed Jun 21, 2023 6:34 pm

I can confirm that this issue still exists.
 
brg3466
Member Candidate
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: CAPsMANv2 configuration for secondary SSIDs on different VLANs

Tue Aug 22, 2023 7:07 am

The only current way to get vlan and dynamic interfaces working on caps with capsman 2 is to disable vlan filtering on cap bridge.
Then it will work.

Will be fixed in a subsequent release, I was told by support.
Has this been solved? Now it is 7.11 stable, and have you tried enabling vlan filtering on CAP bridge?
 
kravemir
Frequent Visitor
Posts: 75
Joined: Sun Aug 13, 2023 10:55 am
Location: Slovakia

Re: CAPsMANv2 configuration for secondary SSIDs on different VLANs

Sat Sep 09, 2023 10:26 am

But when you do not use capsman and you want to use vlan on that device, it is completely different.
Then you need to treat the wifi port just like any other ports.
Also when using static interfaces for capsmanv2, it works that way (wifi1 and wifi2 interfaces).

Only when using slave interfaces and/or dynamic created interfaces, it needs to be without vlan filtering on bridge.
And there is only 1 setting on the bridge to do the filtering: on or off for everything.
At least, that's what my testing showed. I have disabled this workaround, waiting for the final solution.

Can confirm that creating static interfaces with the CAPsMAN action allows adding these created wifi interfaces to the bridge like any other port. However, one must also not set datapath, otherwise the wifi interface will be added to the bridge as a dynamic port - can't set VLAN settings for it. Works well also for slave interfaces.

You know I'm not a CAPsMAN fan or user, and this again is for me an indication CAPsMAN limits the configuration options.

Well, CAPsMAN is required for successful roaming according to the docs - https://help.mikrotik.com/docs/display/ROS/WifiWave2:

For a client device to successfully roam between 2 APs, the APs need to be managed by the same instance of RouterOS. For information on how to centrally manage multiple APs, see CAPsMAN

Which is somewhat in contradiction with the first half of this statement from the docs:

WifiWave2 CAPsMAN only passes wireless configuration to the CAP, all forwarding decisions are left to the CAP itself - there is no CAPsMAN forwarding mode.

It seems that WifiWave2 CAPsMAN is not just passing configuration, but also does some communication between CAPsMAN and CAPs in order to get roaming (802.11r) to work successfully.
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: CAPsMANv2 configuration for secondary SSIDs on different VLANs

Sat Sep 09, 2023 12:03 pm

Well, CAPsMAN is required for successful roaming according to the docs - https://help.mikrotik.com/docs/display/ROS/WifiWave2:

For a client device to successfully roam between 2 APs, the APs need to be managed by the same instance of RouterOS. For information on how to centrally manage multiple APs, see CAPsMAN
Yes, but this "same instance of RouterOS" is only needed for Fast Roaming (FT, 802.11r) AFAIK. Because Roaming works between independent MT APs, but needs the authentication time before restarting the data flow. If the APs are on the same L2 network, the (DHCP) IP address remains valid, and is not renewed. The NATted session in the edge router towards Internet remains the same. This is an acceptable delay for many applications, but not for "Voice".

(I expect the authentication to be done in the CAPsMAN controller, the only RouterOS instance that matters here. 802.11r standard tells about pre-authenticating different instances, but not with Mikrotik?)
Klembord-2.jpg
source: (https://www.tanaza.com/wifi-fast-roaming/)
 
kravemir
Frequent Visitor
Posts: 75
Joined: Sun Aug 13, 2023 10:55 am
Location: Slovakia

Re: CAPsMANv2 configuration for secondary SSIDs on different VLANs

Sat Sep 09, 2023 8:48 pm

Because Roaming works between independent MT APs, but needs the authentication time before restarting the data flow. If the APs are on the same L2 network, the (DHCP) IP address remains valid, and is not renewed. The NATted session in the edge router towards Internet remains the same. This is an acceptable delay for many applications, but not for "Voice".

This makes sense. A re-connection to a different AP on the same L2 network should result in device still being available under the same MAC address in same L2 broadcast domain, just at different physical/wire/wireless location. Therefore L3 should remain unaffected, or at least things that didn't timeout until the device got re-connected.

Yes, but this "same instance of RouterOS" is only needed for Fast Roaming (FT, 802.11r) ...

(I expect the authentication to be done in the CAPsMAN controller, the only RouterOS instance that matters here. 802.11r standard tells about pre-authenticating different instances, but not with Mikrotik?)
What about 802.11k and 802.11v? Do those still work?

Without centralized AP configuration via CAPsMAN, my devices were holding onto distant AP with weak signal for too long. Practically, until the signal was completely lost, even if the closest AP was literally 1 meter away, and the connection speed was like 1Mbit with many packets lost (iperf3 testing to a host connected on gigabit ethernet - almost full gigabit speed via wire).

Has this been solved? Now it is 7.11 stable, and have you tried enabling vlan filtering on CAP bridge?
No, it hasn't been solved. At least, not for hAP ac³. Though, I'm thinking of replacing it with hAP ax², as the hAP ac³ is a way too big black thing that attracts lots of attention.
 
jrosetto
Frequent Visitor
Posts: 68
Joined: Fri Feb 19, 2016 9:15 pm

Re: CAPsMANv2 configuration for secondary SSIDs on different VLANs

Tue Jan 30, 2024 8:12 pm

Tried again today to see if the VLAN issue was fixed but no joy.

In my setup I have a hAP AC2 and 2x cAP AC units. I was able to do the workaround for the cAP ACs, but the hAP AC2 will not accept the workaround, being the router as well, so I have had degraded wifi signal for some time now.

Please add this feature back.
Getting to the point of considering rolling back to 7.12 over this.
 
robmaltsystems
Long time Member
Posts: 555
Joined: Fri Jun 21, 2019 12:04 pm

Re: CAPsMANv2 configuration for secondary SSIDs on different VLANs

Sun Mar 10, 2024 8:27 pm

*sigh* one step forward, one step back. Experimenting with upgrading to CAPsMANv2 with legacy cAP ac devices. Tempted to go back to legacy wireless driver! Earlier posts here suggest this will be fixed in later versions but a year later and I've hit the same problem. Is there a definitive article on how to get a guest VLAN working? The suggestions early on are for the wave2 syntax so a bit reluctant to even try if it's all changed.

Is the workaround to configure the VLAN on the cAP ac itself? I thought that all the settings were disabled when using CAPsMAN?
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPsMANv2 configuration for secondary SSIDs on different VLANs

Sun Mar 10, 2024 8:49 pm

When not using any other vlan port on cap, you can use datapath settings in capsman controller.
Nothing to be done on cap.
 
robmaltsystems
Long time Member
Posts: 555
Joined: Fri Jun 21, 2019 12:04 pm

Re: CAPsMANv2 configuration for secondary SSIDs on different VLANs

Sun Mar 10, 2024 9:40 pm

Brain is too frazzled for this weekend. Will come back to more VLAN stuff after a night off! :D
