warllo
just joined
Topic Author
Posts: 11
Joined: Thu Mar 26, 2015 3:26 pm

CapsMan data path not working

Fri Sep 13, 2019 7:14 pm

Hi,

I have clients that are not able to complete a speed test due to the upload failing. The download works great, but affected clients are also unable to browse. Hoping someone could provide some input. Here is my config. As a workaround I have enabled Local Forwarding on datapath1, and this resolves the issue.
# sep/13/2019 12:02:11 by RouterOS 6.45.6
# software id = 
#
#
#
/caps-man channel
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=Ce \
    frequency=2412 name=channel1
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2442 name=channel6
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2472 name=channel11
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=Ceee \
    frequency=5180 name=channel157
/interface bridge
add comment="Primary LAN Bridge" name=PrimaryLan
/interface ethernet
set [ find default-name=ether1 ] auto-negotiation=no comment=WAN-DHCP \
    disable-running-check=no speed=1Gbps
set [ find default-name=ether2 ] comment=LAN disable-running-check=no
/caps-man datapath
add bridge=PrimaryLan local-forwarding=yes name=datapath1
/caps-man security
add authentication-types=wpa2-psk comment= encryption=aes-ccm name=\
    2.4
add authentication-types=wpa2-psk comment= encryption=aes-ccm name=5
/caps-man configuration
add channel=channel1 country="united states3" datapath=datapath1 mode=ap \
    name=config1 security=2.4 ssid=Mikrotik-Test
add channel=channel157 country="united states3" datapath=datapath1 name=\
    config2 security=2.4 ssid=test5
/caps-man interface
add arp=enabled channel=channel157 configuration=config2 datapath=datapath1 \
    disabled=no l2mtu=1600 mac-address=CC:2D:E0:1D:6A:BA master-interface=\
    none mtu=1500 name=cap3 radio-mac=CC:2D:E0:1D:6A:BA radio-name=\
    CC2DE01D6ABA
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=PrimaryLan ranges=192.168.2.90-192.168.2.200
/ip dhcp-server
add address-pool=PrimaryLan disabled=no interface=PrimaryLan name=PrimaryLan
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=config1 name-format=\
    prefix name-prefix=Mikrotik-
add action=create-dynamic-enabled master-configuration=config2 name-format=\
    prefix name-prefix=Mikrotik- radio-mac=CC:2D:E0:1D:6A:BB
/interface bridge port
add bridge=PrimaryLan interface=ether2
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=PrimaryLan list=LAN
/ip address
add address=192.168.2.1/24 interface=PrimaryLan network=192.168.2.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1,1.1.1.1 gateway=192.168.2.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.2.1
/ip dns static
add address=192.168.2.6 name=nextcloud.warllo.org
add address=192.168.2.6 name=ha.warllo.rog
add address=192.168.2.6 name=vpn.warllo.org
add address=192.168.2.6 name=dock.warllo.org
add address=192.168.2.6 name=plex.warllo.org
add address=192.168.2.6 name=collabora.warllo.org
add address=192.168.2.6 name=fire.warllo.org
add address=192.168.2.6 name=graph.warllo.org
add address=192.168.2.6 name=jelly.warllo.org
add address=192.168.2.6 name=vsc.warllo.org
add address=192.168.2.6 name=dockera.warllo.org
/ip firewall address-list
add address=192.168.2.2-192.168.2.254 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment=\
    "DEFAULT: Accept established, related, and untracked traffic." \
    connection-state=established,related,untracked
add action=accept chain=input comment="DEFAULT: Accept ICMP traffic." log=yes \
    protocol=icmp
add action=drop chain=input comment="DEFAULT: Drop invalid traffic." \
    connection-state=invalid
add action=drop chain=input comment=\
    "DEFAULT: Drop all other traffic not coming from LAN." in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "DEFAULT: Accept established, related, and untracked traffic." \
    connection-state=established,related,untracked
add action=drop chain=forward comment="DEFAULT: Drop invalid traffic." \
    connection-state=invalid
add action=drop chain=forward comment=\
    "DEFAULT: Drop all other traffic from WAN that is not DSTNATed." \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="HTTP to Web Server" dst-port=80 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.2.6 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS to Web Server" dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.2.6 to-ports=443
add action=dst-nat chain=dstnat comment="OVPN to AS Server" dst-port=1194 \
    in-interface=ether1 protocol=udp to-addresses=192.168.2.6 to-ports=1194
add action=dst-nat chain=dstnat comment="OPVNAS Web Interface" dst-port=943 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.2.6 to-ports=943
add action=dst-nat chain=dstnat comment="Plex to Plex Server" dst-port=32400 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.2.6 to-ports=32400
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api-ssl disabled=yes
/ip smb users
add name=warllo read-only=no
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PrimaryLan type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=America/Chicago
/system logging
add action=disk topics=firewall
/system ntp client
set enabled=yes primary-ntp=216.239.35.0 server-dns-names=time.google.com
 
Amm0
newbie
Posts: 48
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: CapsMan data path not working

Sat Sep 14, 2019 7:37 pm

Perhaps CAPsMAN needs to add the dynamically created CAP interface to an "Interface List", since the default firewall will drop !LAN traffic. But I'm not sure.

Out of curiosity, any reason you don't want to use local forwarding? CAPsMAN still controls the configuration with local forwarding, so you get the same centralized management control. I've never been quite sure of the benefits of DTLS tunneling L2 packets (e.g. CAPsMAN data paths and RFC 5416); people smarter than me may be. Local forwarding with VLANs exposed for the CAPs to use seems more manageable to me.
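One way to run the check Amm0 suggests, as an added example that is not part of either poster's configuration: a RouterOS script for the CAPsMAN router that walks every CAP interface the manager knows about, reports whether it is a port of the datapath bridge and a member of the LAN interface list, and adds it to the list when it is missing. The bridge and list names (PrimaryLan, LAN) are taken from the exported config; the comment string and the skip for CAP entries that are not currently present as interfaces are the script's own.

```routeros
# Added example, not from the original post.
# Assumed names come from the exported config: bridge PrimaryLan, list LAN.
:local dpBridge "PrimaryLan"
:local lanList "LAN"

:foreach capId in=[/caps-man interface find] do={
    :local capName [/caps-man interface get $capId name]
    # A static or inactive CAP entry (like cap3 in the export) may have no
    # interface behind it yet; skip it rather than fail on the list add.
    :if ([:len [/interface find name=$capName]] = 0) do={
        :put ($capName . " is not an active interface, skipping")
    } else={
        # Is the CAP interface a (dynamic) port of the datapath bridge?
        :local inBridge ([:len [/interface bridge port find interface=$capName bridge=$dpBridge]] > 0)
        # Is it a member of the LAN interface list?
        :local inList ([:len [/interface list member find interface=$capName list=$lanList]] > 0)
        :put ($capName . " bridge-port=" . [:tostr $inBridge] . " lan-member=" . [:tostr $inList])
        :if ($inList = false) do={
            /interface list member add interface=$capName list=$lanList comment="added by CAP check script"
            :put ("  -> added " . $capName . " to " . $lanList)
        }
    }
}
```

Paste it into a terminal or store it under /system script. One caveat about the default firewall in the export: for frames that enter through a bridge port and are then routed, the IP firewall sees in-interface as the bridge (PrimaryLan), not the CAP port, so the input-chain drop on in-interface-list=!LAN is already satisfied by the bridge's own LAN membership; per-port list membership matters for rules that match on bridge-port lists. /caps-man datapath also has an interface-list property; setting it on datapath1 has CAPsMAN add the dynamic CAP interfaces itself, which is cleaner than static members that outlive a dynamic interface.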
 
warllo
just joined
Topic Author
Posts: 11
Joined: Thu Mar 26, 2015 3:26 pm

Re: CapsMan data path not working

Sun Sep 15, 2019 6:34 pm

Thanks for the reply. I will try adding the CAP interfaces to the LAN list. I was not using local forwarding as I want to apply mangle rules and queues to the traffic coming from the wireless network.
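The mangle-plus-queue setup warllo describes, as an added example and not configuration from the thread: with CAPsMAN forwarding (local-forwarding=no) the client frames enter the manager through the dynamic CAP interfaces, which are ports of the PrimaryLan bridge, so a mangle rule can tag those connections and a simple queue can shape them. The interface list WIFI, the mark name and the 20M/50M limits are assumptions; PrimaryLan, datapath1 and 192.168.2.0/24 come from the posted export. Because bridged frames reach the IP firewall with in-interface set to the bridge, the rule matches on in-bridge-port-list rather than in-interface-list.

```routeros
# Added example, not the poster's configuration.
# Assumed names: interface list WIFI, mark "wifi", limits 20M/50M.
/interface list add name=WIFI comment="dynamic CAP interfaces (CAPsMAN forwarding)"

# Have CAPsMAN put the CAP interfaces it creates for this datapath into WIFI.
# local-forwarding=no is the default; it is spelled out here because the
# export currently has the local-forwarding=yes workaround on datapath1.
/caps-man datapath set datapath1 local-forwarding=no interface-list=WIFI

/ip firewall mangle
# Frames from a CAP port arrive at the IP firewall with in-interface=PrimaryLan,
# so match the bridge-port list rather than the interface list.
add chain=prerouting in-bridge-port-list=WIFI connection-state=new action=mark-connection new-connection-mark=wifi passthrough=yes comment="tag connections started by Wi-Fi clients"
# Both directions of a tagged connection carry the connection mark; mark every packet of them.
add chain=prerouting connection-mark=wifi action=mark-packet new-packet-mark=wifi passthrough=no comment="packets of Wi-Fi connections"

/queue simple
# target splits upload (src in subnet) from download (dst in subnet);
# packet-marks limits the queue to the marked Wi-Fi traffic only.
add name=wifi-clients target=192.168.2.0/24 packet-marks=wifi max-limit=20M/50M

# Sanity check: associated Wi-Fi clients should appear here with their CAP interface.
/caps-man registration-table print
```

With local-forwarding=yes the CAP bridges the client frames locally and the manager never sees them as CAP-port traffic, which is why the workaround in the first post removes the very point at which these rules match.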
 
warllo
just joined
Topic Author
Posts: 11
Joined: Thu Mar 26, 2015 3:26 pm

Re: CapsMan data path not working

Mon Sep 16, 2019 5:08 pm

I checked the LAN interface list, and the CAP interfaces were already added dynamically. Hoping for some other suggestions.
