plani
newbie
Topic Author
Posts: 35
Joined: Sat Jan 02, 2021 12:32 pm

No client to client connection

Fri Oct 29, 2021 9:46 pm

Hi all,
I have a running network with VLANs, thanks to this forum. Part of this network are 2 MikroTik access points (1x cAP and 1x wAP) managed by capsman on my central router (RB3011). Assigning WiFi clients to VLANs, including the corresponding DHCP lease, and everything works just fine... at least I thought so until today. After spending quite some time to get a WiFi-connected printer to run, I found out that I can't ping a WiFi client from another WiFi client, and as such, can't print from a WiFi client to a WiFi printer. Going through the capsman config, I couldn't find anything that might help, withholding myself from trial-and-error chances. The only thing I did was to add "client-to-client-forwarding=yes" to the client, but without success.

Any ideas or leads on what I'm doing wrong? Please find below the export from /caps-man on the central router (RB3011):
# oct/29/2021 20:30:28 by RouterOS 6.46.8
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled name=\
    channel24
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee name=\
    channel51 skip-dfs-channels=yes
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-LAN100 \
    vlan-id=100 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-LAN200 \
    vlan-id=200 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-LAN300 \
    vlan-id=300 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=securityprofile-WLAN100 passphrase=password1
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=securityprofile-WLAN200 passphrase=password2
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=securityprofile-WLAN300 passphrase=password3
/caps-man configuration
add channel=channel24 country=germany datapath=datapath-LAN100 installation=\
    indoor mode=ap name=cfg-ppwnp-24 security=securityprofile-WLAN100 ssid=ppwnp
add channel=channel51 country=germany datapath=datapath-LAN100 hide-ssid=yes \
    installation=indoor mode=ap name=cfg-ppwnp-51 security=\
    securityprofile-WLAN100 ssid=ppwnp
add channel=channel24 country=germany datapath=datapath-LAN200 installation=\
    indoor mode=ap name=cfg-ppwnk-24 security=securityprofile-WLAN200 ssid=ppwnk
add channel=channel51 country=germany datapath=datapath-LAN200 installation=\
    indoor mode=ap name=cfg-ppwnk-51 security=securityprofile-WLAN200 ssid=ppwnk
add channel=channel24 country=germany datapath=datapath-LAN300 installation=\
    indoor mode=ap name=cfg-ppwn-24 security=securityprofile-WLAN300 ssid=ppwn
add channel=channel51 country=germany datapath=datapath-LAN300 installation=\
    indoor mode=ap name=cfg-ppwn-51 security=securityprofile-WLAN300 ssid=ppwn
/caps-man access-list
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes \
    comment="Samsung Note9 -> VLAN100" disabled=no interface=all \
    mac-address=77:77:77:77:77:77 vlan-id=100 vlan-mode=use-tag
add action=accept comment="Laptop alt" interface=all mac-address=\
    88:88:88:88:88:88 vlan-id=100 vlan-mode=use-tag
add action=accept client-to-client-forwarding=yes comment=\
    "Samsung S20 -> VLAN100" interface=all mac-address=\
    99:99:99:99:99:99 vlan-id=100 vlan-mode=use-tag
add action=accept comment="Instar 6014 WLAN --> VLAN80" interface=all \
    mac-address=AA:AA:AA:AA:AA:AA vlan-id=80 vlan-mode=use-tag
add action=accept client-to-client-forwarding=yes comment=\
    "Laptop2 WLAN -> VLAN100" interface=all mac-address=\
    BB:BB:BB:BB:BB:BB vlan-id=100 vlan-mode=use-tag
add action=accept comment="Laptop1 -> VLAN100" interface=all \
    mac-address=CC:CC:CC:CC:CC:CC vlan-id=100 vlan-mode=use-tag
add action=accept comment="Pi-Box WiFi -> VLAN100" interface=all mac-address=\
    DD:DD:DD:DD:DD:DD vlan-id=100 vlan-mode=use-tag
add action=accept client-to-client-forwarding=yes comment=\
    "Samsung Tab -> VLAN100" interface=all mac-address=EE:EE:EE:EE:EE:EE \
    vlan-id=100 vlan-mode=use-tag
add action=accept client-to-client-forwarding=yes comment=\
    "Canon CP910 Fotodrucker" interface=all mac-address=FF:FF:FF:FF:FF:FF \
    vlan-id=100 vlan-mode=use-tag
/caps-man manager
set enabled=yes upgrade-policy=suggest-same-version
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    cfg-ppwn-24 name-format=prefix-identity name-prefix=2.4g \
    slave-configurations=cfg-ppwnp-24,cfg-ppwnk-24
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    cfg-ppwn-51 name-format=prefix-identity name-prefix=5g slave-configurations=\
    cfg-ppwnp-51,cfg-ppwnk-51
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    cfg-ppwn-24 name-format=prefix-identity name-prefix=2.4g \
    slave-configurations=cfg-ppwnp-24,cfg-ppwnk-24
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    cfg-ppwn-51 name-format=prefix-identity name-prefix=5g slave-configurations=\
    cfg-ppwnp-51,cfg-ppwnk-51
I'm happy to provide any further config if required.
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: No client to client connection

Sat Oct 30, 2021 12:17 pm

Are printer and device in the same IP scope?
Aka
Printer 192.168.1.25
Devices 192.168.1.101
 
plani
newbie
Topic Author
Posts: 35
Joined: Sat Jan 02, 2021 12:32 pm

Re: No client to client connection

Sat Oct 30, 2021 12:38 pm

Yes, same /24 IP address range and the same VLAN.
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: No client to client connection

Sat Oct 30, 2021 5:18 pm

You changed the config to "client to client forwarding = yes". Delete the interfaces in cap. Remove the remote radio.

Make sure your provision reads create enable.

Wait a few seconds and the caps will reprovision.

See if it works then.
 
plani
newbie
Topic Author
Posts: 35
Joined: Sat Jan 02, 2021 12:32 pm

Re: No client to client connection

Sun Oct 31, 2021 7:59 pm

Still doesn't work. What I did was basically clean up the config by removing the unneeded SSIDs and restarting the APs in order to reprovision as @gotsprings mentioned.

My concept is to have 3-4 APs in the end, managed centrally by capsman on the RB3011. Clients connecting to the WiFi will be in VLAN300, except if the MAC address is assigned a different VLAN in the access-list. This works so far, except that WiFi clients can't directly connect to WiFi clients. In the datapath, client-to-client-forwarding=yes and local-forwarding=yes have been set.

On the APs the vlan-config is:
 /interface bridge vlan print detail   
 ....
 5   bridge=bridge vlan-ids=100 tagged=ether1,ether2,wlan1,wlan2 untagged="" 
     current-tagged=ether1,wlan2,wlan1 current-untagged="" 

 6   bridge=bridge vlan-ids=200 tagged=ether1,ether2,wlan1,wlan2 untagged="" 
     current-tagged=ether1,wlan2,wlan1 current-untagged="" 

 7   bridge=bridge vlan-ids=300 tagged=ether1,ether2,wlan1,wlan2 untagged="" 
     current-tagged=ether1,wlan2,wlan1 current-untagged=""
...
Here is the updated capsman-export:

[admin@CoreRouter] > /caps-man export hide-sensitive 
# oct/31/2021 18:49:53 by RouterOS 6.46.8
# software id = X2B6-3S02
#
# model = RB3011UiAS
# serial number =....
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled name=channel24
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee name=channel51 skip-dfs-channels=yes

/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-LAN100 vlan-id=100 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-LAN200 vlan-id=200 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-LAN300 vlan-id=300 vlan-mode=use-tag

/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=securityprofile-WLAN300

/caps-man configuration
add channel=channel24 country=germany datapath=datapath-LAN300 installation=indoor mode=ap name=cfg-ppwn-24 security=securityprofile-WLAN300 ssid=ppwn
add channel=channel51 country=germany datapath=datapath-LAN300 installation=indoor mode=ap name=cfg-ppwn-51 security=securityprofile-WLAN300 ssid=ppwn

/caps-man access-list
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes comment="Samsung Note9 -> VLAN100" disabled=no interface=all mac-address=AA:AA:AA:AA:AA:AA vlan-id=100 vlan-mode=use-tag
add action=accept comment="laptop old" interface=all mac-address=BB:BB:BB:BB:BB:BB vlan-id=100 vlan-mode=use-tag
add action=accept client-to-client-forwarding=yes comment="Samsung S20 -> VLAN100" interface=all mac-address=CC:CC:CC:CC:CC:CC vlan-id=100 vlan-mode=use-tag
add action=accept comment="Camera --> VLAN80" interface=all mac-address=DD:DD:DD:DD:DD:DD vlan-id=80 vlan-mode=use-tag
add action=accept client-to-client-forwarding=yes comment="Laptop1 WLAN -> VLAN100" interface=all mac-address=EE:EE:EE:EE:EE:EE vlan-id=100 vlan-mode=use-tag
add action=accept comment="Lenovo  Laptop -> VLAN100" interface=all mac-address=FF:FF:FF:FF:FF:FF vlan-id=100 vlan-mode=use-tag
add action=accept comment="Pi-Box WiFi -> VLAN100" interface=all mac-address=22:22:22:22:22:22 vlan-id=100 vlan-mode=use-tag
add action=accept client-to-client-forwarding=yes comment="Samsung Tab S6 -> VLAN100" interface=all mac-address=33:33:33:33:33:33 vlan-id=100 vlan-mode=use-tag
add action=accept client-to-client-forwarding=yes comment="Canon CP910 " interface=all mac-address=44:44:44:44:44:44 vlan-id=100 vlan-mode=use-tag

/caps-man manager
set enabled=yes upgrade-policy=suggest-same-version

/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg-ppwn-24 name-format=prefix-identity name-prefix=2.4g
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=cfg-ppwn-51 name-format=prefix-identity name-prefix=5g
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg-ppwn-24 name-format=prefix-identity name-prefix=2.4g
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=cfg-ppwn-51 name-format=prefix-identity name-prefix=5g
So my questions:
1) When using local-forwarding=yes in the radio config, what effect does client-to-client-forwarding=yes have in the access list?
2) Could the issue be related to tagging/untagging VLANs on wifi1/2?
3) Any clues what I should be looking for?

Any help appreciated.
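
Added example, not part of the original post or of MikroTik's tooling: a Python script that parses a /caps-man export shaped like the one above and reports, for each access-list entry, the VLAN and client-to-client forwarding value in effect, which is what decides whether two wireless clients are isolated from each other. It assumes that an access-list entry without client-to-client-forwarding inherits the datapath value and that all configurations share one datapath; the sample export, MAC addresses and function names are constructed.

```python
import re
import shlex

# Constructed sample in the shape of the export posted above (placeholder MACs).
SAMPLE_EXPORT = r'''
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-LAN300 \
    vlan-id=300 vlan-mode=use-tag
/caps-man configuration
add datapath=datapath-LAN300 mode=ap name=cfg-ppwn-24 ssid=ppwn
/caps-man access-list
add action=accept client-to-client-forwarding=yes comment="Printer" \
    interface=all mac-address=02:00:00:00:00:01 vlan-id=100 vlan-mode=use-tag
add action=accept comment="Laptop" interface=all \
    mac-address=02:00:00:00:00:02 vlan-id=100 vlan-mode=use-tag
add action=accept comment="Camera" interface=all \
    mac-address=02:00:00:00:00:03 vlan-id=80 vlan-mode=use-tag
'''

def parse_export(text):
    """Return {menu: [{key: value}, ...]} for every 'add' line in an export."""
    text = re.sub(r'\\\r?\n\s*', '', text)  # join backslash-continued lines
    menus, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('/'):
            menu = line
        elif line.startswith('add ') and menu:
            pairs = (tok.split('=', 1) for tok in shlex.split(line[4:]) if '=' in tok)
            menus.setdefault(menu, []).append(dict(pairs))
    return menus

def effective_clients(text):
    """Per access-list entry: VLAN and client-to-client forwarding in effect."""
    m = parse_export(text)
    datapaths = {d['name']: d for d in m.get('/caps-man datapath', [])}
    # Assumption: every configuration uses the same datapath (true for the updated export).
    base = datapaths[m['/caps-man configuration'][0]['datapath']]
    rows = []
    for acl in m.get('/caps-man access-list', []):
        c2c = acl.get('client-to-client-forwarding')
        rows.append({
            'client': acl.get('comment', acl.get('mac-address')),
            'vlan': int(acl.get('vlan-id', base['vlan-id'])),
            # Assumption: an unset access-list value inherits the datapath setting.
            'c2c': (c2c or base.get('client-to-client-forwarding', 'no')) == 'yes',
            'c2c_source': 'access-list' if c2c else 'datapath',
        })
    return rows
```

Entries that land on different VLANs (the camera on VLAN 80 in the sample) are separated at layer 2 regardless of the forwarding flag, so the VLAN column is the first thing to compare when two clients cannot reach each other.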
 
plani
newbie
Topic Author
Posts: 35
Joined: Sat Jan 02, 2021 12:32 pm

Re: No client to client connection  [SOLVED]

Wed Nov 03, 2021 8:51 pm

So, I finally found the solution and will post it here for others having the same issue.

The solution is that in your capsman configuration you need to set multicast-helper=full. Not sure if I can explain why, but finally found the solution on google/stackexchange.
/caps-man configuration set [find] multicast-helper=full
After setting this and re-provisioning the interfaces everything works fine, meaning: I have WiFi clients that are assigned to a VLAN by the access-list in capsman and these clients can now be reached by each other (WiFi client to WiFi client).

Hope that helps,
have a nice week,
plani
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: No client to client connection

Thu Nov 04, 2021 12:35 am

plani wrote:
> So, I finally found the solution and will post it here for others having the same issue.
>
> The solution is that in your capsman configuration you need to set multicast-helper=full. Not sure if I can explain why, but finally found the solution on google/stackexchange.
> /caps-man configuration set [find] multicast-helper=full
> After setting this and re-provisioning the interfaces everything works fine, meaning: I have WiFi clients that are assigned to a VLAN by the access-list in capsman and these clients can now be reached by each other (WiFi client to WiFi client).
>
> Hope that helps,
> have a nice week,
> plani

I don't have any setting for Multicast helper on a couple hundred caps that talk one client to the next.
/caps-man configuration
add country="united states3" datapath.client-to-client-forwarding=yes \
    datapath.local-forwarding=yes keepalive-frames=enabled mode=ap name=\
    MainWireless security.authentication-types=wpa2-psk security.encryption=\
    aes-ccm security.group-encryption=aes-ccm security.passphrase=password \
    ssid=Example
 
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: No client to client connection

Thu Nov 04, 2021 7:37 am

@plani never detailed what kind of client-to-client connections are failing. From the solution he found one could assume that devices are using broadcasts (bonjour or some such) to find each other. And for broadcasts flowing smoothly over wireless the setting mentioned does help.
