Config for lab environment:
mAP as CAPSMAN, 7.1rc6
mAPLite as CAP, 7.1rc6
Ultimate target is to transfer the setup to a SXT LTE acting as CAPSMAN and 2 CAPs devices for Guest access in a vacation home in France which is for rent part of the year but has limited LTE volume (90Gb per month).
mAP is connected via eth1 to Hex and then to ISP. eth2 setup as DHCP with 192.168.92.0/24 subnet. No problem here.
mAP Lite is reset to factory conditions and then set in CAPS mode. Connection to mAP using eth2 and PoE. This part also works.
Separate interface for Guest network, VLAN=10, DHCP server in 192.168.100.0/24 range.
CAPSMAN with regular SSID and 1 slave Guest network on VLAN10. All traffic going back to CAPSMAN. Works as intended.
Hotspot has been set on mAP, using RADIUS.
Userman package loaded, 1 user defined, profile made, limitations made.
Caveat: a loopback bridge interface was created for the RADIUS/Userman communication, since I read somewhere that simply providing the local IP of the bridge or 127.0.0.1 sometimes causes issues. True/false?
The TX/RX limitations work (give or take) as long as you keep in mind that the directions are switched (download = TX and upload = RX). I don't really see the logic there, but that's what it is.
However, I don't seem to be able to get the volume limit active (bytes, kb, mb, gb,... whatever).
Whatever I put in, I always seem to be able to get past that volume. Or is another unit in play which provides the limit?
I can go, with a tablet connected to that Guest network, to hotspot.local (the DNS name I used) and it shows me the status page for that device/user. Obviously with down/upload going way beyond what I intended.
What also bothers me: WHERE can you, as admin, easily see the limits of a user?
I don't see anything in Userman/Session, but I do see something in Hotspot/Active or Hotspot/Hosts.
Is that the place to be ?
Next things to test are disconnects, connects, multiple devices using same user, ... etc etc.
But I first want to get the fundamentals right. And if volume limitation does not properly work, it's not ok.
Since everything is basically done on the mAP, I've provided its config.
mAP Lite doesn't seem to be relevant given the fact it runs under capsman control here.
Comments are more than welcome, but please clarify WHY things need to be changed in a certain way. I'm still learning a lot myself.
Pointers to relevant documentation/setup guides are also more than welcome.
Be gentle, please.
# nov/23/2021 16:13:25 by RouterOS 7.1rc6
# software id = 2H6H-TEI8
#
# model = RBmAP2nD
# serial number = DE4F0E7FE8F1
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz name=2.4
/interface bridge
add name=Loopback
add admin-mac=2C:C8:1B:C0:6C:52 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
MikroTik-C06C54 wireless-protocol=802.11
/interface vlan
add interface=bridge name=Guest vlan-id=10
/caps-man datapath
add bridge=bridge name=default
add bridge=bridge name=Guest vlan-id=10 vlan-mode=use-tag
/caps-man rates
add basic=1Mbps,2Mbps,5.5Mbps name=Guest supported=1Mbps,2Mbps,5.5Mbps
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=MikroTik
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=Guest
add name=NoSecurity
/caps-man configuration
add channel=2.4 country=france datapath.bridge=bridge distance=indoors \
hide-ssid=no hw-retries=4 name=config2.4 security=MikroTik ssid=\
MikroTik2.4
add channel=2.4 country=france datapath=Guest name=Guest rates=Guest \
security=NoSecurity ssid=Guest
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add dns-name=hotspot.local hotspot-address=192.168.100.1 html-directory=\
flash/hotspot name=hsprof1 use-radius=yes
/ip pool
add name=default-dhcp ranges=192.168.92.10-192.168.92.20
add name=Guest ranges=192.168.100.100-192.168.100.199
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=Guest interface=Guest name=Guest
/ip hotspot
add address-pool=Guest disabled=no interface=Guest name=hotspot1 profile=\
hsprof1
/queue simple
add disabled=yes limit-at=1M/2M max-limit=1M/2M name=Guest target=Guest
/user-manager limitation
add download-limit=5000000B name=10M_5Mbps rate-limit-burst-rx=3000000B \
rate-limit-burst-time-rx=15s rate-limit-burst-time-tx=15s \
rate-limit-burst-tx=6000000B rate-limit-rx=2000000B rate-limit-tx=\
5000000B reset-counters-interval=daily transfer-limit=10000000B \
upload-limit=9000000B uptime-limit=4d
/user-manager profile
add name=Profile1 name-for-users=Profile1 override-shared-users=unlimited
/user-manager user
add name=User2
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
config2.4 slave-configurations=Guest
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
/ip address
add address=192.168.92.1/24 comment=defconf interface=bridge network=\
192.168.92.0
add address=192.168.100.1/24 interface=Guest network=192.168.100.0
add address=10.10.0.1 interface=Loopback network=10.10.0.1
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.92.0/24 comment=defconf dns-server=192.168.92.1 gateway=\
192.168.92.1
add address=192.168.100.0/24 dns-server=208.67.222.222,208.67.220.220 \
gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=192.168.100.1
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=reject chain=input dst-address=192.168.92.0/24 in-interface=Guest \
reject-with=icmp-network-unreachable src-address=192.168.100.0/24
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
"accept from local network (Lab Environment)" src-address=192.168.2.0/24
add action=drop chain=input comment="drop all coming from WAN" \
in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=192.168.100.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=192.168.100.0/24
/ip hotspot service-port
set ftp disabled=yes
/ip hotspot user
add name=dexter
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/radius
add address=10.10.0.1 service=hotspot
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=Map2nD
/system ntp client
set enabled=yes
/system ntp client servers
add address=45.87.76.3
add address=185.111.204.220
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
/user-manager
set enabled=yes use-profiles=yes
/user-manager profile-limitation
add limitation=10M_5Mbps profile=Profile1
/user-manager router
add address=10.10.0.1 name=LocalRouter
/user-manager user-profile
add profile=Profile1 user=User2
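The questions above about where an admin can see a user's limits, and whether the volume limit ever reached the hotspot, can be checked from the CLI in a few steps. The following is an added diagnostic sequence, not part of the original post or of MikroTik's documentation. The names hsprof1, hotspot1, User2, Profile1 and 10M_5Mbps are taken from the posted export; the property names are RouterOS 7 defaults as I know them, and the assumption behind step 2 is that the hotspot enforces a per-session volume cap only when User Manager delivers it in the RADIUS Access-Accept.

```routeros
# Added diagnostic commands (not from the original post). Object names come
# from the posted export; field names are assumed RouterOS 7 defaults, so
# run "print detail" on your own box if any of them differ.

# 1. What User Manager is configured to hand out for User2: the profile
#    binding, the limitation attached to that profile, and the limitation
#    itself with every byte/rate value in one place.
/user-manager user-profile print where user=User2
/user-manager profile-limitation print where profile=Profile1
/user-manager limitation print detail where name=10M_5Mbps

# 2. What the hotspot actually received for the live session.
#    limit-bytes-in / limit-bytes-out / limit-bytes-total are the per-session
#    volume caps the hotspot enforces on its own; if they are missing or 0 here,
#    no volume limit was delivered and the session runs without a cap.
#    bytes-in / bytes-out are the live counters from the router's point of view.
/ip hotspot active print detail where user=User2

# 3. Counters on the User Manager side (these are what
#    reset-counters-interval=daily is applied to), and whether the RADIUS
#    client on this router is reaching User Manager at all
#    (requests vs. accepts/rejects/timeouts).
/user-manager session print detail where user=User2
/radius monitor [find service=hotspot] once

# 4. Optional: have the hotspot send RADIUS accounting updates every minute
#    instead of only at session end, so the User Manager session counters
#    move while a guest is still connected. Default for this property is
#    "received", i.e. only if the RADIUS server asks for it.
/ip hotspot profile set hsprof1 radius-interim-update=1m
```

Start with step 2: it answers the "where can I see it" question for a running session and tells you immediately whether the problem is on the User Manager side (limits never sent) or on the hotspot side (limits received but not applied). Note that the local entry in /ip hotspot user (dexter) is matched before RADIUS is consulted, so a test with that name never exercises the User Manager limitation at all. On the rx/tx naming: the hotspot and RADIUS attributes describe traffic from the router's point of view, so rx is what the router receives from the client (the client's upload) and tx is what it sends to the client (the client's download), which is why the limitation fields appear swapped relative to the guest's experience.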