anatolykryzhanovsky
just joined
Topic Author
Posts: 3
Joined: Wed Jul 21, 2021 3:15 pm

Capsman, mtu, ping corrupted

Thu Jan 13, 2022 1:50 pm

Good day everyone.
We bought MikroTik hardware several years ago and made a simple setup, but there is a problem which we cannot solve. Now I have some time, so I decided to return to that question.

We have the following hardware: an x86 PC with RouterOS, 5 x cAP ac.
The x86 is running version 6.45.6, and all cAPs are running 7.1.1.

All of them are connected to the same network through an L2 switch.
We have two Wi-Fi networks (each in 2.4GHz and 5GHz), one for guests and one for employees. The guest network uses the built-in DNS server, the employee network uses an external DNS server.

So the CAPsMAN host config is here:
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz name=2G
add band=5ghz-a/n/ac extension-channel=Ceee frequency=5180 name=5G

/interface bridge
add arp=reply-only igmp-snooping=yes name=bridge-guest
add arp=proxy-arp mtu=1500 name=bridge-office

/interface ethernet
set [ find default-name=ether4 ] arp=proxy-arp name=LAN

/caps-man datapath
add bridge=bridge-office client-to-client-forwarding=yes local-forwarding=no name=datapath-office
add bridge=bridge-guest client-to-client-forwarding=no local-forwarding=no name=datapath-guest

/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=office passphrase=<redacted>
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=guest passphrase=<redacted>

/caps-man configuration
add channel=2G country=russia datapath=datapath-office datapath.bridge=bridge-office mode=ap name=office-2g rx-chains=0,1,2 security=office ssid=office tx-chains=0,1,2
add channel=5G country=russia datapath=datapath-office datapath.bridge=bridge-office mode=ap name=office-5g rx-chains=0,1,2 security=office ssid=office-5g tx-chains=0,1,2
add channel=2G country=russia datapath=datapath-guest datapath.bridge=bridge-guest mode=ap name=guest-2g rx-chains=0,1,2 security=guest ssid=guest tx-chains=0,1,2
add channel=5G country=russia datapath=datapath-guest datapath.bridge=bridge-guest mode=ap name=guest-5g rx-chains="" security=guest ssid=guest-5g tx-chains=""
add channel=5gtest datapath=datapath-office name=test rx-chains=0,1,2 security=office ssid=test tx-chains=0,1,2

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=guest-pool ranges=192.168.100.2-192.168.100.50

/ip dhcp-server
add add-arp=yes address-pool=guest-pool disabled=no interface=bridge-guest name=guest-dhcp

/caps-man access-list
add allow-signal-out-of-range=10s disabled=no mac-address=D6:74:15:42:0D:52 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=-84..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment="Reject bad connections" disabled=no signal-range=-120..-85 ssid-regexp=""
add allow-signal-out-of-range=10s disabled=no mac-address=50:8F:4C:71:CB:0B ssid-regexp=""

/caps-man manager
set enabled=yes

/caps-man manager interface
add disabled=no interface=bridge-office

/caps-man provisioning
add action=create-dynamic-enabled comment="provision profile for office wifi (both 2g and 5g)" hw-supported-modes=gn master-configuration=office-2g name-prefix=2g slave-configurations=guest-2g
add action=create-dynamic-enabled comment="provision profile for guest wifi (both 2g and 5g)" hw-supported-modes=ac,an master-configuration=office-5g name-prefix=5g slave-configurations=guest-5g

/interface bridge port
add bridge=bridge-office interface=LAN

/interface bridge settings
set use-ip-firewall-for-pppoe=yes

/ip address
add address=192.168.0.1/24 interface=bridge-office network=192.168.0.0
add address=192.168.100.1/24 interface=bridge-guest network=192.168.100.0

/ip dhcp-relay
add dhcp-server=192.168.0.10 name="lan dhcp"
add dhcp-server=192.168.0.10 disabled=no name=relay1
add dhcp-server=192.168.0.10 disabled=no interface=bridge-office name="bridge relay"

/ip dhcp-server network
add address=192.168.100.0/24 dns-server=8.8.8.8 gateway=192.168.100.1

/ip dns
set allow-remote-requests=yes servers=192.168.0.10

/ip firewall address-list
add address=192.168.100.0/24 list=GuestNet
add address=192.168.0.0/24 list=OfficeNet

/ip firewall mangle
add action=mark-routing chain=output dst-port=53 new-routing-mark=dns passthrough=yes protocol=udp

/ip firewall nat
add action=dst-nat chain=dstnat comment="hairpin nat for guest wifi to public resources" dst-address=178.35.138.66 dst-port=80,443 protocol=tcp src-address=192.168.100.0/24 to-addresses=192.168.0.6
add action=masquerade chain=srcnat comment="hairpin nat for guest wifi to public resources" dst-address=192.168.0.6 dst-port=80,443 protocol=tcp src-address=192.168.100.0/24
add action=masquerade chain=srcnat disabled=yes src-address=192.168.0.0/24
add action=accept chain=srcnat disabled=yes out-interface=*1

/ip route rule
add comment="enable public resources for guest " dst-address=192.168.0.6/32 src-address=192.168.100.0/24 table=main
add action=unreachable comment="forbid guest to office" dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=unreachable comment="forbid office to guest" disabled=yes dst-address=192.168.100.0/24 src-address=192.168.0.0/24

And this is the configuration from the cAP ac:
/interface bridge
add name=bridge

/interface wireless

/interface lte apn
set [ find default=yes ] ip-type=ipv4

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=security-guest supplicant-identity=""

/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254

/ip dhcp-server
add address-pool=dhcp_pool0 name=dhcp1

/system logging action
set 3 remote=192.168.0.6 remote-port=30514

/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether1
add bridge=bridge ingress-filtering=no interface=wlan-office-2g
add bridge=bridge ingress-filtering=no interface=wlan-office-5g

/ip settings
set max-neighbor-entries=8192

/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192

/interface wireless cap
set caps-man-addresses=192.168.0.1 discovery-interfaces=bridge enabled=yes \
    interfaces=wlan-office-2g,wlan-office-5g

/ip dhcp-client
add interface=bridge

/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1

Now I'm trying to open a site located in the private LAN from an iPad connected to the employee Wi-Fi. Small files load without problem, but after I authorize on it and there is a new header (authorization), page loading fails.
Then I tried to ping my iPad from RouterOS and got the following results:
- packet size <=1478 - all ok
- packet size > 1479 - corrupted

So as I see it, there is a problem with the MTU size.
I tried to set the L2 MTU on the CAPsMAN datapath to 1598, but nothing changed.

Then I removed the cAP ac from CAPsMAN control and set it up manually, and all works fine!

So can you help me and correct the setup?
 
dave864
Frequent Visitor
Posts: 75
Joined: Fri Mar 11, 2016 2:37 pm

Re: Capsman, mtu, ping corrupted

Sun Jan 16, 2022 12:02 am

I get 1472 on wi-fi to the router. Ping payload.
1464 to Google DNS.
Looks ok in terms of it working. But I'll probably tweak the wi-fi to match my internet size.

There isn't much point having large packet sizes as you're limited to your ISP beyond your network.

You are aware that the packet size in ping is not the MTU, right? There is overhead.

1472 + 28 = 1500 mtu.
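The manual probing in the first post (1478 works, 1479 and above breaks) and the overhead arithmetic in the reply above can be automated. The script below is an added example, not from either poster: it binary-searches the largest ICMP payload that still gets through with the DF bit set and converts that payload into the implied IPv4 MTU (payload + 8 bytes ICMP header + 20 bytes IPv4 header). It assumes Linux iputils `ping` (`-M do` sets DF); other ping implementations use different flags, and the probe function is passed in by name so a different prober can be substituted.

```shell
#!/bin/sh
# Added example: find the largest unfragmented ping payload on a path and
# derive the IPv4 MTU from it, the way the reply above does by hand.

# probe_ping SIZE HOST
# Real prober: one echo request with the DF bit set (Linux iputils syntax).
# Returns success only if a reply came back, i.e. SIZE fits the path MTU.
probe_ping() {
    ping -M do -s "$1" -c 1 -W 1 "$2" >/dev/null 2>&1
}

# find_max_payload PROBE HOST LOW HIGH
# Binary search in [LOW, HIGH] for the largest payload for which PROBE succeeds.
# PROBE is the name of a shell function taking (SIZE, HOST), so a fake prober
# can be used for offline testing.
find_max_payload() {
    probe=$1; host=$2; lo=$3; hi=$4; best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$probe" "$mid" "$host"; then
            best=$mid          # fits: search the upper half
            lo=$((mid + 1))
        else
            hi=$((mid - 1))    # dropped: search the lower half
        fi
    done
    echo "$best"
}

# payload_to_mtu PAYLOAD
# ICMP payload + 8 (ICMP header) + 20 (IPv4 header) = IPv4 MTU; 1472 -> 1500.
payload_to_mtu() {
    echo $(( $1 + 8 + 20 ))
}

# Usage against a real host (sizes are the poster's observed range):
#   max=$(find_max_payload probe_ping 192.168.0.1 1400 1600)
#   echo "largest payload: $max, implied MTU: $(payload_to_mtu "$max")"
```

With the poster's figures, a largest payload of 1478 implies an IPv4 MTU of 1506, which is what a 1500-byte Wi-Fi path with an extra encapsulation header would show; comparing the result on the CAPsMAN-managed and the manually configured AP isolates which hop is clipping packets.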
