kristapsesterlins
just joined
Topic Author
Posts: 4
Joined: Mon Aug 16, 2021 11:37 am

CAPsMAN - Connectivity issues with private and public APs

Mon Jan 31, 2022 3:52 pm

Good Day!

CAPsMAN controller - hAP ac3 (RBD53iG-5HacD2HnD)

CAPsMAN connected devices - 5 x wAP ac (RBwAPG-5HacT2HnD)

I am trying to set up a simple private / public wireless network in our office. The issue only occurs if I copy the dynamically created "cap" interface and set a fixed channel for the device. If I do, then either the private AP is reachable and clients are able to connect, or the public one is reachable, BUT NOT BOTH master and slave interfaces for a single device, on both 2.4 and 5 GHz. Even when clients are unable to connect to the AP there is no log entry in the CAP info or debug sections. I am out of ideas; maybe there is something I have misconfigured.

Please see the current configuration below. I have isolated both networks by creating a separate bridge, dhcp server and pool.

Thanks!

/interface bridge

add admin-mac=2C:C8:1B:BD:1F:BF auto-mac=no comment="Default Configuration - ether2,3,4,5 and wlan1,2" fast-forward=no name=bridge
add admin-mac=1A:B4:A0:E8:C7:78 auto-mac=no comment="Bridge - Guest AP" fast-forward=no name=bridge-guest
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
/interface bridge settings
set allow-fast-path=no

/ip address

add address=192.168.204.1/24 comment="Default Configuration - Main IP address to LAN interface (bridge)" interface=bridge network=192.168.204.0
add address=xx.xxx.xxx.130/24 comment="Default Configuration - WAN IP Address" interface=ether1 network=xx.xxx.xxx.0
add address=192.168.250.1/24 comment="Guest IP address to Guest Bridge AP" interface=bridge-guest network=192.168.250.0
add address=192.168.1.2/30 comment="IPSEC Tunnel to Remote Office" interface="Remote Office" network=192.168.1.0


/ip dhcp-server
add address-pool=dhcp-main1 bootp-support=none disabled=no interface=bridge lease-time=1d name="Main"
add address-pool=dhcp-guest1 bootp-support=none disabled=no interface=bridge-guest lease-time=12h name="Guest"

/ip dhcp-server network
add address=192.168.204.0/24 comment="Default Configuration - Main IP address to LAN interface (bridge)" dns-server=192.168.204.22,192.168.204.1 gateway=192.168.204.1
add address=192.168.250.0/24 comment="Guest IP Address to Guest AP Bridge" gateway=192.168.250.1

/ip pool
add comment="Default Configuration - LAN bridge pool" name=dhcp-main1 ranges=192.168.204.51-192.168.204.203
add comment="Guest AP bridge pool" name=dhcp-guest1 ranges=192.168.250.2-192.168.250.254

/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=channel-2.4-01
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=channel-2.4-06
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=channel-2.4-11
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=channel-5-36
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5220 name=channel-5-44
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5240 name=channel-5-48

/caps-man rates
add basic=6Mbps ht-basic-mcs="" ht-supported-mcs="" name="802.11b Rates Disabled" supported=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs="" vht-supported-mcs=""

/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm name="Main"
add name="Guest"

/caps-man configuration
add country=latvia datapath="Main" installation=indoor mode=ap name="Main (2.4 Ghz)" rates="802.11b Rates Disabled" security="Main" ssid="Main"
add country=latvia datapath="Main" installation=indoor mode=ap name="Main (5 Ghz)" rates="802.11b Rates Disabled" security="Main" ssid="Main"
add country=latvia datapath="Guest" installation=indoor mode=ap name="Guest (2.4 Ghz) " rates="802.11b Rates Disabled" security="Guest" ssid="Guest"
add country=latvia datapath="Guest" installation=indoor mode=ap name="Guest (5 Ghz)" rates="802.11b Rates Disabled" security="Guest" ssid="Guest"

/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name="Main"
add bridge=bridge-guest client-to-client-forwarding=no local-forwarding=no name="Guest"

/caps-man interface
add channel=channel-2.4-01 configuration="Main (2.4 Ghz)" disabled=no l2mtu=1600 mac-address=2C:C8:1B:BD:1F:BF master-interface=none name=cap1 radio-mac=2C:C8:1B:BD:1F:BF radio-name=2CC81BBD1FBF
add channel=channel-2.4-01 channel.frequency=2412 configuration="Guest (2.4 Ghz) " disabled=no l2mtu=1600 mac-address=2C:C8:1B:BD:1F:BF master-interface=cap1 name=cap1-1 radio-mac=00:00:00:00:00:00 radio-name=2CC81BBD1FBF
add channel=channel-5-36 channel.frequency=5180 configuration="Main (5 Ghz)" disabled=no l2mtu=1600 mac-address=2C:C8:1B:BD:1F:C0 master-interface=none name=cap2 radio-mac=2C:C8:1B:BD:1F:C0 radio-name=2CC81BBD1FC0
add channel=channel-5-36 channel.frequency=5180 configuration="Guest (5 Ghz)" disabled=no l2mtu=1600 mac-address=2C:C8:1B:BD:1F:C0 master-interface=cap2 name=cap2-1 radio-mac=00:00:00:00:00:00 radio-name=2CC81BBD1FC0
add channel=channel-2.4-11 configuration="Main (2.4 Ghz)" datapath="Main" disabled=no l2mtu=1600 mac-address=64:D1:54:AA:03:66 master-interface=none name=cap3 radio-mac=64:D1:54:AA:03:66 radio-name=64D154AA0366 rates=\
    "802.11b Rates Disabled" security="Main"
add channel=channel-2.4-11 channel.frequency=2462 configuration="Guest (2.4 Ghz) " datapath="Guest" disabled=yes l2mtu=1600 mac-address=64:D1:54:AA:03:66 master-interface=cap3 name=cap3-1 radio-mac=00:00:00:00:00:00 \
    radio-name=64D154AA0366 rates="802.11b Rates Disabled" security="Guest"
add channel=channel-5-48 configuration="Main (5 Ghz)" datapath="Main" disabled=no l2mtu=1600 mac-address=64:D1:54:AA:03:65 master-interface=none name=cap4 radio-mac=64:D1:54:AA:03:65 radio-name=64D154AA0365 rates=\
    "802.11b Rates Disabled" security="Main"
add channel=channel-5-48 channel.frequency=5260 configuration="Guest (5 Ghz)" datapath="Guest" disabled=yes l2mtu=1600 mac-address=64:D1:54:AA:03:65 master-interface=cap4 name=cap4-1 radio-mac=64:D1:54:AA:03:65 \
    radio-name=64D154AA0365 rates="802.11b Rates Disabled" security="Guest"
add channel=channel-2.4-06 configuration="Main (2.4 Ghz)" datapath="Main" disabled=no l2mtu=1600 mac-address=64:D1:54:BF:A8:33 master-interface=none name=cap5 radio-mac=64:D1:54:BF:A8:33 radio-name=64D154BFA833 rates=\
    "802.11b Rates Disabled" security="Main"
add channel=channel-2.4-06 channel.frequency=2437 configuration="Guest (2.4 Ghz) " datapath="Guest" disabled=yes l2mtu=1600 mac-address=64:D1:54:BF:A8:33 master-interface=cap5 name=cap5-1 radio-mac=00:00:00:00:00:00 \
    radio-name=64D154BFA833 rates="802.11b Rates Disabled" security="Guest"
add channel=channel-5-44 configuration="Main (5 Ghz)" datapath="Main" disabled=no l2mtu=1600 mac-address=64:D1:54:BF:A8:32 master-interface=none name=cap6 radio-mac=64:D1:54:BF:A8:32 radio-name=64D154BFA832 rates=\
    "802.11b Rates Disabled" security="Main"
add channel=channel-5-44 channel.frequency=5220 configuration="Guest (5 Ghz)" datapath="Guest" disabled=yes l2mtu=1600 mac-address=64:D1:54:BF:A8:32 master-interface=cap6 name=cap6-1 radio-mac=00:00:00:00:00:00 \
    radio-name=64D154BFA832 rates="802.11b Rates Disabled" security="Guest"
add channel=channel-2.4-06 configuration="Main (2.4 Ghz)" datapath="Main" disabled=no l2mtu=1600 mac-address=64:D1:54:88:C3:24 master-interface=none name=cap7 radio-mac=64:D1:54:88:C3:24 radio-name=64D15488C324 rates=\
    "802.11b Rates Disabled" security="Main"
add channel=channel-2.4-06 channel.frequency=2437 configuration="Guest (2.4 Ghz) " datapath="Guest" disabled=yes l2mtu=1600 mac-address=64:D1:54:88:C3:24 master-interface=cap7 name=cap7-1 radio-mac=00:00:00:00:00:00 \
    radio-name=64D15488C324 rates="802.11b Rates Disabled" security="Guest"
add channel=channel-5-44 configuration="Main (5 Ghz)" datapath="Main" disabled=no l2mtu=1600 mac-address=64:D1:54:88:C3:23 master-interface=none name=cap8 radio-mac=64:D1:54:88:C3:23 radio-name=64D15488C323 rates=\
    "802.11b Rates Disabled" security="Main"
add channel=channel-5-44 channel.frequency=5220 configuration="Guest (5 Ghz)" datapath="Guest" disabled=yes l2mtu=1600 mac-address=64:D1:54:88:C3:23 master-interface=cap8 name=cap8-1 radio-mac=00:00:00:00:00:00 \
    radio-name=64D15488C323 rates="802.11b Rates Disabled" security="Guest"
add channel=channel-2.4-01 configuration="Main (2.4 Ghz)" datapath="Main" disabled=no l2mtu=1600 mac-address=64:D1:54:87:6B:7C master-interface=none name=cap9 radio-mac=64:D1:54:87:6B:7C radio-name=64D154876B7C rates=\
    "802.11b Rates Disabled" security="Main"
add channel=channel-2.4-01 channel.frequency=2412 configuration="Guest (2.4 Ghz) " datapath="Guest" disabled=yes l2mtu=1600 mac-address=64:D1:54:87:6B:7C master-interface=cap9 name=cap9-1 radio-mac=00:00:00:00:00:00 \
    radio-name=64D154876B7C rates="802.11b Rates Disabled" security="Guest"
add channel=channel-5-36 configuration="Main (5 Ghz)" datapath="Main" disabled=no l2mtu=1600 mac-address=64:D1:54:87:6B:7B master-interface=none name=cap10 radio-mac=64:D1:54:87:6B:7B radio-name=64D154876B7B rates=\
    "802.11b Rates Disabled" security="Main"
add channel=channel-5-36 channel.frequency=5180 configuration="Guest (5 Ghz)" datapath="Guest" disabled=yes l2mtu=1600 mac-address=64:D1:54:87:6B:7B master-interface=cap10 name=cap10-1 radio-mac=00:00:00:00:00:00 \
    radio-name=64D154876B7B rates="802.11b Rates Disabled" security="Guest"
add channel=channel-2.4-11 configuration="Main (2.4 Ghz)" datapath="Main" disabled=no l2mtu=1600 mac-address=48:8F:5A:35:86:5A master-interface=none name=cap11 radio-mac=48:8F:5A:35:86:5A radio-name=488F5A35865A rates=\
    "802.11b Rates Disabled" security="Main"
add channel=channel-2.4-11 channel.frequency=2462 configuration="Guest (2.4 Ghz) " datapath="Guest" disabled=yes l2mtu=1600 mac-address=48:8F:5A:35:86:5A master-interface=cap11 name=cap11-1 radio-mac=00:00:00:00:00:00 \
    radio-name=488F5A35865A rates="802.11b Rates Disabled" security="Guest"
add channel=channel-5-48 configuration="Main (5 Ghz)" datapath="Main" disabled=no l2mtu=1600 mac-address=48:8F:5A:35:86:59 master-interface=none name=cap12 radio-mac=48:8F:5A:35:86:59 radio-name=488F5A358659 rates=\
    "802.11b Rates Disabled" security="Main"
add channel=channel-5-48 channel.frequency=5260 configuration="Guest (5 Ghz)" datapath="Guest" disabled=yes l2mtu=1600 mac-address=48:8F:5A:35:86:59 master-interface=cap12 name=cap12-1 radio-mac=00:00:00:00:00:00 \
    radio-name=488F5A358659 rates="802.11b Rates Disabled" security="Guest"

/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes require-peer-certificate=yes upgrade-policy=require-same-version

/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge

/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=g master-configuration="Main (2.4 Ghz)" slave-configurations="Guest (2.4 Ghz) "
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration="Main (5 Ghz)" slave-configurations="Guest (5 Ghz)"

/ip firewall filter
add action=accept chain=input comment="Default Configuration - Work with connection state - established, related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Default Configuration - enable ICMP access" protocol=icmp
add action=accept chain=input comment="IPSEC Policy Matcher" in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="IPSEC Policy Matcher" dst-port=500,1701,4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="IPSEC Policy Matcher" protocol=gre
add action=accept chain=input comment="Default Configuration - Address list (whitelist) for IP addresses which are allowed to access the router" src-address-list=lan-address
add action=accept chain=input comment="Default Configuration - Accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow LAN DNS Queries (UDP)" connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS Queries (TCP)" connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="Default Configuration - Drop connection state - invalid" connection-state=invalid log-prefix=invalid
add action=reject chain=input comment="Reject - ICMP Admin Prohibited" in-interface-list=LAN reject-with=icmp-admin-prohibited
add action=drop chain=input comment="Default Configuration - Drop everything else." log-prefix=drop-everything
add action=accept chain=forward comment="Default Configuration - Accept all that matches IPSec in policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Default Configuration - Accept all that matches IPSec out policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
    "26.01.2022 - Disabled, Does not work with QoS\r\
    \n\r\
    \nDefault Configuration - Packets with connection state - established,related are added to FastTrack for faster data throughput, firewall will work with new connections only" disabled=yes
add action=accept chain=forward comment="Default Configuration - Forward packets with connection state - established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Default Configuration - Drop connection state - invalid" connection-state=invalid log-prefix=invalid
add action=drop chain=forward comment="28.01.2022 - Added Remote Office To LAN interface List.\r\
    \n\r\
    \nDefault Configuration - Drop tries to reach not public addresses from LAN" dst-address-list=blacklist-rfc in-interface-list=LAN log-prefix=lan-blacklist-rfc out-interface-list=!LAN
add action=drop chain=forward comment="Default Configuration - Drop incoming packets that are not NAT`ed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log-prefix=not-nat
add action=drop chain=forward comment="Default Configuration - Drop incoming from WAN which is not public IP" in-interface-list=WAN log-prefix=wan-blacklist-rfc src-address-list=blacklist-rfc
add action=drop chain=forward comment="Default Configuration - Drop packets from LAN that do not have LAN IP" in-interface-list=LAN log=yes log-prefix=not-lan src-address-list=!lan-address
add action=drop chain=forward comment="Drop Connections Between Main and Guest" dst-address=192.168.250.0/24 log-prefix=drop-main-guest src-address=192.168.204.0/24
add action=drop chain=forward comment="Drop Connections Between Main and Guest" dst-address=192.168.204.0/24 log-prefix=drop-guest-main src-address=192.168.250.0/24
add action=jump chain=forward comment="Default Configuration - Jump to ICMP filters" jump-target=icmp protocol=icmp
add action=accept chain=icmp comment="Default Configuration - echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="Default Configuration - net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="Default Configuration - host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="Default Configuration - host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="Default Configuration - allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="Default Configuration - allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="Default Configuration - allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="Default Configuration - deny all other types"

/ip firewall nat
add action=masquerade chain=srcnat comment="Default Configuration - Change the source IP to the WAN IP (Masquerade)" ipsec-policy=out,none out-interface-list=WAN


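An added example (not the poster's or MikroTik's code): a small read-only linter for the kind of `/export` shown above. It parses the RouterOS export format (section headers like `/caps-man interface`, `add`/`set` lines with `key=value` pairs, quoted values, trailing-backslash continuations) and runs three checks a reviewer would make before copying dynamically created CAP interfaces into static ones: security profiles with no `authentication-types` (an open SSID, as the "Guest" profile above is), static slave interfaces whose `channel.frequency` override disagrees with the master's channel (the export above has `cap4-1` and `cap12-1` at 5260 while `channel-5-48` is 5240), and open SSIDs whose datapath still permits client-to-client forwarding. The embedded sample is a constructed excerpt modelled on the post's export; whether the frequency mismatch is related to the symptom the author saw is not established in the thread, the lint only surfaces it.

```python
"""Lint a RouterOS `/export` for CAPsMAN settings (added example, not from the post)."""
import shlex
from typing import Dict, List, Tuple

Export = Dict[str, List[Dict[str, str]]]

# Constructed excerpt modelled on the post's export (shortened, values as on the page).
SAMPLE_EXPORT = r"""
/caps-man channel
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5240 name=channel-5-48
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm name="Main"
add name="Guest"
/caps-man datapath
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name="Main"
add bridge=bridge-guest client-to-client-forwarding=no local-forwarding=no name="Guest"
/caps-man configuration
add country=latvia datapath="Main" mode=ap name="Main (5 Ghz)" security="Main" ssid="Main"
add country=latvia datapath="Guest" mode=ap name="Guest (5 Ghz)" security="Guest" ssid="Guest"
/caps-man interface
add channel=channel-5-48 configuration="Main (5 Ghz)" master-interface=none name=cap4 rates=\
    "802.11b Rates Disabled" security="Main"
add channel=channel-5-48 channel.frequency=5260 configuration="Guest (5 Ghz)" master-interface=cap4 name=cap4-1
"""


def parse_export(text: str) -> Export:
    """Return {section_path: [entry, ...]}; each entry maps key -> value."""
    # 1. Re-join lines the exporter wrapped with a trailing backslash.
    joined: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        joined.append(pending + line)
        pending = ""
    # 2. Walk sections; keep add/set lines as key=value dicts.
    sections: Export = {}
    current = None
    for line in joined:
        if not line:
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        verb, _, rest = line.partition(" ")
        if current is None or verb not in ("add", "set"):
            continue
        entry = {"_verb": verb}
        for token in shlex.split(rest):  # shlex removes the quotes around values
            key, eq, value = token.partition("=")
            if eq:
                entry[key] = value
        sections[current].append(entry)
    return sections


def open_security_profiles(cfg: Export) -> List[str]:
    """Security profiles without authentication-types serve an open (unencrypted) SSID."""
    return [p.get("name", "") for p in cfg.get("/caps-man security", [])
            if not p.get("authentication-types")]


def slave_frequency_mismatches(cfg: Export) -> List[Tuple[str, str]]:
    """Slave interfaces whose effective frequency differs from their master's.

    A slave (virtual AP) shares the master's radio, so it cannot run on another
    frequency; a disagreeing per-interface channel.frequency is a config smell.
    """
    channel_freq = {c.get("name", ""): c.get("frequency", "") for c in cfg.get("/caps-man channel", [])}
    ifaces = {i["name"]: i for i in cfg.get("/caps-man interface", []) if "name" in i}

    def effective(i: Dict[str, str]) -> str:
        return i.get("channel.frequency") or channel_freq.get(i.get("channel", ""), "")

    findings: List[Tuple[str, str]] = []
    for name, iface in ifaces.items():
        master = iface.get("master-interface", "none")
        if master == "none":
            continue
        if master not in ifaces:
            findings.append((name, f"master {master} not defined"))
            continue
        m_freq, s_freq = effective(ifaces[master]), effective(iface)
        if m_freq and s_freq and m_freq != s_freq:
            findings.append((name, f"{s_freq} vs master {m_freq}"))
    return findings


def unisolated_open_ssids(cfg: Export) -> List[str]:
    """Open SSIDs whose datapath still allows client-to-client forwarding."""
    open_profiles = set(open_security_profiles(cfg))
    datapaths = {d.get("name", ""): d for d in cfg.get("/caps-man datapath", [])}
    out = []
    for conf in cfg.get("/caps-man configuration", []):
        dp = datapaths.get(conf.get("datapath", ""), {})
        if conf.get("security") in open_profiles and dp.get("client-to-client-forwarding") != "no":
            out.append(conf.get("ssid", ""))
    return out


if __name__ == "__main__":
    cfg = parse_export(SAMPLE_EXPORT)
    print("open profiles:", open_security_profiles(cfg))
    print("slave frequency mismatches:", slave_frequency_mismatches(cfg))
    print("open SSIDs with client-to-client forwarding:", unisolated_open_ssids(cfg))
```

Run it against a saved `/export` by replacing `SAMPLE_EXPORT` with the file contents; the parser ignores `set [ find ... ]` selectors and unrelated sections, so the whole export can be fed in unchanged.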
 
kristapsesterlins
just joined
Topic Author
Posts: 4
Joined: Mon Aug 16, 2021 11:37 am

Re: [SOLVED] CAPsMAN - Connectivity issues with private and public APs

Mon Jan 31, 2022 4:40 pm

The issue has been resolved with the help of folks at Mikrotik IRC. I have removed the static interfaces and deployed them with a dynamic configuration.

I still do not understand why it won't work if I copy the dynamically created interfaces, but I will leave it as it is.

/caps-man configuration

add channel.control-channel-width=20mhz channel.extension-channel=disabled channel.reselect-interval=19h12m country=latvia datapath="Main" installation=indoor mode=ap name="Main (2.4 Ghz)" rates="802.11b Rates Disabled" security=\
    "Main" ssid="Main"
add channel.extension-channel=XX channel.reselect-interval=19h12m country=latvia datapath="Main" installation=indoor mode=ap name="Main (5 Ghz)" rates="802.11b Rates Disabled" security="Main" ssid="Main"
add channel.control-channel-width=20mhz channel.extension-channel=disabled channel.reselect-interval=19h12m country=latvia datapath="Guest" installation=indoor mode=ap name="Guest (2.4 Ghz) " rates=\
    "802.11b Rates Disabled" security="Guest" ssid="Guest"
add channel.extension-channel=XX channel.reselect-interval=19h12m country=latvia datapath="Guest" installation=indoor mode=ap name="Guest (5 Ghz)" rates="802.11b Rates Disabled" security="Guest" ssid=\
    "Guest"
