We have a CAPsMAN setup with 5 active CAPs and one CAPsMAN manager (CCR1009-7G-1C). Many Windows and iOS clients disconnect after 10-15 minutes. Sometimes the SSID is not listed at all, or clients cannot connect.
I am out of ideas about what could cause the problem. I'll paste my config below. Clients also can't measure more than 30 Mb/s on WiFi.
It's pretty messy, but I can't take the device out of production, and the previous sysadmin didn't really care about the system.
# mar/07/2022 10:13:32 by RouterOS 6.48.3
# software id = F9VM-XBST
#
# model = CCR1009-7G-1C
# serial number = 84A107B1CF12
/interface bridge
# DEV SSID datapath bridge (dp_dev). DHCP snooping is on: only ports marked
# trusted may source DHCP server replies, which blocks rogue DHCP servers
# among DEV clients.
add dhcp-snooping=yes name=br_dev
# Office SSID datapath bridge (dp_office). No DHCP snooping here, unlike
# br_dev -- presumably an oversight; worth aligning.
add name=br_office
# Main LAN bridge. Every physical port is a member (see /interface bridge
# port), including ether1, which the WAN interface list also claims.
# proxy-arp is what lets LAN hosts reach the VPN clients that /ppp profile
# bridges onto it.
add arp=proxy-arp name=bridge1
# Guest/hotspot datapath bridge; spanning tree disabled.
add name=bridge_guest protocol-mode=none
/interface ethernet
# Every port has speed=100Mbps set. auto-negotiation is not shown as
# disabled, so what the links actually run at depends on the peers;
# NOTE(review): if the CAP uplinks or the LAN uplink really negotiate 100M
# (half duplex in the worst case), that alone explains a ~30 Mb/s ceiling.
# Verify with /interface ethernet monitor.
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
/caps-man datapath
# dp-1 uses local forwarding (client traffic is bridged on the CAP itself);
# it is not referenced by any configuration in this export.
add bridge=bridge1 local-forwarding=yes name=dp-1
# The three live datapaths tunnel client traffic back to this manager
# (local-forwarding=no). Their bridges have no physical ports, so all guest,
# DEV and office WiFi traffic is hairpinned through the CCR: it arrives
# encapsulated from the CAP on bridge1, is routed here and leaves again via
# bridge1 towards the 192.168.0.200 gateway.
add bridge=bridge_guest local-forwarding=no name=dp-guest
add bridge=br_dev local-forwarding=no name=dp_dev
add bridge=br_office local-forwarding=no name=dp_office
/caps-man configuration
# Internal office SSID. Security is defined inline (no named profile) with
# wpa-psk and wpa2-psk both enabled; WPA1 mixed mode buys compatibility with
# very old clients only and is a common source of (re)association trouble --
# consider wpa2-psk only on all three SSIDs.
# country="new zealand" disagrees with the guest configuration (hungary)
# below; see the note there.
add channel.band=2ghz-g/n channel.control-channel-width=20mhz \
channel.extension-channel=disabled channel.frequency=2412,2437,2462 \
country="new zealand" datapath=dp_office mode=ap name=\
"Config - 1 - 6 -11" rates.ht-basic-mcs=mcs-0 \
security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
aes-ccm security.group-encryption=aes-ccm ssid=...
/caps-man rates
# Name is a typo of "basic6" but metri_dev references it as-is; renaming
# means changing both places. No 802.11b rates (1/2/5.5/11 Mbps): b-only
# clients cannot join the DEV SSID.
add basic=6Mbps name=baisc6 supported=\
6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
# Both profiles are identical (WPA/WPA2-PSK, CCMP); the passphrases are not
# shown in this export. Same wpa-psk remark as above.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=metri_sec
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
group-encryption=aes-ccm name=sec-guest
/caps-man configuration
# Guest SSID. This is the master configuration in the provisioning rule, so
# its channel list and country=hungary are what the CAP radios actually run.
# Five CAPs (per the post) on three non-overlapping 2.4 GHz channels means at
# least two of them share a channel, and only 2.4 GHz configurations exist
# here -- both bound the achievable throughput.
add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz \
channel.frequency=2412,2437,2462 country=hungary datapath=dp-guest mode=\
ap name=MetriVendeg security=sec-guest ssid="... - Vendeg"
# DEV SSID; a slave of MetriVendeg, so its own channel/country values are
# presumably ignored (the radio is shared) -- TODO confirm. The band mismatch
# (g/n here vs b/g/n on the master) and the country mismatch should be
# aligned regardless.
add channel.band=2ghz-g/n channel.control-channel-width=20mhz \
channel.extension-channel=disabled channel.frequency=2412,2437,2462 \
country="new zealand" datapath=dp_dev mode=ap name=metri_dev rates=baisc6 \
security=metri_sec ssid="... - DEV"
/interface list
# WAN holds ether1 and LAN the remaining ports (see /interface list member).
# Because all of them are also bridge1 members, the lists describe intent
# more than they drive forwarding.
add name=WAN
add name=LAN
/interface wireless security-profiles
# Local wireless default profile; the CCR1009 has no radio of its own, the
# CAPsMAN profiles above are what matters.
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
# Captive-portal profile for the guest bridge; the login page is served from
# 192.168.5.1.
add dns-name=vendeg.....hu hotspot-address=192.168.5.1 name=hsprof1
/ip pool
# vpn: local-address pool of the openvpn PPP profile.
add name=vpn ranges=10.0.0.2-10.0.0.100
# questwifi: guest hotspot leases (192.168.5.0/24).
add name=questwifi ranges=192.168.5.100-192.168.5.200
# dhcp: a slice of the main LAN; handed to PPP clients as local/remote
# addresses, not served by any DHCP server in this export. Whatever serves
# DHCP on 192.168.0.0/24 now must exclude .100-.140 or addresses collide --
# TODO confirm.
add name=dhcp ranges=192.168.0.100-192.168.0.140
# l2tp-pool: defined but not referenced anywhere in this export.
add name=l2tp-pool ranges=192.168.10.10-192.168.10.20
# dhcp_pool5 / dhcp_pool6: DEV (br_dev) and office (br_office) leases.
add name=dhcp_pool5 ranges=192.168.6.200-192.168.6.250
add name=dhcp_pool6 ranges=192.168.7.10-192.168.7.200
/ip dhcp-server
add address-pool=questwifi disabled=no interface=bridge_guest lease-time=1h \
name=guest_dhcp
# Named dhcp_office but serves br_dev (192.168.6.x) -- misleading name.
add address-pool=dhcp_pool5 disabled=no interface=br_dev lease-time=6h name=\
dhcp_office
# dhcp2 serves br_office (192.168.7.x).
add address-pool=dhcp_pool6 disabled=no interface=br_office lease-time=6h \
name=dhcp2
/ip hotspot
add address-pool=questwifi interface=bridge_guest name=hotspot1 profile=\
hsprof1
/ppp profile
# All three profiles bridge VPN clients straight onto bridge1 (the main LAN):
# a VPN user lands on the same L2 segment as every wired host.
add bridge=bridge1 local-address=vpn name=openvpn remote-address=dhcp
add bridge=bridge1 change-tcp-mss=yes dns-server=1.1.1.1,8.8.8.8 \
local-address=dhcp name=l2tp-profile remote-address=dhcp
add bridge=bridge1 change-tcp-mss=yes dns-server=1.1.1.1,8.8.8.8 \
local-address=dhcp name=pptp-profile remote-address=dhcp
/queue type
# Names say 5M but pcq-rate is 6M per address.
add kind=pcq name=pcq-upload-5M pcq-classifier=src-address pcq-rate=6M
add kind=pcq name=pcq-download-5M pcq-classifier=dst-address pcq-rate=6M
/queue simple
# Per-guest rate limit; disabled, so guests are currently unthrottled.
add disabled=yes name=VendegKorlatPerIP queue=pcq-upload-5M/pcq-download-5M \
target=192.168.5.0/24
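/system logging action
# Remote syslog to 192.168.0.214. The export pinned src-address=192.168.0.200,
# an address that is disabled on this router (/ip address) and is now the
# default gateway (/ip route) -- messages sourced from an address the router
# does not own are either not sent or arrive looking spoofed. src-address is
# left unset so the router uses the address of the egress interface.
# NOTE(review): no /system logging rule referencing this action appears in
# the export; confirm that something actually ships logs to the collector.
add name=syslogserver remote=192.168.0.214 target=remote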
/user group
# Built-in "full" group. telnet and ftp grant cleartext login paths, and
# password/sensitive let any member read or change secrets. A dedicated admin
# group without telnet/ftp would shrink the exposure without touching users.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
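/caps-man access-list
# Entries are evaluated top-down, first match wins. In the export most of the
# per-MAC entries sat below the two interface=all rules that together cover
# the whole signal range (-120..120), so they were never reached. They are
# moved above the catch-all rules here. The duplicate entries for
# 14:18:C3:3B:9E:9E and 70:66:55:9E:C0:F9 (second copy unreachable even after
# the move) are dropped; the first copy's settings are kept.
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
16:DE:AB:19:AC:19 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
40:D6:3C:71:64:FA ssid-regexp=""
add action=accept allow-signal-out-of-range=1m comment=smarton disabled=no \
mac-address=14:18:C3:3B:9E:9E ssid-regexp=""
add action=accept allow-signal-out-of-range=10s comment=nnimrod disabled=no \
mac-address=70:66:55:9E:C0:F9 ssid-regexp=""
# action is omitted on the next two; it defaults to accept.
add allow-signal-out-of-range=10s comment=cza disabled=no mac-address=\
00:28:F8:CE:EE:EC ssid-regexp=""
add allow-signal-out-of-range=10s comment=csa disabled=no mac-address=\
5C:51:4F:8D:86:8C ssid-regexp=""
# Catch-all: accept clients heard at -80 dBm or better, reject weaker ones.
# allow-signal-out-of-range=10s means an already connected client whose
# signal stays below -80 dBm for 10 s is kicked off. With 2.4 GHz only and
# five CAPs sharing three channels this is a plausible cause of the reported
# disconnects; consider a lower threshold (e.g. -85..120) and/or a longer
# grace period before changing anything else.
add action=accept allow-signal-out-of-range=10s disabled=no interface=all \
signal-range=-80..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=all \
signal-range=-120..-81 ssid-regexp=""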
/caps-man manager
# Auto-generated manager certificates. require-peer-certificate is not set
# (default no), so any CAP that can reach this manager is accepted and, via
# the live provisioning rule below, handed the SSID/datapath/security
# configuration -- including a rogue AP plugged into the LAN. Issue CAP
# certificates and set require-peer-certificate=yes.
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
# Three disabled placeholder rules without master-configuration; dead entries.
add action=create-dynamic-enabled disabled=yes
# The only live rule. It has no radio-mac / identity-regexp filter, so it
# matches every CAP. MetriVendeg is the master (its radio settings apply);
# the two internal SSIDs are virtual slaves on the same radio.
add action=create-dynamic-enabled master-configuration=MetriVendeg \
name-format=prefix-identity name-prefix=cap_ slave-configurations=\
"Config - 1 - 6 -11,metri_dev"
add action=create-dynamic-enabled disabled=yes
add action=create-dynamic-enabled disabled=yes
/interface bridge port
# Every physical port, including ether1 (listed as WAN), is a member of
# bridge1 with hardware offload disabled. Consequences visible elsewhere in
# this export: firewall/NAT rules matching on in-interface=ether1 are invalid
# (RouterOS flags them in generated comments there), and if ether1 is patched
# to an upstream, that segment shares a broadcast domain with the wired LAN.
# hw=no also means the CPU switches all bridge traffic.
add bridge=bridge1 hw=no interface=ether1
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
add bridge=bridge1 hw=no interface=ether6
add bridge=bridge1 hw=no interface=ether7
add bridge=bridge1 hw=no interface=combo1
/ip neighbor discovery-settings
# Neighbor discovery runs on every static interface, which includes the
# guest bridge -- the router advertises itself to hotspot clients.
set discover-interface-list=!dynamic
/interface l2tp-server server
# L2TP with mandatory IPsec. The IPsec secret is not shown here --
# NOTE(review): confirm one is set.
set default-profile=l2tp-profile enabled=yes use-ipsec=yes
/interface list member
# ether1 is the only WAN member; see the bridge-port note above.
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=combo1 list=LAN
/interface ovpn-server server
# OpenVPN in ethernet (TAP) mode with client certificates required.
set certificate=...VPNCA enabled=yes mode=ethernet \
require-client-certificate=yes
/interface pptp-server server
# PPTP is enabled with pap, chap and mschap1 allowed besides mschap2. PAP is
# cleartext and the MS-CHAP variants are offline-crackable; prefer the
# L2TP/IPsec or OpenVPN server above and disable this one once no client
# depends on it. (See also the matching input rule in /ip firewall filter.)
set authentication=pap,chap,mschap1,mschap2 default-profile=pptp-profile \
enabled=yes
/ip address
# 192.168.0.201 sits on ether2, a bridge1 slave port; RouterOS marks addresses
# on slave ports invalid, so the router's working 192.168.0.x address most
# likely comes from the DHCP client on bridge1 below -- TODO confirm with
# /ip address print (look for the I flag).
add address=192.168.0.201/24 comment=defconf interface=ether2 network=\
192.168.0.0
# Former static public address on ether1, disabled.
add address=185.63.46.107/24 disabled=yes interface=ether1 network=\
185.63.46.0
# Gateway and hotspot address of the guest network.
add address=192.168.5.1/24 interface=bridge_guest network=192.168.5.0
# .200 is disabled here and is now the default gateway (/ip route): it was
# moved off this box. Other references to it (the syslog action's
# src-address, /ip dns servers) are stale or point at the upstream router.
add address=192.168.0.200/24 disabled=yes interface=ether2 network=\
192.168.0.0
add address=192.168.6.254/24 interface=br_dev network=192.168.6.0
add address=192.168.7.254/24 interface=br_office network=192.168.7.0
/ip cloud
# DDNS registers this router's public address with MikroTik cloud.
set ddns-enabled=yes
/ip dhcp-client
# The router obtains its own address on bridge1 -- presumably from the DHCP
# server on 192.168.0.0/24, not from an ISP -- and may add a default route
# next to the static one in /ip route.
add interface=bridge1
/ip dhcp-server lease
# Static lease in 192.168.0.0/24, but no DHCP server in this export serves
# that subnet; presumably left over from a removed server.
add address=192.168.0.103 client-id=1:f4:8c:eb:ef:a5:17 mac-address=\
F4:8C:EB:EF:A5:17
/ip dhcp-server network
# Guests and DEV clients are handed public resolvers directly.
add address=192.168.5.0/24 dns-server=1.1.1.1,8.8.8.8 domain=...vendeg \
gateway=192.168.5.1 netmask=24
add address=192.168.6.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.6.254
# No dns-server for the office network, so clients presumably get the
# router's own address (RouterOS does that when allow-remote-requests=yes).
# The input chain never accepts UDP/53 from 192.168.7.0/24 (the
# in-interface=!ether1 accepts are invalid), so office clients would have no
# working DNS -- a "connected but nothing loads" symptom. TODO confirm on a
# client.
add address=192.168.7.0/24 gateway=192.168.7.254
/ip dns
# Resolver forwards to the LAN gateway first, then public servers. Remote
# requests are allowed, so the input chain is what decides who may query it.
set allow-remote-requests=yes servers=192.168.0.200,8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.0.219 name=mail.....hu
/ip firewall address-list
# Guest address range; not referenced by any rule in this export.
add address=192.168.5.2-192.168.5.254 list=guest_iplist
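/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# Rules of one chain are evaluated in the order they appear, first match
# wins, even though chains are interleaved in this listing.
add action=drop chain=input comment="Drop Invalid connections" \
connection-state=invalid
# Only TCP/53 from the wired LAN is opened towards the router's resolver;
# there is no UDP/53 accept anywhere in the input chain.
add action=accept chain=input dst-port=53 protocol=tcp src-address=\
192.168.0.0/24
add action=accept chain=forward comment=metri_dev_accept dst-address=\
192.168.0.0/24 src-address=192.168.6.0/24
add action=accept chain=forward comment=metri_office_accept dst-address=\
192.168.0.0/16 src-address=192.168.7.0/24
add action=accept chain=forward comment=metri_office_accept dst-address=\
192.168.7.0/24 src-address=192.168.0.0/16
add action=accept chain=forward comment=metri_dev_accept dst-address=\
192.168.61.0/24 src-address=192.168.6.0/24
add action=accept chain=forward comment=metri_dev_accept dst-address=\
192.168.6.0/24 src-address=192.168.61.0/24
# Guest isolation. In the export this drop sat below the blanket accept for
# src-address=192.168.5.0/24 and therefore never matched: hotspot guests
# could reach the whole 192.168.0.0/24 LAN. It now precedes the accept.
# Nothing blocks 192.168.5.0/24 -> 192.168.6.0/24 or 192.168.7.0/24 yet.
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=\
192.168.5.0/24
add action=accept chain=forward src-address=192.168.5.0/24
add action=accept chain=forward comment=\
"allow already established connections" connection-state=established
# DEV subnet may forward anywhere.
add action=accept chain=forward src-address=192.168.6.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
192.168.0.0/24
# Management and VPN services. Winbox (8291) is accepted from any source
# address -- the guest subnet and anything reaching bridge1 through ether1
# included. Restrict it to a src-address-list of management hosts.
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input dst-port=1194 protocol=tcp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
# PPTP's control channel is TCP/1723; the export had protocol=udp, so new
# PPTP sessions fell through to "Drop everything else". GRE is accepted
# below. (Whether PPTP should stay enabled at all is a separate question --
# see /interface pptp-server server.)
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=gre
add action=drop chain=forward dst-address=192.168.5.0/24 src-address=\
192.168.0.0/24
add action=accept chain=forward comment=metri_dev_accept dst-address=\
192.168.6.0/24 src-address=192.168.0.0/24
add action=accept chain=input comment="Allow Established connections" \
connection-state=established
add action=accept chain=input comment="Allow ICMP" protocol=icmp
# The next three rules are invalid: ether1 is a bridge1 port, so RouterOS
# cannot match on it (the generated comments say so) and the rules never
# fire. Net effect: hosts in 192.168.0.0/24, 192.168.5.0/24 and
# 192.168.88.0/24 only reach the router services listed explicitly above;
# everything else, UDP DNS included, hits "Drop everything else" (apart from
# whatever the hotspot's dynamic rules add for bridge_guest). The ether1
# exclusion cannot be expressed while ether1 is a bridge port: either take
# ether1 out of bridge1 (then these rules become valid as written) or match
# on the bridge the subnet actually arrives on (bridge1 / bridge_guest)
# together with the src-address.
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=accept chain=input in-interface=!ether1 src-address=192.168.0.0/24
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=accept chain=input in-interface=!ether1 src-address=192.168.5.0/24
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=accept chain=input in-interface=!ether1 src-address=\
192.168.88.0/24
add action=drop chain=input comment="Drop everything else"
# Remainder of the forward chain. Note there is no final drop for forward:
# anything not matched by the rules above or below (e.g. office -> Internet)
# is accepted by default.
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid protocol=tcp
add action=accept chain=forward comment="allow related connections" \
connection-state=related
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
# The tcp/udp/icmp chains only see forward traffic that no accept above
# matched.
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 \
protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 \
protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 \
protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=\
tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 \
protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 \
protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=\
udp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
protocol=icmp
add action=accept chain=icmp comment=\
"host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 \
protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
protocol=icmp
add action=drop chain=icmp comment="deny all other types"
# Everything below that is in chain=input comes after the unconditional
# "Drop everything else" and is unreachable: the FTP and SSH brute-force
# rules never run, ssh_blacklist never fills, and the forward drop that
# references it is a no-op. Either move them above the final input drop
# (adding an accept for 22 if SSH is meant to be reachable) or delete them.
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist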
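/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# out-interface-list=WAN resolves to ether1, a bridge1 slave; whether this
# rule ever matches depends on that -- NOTE(review): check its counters.
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
0.0.0.0/0
# Guest/DEV/office subnets are masqueraded towards every destination
# (dst-address=0.0.0.0/0 matches everything), the internal 192.168.0.0/24
# LAN included. Hosts there (mail server, cameras, syslog collector) log the
# router's address instead of the real client, so per-client accountability
# on the LAN side is lost. If the 192.168.0.200 gateway can be given routes
# for 192.168.5/6/7.0/24, plain routing is preferable.
add action=masquerade chain=srcnat comment=metrivendeg dst-address=0.0.0.0/0 \
src-address=192.168.5.0/24
add action=masquerade chain=srcnat comment=metri_dev dst-address=0.0.0.0/0 \
src-address=192.168.6.0/24
add action=masquerade chain=srcnat comment=metri_office dst-address=0.0.0.0/0 \
src-address=192.168.7.0/24
# Every dst-nat rule below is invalid (ether1 is a bridge port; see the
# generated comments), so none of these port forwards currently work. When
# re-enabling them, match on the router's public address
# (dst-address=<WAN address>, a placeholder here) instead of on ether1;
# matching on bridge1 alone would redirect LAN-side traffic to the router as
# well. The forwards publish cleartext mail/web ports (25/80/110/143) of
# 192.168.0.219 -- worth revisiting while they are off anyway.
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=dst-nat chain=dstnat dst-port=37777 in-interface=ether1 protocol=\
tcp to-addresses=192.168.0.215 to-ports=37777
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=dst-nat chain=dstnat dst-port=8888 in-interface=ether1 protocol=\
tcp to-addresses=192.168.0.215 to-ports=80
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=dst-nat chain=dstnat dst-port=37778 in-interface=ether1 protocol=\
udp to-addresses=192.168.0.215 to-ports=37778
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=dst-nat chain=dstnat dst-port=554 in-interface=ether1 protocol=tcp \
to-addresses=192.168.0.215 to-ports=554
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=dst-nat chain=dstnat dst-port=5222 in-interface=ether1 protocol=\
tcp to-addresses=192.168.0.246 to-ports=5222
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=dst-nat chain=dstnat dst-port=25 in-interface=ether1 protocol=tcp \
to-addresses=192.168.0.219 to-ports=25
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp \
to-addresses=192.168.0.219 to-ports=80
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=dst-nat chain=dstnat dst-port=110 in-interface=ether1 protocol=tcp \
to-addresses=192.168.0.219 to-ports=110
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=dst-nat chain=dstnat dst-port=143 in-interface=ether1 protocol=tcp \
to-addresses=192.168.0.219 to-ports=143
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp \
to-addresses=192.168.0.219 to-ports=443
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=dst-nat chain=dstnat dst-port=465 in-interface=ether1 protocol=tcp \
to-addresses=192.168.0.219 to-ports=465
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=dst-nat chain=dstnat dst-port=587 in-interface=ether1 protocol=tcp \
to-addresses=192.168.0.219 to-ports=587
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=dst-nat chain=dstnat dst-port=993 in-interface=ether1 protocol=tcp \
to-addresses=192.168.0.219 to-ports=993
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge1)
add action=dst-nat chain=dstnat dst-port=995 in-interface=ether1 protocol=tcp \
to-addresses=192.168.0.219 to-ports=995
add action=dst-nat chain=dstnat disabled=yes dst-port=8080 in-interface=\
ether1 protocol=tcp to-addresses=192.168.0.219 to-ports=8080
# The export ended with a second masquerade for 192.168.5.0/24 ("masquerade
# hotspot network"); the metrivendeg rule above already matches all guest
# traffic, so it was unreachable and has been removed.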
/ip hotspot user
# No password is visible for either account (the export may hide it) --
# NOTE(review): confirm "admin" is not passwordless.
add name=admin
# Test account with a 5-minute uptime cap; remove once no longer needed.
add limit-uptime=5m name=teszt1
/ip route
# Static default via the LAN gateway 192.168.0.200; the DHCP client on
# bridge1 may add a second default route. No check-gateway, so this route
# stays active even if .200 stops answering.
add distance=1 gateway=192.168.0.200