tuxtlequino
Frequent Visitor
Topic Author
Posts: 68
Joined: Tue Feb 16, 2016 12:46 am

Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Wed Jun 01, 2022 9:52 pm

I have the tutorial written on Markdown but I see that this doesn't use Markdown. At this point it is easier for me to just link the PDF to the tutorial. If you find this useful, I will post the tutorial on here on Friday or Saturday. Any helpful tip is appreciated. I do want some input from people that know what they are doing and see something that I need to change in my configuration.

DISCLAIMER - You have to manually add every VLAN to every CAP where you want the CAP to have access to the particular VLAN. This becomes a serious issue when you have lots of VLANs or CAPs. A script to maintain this is recommended then!


If you understand VLANS and want to skip to the good part, jump to the next post that deals with RADIUS and CAPsMAN.

Purpose

There is not a lot of clear information about how to accomplish this. There are bits and pieces for this in different places, but it seems as if there are a lot of things that are being assumed, and that makes things very complicated to figure out. I figured that it is easier to understand things when people who are just figuring things out are trying to explain them. Usually newbies don't think you are an idiot if you don't know something basic. Also, there are a couple of good tutorials in this forum (VLANs and Wireguard) and that is the most useful thing on the forum. I want to do the same thing for the ones trying to get RADIUS authentication on their wifi routers!

Disclaimer

* This is working on ROS7. DO NOT TRY ON ROS6
* I will not explain how to install the package for your ROS7 User Manager installation since there are plenty of easy examples how to accomplish that.
* This is coming from someone who does this as a hobby. I am a manager for an institution that has NOTHING to do with computers. Needless to say I am a novice but not an idiot. So take this tutorial with a grain of salt.
* I wrote this for myself and used Markdown. This forum doesn't have a way to display tables in a nice way.
* For the sake of this experiment, I will show most of the configuration. This should help you set up your own VLANs if you want; but it is not a tutorial on VLANs. I found it surprising that there are a couple of good tutorials on VLANs here. Check them out.
* I don't have spell check on this program. English is not my first language either. If you notice something, let me know and I will correct it.
* I WILL NOT TALK ABOUT FIREWALLS OR NAT HERE. NOR WILL I BE TALKING EXTENSIVELY ABOUT CAPSMAN. THAT MAY BE A PLACE WHERE YOUR CONFIGURATION BREAKS BUT I AM NOT THE ONE TO TALK ABOUT THAT!

A problem many beginners have is that they learn by trial and error. Someone told me "Newbies learn by messing things up." If you are stuck somewhere, it may be better for you to start from the beginning and follow some simple examples. Once you have something working, then try something else.

Initial BRIDGE and VLAN SET-UP

IF YOU UNDERSTAND THIS SECTION, JUMP TO THE RADIUS SECTION, but you may need this as a reference to what I will do later on. It will take you 2 min to read. It may be helpful!

VLAN Descriptions

| VLAN NAME | VLAN ID | SUMMARY | VLAN DESCRIPTION |
| --------- | ------- | ---------- | ------------------------------------------------------------ |
| VLAN100 | 100 | WORK | This VLAN will be used for work. The NAS will be included here since we use SMB to connect to some of the folders inside the NAS.|
| VLAN300 | 300 | GUESTS | Guest VLAN. It isolates people from our work and security VLANs|

BRIDGE and VLANS

The first thing you need to set up is the bridge. This is where you will be putting all the VLANs. Notice that it is not filtering anything since you want to first set up everything.
/interface bridge
add add-dhcp-option82=yes comment="VLAN bridge" dhcp-snooping=yes frame-types=admit-only-vlan-tagged igmp-snooping=yes name=br-VLANs protocol-mode=none vlan-filtering=no

/interface vlan
add comment=Work interface=br-VLANs name=VLAN100 vlan-id=100
add comment=Guests interface=br-VLANs name=VLAN300 vlan-id=300
Since I will be using DHCP, this is the list we have to get an idea of IPs.

DHCP

First we will add our VLAN address. Since this router will be the one providing DHCP and all the other routes, this router would have to have an address added here and also, later on, you need to make sure that the br-VLANs is added to every VLAN this router is providing DHCP and routing for.

| VLAN NAME | VLAN ID | SUMMARY | IP Range |
| --------- | ------- | ---------- | ----------------------------- |
| VLAN100 | 100 | WORK | 192.168.100.100-192.168.100.200 |
| VLAN300 | 300 | GUESTS | 192.168.30.100-192.168.30.200 |
/ip address
add address=192.168.100.1/24 interface=VLAN100 network=192.168.100.0
add address=192.168.30.1/24 interface=VLAN300 network=192.168.30.0

/ip pool
add name=WorkPool ranges=192.168.100.100-192.168.100.200
add name=GuestsPool ranges=192.168.30.100-192.168.30.200

/ip dhcp-server
add address-pool=WorkPool disabled=no interface=VLAN100 lease-time=3h name=dhcpWork add-arp=yes
add address-pool=GuestsPool disabled=no interface=VLAN300 lease-time=2h name=dhcpGuests add-arp=yes

/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1 netmask=24
add address=192.168.30.0/24 gateway=192.168.30.1 netmask=24
Joining Ports to the Bridge-VLAN

The real VLAN configuration takes place below,

Trunks and others

This is where something can get complicated. Not because it is hard, but you need to reference things. It is helpful to keep some tables in mind as we move forward.

Like one can see below, the ports have to be added to the VLAN bridge. If the port is a "Trunk" then there is no need to specify the "pvid". If the port happens to be a single untagged line, or a Hybrid port, you need to specify the pvid of the untagged port here. It is important to look at the reference table if you are getting confused.


Access Ports

| Interface | Interface SUMMARY | Interface VLAN(S) |
| ---------- | ------------------------------ | ---------------------------------- |
| sfp+1 | => Main switch trunk | 100, 300 |
| sfp+2 | => Secondary switch trunk | 100, 300 |
| sfp+3 | => Sample computer | 100 |
| sfp+4 | => Sample computer | 300 |
| sfp+5 | => Front Office's fiber trunk | 100, 300 |
| ether1 | <= Wan | |

Sometimes it is easier to organize things by VLAN. If you don't know what an untagged port is, try to google it. My simple explanation is that those are the ports that carry a single VLAN. Ports or interfaces that carry several VLANs are called tagged interfaces or TRUNKS.

| VLAN Name | VLAN SUMMARY | Untagged Interfaces | Tagged Interfaces |
| --------- | ------------- | ------------------- | --------------------------------- |
| VLAN100 | WORK | sfp+3 | sfp+1, sfp+2, sfp+5 |
| VLAN300 | GUESTS | sfp+4 | sfp+1, sfp+2, sfp+5 |

Ingress Behavior

Ingress is what happens when packets come into the router.

To make everything easy we are going to start with the untagged ports. We will start by VLAN number. I used to add these by interface number, but I now find it easier to do it by VLAN id.

Untagged ports

# Access Ports
/interface bridge port

# VLAN100 - Work
add bridge=br-VLANs interface=sfp+3 pvid=100

# VLAN300 - Guest
add bridge=br-VLANs interface=sfp+4 pvid=300

Trunk Ports - Tagged

These are the tagged ports or the trunk ports. We need to also add the ingress behavior, but it is not necessary to add the pvid since the default is 1.
add bridge=br-VLANs interface=sfp+1
add bridge=br-VLANs interface=sfp+2
add bridge=br-VLANs interface=sfp+5
Bridge VLAN Table - Egress Behavior

The next thing we need to update is the actual VLAN table. Here we will declare which ports carry what and how. Usually the tagged VLANs are those that will be part of a trunk and the untagged ports are those to which we will connect other devices or computers that are not VLAN capable.

** NOTE: We used to add the untagged interfaces here, but it is NOT NECESSARY since Mikrotik does this automatically in the new RouterOS versions. The only ports that we will be adding are the trunk (or untagged) ports.**

Egress Behavior - Trunk ports
/interface bridge vlan
add bridge=br-VLANs comment="Work VLAN" tagged=br-VLANs,sfp+1,sfp+2,sfp+5 vlan-ids=100
add bridge=br-VLANs comment="Guest VLAN" tagged=br-VLANs,sfp+1,sfp+2,sfp+5 vlan-ids=300
Finishing the Bridge-VLAN

As mentioned somewhere above, once the VLAN setup is finished, we proceed to enable the bridge VLAN-filtering. This is especially useful for ingress-filtering. We will also enable "*igmp-snooping*", which controls multicast streams and prevents multicast flooding, and is implemented in RouterOS starting with version 6.41. Notice below that to add some security, we are also adding the frame-types option.

VLAN Security

We will make sure that every port in our switch can only admit untagged packets and priority tagged. This will be applied to EVERY untagged port. We are just updating the settings so this is just to finish this in an easy way.
/interface bridge port

# Untagged Ports

set [find interface=sfp+3] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
set [find interface=sfp+4] ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

# Tagged Ports
set [find interface=sfp+1] frame-types=admit-only-vlan-tagged
set [find interface=sfp+2] frame-types=admit-only-vlan-tagged
set [find interface=sfp+5] frame-types=admit-only-vlan-tagged

# FINISH VLAN CONFIG

/interface/bridge
set [find name=br-VLANs] vlan-filtering=yes
Last edited by tuxtlequino on Thu Oct 05, 2023 11:11 pm, edited 4 times in total.
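The whole bridge setup above is derived from three small tables (VLAN ids, DHCP ranges, untagged and tagged ports), and most mistakes come from copying between them by hand. As an added example, not part of the tutorial and not MikroTik code, the Python script below keeps that plan as data, checks it for the slips that are easy to make (an octet such as 300 in an address, a DHCP pool outside its subnet, a port that is untagged in two VLANs or tagged and untagged in the same one) and renders the RouterOS CLI lines the tutorial enters one section at a time. The plan values mirror the tutorial's tables; the pool and DHCP server names (`VLAN100-pool`, `dhcp-VLAN100`) are this script's own naming, and the constructed plan is not a real network.

```python
import ipaddress
from dataclasses import dataclass

BRIDGE = "br-VLANs"   # bridge name used throughout the tutorial


@dataclass
class Vlan:
    name: str             # VLAN interface name, e.g. VLAN100
    vlan_id: int
    comment: str          # the SUMMARY column
    network: str          # subnet in CIDR form; the router takes the first host address
    pool: tuple           # (first, last) of the DHCP range
    untagged: list        # access ports: their pvid is this VLAN
    tagged: list          # trunk ports that carry this VLAN tagged
    lease_time: str = "3h"


# Constructed plan mirroring the tutorial's tables (VLAN300 uses 192.168.30.0/24 as its DHCP table does).
PLAN = [
    Vlan("VLAN100", 100, "Work", "192.168.100.0/24",
         ("192.168.100.100", "192.168.100.200"), ["sfp+3"], ["sfp+1", "sfp+2", "sfp+5"]),
    Vlan("VLAN300", 300, "Guests", "192.168.30.0/24",
         ("192.168.30.100", "192.168.30.200"), ["sfp+4"], ["sfp+1", "sfp+2", "sfp+5"], "2h"),
]


def validate(plan):
    """Return the problems found in the plan; an empty list means it is consistent."""
    problems = []
    if len({v.vlan_id for v in plan}) != len(plan):
        problems.append("duplicate vlan-id in plan")
    pvid = {}  # port -> the single VLAN it is untagged in
    for v in plan:
        if not 1 <= v.vlan_id <= 4094:
            problems.append(f"{v.name}: vlan-id {v.vlan_id} out of range")
        try:
            net = ipaddress.ip_network(v.network)
            lo, hi = (ipaddress.ip_address(a) for a in v.pool)
            if lo not in net or hi not in net or lo > hi:
                problems.append(f"{v.name}: pool {v.pool} is not inside {v.network}")
        except ValueError as err:  # an octet like 300 ends up here
            problems.append(f"{v.name}: bad address: {err}")
        for port in v.untagged:
            if pvid.setdefault(port, v.vlan_id) != v.vlan_id:
                problems.append(f"{port}: untagged in both VLAN {pvid[port]} and {v.vlan_id}")
            if port in v.tagged:
                problems.append(f"{port}: both tagged and untagged for {v.name}")
    return problems


def render(plan, bridge=BRIDGE):
    """Emit the RouterOS CLI lines for a validated plan, in the order the tutorial applies them."""
    problems = validate(plan)
    if problems:
        raise ValueError("; ".join(problems))
    nets = {v.name: ipaddress.ip_network(v.network) for v in plan}
    gw = {n: next(net.hosts()) for n, net in nets.items()}  # first usable host is the router
    out = ["/interface vlan"]
    out += [f"add comment={v.comment} interface={bridge} name={v.name} vlan-id={v.vlan_id}" for v in plan]
    out.append("/ip address")
    out += [f"add address={gw[v.name]}/{nets[v.name].prefixlen} interface={v.name} "
            f"network={nets[v.name].network_address}" for v in plan]
    out.append("/ip pool")
    out += [f"add name={v.name}-pool ranges={v.pool[0]}-{v.pool[1]}" for v in plan]
    out.append("/ip dhcp-server")
    out += [f"add address-pool={v.name}-pool disabled=no interface={v.name} "
            f"lease-time={v.lease_time} name=dhcp-{v.name} add-arp=yes" for v in plan]
    out.append("/ip dhcp-server network")
    out += [f"add address={nets[v.name]} gateway={gw[v.name]}" for v in plan]
    out.append("/interface bridge port")
    # access ports: pvid plus the ingress restriction the tutorial applies in its VLAN Security step
    for v in plan:
        out += [f"add bridge={bridge} interface={p} pvid={v.vlan_id} ingress-filtering=yes "
                f"frame-types=admit-only-untagged-and-priority-tagged" for p in v.untagged]
    # trunk ports appear once, however many VLANs they carry
    for p in sorted({p for v in plan for p in v.tagged}):
        out.append(f"add bridge={bridge} interface={p} frame-types=admit-only-vlan-tagged")
    out.append("/interface bridge vlan")
    out += [f'add bridge={bridge} comment="{v.comment} VLAN" tagged={",".join([bridge] + v.tagged)} '
            f"vlan-ids={v.vlan_id}" for v in plan]
    # last step: turn filtering on only after the table is complete
    out.append(f"/interface bridge set [find name={bridge}] vlan-filtering=yes")
    return out


if __name__ == "__main__":
    print("\n".join(render(PLAN)))
```

Running it prints the commands in the same order as the tutorial's sections; changing the VLAN300 subnet to `192.168.300.0/24` makes `validate` report the bad address instead of producing a config the router would reject.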
 
tuxtlequino
Frequent Visitor
Topic Author
Posts: 68
Joined: Tue Feb 16, 2016 12:46 am

PART II - RADIUS AND CAPsMAN

Wed Jun 01, 2022 10:03 pm

NOTE: I added a firewall rule that I forgot that was necessary and changed the /user-manager/user/group default auth to make sure you could use this to login into Mikrotik. Let me know if I am forgetting something!

RADIUS Pre-Requisites

I AM ASSUMING YOU ARE USING THE SAME ROUTER CONFIG AS ABOVE IF YOU ARE FOLLOWING STEP BY STEP. I think that you can figure out this just with the info below, but check above if run into an issue.

There are several things that need to be enabled in order to set RADIUS. I will not explain how to install the package for your ROS7 installation since there are plenty of easy examples how to accomplish that. The first thing you need to do is make sure that you can access your main router from the main router. More on this will be explained below.

Possible Firewall Problems

Making sure you can connect to your own router services

This is important. Depending on what type of firewall you have, you may not even be able to reach your own router. That will cause you to have problems reaching your RADIUS server or some of the CAPsMAN configuration. Make sure you can do the following before going any further,
/ping 127.0.0.1
Although I don't mean to offer an explanation to firewall filters since I would be the least qualified person on this, I will include the following for the sake of completeness. You may not be able to connect to your own router due to this firewall rule that is part of the default configuration on some routers.
/ip/firewall/filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!WITH_INTERNET
There is a very helpful post to explain why this rule was there, and how to get your router working. Just search "defconf: drop all not coming from LAN" on google and you should be able to get a link to the post on this forum and the replies.

To make a long story short, they recommended to add the following rule,
/ip/firewall/filter
add action=accept chain=input src-address-type=local dst-address-type=local
I put that rule above the one dropping all the traffic not coming from LAN and this configuration works for me. You may also not be able to connect to your own radius server. So make sure you don't only add the rule above but that your router has a rule to allow access to the RADIUS server. NOTICE THAT I AM USING THE LOOPBACK IP.
/ip/firewall/filter
add action=accept chain=input comment="Allow RADIUS access" dst-address=127.0.0.1 dst-port=1812,1813,3799 protocol=udp src-address=127.0.0.1
Again, I am not responsible for any damage following this advice and putting that rule on your router may cause. I am just including this for the sake of completeness and offer all the information here. Read the post I mentioned about to see what is happening and try to figure out yourself.

IP CLOUD

Enable IP CLOUD since you need to have a domain name. Again, I believe this is part of ROS7 and may not be available on ROS6
/ip cloud
set ddns-enabled=yes
Then print the domain name that you will be using to create your Let's Encrypt certificate.
/ip/cloud print

          ddns-enabled: yes
  ddns-update-interval: none
           update-time: yes
        public-address: 8.8.8.8
              dns-name: yourname.sn.mynetname.net
                status: updated
Let's Encrypt

Make sure that you have an http server running and accessible from your new dns-name. The easy way to do this is to enable the http service that comes in your mikrotik.
/ip/service enable www
Just know that if you cannot connect to this http service due to a firewall, you will not go anywhere on your certificate. But once you have access to port 80 on your router, you will be using that DNS-name you got above to do the following,
/certificate/settings set crl-use=yes
/certificate enable-ssl-certificate dns-name=yourname.sn.mynetname.net
If that works you now have a good certificate. It will let you know whether it was successful or not. Only then can you do the following,

/certificate/print

Flags: K - PRIVATE-KEY; T - TRUSTED
Columns: NAME, COMMON-NAME, SUBJECT-ALT-NAME, FINGERPRINT
#    NAME                                      COMMON-NAME                    SUBJECT-ALT-NAME                   FINGERPRINT
0 KT letsencrypt-autogen_1999-01-01T01:01:01Z  yourname.sn.mynetname.net  DNS:yourname.sn.mynetname.net  777777777777777777777777777777777777777777

That is ALL!
You now have a good certificate. You will use the name of your certificate later in the process, so make sure you have that NAME available.

I would also recommend that you disable the www service on your mikrotik router and make sure your firewall is working well now and blocking port 80 if it is not necessary in your config. Once that is done you can move to the next step
/ip/service disable www

User Manager

We will be using the new User-Manager to create users and enter the user's assigned VLANID that will be used by CAPsMAN to dynamically allocate the right VLAN. You first need to make sure that you have that installed! Also notice that you will be using YOUR certificate name.
# Enabling User Manager 
/user-manager
set enabled=yes certificate=letsencrypt-autogen_1999-01-01T01:01:01Z

# Adding user
/user-manager user
add attributes=Mikrotik-Wireless-VLANIDtype:2,Mikrotik-Wireless-VLANID:300 name=test password=123456789 shared-users=3

# The default encryption for this server
/user-manager user group
set [ find default-name=default ] inner-auths=peap-mschap2 outer-auths=mschap2,eap-tls,eap-peap,eap-mschap2

/user-manager router
add address=127.0.0.1 name=CAPsMAN shared-secret=1234

User

Notice that I decided to go with these attributes (Mikrotik-Wireless-VLANIDtype:2,Mikrotik-Wireless-VLANID:300) instead of (Tunnel-Medium-Type:6,Tunnel-Medium-Type:13,Tunnel-Private-Group-ID:300). Some people say that you can try the tunnel way and use the same configuration for DotX and wireless. Also in the documentation I read that you should try "Mikrotik-Wireless-VLANIDtype:0" instead of "Mikrotik-Wireless-VLANIDtype:2," but this is what worked for me. If you feel like expanding your knowledge after you get this to work, you are free to see if the tunnel attributes work or if it makes a difference to use VLANIDtype:0

User Group

Again, this is what worked for me. If you don't know what you are doing (like me most of the time) I suggest you start with this, read about the other options and see what breaks your installation.

Router

Since you are using the same router to configure everything, the address will be a loopback. If your router cannot loopback, you will have a really hard time diagnosing what in the world your problem is (it may have happened to me :)


Radius Client

Now, you need to create a client that can connect to your RADIUS server that in your case is actually the user-manager package. It is easy!
/radius
add address=127.0.0.1 service=login,wireless timeout=1s secret=1234

BONUS
Notice that I am also using this RADIUS client to authenticate into Mikrotik. This is how you get it done.
/user aaa
set accounting=yes default-group=read use-radius=yes

CAPsMAN

How to connect and use CAPsMAN is covered in detail by many youtube videos. I will just include what you need to make this work, assuming you had CAPsMAN working without Dynamic VLANs.
# Enable caps-man
/caps-man manager
set certificate=letsencrypt-autogen_1999-01-01T01:01:01Z enabled=yes

# Security
/caps-man security
add authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm group-encryption=aes-ccm name=RADIUS

# DataPath
/caps-man datapath
add bridge=br-VLANs name="Dynamic VLANs" vlan-mode=use-tag

# Configuration
/caps-man configuration
add country="united states" datapath="Dynamic VLANs" installation=indoor mode=ap name=Test security=RADIUS ssid=testing
Honestly, I just watched a couple of videos about CAPsMAN, but I found them kind of easy to understand once you figure out the details. I believe that the configuration above is self-explanatory.

Add CAP interfaces to bridge

Now you just need to make sure that your CAP devices are connected to your bridge carrying the VLANs. I will review what we had above in the VLAN setup and below tell you why that is necessary.
/interface bridge vlan
add bridge=br-VLANs comment="Work VLAN" tagged=br-VLANs,sfp+1,sfp+2,sfp+5 vlan-ids=100
add bridge=br-VLANs comment="Guest VLAN" tagged=br-VLANs,sfp+1,sfp+2,sfp+5 vlan-ids=300
As you can see, the interfaces need to be tagged in order to be able to get DHCP and routing. So, you need to add your CAP interfaces to the VLANs you want to use. If your cap interfaces are not added to your bridge, you will not get anywhere. You can find what cap interfaces you have in the interface gui or by doing the following,
/caps-man/interface print

Flags: M - MASTER; B - BOUND; R - RUNNING
Columns: NAME, RADIO-MAC, MASTER-INTERFACE
#     NAME  RADIO-MAC          MASTER-INTERFACE
0 MB  cap1  77:77:77:77:77:77  none
1 MBR cap2  77:77:77:77:77:77  none
In this particular case, I have two CAP interfaces named **cap1 and cap2**,

Again, if you don't add your cap interfaces to your bridge; you will connect to the CAP but will get no IP or get the IP of the bridge (since that is VLANID=1, that is not recommended anyway). That is why this step is very important.

Using my configuration as an example, I will modify the table above to show where I want those cap interfaces to go.

| VLAN Name | VLAN SUMMARY | Untagged Interfaces | Tagged Interfaces |
| --------- | ------------- | ------------------- | --------------------------------- |
| VLAN100 | WORK | sfp+3 | sfp+1, sfp+2, sfp+5, cap1, cap2 |
| VLAN300 | GUESTS | sfp+4 | sfp+1, sfp+2, sfp+5, cap1, cap2 |


Here I will just add these two caps to WORK and GUESTS like this,
/interface/bridge/vlan
set [find vlan-ids=100] tagged=br-VLANs,sfp+1,sfp+2,sfp+5,cap1,cap2
set [find vlan-ids=300] tagged=br-VLANs,sfp+1,sfp+2,sfp+5,cap1,cap2
And that is all.


Again, this is a tutorial by a newbie and I may not be the person to ask something outside this particular example, but I wanted to have some sort of documentation for myself and for those that are struggling to find a simple way to do this. It seems as if this forum is a mess to find anything, and people just hate to explain things to a newbie. Part of the problem is that many newbies are lazy and think that a forum is a place for people to do their homework and set up their configs, and are not interested in learning. Hopefully this will help someone.
Last edited by tuxtlequino on Thu Jun 02, 2022 9:09 am, edited 7 times in total.
 
tuxtlequino
Frequent Visitor
Topic Author
Posts: 68
Joined: Tue Feb 16, 2016 12:46 am

PDF document

Wed Jun 01, 2022 10:05 pm

If you rather read this on a PDF, here is the file.
 
Larsa
Forum Guru
Posts: 1025
Joined: Sat Aug 29, 2015 7:40 pm
Location: The North Pole, Santa's Workshop

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Wed Jun 01, 2022 11:30 pm

Really useful information, nice work! :thumbsup: :thumbsup:

Just a suggestion but maybe you should move this thread to a forum called "Useful user articles"
--

BR
 
tuxtlequino
Frequent Visitor
Topic Author
Posts: 68
Joined: Tue Feb 16, 2016 12:46 am

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Thu Jun 02, 2022 12:47 am

Really useful information, nice work! :thumbsup: :thumbsup:

Just a suggestion but maybe you should move this thread to a forum called "Useful user articles"
--

BR
Thank you Larsa. I am not joking when I say that I am new to this. I have no clue how to move this to that place in the forum. It is not very intuitive to do anything like that in this editor. Any admin reading this; you are more than welcome to move it there. I have no problem with that.
 
mozerd
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Thu Jun 02, 2022 2:25 am

@tuxtlequino …. Your Excellent presentation will help many …
 
mwa
just joined
Posts: 1
Joined: Mon Nov 01, 2021 6:57 am

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Fri Aug 12, 2022 10:14 am

Hi,

I am also trying to use dynamic VLANs with radius authorization. Instead of the integrated user manager I use a freeradius server with active directory user authentication. Everything works so far, even with the tunneling datapath, which is necessary in our setup.

But one big problem arises if the connection between Capsman and the cap gets lost. The cap interfaces which are added as tagged interfaces in all the needed VLANs are removed. Moreover, instead of the manually added cap interface, the bridge VLANs contain in my case (CCR2116) ether13 as the VLAN interface for every removed cap interface. Even after connection to the cap and correct provisioning, the cap interface is not automatically added again to the bridge VLANs and ether13 is still a tagged member of the VLANs.

To correct the problem I have to manually remove ether13 interface from all bridge VLANs and even manually add the cap interfaces to the bridge VLAN. With over 50 caps that can not be a solution.

So has anyone a real solution for this?
 
azzurro
Frequent Visitor
Frequent Visitor
Posts: 92
Joined: Mon Jan 17, 2022 2:55 am

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Tue Feb 07, 2023 11:55 am

Nice writeup, thank you! It would also be interesting to see dynamic VLANs without CAPsMAN, i.e. only with one router and its integrated WiFi capabilities. I wonder how much that would differ from this tutorial.
 
tuxtlequino
Frequent Visitor
Topic Author
Posts: 68
Joined: Tue Feb 16, 2016 12:46 am

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Thu Feb 09, 2023 9:36 pm

To correct the problem I have to manually remove ether13 interface from all bridge VLANs and even manually add the cap interfaces to the bridge VLAN. With over 50 caps that can not be a solution.

So has anyone a real solution for this?
I posted that question some time ago about this limitation, but this is a well known ROS problem. Maybe you can find the threads and ask if there are any updates.
 
tuxtlequino
Frequent Visitor
Topic Author
Posts: 68
Joined: Tue Feb 16, 2016 12:46 am

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Thu Feb 09, 2023 9:40 pm

Nice writeup, thank you! It would also be interesting to see dynamic VLANs without CAPsMAN, i.e. only with one router and its integrated WiFi capabilities. I wonder how much that would differ from this tutorial.
I don't believe that it is possible since there is no way to set the datapath dynamically without CAPsMAN (that I know of.) If you find out of a way to accomplish it, please let me know in this post.
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Sun Feb 12, 2023 12:42 am

Well setting a dynamic VLAN without CAPsMAN on a WLAN interface for clients, has always been there.

1: WLAN handles VLAN tag
- The WLAN interface can be set to use a VLAN number and tag per virtual WLAN or SSID. All traffic for that SSID will be in that specific VLAN. The bridge filter method for VLAN is NOT necessary in this case. All VLANs concerned are presented to that WLAN; that WLAN works as a VLAN capable trunk port. The WLAN driver is doing the tagging/untagging for the set VLANid.
- By using access lists, a connection can be given a different VLAN number (e.g. based on client MAC address). VLAN selection based on Access List is quite straightforward. Just make sure the access list entry is active for the duration of the session (e.g. not signal strength dependent). If the connection has no match in the access list, then the WLAN/SSID default definition is used.

2: Bridge handles VLAN tag
For a fixed VLAN id for a WLAN SSID, often the newer bridge VLAN filter method is used. The bridge will tag/untag the corresponding VLAN id. The filtered traffic is offered as untagged to the WLAN interface, and the wireless VLAN mode setting will be "no tag".
Actually in this case the WLAN interface will ignore the VLAN tags, and if there are any tags on the packets, the VLAN tags will be transmitted. So in a PtP connection VLANs are transmitted over the WLAN interface.

RADIUS defined EAP authentication, should set the VLAN defined for that user or MAC address.
The needed "Attributes" are not identified so far. The list is in User Manager, would "Mikrotik-Wireless-VLANID" work ?
This is only possible when the WLAN driver handles the VLAN tags. (case 1)
In the wifiwave2 driver, this was missing, but there seems to be a comeback, slowly.
*) wifiwave2 - added option to set per-client vlan-id in access list (only supported on 802.11ax interfaces) (CLI only);
See also: viewtopic.php?t=191008

CAPsMAN, as a 'CAPWAP' or related implementation, has its own problems and performance issues with the WLAN driver. So I'm not using, and not planning to use, CAPsMAN.
Today "local forwarding" is needed for a performing implementation, and still some tuning parameters are hidden or absent. (AMPDU aggregation, WMM working, AP bridge mode, ....)
So CAPsMAN with local forwarding is reduced to centralised management, with limited parameters, some extra, but without the full benefit of central client handling (not documented at least)
The data is local forwarding, not going to the CAPsMAN manager, so the CAP must handle the VLAN selection.

"Step by Step tutorial on Enabling Dynamic VLANs using the new User Manager on ROS7" would be of interest to some people.
 
tuxtlequino
Frequent Visitor
Topic Author
Posts: 68
Joined: Tue Feb 16, 2016 12:46 am

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Sun Feb 12, 2023 12:46 am

Well setting a dynamic VLAN without CAPsMAN on a WLAN interface for clients, has always been there.
Wow, I didn't know that. Thank you for the info.

Maybe if you are interested, you could try putting an example of doing that with this configuration. It will be super helpful.
 
tihovsky
newbie
Posts: 47
Joined: Mon Aug 13, 2012 11:11 pm

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Sat Mar 25, 2023 4:50 pm

Apologies for reopening this old thread, but it seems that still even today on 7.8 Capsman dynamic VLANs work only if I manually add all Capsman WiFi interfaces into the bridge VLAN, where I want to redirect clients using Access List by specifying VLAN mode as tagged and specifying that bridged VLAN ID.

Is there any way to have this done automatically eg. dynamically through the provisioning rule or am I missing something?
It is not a problem to add them all manually for smaller implementations, but for my example of 250 CAPs making sure that no VLAN/s are missed becomes an issue.

Thx!
 
tuxtlequino
Frequent Visitor
Topic Author
Posts: 68
Joined: Tue Feb 16, 2016 12:46 am

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Sat Mar 25, 2023 7:14 pm

I understand. It is a big issue. For your particular case a script would be the best way to setup things. For that reason it may not be the best solution to a lot of people. MikroTik seems to be geared towards the enthusiast and thinkers who want to save money.

I would start a new thread and ask how to accomplish this using a script that reads from a list of CAPs and VLANs and does the initial configuration. One to remove or add a CAP. And one to add or remove a VLAN. That is since you have that many CAPs and VLANs
 
tihovsky
newbie
Posts: 47
Joined: Mon Aug 13, 2012 11:11 pm

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Sun Mar 26, 2023 6:30 pm

Well, if I had more time I could probably write those scripts, but due to project delivery now is not the best of times :)

Wouldn't be an issue if this was documented somewhere so we don't run into such issues too late in the project but I couldn't find that info.
What I noticed that I managed to add 198 WiFi interfaces into the bridge VLANS prior to Winbox disabling button to add more.

There is another way where these can be edited in a simpler editor like manner inside of the Terminal window, but in that case Winbox will mark tagged ports in red if their number goes above 198 so likely this will not function regardless that I use CCR1036 which should be capable enough.

So to create a list of all specific WiFi interfaces provisioned by Capsman where you want to redirect clients you can use:
/caps-man/interface/print proplist=name where name~"_string_to_find_in_WiFi_interface_name_as_provisioned"

The list can be copy-pasted from the terminal (ctrl or shift + select) and later parsed in Notepad++ with ctrl+select to edit in column mode for removal of trailing items.
After that, removing CR/LF and replacing them with comma using Replace should be done.
Not sure if there is a better way to remove trailing numbers and flags in the first place, but this works.

Later this command opens up an editor, where they can be copy pasted (in addition to bridge entry and ports for trunking to the other devices):
/interface/bridge/vlan/edit [find vlan-ids=xxx] tagged

This could be a workable solution for below ~198 (or so) APs so I add if it can help someone.
Of course, if manual maintenance of these bridged tagged VLAN interfaces is an option for them.

Thx!
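The manual steps above (print the interface list, strip the index and flag columns in an editor, join the names with commas, paste into the edit buffer) are exactly what a small parser does without the copy-paste errors. As an added example that is neither tihovsky's nor MikroTik's code, the Python script below parses the text of `/caps-man/interface print` in the layout shown earlier in the thread, selects interfaces by a regular expression on the name (the same selection as the `name~"..."` filter), merges them into each bridge VLAN's existing tagged list without duplicates so it can be re-run safely, emits the `set [find vlan-ids=...] tagged=...` lines, and warns when a list grows past the roughly 198 entries Winbox was observed to stop at. The sample print output, its placeholder MAC addresses and the `cap2-guest` virtual interface are constructed, and the 198 figure is taken from this thread as an observation, not from any documented RouterOS limit.

```python
import re

# Constructed sample in the layout /caps-man/interface print uses earlier in this thread
# (MACs are placeholders; cap2-guest stands in for a virtual interface whose master is cap2).
SAMPLE_PRINT = """\
Flags: M - MASTER; B - BOUND; R - RUNNING
Columns: NAME, RADIO-MAC, MASTER-INTERFACE
#     NAME        RADIO-MAC          MASTER-INTERFACE
0 MB  cap1        77:77:77:77:77:77  none
1 MBR cap2        77:77:77:77:77:77  none
2  BR cap2-guest  77:77:77:77:77:77  cap2
3     cap3        77:77:77:77:77:77  none
"""

# Ceiling observed in this thread: Winbox stopped adding tagged entries at about 198.
# Treated here as an assumption to warn on, not as a documented RouterOS limit.
OBSERVED_TAGGED_LIMIT = 198


def parse_print(text):
    """Turn the print output into rows of {name, flags, master}.

    The flag letters are read from the "Flags:" header, so a second token made only of those
    letters is taken as the flags column; an interface literally named e.g. "MB" would be misread.
    """
    flagset, rows = set(), []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith(("Columns:", "#")):
            continue
        if s.startswith("Flags:"):
            flagset = set(re.findall(r"\b([A-Z]) -", s))
            continue
        parts = s.split()
        if not parts[0].isdigit() or len(parts) < 2:
            continue  # not a table row (e.g. a wrapped continuation line)
        if len(parts) >= 3 and set(parts[1]) <= flagset:
            flags, name, rest = parts[1], parts[2], parts[3:]
        else:
            flags, name, rest = "", parts[1], parts[2:]
        master = rest[1] if len(rest) > 1 else "none"
        rows.append({"name": name, "flags": flags, "master": master})
    return rows


def select_caps(rows, pattern):
    """Interface names matching the regex, the same selection as `print where name~"pattern"`."""
    return [r["name"] for r in rows if re.search(pattern, r["name"])]


def merge_tagged(current, caps):
    """Existing tagged list (bridge, trunks, caps added earlier) plus the caps, in order, no duplicates."""
    seen, merged = set(), []
    for port in list(current) + list(caps):
        if port not in seen:
            seen.add(port)
            merged.append(port)
    return merged


def build_commands(vlan_members, caps, limit=OBSERVED_TAGGED_LIMIT):
    """vlan_members maps vlan-id -> current tagged ports. Returns (CLI lines, warnings)."""
    cmds, warnings = ["/interface/bridge/vlan"], []
    for vid, current in sorted(vlan_members.items()):
        merged = merge_tagged(current, caps)
        if len(merged) > limit:
            warnings.append(f"vlan-ids={vid}: {len(merged)} tagged entries exceeds {limit}")
        cmds.append(f"set [find vlan-ids={vid}] tagged={','.join(merged)}")
    return cmds, warnings


if __name__ == "__main__":
    caps = select_caps(parse_print(SAMPLE_PRINT), r"^cap[0-9]+$")  # master interfaces only
    lines, warns = build_commands(
        {100: ["br-VLANs", "sfp+1", "sfp+2", "sfp+5", "cap1"],
         300: ["br-VLANs", "sfp+1", "sfp+2", "sfp+5"]}, caps)
    print("\n".join(lines + warns))
```

The current tagged membership passed to `build_commands` is whatever `/interface/bridge/vlan print` shows today, so the bridge itself and the trunk ports are preserved and a cap that is already a member is not listed twice; with a pattern that also matches virtual interfaces (for example `^cap`) the slaves are added as well.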
 
tihovsky
newbie
Posts: 47
Joined: Mon Aug 13, 2012 11:11 pm

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Sat May 13, 2023 10:00 pm

As an update, I believe the Capsman limits in the documentation should be updated with the findings below after MikroTik staff review to confirm.
All related to 7.8.

So I noticed a single CCR1036 is not enough to handle 250 dual-band APs with 4 SSIDs on each, with three of those having ~600 clients with Capsman forwarding, no certificates used.

It would take 30 min or more to have all APs provisioned after a reboot (or disconnect) of Capsman, and I realized that dynamic provisioning worked less reliably than "create enabled / disabled".
Dynamic provisioning would cause too much use and repetitive removal and deprovisioning of all APs, which after a couple of times I gave up waiting for.
The interesting thing was that CPU use never went above 3-5% and profiling didn't help much, but it became suspicious that Capsman does not use all cores.

So I added two CCR1072 to serve as additional Capsmans, which resolved the issue as the APs are now split between the three and everything works much more reliably.
Even if I move all APs to a single CCR1072 it is still able to hold all 250 of them connected, but only if I don't remove a lot of APs as a single action or disable/re-create lots of interfaces, like 10-20 or so.
Note overall traffic is not much, talking 50 Mbps or so, thus with an increase in use it might get worse.
However, presently things work more reliably and it seems that WiFi latency for the clients is also reduced as a result of the changes.

Then I noticed that Capsman adds and removes virtual interfaces in the bridge as needed, depending on whether any clients are connected to it or not.
Together with my prior findings of the max ~200 interfaces in the bridge VLAN limit, this poses another real limit for the use.
In my use case I will survive, considering the number of virtual interfaces gets spread across multiple Capsmans, but it still limits me from migrating to a real server with CHR.
Also it forces me to maintain the same config on all Capsmans, and overall it is more expensive as a solution.

So a couple of items that I conclude, for others to be aware of:
- Capsman seems to be a single-threaded application, so using faster cores would be preferred over devices with many slower cores.
- Capsman CPU usage can become a problem, where I wouldn't recommend more than 100 APs on a CCR1072, and it seems regardless of whether local or capsman forwarding is used.
- Disconnects and reboots of Capsman require at least 30 min to reconnect/reprovision all APs if > 200. No option to speed it up to my knowledge, but more Capsmans would help doing it in parallel.
- If more than 200 virtual WiFi interfaces are used simultaneously on a single Capsman with capsman forwarding, the bridge max 200 interfaces per VLAN limit will be hit.
Note, this would require a single client to be connected to each of the 200 virtual WiFi interfaces, but still it is a limit that can likely happen depending on the implementation.
Not sure what happens at that point, but I cannot assume anything good, as even Winbox prevents adding more than 200 interfaces to a single bridge VLAN.
- Re-balancing APs doesn't seem like a Capsman option, and it can be done manually with a simple script, but sometimes APs reconnect to the same Capsman from which they were disconnected.
- The option to prioritize APs between Capsmans is a configuration on the AP and not on Capsman, so to change it requires a manual change on each AP. It cannot be done by IP but can be done by the Capsman name or certificate common name.
- Grouping APs and interfaces into provisioning groups would be more handy than assigning provisioning rules by MACs, which is at best a clumsy solution.
- Based on prior mentions in the thread, SSID VLAN dynamic driving is possible, but not really an option for larger implementations.

I believe some of these would need to end up in the wiki, so there are fewer surprises for proper larger-scale implementations going forward.
Nevertheless I am happy that I could circumvent the major issues in the above-described ways, so it helps others until fixed.
 
khatsalano
just joined
Posts: 1
Joined: Wed Mar 29, 2023 4:39 pm

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Thu Oct 05, 2023 9:17 pm

Just a remark: 192.168.300.100-192.168.300.200 network is something out of this world. Please update the post/pdf, this is not a valid network address :) The ".300." part there that is.
 
tuxtlequino
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 68
Joined: Tue Feb 16, 2016 12:46 am

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Thu Oct 05, 2023 11:10 pm

Haha. I cannot believe I didn't notice and nobody else pointed it out. Thank you very much. Will change!
 
dajnou
just joined
Posts: 1
Joined: Fri Jan 26, 2024 12:37 am

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Wed Feb 21, 2024 7:06 pm

Hello guys,
I'm kinda new to MikroTik.
I'm doing a similar configuration, but I can't get access to or I can't see the attributes for the User Manager.
Is there any solution on how to fix it?

Thanks
 
holvoetn
Forum Guru
Forum Guru
Posts: 5321
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Wed Feb 21, 2024 8:59 pm

Have you installed the user-manager package on your device? It is in the extra packages zip file.
