prezesihno
just joined
Topic Author
Posts: 3
Joined: Sun Jun 05, 2022 1:26 pm

Capsman as dhcp relay

Sun Jun 05, 2022 1:54 pm

Hi,

I have some problems correctly configuring my quite simple network.
I would like to use a MikroTik RB3011 as a DHCP server and CAPsMAN and, more importantly, I have a different device as the gateway (a UTM firewall).

Is it possible to have CAPsMAN not act as the gateway to the Internet? The configuration without the UTM worked very well, but currently I have problems with WiFi users.

I have attached diagram of network.
mikrotik_utm.jpg
Brief description:
- network without VLANs
- UTM has a few addresses on one interface (something like router on a stick)
- UTM routes (or not) between subnets
- DHCP relay is set to Mikrotik
- Mikrotik is a DHCP Server for all subnets
- Mikrotik controls wifi networks with capsman and caps connected via LAN

Current status:
- wired network is working well
- capsman is configured, caps are connected, remote caps are running, wifi networks are running

Main problem is:
Wifi users are connected, getting correct network settings from DHCP Server but they cannot connect to gateway. They can only ping/connect to dhcp server.
It looks like Mikrotik cannot route packets from capsman to gateway.
I can ping from mikrotik 10.0.0.1, but I cannot ping 10.0.1.1 and 10.0.2.1


Mikrotik is set in bridge mode. Is that correct?

I tried to set "local forwarding", but it caused every user to get an IP address from the wired network.

What could be the reasons for this kind of behaviour?

Thank you in advance
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: Capsman as dhcp relay

Mon Jun 06, 2022 5:41 am

Caps forwarding should be off and you should be using VLANs.
 
prezesihno
just joined
Topic Author
Posts: 3
Joined: Sun Jun 05, 2022 1:26 pm

Re: Capsman as dhcp relay

Mon Jun 06, 2022 10:08 am

Thanks for the reply.

But are there any other options?

A few switches are unmanaged and there are some risks with using VLANs.
 
Ca6ko
Member
Posts: 499
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Capsman as dhcp relay

Mon Jun 06, 2022 11:10 am

First, show the settings of the RB3011
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: Capsman as dhcp relay

Mon Jun 06, 2022 12:26 pm

> Thanks for the reply.
>
> But are there any other options?
>
> A few switches are unmanaged and there are some risks with using VLANs.

The only thing that needs tags is the wireless.

If the wired network is 1.
And the wireless and guest are 10 and 20...

It would work.
 
prezesihno
just joined
Topic Author
Posts: 3
Joined: Sun Jun 05, 2022 1:26 pm

Re: Capsman as dhcp relay

Sun Jun 12, 2022 10:16 pm

OK, I tried as much as I could. I read so many tutorials, but after a few days I still cannot get it to work :(

I have now built as simple a test environment as possible.
schema_network.jpg
Currently:
- wired VLANs seem to work (I'm not sure if the configuration is fully correct; it doesn't look good, but it works)
- capsman is working, cap gets ip from VLAN55 and client can connect to wireless network but without getting IP address

Both "routers" are RB750Gr3.

Configs:
R1
/interface bridge
add name=ETH2-vlan-trunk
add name=bridge1 pvid=20 vlan-filtering=yes
add name=eth5-vlan20
/interface vlan
add interface=ether2 name=vlan10 vlan-id=10
add interface=ether2 name=vlan20 vlan-id=20
add interface=ether2 name=vlan30 vlan-id=30
add interface=ether2 name=vlan55-wifi vlan-id=55
add interface=ether2 name=vlan155-wifi_guest vlan-id=155
/caps-man datapath
add bridge=bridge1 local-forwarding=yes name=wifi vlan-id=55 vlan-mode=\
    use-tag
add bridge=ETH2-vlan-trunk local-forwarding=yes name=wifi_guest vlan-id=155 \
    vlan-mode=use-tag
/caps-man configuration
add channel.frequency=2412 datapath=wifi installation=indoor \
    mode=ap name=wifi rates.basic=\
    5.5Mbps,11Mbps,6Mbps,9Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
    security.authentication-types=wpa2-psk security.passphrase=123456789 \
    ssid=test_wifi tx-chains=0,1,2,3
add channel.frequency=2412 datapath=wifi_guest installation=\
    indoor mode=ap name=guest rates.basic=\
    5.5Mbps,11Mbps,6Mbps,9Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
    security.authentication-types=wpa2-psk security.passphrase=987654321 \
    ssid=test_wifi_guest tx-chains=0,1,2,3
/caps-man security
add encryption=aes-ccm name=wifi passphrase=12345678
add encryption=aes-ccm name=wifi_guest passphrase=87654321
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.55.2-192.168.55.254
add name=dhcp_pool3 ranges=192.168.155.2-192.168.155.254
add name=dhcp_pool4 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=vlan10 name=dhcp-vlan10
add address-pool=dhcp_pool1 disabled=no interface=vlan20 name=dhcp-vlan20
add address-pool=dhcp_pool2 disabled=no interface=vlan55-wifi name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=vlan155-wifi_goscie name=\
    dhcp3
add address-pool=dhcp_pool4 disabled=no interface=bridge1 name=dhcp4
/caps-man access-list
add allow-signal-out-of-range=10s disabled=no ssid-regexp="" vlan-id=55 \
    vlan-mode=use-tag
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled identity-regexp=AP_CAP \
    master-configuration=wifi slave-configurations=guest
/interface bridge port
add bridge=bridge1 interface=ether4 pvid=20
add bridge=ETH2-vlan-trunk interface=ether2
add bridge=eth5-vlan20 interface=ether5
/interface bridge settings
set use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=ETH2-vlan-trunk tagged=ETH2-vlan-trunk,vlan10,vlan20 vlan-ids=\
    10,20,55,155
add bridge=eth5-vlan20 untagged=ether5,eth5-vlan20 vlan-ids=20
/ip address
add address=192.168.10.1/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.1/24 interface=vlan20 network=192.168.20.0
add address=192.168.55.1/24 interface=vlan55-wifi network=192.168.55.0
add address=192.168.155.1/24 interface=vlan155-wifi_goscie network=\
    192.168.155.0
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.55.0/24 gateway=192.168.55.1
add address=192.168.88.0/24 gateway=192.168.88.1
add address=192.168.155.0/24 gateway=192.168.155.1
/ip firewall filter
add action=drop chain=forward dst-address=192.168.20.0/24 src-address=\
    192.168.10.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.10.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.155.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.20.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.55.0/24 to-addresses=0.0.0.0
/system identity
set name=R1-ROUTER
R2
/interface bridge
add name=bridge-vlan10
add name=bridge-vlan20
add name=bridge-vlan55
add name=bridge-vlan155
/interface vlan
add interface=ether2 name=vlan10 vlan-id=10
add interface=ether2 name=vlan20 vlan-id=20
add interface=ether2 name=vlan55 vlan-id=55
add interface=ether2 name=vlan155 vlan-id=155

/interface bridge port
add bridge=bridge-vlan10 interface=ether3
add bridge=bridge-vlan10 interface=vlan10
add bridge=bridge-vlan20 interface=ether4
add bridge=bridge-vlan20 interface=vlan20
add bridge=bridge-vlan55 interface=vlan55
add bridge=bridge-vlan155 interface=vlan155
add bridge=bridge-vlan55 interface=ether5
/interface bridge vlan
add bridge=bridge-vlan55 tagged=vlan10,vlan20 untagged=vlan55,vlan155 \
vlan-ids=55
/ip address
add address=192.168.10.2/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.2/24 interface=vlan20 network=192.168.20.0
/system identity
set name="R2 - vlan access"
AP_CAP
/interface vlan
add interface=ether1 name=vlan55 vlan-id=55
add interface=ether1 name=vlan155 vlan-id=155
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/interface bridge port
add bridge=bridge-vlan55 interface=wlan1
add bridge=bridge-vlan55 interface=vlan55 pvid=55
add bridge=bridge-vlan155 interface=vlan155 pvid=155
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=wlan1 list=LAN
add interface=wlan2 list=LAN
/interface wireless cap
# 
set caps-man-addresses=192.168.55.1 enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add disabled=no interface=bridge1
add disabled=no interface=ether1
/ip firewall filter
add action=accept chain=forward log=yes
/system identity
set name=AP_CAP
/system logging
add topics=firewall
Thank you in advance for your help.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Capsman as dhcp relay

Sun Jun 12, 2022 10:50 pm

> - wired VLANs seem to work (I'm not sure if the configuration is fully correct; it doesn't look good, but it works)

The VLAN setup is a mess and it wouldn't surprise me if fixing it would allow everything to work properly.

How to configure VLANs properly: read this great tutorial.
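
An added example, not part of any post in this thread: a small Python check that reads RouterOS export text and lists `interface=` and `bridge=` references to names that no `/interface bridge` or `/interface vlan` line defines. The samples are constructed excerpts of the R1 and AP_CAP exports as posted; the function names and the rule that `etherN`, `wlanN` and `sfpN` ports always exist are assumptions of this example.

```python
import re
import shlex
# Constructed samples: lines excerpted from the R1 and AP_CAP exports posted above.
R1 = r"""
/interface bridge
add name=bridge1 pvid=20 vlan-filtering=yes
/interface vlan
add interface=ether2 name=vlan155-wifi_guest vlan-id=155
/ip dhcp-server
add address-pool=dhcp_pool3 disabled=no interface=vlan155-wifi_goscie name=\
    dhcp3
/interface bridge port
add bridge=bridge1 interface=ether4 pvid=20
"""
AP_CAP = r"""
/interface vlan
add interface=ether1 name=vlan55 vlan-id=55
/interface bridge port
add bridge=bridge-vlan55 interface=wlan1
add bridge=bridge-vlan55 interface=vlan55 pvid=55
/ip dhcp-client
add disabled=no interface=bridge1
"""

PHYSICAL = re.compile(r"^(ether|wlan|sfp)\d+$")      # assumption: these always exist
DEFINING = {"/interface bridge", "/interface vlan"}  # name= here creates an interface

def parse(export):
    """Yield (section, {key: value}) per add/set line, joining backslash continuations."""
    section = None
    for line in re.sub(r"\\\n\s*", "", export).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith(("add ", "set ")):
            words = shlex.split(line)[1:]
            yield section, dict(w.split("=", 1) for w in words if "=" in w)

def dangling_refs(export):
    """Return sorted (section, key, value) for references to undefined interfaces."""
    items = list(parse(export))
    defined = {kv["name"] for sec, kv in items if sec in DEFINING and "name" in kv}
    bad = set()
    for sec, kv in items:
        for key in ("interface", "bridge"):
            val = kv.get(key)
            if val and val not in defined and not PHYSICAL.match(val):
                bad.add((sec, key, val))
    return sorted(bad)
```

On these excerpts `dangling_refs` reports `vlan155-wifi_goscie` for R1, where the VLAN interface is defined as `vlan155-wifi_guest`, and `bridge-vlan55` and `bridge1` for AP_CAP, which have no `/interface bridge` entry in the text as posted.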
