pedkoschi
just joined
Topic Author
Posts: 5
Joined: Sat Jun 11, 2022 1:51 pm

Questions about setup of CAP/CAPsMAN

Sat Jun 18, 2022 10:31 pm

Hi all,

I want to ask a few questions that came up during my setup of CAP/CAPsMAN.

In a test environment (all devices running ROS 7.3.1), I connect 3x hAP ac routers directly to a CAPsMAN
(at the moment an old RB450G, will be exchanged for an RB5009 as soon as it is available)
ether5 from each CAP is connected to ether1,ether2,ether3 respectively to CAPsMAN.

Step #1: The default setup is very simple.
Local forwarding on the CAPs is disabled, which means that the CAPsMAN manages everything,
in particular the routing of the WLAN/HOTSPOT data to the appropriate bridge,
which is important for the assignment to the appropriate DHCP server.

In this setup I have 3 bridges:
bridgeCAP (internal CAP/CAPsMAN network 192.168.15.0/24)
bridgeWLAN (WLAN network 192.168.10.0/24)
bridgeHOTSPOT (Hotspot network 192.168.14.0/24)
In each network CAPsMAN has the IP address .1 (e.g. 192.168.15.1), CAP[n] has .1[n] (e.g. CAP1 > 192.168.15.11).


Step #2: Extending the setup so that both 'local forwarding' enabled and disabled work just by changing the parameters in the datapath config:
For CAPsMAN:
created vlan interface 'bridgeCAP-99' (VLAN 99) attached to bridgeCAP
created vlan interface 'bridgeWLAN-11' (VLAN 11) attached to bridgeWLAN
created vlan interface 'bridgeHOTSPOT-12' (VLAN 12) attached to bridgeHOTSPOT

created vlan interface ether1-VLAN99,ether1-VLAN11,ether1-VLAN12 attached to ether1
(accordingly for ether2 and ether3)

bridged all VLAN 99 ports >> bridgeCAP
bridged all VLAN 11 ports >> bridgeWLAN
bridged all VLAN 12 ports >> bridgeHOTSPOT

enabled vlan filtering for all affected bridges
configured vlan table (tagged/untagged ports for every bridge/vlan)

For CAP:
created bridge 'bridgeVLANs'
created vlan interface bridgeVLANs-VLAN99,bridgeVLANs-VLAN11,bridgeVLANs-VLAN12 attached to bridgeVLANs

created vlan interface ether5-VLAN99,ether5-VLAN11,ether5-VLAN12 attached to ether5.

bridged all vlan ports >> bridgeVLANs
moved wlan1, wlan2 interfaces to bridgeVLANs

enabled vlan filtering for bridgeVLANs
configured vlan table

Finally, in the CAPsMAN datapath config I set the following:
for WLAN: vlan mode: use tag, vlan id: 11, local forwarding: yes
for HOTSPOT: vlan mode: use tag, vlan id: 12, local forwarding: yes

Unbelievable, Step #2 works 3x faster but still at 1/3 wire speed :)

The data flow for wlan data (CAP1) is:
WLAN-data(tagged vlan id 11) > bridgeVLANs-VLAN11 > ether5-VLAN11 > ether5 > wire > ether1 > ether1-VLAN11 > bridgeWLAN-11

Now my questions are:

#1 Originally all bridges/ports were configured to admit only vlan tagged packets.
I was able to ping interface bridgeVLANs-VLAN11 (192.168.10.1) from CAPs interface ether5-VLAN11 (192.168.10.11)
but as soon as I have assigned the ip to the bridge (bridgeWLAN instead of bridgeWLAN-VLAN11) this is no longer the case.
Why? I have no explanation for that.
I need the IP assigned to the bridge, because the DHCP server doesn't work with slave interfaces.
Workaround: port bridgeWLAN-VLAN11 is now untagged and the bridge admits all traffic, which means that VLAN tags are added/removed unnecessarily for all packets that pass the bridge.
However, the ping works now regardless of whether the ip is assigned to the interface or the bridge.

#2 There is one slave interface on ether5 for each vlan.
For simplicity I thought to use only one tagged interface (let's name it ether5-VLAN99-11-12) because we can configure the VLAN table to pass all allowed VLANs.
Every VLAN that goes through that interface should end up on the corresponding interface (bridgeVLANs-VLAN99, bridgeVLANs-VLAN11, bridgeVLANs-VLAN12) like this

Data flow for WLAN:
WLAN-data(tagged vlan id 11) > bridgeVLANs-VLAN11 > ether5-VLAN99-11-12 > ether5 > wire > ether1 > ether1-VLAN11 > bridgeWLAN-11

Data flow for HOTSPOT:
HOTSPOT-data(tagged vlan id 12) > bridgeVLANs-VLAN12 > ether5-VLAN99-11-12 > ether5 > wire > ether1 > ether1-VLAN12 > bridgeWLAN-12

What am I doing wrong that this doesn't work?

#3 Not surprisingly, the CPU on the CAPsMAN is running at 100%.
Basically, we only need a way to send the WLAN data to the right bridge on CAPsMAN side (in local forwarding mode).
If I used a tunnel (e.g. EoIP), it would be sufficient to send the WLAN data through a special gateway (through the EoIP tunnel) on the CAP side
and to make the other tunnel endpoint a member of the correct bridge on the CAPsMAN side.
It would of course be necessary to check whether this is faster at all, but VLAN interfaces, VLAN filtering, VLAN table entries, all of that would be unnecessary.
Hardware offloading would be possible again. All together this would lower the CPU load.
I guess the data flow can currently only be controlled via the VLAN IDs in the datapath configuration.
May I request this feature? Is it a good or bad idea if I request this feature?

If desired, I can share the config files (I have to remove the unnecessary stuff first)

Thanks for the support (and for better ideas on the topic)
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Questions about setup of CAP/CAPsMAN

Sun Jun 19, 2022 9:42 am

On a CAP, if you permit local forwarding, all interfaces get connected to the same bridge, so to isolate them at L2, you must use VLAN tagging, which is what you do. Unless you need to do tagging/untagging on Ethernet ports, you don't have to use vlan-filtering there.

With local forwarding disabled, you can attach each CAPsMAN interface on the CAPsMAN to another bridge, but then you have to either modify the datapath to stop the VLAN tagging, or you have to use a single common bridge like on the CAPs; here again, you only need to enable vlan-filtering if you want to do tagging/untagging on ethernet ports. But if you do this, you have to create an /interface vlan for each VLAN, attached to the common bridge, and attach all the IP configuration for that VLAN to the respective /interface vlan. One of the networks can be run tagless, which means that the IP configuration for it will be attached directly to the bridge.

Now this last part behaves differently when vlan-filtering is enabled and when it is not. When it is not, a tagless frame is indeed tagless all the way through the network; when vlan-filtering is enabled, tagless frames are tagged with the pvid value at ingress to the bridge, and the default pvid value is 1. At egress, the tag is removed again if the VID of a frame matches the pvid of the egress port and this has not been overridden by other settings. But this is out of the scope of CAPsMAN.

Let this soak in and then repeat the question if still relevant. I got actually a bit lost once you've mentioned EoIP tunnels. What is the target topology? A bunch of APs with their own independent connectivity to the backbone/internet but controlled by a common CAPsMAN?
 
pedkoschi
just joined
Topic Author
Posts: 5
Joined: Sat Jun 11, 2022 1:51 pm

Re: Questions about setup of CAP/CAPsMAN

Sun Jun 19, 2022 10:34 pm

Thanks sindy for the answer,

In the case of disabled local forwarding I decided to use different bridges in the datapath config without using VLANs,
as you wrote, this is your first variant. No problem or question here.

If local forwarding is activated, basically everything works. I only saw room for two improvements there, but it didn't work.
I have uploaded a working configuration so that you can better understand what changes I want to make from there.

#1 on CAPsMAN, old config:
add admin-mac=06:59:C4:F9:FB:69 auto-mac=no name=bridgeWLAN protocol-mode=\
    none pvid=11 vlan-filtering=yes

add bridge=bridgeWLAN tagged=\
    ether1-VLAN11,ether2-VLAN11,ether3-VLAN11,bridgeWLAN-11 untagged=\
    bridgeWLAN vlan-ids=11
new config:
add admin-mac=06:59:C4:F9:FB:69 auto-mac=no frame-types=\
    admit-only-vlan-tagged name=bridgeWLAN protocol-mode=none pvid=11 \
    vlan-filtering=yes

add bridge=bridgeWLAN tagged=\
    ether1-VLAN11,ether2-VLAN11,ether3-VLAN11,bridgeWLAN-11,bridge-WLAN \
    vlan-ids=11
Result: the IP address assigned to bridge-WLAN is not accessible. I think this should work.



#2 on CAP

remove interfaces ether5-vlan11-WLAN,ether5-vlan12-HOTSPOT,ether5-vlan99

new config:
/interface vlan
add interface=ether5 name=ether5-vlan11-12-99 vlan-id=99

/interface bridge port
add bridge=bridgeVLANs ingress-filtering=no interface=ether5-vlan11-12-99 \
    pvid=99

/interface bridge vlan
add bridge=bridgeVLANs tagged=\
    ether5-vlan11-12-99,bridgeVLANs-vlan11,bridgeVLANs,wlan1,wlan2 vlan-ids=\
    11
add bridge=bridgeVLANs tagged=\
    ether5-vlan11-12-99,bridgeVLANs-vlan12,bridgeVLANs,wlan1,wlan2 vlan-ids=\
    12
add bridge=bridgeVLANs tagged=\
    ether5-vlan11-12-99,bridgeVLANs-vlan99,bridgeVLANs untagged=wlan1,wlan2 \
    vlan-ids=99
Result: only VLAN 99 will pass interface ether5-vlan11-12-99.
I'm not sure if this should work or not;
I hoped that VLAN 11, VLAN 12 and VLAN 99 would pass the interface because they are allowed in the bridge's VLAN table.


I'm sorry to confuse you with the EoIP idea.
Let me try to explain by example:

Please forget everything that concerns VLANs in this config.
Let's create one EoIP for CAP (WLAN) and another one for HOTSPOT.

on CAPsMAN:
/interface eoip
add mac-address=02:9A:60:D6:B4:1D mtu=1500 name=eoip-HOTSPOT_AP2 remote-address=\
    192.168.16.12 tunnel-id=212
add mac-address=02:9A:60:D6:B4:1D mtu=1500 name=eoip-WLAN_AP2 remote-address=\
    192.168.16.12 tunnel-id=211
put them to the corresponding bridge:
/interface bridge port
add bridge=bridgeWLAN interface=eoip-WLAN_AP2
add bridge=bridgeHOTSPOT interface=eoip-HOTSPOT_AP2
on CAP
/interface eoip
add mac-address=02:F6:39:74:A4:37 mtu=1500 name=eoip-HOTSPOT remote-address=\
    192.168.16.1 tunnel-id=212
add mac-address=02:F6:39:74:A4:37 mtu=1500 name=eoip-WLAN remote-address=\
    192.168.16.1 tunnel-id=211
/interface vlan

/interface bridge port
add bridge=SomeBridge interface=eoip-WLAN
add bridge=SomeBridge interface=eoip-HOTSPOT
add bridge=SomeBridge interface=wlan1
add bridge=SomeBridge interface=wlan2
The problem: how can I send WLAN data through the interface eoip-WLAN and HOTSPOT data through eoip-HOTSPOT without VLANs?
If that would work at all, could it be included in the datapath config so it can be managed on CAPsMAN?

Thank you
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Questions about setup of CAP/CAPsMAN

Sun Jun 19, 2022 11:46 pm

#1 on CAPsMAN, old config:
...
new config:
...
Result: the IP address assigned to bridge-WLAN is not accessible. I think this should work.
Let's stop at this one alone. You use three distinct identifiers - bridgeWLAN, bridge-WLAN, and bridgeWLAN-11 - in the "new config". Supposing bridge-WLAN (with the dash) is a typo and it should have read bridgeWLAN, it means that you have declared the router-facing port of the virtual switch to be a tagged one for VLAN 11, so you cannot attach the IP configuration directly to the bridge-facing interface of the router. Specifying pvid=11 for the bridge only makes tagless ingress frames get tagged with VID 11, and only does so if frame-types is not set to admit-only-vlan-tagged - with that setting, the pvid value is ignored. For egress, setting pvid to 11 only causes frames tagged with VID 11 to get untagged if you don't override that by placing the router-facing port of the bridge in the tagged list under /interface bridge vlan, which is what you've done.

So if you want it like this, i.e. the router-facing port of the bridge behaving as a trunk one for VLAN 11 in both directions, you have to attach an /interface vlan with vlan-id=11 to bridgeWLAN (the bridge-facing interface of the router) and attach the IP configuration to it.

For an explanation what "virtual switch", "router-facing port of a bridge" and "bridge-facing interface of a router" mean, have a look here.

#2 on CAP
new config:
...
I'm not sure if this should work or not,
i hoped that vlan11,vlan12 and vlan99 will pass the interface because it is allowed in bridge's vlan table.
Same mistake here as described above. You've put ether5-vlan11-12-99 in the tagged list for vlan-ids=99 and at the same time set pvid for ether5-vlan11-12-99 to 99 under /interface bridge port, so for VLAN 99 it behaves as a trunk for egress and as an access port for ingress because ingress-filtering is set to no.

As for why VLANs 11 and 12 do not work - I can't see anything wrong in what you've posted, these should be handled in trunk mode in both directions at ether5-vlan11-12-99. But as VLAN 99 does work, there may be some unusual configuration on whatever is connected to that port from outside, making VLAN 99 pass through in both directions.

Regarding placing wlan1 and wlan2 in the VLAN lists manually, I'm afraid it's not necessary and maybe it even breaks something. CAPsMAN creates one virtual wireless interface for each SSID and creates the appropriate configuration in /interface bridge port and /interface bridge vlan dynamically.

I'm sorry to confuse you with the EoIP idea.
Let me try to explain by example:
...
The problem: how can I send WLAN data through the interface eoip-WLAN and HOTSPOT data through eoip-HOTSPOT without VLANs?
If that would work at all, could it be included in the datapath config so it can be managed on CAPsMAN?
You cannot. If you connect both EoIP tunnels to the same bridge, and connect both wireless interfaces to it, the only way to tell the bridge to only allow traffic between eoip1 and wlan1, and between eoip2 and wlan2, would be a complex set of /interface bridge filter rules. But since the membership of wlan1 and wlan2 in the bridge is dynamically created under control of CAPsMAN, and the interfaces are created dynamically, the bridge filter rules would get broken each time the CAPsMAN configuration changed.

But most important, I still can't see the point in using two EoIP tunnels between the devices if you can use a single EoIP tunnel with VLANs (supposing that there is no L2-transparent network between the devices).
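As an added example (not taken from the thread's attachments or from MikroTik documentation), here is a minimal RouterOS 7 configuration for the design sindy describes above: one VLAN-aware bridge on each side, the Ethernet links carrying VLANs 99/11/12 as tagged trunks, one /interface vlan per VLAN attached to the bridge on the CAPsMAN, and the IP and DHCP configuration bound to those /interface vlan objects instead of to the bridge. The bridge names, VLAN IDs, addresses and pool ranges are taken from or modelled on the thread; the interface names vlan99-cap, vlan11-wlan, vlan12-hotspot, the pool names and the datapath names are assumptions. The wireless interfaces are not listed in the VLAN table by hand; CAPsMAN adds them dynamically, as sindy notes.

```routeros
# ---- CAPsMAN (RB450G in the thread), single VLAN-aware bridge ----
# Assumed names: bridge1, vlan99-cap, vlan11-wlan, vlan12-hotspot.
/interface bridge
add name=bridge1 vlan-filtering=no protocol-mode=none   ; enable filtering last, see below

# ether1..3 face the CAPs and carry tags only; ingress-filtering drops VIDs
# that are not in the VLAN table, admit-only-vlan-tagged drops untagged frames
# so nothing can slip in on the default pvid=1.
/interface bridge port
add bridge=bridge1 interface=ether1 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
add bridge=bridge1 interface=ether3 frame-types=admit-only-vlan-tagged ingress-filtering=yes

# bridge1 itself is a tagged member (the "router-facing port" in sindy's words),
# so the CPU sees tagged frames and needs an /interface vlan per VID.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3 vlan-ids=99
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3 vlan-ids=11
add bridge=bridge1 tagged=bridge1,ether1,ether2,ether3 vlan-ids=12

/interface vlan
add interface=bridge1 name=vlan99-cap     vlan-id=99
add interface=bridge1 name=vlan11-wlan    vlan-id=11
add interface=bridge1 name=vlan12-hotspot vlan-id=12

# IP config goes on the /interface vlan, never on bridge1 while bridge1 is tagged.
/ip address
add address=192.168.15.1/24 interface=vlan99-cap
add address=192.168.10.1/24 interface=vlan11-wlan
add address=192.168.14.1/24 interface=vlan12-hotspot

# DHCP binds to the /interface vlan (a normal L3 interface, not a bridge slave).
/ip pool
add name=pool-wlan    ranges=192.168.10.100-192.168.10.200    ; assumed ranges
add name=pool-hotspot ranges=192.168.14.100-192.168.14.200
/ip dhcp-server
add name=dhcp-wlan    interface=vlan11-wlan    address-pool=pool-wlan
add name=dhcp-hotspot interface=vlan12-hotspot address-pool=pool-hotspot
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.14.0/24 gateway=192.168.14.1

# CAPsMAN only listens on the CAP management VLAN; the datapaths tag client
# traffic so the CAP's bridge can sort it, as in the original poster's Step #2.
/caps-man manager
set enabled=yes certificate=auto ca-certificate=auto require-peer-certificate=yes
/caps-man manager interface
add interface=vlan99-cap forbid=no
/caps-man datapath
add name=dp-wlan    local-forwarding=yes vlan-mode=use-tag vlan-id=11
add name=dp-hotspot local-forwarding=yes vlan-mode=use-tag vlan-id=12

# Turn filtering on only after ports, VLAN table and addresses are in place,
# otherwise the management VLAN is cut off mid-change.
/interface bridge set bridge1 vlan-filtering=yes

# ---- CAP (hAP ac in the thread), one bridge, ether5 as the trunk ----
/interface bridge
add name=bridgeVLANs vlan-filtering=no protocol-mode=none
/interface bridge port
add bridge=bridgeVLANs interface=ether5 frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=bridgeVLANs tagged=bridgeVLANs,ether5 vlan-ids=99   ; CAP's own management
add bridge=bridgeVLANs tagged=ether5 vlan-ids=11               ; wlan ports added by CAPsMAN
add bridge=bridgeVLANs tagged=ether5 vlan-ids=12
/interface vlan
add interface=bridgeVLANs name=vlan99-cap vlan-id=99
/ip address
add address=192.168.15.11/24 interface=vlan99-cap            ; CAP1 per the thread
/interface wireless cap
set enabled=yes interfaces=wlan1,wlan2 bridge=bridgeVLANs \
    discovery-interfaces=vlan99-cap certificate=request lock-to-caps-man=yes
/interface bridge set bridgeVLANs vlan-filtering=yes
```

Two points worth checking after applying this: `/interface bridge vlan print` on the CAP should show the CAPsMAN-created wlan ports appearing dynamically (flag D) under VIDs 11 and 12, and `/interface bridge port print` on both devices should show no port with `ingress-filtering=no` or an untagged membership in the hotspot VLAN, since either reopens the L2 path between hotspot and WLAN clients that the VLAN split is meant to close. The certificate settings are optional hardening so a rogue device on VLAN 99 cannot pose as the CAPsMAN or as a CAP; they are not required for the VLAN behaviour discussed here.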
 
pedkoschi
just joined
Topic Author
Posts: 5
Joined: Sat Jun 11, 2022 1:51 pm

Re: Questions about setup of CAP/CAPsMAN

Sat Jul 02, 2022 2:48 am

Hi,
Sorry for the late response.
Yes, it should read bridgeWLAN.

After many tests and packet sniffing it's working now, thanks.
Uploaded my working config for CAPsMAN and CAP.
Currently it's based on using VLANs, but there is also a (disabled) EoIP tunnel as an example for VLAN-disabled networks.
(The EoIP config is working about 20% slower.)

I have also tried L2TP, but that will crash (endless reboot loop) both devices. I will report it tomorrow.

Thank you.