 
dima1002
Member Candidate
Member Candidate
Topic Author
Posts: 160
Joined: Fri Jan 26, 2018 8:40 pm

3011 - VLAN - Capsman

Fri Aug 05, 2022 1:13 pm

Is this configuration correct? I am having problems with CAPsMAN.
Should the VLANs be on the bridge?

I have a routerBOARD 3011UiA

We use the following services:
WAN1, WAN2, WAN3 = Internet
SFP1 = uplink to switch
Capsman

I'm not sure whether I should configure the VLANs on the switch chip or on the bridge.
For the QCA8337 chipset, the switch chip is the recommended place, right? But SFP1 is not part of the switch?

Does VLAN filtering have to be enabled? Or hardware offloading?
# First posted export, part 1: CAPsMAN channel/datapath/security profiles, the
# bridge, port renames, the PPPoE client and the VLAN interfaces.
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz name=2GHZ
add band=5ghz-n/ac control-channel-width=20mhz name=5GHZ
/caps-man datapath
# local-forwarding=yes: each CAP forwards client traffic itself, tagged with
# VLAN 100, so the port facing the CAP has to carry VLAN 100 tagged.
# client-to-client-forwarding=yes lets wireless clients on the same AP reach
# each other directly.
add client-to-client-forwarding=yes local-forwarding=yes name=FIRMA vlan-id=100 vlan-mode=use-tag
/interface bridge
add name=BRIDGE vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=sfp1 ] auto-negotiation=no
/interface pppoe-client
# user= looks like a placeholder; no password appears in the export.
add add-default-route=yes interface=ether3 name=WAN3 user=1111111
/interface vlan
# NOTE(review): every VLAN interface is attached to sfp1, and sfp1 is also added
# as a port of BRIDGE later in this export. With vlan-filtering=yes the usual
# RouterOS layout is interface=BRIDGE here, with sfp1 listed as a tagged member
# under /interface bridge vlan. A VLAN interface on a bridge port usually does
# not see traffic, so the per-VLAN gateways and DHCP servers would not work as
# intended - confirm on the device.
add interface=sfp1 name=VLAN_99_MGT vlan-id=99
add interface=sfp1 name=VLAN_100_FIRMA vlan-id=100
add interface=sfp1 name=VLAN_200_GAST vlan-id=200
add interface=sfp1 name=VLAN_300_DMZ vlan-id=300
add interface=sfp1 name=VLAN_400_TELEFON vlan-id=400
add interface=sfp1 name=VLAN_500_PRIVAT vlan-id=500
add interface=sfp1 name=VLAN_600_LTE vlan-id=600
add interface=sfp1 name=VLAN_700_BACKUP vlan-id=700
# NOTE(review): the name says 700 but vlan-id is 800 (VLAN_700_BACKUP already
# uses 700) - probably a naming slip; a wrong label on a VLAN is an easy way to
# put a firewall rule on the wrong segment.
add interface=sfp1 name=VLAN_700_SONSTIGES vlan-id=800
/caps-man security
# WPA2-PSK with AES-CCM on all three profiles. No passphrase is visible here;
# presumably it was hidden by the export or removed before posting - confirm
# each profile has its own passphrase so guests never share the company key.
add authentication-types=wpa2-psk encryption=aes-ccm name=bridge_FIRMA
add authentication-types=wpa2-psk encryption=aes-ccm name=bridge_GAST
add authentication-types=wpa2-psk encryption=aes-ccm name=bridge_PRIVAT
# First posted export, part 2: the WAN interface list, address pools and one
# DHCP server per VLAN interface.
/interface list
# Only a WAN list is defined; it is the natural selector for input/forward
# firewall rules, but no such rules appear anywhere in this export.
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_FIRMA ranges=10.10.252.50-10.10.252.150
add name=dhcp_pool_GAST ranges=192.168.181.50-192.168.181.150
add name=dhcp_pool_PRIVAT ranges=192.168.152.50-192.168.152.150
add name=dhcp_pool_DMZ ranges=10.16.252.245-10.16.252.253
add name=dhcp_pool_BACKUP ranges=10.11.252.245-10.11.252.253
add name=dhcp_pool_MGT ranges=10.99.178.2-10.99.178.254
/ip dhcp-server
# Each server is bound to a VLAN interface that sits on sfp1; VLANs 400, 600
# and 800 get no pool or server in this export.
add address-pool=dhcp_pool_FIRMA interface=VLAN_100_FIRMA name=dhcp_FIRMA
add address-pool=dhcp_pool_GAST interface=VLAN_200_GAST name=dhcp_GAST
add address-pool=dhcp_pool_PRIVAT interface=VLAN_500_PRIVAT name=dhcp_PRIVAT
add address-pool=dhcp_pool_DMZ interface=VLAN_300_DMZ name=dhcp_DMZ
add address-pool=dhcp_pool_BACKUP interface=VLAN_700_BACKUP name=dhcp_BACKUP
add address-pool=dhcp_pool_MGT interface=VLAN_99_MGT name=dhcp_MGT
# First posted export, part 3: CAPsMAN access list, configuration, manager and
# provisioning, followed by bridge ports, the bridge VLAN table and WAN list
# membership.
/caps-man access-list
# Both signal-strength rules carry disabled=yes, so neither is in effect.
add action=reject allow-signal-out-of-range=10s disabled=yes interface=all signal-range=-115..-76 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=yes interface=all signal-range=-75..115 ssid-regexp=""
/caps-man configuration
# NOTE(review): channel=*3 is not one of the channel names defined above (2GHZ,
# 5GHZ); it looks like a reference to an item that no longer exists - confirm
# and point it at a real channel profile.
add channel=*3 datapath=FIRMA mode=ap name=TEST_CONFIG security=bridge_FIRMA ssid=TEST
/caps-man manager
# Certificates are auto-generated, but require-peer-certificate is not set in
# this export, so CAPs are presumably accepted without a certificate check.
# No /caps-man manager interface restriction is shown either; together with the
# missing firewall filter this may leave the manager reachable from the WAN
# ports - TODO confirm and restrict to the management VLAN.
set ca-certificate=auto certificate=auto enabled=yes package-path=/ upgrade-policy=require-same-version
/caps-man provisioning
# No radio-mac or identity match is given, so any CAP that connects with a
# g/n-capable radio is provisioned with TEST_CONFIG.
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=TEST_CONFIG name-format=prefix-identity
/interface bridge port
# No pvid or frame-types are set on any port, so they stay at their defaults
# (presumably pvid=1 and all frame types admitted).
add bridge=BRIDGE interface=ether4
add bridge=BRIDGE interface=ether5
add bridge=BRIDGE interface=ether6
add bridge=BRIDGE interface=ether7
add bridge=BRIDGE interface=ether8
add bridge=BRIDGE interface=ether9
add bridge=BRIDGE interface=sfp1
/interface bridge vlan
# NOTE(review): VLAN 100 is the only entry and it lists no tagged or untagged
# members; with vlan-filtering=yes the other VLAN IDs used in this export are
# not in the bridge VLAN table at all.
add bridge=BRIDGE vlan-ids=100
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=WAN3 list=WAN
# First posted export, part 4: gateway addresses per VLAN, WAN DHCP clients,
# DHCP network options, the DNS resolver setting and the "local" address list.
/ip address
add address=10.10.252.254/24 interface=VLAN_100_FIRMA network=10.10.252.0
add address=192.168.181.254/24 interface=VLAN_200_GAST network=192.168.181.0
add address=192.168.152.254/24 interface=VLAN_500_PRIVAT network=192.168.152.0
add address=10.16.252.254/24 interface=VLAN_300_DMZ network=10.16.252.0
add address=10.11.252.254/24 interface=VLAN_700_BACKUP network=10.11.252.0
add address=10.99.178.1/24 interface=VLAN_99_MGT network=10.99.178.0
/ip dhcp-client
add interface=WAN1
add interface=WAN2
/ip dhcp-server network
# Every segment, guest and DMZ included, is handed the router itself as DNS
# server and gateway.
add address=10.10.252.0/24 dns-server=10.10.252.254 gateway=10.10.252.254
add address=10.11.252.0/24 dns-server=10.11.252.254 gateway=10.11.252.254
add address=10.16.252.0/24 dns-server=10.16.252.254 gateway=10.16.252.254
add address=10.99.178.0/24 dns-server=10.99.178.1 gateway=10.99.178.1
add address=192.168.152.0/24 dns-server=192.168.152.254 gateway=192.168.152.254
add address=192.168.181.0/24 dns-server=192.168.181.254 gateway=192.168.181.254
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS for any
# host that can reach it. No /ip firewall filter section appears in this
# export, so unless rules exist that were left out, the resolver is also
# reachable on WAN1-WAN3 (open resolver). An input-chain drop for traffic
# arriving on the WAN interface list is the usual mitigation.
set allow-remote-requests=yes
/ip firewall address-list
# The "local" list is defined, but nothing in this export references it; the
# same missing filter rules also mean nothing restricts routing between the
# guest, DMZ, management and company subnets.
add address=192.168.254.0/24 list=local
add address=10.16.0.0/16 list=local
# NOTE(review): entry without an address= value - confirm what it was meant to hold.
add list=local
add address=10.10.252.0/24 list=local
add address=192.168.181.0/24 list=local
add address=192.168.152.0/24 list=local
add address=10.16.252.0/24 list=local
add address=10.11.252.0/24 list=local
add address=10.99.178.0/24 list=local
# First posted export, part 5: management services, SSH, time, logging,
# update channel, graphing access and RoMON.
/ip service
# telnet, ftp, www and api are switched off. winbox and api-ssl are not listed,
# so they presumably stay at their defaults. None of the remaining services has
# an address= restriction, and no firewall filter is shown, so SSH on port 22
# is likely reachable from every interface including WAN - TODO confirm and
# limit management to the MGT subnet.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=22
set api disabled=yes
/ip ssh
# 4096-bit host key; strong-crypto is not set in this export.
set host-key-size=4096
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=TEST
/system logging
add action=auth topics=account
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system package update
set channel=long-term
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
/tool bandwidth-server
# Bandwidth-test server disabled, which removes one listening service.
set enabled=no
/tool graphing interface
# Graph access is limited to two ranges; neither is a subnet configured on an
# interface in this export.
add allow-address=192.168.254.0/24
add allow-address=10.16.0.0/16
/tool graphing queue
add allow-address=192.168.254.0/24
add allow-address=10.16.0.0/16
/tool graphing resource
add allow-address=192.168.254.0/24
add allow-address=10.16.0.0/16
/tool romon
# NOTE(review): RoMON is enabled and no secret or /tool romon port restriction
# is visible in the export. RoMON gives layer-2 management access between
# neighbouring devices, so it should carry a secret and be forbidden on WAN and
# guest-facing ports - confirm.
set enabled=yes
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: 3011 - VLAN - Capsman

Fri Aug 05, 2022 11:16 pm

 
dima1002
Member Candidate
Member Candidate
Topic Author
Posts: 160
Joined: Fri Jan 26, 2018 8:40 pm

Re: 3011 - VLAN - Capsman

Sat Aug 20, 2022 6:01 pm

Is it OK like this?
# Second posted export, part 1: channel lists, the VLAN-filtering bridge, port
# renames, VLAN interfaces and the CAPsMAN datapath/security profiles.
/caps-man channel
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=XX \
    frequency=5180,5200,5220,5240,5745,5765,5785,5805,5825 name=5Ghz-Channels \
    skip-dfs-channels=yes
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412,2437,2462 name=2.4Ghz-Channels
/interface bridge
add name=BRIDGE protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether10 ] name=WAN3_LTE
set [ find default-name=ether4 ] name=WAN4
set [ find default-name=sfp1 ] auto-negotiation=no
/interface vlan
# NOTE(review): the VLAN interfaces are still attached to sfp1, while sfp1 is a
# tagged-only port of BRIDGE and BRIDGE itself is listed as a tagged member of
# every VLAN later in this export. The usual layout with vlan-filtering=yes is
# interface=BRIDGE for these entries; on a bridge port they usually do not see
# traffic, so the per-VLAN gateways would not work as intended - confirm.
add comment=MGT interface=sfp1 name=VLAN_99 vlan-id=99
add interface=sfp1 name=VLAN_100 vlan-id=100
add interface=sfp1 name=VLAN_200 vlan-id=200
add comment=DMZ interface=sfp1 name=VLAN_300 vlan-id=300
add comment=HOTSPOT interface=sfp1 name=VLAN_400 vlan-id=400
add interface=sfp1 name=VLAN_500 vlan-id=500
add interface=sfp1 name=VLAN_600 vlan-id=600
add interface=sfp1 name=VLAN_700 vlan-id=700
add interface=sfp1 name=VLAN_800 vlan-id=800
add interface=sfp1 name=VLAN_900 vlan-id=900
add interface=sfp1 name=VLAN_1000 vlan-id=1000
/caps-man datapath
# local-forwarding=no: client traffic is tunnelled to the manager and placed
# into BRIDGE with the given VLAN tag.
# client-to-client-forwarding=no on GAST and HOTSPOT keeps wireless clients of
# those SSIDs from talking to each other; FIRMA and PRIVAT allow it.
add bridge=BRIDGE client-to-client-forwarding=yes local-forwarding=no name=\
    FIRMA vlan-id=100 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=no local-forwarding=no name=\
    GAST vlan-id=200 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=no local-forwarding=no name=\
    HOTSPOT vlan-id=400 vlan-mode=use-tag
add bridge=BRIDGE client-to-client-forwarding=yes local-forwarding=no name=\
    PRIVAT vlan-id=500 vlan-mode=use-tag
/caps-man security
# WPA2-PSK with AES-CCM on all four profiles. No passphrase is visible;
# presumably hidden by the export or removed before posting - confirm each
# profile has a distinct passphrase.
add authentication-types=wpa2-psk encryption=aes-ccm name=FIRMA
add authentication-types=wpa2-psk encryption=aes-ccm name=GAST
add authentication-types=wpa2-psk encryption=aes-ccm name=HOTSPOT
add authentication-types=wpa2-psk encryption=aes-ccm name=PRIVAT
# Second posted export, part 2: one CAPsMAN configuration per SSID and band,
# each tying a channel list, datapath (VLAN) and security profile together.
/caps-man configuration
# NOTE(review): the names look swapped relative to the channel lists - the
# V0x2GHZ entries use 5Ghz-Channels and the V0x5GHZ entries use
# 2.4Ghz-Channels. The provisioning rules in this export select by these
# names, so confirm each radio type ends up with the band it supports.
add channel=5Ghz-Channels country=germany datapath=FIRMA mode=ap name=V012GHZ \
    security=FIRMA ssid=WLAN_FIRMA_SSID
add channel=2.4Ghz-Channels country=germany datapath=FIRMA mode=ap name=\
    V015GHZ security=FIRMA ssid=WLAN_FIRMA_SSID
add channel=5Ghz-Channels country=germany datapath=GAST mode=ap name=V022GHZ \
    security=GAST ssid=WLAN_GAST_SSID
add channel=2.4Ghz-Channels country=germany datapath=GAST mode=ap name=\
    V025GHZ security=GAST ssid=WLAN_GAST_SSID
add channel=5Ghz-Channels country=germany datapath=HOTSPOT mode=ap name=\
    V042GHZ security=HOTSPOT ssid=WLAN_HOTSPOT_SSID
add channel=2.4Ghz-Channels country=germany datapath=HOTSPOT mode=ap name=\
    V045GHZ security=HOTSPOT ssid=WLAN_HOTSPOT_SSID
add channel=5Ghz-Channels country=germany datapath=PRIVAT mode=ap name=\
    V052GHZ security=PRIVAT ssid=WLAN_PRIVAT_SSID
add channel=2.4Ghz-Channels country=germany datapath=PRIVAT mode=ap name=\
    V055GHZ security=PRIVAT ssid=WLAN_PRIVAT_SSID
# Second posted export, part 3: interface lists, address pools, per-VLAN DHCP
# servers, the serial port and two custom user groups.
/interface list
# VLAN, LAN and WAN lists exist; LAN receives no members in this export, and no
# firewall rule that uses any of the lists is shown.
add name=VLAN
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=MGT ranges=10.99.1.5-10.99.1.253
add name=FIRMA ranges=192.168.113.10-192.168.113.250
add name=GAST ranges=10.178.1.10-10.178.1.100
add name=DMZ ranges=10.178.2.10-10.178.2.20
add name=HOTSPOT ranges=10.178.3.10-10.178.3.100
add name=PRIVAT ranges=192.168.114.10-192.168.114.100
add name=LTE ranges=10.178.4.10-10.178.4.20
add name=BACKUP01 ranges=10.178.5.5-10.178.5.10
add name=BACKUP02 ranges=10.178.6.10-10.178.6.20
add name=TELEFON ranges=10.178.7.10-10.178.7.100
add name=IOT ranges=10.178.8.10-10.178.8.20
/ip dhcp-server
# A DHCP server also runs on the management VLAN (VLAN_99), so any port or
# SSID that reaches VLAN 99 obtains a management-network address.
add address-pool=MGT interface=VLAN_99 name=MGT
add address-pool=FIRMA interface=VLAN_100 name=FIRMA
add address-pool=GAST interface=VLAN_200 name=GAST
add address-pool=DMZ interface=VLAN_300 name=DMZ
add address-pool=HOTSPOT interface=VLAN_400 name=HOTSPOT
add address-pool=PRIVAT interface=VLAN_500 name=PRIVAT
add address-pool=LTE interface=VLAN_600 name=LTE
add address-pool=BACKUP01 interface=VLAN_700 name=BACKUP01
add address-pool=BACKUP02 interface=VLAN_800 name=BACKUP02
add address-pool=TELEFON interface=VLAN_900 name=TELEFON
add address-pool=IOT interface=VLAN_1000 name=IOT
/port
set 0 name=serial0
/user group
# "sys" is granted every policy listed, including policy, sensitive, sniff and
# romon, i.e. full administrative rights; with RADIUS login in use, whichever
# group the RADIUS server assigns decides who gets this level of access.
add name=sys policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox\
    ,password,web,sniff,sensitive,api,romon,dude,rest-api"
# "dude" is restricted to the dude policy only; everything else is negated.
add name=dude policy="dude,!local,!telnet,!ssh,!ftp,!reboot,!read,!write,!poli\
    cy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api"
# Second posted export, part 4: CAPsMAN access list and provisioning, then the
# bridge ports and the bridge VLAN table.
/caps-man access-list
# Clients weaker than -76 dBm are rejected; everything from -75 dBm up is accepted.
add action=reject allow-signal-out-of-range=10s disabled=no interface=all \
    signal-range=-115..-76 ssid-regexp=""
add action=accept interface=all signal-range=-75..115
/caps-man provisioning
# NOTE(review): no /caps-man manager section appears in this export; if the
# export is complete, the manager is at its defaults - confirm it is enabled,
# and consider require-peer-certificate so only known CAPs are provisioned
# (these rules match any radio, no radio-mac or identity filter is set).
# NOTE(review): hw-supported-modes=gn (2.4 GHz radios) is mapped to V012GHZ,
# which uses 5Ghz-Channels, and hw-supported-modes=an to V015GHZ, which uses
# 2.4Ghz-Channels - this looks inverted; confirm.
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    V012GHZ name-format=prefix-identity slave-configurations=\
    V022GHZ,V042GHZ,V052GHZ
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    V015GHZ name-format=prefix-identity slave-configurations=\
    V025GHZ,V045GHZ,V055GHZ
/interface bridge port
# admit-only-vlan-tagged drops untagged frames on ingress for every bridge
# port, so a device plugged into ether5-ether9 without VLAN tagging gets no access.
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether5
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether6
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether7
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether8
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=ether9
add bridge=BRIDGE frame-types=admit-only-vlan-tagged interface=sfp1
/interface bridge vlan
# NOTE(review): every VLAN, including management (99), guest (200) and DMZ
# (300), is tagged on every port. Any device on ether5-ether9 that sends tagged
# frames can join any segment; limiting each port's tagged list to the VLANs
# it actually needs keeps the management VLAN off ports that do not require it.
add bridge=BRIDGE tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 \
    vlan-ids=99
add bridge=BRIDGE tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 \
    vlan-ids=100
add bridge=BRIDGE tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 \
    vlan-ids=200
add bridge=BRIDGE tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 \
    vlan-ids=300
add bridge=BRIDGE tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 \
    vlan-ids=400
add bridge=BRIDGE tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 \
    vlan-ids=500
add bridge=BRIDGE tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 \
    vlan-ids=600
add bridge=BRIDGE tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 \
    vlan-ids=700
add bridge=BRIDGE tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 \
    vlan-ids=800
add bridge=BRIDGE tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 \
    vlan-ids=900
add bridge=BRIDGE tagged=BRIDGE,ether5,ether6,ether7,ether8,ether9,sfp1 \
    vlan-ids=1000
# Second posted export, part 5: interface list membership, gateway addresses
# per VLAN, WAN DHCP clients and DHCP network options.
/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN
add interface=WAN3_LTE list=WAN
add interface=WAN4 list=WAN
# All VLAN interfaces share one list, so a rule written against list=VLAN
# treats management, guest, DMZ and company traffic alike.
add interface=VLAN_99 list=VLAN
add interface=VLAN_100 list=VLAN
add interface=VLAN_200 list=VLAN
add interface=VLAN_300 list=VLAN
add interface=VLAN_400 list=VLAN
add interface=VLAN_500 list=VLAN
add interface=VLAN_600 list=VLAN
add interface=VLAN_700 list=VLAN
add interface=VLAN_800 list=VLAN
add interface=VLAN_900 list=VLAN
add interface=VLAN_1000 list=VLAN
/ip address
add address=10.99.1.254/24 interface=VLAN_99 network=10.99.1.0
add address=192.168.113.254/24 interface=VLAN_100 network=192.168.113.0
add address=10.178.1.254/24 interface=VLAN_200 network=10.178.1.0
add address=10.178.2.254/24 interface=VLAN_300 network=10.178.2.0
add address=10.178.3.254/24 interface=VLAN_400 network=10.178.3.0
add address=192.168.114.254/24 interface=VLAN_500 network=192.168.114.0
add address=10.178.4.254/24 interface=VLAN_600 network=10.178.4.0
add address=10.178.5.254/24 interface=VLAN_700 network=10.178.5.0
add address=10.178.6.254/24 interface=VLAN_800 network=10.178.6.0
add address=10.178.7.254/24 interface=VLAN_900 network=10.178.7.0
add address=10.178.8.254/24 interface=VLAN_1000 network=10.178.8.0
/ip dhcp-client
add interface=WAN1
add interface=WAN2
# NOTE(review): no interface named WAN3 is defined in this export (ether10 was
# renamed WAN3_LTE), and WAN3_LTE / WAN4 have no DHCP client - confirm.
add interface=WAN3
/ip dhcp-server network
# Every segment is handed the router itself as DNS server and gateway.
add address=10.99.1.0/24 dns-server=10.99.1.254 gateway=10.99.1.254
add address=10.178.1.0/24 dns-server=10.178.1.254 gateway=10.178.1.254
add address=10.178.2.0/24 dns-server=10.178.2.254 gateway=10.178.2.254
add address=10.178.3.0/24 dns-server=10.178.3.254 gateway=10.178.3.254
add address=10.178.4.0/24 dns-server=10.178.4.254 gateway=10.178.4.254
add address=10.178.5.0/24 dns-server=10.178.5.254 gateway=10.178.5.254
add address=10.178.6.0/24 dns-server=10.178.6.254 gateway=10.178.6.254
add address=10.178.7.0/24 dns-server=10.178.7.254 gateway=10.178.7.254
add address=10.178.8.0/24 dns-server=10.178.8.254 gateway=10.178.8.254
add address=192.168.113.0/24 dns-server=192.168.113.254 gateway=\
    192.168.113.254
add address=192.168.114.0/24 dns-server=192.168.114.254 gateway=\
    192.168.114.254
# Second posted export, part 6: DNS resolver, the "local" address list, SSH,
# LCD PIN, RADIUS login, time, RoMON and password policy.
/ip dns
# NOTE(review): allow-remote-requests=yes with no /ip firewall filter (or nat)
# section anywhere in this export. Unless rules exist that were left out, the
# resolver and all management services answer on the WAN ports as well, and
# nothing restricts routing between guest, hotspot, DMZ and management subnets.
set allow-remote-requests=yes
/ip firewall address-list
# The list is populated but not referenced by any rule shown in this export.
add address=10.99.1.0/24 list=local
add address=192.168.113.0/24 list=local
add address=10.178.1.0/24 list=local
add address=10.178.2.0/24 list=local
add address=10.178.3.0/24 list=local
add address=192.168.114.0/24 list=local
add address=10.178.4.0/24 list=local
add address=10.178.5.0/24 list=local
add address=10.178.6.0/24 list=local
add address=10.178.7.0/24 list=local
add address=10.178.8.0/24 list=local
# NOTE(review): entry without an address= value - confirm what it was meant to hold.
add list=local
/ip ssh
# strong-crypto=yes and a 4096-bit host key harden SSH. forwarding-enabled=both
# additionally allows SSH port forwarding through the router, which lets any
# account that can log in tunnel into the internal VLANs - keep it only if needed.
# NOTE(review): unlike the first export, no /ip service section is present, so
# telnet, ftp, www and api are presumably back at their defaults - confirm.
set forwarding-enabled=both host-key-size=4096 strong-crypto=yes
/lcd pin
# The LCD PIN below was published with this post; treat it as disclosed and set
# a new one on the device.
set pin-number=1761
/radius
# Login authentication is sent to this server. No secret is visible (hidden by
# the export or removed before posting), and the address is outside every
# subnet configured in this export - confirm the path to it is trusted.
add address=10.99.254.1 service=login
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=NAME
/system ntp client
set enabled=yes
/system ntp client servers
add address=1.de.pool.ntp.org
add address=2.de.pool.ntp.org
add address=3.de.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes silent-boot=yes
/system watchdog
set automatic-supout=no ping-start-after-boot=1w watchdog-timer=no
/tool romon
# NOTE(review): RoMON is enabled with no secret or /tool romon port restriction
# visible; it should carry a secret and be forbidden on WAN and guest-facing
# ports - confirm.
set enabled=yes
/user aaa
# Router logins are checked against RADIUS, with interim updates every 5 minutes.
set interim-update=5m use-radius=yes
/user settings
# Local password policy: at least 8 characters from at least 3 character categories.
set minimum-categories=3 minimum-password-length=8
 
erlinden
Forum Guru
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: 3011 - VLAN - Capsman

Sat Aug 20, 2022 6:18 pm

Have you already found this topic:
viewtopic.php?t=143620

In my opinion the best reference for VLAN on MikroTik.
 
dima1002
Member Candidate
Member Candidate
Topic Author
Posts: 160
Joined: Fri Jan 26, 2018 8:40 pm

Re: 3011 - VLAN - Capsman

Sat Aug 20, 2022 6:53 pm

Yes, I had seen that. I followed it afterwards, didn't I?
