openair030
just joined
Topic Author
Posts: 23
Joined: Thu Jul 14, 2022 3:35 pm
Location: Berlin

Conceptual: What benefit does Capsman bring me besides configuration?

Wed Aug 10, 2022 10:43 pm

I'm not in production yet, still sitting on all these boxes and designing the network.

I know what Capsman does for me in the configuration part of the APs. My "user data" gets forwarded locally.

However, I'm trying to understand what experience a client will have when "roaming" (changing between APs) and if I want/need to have a centralized dhcp.

Main question is:
Does having a capsman speed up authenticating to the next AP when moving around between several APs?
The benefit for the client (keeping IP) for a centralized dhcp is obvious.

I'm wondering if taking this effort would give clients the ability to have "uninterrupted" connections while moving around - since we have several WLAN-VoIP-Phones.

If this does not work I don't need to have constant IPs through my APs and can omit the effort of a complex vlan construction and just forward the user data nat'ed to the gateway (using the basic ap configuration).
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Conceptual: What benefit does Capsman bring me besides configuration?

Wed Aug 10, 2022 10:53 pm

You won't get a mesh network seamless roaming if that is what you are asking.
What AP a client attaches to is mostly predicated on how the client responds, not the router or AP.
Capsman may make life complex for you.
How many access points will you be running?

In my experience NOT using capsman gives me the benefit of an easy simpler configuration.
 
openair030
just joined
Topic Author
Posts: 23
Joined: Thu Jul 14, 2022 3:35 pm
Location: Berlin

Re: Conceptual: What benefit does Capsman bring me besides configuration?

Thu Aug 11, 2022 12:44 am

In the end 17.
However, what can't be changed is that they're on one L2 backbone unswitched.
At the moment there is one adsl and there will come another gateway later (maybe 5G or adsl).
There are some IP-VoIP phones also on that L2 with their pbx

The basic concept is somewhat like:
AP mngmnt from outside with ip/vlan required (from that L2 backbone)
2.4 GHz indoor for operations, streaming, office
5GHz outdoor for public and operations

I don't mind configuring device by device over ssh (with some text clippings on my desktop). Mostly only some outside IP changes per device.
The remainder of the configuration would be quite similar. Sometimes I have some individual eth 2-5 port setting on indoor APs in a room.

streaming and public ssids are straightforward nat'ed (or dropped) and go out.

In operations and office ssid I have the usual 'walk around and skype, ip-call (e.g.!) disconnects' problem.
If I can get the experience for the users that it feels like roaming I'd take most efforts.
If it does not work anyway I can set up a much simpler system.

For operations and office there are three main areas with office printers et.al.
Here I have to deploy static routing rules on all devices (n-1) anyway. I wonder if I can make these two ssids a mesh themselves. Thus using mesh for the devices not for APs interconnecting them.

If capsman gives me more than setting the password of ssids and a vlan tag on incoming packets I'd like to understand what else it does for me.

Is there any magic that speeds up switching to the next AP with/without capsman?
If the client will ask anyway for dhcp (however this is answered/handled by me) when connecting to the next AP because it is a new AP for them - then I don't see an advantage and can turn on dhcp on all APs instead of handling it centralized.
otoh, if capsman gives me magic to avoid that I'd be glad to use it.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Conceptual: What benefit does Capsman bring me besides configuration?

Thu Aug 11, 2022 3:22 am

I am more concerned with the performance of the wifi.
You would be well advised to wait for the MT wifi 6 products, or get current wifi 6 ones already available.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Conceptual: What benefit does Capsman bring me besides configuration?  [SOLVED]

Thu Aug 11, 2022 12:29 pm

There are some pros and some cons. @anav covered cons (since he doesn't use CAPsMAN he's a vocal advocate against using it :-P ), but I'll enumerate them anyways:
  • configuration is still complex if one wants to optimize things, CAPsMAN doesn't do any automagic ...
  • wifiwave2 driver (which unleashes power of select ac wireless chips) is not compatible with CAPsMAN (yet)
  • certain advanced wireless settings are not available in CAPsMAN, they are only there on CAPs themselves (wifiwave2 driver currently supports similar set of optimisation knobs as CAPsMAN though, it might indicate the direction in which things are moving)
  • if using capsman forwarding, both CAPsMAN device and CAPs can become bottlenecks limiting wireless performance. This is due to tunneling (and encryption) of all traffic between wireless interfaces and wired network
  • CAP configuration apart from wireless interfaces must be provisioned by other means (mostly this means by hand) before attempting to get CAP managed by CAPsMAN. Complexity of it is proportional to complexity of LAN setup, can be as simple as pressing the button on CAP for certain amount of time (which configures a ROS device to CAP mode) or very complex (LAN with VLANs or wireless backhaul)
  • if CAPsMAN "disappears" for relatively short time, all CAP devices disable wireless interfaces (regardless the forwarding mode)
Possibly there are other drawbacks.

And now pros:
  • it allows centralized setup of wireless interfaces on all connected CAP devices
  • it allows centralized monitoring of connected wireless stations
  • it allows safe transport of traffic of different SSIDs over plain L2 switched backhaul if capsman forwarding is enabled
  • it allows kind of cloud setup because CAP to CAPsMAN communication can work over routed networks (uses IP connections). It is relatively secure as connections are encrypted.
  • it allows automatic ROS upgrades on CAPs
  • when WiFi roaming gets done in Mikrotik universe (it's being worked on in wifiwave2 driver and I firmly believe it'll land on further devices this way or another in some (hopefully) not so distant future), one will very likely have to use CAPsMAN to distribute all those data about contributing BSSIDs and exchange of PMKs and PTKs when station roams from one AP to another (wifiwave2 handles this but only within same AP, i.e. when station roams between 2.4 GHz BSSID and 5GHz BSSID). I guess same functionality could be achieved without using CAPsMAN (e.g. by some kind of broadcasting data about contributing BSSIDs from APs and unicast exchange of PMKs and PTKs), but there are cases where it wouldn't work well ...
    Currently CAPsMAN doesn't enhance station roaming in any way!

[edit]
And a random answer ... regarding DHCP: whether DHCP handshake happens or not after station roams to different AP is up to station ... but based on wireless setup (and is not related to using CAPsMAN). If station connects to different BSSID (AP) operating same SSID (and same security settings, e.g. same PSK with WPA2-PSK), then station will assume same L2 network and won't perform DHCP handshake. If station connects to different SSID, it has to assume different L2 network and has to perform DHCP handshake (even if it's actually same L2 network, some network admins like to name SSIDs according to frequency band).
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Conceptual: What benefit does Capsman bring me besides configuration?

Thu Aug 11, 2022 5:08 pm

Let's unpack this weak and misleading post.
There are some pros and some cons. @anav covered cons (since he doesn't use CAPsMAN he's a vocal advocate against using it :-P ), but I'll enumerate them anyways:
You have skewed logic my friend. I don't use Capsman because it's a pita and a waste of most new users' time and I am a reasonable example of a non-it trained person on these forums. Keep in mind that I don't mind working through issues and have for many other topics and I just don't see any value in capsman when WITHOUT my MT devices work and I don't need to waste an iota of my precious time on it.
Further, have you bothered to do analysis and stats on the forum posts vis-a-vis capsman? It's one of the most numerous topics replete with unhappy, confused, and desperate posters, mostly new users who seemed to have wasted so much time trying to get it to work.
My goal is to a. get a working config, b. ensure folks have a positive MT experience full stop.

Your list of pros is highly exaggerated. I've left the ones that matter in place, the others are bogus or debatable for the homeowner and anything conditional should not be considered LOL. They are all useful for the IT network guy who looks after clients' large group of devices although I will argue that value diminished due to lacklustre wifi performance which should be ameliorated with the MT wifi 6 offerings!!
And now pros:
  • it allows safe transport of traffic of different SSIDs over plain L2 switched backhaul if capsman forwarding is enabled
  • ability to do some filtering not possible in normal firewall rules, but rarely needed.
Possibly there are other drawbacks.
The biggest ones you failed to mention. HUGE WASTE of an admins time trying to learn capsman. Albeit this is because the user tries to take on too much at one time.
It's difficult enough to get a basic config, including WIFI (without capsman) done for the first few times. Much better to get a solid foundation in a working config and then do much reading from the MT docs, various threads on capsman in the forums etc......
The time, frustration often spills out into the family circle as one is screwing up the internet connectivity for many!! NOT trivial.
The sheer volume of posts with people with issues is staggering as previously noted. MT may have a useful service but its interface sucks as witnessed by the posts!

Note: When I get my first MT wifi 6 product, I will endeavour to give capsman 2.0 a try.
I expect MT to revamp capsman, for wifi6, making it a better service addition and a more friendly user experience.
Last edited by anav on Fri Aug 12, 2022 4:29 am, edited 1 time in total.
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Conceptual: What benefit does Capsman bring me besides configuration?

Thu Aug 11, 2022 8:44 pm

Unlike @anav, who tends to reduce everybody's problems to his own use cases and starts from there, I tried to give some ideas which (IMHO) apply to OP's case (who, BTW, doesn't seem to be a complete noob). And I dismissed the subjective arguments (such as the one about waste of time).

When it comes to my own installations ... I'm pretty much in @anav's ballpark. But I did set up a working CAPsMAN environment (albeit with a single CAP, not working at the moment because CAP device is used as lab device for v7 while CAPsMAN is on production gateway/FW) so I can speak with an iota of actual experience.
 
bpwl
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Conceptual: What benefit does Capsman bring me besides configuration?

Thu Aug 11, 2022 11:39 pm

On the Pro and Cons of CAPsMAN, ... they are very interesting. Some additional comments
And now pros:
it allows centralized setup of wireless interfaces on all connected CAP devices
it allows centralized monitoring of connected wireless stations
it allows safe transport of traffic of different SSIDs over plain L2 switched backhaul if capsman forwarding is enabled
it allows kind of cloud setup because CAP to CAPsMAN communication can work over routed networks (uses IP connections). It is relatively secure as connections are encrypted.
it allows automatic ROS upgrades on CAPs
DUDE does "it allows centralized monitoring of connected wireless stations". Dude -> RouterOS Info -> Registration table gives a very good overview of all wifi connections (Aggregation of all registration tables). Many examples of this RouterOS Info are in my other posts. Idem dito for many other tables (ARP, Resources, Addresses, Neighbors, ... Queues and routes of the edge ROS)
DUDE does "it allows automatic ROS upgrades on CAPs" it is the repository for all ROS.npk you like, and can upgrade or Force Upgrade a monitored ROS device (Cap or not), via the DUDE client in the map.
DUDE is a centralised monitoring, but no SPOF, it may be down or may be rebooted. It's for all ROS devices, not limited to CAP. Non-MT is gathered via SNMP.


The Pro that CAPsMAN would bring to me is a central point to e.g. deny access for a specific MAC on all APs in one command.
Centralisation of traffic has its benefits, but that is now done in the edge-router to internet, what is made as redundant as ROS allows.
Routed tunnels between CAPs and CAPsMAN could be useful, but not in my setups. (Different SSID are on different VLAN)
Cloud is not my solution, even as I run my own VPN Hub, with local DUDE's on the sites. Cloud dependency is one bridge too far.

One Con I really suspect is the reduced A-MPDU aggregation introduced by the CAPsMAN tunnel. I have seen numbers as low as 2048 bytes for AMSDU/MPDU. This would reduce the max throughput for the whole wifi channel , certainly for those with a high interface rate, due to the large airtime for overhead. Not clear if that is caused by a AMSDU setting done by CAPsMAN or because the tunnel is delivering the MPDU too slow for the larger aggregation in A-MPDU.
Not a CAPsMAN user, so I cannot test deeper on this A-MPDU handicap.

I do hope, that when wifiwave2 is made ready for CAPsMAN that then the registration table is again as informative as the current one with the classic driver, and that DUDE can show all registrations.
If not, then there is no place for wifiwave2 in my deployments. I could have kept the non-MT AP's that I have thrown in the bin. (They even had "airtime fairness", but needed different tools for central monitoring.)
 
openair030
just joined
Topic Author
Posts: 23
Joined: Thu Jul 14, 2022 3:35 pm
Location: Berlin

Re: Conceptual: What benefit does Capsman bring me besides configuration?

Fri Aug 12, 2022 11:58 am

Guys, thank you for the enlightening conversation.

Perhaps informative: I'm coding on Apple for +20yrs and my main profession is event technology.
I love configuring devices by RS232. Many of them ;)

However as feedback (also for MT and the posters):
I had absolutely no problem understanding capsman in the first place. That was exactly the object orientated concept you'll find in most modern languages.

Same for webfig or ssh. I found everything I was looking for instantly.
The tree structure of the commands is easy to understand and again I found everything I was looking for.

The documentation is mostly fine.
In seldom cases I did not find proper reference. I'd appreciate to have the reference complete on its own (too). Since e.g. the switch chip commands do not have a complete reference on their pages. I'd guess that a pure reference should be easy to doxy (or alike). That way I learned dBase. With a reference book.

Wireless is completely new to me (as event technology guys always lay cables). Also the more complex logic of routing and switching with more than two routers.

I personally do not have so many concerns about wifi performance.
Easy said:
On weekdays there'll be using <50 People the wireless. In the metal containers there'll be always only five or ten devices allowed anyway (only so called dj/vj but not audience).

Operations, office and streaming together will not be more than 20-30 clients at all at one time.

When there is a soccer worldcup there'll be 200-400 people(!) around and I'll limit tx to 1 MBit for freewifi (so that they don't stream the match on the big screens). But they still have 7+3 AP to connect to. I've heard the don't do more than 50 clients on one AP rule and I'll monitor this to see how many clients are really fine.
Over the thumb this is still enough as long as the clients distribute evenly on the APs (and geo.layout of the APs hopefully will do with a 3*2 rectangle).

On Sundays we have a flea market in front of the door (but within range of the outdoor wifi) that is attended by 1000-2000 People.
Here we took the strategic decision that we'll not cater that. Then we'd have had to buy high density APs for much more money to serve people that are not our customers.
On Sunday we'll turn free wifi off (== no Trial) and offer only hotspot login. The other ssids are wpa2 anyway.


My concern is different:
I'm more concerned about the cpu power of single devices.

I wouldn't use a hAPac3 with a quad core to capsman all traffic in capsman forwarding. The backbone would handle it but one device to manage traffic of up to 500 clients on all APs together?

Same applies if I take the approach to say my 7 Omni5 can be together one capsman entity. Then a 700 MHz single core cpu must handle a bit more traffic compared to local forwarding.

That is why I want it local forwarding:
Not wasting cpu power for things that can be configured, switched or routed. Firewall is fine since it works mainly on new connections, not established ones.

The dynamic queues a wireless client sets up if I give them a tx limit in their capsman settings concern me more. Since it can be at least 100 queues to work down with every packet. To be honest I'm a burned child when it comes down to large queue lists.

If it is necessary I'd have no problem to put in a PC with an unlimited (L6?) license but for now I don't see the need.

Overall I have a good feeling for the wireless side of the project.

Thanks for the detailed explanation of when a dhcp handshake is redone and why. I got it that was the information I needed because it will last give the office users that "roaming" experience.

For me capsman can do its part of the show. Mainly for a hotspot, ACLs and ssid passwords.
For all other configs I'll have some scripts on my Mac and do it over terminal/ssh automated. That's what I do in other situations anyway. Nice scripts with loops and if clauses. After a week it runs fully automated.


I still have some architectural questions about my setup but will spread them to finer granulated questions here.
Thank you guys.

my 2ct are: command plain reference and (high level problems) these hovering tool tips in webfig would have been nice at some points in the past.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Conceptual: What benefit does Capsman bring me besides configuration?

Fri Aug 12, 2022 1:13 pm

Using the wrong devices for wifi events IMHO.......... but if you are having success, then stick with the plan.
 
openair030
just joined
Topic Author
Posts: 23
Joined: Thu Jul 14, 2022 3:35 pm
Location: Berlin

Re: Conceptual: What benefit does Capsman bring me besides configuration?

Fri Aug 12, 2022 8:32 pm

What is a wifi event?
We sell food and beverages to the people. They don't want to use their phones besides texting :)
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Conceptual: What benefit does Capsman bring me besides configuration?

Fri Aug 12, 2022 8:40 pm

I was thinking conferences, concerts etc, where heavy use of wifi is very possible. If it's just eating perhaps not so much......
 
openair030
just joined
Topic Author
Posts: 23
Joined: Thu Jul 14, 2022 3:35 pm
Location: Berlin

Re: Conceptual: What benefit does Capsman bring me besides configuration?

Fri Aug 12, 2022 11:39 pm

Let's put it this way: It's a generic open air pub / beer garden and some freight containers for hire (private party).
Only the lonely ones and some laptop-lurkers (as I call them) use the wifi.

I have the usage stats of the one(1) dd-wrt AP they have and it's 5GByte(ish) Traffic per day at the moment.
The offices are less.

As said above: We took that no-high-density-aps-decision as first. It simply never would have broke even and we don't need wifi to attract people.

I have three areas with some demand where I put an ac3 that will cope with the 20ish clients around it.
All these disco containers (Faraday's cage to be exact) just get some AP for the 3-5 clients in there. I just took the hAP lite here to have only one manufacturer. I'd say it's fine for that task.

Only the (new) outdoor free wifi with that Omni5 is unpredictable besides that there aren't more than 60ish guests around the place.

I'm quite confident about this. As said I do fear more hitting processing limits of some small cpu.
For switches you get the max. throughput - for routers not.
