CapsMan to Cap setup

engragy · Sun Sep 04, 2022 3:15 am

Hello everyone ...
i have a HEX routerboard model: RB750Gr3 and a CAP model: RBcAP2nD.
I'm trying to setup the router (RB750) as a CapsMan and connect the only CAP i have.

the router:

is connectd to internet through pppoe client

have a separate subnet (172.16.0.0/24) that should hold a server

configs:

/interface bridge
add name=caps-bridge1
/interface bridge port
add bridge=caps-bridge1 interface=ether2
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] name=ether5-lan
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan name=pppoe-out1 password=my_pass user=my_user

/ip address
add address=172.16.1.1/24 comment=wired-subnet interface=ether5-lan network=172.16.1.0
add address=192.168.1.2/24 comment=wan-connection interface=ether1-wan network=192.168.1.0
add address=172.16.0.1/24 comment=server-network interface=ether5-lan network=172.16.0.0
add address=192.168.0.1/24 comment="bridge (caps-connection)" interface=caps-bridge1 network=192.168.0.0

/ip dhcp-client
add comment=defconf disabled=no interface=ether1-wan

/ip pool
add name=wired-subnet-pool1 ranges=172.16.1.2-172.16.1.30
add name=caps-pool ranges=192.168.0.2-192.168.0.254

/ip dhcp-server
add address-pool=wired-subnet-pool1 disabled=no interface=ether5-lan name=wired-subnet-dhcp1
add address-pool=caps-pool disabled=no interface=caps-bridge1 name=caps-dhcp-srv1
/ip dhcp-server network
add address=172.16.1.0/24 dns-server=172.16.1.1 gateway=172.16.1.1
add address=192.168.0.0/24 dns-server=8.8.8.8,192.168.0.1 gateway=192.168.0.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,172.16.0.1,172.16.1.1,192.168.0.1

/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=channel1
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=channel2
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=channel3
/caps-man datapath
add bridge=caps-bridge1 local-forwarding=no name=users_datapath1
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security1 passphrase=my-wifi-pass
/caps-man configuration
add channel=channel1 country=egypt datapath=users_datapath1 distance=indoors installation=indoor mode=ap name=cfg1 rx-chains=0,1 security=security1 ssid=my-ssid tx-chains=0,1
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=require-same-version
/caps-man manager interface
add disabled=no interface=caps-bridge1
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="bypass fasttrack - access wan modem" dst-address=192.168.1.1
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=pppoe-out1

/ip route
add check-gateway=ping distance=1 gateway=pppoe-out1

engragy · Sun Sep 04, 2022 3:16 am

the Cap:

should be controlled by CapsMan -- (done)

should access internet the pppoe gatway in the router -- (using winbox on cap i can ping 8.8.8.8 but as client connected to cap's AP i can't reach internet)

should access server on local subnet 172.16.0.0/24 subnet -- (using winbox i can bing 172.16.0.3 but as a client connected to cap's AP i can't reach server http page )

Configs:

/interface bridge
add comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether1

/interface wireless
# managed by CAPsMAN
# channel: 2412/20/gn(18dBm), SSID: lasik-port-said, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-7F3A1F wireless-protocol=802.11

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/interface wireless cap
set certificate=request discovery-interfaces=bridge enabled=yes interfaces=wlan1

/ip dhcp-client
add comment=defconf disabled=no interface=bridge

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=bridge

so in the end i am able to connect CapsMan to the Cap i have, but with problems as i couldn't access internet or a subnet from the Cap - AP (even though when i winbox to Cap i can connect to internet and get packages updates and also ping the desired subnet). could someone advise ?

CapsMan to Cap setup

CapsMan to Cap setup

Re: CapsMan to Cap setup

Who is online