- I have a hAPac as my main router. This runs CAPsMAN, and does inter vlan routing with firewall rules as router on a stick. Mainly so I can block off CCTV and IOT devices from my main network and the internet if necessary.
- ether2 is an uplink to a hAP which is configured as a perimeter firewall. This device also does PPP and uplinks to my VDSL "modem" in bridge mode.
- ether1 is the downlink to my LAN.
- I have 9 CAPs dotted around at the moment.
- WiFi Roaming - when an iPhone moves from one access point to another, it still shows as connected on the phone, but no internet traffic passes for a few minutes (2 to 5). Then traffic resumes as normal. If I disconnect from the WiFi and reconnect, the problem remains until those few minutes are up.
- I have several 2ghz IOT wifi devices which regularly (several times a day) disconnect temporarily and then eventually reconnect. I do not see this issue on iphones or laptops.
Thank you.
# NOTE(review): the "software id" and "serial number" header lines identify
# this specific unit; swap them for placeholders before posting an export.
# nov/10/2022 19:27:38 by RouterOS 7.4.1
# software id = NG1Y-BM7M
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 6F1206C86AC7
# CAPsMAN channel profiles. Only "2ghz" and "5ghz" are referenced by the
# /caps-man configuration entries in the posted listings; "LowPower" and
# "2ghz-High Power" are defined but not referenced there.
/caps-man channel
add name=LowPower tx-power=10
# tx-power=10 applies to every 2.4 GHz SSID, including the IoT one (wifi35t).
# The exporter's running-state comment on wlan1 reports 7dBm on air. Together
# with the signal-range reject rule under /caps-man access-list, this is worth
# checking against the IoT disconnects described in the post.
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
name=2ghz tx-power=10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee name=\
5ghz tx-power=20
# NOTE(review): control-channel-width=5mhz is a narrow-channel setting that
# ordinary Wi-Fi clients presumably cannot join - confirm before assigning
# this profile to any configuration.
add band=2ghz-g/n control-channel-width=5mhz extension-channel=disabled name=\
"2ghz-High Power" tx-power=20
# One bridge per VLAN. Each gets a .254 gateway address under /ip address and
# has the matching vlanNN interface added under /interface bridge port, so
# traffic between segments is routed by this device. Isolation of the guest,
# IOT and CCTV segments therefore rests on /ip firewall filter rules, which
# are not part of the posted listings.
/interface bridge
add name=bridge-51-Client-Admin
add name=bridge-52-Client-General
add name=bridge-53-Client-Kids
add name=bridge-54-Client-Guest
add name=bridge-61-IOT-Media
add name=bridge-62-IOT-HA
add name=bridge-63-IOT-CCTV
add name=bridge-71-Servers-General
add name=bridge-81-Servers-DMZ
add name=bridge-82-VOIP
add name=bridge-99-Management
# Trunk bridge: ether1-LAN and ether5 are its ports, the vlanNN interfaces sit
# on top of it, and the local CAP radios forward into it
# (/interface wireless cap bridge=bridge-vlans-LocalCAP).
add admin-mac=6C:3B:6B:44:98:40 auto-mac=no name=bridge-vlans-LocalCAP
/interface ethernet
set [ find default-name=ether1 ] comment=LAN name=ether1-LAN speed=100Mbps
# mtu=1508 / l2mtu=1526 on the uplink: presumably headroom so that full
# 1500-byte packets survive the PPP encapsulation done by the perimeter hAP -
# confirm against that device's settings.
set [ find default-name=ether2 ] comment=RB951G l2mtu=1526 mtu=1508 name=\
ether2-WAN-RB951G speed=100Mbps
set [ find default-name=ether3 ] l2mtu=1526 name=ether3-Voip speed=100Mbps
set [ find default-name=ether4 ] name=ether4-SqueezeboxKitchen speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
# Local radio settings of the hAP ac itself. Both radios are listed under
# /interface wireless cap (interfaces=wlan1,wlan2), so what is on air comes
# from CAPsMAN; the "# channel: ..." lines are the exporter's snapshot of the
# running state, not configuration.
# NOTE(review): the values below (ssid=MikroTik, and on wlan2
# country=no_country_set with frequency-mode=manual-txpower) only matter if
# CAP mode is ever switched off; check what these radios would broadcast in
# that case.
/interface wireless
# managed by CAPsMAN
# channel: 2462/20/gn(7dBm), SSID: wifi350, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n bridge-mode=disabled \
channel-width=20/40mhz-eC country="united kingdom" disabled=no frequency=\
auto mode=ap-bridge ssid=MikroTik station-roaming=enabled \
wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(20dBm), SSID: wifi350, local forwarding
set [ find default-name=wlan2 ] antenna-gain=0 country=no_country_set \
disabled=no frequency-mode=manual-txpower ssid=MikroTik station-roaming=\
enabled
# Tagged sub-interfaces of the trunk bridge, one per VLAN ID. Each is later
# added as a port of the bridge with the same number under
# /interface bridge port, which is how a tagged frame arriving on ether1-LAN,
# ether5 or a local CAP radio reaches its per-VLAN bridge.
# Only VLANs 54, 62 and 71 are used by the CAPsMAN configurations in the
# posted listings.
/interface vlan
add interface=bridge-vlans-LocalCAP name=vlan51-Client-Admin vlan-id=51
add interface=bridge-vlans-LocalCAP name=vlan52-Client-General vlan-id=52
add interface=bridge-vlans-LocalCAP name=vlan53-Client-Kids vlan-id=53
add interface=bridge-vlans-LocalCAP name=vlan54-Client-Guest vlan-id=54
add interface=bridge-vlans-LocalCAP name=vlan61-IOT-Media vlan-id=61
add interface=bridge-vlans-LocalCAP name=vlan62-IOT-HA vlan-id=62
add interface=bridge-vlans-LocalCAP name=vlan63-IOT-CCTV vlan-id=63
add interface=bridge-vlans-LocalCAP name=vlan71-Servers-General vlan-id=71
add interface=bridge-vlans-LocalCAP name=vlan81-Servers-DMZ vlan-id=81
add interface=bridge-vlans-LocalCAP name=vlan82-VOIP vlan-id=82
add interface=bridge-vlans-LocalCAP name=vlan99-Management vlan-id=99
# Rate sets. Every /caps-man configuration in the posted listings uses
# rates=GN; the "IOT" set is defined but not applied to any SSID, including
# the IoT SSID wifi35t.
/caps-man rates
# GN lists 6Mbps as the only basic and supported legacy rate, so none of the
# 802.11b rates are offered. NOTE(review): confirm that every 2.4 GHz IoT
# device can work with this rate set.
add basic=6Mbps name=GN supported=6Mbps vht-basic-mcs=""
add basic=5.5Mbps,11Mbps,6Mbps,9Mbps,12Mbps,18Mbps name=IOT supported=\
5.5Mbps,11Mbps,6Mbps,9Mbps,12Mbps,18Mbps
# One WPA2-PSK / AES-CCM profile per SSID family, which lets each SSID carry
# its own passphrase. No passphrase= value appears here, presumably because
# the export omits sensitive values by default - confirm before posting any
# export made with show-sensitive.
# NOTE(review): group-key-update=10m rotates the group key every ten minutes;
# if the wifi35t disconnects line up with that interval, it is a lead worth
# testing.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
group-key-update=10m name=wifi350
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
group-key-update=10m name=wifi35t
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
group-key-update=10m name=guest
# SSID-to-VLAN mapping as configured here:
#   wifi350        -> VLAN 71 (bridge-71-Servers-General)
#   guest / guest2 -> VLAN 54 (bridge-54-Client-Guest)
#   wifi35t        -> VLAN 62 (bridge-62-IOT-HA)
# local-forwarding=yes with vlan-mode=use-tag means each CAP tags client
# frames itself instead of tunnelling them to the manager, so every CAP
# uplink has to carry VLANs 54, 62 and 71 tagged.
# NOTE(review): wifi350 clients land in the VLAN named Servers-General and no
# configuration uses VLANs 51-53; the per-MAC VLAN overrides under
# /caps-man access-list are all disabled. Confirm this placement is intended,
# since firewall rules keyed on the server bridge then also cover ordinary
# Wi-Fi clients.
/caps-man configuration
add channel=5ghz country="united kingdom" \
datapath.client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=\
71 .vlan-mode=use-tag mode=ap name=cfg_wifi350-5ghz rates=GN security=\
wifi350 ssid=wifi350
# NOTE(review): client-to-client-forwarding=yes on a guest SSID lets guest
# stations on the same radio exchange frames directly at the AP, without
# passing the router's firewall; set it to no if guests should be isolated
# from each other. The same applies to cfg_guest-5ghz below.
# The 2.4 GHz guest SSID is "guest2" while the 5 GHz one is "guest" - confirm
# the different names are intentional.
add channel=2ghz country="united kingdom" \
datapath.client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=\
54 .vlan-mode=use-tag mode=ap name=cfg_guest-2ghz rates=GN security=guest \
ssid=guest2
# IoT SSID: the only configuration with multicast-helper=full, and it exists
# for 2.4 GHz only.
add channel=2ghz country="united kingdom" \
datapath.client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=\
62 .vlan-mode=use-tag mode=ap multicast-helper=full name=cfg_wifi35t-2ghz \
rates=GN security=wifi35t ssid=wifi35t
add channel=2ghz country="united kingdom" \
datapath.client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=\
71 .vlan-mode=use-tag mode=ap name=cfg_wifi350-2ghz rates=GN security=\
wifi350 ssid=wifi350
add channel=5ghz country="united kingdom" \
datapath.client-to-client-forwarding=yes .local-forwarding=yes .vlan-id=\
54 .vlan-mode=use-tag mode=ap name=cfg_guest-5ghz rates=GN security=guest \
ssid=guest
# CAP interface entries, one group per radio. The master entry
# (master-interface=none, radio-mac set to the radio's address) carries
# wifi350; the slave entries are virtual APs for guest and, on 2.4 GHz only,
# wifi35t. Slave entries have radio-mac=00:00:00:00:00:00 and a mac-address
# whose first octet differs from the master's by the locally-administered bit
# (4C->4E, 6C->6E, E4->E6).
# NOTE(review): /caps-man provisioning uses action=create-dynamic-enabled, yet
# these entries appear in the export, so they are presumably static entries
# (converted or created by hand) - confirm which of the two is actually in
# effect for each radio.
# NOTE(review): the mac-address / radio-mac values are the radios' real
# BSSIDs; consider masking them when posting an export.
/caps-man interface
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=\
4C:5E:0C:86:65:E1 master-interface=none name=2G-cAP-Office-1 radio-mac=\
4C:5E:0C:86:65:E1 radio-name=4C5E0C8665E1
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=\
4E:5E:0C:86:65:E1 master-interface=2G-cAP-Office-1 name=2G-cAP-Office-1-1 \
radio-mac=00:00:00:00:00:00 radio-name=4E5E0C8665E1
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=\
4E:5E:0C:86:65:E2 master-interface=2G-cAP-Office-1 name=2G-cAP-Office-1-2 \
radio-mac=00:00:00:00:00:00 radio-name=4E5E0C8665E2
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=\
E4:8D:8C:8A:7B:51 master-interface=none name=\
"2G-hAP-Lite-Boiler Cupboard-1" radio-mac=E4:8D:8C:8A:7B:51 radio-name=\
E48D8C8A7B51
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=\
E6:8D:8C:8A:7B:51 master-interface="2G-hAP-Lite-Boiler Cupboard-1" name=\
"2G-hAP-Lite-Boiler Cupboard-1-1" radio-mac=00:00:00:00:00:00 radio-name=\
E68D8C8A7B51
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=\
E6:8D:8C:8A:7B:52 master-interface="2G-hAP-Lite-Boiler Cupboard-1" name=\
"2G-hAP-Lite-Boiler Cupboard-1-2" radio-mac=00:00:00:00:00:00 radio-name=\
E68D8C8A7B52
# 2.4 GHz radio of this device itself (same address family as the
# bridge-vlans-LocalCAP admin-mac 6C:3B:6B:44:98:40).
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=\
6C:3B:6B:44:98:47 master-interface=none name="2G-hAPac-Main Router-1" \
radio-mac=6C:3B:6B:44:98:47 radio-name=6C3B6B449847
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=\
6E:3B:6B:44:98:47 master-interface="2G-hAPac-Main Router-1" name=\
"2G-hAPac-Main Router-1-1" radio-mac=00:00:00:00:00:00 radio-name=\
6E3B6B449847
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=\
6E:3B:6B:44:98:48 master-interface="2G-hAPac-Main Router-1" name=\
"2G-hAPac-Main Router-1-2" radio-mac=00:00:00:00:00:00 radio-name=\
6E3B6B449848
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=\
E4:8D:8C:CE:D0:69 master-interface=none name=2G-wAP-Outside-Garage-1 \
radio-mac=E4:8D:8C:CE:D0:69 radio-name=E48D8CCED069
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=\
E6:8D:8C:CE:D0:69 master-interface=2G-wAP-Outside-Garage-1 name=\
2G-wAP-Outside-Garage-1-1 radio-mac=00:00:00:00:00:00 radio-name=\
E68D8CCED069
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=\
E6:8D:8C:CE:D0:6A master-interface=2G-wAP-Outside-Garage-1 name=\
2G-wAP-Outside-Garage-1-2 radio-mac=00:00:00:00:00:00 radio-name=\
E68D8CCED06A
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=\
E4:8D:8C:CE:DD:3D master-interface=none name=2G-wAP-Outside-Shed-1 \
radio-mac=E4:8D:8C:CE:DD:3D radio-name=E48D8CCEDD3D
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=\
E6:8D:8C:CE:DD:3D master-interface=2G-wAP-Outside-Shed-1 name=\
2G-wAP-Outside-Shed-1-1 radio-mac=00:00:00:00:00:00 radio-name=\
E68D8CCEDD3D
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=\
E6:8D:8C:CE:DD:3E master-interface=2G-wAP-Outside-Shed-1 name=\
2G-wAP-Outside-Shed-1-2 radio-mac=00:00:00:00:00:00 radio-name=\
E68D8CCEDD3E
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=\
E4:8D:8C:4B:12:37 master-interface=none name=2G-wAPac-Guestroom-1 \
radio-mac=E4:8D:8C:4B:12:37 radio-name=E48D8C4B1237
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=\
E6:8D:8C:4B:12:37 master-interface=2G-wAPac-Guestroom-1 name=\
2G-wAPac-Guestroom-1-1 radio-mac=00:00:00:00:00:00 radio-name=\
E68D8C4B1237
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=\
E6:8D:8C:4B:12:38 master-interface=2G-wAPac-Guestroom-1 name=\
2G-wAPac-Guestroom-1-2 radio-mac=00:00:00:00:00:00 radio-name=\
E68D8C4B1238
add configuration=cfg_wifi350-2ghz disabled=no l2mtu=1600 mac-address=\
6C:3B:6B:6C:A1:6E master-interface=none name=2G-wAPac-Kitchen-1 \
radio-mac=6C:3B:6B:6C:A1:6E radio-name=6C3B6B6CA16E
add configuration=cfg_guest-2ghz disabled=no l2mtu=1600 mac-address=\
6E:3B:6B:6C:A1:6E master-interface=2G-wAPac-Kitchen-1 name=\
2G-wAPac-Kitchen-1-1 radio-mac=00:00:00:00:00:00 radio-name=6E3B6B6CA16E
add configuration=cfg_wifi35t-2ghz disabled=no l2mtu=1600 mac-address=\
6E:3B:6B:6C:A1:6F master-interface=2G-wAPac-Kitchen-1 name=\
2G-wAPac-Kitchen-1-2 radio-mac=00:00:00:00:00:00 radio-name=6E3B6B6CA16F
# 5 GHz radios: master carries wifi350, one slave carries guest; there is no
# wifi35t slave on 5 GHz.
add configuration=cfg_wifi350-5ghz disabled=no l2mtu=1600 mac-address=\
6C:3B:6B:44:98:46 master-interface=none name="5G-hAPac-Main Router-1" \
radio-mac=6C:3B:6B:44:98:46 radio-name=6C3B6B449846
add configuration=cfg_guest-5ghz disabled=no l2mtu=1600 mac-address=\
6E:3B:6B:44:98:46 master-interface="5G-hAPac-Main Router-1" name=\
"5G-hAPac-Main Router-1-1" radio-mac=00:00:00:00:00:00 radio-name=\
6E3B6B449846
add configuration=cfg_wifi350-5ghz disabled=no l2mtu=1600 mac-address=\
E4:8D:8C:4B:12:36 master-interface=none name=5G-wAPac-Guestroom-1 \
radio-mac=E4:8D:8C:4B:12:36 radio-name=E48D8C4B1236
add configuration=cfg_guest-5ghz disabled=no l2mtu=1600 mac-address=\
E6:8D:8C:4B:12:36 master-interface=5G-wAPac-Guestroom-1 name=\
5G-wAPac-Guestroom-1-1 radio-mac=00:00:00:00:00:00 radio-name=\
E68D8C4B1236
add configuration=cfg_wifi350-5ghz disabled=no l2mtu=1600 mac-address=\
6C:3B:6B:6C:A1:6D master-interface=none name=5G-wAPac-Kitchen-1 \
radio-mac=6C:3B:6B:6C:A1:6D radio-name=6C3B6B6CA16D
add configuration=cfg_guest-5ghz disabled=no l2mtu=1600 mac-address=\
6E:3B:6B:6C:A1:6D master-interface=5G-wAPac-Kitchen-1 name=\
5G-wAPac-Kitchen-1-1 radio-mac=00:00:00:00:00:00 radio-name=6E3B6B6CA16D
# Switch-chip port settings. NOTE(review): vlan-mode=fallback with
# default-vlan-id=0 presumably means the switch chip is not enforcing VLAN
# membership on these ports, leaving segment separation to the bridges and
# the firewall - confirm against the switch VLAN table, which is not in the
# posted listings.
/interface ethernet switch port
set 1 default-vlan-id=0 vlan-mode=fallback
set 2 default-vlan-id=0 vlan-mode=fallback
set 3 default-vlan-id=0 vlan-mode=fallback
set 4 default-vlan-id=0 vlan-mode=fallback
set 5 default-vlan-id=0 vlan-mode=fallback
# Interface lists, presumably referenced by firewall rules that are not in the
# posted listings. Membership is assigned under /interface list member;
# "List-All Clients exc. Kids" has no members there.
/interface list
add name=List-LAN
add name="List-All Client"
add name="List-All Servers"
add name="List-All Clients exc. Kids"
add name=mactel
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
# Local (non-CAPsMAN) wireless security profiles. In the posted listings only
# wifi350-wds is referenced, by wlan3 below; the temp* and KitchenOffice
# profiles are presumably leftovers - confirm and remove unused ones so stale
# keys do not linger on the device.
# No key values appear, presumably because the export omits sensitive values.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
temp2wifi350 supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
tempwifi350 supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=tempguest supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=KitchenOffice supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=wifi350-wds supplicant-identity=""
# Virtual station-wds interface on the 5 GHz radio. No disabled=no is present,
# so it is presumably disabled - confirm.
# NOTE(review): with wds-mode=dynamic-mesh and
# wds-default-bridge=bridge-71-Servers-General, any WDS link that forms is
# bridged straight into the server VLAN; if this interface is ever enabled,
# the wifi350-wds key is what guards layer-2 access to that segment.
/interface wireless
add keepalive-frames=disabled mac-address=6E:3B:6B:44:98:4A master-interface=\
wlan2 mode=station-wds multicast-buffering=disabled name=wlan3 \
security-profile=wifi350-wds ssid=wifi350-wds station-roaming=enabled \
wds-cost-range=0 wds-default-bridge=bridge-71-Servers-General \
wds-default-cost=0 wds-mode=dynamic-mesh wps-mode=disabled
# CAPsMAN access list. With ssid-regexp="" and interface=any the rules are not
# limited to one SSID or radio.
# The first four entries override the VLAN per client MAC address and are all
# disabled=yes. NOTE(review): a client chooses its own MAC address, so a
# MAC-keyed vlan-id override is a convenience, not an access control; if these
# are re-enabled, do not rely on them to keep a device out of VLAN 71 or 62.
/caps-man access-list
add action=accept comment=OfficeSqueezebox disabled=yes mac-address=\
00:04:20:1E:3F:F6 ssid-regexp="" vlan-id=71 vlan-mode=use-tag
add action=accept comment="Playroom Squeezebox" disabled=yes mac-address=\
00:04:20:1E:3F:5A ssid-regexp="" vlan-id=71 vlan-mode=use-tag
# This entry has no action=, unlike its neighbours, so the default action
# applies.
add comment="Kitchen Squeezebox" disabled=yes mac-address=00:04:20:26:98:36 \
ssid-regexp="" vlan-id=71 vlan-mode=use-tag
add action=accept comment="Al's phone" disabled=yes mac-address=\
14:1A:A3:98:4B:57 ssid-regexp="" vlan-id=62 vlan-mode=use-tag
# Older signal-range pair (-80 accept / -83 reject, 10s grace), disabled.
add action=accept allow-signal-out-of-range=10s disabled=yes interface=any \
signal-range=-80..0 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=yes interface=any \
signal-range=-120..-83 ssid-regexp=""
# Active pair: stations at -86 or better are accepted, stations at -87 or
# worse are rejected, with a 3s allowance for being out of range.
# NOTE(review): presumably a station whose signal sits below the threshold for
# more than 3s is dropped and refused until it improves. This applies to the
# IoT SSID as well, so compare the IoT devices' signal levels in the
# registration table with these thresholds when chasing the disconnects.
add action=accept allow-signal-out-of-range=3s disabled=no interface=any \
signal-range=-86..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=3s disabled=no interface=any \
signal-range=-120..-87 ssid-regexp=""
# NOTE(review): interface=*154 is an internal ID rather than a name, which the
# export presumably prints because the parent interface (by the name, an EoIP
# tunnel) no longer exists. This orphaned VLAN is still a port of
# bridge-71-Servers-General under /interface bridge port; remove it or
# re-point it at a real interface.
/interface vlan
add interface=*154 name=vlan71-eoip vlan-id=71
# CAPsMAN manager. "# bad package path" is the exporter's own flag on
# package-path=/pub.
# NOTE(review): no certificate or require-peer-certificate value appears, so
# they are presumably at their defaults and CAP-to-manager sessions are not
# certificate-authenticated. No /caps-man manager interface section is in the
# posted listings, so which interfaces accept CAP connections cannot be told
# from here - confirm the manager only listens on the management segment.
/caps-man manager
# bad package path
set enabled=yes package-path=/pub upgrade-policy=suggest-same-version
# Provisioning rules match on hw-supported-modes only (ac -> 5 GHz set,
# gn -> 2.4 GHz set). NOTE(review): no radio-mac restriction is set, so
# presumably any radio that can reach the manager as a CAP is handed these
# SSIDs and their security profiles; this is the reason to restrict and
# authenticate CAP connections on the manager.
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
cfg_wifi350-5ghz name-format=prefix-identity name-prefix=5G \
slave-configurations=cfg_guest-5ghz
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
cfg_wifi350-2ghz name-format=prefix-identity name-prefix=2G \
slave-configurations=cfg_guest-2ghz,cfg_wifi35t-2ghz
# Bridge membership. Each vlanNN interface (a tagged sub-interface of
# bridge-vlans-LocalCAP) is the port of its per-VLAN bridge; ether1-LAN and
# ether5 are the trunk ports of bridge-vlans-LocalCAP.
# NOTE(review): ingress-filtering=no is exported on every port and no bridge
# in the posted listings sets vlan-filtering, so presumably no port drops
# frames by VLAN ID. Untagged frames arriving on ether1-LAN or ether5 stay on
# bridge-vlans-LocalCAP itself, which has no address under /ip address.
/interface bridge port
add bridge=bridge-51-Client-Admin ingress-filtering=no interface=\
vlan51-Client-Admin
add bridge=bridge-52-Client-General ingress-filtering=no interface=\
vlan52-Client-General
add bridge=bridge-53-Client-Kids ingress-filtering=no interface=\
vlan53-Client-Kids
add bridge=bridge-54-Client-Guest ingress-filtering=no interface=\
vlan54-Client-Guest
add bridge=bridge-61-IOT-Media ingress-filtering=no interface=\
vlan61-IOT-Media
add bridge=bridge-62-IOT-HA ingress-filtering=no interface=vlan62-IOT-HA
add bridge=bridge-63-IOT-CCTV ingress-filtering=no interface=vlan63-IOT-CCTV
add bridge=bridge-71-Servers-General ingress-filtering=no interface=\
vlan71-Servers-General
add bridge=bridge-81-Servers-DMZ ingress-filtering=no interface=\
vlan81-Servers-DMZ
add bridge=bridge-82-VOIP ingress-filtering=no interface=vlan82-VOIP
add bridge=bridge-99-Management ingress-filtering=no interface=\
vlan99-Management
add bridge=bridge-vlans-LocalCAP ingress-filtering=no interface=ether1-LAN
# Untagged access ports placed directly into a per-VLAN bridge, with hw=no.
add bridge=bridge-82-VOIP hw=no ingress-filtering=no interface=ether3-Voip
add bridge=bridge-71-Servers-General hw=no ingress-filtering=no interface=\
ether4-SqueezeboxKitchen
# vlan71-eoip is the VLAN whose parent is exported as interface=*154; this
# port is presumably inactive - confirm and remove.
add bridge=bridge-71-Servers-General ingress-filtering=no interface=\
vlan71-eoip
add bridge=bridge-vlans-LocalCAP ingress-filtering=no interface=ether5
# NOTE(review): discover-interface-list=!dynamic enables neighbor discovery
# on every non-dynamic interface, which here includes ether2-WAN-RB951G and
# the guest, IOT and CCTV bridges. Discovery announcements presumably carry
# the device identity, model and RouterOS version; consider pointing this at a
# list that contains only the management segment.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# NOTE(review): detect-interface-list=all lets Detect Internet probe every
# interface. On a router whose interface roles are fixed, as here, it is
# presumably not needed - confirm and consider detect-interface-list=none.
/interface detect-internet
set detect-interface-list=all
# List membership. List-LAN contains Client-Admin, Client-General,
# Servers-General and Management. Because the wifi350 SSID places its clients
# in VLAN 71 (Servers-General), whatever the firewall grants to List-LAN is
# also granted to every wifi350 Wi-Fi client - verify against the filter
# rules, which are not in the posted listings.
/interface list member
add interface=bridge-51-Client-Admin list=List-LAN
add interface=bridge-52-Client-General list=List-LAN
add interface=bridge-51-Client-Admin list="List-All Client"
add interface=bridge-52-Client-General list="List-All Client"
add interface=bridge-53-Client-Kids list="List-All Client"
add interface=bridge-54-Client-Guest list="List-All Client"
add interface=bridge-71-Servers-General list="List-All Servers"
add interface=bridge-81-Servers-DMZ list="List-All Servers"
# NOTE(review): *D4 is an internal ID, presumably a deleted interface, so the
# mactel list has no usable member in the posted listings. If a MAC-server or
# firewall rule depends on this list, it no longer matches what was intended.
add interface=*D4 list=mactel
add interface=bridge-71-Servers-General list=List-LAN
add interface=bridge-99-Management list=List-LAN
# Local CAP client: hands wlan1 and wlan2 to a CAPsMAN manager discovered over
# bridge-99-Management, and attaches locally forwarded client traffic to
# bridge-vlans-LocalCAP, where the VLAN tag set by the CAPsMAN datapath
# selects the vlanNN interface.
# NOTE(review): no certificate setting appears here, so the CAP presumably
# accepts whichever manager answers discovery on the management bridge; keep
# that segment restricted accordingly.
/interface wireless cap
#
set bridge=bridge-vlans-LocalCAP discovery-interfaces=bridge-99-Management \
enabled=yes interfaces=wlan1,wlan2
# Gateway addresses: 192.168.NN.254/24 on each per-VLAN bridge, where NN is
# the VLAN ID, plus 192.168.31.253/24 on the uplink toward the perimeter hAP.
# bridge-vlans-LocalCAP has no address in this listing, so untagged traffic on
# the trunk has no gateway on this router.
# Every segment is directly routable from every other one unless
# /ip firewall filter forbids it; those rules are not in the posted listings.
/ip address
add address=192.168.31.253/24 interface=ether2-WAN-RB951G network=\
192.168.31.0
add address=192.168.51.254/24 interface=bridge-51-Client-Admin network=\
192.168.51.0
add address=192.168.52.254/24 interface=bridge-52-Client-General network=\
192.168.52.0
add address=192.168.53.254/24 interface=bridge-53-Client-Kids network=\
192.168.53.0
add address=192.168.54.254/24 interface=bridge-54-Client-Guest network=\
192.168.54.0
add address=192.168.61.254/24 interface=bridge-61-IOT-Media network=\
192.168.61.0
add address=192.168.62.254/24 interface=bridge-62-IOT-HA network=192.168.62.0
add address=192.168.63.254/24 interface=bridge-63-IOT-CCTV network=\
192.168.63.0
add address=192.168.71.254/24 interface=bridge-71-Servers-General network=\
192.168.71.0
add address=192.168.81.254/24 interface=bridge-81-Servers-DMZ network=\
192.168.81.0
add address=192.168.82.254/24 interface=bridge-82-VOIP network=192.168.82.0
add address=192.168.99.254/24 interface=bridge-99-Management network=\
192.168.99.0