massinia
Member Candidate
Topic Author
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

CAPsMAN and VLAN for guests

Sat Jan 21, 2023 9:12 pm

Hi, I'm trying to add a wireless network for guests; surely I'm doing something wrong with the VLANs...

The main network works while the guest network does not assign IP addresses.

If I disable the main network, the guest network works fine with VLAN 10.

Thanks in advance for the help.
# jan/21/2023 20:00:58 by RouterOS 7.7
# software id = 4QHG-AAAA
#
# model = RB952Ui-5ac2nD
# serial number = 71AF08AAAAAAA
# Export of the poster's config: a CAPsMAN-managed main SSID on the untagged
# bridge plus a guest SSID that is meant to land in VLAN 10 (10.0.0.0/24) via
# the vlan10 interface. Review notes below point at what the thread corrects.
/caps-man configuration
# cfg1 = main SSID, delivered untagged to the bridge (local forwarding).
add channel.skip-dfs-channels=yes country=us datapath.client-to-client-forwarding=yes .local-forwarding=yes installation=indoor mode=ap multicast-helper=full name=cfg1 \
    security.authentication-types=wpa2-psk .encryption=aes-ccm .group-encryption=aes-ccm ssid=MikroTik
# cfg2 = guest SSID, tagged with VLAN 10 (datapath.vlan-mode=use-tag).
# client-to-client-forwarding=no only isolates guests associated to the same
# CAP; guests on different CAPs can still talk at layer 2 (see the reply below).
add channel.skip-dfs-channels=yes country=us datapath.client-to-client-forwarding=no .local-forwarding=yes .vlan-id=10 .vlan-mode=use-tag installation=indoor mode=ap multicast-helper=full \
    name=cfg2 security.authentication-types=wpa2-psk .encryption=aes-ccm .group-encryption=aes-ccm ssid="MikroTik Guests"
/interface bridge
# NOTE(review): vlan-filtering=yes, but this export contains no
# /interface bridge vlan entries, so VLAN 10 is not a tagged member of the
# bridge (CPU) port and tagged guest frames do not reach the vlan10 interface.
# The accepted reply adds "add bridge=bridge tagged=bridge vlan-ids=10".
add admin-mac=CC:2D:E0:29:EC:EF auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2447/20-Ce/gn(18dBm), SSID: MikroTik, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-29ECF4 \
    wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(21dBm), SSID: MikroTik, local forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-29ECF3 \
    wireless-protocol=802.11
/interface vlan
# Router-side layer-3 interface for the guest VLAN. It only carries traffic once
# VLAN 10 is a tagged member of the bridge itself (see note on /interface bridge).
add interface=bridge name=vlan10 vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.0.0.2-10.0.0.254
/ip dhcp-server
# defconf serves the main LAN on the bridge; dhcp1 serves guests on vlan10.
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=vlan10 name=dhcp1
/caps-man manager
set enabled=yes
/caps-man provisioning
# Every provisioned radio gets cfg1 as its master SSID and cfg2 as a slave SSID.
add action=create-dynamic-enabled master-configuration=cfg1 slave-configurations=cfg2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
# NOTE(review): wlan1/wlan2 as static bridge ports is what the accepted reply
# calls incorrect - the CAPsMAN-created interfaces are attached through the
# CAP's bridge= setting (see /interface wireless cap), not through static ports.
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# Only the bridge is in LAN; vlan10 is in neither list, so every rule keyed on
# in-interface-list=LAN treats guest traffic as "not LAN".
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless cap
# NOTE(review): no bridge= here, so the CAP has no bridge to attach its
# CAPsMAN-created interfaces to; the accepted reply sets bridge=bridge.
# caps-man-addresses=127.0.0.1 means this router is its own CAPsMAN, which is
# why the loopback accept rule exists in /ip firewall filter.
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.0.0.1/24 interface=vlan10 network=10.0.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
# Guests are handed an external resolver rather than the router's own DNS.
add address=10.0.0.0/24 dns-server=8.8.8.8 gateway=10.0.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Needed because the CAP talks to the local CAPsMAN over 127.0.0.1.
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): vlan10 is not in the LAN list, so this rule also drops guest
# traffic addressed to the router itself (router-hosted DNS, WinBox, ...),
# consistent with the guest DHCP network pointing at 8.8.8.8 - confirm intended.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# NOTE(review): the forward chain has no rule between vlan10 and the main LAN,
# so routed guest<->main traffic is accepted by the default policy (item #5 in
# the reply below). To isolate guests, add a forward drop for connection-state=new
# with in-interface=vlan10 and dst-address=192.168.88.0/24 after the
# established/related accept rule.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Rome
/system routerboard settings
set auto-upgrade=yes cpu-frequency=750MHz
/tool mac-server
# MAC-level access (mac-telnet / mac-winbox) is limited to the LAN list, i.e.
# the bridge only; the guest vlan10 interface is not included.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] > 
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: CAPsMAN and VLAN for guests  [SOLVED]

Sat Jan 21, 2023 11:46 pm

You haven't specified which bridge the CAP should attach interfaces to; the main wireless network only works because the wireless interfaces are (incorrectly) added to the bridge as static ports.

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
# Quoted from the original export: wlan1/wlan2 as static bridge ports is the
# part called out as incorrect above - CAPsMAN attaches its own interfaces.
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2

/interface wireless cap
# bridge=bridge added: tells the CAP which bridge to attach the
# CAPsMAN-created interfaces to (the original line had no bridge= at all).
set bridge=bridge caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
 
massinia
Member Candidate
Topic Author
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: CAPsMAN and VLAN for guests

Sun Jan 22, 2023 10:37 am

Thanks, it works perfectly!
I have read many guides with wrong setups; without your help I would not have succeeded.

I also had to disable VLAN Filtering for the bridge.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: CAPsMAN and VLAN for guests

Sun Jan 22, 2023 3:11 pm

I have read many guides with wrong setups, without your help I would not have succeeded.
Unfortunately, many third-party guides and videos are incomplete or just wrong, often using outdated methods that do not apply to newer firmware releases. The official MikroTik help pages and the old wiki provide basic skeleton examples of many things, but not step-by-step guides.

I also had to disable VLAN Filtering for the bridge.
That effectively turns the bridge into an unmanaged switch, so tagged guest VLAN traffic appears on all ports. Another look through your config shows the bridge VLAN configuration is incomplete: to use VLAN filtering in your setup you also need

/interface bridge vlan
# Make the bridge itself (the CPU port) a tagged member of VLAN 10, so that
# frames tagged 10 are handed to the vlan10 /interface vlan on the router.
add bridge=bridge tagged=bridge vlan-ids=10


so that the tagged guest traffic reaches the /interface vlan interface.
 
massinia
Member Candidate
Topic Author
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: CAPsMAN and VLAN for guests

Sun Jan 22, 2023 4:02 pm

That effectively turns the bridge into an unmanaged switch so tagged guest VLAN traffic appears on all ports.
Another look through your config shows the bridge VLAN configuration is incomplete: to use VLAN filtering in your setup you also need

/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=10
Now I get it! :D
Now I have also re-enabled VLAN filtering on the bridge.
You also helped me understand the VLANs too :lol:

One last thing and then I won't disturb anymore...

All cAPs in the main network are in local forwarding mode; is it normal that wireless clients cannot communicate with each other when they are connected to different cAPs?
In practice, clients of CAP_1 can't see clients of CAP_2 and vice versa.
Image

It is exactly what I need; I just want to understand whether what I did is correct.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: CAPsMAN and VLAN for guests

Sun Jan 22, 2023 4:23 pm

The datapath.client-to-client-forwarding setting only applies to clients connected to the same CAP.

With your settings:
1. Client A and Client B connected to the same CAP with SSID 'Mikrotik' can communicate
2. Client A and Client B connected to the same CAP with SSID 'Mikrotik Guest' cannot communicate (blocked by datapath.client-to-client-forwarding=no)
3. Client A and Client B connected to different CAPs with SSID 'Mikrotik' can communicate
4. Client A and Client B connected to different CAPs with SSID 'Mikrotik Guest' can communicate
5. Client A connected with SSID 'Mikrotik', Client B connected with SSID 'Mikrotik Guest' can communicate

To block #4 you would need a bridge filter to prevent layer-2 guest VLAN packets passing between CAPs.
To block #5 you would need an IP firewall filter rule to prevent layer-3 forwarding between the main and guest networks.
 
massinia
Member Candidate
Topic Author
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: CAPsMAN and VLAN for guests

Sun Jan 22, 2023 5:08 pm

I'll do more tests!

Thanks again for your help.
