GZ15
just joined
Topic Author
Posts: 15
Joined: Thu Sep 29, 2011 10:29 pm

Wifiwave2 CAPsMAN won't provision its own Wi-Fi interfaces (hAP ax2) [SOLVED]

Tue May 16, 2023 10:47 am

This thread is solved, see solution at the bottom.

-----

Hi,

I am trying to set up two hAP ax2 APs via CAPsMAN.
I have followed the Wiki and to some extent also mirrored the previous configurations I did with "legacy" CAPsMAN (with several working deployments).

The issue I have is that one of the APs (which also acts as the router for the network) won't provision its own Wi-Fi interfaces. In WinBox I can see that the interfaces are indeed recognized by CAPsMAN but won't get any SSID.
The other AP (standalone) gets provisioned just fine.

I tried setting up provisioning rules in a generic way (without a specific MAC address) which provisions the standalone AP just fine. Adding specific rules for the MAC addresses of the Wi-Fi Interfaces on the router didn't help.

I have also tried disabling the firewall just to make sure nothing is getting in the way of local provisioning, that didn't help either though.

Any idea what might be wrong?

Both APs have RouterOS 7.9 installed.

The configs of the router / AP:

/interface/wifiwave2/export 
# may/16/2023 09:33:18 by RouterOS 7.9
# software id = NV1W-R82C
#
# model = C52iG-5HaxD2HaxD
/interface wifiwave2
# managed by CAPsMAN
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no
/interface wifiwave2 datapath
add bridge=bridge-internal client-isolation=no disabled=no interface-list=LAN name=datapath-internal
add bridge=bridge-guests client-isolation=yes disabled=no interface-list=LAN name=datapath-guests
/interface wifiwave2 security
add authentication-types=wpa2-psk disabled=no name=security-internal
add authentication-types=wpa2-psk disabled=no name=security-guests
/interface wifiwave2 configuration
add country=Czech datapath=datapath-internal disabled=no mode=ap name=config-internal security=security-internal ssid=CompanyName
add country=Czech datapath=datapath-guests disabled=no mode=ap name=config-guests security=security-guests ssid=CompanyName-Guests
/interface wifiwave2
add configuration=config-internal disabled=no name=cap-wifi1
add configuration=config-guests disabled=no mac-address=XX:XX:XX:XX:XX:X1 master-interface=cap-wifi1 name=cap-wifi2
add configuration=config-internal disabled=no name=cap-wifi3
add configuration=config-guests disabled=no mac-address=XX:XX:XX:XX:XX:X2 master-interface=cap-wifi3 name=cap-wifi4
/interface wifiwave2 cap
set caps-man-addresses=127.0.0.1 enabled=yes
/interface wifiwave2 capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-enabled disabled=no master-configuration=config-internal slave-configurations=config-guests
add action=create-enabled disabled=yes master-configuration=config-internal radio-mac=YY:YY:YY:YY:YY:Y1 slave-configurations=config-guests
add action=create-enabled disabled=yes master-configuration=config-internal radio-mac=YY:YY:YY:YY:YY:Y2 slave-configurations=config-guests

Let me know if I can provide more info / exports.

Any help is appreciated.

Thanks!

-----

Notes:
1) XX:XX:XX:XX:XX:X1 and XX:XX:XX:XX:XX:X2 are MAC addresses of the standalone AP Wi-Fi interfaces
2) YY:YY:YY:YY:YY:Y1 and YY:YY:YY:YY:YY:Y2 are MAC addresses of the main router / AP Wi-Fi Interfaces (i.e. those which are not being provisioned)
Last edited by GZ15 on Tue May 23, 2023 10:17 am, edited 2 times in total.
 
erlinden
Forum Guru
Posts: 1920
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Wifiwave2 CAPsMAN won't provision its own Wi-Fi interfaces (hAP ax2)

Tue May 16, 2023 11:23 am

Can you share the config as well? Especially the firewall part.
 
GZ15
just joined
Topic Author
Posts: 15
Joined: Thu Sep 29, 2011 10:29 pm

Re: Wifiwave2 CAPsMAN won't provision its own Wi-Fi interfaces (hAP ax2)

Tue May 16, 2023 12:22 pm

The entire config is pretty much the RouterOS 7.8 default, at least with regard to the firewall.

Here it is:
/export                     
# may/16/2023 11:16:32 by RouterOS 7.9
# software id = NV1W-R82C
#
# model = C52iG-5HaxD2HaxD
/interface bridge
add name=bridge-guests
add admin-mac=ZZ:ZZ:ZZ:ZZ:ZZ:ZZ auto-mac=no name=bridge-internal
/interface wifiwave2
# managed by CAPsMAN
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 datapath
add bridge=bridge-internal client-isolation=no disabled=no interface-list=LAN name=datapath-internal
add bridge=bridge-guests client-isolation=yes disabled=no interface-list=LAN name=datapath-guests
/interface wifiwave2 security
add authentication-types=wpa2-psk disabled=no name=security-internal
add authentication-types=wpa2-psk disabled=no name=security-guests
/interface wifiwave2 configuration
add country=Czech datapath=datapath-internal disabled=no mode=ap name=config-internal security=security-internal ssid=CompanyName
add country=Czech datapath=datapath-guests disabled=no mode=ap name=config-guests security=security-guests ssid=CompanyName-Guests
/interface wifiwave2
add configuration=config-internal disabled=no name=cap-wifi1
add configuration=config-guests disabled=no mac-address=XX:XX:XX:XX:XX:X1 master-interface=cap-wifi1 name=cap-wifi2
add configuration=config-internal disabled=no name=cap-wifi3
add configuration=config-guests disabled=no mac-address=XX:XX:XX:XX:XX:X2 master-interface=cap-wifi3 name=cap-wifi4
/ip pool
add name=pool-internal ranges=192.168.170.100-192.168.170.200
add name=pool-guests ranges=172.18.18.100-172.18.18.199
/ip dhcp-server
add address-pool=pool-internal interface=bridge-internal lease-time=10m name=dhcp-server-internal
add address-pool=pool-guests interface=bridge-guests lease-time=10m name=dhcp-server-guests
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-internal comment=defconf interface=ether2
add bridge=bridge-internal comment=defconf interface=ether3
add bridge=bridge-internal comment=defconf interface=ether4
add bridge=bridge-internal comment=defconf interface=ether5
add bridge=bridge-internal interface=*6
add bridge=bridge-internal interface=*7
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set max-neighbor-entries=15360
/interface list member
add comment=defconf interface=bridge-internal list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge-guests list=LAN
/interface wifiwave2 cap
set caps-man-addresses=127.0.0.1 enabled=yes
/interface wifiwave2 capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-enabled disabled=no master-configuration=config-internal slave-configurations=config-guests
add action=create-enabled disabled=yes master-configuration=config-internal radio-mac=YY:YY:YY:YY:YY:Y1 slave-configurations=config-guests
add action=create-enabled disabled=yes master-configuration=config-internal radio-mac=YY:YY:YY:YY:YY:Y2 slave-configurations=config-guests
/ip address
add address=192.168.170.1/24 comment=defconf interface=bridge-internal network=192.168.170.0
add address=172.18.18.1/24 interface=bridge-guests network=172.18.18.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=172.18.18.0/24 dns-server=172.18.18.1 gateway=172.18.18.1
add address=192.168.170.0/24 comment=defconf dns-server=192.168.170.1 gateway=192.168.170.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.170.0/24 list=range_internal
add address=172.18.18.0/24 list=range_guests
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=reject chain=forward comment="Drop traffic from guest network" dst-address-list=range_internal reject-with=icmp-admin-prohibited src-address-list=range_guests
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set winbox port=58291
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=2a07:b242:1000:1100::/56 comment="Viktor Hubina Rychly Drat" list=admins
add address=2a02:8304:29::/48 comment="Viktor Hubina WereHUB" list=admins
add address=2a03:3b40:266::/48 comment="Viktor Hubina vpsFree tunel" list=admins
add address=2001:470:598c::/48 comment="Viktor Hubina HE doma" list=admins
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=CompanyName-router
/system logging
add topics=caps
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp.nic.cz
add address=tik.cesnet.cz
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thanks!
 
GZ15
just joined
Topic Author
Posts: 15
Joined: Thu Sep 29, 2011 10:29 pm

Re: Wifiwave2 CAPsMAN won't provision its own Wi-Fi interfaces (hAP ax2)

Thu May 18, 2023 2:21 pm

Hi, any ideas where to go from here?

Thanks
 
theijma
just joined
Posts: 2
Joined: Thu May 18, 2023 7:14 pm

Re: Wifiwave2 CAPsMAN won't provision its own Wi-Fi interfaces (hAP ax2)

Thu May 18, 2023 7:18 pm

Hi,

Just had the same issue, but on a hAP ac³. With me the interfaces were provisioned by issuing the following command:

/interface/wifiwave2/radio/provision [find local=yes]

Provisioning the CAP wasn't doing anything, but directly provisioning the radios worked for me.
 
GZ15
just joined
Topic Author
Posts: 15
Joined: Thu Sep 29, 2011 10:29 pm

Re: Wifiwave2 CAPsMAN won't provision its own Wi-Fi interfaces (hAP ax2)

Sat May 20, 2023 11:01 am

Hi theijma,

thanks for your reply. It seems to have worked, though it's still a bit confusing to me as forcefully provisioning the interfaces does the following:

1) Creates 2 more interfaces, i.e. 2x2 = 4 in total; two for 2 GHz and two for 5 GHz (both internal and guests)
2) Removes the "Manager" value from all the wireless interfaces
3) Manually sets the Configuration to "config-internal" and "config-guests" respectively
4) Does not show "Managed by CAPsMAN" on any of the interfaces

While for this particular client it does not really matter, I wonder if this setup is "true CAPsMAN" in the sense that you get all the centrally managed features, most notably the seamless transition between APs.

I have also filled out a support ticket with MikroTik and I'll update here if I get any response.

Thanks!
 
theijma
just joined
Posts: 2
Joined: Thu May 18, 2023 7:14 pm

Re: Wifiwave2 CAPsMAN won't provision its own Wi-Fi interfaces (hAP ax2)

Sat May 20, 2023 11:13 am

Yeah, noticed all the differences as opposed to a 'true CAP' configuration yesterday as well. Didn't notice any downsides yet though. So it works for me.

Very curious what MikroTik's reply will be. Thanks for sharing.
 
GZ15
just joined
Topic Author
Posts: 15
Joined: Thu Sep 29, 2011 10:29 pm

Re: Wifiwave2 CAPsMAN won't provision its own Wi-Fi interfaces (hAP ax2) [SOLVED]

Tue May 23, 2023 10:16 am

Hi theijma and everyone else stumbling upon this thread,

so I have received a response from MikroTik support essentially confirming that the manual provisioning is the way to go.

tl;dr:
  • CAPsMAN server device won't manage its own interfaces (i.e. you won't see the red "Managed by CAPsMAN" text above the interfaces)
  • You can manually provision the interfaces on a CAPsMAN server device.

To cite:
You can press provision under radio rules, and the local interface will get provisioned with the configuration defined in the provisioning rule, if there is a matching rule. Or you can set the configuration on local interfaces manually - to use the same configuration profile, as remote CAPs do.

This will give you the same configuration as if the interface was managed by CAPsMAN. CAPsMAN cannot directly manage its own (local) interfaces via CAPsMAN service, but setting the same configuration profile as you would provision, will achieve the same result.
and
CAPsMAN interfaces won't have the "managed by CAPsMAN" message.

"When a device is running WifiWave2 CAPsMAN, it cannot set its own wireless interfaces as CAPs. This is a known limitation, due to how the driver works, there is a "hidden" (system level) provision rule for local interfaces, which makes them incompatible with local CAPsMAN.

Though you can just pass the same configuration manually for local WifiWave2 interfaces, as you would via provisioning rules - just use "/interface/wifiwave2/ set wifiX configuration=X", which could be argued that it is more simple to do, than configuring "/interface/wifiwave2/cap" and setting "configuration.manager" to capsman-or-local/capsman.
The end result is the same, as WifiWave2 CAP interfaces and regular WifiWave2 interfaces use the same exact system, it's not divided into separate menus as original CAPsMAN and regular wireless was."

Marking this thread as solved.
