thn80
Frequent Visitor
Topic Author
Posts: 60
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Wifiwave2 CAPsMAN Datapath/VLAN not working

Thu Jun 01, 2023 11:06 pm

Hello,

I am trying to set up two MikroTik devices, with one device being the CAPsMAN and the other device being the CAP.
My smartphone can see the SSID and also tries to connect. However, the smartphone tries connecting for some seconds and then aborts. I strongly assume that the reason is a problem in the connection of the SSID to my VLAN 61. If I configure the CAP device to retrieve an IP via DHCP directly on VLAN 61, it works. But I think that the smartphone does not get an IP configuration (via DHCP) when it tries to connect to the SSID.

My CAPsMAN configuration:
# Exported via: /interface wifiwave2 export hide-sensitive 

/interface wifiwave2 channel
add band=2ghz-ax disabled=no name=2GHz skip-dfs-channels=10min-cac width=20/40mhz
add band=5ghz-ax disabled=no name=5GHz skip-dfs-channels=10min-cac width=20/40/80mhz

/interface wifiwave2 datapath
add bridge=bridge_primary disabled=no name=VLAN_GUESTS vlan-id=61

/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp,gcmp,ccmp-256,gcmp-256 group-key-update=5m management-protection=allowed name=MySecurityTemplate wps=disable

/interface wifiwave2 configuration
add channel=2GHz country=Germany datapath=VLAN_GUESTS disabled=no mode=ap name=WiFi_2GHz security=MySecurityTemplate ssid="MySSID"
add channel=5GHz country=Germany datapath=VLAN_GUESTS disabled=no mode=ap name=WiFi_5GHz security=MySecurityTemplate ssid="MySSID"

/interface wifiwave2 capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=VLAN_20 package-path="" require-peer-certificate=no upgrade-policy=none

/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=WiFi_2GHz supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=WiFi_5GHz supported-bands=5ghz-ax

My CAP configuration:
# /interface wifiwave2 export hide-sensitive 

/interface wifiwave2
# managed by CAPsMAN
# mode: AP, SSID: MySSID, channel: 5700/ax/eeCe
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN
# mode: AP, SSID: MySSID, channel: 2427/ax/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no

/interface wifiwave2 cap
set certificate=request discovery-interfaces=VLAN_20 enabled=yes lock-to-caps-man=yes

I skipped the VLAN configuration on the bridge here, because the CAP device can successfully connect to other devices on this VLAN, only the SSID seems to not reach the VLAN.

Shouldn't the Datapath config be enough for connecting an SSID to a VLAN? :-?

/interface wifiwave2 datapath
add bridge=bridge_primary disabled=no name=VLAN_GUESTS vlan-id=61

Thanks a lot in advance,

Thomas
 
thn80
Frequent Visitor
Topic Author
Posts: 60
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Fri Jun 02, 2023 12:40 pm

Any ideas about the problem?
Do you miss some important information in my post?
 
alibloke
Frequent Visitor
Posts: 51
Joined: Fri Jun 03, 2016 12:13 am

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Fri Jun 02, 2023 1:03 pm

On your caps set the datapath to your bridge:
set datapath.bridge=[your bridge]
 
thn80
Frequent Visitor
Topic Author
Posts: 60
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Fri Jun 02, 2023 1:11 pm

> On your caps set the datapath to your bridge:
> set datapath.bridge=[your bridge]

On the CAPsMAN the datapath is part of the provisioned WiFi configuration. Is it really necessary to additionally specify it on the CAPs?
Maybe I don't get the point of CAPsMAN, but isn't its job to completely manage the WiFis on the CAPsMAN and simply provision them to the CAPs?
 
Hominidae
Member
Posts: 309
Joined: Thu Oct 19, 2017 12:50 am

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Fri Jun 02, 2023 1:32 pm

> Any ideas about the problem?
> Do you miss some important information in my post?

...are these WW2-ax or WW2-ac devices? I remember that there is a bug with WW2-ac devices and VLAN assignment via CAPsMAN (Edit: see here https://help.mikrotik.com/docs/display/ ... properties).
 
thn80
Frequent Visitor
Topic Author
Posts: 60
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Fri Jun 02, 2023 2:20 pm

> ...are these WW2-ax or WW2-ac devices? I remember that there is a bug with WW2-ac devices and VLAN assignment via CAPsMAN (Edit: see here https://help.mikrotik.com/docs/display/ ... properties).

The CAPsMAN is a RB5009 with the Wifiwave2 package installed.
The CAP is a "cAP ax".
 
alibloke
Frequent Visitor
Posts: 51
Joined: Fri Jun 03, 2016 12:13 am

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Fri Jun 02, 2023 2:38 pm

> Maybe I don't get the point of CAPsMAN, but isn't its job to completely manage the WiFis on the CAPsMAN and simply provision them to the CAPs?

Does it work?
 
thn80
Frequent Visitor
Topic Author
Posts: 60
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Fri Jun 02, 2023 2:41 pm

> Does it work?

I have to check it later today and will come back with the result. (But even if it works, I don't understand the concept of Wifiwave2 and what has to be configured where for CAPsMAN usage.)
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Fri Jun 02, 2023 2:52 pm

In broad lines:

In contrast with legacy wifi/capsman, wifiwave2 and new capsman are very intertwined, that's a fact.
But they work more or less in the same way (as opposed to legacy wifi and old capsman, completely different environments. Old capsman structure was, as far as I can see, the base for wifiwave2 and new capsman. Still with me? :lol: ).

How does it go:
You specify a configuration which needs to be used.
You can choose to isolate channel and security settings etc. in the separate tabs but be aware left tabs have preference over settings on the right side.
So if you set a security setting in configuration tab, it will not be taken anymore from security tab.

Then:
For dedicated ap, you assign that configuration to the interface. Be aware 2.4GHz and 5GHz interfaces require different settings ! (frequency, band, ...)
For capsman, you first need to enable the function on the controller. And the AP needs to be in CAPS mode so it will request config from the controller.
And then you assign the same configuration to the radio. Not the physical interface, but the radio which will announce itself to be controlled by capsman.

Sounds complicated but once you do it a couple of times, it is very logical (to me, it is :lol: ).
Again, very high level and a lot of things deeper in which can be tweaked further.
 
thn80
Frequent Visitor
Topic Author
Posts: 60
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Fri Jun 02, 2023 11:50 pm

> Does it work?

I have tried it and got it working via the following steps:
  • In datapath of the CAP set the bridge to my bridge (but not set the VLAN-ID in the same menu, otherwise the WiFi client will only see the tagged VLAN)
  • Add the WiFi interface on the CAP to Bridge/VLAN as untagged.
  • Additionally the logs showed that I ran into the "rejected, can't find PMKSA" issue. After disabling WPA3 it works.
So, thanks a lot for your help so far :-D

> Sounds complicated but once you do it a couple of times, it is very logical (to me, it is :lol: ).
> Again, very high level and a lot of things deeper in which can be tweaked further.

However, I still have some problems in understanding the benefits of CAPsMAN :cry: (even after the very detailed explanation). It is not "very logical" to me, yet (but hopefully soon 8) ).
  • Is my experience correct, that the VLAN-ID in the datapath only provides tagged VLANs to the WiFi clients and not untagged VLANs?
  • If I have to add the bridge to the datapath on the CAPs and have to add the WiFi interfaces manually to the bridge on the CAPs, what is the huge benefit of CAPsMAN? Is it more about seamless roaming instead of simple configuration at one place?
  • How can I change the WiFi interface names on the CAPsMAN? With the old Wireless (not Wifiwave2) I have seen that the interface names can be generated out of the CAP identity, some prefix, etc. Is this also possible with Wifiwave2? I cannot find how to do this in Wifiwave2, maybe I overlook something.
  • How do I have to add Slave WiFi interfaces? Has this to be done on the CAPsMAN or on the CAPs?
As you can see, I am still a bit confused about the CAPsMAN and Wifiwave2 :?

Thanks in advance,

Thomas
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Sat Jun 03, 2023 9:54 am

> • Is my experience correct, that the VLAN-ID in the datapath only provides tagged VLANs to the WiFi clients and not untagged VLANs?
> • If I have to add the bridge to the datapath on the CAPs and have to add the WiFi interfaces manually to the bridge on the CAPs, what is the huge benefit of CAPsMAN? Is it more about seamless roaming instead of simple configuration at one place?
> • How can I change the WiFi interface names on the CAPsMAN? With the old Wireless (not Wifiwave2) I have seen that the interface names can be generated out of the CAP identity, some prefix, etc. Is this also possible with Wifiwave2? I cannot find how to do this in Wifiwave2, maybe I overlook something.
> • How do I have to add Slave WiFi interfaces? Has this to be done on the CAPsMAN or on the CAPs?

The way I understood how it works:
1- VLAN id is added from wifi radio to bridge. Tagged, as far as I know. Clients will not (should not ?) see VLAN tag

2- When I toyed with those VLAN settings on wifiwave2-capsman it was 7.8-chain. At that point you had to set the CAPS bridge to disable VLAN filtering. And then it worked "out of the box via CAPSMAN".
Haven't tried anymore with 7.9 nor 7.10. One normal week, then a week holidays but I do plan to tackle that part again afterwards since I need a solution for a customer where I am installing it. VLAN or separate subnets and firewall rules.
Hopefully at that time there is a version where it will just work like it did with old capsman :D

3- Not via GUI (I haven't found it there yet), it's in CLI (also only found out this week).
See manual
https://help.mikrotik.com/docs/display/ ... ovisioning
Section Capsman Provision, setting for name-format.

4- It's Capsman
Tab Provisioning and then in the provisioning rule look at Slave Configurations, just below master, so hard to miss.
Add as many as you want with the drop-down arrow (but keep it a bit practical :lol: )
Which means you can finetune this per radio (or use regex expressions to bundle APs based on identity or so)
But you need to have created those configurations upfront and keep in mind, a slave config can not change anything on the radio from master interface.
I make slave configs only having SSID and security, nothing else, since the rest will come from master.
 
thn80
Frequent Visitor
Topic Author
Posts: 60
Joined: Tue Jan 24, 2023 8:25 pm
Location: Germany

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Sat Jun 03, 2023 11:07 am

> 2- When I toyed with those VLAN settings on wifiwave2-capsman it was 7.8-chain. At that point you had to set the CAPS bridge to disable VLAN filtering. And then it worked "out of the box via CAPSMAN".

Would it make sense to add additional bridges for the different VLANs and set them to "Disable VLAN Filtering", just to make the configuration via CAPsMAN a bit simpler? I'm just afraid that additional bridges could bring performance drawbacks with them.

> 3- Not via GUI (I haven't found it there yet), it's in CLI (also only found out this week).
> See manual
> https://help.mikrotik.com/docs/display/ ... ovisioning
> Section Capsman Provision, setting for name-format.

This seems to be another unfinished point in the new CAPsMAN :cry:
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Sat Jun 03, 2023 11:12 am

Unless you REALLY know why, only use 1 bridge.
 
washdogg87
just joined
Posts: 7
Joined: Thu Nov 14, 2019 2:58 pm

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Sun Jun 04, 2023 11:17 am

If it makes you feel any better I went on the same journey myself and ended up wondering what had happened to CAPsMAN vs the way it works with the non-wifiwave2 devices.

From what I've read, 'improvements are coming...' so hopefully I think for now we have to wait. Looking forward to it!
 
ormandj
just joined
Posts: 18
Joined: Tue Jun 15, 2021 12:25 am

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Thu Jun 15, 2023 6:37 pm

Has anybody on 7.10 figured out the 'right' way to do this? The help documentation: https://help.mikrotik.com/docs/display/ ... ionexample: (anchor link isn't working, "CAPsMAN - CAP VLAN configuration example:" is what to look for) isn't very clear. I'm not quite sure I understand adding the datapath on the cap devices, then the slave-datapath setting in the cap section, when I'm defining the datapath/etc configuration on the capsman side. It does not appear to work, either way.

To be clear, I am configuring capsman on my router, which is connected to a switch, which then the caps are connected to. I want the various SSIDs on the caps to be associated with various VLAN IDs (tagged on switch port uplinked to APs). slaves-datapath has a blank description on the help site, so I have no idea what that's supposed to do.

[Edit: You have to disable bridge vlan-filtering on the caps. I did have to do the slave-datapath and the datapath definition on the caps, I have no idea why, but it appears to work with those set.]
 
carl0s
Member Candidate
Posts: 179
Joined: Thu Jun 25, 2009 7:18 pm

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Tue Sep 12, 2023 1:31 am

I can't make this work :-(

Am I supposed to do the VLAN ID in the datapath on the cap itself? And set up Bridge VLANs on the cap itself and add the wifi interfaces into the bridge on the cap itself?

Shouldn't capsman take care of the full Cap configuration?

What about on the Capsman though. Do I add the same cap interfaces into bridge vlans on there? Nothing seems to work for me anyway.

Also, the provisioning doesn't add the cap interfaces into a bridge on the capsman controller. Is that because it's not doing forwarding?

I am trying to end up with a configuration where I can plug a CAP ax into any of the bridged eth2 - eth5 ports and have a guest wifi and standard wifi come down the one cable as separate VLANs.

I can make it work with local interfaces on the Capsman controller (hap AX2), but not the cap.
 
carl0s
Member Candidate
Posts: 179
Joined: Thu Jun 25, 2009 7:18 pm

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Tue Sep 12, 2023 2:58 am

Hmm, I got it working.

Seems that on the CAP, you have to make sure you create the datapath and add it to bridge, but without specifying VLAN.
Create another datapath for slave config for other vlan/guest wifi, add to the same bridge, again no need to specify actual VLAN ID
Turn off vlan filtering on the CAP bridge, don't put in any VLAN configuration on the CAP bridge.

Since I am using the Capsman as the main router with DHCP, I have to add the VLAN Interfaces into the lan-bridge on the capsman.
On capsman bridge>vlan, create an entry for my two VLANs (one entry for both VLANs will do), add each of the LAN ports that the caps devices might be plugged in to, into the tagged list, and also either the bridge itself, or just the VLAN interfaces. Edit: Actually, no, it seems I have to add the lan-bridge or the slave/guest doesn't get DHCP. Seems weird but it works. Adding the VLAN Interfaces and physical LAN ports isn't enough.

Confirm in the bridge > hosts tab on capsman that the wifi client device is showing there with the correct VLAN ID.

I'm still a bit sketchy with this but I will spend more time trying to learn it.
 
gigabyte091
Forum Guru
Posts: 1154
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Tue Sep 12, 2023 6:05 am

Only place where I defined datapath is on CAPsMAN controller, I never touched CAPs or any settings on them.
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Tue Sep 12, 2023 6:10 am

It does need to be there but default CAP settings should take care of it.
 
gigabyte091
Forum Guru
Posts: 1154
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Tue Sep 12, 2023 4:34 pm

I only specified datapath, created hybrid ports where untagged is management and tagged other VLANs, so I presume that everything is done by ROS.
 
carl0s
Member Candidate
Posts: 179
Joined: Thu Jun 25, 2009 7:18 pm

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Tue Sep 12, 2023 9:21 pm

What I don't really understand is why I have to add the lan-bridge itself into the list of vlan tagged interfaces.
I would have thought I would just need the ethernet interfaces, and then the virtual vlan interfaces that the DHCP server and IP address is bound to. But that doesn't work.

This works:
Note that the local WiFi interfaces, although they are in the bridge, are currently disabled while I test the CAP config.

Image

This doesn't work:
Note that the local WiFi interfaces, although they are in the bridge, are currently disabled while I test the CAP config.

Image

Full config. Note that the local WiFi interfaces, although they are in the bridge, are currently disabled while I test the CAP config.
/interface bridge
add admin-mac=48:A9:8A:64:FE:6E auto-mac=no \
    ingress-filtering=no name=bridge-LAN vlan-filtering=yes
/interface pppoe-client
add add-default-route=yes interface=ether1 name=pppoe-out-internet \
    use-peer-dns=yes user=username
/interface vlan
add interface=bridge-LAN name=GuestWiFi-VLAN30 vlan-id=30
add interface=bridge-LAN name=Private-WiFi-VLAN20 vlan-id=20
/interface list
add name=WAN
add name=LAN
/interface wifiwave2 datapath
add disabled=no name=Guest vlan-id=30
add disabled=no name=Private vlan-id=20
/interface wifiwave2 configuration
add country="United Kingdom" datapath=Guest disabled=no name=Guest ssid=Guest
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=Private
/interface wifiwave2 configuration
add country="United Kingdom" datapath=Private disabled=no name=Private \
    security=Private ssid=Private
/interface wifiwave2
set [ find default-name=wifi2 ] configuration=Private configuration.manager=\
    local .mode=ap name="2GHz Private"
set [ find default-name=wifi1 ] configuration=Private configuration.manager=\
    local .mode=ap name="5GHz Private"
add configuration=Private disabled=no name=cap-wifi1
add configuration=Guest disabled=no mac-address=4A:A9:8A:A2:98:4B \
    master-interface=cap-wifi1 name=cap-wifi2
add configuration=Private disabled=no name=cap-wifi3
add configuration=Guest disabled=no mac-address=4A:A9:8A:A2:98:4C \
    master-interface=cap-wifi3 name=cap-wifi4
add configuration=Guest configuration.mode=ap mac-address=4A:A9:8A:64:FE:73 \
    master-interface="2GHz Private" name="2GHz Guest"
add configuration=Guest configuration.mode=ap mac-address=4A:A9:8A:64:FE:72 \
    master-interface="5GHz Private" name="5GHz Guest"
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=Private-Pool ranges=192.168.98.11-192.168.98.200
add name=Guest-Pool ranges=192.168.99.11-192.168.99.200
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-LAN lease-time=10m name=\
    defconf
add address-pool=Private-Pool interface=Private-WiFi-VLAN20 lease-time=10m \
    name=Private-DHCP
add address-pool=Guest-Pool interface=GuestWiFi-VLAN30 lease-time=10m name=\
    Guest-DHCP
/interface bridge port
add bridge=bridge-LAN interface=ether2
add bridge=bridge-LAN interface=ether3
add bridge=bridge-LAN interface=ether4
add bridge=bridge-LAN interface=ether5
add bridge=bridge-LAN interface="5GHz Private"
add bridge=bridge-LAN interface="2GHz Guest"
add bridge=bridge-LAN interface="5GHz Guest"
add bridge=bridge-LAN interface="2GHz Private"
add bridge=bridge-LAN interface=ether1
add bridge=bridge-LAN interface=Private-WiFi-VLAN20
add bridge=bridge-LAN interface=GuestWiFi-VLAN30
/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether1,ether2,ether3,ether4,ether5 \
    vlan-ids=20,30
/interface list member
add interface=bridge-LAN list=LAN
add interface=ether1 list=WAN
add interface=pppoe-out-internet list=WAN
/interface wifiwave2 cap
set caps-man-addresses=127.0.0.1 discovery-interfaces=all
/interface wifiwave2 capsman
set enabled=yes interfaces=bridge-LAN package-path="" \
    require-peer-certificate=no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-enabled disabled=no master-configuration=Private \
    slave-configurations=Guest
/ip address
add address=192.168.88.1/24 interface=bridge-LAN network=\
    192.168.88.0
add address=192.168.99.1/24 interface=GuestWiFi-VLAN30 network=192.168.99.0
add address=192.168.98.1/24 interface=Private-WiFi-VLAN20 network=\
    192.168.98.0
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=\
    192.168.88.1
add address=192.168.98.0/24 dns-server=8.8.8.8 gateway=192.168.98.1
add address=192.168.99.0/24 dns-server=8.8.8.8 gateway=192.168.99.1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
Last edited by carl0s on Tue Sep 12, 2023 9:28 pm, edited 3 times in total.
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Tue Sep 12, 2023 9:25 pm

What I think:
because your virtual VLAN interfaces are attached to bridge.
How else would you be able to get there ? You need to pass that bridge before you can get to the virtual interface.
Curious to know what others will say about it.
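
Added example (not part of any post in this thread, and not MikroTik code): a Python check over a RouterOS export for the condition discussed in the two posts above, namely that with vlan-filtering=yes the bridge itself has to be a tagged member of every VLAN whose VLAN interface sits on it. The sample exports are constructed from the names in carl0s's config; the helper names and the assumption that the CAPsMAN box is also the router terminating the VLANs are assumptions of this example.

```python
import shlex

# Constructed sample: names taken from the config posted above, reduced to the
# relevant menus, with the bridge itself left out of the tagged list.
BROKEN_EXPORT = r"""
/interface bridge
add name=bridge-LAN vlan-filtering=yes
/interface vlan
add interface=bridge-LAN name=GuestWiFi-VLAN30 vlan-id=30
add interface=bridge-LAN name=Private-WiFi-VLAN20 vlan-id=20
/interface wifiwave2 datapath
add disabled=no name=Guest vlan-id=30
add disabled=no name=Private vlan-id=20
/interface bridge vlan
add bridge=bridge-LAN tagged=ether2,ether3,ether4,ether5 \
    vlan-ids=20,30
"""
# Same constructed export with bridge-LAN added to the tagged members.
WORKING_EXPORT = BROKEN_EXPORT.replace("tagged=ether2", "tagged=bridge-LAN,ether2")


def parse_export(text):
    """Return {menu path: [property dict of each 'add' line]}."""
    lines, buf = [], ""
    for raw in text.splitlines():
        piece = raw.strip()
        if piece.endswith("\\"):      # export wraps long lines with a backslash
            buf += piece[:-1]
            continue
        lines.append(buf + piece)
        buf = ""
    menus, path = {}, None
    for line in lines:
        if line.startswith("/"):
            path = line
        elif path and line.startswith("add "):
            tokens = shlex.split(line)[1:]          # honours "quoted values"
            props = dict(t.split("=", 1) for t in tokens if "=" in t)
            menus.setdefault(path, []).append(props)
    return menus


def expand_ids(spec):
    """'20,30' or '10-12' -> {20, 30} or {10, 11, 12}."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def check_vlans(text):
    """List VLANs whose traffic cannot reach the VLAN interface on the bridge."""
    menus = parse_export(text)
    filtering = {b["name"] for b in menus.get("/interface bridge", [])
                 if b.get("vlan-filtering") == "yes"}
    # (bridge, vlan id) -> tagged members from the bridge VLAN table
    tagged = {}
    for row in menus.get("/interface bridge vlan", []):
        members = set(filter(None, row.get("tagged", "").split(",")))
        for vid in expand_ids(row.get("vlan-ids", "")):
            tagged.setdefault((row["bridge"], vid), set()).update(members)

    findings = []
    vlan_ifs = menus.get("/interface vlan", [])
    for vif in vlan_ifs:
        bridge, vid = vif["interface"], int(vif["vlan-id"])
        if bridge not in filtering:
            continue  # without vlan-filtering the bridge VLAN table is not enforced
        members = tagged.get((bridge, vid))
        if members is None:
            findings.append(f"vlan {vid}: no /interface bridge vlan entry on {bridge}")
        elif bridge not in members:
            findings.append(f"vlan {vid}: {bridge} is not a tagged member, "
                            f"so {vif['name']} receives no frames")

    # Datapath VLAN ids that nothing on this router terminates (assumes the
    # controller is also the router/DHCP server, as in the posted config).
    terminated = {int(v["vlan-id"]) for v in vlan_ifs}
    for menu in ("/interface wifiwave2 datapath", "/interface wifi datapath"):
        for dp in menus.get(menu, []):
            if "vlan-id" in dp and int(dp["vlan-id"]) not in terminated:
                findings.append(f"datapath {dp['name']}: vlan-id {dp['vlan-id']} "
                                "has no VLAN interface here")
    return findings


if __name__ == "__main__":
    for label, export in (("broken", BROKEN_EXPORT), ("working", WORKING_EXPORT)):
        print(label, check_vlans(export) or "ok")
```

Run it against the output of `/export` on the controller; the CAPs in this thread run with VLAN filtering off, so the check is only meaningful on the device that holds the VLAN interfaces.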
 
User4011
newbie
Posts: 38
Joined: Tue Jun 29, 2021 12:36 am

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Thu Nov 23, 2023 4:07 am

> I only specified datapath, created hybrid ports where untagged is management and tagged other VLANs, so I presume that everything is done by ROS.

On CAP, on Router running CAPSMAN??

There is no official documentation to this. Mikrotik video shows just how easy it is to connect a CAP AX device to the POE of your router with Wifiwave2, configure your CAPSMAN on your router and Reset your CAP AX into Caps Mode (out of the box) and it's supposed to then magically appear in Wireless Tables > Remote Cap tab.

Well, that's a joke.

Assuming ROS 7.12 on both Router and CAP AX, please tell us in detail exactly how you managed this.
 
holvoetn
Forum Guru
Posts: 5325
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Thu Nov 23, 2023 6:26 am

In my setup:

Router: normal VLAN setup (see for reference excellent guide from pcunite).
Cap: added VLAN itf to bridge with pvid of mgmt vlan. Set cap to listen to this VLAN-itf for controller.
And that was all. No VLAN filtering activated, no ports defined, nada.

When you have a hybrid VLAN setup (=pvid 1 still being used across the board), I'm guessing you have to do nothing on cap.

Important side remark: IF you have switches in between (I do have CSS610), make sure they are passing the VLANs you need ! Or it will be no-go in any case for those VLANs.
 
gigabyte091
Forum Guru
Posts: 1154
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Wifiwave2 CAPsMAN Datapath/VLAN not working

Thu Nov 23, 2023 7:24 am

Here you go, my old setup that is working (now I use RB5009 instead of ax3) and between CAP and controller there is a CSS610 switch

CAPsMAN:
# 2023-11-23 05:13:16 by RouterOS 7.13beta1
# software id = 
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
/disk
set usb1 type=hardware
set usb2 type=hardware
add parent=usb2 partition-number=1 partition-offset=512 partition-size=\
    "62 264 442 368" type=partition
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=
set [ find default-name=ether2 ] comment=
set [ find default-name=ether3 ] comment=
set [ find default-name=ether4 ] comment=
set [ find default-name=ether5 ] comment=
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    disabled .width=20/40/80mhz comment="5 GHz" configuration.country=Croatia \
    .manager=local .mode=ap .ssid=Mikrotik mtu=1500 \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .frequency=2412 \
    .skip-dfs-channels=disabled .width=20mhz comment="2.4 GHz" \
    configuration.country=Croatia .manager=local .mode=ap .ssid=Mikrotik \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface wireguard
add comment=back-to-home-vpn listen-port=XXXXX mtu=1420 name=back-to-home-vpn
/interface veth
add address=10.10.88.250/24 comment=DNS gateway=10.10.88.1 gateway6="" name=\
    veth1-adguard
/interface vlan
add interface=bridge name=VLAN10_TEA_PC vlan-id=10
add interface=bridge name=VLAN20_SECURITY vlan-id=20
add interface=bridge name=VLAN30_IOT vlan-id=30
add interface=bridge name=VLAN40_IPTV vlan-id=40
add interface=bridge name=VLAN88_HOME vlan-id=88
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=HOME
/interface wifi configuration
add channel.band=5ghz-ax .frequency=5220 .width=20/40/80mhz country=Croatia \
    disabled=no mode=ap name=cfg1-5 security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes ssid="Gazdin WiFi"
add channel.band=2ghz-ax .frequency=2437 .width=20mhz country=Croatia \
    disabled=no mode=ap name=cfg2-2.4 security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes ssid="Gazdin WiFi"
add channel.band=2ghz-ax .frequency=2412 .width=20mhz country=Croatia \
    disabled=no mode=ap name=cfg3-2.4@2412MHz security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes ssid="Gazdin WiFi"
add channel.band=5ghz-ax .frequency=5745 .width=20/40/80mhz country=Croatia \
    disabled=no mode=ap name=cfg4-5@5745MHz security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes ssid="Gazdin WiFi"
/interface wifi
add channel.frequency=5745 comment=AP_Kat_5GHz configuration=cfg4-5@5745MHz \
    configuration.mode=ap disabled=no name=cap-wifi1 radio-mac=\
    XX:XX:XX:XX:XX:XX
add channel.frequency=2412 comment=AP_Kat_2.4GHz configuration=\
    cfg3-2.4@2412MHz configuration.mode=ap disabled=no name=cap-wifi2 \
    radio-mac=XX:XX:XX:XX:XX:XX
add channel.frequency=5220 comment=AP_Prizemlje_5GHz configuration=cfg1-5 \
    configuration.mode=ap disabled=no name=cap-wifi3 radio-mac=\
    XX:XX:XX:XX:XX:XX
add channel.frequency=2437 comment=AP_Prizemlje_2.4GHz configuration=cfg2-2.4 \
    configuration.mode=ap disabled=no name=cap-wifi4 radio-mac=\
    XX:XX:XX:XX:XX:XX
add comment=Test configuration.mode=ap .ssid=Test datapath.client-isolation=\
    no mac-address=XX:XX:XX:XX:XX:XX master-interface=cap-wifi1 name=\
    cap-wifi7 security.authentication-types=wpa2-psk,wpa3-psk
/interface wifi datapath
add bridge=bridge client-isolation=no disabled=no interface-list=LAN name=\
    datapath_VLAN30 vlan-id=30
add bridge=bridge client-isolation=no disabled=no interface-list=LAN name=\
    datapath_VLAN20 vlan-id=20
add bridge=bridge client-isolation=no disabled=no interface-list=LAN name=\
    datapath_VLAN88 vlan-id=88
/interface wifi
add comment=IoT_WiFi configuration.mode=ap .ssid=IoT datapath=datapath_VLAN30 \
    disabled=no mac-address=4A:A9:8A:C0:2E:27 master-interface=cap-wifi4 \
    name=cap-wifi5 security.authentication-types=wpa-psk,wpa2-psk
add comment=WiFi_CCTV configuration.mode=ap .ssid=WiFi_CCTV datapath=\
    datapath_VLAN20 disabled=no mac-address=XX:XX:XX:XX:XX:XX \
    master-interface=cap-wifi4 name=cap-wifi6 security.authentication-types=\
    wpa-psk,wpa2-psk
/ip pool
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.5
add name=dhcp_pool2 ranges=10.10.20.2-10.10.20.150
add name=dhcp_pool3 ranges=10.10.30.2-10.10.30.254
add name=dhcp_pool4 ranges=10.10.40.2-10.10.40.50
add name=dhcp_pool5 ranges=10.10.88.2-10.10.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLAN10_TEA_PC lease-time=1d name=\
    dhcp_VLAN10
add address-pool=dhcp_pool2 interface=VLAN20_SECURITY lease-time=1d name=\
    dhcp_VLAN20
add address-pool=dhcp_pool3 interface=VLAN30_IOT lease-time=1d name=\
    dhcp_VLAN30
add address-pool=dhcp_pool4 interface=VLAN40_IPTV lease-time=1d name=\
    dhcp_VLAN40
add address-pool=dhcp_pool5 interface=VLAN88_HOME lease-time=1d name=\
    dhcp_VLAN88
/port
set 0 name=serial0
/container
add interface=veth1-adguard logging=yes root-dir=usb2-part1 start-on-boot=yes \
    workdir=/opt/adguardhome/work
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb2-part1/pull
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 \
    internal-path-cost=10 path-cost=10 pvid=88
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 \
    internal-path-cost=10 path-cost=10 pvid=88
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi1 \
    internal-path-cost=10 path-cost=10 pvid=88
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi2 \
    internal-path-cost=10 path-cost=10 pvid=88
add bridge=bridge comment=DNS frame-types=\
    admit-only-untagged-and-priority-tagged interface=veth1-adguard \
    internal-path-cost=10 path-cost=10 pvid=88
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=15360
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=wifi1,wifi2,ether4,ether5 \
    vlan-ids=88
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether2 vlan-ids=30
add bridge=bridge tagged=bridge,ether2 vlan-ids=40
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN10_TEA_PC list=LAN
add interface=VLAN20_SECURITY list=LAN
add interface=VLAN30_IOT list=LAN
add interface=VLAN40_IPTV list=LAN
add interface=VLAN88_HOME list=LAN
add interface=VLAN88_HOME list=HOME
add interface=veth1-adguard list=LAN
add interface=*F list=LAN
add interface=*11 list=LAN
/interface wifi access-list
add action=accept allow-signal-out-of-range=30s disabled=no interface=any \
    mac-address=XX:XX:XX:XX:XX:XX signal-range=-67..0
add action=reject allow-signal-out-of-range=1s disabled=no interface=any \
    mac-address=XX:XX:XX:XX:XX:XX signal-range=-120..-68
/interface wifi capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
    no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg1-5 \
    slave-configurations=cfg4-5@5745MHz supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cfg2-2.4 \
    slave-configurations=cfg3-2.4@2412MHz supported-bands=2ghz-ax
/interface wireguard peers

/ip address
add address=10.10.10.1/24 comment="VLAN10 _TEA_PC" interface=VLAN10_TEA_PC \
    network=10.10.10.0
add address=10.10.20.1/24 comment=VLAN20_SECURITY interface=VLAN20_SECURITY \
    network=10.10.20.0
add address=10.10.30.1/24 comment=VLAN30_IOT interface=VLAN30_IOT network=\
    10.10.30.0
add address=10.10.40.1/24 comment=VLAN40_IPTV interface=VLAN40_IPTV network=\
    10.10.40.0
add address=10.10.88.1/24 comment=VLAN88_HOME interface=VLAN88_HOME network=\
    10.10.88.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease

/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.30.0/24 gateway=10.10.30.1
add address=10.10.40.0/24 gateway=10.10.40.1
add address=10.10.88.0/24 dns-server=10.10.88.250 gateway=10.10.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="Prekid prometa od VLAN10 na VLAN88" \
    in-interface=VLAN10_TEA_PC out-interface=VLAN88_HOME
add action=drop chain=forward comment="Prekid prometa od VLAN20 na VLAN88" \
    in-interface=VLAN20_SECURITY out-interface=VLAN88_HOME
add action=drop chain=forward comment="Prekid prometa od VLAN30 na VLAN88" \
    in-interface=VLAN30_IOT out-interface=VLAN88_HOME
add action=drop chain=forward comment="Prekid prometa od VLAN40 na VLAN88" \
    in-interface=VLAN40_IPTV out-interface=VLAN88_HOME
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=hAP_ax3_router
/system note
set show-at-login=no
/system package update
set channel=testing
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=HOME
/tool romon
set enabled=yes
CAP:
# 2023-11-23 05:13:51 by RouterOS 7.13beta1
# software id = 
#
# model = cAPGi-5HaxD2HaxD
# serial number = 
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridgeLocal \
    port-cost-mode=short
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: Gazdin WiFi, channel: 5220/ax/eeCe
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp \
    disabled=no
# managed by CAPsMAN
# mode: AP, SSID: Gazdin WiFi, channel: 2437/ax
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp \
    disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=cAPax_AP_Priz
/system note
set show-at-login=no
/system package update
set channel=testing
/tool romon
set enabled=yes
