Dual-CAPsMAN (7.13+) issues

kovacspro · Wed Feb 14, 2024 8:49 am

I'm testing Dual-CAPsMAN scenarios on the new 7.13.4 version. Based on the MikroTik official YT video, they mentioned the new and the legacy CAPsMAN can work together on a device for supporting the devices with wiif-qcom/wifi-qcom-ac and the older devices with wireless packages, in one box.
I'm faced issues with this.

CAPsMAN device
CHR 7.13.4 routeros+wireless packages, started with full empty config, 1 interface ether1

# 2024-02-14 06:45:33 by RouterOS 7.13.4
# software id = 
#
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2412 name=2GHz
/caps-man datapath
add local-forwarding=yes name=datapath1
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
/caps-man interface
add disabled=no l2mtu=1600 mac-address=XX:XX:XX:XX:XX:XX master-interface=none \
    name=cap1 radio-mac=XX:XX:XX:XX:XX:XX radio-name=XXXXXXXXXXXX
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security1
/caps-man configuration
add channel=2GHz country=hungary datapath=datapath1 distance=indoors \
    installation=indoor mode=ap name=Hedgehog2G security=security1 ssid=\
    Hedgehog2G
/disk
set slot1 slot=slot1 type=hardware
set slot2 slot=slot2 type=hardware
/interface wifi channel
add band=5ghz-ax disabled=no frequency=5180 name=5GHz width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2437 name=2GHz width=20/40mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec1
/interface wifi configuration
add channel=5GHz country=Hungary disabled=no mode=ap name=Hedgehog_5GHz \
    security=sec1 ssid=Hedgehog5Gax
add channel=2GHz country=Hungary disabled=no mode=ap name=Hedgehog_2GHz \
    security=sec1 ssid=Hedgehog2Gax
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether1
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    Hedgehog2G name-format=identity radio-mac=XX:XX:XX:XX:XX:XX
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=ether1 \
    package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
    Hedgehog_5GHz name-format=%I-5G radio-mac=XX:XX:XX:XX:XX:XX \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
    Hedgehog_2GHz name-format=%I-2G radio-mac=XX:XX:XX:XX:XX:XX \
    supported-bands=2ghz-ax
/ip address
add address=192.168.1.249/24 interface=ether1 network=192.168.1.0
/system identity
set name=chr.kp.local
/system logging
add topics=wireless,debug
/system note
set show-at-login=no

CAP1 (AX)
hAP ax3 7.13.4 routeros+wifi-qcom packages, started with full empty config
controlled by the CHR WiFi CAPsMAN (the new) - works fine, till the first cold boot, Then stop working with 'no sutiable CAPsMAN' debug log messages.

# 2024-02-14 07:42:46 by RouterOS 7.13.4
# software id = K8QE-XGVD
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = Xxx
/interface bridge
add name=bridge1
/interface wifi
# no connection to CAPsMAN
add configuration.manager=capsman .mode=ap datapath.bridge=bridge1 disabled=no radio-mac=XX:XX:XX:XX:XX:XX
# no connection to CAPsMAN
add configuration.manager=capsman .mode=ap datapath.bridge=bridge1 disabled=no radio-mac=XX:XX:XX:XX:XX:XX
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether1
/interface wifi cap
set caps-man-addresses=192.168.1.249 certificate=request discovery-interfaces=bridge1 enabled=yes lock-to-caps-man=no
/ip address
add address=192.168.1.251/24 interface=bridge1 network=192.168.1.0
/ip dns
set servers=192.168.1.252
/ip route
add gateway=192.168.1.254
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=ax3.kp.local
/system logging
add topics=caps,debug
/system note
set show-at-login=no

CAP2 (a legacy 2,4 radio)
mAP lite 7.13.4 routeros+wireless packages, started with full empty config
controlled by the CHR Wireless/CAPsMAN (legacy)
Issues: The device can request the certificate and show managed by capsman. On capsman side its showing as a RemoteCAP and the Radio is showing also.
But after I provision a config I see that the interface restarts so getting the information from the CAPsMAN but shows empty SSID and capsman forwarding even thoug I've set local-forwading datapath. And the device doesn't advertise any SSID.

# 2024-02-14 15:29:02 by RouterOS 7.13.4
# software id = 0FL5-52KG
#
# model = RBmAPL-2nD
# serial number = CF290C430EA8
/interface bridge
add name=bridge1 port-cost-mode=short
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(18dBm), SSID: Hedgehog2G, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridge1 interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=wlan1
/interface wireless cap
# 
set bridge=bridge1 caps-man-addresses=192.168.1.249 certificate=request discovery-interfaces=bridge1 enabled=yes \
    interfaces=wlan1 lock-to-caps-man=yes
/ip address
add address=192.168.1.248/24 interface=bridge1 network=192.168.1.0
/ip dns
set servers=192.168.1.252
/ip route
add gateway=192.168.1.254
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=map.kp.local
/system note
set show-at-login=no

The certificates are fine.

Wed Feb 14, 2024 11:56 am

When setting up dual capsman environments, it is recommended to clear all certificates related to capsman.
Have you already tried that ?

kovacspro · Wed Feb 14, 2024 12:17 pm

Yes.
I built this test environment from resetted, 'no defaults' state. I also tried to remove all certs (old and new capsmane related too) and generate new ones again and again in different order but no effect...
I have been testing. If I reboot the CHR with a working CAPsMANv2 with enabled legacy CAPsMAN, then the AX lost the connection and starting 'no suitable capsman' logs when the CHR started again too.
Then I disable the legacy CAPsMAN and reboot both device, the CAP1 (ax) started working again.

It seems the CAP1 try to connect the legacy one, not the new one, even though I checked 'Lock to capsman'. I tried without locking, no difference.

Wed Feb 14, 2024 12:32 pm

I have a dual test setup at home (using Hex, AX2 and mAP).
Will check this evening if I can see potential issues.

kovacspro · Wed Feb 14, 2024 12:38 pm

I have a dual test setup at home (using Hex, AX2 and mAP).
Will check this evening if I can see potential issues.

Thanks!

kovacspro · Wed Feb 14, 2024 5:57 pm

UPDATE: If I put CAP2 (mAP lite legacy 2,4GHz) into CAP mode from reset configuration, it starts working with the provisioned config from CHR's legacy capsman.
The other issue still there.

Ca6ko · Wed Feb 14, 2024 6:35 pm

I understand correctly that you have configured 2 old Capsman one on CHR the other on mAP lite.
PS. After resetting to CAP mode, the second capsman was deleted

In this case on CAP ax manager search is enabled on the interface and not by IP address? (When interface search is enabled, IP search does not work. Leave the interface field blank)
/interface wifi cap
set caps-man-addresses=192.168.1.249 certificate=request discovery-interfaces=bridge1 enabled=yes lock-to-caps-man=no

On CHR, Capsman is blocked on all interfaces, what is allowed after on ether1 is irrelevant the rules work from top to bottom.
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether1

There may be other problems
Check if the radio MAC is the same as CAP ax or better yet try to put all zeros.
On CHR,
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
Hedgehog_5GHz name-format=%I-5G radio-mac=XX:XX:XX:XX:XX:XX \
supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
Hedgehog_2GHz name-format=%I-2G radio-mac=XX:XX:XX:XX:XX:XX \
supported-bands=2ghz-ax

kovacspro · Wed Feb 14, 2024 7:45 pm

I understand correctly that you have configured 2 old Capsman one on CHR the other on mAP lite.
PS. After resetting to CAP mode, the second capsman was deleted

In this case on CAP ax manager search is enabled on the interface and not by IP address? (When interface search is enabled, IP search does not work. Leave the interface field blank)
/interface wifi cap
set caps-man-addresses=192.168.1.249 certificate=request discovery-interfaces=bridge1 enabled=yes lock-to-caps-man=no

On CHR, Capsman is blocked on all interfaces, what is allowed after on ether1 is irrelevant the rules work from top to bottom.
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether1

There may be other problems
Check if the radio MAC is the same as CAP ax or better yet try to put all zeros.
On CHR,
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
Hedgehog_5GHz name-format=%I-5G radio-mac=XX:XX:XX:XX:XX:XX \
supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
Hedgehog_2GHz name-format=%I-2G radio-mac=XX:XX:XX:XX:XX:XX \
supported-bands=2ghz-ax

Not exactly. I run old CAPsMAN and new on the CHR also. That's why it's a dual-capsman config.
hAP ax3 and mAP lite devices the CAPs.

On CHR in old CAPsMAN (Wireless\CAPsMAN) the 'forbid=yes' at the top is mistake, yeah. But its strange because now the mAP lite works fine, got the config from CHR. Strange...

kovacspro · Wed Feb 14, 2024 7:49 pm

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
Hedgehog_5GHz name-format=%I-5G radio-mac=XX:XX:XX:XX:XX:XX \
supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
Hedgehog_2GHz name-format=%I-2G radio-mac=XX:XX:XX:XX:XX:XX \
supported-bands=2ghz-ax

MAC addresses matching. I just masked out my MACs. Para...

But as I tested, I found the 00:00:00:00:00:00 doesn't work in new CAPsMAN anymore.

Wed Feb 14, 2024 7:55 pm

All zeroes MAC: you need to set the field blank

kovacspro · Wed Feb 14, 2024 8:49 pm

I checked Interfaces in old CAPsMAN and I think order doesn't matter here because no # column. I learned on MTCNA, order only matters if # is there.

Wed Feb 14, 2024 10:13 pm

I'm not seeing anything really out of the ordinary on the wave2 capsman part.
Only difference I see it that I don't use any certificates at all (don't know why I should on a completely internal LAN).
Maybe you can try that as well, if it works, you know where the problem is.

killersoft · Wed Feb 14, 2024 10:20 pm

I am running DUAL capsman at the moment to support dozens of legacy devices || AC || and new AX devices.

So far no issues on 7.13.4 as a controller.
There are some things to navigate/additions on the new wifi side of capsman world, but have now got over that hurdle.

I have 1 controller a CRS317, I use VLANs for MANAGEMENT(capsman listens to this vlan) + DATA pathing.

kovacspro · Wed Feb 14, 2024 10:24 pm

I'm not seeing anything really out of the ordinary on the wave2 capsman part.
Only difference I see it that I don't use any certificates at all (don't know why I should on a completely internal LAN).
Maybe you can try that as well, if it works, you know where the problem is.

Do you use a bridge interface as CAPsMAN listening interface? Or you select all for listening?

/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=all package-path="" require-peer-certificate=no upgrade-policy=none

Wed Feb 14, 2024 10:26 pm

Errmm ... no.
Did I mention it is a lab test setup ?

Dedicated EOIP interface between AX2 and Hex to "simulate" capsman forwarding.
Shouldn't make a difference.

/interface wifi capsman
set enabled=yes interfaces=EOIP_AX2 package-path="" require-peer-certificate=no upgrade-policy=none

kovacspro · Wed Feb 14, 2024 10:28 pm

I am running DUAL capsman at the moment to support dozens of legacy devices || AC || and new AX devices.

So far no issues on 7.13.4 as a controller.
There are some things to navigate/additions on the new wifi side of capsman world, but have now got over that hurdle.

I have 1 controller a CRS317, I use VLANs for MANAGEMENT(capsman listens to this vlan) + DATA pathing.

Good to hear that.
CAPsMAN v1 and v2 is listening on the same interface?

killersoft · Thu Feb 15, 2024 1:33 am

Yes, that is correct.
I have just one VLAN ( a management vlan I like to call it !), that both capsmans(WiFi & Wireless) on the same physical controller unit work on.

All the clients both legacy + new ax devices use that vlan to connect back on for caps management.

Dual-CAPsMAN (7.13+) issues

Dual-CAPsMAN (7.13+) issues

Re: Dual-CAPsMAN (7.13+) issues

Re: Dual-CAPsMAN (7.13+) issues

Re: Dual-CAPsMAN (7.13+) issues

Re: Dual-CAPsMAN (7.13+) issues

Re: Dual-CAPsMAN (7.13+) issues

Re: Dual-CAPsMAN (7.13+) issues

Re: Dual-CAPsMAN (7.13+) issues

Re: Dual-CAPsMAN (7.13+) issues

Re: Dual-CAPsMAN (7.13+) issues

Re: Dual-CAPsMAN (7.13+) issues

Re: Dual-CAPsMAN (7.13+) issues

Re: Dual-CAPsMAN (7.13+) issues

Re: Dual-CAPsMAN (7.13+) issues

Re: Dual-CAPsMAN (7.13+) issues

Re: Dual-CAPsMAN (7.13+) issues

Re: Dual-CAPsMAN (7.13+) issues

Who is online