HAPac3 with VLANs and QCOM-AC Capsman
Posted: Thu Jun 13, 2024 12:24 am
Hi,
I'm trying to switch my current HAPac3 + HAPac2 CAPsMAN setup from Wireless to QCOM-AC to get (amongst others) fast roaming working. I have a setup on my current system with Wireless which works and has 4 SSIDs, all going to separate VLANs. It works well, but roaming with an access rule is not nice: sometimes the switch-over simply takes too long. I read the documentation on https://help.mikrotik.com/docs/display/ ... ionexample: to get it going, but I still cannot get it to work. I executed the following script after a factory reset:
After provisioning locally I see the following appear:
So wifi2 appears twice in the interface list, and there is no sign of the configured wifi21 and wifi22.
Phone connecting to MAIN_Network gets 192.168.88.252 (normal IP range for Mikrotik) and is registered on wifi1
Phone connecting to GUEST_Network gets 192.168.88.250 (normal IP range for Mikrotik) and is registered on wifi2 (seems to be the slave interface of physical interface wifi1)
So at least the documentation is off.
After playing around in the WinBox GUI I now have this setup:
But depending on the order in which I provision the radios, I get different results:
The first print is after I provisioned radio 1 and later radio 2; the second is when I provisioned both at the same time. Now I'm wondering how I can be sure in which order these are provisioned after a reboot... I don't want random assignments to VLANs depending on the order of provisioning. I did search on the forum, but couldn't find anything yet.
Can somebody please point me to the definitive documentation on QCOM-AC in combination with CAPsMAN and Atheros8327?
I'm trying to switch my current HAPac3 + HAPac2 CAPsMAN setup from Wireless to QCOM-AC to get (amongst others) fast roaming working. I have a setup on my current system with Wireless which works and has 4 SSIDs, all going to separate VLANs. It works well, but roaming with an access rule is not nice: sometimes the switch-over simply takes too long. I read the documentation on https://help.mikrotik.com/docs/display/ ... ionexample: to get it going, but I still cannot get it to work. I executed the following script after a factory reset:
#disable 2nd Mikrotik powered off ether5
/interface ethernet poe
set ether5 poe-out=off
#rename bridge "bridge" to "br" to follow example
/interface bridge
set bridge name=br
# do not add "vlan-filtering=yes" as this is not supported by the Atheros8327 switchchip
# NOTE(review): with vlan-filtering=no the bridge does not enforce the
# /interface bridge vlan table or the pvid values set further down, so
# wireless clients land in the untagged 192.168.88.0/24 network -- which
# matches the addresses reported above. Switch-chip support normally only
# decides whether the filtering is hardware-offloaded, not whether it works;
# confirm for this model before leaving it off.
/interface vlan
add interface=br name=MAIN vlan-id=10
add interface=br name=GUEST vlan-id=20
/interface wifi datapath
# A single datapath shared by both SSIDs. CAP interfaces created from it join
# br with the bridge default pvid, so the VLAN split relies entirely on the
# static bridge-port entries at the end of this script. One datapath per SSID
# carrying its own vlan-id would tie each SSID to its VLAN independent of
# provisioning order -- verify the option on this RouterOS version.
add bridge=br name=DP_AC
/interface wifi security
# Same passphrase on MAIN and GUEST: anyone who has the guest key can also
# join MAIN, so the VLAN separation gives no isolation. Use distinct keys,
# and change the value below -- it has been posted publicly.
add authentication-types=wpa2-psk,wpa3-psk ft=yes ft-over-ds=yes name=Security_MAIN passphrase=HaveAg00dDay
add authentication-types=wpa2-psk,wpa3-psk ft=yes ft-over-ds=yes name=Security_GUEST passphrase=HaveAg00dDay
/interface wifi configuration
add datapath=DP_AC name=MAIN_AC security=Security_MAIN ssid=MAIN_Network
add datapath=DP_AC name=GUEST_AC security=Security_GUEST ssid=GUEST_Network
/ip pool
# add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254 (as it is marked as disabled in the next set of commands)
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool2 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
# add address-pool=dhcp_pool0 disabled=yes interface=br name=dhcp1
add address-pool=dhcp_pool1 interface=MAIN name=dhcp2
add address-pool=dhcp_pool2 interface=GUEST name=dhcp3
/interface bridge port
remove [ find interface=wifi1 ]
remove [ find interface=wifi2 ]
#to remove pre-existing wifi1 and wifi2 on bridge by default config
/interface bridge vlan
# Trunk VLANs 10 and 20 on ether2-ether5 and on br itself (so the MAIN/GUEST
# vlan interfaces can see them). Only takes effect once vlan-filtering=yes.
add bridge=br tagged=br,ether5,ether4,ether3,ether2 vlan-ids=20
add bridge=br tagged=br,ether5,ether4,ether3,ether2 vlan-ids=10
/interface wifi capsman
# CAPsMAN listens on br with its default settings; see the exported config
# below for whether peer certificates are required from CAPs.
set enabled=yes interfaces=br
/interface wifi provisioning
# create-dynamic-enabled recreates the CAP interfaces on every (re)provision.
# Their names appear not to be stable (see the print output below), so the
# static bridge ports keyed on wifi1/wifi2/wifi21/wifi22 further down may not
# match the interfaces that actually carry the traffic.
add action=create-dynamic-enabled master-configuration=MAIN_AC slave-configurations=GUEST_AC supported-bands=5ghz-ac
add action=create-dynamic-enabled master-configuration=MAIN_AC slave-configurations=GUEST_AC supported-bands=2ghz-n
/ip address
#add address=192.168.1.1/24 interface=br network=192.168.1.0
add address=192.168.10.1/24 interface=MAIN network=192.168.10.0
add address=192.168.20.1/24 interface=GUEST network=192.168.20.0
/ip dhcp-server network
#add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
/system identity
set name=cAP_Controller
/interface wifi
# Hand both radios to the local CAPsMAN and pre-create one static slave
# interface per radio so the bridge-port entries below have something to bind to.
set [ find default-name=wifi1 ] configuration.manager=capsman disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman disabled=no
add disabled=no master-interface=wifi1 name=wifi21
add disabled=no master-interface=wifi2 name=wifi22
#changed bridgeLocal to br as it is the same unit
/interface bridge port
# Master interfaces -> VLAN 10 (MAIN), slave interfaces -> VLAN 20 (GUEST).
# The pvid is applied only with vlan-filtering=yes on br.
add bridge=br interface=wifi1 pvid=10
add bridge=br interface=wifi21 pvid=20
add bridge=br interface=wifi2 pvid=10
add bridge=br interface=wifi22 pvid=20
/interface bridge vlan
add bridge=br untagged=wifi1,wifi2 vlan-ids=10
add bridge=br untagged=wifi21,wifi22 vlan-ids=20
/interface wifi cap
# slaves-static=yes: the CAP keeps the statically created slave interfaces
# instead of letting CAPsMAN create dynamic ones. Whether this holds for the
# dynamic provisioning action used above is what the print output below tests.
set discovery-interfaces=br enabled=yes slaves-static=yes
[admin@cAP_Controller] /interface/wifi> print
Flags: M - MASTER; B - BOUND; I - INACTIVE
Columns: NAME, MASTER-INTERFACE, CONFIGURATION.SSID
# NAME MASTER-INTERFACE CONFIGURATION.SSID
0 MB wifi1 MAIN_Network
;;; DFS channel availability check (10 min)
1 MB wifi2 MAIN_Network
2 B wifi2 wifi1 GUEST_Network
3 BI wifi3 wifi2 GUEST_Network
Phone connecting to MAIN_Network gets 192.168.88.252 (normal IP range for Mikrotik) and is registered on wifi1
Phone connecting to GUEST_Network gets 192.168.88.250 (normal IP range for Mikrotik) and is registered on wifi2 (seems to be the slave interface of physical interface wifi1)
So at least the documentation is off.
After playing around in the WinBox GUI I now have this setup:
# 2024-06-12 23:21:42 by RouterOS 7.15.1
# software id = ****-****
#
# model = RBD53iG-5HacD2HnD
# serial number = ************
/interface bridge
# Note: still vlan-filtering=no (default). The bridge vlan table and pvid
# entries below are therefore not enforced.
add admin-mac=**:**:**:**:**:E5 auto-mac=no comment=defconf name=br
add disabled=yes name=bridgeLocal
/interface ethernet
set [ find default-name=ether5 ] poe-out=off
/interface vlan
add interface=br name=GUEST vlan-id=20
add interface=br name=MAIN vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi datapath
add bridge=br name=DP_AC
/interface wifi security
# Passphrases are omitted from the export; keep distinct keys for MAIN and GUEST.
add authentication-types=wpa2-psk,wpa3-psk ft=yes ft-over-ds=yes name=\
Security_MAIN
add authentication-types=wpa2-psk,wpa3-psk ft=yes ft-over-ds=yes name=\
Security_GUEST
/interface wifi configuration
add datapath=DP_AC disabled=no name=MAIN_AC security=Security_MAIN ssid=\
MAIN_Network
add datapath=DP_AC disabled=no name=GUEST_AC security=Security_GUEST ssid=\
GUEST_Network
/interface wifi
# Radios now carry a configuration directly (configuration=MAIN_AC) and the
# slave interfaces are static, named wifi2/wifi3 here. The names differ from
# the wifi21/wifi22 used in the original script.
set [ find default-name=wifi1 ] configuration=MAIN_AC disabled=no
add configuration=GUEST_AC disabled=no mac-address=DE:2C:6E:32:CB:E9 \
master-interface=wifi1 name=wifi2
# DFS channel availability check (10 min)
set [ find default-name=wifi2 ] configuration=MAIN_AC disabled=no
add configuration=GUEST_AC disabled=no mac-address=DE:2C:6E:32:CB:EA \
master-interface=wifi2 name=wifi3
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool2 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
# The defconf server on br is still active; any port or wifi interface whose
# traffic reaches br untagged is served from 192.168.88.0/24.
add address-pool=default-dhcp interface=br name=defconf
add address-pool=dhcp_pool1 interface=MAIN name=dhcp2
add address-pool=dhcp_pool2 interface=GUEST name=dhcp3
/disk settings
# auto-smb-sharing=yes publishes any attached storage over SMB on br without
# further configuration; set it to no unless that is intended.
set auto-media-interface=br auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=br comment=defconf interface=ether2
add bridge=br comment=defconf interface=ether3
add bridge=br comment=defconf interface=ether4
add bridge=br comment=defconf interface=ether5
# *7, *D, *8, *E and *1C are unresolved interface references: the interfaces
# these ports were created for no longer exist (presumably the wifi
# interfaces from an earlier provisioning run). The current wifi1..wifi3 have
# no bridge-port entry with a pvid, so none of them is mapped to a VLAN.
# Remove these stale entries and re-add ports for the present interfaces.
add bridge=br interface=*7 pvid=10
add bridge=br interface=*D pvid=20
add bridge=br interface=*8 pvid=10
add bridge=br interface=*E pvid=20
add bridge=br interface=*1C
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=br tagged=br,ether5,ether4,ether3,ether2 vlan-ids=20
add bridge=br tagged=br,ether5,ether4,ether3,ether2 vlan-ids=10
# Same stale references as the bridge ports above.
add bridge=br untagged=*7,*8 vlan-ids=10
add bridge=br untagged=*D,*E vlan-ids=20
/interface list member
# MAIN and GUEST are not members of LAN. The input-chain rule
# "drop all not coming from LAN" below will then drop DHCP/DNS/management
# traffic arriving on those vlan interfaces -- add MAIN to LAN and give GUEST
# its own, narrower list if it should only get DHCP and DNS. Verify on the box.
add comment=defconf interface=br list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi cap
set certificate=request discovery-interfaces=br enabled=yes slaves-static=yes
/interface wifi capsman
# require-peer-certificate=no: any CAP that can reach br is accepted without
# proving its identity. Once the second unit has its certificate, consider
# setting require-peer-certificate=yes so only known CAPs are managed.
set ca-certificate=auto certificate=auto enabled=yes interfaces=br \
package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
# create-enabled (static) instead of the create-dynamic-enabled used earlier.
add action=create-enabled disabled=no master-configuration=MAIN_AC \
slave-configurations=GUEST_AC supported-bands=5ghz-ac
add action=create-enabled disabled=no master-configuration=MAIN_AC \
slave-configurations=GUEST_AC supported-bands=2ghz-n
/ip address
add address=192.168.88.1/24 comment=defconf interface=br network=192.168.88.0
add address=192.168.10.1/24 interface=MAIN network=192.168.10.0
add address=192.168.20.1/24 interface=GUEST network=192.168.20.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Default firewall only. Nothing in the forward chain separates GUEST
# (192.168.20.0/24) from MAIN (192.168.10.0/24) or 192.168.88.0/24; if the
# guest network is meant to be isolated, add a forward drop from GUEST to the
# other local subnets ahead of the accept rules, and a matching input rule
# limiting GUEST to DHCP and DNS on the router.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=cAP_Controller
/system note
set show-at-login=no
/system routerboard wps-button
# The physical WPS button is active and the wps-accept script below pushes WPS
# on every enabled AP-mode interface, the guest SSID included. Set enabled=no
# if WPS is not used.
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
p\" && disabled=no)] do={\r\
\n /interface/wifi wps-push-button \$iface;}\r\
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user group
# Least privilege: the "policy" permission in hass-group lets that account
# change user policies, which is equivalent to full admin. An integration that
# only reads state needs read (+api); drop write/policy/reboot/test unless
# the integration provably uses them. The two fail2ban groups both have write.
add name=fail2ban-group policy="ssh,read,write,!local,!telnet,!ftp,!reboot,!po\
licy,!test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api"
add name=Fail2BAN-API policy="read,write,api,!local,!telnet,!ssh,!ftp,!reboot,\
!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
add name=hass-group policy="reboot,read,write,policy,test,api,!local,!telnet,!\
ssh,!ftp,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
[admin@cAP_Controller] /interface/wifi> print
Flags: M - MASTER; B - BOUND; I - INACTIVE
Columns: NAME, MASTER-INTERFACE, CONFIGURATION.SSID
# NAME MASTER-INTERFACE CONFIGURATION.SSID
0 MB wifi1 MAIN_Network
;;; DFS channel availability check (10 min)
1 MB wifi2 MAIN_Network
2 B wifi3 wifi1 GUEST_Network
3 BI wifi4 wifi2 GUEST_Network
[admin@cAP_Controller] /interface/wifi> print
Flags: M - MASTER; B - BOUND; I - INACTIVE
Columns: NAME, MASTER-INTERFACE, CONFIGURATION.SSID
# NAME MASTER-INTERFACE CONFIGURATION.SSID
0 MB wifi1 MAIN_Network
1 B wifi2 wifi1 GUEST_Network
2 MBI wifi2 MAIN_Network
3 BI wifi3 wifi2 GUEST_Network
Can somebody please point me to the definitive documentation on QCOM-AC in combination with CAPsMAN and Atheros8327?