 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

hAP ax² 3 Vlans at internal Atenna

Sat Apr 27, 2024 12:56 am

Hi, I try to add 5 Vlans to my hAP ax² and want to use 3 of them with the internal antenna. I am a bit confused using the templates you offer at https://help.mikrotik.com/docs/display/ ... iFiCAPsMAN.
Right now, 2 vlans work fine at Wlan (GUEST/PRIVATE)
But I can't see the IoT Net
What is wrong ?
Thanks for a detailed help to get the 3 ssid up and running. Thx in Advance
/interface bridge
add name=br vlan-filtering=yes

/interface vlan
add interface=br name=GUEST vlan-id=10
add interface=br name=IOT vlan-id=20
add interface=br name=MGMT vlan-id=1
add interface=br name=PRIVATE vlan-id=100
add interface=br name=SIP vlan-id=111

/interface list
add name=WAN
add name=LAN

/interface wifi datapath
add bridge=br disabled=no name=PRIVATE vlan-id=100
add bridge=br disabled=no name=GUEST vlan-id=10
add bridge=br disabled=no name=IOT vlan-id=20
add bridge=br name=DP_AC

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
name=Security_PRIVATE passphrase=xxxxxxxx
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
name=Security_GUEST passphrase=xxxxxxxxxxxxxxx
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
name=Security_IoT passphrase=xxxxxxxxxxx

/interface wifi configuration
add datapath=PRIVATE disabled=no name=PRIVATE security=Security_PRIVATE ssid=\
PRIVATE_Network
add datapath=GUEST name=GUEST security=Security_GUEST ssid=GUEST_Network
add datapath=IOT disabled=no name=IoT security=Security_IoT ssid=IoT_Network
add datapath=DP_AC name=PRIVATE_AC security=Security_PRIVATE ssid=\
PRIVATE_Network
add datapath=DP_AC name=GUEST_AC security=Security_GUEST ssid=GUEST_Network
add datapath=DP_AC disabled=no name=IoT_AC security=Security_IoT ssid=\
IoT_Network

/ip pool
add name=dhcp_pool-GUEST ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool-IoT ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool-Privat ranges=192.168.100.2-192.168.100.254
add name=dhcp_pool-SIP ranges=192.168.111.2-192.168.111.254
add name=dhcp_pool-MGMT ranges=10.0.0.60-10.0.0.200

/ip dhcp-server
add address-pool=dhcp_pool-MGMT interface=MGMT lease-time=1d name=dhcp-MGMT
add address-pool=dhcp_pool-Privat interface=PRIVATE lease-time=1d name=\
dhcp-PRIVATE
add address-pool=dhcp_pool-GUEST interface=GUEST lease-time=1d name=\
dhcp-GUEST
add address-pool=dhcp_pool-IoT interface=IOT lease-time=1d name=dhcp-IoT
add address-pool=dhcp_pool-SIP interface=SIP lease-time=1d name=dhcp_SIP

/interface bridge vlan
add bridge=br tagged=br untagged=wifi1,wifi2,wifi3,wifi4 vlan-ids=20
add bridge=br tagged=br untagged=wifi1,wifi2,wifi3,wifi4 vlan-ids=10
add bridge=br tagged=br untagged=wifi1,wifi2,wifi3,wifi4 vlan-ids=100

/interface list member
add interface=ether1 list=WAN
add interface=GUEST list=LAN
add interface=IOT list=LAN
add interface=PRIVATE list=LAN
add interface=MGMT list=LAN

/interface wifi cap
set discovery-interfaces=br enabled=yes slaves-static=yes
/interface wifi capsman
set enabled=yes interfaces=br
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=PRIVATE_AC \
slave-configurations=GUEST_AC,IoT_AC supported-bands=5ghz-ac
add action=create-dynamic-enabled disabled=no master-configuration=PRIVATE_AC \
slave-configurations=GUEST_AC,IoT_AC supported-bands=2ghz-n

/ip address
add address=192.168.88.1/24 interface=br network=192.168.88.0
add address=192.168.1.1/24 interface=MGMT network=192.168.1.0
add address=192.168.100.1/24 interface=PRIVATE network=192.168.100.0
add address=192.168.20.1/24 interface=IOT network=192.168.20.0
add address=192.168.10.1/24 interface=GUEST network=192.168.10.0

/ip dhcp-client
add interface=ether1

/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.123,1.1.1.1 gateway=10.0.0.1 \
netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.111.0/24 gateway=192.168.111.1
add address=192.168.100.0/24 gateway=192.168.100.1
Last edited by Jaja2000 on Sat Apr 27, 2024 9:01 pm, edited 2 times in total.
 
gigabyte091
Forum Guru
Posts: 1224
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: hAP ax² 3 Vlans at internal Atenna

Sat Apr 27, 2024 5:50 am

Is your ax2 the only AP in your network ? If yes then why are you using CAPsMAN ?

Local radio interfaces are managed locally, not via capsman, so radios on your ax2 are not configured by CAPsMAN, assuming ax2 is your CAPsMAN controller.

Second, you untagged all VLANs for all wireless interfaces. Why ?
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Sat Apr 27, 2024 5:21 pm

Thx for Reply,

I plan at least one cAP ax, which I already ordered. It should arrive on Tuesday. For that I want to use my ax2 as CAPsMAN controller.
The untagged Vlans are a mistake!
Sorry I am a newbie on WLan setup. Actually I use a hex router which I want to migrate when my internal Antenna and a cap AX is up and running.
The wlan setup is a mystery for me and blows my mind.
Thx for your support !
 
gigabyte091
Forum Guru
Posts: 1224
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: hAP ax² 3 Vlans at internal Atenna

Sat Apr 27, 2024 6:47 pm

So when your AP arrives I think it would be the best to write here what you are trying to achieve.

So how many SSIDs, VLANs etc and then we start from that.
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Sat Apr 27, 2024 8:59 pm

ok thx, as you like !
but I already have all the info in the configuration setup.
5 Vlans:
/interface vlan
add interface=br name=GUEST vlan-id=10
add interface=br name=IOT vlan-id=20
add interface=br name=MGMT vlan-id=1
add interface=br name=PRIVATE vlan-id=100
add interface=br name=SIP vlan-id=111
3 ssids (I have no idea what the DP_AC is good for. I caught that from the user guide)
/interface wifi configuration
add datapath=PRIVATE disabled=no name=PRIVATE security=Security_PRIVATE ssid=\
PRIVATE_Network
add datapath=GUEST name=GUEST security=Security_GUEST ssid=GUEST_Network
add datapath=IOT disabled=no name=IoT security=Security_IoT ssid=IoT_Network
add datapath=DP_AC name=PRIVATE_AC security=Security_PRIVATE ssid=\
PRIVATE_Network
add datapath=DP_AC name=GUEST_AC security=Security_GUEST ssid=GUEST_Network
add datapath=DP_AC disabled=no name=IoT_AC security=Security_IoT ssid=\
IoT_Network
and very easy:

PRIVATE_Network use VLAN100
GUEST_Network use VLAN10
IoT_Network use VLAN20

the other Vlans are only for eth. connection.
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Tue Apr 30, 2024 7:15 pm

the cap ac is up and running (standalone) default config is still there.
It's connected to my ax2 via eth4
Pls advise what I have to do to setup the internal and the caps wlan,
Thx in advance!
 
neki
newbie
Posts: 48
Joined: Thu Sep 07, 2023 10:20 am

Re: hAP ax² 3 Vlans at internal Atenna

Tue Apr 30, 2024 8:36 pm

First of all, are you planning to use older AC devices or newer AX? It seems like you have only AX devices but you follow AC guide, but it should work anyway...
 
gigabyte091
Forum Guru
Posts: 1224
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: hAP ax² 3 Vlans at internal Atenna

Tue Apr 30, 2024 10:03 pm

Do you have cAP ac or ax ? You mentioned ax, not ac... Anyway, if you have cAP ac you can install wifi package and use CAPsMAN v2
 
anav
Forum Guru
Posts: 19571
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ax² 3 Vlans at internal Atenna

Tue Apr 30, 2024 10:26 pm

Have fun with capsman on this one LOL......... More hair pulled out, turned grey, whilst a non-capsman config is up and running in 15 minutes. :-P
Heck i could probably do it in 10 minutes if drunk.
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Tue Apr 30, 2024 11:52 pm

now I am totally confused.
I have an ax2. First I ordered a Cap (with mips) Then I was told, that I have to use the one with the arm Cpu. So I ordered the AC one. I thought that I have to deinstall the wireless package and install the qcom package. This is maybe wrong !

Is it possible to use the ax router with the Cap AC in a good way ? Is the ax much better ?

I am confused with the syntax and numbering. Maybe I should send this one back as well and order the cAPGi-5HaxD2HaxD which should be the cAP ax.

maybe in the meantime somebody could help me to setup my ax2 in the right way. Thx for your support !
 
neki
newbie
Posts: 48
Joined: Thu Sep 07, 2023 10:20 am

Re: hAP ax² 3 Vlans at internal Atenna

Wed May 01, 2024 1:04 am

I would definitely return the AC and buy the AX one. If you have some free return policy and can afford the AX go for it. Not because of the configuration complications but because of newer technology, there is huge difference between 802.11ax and 802.11ac.

I will try to help you with the config (if anav lets me..) :lol:
 
gigabyte091
Forum Guru
Posts: 1224
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: hAP ax² 3 Vlans at internal Atenna

Wed May 01, 2024 7:11 am

@anav here doesn't like CAPsMAN :lol: I agree with neki, if possible return ac and buy ax, if not, ac will suffice.

As for preparing configuration, you have all VLANs you need ?

What I do is I prepare hybrid port, so untagged mgmt vlan and other vlans tagged.

Create datapaths for desired VLANs.

I can see you have a lot of that configured already.
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Wed May 01, 2024 11:12 am

ok, I will move to the cAp-AX . Till delivery I will set up the internal radio and Vlan. I reset all config and just installed the wifi-qcom package. The Ax2 is connected to my hex router, which is the master till the ax2 works fine. As mentioned in my earlier post, I need 5 Vlans, 3 of them are used in the wireless environment.
What will be the best way to start ?
Thx for help !
 
gigabyte091
Forum Guru
Posts: 1224
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: hAP ax² 3 Vlans at internal Atenna

Wed May 01, 2024 1:50 pm

Best way to start is to define which device will be your CAPsMAN controller.

Will it be ax2 or hex ?

When you define that then start creating VLANs and test them so you are sure you are getting IP address, you have internet connection etc.

Prepare your desired port for your CAP device. So mgmt VLAN untagged, other VLANs tagged.

Define SSIDs, passwords, channels and so on.
 
Rudios
Forum Veteran
Posts: 974
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: hAP ax² 3 Vlans at internal Atenna

Wed May 01, 2024 1:57 pm

I would do the following
Add the needed datapaths, 1 for each VLAN
/interface wifi datapath
add name=PRIVATE vlan-id=100
add name=GUEST vlan-id=10
add name=IOT vlan-id=20
Then, use these datapaths on your WiFi configuration.
No need to manually put them into the bridge afterwards
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Wed May 01, 2024 2:56 pm

Thx .. that's a good start.
Before I post the config. Some Statements and general questions.

- The hex will leave, when the ax2 is running fine. Right now the ax2 is connected via eth1 (called to-Modem) to the hex.
- I changed some Vlan IDs, because in the near future there are dhcpserver at both routers at the same No. Maybe not necessary, but it's easier for me to set it up.

Questions: I see only Wifi1 and wifi2. I can only connect one Datapath (done Private/IoT) to them . What is my misunderstanding? I add some things to
/interface wifi
/ip dhcp-server network
. But sure with missing things or other mistakes.
/interface bridge
add name=bridge1 vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name=eth1-to-Modem
set [ find default-name=ether4 ] name=eth4-to-CAP-AX
set [ find default-name=ether5 ] name=eth5-to-Switch

/interface vlan
add interface=bridge1 name=GUEST vlan-id=10
add interface=bridge1 name=IOT vlan-id=22
add interface=bridge1 name=MGMT vlan-id=1
add interface=bridge1 name=PRIVATE vlan-id=123
add interface=bridge1 name=SIP vlan-id=111

/interface list
add name=WAN
add name=LAN

/interface wifi datapath
add disabled=no name=PRIVATE vlan-id=123
add name=GUEST vlan-id=10
add name=IOT vlan-id=22

/interface wifi
set [ find default-name=wifi1 ] configuration.country=Germany .mode=ap .ssid=test-wifi1 datapath=PRIVATE disabled=no security.encryption=ccmp .passphrase=12345678
set [ find default-name=wifi2 ] configuration.country=Germany .mode=ap .ssid=test-wifi2 datapath=IOT disabled=no security.encryption=ccmp .passphrase=12345678
	
/ip pool
add name=dhcp_pool-GUEST ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool-IoT ranges=192.168.22.2-192.168.22.254
add name=dhcp_pool-Privat ranges=192.168.123.2-192.168.123.254
add name=dhcp_pool-SIP ranges=192.168.111.2-192.168.111.254
add name=dhcp_pool-MGMT ranges=10.0.0.60-10.0.0.200
/ip dhcp-server
add address-pool=dhcp_pool-MGMT interface=MGMT lease-time=1d name=dhcp-MGMT
add address-pool=dhcp_pool-Privat interface=PRIVATE lease-time=1d name=dhcp-PRIVATE
add address-pool=dhcp_pool-GUEST interface=GUEST lease-time=1d name=dhcp-GUEST
add address-pool=dhcp_pool-IoT interface=IOT lease-time=1d name=dhcp-IoT
add address-pool=dhcp_pool-SIP interface=SIP lease-time=1d name=dhcp_SIP

/interface bridge port
add bridge=bridge1 disabled=yes interface=eth1-to-Modem
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=eth4-to-CAP-AX
add bridge=bridge1 interface=eth5-to-Switch
										
/interface list member
add interface=eth1-to-Modem list=WAN
add interface=bridge1 list=LAN
			  																						 
/ip address
add address=192.168.200.1/24 interface=bridge1 network=192.168.200.0
add address=10.0.0.72/24 interface=eth1-to-Modem network=10.0.0.0
add address=192.168.1.1/24 interface=MGMT network=192.168.1.0
add address=192.168.123.1/24 interface=PRIVATE network=192.168.123.0
add address=192.168.22.1/24 interface=IOT network=192.168.22.0
add address=192.168.10.1/24 interface=GUEST network=192.168.10.0
add address=192.168.111.1/24 interface=SIP network=192.168.111.0

/ip dhcp-client
add disabled=yes interface=eth1-to-Modem

/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.123,1.1.1.1 gateway=10.0.0.1 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.22.0/24 gateway=192.168.22.1
add address=192.168.111.0/24 gateway=192.168.111.1
add address=192.168.123.0/24 gateway=192.168.123.1
					 
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
														
/system identity
set name="Mikro hAP-AX2"
Last edited by Jaja2000 on Wed May 01, 2024 5:49 pm, edited 4 times in total.
 
anav
Forum Guru
Posts: 19571
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ax² 3 Vlans at internal Atenna

Wed May 01, 2024 4:06 pm

The beauty of simplicity, no capsman, works with any MT AP, the setup remains the SAME, regardless, ac, ax etc. !!
Gigabyte, I am just jealous of your capsman skills!
 
gigabyte091
Forum Guru
Posts: 1224
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: hAP ax² 3 Vlans at internal Atenna

Wed May 01, 2024 5:56 pm

@Jaja2000

Where do you see only wifi1 and wifi2 ?

Wireless interface on CAPsMAN controller is not controlled by CAPsMAN, it's managed locally. Only remote CAPs are controlled by CAPsMAN.

Hex is working as router and ax2 is working as router ? What hex device do you have ? What do you mean until ax2 is running fine ?

Why do you want to configure devices so many times ? Just wait until cAP ax arrives.

@anav

What capsman skills ?? :lol:
 
anav
Forum Guru
Posts: 19571
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ax² 3 Vlans at internal Atenna

Wed May 01, 2024 8:42 pm

Even better the config you make without capsman on the capac is IDENTICAL to the setup for the capsman AX, minor wifi setting difference but everything else the same. Copy and paste into terminal and go!

Oh my bad, you paid for the pain misery and frustration advice..... Enjoy! :-)
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Wed May 01, 2024 10:38 pm

@gigabyte091
You ask: Where do you see only wifi1 and wifi2 ?
see
Clipboarder.2024.05.01.png

my old router is a hEX (5x Gigabit Ethernet, Dual Core 880MHz CPU, 256MB RAM, USB)
This one will be replaced by the ax2.

Because of bad experience and a little knowledge about routers, I will be absolute safe, that everything including the new wlan is working fine, before i disable the hex.
At the hex I run some Cisco APs which will be replaced

The reason, why I start now and don't wait until the delivery of the new cap is because I have to learn and understand a lot and that takes a while..... :lol:
As you can see for example in my config, I have problems with easy things like to configure the /interface wifi. I will be happy if the internal wlan works till I receive the new cAP
 
neki
newbie
Posts: 48
Joined: Thu Sep 07, 2023 10:20 am

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 2:37 am

wifi1 and wifi2 are native interfaces of your radios, wifi1 is for 5Ghz and wifi2 is for 2,4Ghz. You have to add slave interfaces. Simply click on the plus sign and then select master.
You will probably want both 5G and 2G for private and guest networks and 2G for IoT, that means that you will create one additional interface for 5G (master wifi1) and two for 2G (master wifi2). And make sure that both master interfaces have manager: local on configuration tab.
 
gigabyte091
Forum Guru
Posts: 1224
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 9:00 am

@anav,

Didn't you test CAPsMAN already ?? If my memory serves me right you did mention that you will try CAPsMAN. 8)

I think wireguard and firewall rules causes much more frustration to the user than a simple CAPsMAN :mrgreen:

@Jaja2000, @neki here gave you good advice. Good thing you want to learn. When cAP ax arrive you will set it up in no time, no matter what @anav here says. :lol: It's not that scary...
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 9:44 am

ok .. thx .. next step:
now I see the 5 ssid's, but I can't connect to them. I lose the connection after a few seconds. I think this could be a dhcp or bridging mistake. Pls advise
Here is what I have right now:
/interface bridge
add name=bridge1 vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name=eth1-to-Modem
set [ find default-name=ether4 ] name=eth4-to-CAP-AX
set [ find default-name=ether5 ] name=eth5-to-Switch

/interface vlan
add interface=bridge1 name=GUEST vlan-id=10
add interface=bridge1 name=IOT vlan-id=22
add interface=bridge1 name=MGMT vlan-id=1
add interface=bridge1 name=PRIVATE vlan-id=123
add interface=bridge1 name=SIP vlan-id=111

/interface list
add name=WAN
add name=LAN

/interface wifi datapath
add disabled=no name=PRIVATE vlan-id=123
add name=GUEST vlan-id=10
add name=IOT vlan-id=22

/interface wifi
set [ find default-name=wifi1 ] configuration.country=Germany .manager=local .mode=ap .ssid=test-wifi1 datapath=PRIVATE disabled=no security.encryption=ccmp .passphrase=12345678
set [ find default-name=wifi2 ] configuration.country=Germany .manager=local .mode=ap .ssid=test-wifi2 datapath=IOT disabled=no security.encryption=ccmp .passphrase=12345678
add configuration.mode=ap .ssid=Gast-2.4 datapath=GUEST disabled=no mac-address=4A:A9:8A:D3:A5:84 master-interface=wifi1 name=wifi3-guest-slave-2.4 security.passphrase=12345678
add configuration.mode=ap .ssid=IoT datapath=IOT disabled=no mac-address=4A:A9:8A:D3:A5:85 master-interface=wifi1 name=wifi4-IoT-slave-2.4 security.passphrase=12345678
add configuration.mode=ap .ssid=Gast-5g datapath=GUEST disabled=no mac-address=4A:A9:8A:D3:A5:86 master-interface=wifi2 name=wifi5-guest-slave-5g security.passphrase=12345678

/ip pool
add name=dhcp_pool-GUEST ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool-IoT ranges=192.168.22.2-192.168.22.254
add name=dhcp_pool-Privat ranges=192.168.123.2-192.168.123.254
add name=dhcp_pool-SIP ranges=192.168.111.2-192.168.111.254
add name=dhcp_pool-MGMT ranges=10.0.0.60-10.0.0.200

/ip dhcp-server
add address-pool=dhcp_pool-MGMT interface=MGMT lease-time=1d name=dhcp-MGMT
add address-pool=dhcp_pool-Privat interface=PRIVATE lease-time=1d name=dhcp-PRIVATE
add address-pool=dhcp_pool-GUEST interface=GUEST lease-time=1d name=dhcp-GUEST
add address-pool=dhcp_pool-IoT interface=IOT lease-time=1d name=dhcp-IoT
add address-pool=dhcp_pool-SIP interface=SIP lease-time=1d name=dhcp_SIP

/interface bridge port
add bridge=bridge1 disabled=yes interface=eth1-to-Modem
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=eth4-to-CAP-AX
add bridge=bridge1 interface=eth5-to-Switch
/interface list member
add interface=eth1-to-Modem list=WAN
add interface=bridge1 list=LAN

/ip address
add address=192.168.200.1/24 interface=bridge1 network=192.168.200.0
add address=10.0.0.72/24 interface=eth1-to-Modem network=10.0.0.0
add address=192.168.1.1/24 interface=MGMT network=192.168.1.0
add address=192.168.123.1/24 interface=PRIVATE network=192.168.123.0
add address=192.168.22.1/24 interface=IOT network=192.168.22.0
add address=192.168.10.1/24 interface=GUEST network=192.168.10.0
add address=192.168.111.1/24 interface=SIP network=192.168.111.0

/ip dhcp-client
add disabled=yes interface=eth1-to-Modem

/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.123,1.1.1.1 gateway=10.0.0.1 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.22.0/24 gateway=192.168.22.1
add address=192.168.111.0/24 gateway=192.168.111.1
add address=192.168.123.0/24 gateway=192.168.123.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
 
gigabyte091
Forum Guru
Posts: 1224
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 9:55 am

None of them works ? Did you check whether your devices are getting IP addresses assigned ?

Datapath will work for remote CAP but on local interface you should untag desired wireless interface with VLAN you need. Not sure if datapath will work with local interface.
 
neki
newbie
Posts: 48
Joined: Thu Sep 07, 2023 10:20 am

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 11:26 am

Do you have VLANs defined on the bridge?
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 11:39 am

@ gigabyte091
yes, none of them worked! A laptop at eth2 doesn't get an IP as well. Something is wrong in my DHCP setup.
I don't see any leases when I connect a device :?
I reached the ax2 in winbox via IP 10.0.0.72 ( LAN at eth1 )

@neki I have forgotten.
Now I add
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=eth5-to-Switch vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=eth5-to-Switch vlan-ids=22
add bridge=bridge1 tagged=bridge1 untagged=eth5-to-Switch vlan-ids=123
add bridge=bridge1 tagged=bridge1 untagged=eth5-to-Switch vlan-ids=111
but still the same problem

at eth5 in the future a switch will be connected. Actually all traffic should use eth1
 
neki
newbie
Posts: 48
Joined: Thu Sep 07, 2023 10:20 am

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 12:04 pm

Basically, you want end devices untagged and network devices tagged. Another thing is, that you don't have frame-types set on bridge ports. Turn off VLAN filtering on the bridge first, or you can cut yourself off and also remove/disable one of the ports from the bridge, so you can connect back over MAC if something goes wrong..

Let's say that you will connect cAP to eth4 and switch to eth5, all VLANs should be tagged on those ports and frame-types should be set to admit-only-vlan-tagged on those ports..
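
Added example, not part of any post in this thread: a small Python audit of a RouterOS export for the two bridge VLAN points raised so far (a port listed as untagged in several VLANs, and uplink ports that are neither tagged members nor set to frame-types=admit-only-vlan-tagged). POSTED is copied from the thread; ADVISED, the function names and the finding labels are constructed here, and the choice of eth4/eth5 as trunk ports is an assumption taken from the post above.

```python
import shlex
from collections import defaultdict

# Copied from the thread: the bridge ports and the VLAN table Jaja2000 posted.
POSTED = r"""
/interface bridge port
add bridge=bridge1 disabled=yes interface=eth1-to-Modem
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=eth4-to-CAP-AX
add bridge=bridge1 interface=eth5-to-Switch
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=eth5-to-Switch vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=eth5-to-Switch vlan-ids=22
add bridge=bridge1 tagged=bridge1 untagged=eth5-to-Switch vlan-ids=123
add bridge=bridge1 tagged=bridge1 untagged=eth5-to-Switch vlan-ids=111
"""

# Constructed for comparison (not from the thread): the same ports with the
# uplinks tagged in every VLAN and restricted to tagged frames.
ADVISED = r"""
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
    eth4-to-CAP-AX
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
    eth5-to-Switch
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,eth4-to-CAP-AX,eth5-to-Switch vlan-ids=10,22,111,123
"""

TRUNKS = {"eth4-to-CAP-AX", "eth5-to-Switch"}  # assumption: uplinks to cAP and switch


def parse_export(text):
    """Return {section: [properties of each 'add' line]} from an export."""
    sections, section, pending = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # export wraps long lines with a backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section:
            tokens = shlex.split(line[4:])
            sections[section].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return sections


def expand_ids(spec):
    """Turn a vlan-ids value such as '10,20-22' into a set of integers."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def audit(export, trunk_ports):
    """Return (port, finding, detail) tuples for enabled bridge ports."""
    cfg = parse_export(export)
    ports = {p["interface"]: p for p in cfg["/interface bridge port"]
             if p.get("disabled") != "yes"}
    untagged, tagged, all_vlans = defaultdict(set), defaultdict(set), set()
    for row in cfg["/interface bridge vlan"]:
        vids = expand_ids(row.get("vlan-ids", ""))
        all_vlans |= vids
        for name in filter(None, row.get("untagged", "").split(",")):
            untagged[name] |= vids
        for name in filter(None, row.get("tagged", "").split(",")):
            tagged[name] |= vids
    findings = []
    for name in sorted(ports):
        pvid = int(ports[name].get("pvid", 1))           # RouterOS default pvid is 1
        frame_types = ports[name].get("frame-types", "admit-all")
        if len(untagged[name]) > 1:
            # Frames of every listed VLAN leave this port without a tag,
            # so the VLANs are no longer separated on that link.
            findings.append((name, "MULTI_UNTAGGED", sorted(untagged[name])))
        if untagged[name] and pvid not in untagged[name]:
            # Untagged ingress is classified into pvid, not into these VLANs.
            findings.append((name, "PVID_MISMATCH", pvid))
        if name in trunk_ports:
            missing = sorted(all_vlans - tagged[name])
            if missing:
                findings.append((name, "TRUNK_NOT_TAGGED", missing))
            if frame_types != "admit-only-vlan-tagged":
                findings.append((name, "TRUNK_ADMITS_UNTAGGED", frame_types))
    return findings


if __name__ == "__main__":
    for label, export in (("posted", POSTED), ("advised", ADVISED)):
        print(label)
        for finding in audit(export, TRUNKS) or ["no findings"]:
            print("  ", finding)
```
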
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 1:41 pm

I think I understand that I have to use untagged Ports eth2,eth3. And tagged to eth4,eth5 which will be connected to the switch and the Cap in the future.
I add
add bridge=bridge1 interface=eth1-to-Modem
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
    eth4-to-CAP-AX
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
    eth5-to-Switch
and turn off the vlan Filtering as you mentioned.
eth2 and eth3 work fine now, but the devices at these ports get their IP from the hexrouter.
These steps don't change anything at my problem right now. I can't get a connection via Wlan
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1224
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 2:22 pm

Don't use datapath, simply configure SSID, security, channel and frequency. Then untag desired wifi interface to desired VLAN.
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 4:30 pm

@gigabyte091 hmm in #12 you told me that I have to setup datapath .. :?
and ..
> Then untag desired wifi interface to desired VLAN.
where can I do that ?
 
gigabyte091
Forum Guru
Posts: 1224
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 5:20 pm

And that's why I told you to wait until you have all devices to complete your setup.

Now you are not using CAPsMAN and you are using local interface of your device. So under Bridge -> Ports you will find your wifi interfaces. Open desired interface and set PVID to your desired PVID under VLAN tab.
 
anav
Forum Guru
Posts: 19571
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 5:24 pm

I was going to visit Croatia, but I am afraid I will not see any of the people. They will all be inside their houses trying to fix capsman on their home routers. Who will serve beer???
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 6:16 pm

> And that's why I told you to wait until you have all devices to complete your setup.
>
> Now you are not using CAPsMAN and you are using local interface of your device. So under Bridge -> Ports you will find your wifi interfaces. Open desired interface and set PVID to your desired PVID under VLAN tab.

It's still confusing. You can't use CapsMan for local devices and add afterwards the Caps ? Actually I have had only the eth ports at the bridge ... I added the wifi Interfaces and ... wow .. I can connect with all ssid ... but .... still no internet ... what else have I forgotten ?
Clipboarder.2024.05.02-002.png
 
neki
newbie
Posts: 48
Joined: Thu Sep 07, 2023 10:20 am

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 6:22 pm

> @gigabyte091 hmm in #12 you told me that I have to setup datapath .. :?
> and ..
> Then untag desired wifi interface to desired VLAN.
> where can I do that ?

you should use datapath, if you will use AX devices there is no problem in doing that, and it will handle the VLANs in the bridge automatically..

> I was going to visit Croatia, but I am afraid I will not see any of the people. They will all be inside their houses trying to fix capsman on their home routers. Who will serve beer???

I knew that those posts are getting monetized.. how else could you afford beer in Croatia, and even more.. served one... :lol:
 
neki
newbie
Posts: 48
Joined: Thu Sep 07, 2023 10:20 am

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 6:29 pm

what does it mean that you don't have internet? what if you try ping 1.1.1.1 or 8.8.8.8? ....if that works, it's DNS ;) probably not allowed request forwarding or how it's called...

edit:
allow-remote-requests
 
gigabyte091
Forum Guru
Posts: 1224
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 6:44 pm

CAPsMAN can't manage local wireless interfaces, only remote CAPs. Datapath will work when you connect your remote CAP but on local interface it will not work like that. I tested today just to check.

@anav, I'm sure there is a lot of potential Wireguard users that are willing to trade ice cold beer for some small configuration. But don't worry, I believe that 95% of users here in Croatia are happy with whatever ISP provide them :lol: But then... who knows... from this year our ISP must provide us with all information needed to use our own routers if we want.

@neki, depends where you go, for eg. in Dubrovnik I believe that you need to sell one of your kidneys to buy a beer :lol: :lol: But yes, everything here is getting more and more expensive so you are not far from the truth here :lol: :lol:
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 7:02 pm

that is the message at my mobile "without internet connected" very strange.
My laptop works fine in all SSids. What could be the difference in connection ?
> CAPsMAN can't manage local wireless interfaces, only remote CAPs. Datapath will work when you connect your remote CAP but on local interface it will not work like that. I tested today just to check.
i see .. so I have to learn something new then.
 
neki
newbie
Posts: 48
Joined: Thu Sep 07, 2023 10:20 am

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 7:16 pm

> CAPsMAN can't manage local wireless interfaces, only remote CAPs. Datapath will work when you connect your remote CAP but on local interface it will not work like that. I tested today just to check.
You will have to check again... 8)
ldp.png
Point is, that in datapath profile, you set up the VLAN and then you have one place where this value is set. But then you have to set locally, in configuration profile where you link the datapath profile, the bridge, this has to be done on each device, because the bridge is local for each device...
 
neki
newbie
Posts: 48
Joined: Thu Sep 07, 2023 10:20 am

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 7:23 pm

> that is the message at my mobile "without internet connected" very strange.
> My laptop works fine in all SSids. What could be the difference in connection ?
> CAPsMAN can't manage local wireless interfaces, only remote CAPs. Datapath will work when you connect your remote CAP but on local interface it will not work like that. I tested today just to check.
> i see .. so I have to learn something new then.

Try it from router itself, open terminal and ping google.com
 
gigabyte091
Forum Guru
Posts: 1224
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 7:26 pm

Hmmm... Will check it again... I've missed something then... I did set up datapath and on the remote CAP it's working, but on the local interfaces of the device running CAPsMAN, no...
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 9:07 pm

that is the message at my mobile "without internet connected" very strange.
My laptop works fine in all SSids. What could be the difference in connection ?
i see .. so I have to learn something new then.
Try it from router itself, open terminal and ping google.com
We are on the right track. I can ping all DNS servers, but I can't ping google.com
I get the message:
[Sainlogic@Mikro hAP-AX2] > ping googgle.com
invalid value for argument address:
    invalid value of mac-address, mac address required
    invalid value for argument ipv6-address
    while resolving ip-address: could not get answer from dns server
 
neki
newbie
Posts: 48
Joined: Thu Sep 07, 2023 10:20 am

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 10:01 pm

what does the DNS tab say? IP - DNS, are there any dynamic servers? Suppose that you didn't fill static one... and what about the allow remote requests?
 
jaclaz
Forum Veteran
Posts: 709
Joined: Tue Oct 03, 2023 4:21 pm

Re: hAP ax² 3 Vlans at internal Atenna

Thu May 02, 2024 10:49 pm

Try running in terminal:
/put [:resolve google.com]
 
gigabyte091
Forum Guru
Posts: 1224
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: hAP ax² 3 Vlans at internal Atenna

Fri May 03, 2024 7:39 am

CAPsMAN can't manage local wireless interfaces, only remote CAPs. Datapath will work when you connect your remote CAP but on local interface it will not work like that. I tested today just to check.
You will have to check again... 8)
Point is that in the datapath profile you set up the VLAN, and then you have one place where this value is set. But then you have to set the bridge locally, in the configuration profile where you link the datapath profile; this has to be done on each device, because the bridge is local to each device...
Still nope... Tried that and the wifi1 interface gets untagged on the default VLAN.
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Fri May 03, 2024 8:49 am

thx .. I get closer and closer. The 3 client Wifi works fine.

But the Wifi1 and Wifi2 still get no Internet Access!!

I forgot the following entry:
/ip dns
set allow-remote-requests=yes servers=10.0.0.123,8.8.8.8,1.1.1.1
That solves the problem so far.

Do I still need entries there ?
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.133,1.1.1.1,8.8.8.8 gateway=\
    10.0.0.1 netmask=24
add address=192.168.1.0/24 dns-server=10.0.0.133,8.8.8.8,1.1.1.1 gateway=\
    192.168.1.1
add address=192.168.10.0/24 dns-server=10.0.0.133,1.1.1.1,8.8.8.8 gateway=\
    192.168.10.1
add address=192.168.22.0/24 dns-server=10.0.0.133,1.1.1.1,8.8.8.8 gateway=\
    192.168.22.1
add address=192.168.111.0/24 dns-server=10.0.0.133,8.8.8.8,1.1.1.1 gateway=\
    192.168.111.1
add address=192.168.123.0/24 dns-server=10.0.0.133,8.8.8.8,1.1.1.1 gateway=\
    192.168.123.1
 
neki
newbie
Posts: 48
Joined: Thu Sep 07, 2023 10:20 am

Re: hAP ax² 3 Vlans at internal Atenna

Fri May 03, 2024 9:58 am

10.0.0.133 is some stand alone server? PiHole?
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Fri May 03, 2024 11:57 am

yes, AdGuard

UPDATE: Found the Problem
I have forgotten to delete the VLAN ID in the datapath on the wifi interfaces. This was not necessary for the clients, but the masters don't like the entry.
Sorry, I can't delete the image. I use WPA2 PSK / CCMP ... think that's fine for now.
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Fri May 03, 2024 2:20 pm

The next and last step regarding the antenna is to enable VLAN filtering, which I disabled during configuration as you advised.
What do I have to check before enabling it?
I plan to use Eth1 (to Modem ) Eth4 (to Cap) and Eth5 (to switch) as trunk ports
Eth2 should be used only to my Fritzbox (Vlan11)
Eth3 should be a service Port to admin the Router (VLAN1)
 
neki
newbie
Posts: 48
Joined: Thu Sep 07, 2023 10:20 am

Re: hAP ax² 3 Vlans at internal Atenna

Fri May 03, 2024 8:44 pm

Thing is, that with VLAN filtering off all VLAN related settings are ignored... So if you fcked up and you have all ports in the bridge you will lock yourself out. :D

I don't know how committed you are, but I would save the config now, as "partially working" and start over.. Update the OS to last stable, update firmware (System - RouterBOARD), reset to default config, save the default config and reset again without default config and set everything up step by step..

And again, I do really think that you should use datapath, in this case you probably still had VLAN untagged at the bridge (it was set at two places and there was conflict in this setup). If you use datapath, wlan interface is added dynamically as tagged and if you set same interface as untagged manually it won't like that...
With datapath you can set this at one place, otherwise you will have to set it up on each device in the network...

Edit:
Another thing... you shouldn't use VLAN 1 (if you are not using it for compatibility with other vendors...)
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Sat May 04, 2024 9:01 am

ok,

never mind. If the internal wifi works, I can set up the external afterwards with capsman, if these setups are compatible. I have to set up max 2 caps so this is to handle.

Today I try to enable the vlan Filtering. The good news, I can still access the router. The bad news. None of the Wlan Interfaces works now ! (no routing to DNS server)

/interface bridge
add name=bridge1 pvid=5 vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name=eth1-to-Modem
set [ find default-name=ether4 ] name=eth4-to-CAP-AX
set [ find default-name=ether5 ] name=eth5-to-Switch

/interface vlan
add interface=bridge1 name=GUEST vlan-id=10
add interface=bridge1 name=IOT vlan-id=22
add interface=bridge1 name=MGMT vlan-id=5
add interface=bridge1 name=PRIVATE vlan-id=123
add interface=bridge1 name=SIP vlan-id=111

/interface list
add name=WAN
add name=LAN

/ip pool
add name=dhcp_pool-GUEST ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool-IoT ranges=192.168.22.2-192.168.22.254
add name=dhcp_pool-Privat ranges=192.168.123.2-192.168.123.254
add name=dhcp_pool-SIP ranges=192.168.111.2-192.168.111.254
add name=dhcp_pool-MGMT ranges=10.0.0.60-10.0.0.200

/interface bridge port
add bridge=bridge1 interface=eth1-to-Modem pvid=5
add bridge=bridge1 interface=ether2 pvid=123
add bridge=bridge1 interface=ether3 pvid=5
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=\
    eth4-to-CAP-AX pvid=5
add bridge=bridge1 interface=eth5-to-Switch pvid=5
add bridge=bridge1 interface=wifi1-5GHz pvid=123
add bridge=bridge1 interface=wifi2-2.4GHz pvid=123
add bridge=bridge1 interface=wifi3-guest-2.4 pvid=10
add bridge=bridge1 interface=wifi4-IoT-2.4 pvid=22
add bridge=bridge1 interface=wifi5-guest-5g pvid=10

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,eth4-to-CAP-AX,eth5-to-Switch untagged=\
    eth1-to-Modem vlan-ids=10
add bridge=bridge1 tagged=bridge1,eth4-to-CAP-AX,eth5-to-Switch untagged=\
    eth1-to-Modem vlan-ids=22
add bridge=bridge1 tagged=bridge1,eth4-to-CAP-AX,eth5-to-Switch vlan-ids=123
add bridge=bridge1 tagged=bridge1,eth4-to-CAP-AX,eth5-to-Switch vlan-ids=111

/interface list member
add interface=eth1-to-Modem list=WAN
add interface=bridge1 list=LAN

/ip address
add address=192.168.200.1/24 interface=bridge1 network=192.168.200.0
add address=10.0.0.72/24 interface=eth1-to-Modem network=10.0.0.0
add address=192.168.1.1/24 interface=MGMT network=192.168.1.0
add address=192.168.123.1/24 interface=PRIVATE network=192.168.123.0
add address=192.168.22.1/24 interface=IOT network=192.168.22.0
add address=192.168.10.1/24 interface=GUEST network=192.168.10.0
add address=192.168.111.1/24 interface=SIP network=192.168.111.0

/ip dhcp-client
add disabled=yes interface=eth1-to-Modem

/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.133,1.1.1.1,8.8.8.8 gateway=\
    10.0.0.1 netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.22.0/24 gateway=192.168.22.1
add address=192.168.111.0/24 gateway=192.168.111.1
add address=192.168.123.0/24 gateway=192.168.123.1

/ip dns
set allow-remote-requests=yes servers=10.0.0.133,8.8.8.8,1.1.1.1

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

 
gigabyte091
Forum Guru
Posts: 1224
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: hAP ax² 3 Vlans at internal Atenna

Sun May 05, 2024 8:23 am

Why is your bridge at PVID 5 ?? Leave that at 1...

If you use DNS then why not forward requests to it ?
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=10.0.0.133 protocol=tcp src-address=!10.0.0.133 in-interface-list=LAN dst-port=53
add chain=dstnat action=dst-nat to-addresses=10.0.0.133 protocol=udp src-address=!10.0.0.133 in-interface-list=LAN dst-port=53
That way all DNS requests are forwarded to Pihole.
 
Jaja2000
just joined
Topic Author
Posts: 21
Joined: Fri Apr 26, 2024 9:50 am
Location: Germany

Re: hAP ax² 3 Vlans at internal Atenna

Tue May 07, 2024 9:10 pm

That does not work for me. I started again from scratch and figured out some mistakes. For example, I had forgotten to add the bridge itself as a tagged interface in all VLANs in which the Mikrotik itself also has an IP, and the bridge interface should not be assigned an IP in a VLAN setup but should be used as a separate management VLAN.
as well add
/ip address
add address=10.0.0.200/24 interface=ether1 network=10.0.0.0
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-table=main \
    suppress-hw-offload=no
Now I can reach the AX router from the old hex network, and from my AX2 I can now ping all DNS servers, but when I
ping google.com 
i get:
[admin@MikroTik] > ping google.com
invalid value for argument address:
invalid value of mac-address, mac address required
invalid value for argument ipv6-address
while resolving ip-address: could not get answer from dns server
So something is wrong with my routing.
Either I have to set a route from my hex to the ax2, my route is wrong, or I need a NAT entry.
Hope somebody can help. Thx
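
Added example, not part of any post in this thread and not MikroTik tooling: a small lint for the rule stated in the post above, that the bridge must be a tagged member of every VLAN in which the router has a VLAN interface. It runs over an excerpt of the export posted on Sat May 04; the function names are hypothetical and the parser only handles plain key=value export lines.

```python
import re
from collections import defaultdict

# Excerpt of the export posted in the thread on Sat May 04 (only the menus the check reads).
EXPORT = r"""
/interface bridge
add name=bridge1 pvid=5 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=GUEST vlan-id=10
add interface=bridge1 name=IOT vlan-id=22
add interface=bridge1 name=MGMT vlan-id=5
add interface=bridge1 name=PRIVATE vlan-id=123
add interface=bridge1 name=SIP vlan-id=111
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,eth4-to-CAP-AX,eth5-to-Switch untagged=\
    eth1-to-Modem vlan-ids=10
add bridge=bridge1 tagged=bridge1,eth4-to-CAP-AX,eth5-to-Switch untagged=\
    eth1-to-Modem vlan-ids=22
add bridge=bridge1 tagged=bridge1,eth4-to-CAP-AX,eth5-to-Switch vlan-ids=123
add bridge=bridge1 tagged=bridge1,eth4-to-CAP-AX,eth5-to-Switch vlan-ids=111
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for every 'add' line."""
    menus, path = defaultdict(list), None
    for line in map(str.strip, re.sub(r"\\\n\s*", "", text).splitlines()):
        if line.startswith("/"):          # a menu path such as /interface vlan
            path = line
        elif line.startswith("add ") and path:
            menus[path].append(dict(re.findall(r"([\w-]+)=(\S+)", line)))
    return menus

def expand_ids(spec):
    """Expand a vlan-ids value such as '10,20-22' into a set of ints."""
    pairs = (p.partition("-") for p in spec.split(","))
    return {i for lo, _, hi in pairs for i in range(int(lo), int(hi or lo) + 1)}

def vlans_missing_bridge_tag(text):
    """VLAN interfaces on a bridge whose VLAN does not list that bridge as tagged."""
    menus = parse_export(text)
    bridges = {b["name"] for b in menus["/interface bridge"]}
    tagged = defaultdict(set)             # bridge name -> VLAN IDs it is tagged in
    for row in menus["/interface bridge vlan"]:
        if row["bridge"] in row.get("tagged", "").split(","):
            tagged[row["bridge"]] |= expand_ids(row["vlan-ids"])
    return [(v["name"], int(v["vlan-id"])) for v in menus["/interface vlan"]
            if v["interface"] in bridges and int(v["vlan-id"]) not in tagged[v["interface"]]]

print(vlans_missing_bridge_tag(EXPORT))
```

Each tuple returned is a VLAN interface name and ID that has no `/interface bridge vlan` row with the bridge in `tagged=`; run it on a full `/export` before turning `vlan-filtering` on.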
