8577
newbie
Topic Author
Posts: 40
Joined: Fri Mar 20, 2020 8:25 pm
Location: US

CAPsMAN with vlans question

Sat Oct 01, 2022 4:13 am

I am working on this rb5009 that has run great for a good bit, and my wi-fi router seems to have bit the dust. I couldn't find my old notes on how I set this up a few years back, so I have been following the docs here: https://help.mikrotik.com/docs/display/ ... with+VLANs

I want to connect the cAPs to VLANs so I can separate the traffic among 2 VLANs. I am using a small mAP as a test cAP, and I thought I had it correct, but the cAP never shows up in remote cap in CAPsMAN. I can see it in neighbors, but it never shows up as a cAP.

If anyone has any tips on what I have wrong here, it would be a huge help. It seems the example in the docs shows untagged ports going to the APs from a switch, so I even tried it plugged into a trunk port on the router. I tried it with untagged and tagged. Going to dig again to see if I can find my notes; I know I am missing a step, just not sure which just yet. I think the cAP needs to have pvid set on the bridge, but I didn't see that in the docs.

Here are the configs for reference:
Router config
# sep/30/2022 21:00:06 by RouterOS 7.4
# software id = GJYP-PF1L
#
# model = RB5009UG+S+
# serial number = xxxxx
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes
/interface vlan
add comment=Users interface=bridge name=VLAN10 vlan-id=10
add comment=CCTV interface=bridge name=VLAN20 vlan-id=20
add comment=Guest interface=bridge name=VLAN30 vlan-id=30
add comment=SRV interface=bridge name=VLAN40 vlan-id=40
add comment=MGMT interface=bridge name=VLAN99 vlan-id=99
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security1
/interface list
add comment=DJ name=WAN
add comment=DJ name=LAN
add comment=DJ name=VLAN
add comment=DJ name=MGMT
/caps-man datapath
add interface-list=all local-forwarding=yes name=datapath1 vlan-id=20 vlan-mode=use-tag
/caps-man configuration
add country="united states" datapath=datapath1 datapath.local-forwarding=yes .vlan-id=20 .vlan-mode=use-tag distance=\
    indoors installation=indoor mode=ap name=cfg1 security.authentication-types=wpa-psk,wpa2-psk .encryption=aes-ccm \
    ssid=Mikrotik-2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.120.2-192.168.120.254
add comment=MGMT name=VLAN99_POOL ranges=192.168.0.10-192.168.0.240
add comment=Users name=VLAN10_POOL ranges=192.168.1.15-192.168.1.220
add comment=CCTV name=VLAN20_POOL ranges=192.168.2.10-192.168.2.240
add comment=Guest name=VLAN30_POOL ranges=192.168.3.10-192.168.3.240
add name=vpn-pool ranges=192.168.5.10-192.168.5.25
/ip dhcp-server
add address-pool=dhcp_pool1 interface=ether8 name=dhcp1
add address-pool=VLAN10_POOL interface=VLAN10 name=VLAN10_DHCP
add address-pool=VLAN20_POOL interface=VLAN20 name=VLAN20_DHCP
add address-pool=VLAN30_POOL interface=VLAN30 name=VLAN30_DHCP
add address-pool=VLAN99_POOL interface=VLAN99 name=VLAN99_DHCP
add address-pool=vpn-pool disabled=yes interface=bridge name=vpn-DHCP
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether4
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1
/interface bridge port
add bridge=bridge comment=Trunk frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge comment=Trunk frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge comment=Trunk frame-types=admit-only-vlan-tagged interface=ether6
add bridge=bridge comment=Trunk frame-types=admit-only-vlan-tagged interface=ether7
add bridge=bridge comment=Access frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridge comment=Access frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=Access frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=20
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether5,ether6,ether7 vlan-ids=30,40,99
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether5,ether6,ether7 untagged=ether2,ether3 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether5,ether6,ether7 untagged=ether4 vlan-ids=20

CAP config
# model = RBmAP2nD
# serial number = DE500E06D2E7
/interface bridge
add admin-mac=2C:C8:1B:ED:D3:FA auto-mac=no comment=defconf name=bridgeLocal \
    vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
/interface wireless cap
# 
set bridge=bridgeLocal discovery-interfaces=ether1 enabled=yes interfaces=wlan1
/ip dhcp-client
add comment=defconf disabled=no interface=bridgeLocal
/system clock
set time-zone-name=America/New_York

Thank you
 
dhoulbrooke
Frequent Visitor
Posts: 64
Joined: Sun Apr 19, 2015 7:24 am
Location: Whakatāne, New Zealand

Re: CAPsMAN with vlans question

Sat Oct 01, 2022 11:36 am

/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether4

At the moment you're only accepting management traffic to the CAPsMAN on ether4 and this appears to be dedicated to CCTV/VLAN20. So maybe double check that you have the right interface there.
 
8577
newbie
Topic Author
Posts: 40
Joined: Fri Mar 20, 2020 8:25 pm
Location: US

Re: CAPsMAN with vlans question

Sat Oct 01, 2022 4:16 pm

Ok, thank you, makes sense.

I went ahead and disabled the VLAN port on my router:
add bridge=bridge comment=Access disabled=yes frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=20

Now the test cAP works fine and gives clients a DHCP address, and they connect through fine now.

In the process of all this, I came to find out my switch is not filtering VLANs, so I need to address that before I can hang my cAPs on the switch interfaces, it seems. Did not realize this had changed, and it really threw me off.
# model = CRS112-8P-4S
# serial number = 9B210B746392
/interface bridge
add name=bridge protocol-mode=none
Thanks for the tip on the interface! Now off to fix this switch.
 
tdw
Forum Guru
Posts: 1544
Joined: Sat May 05, 2018 11:55 am

Re: CAPsMAN with vlans question

Sat Oct 01, 2022 5:10 pm

When sorting out your switch take note that CRS1xx/2xx do not support hardware-offload with a VLAN-aware bridge (i.e. where the bridge has vlan-filtering=yes).

You can use a VLAN-aware bridge but the performance will not be good; an example of the correct method to keep hardware offload is https://wiki.mikrotik.com/wiki/Manual:C ... Based_VLAN
 
8577
newbie
Topic Author
Posts: 40
Joined: Fri Mar 20, 2020 8:25 pm
Location: US

Re: CAPsMAN with vlans question

Sat Oct 01, 2022 5:43 pm

Thanks tdw, I think I remember reading that before. My switch appears to be using switched VLAN configuration.
Below is the config for reference. I tried using ether7 and ether8 as cAP interfaces by disabling the VLAN tagging and disabling those interfaces in the switch (and bridge), and even tried making one into a trunk, but the cAP never shows up when connected to the switch.

I have the CAPsMAN working fine in CAPsMAN forwarding connected to the router interface. It would be ideal if I can use the switch, as it has PoE to power the cAPs from.

I just need to figure out what switch port configuration I need to see the cAPs on the switch interfaces. Here is the unmodified switch config; I put the settings back until I figure this out. The cAPs run fine on the router, I just need to feed them external power.
# sep/01/2022 14:50:45 by RouterOS 6.48.5
# software id = QYMG-SSQH
#
# model = CRS112-8P-4S
# serial number = xxxxxx
/interface bridge
add name=bridge protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] advertise=1000M-full
set [ find default-name=ether2 ] advertise=1000M-full
set [ find default-name=ether3 ] advertise=1000M-full
set [ find default-name=ether4 ] advertise=1000M-full
set [ find default-name=ether5 ] advertise=1000M-full
set [ find default-name=ether6 ] advertise=1000M-full
set [ find default-name=ether7 ] advertise=1000M-full
set [ find default-name=ether8 ] advertise=1000M-full
set [ find default-name=sfp9 ] advertise=1000M-full
set [ find default-name=sfp10 ] advertise=1000M-full
set [ find default-name=sfp11 ] advertise=1000M-full
set [ find default-name=sfp12 ] advertise=1000M-full
/interface vlan
add interface=bridge name=MGMT vlan-id=99
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/system logging action
set 3 remote=192.168.1.246
/user group
set full policy=\
    local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether5
add bridge=bridge interface=ether6
add bridge=bridge interface=ether7
add bridge=bridge interface=ether8
add bridge=bridge interface=sfp9
add bridge=bridge interface=sfp10
add bridge=bridge interface=sfp11
add bridge=bridge interface=sfp12
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfp10,sfp9,sfp12,sfp11 vlan-id=10
add tagged-ports=sfp10,sfp9,sfp12,sfp11 vlan-id=20
add tagged-ports=sfp10,sfp9,sfp12,sfp11 vlan-id=30
add tagged-ports=switch1-cpu,sfp10,sfp9,sfp12,sfp11 vlan-id=99
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports=ether5
add customer-vid=0 new-customer-vid=20 ports=ether6
add customer-vid=0 new-customer-vid=30 ports=ether7
add customer-vid=0 new-customer-vid=30 ports=ether8
add customer-vid=0 new-customer-vid=10 ports=ether2
add customer-vid=0 new-customer-vid=20 ports=ether3
add customer-vid=0 new-customer-vid=20 ports=ether4
add customer-vid=0 new-customer-vid=10 ports=ether1
/interface ethernet switch vlan
add ports=ether1,ether2,sfp10,sfp9,sfp12,sfp11 vlan-id=10
add ports=ether3,ether4,ether5,ether6,sfp10,sfp9,sfp12,sfp11 vlan-id=20
add ports=ether7,ether8,sfp10,sfp9,sfp12,sfp11 vlan-id=30
add ports=switch1-cpu,sfp10,sfp9,sfp12,sfp11 vlan-id=99
/ip address
add address=192.168.0.2/24 interface=MGMT network=192.168.0.0
/ip dns
set servers=192.168.1.244
/ip route
add distance=1 gateway=192.168.0.1
/system clock
set time-zone-name=America/Los_Angeles
/system logging
set 0 action=remote prefix=Sw
set 1 action=remote prefix=Sw
set 2 action=remote prefix=Sw
set 3 action=remote prefix=Sw
 
8577
newbie
Topic Author
Posts: 40
Joined: Fri Mar 20, 2020 8:25 pm
Location: US

Re: CAPsMAN with vlans question

Sat Oct 01, 2022 5:47 pm

Just realized I didn't change the CAPsMAN interface when I tested the cAP connected on the switch.
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether4
I need to change this to ether5 (the trunk port that connects to switch). I think this may be the issue. Will update.
 
8577
newbie
Topic Author
Posts: 40
Joined: Fri Mar 20, 2020 8:25 pm
Location: US

Re: CAPsMAN with vlans question

Sat Oct 01, 2022 6:16 pm

Well, that wasn't the issue. According to the docs for CAPsMAN, the interface the cAP is connected to needs to be tagged for the correct VLAN, if I am reading it correctly. Will try tagging those interfaces.
 
dhoulbrooke
Frequent Visitor
Posts: 64
Joined: Sun Apr 19, 2015 7:24 am
Location: Whakatāne, New Zealand

Re: CAPsMAN with vlans question

Sat Oct 01, 2022 7:01 pm

I need to change this to ether5 (the trunk port that connects to switch). I think this may be the issue. Will update.

Looking at the switch config you will most likely need to add one of your VLAN interfaces as a CAPsMAN interface, as all traffic coming from your switch is VLAN tagged.
 
8577
newbie
Topic Author
Posts: 40
Joined: Fri Mar 20, 2020 8:25 pm
Location: US

Re: CAPsMAN with vlans question

Sat Oct 01, 2022 7:52 pm

Looking at the switch config you will most likely need to add one of your VLAN interfaces as a CAPsMAN interface, as all traffic coming from your switch is VLAN tagged.
I tried that with no luck. Since the config is specifying to use tag, I currently have it set to "use tag" to VLAN 30, with local forwarding enabled in the datapath. So I set the interface the cAP is connected to as tagged for VLAN 30, so it will pass tagged traffic. Then I have CAPsMAN listening on the VLAN30 interface.

/caps-man configuration
add country="united states" datapath.bridge=bridge local-forwarding=yes vlan-id=30 .vlan-mode=use-tag distance=\
    indoors installation=indoor mode=ap name=cfg1 security.authentication-types=wpa-psk,wpa2-psk .encryption=aes-ccm \
    ssid=Mikrotik-2
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=VLAN30
    
    
On cAP
/interface bridge
add admin-mac=2C:C8:1B:ED:D3:FA auto-mac=no comment=defconf name=bridgeLocal \
    vlan-filtering=yes
    
On the switch I have the cAP on ether7, set to tag for VLAN 30:
/interface ethernet switch egress-vlan-tag
add tagged-ports=sfp10,sfp9,sfp12,sfp11 vlan-id=10
add tagged-ports=sfp10,sfp9,sfp12,sfp11 vlan-id=20
add tagged-ports=ether7,sfp10,sfp9,sfp12,sfp11 vlan-id=30
add tagged-ports=switch1-cpu,sfp10,sfp9,sfp12,sfp11 vlan-id=99
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=20 ports=ether5
add customer-vid=0 new-customer-vid=20 ports=ether6
add customer-vid=0 disabled=yes new-customer-vid=30 ports=ether7
add customer-vid=0 new-customer-vid=30 ports=ether8
add customer-vid=0 new-customer-vid=10 ports=ether2
add customer-vid=0 new-customer-vid=20 ports=ether3
add customer-vid=0 new-customer-vid=20 ports=ether4
add customer-vid=0 new-customer-vid=10 ports=ether1
/interface ethernet switch vlan
add ports=ether1,ether2,sfp10,sfp9,sfp12,sfp11 vlan-id=10
add ports=ether3,ether4,ether5,ether6,sfp10,sfp9,sfp12,sfp11 vlan-id=20
add ports=ether7,ether8,sfp10,sfp9,sfp12,sfp11 vlan-id=30
add ports=switch1-cpu,sfp10,sfp9,sfp12,sfp11 vlan-id=99

Will keep at it; may have to Wireshark the issue. Not sure what else I am missing.
 
8577
newbie
Topic Author
Posts: 40
Joined: Fri Mar 20, 2020 8:25 pm
Location: US

Re: CAPsMAN with vlans question

Sat Oct 01, 2022 10:18 pm

I followed this for the CAPsMAN steps: https://help.mikrotik.com/docs/display/ ... ardingMode

and I followed this to check my switch config: https://help.mikrotik.com/docs/pages/vi ... tBasedVLAN

With no luck. Does anyone know if cAPs will work on a switch that doesn't do bridge VLAN filtering? I would think it would work either way, as I have tried with no tagging (as an access port) and with tagging and a VLAN defined on the cAP. I never see it show up in ip neighbor on either the switch or the router. But it works fine if I connect it to the router that is doing bridge VLAN filtering. When I set the switch interface as non-tagged, a normal DHCP client device gets an address and can ping through to the router. But the cAP fails to get an address. I need to do more reading up here. Thanks for the help everyone!
 
8577
newbie
Topic Author
Posts: 40
Joined: Fri Mar 20, 2020 8:25 pm
Location: US

Re: CAPsMAN with vlans question

Sun Oct 02, 2022 2:59 am

Latest cAP config: tried to tie CAPsMAN and cAP together on VLAN 30, created a trunk port on the cAP, yet still no communication. May need to add a firewall rule next on the CAPsMAN router.

/interface bridge
add admin-mac=2C:C8:1B:ED:D3:FA auto-mac=no comment=defconf name=bridgeLocal \
    vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik
/interface vlan
add interface=bridgeLocal name=vlan-30 vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1 vlan-ids=30
add bridge=bridgeLocal tagged=ether1 vlan-ids=10,20
/interface wireless cap
# 
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes interfaces=\
    wlan1
Interface (ether8 to cAP) on the switch after the latest changes:
/interface ethernet switch vlan
add ports=ether1,ether2,sfp10,sfp9,sfp12,sfp11 vlan-id=10
add ports=ether3,ether4,ether5,ether6,sfp10,sfp9,sfp12,sfp11 vlan-id=20
add ports=ether7,ether8,sfp10,sfp9,sfp12,sfp11 vlan-id=30

 
dhoulbrooke
Frequent Visitor
Posts: 64
Joined: Sun Apr 19, 2015 7:24 am
Location: Whakatāne, New Zealand

Re: CAPsMAN with vlans question

Sun Oct 02, 2022 4:21 am

Does anyone know if cAPs will work on a switch that doesn't do bridge VLAN filtering?

Yup, have done so before on a CRS1xx, usually in a method similar to what you are doing now with the CAP on a trunk port.

Looking at your most recent attempt you also need to change the discovery interface on the CAP so that it is attempting to find the CAPsMAN on the right VLAN, i.e. this:
/interface wireless cap
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes interfaces=wlan1
Should be this:
/interface wireless cap
set bridge=bridgeLocal discovery-interfaces=vlan-30 enabled=yes interfaces=wlan1

With this on the CAPsMAN:
/caps-man manager interface
add disabled=no interface=VLAN30

And if you are firewalling on the CAPsMAN you may need a firewall rule similar to the below to allow access:
/ip firewall filter
add action=accept chain=input comment="Accept CAPsMAN" dst-port=5246-5247 protocol=udp 
 
8577
newbie
Topic Author
Posts: 40
Joined: Fri Mar 20, 2020 8:25 pm
Location: US

Re: CAPsMAN with vlans question

Sun Oct 02, 2022 3:43 pm

Yup, have done so before on a CRS1xx, usually in a method similar to what you are doing now with the CAP on a trunk port.

Looking at your most recent attempt you also need to change the discovery interface on the CAP so that it is attempting to find the CAPsMAN on the right VLAN, i.e. this:
Thanks a bunch dhoulbrooke, made those changes and still no joy. This one is being extra stubborn.

Just won't connect, it seems. I am trying to get a way to read the log on the cAP; what's really strange is I can't even mac-telnet from the router or the switch to the cAP to see log output. Makes me think I have a layer 2 issue of some sort.

Latest revised configs attached. Make note I have CAPsMAN listening on ether4 for the CAPsMAN-forwarded cAP off the router (the cAP that is working), and on vlan30 for the local-forward cAP on the switch. I'm sure the main issue is between the chair and the keyboard at this point lol. Wondering if I need to wipe the config off the cAP and start fresh; will try that at some point just to rule it out. Thanks for taking the time to help, it is much appreciated!
 
8577
newbie
Topic Author
Posts: 40
Joined: Fri Mar 20, 2020 8:25 pm
Location: US

Re: CAPsMAN with vlans question

Sun Oct 02, 2022 6:09 pm

I may have found the culprit? I see this in the logs: "_warn: VLAN30_DHCP offering lease 192.168.3.239 for 2C:C8:1B:ED:D3:FA without success"

That is the MAC of the cAP I am trying to add. Maybe a VLAN tag mismatch; will travel down this new rabbit hole and see what I find.
 
dhoulbrooke
Frequent Visitor
Posts: 64
Joined: Sun Apr 19, 2015 7:24 am
Location: Whakatāne, New Zealand

Re: CAPsMAN with vlans question  [SOLVED]

Mon Oct 03, 2022 4:38 am

No problem :)

OK, getting closer. This should get your CAP up.

CAP:
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,bridgeLocal vlan-ids=30

Without bridgeLocal in there VLAN 30 is not passed on to the CPU on the CAP. I'd missed that you were doing bridge VLAN filtering on the CAP in the config that you sent through earlier.
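As an added illustration of the point above (written for this page; it is not part of the thread and not RouterOS code), here is a small Python model of how a bridge with vlan-filtering=yes decides whether a frame reaches a port, treating the bridge interface itself as the CPU port. The two CAP tables are the ones posted in this thread (tagged=ether1 for vlan-ids=30 before the fix, tagged=ether1,bridgeLocal after it). The router's ether4 access port from the first post is modelled as well, so the same code also shows why a tagged frame arriving on an untagged-only access port is dropped while an untagged one lands in VLAN 20. The pvid and frame-types defaults, the dynamic untagged membership from pvid, and the port names are simplifying assumptions of the model, not a reading of RouterOS source.

```python
from dataclasses import dataclass, field


@dataclass
class VlanEntry:
    """One static row of /interface bridge vlan."""
    vlan_ids: set
    tagged: set = field(default_factory=set)
    untagged: set = field(default_factory=set)


@dataclass
class Bridge:
    """A vlan-filtering=yes bridge. The bridge interface itself is the CPU port."""
    name: str
    pvid: dict          # per-port pvid, as set under /interface bridge port
    frame_types: dict   # per-port frame-types, as set under /interface bridge port
    vlans: list         # static VlanEntry rows

    def members(self, vid):
        """Tagged and untagged members of a VLAN: static rows plus the dynamic
        untagged membership a port gets from its pvid (modelled assumption)."""
        tagged, untagged = set(), set()
        for row in self.vlans:
            if vid in row.vlan_ids:
                tagged |= row.tagged
                untagged |= row.untagged
        for port, pv in self.pvid.items():
            if pv == vid:
                untagged.add(port)
        return tagged, untagged

    def classify(self, port, tag):
        """VLAN ID a frame is assigned on ingress, or None if frame-types rejects it."""
        ft = self.frame_types.get(port, "admit-all")
        if tag is None:
            return None if ft == "admit-only-vlan-tagged" else self.pvid.get(port, 1)
        if ft == "admit-only-untagged-and-priority-tagged":
            return None
        return tag

    def forward(self, in_port, tag, out_port):
        """Simulate one frame from in_port to out_port; returns (verdict, detail)."""
        vid = self.classify(in_port, tag)
        if vid is None:
            return ("dropped", f"{in_port} frame-types rejects the frame")
        tagged, untagged = self.members(vid)
        if in_port not in tagged | untagged:
            return ("dropped", f"{in_port} is not a member of VLAN {vid}")
        if out_port in tagged:
            return ("forwarded", f"tagged {vid}")
        if out_port in untagged:
            return ("forwarded", f"untagged (VLAN {vid})")
        return ("dropped", f"{out_port} is not a member of VLAN {vid}")


def cap_bridge(rows):
    """CAP bridge from the thread: ether1 is the uplink, bridgeLocal is the CPU port.
    Ports keep pvid=1 and frame-types=admit-all (defaults, none are set in the posted export)."""
    ports = ["ether1", "ether2", "bridgeLocal"]
    return Bridge("bridgeLocal", {p: 1 for p in ports}, {p: "admit-all" for p in ports}, rows)


# Before the fix (Oct 02 2:59 am post): the bridge itself is not a tagged member of VLAN 30.
CAP_BEFORE = cap_bridge([VlanEntry({30}, tagged={"ether1"}),
                         VlanEntry({10, 20}, tagged={"ether1"})])
# After the fix: tagged=ether1,bridgeLocal vlan-ids=30.
CAP_AFTER = cap_bridge([VlanEntry({30}, tagged={"ether1", "bridgeLocal"})])

# Router ether4 from the first post: access port, pvid=20, untagged frames only.
ROUTER = Bridge("bridge",
                {"ether4": 20, "ether5": 1, "bridge": 1},
                {"ether4": "admit-only-untagged-and-priority-tagged",
                 "ether5": "admit-only-vlan-tagged", "bridge": "admit-all"},
                [VlanEntry({20}, tagged={"bridge", "ether5"}, untagged={"ether4"})])

if __name__ == "__main__":
    print("CAP before fix, VLAN 30 uplink -> CPU:", CAP_BEFORE.forward("ether1", 30, "bridgeLocal"))
    print("CAP after fix,  VLAN 30 uplink -> CPU:", CAP_AFTER.forward("ether1", 30, "bridgeLocal"))
    print("CAP after fix,  CPU -> uplink:        ", CAP_AFTER.forward("bridgeLocal", 30, "ether1"))
    print("Router ether4, tagged frame in:        ", ROUTER.forward("ether4", 30, "bridge"))
    print("Router ether4, untagged frame in:      ", ROUTER.forward("ether4", None, "bridge"))
```

The first two lines of output are the whole story of the thread's fix: with the same tagged frame arriving on ether1, the CPU port is reachable only once bridgeLocal is listed as a tagged member, which is what lets the vlan-30 interface, and therefore the CAP's DHCP client and CAPsMAN discovery, see VLAN 30 at all.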
 
8577
newbie
Topic Author
Posts: 40
Joined: Fri Mar 20, 2020 8:25 pm
Location: US

Re: CAPsMAN with vlans question

Mon Oct 03, 2022 4:35 pm

No problem :)

OK, getting closer. This should get your CAP up.

CAP:
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,bridgeLocal vlan-ids=30

Without bridgeLocal in there VLAN 30 is not passed on to the CPU on the CAP. I'd missed that you were doing bridge VLAN filtering on the CAP in the config that you sent through earlier.
That was it! So egress frames were going out without any tag, if I am following the logic. The bridge/CPU tagging always throws me off. Now I can add in the additional VLANs 10 and 20 for cameras and private wifi.

I owe you a coffee. Thanks so much for your time dhoulbrooke.

For reference, here is the correct cAP config:
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridgeLocal \
    vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
# channel: 2442/20-Ce/gn(28dBm), SSID: Mikrotik-2, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
/interface vlan
add interface=bridgeLocal name=vlan-30 vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,bridgeLocal vlan-ids=30
/interface wireless cap
#
set bridge=bridgeLocal discovery-interfaces=vlan-30 enabled=yes interfaces=\
    wlan1
/ip dhcp-client
add comment=CAPsMAN disabled=no interface=vlan-30
/system clock
set time-zone-name=America/New_York
