I am running a hAP ac3 as the main router and a hAP ax2 as an additional device for WLAN coverage.
CAPsMAN is running on the hAP ac3, and I have successfully provisioned the hAP ax2 interfaces without any issues.
But I have an issue when I want to add the hAP ac3's own local interfaces to the local CAPsMAN.
The first thing I tried was setting manager=capsman (or local) on the local WiFi interfaces wifi1 and wifi2 under /interface/wifi. After doing that, WinBox shows the interface as managed by CAPsMAN in the comment, but for some reason devices do not connect back to the radios.
The second thing I tried was setting the datapath and bridge on the existing (already working) profile for the local interfaces, but the result is the same.
Interestingly, I see the MAC address of the local interface in /interface/wifi/radios/, but for some reason traffic is not forwarded over that interface.
On that hAP ac3 I have set the CAPsMAN address to 127.0.0.1 and have firewall rules that allow the traffic.
[admin@Mikrotik hAP ac3] /interface/wifi> export compact
# 2024-01-12 17:50:44 by RouterOS 7.13.1
# model = RBD53iG-5HacD2HnD
# Channel profiles: ch-* are referenced by this router's own radios (wifi1/wifi2),
# cap-* by the configurations provisioned to the hAP ax2. cap-5GHz sets no frequency
# list, so the CAP's 5 GHz channel selection falls back to defaults.
/interface wifi channel
add frequency=2412,2437,2462 name=ch-2ghz width=20/40mhz
add frequency=5180,5200,5220,5240 name=ch-5ghz skip-dfs-channels=all width=20/40/80mhz
add disabled=no frequency=2412,2437,2462 name=cap-2GHz width=20/40mhz
add disabled=no name=cap-5GHz skip-dfs-channels=all width=20/40/80mhz
# Security profiles. common-auth sets wps=disable, but every non-guest configuration
# below re-sets security.wps=push-button on itself; a configuration's own setting takes
# precedence over the referenced profile, so WPS push-button is what the CAP radios
# actually get (wifi1/wifi2 override it back to disable at interface level).
# guest-auth leaves wps unset. Check the effective values with
# /interface/wifi/actual-configuration print rather than trusting the profile.
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=common-auth wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=guest-auth
# Main-SSID configurations. None of them references a datapath: datapath1
# (bridge=bridge-LAN, defined further down) is not used anywhere in this export.
# An interface that CAPsMAN creates from common-conf therefore has no bridge to
# forward into, which would match the "MAC visible in /interface/wifi/radios but no
# traffic forwarded" symptom for the locally provisioned radio — presumably
# datapath=datapath1 is intended on common-conf and common-conf-5Ghz; confirm.
/interface wifi configuration
add channel=ch-2ghz disabled=no name=common-conf security=common-auth security.connect-priority=0 .ft=yes .ft-over-ds=yes .wps=push-button ssid=WIFI_SSID
add channel=ch-5ghz country=Croatia disabled=no name=common-conf-5Ghz security=common-auth security.connect-priority=0 .ft=yes .ft-over-ds=yes .wps=push-button ssid=WIFI_SSID
add channel=cap-2GHz disabled=no name=cap-cfg-2GHz security=common-auth security.connect-priority=0 .ft=yes .ft-over-ds=yes .wps=push-button ssid=WIFI_SSID tx-power=5
add channel=cap-5GHz country=Croatia disabled=no name=cap-cfg-5GHz security=common-auth security.connect-priority=0 .ft=yes .ft-over-ds=yes .wps=push-button ssid=WIFI_SSID tx-power=5
# Local radios. As exported both are configuration.manager=local, so CAPsMAN is not
# offered these interfaces at all and the provisioning rules for 2C:C8:1B:A5:9F:D9
# below have nothing to act on; manager=capsman (or capsman-or-local) is required for
# that. The interface-level channel.frequency / security.* values set here are local
# overrides and should be reviewed once the interface is handed to CAPsMAN.
/interface wifi
set [ find default-name=wifi1 ] channel=ch-2ghz channel.frequency=2412,2437,2462 configuration=common-conf configuration.manager=local .mode=ap disabled=no security.ft=yes .wps=disable
set [ find default-name=wifi2 ] channel.frequency=5180,5200,5220,5240 configuration=common-conf-5Ghz configuration.manager=local .mode=ap .tx-power=14 disabled=no security.ft=yes .wps=\
disable
# Unreferenced — see the note on the configurations above.
/interface wifi datapath
add bridge=bridge-LAN disabled=no name=datapath1
# This router's own CAP talks to the local CAPsMAN over loopback and requests a certificate.
/interface wifi cap
set caps-man-addresses=127.0.0.1 certificate=request enabled=yes
# require-peer-certificate=no: any CAP that can reach UDP 5246/5247 on any interface
# (interfaces=all) is accepted without presenting a certificate. Combined with the
# unrestricted input accept for those ports in the firewall below, this is reachable
# from WAN as far as this export shows. Once the hAP ax2 holds its certificate,
# require-peer-certificate=yes and a LAN-only firewall rule close that.
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=all package-path="" require-peer-certificate=no upgrade-policy=none
# Guest configurations. datapath.bridge=*33 is an internal object id, not a name: the
# bridge these referenced no longer exists, so guest interfaces have no datapath to
# bridge into. Re-point them (and the guest-wifi datapath below) at the current guest bridge.
/interface wifi configuration
add channel=cap-2GHz country=Croatia datapath.bridge=*33 disabled=no name=cap-cfg-guest-2GHz security=guest-auth security.ft=yes .ft-over-ds=yes ssid=WIFI_SSID_guest
add channel=cap-5GHz country=Croatia datapath.bridge=*33 disabled=no name=cap-cfg-guest-5GHz security=guest-auth security.ft=yes .ft-over-ds=yes ssid=WIFI_SSID_guest
add channel=ch-2ghz country=Croatia datapath.bridge=*33 disabled=no name=common-conf-guest-2GHz security=guest-auth security.ft=yes .ft-over-ds=yes ssid=WIFI_SSID_guest
add channel=ch-5ghz country=Croatia datapath.bridge=*33 disabled=no name=common-conf-guest-5GHz security=guest-auth security.ft=yes .ft-over-ds=yes ssid=WIFI_SSID_guest
/interface wifi datapath
add bridge=*33 disabled=no name=guest-wifi
# Provisioning. The first two (disabled) rules would match any radio; the
# 48:A9:8A:68:34:CB/CC rules are the hAP ax2, one rule per supported band.
/interface wifi provisioning
add action=create-dynamic-enabled disabled=yes master-configuration=common-conf
add action=create-dynamic-enabled disabled=yes master-configuration=common-conf-5Ghz
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg-5GHz radio-mac=48:A9:8A:68:34:CB supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg-5GHz radio-mac=48:A9:8A:68:34:CB supported-bands=5ghz-ac
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg-5GHz radio-mac=48:A9:8A:68:34:CB supported-bands=5ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg-2GHz radio-mac=48:A9:8A:68:34:CC supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg-2GHz radio-mac=48:A9:8A:68:34:CC supported-bands=2ghz-g
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg-2GHz radio-mac=48:A9:8A:68:34:CC supported-bands=2ghz-n
#Local interaface provisioning setup below,2.4G only for test:
# These only take effect once wifi1's configuration.manager is capsman (see above),
# and common-conf currently carries no datapath for the created interface.
add action=create-enabled disabled=no master-configuration=common-conf radio-mac=2C:C8:1B:A5:9F:D9 supported-bands=2ghz-g
add action=create-enabled disabled=no master-configuration=common-conf radio-mac=2C:C8:1B:A5:9F:D9 supported-bands=2ghz-n
# Filter order matters: the defconf established/invalid rules and the
# "drop all not coming from LAN" rule sit near the end, so every accept above them is
# evaluated for packets arriving on WAN too. The accepts keyed on src-address alone
# (192.168.98.0/24, 192.168.89.0/24, 192.168.150.0/24, dst 192.168.201.0/24) carry no
# in-interface(-list), so a WAN packet with a spoofed private source matches them
# unless a raw rule not shown here drops it. Adding in-interface-list=LAN to them, or
# moving them below the defconf rules, closes that.
/ip firewall filter
add action=accept chain=forward src-address=192.168.98.0/24
add action=accept chain=input src-address=192.168.98.0/24
add action=accept chain=forward dst-address=192.168.201.0/24
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# local->local is broader than the loopback rule above already covers for the on-box CAP.
add action=accept chain=input comment="Accept local CAPsMAN config" dst-address-type=local src-address-type=local
# src-port is chosen by the sender, so this does not identify CAPsMAN traffic;
# the dst-port rule below is the one that actually admits CAPs.
add action=accept chain=input comment="Capsman local" protocol=udp src-port=5246,5247
# No interface restriction and placed before the WAN drop: CAPWAP control/data is
# open to every interface. in-interface-list=LAN is enough for the hAP ax2; the
# local CAP uses 127.0.0.1 and is covered by the loopback rule.
add action=accept chain=input dst-port=5246,5247 protocol=udp
# Disabled. The output-chain variant can only match if the router itself holds
# 192.168.88.66 as a source address.
add action=drop chain=forward comment=Korina disabled=yes src-address=192.168.88.66
add action=drop chain=output comment=Korina disabled=yes src-address=192.168.88.66
add action=drop chain=input comment=Korina disabled=yes src-address=192.168.88.66
add action=accept chain=input comment=Wireguard disabled=yes dst-port=13231 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=Wireguard dst-port=443 in-interface-list=WAN protocol=udp
add action=accept chain=input src-address=192.168.89.0/24
add action=accept chain=forward src-address=192.168.89.0/24
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=out,ipsec
# Note these vpn-pool drops are evaluated after the src-address accepts above; if
# vpn-pool overlaps any of those ranges the accept wins.
add action=drop chain=forward comment="Block VPN-pool to local LAN " dst-address-list=Local_LAN src-address-list=vpn-pool
add action=drop chain=input comment="Block VPN-pool to local LAN " dst-address-list=Local_LAN src-address-list=vpn-pool
add action=accept chain=input comment="L2TP/IPsec VPN" dst-port=500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="L2TP/IPsec VPN" dst-port=1701 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="L2TP/IPsec VPN" dst-port=4500 in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface=ether1-WAN protocol=ipsec-esp
add action=accept chain=input in-interface=ether1-WAN protocol=ipsec-ah
add action=accept chain=input comment="VPN network allow" src-address=192.168.150.0/24
add action=accept chain=forward comment="VPN network allow" src-address=192.168.150.0/24
# Intentionally ahead of "defconf: accept ICMP" so WAN-originated ICMP is dropped first.
add action=drop chain=input comment="Block ICMP on WAN input" connection-nat-state=!srcnat connection-state=!established,related in-interface=ether1-WAN protocol=icmp
# GRE accepted from any interface — restrict with in-interface(-list) if the EoIP peer is known.
add action=accept chain=input comment="Allow EoIP/GRE input" protocol=gre
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Duplicate of the loopback accept earlier in the chain; harmless but redundant.
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# First rule that distinguishes WAN from LAN for new input traffic.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Allow Eoip/GRE" protocol=gre
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack, disable radi queue" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN