v7.13beta [testing] is released!

Z0ltan · Sat Nov 18, 2023 6:35 pm

Wave 2 driver works fine on cAP AC. But only the TV BOX /old MXQ Pro with android 5.1 - 2016/ can't be connected to the LAN via 2GHz radio anymore!

Had the same problem here, the fix was disabling management frame protection.

Santi70 · Sat Nov 18, 2023 7:50 pm

If you disable "management frame protection" you will not be able to use WPA3

Sat Nov 18, 2023 8:49 pm

Which older devices can not use anyhow...

JohnTRIVOLTA · Sat Nov 18, 2023 9:15 pm

Wave 2 driver works fine on cAP AC. But only the TV BOX /old MXQ Pro with android 5.1 - 2016/ can't be connected to the LAN via 2GHz radio anymore!

Had the same problem here, the fix was disabling management frame protection.

Thank you very much Z0ltan! I disabled the management frame protection on the 2ghz radio security settings and now it works fine.
Best regards!

maigonis · Sat Nov 18, 2023 9:27 pm

By the way, both my hAP ac2 and cAP are restarting with:
Code: Select all
13:18:02 system,error,critical router was rebooted without proper shutdown, probably kernel failure
13:18:03 system,error,critical kernel failure in previous boot
13:18:03 system,error,critical out of memory condition was detected
every few hours.

I will upload autosupout.rif as soon as I reset my password... Done: #[SUP-134525]
Not pressing anyone, just FYI, trying to help :)
My SXT's log show this same after unsuspected reboot.

As already reported, beta2 have memory leak problem.

Hominidae · Sun Nov 19, 2023 12:11 am

For mixed CAPSMAN setups (qcom-ac and qcom), does it matter which package is installed on the CAPSMAN? For now I kept my RB4011 on 7.12/wifiwave2, but I cannot get VLAN-s working on hap ac2 and wap ac

VLANs via CAPsMAN/datapath is not supported on qcom-ac models.
Just use standard VLAN / Bridge filtering method on these CAPs
I am using this just fine with hap-ac3 and now additionally tested with cap-ac and wap-ac (RB4011 on 7.12, wifiwave2, no ax-devices though).
Maybe by caring to provision a separate config without VLAN set in datapath for CAPsMAN for non-ax devices would solve that.

kevigizmo · Sun Nov 19, 2023 10:50 am

I've been doing a load of testing on my Lab and home network with the CAPsMAN & Wave2 CAPsMAN "managers"

So far the findings I've got are:

On a non-ax device it can manage both legacy CAPsMAN & the new wave2 CAPsMAN e.g. it can manage regular cAP ac's etc and cAP ax's on the same unit
Legacy CAPsMAN is under: Wireless > CAPsMAN
wave2 CAPsMAN is under: WiFi

So in my test lab I was able to:
RB4011iGS-+5HacQ2HnD acting as manager (local wireless being managed by legacy CAPsMAN)
cAP ac managed by Legacy CAPsMAN
cAP ax managed by wave2 CAPsMAN
hAP ax2 managed be wave2 CAPsMAN
hAP ac3 managed by wave2 CAPsMAN
cAP ac managed by Legacy CAPsMAN

So moved this to my home network environment:
RB4011iGS+RM acting as manager
2x Audience
1x cAP ax
All 3 above AP's managed on wave2 CAPsMAN - roaming between all 3 devices I've not seen any issues,

The only drawback I've found so far is if you want to run legacy CAPsMAN + wave2 CAPsMAN concurrently on the same unit it either needs to be a non-ax device or a device with no wireless, If you run a ax device as the manager (e.g. hAP ax2) it can't run both CAPsMAN versions, it's an either or situation - which is a little bit of a shame but this is a beta version and the first time both versions are running on same unit.. perhaps one that the team can feedback and see if they can resolve

Kev

Sit75 · Sun Nov 19, 2023 11:27 am

I am running 7.13 Beta 2 WiFi Wave 2 on hAP ac^2 and performance is excellent. One small issue I am facing, is the fact Intel WiFi AC 3165 is able to connect only as WPA-Personal (not WPA2-Personal) with AES (CCMP). If I disable WPA (WPA2 and WPA3 allowed) this card is not able to connect. Intel drivers are the most recent (from July 2023) and WPA2 is supported according Intel. It is quite obvious, this WiFi card is not so old, released 2018. In addition exactly the same WiFi card with exactly same drivers is able to connect WPA2-Personal to AP Totolink A3002RU.

Z0ltan · Sun Nov 19, 2023 2:02 pm

For mixed CAPSMAN setups (qcom-ac and qcom), does it matter which package is installed on the CAPSMAN? For now I kept my RB4011 on 7.12/wifiwave2, but I cannot get VLAN-s working on hap ac2 and wap ac
VLANs via CAPsMAN/datapath is not supported on qcom-ac models.
Just use standard VLAN / Bridge filtering method on these CAPs
I am using this just fine with hap-ac3 and now additionally tested with cap-ac and wap-ac (RB4011 on 7.12, wifiwave2, no ax-devices though).
Maybe by caring to provision a separate config without VLAN set in datapath for CAPsMAN for non-ax devices would solve that.

I tried that but it does not work. Even if I set CAPSMAN to “create enabled” to avoid having new interfaces popping up outside the bridge, I still couldn’t get the VLAN-s working by manually setting up bridge VLAN filtering and tagged / untagged traffic. Eventually I see devices removed from the VLAN config because reprovisioning renamed the interface. Could you please post your bridge config?

For the time being I removed the qcom-ac devices from the CAPSMAN and I could manually configure VLAN-s and it works; it would just be easier with CAPSMAN.

ToTheCLI · Sun Nov 19, 2023 2:26 pm

On Hap AC2 with wifi-qcom-ac package when setting Management Protection to Allowed or Required bandwidth does not exceed 20Mbps, and when disabled I get full speed (600Mbps).

Hominidae · Sun Nov 19, 2023 5:49 pm

I tried that but it does not work. Even if I set CAPSMAN to “create enabled” to avoid having new interfaces popping up outside the bridge, I still couldn’t get the VLAN-s working by manually setting up bridge VLAN filtering and tagged / untagged traffic. Eventually I see devices removed from the VLAN config because reprovisioning renamed the interface. Could you please post your bridge config?

The bridge config is to be applied on the CAP, not the router/device running capsman.
A name change of the wifi interface on the capsman router does not affect the associated VLAN, as forwarding in wifiwave2 is always local on the CAP.
As long as you do not change the provisioning config, the enumeration/naming for each wifi/SSID will be constant, starting with wifi1 to wifiX for each SSID as provisioned in capsman.
Here is my bridge config on a hap-ac3 (it is not different from a normal bridge vlan-filtering config .. capsman is running on my RB4011):

/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2
add bridge=bridge interface=wifi3 pvid=30
add bridge=bridge interface=wifi4 pvid=20
add bridge=bridge interface=wifi5 pvid=99
add bridge=bridge interface=wifi6 pvid=20
add bridge=bridge interface=wifi7 pvid=99
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=1
add bridge=bridge tagged=bridge,ether1 untagged=wifi4,wifi6 vlan-ids=20
add bridge=bridge tagged=bridge,ether1 untagged=wifi3 vlan-ids=30
add bridge=bridge tagged=bridge,ether1 untagged=wifi5,wifi7 vlan-ids=99

before enabling CAP-Mode in the CAP, configure bridge vlan-filtering for the ethernet interfaces as usual.
Then enable the cap-mode and once the cap has registered with the capsman host, you will need to add the wifi interface wifi1 to wifiX to the bridge, assign them the respective VLAN-ID as PVID and set bridge-vlan config as untagged members for the wifi interfaces.
As said, wifi1 to wifiX will stay in the same order and of its assigned SSIDs, as long as you do not change the provisioning config in capsman.

evbocharov · Sun Nov 19, 2023 7:51 pm

On Hap AC2 with wifi-qcom-ac package when setting Management Protection to Allowed or Required bandwidth does not exceed 20Mbps, and when disabled I get full speed (600Mbps).

Create a ticket.
In my 4011(RB4011iGS+5HacQ2HnD + wifiwave2)
When config:
/interface wifiwave2 security add disable-pmkid=yes disabled=no management-protection=allowed

the online broadcast stops and buffering begins then continues online.

When config:
/interface wifiwave2 security add disabled=no management-protection=disabled

Is ok
SUP-134428

Z0ltan · Mon Nov 20, 2023 7:20 am

Here is my bridge config on a hap-ac3 (it is not different from a normal bridge vlan-filtering config .. capsman is running on my RB4011):
Code: Select all
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2
add bridge=bridge interface=wifi3 pvid=30
add bridge=bridge interface=wifi4 pvid=20
add bridge=bridge interface=wifi5 pvid=99
add bridge=bridge interface=wifi6 pvid=20
add bridge=bridge interface=wifi7 pvid=99
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=1
add bridge=bridge tagged=bridge,ether1 untagged=wifi4,wifi6 vlan-ids=20
add bridge=bridge tagged=bridge,ether1 untagged=wifi3 vlan-ids=30
add bridge=bridge tagged=bridge,ether1 untagged=wifi5,wifi7 vlan-ids=99
before enabling CAP-Mode in the CAP, configure bridge vlan-filtering for the ethernet interfaces as usual.
Then enable the cap-mode and once the cap has registered with the capsman host, you will need to add the wifi interface wifi1 to wifiX to the bridge, assign them the respective VLAN-ID as PVID and set bridge-vlan config as untagged members for the wifi interfaces.
As said, wifi1 to wifiX will stay in the same order and of its assigned SSIDs, as long as you do not change the provisioning config in capsman.

Thanks I will give this a try tonight; mine was similar with the exception of leaving the bridge out as tagged port (perhaps that was the mistake here). One interesting thing to note is that the wifix interfaces were dynamically added to the bridge when I was using CAPSMAN and I could neither add them manually nor set the pvid values for a dynamically added bridge port.

raffav · Mon Nov 20, 2023 8:30 pm

I have TP-Link smart plug (kasa version) and I'm unable to connect using cap ax as well
The only way is to force 2.4 to be 2.4n only..but still some refuse to connect..
I try bunch os security options and still not connected or it keeps connecting and disconnecting.....
So at the moment I'm using my cap AC only for 2.4 using old driver (7.12)
And cap ax for 5 GHz (7.12)
Smart plug Is connect using WPA2

daaf · Mon Nov 20, 2023 8:33 pm

With the introduction of the :serialize and :deserialize commands, a world of possibilities opens up for the consumption of the Rest API, however the size of a string variable limits this. Example: https://stat.ripe.net/data /looking-glass/data.json?resource=140.78.0.0/16 cannot be processed due to the size of the returned response.

Do you plan any type of solution or expansion in the size of the variables?

eworm · Mon Nov 20, 2023 9:40 pm

With the introduction of the :serialize and :deserialize commands, a world of possibilities opens up for the consumption of the Rest API, however the size of a string variable limits this. Example: https://stat.ripe.net/data /looking-glass/data.json?resource=140.78.0.0/16 cannot be processed due to the size of the returned response.

Do you plan any type of solution or expansion in the size of the variables?

Currently fetch can not pass more than ~ 64 kB of data. This is a known and expected limitation.

That's what I've been told in SUP-132297, but they also said that the limit could be lifted on more requests. So please open your issue on this!

rextended · Mon Nov 20, 2023 9:52 pm

Currently fetch can not pass more than ~ 64 kB of data. This is a known and expected limitation.

But you can still use my method for put on memory from a file one var of any size, until the memory is depleted...
viewtopic.php?p=1012747#p1012747

Amm0 · Mon Nov 20, 2023 10:25 pm

Currently fetch can not pass more than ~ 64 kB of data. This is a known and expected limitation.
But you can still use my method for put on memory from a file one var of any size, until the memory is depleted...
viewtopic.php?p=1012747#p1012747

True on the data to file... but that still breaks :deserialize, as subject to 64kB limit & a partial fragment of file isn't valid JSON e.g. the first { or [ needs have matching at ] }

rextended · Mon Nov 20, 2023 10:35 pm

I not tested "deserialize", is just about "Currently fetch can not pass more than ~ 64 kB of data."

anav · Tue Nov 21, 2023 2:49 am

What?, You didnt test for deserialize, like thats on page 1 of the Fetch Manual. :-)
Lest not forget at least the 10 references to that subject , in "Dummies Guide to Testing Scripts"

You guys kill me with real networking skills! We are not worthy.

akakua · Tue Nov 21, 2023 11:36 am

On my RBD52G-5HacD2HnD and RB4011iGS+5HacQ2HnD with the wifi-qcom-ac package, I discovered that when the first user connects, the wireless interface goes through the RSTP listening and learning states, despite the Edge property being set to auto. In such a situation, you can forget about seamless roaming.

whatever · Tue Nov 21, 2023 11:44 am

Unfortunately it has been like that in old capsman as well. It's the reason why I disable STP on all my APs.

dcavni · Tue Nov 21, 2023 1:34 pm

I have one older WapAC, that is on MIPSBE architecture. If i see correctly there is no Wave2 drivers in 7.13beta2 for this device even if it has AC Wifi?

Kindis · Tue Nov 21, 2023 1:37 pm

Yes only ARM devices will get it no MIPSBE

iustin · Tue Nov 21, 2023 2:41 pm

Trying to understand how 802.11ac CAP device interfaces should be configured now.

Currently: I have capsman setup to create-dynamic-enabled, and a datapath config that enables vlan and set vlan IDs.

In the future, vlan IDs won't be settable for 802.11ac chipsets, but instead they need to be manually added to the bridge. That also means that create-dynamic-enabled doesn't work anymore, and instead, create-enabled should be used? Does this also mean that many more settings need to be configured locally? (I haven't use create-enabled before)

BrateloSlava · Tue Nov 21, 2023 3:12 pm

Trying to understand how 802.11ac CAP device interfaces should be configured now...

So far I have not encountered any problems with this (create-dynamic-enabled) configuration.

iustin · Tue Nov 21, 2023 3:40 pm

Trying to understand how 802.11ac CAP device interfaces should be configured now...

So far I have not encountered any problems with this (create-dynamic-enabled) configuration.

It's not visible from your post, but do you use VLANs? Without VLANs, yes, it's not a problem. The problem only appears (as I understand things) when VLANs are involved, since they can't be passed anymore via datapath, and instead need to be manually set when joining the interfaces to the bridge (statically). Hence my confusion…

Simonej · Tue Nov 21, 2023 4:10 pm

@BrateloSlava, there is no evidence on your post about Datapath and in case VLANs are involved with AC devices, only one Wi-Fi network is allow to use.
My workaround consist in having the AP configured in standalone mode with interfaces assigned to the bridge, VLAN-ID + configuration.manager=capsman-or-local , as soon as CAPsMAN is activated the master provisioning profile took over the AP config, and because wifi1 and wifi2 interfaces were assigned to the bridge with PVID, client are able to connect.
Problems occurs when more than one Wi-Fi network is needed, due to the slave profiles are creating virtual interfaces that are disappearing after reboot, haven't found any workaround for this except assigning the interfaces to bridge manually.

dcavni · Tue Nov 21, 2023 4:43 pm

I'm having similar problem. Main 2.4 and 5 Ghz Interface get configuration from Capsman server automaticly but i also created seperate IOT Wifi with 2,4 Ghz interface as Master and i add it manualy to bridge on CAP. The problem is, that when i reboot Capsman server this interface disappears (because it's created dynamicly) and status in bridge on the CAP device goes to Unknown. So now i must fix this on every reboot or power failure. Any solutions?

Simonej · Tue Nov 21, 2023 4:54 pm

Maybe create static interfaces instead of dynamic

dcavni · Tue Nov 21, 2023 4:57 pm

I have static interfaces created directly under Wifi menu, i don't use provisioning because somehow i cannot separate devices by their capability (supported bands don't apply) so i then get SSID of 2 Ghz network on 5 Ghz interface.

daaf · Tue Nov 21, 2023 5:11 pm

But you can still use my method for put on memory from a file one var of any size, until the memory is depleted...
viewtopic.php?p=1012747#p1012747
True on the data to file... but that still breaks :deserialize, as subject to 64kB limit & a partial fragment of file isn't valid JSON e.g. the first { or [ needs have matching at ] }

I have used the rextended method (modified by downloading the file with /tool/fetch and loading it with /file/read), and I was able to load a .json file downloaded with /tool/fetch, the file was 240KB and :deserialize processed it No problem. However, I asked to open a ticket to see if they remove that limitation from /tool/fetch.

CTassisF · Tue Nov 21, 2023 6:02 pm

In v7.13beta2, NAT PMP logs are too verbose:

Screenshot 2023-11-21 at 12.56.27.png

I hope this changes before the stable release.

I also noticed that the comments of dynamically-generated NAT PMP firewall rules are mentioning the external (WAN) IPv4 address while UPnP comments show the internal (LAN) IPv4 address.

BrateloSlava · Tue Nov 21, 2023 6:34 pm

@iustin @Simonej
As already written earlier, VLAN support is only through bridge ports.

dcavni · Tue Nov 21, 2023 7:06 pm

So, the only way to separate guest traffic from main wifi is by using VLAN on bridge where capsman is running?

pe1chl · Tue Nov 21, 2023 8:06 pm

In v7.13beta2, NAT PMP logs are too verbose:
I hope this changes before the stable release.

When you don't like it, of course you can change your System->Logging configuration.
Just add !natpmp to the configuration of the info topic.

iustin · Tue Nov 21, 2023 9:06 pm

@iustin @Simonej
As already written earlier, VLAN support is only through bridge ports.

I already wrote that I know that. My question is: does this mean that create-enable-dynamic doesn't work anymore? How is one supposed to configure interfaces (create-enabled probably)?

Simonej · Tue Nov 21, 2023 9:22 pm

Based on my tests, nothing is changed from when CAPsMANv2 was introduced, we can understand about the VLAN "passtrough" limitation, they should fix at least the interface naming change to allow us to create a script to fix the VLAN assignment or make the slaves provision profile to obtain VLAN ID already assigned to created virtual interfaces.

Tue Nov 21, 2023 10:48 pm

Previously, the defaults for path-cost and internal-path-cost were both set to 10. To ensure that the STP setup remains unchanged after an upgrade, these values were retained and are now included in the export.

If instead you wish to have your switch take the new behavior, you can clear the old defaults with:

/interface/bridge
set port-cost-mode=long
/interface/bridge/port
unset value-name=path-cost [find where path-cost=10]
unset value-name=internal-path-cost [find where internal-path-cost=10]

My article on clearing this type of configuration flotsam is here.

Tue Nov 21, 2023 11:01 pm

I'm getting new intermittent /export noise from a CRS328 here:

#error exporting "/ip/hotspot/walled-garden" (timeout)

Being a wired-only switch, it has no hotspot or walled garden configured.

Repeating this backup attempt over SSH caused the error to disappear, and five more repeats didn't cause it to recur. However, I did get this a few times on stderr:

Script Error: missing value(s) of argument(s) numbers

guipoletto · Wed Nov 22, 2023 12:35 am

If instead you wish to have your switch take the new behavior, you can clear the old defaults with:
Code: Select all
unset value-name=path-cost [find where path-cost=10]

Wait, there is an "unset" command?
this is neat, this is cool \o/

Why isn't this avaliable for all settings, or even for whole subsections?
"/routing unset [find]" woud be so nice when coming from 6.x, and having default BGP,OSPF, and now BFD (even from 7.x -> 7.13) configs appear from nowhere

infabo · Wed Nov 22, 2023 12:59 am

unset is pretty awkward. it is not allowed/supported for all value-names. I would find it better to have some kind of "reset" command, so I can reset a value-name to it's ROS default value. Although there is a reset command on CLI - I did not find out yet what this is actually used for.

Wed Nov 22, 2023 1:46 am

Although there is a reset command on CLI - I did not find out yet what this is actually used for.

My article showed one for removing a bogus LTE setting on non-LTE devices.

But yes, RouterOS's CLI is somewhat less than fully orthogonal.

eworm · Wed Nov 22, 2023 1:55 am

Also some properties support unsetting/resetting with exclamation mark, like this:

/interface/bridge/port/set !internal-path-cost !path-cost [ find ];

buset1974 · Wed Nov 22, 2023 7:57 am

Is it possible MT can make /ip services works in multiple vrf like cisco.
because in v7 /ip service can only choose for 1 vrf only

thx

mkamau · Wed Nov 22, 2023 10:19 am

noting memory issues after upgrade to 7.13.1 and console errors with cpu hitting 100% and rebooting the device.
2023-11-21 13:37:12 system,error,critical kernel failure in previous boot
2023-11-21 13:37:12 system,error,critical out of memory condition was detected
system/routerboard/print
routerboard: yes
model: RB2011UiAS
revision: r2
serial-number: C6910C517E06
firmware-type: ar9344
factory-firmware: 6.46.4
current-firmware: 7.13beta2
upgrade-firmware: 7.13beta2

iustin · Wed Nov 22, 2023 12:59 pm

Although there is a reset command on CLI - I did not find out yet what this is actually used for.

My article showed one for removing a bogus LTE setting on non-LTE devices.

But yes, RouterOS's CLI is somewhat less than fully orthogonal. 😛

Wow, that article is very useful. Thank you very much!

ToTheCLI · Wed Nov 22, 2023 7:35 pm

On Hap AC2 with wifi-qcom-ac package when setting Management Protection to Allowed or Required bandwidth does not exceed 20Mbps, and when disabled I get full speed (600Mbps).
Create a ticket.
In my 4011(RB4011iGS+5HacQ2HnD + wifiwave2)
When config:
/interface wifiwave2 security add disable-pmkid=yes disabled=no management-protection=allowed

the online broadcast stops and buffering begins then continues online.

When config:
/interface wifiwave2 security add disabled=no management-protection=disabled

Is ok
SUP-134428

After I sent supout, I found this in log

created new share: pub

script error: action timed out - try again, if error continues contact MikroTik support and send a supout file (13)

Is this normal?
The hapac2 is only used as an AP never seen this in log before

Screenshot 2023-11-22 203114.png

doneware · Wed Nov 22, 2023 7:39 pm

can we finally have proper IPv6 support for the :resolve command?

if i try to resolve an FQDN that only has AAAA record, it works:

[admin@mikrotik] > :put [:resolve domain-name=test.0vrly.eu server=2001:4c48:1::1 server-port=53]                        
2001:4c48:1::1
[admin@mikrotik] > :put [:resolve domain-name=test.0vrly.eu server=2001:4c48:1::1 server-port=53]
2001:4c48:1::1
[admin@mikrotik] > :put [:resolve domain-name=test.0vrly.eu server=2001:4c48:1::1 server-port=53]
2001:4c48:1::1

but if it has both A and AAAA records, we never get to the quad-A:

[admin@mikrotik] > :put [:resolve domain-name=dns.google.com server=2001:4c48:1::1 server-port=53]      
8.8.8.8
[admin@mikrotik] > :put [:resolve domain-name=dns.google.com server=2001:4c48:1::1 server-port=53]
8.8.4.4
[admin@mikrotik] > :put [:resolve domain-name=dns.google.com server=2001:4c48:1::1 server-port=53]      
8.8.8.8
[admin@mikrotik] > :put [:resolve domain-name=dns.google.com server=2001:4c48:1::1 server-port=53]
8.8.4.4

i mean, can we get q=AAAA as a command line argument to :resolve?
or it could just return an array with all resolved addresses.

[admin@mikrotik] > :put [:typeof [:resolve domain-name=dns.google.com server=2001:4c48:1::1 server-port=53]]
ip
[admin@mikrotik] > :put [:typeof [:resolve domain-name=test.0vrly.eu server=2001:4c48:1::1 server-port=53]]               
ip6

but i'd love to have q=XXXX - this would open up a great deal of possibilities on the automation side. i don't care too much if it simply returns a string. i can convert it to address if needed, that part works just fine.

oh, and one more thing. please give the same treatment to /tool/fetch
currently it won't fall back to IPv6 if ipv4 is not available. i don't care if we don't get the full blown "happy eyeballs" algorithm - the routers i've seen til this day did not have eyes anyway - but if fetch would have something like af=4 or af=6 that would force it to v4 or v6, that'd be great

eworm · Wed Nov 22, 2023 7:57 pm

oh, and one more thing. please give the same treatment to /tool/fetch
currently it won't fall back to IPv6 if ipv4 is not available. i don't care if we don't get the full blown "happy eyeballs" algorithm - the routers i've seen til this day did not have eyes anyway - but if fetch would have something like af=4 or af=6 that would force it to v4 or v6, that'd be great

Well, currently fetching IPv6-only (having AAAA record, but no A record) fails anyway... 😜
Reported as SUP-134908.

doneware · Wed Nov 22, 2023 8:46 pm

Reported as SUP-134908.

i also opened a request earlier today SUP-135280

pe1chl · Wed Nov 22, 2023 9:33 pm

oh, and one more thing. please give the same treatment to /tool/fetch
currently it won't fall back to IPv6 if ipv4 is not available. i don't care if we don't get the full blown "happy eyeballs" algorithm - the routers i've seen til this day did not have eyes anyway - but if fetch would have something like af=4 or af=6 that would force it to v4 or v6, that'd be great

And of course the "check for upgrades / download upgrades" that probably uses the same routines as /tool/fetch...

Amm0 · Wed Nov 22, 2023 9:56 pm

oh, and one more thing. please give the same treatment to /tool/fetch
currently it won't fall back to IPv6 if ipv4 is not available. i don't care if we don't get the full blown "happy eyeballs" algorithm - the routers i've seen til this day did not have eyes anyway - but if fetch would have something like af=4 or af=6 that would force it to v4 or v6, that'd be great
And of course the "check for upgrades / download upgrades" that probably uses the same routines as /tool/fetch...

Certainly +1 for some "af=4|6" in :resolve — although perhaps "type=" which allow other RRs an IPv6 via type=AAAA.
But @pe1chl and @doneware raise a good point that IPv6 support in :resolve would NOT help to "force" internal services DNS queries to using a AAAA / IPv6 lookup (e.g. packages, fetch, WG peer, etc.), which likely just a plain gethostbyname(). Perhaps some setting in /ip/dns for "preferred" addr-family (IPv4 v. IPv6)...

Wed Nov 22, 2023 11:16 pm

Is it possible MT can make /ip services works in multiple vrf like cisco.
because in v7 /ip service can only choose for 1 vrf only

thx

+1

sszbv · Wed Nov 22, 2023 11:59 pm

OMG I just replaced all my accesspoints (cap ac and cap ac xl) by cap ax... just to get roaming :)
Anyway, this is great news!!! Now I can re-use the old caps.

I see something in the changelog that makes me unhappy though:

*) defconf - use device factory preset credentials when using CAPs mode;

This will make my life miserable :(

And another thing, the vlan id in the datapath for ac devices, it can't be that hard to automatically add the pvid to the interface locally. It can be done manually as shown in earlier posts. It's also done when using the old capsman.
I hope this will become possible at some point in time :)

mkx · Thu Nov 23, 2023 8:10 am

*) defconf - use device factory preset credentials when using CAPs mode;

This will make my life miserable :(

Why's that? defconf is just default config ... and one can change it as it fits.

Hominidae · Thu Nov 23, 2023 10:05 am

Trying to understand how 802.11ac CAP device interfaces should be configured now.

Currently: I have capsman setup to create-dynamic-enabled, and a datapath config that enables vlan and set vlan IDs.

In the future, vlan IDs won't be settable for 802.11ac chipsets, but instead they need to be manually added to the bridge. That also means that create-dynamic-enabled doesn't work anymore, and instead, create-enabled should be used? Does this also mean that many more settings need to be configured locally? (I haven't use create-enabled before)

The way AFAIU this setting works, is for naming on the capsman host, not on the CAP.
The CAP would always enumerate the interfaces, starting from wifi1 to wifiN and enumeration will depend on the sequence of how the SSIDs are configured in provisioning settings on the capsman host.
For example, I have 3x SSIDs for 2.4GHz and 2 SSIDs for 5GHz, hence I will end up wifi interfaces wifi1, wifi2, ..., wifi7 on each CAP.
This is the list of wifi interfaces that need to be added to the bridge on the CAP and - as long as you do not change provisioning - will stay in the same order. So for ac chipsets, you can set individual PVIDs for each wifi interface in the bridges of each CAP.
With two CAPs in use, the capsman host will list 2x7 wifi interfaces aadn enumeration can chanage based to identity settings....but you don't need to do anything with these for the bridge on the capsman host, as CAPS will use local forwarding only, anyway.

Thu Nov 23, 2023 10:18 am

*) defconf - use device factory preset credentials when using CAPs mode;

This will make my life miserable

Nothing changes in your workflow. When booting into CAP mode with the button, you don't need to connect to the CAP device. It gets all of it's wireless config from CAPsMAN. That is the whole point of the CAP, is that you do not connect to it for management at all. All config comes from CAPsMAN, so it does not matter whether it has a password or not.

In the reverse situation (as it was) it was like this - you have a password protected AP, but somebody can come and boot into CAP mode and then there is no more password, anyone could get into your AP this way.

iustin · Thu Nov 23, 2023 11:08 am

Trying to understand how 802.11ac CAP device interfaces should be configured now.

Currently: I have capsman setup to create-dynamic-enabled, and a datapath config that enables vlan and set vlan IDs.

In the future, vlan IDs won't be settable for 802.11ac chipsets, but instead they need to be manually added to the bridge. That also means that create-dynamic-enabled doesn't work anymore, and instead, create-enabled should be used? Does this also mean that many more settings need to be configured locally? (I haven't use create-enabled before)
The way AFAIU this setting works, is for naming on the capsman host, not on the CAP.
The CAP would always enumerate the interfaces, starting from wifi1 to wifiN and enumeration will depend on the sequence of how the SSIDs are configured in provisioning settings on the capsman host.
For example, I have 3x SSIDs for 2.4GHz and 2 SSIDs for 5GHz, hence I will end up wifi interfaces wifi1, wifi2, ..., wifi7 on each CAP.
This is the list of wifi interfaces that need to be added to the bridge on the CAP and - as long as you do not change provisioning - will stay in the same order. So for ac chipsets, you can set individual PVIDs for each wifi interface in the bridges of each CAP.
With two CAPs in use, the capsman host will list 2x7 wifi interfaces aadn enumeration can chanage based to identity settings....but you don't need to do anything with these for the bridge on the capsman host, as CAPS will use local forwarding only, anyway.

Thank you, this is the first answer that goes into details, much appreciated. I dislike that I have to rely on “don’t change config then mapping is stable” - not sure why capsman can’t simply add the interfaces itself, or tell the cap to do it, it doesn’t seem to need hardware support? But I can live with it….

Ullinator · Thu Nov 23, 2023 12:36 pm

*) defconf - use device factory preset credentials when using CAPs mode;

This will make my life miserable :(
Nothing changes in your workflow. When booting into CAP mode with the button, you don't need to connect to the CAP device. It gets all of it's wireless config from CAPsMAN. That is the whole point of the CAP, is that you do not connect to it for management at all. All config comes from CAPsMAN, so it does not matter whether it has a password or not.

In the reverse situation (as it was) it was like this - you have a password protected AP, but somebody can come and boot into CAP mode and then there is no more password, anyone could get into your AP this way.

Hi Normis,
I think that's a bold statement. :-/
Even in CAP mode, you have to change the manager on the interfaces locally to "CAPsMAN" on the CAPs and also the "Datapath".
Therefore, you must have local access to the CAP in CAPS mode.
Only with the old CAPsMAN for AC devices was it possible without any local config, no longer with the CAPsMAN for AX devices

Thu Nov 23, 2023 12:38 pm

Ullinator, that is not true. Nothing has to be changed on the CAP even in new capsman. Make a new topic, if you are not sure how to use it. There should be no reason to manually configure CAP clients.

ivicask · Thu Nov 23, 2023 1:59 pm

Ullinator, that is not true. Nothing has to be changed on the CAP even in new capsman. Make a new topic, if you are not sure how to use it. There should be no reason to manually configure CAP clients.

What about routerboard upgrades, i always need to log into cap and turn automatic routerboard upgrades on reboot, can you maybe in future automate/improve this process so its done automatically from capsman manager?(or just set it ON by default maybe?)

iustin · Thu Nov 23, 2023 2:33 pm

Ullinator, that is not true. Nothing has to be changed on the CAP even in new capsman. Make a new topic, if you are not sure how to use it. There should be no reason to manually configure CAP clients.

This is a bit different, but I thought - yes, you need to configure wifi-qcom-ac CAP devices manually regarding VLANs? Per https://help.mikrotik.com/docs/display/ ... stfeatures, my understanding is that one needs to log in to the CAP and manually configure the bridge, as it's not possible to push the config from CapsMan?

sinisa · Thu Nov 23, 2023 6:48 pm

Ullinator, that is not true. Nothing has to be changed on the CAP even in new capsman. Make a new topic, if you are not sure how to use it. There should be no reason to manually configure CAP clients.
This is a bit different, but I thought - yes, you need to configure wifi-qcom-ac CAP devices manually regarding VLANs? Per https://help.mikrotik.com/docs/display/ ... stfeatures, my understanding is that one needs to log in to the CAP and manually configure the bridge, as it's not possible to push the config from CapsMan?

I was just about to write this...

Also, if there are multiple SSID-s, going to multiple bridges (which used to be defined on CAPsMAN only and used via CAPsMAN Forwarding), situation is much more complicated, this is something that worked "out-of-the-box" with old CAPsMAN.

We need some automatic solution for this, like for example: CAPsMAN should instruct CAP to create: VLAN on Discovery interface, bridge with new VLAN as one of the ports, Datapath going to this new bridge, SSID with new Datapath, all with some Comments or some other info so the CAP knows not to save them to config or to ignore them when booting and request them again from CAPsMAN (I know, not a trivial task, but only in this way "reset to CAP mode" has any meaning for anything but most trivial implementations, and those don't even need CAPsMAN)

Ullinator · Thu Nov 23, 2023 7:13 pm

Ullinator, that is not true. Nothing has to be changed on the CAP even in new capsman. Make a new topic, if you are not sure how to use it. There should be no reason to manually configure CAP clients.

Normis, you´re half right ;-) I´ve testet it with an CAP AX and CAP AC. In CAPS-mode everything is deployed from the CAPsMAN, but it´s different if you connect it manually to the CAPsMAN (why?)
And it works in the same way with an AC-device. But if you use VLAN´s on AC´s, you have to delete the datapath on the CAP itself, otherwise: no working VLAN´s :-(
So I hope you bring the same features to the old AC-devices as you already did with the AX onces.!? :-D
Thank you :-)

pe1chl · Thu Nov 23, 2023 7:28 pm

We need some automatic solution for this, like for example: CAPsMAN should instruct CAP to create: VLAN on Discovery interface, bridge with new VLAN as one of the ports, Datapath going to this new bridge, SSID with new Datapath, all with some Comments or some other info so the CAP knows not to save them to config or to ignore them when booting and request them again from CAPsMAN (I know, not a trivial task, but only in this way "reset to CAP mode" has any meaning for anything but most trivial implementations, and those don't even need CAPsMAN)

Remember with a fixed assignment of SSID to bridge port as untagged member of some VLAN it is NEVER going to work in an acceptable way! WiFi interfaces need to be able to be member of a tagged VLAN, or else we will never be able to assign a VLAN to a user via user-manager, either with MAC-based RADIUS authentication or with WPAx-EAP. That would make wifiwave2 forever be a toy in any enterprise(-like) environment.
So any development effort spent on this matter is better spent at the WiFi level rather than tricks at the bridge level!

Guscht · Thu Nov 23, 2023 7:40 pm

What about routerboard upgrades, i always need to log into cap and turn automatic routerboard upgrades on reboot

I have automated this step via a smol script. Shame on MT for not offering this as an option for decades...

And shame on MT for making everything so incredible overcomplicated. Every vendor is trying to help admins and make thing easier. MT-SADISTS: WE WILL GIVE YOU DEPRESSION....

merlinthemagic7 · Fri Nov 24, 2023 12:02 am

2c.

Would be quite nice if we would be able to lift the limitation on AC interfaces doing vlan tagging based on RADIUS attributes. e.g. lifting the restriction that errors out with: "can not assign VLAN, maximum VLAN count for interface reached".

Dont get me wrong, thank you for enabling the WAVE2 potential of the AC2 units.I know you guys are working with ~300Kb of storage at this point (AC2) and i feel this is equivalent to the efforts required to save scarce memory back in the 70s: "how do we make the program fit in RAM on this PDP11?"

Its a selfish request, as my life gets so much easier with a unified configuration schema. AC and AX both using the newer profile based config would simplify matters quite a bit.

Regardless, breaking up the wireless package to accommodate older hardware is exactly the kind of move I expect from Mikrotik, A move unlikely to increase revenue or market share in the short term, but because as engineers we cannot leave all those potential performance gains sitting idle.

sinisa · Fri Nov 24, 2023 11:33 am

We need some automatic solution for this, like for example: CAPsMAN should instruct CAP to create: VLAN on Discovery interface, bridge with new VLAN as one of the ports, Datapath going to this new bridge, SSID with new Datapath, all with some Comments or some other info so the CAP knows not to save them to config or to ignore them when booting and request them again from CAPsMAN (I know, not a trivial task, but only in this way "reset to CAP mode" has any meaning for anything but most trivial implementations, and those don't even need CAPsMAN)
Remember with a fixed assignment of SSID to bridge port as untagged member of some VLAN it is NEVER going to work in an acceptable way! WiFi interfaces need to be able to be member of a tagged VLAN, or else we will never be able to assign a VLAN to a user via user-manager, either with MAC-based RADIUS authentication or with WPAx-EAP. That would make wifiwave2 forever be a toy in any enterprise(-like) environment.
So any development effort spent on this matter is better spent at the WiFi level rather than tricks at the bridge level!

That was just an idea, considering that VLANs don't work on ac equipment. I can (and will) create some scripts to automate this for me, but that will be anything but "no configuration needed"...

DenisPDA · Fri Nov 24, 2023 12:07 pm

Problem with CRL update (Next Update)
Now I have to update it with a script

7.13b2.JPG

pe1chl · Fri Nov 24, 2023 2:12 pm

That was just an idea, considering that VLANs don't work on ac equipment. I can (and will) create some scripts to automate this for me, but that will be anything but "no configuration needed"...

I don't think it is possible to write a script that creates the functionality of the old wireless package: to have a different VLAN for different clients connected to the same SSID (via access list or user-manager)... this has to be solved by MikroTik in the WiFi driver or some special MACVLAN-like device they put between the WiFi and the main bridge, that can tag/untag packets with different VLAN tag depending on client MAC.

sinisa · Fri Nov 24, 2023 3:39 pm

I don't think it is possible to write a script that creates the functionality of the old wireless package: to have a different VLAN for different clients connected to the same SSID (via access list or user-manager)... this has to be solved by MikroTik in the WiFi driver or some special MACVLAN-like device they put between the WiFi and the main bridge, that can tag/untag packets with different VLAN tag depending on client MAC.

My use case is a lot simpler that that, no RADIUS, no user-manager, only 4 SSIDs connected to 4 bridges, each connected to different VLAN, having different firewall rules on main router (RB1100AHx4 in my case).
That works in (now) old CAPsMAN2 (does anyone remember even older v1?) with CAPsMAN forwarding, but not in Wave2 CAPsMAN (which they call WiFi to add to confusion).

So yes, scripting is possible, but script has to run AFTER CAP is connected to CAPsMAN to be able to add WiFi interfaces to appropriate bridges (created in advance). Another script to check for CAPsMAN connection and undo everything first script did on disconnect/reboot. Not trivial, but doable. Lots of places for race conditions :)

Kindis · Fri Nov 24, 2023 3:41 pm

So they issue that AC interfaces do not get VLAN assigned on the bridge is still present in this release? If so is there a plan to fix this?

JohnTRIVOLTA · Fri Nov 24, 2023 5:28 pm

Something strange happens. If i set the 5ghz radio on the cAP AC with local settings i will achieve over 400mb/ps download, but when i use capsman wave2 i will only get 150~170 mb/ps. The tests are provided with cuple cAP ACs in different buildings on3-4m. distance and clear LOS!

Hominidae · Fri Nov 24, 2023 7:24 pm

@JohnTRIVOLTA ...this is my cap-AC and ww2+capsman on a RB4011, client is a Samsung S20FE, 4 meters away:

Screenshot_20231118_215506_Chrome.jpg

...I think yours is a specific, local problem with your setup.

JohnTRIVOLTA · Fri Nov 24, 2023 10:58 pm

...I think yours is a specific, local problem with your setup.

Yes, I think I understand what the problem is in this case. I use pppoe in vlan on built backbone with vlans to transport L2 traffic /network/ with eoip on both ends - CCR2116 and cAP ACs. I noticed that in the tests, only one processor core works, and the more complex the configuration - two tunnels in this case, the less traffic passes.

pe1chl · Fri Nov 24, 2023 11:15 pm

My use case is a lot simpler that that, no RADIUS, no user-manager, only 4 SSIDs connected to 4 bridges, each connected to different VLAN, having different firewall rules on main router (RB1100AHx4 in my case).

I had that before, but the problem is it does not scale: for every new network you need to add, you need to broadcast another SSID and waste more radiotime doing so. 4 SSIDs is about the maximum you can reasonably do.
I was so happy that I had a good solution to have many different networks in a scalable way (easy to add another VLAN)... but now it seems to be a dead end, even now that my hAP ac2 is supported in the new WiFi driver.

pe1chl · Sat Nov 25, 2023 12:26 pm

For every device in my network I have a winbox session open which I carefully configured with the windows opened that I like.
Each with columns selected and set to the correct width.
On a devices running 7.12 I have configured the "wireless" window to be open, tab "registration" selected, and the columns selected.
After upgrade a new connection opens with the "wifi" menu on the AAA tab instead. But it is empty because I did not install the new wifi driver, package wireless is installed.
When I close this and open Wireless->Wireless instead, the column settings for "registration" are lost (set to default).
Well, I reconfigured it and set the correct settings again, then saved the session, but when I close and re-open the issue repeats.
(is again opened with the wrong wireless window, the wrong, tab, and after closing and opening wireless the columns again are wrong)
Please fix...

Hominidae · Sat Nov 25, 2023 2:45 pm

Yes, I think I understand what the problem is in this case. I use pppoe in vlan on built backbone with vlans to transport L2 traffic /network/ with eoip on both ends - CCR2116 and cAP ACs.

Yes, ppoe is not multi-thread in ROS, AFAIK...so this imposes a bottleneck.
But then this problem should not be related to ww2 drivers in any way, shouldn't it?
Even more so, since CAPs are only using local forwarding in capsman on ww2, too.

sp670 · Sat Nov 25, 2023 7:59 pm

I got RB3011 as Caps manager, 2 Cap ACs and 2 Wap ACs (Old version, MIPSBE) as access point.
I've got them all upgrade to 7.13 beta2 by now, 2 Cap ACs with wifi-qcom-ac package worked well. Performance test showed that the download speed could hit 700Mbps+, that's a very good performance among all Wi-Fi5 access points.
But the old version Wap AC with MIPSBE chipset couldn't be upgraded to wave2 package by now, keep the same download speed with the old wireless driver.
So there is a question, is there a plan to let the MIPSBE chipset access point to have a wave2 package in the future ? Or the MIPSBE chipset access point can't have wave2 support anymore ?

iustin · Sat Nov 25, 2023 8:33 pm

I think that the situation is not very clear yet on Mikrotik's side either. Even for supported devices, there are questions like: are the lost features (vlan-id in datapath) permanent (due to HW limitations), or just temporary (needs more work)? It's also not clear exactly how some configurations should look like (at least to me).

So I think Mikrotik needs a bit more time to sort out everything. It's only beta2 so far, not even a rc :)

Kindis · Sat Nov 25, 2023 10:30 pm

This I would love to know as well. The vlan.id is till in the wiki for wifi (new) and in old for wifiwave2 but I wonder now that a hell of a lot more devices can run new CapsMAN if this will not be fixed especially as forwarding is no longer present and vlan is needed. I have emailed and asked and hope for the best.

Kindis · Sat Nov 25, 2023 10:31 pm

@sp670 I do not think the MIPSBE chipset supports wave2 as this is needed.

sinisa · Sat Nov 25, 2023 11:14 pm

I had that before, but the problem is it does not scale: for every new network you need to add, you need to broadcast another SSID and waste more radiotime doing so. 4 SSIDs is about the maximum you can reasonably do.
I was so happy that I had a good solution to have many different networks in a scalable way (easy to add another VLAN)... but now it seems to be a dead end, even now that my hAP ac2 is supported in the new WiFi driver.

In my case, 4 SSIDs config is already over-complicated (historic reasons, will go down soon hopefully), usually only 2 are required: Private and Public/Guest. But this is not about limitations of WiFi networking, but about AUTOMATIC configuration upon factory reset to CAP mode, which is now only possible in simplest cases with no more than 1 Datapath (I'm even not convinced about this, but will test tomorrow with my home network of 2 hAP ac2s).

dcavni · Sun Nov 26, 2023 10:42 am

Just one quick question. Can i run both Capsmans on 7.12 on 5009? I'm having some problems with 7.13 b2.

Sun Nov 26, 2023 11:08 am

Nope.
Only as of 7.13b this should be possible.

npeca75 · Sun Nov 26, 2023 12:10 pm

In my case, 4 SSIDs config is already over-complicated

which could be very easy to solve with OpenWRT / dynamic VLANs per passphrase.
So, one SSID and numerous passwords for each vlan
this setup work very nicely on OWRT / hap ac2 / DumbAP

i opened this question few month ago on forum, but there is no much noise

solution is very simple
if MT once allow in capsman that access-list fall-trough on 00:00:00:00:00:00 entry's until private-passphrase= match, we could all delete bunch of SSID's

but ...

dcavni · Sun Nov 26, 2023 12:23 pm

Nope.
Only as of 7.13b this should be possible.

Thank you for answer. I will just leave all CAPS on 7.13 and install 7.12.1 with Wave2 package back on 5009. So i will get speed of Wave2 drivers and stability of 7.12.1 :) Now i only must remove remaining old MIPS and SMIPS devices from network and exchange them with something else.

kravemir · Sun Nov 26, 2023 6:44 pm

OMFG!!!! I had to check it out before believing - 5009 as wifi capsman, 2x cap ax and now 3x wap ac, all in the same capsman - FINALLLY!!!
working without issues, had to manually uninstall old wireless package after check for upgrade.

Yes, this is a very great! And, quite nice of MikroTik - making old hardware to be compatible with the new generation of wireless software / system / CAPsMAN.

I've just experimented with my wAP ac (RBwAPG-5HacD2HnD) - it's winter, not a mission critical, because nobody is really spending time outside now. I upgraded to 7.12 and then to 7.13beta2, uninstalled old wireless package and installed the new wifi-qcom-ac package. And, after a bit of setup, it works!

Looks like I'm buying another wAP ac to cover the rest of the garden, once the winter passes.

I am using hAP ax³ (C53UiG+5HPaxD2HPaxD) as CAPsMAN - on 7.12 (I know, there's 7.12.1 now) with WifiWave2. I'm quite glad-surprised, that the wAP ac with the new WiFi driver works with WifiWave2 on hAP ax³, and I really don't want to experiment with it (installing beta software), because it's mission critical - used on daily basis.

I'm attaching the wAP config - if somebody is interested. I'm not sharing hAP ax³, because I've got some amount of private stuff in there - it's my primary/edge router. However, there's nothing special done for wAP ac, the CAP was configured as hAP ax² CAP running WifiWave2. I'm using "CAPsMAN static" interface provisioning, because of the driver limitation:

802.11ac chipsets do not support this type of VLAN tagging , but they can be configured as VLAN access ports in bridge settings.

iustin · Sun Nov 26, 2023 11:39 pm

I'm attaching the wAP config - if somebody is interested. I'm not sharing hAP ax³, because I've got some amount of private stuff in there - it's my primary/edge router. However, there's nothing special done for wAP ac, the CAP was configured as hAP ax² CAP running WifiWave2. I'm using "CAPsMAN static" interface provisioning, because of the driver limitation:
802.11ac chipsets do not support this type of VLAN tagging , but they can be configured as VLAN access ports in bridge settings.

Ooh, this is very useful. Just to see if I understood right - your main "wifi-2.4G" and "wifi-5G" are running on the default VLAN (pvid 1), and the "-guest" variant on VLAN 31, right?

Could you share just the capsman config from your hAP ax³ if you can? (In old capsman, it would be "/capsman export", not sure in new one where it is). I'd like to understand the radios and provisioning rules you're using.

Thanks!

sszbv · Mon Nov 27, 2023 10:37 am

*) defconf - use device factory preset credentials when using CAPs mode;

This will make my life miserable :(
Nothing changes in your workflow. When booting into CAP mode with the button, you don't need to connect to the CAP device. It gets all of it's wireless config from CAPsMAN. That is the whole point of the CAP, is that you do not connect to it for management at all. All config comes from CAPsMAN, so it does not matter whether it has a password or not.

In the reverse situation (as it was) it was like this - you have a password protected AP, but somebody can come and boot into CAP mode and then there is no more password, anyone could get into your AP this way.

Well, as some others pointed out already, maybe it's true for the way you use the caps.
On the old capsman, with the tunnel from cap to capsman, it works fine with the default config. Then you can do all the vlan handling on the capsman router. But for the new version of capsman when you need multiple ssids and vlans, in my experience, I need to put my own config into the cap.

Anyway, I don't like devices in a network that I can't login to. Like, someone can take the cap and read the password from the sticker, change it and abuse it. So I'll have to change the password, meaning more work when placing the caps. Either doing netinstall/flashfig beforehand, or making pictures of the capstickers during placement and maintaining some sort of administration for them incase a cap is reset.
With 4 caps this is no issue, but with 40 caps it becomes troublesome.

But, I'll probably learn to live with it.
The pros of using MikroTik caps are still outweighing the cons, so I'll stick to them :)

You are doing a great job with the new capsman and the seperate driverpackages!
Also in general, v7 is becoming really good!

sszbv · Mon Nov 27, 2023 10:47 am

I've just experimented with my wAP ac (RBwAPG-5HacD2HnD) - it's winter, not a mission critical, because nobody is really spending time outside now. I upgraded to 7.12 and then to 7.13beta2, uninstalled old wireless package and installed the new wifi-qcom-ac package. And, after a bit of setup, it works!

Wait what? wAP ac is mipsbe with AR9300, but the wifi-qcom-package works on it?
That's pretty cool!

Anyone tested it on mANTBox 52 15s?
I should have one lying around here somewhere... will try it when I find it.

Mon Nov 27, 2023 10:55 am

Wait what? wAP ac is mipsbe with AR9300, but the wifi-qcom-package works on it?
That's pretty cool!

Sorry to burst your bubble but this is about wAP AC arm version...
https://mikrotik.com/product/wap_ac

eworm · Mon Nov 27, 2023 10:59 am

Wait what? wAP ac is mipsbe with AR9300, but the wifi-qcom-package works on it?
That's pretty cool!

There are two versions of wAP ac - MIPSBE and ARM. The ARM version works with new drivers, the MIPSBE version does not.

Mon Nov 27, 2023 11:08 am

What's new in 7.13beta3 (2023-Nov-24 13:52):

*) bridge - added automatic "path-cost" values depending on interface rate;
*) bridge - fixed HW offload enable with multiple switches (introduced in v7.13beta1);
*) bridge - improved HW offload enable;
*) certificate - fixed CRL check (introduced in v7.13beta1);
*) certificate - fixed host certificate verification if host is IP address (introduced in v7.13beta1);
*) certificate - fixed manual URL addition for CRL (introduced in v7.13beta2);
*) certificate - improved CRL signature verification and download error messages;
*) certificate - use error topic for CRL update failures;
*) console - added "read" command under "file" menu;
*) console - added unset option for "ssid-regex" and "allow-signal-out-of-range" properties under "interface/wifi/access-list" menu;
*) console - fixed misaligned columns (introduced in v7.13beta1);
*) console - improved stability when removing script;
*) defconf - fixed bogus wifi password on certain Audience devices;
*) defconf - use "WISP Bridge" default configuration mode for RBGrooveGA-52HPacn device;
*) fetch - added "http-auth-scheme" parameter, allows to select HTTP basic or digest authentication;
*) fetch - added raw logging;
*) ospf - fixed LSA Type3 advertisement for OSPFv2;
*) qos-hw - added initial congestion avoidance support for 98DX224S, 98DX226S, and 98DX3236 switch chips (CLI only);
*) qsfp - fixed supported rates for breakout cables (introduced in v7.12);
*) sfp - added "1G-baseT" link mode for modules that supports "2.5G-baseT" mode;
*) sfp - allow 2.5G rates only in forced link mode;
*) sfp - fixed SFP and combo interface handling for CRS328-4C-20S-4S+ device (introduced in 7.13beta1);
*) sfp - ignore "rx-loss" in forced link mode;
*) sfp - ignore irrelevant extended compliance code for SFP modules;
*) sfp - show 10M and 100M supported rates for RJ45 copper modules;
*) ssh - added cipher and hash function acceleration for ARM64 and x86 architectures;
*) supout - include missing wireless information (introduced in v7.13beta1);
*) wifi - enable protected interworking ANQP responses;
*) wifi-qcom - added fast-path for received packets;
*) winbox - fixed memory allocation (introduced in v7.13beta2);

sszbv · Mon Nov 27, 2023 11:25 am

Wait what? wAP ac is mipsbe with AR9300, but the wifi-qcom-package works on it?
That's pretty cool!

Sorry to burst your bubble but this is about wAP AC arm version...
https://mikrotik.com/product/wap_ac

Ha I thought so...
mantbox is ARM though, that might work

ToTheFull · Mon Nov 27, 2023 11:26 am

Thanks.
Winbox, The channel box still isn't fixed.

CTassisF · Mon Nov 27, 2023 2:18 pm

Upgraded to 7.13beta3 and noticed that if I reboot my CAPsMAN (RB5009), all the wireless interfaces of my CAPs (hAP ax3 and hAP ac3) will show as “busy” and not work.

Rebooting the CAPs after rebooting the CAPsMAN solves the issue.

SUP-135728

alibloke · Mon Nov 27, 2023 4:02 pm

I was just stung by that, it doesn't appear to affect legacy "wireless" capsman.

BrateloSlava · Mon Nov 27, 2023 4:05 pm

There is no WiFi network after the update. Screenshot from the controller.
Operation is restored after two reboots of the wireless points and the controller.

pe1chl · Mon Nov 27, 2023 5:03 pm

How is that relevant in this situation? Nothing has been broken, upgrade is transparent. Just ignore the capsman menu, you will get used to it.

(that was a reply to the confusing situation that now a device which uses the "wireless" driver has two different menus for wireless config)

Well, actually something has been broken: the saved session for for winbox gets confused, it opens the wrong window and forgets the settings.
Maybe the old and new wireless windows have the same ID in the saved session?

Ullinator · Mon Nov 27, 2023 5:29 pm

There is no WiFi network after the update. Screenshot from the controller.
Operation is restored after two reboots of the wireless points and the controller.

The same for me:

hc_102.jpg

Even the change of the "Controller" from CAPsMAN or local" to "CAPsMAN" only changed nothing.
When the CAP lost even short the connection to the CAPsMAN the connection is broken with the error picture in the Screenshot.
That´s not good.... :-/
Only the reboot of all CAPs solves the situation, until the next connection lost...

kravemir · Mon Nov 27, 2023 7:09 pm

I'm attaching the wAP config - if somebody is interested. I'm not sharing hAP ax³, because I've got some amount of private stuff in there - it's my primary/edge router. However, there's nothing special done for wAP ac, the CAP was configured as hAP ax² CAP running WifiWave2. I'm using "CAPsMAN static" interface provisioning, because of the driver limitation:

Ooh, this is very useful. Just to see if I understood right - your main "wifi-2.4G" and "wifi-5G" are running on the default VLAN (pvid 1), and the "-guest" variant on VLAN 31, right?

Yes. Normal/private network is on the default/untagged VLAN 1. Guest is on 31.

Could you share just the capsman config from your hAP ax³ if you can? (In old capsman, it would be "/capsman export", not sure in new one where it is). I'd like to understand the radios and provisioning rules you're using.

I'm attaching WifiWave2 part of the hAP ax³ config - CAPsMAN, that is driving the wAP ac and hAP ax².

The hAP ac³ is currently unused, because I've replaced it with hAP ax², that doesn't hit the eye that much, as the big and bulky hAP ac³.

The 802.11r/k/v roaming works too - without any extra effort - just added another CAP reusing configuration - working with my previous setup focused on seamless fast roaming. Logs like:

3E:XX:XX:XX:XX:XX@K-NET.hAP-ax2.1-5G2 roamed to 3E:XX:XX:XX:XX:XX@K-NET.wAP.1-5G2, signal strength -77

Also, posting (attachments?) on this forum is a bit annoying. I'm behind CGNAT, and probably some other clients behind the same public IP are executing malicious things. I need to switch to mobile hotspot, in order to post a reply, because forum.mikrotik.com complains with false-positive spam detection:

Your IP 46.XX.XXX.XXX has been blocked because it is blacklisted. For details please see http://www.spamhaus.org/query/bl?ip=46.XX.XXX.XXX.

Checking FAQ of my ISP - clients get only private dynamic IP - sharing same public IP. Public dynamic IP is not used at all. Public static IP is not offered, yet.

iustin · Mon Nov 27, 2023 8:36 pm

Thank you very much for taking the effort to share this, much appreciated.

Last question: I see you're using "add action=create-disabled", interesting. Do you need to enable them only once (after they're initially created when joining)? Or after each reboot?

kravemir · Mon Nov 27, 2023 9:16 pm

Last question: I see you're using "add action=create-disabled", interesting. Do you need to enable them only once (after they're initially created when joining)? Or after each reboot?

Only once, they remain enabled after reboot.

JohnTRIVOLTA · Mon Nov 27, 2023 9:17 pm

I observe strange bit rate between cAP ac and Huawei Nova 5T on 2GHz band - 400mb/ps!

whatever · Mon Nov 27, 2023 10:02 pm

It's documented at https://help.mikrotik.com/docs/display/ ... i-Benefits

400Mb/s maximum data rate in the 2.4GHz band for IPQ4019 interfaces

Probably some proprietary extension of the standard from qcom.

Znevna · Mon Nov 27, 2023 10:20 pm

MCS-SNR-RSSI-Chart.png

MCS 8/9 (256-QAM) is not proprietary, just optional, check: https://en.wikipedia.org/wiki/IEEE_802. ... 3#Optional or some other source.
A few years late, but better late than never?..

JohnTRIVOLTA · Mon Nov 27, 2023 10:23 pm

It's documented at https://help.mikrotik.com/docs/display/ ... i-Benefits
400Mb/s maximum data rate in the 2.4GHz band for IPQ4019 interfaces
Probably some proprietary extension of the standard from qcom.

cAP AC is IPQ4018 based and support max 300mbps data rate in the 2.4GHz band: Specifications - https://mikrotik.com/product/cap_ac

Znevna · Mon Nov 27, 2023 10:27 pm

cAP AC is IPQ4018 based and support max 300mbps data rate in the 2.4GHz band[...]

yes yes.. with the MikroTik drivers, not with the Wave2 capable ones.

JohnTRIVOLTA · Mon Nov 27, 2023 10:31 pm

cAP AC is IPQ4018 based and support max 300mbps data rate in the 2.4GHz band[...]
yes yes.. with the MikroTik drivers, not with the Wave2 capable ones.

Clear. They haven't updated the specs yet!

Znevna · Mon Nov 27, 2023 10:37 pm

And they probably won't. cAP ac and hAP ac2 are in the same boat, too little memory (RAM) for the full featured drivers.
They could ship some -smallbuffers version of drivers for these devices, but doubt that this will see any light.

JohnTRIVOLTA · Mon Nov 27, 2023 10:43 pm

And they probably won't. cAP ac and hAP ac2 are in the same boat, too little memory (RAM) for the full featured drivers.
They could ship some -smallbuffers version of drivers for these devices, but doubt that this will see any light.

The cAP AC have 256MB and I think they are enough.

Znevna · Mon Nov 27, 2023 10:47 pm

But the same specs page you linked above lists 128MB ... hmm. You ok?

anav · Mon Nov 27, 2023 10:55 pm

But the same specs page you linked above lists 128MB ... hmm. You ok?

Even the capax/hap ax3 have 128MB - meaning the 128MB is sufficient........
Edit. looking at storage not ram, my bad.

JohnTRIVOLTA · Mon Nov 27, 2023 10:56 pm

But the same specs page you linked above lists 128MB ... hmm. You ok?

I bought over 100 of them and they were all 256MB! I think they wrote it wrong, it's even commented if I'm not messing around in threads back.

anav · Mon Nov 27, 2023 10:57 pm

Dont tell anyone, they might want them back LOL

Ahh confusion due to RAM vs Storage.......... I was looking at Storage.........
Capax hapax3 hapax2 have 1Gb of RAM.
hapac3 has 256Mb of RAM

perhaps your thinking hapac3 or hex devices........

Znevna · Mon Nov 27, 2023 11:03 pm

But the same specs page you linked above lists 128MB ... hmm. You ok?
I bought over 100 of them and they were all 256MB! I think they wrote it wrong, it's even commented if I'm not messing around in threads back.

There were a few (?) golden batches for hAP ac2 and cAP ac with 256MB (of RAM, anav, of RAM!) but those are history already. It's not something you can currently buy.
Unless someone keeps old stocks of them somewhere in some basement.
They were spotted in the forum before :)

mkx · Mon Nov 27, 2023 11:05 pm

But the same specs page you linked above lists 128MB ... hmm. You ok?
I bought over 100 of them and they were all 256MB!

hAP ac2 (I believe it's almost identical inside apart from number of ether ports) has officially 128MB RAM. However, some early batches came with 256MB RAM (I happen to have one of those). Are your cAP acs early birds as well?

iustin · Mon Nov 27, 2023 11:07 pm

In all this discussion, the sad part is that the cap AX is "large", and there's no "small" size of it. I just wish they made cap AC with more ram and flash, but same size.

JohnTRIVOLTA · Mon Nov 27, 2023 11:10 pm

I bought over 100 of them and they were all 256MB!
hAP ac2 (I believe it's almost identical inside apart from number of ether ports) has officially 128MB RAM. However, some early batches came with 256MB RAM (I happen to have one of those). Are your cAP acs early birds as well?

Yes, factory software is ROS 6.40.3 :)

Znevna · Mon Nov 27, 2023 11:12 pm

Yeah, those are like the golden goose when it comes to the Wave2 drivers.
But again, you can't buy them anymore, new.
Unless MikroTik decides to renew the series with an upgrade.

heindelange · Tue Nov 28, 2023 7:20 am

Thanks.
Winbox, The channel box still isn't fixed.

There appear to be 2 channel options. Perhaps a duplicate, or one channel refers to old CAPSMAN. Try selecting both if you've not come right yet.

MT Channel.png

BrateloSlava · Tue Nov 28, 2023 8:15 am

A "busy" error occurs spontaneously when connecting wireless points to the controller. There is no dependence. I'm returning to beta1.

kravemir · Tue Nov 28, 2023 9:02 am

In all this discussion, the sad part is that the cap AX is "large", and there's no "small" size of it. I just wish they made cap AC with more ram and flash, but same size.

What about using wAP ac as ceiling access point? It's small, white and neat - rounded edges.

EDIT: doesn't solve the problem - it's small, but not 802.11ax either.

rpingar · Tue Nov 28, 2023 9:27 am

very slow bgp advertisment on CCR2216 and very big (~5m ipv4 prefixes and ~800k ipv6 prefixes, over 376 bgp sessions) route table; [one core at 100% all the time]
ticket SUP-133971 opened and rtrace provided;

very slow= 150k prefixes sent in 45min, full route sent in 1h 30min.

thenetworks · Tue Nov 28, 2023 9:38 am

*) qos-hw - 98DX224S, 98DX226S ve 98DX3236 anahtar yongaları için başlangıç tıkanıklığı önleme desteği eklendi (yalnızca CLI);
Hello,

When is hardware queue supported where we can limit IP based tx/rx for simple queue.

we want it so much

MartinsG · Tue Nov 28, 2023 11:20 am

Hi! did updated hap ax3, hap ax2 and hap ac3 from 7.13beta1 ->7.13beta3. Hap ax3 act as CAPsMAN.
now i have this in capsman.

/interface/wifi> print
Flags: M - MASTER; D - DYNAMIC; B - BOUND; I - INACTIVE, R - RUNNING
Columns: NAME, MASTER-INTERFACE
 #      NAME                MASTER-INTERFACE  
;;; busy
 0 MDBI 2Ghz-2a_TV1                       
 1  DBI 2Ghz-2a_TV2     2Ghz-2a_TV1   
;;; busy
 2 MDBI 2Ghz-E1                    
 3  DBI 2Ghz-E2  2Ghz-E1
;;; busy
 4 MDBI 2Ghz-L-ac31                     
 5  DB  2Ghz-ax31           wifi2             
;;; busy
 6 MDBI 5Ghz-2_TV1                       
 7  DBI 5Ghz-2_TV2     5Ghz-2_TV1   
;;; busy

This is something new. And restarts don't help. And these busy caps don't accept any clients. Nothing in log, strange enough.

MartinsG · Tue Nov 28, 2023 11:38 am

After full restart of all caps "busy" went away. All good for now.

BrateloSlava · Tue Nov 28, 2023 11:44 am

After full restart of all caps "busy" went away. All good for now.

Unfortunately, rebooting “fixes” the problem only partially - temporarily. And when she next appears is not clear.

ToTheFull · Tue Nov 28, 2023 11:55 am

Thanks.
Winbox, The channel box still isn't fixed.
There appear to be 2 channel options. Perhaps a duplicate, or one channel refers to old CAPSMAN. Try selecting both if you've not come right yet.MT Channel.png

Yes fully aware of that, but if you now close the windows and re-open it the channel will be once again blank. Or at least on my hAP ax2 it is!

Edit: take a look here.... viewtopic.php?p=1036305#p1036305

Ullinator · Tue Nov 28, 2023 4:10 pm

After full restart of all caps "busy" went away. All good for now.
Unfortunately, rebooting “fixes” the problem only partially - temporarily. And when she next appears is not clear.

I´ve opened a Support Ticket regarding this new issue with 7.13Beta3:
SUP-135880
Let´s see what MT will say ;-)

3dfx · Tue Nov 28, 2023 6:07 pm

I have no idea if it has any relation with the beta, but one RB951Ui-2HnD lost its wireless card after installation of 7.13beta2.
I had to Netinstall in order to restore the wireless. Unfortunately I didn't make a Supout.rif file... Sorry for that...

Tue Nov 28, 2023 6:41 pm

Just noticed on AX2 ... all ethernet ports have POE tab ??

EDIT: my bad. Ether1 only and that's correct.

Ullinator · Tue Nov 28, 2023 6:51 pm

Unfortunately, rebooting “fixes” the problem only partially - temporarily. And when she next appears is not clear.
I´ve opened a Support Ticket regarding this new issue with 7.13Beta3:
SUP-135880
Let´s see what MT will say ;-)

I got a very very fast answer to my ticket, where Guntis gave me an actual ALPHA240 LINK, in which the bug should be fixed.
https://box.mikrotik.com/d/bcb3e36516aa440ea07d/
And yes, the problem seems to be fixed, no more "busy" errors on my CAPsMAN :-)

nichky · Wed Nov 29, 2023 6:04 am

providing default route via VRF-BGP is totally broken on v7.

I got ticket opened.
I've been advised to provide more details, as soon as i provided, i haven't received any response

mkx · Wed Nov 29, 2023 8:27 am

Still getting CRL fetch failed: http error: Network unreachable for: http://x1.c.lencr.org/

It's not ROS problem, it's web site problem:

$ telnet x1.c.lencr.org 80
Trying 23.205.191.135...
Connected to e8652.dscx.akamaiedge.net.
Escape character is '^]'.
HEAD / HTTP/1.0

HTTP/1.0 400 Bad Request
Server: AkamaiGHost
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 209
Expires: Wed, 29 Nov 2023 06:25:19 GMT
Date: Wed, 29 Nov 2023 06:25:19 GMT
Connection: close

Connection closed by foreign host.

nichky · Wed Nov 29, 2023 12:08 pm

==duplicate==

Wed Nov 29, 2023 12:09 pm

What is that site? http://x1.c.lencr.org/
It doesn't work for me too. Try other sites maybe

eworm · Wed Nov 29, 2023 12:12 pm

What is that site? http://x1.c.lencr.org/
It doesn't work for me too. Try other sites maybe ;)

Have a look at Let's Encrypt R3 intermediate certificate... The url is its crl endpoint.

spippan · Wed Nov 29, 2023 5:18 pm

And they probably won't. cAP ac and hAP ac2 are in the same boat, too little memory (RAM) for the full featured drivers.
They could ship some -smallbuffers version of drivers for these devices, but doubt that this will see any light.
The cAP AC have 256MB and I think they are enough.

there was a 256MB batch which shipped for a short period. (edit: typo)
no longer on sale. i think, MT even said it was a production mistake somehow.
also got 2 hAP ac2 - one with 256MB and one with 128MB

29-11-2023.png

iustin · Wed Nov 29, 2023 5:19 pm

A cAP ac with 32MB flash and 256MB RAM would be instant buy, too bad it doesn't exist…

spippan · Wed Nov 29, 2023 5:21 pm

redistribute default route via VRF-BGP is completely broken on v7.

I have opened ticket with MikroTik support.

i've been told to provide more details (how it works on v6).
Once i've done that, almost five days i'm waiting for response

VRF route leaking via (i)BGP on ROS v7.xx.x is a complete CF and broken. does not work.
got 4 CCR1072 and around 24 CCR2006 collecting dust because of that.
also 40 RB4011 are on hold too because of that missing core "feature" which was working on v6

rpingar · Wed Nov 29, 2023 6:25 pm

after 36h of operation our pppoe-concetrator running 7.13beta3 crashed, lasting a lot of frized dinamic ppper interace.
![SUP-136050]: pppoe server crash 7.13beta3 |opened with screenshot, autosupout generated on crash, and rtrace generated immediatly after for some minutes.

forteller · Wed Nov 29, 2023 11:45 pm

Is it reasonable to expect RTL8156 support in v7.13? I can see RTL8153 added in 7.12 and RTL8152 has been added in recent beta, but I think RTL8156 would be much more interesting for whole userbase. Come to think about it, I used RTL8153 when 7.10 was most recent version and it was detected properly with ether9 added to list of devices, so it was supported according to my limited testing.

hova888 · Thu Nov 30, 2023 12:09 am

Hap ac2 v7.13, when I do first test after boot router a speedtest the download drops 180->9 Mbit/s, upload speed 2 Mbit/s, second test only 2 Mbit/s download/upload for 2.4GHz or 5GHz and lan ports.
upd: Resetting the router settings helped solve my problem.

marlab · Thu Nov 30, 2023 10:51 am

I still cannot get VLANs working with v7.13beta for the new CAPsMAN and CAP on hAP ac2 with virtual access points . When I attach a bridge (connected with VLAN) as part of datapath - the traffic is not getting through. When adding the virtual AP to the bridge, the AP is shown as inactive on the Bridge/Ports screen. It all works fine when there are no VLANs involved though...

mkx · Thu Nov 30, 2023 11:02 am

I still cannot get VLANs working for hAP Ac2 and virtual access points for v7.13beta.

Yup, it's documented behaviour. See new WiFi manual under "Replacing 'wireless' package" -> "Lost features"

here are quite a few of us hoping that this feature will come back (or rather, will be introduced to wifi driver).

marlab · Thu Nov 30, 2023 11:22 am

Yup, it's documented behaviour. See new WiFi manual under "Replacing 'wireless' package" -> "Lost features"

here are quite a few of us hoping that this feature will come back (or rather, will be introduced to wifi driver).

True, just it also says:

VLAN configuration in the wireless settings (Per-interface VLANs can be configured in bridge settings)

So my understanding is this should work when using a bridge that has been already attached to a VLAN?

pe1chl · Thu Nov 30, 2023 11:24 am

Yeah, under "Lost features" it says:

VLAN configuration in the wireless settings (Per-interface VLANs can be configured in bridge settings)

but that really does not describe the full situation. It might seem a minor thing when described like that ("just one time move the VLAN you configured on the wireless interface to the bridge settings") but of course the VLAN setting on the wireless interface could be dynamically determined, and this static solution does not cover that.

Thu Nov 30, 2023 11:43 am

redistribute default route via VRF-BGP is completely broken on v7.

I have opened ticket with MikroTik support.

i've been told to provide more details (how it works on v6).
Once i've done that, almost five days i'm waiting for response
VRF route leaking via (i)BGP on ROS v7.xx.x is a complete CF and broken. does not work.
got 4 CCR1072 and around 24 CCR2006 collecting dust because of that.
also 40 RB4011 are on hold too because of that missing core "feature" which was working on v6

Can you both email support@mikrotik.com with details.
They are actively working on L3VPN so once they pinpoint the problem it is likely to be fixed quickly.

mkx · Thu Nov 30, 2023 11:46 am

So my understanding is this should work when using a bridge that has been already attached to a VLAN?

Depends how you deal with VLANs on bridge.

Essentially: if you have bridge with VLAN filtering enabled, then currently the only option si to (manually?) add wifi interface to bridge as port with PVID set. If VLAN filtering is not enabled on bridge, then one has to play dirty games.

The lost functionality was that wireless interface itself handled VLAN tags, so it was added as trunk bridge port without PVID set. Wireless interface could have vlan-id set (property of wireless interface!), or vlan-id was set in ACL or vlan-id was set via radius.
None of these options are available in wave2/wifi driver. My pain is the first one[*], the second (and third) are pains for @pe1chl.

[*]On my hAP ac2 I'm running bridge as VLAN-unaware brdige and I'm doing the VLANs in hardware with switch chip settings (ROS v7 still can not HW offload L2 operations on Qualcomm switch chips, which is one of most painful points IMO, Qualcomm was the best supported switch chip in v6), so I was relying on the VLAN feature of wireless driver to do the job. Now I have to resort to ugly messup of multiple bridges (one per VLAN) ... which of course only helps with my problem but doesn't address problem of @pe1chl at all.

marlab · Thu Nov 30, 2023 12:36 pm

So my understanding is this should work when using a bridge that has been already attached to a VLAN?
Depends how you deal with VLANs on bridge

Essentially: if you have bridge with VLAN filtering enabled, then currently the only option si to (manually?) add wifi interface to bridge as port with PVID set. If VLAN filtering is not enabled on bridge, then one has to play dirty games.

Thanks, that was my understanding too. Just as I wrote, when adding wifi interface to bridge as port - it is shown as inactive. Here as the wifi interface it looks fine

e1.jpg

But then, at the bridge port it is shown as inactive

e2.jpg

Thu Nov 30, 2023 2:03 pm

If there is no client connected to the wireless interface, it will show as inactive.

Guscht · Thu Nov 30, 2023 2:05 pm

Question about this totally messed up VLAN-thing:
I am right, if I have both, cAP-ac and cAP-ax and I have to configure SSIDs/VLANs in a centralised way, I have to run both CAPsMANs?
CAPsMAN-old "Wireless" for VLANing with cAP-ac and CAPsMAN-new "WiFi" for VLANing with cAP-ax??

This whole "configure per interface" - which implies I have to touch every device, every bridge, every internface - is total brainfuck imho.

But if the 2-CAPsMAN-Solution is a possible way, its still ugly, totally ugly, ugly in a 90s Win98-first-edition way. But it would be working solution at least.

marlab · Thu Nov 30, 2023 3:21 pm

If there is no client connected to the wireless interface, it will show as inactive.

That would be easy, wouldn't it? :)
I've checked that of course. It isn't activated once I connect a client to the AP.

e3.jpg

For whatever reason all APs from CAPs are shown as inactive at the bridge port screen...

What's interesting, they do not have a role assigned either, unlike all other dynamic APs coming from AX devices.

buset1974 · Thu Nov 30, 2023 8:04 pm

providing default route via VRF-BGP is totally broken on v7.

I got ticket opened.
I've been advised to provide more details, as soon as i provided, i haven't received any response

Dear MT,

Can u check this issue please.
So many people using your hardware as enterprise things not just a home things

Thx

Thu Nov 30, 2023 8:56 pm

Dear MT,

Can u check this issue please.
So many people using your hardware as enterprise things not just a home things

Thx

What are you doing with a beta version on enterprise environment then ??

Fri Dec 01, 2023 10:40 am

Try "/certificate crl flush"
If CRL still does not update, create and send a new supout.rif file to support@mikrotik.com

Still having issues with CRL

See attached

log.txt
supout.rif.txt

TIA

aivarsm · Fri Dec 01, 2023 11:42 am

i cannot add D53G-5HacD2HnD-TC&RG502Q-EA with ac drivers to hAP-AX capsMan.

Fri Dec 01, 2023 12:02 pm

Version 7.13rc2 has been released.
viewtopic.php?t=201989