accarda
Member Candidate
Topic Author
Posts: 215
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

7.13 WiFi-CAPsMAN, Access list to assign VLANs and FT issue

Tue Dec 26, 2023 9:57 am

Hi all,
I was experimenting with some different settings to enable WiFi on AX APs, using CAPsMAN and assigning VLANs through Access List MAC address definitions on a single SSID.
In terms of VLAN assignment I can see that each device, based on its MAC address, gets assigned the proper VLAN as configured on the single SSID available through the WiFi APs.
However, fast transition from AP to AP does not seem to work properly when compared to a more standard CAPsMAN setup, with a datapath setting each VLAN and multiple SSIDs, one per VLAN.

This is what I have done so far on CAPsMAN controller:
/interface wifi datapath
add bridge=bridge disabled=no name=DPath

/interface wifi security
add authentication-types=wpa3-psk disabled=no ft=yes ft-over-ds=yes name=WPA3_5G

/interface wifi access-list
add action=accept comment=dev1 disabled=no mac-address=xx:xx:xx:xx:xx:xx vlan-id=8
add action=accept comment=dev2 disabled=no mac-address=yy:yy:yy:yy:yy:yy vlan-id=7
add action=accept comment=dev3 disabled=no mac-address=zz:zz:zz:zz:zz:zz vlan-id=9

/interface wifi configuration
add channel=5G_Ch36 country=Italy datapath=DPath disabled=no mode=ap name=rb1apx_5G_Main security=WPA3_5G ssid=SSID \
    tx-power=10
add channel=5G_Ch100 country="Italy" datapath=DPath disabled=no mode=ap name=rb2apx_5G_Main security=WPA3_5G ssid=\
    SSID tx-power=10
add channel=5G_Ch100 country="Italy" datapath=DPath disabled=no mode=ap name=rb3apx_5G_Main security=WPA3_5G ssid=\
    SSID tx-power=5
add channel=5G_Ch36 country=Italy datapath=DPath disabled=no mode=ap name=rb4apx_5G_Main security=WPA3_5G ssid=SSID \
    tx-power=5

/interface wifi provisioning
add action=create-dynamic-enabled comment=rb1apx disabled=no master-configuration=rb1apx_5G_Main name-format=%I-5G radio-mac=MAC1
add action=create-dynamic-enabled comment=rb2apx disabled=no master-configuration=rb2apx_5G_Main name-format=%I-5G radio-mac=MAC2
add action=create-dynamic-enabled comment=rb3apx disabled=no master-configuration=rb3apx_5G_Main name-format=%I-5G radio-mac=MAC3
add action=create-dynamic-enabled comment=rb4apx disabled=no master-configuration=rb4apx_5G_Main name-format=%I-5G radio-mac=MAC4
On each CAP the config is basically standard:
/interface bridge
add admin-mac=MAC auto-mac=no comment=defconf name=bridge port-cost-mode=short vlan-filtering=yes

/interface vlan
add interface=bridge name=vlan-mgmt vlan-id=100

/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1

/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=100

/interface wifi cap
set discovery-interfaces=vlan-mgmt enabled=yes

/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: SSID, channel: 5500/ax/Ceee
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5500 .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.manager=capsman .mode=ap .ssid=MikroTik-CCEF5A datapath=\
    datapath datapath.bridge=bridge disabled=no security.authentication-types=wpa2-psk,wpa3-psk
    
/interface wifi datapath
add bridge=bridge disabled=no name=datapath


So I'm not really sure whether this is still ongoing development by MikroTik, or something that will never let FT work properly when using a single-SSID setup with VLANs.
Has anyone else tested such a config, or does anyone have an opinion on this?
Thanks.
Last edited by accarda on Thu Dec 28, 2023 7:02 am, edited 1 time in total.
 
accarda
Member Candidate
Topic Author
Posts: 215
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: 7.13 WiFi-CAPsMAN and Access list to assign VLANs

Tue Dec 26, 2023 1:41 pm

Apparently only WiFi 6 clients do not roam to the next AP with this setup, while older WiFi 5 devices switch from one AP to the other while moving around.
I have tried with some iPhone/iPad devices (WiFi 5 only) and they get the correct VLAN and can roam while moving; when I try with an iPhone SE (which supports 802.11ax) it won't roam automatically.
 
whatever
Member
Posts: 376
Joined: Thu Jun 21, 2018 9:29 pm

Re: 7.13 WiFi-CAPsMAN and Access list to assign VLANs

Tue Dec 26, 2023 3:42 pm

Check the ft-preserve-vlanid setting documentation; it defaults to yes.
ft-preserve-vlanid (no | yes )

no - when a client connects to this AP via 802.11r fast BSS transition, it is assigned a VLAN ID according to the access and/or interface settings
yes (default) - when a client connects to this AP via 802.11r fast BSS transition, it retains the VLAN ID, which it was assigned during initial authentication

The default behavior is essential when relying on a RADIUS server to assign VLAN IDs to users, since a RADIUS server is only used for initial authentication.
 
accarda
Member Candidate
Topic Author
Posts: 215
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: 7.13 WiFi-CAPsMAN and Access list to assign VLANs

Tue Dec 26, 2023 4:09 pm

Thanks for the hint, but I saw that option when I initially set up CAPsMAN and decided to leave it at the default, as I want to keep the VLAN ID based on the initial assignment.
Even though I'm not using RADIUS but the Access list, VLANs get assigned when the client is authorized, and I can see the VLAN ID is properly retained during the transition from AP to AP (on those devices which roam).
I was reading several notes on the Internet and it seems 802.11k/r/v is not widely supported by clients, so that could be the main reason why some of my devices do not roam automatically.
The iPhone SE is not roaming at all and stays connected to the same AP (even after I tried ft-preserve-vlanid=no); one Windows 11 PC did change, but not through roaming (I checked the ROS log and it showed disconnected/connected events, not the roaming one).
On the iPhone XS and iPad Pro (they are WiFi 5 AC devices) they roam properly and very fast, while keeping their VLANs with the default settings.
I haven't tried to play with other parameters, like 802.11w, as I'm using WPA3 with PSK and all my clients are OK with it.
So it might be some devices not willing to move; for Apple iOS I'm on the latest version on all of them, so that should not be the issue.
 
andriys
Forum Guru
Posts: 1545
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: 7.13 WiFi-CAPsMAN and Access list to assign VLANs

Tue Dec 26, 2023 4:15 pm

Check this post out.
 
accarda
Member Candidate
Topic Author
Posts: 215
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: 7.13 WiFi-CAPsMAN and Access list to assign VLANs

Tue Dec 26, 2023 4:51 pm

Thank you @andriys for that mention.
I have now also included connect-priority=0/1 in my security settings; however, that iPhone is still sitting on the same AP as when it initially connected.
I will try to play a little more with TX power to reduce it, but what I guess will happen is that by lowering the received signal, the phone will be disconnected earlier and will reconnect to the AP with the better signal, but it won't use the roaming feature, as far as I'm seeing from the log.
 
accarda
Member Candidate
Topic Author
Posts: 215
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: 7.13 WiFi-CAPsMAN and Access list to assign VLANs

Tue Dec 26, 2023 5:16 pm

As a quick test I have reverted the CAPsMAN config to not use the Access list to define VLANs and stuck to VLAN per SSID as shown in the MikroTik doc:
CAPsMAN - CAP VLAN example https://help.mikrotik.com/docs/display/ ... onexample:

I have tried with a single VLAN/SSID and on that iPhone I see the same behavior as when using the Access list, just to check that this is not related to that particular config, but more to device behavior.
In both setups each VLAN is properly tagged on the AP and assigned to the client correctly.
So for now, as far as FT goes, I might have to live with this device's behavior.
 
accarda
Member Candidate
Topic Author
Posts: 215
Joined: Fri Apr 05, 2019 4:06 pm
Location: Italy

Re: 7.13 WiFi-CAPsMAN, Access list to assign VLANs and FT issue  [SOLVED]

Thu Dec 28, 2023 7:06 am

At this point everything about VLAN assignment works fine using the Access list and a single SSID (which was my main goal with this setup); I mitigated the roaming issue on that single iPhone by applying an RSSI threshold to it within the Access list, so that the AP kicks it out when it is no longer in range.
However, it is still strange that such a client is not able to make use of 802.11k/v/r, as it's indicated by Apple as one that should work.
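The RSSI-threshold mitigation described above, written out as a complete access list. This is an added example, not the poster's own export: the MAC addresses, thresholds and the catch-all reject are assumptions. It uses the `signal-range` and `allow-signal-out-of-range` parameters of `/interface wifi access-list` on the wifi driver, and adds the check a practitioner would want (the bridge host table shows the VLAN a station actually landed in). Two caveats the thread only implies: access-list entries are matched top down and the first match wins, so order matters; and a VLAN keyed on a MAC address is only as strong as the MAC, which any client can spoof while still knowing the shared PSK, so treat this as segmentation by convenience, not as authentication of the device.

```routeros
# Added example (not from the thread). Per-station VLAN assignment through the
# wifi access list, plus the RSSI threshold used to unstick a client that
# never initiates an 802.11r transition on its own. MACs are placeholders.
/interface wifi access-list
# Sticky client: once its signal has been below -75 dBm for 10 s the AP drops
# it, so it re-associates with a closer AP. This is a full reconnect (new
# 4-way handshake, new DHCP lease if the client asks), not an FT roam.
add action=accept comment="dev1 (sticky phone)" mac-address=xx:xx:xx:xx:xx:xx \
    vlan-id=8 signal-range=-75..120 allow-signal-out-of-range=10s
# Ordinary clients: VLAN by MAC only, default signal-range (-120..120) so the
# AP never forces a disconnect on them.
add action=accept comment=dev2 mac-address=yy:yy:yy:yy:yy:yy vlan-id=7
add action=accept comment=dev3 mac-address=zz:zz:zz:zz:zz:zz vlan-id=9
# Assumed catch-all (an entry with no matchers matches every station): without
# it an unlisted MAC that knows the PSK is accepted and ends up wherever the
# datapath puts untagged traffic, i.e. the bridge's native VLAN.
add action=reject comment="default deny for stations not listed above"

# Check: the bridge host table shows the VLAN (vid) each learned MAC is in.
# /interface bridge host print where mac-address=xx:xx:xx:xx:xx:xx
```

With ft-preserve-vlanid=yes left at its default, a station that does roam via 802.11r keeps the VLAN it was given at initial authentication; with the catch-all reject in place, a station the list does not know is refused at every AP rather than silently landing untagged on one of them.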
 
yurembo
just joined
Posts: 4
Joined: Thu Mar 09, 2023 5:10 pm

Re: 7.13 WiFi-CAPsMAN, Access list to assign VLANs and FT issue

Tue May 14, 2024 12:17 pm

At this point everything about VLAN assignment works fine using the Access list and a single SSID (which was my main goal with this setup); I mitigated the roaming issue on that single iPhone by applying an RSSI threshold to it within the Access list, so that the AP kicks it out when it is no longer in range.
However, it is still strange that such a client is not able to make use of 802.11k/v/r, as it's indicated by Apple as one that should work.
Hello! Did you do any additional configuration to make it work? I'm still facing the same issue, "client was disconnected because could not assign vlan". My CAPsMAN controller is a hAP ax3 and the clients are wAP and cAP devices, so basically it is a mix of AC and AX.
 
mazay
just joined
Posts: 19
Joined: Thu Aug 08, 2013 9:39 am
Location: Earth

Re: 7.13 WiFi-CAPsMAN, Access list to assign VLANs and FT issue

Wed Feb 19, 2025 2:06 am

I know it's pretty old, but I wasn't able to figure this out. The setup suggested in the doc didn't work for me. Devices were losing connection when roaming between AX and AC access points.

So far the only working solution for me has been setting up the AX device similarly to the AC one, with static slaves and manual VLAN assignments, which is a shame.
 
holvoetn
Forum Guru
Posts: 7061
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: 7.13 WiFi-CAPsMAN, Access list to assign VLANs and FT issue

Wed Feb 19, 2025 8:05 am

I toyed with it in the past and the main key for me was to use different configurations for AX and AC devices, because the datapath settings are different as well.
VLAN in the datapath for AX; no VLAN there for AC, but settings on the device instead.
 
mazay
just joined
Posts: 19
Joined: Thu Aug 08, 2013 9:39 am
Location: Earth

Re: 7.13 WiFi-CAPsMAN, Access list to assign VLANs and FT issue

Wed Feb 19, 2025 11:36 am

Yeah, that's what the doc suggests, but it appears to cause issues with FT, even with ft-preserve-vlanid=no.
 
pts0
newbie
Posts: 25
Joined: Thu Mar 07, 2024 11:02 am

Re: 7.13 WiFi-CAPsMAN, Access list to assign VLANs and FT issue

Thu Feb 20, 2025 12:32 pm

Is this issue really solved?
I have a VLAN on one WLAN, AX devices in wifi, and when enabling ft-preserve-vlanid=yes with a MacBook Air I didn't get an IP: it just connects and disconnects right after:
 wireless,info F0:99:19:D3:XX:XX@5ghz-wlan-ap03-k1m-2F disconnected, connection lost, signal strength -35
When I set ft=no, it works.
The strange behavior is that the iPad works with FT active.
name="c0de-5GHz" mode=ap ssid="c0de" country=Switzerland security=sec-c0de
     security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp,gcmp,ccmp-256,gcmp-256 .group-key-update=5m .passphrase="XXXXXXX" .dh-groups=19,20,21 .ft=yes .ft-mobility-domain=0x28
     .ft-over-ds=no .ft-preserve-vlanid=no .connect-priority=0/1
     datapath=vlan28
     datapath.bridge=bridge .client-isolation=yes .vlan-id=28 .interface-list=dynamic
     channel=5GHz
     channel.band=5ghz-ax .skip-dfs-channels=all
Does anybody have the same issue with 7.17.2?
 
mkx
Forum Guru
Posts: 13348
Joined: Thu Mar 03, 2016 10:23 pm

Re: 7.13 WiFi-CAPsMAN, Access list to assign VLANs and FT issue

Thu Feb 20, 2025 5:39 pm

... when enabling ft-preserve-vlanid=yes ...

Do you use any feature which actually requires this setting? Such as RADIUS assigning a VLAN ID per user, ACLs assigning a VLAN ID per station, or PPSK?

This setting has the potential to break mobility, while without it the roaming action might succeed. And it explicitly doesn't work on APs running wifi-qcom-ac, which can't handle VLAN tags.
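The split that holvoetn and mkx describe (per-station VLAN tagging only on wifi-qcom/AX radios, a fixed VLAN set on the device for wifi-qcom-ac radios, and ft-preserve-vlanid=yes only where something actually assigns per-station VLANs), as an added example rather than anyone's posted export. Profile and datapath names, the mobility domain, the VLAN number and the CAP-side bridge port lines are assumptions; `supported-bands` in `/interface wifi provisioning` is used to select the configuration per radio type instead of the per-radio-MAC rules in the first post. Because the ac driver cannot tag, an ac AP cannot honour a MAC-to-VLAN access list at all, so stations on ac radios are all placed in one VLAN here.

```routeros
# Added example (not from the thread). One SSID, two CAPsMAN configurations:
# ax (wifi-qcom) radios, where the access list / datapath tags per-station
# VLANs and so needs ft-preserve-vlanid=yes; ac (wifi-qcom-ac) radios, which
# cannot tag, so the VLAN is fixed on the CAP and ft-preserve-vlanid stays no.
# Names, mobility domain 0x28 and VLAN 8 are assumptions; <psk> is a placeholder.

/interface wifi security
# Same passphrase and same mobility domain in both profiles, otherwise 802.11r
# cannot carry a station between an ax AP and an ac AP broadcasting this SSID.
add name=WPA3_ax authentication-types=wpa3-psk passphrase="<psk>" \
    ft=yes ft-over-ds=yes ft-mobility-domain=0x28 ft-preserve-vlanid=yes \
    connect-priority=0/1
add name=WPA3_ac authentication-types=wpa3-psk passphrase="<psk>" \
    ft=yes ft-over-ds=yes ft-mobility-domain=0x28 ft-preserve-vlanid=no \
    connect-priority=0/1

/interface wifi datapath
# ax: no vlan-id here, the per-station VLAN comes from the access list.
add name=DPath_ax bridge=bridge
# ac: no vlan-id either, but for the opposite reason: the driver cannot tag.
add name=DPath_ac bridge=bridge

/interface wifi configuration
add name=SSID_ax mode=ap ssid=SSID country=Italy security=WPA3_ax datapath=DPath_ax
add name=SSID_ac mode=ap ssid=SSID country=Italy security=WPA3_ac datapath=DPath_ac

/interface wifi provisioning
# Rules are matched top down. An ax radio also reports 5ghz-ac support, so the
# ax rule must come first or ax radios would receive the ac configuration.
add action=create-dynamic-enabled supported-bands=5ghz-ax \
    master-configuration=SSID_ax name-format=%I-5G
add action=create-dynamic-enabled supported-bands=5ghz-ac \
    master-configuration=SSID_ac name-format=%I-5G

# On each wifi-qcom-ac CAP (assumed approach: VLAN set locally, since the
# provisioned datapath carries none): make the wifi interface a static bridge
# port whose pvid is the VLAN, and tag that VLAN towards the uplink.
/interface bridge port
add bridge=bridge interface=wifi1 pvid=8
/interface bridge vlan
add bridge=bridge tagged=ether1 vlan-ids=8
```

The point of keeping ft-preserve-vlanid=no on the ac profile is mkx's: the setting cannot work on a driver that does not tag, and leaving it on only adds a way for the transition to fail. On the ax side it stays yes because the access list is the only thing assigning the VLAN, and it is consulted at initial authentication, not on every FT reassociation.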