7.15.x CAPsMAN Setup

ErkDog · Tue Jul 23, 2024 6:55 pm

OK so after beating my head against the wall for a couple of days and finally figuring out that I had to -delete- the wireless package and use the "Wifi" menu for Capsman on current gen APs, I started making some progress on this.

But apparently I'm still missing something.

I've followed and double checked multiple different guides, but I'm not getting any SSID's on my APs.

https://ss.ecansol.com/uploads/2024/07/ ... -18-49.png
https://ss.ecansol.com/uploads/2024/07/ ... -18-57.png
https://ss.ecansol.com/uploads/2024/07/ ... -19-04.png
https://ss.ecansol.com/uploads/2024/07/ ... -19-11.png
https://ss.ecansol.com/uploads/2024/07/ ... -19-17.png
https://ss.ecansol.com/uploads/2024/07/ ... -19-30.png
https://ss.ecansol.com/uploads/2024/07/ ... -19-37.png

Router Config:

# 2024-07-23 11:46:08 by RouterOS 7.15.2
# software id = C2B3-8U34
#
# model = CCR2004-16G-2S+
# serial number = 
/interface bridge
add ingress-filtering=no name=LANBridge port-cost-mode=short priority=0x1000 \
    vlan-filtering=yes
add name=WANE1Bridge port-cost-mode=short
/interface wifi
add configuration.mode=ap name=cap-wifi1 radio-mac=D4:01:C3:D9:C3:94
add name=cap-wifi2 radio-mac=D4:01:C3:D9:C3:95
add name=cap-wifi3 radio-mac=D4:01:C3:D9:C4:88
add name=cap-wifi4 radio-mac=D4:01:C3:D9:C4:89
/interface vlan
add interface=LANBridge name=GuestWIFI vlan-id=10
/interface wifi channel
add disabled=no frequency=5180,5260,5500 name=GBA-Main5 skip-dfs-channels=all \
    width=20/40/80mhz
add disabled=no frequency=2412,2432,2472 name=GBA-Main2 skip-dfs-channels=all \
    width=20mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=\
    tkip,ccmp,gcmp,ccmp-256,gcmp-256 name=MainWPA2n3 wps=disable
/interface wifi configuration
add channel=GBA-Main5 country="United States" datapath.bridge=LANBridge \
    disabled=no manager=capsman name=GBA-Main5 security=MainWPA2n3 ssid=\
    GBA-Main5
add channel=GBA-Main2 country="United States" disabled=no name=GBA-Main2 \
    security=MainWPA2n3 ssid=GBA-MainLonger-Slower
/ip pool
add name=LANDHCPPOOL ranges=10.4.82.100-10.4.82.200
add name=GuestWifiPool ranges=172.149.164.50-172.149.164.250
/ip dhcp-server
add add-arp=yes address-pool=LANDHCPPOOL always-broadcast=yes interface=\
    LANBridge lease-time=3w30m name=LANDHCP
add add-arp=yes address-pool=GuestWifiPool always-broadcast=yes interface=\
    GuestWIFI lease-time=12h30m name=GuestWifi
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=WANE1Bridge interface=ether1 internal-path-cost=10 path-cost=10
add bridge=LANBridge interface=ether2
add bridge=LANBridge interface=ether3
add bridge=LANBridge interface=ether4
add bridge=LANBridge interface=ether5
add bridge=LANBridge interface=ether6
add bridge=LANBridge interface=ether7
add bridge=LANBridge interface=ether8
add bridge=LANBridge interface=ether9
add bridge=LANBridge interface=ether10
add bridge=LANBridge interface=ether11
add bridge=LANBridge interface=ether12
add bridge=LANBridge interface=ether13
add bridge=LANBridge interface=ether14
add bridge=LANBridge interface=ether15
add bridge=LANBridge interface=ether16
add bridge=LANBridge interface=sfp-sfpplus1
add bridge=LANBridge interface=GuestWIFI
/ip firewall connection tracking
set udp-timeout=10s
/interface bridge vlan
add bridge=LANBridge tagged="ether2,ether3,ether4,ether5,ether6,ether7,ether8,\
    ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,sfp-sfpplus\
    1" vlan-ids=10
/interface wifi cap
set caps-man-addresses=10.4.82.5 discovery-interfaces=LANBridge enabled=yes
/interface wifi capsman
set enabled=yes interfaces=LANBridge package-path="" \
    require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=GBA-Main5 \
    radio-mac=00:00:00:00:00:00 slave-configurations=GBA-Main2
/ip address
add address=10.4.82.5/24 interface=LANBridge network=10.4.82.0
add address=172.149.164.5/24 interface=GuestWIFI network=172.149.164.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add interface=WANE1Bridge use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=10.4.82.0/24 caps-manager=10.4.82.5 dns-server=10.4.82.5 gateway=\
    10.4.82.5 netmask=24 ntp-server=10.4.82.5
add address=172.149.164.0/24 dns-server=172.149.164.5 gateway=172.149.164.5 \
    netmask=24 ntp-server=172.149.164.5
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip firewall address-list
add address=x.sn.mynetname.net list=WANIPs
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input src-address=10.4.82.0/24
add action=accept chain=input src-address=216.66.48.0/26
add action=accept chain=input src-address=50.238.252.4/30
add action=accept chain=input src-address=50.238.252.24/30
add action=accept chain=input src-address=10.8.8.0/24
add action=accept chain=input dst-port=53 protocol=tcp src-address=\
    172.140.164.0/24
add action=accept chain=input dst-port=53 protocol=udp src-address=\
    172.140.164.0/24
add action=accept chain=input dst-port=123 protocol=tcp src-address=\
    172.140.164.0/24
add action=accept chain=input dst-port=123 protocol=udp src-address=\
    172.140.164.0/24
add action=drop chain=input dst-port=21 protocol=tcp
add action=drop chain=input dst-port=21 protocol=udp
add action=drop chain=input dst-port=22 protocol=tcp
add action=drop chain=input dst-port=22 protocol=udp
add action=drop chain=input dst-port=23 protocol=tcp
add action=drop chain=input dst-port=23 protocol=udp
add action=drop chain=input dst-port=53 protocol=tcp
add action=drop chain=input dst-port=53 protocol=udp
add action=drop chain=input dst-port=80 protocol=tcp
add action=drop chain=input dst-port=80 protocol=udp
add action=drop chain=input dst-port=443 protocol=tcp
add action=drop chain=input dst-port=443 protocol=udp
add action=drop chain=input dst-port=8291 protocol=tcp
add action=drop chain=input dst-port=8291 protocol=udp
add action=drop chain=input dst-port=8728 protocol=tcp
add action=drop chain=input dst-port=8728 protocol=udp
add action=drop chain=input dst-port=8729 protocol=tcp
add action=drop chain=input dst-port=8729 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="WANE1Bridge Masq" out-interface=\
    WANE1Bridge
add action=dst-nat chain=dstnat dst-address-list=WANIPs dst-port=18291 \
    protocol=tcp to-addresses=10.4.82.6 to-ports=8291
add action=dst-nat chain=dstnat dst-address-list=WANIPs dst-port=18291 \
    protocol=udp to-addresses=10.4.82.6 to-ports=8291
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=LANBridge type=internal
add interface=WANE1Bridge type=external
/system clock
set time-zone-name=America/New_York
/system identity
set name=GBARouter
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=10.4.82.255 enabled=yes manycast=yes \
    multicast=yes
/system ntp client servers
add address=time.ecansol.net
add address=1.us.pool.ntp.org
add address=2.us.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/tool romon
set enabled=yes

AP Config:

# 2024-07-23 11:53:32 by RouterOS 7.15.2
# software id = LLCS-ZK4I
#
# model = cAPGi-5HaxD2HaxD
# serial number = 
/interface bridge
add name=APBridge port-cost-mode=short
/interface bridge port
add bridge=APBridge interface=ether1 internal-path-cost=10 path-cost=10
add bridge=APBridge interface=ether2 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/interface wifi cap
set caps-man-addresses=10.4.82.5 certificate=none discovery-interfaces=\
    APBridge enabled=yes
/ip dhcp-client
add interface=APBridge
/system clock
set time-zone-name=America/New_York
/system identity
set name=AP1
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.4.82.5
/tool romon
set enabled=yes

And Switch config:

# 2024-07-23 11:54:18 by RouterOS 7.15.2
# software id = 3F5F-CPKM
#
# model = CRS328-24P-4S+
# serial number = 
/interface bridge
add admin-mac=D4:01:C3:C2:23:40 auto-mac=no ingress-filtering=no name=\
    LANBridge priority=0x6000 vlan-filtering=yes
/interface vlan
add interface=LANBridge name=GuestWIFI vlan-id=10
/port
set 0 name=serial0
/interface bridge port
add bridge=LANBridge comment=defconf interface=ether1
add bridge=LANBridge comment=defconf interface=ether2
add bridge=LANBridge comment=defconf interface=ether3
add bridge=LANBridge comment=defconf interface=ether4
add bridge=LANBridge comment=defconf interface=ether5
add bridge=LANBridge comment=defconf interface=ether6
add bridge=LANBridge comment=defconf interface=ether7
add bridge=LANBridge comment=defconf interface=ether8
add bridge=LANBridge comment=defconf interface=ether9
add bridge=LANBridge comment=defconf interface=ether10
add bridge=LANBridge comment=defconf interface=ether11
add bridge=LANBridge comment=defconf interface=ether12
add bridge=LANBridge comment=defconf interface=ether13
add bridge=LANBridge comment=defconf interface=ether14
add bridge=LANBridge comment=defconf interface=ether15
add bridge=LANBridge comment=defconf interface=ether16
add bridge=LANBridge comment=defconf interface=ether17
add bridge=LANBridge comment=defconf interface=ether18
add bridge=LANBridge comment=defconf interface=ether19
add bridge=LANBridge comment=defconf interface=ether20
add bridge=LANBridge comment=defconf interface=ether21
add bridge=LANBridge comment=defconf interface=ether22
add bridge=LANBridge comment=defconf interface=ether23
add bridge=LANBridge comment=defconf interface=ether24
add bridge=LANBridge comment=defconf interface=sfp-sfpplus1
add bridge=LANBridge comment=defconf interface=sfp-sfpplus2
add bridge=LANBridge comment=defconf interface=sfp-sfpplus3
add bridge=LANBridge comment=defconf interface=sfp-sfpplus4
/interface bridge vlan
add bridge=LANBridge tagged="ether1,ether2,ether3,ether4,ether5,ether6,ether7,\
    ether8,ether9,ether10,ether11,ether12,ether13,ether14,ether15,ether16,ethe\
    r17,ether18,ether19,ether20,ether21,ether22,ether23,ether24,sfp-sfpplus1,s\
    fp-sfpplus2,sfp-sfpplus3,sfp-sfpplus4" vlan-ids=10
/ip address
add address=10.4.82.6/24 interface=LANBridge network=10.4.82.0
/ip dns
set servers=10.4.82.5
/ip firewall filter
add action=accept chain=input src-address=10.4.82.0/24
add action=accept chain=input src-address=10.8.8.0/24
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.4.82.5 routing-table=main \
    suppress-hw-offload=no
/system clock
set time-zone-name=America/New_York
/system identity
set name=GBASwitch
/system note
set show-at-login=no
/system routerboard settings
set boot-os=router-os enter-setup-on=delete-key
/tool romon
set enabled=yes

erlinden · Tue Jul 23, 2024 7:46 pm

At least reset the accesspoint to CAPS Mode. Do you see any radios on /wifi/radios (that is on the CAPsMAN)?

Currently on smartphone, going through the config isn't easy.

ErkDog · Tue Jul 23, 2024 11:40 pm

When I try resetting manually into CAPsWAN mode on the APs they never picked up and reported in properly. Plus you have to get into the AP to reset the PW and stuff anyway. So I had to get into them and set the PW and specify CAPsWAN controller manually to get them to start talking to the CAPsWAN Controller at all.

ErkDog · Wed Jul 24, 2024 5:24 am

I was hoping to install these tomorrow if anyone has any ideas.

Thanks,

ErkDog · Wed Jul 24, 2024 9:58 pm

I don't mean to keep bumping this, but like if Documentation was clear on this new system then I wouldn't need help and this would just work, but it's not and it doesn't

rmauer · Thu Jul 25, 2024 2:39 am

I see a few things that differ from my setup.
I have a 4011 and 2x cAPax

In your config:

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=GBA-Main5 \
    radio-mac=00:00:00:00:00:00 slave-configurations=GBA-Main2

My config:

/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=2G supported-bands=2ghz-ax,2ghz-g,2ghz-n
add action=create-enabled disabled=no master-configuration=5G supported-bands=5ghz-a,5ghz-n,5ghz-ac,5ghz-ax

Try removing the mac address. If a mac is in there it will try to match it when provisioning.
I would assume all zeros would match all, but maybe not. Mine work when blank.

rmauer · Thu Jul 25, 2024 2:45 am

Beyond that, if you SSIDs show up after reprovisioning
I notice on your AP configs the wifi interfaces are not in the bridge.
Recently i had a setup that would show the SSIDs and you could connect but not get an IP or pass any traffic.
Turned out the wifi interfaces on the APs were not in the bridge.
This is my cAPax bridge config:

/interface bridge port
add bridge=bridgeAll interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridgeAll interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridgeAll interface=wifi1 internal-path-cost=10 path-cost=10
add bridge=bridgeAll interface=wifi2 internal-path-cost=10 path-cost=10

rmauer · Thu Jul 25, 2024 3:06 am

For reference i will post my relevant config

Router:

# 2024-07-25 00:57:32 by RouterOS 7.15.2
# software id = QRB2-MWET
#
# model = RB4011iG

/interface wifi channel
add disabled=no frequency=2412,2437,2462 name=2.4-auto width=20mhz
add disabled=no frequency=5180,5260,5500,5765,5825 name=5-ch-auto skip-dfs-channels=all width=20/40/80mhz
add disabled=no frequency=2412 name=2.4-ch1 width=20mhz
add disabled=no frequency=2437 name=2.4-ch6 width=20mhz
add disabled=no frequency=2462 name=2.4-ch11 width=20mhz
add disabled=no frequency=5180 name=5-ch-36 width=20mhz
add disabled=no frequency=5260 name=5-ch-52 width=20mhz
add disabled=no frequency=5500 name=5-ch-100 width=20mhz
add disabled=no frequency=5765 name=5-ch-153 width=20mhz
add disabled=no frequency=5825 name=5-ch-165 width=20mhz

/interface wifi security
add authentication-types=wpa2-psk disabled=no encryption=ccmp,gcmp passphrase=REDACTED ft=yes ft-over-ds=yes group-encryption=ccmp name=sec1 wps=disable

/interface wifi configuration
add channel=2.4-auto country="United States" disabled=no mode=ap name=2G security=sec1 security.ft=yes .ft-mobility-domain=0x1 .ft-over-ds=yes ssid="REDACTED" tx-power=15
add channel=5-ch-auto country="United States" disabled=no mode=ap name=5G security=sec1 security.ft=yes .ft-mobility-domain=0x1 .ft-over-ds=yes ssid="REDACTED" tx-power=18
    
/interface wifi
add configuration=5G disabled=no name=cap-wifi1 radio-mac=48:A9:8A:6A:02:78
add configuration=5G disabled=no name=cap-wifi2 radio-mac=48:A9:8A:6A:03:AC
add channel.frequency=2412 configuration=2G configuration.mode=ap disabled=no name=cap-wifi3 radio-mac=48:A9:8A:6A:02:79
add channel.frequency=2462 configuration=2G configuration.mode=ap disabled=no name=cap-wifi4 radio-mac=48:A9:8A:6A:03:AD

/interface wifi capsman
set enabled=yes interfaces=VLAN1-Home-Network package-path="" require-peer-certificate=no upgrade-policy=none

/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=2G supported-bands=2ghz-ax,2ghz-g,2ghz-n
add action=create-enabled disabled=no master-configuration=5G supported-bands=5ghz-a,5ghz-n,5ghz-ac,5ghz-ax

AP:

# 2024-07-24 19:43:23 by RouterOS 7.15.2
# software id = T1EX-6STN
#
# model = cAPGi-5HaxD2Hax
/interface bridge
add ingress-filtering=no name=bridgeAll port-cost-mode=short protocol-mode=none vlan-filtering=yes

/interface wifi
# managed by CAPsMAN
# mode: AP, SSID:REDACTED, channel: 5825/ax/Ceee
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN
# mode: AP, SSID:REDACTED, channel: 2462/ax
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no

/interface bridge port
add bridge=bridgeAll interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridgeAll interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridgeAll interface=wifi1 internal-path-cost=10 path-cost=10
add bridge=bridgeAll interface=wifi2 internal-path-cost=10 path-cost=10

/interface bridge vlan
add bridge=bridgeAll tagged=bridgeAll,ether1 vlan-ids=1003

/interface wifi cap
set caps-man-addresses=172.16.1.1 discovery-interfaces=bridgeAll enabled=yes

/ip dhcp-client
add interface=bridgeAll

Hopefully this helps.
I found that after making changes to the capmans config in your router going to the menu:
WiFi > Remote CAP and/or Radios
Then selecting the CAP or radio interface then hitting the provision button on the top bar will force it take the config
I am not an expert at this at all. I just have a setup that somehow works.

ErkDog · Thu Jul 25, 2024 7:23 am

Thanks I'll try some of this now.

ErkDog · Thu Jul 25, 2024 7:26 am

Taking the 00 MAC out helped a bit I have this now:

https://ss.ecansol.com/uploads/2024/07/ ... -26-26.png

But no broadcasting SSIDs

ErkDog · Thu Jul 25, 2024 7:30 am

https://ss.ecansol.com/uploads/2024/07/ ... -29-20.png

https://ss.ecansol.com/uploads/2024/07/ ... -29-38.png

The APs are hitting Wifi CAPsMAN on the router but don't appear to be pulling / applying config

ErkDog · Thu Jul 25, 2024 8:13 am

Well I hit the 'provision' button in a couple of places, now all the radios and wifi interfaces went away altogether

infabo · Thu Jul 25, 2024 10:38 am

Connect to one of your CAPs and enter

/system/reset-configuration caps-mode=yes

Wait for reboot finished and the AP should show up. If yes, do the same for the others. If not, let's troubleshoot further.

ErkDog · Fri Jul 26, 2024 2:07 am

@infaboo that has yielded positive traction in some regards:

https://ss.ecansol.com/uploads/2024/07/ ... -04-23.png

It picked up the 5Ghz stuff and is broadcasting, but it's trying to apply the "Fast (5GHz)" network to the 2.4Ghz radios as well.

But of course now, all the APs say "Mikrotik" for identity and I can't ROMON to any of them to fix that, or well turn ROMON back on, lol.

I suppose one could argue that isn't a big deal if CAPsMAN is handling everything on them.

I have this for configs: https://ss.ecansol.com/uploads/2024/07/ ... -07-37.png

and this for Provisioning: https://ss.ecansol.com/uploads/2024/07/ ... -07-51.png

ErkDog · Fri Jul 26, 2024 2:12 am

Well I'm even closer - https://ss.ecansol.com/uploads/2024/07/ ... -11-40.png

I set the 2Ghz as a slave under the 5Ghz master so it provisions all 6 radios now (3 x 2)

BUT it's on 5GHZ Bands, lol. Perhaps I should limit the frequency window. Let's try that.

ErkDog · Fri Jul 26, 2024 2:22 am

I realized it was just using the 'Slow' SSID as a sub / slave of the master and creating virtual interfaces.

I'm getting no supported channels on the 2Ghz radios, cause it's trying to apply GBAFast/5GHz profile to those too

https://ss.ecansol.com/uploads/2024/07/ ... -22-06.png

ErkDog · Fri Jul 26, 2024 2:27 am

HAH Got it, had to set band selection in the 2 provisioning rules.

So now I'm just left with a few questions.

1) I wanted to do bridging direct to LAN without routing through CAPsMAN how do I do that now? (Or will this break roaming?)
2) Is all the Roaming stuff 802.11r/v/q/s/lmnop stuff automatic or does it require provisioning or rules of some sort?

Thanks,
Matt

ErkDog · Fri Jul 26, 2024 2:32 am

Sorry I lied, technically I have a 3rd question, "How to setup Guest Wifi on a VLAN" especially since I've seen 50 things say "OMG VLAN STUFF DIFFERENT in 7.15.x" I -believe- I have everything setup on the router and switch right for the VLAN and DHCP.

I just added GBAGuest as a slave config w/ diff security profile. The SSID appears and works w/ the correct password, but it's not dumping me to the VLAN and I'm still on PVID 1

rmauer · Fri Jul 26, 2024 4:26 am

In the wiki page: https://wiki.mikrotik.com/wiki/Manual:CAPsMAN

It says the there is an option that can be put in the configuration profile:
datapath.client-to-client-forwarding (yes | no; Default: no)

I have never seen this option available. Doing torch and pcaps, it appears my CAPs are locally forwarding by default in my setup.

Someone else may want to chime in if they know for sure but it appears to me that local forwarding is default in capsmanv2.
I dont see any options related to local or capman forward mode in either winbox or the cli on my capsman

ips · Fri Jul 26, 2024 9:19 am

1) I wanted to do bridging direct to LAN without routing through CAPsMAN how do I do that now? (Or will this break roaming?)

It is "automatic". The CAP mode configure bridge on the CAPs. Nothing passes to the CAPsMAN server.

2) Is all the Roaming stuff 802.11r/v/q/s/lmnop stuff automatic or does it require provisioning or rules of some sort?

You may want to add

ft=yes ft-over-ds=yes

to your security profiles. It might break old clients. In my case, even if this option is disabled I get roaming (please check the logs).

Sorry I lied, technically I have a 3rd question, "How to setup Guest Wifi on a VLAN" especially since I've seen 50 things say "OMG VLAN STUFF DIFFERENT in 7.15.x" I -believe- I have everything setup on the router and switch right for the VLAN and DHCP.

I just added GBAGuest as a slave config w/ diff security profile. The SSID appears and works w/ the correct password, but it's not dumping me to the VLAN and I'm still on PVID 1

The documentation at https://help.mikrotik.com/docs/display/ROS/WiFi shows an example under the section "CAPsMAN - CAP VLAN configuration example". Please follow the "wifi-qcom" part (not the wifi-qcom-ac one).

ErkDog · Fri Jul 26, 2024 10:53 am

The 'tunneling' through capsman may have been a v1 thing I was reading then.

I'll try that wiki article tomorrow. Thanks for suggestions all. The biggest problem is there are three versions of capsman now and the documentation for the 'wifi' version in 7.15 is fragmented at best.

And v2 stuff seems to work but still with slight modifications.

Thanks,
Matt

neki · Fri Jul 26, 2024 10:58 am

In the wiki page: https://wiki.mikrotik.com/wiki/Manual:CAPsMAN

It says the there is an option that can be put in the configuration profile:
datapath.client-to-client-forwarding (yes | no; Default: no)

I have never seen this option available. Doing torch and pcaps, it appears my CAPs are locally forwarding by default in my setup.

Someone else may want to chime in if they know for sure but it appears to me that local forwarding is default in capsmanv2.
I dont see any options related to local or capman forward mode in either winbox or the cli on my capsman

You are refering to ROSv6 wiki, that is not relevant for ROSv7

Forwarding mode is obsolete and no longer supported in ROSv7

ips · Fri Jul 26, 2024 11:10 am

The 'tunneling' through capsman may have been a v1 thing I was reading then.

I'll try that wiki article tomorrow. Thanks for suggestions all. The biggest problem is there are three versions of capsman now and the documentation for the 'wifi' version in 7.15 is fragmented at best.

And v2 stuff seems to work but still with slight modifications.

Thanks,
Matt

Actually there are *two* different CAPsMANs (not versions): the wireless one and the wifi one.

rmauer · Mon Jul 29, 2024 4:33 pm

You are refering to ROSv6 wiki, that is not relevant for ROSv7

Forwarding mode is obsolete and no longer supported in ROSv7

I went looking around and found this: https://help.mikrotik.com/docs/
The new documentation site. I have been linked to it a few times in the past. I guess I didn't realize the wiki was no longer maintained.
I will bookmark the docs site.

ErkDog, I don't know if you have seen this page yet, it might be worth reading through: https://help.mikrotik.com/docs/display/ROS/CAPsMAN

infabo · Mon Jul 29, 2024 10:36 pm

https://mikrotik.com/support

ErkDog · Fri Aug 02, 2024 5:55 pm

Thanks all, I haven't had a chance to revisit this to try to get guest VLAN / wifi working.

I'll check out that last article tomorrow.

So 'help.mikrotik' is for v7 documentation?

I mean the main problem is that any time you google anything for Mikrotik you get 3-4 different pages, each one for a different version of ROS and/or CAPsMAN / wireless / wifi lol.

It would be awesome if the various documentations made it more clear -exactly- what ROS & CAPsMAN implementation they were for.

ErkDog · Fri Aug 02, 2024 6:00 pm

See this is one of the things I'm talking about:

datapath.bridge (list; Default: ) Bridge to which particular interface should be automatically added as port. Required only when local-forwarding is not used.

Apparently forwarding is depreciated and no longer a thing in 7.15.x/wifi so why is there flavor text talking about local-forwarding if local forwarding is always done now? Just confusing.

ErkDog · Fri Aug 02, 2024 6:01 pm

datapath.local-forwarding (yes | no; Default: no) Controls forwarding mode. If disabled, all L2 and L3 data will be forwarded to CAPsMAN, and further forwarding decisions will be made only then.
Note, if disabled, make sure that each CAP interface MAC Address that participates in the same broadcast domain is unique (including local MAC's, like Bridge-MAC).

If this is depreciated and no longer a thing, then why is the option still listed in the 7.15.x / wifi documentation!?!?!??

ErkDog · Fri Aug 02, 2024 6:09 pm

I feel like this: https://help.mikrotik.com/docs/display/ ... iFiCAPsMAN

Is the page I should be looking at for 7.15.x / Wifi "capsman" for "ax" devices.

Can anyone confirm?

neki · Fri Aug 02, 2024 11:28 pm

Yep, that's the one...

ErkDog · Sun Aug 04, 2024 5:27 am

OK so if I'm reading this page right, I have to do specific config on -each- CAP in order for wifi to work on a VLAN.

That 100% defeats the purpose of using CAPsWAN to begin with if I have to mess w/ each AP.

So how do I add a WiFi SSID that's on a VLAN without doing AP specific configuration?

Thanks,
Erk

erlinden · Sun Aug 04, 2024 11:13 am

OK so if I'm reading this page right, I have to do specific config on -each- CAP in order for wifi to work on a VLAN.

No, you don't.

What is shown is a config if you want to do it manually from scratch. If you either reset it to CAPS Mode through the reset button or the menu option it will give you the same state (and doesn't require any manual adjustments).

For ac devices, using the wifi-qcom-ac driver this is indeed the case.

Parking4754 · Sun Aug 18, 2024 1:34 pm

OK so after beating my head against the wall for a couple of days and finally figuring out that I had to -delete- the wireless package and use the "Wifi" menu for Capsman on current gen APs, I started making some progress on this.

Thank you for this, all the examples I found failed to mentioned this

7.15.x CAPsMAN Setup

7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Re: 7.15.x CAPsMAN Setup

Who is online