CapsMan datapath interfaces put not to bridge

christian178 · Mon May 20, 2024 11:18 am

Hello,

/interface wifi channel
add band=2ghz-g disabled=no name=channel1-2ghz width=20mhz
add band=5ghz-a disabled=no name=channel2-5ghz-a width=20mhz
/interface wifi datapath
add bridge=bridge2-ext bridge-horizon=1 client-isolation=yes disabled=no name=datapath1
/interface wifi security
add authentication-types="" disabled=no ft=no name=sec1
/interface wifi configuration
add channel=channel1-2ghz country=Germany datapath=datapath1 disabled=no hide-ssid=no mode=ap name=cfg1-2ghz security=sec1 security.ft=yes ssid=test2
add channel=channel2-5ghz-a country=Germany datapath=datapath1 disabled=no hide-ssid=no mode=ap name=cfg2-5ghz security=sec1 security.ft=yes ssid=test2
/interface wifi capsman
set enabled=yes interfaces=bridge1-int package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg1-2ghz name-format=%I-2ghz-ax-g-n supported-bands=2ghz-ax,2ghz-g,2ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=cfg2-5ghz name-format=%I-5ghz-a-an-ac-ax supported-bands=5ghz-a,5ghz-n,5ghz-ac,5ghz-ax

The Interfaces whould be provisioned perfectly.
but the CAP-Interfaces are put not to bridge "bridge2-ext".
Why?
On the Client-CAP Antennas i have nothing set as datapath, so i whould like to forward the Data to/from CapsMan.

thanks
Christian

erlinden · Mon May 20, 2024 11:50 am

Can you share the complete config?
What does the bridge-horizon do (for you)?

christian178 · Mon May 20, 2024 12:02 pm

It's a test:

CapsMan:

/interface bridge
add name=bridge1-int protocol-mode=none
add name=bridge2-ext protocol-mode=none
/interface wifi channel
add band=2ghz-g disabled=no name=channel1-2ghz-g-20mhz width=20mhz
add band=5ghz-a disabled=no name=channel2-5ghz-a-20-mhz width=20mhz
add band=2ghz-ax disabled=no name=channel3-2ghz-ax-20mhz width=20mhz
/interface wifi datapath
add bridge=bridge2-ext bridge-horizon=1 client-isolation=yes disabled=no name=datapath1-master
add bridge=bridge2-ext bridge-horizon=1 client-isolation=yes disabled=no name=datapath2-slave1
/interface wifi security
add authentication-types="" disabled=no ft=no name=sec1
/interface wifi configuration
add channel=channel1-2ghz-g-20mhz country=Germany datapath=datapath1-master disabled=no hide-ssid=no mode=ap name=cfg1-2ghz-g-20mhz security=sec1 security.ft=yes ssid=test2-g
add channel=channel2-5ghz-a-20-mhz country=Germany datapath=datapath1-master disabled=no hide-ssid=no mode=ap name=cfg2-5ghz-a-20mhz security=sec1 security.ft=yes ssid=test5-a
add channel=channel3-2ghz-ax-20mhz country=Germany datapath=datapath2-slave1 disabled=no hide-ssid=no mode=ap name=cfg3-2ghz-ax-20mhz security=sec1 security.ft=yes ssid=test2-ax
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=10.10.1.2-10.10.1.254
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge1-int
/interface bridge port
add bridge=bridge1-int interface=ether1
/interface wifi access-list
add action=accept client-isolation=yes disabled=no interface=any
/interface wifi capsman
set enabled=yes interfaces=bridge1-int package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg1-2ghz-g-20mhz name-format=%I-2ghz-ax-g-n slave-configurations=cfg3-2ghz-ax-20mhz supported-bands=2ghz-ax,2ghz-g,2ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=cfg2-5ghz-a-20mhz name-format=%I-5ghz-a-an-ac-ax supported-bands=5ghz-a,5ghz-n,5ghz-ac,5ghz-ax
/ip address
add address=10.10.1.1/24 interface=*8 network=10.10.1.0
/ip dhcp-server
add address-pool=dhcp_pool0 interface=*8 name=dhcp1
/ip dhcp-server network
add address=10.10.1.0/24 gateway=10.10.1.1
/system note
set show-at-login=no

Bridge Horizon should forbid communication between CAP-Antennas and the Clients on this CAP-Antennas.
For HoSpot...

CAP-Antenna:

/interface bridge
add admin-mac=48:A9:8A:39:1B:BB auto-mac=no comment=defconf name=bridgeLocal protocol-mode=none
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: test5-a, channel: 5500/a
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN
# mode: AP, SSID: test2-g, channel: 2432/g
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system identity
set name=TEST-CAP1
/system note
set show-at-login=no

christian178 · Mon May 20, 2024 7:56 pm

After many tests i think the new WiFi CapsMan forwarding ala https://help.mikrotik.com/docs/pages/vi ... ardingMode is not working or not implement...

What you think? I can not set

There are the following datapath settings:

    local-forwarding -- controls forwarding mode
    openflow-switch -- OpenFlow switch to add interface to, as port when enabled
    vlan-mode -- VLAN tagging mode specifies if VLAN tag should be assigned to interface (causes all received data to get tagged with VLAN tag and allows interface to only send out data tagged with given tag)

Works it only with VLAN?

neki · Mon May 20, 2024 8:41 pm

Thats correct, WiFi CAPsMAN does not implement forwarding... It was decreasing throughput anyway... Nothing you want to use...

christian178 · Tue May 21, 2024 7:05 pm

Hello,

I tried to set the settings as best as I could.
Nevertheless, the new CapsMan is a little poor or, to say the least, immature.

1. Why not a new CapsMan (even if wifi) that can also operate the old wireless interfaces? Why 2 CapsMan? In the not too distant future there will be a lot more qcom and ax anyway?

2. Why can't “datapath”, "horizon" and "forbid-client-communication" be set in CapsMan? These settings have no effect there.

3. If the CapsMan provisions the Cap antenna, why can't I freely set the bridge name in the Caps-Man data path (for configuration) so that at least the master or slave interface on the Cap antenna can be installed automatically to place the bridge that was previously created there (the prerequisite is of course that the bridge created on the CAP antenna matches the freely entered name on the CapsMan (datapath). This would also work without a VLAN for VXLAN or VPLS User.

4. VLAN currently seems to me to be the only way to separate traffic from 2 SSIDs on one (1!) CAP interface?!

I think it should be possible to shift as many settings as possible to the CapsMan, even for slightly more complex setups

All in all, I'm missing instructions for the latest CapsMan at help.mikrotik.com, which shows exactly what is obviously not possible (yet) with the new CapsMan, especially with regard to slave interfaces and several SSIDs on one wifi interface and the datapath restriction (bridge, horizon, ....)

neki · Tue May 21, 2024 8:24 pm

Thing is, that you should never use multiple bridge interfaces to separate traffic... and because it's not working as you imagine it should, you think that it's broken...

Sorry but your procedure is wrong...

infabo · Tue May 21, 2024 8:39 pm

@christian "/capsman" is for legacy wireless. The old capsman. That's why none of your settings under "/capsman" show/have any effect.

After many tests i think the new WiFi CapsMan forwarding ala https://help.mikrotik.com/docs/pages/vi ... ardingMode is not working or not implement...

This doc refers to legacy capsman for wireless drivers. You want to provision/control AX devices, so all your configuration is done below "/interface/wifi/".

christian178 · Wed May 22, 2024 12:24 pm

Thing is, that you should never use multiple bridge interfaces to separate traffic... and because it's not working as you imagine it should, you think that it's broken...

Sorry but your procedure is wrong...

You're right. For VLAN Users. But no for VPLS XVLAN, EoIP and other Users...

@infabo
i write about the new CapsMan (Wifi). I have found the new Docs.
https://help.mikrotik.com/docs/display/ ... iFiCAPsMAN
Thank Youy.

infabo · Wed May 22, 2024 12:43 pm

then you possibly seen

"WiFi CAPsMAN only passes wireless configuration to the CAP, all forwarding decisions are left to the CAP itself - there is no CAPsMAN forwarding mode."
https://help.mikrotik.com/docs/display/ ... ing%20mode.

kolorasta · Sat Jul 27, 2024 4:30 pm

I loved the CAPsMAN forwarding mode... why it's not available anymore in wifi-qcom and wifi-qcom-ac?

mkx · Sat Jul 27, 2024 7:05 pm

Could be it's due to the fact that capsman forwarding puts quite some burden on both CAP device (which is manegeable by using faster CPU) and CAPsMAN device (less manageable if there's large number of CAPs involved), reducing CAP wireless performance. The benefits (in certain use cases thex were invaluable) are probably too marginal for MT po put in necessary effort to (re)implement it with wifi drivers.

infabo · Sat Aug 17, 2024 5:40 pm

Back to OPs original question: why are ports not added to bridge? It works for local interfaces but not for caps. On CAP the bridge is always named "bridgeLocal" no matter what and wifi ports are not added (not on CAPsMAN bridge neither on the CAP local bridge).

neki · Sat Aug 17, 2024 9:44 pm

I'm not sure if I follow you correctly, but they are added just fine... Thing is, that the bridge is always local, you can not access/see bridges on other devices. So if you create a bridge on CAP, it is accesible only from CAP itself, and vice versa. That applies for datapath too, datapath.bridge is local option and only valid for master interfaces.

Even if the docs say

Virtual ('slave') interfaces are by default added to the same bridge, if any, as the corresponding master interface. Master interfaces are not by default added to any bridge.

and from "by default" you can say that this behavior can be altered, but it's not documented (or I wasn't able to find it).

EDIT:
it's done by slaves-datapath in /interface/wifi/cap menu.

dynamicCap4.png

:EDIT

If you create a bridge on CAP, you can then set datapath.bridge on CAP's master interface and wifi interfaces are then added to the bridge as dynamic ports. It works fine...

dynamicCap.png

infabo · Sat Aug 17, 2024 10:57 pm

I can't follow. You're telling me: datapath has no effect in a capsman setup???

neki · Sun Aug 18, 2024 12:04 am

Nope, datapath has effect in CAPsMAN setup. You can use it for VLAN assignment. Just the datapath.bridge is local setting.

CAPsMAN device has no means to know what bridge/s exists on CAPs.

If you are setting CAP in CAPsMAN environment you must set 3 things on the CAP itself: manager, mode and bridge

CAP

set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath.bridge=bridge1 disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath.bridge=bridge1 disabled=no

CAPsMAN

/interface wifi datapath
add disabled=no name=datapath111 vlan-id=111
add disabled=no name=datapath222 vlan-id=222

infabo · Sun Aug 18, 2024 11:15 am

and the other datapath properties? client-isolation? interface-list? These seem to have no effect either.

Mikrotik should describe their CAPsMAN concept in depth. It is not enough to have some basic configuration examples and a description of each cap/CAPsMAN configuration property on its own in docs. Nobody knows how this all plays together. And it is mega frustrating to go through trial and error just to find out how things maybe work.
As for example there are some people who manually trigger provision after a configuration profile change. Yeah, I understand why someone may get this illusion. It is described nowhere that configs are auto-provisioned on change. The whole topic of what works, what not and what wifi CAPsMAN actually covers must be outlined.

CAPsMAN is a Blackbox.

neki · Sun Aug 18, 2024 12:30 pm

They do work

dynamicCap2.png

Note that this is interface on CAPsMAN side... It's same as if you want to change frequency, it's done on CAPsMAN...

Interface was dynamically added to the list (I'm not using this, just test for you..)

dynamicCap3.png

neki · Sun Aug 18, 2024 1:29 pm

And just to correct myself, you must set two things when prepairing CAP for CAPsMAN environment: manager and bridge. Mode defaults to AP, so it can be omitted.

If we look at "Reset to CAPS mode"

:local brName  "bridgeLocal";

:if ($usingWifiPack) do={
:local addDatapath [:parse "/interface $wirelessMenu datapath
add comment=\"defconf\" name=capdp disabled=no bridge=$brName"]
[$addDatapath]
}

if ($usingWifiPack) do={
:set setCap [:parse ":foreach i in=[/interface $wirelessMenu find] do={
/interface $wirelessMenu set \$i configuration.manager=capsman datapath=capdp
}
/interface $wirelessMenu cap
set enabled=yes discovery-interfaces=$brName slaves-datapath=capdp"]
}

It's exactly what they do, with just small difference. They are creating datapath configuration profile with single setting: datapath.bridge and then appling this profile to interfaces, instead of applying datapath.bridge directly to interface, but the outcome is same.

And I think that they are using "bridgeLocal" to point out, that it exists solely on the CAP itself.

infabo · Sun Aug 18, 2024 3:39 pm

Well, then set "datapath.bridge = bridge" as well. and then show me your winbox window again. On CLI it prints for me, the cap-wifi3 is "datapath.bridge=bridge". And we all know, this version of CAPsMAN has no local forwarding. So what the heck is it doing?

neki · Sun Aug 18, 2024 4:01 pm

Set it where and which bridge?

If you want to set on CAPsMAN datapath.bridge=bridgeCreatedOnCAP, then it's misconfiguration because only valid options are bridges created on CAPsMAN and vice versa...

infabo · Sun Aug 18, 2024 4:47 pm

I set

/interface/wifi/datapath/add bridge=bridge name=foo

on the CAPsMAN. Foo is used in a configuration profile.

misconfiguration?

neki · Sun Aug 18, 2024 6:12 pm

If you use it for CAPsMAN, then yes... Configuration profile has no means to know where you will later use it.

infabo · Sun Aug 18, 2024 6:55 pm

Can you quote where this is stated in ROS docs? https://help.mikrotik.com/docs/display/ROS/WiFi

Thanks.

neki · Sun Aug 18, 2024 7:30 pm

Nope

...but it's logical

infabo · Sun Aug 18, 2024 10:06 pm

lol. It is logical when you configure on CAPsMAN datapath a vlan-id it distributes and applies on CAPs. But setting bridge on the same datapath profile it just applies to the CAPsMAN locally and not on the caps. And isolate-clients applies on CAPs. And interface lists apply on the caps man locally and not on the caps.

Is this the summary?

neki · Sun Aug 18, 2024 11:23 pm

It really is...

The wifi interface on a CAP needs to know where to send/receive data. Hence, you need to assign bridge to it. That bridge must exists on the CAP because the physical interface is there too.

Let's say that we have 8 CAPs. You can share other settings between those CAPs, but each CAP has to have its own bridge. Does it make sense?

And now, there are two points of view...
You may expect to "see" all those bridges on CAPsMAN, but for what? (I know, this not what you are expecting)
Or you would like to "see" bridge created on CAPsMAN on CAPs, but how would you connect physical wifi interfaces on CAPs to rest of the network? You need bridge for that right?

So it really seems logical...

TomSF · Sat Aug 31, 2024 8:46 pm

Trying to figure out another issue, I found myself asking the same question about why no wifi caps interfaces on the bridge of the capsman router. Following this thread, I think I understand why. It seemed wrong because wireless capsman does put caps wireless interfaces on the capsman bridge. On the otherhand, wifi capsman does add cap wifi interfaces to the LAN interface list (assuming your configuration tells it to) and I have LAN on the bridge so it seems that it implicitly has cap wifi interfaces on the capsman bridge. The inconsistency between wifi and wireless capsman is confusing but everything works.

infabo · Sun Sep 01, 2024 11:04 am

Implicitly yes. The CAPs are connect on ethernet ports of Wifi Capsman device. And Ethernet ports are usually on the bridge.

TomSF · Fri Sep 06, 2024 10:14 pm

Things didn't end up working as I think they should. For historical reasons I had a guest SSID, although I no longer had it on its own subnet. Wireless capsman sets those virtual APs up on its managed CAPs, adds them to the capsman bridge and everything works fine. I just discovered that wifi capsman creates them up OK but the DHCP server on that subnet does not give an IP address to anybody connected to the guest SSID, only to those connected to the real APs. The virtual APs have been added to the LAN address list but not to the bridge and the DHCP server references the LAN address list, but it does not work. I manually added all the wifi APs to the bridge that the DCHP server was serving but still no IP address for guests. I am guessing the reason is that the local forwarding on the wifi CAPs is not forwarding DHCP requests to capsman, but that is just a guess. Taking the path of least resistance, I got rid of the guest SSID.

CapsMan datapath interfaces put not to bridge

CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Re: CapsMan datapath interfaces put not to bridge

Who is online