Community discussions

MikroTik App
  4. RouterOS
  5. Wireless Networking

Setup of a guest network with CAPsMAN and CAP ax APs

Post Reply
 
hubiktomas
just joined
Topic Author
Posts: 5
Joined: Sat May 27, 2023 10:49 am

Setup of a guest network with CAPsMAN and CAP ax APs

Sat Nov 02, 2024 11:55 am

Hello,

I am trying to setup my guest wifi network isolated from the main network. I am trying to achieve the isolation through guest bridge. The issue is that when connecting to the guest WiFi, I am still getting the IP assigned from the main network DHCP pool. Could anyone help me please? Here is my config:
Code: Select all
# 2024-11-02 10:38:56 by RouterOS 7.16.1
#
# model = CCR2004-16G-2S+
/interface bridge
add name=bridge-guest port-cost-mode=short
add name=bridge-main port-cost-mode=short
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface bonding
add mode=802.3ad name=bonding1 slaves=ether15,ether16
add mode=802.3ad name=bonding2 slaves=ether13,ether14
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no name=channel-2 width=20/40mhz
add band=5ghz-ax disabled=no name=channel-5 width=20/40/80mhz
/interface wifi datapath
add bridge=bridge-main disabled=no name=datapath-main
add bridge=bridge-guest client-isolation=yes disabled=no name=datapath-guest
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no \
    encryption=ccmp ft=yes ft-over-ds=yes name=sec-main wps=disable
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no \
    encryption=ccmp ft=yes ft-over-ds=yes name=sec-guest wps=disable
/interface wifi configuration
add channel=channel-2 country=Czech datapath=datapath-main disabled=no mode=\
    ap name=main-2 security=sec-main ssid=Wifiname
add channel=channel-2 country=Czech datapath=datapath-guest disabled=no mode=\
    ap name=guest-2 security=sec-guest ssid=Wifiname_Guest
add channel=channel-5 country=Czech datapath=datapath-guest disabled=no mode=\
    ap name=guest-5 security=sec-guest ssid=Wifiname_Guest
add channel=channel-5 country=Czech datapath=datapath-main disabled=no mode=\
    ap name=main-5 security=sec-main ssid=Wifiname
/interface wifi
add configuration=main-2 disabled=no name=cap-wifi3 radio-mac=\
    48:A9:8A:BA:2C:ED
add configuration=guest-2 disabled=no mac-address=4A:A9:8A:BA:2C:ED \
    master-interface=cap-wifi3 name=cap-wifi4
add configuration=main-2 disabled=no name=cap-wifi7 radio-mac=\
    48:A9:8A:BA:27:B9
add configuration=guest-2 disabled=no mac-address=4A:A9:8A:BA:27:B9 \
    master-interface=cap-wifi7 name=cap-wifi8
add configuration=main-2 disabled=no name=cap-wifi11 radio-mac=\
    48:A9:8A:BA:2C:9D
add configuration=guest-2 disabled=no mac-address=4A:A9:8A:BA:2C:9D \
    master-interface=cap-wifi11 name=cap-wifi12
add configuration=main-2 disabled=no name=cap-wifi15 radio-mac=\
    48:A9:8A:BA:2D:11
add configuration=guest-2 disabled=no mac-address=4A:A9:8A:BA:2D:11 \
    master-interface=cap-wifi15 name=cap-wifi16
add configuration=main-2 disabled=no name=cap-wifi19 radio-mac=\
    48:A9:8A:BA:2B:C9
add configuration=guest-2 disabled=no mac-address=4A:A9:8A:BA:2B:C9 \
    master-interface=cap-wifi19 name=cap-wifi20
add configuration=main-2 disabled=no name=cap-wifi23 radio-mac=\
    48:A9:8A:BA:2A:5D
add configuration=guest-2 disabled=no mac-address=4A:A9:8A:BA:2A:5D \
    master-interface=cap-wifi23 name=cap-wifi24
add configuration=main-2 disabled=no name=cap-wifi27 radio-mac=\
    48:A9:8A:BA:2B:DD
add configuration=guest-2 disabled=no mac-address=4A:A9:8A:BA:2B:DD \
    master-interface=cap-wifi27 name=cap-wifi28
/ip pool
add name=dhcp ranges=192.168.15.100-192.168.15.254
add name=dhcp-guest ranges=192.168.16.100-192.168.16.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay interface=bridge-main \
    lease-time=12h name=dhcp1
add address-pool=dhcp-guest interface=bridge-guest lease-time=1h name=\
    dhcp-guest
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
set 1 disk-file-count=10
add disk-file-count=10 disk-file-name=firewall-log name=firewall target=disk
/interface bridge port
add bridge=bridge-main interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether11 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether12 internal-path-cost=10 path-cost=10
add bridge=bridge-main disabled=yes interface=ether13 internal-path-cost=10 \
    path-cost=10
add bridge=bridge-main disabled=yes interface=ether14 internal-path-cost=10 \
    path-cost=10
add bridge=bridge-main disabled=yes interface=ether15 internal-path-cost=10 \
    path-cost=10
add bridge=bridge-main disabled=yes interface=ether16 internal-path-cost=10 \
    path-cost=10
add bridge=bridge-main interface=sfp-sfpplus2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge-main interface=sfp-sfpplus1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge-main interface=bonding1 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=bonding2 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge-main list=LAN
add interface=wireguard1 list=LAN
add interface=bridge-guest list=LAN
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=bridge-main \
    package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=main-2 \
    slave-configurations=guest-2 supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=main-5 \
    slave-configurations=guest-5 supported-bands=5ghz-ax
/interface wireguard peers
add allowed-address=172.18.0.2/32 interface=wireguard1 name=peer1 \
    persistent-keepalive=30s public-key=\
    "MYKEY"
/ip address
add address=192.168.15.1/24 comment="default configuration" interface=\
    bridge-main network=192.168.15.0
add address=192.168.16.1/24 interface=bridge-guest network=192.168.16.0
add address=172.18.0.1/24 interface=wireguard1 network=172.18.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.15.2 comment=Switch mac-address=18:FD:74:A4:8D:C4 server=\
    dhcp1
add address=192.168.15.3 comment=AP1 mac-address=48:A9:8A:BA:2C:EA server=\
    dhcp1
add address=192.168.15.4 comment=AP2 mac-address=48:A9:8A:BA:27:B6 server=\
    dhcp1
add address=192.168.15.20 comment=NAS mac-address=90:09:D0:20:C3:E1 server=\
    dhcp1
add address=192.168.15.5 comment=AP3 mac-address=48:A9:8A:BA:2C:9A server=\
    dhcp1
add address=192.168.15.6 comment=AP4 mac-address=48:A9:8A:BA:2D:0E server=\
    dhcp1
add address=192.168.15.7 comment=AP5 mac-address=48:A9:8A:BA:2B:C6 server=\
    dhcp1
add address=192.168.15.8 comment=AP6 mac-address=48:A9:8A:BA:2A:5A server=\
    dhcp1
add address=192.168.15.9 comment=AP7 mac-address=48:A9:8A:BA:2B:DA server=\
    dhcp1
/ip dhcp-server network
add address=192.168.15.0/24 dns-server=192.168.15.1 domain=\
    sakarka.hubikova.cz gateway=192.168.15.1 netmask=24
add address=192.168.16.0/24 comment=guest dns-server=8.8.8.8,8.8.4.4 gateway=\
    192.168.16.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=accept chain=input comment="accept connections to router WebFig" \
    dst-port=80 protocol=tcp
add action=accept chain=input comment="accept connections to OpenVPN" \
    dst-port=1194 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="accept connections to WireGuard" \
    dst-port=13231 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="drop all from WAN" in-interface-list=WAN
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="isolate guest and main network" \
    in-interface=bridge-guest out-interface=bridge-main
add action=drop chain=forward comment="isolate guest and main network" \
    in-interface=bridge-main out-interface=bridge-guest
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.15.20 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=5001 in-interface-list=\
    WAN protocol=tcp to-addresses=192.168.15.20 to-ports=5001
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=yes distance=1 dst-address=192.168.254.0/24 gateway=\
    192.168.15.10 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=Gate
/system logging
set 0 topics=info,!firewall
add action=disk topics=critical
add action=disk topics=error
add action=firewall topics=firewall
add action=disk topics=warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system routerboard settings
set auto-upgrade=yes
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
Top
 
holvoetn
Forum Guru
Forum Guru
Posts: 6869
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Setup of a guest network with CAPsMAN and CAP ax APs

Sat Nov 02, 2024 12:57 pm

You only need 1 bridge when using VLAN.
See here:
https://help.mikrotik.com/docs/spaces/R ... ionexample:
Top
 
hubiktomas
just joined
Topic Author
Posts: 5
Joined: Sat May 27, 2023 10:49 am

Re: Setup of a guest network with CAPsMAN and CAP ax APs

Sat Nov 02, 2024 3:11 pm

Hello,

I understand. However is it possible to isolate guest and main network using separate bridges? I think my setup is almost done, I am probably just missing some stupid detail which I cannot see now.

Thanks.
Top
 
neki
Member Candidate
Member Candidate
Posts: 250
Joined: Thu Sep 07, 2023 10:20 am

Re: Setup of a guest network with CAPsMAN and CAP ax APs

Sat Nov 02, 2024 3:43 pm

It is not possible. You are following wrong guides... You must look for guides for WiFi CAPsMAN, not Wireless CAPsMAN. WiFi CAPsMAN has only one mode: local forwarding, so guides that were suggesting manager forwarding mode (and bridge isolation) are not meant for you, they are for old Wireless CAPsMAN.

Bridges are always relevant only for device where they were created on. That means that CAPs have no idea what bridges exists on CAPsMAN and vice versa.
Top
 
hubiktomas
just joined
Topic Author
Posts: 5
Joined: Sat May 27, 2023 10:49 am

Re: Setup of a guest network with CAPsMAN and CAP ax APs

Sat Nov 02, 2024 6:53 pm

Oh. Thank you very much for clarification. So the Bridge selector in the Datapath tab is useless? I used to have the old CAPsMAN where I had it configured that way and it worked. So I did not really follow any specific guide, but configured the wifi in a similar manner after the RouterOS upgrade to the new version (6 -> 7).
Top
 
neki
Member Candidate
Member Candidate
Posts: 250
Joined: Thu Sep 07, 2023 10:20 am

Re: Setup of a guest network with CAPsMAN and CAP ax APs

Sat Nov 02, 2024 7:47 pm

It's not useless, just relevant only locally :)
Top
 
hubiktomas
just joined
Topic Author
Posts: 5
Joined: Sat May 27, 2023 10:49 am

Re: Setup of a guest network with CAPsMAN and CAP ax APs

Sat Nov 02, 2024 8:49 pm

Ok, thanks. So this is some change introduced with the new CAPsMAN? In the old one the separation using bridges worked. Anyway, I am trying to follow this https://help.mikrotik.com/docs/spaces/R ... i-CAPsMAN: I do not have experience with VLANs, but is it sufficient to create just one VLAN for guest WiFi and leave the rest just on the main bridge? I do not know if I need to play with the ports somehow. In my setup I have my CAPs connected to PoE switch CRS328-24P-4S+ ports ether16 to ether22 and my main router CCR2004-16G-2S+ serves as a CAPsMAN. Switch and router are connected to each other using interface bonding1. On the switch I was trying to add ether ports with CAPs to the VLAN using this:
Code: Select all
/interface bridge vlan
add bridge=bridge tagged=bridge,ether16,ether17,ether18,ether19,ether20,ether21,ether22 vlan-ids=100
But apparently I am missing something as I am not able to get IP address on my guest network. Could you please help me to fix it? The goal is to have just guest network separated with just access to the internet, no access to local network or other connected clients. The main network should be unified with the wired LAN, same address pool, main WiFi clients should be able to communicate with each other and also with wired network devices. Thank you very much.

My full router config is this one:
Code: Select all
# 2024-11-02 18:40:08 by RouterOS 7.16.1
#
# model = CCR2004-16G-2S+
/interface bridge
add name=bridge-main port-cost-mode=short vlan-filtering=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface vlan
add interface=bridge-main name=vlan-guest vlan-id=100
/interface bonding
add mode=802.3ad name=bonding1 slaves=ether15,ether16
add mode=802.3ad name=bonding2 slaves=ether13,ether14
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no name=channel-2 width=20/40mhz
add band=5ghz-ax disabled=no name=channel-5 width=20/40/80mhz
/interface wifi datapath
add bridge=bridge-main disabled=no name=datapath-main
add bridge=bridge-main client-isolation=yes disabled=no name=datapath-guest vlan-id=100
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no encryption=ccmp ft=yes ft-over-ds=yes name=sec-main wps=disable
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no encryption=ccmp ft=yes ft-over-ds=yes name=sec-guest wps=disable
/interface wifi configuration
add channel=channel-2 country=Czech datapath=datapath-main disabled=no mode=ap name=main-2 security=sec-main ssid=Main
add channel=channel-2 country=Czech datapath=datapath-guest disabled=no mode=ap name=guest-2 security=sec-guest ssid=Guest
add channel=channel-5 country=Czech datapath=datapath-guest disabled=no mode=ap name=guest-5 security=sec-guest ssid=Guest
add channel=channel-5 country=Czech datapath=datapath-main disabled=no mode=ap name=main-5 security=sec-main ssid=Main
/ip pool
add name=dhcp ranges=192.168.15.100-192.168.15.254
add name=dhcp-guest ranges=192.168.16.100-192.168.16.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay interface=bridge-main lease-time=12h name=dhcp1
add address-pool=dhcp-guest interface=vlan-guest lease-time=1h name=dhcp-guest
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
set 1 disk-file-count=10
add disk-file-count=10 disk-file-name=firewall-log name=firewall target=disk
/interface bridge port
add bridge=bridge-main interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether11 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=ether12 internal-path-cost=10 path-cost=10
add bridge=bridge-main disabled=yes interface=ether13 internal-path-cost=10 path-cost=10
add bridge=bridge-main disabled=yes interface=ether14 internal-path-cost=10 path-cost=10
add bridge=bridge-main disabled=yes interface=ether15 internal-path-cost=10 path-cost=10
add bridge=bridge-main disabled=yes interface=ether16 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=bonding1 internal-path-cost=10 path-cost=10
add bridge=bridge-main interface=bonding2 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge-main list=LAN
add interface=wireguard1 list=LAN
add interface=*14 list=LAN
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=bridge-main,*14 package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=main-2 slave-configurations=guest-2 supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=main-5 slave-configurations=guest-5 supported-bands=5ghz-ax
/interface wireguard peers
add allowed-address=172.18.0.2/32 interface=wireguard1 name=peer1 persistent-keepalive=30s public-key="KEY"
/ip address
add address=192.168.15.1/24 comment="default configuration" interface=bridge-main network=192.168.15.0
add address=192.168.16.1/24 interface=vlan-guest network=192.168.16.0
add address=172.18.0.1/24 interface=wireguard1 network=172.18.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.15.3 comment=AP1 mac-address=48:A9:8A:BA:2C:EA server=dhcp1
add address=192.168.15.4 comment=AP2 mac-address=48:A9:8A:BA:27:B6 server=dhcp1
add address=192.168.15.5 comment=AP3 mac-address=48:A9:8A:BA:2C:9A server=dhcp1
add address=192.168.15.6 comment=AP4 mac-address=48:A9:8A:BA:2D:0E server=dhcp1
add address=192.168.15.7 comment=AP5 mac-address=48:A9:8A:BA:2B:C6 server=dhcp1
add address=192.168.15.8 comment=AP6 mac-address=48:A9:8A:BA:2A:5A server=dhcp1
add address=192.168.15.9 comment=AP7 mac-address=48:A9:8A:BA:2B:DA server=dhcp1
/ip dhcp-server network
add address=192.168.15.0/24 dns-server=192.168.15.1 domain=domain.cz gateway=192.168.15.1 netmask=24
add address=192.168.16.0/24 comment=guest dns-server=8.8.8.8,8.8.4.4 gateway=192.168.16.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop all from WAN" in-interface-list=WAN
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="isolate guest and main network" in-interface=vlan-guest out-interface=bridge-main
add action=drop chain=forward comment="isolate guest and main network" in-interface=bridge-main out-interface=vlan-guest
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.15.20 to-ports=443
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=yes distance=1 dst-address=192.168.254.0/24 gateway=192.168.15.10 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system identity
set name=Gate
/system logging
set 0 topics=info,!firewall
add action=disk topics=critical
add action=disk topics=error
add action=firewall topics=firewall
add action=disk topics=warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes
/system routerboard settings
set auto-upgrade=yes
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
And switch config this one:
Code: Select all
# 2024-11-02 19:36:25 by RouterOS 7.16.1
#
# model = CRS328-24P-4S+
/interface bridge
add admin-mac=18:FD:74:A4:8D:C4 auto-mac=no comment=defconf name=bridge port-cost-mode=short vlan-filtering=yes
/interface bonding
add mode=802.3ad name=bonding1 slaves=ether23,ether24
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/port
set 0 name=serial0
/system logging action
set 1 disk-file-count=10
add disk-file-count=10 disk-file-name=flash/firewall-log name=firewall target=disk
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether11 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether12 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether13 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether14 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether15 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether16 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether17 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether18 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether19 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether20 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether21 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether22 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no interface=ether23 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf disabled=yes ingress-filtering=no interface=ether24 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus4 internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=bonding1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether16,ether17,ether18,ether19,ether20,ether21,ether22 vlan-ids=100
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip dhcp-client
add interface=bridge
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=Switch
/system logging
set 0 topics=info,!firewall
add action=disk topics=critical
add action=disk topics=error
add action=firewall topics=firewall
add action=disk topics=warning
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system routerboard settings
set auto-upgrade=yes
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
Top
 
neki
Member Candidate
Member Candidate
Posts: 250
Joined: Thu Sep 07, 2023 10:20 am

Re: Setup of a guest network with CAPsMAN and CAP ax APs

Sat Nov 02, 2024 9:58 pm

You can't go with VLANs just half the way. You must use them everywhere or don't use them... Don't worry, you can do it ;)

You need VLAN interfaces for all VLANs on main device, then the DHCP server is bond to VLAN interface of each VLAN.

Like this:
Code: Select all
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
add interface=bridge1 name=vlan20 vlan-id=20
add interface=bridge1 name=vlan30 vlan-id=30
add interface=bridge1 name=vlan40 vlan-id=40

/ip pool
add name=pool10 ranges=10.50.10.200-10.50.10.210
add name=pool20 ranges=10.50.20.100-10.50.20.200
add name=pool30 ranges=10.50.30.100-10.50.30.200
add name=pool40 ranges=10.50.40.100-10.50.40.200

/ip dhcp-server
add address-pool=pool10 interface=vlan10 lease-time=8h name=server10
add address-pool=pool20 interface=vlan20 lease-time=8h name=server20
add address-pool=pool30 interface=vlan30 lease-time=8h name=server30
add address-pool=pool40 interface=vlan40 lease-time=8h name=server40

At this point it would be also wise to disable one of the ports on the bridge, so you will be able to connect over MAC if something goes wrong.
Top
 
hubiktomas
just joined
Topic Author
Posts: 5
Joined: Sat May 27, 2023 10:49 am

Re: Setup of a guest network with CAPsMAN and CAP ax APs

Sun Nov 03, 2024 9:29 am

So it is not possible to have VLAN with some ID and DHCP assigned to that and then the rest of the network without any VLAN with DHCP assigned directly to the bridge? I mean just the guest network traffic will be tagged with VLAN and the rest not. Not sure if it is clear what I mean.
Top
 
dani9
just joined
Posts: 20
Joined: Tue Dec 14, 2021 12:18 am

Re: Setup of a guest network with CAPsMAN and CAP ax APs

Thu Nov 28, 2024 3:53 pm

Example with 1 router/ap: https://tangentsoft.com/mikrotik/wiki?n ... ns%20VLANs
Forum Thread: viewtopic.php?t=204963

It just works with 1 router/ap! It is mentioned with a VPN you could Tunnel your Guest traffic to your Gateway for multiple cap's.
Top
Post Reply
  4. RouterOS
  5. Wireless Networking