Community discussions

twik
just joined
Topic Author
Posts: 3
Joined: Fri Nov 29, 2024 9:56 am

CAPsMAN and VLAN filtering

Fri Nov 29, 2024 10:57 am

Hello,

I have this device setup:
Router -> Switch -> Access points

I have configured the access points with CAPsMAN with private and guest network.

Subnets:
- Bridge: 192.168.88.0/24
- Private wifi: 192.168.30.0/24
- Guest wifi: 192.168.20.0/24

I need a printer that is plugged into a wired port on one of the access points to be on the same subnet as the private wifi, so that it can be reached easily with Mac Bonjour. I created bridge VLANs with VLAN filtering and got it to work on the router, switch and the access point. But when I activate VLAN filtering on the switch and access points, the wifi stops working.

Does anyone have any clue? I have tried ChatGPT and read a bunch of forum topics without success.
 
holvoetn
Forum Guru
Posts: 6752
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPsMAN and VLAN filtering

Fri Nov 29, 2024 11:16 am

You do not specify which router, which switch, which APs (CAPsMAN behaviour w.r.t. VLANs is quite different when talking about legacy wireless or wave2 wifi).
You do not specify how things are connected.
And you do not show your config or what you already tried.

So I doubt anyone can have a clue without simply guessing away.
 
twik
just joined
Topic Author
Posts: 3
Joined: Fri Nov 29, 2024 9:56 am

Re: CAPsMAN and VLAN filtering

Fri Nov 29, 2024 12:41 pm

Got it! Was hoping for some obvious error :)

Router: RB5009UPr+S+
Switch: CRS328-24P-4S+
Access points: C53UiG+5HPaxD2HPaxD

Access points are wired to the switch. The switch is wired to the router.
So when I activate VLAN filtering on the switch, the wifi stops working.

Config for router, switch and AP.
# ROUTER CONFIG
####################################

# 2024-11-29 11:19:29 by RouterOS 7.14.3
# model = RB5009UPr+S+
/interface bridge
add admin-mac=78:9A:18:D0:8C:88 auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface wireguard
add listen-port=13231 mtu=1420 name=WG
/interface vlan
add interface=bridge name=vlan_bg_30 vlan-id=30
add interface=bridge name=vlan_guest_20 vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=5ghz-ax disabled=no name=5g
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=2,4 width=20mhz
add band=5ghz-ax disabled=no name="5g tech"
/interface wifi datapath
add bridge=bridge disabled=no name=lan
add bridge=bridge disabled=no name=guest_20 vlan-id=20
add bridge=bridge disabled=no name=bg_30 vlan-id=30
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption="" name=lan
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption="" name=\
    guest
/interface wifi configuration
add channel=5g channel.band=5ghz-ax country=[Country] datapath=bg_30 disabled=no \
    name=wifi-5g security=lan ssid=companyname
add channel=2,4 channel.band=2ghz-ax country=[Country] datapath=bg_30 disabled=\
    no mode=ap name=wifi-2,4 security=lan ssid=companyname
add channel=5g channel.band=5ghz-ax country=[Country] datapath=guest_20 \
    disabled=no name=wifi-guest-5g security=guest ssid=companyname-guest
add channel=2,4 channel.band=2ghz-ax country=[Country] datapath=guest_20 \
    disabled=no mode=ap name=wifi-guest-2,4 security=guest ssid=\
    companyname-guest
add channel="5g tech" channel.band=5ghz-ax country=[Country] datapath=lan \
    disabled=no name=wifi-tech-5g security=lan ssid=companyname-tech
add channel=2,4 channel.band=2ghz-ax country=[Country] datapath=lan disabled=no \
    mode=ap name=wifi-tech-2.4 security=lan ssid=companyname-tech
/interface wifi
add configuration=wifi-5g disabled=no name=cap7 radio-mac=18:FD:74:FE:97:91
add configuration=wifi-guest-5g disabled=no mac-address=1A:FD:74:FE:97:91 \
    master-interface=cap7 name=cap8
add configuration=wifi-tech-5g disabled=no mac-address=1A:FD:74:FE:97:92 \
    master-interface=cap7 name=cap9
add configuration=wifi-2,4 configuration.mode=ap disabled=no name=cap10 \
    radio-mac=18:FD:74:FE:97:92
add configuration=wifi-guest-2,4 disabled=no mac-address=1A:FD:74:FE:97:93 \
    master-interface=cap10 name=cap11
add configuration=wifi-tech-2.4 disabled=no mac-address=1A:FD:74:FE:97:94 \
    master-interface=cap10 name=cap12
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.5-192.168.30.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_pool1 interface=vlan_guest_20 lease-time=10m name=dhcp1
add address-pool=dhcp_pool2 interface=vlan_bg_30 lease-time=10m name=dhcp2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ether4,bridge vlan-ids=30
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=\
    none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=wifi-5g \
    name-format=cap slave-configurations=wifi-guest-5g,wifi-tech-5g \
    supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=wifi-2,4 \
    name-format=cap slave-configurations=wifi-guest-2,4,wifi-tech-2.4 \
    supported-bands=2ghz-ax
/interface wireguard peers
add allowed-address=192.168.40.2/32 comment=Tobias interface=WG private-key=\
    "wHficbRgpq5OJRPy77HVreaKxd/TAPUFljj3x+EfJVo=" public-key=\
    "4U40wNy/Fp4oweGa5WRi8rfNZFcrK3+icWnypWE0zw4="
add allowed-address=192.168.40.3/32 comment="P\C3\A4r" interface=WG \
    private-key="aKVd306oaKOCyADjYAGQB9/pbTRWp/naKZ0IEH/PkHs=" public-key=\
    "QvxmTLXKu5aiWPxTcaz5aLc4xbz45+kFqawqqx7hTis="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.20.1/24 interface=vlan_guest_20 network=192.168.20.0
add address=192.168.30.1/24 interface=vlan_bg_30 network=192.168.30.0
add address=192.168.40.1/24 interface=WG network=192.168.40.0
add address=[IP]/26 interface=ether1 network=213.136.57.0
/ip arp
add address=192.168.88.130 interface=bridge mac-address=00:25:90:5E:B7:D8
add address=192.168.88.102 interface=bridge mac-address=2A:FF:25:5F:17:43
add address=192.168.30.14 interface=vlan_bg_30 mac-address=00:41:0E:4A:F7:02
add address=192.168.88.131 interface=bridge mac-address=D6:07:2E:B1:EE:99
add address=192.168.88.83 interface=bridge mac-address=94:DD:F8:04:F7:A4
add address=192.168.88.139 interface=bridge mac-address=D8:3A:DD:B6:D4:81
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.88.139 client-id=1:d8:3a:dd:b6:d4:81 mac-address=\
    D8:3A:DD:B6:D4:81 server=defconf
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=8.8.8.8 gateway=192.168.30.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=[IP],[IP]
/ip firewall filter
add action=accept chain=forward comment="Allow companyname to printer" \
    dst-address=192.168.88.83 src-address=192.168.30.0/24
add action=accept chain=forward comment="Allow WireGuard to bridge" \
    dst-address=192.168.88.0/24 src-address=192.168.40.0/24
add action=accept chain=input comment="Allow Winbox from VPN subnet" \
    dst-port=8291 protocol=tcp src-address=192.168.40.0/24
add action=drop chain=forward comment="Block companyname to bridge" dst-address=\
    192.168.88.0/24 src-address=192.168.30.0/24
add action=drop chain=forward comment="Block companyname-guest to bridge" \
    dst-address=192.168.88.0/24 src-address=192.168.20.0/24
add action=drop chain=forward comment="Block companyname-guest to companyname" \
    dst-address=192.168.30.0/24 src-address=192.168.20.0/24
add action=drop chain=forward comment="Block companyname-guest to VPN" \
    dst-address=192.168.40.0/24 src-address=192.168.20.0/24
add action=drop chain=forward comment="Block companyname to VPN" dst-address=\
    192.168.40.0/24 src-address=192.168.30.0/24
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=Wireguard dst-port=13231 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
    new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat comment="Access bridge from VPN" dst-address=\
    192.168.88.0/24 src-address=192.168.40.0/24
/ip route
add disabled=no dst-address=10.6.12.0/24 gateway=138.199.55.3 routing-table=\
    main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# SWITCH CONFIG
####################################

# 1970-06-27 15:43:07 by RouterOS 7.14.3
# model = CRS328-24P-4S+
/interface bridge
add admin-mac=D4:01:C3:38:FD:84 auto-mac=no comment=defconf name=bridge
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment="Open landscape" interface=ether10
add bridge=bridge comment=defconf interface=ether11
add bridge=bridge comment="Tech Room" interface=ether12
add bridge=bridge comment=defconf interface=ether13
add bridge=bridge comment=defconf interface=ether14
add bridge=bridge comment=defconf interface=ether15
add bridge=bridge comment=defconf interface=ether16
add bridge=bridge comment=defconf interface=ether17
add bridge=bridge comment=defconf interface=ether18
add bridge=bridge comment=defconf interface=ether19
add bridge=bridge comment=defconf interface=ether20
add bridge=bridge comment=defconf interface=ether21 pvid=30
add bridge=bridge comment=defconf interface=ether22
add bridge=bridge comment=defconf interface=ether23
add bridge=bridge comment=defconf interface=ether24
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=sfp-sfpplus2
add bridge=bridge comment=defconf interface=sfp-sfpplus3
add bridge=bridge comment=defconf interface=sfp-sfpplus4
/interface bridge vlan
add bridge=bridge tagged=ether1,ether12 vlan-ids=20
add bridge=bridge tagged=ether1,ether12 vlan-ids=30
add bridge=bridge untagged=ether1 vlan-ids=1
/ip address
add address=192.168.88.2/24 comment=defconf interface=bridge network=\
    192.168.88.0
# ACCESS POINT CONFIG
####################################

# 2024-11-29 11:31:10 by RouterOS 7.14.3
# model = C53UiG+5HPaxD2HPaxD
/interface bridge
add admin-mac=18:FD:74:FE:97:8C auto-mac=no comment=defconf name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: companyname, channel: 5720/ax/eeeC
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp \
    disabled=no
# managed by CAPsMAN
# mode: AP, SSID: companyname, channel: 2462/ax
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp \
    disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether4 pvid=30
add bridge=bridgeLocal comment=defconf interface=ether5 pvid=30
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,bridgeLocal untagged=wifi2,wifi1 \
    vlan-ids=30
add bridge=bridgeLocal tagged=ether1,bridgeLocal untagged=*97,*98 vlan-ids=20
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal
 
holvoetn
Forum Guru
Posts: 6752
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPsMAN and VLAN filtering

Fri Nov 29, 2024 5:07 pm

You did not specify which port on your RB5009 goes to the switch.
Which port on the switch does it come in on?

Which ports on the switch are feeding the CAP devices?

Also, it is generally advised NOT to use VLAN 1. Use VLANs all the way or don't use them at all.
 
twik
just joined
Topic Author
Posts: 3
Joined: Fri Nov 29, 2024 9:56 am

Re: CAPsMAN and VLAN filtering

Fri Nov 29, 2024 5:30 pm

ether4 on the RB5009 to the switch.
ether10 and ether12 from the switch to the CAP devices.

With VLAN 1, I guess you mean the ID 1, right?
 
holvoetn
Forum Guru
Posts: 6752
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPsMAN and VLAN filtering

Fri Nov 29, 2024 5:55 pm

And still you don't answer all questions...
> ether4 on the RB5009 to the switch.
> ether10 and ether12 from the switch to the CAP devices.
Which incoming port on the switch?
From your switch config I see there is a trunk specified for ether1 and ether12 for VLANs 20 and 30.
> /interface bridge vlan
> add bridge=bridge tagged=ether1,ether12 vlan-ids=20
> add bridge=bridge tagged=ether1,ether12 vlan-ids=30
> add bridge=bridge untagged=ether1 vlan-ids=1
Nowhere is there ether10.
Is that your problem, perhaps? Are you having issues on both CAPs or only one?
> With VLAN 1, I guess you mean the ID 1, right?
Yes.
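The check holvoetn did by eye (is every uplink a tagged member of every VLAN it has to carry?) written as a script, so it can be re-run after each edit instead of re-reading the export. This is an added example for this thread, not MikroTik code and not anything the participants posted. The two sample inputs are constructed from the bridge, bridge port and bridge vlan sections of the switch and CAP exports above; the trunk lists encode the cabling stated in the thread (switch ether1 to the router, ether10 and ether12 to the CAPs, CAP ether1 as the uplink) and are an assumption in that sense. Besides the missing-tagged-member check, the script applies two generic checks the thread itself does not discuss: a port's frame-types against its role (a trunk set to admit-only-untagged-and-priority-tagged drops tagged frames once vlan-filtering is turned on; an access port set to admit-only-vlan-tagged drops what an end device sends), and `*NN` members, which is how an export prints references to interfaces that no longer exist.

```python
"""Audit a RouterOS bridge-VLAN table for mistakes that surface when vlan-filtering=yes.

Added example for this forum thread, not MikroTik code. Parses the bridge,
bridge-port and bridge-vlan sections of an '/export' and reports trunk ports
missing from a VLAN's tagged list, frame-types that contradict a port's role,
and '*NN' members (references to deleted interfaces).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the relevant lines of the CRS328 export posted above.
SWITCH_EXPORT = r"""
/interface bridge
add admin-mac=D4:01:C3:38:FD:84 auto-mac=no comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment="Open landscape" interface=ether10
add bridge=bridge comment="Tech Room" interface=ether12
add bridge=bridge comment=defconf interface=ether21 pvid=30
/interface bridge vlan
add bridge=bridge tagged=ether1,ether12 vlan-ids=20
add bridge=bridge tagged=ether1,ether12 vlan-ids=30
add bridge=bridge untagged=ether1 vlan-ids=1
"""
# Constructed sample: the relevant lines of the cAP ax export posted above.
AP_EXPORT = r"""
/interface bridge
add admin-mac=18:FD:74:FE:97:8C auto-mac=no comment=defconf name=bridgeLocal
/interface bridge port
add bridge=bridgeLocal comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether1
add bridge=bridgeLocal comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether4 pvid=30
add bridge=bridgeLocal comment=defconf interface=ether5 pvid=30
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,bridgeLocal untagged=wifi2,wifi1 \
    vlan-ids=30
add bridge=bridgeLocal tagged=ether1,bridgeLocal untagged=*97,*98 vlan-ids=20
"""
# Assumed trunks, taken from the cabling stated in the thread.
SWITCH_TRUNKS = {"ether1": {20, 30}, "ether10": {20, 30}, "ether12": {20, 30}}
AP_TRUNKS = {"ether1": {20, 30}}

KV = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S+)')  # key=value or key="quoted value"

@dataclass
class Bridge:
    vlan_filtering: bool = False
    ports: dict = field(default_factory=dict)  # port -> {"pvid": int, "frame_types": str}
    vlans: dict = field(default_factory=dict)  # vlan id -> {"tagged": set, "untagged": set}

def _join_continuations(text):
    """Glue the backslash-continued lines of an export back into one line each."""
    lines, buf = [], None
    for raw in text.splitlines():
        line = raw.lstrip() if buf is not None else raw
        if line.endswith("\\"):
            buf = (buf or "") + line[:-1]
        else:
            lines.append((buf or "") + line)
            buf = None
    return lines

def _vids(spec):
    """'20', '20,30' or '20-30' -> set of VLAN ids."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def parse_export(text):
    cfg, section = Bridge(), None
    for line in _join_continuations(text):
        line = line.strip()
        if line.startswith("/"):
            section = line
            continue
        if not line.startswith(("add ", "set ")):
            continue
        kv = {k: v.strip('"') for k, v in KV.findall(line)}
        if section == "/interface bridge":
            cfg.vlan_filtering = kv.get("vlan-filtering") == "yes"
        elif section == "/interface bridge port":
            cfg.ports[kv["interface"]] = {"pvid": int(kv.get("pvid", 1)),
                                          "frame_types": kv.get("frame-types", "admit-all")}
        elif section == "/interface bridge vlan":
            for vid in _vids(kv["vlan-ids"]):
                entry = cfg.vlans.setdefault(vid, {"tagged": set(), "untagged": set()})
                entry["tagged"].update(filter(None, kv.get("tagged", "").split(",")))
                entry["untagged"].update(filter(None, kv.get("untagged", "").split(",")))
    return cfg

def audit(text, trunks):
    """Return findings as strings; an empty list means the table matches the trunks."""
    cfg, findings = parse_export(text), []
    for port, vids in trunks.items():  # every trunk must be a tagged member of its VLANs
        ft = cfg.ports.get(port, {}).get("frame_types", "admit-all")
        if ft == "admit-only-untagged-and-priority-tagged":
            findings.append(f"{port}: trunk with frame-types={ft} drops tagged frames")
        for vid in sorted(vids):
            if port not in cfg.vlans.get(vid, {}).get("tagged", set()):
                findings.append(f"{port}: not a tagged member of VLAN {vid}")
    for port, p in sorted(cfg.ports.items()):  # access port that refuses untagged frames
        if p["frame_types"] == "admit-only-vlan-tagged" and p["pvid"] != 1:
            findings.append(f"{port}: pvid={p['pvid']} but frame-types drops untagged frames")
    for vid, entry in sorted(cfg.vlans.items()):  # '*NN' = reference to a deleted interface
        for name in sorted(entry["tagged"] | entry["untagged"]):
            if name.startswith("*"):
                findings.append(f"VLAN {vid}: member {name} refers to a deleted interface")
    return findings

if __name__ == "__main__":
    for label, text, trunks in (("switch", SWITCH_EXPORT, SWITCH_TRUNKS), ("cap", AP_EXPORT, AP_TRUNKS)):
        print(f"== {label} (vlan-filtering={'yes' if parse_export(text).vlan_filtering else 'no'})")
        for f in audit(text, trunks) or ["no findings"]:
            print("  " + f)
```

On the switch sample the only findings are ether10 missing from the tagged list of VLAN 20 and VLAN 30, which is holvoetn's point. On the CAP sample the script reports the uplink's frame-types, the access port set to admit-only-vlan-tagged, and the two `*NN` members in VLAN 20; whether those are what breaks the wifi on the CAP is for the poster to test, the script only shows where the table and the port settings disagree. PVID VLANs are not checked for untagged membership because RouterOS adds those entries dynamically once filtering is on.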
