Community discussions

MikroTik App
  4. RouterOS
  5. Wireless Networking

7.18 CAPSMAN v2 VLAN provisioning problem to WAP ax

Post Reply
 
akliouev
just joined
Topic Author
Posts: 19
Joined: Wed Dec 25, 2013 9:24 am

7.18 CAPSMAN v2 VLAN provisioning problem to WAP ax

Sat Mar 29, 2025 6:11 am

Greetings,

I'm banging my head over a seemingly trivial problem that should work out of the box but for some reason donesn't...

I have a 5009 operating as CAPSMAN (running 7.18) servicing a bunch of WAP ac's and one new WAP ax (running 7.18.2). I need to serve 3 SSIDs and traffic from each have to be mapped to a specific VLAN.

The "AC" part of the network is working normally but I struggle to provision vlans for slave interfaces of the WAP ax for some reason
The example for the wifi documentation doesn't work either and also doesn't use vlan-filtering on the CAP device -- something I need in this case

My relevant CAPSMAN config is by-the-book and is as follows:
Code: Select all
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=channel-cfg-2g-ax reselect-interval=1h..2h secondary-frequency=disabled skip-dfs-channels=all width=20mhz
add band=5ghz-ax disabled=no frequency=5180,5260,5500,5580,5660,5745 name=channel-cfg-5g-ax reselect-interval=1h..2h skip-dfs-channels=all width=20/40/80mhz

/interface wifi datapath
add disabled=no name=datapath-Hygge vlan-id=10
add disabled=no name=datapath-hn vlan-id=20
add disabled=no name=datapath-guest vlan-id=40

/interface wifi security
[skipped]

/interface wifi steering
add disabled=no name=steering-Hygge rrm=yes wnm=yes
add disabled=no name=steering-hn rrm=yes wnm=yes
add disabled=no name=steering-guests rrm=yes wnm=yes

/interface wifi configuration
add channel=channel-cfg-2g-ax channel.band=2ghz-ax datapath=datapath-Hygge disabled=no mode=ap name=cfg-Hygge-2g-ax security=sec-cfg-hygge ssid=Hygge steering=steering-Hygge
add channel=channel-cfg-5g-ax channel.band=5ghz-ax datapath=datapath-Hygge disabled=no mode=ap name=cfg-Hygge-5g-ax security=sec-cfg-hygge ssid=Hygge_5G steering=steering-Hygge
add datapath=datapath-hn disabled=no mode=ap name=cfg-hn-n-ax security=sec-cfg-hn ssid=hn steering=steering-hn
add datapath=datapath-guest disabled=no mode=ap name=cfg-guest-n-ax security=sec-cfg-guest ssid=GuestWiFi steering=steering-guests

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg-Hygge-5g-ax name-format=%I-5G-AX- supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cfg-Hygge-2g-ax name-format=%I-2G-AX- slave-configurations=cfg-hn-n-ax,cfg-guest-n-ax supported-bands=2ghz-ax
The CAP's config is seemingly also by-the-book:
Code: Select all
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether1
/interface bridge vlan
add bridge=bridge tagged=ether1,ether2,bridge vlan-ids=10
add bridge=bridge tagged=bridge,ether1,ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether1,ether2 vlan-ids=40

/interface wifi
# managed by CAPsMAN xx:xx:xx:xx:xx:xx%bridge, traffic processing on CAP
# mode: AP, SSID: Hygge, channel: 2462/ax
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath.bridge=bridge disabled=no
# managed by CAPsMAN xx:xx:xx:xx:xx:xx%bridge, traffic processing on CAP
# mode: AP, SSID: Hygge_5G, channel: 5745/ax/Ceee
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath.bridge=bridge disabled=no
/interface wifi cap
set discovery-interfaces=bridge enabled=yes slaves-datapath=cap-dp slaves-static=no
/interface wifi datapath
add bridge=bridge disabled=no name=cap-dp
When enabled, the WAP ax does get the config and provisions the master configurations correctly and seem to apply the slave configurations:
Code: Select all
/inter wifi print 
Flags: M - MASTER; D - DYNAMIC; B - BOUND; R - RUNNING
Columns: NAME, MASTER-INTERFACE, CONFIGURATION.MODE
#      NAME   MASTER-INTERFACE  CONFIGURATION.MODE
;;; managed by CAPsMAN xx:xx:xx:xx:xx:xx%bridge, traffic processing on CAP
;;; mode: AP, SSID: Hygge, channel: 2462/ax
0 M BR wifi1                    ap                
                                                  
;;; managed by CAPsMAN xx:xx:xx:xx:xx:xx%bridge, traffic processing on CAP
;;; mode: AP, SSID: Hygge_5G, channel: 5745/ax/Ceee
1 M BR wifi2                    ap                
                                                  
;;; managed by CAPsMAN xx:xx:xx:xx:xx:xx%bridge, traffic processing on CAP
;;; mode: AP, SSID: hn
2  DBR wifi3  wifi1                               
                                                  
;;; managed by CAPsMAN xx:xx:xx:xx:xx:xx%bridge, traffic processing on CAP
;;; mode: AP, SSID: GuestWiFi
3  DBR wifi4  wifi1
BUT fails to assign the slave interfaces to the configured VLANs :
Code: Select all
/interface/bridge/port print
Flags: I - INACTIVE; D - DYNAMIC
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, HORIZON
#    INTERFACE  BRIDGE  HW   PVID  PRIORITY  HORIZON
0 I  ether2     bridge  yes     1  0x80      none   
1    ether1     bridge  yes     1  0x80      none   
2  D wifi1      bridge         10  0x80      none   
3  D wifi2      bridge         10  0x80      none   
4  D wifi3      bridge          1  0x80      none   
5  D wifi4      bridge          1  0x80      none
It's supposed to be a "textbook" usecase for ax devices and it doesn't work :-( Looks like I'm missing some little tweak but I'm all out of google-fu....
Can anybody point me to the right direction?
Top
 
erlinden
Forum Guru
Forum Guru
Posts: 3016
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: 7.18 CAPSMAN v2 VLAN provisioning problem to WAP ax

Sat Mar 29, 2025 9:48 am

Seems that you did just fine. What I did (near similar config) is this:
Code: Select all
interface bridge
add admin-mac=XX:XX:XX:XX:XX auto-mac=no frame-types=admit-only-vlan-tagged name=bridgeLocal protocol-mode=none \
    vlan-filtering=yes
/interface vlan
add interface=bridgeLocal name=MGT-VLAN vlan-id=99
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN XX:XX:XX:XX:XX%MGT-VLAN, traffic processing on CAP
# mode: AP, SSID: ssid, channel: 2462/ax
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath=capdp disabled=no
# managed by CAPsMAN XX:XX:XX:XX:XX%MGT-VLAN, traffic processing on CAP
# mode: AP, SSID: ssid, channel: 5700/ax/Ce/D
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf frame-types=admit-only-vlan-tagged interface=ether1
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=50
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=51
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=99
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=53
/interface wifi cap
set discovery-interfaces=MGT-VLAN enabled=yes slaves-datapath=capdp
The difference? Using a specific (management) VLAN for communication with CAPsMAN and allow only tagged frames on the bridge and ether1 (I'm not using ethter2).

As you mention running wAP ac's as well, are you sure that the correct configuration is provisioned to the AX's?
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 13704
Joined: Thu Mar 03, 2016 10:23 pm

Re: 7.18 CAPSMAN v2 VLAN provisioning problem to WAP ax

Sat Mar 29, 2025 11:57 am

BUT fails to assign the slave interfaces to the configured VLANs :
Code: Select all
/interface/bridge/port print

Can you check also output of /interface/bridge/vlan/print on wAP ax?

Setting PVID to value of vlan-id by CAPsMAN on CAP wifi interface is superfluous as wifi-qcom driver sctually does the VLAN tagging. On my CAPsMAN-controlled wAP ax, all interfaces are set as tagged members of corresponding VLANs (but all have PVID set as well, including slave SSIDs).
One difference I see between your and my CAPsMAN configuration is that I have "action=create-enabled" in provisioning.
Top
 
akliouev
just joined
Topic Author
Posts: 19
Joined: Wed Dec 25, 2013 9:24 am

Re: 7.18 CAPSMAN v2 VLAN provisioning problem to WAP ax

Sat Mar 29, 2025 12:16 pm

Thanks for the suggestions but it seems like something is off with this WAP ax:

The provisioning rules for AX devices are correct -- I've got a CAP ax, reset it into CAP mode and it jumped right in to the network with the correct VLAN IDs on both master and slave interfaces. Had to switch on vlan filtering on the bridge and add my vlans with my ethernet ports as "tagged"

Did exactly the same thing with the WAP ax -- reset to CAP mode, enable vlan filtering and add vlans and my ethernet ports.
WAP ax does jump right in on the same provisioning rule, creates slave interfaces but puts them to vlan 1 for some reason. The master interfaces are working correctly -- assigned to the correct VLAN and clients are to be found in the correct network. Slaves can be joined but have no connectivity.

Making the slaves static and assigning them to the correct vlans (something I had to do for the fleet of AC devices in this network) doesn't help -- clients can join the slave SSIDs but there's still no connectivity :-(

@mkx -- the results are in my original post : the slaves (wifi3 and wifi4) are dynamic and have PID=1

Will try to netinstall the WAP ax and try again later I guess...
Top
 
erlinden
Forum Guru
Forum Guru
Posts: 3016
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: 7.18 CAPSMAN v2 VLAN provisioning problem to WAP ax

Sat Mar 29, 2025 12:25 pm

Can you share the complete config of both wAP AX and cAP AX?
Are all devices running the same RouterOS version? And is firmware upgraded as well?

Apart from the problems (have you tried a re-provision of the radio?):
Code: Select all
 /interface wifi channel
add band=5ghz-ax disabled=no frequency=5180,5260,5500,5580,5660,5745 name=channel-cfg-5g-ax reselect-interval=1h..2h skip-dfs-channels=all width=20/40/80mhz
Why set DFS frequencies and then set skip-dfs-channels=all?
Top
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 13704
Joined: Thu Mar 03, 2016 10:23 pm

Re: 7.18 CAPSMAN v2 VLAN provisioning problem to WAP ax

Sat Mar 29, 2025 12:49 pm

@mkx -- the results are in my original post : the slaves (wifi3 and wifi4) are dynamic and have PID=1

If they are, they are hidden from me. I'm asking about output of /interface/bridge/vlan/print ... while I can see output of /interface/bridge/port/print in your initial post.
Top
 
akliouev
just joined
Topic Author
Posts: 19
Joined: Wed Dec 25, 2013 9:24 am

Re: 7.18 CAPSMAN v2 VLAN provisioning problem to WAP ax

Sun Mar 30, 2025 1:35 pm

The WAP ax was disconnected and relocated to the "lab area" of the site
After powering it back on today, removing the statically assigned slave wifi interfaces from the bridge, removing the "static slaves" in the settings of CAP it magically started to work as expected even before I've netinstalled it. I guess the reboot worked it's magic as I can't figure out any other rational explanation...

Here's some readings from the WAP ax:

First to answer the SW version questions:
Code: Select all
/sys routerboard print 
       routerboard: yes            
        board-name: wAP ax         
             model: wAPG-5HaxD2HaxD
     serial-number: REDACTED    
     firmware-type: ipq5000        
  factory-firmware: 7.15.2         
  current-firmware: 7.18.2         
  upgrade-firmware: 7.18.2
If they are, they are hidden from me. I'm asking about output of /interface/bridge/vlan/print ... while I can see output of /interface/bridge/port/print in your initial post.

@mkx -- my bad -- missed that you requested the PORT not the VLAN
Here's the bridges port status, requested by @mkx (). As you can see now everything is as supposed to be:
Code: Select all
/inter bridge/port/print 
Flags: I - INACTIVE; D - DYNAMIC
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, HORIZON
#    INTERFACE  BRIDGE       HW   PVID  PRIORITY  HORIZON
;;; defconf
0    ether1     bridgeLocal  yes     1  0x80      none   
;;; defconf
1 I  ether2     bridgeLocal  yes     1  0x80      none   
2  D wifi1      bridgeLocal         10  0x80      none   
3  D wifi7      bridgeLocal         20  0x80      none   
4  D wifi9      bridgeLocal         40  0x80      none   
5  D wifi2      bridgeLocal         10  0x80      none
And finally the redacted config (nothing to write home about really -- defaults with some tagging on the ethernet ports):
Code: Select all
/export
# 2025-03-30 13:03:03 by RouterOS 7.18.2
# software id = AZ4Z-X6DG
#
# model = wAPG-5HaxD2HaxD
# serial number = REDACTED
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridgeLocal \
    vlan-filtering=yes
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN CC:CC:CC:CC:CC:CC%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: Hygge, channel: 2412/ax
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp \
    disabled=no
# managed by CAPsMAN CC:CC:CC:CC:CC:CC%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: Hygge_5G, channel: 5745/ax/Ceee
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp \
    disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1,ether2 vlan-ids=10
add bridge=bridgeLocal tagged=bridgeLocal,ether1,ether2 vlan-ids=20
add bridge=bridgeLocal tagged=bridgeLocal,ether1,ether2 vlan-ids=40
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp \
    slaves-static=no
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system logging
add topics=caps,debug
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/tool romon
set enabled=yes
For comparison, here's the same from the CAP ax that worked right out of the box:
Code: Select all
/sys router print 
       routerboard: yes             
        board-name: cAP ax          
             model: cAPGi-5HaxD2HaxD
     serial-number: REDACTED     
     firmware-type: ipq6000         
  factory-firmware: 7.14.1          
  current-firmware: 7.14.1          
  upgrade-firmware: 7.18.2
Code: Select all
/interface/bridge/port print
Flags: I - INACTIVE; D - DYNAMIC
Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, HORIZON
#    INTERFACE  BRIDGE       HW   PVID  PRIORITY  HORIZON
;;; defconf
0    ether1     bridgeLocal  yes     1  0x80      none   
;;; defconf
1 I  ether2     bridgeLocal  yes     1  0x80      none   
2  D wifi1      bridgeLocal         10  0x80      none   
3  D wifi2      bridgeLocal         10  0x80      none   
4  D wifi3      bridgeLocal         20  0x80      none
Code: Select all
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridgeLocal vlan-filtering=yes
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN CC:CC:CC:CC:CC:CC%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: Hygge_5G, channel: 5745/ax/Ceee
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
# managed by CAPsMAN CC:CC:CC:CC:CC:CC%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: Hygge, channel: 2412/ax
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1,ether2 vlan-ids=10
add bridge=bridgeLocal tagged=bridgeLocal,ether1,ether2 vlan-ids=20
add bridge=bridgeLocal tagged=bridgeLocal,ether1,ether2 vlan-ids=40
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system identity
set name=RoundAP-AX-8
/system note
set show-at-login=no
/tool romon
set enabled=yes
...
Code: Select all
 /interface wifi channel
add band=5ghz-ax disabled=no frequency=5180,5260,5500,5580,5660,5745 name=channel-cfg-5g-ax reselect-interval=1h..2h skip-dfs-channels=all width=20/40/80mhz
Why set DFS frequencies and then set skip-dfs-channels=all?

To answer @erlinden's question on DFS channels -- it's temporary in order to make the APs light up in 5Ghz ASAP for debugging. The installation is indoors and I'll enable 10min CAC as soon as I'll polish out all the gremlins
Thanks for your time!
Top
 
erlinden
Forum Guru
Forum Guru
Posts: 3016
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: 7.18 CAPSMAN v2 VLAN provisioning problem to WAP ax

Sun Mar 30, 2025 1:59 pm

Could it be that you used "create enabled" at some point? Otherwise, there shouldn't be any static slaves (especially they should not remain any after a reboot).

Glad it is solved! And welcome to the mysteries of CAPsMAN 8)
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 23419
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: 7.18 CAPSMAN v2 VLAN provisioning problem to WAP ax

Sun Mar 30, 2025 10:45 pm

Yup, hair turned grey, or loss of hair, skin aged, and suddenly it works. to bad the OP has no clue why, nothing learned. caps SUCKETH the big bone.
Top
 
gotsprings
Forum Guru
Forum Guru
Posts: 2335
Joined: Mon May 14, 2012 9:30 pm

Re: 7.18 CAPSMAN v2 VLAN provisioning problem to WAP ax

Mon Mar 31, 2025 8:02 pm

I have actually had a working caps-man system with the new AX stuff. When I tried to get AC going... Problems of plenty
Top
Post Reply
  4. RouterOS
  5. Wireless Networking