Tim033
just joined
Topic Author
Posts: 21
Joined: Mon Oct 21, 2013 4:19 pm

Help with this question.

Fri Apr 05, 2019 2:41 pm

I have the following scenario, where I want to introduce MikroTik equipment.
On the one hand there is a pfSense router that I cannot change, and that performs the Internet output, with an interface in VLAN 798 and an IP in that VLAN.
On the other hand I have MikroTik equipment, which is configured in CAP mode against an MKT ROUTER that acts as CAPsMAN, with a datapath defined on a bridge between the MKT interface in VLAN 798 (for example, this VLAN number) and the WLANs. This interface of the MKT also has an IP (although the IP address is not necessary).
I also do a DHCP relay that allows me to associate an IP to my WLAN clients, using pfSense as DHCP server.
All this works, BUT (there is always a but): from a WLAN client that is associated and gets an IP, I reach the MikroTik equipment, in both directions. From the ROUTER MKT I reach the pfSense. But from the WLAN clients I do not reach the pfSense.
Two clients, associated to different CAPs (or to the same one), do see each other.

It seems that the packet injection is done correctly from the WLANs of the CAPs to the CAPsMAN, but they cannot reach the pfSense, although this should be at level 2.

Any ideas?

Extract of config for CAPSMAN:

/interface bridge
add name=bri_VL798
/interface ethernet
set [ find default-name=ether6 ] disable-running-check=no name=eth_798_WIFI_GIJON
/caps-man datapath
add arp=enabled bridge=bri_VL798 name=dp-VL798
/caps-man rates
add basic=2Mbps,11Mbps,6Mbps,36Mbps,54Mbps name=rate1 supported=2Mbps,11Mbps,6Mbps,54Mbps
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=conpassword passphrase=secret123
add authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm name=RADIUS
add name=sinpassword
/caps-man configuration
add channel.band=2ghz-g/n country=spain datapath=dp-VL798 datapath.local-forwarding=no distance=indoors hw-protection-mode=cts-to-self installation=indoor mode=ap name=Cfg_BIB_2G security=sinpassword ssid=BIB-2
add channel.band=5ghz-n/ac country=spain datapath=dp-VL798 datapath.local-forwarding=no distance=indoors hw-protection-mode=cts-to-self installation=indoor mode=ap name=Cfg_BIB_5G security=sinpassword ssid=BIB-5
/interface list
add name=DISCOVERY
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool_HS ranges=192.168.109.1-192.168.109.250
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=any signal-range=-80..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=any signal-range=-120..-81 ssid-regexp=""
/caps-man manager
set enabled=yes package-path=/disk1/repositorio upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=eth_069_HS
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=g identity-regexp=BIB- master-configuration=Cfg_BIB_2G name-format=prefix-identity name-prefix=2G-
add action=create-dynamic-enabled hw-supported-modes=ac identity-regexp=BIB- master-configuration=Cfg_BIB_5G name-format=prefix-identity name-prefix=5G-
/interface bridge port
add bridge=bri_VL798 interface=eth_798_WIFI_GIJON
/ip address
add address=192.168.109.253/24 interface=eth_069_HS network=192.168.109.0
/ip dhcp-relay
add dhcp-server=192.168.51.254 disabled=no interface=bri_VL798 name=relay1
/ip firewall nat
add action=masquerade chain=srcnat log=yes out-interface=eth_103_WAN
/system identity
set name=CAPSMANAGER

CAPs config:

/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(20dBm), SSID: BIB-2, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
# channel: 5200/20-eCee/ac(23dBm), SSID: BIB-5, CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface wireless cap
set caps-man-addresses=192.168.109.253 enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/system identity
set name=BIB-A63
/system ntp client
set enabled=yes primary-ntp=150.214.94.5

P.S. This same configuration with a Cisco WLC controller works for me. If I replace the Cisco functionality with MKT I find this "atypical" scenario.
 
mkx
Forum Guru
Posts: 13294
Joined: Thu Mar 03, 2016 10:23 pm

Re: Help with this question.

Fri Apr 05, 2019 3:38 pm

The capsman config is not complete, so it's impossible to tell where the problem is.

However: you're saying that pfSense is using a VLAN, so I'll assume that the connection between pfSense and the RB (the one running capsman) should be tagged. The exported config shows that the ethernet interface is made a member of the bridge, meaning that bridge bri_VL798 is carrying tagged frames. CAP datapaths are merged into the same bridge ... and I'm pretty sure those are supposed to be untagged.
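As an added example (not code from the thread, and not a MikroTik tool), here is a small Python cross-reference checker run over the CAPsMAN export extract from the first post. It checks the things the reply above turns on: that the datapath bridge exists and has a wired port, whether the configurations use CAPsMAN forwarding (datapath.local-forwarding=no), that the DHCP relay listens on that bridge, and whether every interface referenced in the extract is also defined in it. The key/value grammar it assumes covers this export only, not RouterOS exports in general, and the wording of the findings is mine.

```python
"""Cross-reference checker for a RouterOS export extract (added example).

Checks the layer-2 path CAPsMAN needs from WLAN clients to the wire:
datapath -> bridge -> bridge port, DHCP relay on that bridge, and that
every referenced interface is defined. The add/set grammar below is an
assumption that covers this export, not a full RouterOS parser.
"""
import re
from collections import defaultdict

# Lines copied from the CAPsMAN export in the original post, trimmed to
# the sections the checks use.
CAPSMAN_EXPORT = """\
/interface bridge
add name=bri_VL798
/interface ethernet
set [ find default-name=ether6 ] disable-running-check=no name=eth_798_WIFI_GIJON
/caps-man datapath
add arp=enabled bridge=bri_VL798 name=dp-VL798
/caps-man configuration
add channel.band=2ghz-g/n datapath=dp-VL798 datapath.local-forwarding=no mode=ap name=Cfg_BIB_2G ssid=BIB-2
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=eth_069_HS
/interface bridge port
add bridge=bri_VL798 interface=eth_798_WIFI_GIJON
/ip address
add address=192.168.109.253/24 interface=eth_069_HS network=192.168.109.0
/ip dhcp-relay
add dhcp-server=192.168.51.254 disabled=no interface=bri_VL798 name=relay1
"""

FIND_RE = re.compile(r"\[\s*find\s+([^\]]*)\]")


def parse_export(text):
    """Return {section: [entry, ...]}; a 'set [ find k=v ]' selector is
    stored as '_find_k' so a renamed default port can be resolved."""
    sections = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # export comments carry no config
        if line.startswith("/"):
            section = line                # e.g. "/caps-man datapath"
            continue
        verb, _, rest = line.partition(" ")
        entry = {"_verb": verb}
        m = FIND_RE.search(rest)
        if m:
            for tok in m.group(1).split():
                k, _, v = tok.partition("=")
                entry["_find_" + k] = v
            rest = rest[: m.start()] + rest[m.end():]
        for tok in rest.split():
            k, _, v = tok.partition("=")
            entry[k] = v
        sections[section].append(entry)
    return sections


def defined_interfaces(cfg):
    """Names that exist as bridges or ethernet ports in the extract."""
    names = {e["name"] for e in cfg["/interface bridge"]}
    for e in cfg["/interface ethernet"]:
        names.add(e.get("name") or e.get("_find_default-name"))
    return names


def check_capsman_l2_path(cfg):
    """Return human-readable findings about the CAPsMAN datapath wiring."""
    findings = []
    bridges = {e["name"] for e in cfg["/interface bridge"]}
    ports = defaultdict(list)
    for e in cfg["/interface bridge port"]:
        ports[e["bridge"]].append(e["interface"])
    for dp in cfg["/caps-man datapath"]:
        br = dp.get("bridge")
        if br not in bridges:
            findings.append(f"datapath {dp['name']}: bridge {br} is not defined")
        elif not ports[br]:
            findings.append(f"datapath {dp['name']}: bridge {br} has no wired port, "
                            "so client frames cannot leave the router at L2")
        else:
            findings.append(f"datapath {dp['name']}: bridge {br} uplink via "
                            + ",".join(ports[br]))
    for c in cfg["/caps-man configuration"]:
        if c.get("datapath.local-forwarding") == "no":
            findings.append(f"configuration {c['name']}: CAPsMAN forwarding, client "
                            "frames are tunnelled from the CAP to the manager")
    for r in cfg["/ip dhcp-relay"]:
        where = "bridge" if r["interface"] in bridges else "non-bridge interface"
        findings.append(f"dhcp-relay {r['name']}: on {where} {r['interface']}, "
                        f"server {r['dhcp-server']}")
    # Every interface named in these sections must be defined somewhere.
    referenced = set()
    for sec in ("/caps-man manager interface", "/interface bridge port",
                "/ip address", "/ip dhcp-relay"):
        referenced.update(e["interface"] for e in cfg[sec] if "interface" in e)
    for name in sorted(referenced - defined_interfaces(cfg)):
        findings.append(f"interface {name} is referenced but not defined in the extract")
    return findings


if __name__ == "__main__":
    for line in check_capsman_l2_path(parse_export(CAPSMAN_EXPORT)):
        print(line)
```

On the extract as posted it reports that dp-VL798 reaches the wire through eth_798_WIFI_GIJON on bri_VL798, that the configuration uses CAPsMAN forwarding, that relay1 sits on that bridge, and that eth_069_HS (the CAPsMAN manager interface and address holder) is referenced but never defined in the extract, which is the kind of gap the reply above means by an incomplete config.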
 
Tim033
just joined
Topic Author
Posts: 21
Joined: Mon Oct 21, 2013 4:19 pm

Re: Help with this question.

Fri Apr 05, 2019 4:27 pm

Thanks MKX. pfSense and the MKT Router are connected using an ethernet port in access mode (connected via Cisco equipment) without VLAN tagging.

Note that it is possible to ping between the MKT and the WLAN clients (I assume that the tagging in the CAPsMAN datapath config is ok), and between the MKT and pfSense. It is not possible between pfSense and the WLAN clients, and vice versa.
I believe that the traffic on the ethernet (and bridge) is untagged.
It looks like capsman is not injecting traffic into the bridge. ... Maybe...? I'm confused.

Thanks for your reply.