kunago
newbie
Topic Author
Posts: 26
Joined: Sun Mar 09, 2014 1:58 pm

CAPsMAN with VLAN not working properly

Sun Mar 18, 2018 10:28 am

What I am trying to achieve and failing to do so is to have a DHCP server that would serve IPs to my LAN and to CAPsMAN clients while being in a single VLAN. All clients in this VLAN should be able to reach each other while isolated from other VLANs.

So far I was able to make it work for CAPsMAN only. With the following setup my CAPsMAN clients properly receive IPs and receive VLAN tag, while it does not work for LAN clients. Those are unreachable by any means, do not receive an IP address from DHCP server. I tried to have the LAN clients to connect directly to Mikrotik where I have the DHCP server but it does not seem to work. Those interfaces I am connecting to are in bridge and that bridge has a VLAN interface.

Could someone please help?
/interface bridge
add fast-forward=no name="bridge company"
add fast-forward=no name="bridge company host"

/interface ethernet
set [ find default-name=ether1 ] name=ether01
set [ find default-name=ether2 ] name=ether02
set [ find default-name=ether3 ] name=ether03
set [ find default-name=ether4 ] name=ether04
set [ find default-name=ether5 ] name=ether05
set [ find default-name=ether6 ] name=ether06
set [ find default-name=ether7 ] name=ether07
set [ find default-name=ether8 ] name=ether08
set [ find default-name=ether9 ] name=ether09
set [ find default-name=ether10 ] poe-out=off
set [ find default-name=sfp1 ] name=sfp

/interface vlan
add interface="bridge company" name="VLAN company" vlan-id=8
add interface="bridge company host" name="VLAN company host" vlan-id=10

/ip address
add address=172.27.8.1/23 interface="VLAN company" network=172.27.8.0
add address=172.27.10.1/24 interface="VLAN company host" network=172.27.10.0

/caps-man datapath
add bridge="bridge company" client-to-client-forwarding=yes local-forwarding=no vlan-id=8 vlan-mode=use-tag name=company
add bridge="bridge company host" client-to-client-forwarding=no local-forwarding=no vlan-id=10 vlan-mode=use-tag name="company host"

/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn identity-regexp=wifi1 master-configuration="2,4 GHz company" name-format=identity slave-configurations="2,4 GHz company slave - host"
add action=create-dynamic-enabled hw-supported-modes=gn identity-regexp=wifi2 master-configuration="2,4 GHz company" name-format=identity slave-configurations="2,4 GHz company slave - host"

/interface bridge port
add bridge="bridge company" hw=no interface=ether03
add bridge="bridge company" hw=no interface=ether04
add bridge="bridge company" hw=no interface=ether05
add bridge="bridge company" hw=no interface=ether06
add bridge="bridge company" hw=no interface=ether07
add bridge="bridge company" interface=ether08
add bridge="bridge company" hw=no interface=ether09
add bridge="bridge company" hw=no interface=ether10
add bridge="bridge company" hw=no interface=sfp

/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes

/ip dhcp-client
add default-route-distance=21 dhcp-options=hostname,clientid disabled=no interface=ether01 use-peer-dns=no use-peer-ntp=no

/ip dhcp-server
add add-arp=yes address-pool="pool company" authoritative=after-2sec-delay disabled=no interface="VLAN company" lease-time=8h name="dhcp company"
add add-arp=yes address-pool="pool company host" authoritative=after-2sec-delay disabled=no interface="VLAN company host" lease-time=2h name="dhcp company host"

/ip dhcp-server network
add address=172.27.8.0/23 dns-server=172.27.8.1 gateway=172.27.8.1 netmask=23
add address=172.27.10.0/24 dns-server=172.27.10.1 gateway=172.27.10.1 netmask=24

/ip pool
add name="pool company" ranges=172.27.9.64/27
add name="pool company host" ranges=172.27.10.64/27
 
lendy
just joined
Posts: 2
Joined: Mon Mar 24, 2014 1:04 pm

Re: CAPsMAN with VLAN not working properly

Fri May 29, 2020 1:26 pm

Hello,

did you find a solution for this? I have exactly the same issue...

Thank you
 
anav
Forum Guru
Posts: 21918
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CAPsMAN with VLAN not working properly

Fri May 29, 2020 10:13 pm

/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes

Did you try it without setting use-ip-firewall=yes? It's not usual to apply this on VLANs (by that I mean on the bridge; most just use the firewall filter rules.....)
 
alexanwar
just joined
Posts: 23
Joined: Tue Aug 07, 2018 10:38 am

Re: CAPsMAN with VLAN not working properly

Tue Jun 02, 2020 1:01 pm

Since you're using CAPsMAN forwarding and it works on your Wi-Fi clients, I think your CAPsMAN config is correct; the issue is not in CAPsMAN but in the VLAN passing between bridges.

In your config:
/interface vlan
add interface="bridge company" name="VLAN company" vlan-id=8
add interface="bridge company host" name="VLAN company host" vlan-id=10
Since you're using "bridge company" as the trunk port, all the VLANs must be set on it, like this:
/interface vlan
add interface="bridge company" name="VLAN company" vlan-id=8
add interface="bridge company" name="VLAN company host" vlan-id=10
This will make all ports assigned to "bridge company" act as trunk ports, so you can plug into any port. This is useful if you have multiple devices to attach.

Then attach the VLAN to the proper bridge:
/interface bridge port
add bridge="bridge company" interface="VLAN company host"
This will link the bridge and the VLAN.

The DHCP server and IP address should be set on the bridge instead of on the VLAN interface, like this:
/ip address
add address=172.27.8.1/23 interface="bridge company" network=172.27.8.0
add address=172.27.10.1/24 interface="bridge company host" network=172.27.10.0
/ip dhcp-server
add add-arp=yes address-pool="pool company" authoritative=after-2sec-delay disabled=no interface="bridge company" lease-time=8h name="dhcp company"
add add-arp=yes address-pool="pool company host" authoritative=after-2sec-delay disabled=no interface="bridge company host" lease-time=2h name="dhcp company host"
Make sure you disable VLAN filtering in all the bridge settings too.

For CAPsMAN forwarding you don't need to use a VLAN tag in the datapath, so optionally you can alter it like this:
/caps-man datapath
add bridge="bridge company" client-to-client-forwarding=yes local-forwarding=no
add bridge="bridge company host" client-to-client-forwarding=no local-forwarding=no
Do the same on the other devices.
This will put your Wi-Fi clients and LAN/Ethernet clients on the same bridge so it becomes one broadcast domain.

For better performance, activate hardware offload on the bridge ports and disable use-ip-firewall in the bridge settings.
 
mkx
Forum Guru
Posts: 12982
Joined: Thu Mar 03, 2016 10:23 pm

Re: CAPsMAN with VLAN not working properly

Tue Jun 02, 2020 5:02 pm

Since you're using "bridge company" as the trunk port, all the VLANs must be set on it, like this:
/interface vlan
add interface="bridge company" name="VLAN company" vlan-id=8
add interface="bridge company" name="VLAN company host" vlan-id=10
Correct.
Then attach the VLAN to the proper bridge:
/interface bridge port
add bridge="bridge company" interface="VLAN company host"
This will link the bridge and the VLAN.
Wrong! The VLAN interface (or rather its tagged end) is already part of "bridge company", and one should never add both ends of a VLAN interface to the same bridge.
The DHCP server and IP address should be set on the bridge instead of on the VLAN interface
Due to the error made in the previously quoted code, this is wrong again. And the rest of the post is wrong as well ... if one is using VLANs on a bridge, then vlan-filtering should be enabled.

Really, read this tutorial to understand how VLANs should be done in ROS.

If one wants to use HW offload for VLAN-enabled networking, then the config is different (and the previous post is not accurate at all for that kind of setup either).
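As an added example (not from the thread or the tutorial mkx links), this is how the first post's layout looks with bridge VLAN filtering instead of two bridges and use-ip-firewall; the trunk role for ether08 and CAPsMAN's dynamic VLAN-table entries are assumptions, and the /ip dhcp-server, network and pool sections from the first post are reused unchanged because they bind to the VLAN interfaces:

```routeros
# Constructed example: one bridge, bridge VLAN filtering, VLAN 8 "company"
# and VLAN 10 "company host". Filtering is enabled as the last step.
/interface bridge
add name="bridge company" vlan-filtering=no

# Access ports: LAN clients send untagged frames, pvid puts them in VLAN 8
/interface bridge port
add bridge="bridge company" interface=ether03 pvid=8
add bridge="bridge company" interface=ether04 pvid=8
add bridge="bridge company" interface=ether05 pvid=8
add bridge="bridge company" interface=ether06 pvid=8
add bridge="bridge company" interface=ether07 pvid=8
# Trunk port (assumed role): carries VLAN 8 and 10 tagged to a downstream device
add bridge="bridge company" interface=ether08

# Bridge VLAN table. The bridge itself must be a tagged member, otherwise the
# CPU-side VLAN interfaces below never see the tagged frames.
/interface bridge vlan
add bridge="bridge company" vlan-ids=8 tagged="bridge company,ether08" untagged=ether03,ether04,ether05,ether06,ether07
add bridge="bridge company" vlan-ids=10 tagged="bridge company,ether08"

# L3 stays on the VLAN interfaces, exactly as in the first post
/interface vlan
add interface="bridge company" name="VLAN company" vlan-id=8
add interface="bridge company" name="VLAN company host" vlan-id=10
/ip address
add address=172.27.8.1/23 interface="VLAN company" network=172.27.8.0
add address=172.27.10.1/24 interface="VLAN company host" network=172.27.10.0

# Both datapaths target the same bridge and tag with their own VLAN id.
# Assumption: CAPsMAN adds its dynamic cap interfaces to the bridge VLAN table
# as tagged members; verify with /interface bridge vlan print (dynamic entries).
/caps-man datapath
add name=company bridge="bridge company" vlan-mode=use-tag vlan-id=8 client-to-client-forwarding=yes local-forwarding=no
add name="company host" bridge="bridge company" vlan-mode=use-tag vlan-id=10 client-to-client-forwarding=no local-forwarding=no

# No use-ip-firewall on the bridge: inter-VLAN isolation is done with
# /ip firewall filter rules on "VLAN company" and "VLAN company host".

# Enable filtering only after the VLAN table is complete (use safe mode):
# a missing entry for the management VLAN cuts off access to the router.
/interface bridge set [ find name="bridge company" ] vlan-filtering=yes
```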
 
alexanwar
just joined
Posts: 23
Joined: Tue Aug 07, 2018 10:38 am

Re: CAPsMAN with VLAN not working properly

Wed Jun 03, 2020 12:36 am

Since you're using "bridge company" as the trunk port, all the VLANs must be set on it, like this:
/interface vlan
add interface="bridge company" name="VLAN company" vlan-id=8
add interface="bridge company" name="VLAN company host" vlan-id=10
Correct.
Then attach the VLAN to the proper bridge:
/interface bridge port
add bridge="bridge company" interface="VLAN company host"
This will link the bridge and the VLAN.
Wrong! The VLAN interface (or rather its tagged end) is already part of "bridge company", and one should never add both ends of a VLAN interface to the same bridge.
The DHCP server and IP address should be set on the bridge instead of on the VLAN interface
Due to the error made in the previously quoted code, this is wrong again. And the rest of the post is wrong as well ... if one is using VLANs on a bridge, then vlan-filtering should be enabled.

Really, read this tutorial to understand how VLANs should be done in ROS.

If one wants to use HW offload for VLAN-enabled networking, then the config is different (and the previous post is not accurate at all for that kind of setup either).
Thanks for pointing that out, I just realized that I made a typo. It should be:
/interface bridge port
add bridge="bridge company host" interface="VLAN company host"
instead :P
It works, but as you said, it's not best practice. So, do you have any suggestion on this issue? I'm interested to learn & fix my mistake too :)
 
mkx
Forum Guru
Posts: 12982
Joined: Thu Mar 03, 2016 10:23 pm

Re: CAPsMAN with VLAN not working properly

Wed Jun 03, 2020 8:50 am

So, do you have any suggestion on this issue? I'm interested to learn & fix my mistake too :)

I posted a link to a fine tutorial which gives good insight into the recommended practice of doing VLANs in ROS.
 
alexanwar
just joined
Posts: 23
Joined: Tue Aug 07, 2018 10:38 am

Re: CAPsMAN with VLAN not working properly

Wed Jun 03, 2020 10:01 am

I used that method on the 1100 and 4011 since the CPU is strong enough to handle the traffic, but on the 750 or 951 it pushes the CPU to 100% on LAN traffic since no hardware offload can be enabled. The trick I made may not be best practice, but at least it lets hardware offload stay enabled on the primary bridge.

Well then, I'll try to find a way to get hardware offload working in the scenario of this topic ;)
 
mkx
Forum Guru
Posts: 12982
Joined: Thu Mar 03, 2016 10:23 pm

Re: CAPsMAN with VLAN not working properly

Wed Jun 03, 2020 11:16 am

If one wants to have VLANs HW offloaded, then one should use the old way to configure it. The basic VLAN philosophy is the same regardless of where VLANs are configured (on the bridge or on the switch chip); only the configuration commands are different. For the old-school way there's the manual page, which covers VLANs for ether ports. One has to slightly change the configuration of other bridged interfaces (e.g. wlan interfaces) ... and layers above L2 (VLAN interfaces, IP, ...) are exactly the same either way.

Beware that not all RouterBOARD devices are capable of HW offloaded VLANs; only devices with switch chips can do it ... and not even all of those, for example the RB4011 and RB750Gr4 are out of this scope.
 
alexanwar
just joined
Posts: 23
Joined: Tue Aug 07, 2018 10:38 am

Re: CAPsMAN with VLAN not working properly

Wed Jun 03, 2020 1:04 pm

Yes, devices with multiple switch chips like the 4011 and 1100AHx4 may cause headaches too. I guess it's better to use a layer 3 switch if wire speed is needed, and the router only for WAN & outgoing traffic.

Still miss the old-days way when RouterOS still supported master/slave ports :D
