Ref: viewtopic.php?f=13&t=159184

Good afternoon everyone,

I am back again for a bit more info on how to setup my new toy; cAP ac. I would like to use this as my main WiFi device for the house as I can put it in a nice central location. I currently have a RB4011 (wifi version), but it has been relegated to a cozy spot in the basement next to all the rest of the home network items; thus it doesn't have great wifi coverage. I was hoping to get a bit of help in being able to get it setup and running in my home. I am in a WiFi congested area with a lot of other homes in the close area with WiFi, so I am trying to reduce the number of SSIDs that I currently have so that I can at least have one good one.

My current setup looks like the attached. It is a bit different than the original as setup in ref. I have since removed the guest and google wifi VLANS. Google smart devices don't like being on different networks than the controlling device.

So I would like to essentially move the current WiFi networks that I have on my 4011 onto the cAP ac: Home WiFi 5GHz, IoT WiFi, and Home WiFi devices.

I've thus far been able to plug the cAP ac in and get it to power on... I've plugged it into ether-5 to see if I could access it from my admin computer through WinBox. I can see it show up as Mikro Tik with an IP (within my server DHCP) but I can't seem to connect to it either through a browser or winbox.

Not sure where to go from here so I thought I would reach out to you fine people for some help. Thank you so much in advance.

JB

NCR, shouldnt that now be the Covid Capital,,,,, yuck yuck a Maritimes joke.

Just be aware that as soon as you pass the signal through a single wall the AC network will be diminished and would say behind two walls, you will need another AP for AC>
The 2Ghz network has more distance capability so one wall is not issue and two wall still useable, but that third wall, well you will want another AP.
Centralized is good and higher up ceiling is good too.

I have two CapACs on my network so will pass you some thoughts later.

Thanks anav. Appreciate the quick response.

I will probably have a few more changes to do to the network VLANs in the next few days. Hope I can pick your brain about it eventually.


Have a great night!

KK going to bed but quick look do the numbers add up????
6 vlans
but 8 pools??
6 dhcp servers
8 ip addresses
7 dhcp-server networks

DO you really need this enabled............
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface="Home Bridge" type=internal
add interface="PPPoE WAN" type=external


Since you have a block all else rule in the forward chain as last rule..........
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="VLAN Drop All Else"

you can modify your nat rule, so it is an accept rule like the others........ clear and easy to read
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="VLAN Drop All Else"

/interface bridge vlan
.................
add bridge="Home Bridge" tagged="Home Bridge" untagged="3 - Server" vlan-ids=10 (where is untagging of bridge port interface "5 - RPi" ? )

add bridge="Home Bridge" tagged="Home Bridge" untagged="Home WiFi devices" vlan-ids=15 (where is untagging of bridge port interface="Home WiFi 5GHz" ? )
vlan-ids=15
.............
add bridge="Home Bridge" tagged="Home Bridge" untagged=*1F vlan-ids=40
(where is untagging of bridge port interface="4 - Work PC" ? )
(where is untagging of bridge port interface=ether9 ? )
(where is untagging of bridge port interface=ether10 ? )


Final comment, Dont use quotation marks for NAMES of anything. Quotes are used in MT to surround COMMENTS.
You are trying to hurt my brains and eyes with this approach

Geez not even on the capac yet........... LOL

Alright, since you bring it up. Let's fix that before we go any further into the cAP work.

After working with these VLANs for about a year now (or maybe less), I've seen that we can consolidate a few for ease. I've decided to get rid of a bunch of these VLANs.

All I believe that is required att is to separate the IoT (which is currently on VLAN50) from the rest. We have it currently setup as a no-internet VLAN, but I can access it from my Admin workstation.

All the rest of the devices can collapse into 1 VLAN: 5, 10, 15, 20.

If we rather start from a fresh config, I'm cool with that, else I can just start changing the IPs of my devices so that they begin to fit in the right places.

Then we can work on the cAP?

Sure...........

Sure...........

Well, you and your thoroughness started this! I'm not gonna put a dress on a pile of crap and call it a day! ;) I know I may not have removed some of the things thoroughly, so I need some help to find all those spots.

Shhhhhh, dont say that so loud, you will gain the wrath of the entire beauty products industry.........
or as Shakespeare so eloquently put it!
"God gave you one face and you paint yourself another."

...
Final comment, Dont use quotation marks for NAMES of anything. Quotes are used in MT to surround COMMENTS.
You are trying to hurt my brains and eyes with this approach

Quotation marks are necessary where names, comments, etc contains spaces

I am not sure what you guys mean about the quotation marks. I haven't purposefully done any of the sort. Anything I have named within winbox has only been normal characters only (numbers or letters). It's because I put spaces in them is why there are so many quotation marks? We can put in some `_` to make that go away I suppose.

Next step.. I'm kind of assuming you're going to send me a large reply with what to do wrt collapsing a few of these VLAN into.. 3 is all I think I need now... Else I haven't touched the comments from above yet.

DO you really need this enabled............
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface="Home Bridge" type=internal
add interface="PPPoE WAN" type=external

you can modify your nat rule, so it is an accept rule like the others........ clear and easy to read
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="VLAN Drop All Else"

I do not need upnp enabled. I can/have disabled that. the port forward rule, I can add that, though I may want to wait until you give me more details on the rest of the vlans.

Ahh, I didnt know that, perhaps because in our MTUNA cert, we use underscore or dashes between characters. ;-P

All I believe that is required att is to separate the IoT (which is currently on VLAN50) from the rest. We have it currently setup as a no-internet VLAN, but I can access it from my Admin workstation

Completely aside, I'm puzzled by the idea of a an "Internet of Things" network, with no Internet access. Doesn't that just make them "Things"?

I think we can call it a IntRAnet of things. There is no reason all devices on the network need to be connected to the www individually. I just have them all connected through my home automation server.

In other news: I suppose I should ask/provide more guidance to what I'm looking for here. OP was to add the cAP AC to things, but after a deeper look, I should probably clean up my network too.

This is what I would like:

• ADMIN computer than can access all other devices. (on port 2 of RB4011, internet)
• IOT LAN (to be on a 2.4G WiFi, no internet)
• Home LAN (ports 3-8 of RB4011, 2.4G and 5G WiFi, internet)
  Only the Server (on Home LAN) has access to the IOT LAN as this is where my home automation server resides to control all the IOT devices

I am not super familiar with how I can use this cAP AC in the network. I would love for it to extend the capabilities of existing RB4011 WiFi without over-crowding the building with SSIDs. Overall, my requirement is 3 different SSID: IOT, 2.4G Home, and 5G Home.

Does that cover/give enough detail to make a start?

Yup,
Give it a whirl, then post your config here on both devices.
I will break out the popcorn and beer for the laughs!! ;-)

That's.. not... aww man!

I have no clue how to work the cAP AC. I will make an effort to break the rest of my network and get down to 3 VLANs.

Wisp mode,
Add vlans to cap bridge
add wireless rules
add bridge port and bridge vlan settings....
mostly thats it

Ok,

I think I got the VLAN figured out. Next will be to add the cAP AC.

Can you please have a look at the config so far?

So.. How exactly do I connect to the cAP AC? I see it in my leases, it has an IP and I can see it's MAC, but neither work when I try to connect to it via winbox or through the browser.

(1) Well, since I dont see any trunk ports, perhaps you could use subnets only on the setup,,,,,,,,,,,, until I realized you have the CapaC as an access port.
RUDE........ telling the smart capac its a dummy switch.

Did you not read the resource??
viewtopic.php?t=143620

(2) Also need to post your config for the capac as well............

(3) this is not efficient, figure out why.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="VLAN Drop All Else"


Clue..........
add action=accept chain=forward comment=allow port forwarding \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop All Else"

(4) Get rid of detect internet wan rule.............not needed and can cause problems based on what I have read here on the forums.

(5) I would handle this differently especially because you have the admin rule already in place....
From
add action=accept chain=input comment="VLAN Allow Admin to Router" \
in-interface="AdminPC VLAN101" src-address=192.168.101.101
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

To
add action=accept chain=input comment="VLAN Allow Admin to Router" \
in-interface="AdminPC VLAN101" src-address=192.168.101.101
+++++++++++++++++++++++++++++++++++++++++++
add action=drop chain=input comment="Drop All Else"

Where as in the forward chain, you add any rules such as your admin access rule that you wish to allow.
I dont like the default rule because it allows ALL in the LAN to access your router, and thus why have the admin rule in place.
So get rid of it and replace it ONLY with services users need to access the router. There is mainly one possibly two for most configs.
a. DNS (ucp+tdp) and b. NTP time server.

You're making me laugh over here, assuming I actually know what I am doing or something!

The config that I have, is built from the OP Ref that you gave me, and like you said in the ref you give me, there is more than one way to do this MT stuff!

That being said, I don't know how to do it at all! I have read the resource you referenced, I suppose I could start over from scratch and build my network that way. I was hoping that I could just change what I have and add the new cAP AC to the mix. These devices are quite forgiving at least when you play around with them, but I honestly have no idea what I am doing when it comes to looking at the Firewall page.

1) From what I have read in the link, I need to make my 'ether10' (because this also has PoE) a trunk port. How to do that, I can't understand how to translate from what the configs are to what I currently have.

2) As I stated in my last post, I don't even know how to access it from anywhere. I have plugged it into my RB4011, it got an IP but I haven't been able to get to it...

3) If it were in Latin, maybe I would understand it better... Nope.

4) I don't seem to know what rule you are talking about here... I'll repost my config just in case I already had deleted it between posts...

5) So what you want me to do is change the rule after "VLAN Allow Admin to Router".. it is currently named "drop all not coming from LAN" so that all it does is chain=input action=drop; thus I have removed the !LAN interface list.... - What i did was remove the interface list part and changed the commented part to Drop All Else (is it even in the right order in the firewall rules? Those things matter right?).

Not sure if you are recommending me to do something else about those admin access bits at the end of your post.


It's been a long week. I don't really have a lot of patience for this atm, but I would like to get the AP working so that my kids can have a bit better access to do their homework/lessons/etc.

Thank you SO much so far. I very much appreciate the assistance and hope to continue making progress with this. I suppose I'm a bit frustrated at how slow it is simply since I don't have time to tinker with this much lately and just want it to work... I am currently learning piecemeal a few things. (it has taken me since the start of COVID to pick up C/C++, and I'm pretty abysmal yet).


Do I need to make a BASE_LAN like in your ref'd post? Or is my VLAN101 that base_lan?

As for the cases on that post, I am using my RB4011 as a router, switch, and AP currently... I am doing PPPoE to get the internet access, then have the VLANs created on there to do the correct switching, and finally using the 2 wireless capabilities to give my home some WiFi... Now I want to extend that (not sure of the correct terminology here, It's been 10 years since I did Network+) with an AP to different parts of my home. If I can get the 1 AP working, I may splurge for a second too and daisy chain them..

Cheers, it's Lagavulin time...

All sounds good, now that I know tis for your kids, and not your gaming addiction I will try to take it more seriously, tomorrow!!!

your gaming addiction

Haha, gaming.. yeah, no. I tried to teach myself C/C++ instead. The only 'gaming' I do is fiddling with text-based games (which many are run on C). I have a retropie running for the Kids to play Pokemon on Gameboy... if that is what you want to call gaming.

Also if watching Minecraft counts, then I suppose I do that too...

Have a good one.

So far looks good, so I have to be nitpicky LOL, the appertif.

/interface list member
add interface="PPPoE WAN" list=WAN
add interface=ether1 list=WAN
Although not active, I like putting ether1 here for completeness, its part of the makeup of the WAN and I dont think there is any harm in doing so.

Trunk port should have ingress filtering set to yes for better security.
/interface bridge port
add bridge="Home Bridge" interface="10 - cAP AC" ingress-filtering=yes

Now for the main course!! - What is missing??????

/interface bridge vlan
add bridge="Home Bridge" tagged="Home Bridge" untagged="2 - AdminPC" vlan-ids=101
add bridge="Home Bridge" tagged="Home Bridge" untagged="Home WiFi 2GHz,3 - Server" vlan-ids=15
add bridge="Home Bridge" tagged="Home Bridge" untagged="IoT WiFi" vlan-ids=50


Okay there are two schools of thought on untagged vlans...........
One is that they will be dynamically created on egress and thus not required to be explicitly stated in the bridge vlan rules.
If you were following that line of thinking which for me is technically correct but configuration stupid (harder to read and track what is going on).
Then the config below would be EMPTY, that is your clue that something is amiss.........
/interface bridge vlan
add bridge="Home Bridge" tagged="Home Bridge" untagged="2 - AdminPC" vlan-ids=101
add bridge="Home Bridge" tagged="Home Bridge" untagged="Home WiFi 2GHz,3 - Server" vlan-ids=15
add bridge="Home Bridge" tagged="Home Bridge" untagged="IoT WiFi" vlan-ids=50

Can you see or guess what is missing??????????????????????
Where is your capac ???

So at a minimum the config should be
/interface bridge vlan
add bridge="Home Bridge" tagged="Home Bridge","10 - cAP AC" vlan-ids=15,50

Since I prefer the visual (positive handover) method of configuring I would add in the untagged as well, aka what you already included except for the missing ports on vlan15
/interface bridge vlan
add bridge="Home Bridge" tagged="Home Bridge","10 - cAP AC" vlan-ids=15,50
add bridge="Home Bridge" tagged="Home Bridge" untagged="2 - AdminPC" vlan-ids=101
add bridge="Home Bridge" tagged="Home Bridge" untagged="Home WiFi 2GHz, "Home WiFi 5GHz",3 - Server","4 - Work PC" ,"7 - Synology","8 - Printer" \
vlan-ids=15
add bridge="Home Bridge" tagged="Home Bridge" untagged="IoT WiFi" vlan-ids=50

I didnt include the spares.

dessert - none, you are still using text within quotes which one should only use for comments LOL (immho)

So, I've tried adding the new bridge VLAN like you said, with 2 VLAN IDs and tagged to Home Bridge and 10 - cAP AC. I get the error: How do I edit a dynamic bridge vlan?

What PVID do I give 10 - cAP AC?
I think you can see that I have added the other untagged ports to the VLAN15. Something I am doing wrong?

No my idea was sound my execution/direction was poor.
From
/interface bridge vlan
add bridge="Home Bridge" tagged="Home Bridge","10 - cAP AC" vlan-ids=15,50 (Needs to be consolidated with existing bridge vlan rules)
add bridge="Home Bridge" tagged="Home Bridge" untagged="2 - AdminPC" vlan-ids=101
add bridge="Home Bridge" tagged="Home Bridge" untagged="Home WiFi 2GHz, "Home WiFi 5GHz",3 - Server","4 - Work PC" ,"7 - Synology","8 - Printer" \
vlan-ids=15
add bridge="Home Bridge" tagged="Home Bridge" untagged="IoT WiFi" vlan-ids=50

TO
Here is how it should look..............
/interface bridge vlan
add bridge="Home Bridge" tagged="Home Bridge" untagged="2 - AdminPC" vlan-ids=101
add bridge="Home Bridge" tagged="Home Bridge" tagged=10 -cAP AC" untagged="Home WiFi 2GHz, "Home WiFi 5GHz",3 - Server","4 - Work PC" ,"7 - Synology","8 - Printer" vlan-ids=15
add bridge="Home Bridge" tagged="Home Bridge" tagged="10 - cAP AC" untagged="IoT WiFi" vlan-ids=50

Ok, that was a bit easier to do.

I decided that one way I could get into the cAP AC was to plug my pc into port 2 of the cAP AC. Once I did that, I was able to upgrade the software to the current version. I left the 'default' configurations there. So, it's a blank slate right now... Not sure what you want me to do... I can't connect to it yet from the main network.

I've attached the config.. but really there is nothing there tbh, it's just the default.

Wisp mode,
Add vlans to cap bridge
add wireless rules
add bridge port and bridge vlan settings....
mostly thats it

Is this where I am going now? I just sort of re-do the vlans on the cAP AC?

Okay,
Yes, select wisp mode and then dont touch this again.
Yes, have to identify the vlans on the capac.

You -MIA

Me
/interface vlan
add interface=bridge-gym name=homevlan vlan-id=11
add interface=bridge-gym name=mediaVLAN40 vlan-id=40

1. Make sure ether1 is a bridge port as well ( I use ether1 to connect to the network not eth2! (this may be okay for access while configuring!)

2. Your Bridge ports
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 (ingress trunk port)
add bridge=bridge comment=defconf interface=wlan1 (ingress access port)
add bridge=bridge comment=defconf interface=wlan2 (ingress access port)

My Bridge ports
/interface bridge port
add bridge=bridge-gym comment=defconf interface=ether1
add bridge=bridge-gym comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=Gym-5AC pvid=11
add bridge=bridge-gym comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=MediaDevices pvid=40

3. Your Bridge Vlans - MIA

My Bridge Vlans
/interface bridge vlan
add bridge=bridge-gym tagged=ether1,bridge-gym untagged=Gym-5AC vlan-ids=11 (NOTE, since vlan11 is also my management VLAN - IP address of CAPAC is on this vlan, bridge is tagged)
add bridge=bridge-gym tagged=ether1 untagged=MediaDevices vlan-ids=40

PS dont forget to turn vlan filtering on.

4. I add a control interface to the standard ones
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=capwin

/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=homevlan list=LAN
add interface=Gym-5AC list=LAN
add interface=MediaDevices list=LAN
add interface=homevlan list=capwin

/ip neighbor discovery-settings (so only those on the homevlan are discovered)
set discover-interface-list=capwin
and
/tool mac-server mac-winbox
set allowed-interface-list=capwin

One thing I do is change the IP address to match my vlan11 homevlan and get it off the 192.168.88 etc......
This should be your last step.

Ok, I probably only partially understand this, so here goes my attempt at the questions I think I might have.

How do I do IP addressing and pools on the cAP AC?

Since I will have no 'admin' devices on the cAP AC, do I need to put my VLAN101? I'm not sure how to ensure that my adminpc still gets full access to it.

I think I have the vlans right for 15 and 50... Are my ports done correctly on the bridge?

How exactly does the WiFi work, do I need to give it a different SSID and then have multiple SSIDs saved on my devices within the home so they can bounce between the different ones, or is there a way to have 1 (per network) that is the same so I don't have to reconfigure devices?

See attached..

How did you get access to your cAP AC through your switch? I'm fuzzy on how to assign IPs to it from the RB4011?

Just a side note.. I seem to have lost my printer in the mix. Everything else seems to be working fine, but the printer doesn't get an IP from the network. I know it used to be on 5, and now it's on 15, but for some reason after restarting, etc, it doesn't want to show up anymore.

No DHCP, its all done on the router, on the capac you setup the vlans, the bridge stuff and the wireless and a few things to manage the capac.
I am confused by your use of ether2, on both my capacs I used ether1 as that is the port designed to accept POE incoming (data from router or switch).?????
What I do is when initially configuring the Capac, I do all my settings including capwin etc.
I connect directly to my management vlan like you did via ether1 or ether2, think you had it working on ether2?

Then the capac should get an IP address from the management vlan
I make this static on the router, so that when its connected to the switch its all setup.
I confirm the IP ADDRESS setting on the capac.

For the setup ensure that you have
/interface vlan
add interface=bridge name=vlan101 vlan-id=101
add interface=bridge name=vlan15 vlan-id=15
add interface=bridge name=vlan50 vlan-id=50

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=capwin

/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=yes interface=ether2 (correct) but please make it ether1 unless you dont use POE LOL.
add bridge=bridge comment=defconf ingress-filtering=yes interface="IoT WiFi" WRONG this is an access port (are all your devices capable of reading vlan tags, NO!!!
add bridge=bridge comment=defconf ingress-filtering=yes interface= "Home WiFi 5GHz" \ WRONG, same reason.

Format for access ports ex.
add bridge=bridge-gym comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=MediaDevices pvid=40

/ip neighbor discovery-settings
set discover-interface-list=capwin

/interface bridge vlan
add bridge=bridge tagged=bridge,etherx vlan-ids=101
add bridge=bridge taggex=etherx untagged="Home WiFi 5GHz,Home WiFi 2GHz,ether2" vlan-ids=15
add bridge=bridge tagged=etherx untagged="IoT WiFi" vlan-ids=50

NOTE: on the capac, only the bridge is tagged when identifying the base/management vlan!!!!


/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=etherx list=WAN
add interface=manabment_vlan list=capwin

/ip address
add address=needs to be changed to static IP on router for your device comment=defconf disabled=yes interface=etherx \
network=etc,

/tool mac-server mac-winbox
set allowed-interface-list=capwin

Ok, how is this looking? I'm awfully slow at this.

Can you explain the last part about /ip address? Where do you want me to assign a static IP to the cAP AC from within my RB4011? I no longer see it in my leases within DHCP...

Not sure why, because I reset it back to normal, but it still never showed up like the original time.

Printer is still a mystery to me.. it doesn't show up either, just gets the 169 ip..

ok, so my printer somehow defaulted to manual IP. I switched it back to DHCP and there it was!

haha. silly things.

These things are never fast and mistakes will be repeated LOL.

(1) Having seen this cause issue when selected to WAN, if you must have it, set it to LAN.
/interface detect-internet
set detect-interface-list=WAN

(2) Assuming you are providing DNS services through your router you will need to allow them just prior to the drop all rule on the input chain
allow dns tcp and udp from LAN

(3) Looking at some firewall filter rules.......all look good actually.

Just curious you want to allow a single address on vlan15 to access all of vlan50 but then the next rule is
You want all of vlan50 to be able to access that single address in vlan15.

Are you saying
- you want the single user in vlan15 to reach out and access any vlan50 user/device (and by that I mean originate a new connection)
- you want every user/device in vlan 50 to reach out and be able access that same user in vlan 15 (and by that I mean originate a new connection)
Originate means start a new conversation.
Typically if you just had the first rule, this would mean the single user in vlan15 could query any device in vlan50 and the return traffic from those queries will be sent back and be allowed to reach the single user. Therefore if you thought you needed the second rule to allow returns during the same conversation, you actually do not.
So just confirming that you want the single user exposed to any device/user on vlan50 at any time any port etc..........

(4) What is strange to me is this rule...... but it doesnt even contain your managment vlan???
/tool mac-server mac-winbox
set allowed-interface-list=Admin
add interface="Home Devices VLAN15" list=Admin
add interface="IoT VLAN50" list=Admin

I thought the only rule in admin would be as follows which would make sense?????
add interface=AdminPC VLAN101 list=admin

(5) Finally my big beef is you dont sent vlan101 to the capac.
Dont you want the capac to have vlan101 associated IP address???
By the way this assumes you also have wifi on your rb4011 correct as well as on the capac.

/interface bridge vlan
add bridge="Home Bridge" tagged="Home Bridge",10 - cAP AC untagged="2 - AdminPC" \
vlan-ids=101
add bridge="Home Bridge" tagged="Home Bridge,10 - cAP AC" untagged=\
"Home WiFi 2GHz,3 - Server" vlan-ids=15
add bridge="Home Bridge" tagged="Home Bridge,10 - cAP AC" untagged="IoT WiFi" \
vlan-ids=50

(next up will look at capac and quick confirmation yes 101 is expected there so the above needs to be done LOL)

(1) Dont understand the entry here....... What are you trying to accomplish with ether2??
The default address still exists 192.168.88.x which is what is defined by default for ether 2 which is in direct conflict with the vlan subnet on vlan15 for starters....... so remove that ether2 bit from the vlan rule and the rest looks good.
Also remove ether2 from the bridge, unless you need it to connect to the capac temporarily
( I mean here - /interface bridge port
add bridge=bridge comment=defconf interface=ether2 )


/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=101
add bridge=bridge tagged=ether1 untagged="5GHz,JBHLMH Home 2GHz,ether2" \
vlan-ids=15
add bridge=bridge tagged=ether1 untagged="IoT 2GHz" vlan-ids=50

Getting close to success!!!

Completely aside, I'm puzzled by the idea of a an "Internet of Things" network, with no Internet access. Doesn't that just make them "Things"?

..

I think we can call it a IntRAnet of things. There is no reason all devices on the network need to be connected to the www individually. I just have them all connected through my home automation server.

I must admit my comment was tongue in cheek. The origin of the "Internet of Things" term was a concept of zillions of things all separately connected to the Internet, with all the issues of address space and security for devices outside any private network. Of course now it almost exclusively refers to things connected on the inside of a firewall, so not on the Internet, but having access to it. Moving them behind a home automation server so they don't even have Internet access is a logical next step.

I guess we'll need a new term for the original IoT devices, that are truly on the Internet outside anyone's network or firewall and having to make their own independent security arrangement.

OK, so things are looking good.

I can now access the cAP AC from winbox while it is connected to the RB4011. I can get the internet from the wifi provisioned from the cAP AC.

What I can't seem to do anymore is access my synology(on 15.20)(through http) or my server(on 15.10)(with vnc or my homeautomation server through http) on any device..
I can however access Plex on my new chromecast with googletv (plex server is on the 'server' but the files are on the synology)...
edit: I can access the synology from my server...
edit 2: I can't access it from the chromecast anymore. I seem to have lost all access to my devices on vlan50 and even can't access those on the same vlan15


Before we jump into the attempt at solving the network access issues, I'd like to make sure the cAP AC is doing its thing correctly. I have attached the two configs from today. Please let me know if that is how it's supposed to look? Did I do the upd/tcp firewall rules correctly?

Will do, in the meantime add a network diagram so I can see how those devices are physically connected.

In terms of the router, I see that you are not activing add all the ports defined (future use I assume).
In the input chain firewall rules I found this incomplete
add action=accept chain=input comment="TCP for cAP AC" in-interface-list=LAN \
protocol=tcp
add action=accept chain=input comment="UDP for cAP AC" in-interface-list=LAN \
protocol=udp

what does the LAN have to do with CAPAC for example but more so the rule if used should be stating what particular services you want ALL lan users to be able to access the router for.
typically its DNS port 53 (perhaps you forgot to add that when configuring??)

Only thing I noted on capac is your effing quotation marks DO GET IN THE WAY!!!!! and also to remove eth2 from this line.
add bridge=bridge tagged=ether1 untagged=\
"JBHLMH Home 5GHz,JBHLMH Home 2GHz,ether2"

I believe it should be:
interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=101
add bridge=bridge tagged=ether1 untagged=\
"JBHLMH Home 5GHz","JBHLMH Home 2GHz" vlan-ids=15
add bridge=bridge tagged=ether1 untagged="IoT 2GHz" vlan-ids=50

OR even better :-) :-) (but you would have to change the interface names everywhere else to match.

interface bridge vlan
add bridge=bridge tagged=bridge,ether1 vlan-ids=101
add bridge=bridge tagged=ether1 untagged=\
JBHLMH_Home_5GHz,JBHLMH_Home_2GHz vlan-ids=15
add bridge=bridge tagged=ether1 untagged=IoT_2GHz vlan-ids=50

Here is a rough network diagram...

So accesses no longer seem to be working correctly.

I'm not actually certain I did the static IP for the cAP AC correctly either.

Well in your bridge vlan settings you didnt include all the etherports for vlan15 !!!
/interface bridge vlan
add bridge="Home Bridge" tagged="Home Bridge,10 - cAP AC" untagged=\
"2 - AdminPC" vlan-ids=101
add bridge="Home Bridge" tagged="Home Bridge,10 - cAP AC" untagged=\
"Home WiFi 2GHz,3 - Server" vlan-ids=15
add bridge="Home Bridge" tagged="Home Bridge,10 - cAP AC" untagged="IoT WiFi" \
vlan-ids=50

where is "4 - Work PC"
where is "7 - Synology"
where is "8 - Printer"

Alright, I have done what you said wrt naming on BOTH devices. I meant to change that a bit sooner, but I forgot to.

Name changing with no spaces done.

Changed the udp tcp rules, which is set with dst port 53, is that right?

Here are the configs.

Sorry, I uploaded the wrong RB4011 config...

So, I would like to say that yesterday looks like a messy day. I posted a bunch of messy things, made some errors, and overall caused more confusion than anything.

I'm just posting from my phone here, so I don't have any good files or insights to give.

However, I did get much of my things working again. And I will mention what I did.

Rules: I turned on all the rules that are currently in the configs of the rb4011, seems that I DO need that one where the vlan50 needs to connect back to the server. I host mqtt on my server, and devices on vlan50 were not able to push notifications to my server without that rule.

Interface list: for some reason, I had disabled the admin from vlan50 and vlan15, so I wasn't able to access anything from my adminpc, derp...

Question: I am unsure how to name my SSIDs. I am trying for as seamless as possible for a while home WiFi. By adding this cAP AC, am suppose I am just introducing another set of SSIDs that I will need to tell my devices to connect to?

I think that's good for now. Happy Friday. It's become summer here this weekend, so enjoy the weather while it lasts!

Same here, I managed to find a siding person to help me with a disaster area where chipmunk invaded.
It was butt ugly but new insulation new foam board and new tyvek paper done and siding back on SUCCESS.

(1) All looks good, but not sure why you are not completing the vlan config with the rest of the access ports for vlan15 (Ports 4,7,8 etc)?

/interface bridge vlan
add bridge=Home_Bridge tagged=Home_Bridge,10-cAP_AC untagged=\
Home_WiFi_2GHz,3-Server ?????????? vlan-ids=15

(2) I dont have this on my router or its turned off, not sure of its purpose.
/interface detect-internet
set detect-interface-list=WAN

(3) Yes, I see you have some interface lists disabled, why? This will affect your firewall rules.
add disabled=yes interface=Home_Devices_VLAN15 list=Admin
add disabled=yes interface=IoT_VLAN50 list=Admin

(4) You can get rid of this line, I dont think its actually relevant in any of your rules???
/interface list member
add interface=AdminPC_VLAN101 list=Admin wait a sec...... see next text

OKAY I found a reason. So that you can access winbox (via TOOLS macserver). BUT WAIT, look at your INPUT CHAIN RULE, you only allow the admin VLAN access to the router, while THIS macwinbox rule allows both vlan 50 and vlan15 to winbox (because you used interface list ADMIN.
SO that is confusing to me.
/tool mac-server mac-winbox
set allowed-interface-list=Admin

SO>>>>>>>>>lets do this create another interface list called control first, then add ONLY the admin vlan101 to that list as a member, then set the TOOLS macwinbox server interface list to control, then delete the vlan101 list member from the interface admin in that order!!
/interface list
add name=control

/interface list member
add interface=AdminPC_VLAN101 list=control

(5) You are not port forwarding and you have a drop all else rule following it as the last rule, so you can remove this rule.
/ip firewall filter
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

LATER if you decide to port forward then all you need to do is add the following rule before the last rule........
add action=accept chain=forward comment="Allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN

(6) Okay I see you gave the the single IP in vlan 15 access to the ENTIRE subnet of VLAN50 BUT HAVE disabled the entire subnet from being able to access the single IP address unsolicited (ie starting a brand new conversation). This is correct assuming that the only traffic from the Vlan50 to Vlan15 should be answering a query, continuing a conversation that the IP on VLAN15 started!!
add action=accept chain=forward comment="Server Access" dst-address-list=LAB \
in-interface=Home_Devices_VLAN15 src-address=192.168.15.10
add action=accept chain=forward comment="VLAN IoT Access" disabled=yes \
dst-address=192.168.15.10 in-interface=IoT_VLAN50

What I find amusing is that you created a firewall address list for the first rule but used the vlan interface for the second rule.......
I assumed you were just playing around to see what you could do................ otherwise the first rule could look like
add action=accept chain=forward comment="Server Access" src-address=192.168.15.0 \
in-interface=Home_Devices_VLAN15 out-interface=IoT_VLAN50

A new day, and new successes.

1. Ok, I had done that Wed and, as stated, was making a mess of posting things as my mind was a bit upside down.
2. I think this was just me at the beginning seeing what buttons did... It's now off.
3. Re-enabled.
4. Yes! That makes a LOT more sense. Done.
5. I would like to do some port-forwarding, but for now I just want things inside to work right. Clean house before we invite the guests.
6. I decided on the latter. I can see how both do the same, I have deleted the LAB list.

I do believe we have been able to get things cleaned up and sorted. Last few things I suppose is about the actual OP.

1. I did a quick scan of my 2GHz and 5GHz and was able to find a mere 125 and 26 items respectively, yelling into the ether...
2. I know I can 'name' my SSID the same, but if they are not on the same channel, they just show up as diff networks. Is there a way to use all this mikrotik power/capability and create some sort of seamless WiFi in the house? Similar to like in a public WiFi situation where you can walk around and jump from one AP to the next without having to re-authenticate?

I don't know enough about the latter to do this myself, and I only have the 1 AP, seems that most ppl dont' use CAPsMAN for just one device, not that I know what that would help me with either! I would need to learn about it.

Cheers,

One thing I just tried to do... I tried to update my cAP AC, through packages, and I got the error "Could not resolve dns name"

I'm assuming this has something to do with my VLANs and stuff. I tried looking around a bit but wasn't able to find a good answer.

I manually installed it, but wasn't sure if I should consider this an issue or not.

Hmm thats interesting, will try on mine.........

Yes when I try to upload an update it gives me the same error.
So the differences below have nothing to do with it, at least I think.
However certainly ether1 is not the interface for that Vlansubnet.......... and if you correct it should remove that can not run on slave line........

Client setting should have no bearing (moot)

I do note the following on your capac
/ip address
add address=192.168.101.2/24 interface=ether1 network=192.168.101.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1


On mine!
/ip address
add address=192.168.XX.YY/24 interface=homevlan network=192.168.XX.0
/ip dhcp-client
add disabled=no interface=bridge-gym

Okay this sage advice from master yoda............... or SIndy by another name,
States:
FACT1 - the capac is a bridge for the clients, but itself it is an end device, which needs a route and DNS just like any other end device
FACT2 - if you had the IP address of the DNS server configured, but no route, the capac would get the DNS names resolved to IP addresses but would not be able to contact these IP addresses

Thus, the following
Go to Winbox put in
IP DNS and the gateway address of your management vlan (101)
IP Route gateway= gateway address of your management vlan

/ip dns
set allow-remote-requests=yes servers=192.168.XX.1

/ip route
add distance=1 gateway=192.168.XX.1

I'm not sure what I've done.. but it seems that if I turn on the dhcp-client (on the cAP AC), I can't get an IP when I connect to it. Is it supposed to be activated? When I turn it on now, it just has a status of 'searching' all the time.

I changed the interface of the address to my adminvlan (101), and it seems to still be working, but not sure about the whole DHCP-client thing.

also, my route lists.. do you want me to manually add one? right now I currently have one (DAC) that seems to be working. If I add a 0.0.0.0 with my adminvlan, it also seems to not cause issues, but that seems redundant, no?

the capac is not getting DHCP from the router, and thus you can disable that rule.
I just checked mine and it was like yours still searching but doesnt affect anything.
So I disabled it just now and no ill effects that I see.

Like you couldnt get packages until I manually added the rule.

Happy Sunday to everyone!

It looks like we are winding down to the last little bits of this config. I have my WiFi all sorted out the way I want it with the cAP AC upstairs and my RB4011 downstairs. Everything seems to get a good connection now!

Minor issue: It seems that my firewall isn't working as it used to when I had all those extra VLANs. I was browsing with my cell (on VLAN15) and was able to connect to a device on VLAN50. This is something that shouldn't be able to happen; only VLAN101 and my server should be able to access VLAN50. How do you propose this happen, I do an input drop rule for incoming VLAN15 to outgoing VLAN50? I am not that great at the firewall logic yet, so hoping to get some help with that. Also, where in the stack of rules would this go?

RB4011 config is in a previous post in this thread. no sense reposting the same config again.

Thank you!! Have a great day.

Aha!

You accidentally removed the drop all else rule (the last rule in the Forward Chain), it is no longer there??
add action=drop chain=forward comment="drop all else"