atomicduck
Member Candidate
Topic Author
Posts: 252
Joined: Fri Oct 02, 2020 1:42 pm

CapsMan bridges vs VLANs?

Mon Apr 11, 2022 5:59 pm

I am trying to wrap my head around VLANs and the need for them for my setups. (Just read viewtopic.php?f=13&t=143620)

My general setup is:
1. central router
2. a number of switches
3. a number of APs

Router hosts and controls everything. The WAN port is for Internet access, and a few bridges are for grouping ports for video surveillance and AP SSID control. I use CapsMan and set the bridge in Datapath, usually for two SSIDs (one routed to the LAN bridge and the other separate and only allowed to the Internet).

I use the firewall to shape and limit/allow data from and to the bridges / WAN, and all works fine. At least I think so?

What I am trying to understand is whether there is any benefit of implementing VLANs for this purpose?

Thanks!
 
anav
Forum Guru
Posts: 21483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CapsMan bridges vs VLANs?

Mon Apr 11, 2022 6:03 pm

Why, if your setup is working for you? Stick with what works and you understand.
I find CAPsMAN, datapath, etc. far too complicated. VLANs are easy as pie to implement.
 
atomicduck
Member Candidate
Topic Author
Posts: 252
Joined: Fri Oct 02, 2020 1:42 pm

Re: CapsMan bridges vs VLANs?

Mon Apr 11, 2022 7:47 pm

> Why, if your setup is working for you? Stick with what works and you understand.
> I find CAPsMAN, datapath, etc. far too complicated. VLANs are easy as pie to implement.
I am trying to improve. Trying to understand if there is a better way to do stuff than I am currently using.

I find it very simple to use datapath rules, so I am trying to understand if VLANs will function better for capsman. Maybe better throughput, etc.?

Thanks
 
anav
Forum Guru
Posts: 21483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CapsMan bridges vs VLANs?

Mon Apr 11, 2022 8:07 pm

> > Why, if your setup is working for you? Stick with what works and you understand.
> > I find CAPsMAN, datapath, etc. far too complicated. VLANs are easy as pie to implement.
> I am trying to improve. Trying to understand if there is a better way to do stuff than I am currently using.
>
> I find it very simple to use datapath rules, so I am trying to understand if VLANs will function better for capsman. Maybe better throughput, etc.?
>
> Thanks
My understanding from reading a gazillion posts is that CAPsMAN and datapath forwarding may be slightly better than VLANs alone.
However, dressing up a pig, no matter how fancy the makeup and clothes, it's still a pig. I mean that in terms of wifi performance.
In other words, stop chasing a few Mbps, especially if you have a working and somewhat stable setup.

Look to wifi6 and follow-on variants before considering any significant improvement. You can do that right away with some other vendors but minus the flexibility of RoS, or you can wait till MT joins the 21st century in terms of house-type wifi. I did the former, out of necessity, and have no regrets... am very much looking forward to when MT comes out with a wifi6/wifi6E, wifi6? variant.
 
atomicduck
Member Candidate
Topic Author
Posts: 252
Joined: Fri Oct 02, 2020 1:42 pm

Re: CapsMan bridges vs VLANs?

Mon Apr 11, 2022 9:49 pm

Thanks.

Re MT new WiFi standards... I decided to go with MT devices as I usually use those for installations. They are not the fastest, but they are fast enough and price is more than acceptable. Usually 2-3x cheaper than other options.

I am also very much looking forward to new MT WiFi models.
 
crosswind
newbie
Posts: 46
Joined: Tue Feb 18, 2020 3:47 pm

Re: CapsMan bridges vs VLANs?  [SOLVED]

Mon Apr 11, 2022 11:01 pm

> What I am trying to understand is there any benefit of implementing VLANs for this purpose?
it sounds like you're using CAPsMAN with local-forwarding off, so CAPsMAN is sending all your wireless traffic to a single router, and you control the traffic by having each SSID go to a different bridge on that router, right? in that case, you can use VLANs, but you probably don't need to.

where VLANs are useful is when you have multiple layer 2 networks (like the multiple bridges in your configuration), and you need to maintain that separation of traffic between multiple devices.

for example: let's say you have one router and a bunch of APs, and you want to provide two SSIDs: a "users" SSID and a "guest" SSID (pretty typical setup). but your wireless users need to connect to servers on the same L2 network, and you don't want all that traffic going to the central router and back, so you turn local forwarding on in CAPsMAN. that means instead of sending all the wireless traffic to the CAPsMAN router, the AP will add the wireless interface to its local bridge and switch the traffic itself. without VLANs, you could do this by having two bridges on each AP - one for "lan" and one for "guest" - but to connect both those bridges to the central router, you need two physical Ethernet ports on each side, one in each bridge.

now let's say your APs are something like hAP ac2, with a built-in switch, and you want to connect some surveillance device to one of the APs instead of running a cable all the way back to the central router. so you create a third bridge on the AP for the surveillance device, but now you also need a third cable from the AP to the router to carry that traffic. clearly this isn't a workable setup (unless you really enjoy running new cabling).

instead, do it like this: create one bridge on each AP, and create three VLANs: VLAN 101 for "users" SSID, VLAN 102 for "guest" SSID, and VLAN 103 for surveillance devices. then configure CAPsMAN to tag the wireless traffic appropriately for each SSID (101 or 102), and configure the bridge port with the surveillance device with PVID=103. now your single bridge has three virtual networks, which behave more or less the same as the configuration with three bridges did: the "users" traffic is in VLAN 101, the "guest" traffic is in VLAN 102, and the surveillance traffic is in VLAN 103. but now you can run a single Ethernet cable from the AP to the central router, configure it as a tagged port in each of the three VLANs, and the traffic from all three VLANs can go back to the router over the same cable. (this works because the AP will prepend a header to each Ethernet frame containing the VLAN tag, so the central router knows which VLAN the traffic is on, and the router will do the same when sending traffic to the AP.)

on the central router, configure the same single bridge with three VLANs, and then create three VLAN interfaces (/interface/vlan) called "vlan101", "vlan102" and "vlan103". these work like normal Ethernet or bridge interfaces, but they only see the traffic in the particular VLAN they're configured in. now you can assign 192.168.1.1/24 to vlan101, 192.168.2.1/24 to vlan102, and 192.168.3.1/24 to vlan103, and process the traffic normally in the router as if each VLAN was its own physical network.

tl;dr: VLANs are like having multiple bridges, except the traffic for all the bridges can be carried between devices over a single Ethernet port.
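The three-VLAN layout described in this post, written out as RouterOS configuration so the pieces on the AP and on the router can be seen together. This is an added example, not configuration from the thread or from MikroTik's documentation. It assumes the legacy wireless CAPsMAN (/caps-man, as used in the thread) rather than the newer wifi package, an AP whose trunk to the router is ether1 and whose camera port is ether2, a router whose trunk to the AP is ether2 and whose WAN is ether1, the VLAN ids and addresses from the post, untagged VID 1 on the trunk carrying the CAP-to-CAPsMAN management traffic, and placeholder passphrases. The guest firewall rules implement the "only allowed to the Internet" requirement from the first post; the camera rule and the guest client isolation are additional assumptions of this example.

```routeros
# ===== On each CAP (AP), e.g. a hAP ac2: one VLAN-aware bridge =====
# Added example; interface names and VLAN ids are assumptions.
/interface bridge
add name=bridge vlan-filtering=no comment="switch vlan-filtering on only after the VLAN table below is in place"
/interface bridge port
add bridge=bridge interface=ether1 comment="trunk to router: tagged 101,102,103; untagged VID 1 = CAP management"
add bridge=bridge interface=ether2 pvid=103 comment="surveillance camera, untagged, lands in VLAN 103"
/interface bridge vlan
add bridge=bridge tagged=ether1 vlan-ids=101,102
add bridge=bridge tagged=ether1 untagged=ether2 vlan-ids=103
/interface wireless cap
set enabled=yes interfaces=wlan1,wlan2 discovery-interfaces=bridge
/interface bridge set bridge vlan-filtering=yes

# ===== On the CAPsMAN (here: the central router) =====
/caps-man security
add name=sec-users authentication-types=wpa2-psk encryption=aes-ccm passphrase="CHANGE-ME-users"
add name=sec-guest authentication-types=wpa2-psk encryption=aes-ccm passphrase="CHANGE-ME-guest"
/caps-man datapath
# local-forwarding=yes: the CAP puts the SSID in its own bridge and tags frames with vlan-id
# instead of tunnelling them to the CAPsMAN. Guest clients are also isolated from each other.
add name=dp-users local-forwarding=yes bridge=bridge vlan-mode=use-tag vlan-id=101 client-to-client-forwarding=yes
add name=dp-guest local-forwarding=yes bridge=bridge vlan-mode=use-tag vlan-id=102 client-to-client-forwarding=no
/caps-man configuration
add name=cfg-users ssid=users datapath=dp-users security=sec-users
add name=cfg-guest ssid=guest datapath=dp-guest security=sec-guest
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg-users slave-configurations=cfg-guest
/caps-man manager set enabled=yes

# ===== Central router: same VLAN table on its bridge, plus one L3 interface per VLAN =====
/interface bridge
add name=bridge vlan-filtering=no
/interface bridge port
add bridge=bridge interface=ether2 comment="trunk to AP"
/interface bridge vlan
# "bridge" is listed as tagged so the router's own vlan interfaces can hear each VLAN
add bridge=bridge tagged=bridge,ether2 vlan-ids=101
add bridge=bridge tagged=bridge,ether2 vlan-ids=102
add bridge=bridge tagged=bridge,ether2 vlan-ids=103
/interface vlan
add name=vlan101 interface=bridge vlan-id=101 comment=users
add name=vlan102 interface=bridge vlan-id=102 comment=guest
add name=vlan103 interface=bridge vlan-id=103 comment=surveillance
/ip address
add address=192.168.1.1/24 interface=vlan101
add address=192.168.2.1/24 interface=vlan102
add address=192.168.3.1/24 interface=vlan103
/interface list
add name=WAN
/interface list member
add list=WAN interface=ether1
/ip firewall filter
# Guest VLAN: Internet only. Place these above any broad "accept" in forward,
# below the usual established/related accept rule.
add chain=forward in-interface=vlan102 out-interface-list=WAN action=accept comment="guest -> Internet"
add chain=forward in-interface=vlan102 action=drop comment="guest -> any other VLAN"
add chain=input in-interface=vlan102 protocol=udp dst-port=53,67 action=accept comment="guest: DHCP/DNS from router only"
add chain=input in-interface=vlan102 action=drop
# Cameras (assumption): reachable from the users VLAN, but never allowed to phone home
add chain=forward in-interface=vlan103 out-interface-list=WAN action=drop comment="surveillance -> Internet"
/interface bridge set bridge vlan-filtering=yes
```

Turn vlan-filtering on last, from a session that survives a mistake (safe mode or the serial console), because a bridge with an incomplete VLAN table silently cuts off management. On the CAP, once the SSIDs are provisioned, check with /interface bridge vlan print that the dynamic cap interface is carried as a tagged member of 101 and 102; if it is not, the bridge's ingress filtering drops its tagged frames and the interface has to be added to the tagged list. Since the guest SSID is now a normal VLAN at the router, the same firewall rules apply whether the traffic arrived over CAPsMAN forwarding or over the trunk, which is what keeps the two SSIDs separated end to end.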
 
atomicduck
Member Candidate
Topic Author
Posts: 252
Joined: Fri Oct 02, 2020 1:42 pm

Re: CapsMan bridges vs VLANs?

Mon Apr 11, 2022 11:28 pm

> tl;dr: VLANs are like having multiple bridges, except the traffic for all the bridges can be carried between devices over a single Ethernet port.
You are completely right - I am using CapsMan with local-forwarding off. From your (Very clear!! Thank you!) explanation it is clear that I don't need VLANs for my use, and what they are actually for.

This explanation is very MikroTik centric, and because of that very understandable - at least for me. Finally the VLAN story "clicked" in my head.

Another thing that comes to mind is: how could I make a redundant main router? Or maybe offload CapsMan forwarding to another router? From what I know (not too much), that shouldn't be possible with CapsMan bridge-based forwarding? In that case, are VLANs the way to go?

Thanks!
 
anav
Forum Guru
Posts: 21483
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CapsMan bridges vs VLANs?

Mon Apr 11, 2022 11:57 pm

I purchased other wifi5 APs for my house and mother-in-law that perform much better and at the same price point.
BUT, no flexible RoS, which is really really nice; performance for others came before my RoS preference. That's why I say I am looking very much forward to WiFi6+ products from MT:
they have finally stopped going off on their own proprietary wifi standard schema, so I am assuming their WiFi6+ products will be as stable
and fast as everyone else's but way better to config as required!!!
 
mkx
Forum Guru
Posts: 12736
Joined: Thu Mar 03, 2016 10:23 pm

Re: CapsMan bridges vs VLANs?

Tue Apr 12, 2022 8:28 am

> Another thing that comes to mind is: how could I make a redundant main router? Or maybe offload CapsMan forwarding to another router? From what I know (not too much), that shouldn't be possible with CapsMan bridge-based forwarding? In that case, are VLANs the way to go?

CAPsMAN can be any device in your LAN (and with appropriate config even in a different network); it doesn't have to be the main router. However, the break-out point of wifi traffic is the CAPsMAN: you can't have the control plane of CAPsMAN (i.e. CAP device provisioning) separate from the user plane (traffic forwarding) if local forwarding is disabled. If CAPsMAN is not hosted on the main router and you still want to keep separation, you need something between the CAPsMAN device and the main router ... that something can be either multiple physical links (one per wifi network / SSID) or VLANs run over a single physical link. Or a single dedicated physical link might do with some diligent configuration (the VLAN solution allows switches between these two devices).

You have to be aware that CAPsMAN forwarding is CPU intensive for both CAP devices as well as (or mainly) for the CAPsMAN device. Traffic between CAP and CAPsMAN is ciphered and encapsulated into normal IP packets. Both ciphering/deciphering and fragmentation/defragmentation can be pretty CPU intensive. Which means that CAPsMAN forwarding can be a bottleneck if the CAPsMAN device is underpowered. Using local forwarding with VLANs removes this bottleneck, but also removes some traffic controls which are available if all wireless traffic flows via the same bridge.
 
atomicduck
Member Candidate
Topic Author
Posts: 252
Joined: Fri Oct 02, 2020 1:42 pm

Re: CapsMan bridges vs VLANs?

Tue Apr 12, 2022 10:25 am

> You have to be aware that CAPsMAN forwarding is CPU intensive for both CAP devices as well as (or mainly) for the CAPsMAN device. Traffic between CAP and CAPsMAN is ciphered and encapsulated into normal IP packets. Both ciphering/deciphering and fragmentation/defragmentation can be pretty CPU intensive. Which means that CAPsMAN forwarding can be a bottleneck if the CAPsMAN device is underpowered. Using local forwarding with VLANs removes this bottleneck, but also removes some traffic controls which are available if all wireless traffic flows via the same bridge.
I use relatively powerful routers (mostly 3011, some 4011, and currently I am configuring one 1100AHx4), and have switched to cAP ac variants for most AP needs now. Is there a way to quantify bottlenecking? I never see the CPU being maxed out, but I suspect that the CPU meter is not entirely accurate.

Just checked 3011 with a largish number of APs and CPU does seem suspiciously low?

[screenshot: CPU graph of the 3011]
 
mkx
Forum Guru
Posts: 12736
Joined: Thu Mar 03, 2016 10:23 pm

Re: CapsMan bridges vs VLANs?

Tue Apr 12, 2022 11:26 am

The problem of CPU graph is two-fold: 1) it displays 5-minute average and 2) it displays average over all CPU cores while certain operations are bound to single core. So when evaluating different options you should run CPU profiler to see real-time performance per CPU core.
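One way to do the per-core check this post recommends, as an added example that is not from the thread: a RouterOS script that samples the per-core load from /system resource cpu once a second for a while and reports the busiest single core, then hands over to the profiler for a breakdown of what is consuming it. The sampling window, and the use of the `load` and `cpu` fields of the cpu table, are this example's assumptions; run it while the APs are actually busy, since an idle measurement proves nothing.

```routeros
# Added example, not from the thread. Paste into a terminal or save as a script.
# The 5-minute graph averages over time and over all cores, so a single core pinned
# at 100% by CAPsMAN ciphering/defragmentation can show as e.g. 25% on a 4-core box.
:local samples 30
:local peakCore ""
:local peakLoad 0
:for i from=1 to=$samples do={
    :foreach c in=[/system resource cpu find] do={
        :local load [/system resource cpu get $c load]
        :if ($load > $peakLoad) do={
            :set peakLoad $load
            :set peakCore [/system resource cpu get $c cpu]
        }
    }
    :delay 1s
}
:put ("peak single-core load over " . $samples . "s: " . $peakCore . " at " . $peakLoad . "%")
# If one core sits near 100% while the average looks fine, that core is the bottleneck.
# The profiler shows which subsystem (wireless, bridging, firewall, ...) is burning it:
/tool profile cpu=all duration=10s
```

A peak near 100% on one core with a low overall average is exactly the case the post describes; compare the profiler output with CAPsMAN forwarding against the same load with local forwarding enabled to see how much of that core the tunnel encapsulation costs.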
