dcowsill
just joined
Topic Author
Posts: 4
Joined: Wed Nov 08, 2017 5:03 am
Location: Canada

CAP interfaces not being tagged correctly with bridge VLAN filtering enabled

Thu Mar 01, 2018 10:56 pm

Hey guys,

I have found a few discussions on this topic but no real solutions.

In my lab I have configured a hEX r3 and a hAP ac with a CRS125 in between. Each device has a management VLAN interface (99) which handles MikroTik discovery and device management. They also handle a public and private VLAN for use by users.

The problem appears to be that when a CAP interface is added to a bridge with VLAN filtering turned on, it's tagged with PVID 1 in spite of any configuration you set in the datapath or configuration in CAPsMAN. You can see this same problem at work when you add a single wireless interface to the bridge. If you set the VLAN tagging mode and VLAN ID using /interface wireless, the setting is ignored. If you set it using /interface bridge port instead, it becomes effective.

I've left out the irrelevant bits and the switch's configuration since it's pretty standard stuff. If you want you can imagine the hAP ac connected to ether2 on the hEX r3 since that's effectively what's going on.

Since the switch and the hAP are handling the tagging of packets, a VLAN filtering bridge is, strictly speaking, optional in this topology. For other topologies though there should be a way to have a VLAN filtering bridge and CAPsMAN coexist happily on the same device.

Router's config:
/interface bridge
add admin-mac=64:D1:54:62:52:FE auto-mac=no name=bridge vlan-filtering=yes

/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=99

/interface bridge vlan
add bridge=bridge comment=internal-vlan tagged=bridge,ether2 untagged=\
    ether3,ether4 vlan-ids=100
add bridge=bridge comment=public-vlan tagged=bridge,ether2 vlan-ids=200
add bridge=bridge comment=management-vlan tagged=bridge,ether2 untagged=\
    ether5 vlan-ids=99

/interface vlan
add interface=bridge name=internal-vlan vlan-id=100
add interface=bridge name=management-vlan vlan-id=99
add interface=bridge name=public-vlan vlan-id=200

/caps-man datapath
add bridge=bridge name=internal-dp vlan-id=100 vlan-mode=use-tag
add bridge=bridge name=public-dp vlan-id=200 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
    lab-internal
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=lab-public
/caps-man configuration
add datapath=internal-dp datapath.vlan-id=100 datapath.vlan-mode=use-tag \
    mode=ap name=cfg-internal security=lab-internal ssid=lab-internal
add datapath=public-dp datapath.vlan-id=200 datapath.vlan-mode=use-tag mode=\
    ap name=cfg-public security=lab-public ssid=lab-public
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=management-vlan
/caps-man provisioning
add action=create-enabled master-configuration=cfg-internal name-format=\
    identity slave-configurations=cfg-public

/ip address
add address=192.168.1.254/24 interface=internal-vlan network=192.168.1.0
add address=192.168.2.254/24 interface=public-vlan network=192.168.2.0
add address=10.255.255.1/24 interface=management-vlan network=10.255.255.0

And the hAP ac:
/interface bridge
add fast-forward=no name=bridge vlan-filtering=yes

/interface vlan
add interface=bridge name=management-vlan vlan-id=99

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=200
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=200
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=200
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether5 pvid=99

/interface bridge vlan
add bridge=bridge comment=management-vlan tagged=bridge,ether1 untagged=\
    ether5 vlan-ids=99
add bridge=bridge comment=internal-vlan tagged=bridge,ether1 vlan-ids=100
add bridge=bridge comment=public-vlan tagged=bridge,ether1 untagged=\
    ether2,ether3,ether4 vlan-ids=200

/interface wireless cap
set bridge=bridge caps-man-addresses=10.255.255.1 discovery-interfaces=\
    management-vlan enabled=yes interfaces=wlan1,wlan2 static-virtual=yes

/ip address
add address=10.255.255.3/24 interface=management-vlan network=10.255.255.0
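A quick consistency check for the situation described above, written here as an added example (not from the post or from MikroTik): it parses the /interface bridge port and /interface bridge vlan sections of a RouterOS export and flags any port whose pvid has no entry in the bridge VLAN table, which is exactly what a CAP wlan interface left at pvid=1 looks like. The sample export is constructed from the hAP ac config above, with a wlan1 port added the way the CAP ends up with it; single VLAN IDs only (no ranges) are assumed.

```python
import re

# Constructed sample, modelled on the hAP ac export in the post above: the
# wlan1 line is what the CAP ends up with (default pvid 1) whatever the datapath says.
SAMPLE_EXPORT = """\
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \\
    ingress-filtering=yes interface=ether2 pvid=200
add bridge=bridge ingress-filtering=yes interface=ether5 pvid=99
add bridge=bridge interface=wlan1
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1 untagged=ether5 vlan-ids=99
add bridge=bridge tagged=bridge,ether1 vlan-ids=100
add bridge=bridge tagged=bridge,ether1 untagged=ether2,ether3,ether4 vlan-ids=200
"""


def parse_export(text):
    """Return ({port: {pvid, frame_types}}, {vid: {tagged: set, untagged: set}})."""
    text = re.sub(r"\\\n\s*", "", text)  # join RouterOS continuation lines
    section, ports, vlans = None, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = dict(re.findall(r"(\S+?)=(\S+)", line))
            if section == "/interface bridge port":
                ports[kv["interface"]] = {"pvid": int(kv.get("pvid", 1)),
                                          "frame_types": kv.get("frame-types", "admit-all")}
            elif section == "/interface bridge vlan":
                for vid in kv["vlan-ids"].split(","):
                    entry = vlans.setdefault(int(vid), {"tagged": set(), "untagged": set()})
                    for role in entry:
                        entry[role].update(p for p in kv.get(role, "").split(",") if p)
    return ports, vlans


def audit(ports, vlans):
    """Flag ports whose untagged ingress lands in a VLAN the bridge table does not carry."""
    findings = []
    for port, info in ports.items():
        if info["frame_types"] == "admit-only-vlan-tagged":
            continue  # a pure trunk never uses its pvid
        pvid = info["pvid"]
        if pvid not in vlans:
            findings.append(f"{port}: pvid {pvid} has no /interface bridge vlan entry")
        elif port not in vlans[pvid]["untagged"]:
            findings.append(f"{port}: pvid {pvid} but not listed untagged for that vlan")
    for vid, entry in vlans.items():  # reverse check: untagged member whose pvid disagrees
        for port in entry["untagged"]:
            if port in ports and ports[port]["pvid"] != vid:
                findings.append(f"{port}: untagged in vlan {vid} but pvid is {ports[port]['pvid']}")
    return findings


if __name__ == "__main__":
    for finding in audit(*parse_export(SAMPLE_EXPORT)):
        print(finding)
```

Run against a real `/export` of the CAP and the only line it should print is the wlan port; any wired port that shows up too is a table/pvid mismatch worth fixing before blaming CAPsMAN.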
 
ladegro
just joined
Posts: 14
Joined: Tue Apr 03, 2018 11:05 am
Location: Netherlands

Re: CAP interfaces not being tagged correctly with bridge VLAN filtering enabled

Sun Apr 07, 2019 9:28 pm

This had me searching for a solution for days, if not weeks! Very frustrating to have a non-working config and not know where you made the mistake. As it appears, the mistake is in the software. Thanks for describing this; wondering if/when MikroTik will offer a solution. Still present with firmware 6.44.2.

One problem with disabling VLAN filtering on the CAP bridge seems to be that I can no longer assign untagged VLANs to any of the CAP ethernet ports? In my setup I have a CCR1009 as router and a hAP ac connected as CAP, but I'm also using its ethernet ports to assign VLANs. Both devices are connected with a trunk port carrying all tagged VLANs. Or should this still be possible?
 
anav
Forum Guru
Posts: 22233
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: CAP interfaces not being tagged correctly with bridge VLAN filtering enabled

Sun Apr 07, 2019 10:22 pm

I don't use CAPsMAN.
In any case, for VLANs the best reference is
viewtopic.php?f=13&t=143620

Yes, just leave the pvid of the bridge as the default on the hAP ac; that is the correct thing to do.
You tag and untag access ports and trunk ports as per usual.
There is no need to tag the bridge on the hAP ac as it's not routing packets for these wlans or any associated wired access ports.

However, after reviewing the reference, I would state that you tag the bridge on the hAP ac for the management VLAN:
add bridge=bridge tagged=bridge,ether1 vlan-ids=99 (assuming ether1 is coming from the switch, AKA a trunk port)
bridge port for ether1:
/interface bridge port
add bridge=bridge ingress-filtering=yes frame-types=admit-only-vlan-tagged interface=ether1 (trunk port)

plus setting the hAP ac IP address....

/interface vlan add interface=bridge name=management-vlan vlan-id=99
/ip address add address=192.168.X.Y/24 interface=management-vlan

# The Router's IP this AP will use
/ip route add distance=1 gateway=192.168.X.1
 
mkx
Forum Guru
Posts: 13144
Joined: Thu Mar 03, 2016 10:23 pm

Re: CAP interfaces not being tagged correctly with bridge VLAN filtering enabled

Sun Apr 07, 2019 11:38 pm

My experience is that CAPsMAN configuration ends at configuring wireless interfaces. If wired interfaces need any non-default configuration, one needs to do it manually without regard to the CAPsMAN config. If, for example, one needs VLANs, the whole setup (minus wifi) needs to be done on the CAP device itself (including enabling vlan-filtering). On CAPsMAN one sets vlan-id=VID and vlan-mode=use-tag under datapath. Such a wifi interface will become a tagged bridge port on the CAP device, and the rest of the VLAN setup on the CAP device (such as the trunk uplink port) has to be done beforehand ...

The above works for local-forwarding=yes ... in that case it doesn't seem to matter how the CAP interface gets connected on the CAPsMAN device.