CAPSMAN issue (cAP ac & CRS326-24G-2S+) - wlan interfaces not coming up

misha · Mon Nov 23, 2020 10:46 am

Hi Guys,

Just on the beginning, I have to admit that I like Mikrotik because of its price, functionality and stability. All these are good, but confiuration is not so simple and sheds a bad light on this platform.

Here is what I have at the moment and here is what I want to get.
1. AS-IS
I have 3 AP from TP-Link which broadcast 3 SSID within 3 different VLANs, connecetd to CRS326-24G-2S+ . Everything works fine.

2. TO-BE
I have decided to change APs to cAP ac because TP-Links are equiped only with 100Mb/s Ethernet cards. So this is what I did:

1. I have added eth6, eth7, eth8 to my bridge and made them trunks. New APs are connected to them.
2. I have created bridge on each AP and created VLAN to reflect what I have on router/switch. It looks that this works fine because VLAN intefaces on each AP get IPs from DHCP servers running on router/switch.
3. I have configured CAPSMAN (CAPSMAN forwarding) in this order:
- 3 sec profiles
- 3 channels (one for each network)
- 3 datapaths (wih VLAN tagging)
- 1 rate config
- 3 configurations (for each SSID)
- 1 provissioning rule (SSID 1 as master, SSID 2 & 3 as slaves)
4. I Enabled CAP on each connected AP and they are getting info from CAPSMAN (virtual interfaces are created, but interfaces remain disabled. SSID is showing Mikrotik only on master interfaces. Please look at the picture below.

https://drive.google.com/file/d/1fvsxVW ... sp=sharing

Platform wise:
model: CRS326-24G-2S+
firmware-type: dx3230L
factory-firmware: 6.42.7
current-firmware: 6.42.7
upgrade-firmware: 6.47.7
model: RBcAPGi-5acD2nD
revision: r2
serial-number: BECD0C686AC3
firmware-type: ipq4000L
factory-firmware: 6.44
current-firmware: 6.45.9
upgrade-firmware: 6.47.7

I will appreciate your help. Please let me know if you came across this problem before and how did you fix it?

erlinden · Mon Nov 23, 2020 11:24 am

Can you please share your /caps-man export hide-sensitive?
Are you using DFS channels? That could explain why not all radios are up.

misha · Mon Nov 23, 2020 12:26 pm

Can you please share your /caps-man export hide-sensitive?
Are you using DFS channels? That could explain why not all radios are up.

First of all - thanks for prompt reply.
Here is my config:

[admin@ccedgerouter] > /caps-man export hide-sensitive
# nov/23/2020 11:28:59 by RouterOS 6.47.7
# software id = FYYF-3W4L
#
# model = CRS326-24G-2S+
# serial number = 94550991FB30
/caps-man channel
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5220 name=channel44
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=channel36
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5200 name=channel40
/caps-man datapath
add bridge=vbridge client-to-client-forwarding=yes local-forwarding=no name=dpath-128 vlan-id=128 vlan-mode=use-tag
add bridge=vbridge client-to-client-forwarding=yes local-forwarding=no name=dpath-129 vlan-id=129 vlan-mode=use-tag
add bridge=vbridge client-to-client-forwarding=no local-forwarding=no name=dpath-130 vlan-id=130 vlan-mode=use-tag
/caps-man rates
add basic=54Mbps ht-basic-mcs=mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-16 ht-supported-mcs=\
    mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23 name=basic_rates supported=\
    1Mbps,2Mbps,5.5Mbps,11Mbps,6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=seccfg-128
add authentication-types=wpa2-psk encryption=aes-ccm name=seccfg-129
add authentication-types=wpa2-psk encryption=aes-ccm name=seccfg-130
/caps-man configuration
add channel=channel44 channel.band=5ghz-a/n/ac country=poland datapath=dpath-128 distance=indoors hide-ssid=no installation=indoor mode=ap name=wn128.cfg rates=basic_rates rx-chains=0,1 security=seccfg-128 ssid=ngWN-CHERRY tx-chains=\
    0,1
add channel=channel40 channel.band=5ghz-a/n/ac country=poland datapath=dpath-129 distance=indoors hide-ssid=no installation=indoor mode=ap name=wn-motylek.cfg rates=basic_rates rx-chains=0,1 security=seccfg-129 ssid=ngWN-MOTYLEK \
    tx-chains=0,1
add channel=channel36 channel.band=5ghz-a/n/ac country=poland datapath=dpath-130 distance=indoors hide-ssid=no installation=indoor mode=ap name=wn-gosc.cfg rates=basic_rates rx-chains=0,1 security=seccfg-130 ssid=ngWN-GOSC tx-chains=\
    0,1
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=wn128.cfg name-format=identity slave-configurations=wn-motylek.cfg,wn-gosc.cfg

anav · Mon Nov 23, 2020 2:21 pm

Easy, replace older TPLINK with eap245. Done, up and running in 5 minutes, everyone happy!
But I see you like it the hard way, and I mean that as graphically back door as you are imagining.
Enjoy!

misha · Mon Nov 23, 2020 2:25 pm

Easy, replace older TPLINK with eap245. Done, up and running in 5 minutes, everyone happy!

Well. I purchased cAP ac already. I had to do it as you wrote, but I thought that Milkrotik - Mikrotik will be fine connection.
But it is not.

anav · Mon Nov 23, 2020 2:30 pm

Dont take me too seriously, the capac after much fiddling around can give some satisfaction but the problem is every once in a while odd things happen with no explanation.
Not consistent behaviour and the signal/performance is not up to par with similar offering I noted above.\

I have two capacs in the house and they work for the most part but had to install one eap245 for my daughter studying at med school, no inconsistency or dropouts allowed!!!
So content with stability and performance I ended up buying two more for the mother-in-laws house. WHY?? You guessed, there is nothing worse than the 9pm phone call stating, my internet is not working what did you do .....................

The two capacs in the house are all connected and working but many times my IOT devices drop off line and sometimes I have to manually reset them. Not once with the TP LINK unit .............

My recommendation is to not use capsman and config the capacs separately until you are really comfortable with tweaking them and then venture into capsman.
This link is so easy to follow in that regard............
viewtopic.php?f=13&t=143620

misha · Mon Nov 23, 2020 3:01 pm

You are right. My kids are also learning from home. Both me and my wife do 90% of work remotely therefore connection stability is a key. But this discussion does not bring me closer to the solution. I just want to make these CAPs working. It is so freaking hard to do it.

I used to configure Cisco devices for leaving. This was just a real pleasure. Even commands were the same across all platforms. Here is different. Entire VLAN config is so wierd. But compare to WiFi and Capsman it is all so simple. I don't know why people make complicated things in 21st centrury.

Any thoughts how to make CAPs working?

biomesh · Mon Nov 23, 2020 7:00 pm

First off, I would get rid of the rates config. This is going to complicate things before you get the basics working. I would set the channels to only be band 5ghz-n/ac. You will rarely see any 5ghz a devices. You are also not using local forwarding on the datapaths, which means that the capsman device will have to process all of the data. On a crs326 device which does not have a very powerful cpu, this is asking for trouble. Set local-forwarding=yes on your datapath entries. For your security profile, make sure you set the encryption and group-encryption to aes-ccm. Your configuration entries have duplicate settings(channel.band). It is best to let them inherit from the other config objects that have been set. So for these I would use:

/caps-man configuration
add channel=channel44 country=poland datapath=dpath-128 mode=ap name=wn128.cfg security=seccfg-128 ssid=ngWN-CHERRY

If you still have problems with this, you might need to get some debug wireless logs from the capsman device and possibly from the cap itself.

kenakapheus · Mon Nov 23, 2020 7:17 pm

The interfaces being disabled on the CAP is normal in CAPs Mode.
The Interfaces should instead appear on the CAPsMAN.

If the VLAN configuration on the Bridge correct? Currently all Traffic will be tunneled back and go thru 'vbridge' on the CAPsMAN. If that is not what you want you should enable local-forwarding.

misha · Mon Nov 23, 2020 7:32 pm

Hi,

thanks for the reply. I was waiting for it like kids for Santa. But this time I have to wait longer than that as I am still at the same spot.
I have figured it out that I should have just one frequency. Changed that already but still noting.
I have also tried to do the local forwarding and indeed interfaces are coming up but wierd SSID (mikrotik came up only on master wlan interface.)
I have also tried to limit my provisioning rule just for one SSID - same thing.

What I did not try, but I am not sure how this may have an effect, is:
* change firewall rules on my CSR (in my opinion this is not required as I do have connectivity)
* review VLAN setup on CSR and CAPs.

Right now CAPS have the same VLAN configuration, which looks as follows:

[admin@capCEBC69] /interface vlan> print
Flags: X - disabled, R - running 
 #   NAME                   MTU ARP             VLAN-ID INTERFACE                
 0 R VLAN100               1500 enabled             100 ether1                   
 1 R VLAN128               1500 enabled             128 ether1                   
 2 R VLAN129               1500 enabled             129 ether1                   
 3 R VLAN130               1500 enabled             130 ether1

[admin@capCEBC69] /interface bridge> vlan print
Flags: X - disabled, D - dynamic 
 #   BRIDGE           VLAN-IDS  CURRENT-TAGGED          CURRENT-UNTAGGED         
 0   cbridge          100       cbridge                
                                ether1                 
 1   cbridge          130       cbridge                
                                ether1                 
 2   cbridge          129       cbridge                
                                ether1                 
 3   cbridge          128       cbridge                
                                ether1                 
 4 D cbridge          1                                 cbridge                  
                                                        ether1                   
[admin@capCEBC69] /interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE                         BRIDGE                        HW  PVID PRIORITY  PATH-COST INTERNAL-PATH-COST    HORIZON
 0     ether1                            cbridge                       yes    1     0x80         10                 10       none
 1     dynamic                           cbridge                       yes    1     0x80         10                 10       none
[admin@capCEBC69] /interface bridge> print
Flags: X - disabled, R - running 
 0 R name="cbridge" mtu=auto actual-mtu=1500 l2mtu=1598 arp=enabled arp-timeout=auto mac-address=48:8F:5A:CE:BC:69 
     protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m priority=0x8000 max-message-age=20s 
     forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all 
     ingress-filtering=no dhcp-snooping=no 
[admin@capCEBC69] /interface bridge>

Attaching my current config:

[admin@ccedgerouter] > caps-man export hide-sensitive  
# nov/23/2020 18:32:14 by RouterOS 6.47.7
# software id = FYYF-3W4L
#
# model = CRS326-24G-2S+
# serial number = 94550991FB30
/caps-man channel
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=disabled frequency=5220 name=channel44
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=channel36
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=disabled frequency=5200 name=channel40
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=dpath-128 vlan-id=128 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=dpath-129 vlan-id=129 vlan-mode=use-tag
add client-to-client-forwarding=no local-forwarding=yes name=dpath-130 vlan-id=130 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=seccfg-128
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=seccfg-129
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=seccfg-130
/caps-man configuration
add channel=channel44 country=etsi datapath=dpath-128 distance=indoors hide-ssid=no installation=indoor mode=ap name=wn128.cfg rx-chains=0,1 security=seccfg-128 ssid=ngWN-CHERRY tx-chains=0,1
add channel=channel44 country=etsi datapath=dpath-129 distance=indoors hide-ssid=no installation=indoor mode=ap name=wn-motylek.cfg rx-chains=0,1 security=seccfg-129 ssid=ngWN-MOTYLEK tx-chains=0,1
add channel=channel44 country=etsi datapath=dpath-130 distance=indoors hide-ssid=no installation=indoor mode=ap name=wn-gosc.cfg rx-chains=0,1 security=seccfg-130 ssid=ngWN-GOSC tx-chains=0,1
add channel=channel44 country=poland datapath=dpath-128 mode=ap name=wn128.cfg2 rx-chains=0,1 security=seccfg-128 ssid=ngWN-CHERRY tx-chains=0,1
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes master-configuration=wn128.cfg name-format=identity slave-configurations=wn-motylek.cfg,wn-gosc.cfg
add action=create-dynamic-enabled master-configuration=wn128.cfg2

Any thoughts?
I came across HT TX and RX Chains topic. This may have an effect but not sure. Tried leardy to changed it to one, two in different configurations. My understading is: if this device has two chans, it should be marked 0 and 1 for Tx and Rx. Is that right?

biomesh · Mon Nov 23, 2020 10:35 pm

The vlans should not be created on the caps(the only exception would be to create a management vlan interface). The capsman provisioning will tag packets on those SSIDs with the vlan tag based on your datapath config.

You don't need to set the tx/rx chains - if you leave it at defaults both chains are enabled.

Can you post full configs(export) from both the cap and the capsman device?

You will need at least 2 config profiles in capsman. One for the 5GHz radio and one for the 2GHz radio. So far I have only seen the 5GHz config.

misha · Tue Nov 24, 2020 10:36 am

Hi All,

firstly - I did it. Thanks for your help and insights. Mikrotik works like charm, but there are a couple of things that are misleading. First - my networks are still showing disabled but they are broadcasted and I can connect to them. This is so strange and made me think that system does not work.

Secondly, in order to have both radios enabled, there must be two provisioning rules with supported modes as a differentiator.

Thridly - no need to build trunk. That was an issue but it became noticed when I connected to the wifi network and couldn't get IP from the router's dhcp. So I get rid of this too.

Finally - this is all so simple. I came to a final setup after watching this video: https://www.youtube.com/watch?v=eBFNINqmajk

I will let you know how this works after a week of trials. So far so good.
Thinking about how to optimize channels in order to get the best bandwidth.

Cheers!

CAPSMAN issue (cAP ac & CRS326-24G-2S+) - wlan interfaces not coming up

CAPSMAN issue (cAP ac & CRS326-24G-2S+) - wlan interfaces not coming up

Re: CAPSMAN issue (cAP ac & CRS326-24G-2S+) - wlan interfaces not coming up

Re: CAPSMAN issue (cAP ac & CRS326-24G-2S+) - wlan interfaces not coming up

Re: CAPSMAN issue (cAP ac & CRS326-24G-2S+) - wlan interfaces not coming up

Re: CAPSMAN issue (cAP ac & CRS326-24G-2S+) - wlan interfaces not coming up

Re: CAPSMAN issue (cAP ac & CRS326-24G-2S+) - wlan interfaces not coming up

Re: CAPSMAN issue (cAP ac & CRS326-24G-2S+) - wlan interfaces not coming up

Re: CAPSMAN issue (cAP ac & CRS326-24G-2S+) - wlan interfaces not coming up

Re: CAPSMAN issue (cAP ac & CRS326-24G-2S+) - wlan interfaces not coming up

Re: CAPSMAN issue (cAP ac & CRS326-24G-2S+) - wlan interfaces not coming up

Re: CAPSMAN issue (cAP ac & CRS326-24G-2S+) - wlan interfaces not coming up

Re: CAPSMAN issue (cAP ac & CRS326-24G-2S+) - wlan interfaces not coming up

Who is online