Multiple SSID capsman and caps not in the same subnet

tonify · Wed Feb 17, 2021 7:09 pm

Hi,

Anyone can give me some hint to set up multiple SSID in a network which the capsman and cap is not in the same subnet?
As I can see in the datapath is all about Layer2 protocol.
My Capsman is sit in the router. And my caps are connect to another switch in a standalone vlans.
There is not trunk port between the router and switch. The routing between the router and switch is by BGP

Below is the diagram of my network.

sindy · Wed Feb 17, 2021 8:06 pm

The fact that the CAPsMAN and the CAP(s) are not in the same subnet is not really important; what is important is the expected traffic pattern in the network. You say that the routing between the router and the switch is by BGP (which is an overkill) and worst of all, it implies that the CRS328 has to do routing which is conceptually incorrect, although an 800 MHz ARM CPU may be sufficient for a home network (many Mikrotik devices sold as routers actually have weaker CPUs).

An important parameter of datapath is local-forwarding:

if you set it to yes, the wireless interface is made a member port of the bridge specified in /interface wireless cap on the CAP device itself
if you set it to no, the wireless interface is made a member port of a bridge on the CAPsMAN device specified in the bridge item of the datapath (to make this possible, the wireless frames are transported between the CAPsMAN device and the CAP, encrypted, as UDP packets)

So even if the link between the 4011 and the 328 is not a trunk one, you can still set up the two "wireless" subnets at the 4011 if that fits your traffic pattern. The packet from a visitor's wireless CPE to the internet has to get to the 4011 one way or the other in order to reach internet; the question is whether you plan a significant amount of traffic between VLANs 103 on one hand and VLANs 101,102 on the other one, and whether a firewall should control this traffic. So for a very low or very high amount of this inter-vlan traffic, or if some heavy firewalling of this traffic is required, routing it at the 4011 may make more sense; for some "moderate" amount of inter-vlan traffic, handling it directly at the 328 may be a better choice as it avoids sending it forth and back through the link between the 4011 and the 328.

So first decide which approach you prefer, and then we can move to implementing the chosen one.

tonify · Wed Feb 17, 2021 11:00 pm

Hi Sindy,

I know the approach with my hardware is a bit non sense.

However, the reason I bought the 4011 and 328 was I want to use MikroTik to build a layer3 switch network like where I was worked. And later I will buy another router and try VRRP.

So would you please guide me how to set up capsman With multiple ssid in this way?

Thanks for the instructions today！ Learned 2 things already.

Cheers!

Tony

sindy · Thu Feb 18, 2021 9:47 am

So for a case where the wireless interfaces are created at the CAPsMAN machine, this is a real life configuration adopted to your network.
To simplify things and save a bit of CPU, the home and guest subnets are linked to individual bridge interfaces, so no VLANs are used for them.

CAPsMAN:

/interface bridge
add name=br-home protocol-mode=none
add name=br-guest protocol-mode=none

/ip address
add interface=br-home address=192.168.3.254/24
add interface=br-guest address=192.168.4.254/24

/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2412,2432,2452,2472 name=2G4
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce frequency=5180,5200,5220,5240,5260,5280,5300,5320 name=5G

/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=home passphrase=pwd-for-home
add authentication-types=wpa2-psk encryption=aes-ccm name=guest passphrase=pwd-for-guest

/caps-man configuration
add channel=2G4 country="wonderland" datapath=home distance=indoors installation=indoor mode=ap name=home-2G security=home ssid=home
add channel=5G country="wonderland" datapath=home distance=indoors installation=indoor mode=ap name=home-5G security=home ssid=home
add country="wonderland" datapath=guest distance=indoors installation=indoor mode=ap name=guest-2G security=guest ssid=guest
add country="wonderland" datapath=guest distance=indoors installation=indoor mode=ap name=guest-5G security=guest ssid=guest

/caps-man datapath
add bridge=br-home local-forwarding=no name=home
add bridge=br-guest local-forwarding=no name=guest

/caps-man manager
set enabled=yes

/caps-man provisioning
add action=create-enabled hw-supported-modes=b,g,gn master-configuration=home-2G slave-configurations=guest-2G
add action=create-enabled hw-supported-modes=a,an,ac master-configuration=home-5G slave-configurations=guest-5G

(plus the DHCP server configurations for 192.168.3.0/24 and 192.168.4.0/24 and some firewall rules if required)

CAP:

/interface wireless cap
set enabled=yes interfaces=wlan1,wlan2 caps-man-addresses=192.168.0.1

(how do you define the CAP's own IP address and routing is up to you; the own address just must not be in 192.168.3.0/24 or 192.168.4.0/24).

For local forwarding on CAPs, it would look as follows:

CAPsMAN:

/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2412,2432,2452,2472 name=2G4
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ce frequency=5180,5200,5220,5240,5260,5280,5300,5320 name=5G

/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=home passphrase=pwd-for-home
add authentication-types=wpa2-psk encryption=aes-ccm name=guest passphrase=pwd-for-guest

/caps-man configuration
add channel=2G4 country="wonderland" datapath=home distance=indoors installation=indoor mode=ap name=home-2G security=home ssid=home
add channel=5G country="wonderland" datapath=home distance=indoors installation=indoor mode=ap name=home-5G security=home ssid=home
add country="wonderland" datapath=guest distance=indoors installation=indoor mode=ap name=guest-2G security=guest ssid=guest
add country="wonderland" datapath=guest distance=indoors installation=indoor mode=ap name=guest-5G security=guest ssid=guest

/caps-man datapath
add bridge=bridge local-forwarding=yes name=home
add bridge=bridge local-forwarding=yes name=guest vlan-mode=use-tag vlan-id=104

/caps-man manager
set enabled=yes

/caps-man provisioning
add action=create-enabled hw-supported-modes=b,g,gn master-configuration=home-2G slave-configurations=guest-2G
add action=create-enabled hw-supported-modes=a,an,ac master-configuration=home-5G slave-configurations=guest-5G

CAP:
The assumption here is that VLAN 103 is available tagless on the CAP-facing ports of the 328, so CAP's own address is in 192.168.3.0/24 as on your drawing. The VLAN-related settings below are relevant for vlan-filtering=yes on the bridge, but you actually don't need this mode with this simple setup. If you keep vlan-filtering=no, the pvid settings in /interface bridge port section are irrelevant, and so is the whole section /interface bridge vlan; if you opt to use vlan-filtering=yes, first set all the /interface bridge ... settings without it (i.e. with the default no) and then, as the last step, do /interface bridge set bridge vlan-filtering=yes. Otherwise you'll lock yourself out.

/interface bridge
add name=bridge pvid=103

/interface bridge port
add bridge=bridge interface=ether1 pvid=103

/interface bridge vlan
add bridge=bridge vlan-ids=103
add bridge=bridge vlan-ids=104 tagged=bridge,ether1

/ip dhcp-client
add interface=bridge

/interface wireless cap
set enabled=yes interfaces=wlan1,wlan2 caps-man-addresses=192.168.0.1

CRS328:
Also here, setting vlan-filtering to yes may be a dangerous step if sfpplus1 is a member port of the bridge.

/interface bridge
add name=bridge vlan-filtering=yes

/interface bridge vlan
add bridge=bridge vlan-ids=103 tagged=bridge
add bridge=bridge vlan-ids=104 tagged=bridge,ether19,ether20,ether21,ether22,ether23,ether24

/interface bridge port
add bridge=bridge interface=ether19 pvid=103
add bridge=bridge interface=ether20 pvid=103
add bridge=bridge interface=ether21 pvid=103
add bridge=bridge interface=ether22 pvid=103
add bridge=bridge interface=ether23 pvid=103
add bridge=bridge interface=ether24 pvid=103

/interface vlan
add name=bridge.home.103 vlan-id=103 interface=bridge
add name=bridge.guest.104 vlan-id=104 interface=bridge

/ip address
add interface=bridge.home.103 address=192.168.3.254/24
add interface=bridge.guest.104 address=192.168.4.254/24

(plus the DHCP server configurations for 192.168.3.0/24 and 192.168.4.0/24 and some firewall rules if required)

If you set caps-manager=192.168.0.1 in the /ip dhcp-server network row responsible for assigning IP configuration to the CAPs, you don't need to configure it statically on the CAPs, so it becomes more or less a zero-touch configuration on the CAP devices if you use the reset button to boot them into CAP mode. There is just some non-intuitive step you have to take to make them stay in CAP mode on the next power cycle, it has been discussed here on the forum about half a year ago.

tonify · Thu Feb 18, 2021 12:41 pm

Hi Sindy,

Thank you very much for the detail tutorial.
I will read it carefully and try this today.

Tony

Multiple SSID capsman and caps not in the same subnet

Multiple SSID capsman and caps not in the same subnet

Re: Multiple SSID capsman and caps not in the same subnet

Re: Multiple SSID capsman and caps not in the same subnet

Re: Multiple SSID capsman and caps not in the same subnet

Re: Multiple SSID capsman and caps not in the same subnet