silvestr
just joined
Topic Author
Posts: 12
Joined: Sun Aug 06, 2023 2:56 pm

Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 3:39 pm

When I provision my radio interfaces to be managed by capsman, Wi-Fi disappears from discovery. And inside interfaces, wifi1 and wifi2 are shown as disabled.
Here is my config:
# 2023-08-06 15:27:04 by RouterOS 7.10.2
# software id = 7SS0-SMSP
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = ************
/interface bridge
add admin-mac=*********** auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 channel
add band=2ghz-ax comment="Config for 2GHz channel" disabled=no name=Channel-2GHz width=20mhz
add band=5ghz-ax comment="Configuration for 5Ghz" disabled=no name=Channel-5Ghz skip-dfs-channels=disabled width=20/40/80mhz
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=******
/interface wifiwave2 configuration
add channel=Channel-5Ghz comment=WiFi-5Ghz country=Ukraine disabled=no manager=capsman-or-local mode=ap name=WiFi-5Ghz security=****** ssid=*****
add channel=Channel-2GHz comment=WiFi-2Ghz country=Ukraine disabled=no manager=capsman-or-local mode=ap name=WiFi-2Ghz security=****** ssid=*****
/interface wifiwave2
# managed by CAPsMAN
set [ find default-name=wifi1 ] configuration=WiFi-5Ghz disabled=no
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration=WiFi-2Ghz disabled=no
/ip pool
add name=ax3-address-pool ranges=192.168.1.10-192.168.1.128
/ip dhcp-server
add address-pool=ax3-address-pool interface=bridge lease-time=10h name=dhcp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2
/ip firewall connection tracking
set enabled=no
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
/interface wifiwave2 cap
set caps-man-addresses=127.0.0.1 certificate=request discovery-interfaces=LAN enabled=yes lock-to-caps-man=yes
/interface wifiwave2 capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=LAN package-path="" require-peer-certificate=yes upgrade-policy=suggest-same-version
/interface wifiwave2 provisioning
add action=create-enabled comment=hap-ax3-WiFi-5Ghz disabled=no master-configuration=App.72-WiFi-5Ghz radio-mac=YY:YY:YY:YY:YY:72 supported-bands=5ghz-ax
add action=create-enabled comment=hap-ax3-WiFi-2Ghz disabled=no master-configuration=App.72-WiFi-2Ghz radio-mac=YY:YY:YY:YY:YY:73
/ip address
add address=192.168.1.2/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=8.8.8.8,1.1.1.1,9.9.9.9,192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,9.9.9.9,192.168.1.1
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
add comment="Route to main router" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src="" routing-table=main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMPv6" disabled=yes protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" disabled=yes port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." disabled=yes dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" disabled=yes dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" disabled=yes protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" disabled=yes protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" disabled=yes src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" disabled=yes dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" disabled=yes hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" disabled=yes protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" disabled=yes protocol=139
add action=accept chain=forward comment="defconf: accept IKE" disabled=yes dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" disabled=yes protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" disabled=yes protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Kyiv
/system identity
set name="********"
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/system routerboard mode-button
set enabled=yes hold-time=0s..20s on-event="/system/script/run leds-toggle-mode;"
/system routerboard reset-button
set hold-time=0s..20s
/system scheduler
add interval=1d name=leds-day-mode on-event="/system/script/run leds-day-mode;" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2023-08-02 start-time=07:00:00
add interval=1d name=leds-night-mode on-event="/system/script/run leds-night-mode;" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2023-08-02 start-time=22:00:00
/system script
add dont-require-permissions=no name=leds-day-mode owner=silvestr policy=read,write source="/system/leds/settings/set all-leds-off=never;"
add dont-require-permissions=no name=leds-night-mode owner=silvestr policy=read,write source="/system/leds/settings/set all-leds-off=immediate;"
add dont-require-permissions=no name=leds-toggle-mode owner=silvestr policy=read,write source=\
    ":if ([ /system/leds/settings/get all-leds-off ] = \"never\") do={\
    \n  /system/leds/settings/set all-leds-off=immediate;\
    \n} else={\
    \n  /system/leds/settings/set all-leds-off=never;\
    \n}"
/tool bandwidth-server
set authenticate=no enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by silvestr on Sun Aug 06, 2023 9:02 pm, edited 2 times in total.
 
holvoetn
Forum Guru
Posts: 6768
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 3:56 pm

You seem to be missing a rule to accept 127.0.0.1 in your firewall for input.
 
silvestr
just joined
Topic Author
Posts: 12
Joined: Sun Aug 06, 2023 2:56 pm

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 4:01 pm

holvoetn wrote: "You seem to be missing a rule to accept 127.0.0.1 in your firewall for input."

This router works as a switch and doesn't have a firewall at all. As I understand it, I still need this rule for capsman?
 
holvoetn
Forum Guru
Posts: 6768
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 4:08 pm

Then why are there firewall rules in your config?

Edit: I see, only ipv6 rules.

Leave out ip address for capsmanager.
 
silvestr
just joined
Topic Author
Posts: 12
Joined: Sun Aug 06, 2023 2:56 pm

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 4:12 pm

holvoetn wrote: "Then why are there firewall rules in your config? Edit: I see, only ipv6 rules. Leave out ip address for capsmanager."

You mean in IPv4 firewall?
 
holvoetn
Forum Guru
Posts: 6768
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 4:15 pm

Here

/interface wifiwave2 cap
set caps-man-addresses=127.0.0.1 certificate=request discovery-interfaces=LAN enabled=yes lock-to-caps-man=yes

PS: and please don't quote the previous post all the time. It is not needed.
 
silvestr
just joined
Topic Author
Posts: 12
Joined: Sun Aug 06, 2023 2:56 pm

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 4:33 pm

Unfortunately, it doesn't help.
/interface wifiwave2 cap
set certificate=request discovery-interfaces=LAN enabled=yes lock-to-caps-man=yes
 
holvoetn
Forum Guru
Posts: 6768
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 4:48 pm

To rule out some issues ...
Can you set it like this:

/interface wifiwave2 cap
set discovery-interfaces=all enabled=yes

and

/interface wifiwave2 capsman
set enabled=yes interfaces=LAN

Does the log file show some messages related to caps or capsman ?
 
silvestr
just joined
Topic Author
Posts: 12
Joined: Sun Aug 06, 2023 2:56 pm

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 4:58 pm

I changed the discovery interface as you said, but no effect.
[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/capsman print 
                   enabled: yes
                interfaces: LAN
            ca-certificate: auto
               certificate: auto
  require-peer-certificate: yes
              package-path: 
            upgrade-policy: suggest-same-version
[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/cap print     
                      enabled: yes
         discovery-interfaces: all
                  certificate: request
             lock-to-caps-man: yes
Also here are logs
Last edited by silvestr on Sun Aug 06, 2023 8:56 pm, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 6768
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 5:06 pm

Your device is used as switch/access point ?
Then why is there a DHCP server and pool connected to bridge ?

You are certain those provisioning rules correspond to the radio MAC addresses (can be checked in Winbox/webfig via Wireless/Radios) ?

Question ...
If this is your only access point, why make your life so difficult and use capsman ?
But that doesn't change the fact it should work ... probably something stupid but I don't see it either.
 
silvestr
just joined
Topic Author
Posts: 12
Joined: Sun Aug 06, 2023 2:56 pm

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 5:12 pm

1. Yes as switch/access point.
2. I want to unload the main hex router that has a firewall there and works as a main entry point.
3.
[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/provisioning print 
Columns: RADIO-MAC, ACTION, MASTER-CONFIGURATION
# RADIO-MAC          ACTION          MASTER-CONFIGURATION
;;; hap-ax3-WiFi-5Ghz
0 YY:YY:YY:YY:YY:72  create-enabled  App.72-WiFi-5Ghz    
;;; hap-ax3-WiFi-2Ghz
1 YY:YY:YY:YY:YY:73  create-enabled  App.72-WiFi-2Ghz    
[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/radio print        
Flags: L - LOCAL
Columns: CAP, RADIO-MAC, INTERFACE
#   CAP                            RADIO-MAC          INTERFACE
0 L                                YY:YY:YY:YY:YY:72  wifi1    
1 L                                YY:YY:YY:YY:YY:73  wifi2    
2   MikroTik(hAP ax3)@192.168.1.2  YY:YY:YY:YY:YY:72           
3   MikroTik(hAP ax3)@192.168.1.2  YY:YY:YY:YY:YY:73 
4. I have one main router, a hex; it works as an entry point. And two APs, hap hex Lite (still shipping to me) and hap ax3. Ax3 is a powerful device, so I want DHCP and capsman located there.
Last edited by silvestr on Sun Aug 06, 2023 8:57 pm, edited 1 time in total.
 
holvoetn
Forum Guru
Posts: 6768
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 5:16 pm

Can you also show interface/wifiwave2/print ?
 
silvestr
just joined
Topic Author
Posts: 12
Joined: Sun Aug 06, 2023 2:56 pm

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 5:18 pm

[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/print 
Flags: M - MASTER; B - BOUND; I, R - RUNNING
Columns: NAME
#     NAME 
;;; managed by CAPsMAN
0 MBI wifi1
;;; managed by CAPsMAN
1 MBI wifi2
 
holvoetn
Forum Guru
Posts: 6768
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 5:20 pm

There is something invalid, the provisioning is not being done.
 
silvestr
just joined
Topic Author
Posts: 12
Joined: Sun Aug 06, 2023 2:56 pm

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 5:36 pm

[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/configuration print 
Flags: X - disabled 
 0   ;;; WiFi-5Ghz
     name="App.72-WiFi-5Ghz" mode=ap ssid="*******" country=Ukraine manager=capsman-or-local security=******* channel=Channel-5Ghz 

 1   ;;; WiFi-2Ghz
     name="App.72-WiFi-2Ghz" mode=ap ssid="*******" country=Ukraine manager=capsman-or-local security=******* channel=Channel-2GHz 
[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/channel print       
Flags: X - disabled 
 0   ;;; Config for 2GHz channel
     name="Channel-2GHz" band=2ghz-ax width=20mhz 

 1   ;;; Configuration for 5Ghz
     name="Channel-5Ghz" band=5ghz-ax width=20/40/80mhz skip-dfs-channels=disabled 
[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/se            
security     set   
[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/security print 
Flags: X - disabled 
 0   name="*******" authentication-types=wpa2-psk,wpa3-psk passphrase="********************" 
[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/provisioning print 
Columns: RADIO-MAC, ACTION, MASTER-CONFIGURATION
# RADIO-MAC          ACTION          MASTER-CONFIGURATION
;;; hap-ax3-WiFi-5Ghz
0 YY:YY:YY:YY:YY:72  create-enabled  App.72-WiFi-5Ghz    
;;; hap-ax3-WiFi-2Ghz
1 YY:YY:YY:YY:YY:73  create-enabled  App.72-WiFi-2Ghz 
Last edited by silvestr on Sun Aug 06, 2023 9:12 pm, edited 2 times in total.
 
Joe1vm
newbie
Posts: 28
Joined: Sat Apr 06, 2013 4:07 pm

Re: Capsman in wifiwave2 don't provision correctly.  [SOLVED]

Sun Aug 06, 2023 7:07 pm

Hi, it has been discussed here multiple times. Capsman in wifiwave2 does not control/provision its own wifi interfaces.
But you can use the same configuration, security, ... and set up the WIFI interfaces manually.
It will work correctly as soon as all settings are the same as passed to remote CAPs via provisioning.
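
The setup described in the post above, written out as an added example (not part of the original thread and not MikroTik's own configuration). It assumes the profile names App.72-WiFi-5Ghz and App.72-WiFi-2Ghz from the poster's later print output; the band-based provisioning rules for remote CAPs are an assumption.

```routeros
# Added example: run on the device that hosts CAPsMAN (the hAP ax3 in this thread).

# 1. The controller does not act as a CAP toward itself.
/interface wifiwave2 cap
set enabled=no

# 2. Local radios take the same configuration profiles directly.
#    configuration.manager=local overrides manager=capsman-or-local from the
#    profile, so the local radios never wait for a CAPsMAN.
/interface wifiwave2
set [ find default-name=wifi1 ] configuration=App.72-WiFi-5Ghz configuration.manager=local disabled=no
set [ find default-name=wifi2 ] configuration=App.72-WiFi-2Ghz configuration.manager=local disabled=no

# 3. CAPsMAN stays enabled so remote CAPs can still join.
/interface wifiwave2 capsman
set enabled=yes interfaces=LAN

# 4. Provisioning rules hand the same profiles to remote CAPs.
#    Matching on band (assumption) instead of the local radio MACs, since the
#    local radios are no longer provisioned through CAPsMAN.
/interface wifiwave2 provisioning
add action=create-enabled master-configuration=App.72-WiFi-5Ghz supported-bands=5ghz-ax
add action=create-enabled master-configuration=App.72-WiFi-2Ghz supported-bands=2ghz-ax

# 5. Check: wifi1/wifi2 should no longer carry the "managed by CAPsMAN"
#    comment or the I (inactive) flag.
/interface wifiwave2 print
```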
 
silvestr
just joined
Topic Author
Posts: 12
Joined: Sun Aug 06, 2023 2:56 pm

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 7:11 pm

Oh, I didn't know that, sorry for the dumb questions. Unfortunately, I couldn't google this info before.

Could you please point out where in the documentation this is described?
 
Joe1vm
newbie
Posts: 28
Joined: Sat Apr 06, 2013 4:07 pm

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 7:35 pm

It is a good question and to be honest, I do not know. I learnt it from the Mikrotik feedback provided by some mates here in the forum.
 
silvestr
just joined
Topic Author
Posts: 12
Joined: Sun Aug 06, 2023 2:56 pm

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 7:41 pm

Yeah, because for me it's not an obvious thing, especially if a video on YouTube about old capsman tells you that you need to enable cap on your device.
 
holvoetn
Forum Guru
Posts: 6768
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Capsman in wifiwave2 don't provision correctly.

Sun Aug 06, 2023 9:27 pm

Recently I saw a post where it was indicated it IS possible now.
 
holvoetn
Forum Guru
Posts: 6768
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Capsman in wifiwave2 don't provision correctly.

Mon Aug 07, 2023 6:32 am

silvestr
Did you already re-provision those radios with all latest changes ?
Go to tab radio, select radio and hit button "provision"
 
silvestr
just joined
Topic Author
Posts: 12
Joined: Sun Aug 06, 2023 2:56 pm

Re: Capsman in wifiwave2 don't provision correctly.

Mon Aug 07, 2023 8:58 am

I am still experimenting, but as was said above, capsman works only on remote cap. On the remote cap, you need to manually set the manager to capsman or local. In that case, the remote cap will be managed by a capsman.
 
cmassey
just joined
Posts: 20
Joined: Fri Nov 08, 2019 8:06 am

Re: Capsman in wifiwave2 don't provision correctly.

Tue Aug 08, 2023 10:32 pm

For an unfortunate update, I just checked with Mikrotik Support and they say capsman will still not manage the local interfaces. I asked if they plan on fixing that and haven't gotten a response yet.

Old capsman didn't really have roaming though, right? My assumption is that using capsman for remote caps and just provisioning the local interface is basically the same as old capsman because it's just configuring interfaces the same way. The drawback is that we wouldn't get to use the new roaming feature in wifiwave2.

Am I correct or are there other drawbacks to needing to configure things this way?
 
holvoetn
Forum Guru
Posts: 6768
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Capsman in wifiwave2 don't provision correctly.

Tue Aug 08, 2023 11:13 pm

Wifiwave2 capsman roaming only works on radios controlled by the same ROS instance.
So remote caps radios and local radios on the controller are being controlled by the same instance.
Their roaming will work.
 
cmassey
just joined
Posts: 20
Joined: Fri Nov 08, 2019 8:06 am

Re: Capsman in wifiwave2 don't provision correctly.

Wed Aug 09, 2023 8:19 pm

Strange, Mikrotik support said this:
Controller can not control local interfaces via CAPsMAN - yes, only remote cAP control is possible.
Local interfaces, will not be the part of cAP network, and will not participate in the roaming between the APs.
 
holvoetn
Forum Guru
Posts: 6768
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Capsman in wifiwave2 don't provision correctly.

Wed Aug 09, 2023 8:36 pm

I didn't say the local radio is controlled by capsman because as it seems, that can not be done.
I said the roaming part will be covered across capsman radios AND local radios IF the local radio is part of the same device which acts as controller.
That's the same instance of ROS.

See this thread:
viewtopic.php?t=194778
 
cmassey
just joined
Posts: 20
Joined: Fri Nov 08, 2019 8:06 am

Re: Capsman in wifiwave2 don't provision correctly.

Wed Aug 09, 2023 9:08 pm

In the second sentence he literally says that the local interfaces will not participate in roaming. For context, I was asking about having 1 ax2 as the main router and having another ax2 being a cap.

That's fine though, roaming working across APs managed by the same instance of RouterOS is great news.


That being said, it seems like it doesn't matter at all that local interfaces can't be configured using capsman? I just need to tell the local interfaces to provision.
 
holvoetn
Forum Guru
Posts: 6768
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Capsman in wifiwave2 don't provision correctly.

Wed Aug 09, 2023 9:11 pm

That's how it should work, yes.
And since capsman and wifiwave2 are so intertwined, the config for capsman is close to identical for a local interface.
Just make sure on tab ft (config, security, ...) these settings are active:
FT Enabled
FT over DS
