yosue111
just joined
Topic Author
Posts: 16
Joined: Mon Apr 08, 2024 9:26 am

Cannot create a guests Wi-Fi network.

Mon Apr 08, 2024 9:44 am

Hello, I need help because in my company we need a guests Wi-Fi, but I never used WinBox and they assigned this task because they also don't know what happens and I decided to post here because I guess it will help.

The problem is that we've got our network, all its interfaces are in a bridge, and now we created a new bridge to create a virtual Wi-Fi with a different subnet on it to create there a guests network so they cannot see the IPs on our network and they only can access Internet, but I cannot access Internet from that subnet. The router is configured with CAPsMAN, I configured a new address that I want it to be the gateway (192.168.99.1) in the menu "addresses", a new route that goes to 0.0.0.0 from my gateway, a nat rule for the subnet 192.168.99.0 and the network with CAPsMAN to be a slave from our 2.4Ghz Wi-Fi. With all that configuration I cannot access Internet from that subnet and the Wi-Fi point appears but devices don't connect when DHCP is activated.

I don't know if something is missing or it's configured in a bad way, I need help on this because I don't have so much idea of how this software works.
Thank you for your attention and I hope this problem is soon solved.
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cannot create a guests Wi-Fi network.

Mon Apr 08, 2024 3:35 pm

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )
 
yosue111
just joined
Topic Author
Posts: 16
Joined: Mon Apr 08, 2024 9:26 am

Re: Cannot create a guests Wi-Fi network.

Tue Apr 09, 2024 10:50 am

# apr/09/2024 09:46:07 by RouterOS 6.49.10
# software id = IJH1-AHYL
#
# model = RBD52G-5HacD2HnD
# serial number = ***
/caps-man channel
add band=2ghz-b/g/n extension-channel=XX name="2.4Ghz (FA)"
add band=5ghz-a/n/ac extension-channel=XXXX name="5Ghz (FA)"
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=LOCAL
add client-to-client-forwarding=yes local-forwarding=yes name=GUEST
/interface bridge
add name=bridge_guest
add name=bridge_spa
/interface wireless
# managed by CAPsMAN
# channel: 2447/20-eC/gn(27dBm), SSID: SPA_WIFI, local forwarding
set [ find default-name=wlan1 ] country=spain disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5540/20-eeCe/ac/DP(24dBm), SSID: SPA_WIFI, local forwarding
set [ find default-name=wlan2 ] country=spain disabled=no ssid=MikroTik
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=spa_wifi \
    passphrase=***
add authentication-types=wpa2-psk encryption=aes-ccm name=spa_guest \
    passphrase=***
/caps-man configuration
add channel="2.4Ghz (FA)" datapath=LOCAL hw-retries=4 multicast-helper=full \
    name="2.4Ghz (FA)" security=spa_wifi ssid=SPA_WIFI
add channel="5Ghz (FA)" datapath=LOCAL hw-retries=4 multicast-helper=full \
    name="5Ghz (FA)" security=spa_wifi ssid=SPA_WIFI
add channel="2.4Ghz (FA)" datapath=GUEST datapath.bridge=bridge_guest mode=ap \
    name=Guest_2.4Ghz security=spa_guest ssid=SPA_GUEST
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.99.3-192.168.99.10
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge_guest lease-time=\
    1d10m name=dhcp1
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes hw-supported-modes=b,g,gn \
    master-configuration="2.4Ghz (FA)" name-format=identity
add action=create-dynamic-enabled hw-supported-modes=b,g,gn \
    master-configuration="2.4Ghz (FA)" name-format=identity \
    slave-configurations=Guest_2.4Ghz
add action=create-dynamic-enabled hw-supported-modes=a,an,ac \
    master-configuration="5Ghz (FA)" name-format=identity
/interface bridge port
add bridge=bridge_spa interface=ether5
add bridge=bridge_spa interface=ether1
add bridge=bridge_spa interface=ether2
add bridge=bridge_spa interface=ether3
add bridge=bridge_spa interface=ether4
/interface wireless cap
# 
set bridge=bridge_spa discovery-interfaces=bridge_spa,bridge_guest enabled=\
    yes interfaces=wlan1,wlan2
/ip address
add address=192.168.101.195/24 interface=bridge_spa network=192.168.101.0
add address=192.168.99.2/24 interface=bridge_guest network=192.168.99.0
add address=192.168.99.3/24 interface=bridge_guest network=192.168.99.0
add address=192.168.99.1/24 interface=bridge_guest network=192.168.99.0
/ip dhcp-client
add disabled=no interface=bridge_spa
/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set servers=192.168.101.1,8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=forward disabled=yes dst-address=192.168.101.0/24 \
    out-interface=bridge_spa src-address=192.168.99.0/24
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0 out-interface=\
    bridge_spa src-address=192.168.101.0/24
add action=accept chain=srcnat dst-address=192.168.101.0/24 out-interface=\
    bridge_spa src-address=192.168.99.0/24
/ip route
add disabled=yes distance=1 gateway=192.168.99.1
add distance=1 dst-address=192.168.99.0/24 gateway=192.168.101.5
add disabled=yes distance=1 dst-address=192.168.99.0/24 gateway=192.168.99.1
add check-gateway=ping distance=1 dst-address=192.168.99.0/32 gateway=\
    192.168.99.1
add distance=1 dst-address=192.168.101.5/32 gateway=192.168.101.1
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=SPA_WADMIN
 
llamajaja
Member Candidate
Posts: 275
Joined: Sat Sep 30, 2023 3:11 pm

Re: Cannot create a guests Wi-Fi network.

Tue Apr 09, 2024 9:06 pm

Sorry not familiar with capsman, and not sure why needed with single device??
otherwise it's too easy to setup a vlan ( transparent ) for the current LAN and a new one for guests, attached to the WLAN.......
 
UkRainUa
newbie
Posts: 43
Joined: Sun Mar 10, 2024 3:10 am

Re: Cannot create a guests Wi-Fi network.

Wed Apr 10, 2024 12:47 am

Hello, I need help because in my company we need a guests Wi-Fi, but I never used WinBox and they assigned this task because they also don't know what happens and I decided to post here because I guess it will help.
A good security practice is to separate management and user data traffic. Therefore, it is recommended that when you configure VLANs, you use VLAN 1 for management purposes only (VLAN Best Practices and Security Tips for Cisco Business Routers)
So, you have default "VLAN1" - for management purposes only, and you need "VLAN10" for spa and "VLAN20" for guests.
Regardless of whether you need a capsman, you need a vlan first :)
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cannot create a guests Wi-Fi network.

Wed Apr 10, 2024 1:20 am

You have got to be kidding!!

DO NOT Use VLAN1 for management, it's already in use in the background by RoS.
Use any other vlan for management and data.
example..
viewtopic.php?t=143620
 
yosue111
just joined
Topic Author
Posts: 16
Joined: Mon Apr 08, 2024 9:26 am

Re: Cannot create a guests Wi-Fi network.

Wed Apr 10, 2024 9:08 am

Ok, I've got a few questions:
1. Should I create another bridge for the datapath or something like that or I have to make it all in a single bridge?
2. Then should I just create a VLAN, and if it's like that, how do I assign the virtual WLAN to that VLAN?

Consider that I want to create a guest network in network 99 and not on the same local network, which is 101.
And please if you could explain me how that structure works patiently I would be grateful, cause I'm new at this and I don't know how it works at all.
Last edited by yosue111 on Wed Apr 10, 2024 2:12 pm, edited 2 times in total.
 
UkRainUa
newbie
Posts: 43
Joined: Sun Mar 10, 2024 3:10 am

Re: Cannot create a guests Wi-Fi network.

Wed Apr 10, 2024 11:37 am

You have got to be kidding!!

DO NOT Use VLAN1 for management, it's already in use in the background by RoS.
Use any other vlan for management and data.
example..
viewtopic.php?t=143620
Sorry, of course VLAN 0, thank you.
(MikroTik uses VLAN 0. If you try to create a VLAN 1 scenario with MikroTik, and expecting tagged frames, it will be incompatible with other vendors who default VLAN 1 as untagged)
I meant:
"So, you have default VLAN 0 as untagged - for management purposes only, and you need "VLAN10" for spa and "VLAN20" for guests."
 
tangent
Forum Guru
Posts: 1691
Joined: Thu Jul 01, 2021 3:15 pm

Re: Cannot create a guests Wi-Fi network.

Wed Apr 10, 2024 3:00 pm

If the OP was already using VLANs, putting the guest WiFi on another one would be perfectly justified.

Converting this configuration to VLANs for that single purpose, however, is not. You do not need VLANs to have an isolated guest WiFi network.
 
llamajaja
Member Candidate
Posts: 275
Joined: Sat Sep 30, 2023 3:11 pm

Re: Cannot create a guests Wi-Fi network.

Wed Apr 10, 2024 3:56 pm

Concur tangent, I could post a working config for either option in minutes, except he is using capsman which I don't touch with a 10 foot pole. One of these years will have to bite the bullet.
 
UkRainUa
newbie
Posts: 43
Joined: Sun Mar 10, 2024 3:10 am

Re: Cannot create a guests Wi-Fi network.

Wed Apr 10, 2024 8:42 pm

If the OP was already using VLANs, putting the guest WiFi on another one would be perfectly justified.

Converting this configuration to VLANs for that single purpose, however, is not. You do not need VLANs to have an isolated guest WiFi network.
"typical home LAN case, where you have a lone Internet gateway that is also providing this guest WiFi service"

Another way without vlans but with a guest bridge is simply using a bridge filter.
Guest bridge way - it's a simple and clear settings for guest dhcp server, guest bridge queue etc.
Use same SSID on 2,4 and 5GHz to make handover faster/seamless and both interfaces being in the same bridge.

Usually even a small business has several network devices, in addition to guest wifi, video surveillance, etc.
If today there is a need for one access point, then tomorrow there will be two... and very soon it will be easier to understand vlans once in a lifetime ))
 
llamajaja
Member Candidate
Posts: 275
Joined: Sat Sep 30, 2023 3:11 pm

Re: Cannot create a guests Wi-Fi network.

Wed Apr 10, 2024 9:02 pm

Without diagram all is a bit weird.
Is this acting as a router as well, and if so where is the WAN information
( which port, static IP or dynamic IP, from ISP or private IP from ISP router/modem )?
 
yosue111
just joined
Topic Author
Posts: 16
Joined: Mon Apr 08, 2024 9:26 am

Re: Cannot create a guests Wi-Fi network.

Fri Apr 12, 2024 3:11 pm

Ok, I've got a few questions:
1. Should I create another bridge for the datapath or something like that or I have to make it all in a single bridge?
2. Then should I just create a VLAN, and if it's like that, how do I assign the virtual WLAN to that VLAN?

Consider that I want to create a guest network in network 99 and not on the same local network, which is 101.
And please if you could explain me how that structure works patiently I would be grateful, cause I'm new at this and I don't know how it works at all.
Please I need an answer guys I need you.🥺
 
tangent
Forum Guru
Posts: 1691
Joined: Thu Jul 01, 2021 3:15 pm

Re: Cannot create a guests Wi-Fi network.

Fri Apr 12, 2024 3:23 pm

Please I need an answer guys I need you.🥺

The article I linked you to above gives two different solutions. What was wrong with them?
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cannot create a guests Wi-Fi network.

Fri Apr 12, 2024 3:34 pm

You didn't answer any of llamajaja's questions, so if you want help.............
 
yosue111
just joined
Topic Author
Posts: 16
Joined: Mon Apr 08, 2024 9:26 am

Re: Cannot create a guests Wi-Fi network.

Fri Apr 12, 2024 3:41 pm

If the OP was already using VLANs, putting the guest WiFi on another one would be perfectly justified.

Converting this configuration to VLANs for that single purpose, however, is not. You do not need VLANs to have an isolated guest WiFi network.
You mean this one? This one doesn't teach how to do it with CAPsMAN so it doesn't work for me.
 
yosue111
just joined
Topic Author
Posts: 16
Joined: Mon Apr 08, 2024 9:26 am

Re: Cannot create a guests Wi-Fi network.

Fri Apr 12, 2024 3:57 pm

llamajaja, I use CAPsMAN because in my company we've got 4 devices to distribute the Wi-Fi and this one is working as a master, but not router. The only thing I wanna know is if I have to create another bridge or I have to make it in the same. I tried to do it both and still not connecting when you want to connect to the virtual wlan. I don't know what more to do and I'm lost. I also tried to use VLANs but I don't know how to assign it to the virtual guests WLAN and also I don't know in what interface do I have to add it.
 
tangent
Forum Guru
Posts: 1691
Joined: Thu Jul 01, 2021 3:15 pm

Re: Cannot create a guests Wi-Fi network.

Fri Apr 12, 2024 4:07 pm

This one doesn't teach how to do it with CAPsMAN so it doesn't work for me.

One of the things that CAPsMAN does is create a single virtual bridge among all the WiFi routers under its control. I've never used CAPsMAN, but doesn't that mean the bridge filtering option at the end of that article would apply?
 
UkRainUa
newbie
Posts: 43
Joined: Sun Mar 10, 2024 3:10 am

Re: Cannot create a guests Wi-Fi network.

Fri Apr 12, 2024 11:44 pm

llamajaja, I use CAPsMAN because in my company we've got 4 devices to distribute the Wi-Fi and this one is working as a master, but not router. The only thing I wanna know is if I have to create another bridge
Yes. It's a simple way - guest bridge, guest DHCP etc... in guest VLAN

https://help.mikrotik.com/docs/display/ROS/WiFi

CAPsMAN - CAP VLAN configuration example:
In this example, we will assign VLAN10 to our main SSID, and will add VLAN20 for the guest network, ether5 from CAPsMAN is connected to CAP.

CAPs using "wifi-qcom" package can get "vlan-id" via Datapath from CAPsMAN, CAPs using "wifi-qcom-ac" package will need to use the configuration provided at the end of this example.

CAPsMAN:
/interface bridge
add name=br vlan-filtering=yes
/interface vlan
add interface=br name=MAIN vlan-id=10
add interface=br name=GUEST vlan-id=20
/interface wifi datapath
add bridge=br name=MAIN vlan-id=10
add bridge=br name=GUEST vlan-id=20
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk ft=yes ft-over-ds=yes name=Security_MAIN passphrase=HaveAg00dDay
add authentication-types=wpa2-psk,wpa3-psk ft=yes ft-over-ds=yes name=Security_GUEST passphrase=HaveAg00dDay
/interface wifi configuration
add datapath=MAIN name=MAIN security=Security_MAIN ssid=MAIN_Network
add datapath=GUEST name=GUEST security=Security_GUEST ssid=GUEST_Network
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool2 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=yes interface=br name=dhcp1
add address-pool=dhcp_pool1 interface=MAIN name=dhcp2
add address-pool=dhcp_pool2 interface=GUEST name=dhcp3
/interface bridge port
add bridge=br interface=ether5
add bridge=br interface=ether4
add bridge=br interface=ether3
add bridge=br interface=ether2
/interface bridge vlan
add bridge=br tagged=br,ether5,ether4,ether3,ether2 vlan-ids=20
add bridge=br tagged=br,ether5,ether4,ether3,ether2 vlan-ids=10
/interface wifi capsman
set enabled=yes interfaces=br
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=MAIN slave-configurations=GUEST supported-bands=5ghz-ax
add action=create-dynamic-enabled master-configuration=MAIN slave-configurations=GUEST supported-bands=2ghz-ax
/ip address
add address=192.168.1.1/24 interface=br network=192.168.1.0
add address=192.168.10.1/24 interface=MAIN network=192.168.10.0
add address=192.168.20.1/24 interface=GUEST network=192.168.20.0
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
/system identity
set name=cAP_Controller
CAP using "wifi-qcom" package:
/interface bridge
add name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add interface=bridgeLocal disabled=no
CAP using "wifi-qcom-ac" package:
/interface bridge
add name=bridgeLocal vlan-filtering=yes
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman disabled=no
add disabled=no master-interface=wifi1 name=wifi21
add disabled=no master-interface=wifi2 name=wifi22
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal interface=wifi1 pvid=10
add bridge=bridgeLocal interface=wifi21 pvid=20
add bridge=bridgeLocal interface=wifi2 pvid=10
add bridge=bridgeLocal interface=wifi22 pvid=20
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1 untagged=wifi1,wifi2 vlan-ids=10
add bridge=bridgeLocal tagged=ether1 untagged=wifi21,wifi22 vlan-ids=20
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-static=yes
Additionally, the configuration below has to be added to the CAPsMAN configuration:

/interface wifi datapath
add bridge=br name=DP_AC
/interface wifi configuration
add datapath=DP_AC name=MAIN_AC security=Security_MAIN ssid=MAIN_Network
add datapath=DP_AC name=GUEST_AC security=Security_GUEST ssid=GUEST_Network
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=MAIN_AC slave-configurations=GUEST_AC supported-bands=5ghz-ac
add action=create-dynamic-enabled master-configuration=MAIN_AC slave-configurations=GUEST_AC supported-bands=2ghz-n

What's wrong with this for you?
 
yosue111
just joined
Topic Author
Posts: 16
Joined: Mon Apr 08, 2024 9:26 am

Re: Cannot create a guests Wi-Fi network.

Mon Apr 15, 2024 9:24 am

I'll try with this.
 
yosue111
just joined
Topic Author
Posts: 16
Joined: Mon Apr 08, 2024 9:26 am

Re: Cannot create a guests Wi-Fi network.

Mon Apr 15, 2024 2:36 pm

When I activate VLAN filter I lose access to my Mikrotik device (It's an HAP ac2 btw). I had to reset it and backup. DHCP also doesn't work and I just noticed, I'm lost and this is giving me headache.
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cannot create a guests Wi-Fi network.

Mon Apr 15, 2024 3:22 pm

To configure without headache do the following. (temporary)

Take ether5 off the bridge ( so not identified on /interface bridge ports or /interface bridge vlans )
Give ether5 its own IP address like 192.168.55.1/24
Change IPV4 settings on desktop or laptop and give it an IP address of 192.168.55.5 for example.
You can now config the router safe from any bridge vlan changes by plugging into ether5
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 
yosue111
just joined
Topic Author
Posts: 16
Joined: Mon Apr 08, 2024 9:26 am

Re: Cannot create a guests Wi-Fi network.

Mon Apr 15, 2024 4:01 pm

To configure without headache do the following. (temporary)

Take ether5 off the bridge ( so not identified on /interface bridge ports or /interface bridge vlans )
Give ether5 its own IP address like 192.168.55.1/24
Change IPV4 settings on desktop or laptop and give it an IP address of 192.168.55.5 for example.
You can now config the router safe from any bridge vlan changes by plugging into ether5
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Ether5 is where I receive Internet, I tried to disconnect it from the bridge and had to reset again. You mean as a port of the bridge or as a subinterface? Because as a subinterface doesn't let me do it and as a port just told you what happened before.
 
anav
Forum Guru
Posts: 23393
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Cannot create a guests Wi-Fi network.

Mon Apr 15, 2024 4:28 pm

Sorry didn't realize ether5 was internet, let me rephrase...... Take any one ethernet port ( not WAN ) that you can temporarily modify ( ether1,2,3,4 ??? ) off the bridge.

So why was ether5 on your bridge ports then if it was the WAN ?????
 
yosue111
just joined
Topic Author
Posts: 16
Joined: Mon Apr 08, 2024 9:26 am

Re: Cannot create a guests Wi-Fi network.

Tue Apr 16, 2024 9:13 am

But the other ports are not connected physically to the network, does that matter? Anyway, I'm gonna try. I guess the "Internet port" should be ether1 but in my company they have connected it to ether5 and in defconf, this ether5 comes connected to bridgelocal and if you disconnect it you lose access to the device and have to reset it.
 
tangent
Forum Guru
Posts: 1691
Joined: Thu Jul 01, 2021 3:15 pm

Re: Cannot create a guests Wi-Fi network.

Tue Apr 16, 2024 9:36 am

> But the other ports are not connected physically to the network, does that matter?

There are control freaks here who think you should have to go into the router/switch configuration to explicitly enable the port when plugging a new device in. Me, I just bridge all the LAN-side ports and be done with it. Decide which kind of network admin you are, and do it that way.

The real point here is that for normal use, you should never bridge the WAN port to the LAN. That bypasses the firewall and NAT layers!

The only exception I can think of is that you're running an old-school direct-Internet-access service straight out of the late 1980s, as when you're distributing a public AS block in an ISP, or you're doing IPv6-only, or similar.

> I guess the "Internet port" should be ether1 but in my company they have connected it to ether5

That's perfectly fine. I do the same thing on my hAP ax³ here because of the MT engineers' questionable design decision to make ether1 the device's sole PoE port. My cable modem neither provides nor consumes PoE, and so with this righteous justification, I moved the WAN port to the other end of the device. 🤓

I don't use PoE on that device today, but I now have that option without reconfiguring my Internet gateway first.

RouterOS is uncommonly flexible. Your job as admin is to tell it what you want it to do, not the other way around.
 
yosue111
just joined
Topic Author
Posts: 16
Joined: Mon Apr 08, 2024 9:26 am

Re: Cannot create a guests Wi-Fi network.

Tue Apr 16, 2024 9:50 am

Then changing ether1 to be the Internet port should be all? That makes sense because that way I could activate the VLAN filtering in the bridge and make VLANs to create the network 99 (guests network). Thank you, I'll try. Please, if I'm wrong or something is missing, I would be grateful if you let me know. Thank you tangent for the explanation.
Last edited by yosue111 on Tue Apr 16, 2024 9:52 am, edited 1 time in total.
 
yosue111
just joined
Topic Author
Posts: 16
Joined: Mon Apr 08, 2024 9:26 am

Re: Cannot create a guests Wi-Fi network.

Tue Apr 16, 2024 10:33 am

I just tried and can't make a connection with any other port that is out of the local bridge, don't know why. I'm gonna try to make the WLANs run in another bridge apart from the local one. Should I connect ether1 to the local bridge and connect to the bridge through it, or do I just keep connecting to the bridge with ether5?
 
yosue111
just joined
Topic Author
Posts: 16
Joined: Mon Apr 08, 2024 9:26 am

Re: Cannot create a guests Wi-Fi network.

Tue Apr 16, 2024 3:56 pm

I read this post viewtopic.php?t=201744 that says that if you create a VLAN on the ether port that is connected to your MikroTik device and you attach it as a port in the guests bridge it should work, but it doesn't for me. Is that well configured or not? Another point is that my DHCP doesn't work properly: it is not assigning the IPs well and devices don't appear in leases. When I connect to my guests Wi-Fi it gives me IPs from the local bridge and not even in the range of the local Wi-Fi DHCP. I need help.
# apr/16/2024 14:54:48 by RouterOS 6.49.10
# software id = IJH1-AHYL
#
# model = RBD52G-5HacD2HnD
# serial number = D7160D7D1923
/caps-man channel
add band=2ghz-b/g/n extension-channel=XX name="2.4Ghz(FA)"
add band=5ghz-a/n/ac extension-channel=XXXX name="5Ghz(FA)"
/interface bridge
add name=bridge_guest
add admin-mac=08:55:31:77:CF:07 auto-mac=no name=bridge_spa
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-77CF0B wireless-protocol=802.11
# managed by CAPsMAN
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-77CF0C wireless-protocol=802.11
/interface vlan
add interface=ether5 name=vlan_guest vlan-id=10
/caps-man datapath
add bridge=bridge_spa client-to-client-forwarding=yes local-forwarding=yes \
    name=SPA_WIFI
add bridge=bridge_guest client-to-client-forwarding=yes local-forwarding=yes \
    name=SPA_GUEST
/caps-man security
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=no encryption=aes-ccm \
    group-encryption=aes-ccm name=SPA_WIFI
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm group-key-update=10m name=SPA-GUEST
/caps-man configuration
add channel="2.4Ghz(FA)" channel.skip-dfs-channels=yes country=spain \
    datapath=SPA_WIFI datapath.bridge=bridge_spa hw-retries=4 mode=ap \
    multicast-helper=full name=SPA_WIFI_2.4GHz security=SPA_WIFI ssid=\
    SPA_WIFI
add channel="5Ghz(FA)" channel.skip-dfs-channels=yes country=spain datapath=\
    SPA_WIFI datapath.bridge=bridge_spa guard-interval=any hw-retries=4 mode=\
    ap multicast-helper=full name=SPA_WIFI_5GHz security=SPA_WIFI ssid=\
    SPA_WIFI
add channel="2.4Ghz(FA)" channel.skip-dfs-channels=yes country=spain \
    datapath=SPA_GUEST hw-retries=4 mode=ap multicast-helper=full name=\
    SPA_GUEST security=SPA-GUEST ssid=SPA_GUEST
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool0 ranges=192.168.101.80-192.168.101.99
add name=dhcp_pool1 ranges=192.168.99.2-192.168.99.15
/ip dhcp-server
add address-pool=pool0 disabled=no interface=bridge_spa name=SPA_WIFI
add address-pool=dhcp_pool1 disabled=no interface=bridge_guest name=SPA_GUEST
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge_spa
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=b,g,gn \
    master-configuration=SPA_WIFI_2.4GHz name-format=identity \
    slave-configurations=SPA_GUEST
add action=create-dynamic-enabled hw-supported-modes=a,an,ac \
    master-configuration=SPA_WIFI_5GHz name-format=identity
/interface bridge port
add bridge=bridge_spa interface=ether2
add bridge=bridge_spa interface=ether3
add bridge=bridge_spa interface=ether4
add bridge=bridge_spa interface=ether5
add bridge=bridge_spa interface=wlan1
add bridge=bridge_spa interface=wlan2
add bridge=bridge_guest interface=vlan_guest
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge_spa list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless cap
# 
set bridge=bridge_spa discovery-interfaces=bridge_spa enabled=yes interfaces=\
    wlan1,wlan2
/ip address
add address=192.168.101.195/24 interface=bridge_spa network=192.168.101.0
add address=192.168.99.1/24 interface=bridge_guest network=192.168.99.0
/ip dhcp-client
add disabled=no interface=bridge_spa
/ip dhcp-server network
add address=192.168.99.0/24 dns-server=8.8.8.8,8.8.4.4,1.1.1.1 gateway=\
    192.168.99.1
add address=192.168.101.0/24 dns-server=192.168.101.1 gateway=192.168.101.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" in-interface-list=WAN \
    src-address=192.168.99.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=SPA_WADMIN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
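
tangent's point earlier in the thread, that the WAN port should never be bridged to the LAN because that bypasses the firewall and NAT layers, can be checked mechanically against an export like the one above. The following is an added example, not part of any post in this thread: the sample is a constructed excerpt of the posted export, `parse_export`, `audit_uplink` and the finding codes are hypothetical names, and it assumes ether5 carries the Internet link, as yosue111 stated.

```python
import re
from collections import defaultdict

# Constructed excerpt: only the sections of the posted export that the audit reads.
EXPORT = r'''
/interface vlan
add interface=ether5 name=vlan_guest vlan-id=10
/interface bridge port
add bridge=bridge_spa interface=ether5
add bridge=bridge_guest interface=vlan_guest
/interface list member
add comment=defconf interface=bridge_spa list=LAN
add comment=defconf interface=ether1 list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
'''

def parse_export(text):
    """Map each /section to a list of {key: value} dicts, one per add/set line."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    sections, current = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line
        elif current and line.startswith(("add ", "set ")):
            pairs = re.findall(r'([\w.-]+)=("[^"]*"|\S+)', line)
            sections[current].append({k: v.strip('"') for k, v in pairs})
    return sections

def audit_uplink(sections, uplink):
    """Return {finding_code: message} for the port that carries the Internet link."""
    bridged = {p["interface"]: p["bridge"] for p in sections["/interface bridge port"]}
    lists = defaultdict(set)
    for m in sections["/interface list member"]:
        lists[m["list"]].add(m["interface"])
    nat = [r for r in sections["/ip firewall nat"] if r.get("out-interface-list") == "WAN"]
    out = {}
    if uplink in bridged:
        out["wan-bridged"] = f"{uplink} is a port of {bridged[uplink]}"
    if bridged.get(uplink) in lists["LAN"]:
        out["wan-in-lan"] = f"{bridged[uplink]} is in list LAN, so the uplink counts as LAN"
    if uplink not in lists["WAN"]:
        out["not-in-wan-list"] = (f"{uplink} is not in list WAN {sorted(lists['WAN'])}; "
                                  f"{len(nat)} NAT rule(s) use that list")
    for v in sections["/interface vlan"]:
        if v["interface"] in bridged:  # VLAN interface stacked on a bridge slave port
            out["vlan-on-bridge-port"] = f"{v['name']} sits on bridge port {v['interface']}"
    return out

FINDINGS = audit_uplink(parse_export(EXPORT), "ether5")
```

Printing `FINDINGS` lists every check that fires for ether5; running `audit_uplink` with a different uplink name shows which findings depend on where the Internet cable is actually plugged in.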