7.14.3 Hex CapsMan -> capAc - 3rd SSID with VLAN Problem

kilburnflyer · Sun May 26, 2024 1:59 am

After reading all the discussion about using the legacy devices with 7.14.3 (in this case it's a Hex and capAC ) using the documentation found here:

https://help.mikrotik.com/docs/display/ ... %22package

[ Anchor link doesn't work but it's the section: CAP using "wifi-qcom-ac" package ]

I was able to successfully get it to work with the physical Wi-Fi interfaces for VLAN1 and slave configuration interfaces for VLAN10.

The trade off appears to be you can use the latest version of router OS and the qcom-ac package but you just have to add the interfaces manually on each cap for initial config.

If you continue to get the benefits of propagating password changes via CapsMan to multiple devices once they've been set up that seems good.

So after getting two SSID's working:

master-1-slave.jpg

master-with-1-slave.jpg

I was very excited to add the third one and added it to the provisioning but instead of assigning this 3rd SSID to the interfaces (wifi31 and wifi32) that I had manually created the cap decided to create a dynamic interface instead with a random numbering choice.

master-2-slaves.jpg

master-with-2-slaves-not-using-interface.jpg

This of course is no good because due to the manual VLAN settings that you have to set up it the capAC doesn’t know anything about this dynamically created interface and therfore the VLAN doesn't work work.

Can anyone work out why it's creating a dynamic interface once it gets to the 3rd SSID?

Here is a video showing the problem:

https://www.screencast.com/t/KllZZx8OS

Things I have tried:

Provisioning: create enabled or create dynamic enabled – same result.
Naming of Interfaces: Instead of wifi1 wifi2 wifi21 wifi22 wifi31 wifi32 – changed to wifi1 wifi2 wifi3 wifi4 wifi5 wifi6 – same result.

neki · Mon May 27, 2024 2:49 pm

I have few suggestions...

Don't use VLAN1, use 10,20,30 instead (or whatever numbers, but not 1)

As you demonstrated in the video, CAPsMAN is capable of creating interfaces, so unprovision everything and delete those manually created from the CAPs, lets see what will happen. Also, in provisioning tab set up name format, use %I-wifi and action create enabled.

Anyway, CAPsMAN created interfaces should be available in bridge VLAN configuration:

cm01.png

neki · Mon May 27, 2024 7:51 pm

So, I got to your configs and your main issue now, are misconfigured VLANs. You have to have working network before you start playing with CAPsMAN.

VLAN interface should be defined only for main/management network where you need IP for the device itself (for cAP)
Bridge ports must have frame-types set, admit-only-vlan-tagged for trunks and admit-only-untagged-and-priority-tagged for access ports
All VLANs must be tagged on the bridge
Do not rename "things", bridgeLocal, IOT (do you know what is it without any context? ...oh, wait it's vlan20)
- pool10
- pool20
- vlan10
- vlan20
- bridge1

I don't have time now, try to search for bridge VLANs...

Here is my config of cAP:

# 2024-04-07 19:43:15 by RouterOS 7.14.1
#
# model = cAPGi-5HaxD2HaxD
/interface bridge
add admin-mac=XXX auto-mac=no name=bridge1 vlan-filtering=yes
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: XXX, channel: 5785/ax/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath.bridge=bridge1 disabled=no
# managed by CAPsMAN
# mode: AP, SSID: XXX, channel: 2462/ax
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    datapath.bridge=bridge1 disabled=no
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=10
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=40
/interface wifi cap
set certificate=request discovery-interfaces=vlan10 enabled=yes
/ip dhcp-client
add interface=vlan10
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface=vlan10
add action=drop chain=input
/system clock
set time-zone-name=Europe/XXX
/system identity
set name=cAP-ax-03
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/tool romon
set enabled=yes secrets=XXX

MichalPospichal · Sat Jun 01, 2024 12:00 am

All VLANs must be tagged on the bridge

Just a small question - from various tutorials I understood that you need to tag vlans on the bridge only for the vlans that have vlan interface created on that bridge.
So in case of cap with only management vlan interface created it should be only this one vlan. The rest of vlans should be tagged only on the trunk port.
Or did I understand it wrong?

kilburnflyer · Sat Jun 01, 2024 12:53 am

As you demonstrated in the video, CAPsMAN is capable of creating interfaces, so unprovision everything and delete those manually created from the CAPs, lets see what will happen.
cm01.png

Thank you for taking the time to look through the configuration - I will follow try and replicate - regarding manually creating the interfaces I was under the impression from the Mikrotik examples in the wiki that I had to to this due to CapsMan not being able to dynamically create an interface *and* assign a VLAN id to the interface because it has to be added in the Datapath tab with the new WiFi menu and that specifically does not work when using the new WiFi config method - did I read this wrong?

neki · Tue Jun 04, 2024 2:19 pm

I was not able to find anything like that about dynamic interface creation but the VLAN datapath is commonly known limitation.

Lost features

The following notable features are lost when running 802.11ac products with drivers that are compatible with the 'wifi' management interface

Nstreme and Nv2 wireless protocols
VLAN configuration in the wireless settings (Per-interface VLANs can be configured in bridge settings)
Compatibility with station-bridging as implemented in the 'wireless' package, station-bridge only works between the same type of drivers. Wifi to Wifi, and Wireless to Wireless.

@Michal you are right, but I'm not sure about the datapath VLAN auto assignation. May be it will work without it, may be not... I can't try it now... (anyway, it's valid only for AX devices)

kilburnflyer · Wed Jun 05, 2024 9:42 pm

Just updating on here as I go and throwing this out there.

Since the manually generated interfaces which are then to be configured by CapsMan was showing the problem illustrated earlier in the thread I decided manually create the interfaces that would be created and fully configure them locally just to see that the configuration was possible. What I found was once I got to the 3rd virtual SSID just as with CapsMan i.e.

wifi1
wifi2
wifi21
wifi22
wifi31

it wouldn't create it because it was assigning a MAC address of one of the physical interfaces without be asking - I deleted this from the dialog and then it created OK - is in conceivable that this what is causing CapsMan to fail?

7.14.3 Hex CapsMan -> capAc - 3rd SSID with VLAN Problem

7.14.3 Hex CapsMan -> capAc - 3rd SSID with VLAN Problem

Re: 7.14.3 Hex CapsMan -> capAc - 3rd SSID with VLAN Problem

Re: 7.14.3 Hex CapsMan -> capAc - 3rd SSID with VLAN Problem

Re: 7.14.3 Hex CapsMan -> capAc - 3rd SSID with VLAN Problem

Re: 7.14.3 Hex CapsMan -> capAc - 3rd SSID with VLAN Problem

Re: 7.14.3 Hex CapsMan -> capAc - 3rd SSID with VLAN Problem

Re: 7.14.3 Hex CapsMan -> capAc - 3rd SSID with VLAN Problem

Who is online