Capsman Setup with hap ax2
Posted: Mon Aug 05, 2024 7:15 pm
by n4p
Hello,
I'm currently trying to set up Capsman with hap ax2 components.
However, it's failing because I can't understand why the VLAN configuration isn't working.
I want to create 3 SSIDs and put each one in a different network.
With Capsman(v1) it was relatively easy because you simply configured the VLAN ID in the datapath. However, it doesn't seem to work with the current Capsman.
I keep getting the VLAN ID 1 entered, even though it should be 10. After researching Wikipedia, you can see that this doesn't work without the additional "wifi-qcom" package.
But it doesn't work correctly with the package either, so the question is: what is the correct way to configure VLAN IDs using Capsman?
Thank you!
Best regards
Re: Capsman Setup with hap ax2
Posted: Mon Aug 05, 2024 7:58 pm
by neki
It doesn't work for wifi-qcom-ac, not your case... Wiki is for ROSv6, also not your case... Post your configs..
Re: Capsman Setup with hap ax2
Posted: Tue Aug 06, 2024 7:18 am
by n4p
And without any additional package it did not work, correct?
Re: Capsman Setup with hap ax2
Posted: Tue Aug 06, 2024 8:12 am
by holvoetn
First, use the correct documentation:
https://help.mikrotik.com/docs/display/ ... ionexample:
Second:
If all your devices (cAP and controller) are AX2, there are no additional packages needed than what's needed to run the device standalone.
Attention: packages have been split as of 7.13.
From this version on, you DO need wifi-qcom package (it's no longer part of base ROS) or you will have no wifi.
What version are you using?
What you DO need to take into account: capsman for wave2 can not control local radios on the controller, you need to configure those radios locally, not via capsman (ONLY on the controller).
However: 90% of the config for local or capsman is the same if you use configuration, channel, datapath, security, ..., so no real problem.
And because the same ROS instance will control both capsman and local radios, roaming etc will work as expected.
Re: Capsman Setup with hap ax2
Posted: Tue Aug 06, 2024 11:11 am
by n4p
Hi,
That's the configuration example that I used to configure this setup.
Capsman is running on a hex poe, which is powering my hap ax2 devices.
Currently I use 7.15.3, so I have to install wifi-qcom. OK, that's what I have already done.
Here is my current config:
hex poe
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=2Ghz
add band=5ghz-ax disabled=no frequency=5180,5260,5500 name=5Ghz
/interface wifi datapath
add bridge=bridge client-isolation=yes disabled=no name=wlan_datapath vlan-id=\
    27
add bridge=bridge client-isolation=yes disabled=no name=wlan_iot_datapath \
    vlan-id=21
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no group-encryption=ccmp \
    name=wlan_sec
add authentication-types=wpa2-psk disabled=no group-encryption=tkip name=\
    wlan_iot_sec
/interface wifi configuration
add channel=2Ghz datapath=wlan_datapath disabled=no mode=ap name=wlan_2Ghz \
    security=wlan_sec ssid=wlan
add channel=5Ghz datapath=wlan_datapath disabled=no mode=ap name=wlan_5Ghz \
    security=wlan_sec ssid=wlan
add channel=2Ghz datapath=wlan_iot_datapath disabled=no mode=ap name=\
    wlan_iot_2Ghz security=wlan_iot_sec ssid=wlan-IOT
add channel=5Ghz datapath=wlan_iot_datapath disabled=no mode=ap name=\
    wlan_iot_5Ghz security=wlan_iot_sec ssid=wlan-IOT
/interface wifi steering
add disabled=no name=steering_IOT neighbor-group=dynamic-wlan-dbeda0b9 rrm=yes \
    wnm=yes
/interface wifi capsman
set ca-certificate=WiFi-CAPsMAN-CA-0855317698C4 certificate=\
    WiFi-CAPsMAN-0855317698C4 enabled=yes interfaces=bridge package-path="" \
    require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=wlan_2Ghz \
    name-format=%I-2Ghz slave-configurations=wlan_iot_2Ghz supported-bands=\
    2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=wlan_5Ghz \
    name-format=%I-5Ghz slave-configurations=wlan_iot_5Ghz supported-bands=\
    5ghz-ax
/interface bridge
add admin-mac=08:55:31:76:98:C4 auto-mac=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=sfp1 internal-path-cost=10 path-cost=10
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4,ether5,ether2 vlan-ids=10,11,20,21,22,20
hap ax2
/interface bridge
add ingress-filtering=no name=bridge port-cost-mode=short vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10 pvid=11
add bridge=bridge interface=ether3 internal-path-cost=10 path-cost=10 pvid=11
add bridge=bridge interface=ether4 internal-path-cost=10 path-cost=10 pvid=11
add bridge=bridge interface=ether5 internal-path-cost=10 path-cost=10 pvid=11
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether3,ether2,ether4,ether5 \
    vlan-ids=10,11,20,21,201
Re: Capsman Setup with hap ax2
Posted: Tue Aug 06, 2024 2:33 pm
by neki
Bridge has to be defined on CAPs, not in CAPsMAN configuration profile, same applies to mode. Also VLAN filtering is incomplete. But hard to tell when you cut just part of the config.
CAPsMAN
/interface wifi datapath
add bridge=bridge client-isolation=yes disabled=no name=wlan_datapath vlan-id=\
    27 (not defined later?)
add bridge=bridge client-isolation=yes disabled=no name=wlan_iot_datapath \
    vlan-id=21
/interface wifi configuration
add channel=2Ghz datapath=wlan_datapath disabled=no mode=ap name=wlan_2Ghz \
    security=wlan_sec ssid=wlan
add channel=5Ghz datapath=wlan_datapath disabled=no mode=ap name=wlan_5Ghz \
    security=wlan_sec ssid=wlan
add channel=2Ghz datapath=wlan_iot_datapath disabled=no mode=ap name=\
    wlan_iot_2Ghz security=wlan_iot_sec ssid=wlan-IOT
add channel=5Ghz datapath=wlan_iot_datapath disabled=no mode=ap name=\
    wlan_iot_5Ghz security=wlan_iot_sec ssid=wlan-IOT
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-vlan-tagged comment=defconf interface=ether3 internal-path-cost=10 path-cost=10 (??)
add bridge=bridge frame-types=admit-only-vlan-tagged comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-vlan-tagged comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-vlan-tagged comment=defconf interface=sfp1 internal-path-cost=10 path-cost=10 (is sfp1 part of the local network?)
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4,ether5,ether2 vlan-ids=10,11,20,21,22,20
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5 vlan-ids=11
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5 vlan-ids=20
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5 vlan-ids=21
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5 vlan-ids=22
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5 vlan-ids=201
Is ether3 used as trunk? If not, adjust the above...
CAP
There should be something like this: (manager, mode and datapath.bridge have to be set locally)
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath.bridge=bridge disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    datapath.bridge=bridge disabled=no
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 internal-path-cost=10 path-cost=10 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether3 internal-path-cost=10 path-cost=10 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 internal-path-cost=10 path-cost=10 pvid=11
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether5 internal-path-cost=10 path-cost=10 pvid=11
add bridge=bridge interface=wifi1 (this is done by datapath.bridge)
add bridge=bridge interface=wifi2 (this is done by datapath.bridge)
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether3,ether2,ether4,ether5 vlan-ids=10,11,20,21,201
add bridge=bridge tagged=bridge,ether1 vlan-ids=10
add bridge=bridge tagged=bridge,ether1 untagged=ether3,ether2,ether4,ether5 vlan-ids=11
add bridge=bridge tagged=bridge,ether1 vlan-ids=20
add bridge=bridge tagged=bridge,ether1 vlan-ids=21
add bridge=bridge tagged=bridge,ether1 vlan-ids=22
add bridge=bridge tagged=bridge,ether1 vlan-ids=201
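Added example, not part of any post in this thread: a small Python check that reads a RouterOS export and reports wifi datapath VLAN IDs that are missing from the bridge VLAN table or not tagged on the trunk ports, which is the kind of gap pointed out above (datapath VLAN 27, VLAN 20 listed twice). The function names, the finding labels and the trunk port list passed in are assumptions made for this illustration; the sample input is an excerpt of the controller export posted earlier.

```python
import re

# Sample input: excerpt of the controller export posted in the thread.
CONTROLLER_EXPORT = r"""
/interface wifi datapath
add bridge=bridge client-isolation=yes disabled=no name=wlan_datapath vlan-id=\
    27
add bridge=bridge client-isolation=yes disabled=no name=wlan_iot_datapath \
    vlan-id=21
/interface bridge vlan
add bridge=bridge tagged=bridge,ether4,ether5,ether2 vlan-ids=10,11,20,21,22,20
"""

def parse_export(text):
    """Map each menu path to the property dicts of its 'add' lines."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash line continuations
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            props = dict(re.findall(r'([\w.-]+)=("[^"]*"|\S+)', line))
            menus.setdefault(path, []).append(props)
    return menus

def expand_ids(spec):  # '10,20-22' -> [10, 20, 21, 22]
    ids = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.extend(range(int(lo), int(hi or lo) + 1))
    return ids

def audit_vlans(text, trunk_ports):
    """Return (kind, subject, vlan_id) findings; trunk_ports comes from the operator."""
    menus, tagged, findings = parse_export(text), {}, []
    for row in menus.get("/interface bridge vlan", []):
        ids = expand_ids(row["vlan-ids"])
        for vid in sorted({v for v in ids if ids.count(v) > 1}):
            findings.append(("duplicate-vlan-id", row.get("bridge", "?"), vid))
        for vid in ids:
            tagged.setdefault(vid, set()).update(row.get("tagged", "").split(","))
    for dp in (d for d in menus.get("/interface wifi datapath", []) if "vlan-id" in d):
        vid = int(dp["vlan-id"])
        if vid not in tagged:
            findings.append(("vlan-not-in-bridge-table", dp["name"], vid))
        elif set(trunk_ports) - tagged[vid]:
            findings.append(("vlan-not-tagged-on-trunk", dp["name"], vid))
    return findings
```

Calling `audit_vlans(CONTROLLER_EXPORT, trunk_ports={"ether2"})` returns the findings for the controller; the same datapath section can be combined with the bridge VLAN table exported from each CAP and its uplink port.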