ClintonITWorks
just joined
Topic Author
Posts: 12
Joined: Thu Nov 09, 2023 8:41 pm

Guest VLAN on CAPsMAN

Thu Jan 25, 2024 4:20 am

I can get the guest network up and broadcasting, but devices will not connect to it. If I remove the vlan id and put it on the bridge it works just fine, but on the wrong subnet of course. I am fairly confident my issue has to do with my vlan configuration, but I cannot figure out what that is. Here is my configuration:
# 2024-01-24 21:16:45 by RouterOS 7.13
# software id = 9ARR-3SRK
#
# model = RB4011iGS+

/interface bridge
add add-dhcp-option82=yes admin-mac=78:9A:18:9F:05:21 auto-mac=no comment=\
    defconf dhcp-snooping=yes name=bridge_LOCAL port-cost-mode=short \
    vlan-filtering=yes
/interface vlan
add interface=bridge_LOCAL name=VLAN100_GuestWiFi vlan-id=100
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=2.4Ghz \
    skip-dfs-channels=all width=20/40mhz
add band=5ghz-ax disabled=no frequency=5170-5250 name=5Ghz skip-dfs-channels=\
    all width=20/40/80mhz
/interface wifi datapath
add bridge=bridge_LOCAL disabled=no name=datapath1
add disabled=no name=datapath_GuestWiFi vlan-id=100
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption="" name=\
    sec1
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption="" name=\
    sec_GuestWiFi
/interface wifi configuration
add channel=5Ghz country="United States" datapath=datapath1 disabled=no mode=\
    ap name=5Ghz security=sec1 ssid=Szostak_Design_5
add channel=2.4Ghz country="United States" datapath=datapath1 disabled=no \
    mode=ap name=2.4Ghz security=sec1 ssid=Szostak_Design_2.4
add channel=5Ghz country="United States" datapath=datapath_GuestWiFi \
    disabled=no mode=ap name=cfg_GuestWiFi security=sec_GuestWiFi ssid=\
    Szostak_Design_Guest
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1
/ip pool
add name=L2TP_VPN01 ranges=10.10.10.201-10.10.10.250
add name=GuestWiFi ranges=172.16.8.2-172.16.8.100
/ip dhcp-server
add address-pool=L2TP_VPN01 interface=ether1 lease-time=8h name=dhcp_VPN01
add address-pool=GuestWiFi interface=VLAN100_GuestWiFi lease-time=8h name=\
    dhcp_GuestWiFi
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add dns-server=10.10.10.100,9.9.9.9 local-address=10.10.10.1 name=L2TP_VPN01 \
    remote-address=L2TP_VPN01 use-ipv6=no
/interface bridge port
add bridge=bridge_LOCAL comment=defconf disabled=yes interface=ether1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge_LOCAL comment=defconf interface=ether2 internal-path-cost=\
    10 path-cost=10
add bridge=bridge_LOCAL interface=VLAN100_GuestWiFi
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set authentication=mschap2 default-profile=L2TP_VPN01 enabled=yes \
    one-session-per-host=yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge_LOCAL list=LAN
/interface wifi capsman
set ca-certificate=********* certificate=\
    ********* enabled=yes interfaces=bridge_LOCAL \
    package-path="" require-peer-certificate=no upgrade-policy=\
    suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=5Ghz \
    supported-bands=5ghz-ax,5ghz-n,5ghz-ac
add action=create-dynamic-enabled disabled=no master-configuration=2.4Ghz \
    supported-bands=2ghz-ax,2ghz-g,2ghz-n
/ip address
add address=10.10.10.1/24 interface=bridge_LOCAL network=10.10.10.0
add address=172.16.8.1/24 interface=VLAN100_GuestWiFi network=172.16.8.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=172.16.8.0/24 dns-server=9.9.9.9,142.112.112.112 gateway=\
    172.16.8.1
/ip dns
set servers=9.9.9.9,142.112.112.112
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=input comment=VPN01_ipsec in-interface=ether1 \
    protocol=ipsec-esp
add action=accept chain=input comment=VPN01_udp dst-port=500,1701,4500 \
    in-interface=ether1 protocol=udp
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ppp secret
"Removed Secrets for privacy"
/system clock
set time-zone-name=America/New_York
/system identity
set name=StkDgn
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key
 
gigabyte091
Forum Guru
Posts: 1227
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Guest VLAN on CAPsMAN

Thu Jan 25, 2024 5:40 am

If you go VLAN, go VLAN all the way, so you have VLAN100 for guests and create another VLAN for your main network.

Leave default VLAN1 in the background.

What you are missing is that under /interface/bridge/vlan you add your VLAN, so tag it to the bridge, and tag it to the port going to your CAP. And remove VLAN100 from /interface/bridge/port.
 
ClintonITWorks
just joined
Topic Author
Posts: 12
Joined: Thu Nov 09, 2023 8:41 pm

Re: Guest VLAN on CAPsMAN

Thu Jan 25, 2024 6:39 am

So I tried tagging the VLAN, and maybe it's my physical topology that's working against me, but when I tag the VLAN the CAPsMAN loses connection to the caps entirely. The topology is: ISP modem --> ether1 on rb4011, rb4011 ether2 --> netgear 24 port switch, and everything on the LAN runs into the switch, including the two WiFi 6 caps. I considered moving the caps to the rb4011, but can't figure out how to configure the same VLAN on both ports for the two caps.
 
gigabyte091
Forum Guru
Posts: 1227
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Guest VLAN on CAPsMAN

Thu Jan 25, 2024 7:11 am

So, what I recommend is to create 2 VLANs and stop using VLAN1; after that you need to define which VLAN is your trusted or management VLAN.

After that you create a hybrid port where your MGMT network is untagged and your guest VLAN is tagged. In that case your CAPs will be able to communicate with the controller. I have a setup like that myself, 2 CAPs, MGMT network untagged, other VLANs tagged.
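A controller-side sketch of the hybrid-port layout gigabyte091 describes in both replies, added here as an example rather than anything posted in the thread. It assumes the poster's existing bridge_LOCAL (vlan-filtering already on) and ether2 as the uplink to the switch and CAPs, keeps guest VLAN 100, and introduces a management VLAN id of 10 and the interface name VLAN10_MGMT, both of which are assumptions.

```routeros
# Added example, not the poster's export. Assumed: bridge_LOCAL with
# vlan-filtering=yes, ether2 = uplink to switch/CAPs, guest VLAN 100,
# management VLAN 10 / interface VLAN10_MGMT (ids and names are assumptions).

# 1. Management VLAN interface on the bridge; untagged VLAN 1 is no longer used for the LAN
/interface vlan
add interface=bridge_LOCAL name=VLAN10_MGMT vlan-id=10

# 2. The guest VLAN interface stays for L3 (address, DHCP) but must not be a bridge port
/interface bridge port
remove [ find interface=VLAN100_GuestWiFi ]
# ether2 becomes the hybrid port: untagged frames (CAP management traffic) land in VLAN 10
set [ find interface=ether2 ] pvid=10

# 3. Bridge VLAN table: the bridge itself is a tagged member of each VLAN so the
#    router's own VLAN interfaces (VLAN10_MGMT, VLAN100_GuestWiFi) receive traffic
/interface bridge vlan
add bridge=bridge_LOCAL vlan-ids=10 tagged=bridge_LOCAL untagged=ether2
add bridge=bridge_LOCAL vlan-ids=100 tagged=bridge_LOCAL,ether2

# 4. Move the LAN address and the CAPsMAN listener from the bare bridge to the MGMT VLAN.
#    VLAN100_GuestWiFi is deliberately left out of the LAN list, so the existing
#    "drop all not coming from LAN" input rule keeps guests off the router's services.
/ip address
set [ find address="10.10.10.1/24" ] interface=VLAN10_MGMT
/interface list member
add interface=VLAN10_MGMT list=LAN
/interface wifi capsman
set interfaces=VLAN10_MGMT

# 5. Guest datapath: with a bridge set, the guest wifi interface is bridged on the CAP
#    with vlan-id 100 as its pvid. The CAP's own bridge must then carry VLAN 100 tagged
#    on its uplink (CAP-side table not shown; assumption for this topology).
/interface wifi datapath
set [ find name=datapath_GuestWiFi ] bridge=bridge_LOCAL
```

Apply it from the serial console or inside Safe Mode: changing the ether2 pvid and moving the address breaks the current untagged VLAN 1 path to the router until both steps are complete.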
