I am now in very interesting situation, for the past days I am trying to make CAPsMAN work on a RB5009, I have installed the `wifi-qcom` package on the RB5009, and after so much testing I could partially make CAPsMAN work, the setup I have is the following:
RB5009 uses Ether1 and Ether2 in bonding (and bridged) to one Switch (which works but it's not in the scope of this problem I guess).
RB5009 uses Ether7 to connect to the CAP 5HaxD2HaxD ether1.
I use various VLANs:
vlan_id=99 for Management
vlan_id=10 for employees
vlan_id=80 for guests
vlan_id=90 configured but not in use yet.
Also I asume that the `wifi-qcom` works differently than the `wifi-qcom-ac` for rOS v7.14.1 meaning that I do NOT need to specify the VLANs on the CAPs and so, enough to do it in the CAPsMAN as usual...
But I have 2 weird problems I have:
1- Even if I Configured the IP on the bridge of the CAP (also the route) I cannot ping the CAPsMAN, nor cannot ping 1.1.1.1 for example from the CAP. But somehow the CAP can connect to the CAPsMAN and create the WIFI ... I guess CAPsMAN works in a lower layer, but I Guess this is not right in my installation.
2- I can make the CAP work with a primary SSID but I tried to specify the `ih-guest` ssid as slave, which is created but when joining to the WIFI I am not receiving any IP address from the DHCP server.
I am stuck with this for days, and I am not sure what I am doing bad.... So I wanted to ask you if one of you please can you check my configs, I don't see where can be the problem ....
For the CAPsMAN:
Code: Select all
# model = RB5009UPr+S+
# serial number = XXXXXXXXXXXX
/interface bridge
add name=bridge1 pvid=99 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Bonding to switch1 Switch Port1" \
poe-out=off
set [ find default-name=ether2 ] comment="Bonding to switch1 Switch Port2" \
poe-out=off
set [ find default-name=ether5 ] comment="ADMIN ETH" name=ether5-access
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment=\
"ISP WAN" name=sfp speed=1G-baseT-full
/interface wifi
add name=cap-wifi1 radio-mac=AA:BB:CC:DD:EE:30
/interface vlan
add comment="Guests VLAN80 for WIFI" interface=bridge1 name=guests vlan-id=80
add comment="employees vlan" interface=bridge1 name=vlan10 vlan-id=10
add comment="sysadmins vlan" interface=bridge1 name=vlan90 vlan-id=90
add comment="Admin Vlan" interface=bridge1 name=vlan99 vlan-id=99
/interface bonding
add comment="Bonding Trunk for Switch" mode=802.3ad name=bonding_to_switch \
slaves=ether1,ether2
/interface list
add comment="all Vlans" name=VLAN
add comment="The WAN" name=WAN
add comment="Where the admin VLAN is trunk" name=BASE
add comment="The Interface list needed for ADMINS" name=ADMIN
/interface wifi channel
add band=5ghz-ax disabled=no frequency=\
5230-5250,5210-5230,5190-5210,5170-5190 name=5GHz_US_bands width=20/40mhz
/interface wifi datapath
add bridge=bridge1 comment="Employees VLAN WIFI" disabled=no name=\
employees_wifi_datapath vlan-id=10
add bridge=bridge1 comment="Employees VLAN WIFI" disabled=no name=\
guests_datapath vlan-id=80
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk comment=\
"Security Profile for Employees wifi" disabled=no name=\
employees_wifi_security_profile wps=disable
add authentication-types=wpa2-psk,wpa3-psk comment=\
"Security Profile for Employees wifi" disabled=no name=\
guests_wifi_security_profile wps=disable
/interface wifi configuration
add channel=5GHz_US_bands comment="Employees WIFI 5GHz" country=\
"United States" datapath=employees_wifi_datapath disabled=no name=\
5g_employees security=employees_wifi_security_profile ssid=ihconau2
add channel=5GHz_US_bands comment="Employees WIFI 5GHz" country=\
"United States" datapath=guests_datapath disabled=no name=5g_guests \
security=employees_wifi_security_profile ssid=ih-guests
/ip pool
add comment="employees vlan10" name=vlan10 ranges=\
192.168.10.10-192.168.10.254
add comment="sysadmin vlan90" name=vlan90 ranges=192.168.90.10-192.168.90.254
add comment="ip pool for ether5" name=ether5 ranges=10.0.0.10-10.0.0.20
add comment="ip pool for admin vlan99" name=vlan99 ranges=\
10.0.99.2-10.0.99.254
add comment="Guests vlan80" name=vlan80 ranges=10.0.80.10-10.0.80.254
/ip dhcp-server
add address-pool=vlan10 comment="For employees vlan10" interface=vlan10 \
lease-time=10m name=vlan10
add address-pool=vlan90 comment="For sysadmins vlan90" interface=vlan90 \
lease-time=10m name=vlan90
add address-pool=ether5 comment="DHCP for eth5 access" interface=\
ether5-access lease-time=5d name=ether5
add address-pool=vlan99 comment="For admin vlan99" disabled=yes interface=\
vlan99 lease-time=10m name=vlan99
add address-pool=vlan80 comment="For guests vlan80" interface=guests \
lease-time=10m name=vlan80
/ip smb users
set [ find default=yes ] disabled=yes
/interface bridge port
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7 pvid=99
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=bonding_to_switch pvid=99
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge1 comment="Base VLAN99" tagged=bonding_to_switch,bridge1 \
untagged=ether6,ether8,ether7 vlan-ids=99
add bridge=bridge1 comment="Employees VLAN10" tagged=\
ether6,ether7,ether8,bonding_to_switch,bridge1 vlan-ids=10
add bridge=bridge1 comment="Sysadmins VLAN90" tagged=\
ether6,ether7,ether8,bonding_to_switch,bridge1 vlan-ids=90
add bridge=bridge1 comment="Guests VLAN80" tagged=\
bridge1,bonding_to_switch,ether7 vlan-ids=80
/interface list member
add comment=VLAN10 interface=vlan10 list=VLAN
add comment=VLAN90 interface=vlan90 list=VLAN
add comment=VLAN99 interface=vlan99 list=VLAN
add comment="BASE just vlan99" interface=vlan99 list=BASE
add comment="admin vlan99" interface=vlan99 list=ADMIN
add comment="Sysadmin from vlan90" interface=vlan90 list=ADMIN
add interface=sfp list=WAN
/interface wifi access-list
add action=reject comment="Reject anonymous MACs for WIFIs" disabled=yes \
mac-address=02:00:00:00:00:00 mac-address-mask=02:00:00:00:00:00
/interface wifi cap
set enabled=yes slaves-static=yes
/interface wifi capsman
set enabled=yes interfaces=BASE package-path="" require-peer-certificate=no \
upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled comment="Employees 5Ghz provisioning" \
disabled=no master-configuration=5g_employees slave-configurations=\
5g_guests supported-bands=5ghz-ax
/ip address
add address=10.0.99.1/24 comment="admin vlan99 Ip addresses" interface=vlan99 \
network=10.0.99.0
add address=192.168.10.1/24 comment="employees vlan_10 Ip addresses" \
interface=vlan10 network=192.168.10.0
add address=192.168.90.0/24 comment="sysadmins vlan90 Ip addresses" \
interface=vlan90 network=192.168.90.0
add address=10.0.0.1/24 comment="Admin IP for eth5" interface=ether5-access \
network=10.0.0.0
add address=aaa.bbb.ccc.234/29 comment="Main IP for ISP Router" \
interface=sfp network=aaa.bbb.ccc.232
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=1.1.1.1,8.8.4.4 gateway=10.0.0.1
add address=10.0.80.0/24 comment="Guests vlan80 network" dns-server=\
1.1.1.1,8.8.4.4 gateway=10.0.80.1
add address=10.0.99.0/24 comment="Admin vlan90 network" dns-server=\
1.1.1.1,8.8.4.4 gateway=10.0.99.1
add address=192.168.10.0/24 comment="employees vlan10 network" dns-server=\
192.168.10.1 gateway=192.168.10.1
add address=192.168.90.0/24 comment="Syadmins vlan99 network" dns-server=\
192.168.90.1 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.4.4
/ip firewall filter
add action=drop chain=input comment="DROP DNS tcp port 53 from WAN" dst-port=\
53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="DROP DNS udp port 53 from WAN" dst-port=\
53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow Estab & Related" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=accept chain=input comment=\
"Allow ICMP to WAN From Wan for monitoring" in-interface-list=WAN \
protocol=icmp src-address-list=Wan_monitoring
add action=drop chain=input comment="drop ICMP to WAN" in-interface-list=WAN \
protocol=icmp
add action=accept chain=input comment="Accept Loopback for CAPSMAN" \
dst-address=127.0.0.1
add action=accept chain=input comment="Allow everything from VLANs" \
in-interface-list=VLAN
add action=accept chain=input comment="Allow Admin VLAN full access" \
in-interface-list=BASE
add action=drop chain=input comment="DROP REST OF INPUT" in-interface-list=\
WAN
add action=accept chain=forward comment="VLAN Internet Access only" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
"Drop everything Forward from VLANs- TO ACTIVE WHEN TESTED" \
in-interface-list=VLAN
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade WAN" \
out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip route
add comment="Main Wan Gateway" disabled=no distance=1 dst-address=\
0.0.0.0/0 gateway=aaa.bbb.ccc.233 pref-src="" routing-table=main scope=30 \
suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=10.0.0.0/24,10.0.69.0/24,10.0.99.0/24,192.168.90.0/24
set api disabled=yes
set winbox address=\
10.0.0.0/24,10.0.69.0/24,10.0.99.0/24,192.168.90.0/24,192.168.10.0/24
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=America/Chicago
/system identity
set name=router01
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
add address=europe.pool.ntp.org
/tool romon
set enabled=yes
For the CAP:
Code: Select all
# model = cAPGi-5HaxD2HaxD
# serial number = XXXXXXXXXXX
/interface bridge
add name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: ihconau2, channel: 5220/ax/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp \
disabled=no
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp \
disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1 pvid=99
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip address
add address=10.0.99.101 interface=bridgeLocal network=10.0.99.0
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.99.1
/system note
set show-at-login=no
Many many thanks in advance !!