Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3) (2024)

This is a short guide on how I finally managed to set up a CAPsMAN configuration, including a management VLAN on the CAPs.

References

  • https://help.mikrotik.com/docs/display/ROS/WiFi

Background
I have some experience with MikroTik, but had almost no experience with wireless systems before this attempt, so this description should be read with a grain of salt. If something was done in an overly complicated way, or if someone has a more elegant solution, please share it and highlight any problems. I wrote this short guide because I struggled a lot with the MikroTik-provided documentation. For the test, I ordered and used 1x hap-ax3, 1x hap-ax2 and 1x cAP-ax.

There is a slight chance that the config contains small errors, since I obfuscated some settings so as not to expose parts of my actual config, for security and paranoia reasons.

Design Goals

  • 1 CAPsMAN
  • Multiple APs (all ax)
  • Separate Management VLAN for all Mikrotik devices
  • Using RouterOS 7.14 or newer
  • Try out IEEE 802.11r fast BSS transition feature

There are clearly a lot of features missing in the current "new" implementation of CAPsMAN. It kind of works if you have a single network without VLAN segmentation and multiple slave interfaces with their own separate VLANs. Once you introduce those and also want a separate management VLAN with VLAN filtering enabled on the bridge, I have found no good way to manage it "centrally". Therefore the current solution involves some manual configuration on the CAPs themselves. Since AC devices also do not support automatic datapath configuration from CAPsMAN, there is a chance that the same solution works out of the box for AC or mixed setups. I also found some bugs when CAPsMAN was running on a CAP itself: the local radios would not always configure themselves reliably. For this reason, I placed the CAPsMAN server on an RB5009, which also acts as the main router for my home network.

Hardware Setup

    --------------------
    [ CAPsMAN - RB5009 ]
    --------------------
            ||
            || (Trunk)
            ||      ------------------
            |------ [ CAP1 - hap-ax3 ]
            ||      ------------------
            ||      ------------------
            |------ [ CAP2 - hap-ax2 ]
            ||      ------------------
            ||      ------------------
            |------ [ CAP3 - cAP-ax ]
                    ------------------

VLANs

  • 100 - MGMT
  • 200 - LAN
  • 300 - GUEST
  • 310 - IOT

All the VLANs are routed on the central RB5009. Inter-VLAN routing and firewalling is configured and not part of this guide.

Setup Process

CAPsMAN - RB5009

From RouterOS 7.13 on, there is a dedicated "WiFi" section, replacing the functionality found up to RouterOS 7.12.

The following relevant interfaces are present:

/interface vlan
add interface=bridge1 name=vlan100-mgmt vlan-id=100
add interface=bridge1 name=vlan200-lan vlan-id=200
add interface=bridge1 name=vlan300-guest vlan-id=300
add interface=bridge1 name=vlan310-iot vlan-id=310

In my case, the CAPsMAN server shall run on the VLAN ID 100. Therefore I have to set the following configuration:

/interface wifi capsman
set ca-certificate=auto enabled=yes interfaces=vlan100-mgmt package-path="" \
    require-peer-certificate=no upgrade-policy=none

This setting allows CAPsMAN to automatically accept and create the certificates needed for the management relation. If you ever have to quickly change the CAPsMAN controller and/or assign a CAP to another CAPsMAN, you have to delete the certificates on the devices first. The certificates can be found under "System" > "Certificates".

Now create the wifi configuration, starting with the datapath.

Since we will manually configure the VLANs on each CAP, we have to define a datapath with only the bridge name. On my devices, I want to enforce having only one bridge present at any time, and they are all named "bridge1".

/interface wifi datapath
add bridge=bridge1 disabled=no name=DP_MANUAL

The wifi configuration:

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes \
    ft-mobility-domain=0x200 ft-over-ds=no name=lan-sec
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes \
    ft-mobility-domain=0x300 ft-over-ds=no name=guest-sec
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes \
    ft-mobility-domain=0x310 ft-over-ds=no name=iot-sec
/interface wifi configuration
add country=Switzerland datapath=DP_MANUAL disabled=no name=guest-cfg security=\
    guest-sec ssid=wt-guest
add country=Switzerland datapath=DP_MANUAL disabled=no name=lan-cfg security=\
    lan-sec ssid=wt-lan
add country=Switzerland datapath=DP_MANUAL disabled=no name=iot-cfg security=\
    iot-sec ssid=wt-iot

Create provisioning rules

/interface wifi provisioning
add action=create-dynamic-enabled comment="2.4 GHz" disabled=no master-configuration=lan-cfg slave-configurations=guest-cfg,iot-cfg \
    supported-bands=2ghz-n
add action=create-dynamic-enabled comment="5 GHz" disabled=no master-configuration=lan-cfg slave-configurations=guest-cfg supported-bands=\
    5ghz-ac
add action=create-dynamic-enabled disabled=no master-configuration=lan-cfg slave-configurations=guest-cfg supported-bands=5ghz-ax

CAPx

Now we configure each CAP.

For the VLANs, I also create the different VLAN interfaces to expose them to the local RouterOS instance. Technically this can be omitted, except for the management VLAN, which in my case is needed for management and for CAP-to-CAPsMAN communication. Adjust the input firewall rules if needed.

/interface vlan
add interface=bridge1 name=vlan100-mgmt vlan-id=100
add interface=bridge1 name=vlan200-lan vlan-id=200
add interface=bridge1 name=vlan300-guest vlan-id=300
add interface=bridge1 name=vlan310-iot vlan-id=310

Set up the wifi interfaces

On the devices used, there are usually two radios present in the default configuration; "wifi1" tends to be the 5 GHz radio. As a first step, I rename them to "wifi-lan-50" and "wifi-lan-24", because they will be assigned to the SSID/VLAN "LAN" afterwards.

/interface wifi
set [ find default-name=wifi2 ] channel.band=2ghz-ax \
    .skip-dfs-channels=10min-cac .width=20/40mhz \
    configuration.manager=capsman .mode=ap disabled=no \
    name=wifi-lan-24 security.authentication-types=""
set [ find default-name=wifi1 ] channel.band=5ghz-ax \
    .skip-dfs-channels=10min-cac .width=20/40/80mhz \
    configuration.manager=capsman .mode=ap disabled=no \
    name=wifi-lan-50 security.authentication-types=""
add configuration.mode=ap disabled=no master-interface=wifi-lan-24 \
    name=wifi-iot-24
add configuration.mode=ap disabled=no master-interface=wifi-lan-24 \
    name=wifi-guest-24
add configuration.mode=ap disabled=no master-interface=wifi-lan-50 \
    name=wifi-guest-50

Configure Bridge

Make sure the bridge is named "bridge1". The process involves 3 parts:

  1. Assign all ports and VLAN ID (PVID)
  2. Configure VLANs on the bridge
  3. Activate VLAN filtering

The filtering itself will be activated later, once the ports and VLAN table are in place.

/interface bridge port
add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wifi-lan-50 internal-path-cost=10 path-cost=10 pvid=200
add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wifi-lan-24 internal-path-cost=10 path-cost=10 pvid=200
add bridge=bridge1 comment=uplink interface=ether1 internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi-guest-24 pvid=300
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi-guest-50 pvid=300
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi-iot-24 pvid=310
/interface bridge vlan
# management VLAN: tagged on the uplink and on bridge1 itself, so the CPU can reach vlan100-mgmt
add bridge=bridge1 tagged=bridge1,ether1 \
    vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether1 untagged=wifi-lan-50,wifi-lan-24 \
    vlan-ids=200
# guest VLAN: vlan-ids and the untagged guest ports must match the pvid=300 set on the guest ports above
add bridge=bridge1 tagged=bridge1,ether1 untagged=wifi-guest-24,wifi-guest-50 \
    vlan-ids=300
add bridge=bridge1 tagged=bridge1,ether1 untagged=wifi-iot-24 \
    vlan-ids=310

Automatically assign an IP address to the management interface for L3 connectivity. A firewall rule on the input chain probably has to be added to reach the device.

/ip dhcp-client
add interface=vlan100-mgmt
/ip firewall filter
# "add" appends the rule at the end of the chain; it must sit above any drop rule to take effect
add action=accept chain=input comment="Accept from Management" \
    in-interface=vlan100-mgmt

Activate the VLAN filtering on the bridge

/interface bridge
# bridge1 already exists (ports were added to it above), so it is changed with "set", not "add"
set [ find name=bridge1 ] vlan-filtering=yes
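Enabling VLAN filtering on a CAP that you reach only over the management VLAN is the step that locks you out when the bridge table is inconsistent, so it pays to check the port PVIDs against the VLAN entries first. The script below is an added example, not part of the original post: it parses export-style `/interface bridge port` and `/interface bridge vlan` lines (a constructed sample reduced from this guide, deliberately listing a VLAN id that no port uses while the guest port carries pvid=300) and assumes single VLAN ids rather than ranges.

```python
import re

def parse_kv(line):
    """Split 'add k=v k2="v 2" ...' into a dict; quoted values are unquoted."""
    return {k: v.strip('"') for k, v in re.findall(r'([\w.-]+)=("[^"]*"|\S+)', line)}

def parse_bridge_export(text):
    """Return ({port: settings}, {vid: {'tagged': [...], 'untagged': [...]}})."""
    ports, vlans, section = {}, {}, None
    for line in text.replace("\\\n", " ").splitlines():  # join '\'-continued lines
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add") and section == "/interface bridge port":
            kv = parse_kv(line)
            ports[kv["interface"]] = kv
        elif line.startswith("add") and section == "/interface bridge vlan":
            kv = parse_kv(line)
            members = {k: kv[k].split(",") for k in ("tagged", "untagged") if k in kv}
            for vid in kv["vlan-ids"].split(","):  # assumption: single VLAN ids, no ranges
                vlans[int(vid)] = {"tagged": [], "untagged": [], **members}
    return ports, vlans

def check_vlan_table(ports, vlans, bridge, mgmt_vid):
    """Return problem strings; an empty list means the table is consistent."""
    problems, trunks = [], [bridge]
    for name, kv in ports.items():
        if kv.get("frame-types", "admit-all") == "admit-all":
            trunks.append(name)  # trunk port: untagged ingress is not expected here
            continue
        pvid = int(kv.get("pvid", "1"))  # RouterOS default PVID is 1
        if name not in vlans.get(pvid, {}).get("untagged", []):
            problems.append(f"{name}: pvid {pvid} has no untagged entry in the vlan table")
    for member in trunks:  # management VLAN must reach the CPU (bridge) and the uplink
        if member not in vlans.get(mgmt_vid, {}).get("tagged", []):
            problems.append(f"vlan {mgmt_vid}: {member} not tagged (management lockout)")
    return problems

# Constructed sample in export format, reduced from the guide, with a wrong guest VLAN entry
SAMPLE = """/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi-lan-50 pvid=200
add bridge=bridge1 comment=uplink interface=ether1 trusted=yes
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi-guest-24 pvid=300
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 \\
    vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether1 untagged=wifi-lan-50 vlan-ids=200
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=31
"""
```

Run `check_vlan_table(*parse_bridge_export(SAMPLE), "bridge1", 100)` against your own `/export` output; it reports the guest port whose PVID has no VLAN entry, and it reports a missing `bridge1` or uplink in the management VLAN's tagged list, which is the case that cuts off CAPsMAN reachability once filtering is on.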

Finally, activate the CAP connectivity. The "caps-man-addresses" setting can be removed, but I prefer to have it configured; set it to your correct IP. The important part is to set "slaves-static=yes", or CAPsMAN may mess up your manual interface configuration.

/interface wifi cap
set caps-man-addresses=192.168.100.1 certificate=request \
    discovery-interfaces=vlan100-mgmt enabled=yes slaves-static=yes

After that, the interfaces should configure themselves. If not, I found out that on the CAPsMAN device there is a "Remote CAP" tab (WinBox) in the WiFi section with a button called "Provisioning", which seems to force redistribution of the config to the currently selected CAP. Do not use the "Provisioning" function in the "Radio" tab, since it seems to destroy and re-create the interfaces on the managed CAPs and replace them with dynamic interfaces.

Overall it works. I would still like CAPsMAN to offer more advanced controller functions to create a true central management solution. Since all of this can be configured manually, I don't see a reason why it could not be automated, made universally compatible with AC and AX devices in the same step, and also work with VLAN filtering enabled on the bridge. Anyway, for my small setup of only 3 CAP devices it works fine and so far runs more stably than my previous TP-Link solution. Bandwidth is acceptable. Fingers crossed that it will run for the next couple of years.

Things that I would really like to understand

VLAN / SSID assignment on CAP

How does CAPsMAN form the relationship between manually created interfaces and provisioned configurations? There is not a single reference to the VLAN ID (PVID) in the CAPsMAN config, and still it assigns the configuration to the correct interface every time.

Fast Transition

I intentionally configured BSS fast transition (FT) over the air and not over the distributed system (DS). Would it be possible in this configuration to avoid CAPsMAN altogether and just set the mobility domain? What role does CAPsMAN play here under the hood?
