Dieser Artikel zeigt ein Setup für die Erstellung eines CapsMan Wifi Netzwerks mit gemischten AX- und AC-Geräten
In diesem Setup wird mithilfe von Vlans ein Wifi Setup für Office und Gast erstellt, welche voneinander getrennt werden.
In diesem Beispiel wird auch ein „legacy-“ AC device in diesem Fall ein hAPac3 mit dem wifi Paket eingebunden
In den untenstehenden Konfigurationen sehen Sie die unterschiedliche Vorgehensweise um ein MikroTik Wifi Device mit CAPsMan2 zu verwalten.
Vorbereitungen
Installation wifiwave2
Aktuell wird die Installation des WifiWave2 Pakets für folgende Platformen unterstützt:
Das Paket findet sich jeweils auf der MikroTik Homepage Software unter Extra Packages. Laden Sie diese Datei (*.zip) für die jeweils passende installierte Version und Platform herunter, entpacken es und kopieren Sie die Datei wifiwave2xxx.npk auf Ihr RouterOS Gerät. Zur Installation führen Sie einen Neustart durch.
Vorbereitungen
Hinweis
Die Installation des wifiwave2 Pakets ist nur notwendig, wenn Ihr Router nicht bereits ein AX Gerät ist (bei hAPax2/ax3 sowie cAP AX). Dort ist das Paket bereits installiert.
Bei nicht AX RouterOS Geräten:Durch die Installation des wifiwave2 Pakets, werden die alten Pakete wireless und CapsMan deaktiviert! Sichern Sie also vorher noch evtl. vorhandene CapsMan Einstellungen auf Ihrem RouterOS Gerät!
Dieses Setup wurde mit der RouterOS Version 7.11.2 durchgeführt. Prinzipiell sollte dieses Setup mit allen RouterOS Version ab ca. 7.5 durchführbar sein, eine Garantie dafür kann aber nicht übernommen werden.
Diagramm:
Schematische Darstellung
Konfiguration des RouterOS CAPsMan2Controllers
# CAPsMan2Controller setup
# This setup will create a wifiwave2 capsman controller useable for CAP ax AND cap ac devices
# assumes, that this device is connected to a home network on ether1 interface assuming that
# WAN network has address range of 192.168.178.0/24 (FritzBox) and a runing DHCP-Server
# it will create a own private network for the bridge
# will setup 2 Vlans 10 and 20
# Vlan 10 = Office WLAN - passphrase = MTOffice2023
# Vlan 20 = Guest WLAN - passphrase = MTGuest2023
# IP addresses
# ether1-WAN as DHCP-Client assuming a address from 192.168.178.0/24 and a Gateway 192.168.178.1
# Bridge = 192.168.66.1
# Vlan10 = 10.10.10.1
# Vlan20 = 20.20.20.1
# DHCP Server
# dhcp-bridge = 192.168.66.20-192.168.66.200
# Vlan10 = 10.10.10.20-10.10.10.200
# Vlan20 = 20.20.20.20-20.20.20.200
#
# This setup will create Simple Queues and Queues Types to limit the max. (total/per connection) Upload/Download for WLAN Home/Guest connections
# Firewall will be configured to reject connections from Guest-WLAN to Home-WLAN, from GUEST to GUEST and from GUEST to WAN and disable ping to WAN gateway 192.168.178.1
#
#BEGIN generic config
/system identity
set name=CAPsMan2Controller
/tool romon
set enabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
#END generic config
# Begin config for CAPsMan2Controller
#Bridge create/prepare
/interface bridge
add ingress-filtering=no name=bridge priority=0x7999 vlan-filtering=yes
#BEGIN Interfaces
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no name=ether1-WAN
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
/interface vlan
add interface=bridge name=vlan-10-Home vlan-id=10
add interface=bridge name=vlan-20-Guest vlan-id=20
#END Interfaces
#BEGIN Setup IP Address
/ip/dhcp-client
add interface=ether1-WAN add-default-route=yes
/ip address
add address=10.10.10.1/24 interface=vlan-10-Home network=10.10.10.0
add address=20.20.20.1/24 interface=vlan-20-Guest network=20.20.20.0
add address=192.168.66.1/24 interface=bridge network=192.168.66.0
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=20.20.20.0/24 gateway=20.20.20.1
add address=192.168.66.0/24 gateway=192.168.66.1
#END Setup IP Address
#BEGIN Setup DHCP-Server
/ip pool
add name=dhcp_pool0-vlan10 ranges=10.10.10.20-10.10.10.200
add name=dhcp_pool1-vlan20 ranges=20.20.20.20-20.20.20.200
add name=dhcp_pool-bridge ranges=192.168.66.20-192.168.66.200
/ip dhcp-server
add address-pool=dhcp_pool0-vlan10 interface=vlan-10-Home lease-time=3d name=\
dhcp-vlan10
add address-pool=dhcp_pool1-vlan20 interface=vlan-20-Guest lease-time=8h \
name=dhcp-vlan20
add address-pool=dhcp_pool-bridge interface=bridge lease-time=1w3d name=\
dhcp-bridge
#END Setup DHCP-Server
#BEGIN Setup Bridge
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ipv6 settings
set accept-router-advertisements=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether3,ether4,ether5 vlan-ids=20
#END Setup Bridge
# DNS Setup
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
#BEGIN Firewall config
/ip firewall address-list
add address=20.20.20.0/24 list=Guest-WLAN
add address=10.10.10.0/24 list=OfficeWLAN
add address=192.168.178.2-192.168.178.255 list=FB-HomeLan
add address=20.20.20.20-20.20.20.255 list=Guest-WLAN-Clients
/ip firewall filter
add action=reject chain=forward dst-address-list=OfficeWLAN reject-with=\
icmp-network-unreachable src-address-list=Guest-WLAN
add action=reject chain=input dst-address-list=OfficeWLAN reject-with=\
icmp-host-unreachable src-address-list=Guest-WLAN
add action=reject chain=forward dst-address-list=FB-HomeLan reject-with=\
icmp-network-unreachable src-address-list=Guest-WLAN
add action=reject chain=input dst-address-list=FB-HomeLan reject-with=\
icmp-host-unreachable src-address-list=Guest-WLAN
add action=reject chain=forward dst-address-list=Guest-WLAN-Clients \
reject-with=icmp-host-prohibited src-address-list=Guest-WLAN
add action=reject chain=input dst-address-list=Guest-WLAN-Clients \
reject-with=icmp-host-prohibited src-address-list=Guest-WLAN
add action=reject chain=forward dst-address=192.168.178.1 reject-with=\
icmp-host-prohibited src-address-list=Guest-WLAN
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=guest-conn \
passthrough=yes src-address-list=Guest-WLAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
#END Firewall config
#IPv6
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-WAN request=address \
use-interface-duid=yes
#BEGIN Setup Queues
/queue type
add kind=pcq name=PCQ-Download-40Mbit pcq-classifier=dst-address pcq-rate=41M
add kind=pcq name=PCQ-Upload-15Mbit pcq-classifier=src-address pcq-rate=15M
add kind=pcq name=PCQ-Download-25Mbit pcq-classifier=dst-address pcq-rate=25M
add kind=pcq name=PCQ-Upload-05Mbit pcq-classifier=src-address pcq-rate=6M
/queue simple
add max-limit=30M/75M name=queue-GuestWLan queue=\
PCQ-Upload-05Mbit/PCQ-Download-25Mbit target=vlan-20-Guest total-queue=\
PCQ-Download-25Mbit
add max-limit=35M/85M name=queue-WLan priority=7/7 queue=\
PCQ-Upload-15Mbit/PCQ-Download-40Mbit target=vlan-10-Home total-queue=\
PCQ-Download-40Mbit
#END Setup Queues
#BEGIN Setup wifiwave2
/interface wifiwave2 aaa
add disabled=no name=aaa1
/interface wifiwave2 datapath
add bridge=bridge disabled=no name=wlan-AX-Office vlan-id=10
add bridge=bridge disabled=no name=wlan-AX-Guest vlan-id=20 client-isolation=yes
add bridge=bridge disabled=no name=wlan-AC-Office
add bridge=bridge disabled=no name=wlan-AC-Guest client-isolation=yes
/interface wifiwave2 security
add authentication-types=wpa2-psk disabled=no encryption=ccmp name=Sec-Office passphrase="MTOffice2023"
add authentication-types=wpa2-psk disabled=no encryption=ccmp name=Sec-Guest passphrase="MTGuest2023"
/interface wifiwave2 configuration
add channel.skip-dfs-channels=all country=Germany datapath=wlan-AX-Office \
disabled=no mode=ap name=cfg-AX-Office security=Sec-Office security.ft=\
yes .ft-over-ds=yes ssid=MT-Office
add channel.skip-dfs-channels=all country=Germany datapath=wlan-AX-Guest \
disabled=no mode=ap name=cfg-AX-Guest security=Sec-Guest security.ft=yes \
.ft-over-ds=yes ssid=MT-Guest
add channel.skip-dfs-channels=all country=Germany datapath=wlan-AC-Office disabled=no mode=ap \
name=cfg-AC-Office security=Sec-Office security.ft=yes .ft-over-ds=yes \
ssid=MT-Office
add channel.skip-dfs-channels=all country=Germany datapath=wlan-AC-Guest disabled=no mode=ap \
name=cfg-AC-Guest security=Sec-Guest security.ft=yes .ft-over-ds=yes \
ssid=MT-Guest
/interface wifiwave2 provisioning
add action=create-dynamic-enabled comment="default 2GHz AX" disabled=no \
master-configuration=cfg-AX-Office name-format="2GHz ax wifi-%I" \
slave-configurations=cfg-AX-Guest supported-bands=2ghz-ax
add action=create-dynamic-enabled comment="default 5GHz AX" disabled=no \
master-configuration=cfg-AX-Office name-format="5GHz ax wifi-%I" \
slave-configurations=cfg-AX-Guest supported-bands=5ghz-ax
add action=create-dynamic-enabled comment="default 2GHz N (none AX)" disabled=no \
master-configuration=cfg-AC-Office name-format="hAPac 2GHz wifi-%C" \
slave-configurations=cfg-AC-Guest supported-bands=2ghz-n
add action=create-dynamic-enabled comment="default 5GHz ac (none AX)" disabled=no \
master-configuration=cfg-AC-Office name-format="hAPac 5GHz wifi-%C" \
slave-configurations=cfg-AC-Guest supported-bands=5ghz-ac
/interface wifiwave2 cap
set discovery-interfaces=bridge slaves-datapath=wlan-AX-Guest
/interface wifiwave2 capsman
set ca-certificate=auto certificate=auto \
enabled=yes interfaces=bridge package-path=/capsman \
require-peer-certificate=no upgrade-policy=none
#END Setup wifiwave2
## End config for CAPsMan2Controller
Konfiguration des hAPax2 als CAPSman Client
#default configuration for cAP ax devices to be managed by a capsman wifiwave2
# -- START block from MikroTik wifiwave2 capsman sample online documentation
/interface bridge
add name=bridgeLocal
/interface wifiwave2 datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
/interface wifiwave2 cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add interface=bridgeLocal disabled=no
# -- END block from MikroTik wifiwave2 capsman sample online documentation
# optional enable romon
/tool/romon/set enabled=yes
# optional set name of MT CAP device
/system/identity/set name=hAPax2
Konfiguration des hAPac3 als CAPSman Client unter wifiwave2
#default configuration for hAP ac devices to be managed by a capsman wifiwave2
# This configuration will setup a hAP ac device with 2 wifi interfaces (wifi1,wifi2)
# with 2 Vlans 10,20
#optional enable romon
/tool/romon/set enabled=yes
# optional set name of MT device
/system/identity/set name=hAPac3
#-- START block wifiwave2 capsman
/interface bridge
add name=bridgeLocal
/interface wifiwave2 datapath
add bridge=bridgeLocal disabled=no name=capdp-Vlan10 vlan-id=10
add bridge=bridgeLocal disabled=no name=capdp-Vlan20 vlan-id=20
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp-Vlan10 disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp-Vlan10 disabled=no
#add slave interfaces
add master-interface=wifi1 datapath=capdp-Vlan20 name=wifi3
add master-interface=wifi2 datapath=capdp-Vlan20 name=wifi4
#configure bridge
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=2GHz-Master interface=wifi1 pvid=10
add bridge=bridgeLocal comment=5GHz-Master interface=wifi2 pvid=10
add bridge=bridgeLocal comment=2GHz-Slave interface=wifi3 pvid=20
add bridge=bridgeLocal comment=5GHz-Slave interface=wifi4 pvid=20
/interface/bridge/vlan
#Vlan 10
add bridge=bridgeLocal tagged=ether1,ether2,ether3,ether4,ether5 vlan-ids=10
#Vlan 20
add bridge=bridgeLocal tagged=ether1,ether2,ether3,ether4,ether5 vlan-ids=20
#enable Vlan filtering
/interface/bridge
set vlan-filtering=yes numbers=0
# set dhcp-client on bridge
/ip dhcp-client
add interface=bridgeLocal disabled=no
#set cap mode
/interface wifiwave2 cap
set discovery-interfaces=bridgeLocal slaves-static=yes enabled=yes slaves-datapath=capdp-Vlan20
# -- END block wifiwave2 capsman