Manual:CAPsMAN with VLANs: Difference between revisions

From MikroTik Wiki

Revision as of 08:46, 16 August 2018


Applies to RouterOS: v6.41 +


Summary

It is possible to create a centralized Access Point management setup for a home or office environment that scales to many Access Points. Such a setup is quite easy to configure and has been explained in the Simple CAPsMAN setup guide, but more complex setups might require VLANs. CAPsMAN can assign a certain VLAN ID under certain conditions. This guide provides an example of how to assign a VLAN ID to wireless packets based on the AP to which a wireless client connects. CAPsMAN with VLANs can be achieved either with Local Forwarding Mode or with CAPsMAN Forwarding Mode: Local Forwarding Mode makes it possible to use a switch between your APs and the CAPsMAN router to switch packets (for larger throughput), while CAPsMAN Forwarding Mode should be used when all traffic must always be forwarded to the CAPsMAN router (in most cases to filter packets).

In this example we are going to assign all wireless clients to VLAN10 if they connect to WiFi_WORK, and to VLAN20 if they connect to WiFi_GUEST. We are going to use Virtual APs to create multiple SSIDs for wireless clients to connect to while using a single physical device. An example of how to use a single SSID per physical device, selected with CAPsMAN provisioning rules, will also be shown.

Using Local Forwarding Mode

[Figure: CAPsMAN topology for VLANs and using Local Forwarding Mode]

CAPsMAN Router

  • Create appropriate CAP configurations for each VLAN
/caps-man configuration
add country=latvia datapath.local-forwarding=yes datapath.vlan-id=10 datapath.vlan-mode=use-tag name=Config_WORK security.authentication-types=wpa-psk,wpa2-psk \
    security.passphrase=secret_work_password ssid=WiFi_WORK
add country=latvia datapath.local-forwarding=yes datapath.vlan-id=20 datapath.vlan-mode=use-tag name=Config_GUEST security.authentication-types=\
    wpa-psk,wpa2-psk security.passphrase=secret_guest_password ssid=WiFi_GUEST
  • We will assign the "WORK" configuration if the identity starts with "AP_WORK_*" and the "GUEST" configuration if the identity starts with "AP_GUEST_*"; this is done with CAPsMAN provisioning rules
/caps-man provisioning
add action=create-dynamic-enabled identity-regexp=^AP_GUEST_ master-configuration=Config_GUEST
add action=create-dynamic-enabled identity-regexp=^AP_WORK_ master-configuration=Config_WORK
  • For security reasons, limit the CAPsMAN to a single interface
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether1
  • Enable the CAPsMAN manager
/caps-man manager
set enabled=yes
  • Setup DHCP Server for each VLAN
/interface vlan
add interface=ether1 name=VLAN10 vlan-id=10
add interface=ether1 name=VLAN20 vlan-id=20
/ip address
add address=192.168.10.1/24 interface=VLAN10
add address=192.168.20.1/24 interface=VLAN20
/ip pool
add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool20 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_pool10 disabled=no interface=VLAN10 name=dhcp10
add address-pool=dhcp_pool20 disabled=no interface=VLAN20 name=dhcp20
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1

Switch

In this example we are going to use Bridge VLAN Filtering to filter unknown VLANs and to assign other devices to the same networks. Some devices are capable of offloading this to the built-in switch chip; check the Basic VLAN switching guide to see how to configure it on different types of devices.

  • Setup Bridge VLAN Filtering
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4 pvid=10
add bridge=bridge1 interface=ether5 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=ether1,ether2,ether3 untagged=ether4,ether5 vlan-ids=10,20

Note: In this example untagged traffic is going to be used to communicate between CAPs and CAPsMAN Router. By default, if PVID is not changed, untagged traffic is going to be forwarded between ports that have the same PVID value set (including the default PVID).


CAPs

  • Create a bridge and add to it the port that is connected to the CAPsMAN Router
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
  • Enable CAP mode on the AP, make sure you specify to use the newly created bridge
/interface wireless cap
set bridge=bridge1 discovery-interfaces=bridge1 enabled=yes interfaces=wlan1

Note: Don't forget to set a proper identity on each AP, since CAPsMAN assigns the appropriate configuration to an AP based on its identity.


That is it! Connect Wireless clients to your APs and check connectivity.

Using CAPsMAN Forwarding Mode

[Figure: CAPsMAN topology for VLANs and using CAPsMAN Forwarding Mode]

CAPsMAN Router

  • Setup Bridge VLAN filtering to limit interfaces to appropriate VLANs
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=10
add bridge=bridge1 interface=ether2 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether1,ether2 vlan-ids=10,20

Note: CAPsMAN will attach CAP interfaces to the bridge and automatically will add appropriate entries to the bridge VLAN table.


  • Create appropriate CAP configurations for each VLAN
/caps-man configuration
add country=latvia datapath.bridge=bridge1 datapath.vlan-id=10 datapath.vlan-mode=use-tag name=Config_WORK security.authentication-types=wpa-psk,wpa2-psk \
    security.passphrase=secret_work_password ssid=WiFi_WORK
add country=latvia datapath.bridge=bridge1 datapath.vlan-id=20 datapath.vlan-mode=use-tag name=Config_GUEST security.authentication-types=wpa-psk,wpa2-psk \
    security.passphrase=secret_guest_password ssid=WiFi_GUEST
  • We will assign the "WORK" configuration if the identity starts with "AP_WORK_*" and the "GUEST" configuration if the identity starts with "AP_GUEST_*"; this is done with CAPsMAN provisioning rules
/caps-man provisioning
add action=create-dynamic-enabled identity-regexp=^AP_GUEST_ master-configuration=Config_GUEST
add action=create-dynamic-enabled identity-regexp=^AP_WORK_ master-configuration=Config_WORK
  • For security reasons, limit CAPsMAN to the interfaces to which CAPs are going to be connected
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether3
add disabled=no interface=ether4
  • Enable the CAPsMAN manager
/caps-man manager
set enabled=yes
  • Setup DHCP Server for each VLAN
/interface vlan
add interface=bridge1 name=VLAN10 vlan-id=10
add interface=bridge1 name=VLAN20 vlan-id=20
/ip address
add address=192.168.10.1/24 interface=VLAN10
add address=192.168.20.1/24 interface=VLAN20
/ip pool
add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool20 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_pool10 disabled=no interface=VLAN10 name=dhcp10
add address-pool=dhcp_pool20 disabled=no interface=VLAN20 name=dhcp20
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1

CAPs

  • Enable CAP mode on each AP, specify which interface is connected to the CAPsMAN router
/interface wireless cap
set discovery-interfaces=ether1 enabled=yes interfaces=wlan1

Note: Don't forget to set a proper identity on each AP, since CAPsMAN assigns the appropriate configuration to an AP based on its identity.


That is it! Connect Wireless clients to your APs and check connectivity.
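As an added example that is not part of the MikroTik guide, the following RouterOS script can be run on the CAPsMAN router in either forwarding mode to audit the provisioning step used in both setups above. For every CAP that has contacted the manager it replays the provisioning rules in their listed order, reports which master configuration (and therefore which SSID and VLAN ID) that CAP receives, and flags CAPs whose identity matches no rule, which is a common cause of a missing SSID after a renamed or mistyped identity. It assumes the configuration and rule names from this guide, the `identity` property of `/caps-man remote-cap`, the `~` regular-expression operator of RouterOS scripting, and that the dotted `datapath.vlan-id` property can be read with `get`.

```routeros
# Added audit script (not part of the MikroTik guide): run on the CAPsMAN router
# to see which provisioning rule each remote CAP hits and which VLAN that rule's
# master configuration tags client traffic with.
# Assumptions: /caps-man remote-cap exposes "identity", "~" performs a regexp
# match, and "datapath.vlan-id" is readable via get.

:foreach cap in=[/caps-man remote-cap find] do={
    :local id [/caps-man remote-cap get $cap identity]
    :local cfg "NONE"
    # Provisioning rules are evaluated top to bottom and the first match wins,
    # so stop updating $cfg after the first regexp that matches the identity.
    :foreach rule in=[/caps-man provisioning find] do={
        :local re [/caps-man provisioning get $rule identity-regexp]
        :if (($cfg = "NONE") && ([:len $re] > 0) && ($id ~ $re)) do={
            :set cfg [/caps-man provisioning get $rule master-configuration]
        }
    }
    :if ($cfg = "NONE") do={
        # No rule matched: this CAP will not be provisioned and will serve no SSID.
        :put ("UNMATCHED  " . $id . " -> no provisioning rule matches this identity")
    } else={
        :local vid [/caps-man configuration get [find name=$cfg] datapath.vlan-id]
        :local ssid [/caps-man configuration get [find name=$cfg] ssid]
        :put ("OK         " . $id . " -> " . $cfg . " (ssid " . $ssid . ", vlan " . $vid . ")")
    }
}
```

Paste the script into a terminal on the CAPsMAN router, or store it under /system script and run it after adding or renaming an AP. A CAP reported as UNMATCHED has an identity outside both `^AP_WORK_` and `^AP_GUEST_`, and a CAP reported with an unexpected VLAN usually means the rule order or a regexp is broader than intended, since only the first matching rule is applied.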