RSS

Centrally Managed WiFi with MikroTik CAPsMAN

MikroTik has been known in the WISP wireless world for a long time for their wireless PTP and PTMP products. However more recently they have also started making WiFi products aimed at home, office, and enterprise networks. These products can be centrally managed with Controlled Access Point system MANager, or CAPsMAN.

Keywords: WiFi, Managed WiFi, CAPsMAN, MikroTik, VLAN

Introduction

MikroTik has been known in the WISP wireless world for a long time for their wireless PTP and PTMP products. However more recently they have also started making WiFi products aimed at home, office, and enterprise networks. These products can be centrally managed with Controlled Access Point system MANager, or CAPsMAN.

CAPsMAN Forwarding Options

CAPsMAN offers both local forwarding at the AP, as well as centralized CAPsMAN forwarding.

Advantages of each forwarding option

Local Forwarding CAPsMAN Forwarding
Increased forwarding performance. Simplified Layer2 configuration.
Better performance with diverse locations. Layer 3 Mobility.

Configuring the Wireless Device for CAPsMAN

The only configuration for the device that will be CAPsMAN managed is to have a bridge, and add devices into that bridge.

Most other WiFi routers that use Atheros default to having adaptive noise immunity enabled. Mikrotik does not. CAPsMAN also does not control the adaptive noise immunity settings on the advanced tab of the wireless interfaces because this is specific to products with Atheros chipsets. Therefor adaptive noise immunity should be enabled manually before doing CAPsMAN config.

/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode

Configuring CAPsMAN

The CAPsMAN tabs are presented in a fairly useful order. I begin building the configuration in the following order:

  1. channels
  2. datapaths
  3. security config

Once these things are created then the SSID configurations can be created in the Configurations tab. Once this is done then APs can be provisioned if CAPsMAN is enabled.

Simple Config

This includes 1 SSID, both 2.4 and 5GHz use this same SSID and PSK. No VLANs involved. Skips DFS channels b/c that causes delays starting 5GHz SSIDs.

/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled name=channel24
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee name=channel51 skip-dfs-channels=yes

/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-g3ckoL

/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=security-g3ckoL passphrase=PASSWORD_GOES_HERE

/caps-man configuration
add channel=channel24 country=canada datapath=datapath-g3ckoL installation=indoor mode=ap name=cfg24 security=security-g3ckoL ssid=g3ckoL
add channel=channel51 country=canada datapath=datapath-g3ckoL installation=indoor mode=ap name=cfg51 security=security-g3ckoL ssid=g3ckoL

/caps-man manager
set enabled=yes upgrade-policy=suggest-same-version

/caps-man manager interface
set [ find default=yes ] forbid=no

/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg24 name-format=prefix-identity name-prefix=2.4g
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=cfg51 name-format=prefix-identity name-prefix=5g

Medium Config

This includes 2 SSIDs, both 2.4 and 5GHz on one of the SSIDs, and a 2nd which is 5GHz only (for troubleshooting). Same PSK on both. Skips DFS channels b/c that causes delays starting 5GHz SSIDs.

/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled name=channel24
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee name=channel51 skip-dfs-channels=yes

/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-g3ckoL

/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=security-g3ckoL passphrase=PASSWORD_GOES_HERE

/caps-man configuration
add channel=channel24 country=canada datapath=datapath-g3ckoL installation=indoor mode=ap name=cfg24 security=security-g3ckoL ssid=g3ckoL
add channel=channel51 country=canada datapath=datapath-g3ckoL installation=indoor mode=ap name=cfg51 security=security-g3ckoL ssid=g3ckoL

add channel=channel51 country=canada datapath=datapath-g3ckoL installation=indoor mode=ap name=cfg51-5 security=security-g3ckoL ssid=g3cko5

/caps-man manager
set enabled=yes upgrade-policy=suggest-same-version

/caps-man manager interface
set [ find default=yes ] forbid=no

/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg24 name-format=prefix-identity name-prefix=2.4g
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=cfg51 slave-configurations=cfg51-5 name-format=prefix-identity name-prefix=5g

Complex Config

This includes 4 SSIDs, mapped onto the 2.4GHz and 5GHz radios. SSIDs map to VLANs, which are tagged. One SSID is hidden. The 5GHz only SSID that is a clone of the general SSID also exists in this example. DFS channels are again skipped b/c of delays.

/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled name=channel24
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee name=channel51 skip-dfs-channels=yes

/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-g3ckoL vlan-id=2 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-g3ckoP vlan-id=3 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=datapath-g3ckoWork vlan-id=4 vlan-mode=use-tag

/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=security-g3ckoL passphrase=PASSWORD_GOES_HERE
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=security-g3ckoP passphrase=PASSWORD_GOES_HERE
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=security-g3ckoWork passphrase=PASSWORD_GOES_HERE

/caps-man configuration
add channel=channel24 country=canada datapath=datapath-g3ckoL installation=indoor mode=ap name=cfg24 security=security-g3ckoL ssid=g3ckoL
add channel=channel51 country=canada datapath=datapath-g3ckoL installation=indoor mode=ap name=cfg51 security=security-g3ckoL ssid=g3ckoL
add channel=channel51 country=canada datapath=datapath-g3ckoL installation=indoor mode=ap name=cfg51-5 security=security-g3ckoL ssid=g3cko5
add channel=channel51 country=canada datapath=datapath-g3ckoP installation=indoor mode=ap name=cfg51devices security=security-g3ckoP ssid=g3ckoP
add channel=channel24 country=canada datapath=datapath-g3ckoP installation=indoor mode=ap name=cfg24devices security=security-g3ckoP ssid=g3ckoP
add channel=channel24 country=canada datapath=datapath-g3ckoWork hide-ssid=yes installation=indoor mode=ap name=cfg24Work security=security-g3ckoWork ssid=g3ckoWork
add channel=channel51 country=canada datapath=datapath-g3ckoWork hide-ssid=yes installation=indoor mode=ap name=cfg51Work security=security-g3ckoWork

/caps-man manager
set enabled=yes upgrade-policy=suggest-same-version

/caps-man manager interface
set [ find default=yes ] forbid=no

/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg24 name-format=prefix-identity name-prefix=2.4g slave-configurations=cfg24devices
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=cfg51 name-format=prefix-identity name-prefix=5g slave-configurations=cfg51-5,cfg51Work,cfg51devices