Wireless networking with CAPsMAN and the MikroTik cAP ac

From Nathan Kennedy Enterprises

This document assumes the router is already configured and working normally, and that all configuration is performed via WebFig.

CAPsMAN Configuration For 2.4 and 5GHz SSIDs

Get the MAC Addresses for the cAP radios

  1. Log in to the Access Point
  2. Go to Wireless
  3. Click on the wlan1 interface
  4. Copy the MAC Address down and note if the band is 2 or 5GHz
  5. Click Cancel
  6. Click on the wlan2 interface
  7. Copy the MAC Address down and note if the band is 2 or 5GHz
  8. Click Cancel

Router Configuration

Log into the Router that will be the central CAPsMAN Manager

Initial CAPsMAN Configuration

  1. Click on CAPsMAN
  2. On the CAP Interface tab click on the Manager button
  3. Check the Enabled Box
  4. Set Certificate and CA Certificate to auto, or none
    1. (I encountered an issue with auto-generated certificates that I believe has to do with an existing CA I configured on the router)
  5. Set Upgrade Policy to "suggest same version"
  6. Click on Interfaces
  7. Click on Add New
  8. Change Interface from all to bridge
  9. Click on OK
  10. Click on the all interface
  11. Check the forbid box
  12. Click on Ok

Configure Datapaths

Datapaths are the forwarding mechanism from the radios to the network they belong to.

  1. Go to Datapaths (need a better description of what this does)
  2. Click on Add New
  3. Change the name to Default
  4. Set the Bridge from the drop-down

Configure Security Options

Here is where you configure Authentication and Encryption for the wireless networks.

  1. Click on the Security Tab (this sets your passwords)
  2. Click on Add new
  3. Enter a name for the security configuration
  4. Set Authentication type to WPA2 PSK
  5. Set Encryption to aes ccm and tkip
  6. Set the Passphrase to something secure

Configure Channels

Channels specify radio band and frequency options.

2.4 and 5GHz band configuration

  1. Click on the Channels tab
  2. Click on the Add new button
  3. Set the name to Default24
  4. Set the Band to 2ghz-b/g/n
  5. Click on OK
  6. Click on Add new
  7. Set the name to Default5g
  8. Set the band to 5ghz-a/n/ac
  9. Click on Ok

SSID Creation

  1. Click on Configurations Tab
  2. Click the Add New button
  3. Set the name to Default24G
  4. Set the SSID to Default24G
  5. Set the Country appropriately
  6. Set the Channel to Default24
  7. Set the Datapath to Default
  8. Set the Security to what was created earlier
  9. Click on OK
  10. Click on Add New
  11. Set the name to Default5G
  12. Set the SSID to Default5G
  13. Set the Country appropriately
  14. Set the Channel to Default5g
  15. Set the Datapath to Default
  16. Set the Security to what was created earlier
  17. Click on Ok

Provision the Configuration to the Radios

  1. Click on Provisioning Tab
  2. Click on Add New
  3. Paste the 5g radio MAC address in the Radio Mac field
  4. Set Hw. Supported Modes to ac
  5. Set Action to create dynamic enabled
  6. Set the Master Configuration to Default5G
  7. Click on Ok
  8. Click on Add New
  9. Paste the 2g radio MAC address in the Radio Mac field
  10. Set Action to create dynamic enabled
  11. Set the Master Configuration to Default24G
  12. Click on Ok

Change the Access Point Radios to be CAPsMAN Managed

  1. Log in to the access point
  2. Go to Wireless
  3. On the WiFi Interfaces tab click on the CAP button
  4. Add both wlan interfaces to the Interfaces section
  5. Set Certificate to request
    1. If there are certificate issues set this to none
  6. Set Discover Interfaces to bridge
  7. Set the CAPsMAN addresses to the address of the CAPsMAN router the above configuration was done on
  8. Click Ok

Guest Network Configuration

All configuration is performed on the router that is the central CAPsMAN controller

Interface and DHCP Configuration

Create a VLAN and Assign it an IP Address

  1. Go to Interfaces -> VLAN
  2. Click on Add New
  3. Enter a Name
  4. Set the VLAN ID
  5. Set Interface to bridge
  6. Go to IP -> Addresses
  7. Click on Add New
  8. Enter the address that will be used as the gateway for the guest network
  9. Enter the network address
  10. Select the VLAN interface created earlier

DHCP Configuration

  1. Go to IP -> Pool
  2. Click on Add New
  3. Enter a Name
  4. Enter the address range for the guest network
  5. Go to IP -> DHCP Server
  6. On the DHCP tab click Add New
  7. Enter a Name
  8. Set Interface to the VLAN interface created earlier
  9. Set the Address Pool to the one created earlier
  10. Click on the Networks tab
  11. Click Add New
  12. Enter the network address
  13. Enter the gateway address (the one the VLAN interface is set to)
  14. Add some entries to the DNS Servers (I like to use 8.8.8.8 and 1.1.1.1)

Configure the Guest Network in CAPsMAN

Go to CAPsMAN

Create a Rate to Limit Bandwidth on the Guest Network

  1. Click on the Rates tab
  2. Click on Add New
  3. Set the Name to Guest
  4. Set Basic Rates (set it low so your guests don't use all your bandwidth)
  5. Set Supported Rates to the same value as above

Configure Authentication and Encryption

  1. Click on the Security Cfg. tab
  2. Click Add New
  3. Set the Name to Guest
  4. Set Authentication type to WPA2 PSK
  5. Set Encryption to aes ccm and tkip
  6. Set Passphrase to something easy for guests to enter

Configure a Datapath for Traffic to go on the VLAN

  1. Click on the Datapaths tab
  2. Click Add New
  3. Set the Name
  4. Set Bridge to bridge
  5. Set VLAN Mode to use tag
  6. Set VLAN ID to the ID configured earlier

Configure the SSID for the Guest Network

  1. Click on the Configurations Tab
  2. Click Add New
  3. Set the Name to Guest
  4. Set the SSID
  5. Set the Country
  6. Set the Channel to Default24 (I don't like tying up the 5g with guest access)
  7. Set the Rate to Guest
  8. Set the Datapath to the one created earlier
  9. Set the Security to Guest

Provision the Guest Network to the Radios

  1. Click on the Provisioning tab
  2. Click on the entry for the 2.4GHz radio
  3. Set the Slave Configuration to Guest
  4. Click OK

Restrict Access From the Guest Network

  1. Go to IP -> Firewall
  2. On the Filter Rules tab click Add New
  3. Set Chain to input
  4. Set Src. Address to the Guest network address
  5. Set Dst. Address to the Private network address
  6. Set In. Interface to the Guest VLAN
  7. Set Action to reject
  8. Click Ok
  9. Drag the rule up so it is above any Accept Input rules
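
An added example, not part of the original page: a small Python audit that reads a RouterOS `/export` and checks three choices made in the steps above: the CAPsMAN certificate set to none, TKIP permitted alongside AES-CCM, and the guest restriction placed in the input chain, which matches only traffic addressed to the router itself, while traffic from guests to hosts on the private network is routed through the forward chain. The export excerpt, the interface name `vlan-guest`, the subnets, the passphrase and the finding labels are constructed for illustration.

```python
import shlex

# Constructed /export excerpt reflecting the settings chosen on this page.
# Interface name, subnets and passphrase are placeholders, not real values.
SAMPLE_EXPORT = r"""
/caps-man manager
set ca-certificate=none certificate=none enabled=yes upgrade-policy=suggest-same-version
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=Guest \
    passphrase="example-guest-pass"
/ip firewall filter
add action=reject chain=input dst-address=192.168.88.0/24 in-interface=vlan-guest \
    src-address=192.168.99.0/24
"""

def parse_export(text):
    """Yield (menu_path, {key: value}) for each add/set line of an export."""
    menu = None
    # Join backslash-continued lines before splitting into commands.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith(("add ", "set ")):
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            yield menu, dict(pairs)

def audit(text, guest_if):
    """Return a list of finding labels (hypothetical names) for the export."""
    findings = []
    items = list(parse_export(text))
    for menu, kv in items:
        # An omitted certificate key is treated as none (assumed default).
        if menu == "/caps-man manager" and kv.get("certificate", "none") == "none":
            findings.append("capsman-no-certificate")
        if menu == "/caps-man security" and "tkip" in kv.get("encryption", "").split(","):
            findings.append(f"tkip-allowed:{kv.get('name')}")
    # Simplification: any drop/reject rule in the forward chain that matches
    # the guest interface counts as isolating guests from routed networks.
    blocks_forward = any(
        menu == "/ip firewall filter" and kv.get("chain") == "forward"
        and kv.get("in-interface") == guest_if
        and kv.get("action") in ("drop", "reject")
        for menu, kv in items)
    if not blocks_forward:
        findings.append("guest-not-blocked-in-forward-chain")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT, "vlan-guest"))
```
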