Mikrotik CAPsMAN is Awesome


Mikrotik routers use CAPsMAN (Controlled Access Point Manager) to configure and synchronize a mesh of wireless access points, or CAPs (Controlled Access Points). This is extremely useful for setting up multiple access points with exactly the same WiFi name (SSID) and security settings, plus a dedicated guest network, for example.

Sidenote: I wish there was a brief description under each RouterOS configuration panel describing the purpose of the particular section, or at least a link to the relevant wiki page. The amount of abbreviations used throughout the RouterOS management interface makes it really difficult for anyone new to the platform.

How does CAPsMAN work?

Behind the scenes CAPsMAN talks to the access points either at Layer 2 (raw MAC frames, which means the CAP and the manager must share a broadcast domain) or at Layer 3 (UDP over IP, on UDP ports 5246 and 5247, which can cross routed networks) to discover and configure them.

All of this communication can be secured and encrypted with Datagram Transport Layer Security (DTLS), which is very similar to the Transport Layer Security (TLS) used on the web but designed for UDP. RouterOS can generate the certificate authority (CA) certificate and the manager's own certificate itself, and issue a certificate to each CAP on request. Without certificates on both sides there is no DTLS, and the configuration CAPsMAN pushes to the CAPs, WPA passphrases included, crosses the network in the clear, so it is worth enabling even on a home network.
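As an added example (not configuration from the original post), here is a minimal secured manager/CAP pairing in the RouterOS 6 `/caps-man` syntax (RouterOS 7's newer wifi package uses a different menu tree). The `bridge` and `wlan1`/`wlan2` interface names and the manager address 192.168.88.1 are assumptions for illustration:

```routeros
# --- On the CAPsMAN router (added example; RouterOS 6 "caps-man" syntax assumed) ---
/caps-man manager
# certificate=auto / ca-certificate=auto make RouterOS create a CA and a
# manager certificate. require-peer-certificate=yes refuses CAPs that do not
# present a certificate signed by that CA, so only enrolled APs get config pushed.
set enabled=yes certificate=auto ca-certificate=auto require-peer-certificate=yes

# Only listen for CAPs on the LAN-side bridge, never on the WAN port.
# The default "all interfaces" entry is forbidden and the bridge added explicitly.
/caps-man manager interface
set [ find default=yes ] forbid=yes
add interface=bridge disabled=no

# --- On each CAP (a remote AP, or the same router for a local CAP) ---
/interface wireless cap
# certificate=request asks CAPsMAN to issue this CAP a certificate on first
# contact; lock-to-caps-man=yes then pins the CAP to the manager it enrolled
# with, so a rogue CAPsMAN on the same segment cannot take over the AP later.
# caps-man-addresses selects Layer 3 (UDP) discovery; for Layer 2 discovery
# use discovery-interfaces=bridge instead (assumed interface name).
set enabled=yes interfaces=wlan1,wlan2 caps-man-addresses=192.168.88.1 \
    certificate=request lock-to-caps-man=yes

# Verify on the CAP that a certificate was issued, and on the manager that
# the CAP is listed as a remote CAP.
/interface wireless cap print
/caps-man remote-cap print
```

Enrol the CAPs while only trusted devices are on the segment: `certificate=request` is a trust-on-first-use step, and the lock only protects a CAP after that first successful enrolment.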

I wonder how similar it is to CAPWAP?

Using CAPsMAN with a Local Access Point (CAP)

CAPsMAN can also configure an access point or CAP running on the same device as CAPsMAN itself. However, it might require additional firewall rules to allow the communication between the CAP and the CAPs manager.

By default, RouterOS adds a firewall rule on the input chain that accepts traffic destined to the local loopback address (127.0.0.1) so that a local CAPsMAN and a local CAP can talk to each other:

but all of the local CAPsMAN communication is still blocked by the following rule (also added by default), which drops everything arriving at the router that does not come in through an interface in the LAN interface list:


Default firewall rules for the Mikrotik Home Mesh quick-set or profile.

That’s because all of the CAPsMAN traffic looks like this to the router:

RouterOS firewall blocking local CAP setup via CAPsMAN on the same device.

Notice how the in and out interfaces are shown as unknown in the log entries. CAPsMAN is using the MAC layer rather than the IP layer for the exchange, so the packets carry no ingress interface; they never match the LAN interface list and fall through to the catch-all drop rule. See this forum thread for additional insight.

There are two solutions to this:

First, configure the local CAP to use 127.0.0.1 as the CAPsMAN address:

which makes the CAP use the IP layer for CAPsMAN communication, so the packets are addressed to the loopback address and match the default local loopback firewall rule.

Specify the CAPsMAN address as 127.0.0.1 for the local CAP.

Alternatively, add a new firewall rule on the input chain (the chain for traffic addressed to the router itself, as opposed to traffic passing through it) that accepts packets whose source address type and destination address type are both "local", i.e. both addresses belong to the router:

and place it above the rule that drops traffic not coming from the LAN. Filter rules are evaluated top to bottom and the first matching accept or drop wins, so a rule placed below the drop never sees the packet.


New RouterOS firewall rule to allow all “local” address-type traffic on the “input” chain.
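The two fixes above as RouterOS commands, an added example rather than the post's own configuration. The first five rules reproduce the input-chain rules of a RouterOS 6 home-router default configuration as I know them (the comments beginning with "defconf:" are MikroTik's; check your own with `/ip firewall filter print`). The `wlan1`/`wlan2` interface names and the comment on the new rule are assumptions:

```routeros
# Added example: RouterOS 6 defconf input rules, then the two local-CAP fixes.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" \
    dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

# Option A: point the local CAP at the loopback address. CAP<->manager traffic
# then travels as plain IP to 127.0.0.1 and matches the existing loopback rule,
# so no new firewall rule is needed. (wlan1,wlan2 assumed.)
/interface wireless cap
set enabled=yes interfaces=wlan1,wlan2 caps-man-addresses=127.0.0.1 certificate=request

# Option B: keep MAC-layer CAPsMAN and accept router-to-router traffic on the
# input chain regardless of interface. place-before puts the rule above the
# "drop all not coming from LAN" rule; rules are matched top to bottom and the
# first matching accept/drop wins, so below the drop it would never fire.
/ip firewall filter
add action=accept chain=input comment="accept local CAPsMAN (MAC-layer local CAP)" \
    src-address-type=local dst-address-type=local \
    place-before=[find comment="defconf: drop all not coming from LAN"]

# Check that the rule landed above the drop and that its packet counter moves
# once the local CAP connects.
/ip firewall filter print stats where chain=input
```

Prefer Option A where it works. Option B is a wider exception: its only matchers are address ownership, so it accepts a packet carrying one of the router's own addresses as source on any interface, WAN included, which is exactly what a spoofed packet would carry. If you do use it, confirm on your own WAN side that a packet with a forged router address does not increment the rule's counter, and keep the rule's comment descriptive so the next person understands why it sits above the drop.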

Here are posts and forum threads I’ve found useful when learning about RouterOS CAPsMAN:


Source: kaspars.net