Building corporate Wi-Fi network using MikroTik CAPsMAN, cAP 2n and Cisco switches
The Objective
The request from the client was to have a WiFi network for the company employees and a separate WiFi network for company guests.
The Network
I have a network similar to the one in the diagram below.
The MikroTik CCR acts as the router for Internet connectivity and terminates the VPN that interconnects this site with the main office.
The Hardware
The company's central router was already a MikroTik CCR, so I decided to use it to manage the access points through the Controlled Access Point system Manager (CAPsMAN). I chose six MikroTik cAP 2n units as access points, distributed across three floors, because they can be ceiling-mounted. Cisco SG 300-52 switches were already installed at the location.
Configuring the CCR router and CAPsMAN
We need VLAN interfaces on the router for routing and NAT. I already use Ethernet port 12 on the CCR for VLANs, so the example is based on it.
/interface vlan
add interface=ether12 name=WLAN vlan-id=600
add interface=ether12 name=WiFiGuest vlan-id=700
Now let's add IP addresses on the interfaces; they will be the default gateways for the wireless clients.
/ip address
add address=10.0.0.1/24 interface=WLAN network=10.0.0.0
add address=172.30.90.1/24 interface=WiFiGuest network=172.30.90.0
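Two VLANs with two gateways only separate broadcast domains: unless the CCR filters between them, a guest client can still route to 10.0.0.0/24 (and through the VPN to the main office) and can reach the router's own services. The rules below are an added example, not part of the original article. They assume the interface names and subnets configured above and a hypothetical uplink interface named ether1 for the guest NAT; RouterOS evaluates filter rules in order, so the drop rules must sit above any general accept rule that already exists in the input and forward chains.

```routeros
# Added example (not from the original article): keep the guest VLAN away from
# everything except the Internet. Assumes WLAN = 10.0.0.0/24, WiFiGuest =
# 172.30.90.0/24 and a hypothetical WAN interface called ether1.

/ip firewall address-list
add list=internal address=10.0.0.0/8 comment="corporate LANs and VPN ranges"
add list=internal address=172.16.0.0/12
add list=internal address=192.168.0.0/16

/ip firewall filter
# Guests may talk to the gateway itself only for DHCP and DNS
add chain=input in-interface=WiFiGuest protocol=udp dst-port=67,53 action=accept comment="guest DHCP and DNS"
add chain=input in-interface=WiFiGuest action=drop comment="no router access from guests"
# Guests may be forwarded anywhere except the internal address ranges
add chain=forward in-interface=WiFiGuest dst-address-list=internal action=drop comment="guests reach the Internet only"

/ip firewall nat
# Hide the guest subnet behind the uplink address (ether1 is a placeholder)
add chain=srcnat src-address=172.30.90.0/24 out-interface=ether1 action=masquerade
```

Check the result from a guest client rather than trusting the rule list: a ping to 10.0.0.1 or to a host on 10.0.0.0/24 must fail while DNS and Internet access still work. If the CCR already has an early "accept established,related" rule in the forward chain, the drop still works, because the first packet of any guest-to-internal connection is new and is dropped before a connection can be established.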
Now let's create the CAPsMAN datapaths for the two VLANs.
/caps-man datapath
add local-forwarding=yes name=inet_vlan_600 vlan-id=600 vlan-mode=use-tag
add local-forwarding=yes name=guest_vlan_700 vlan-id=700 vlan-mode=use-tag
As you can see we use local-forwarding=yes. In this mode the wireless interface on the CAP behaves as a normal interface and takes part in normal data forwarding: the wireless interface accepts and passes data to the networking stack on the CAP itself. CAPsMAN does not participate in data forwarding and does not process any data frames; it only controls the interface configuration and the client association process. Because of vlan-mode=use-tag, every client frame leaves the CAP's Ethernet port tagged with VLAN 600 or 700, which is why the switch ports facing the access points are configured as trunks later on.
Now let's create the wireless security profiles for the networks.
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=Intranet passphrase="somecoolintranet password"
add authentication-types=wpa2-psk encryption=aes-ccm name=Guests passphrase=guestpassword
Both profiles use WPA2-PSK with AES-CCM. Keep in mind that a single shared passphrase on the employee network is known to every current and former employee, so it has to be rotated whenever somebody leaves; if per-user credentials are wanted, CAPsMAN also supports authentication-types=wpa2-eap against a RADIUS server.
Now we will configure the WiFi channel and frequencies for the networks.
/caps-man channel
add band=2ghz-onlyn extension-channel=Ce frequency=2412 name=Intranet width=20
add band=2ghz-onlyn extension-channel=Ce frequency=2462 name=Guests width=20
Two remarks on these channels. First, the guest SSID is provisioned below as a slave (virtual AP) configuration, and a virtual AP shares the physical radio of its master, so it always operates on the master's channel; the Guests channel definition is therefore not applied on the same cAP. Second, extension-channel=Ce asks for a 40 MHz channel with the extension above the control channel, which on the crowded 2.4 GHz band overlaps neighbouring channels and, for frequency 2462 (channel 11), points above the usable range; a plain 20 MHz channel without an extension is usually the better choice there.
Now let's set up the configurations we will provide to the remote access points and enable CAPsMAN. The provisioning rule below has no matching criteria (such as radio-mac, identity-regexp or common-name-regexp), so it applies to every CAP that registers with this CAPsMAN; if an unknown board must not be able to join and broadcast the corporate SSID, add such a match or require a certificate from the CAPs.
/caps-man configuration
add channel=Intranet country=russia datapath=inet_vlan_600 mode=ap name=intranet security=Intranet ssid=WiFi-Intranet
add channel=Guests country=russia datapath=guest_vlan_700 mode=ap name=guests security=Guests ssid=WiFi-Guests
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=intranet \
slave-configurations=guests
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
Configuring the Cisco SG 300-52 switches
Because we have separate VLANs for the two networks, the switch ports going to the MikroTik CCR router and to the cAP 2n access points have to be trunk ports. The native (untagged) VLAN of the ports facing the access points carries the CAPs' own management traffic and the CAPsMAN discovery, so that VLAN must reach the CCR as well.
Assuming port Gi52 goes to the CCR and ports Gi43-49 go to the cAP 2n access points, let's do the configuration.
SW2#conf t
SW2(config)#interface gigabitethernet52
SW2(config-if)#switchport mode trunk
SW2(config-if)#switchport trunk allowed vlan add 600,700
SW2(config-if)#exit
SW2(config)#interface range gi43-49
SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#switchport trunk allowed vlan add 600,700
Enabling Controlled Access Point (CAP) on the Wireless Access points
Enabling CAP on the access point requires only one command.
[admin@AP1-1] > /interface wireless cap set enabled=yes
We do that for all our access points. With nothing else set, a CAP discovers a manager by layer-2 broadcast and connects to the first CAPsMAN that answers, so it is worth pinning it to the CCR once the setup works.
That's all, now all our access points are managed by the central CAPsMAN.
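The following is an added example, not part of the original article, showing how to tie the CAPs and the CAPsMAN to each other so that neither side accepts an arbitrary peer: the manager requires a certificate issued by its own CA, and each cAP 2n requests one on first contact, is pointed at the CCR's address and is locked to that manager afterwards. The address 10.0.0.1 is a placeholder for whichever CCR address the CAP's management network can actually reach.

```routeros
# Added example (not from the original article): mutual pinning of CAP and CAPsMAN.
# 10.0.0.1 is a placeholder; use a CCR address reachable from the CAP's management VLAN.

# On the CCR: generate the CA and manager certificate, and refuse CAPs without one
/caps-man manager
set enabled=yes certificate=auto ca-certificate=auto require-peer-certificate=yes

# On each cAP 2n: request a certificate from the manager, connect to the CCR
# directly instead of relying on broadcast discovery, and lock to that manager
/interface wireless cap
set enabled=yes caps-man-addresses=10.0.0.1 certificate=request lock-to-caps-man=yes
```

Do the first connection of each CAP while require-peer-certificate is still off on the manager, so the CAP can obtain its certificate; then enable the requirement. Afterwards /caps-man remote-cap on the CCR should list all six units with a common name assigned, and a CAP whose certificate was not issued by this CA no longer registers.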
Any suggestions and comments are accepted.
NOC Engineer at TPLEX (2 years ago)
Very nice info.
Systems and network administrator at CNRS Côte d'Azur (3 years ago)
Hello, I don't discover CAPsMAN over the CAP. Can you help me please?
This will not work if you have more than one AP connected to the MikroTik, because you chose to set the VLAN on the interface. What about having two access points connected to different ports that need the same VLAN? Missing bridge.
Manager at Socol Town Hall (6 years ago)
Please send me an email at [email protected]. We are interested in a collaboration. Thank you!
Looking for a new challenge / opportunity (7 years ago)
I don't think a slave interface will take the channel into consideration. You can set a different channel on each AP, but not on the same physical interface. I doubt that you will see different channels for Guest and Wlan on the same AP if you look with a WiFi analyzer :).