diff --git a/docs/07-WIFI-CAPSMAN-CONFIG.md b/docs/07-WIFI-CAPSMAN-CONFIG.md index 36f53d9..d1833a9 100644 --- a/docs/07-WIFI-CAPSMAN-CONFIG.md +++ b/docs/07-WIFI-CAPSMAN-CONFIG.md @@ -1,6 +1,6 @@ # WiFi and CAPsMAN Configuration -**Last Updated:** 2026-02-14 +**Last Updated:** 2026-02-26 **Purpose:** Document WiFi network settings, CAPsMAN configuration, and device compatibility requirements --- @@ -23,8 +23,8 @@ | SSID | XTRM | | Band | 5GHz | | Mode | 802.11ax (WiFi 6) | -| Channel | Auto (DFS enabled) | -| Width | 80MHz | +| Channel | 5180 MHz (ch 36) | +| Width | 40MHz | | Security | WPA2-PSK + WPA3-PSK | | Cipher | CCMP (AES) | | 802.11r (FT) | Enabled | 
@@ -98,44 +98,73 @@ If devices still can't connect, use WPA-only with TKIP-only: | Interfaces | bridge, vlan10-mgmt | | Certificate | Auto-generated | -### CAP Device (CAP XL ac - 192.168.10.2) +### CAP Device (cAP XL ac - 192.168.10.2) | Setting | Value | |---------|-------| | caps-man-addresses | 192.168.10.1 | +| discovery-interfaces | bridgeLocal | +| slaves-datapath | capdp (bridge=bridgeLocal, vlan-id=40) | | certificate | request | | RouterOS | 7.21.1 | | SSH Port | 2222 | -| SSH | `ssh -i ~/.ssh/mikrotik_key -p 2222 xtrm@192.168.10.2` | +| SSH (via proxy) | See ProxyJump command below | -**Note:** CAP was factory reset on 2026-02-13. CAPsMAN certificate was regenerated and CAP re-enrolled with `certificate=request`. +**SSH Access:** Direct SSH to CAP is unreliable. Use ProxyJump through Unraid: +```bash +ssh -o ProxyCommand="ssh -i ~/.ssh/id_ed25519_unraid -p 422 -W %h:%p root@192.168.10.20" -i ~/.ssh/mikrotik_key -p 2222 xtrm@192.168.10.2 +``` + +### CAP Bridge VLAN Filtering + +The CAP runs bridge VLAN filtering to properly tag/untag WiFi client traffic before sending it to the HAP over the trunk link (ether1): + +| Setting | Value | +|---------|-------| +| bridgeLocal | vlan-filtering=yes, pvid=10 | +| ether1 (trunk) | bridge port, PVID=10 | +| wifi1, wifi2 | dynamic bridge ports, PVID=40 (set by datapath vlan-id) | + +**Bridge VLAN Table:** + +| VLAN | ether1 | wifi1 | wifi2 | bridgeLocal | Purpose | +|------|--------|-------|-------|-------------|---------| +| 10 | untagged | - | - | untagged | Management | +| 20 | tagged | tagged | tagged | - | Trusted | +| 25 | tagged | tagged | tagged | - | Kids | +| 30 | tagged | tagged | tagged | - | IoT | +| 35 | tagged | tagged | tagged | - | Cameras | +| 40 | tagged | untagged | untagged | - | CatchAll (default) | ### CAP Interfaces | Interface | Radio | Band | SSID | Security | Status | |-----------|-------|------|------|----------|--------| -| cap-wifi1 | wifi1 | 2.4GHz | XTRM2 | WPA2-PSK, CCMP | Working | -| 
cap-wifi2 | wifi2 | 5GHz | XTRM | WPA2/WPA3-PSK | Working (Ch 5220, 20/40MHz) | +| cap-wifi1 | wifi2 | 5GHz | XTRM | WPA2/WPA3-PSK, CCMP | Working (Ch 52/5260, 40MHz, DFS) | +| cap-wifi2 | wifi1 | 2.4GHz | XTRM2 | WPA2-PSK, CCMP | Working (Ch 6/2437, 20MHz) | -**Note:** cap-wifi1 uses cfg-xtrm2 but with WPA2+CCMP only (not WPA+TKIP like the local wifi2). Legacy IoT devices requiring TKIP will only work on HAP1's local wifi2. +**Note:** cap-wifi2 uses WPA2+CCMP only (not WPA+TKIP like HAP's local wifi2). Legacy IoT devices requiring TKIP will only work on HAP1's local wifi2. --- ## WiFi Access List -**Status:** VLAN assignment via access list is **not active** (rolled back 2026-01-27). All entries use `action=accept` without VLAN ID. Devices get their VLAN via DHCP static leases on the bridge. +**Status:** VLAN assignment via access list is **active**. Each entry has a `vlan-id` that assigns the device to the correct VLAN upon WiFi association. This works on both HAP (local) and CAP (remote, via bridge VLAN filtering). 
-**29 entries** configured (MAC-based accept rules + 1 default catch-all): +**30+ entries** configured (MAC-based accept rules with VLAN IDs + 1 default catch-all): -| # | MAC | Device | Notes | -|---|-----|--------|-------| -| 0 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra - Kaloyan | | -| 1 | 82:6D:FB:D9:E0:47 | MacBook Air - Nora | | -| 12 | CE:B8:11:EA:8D:55 | MacBook - Kaloyan | | -| 13 | BE:A7:95:87:19:4A | MacBook 5GHz - Kaloyan | | -| 27 | B8:27:EB:32:B2:13 | RecalBox RPi3 | VLAN 25 (Kids) | -| 28 | CC:5E:F8:D3:37:D3 | ASUS ROG Ally - Kaloyan | | -| 29 | (any) | Default - VLAN40 | Catch-all | +| # | MAC | Device | VLAN | +|---|-----|--------|------| +| 0 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra - Kaloyan | 20 | +| 1 | 82:6D:FB:D9:E0:47 | MacBook Air - Nora | 20 | +| 12 | CE:B8:11:EA:8D:55 | MacBook - Kaloyan | 20 | +| 13 | BE:A7:95:87:19:4A | MacBook 5GHz - Kaloyan | 20 | +| 27 | B8:27:EB:32:B2:13 | RecalBox RPi3 | 25 | +| 28 | CC:5E:F8:D3:37:D3 | ASUS ROG Ally - Kaloyan | 20 | +| 31 | C8:5C:CC:40:B4:AA | Xiaomi Air Purifier 2 | 30 | +| 32 | (any) | Default - VLAN40 | 40 (catch-all) | + +**Default behavior:** Devices not in the access list get VLAN 40 (CatchAll) via the default rule and the datapath `vlan-id=40`. ### Show Full Access List diff --git a/docs/08-DNS-ARCHITECTURE.md b/docs/08-DNS-ARCHITECTURE.md index eefd219..5b1a1f7 100644 --- a/docs/08-DNS-ARCHITECTURE.md +++ b/docs/08-DNS-ARCHITECTURE.md @@ -1,6 +1,6 @@ # DNS Architecture with AdGuard Failover -**Last Updated:** 2026-02-06 +**Last Updated:** 2026-02-26 --- @@ -194,8 +194,10 @@ Settings are synced from Unraid (source of truth) to MikroTik every 30 minutes. ### Sync Container +Container: `adguardhome-sync` at 192.168.10.11 (br0 macvlan, static IP) + ```yaml -# /mnt/user/appdata/adguard-sync/adguardhome-sync.yaml +# /mnt/user/appdata/dockge/stacks/adguard-sync/adguardhome-sync.yaml cron: "*/30 * * * *" runOnStart: true 
@@ -204,22 +206,13 @@ origin: username: jazzymc password: 7RqWElENNbZnPW -replicas: - - url: http://192.168.10.1:3000 - username: jazzymc - password: 7RqWElENNbZnPW - -features: - dns: - serverConfig: false - accessLists: true - rewrites: true - filters: true - clientSettings: true - services: true +replica: + url: http://192.168.10.1:3000 + username: jazzymc + password: 7RqWElENNbZnPW ``` -**Note:** The sync container must be connected to both `dockerproxy` and `br0` networks to reach both AdGuard instances. +**Note:** The sync container is on the `br0` macvlan network with a static IP to avoid conflicts with infrastructure devices. --- diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 23c9835..3ed270c 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md 
@@ -4,6 +4,26 @@ --- +## 2026-02-26 + +### WiFi & CAP VLAN Fixes +- **[WIFI]** Fixed 5GHz channel overlap: HAP wifi1 reduced from 80MHz to 40MHz at 5180MHz, CAP cap-wifi1 at 5220MHz (no overlap) +- **[WIFI]** Restored all 29 WiFi access-list MAC→VLAN entries (were missing/lost) +- **[WIFI]** Fixed cap-wifi2 band mismatch: was `band=2ghz-n` with frequency=5220 (5GHz), corrected to frequency=2412 +- **[CAPSMAN]** Enabled bridge VLAN filtering on CAP (cAP XL ac) — all VLANs now properly tagged through CAP +- **[CAPSMAN]** CAP bridgeLocal config: vlan-filtering=yes, pvid=10, VLANs 10/20/25/30/35/40 with proper tagged/untagged members +- **[CAPSMAN]** Set `capdp` datapath vlan-id=40 for default PVID on dynamic wifi bridge ports +- **[CAPSMAN]** VLAN assignment through CAP now working — access-list vlan-id entries propagate correctly +- **[NETWORK]** Fixed AdGuard Home IP conflict: container was at 192.168.10.2 (CAP's IP), now static at 192.168.10.10 +- **[NETWORK]** Fixed adguardhome-sync IP conflict: was at 192.168.10.3 (CSS326's IP), now static at 192.168.10.11 +- **[WIFI]** Added Xiaomi Air Purifier 2 (C8:5C:CC:40:B4:AA) to access-list as VLAN 30 (IoT) + +### WiFi Quality Optimization +- **[WIFI]** Fixed 2.4GHz co-channel interference: HAP on ch 1 (2412), CAP moved from ch 1 to ch 6 (2437) +- **[WIFI]** Fixed 5GHz overlap: HAP stays ch 36 (5180, 40MHz), CAP moved from ch 44 (5220) to ch 52 (5260, DFS) +- **[WIFI]** Fixed CAP 2.4GHz width from 40MHz to 20MHz for IoT compatibility +- **[WIFI]** TX power kept at defaults (17/16 dBm) — reduction caused kitchen coverage loss through concrete walls + ## 2026-02-24 ### Motherboard Replacement & NVMe Cache Pool
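Review bot: in the 07-WIFI-CAPSMAN-CONFIG hunk the CAP Interfaces table now maps `cap-wifi1` to radio `wifi2` (5GHz) and `cap-wifi2` to radio `wifi1` (2.4GHz), so the interface numbering no longer follows the radio numbering; either say explicitly that the names are swapped relative to the radios, or reorder the rows, otherwise the note below it ("cap-wifi2 uses WPA2+CCMP only") reads as if it were the 5GHz radio. Smaller points in the same hunk: the table row is labelled "SSH (via proxy)" and the text says "Use ProxyJump", but the command is a `ProxyCommand` one-liner with two identity files; a `Host cap` entry in `~/.ssh/config` with `ProxyJump`, `Port` and the two `IdentityFile` lines would be less error-prone to copy, and "Direct SSH to CAP is unreliable" should record why (whether it is the VLAN filtering change or something else) so the workaround can be retired. "30+ entries" is imprecise when the CHANGELOG states 29 restored plus 1 added; state the exact count. The Bridge VLAN Table correctly keeps `wifi1`/`wifi2` out of VLAN 10, but it does not record whether `ingress-filtering` and `frame-types` are set on the dynamic wifi ports; worth adding so it is clear a client cannot inject its own 802.1Q tag into another VLAN.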
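Review bot: the second 08-DNS-ARCHITECTURE hunk adds `password: 7RqWElENNbZnPW` on a `+` line again, so a live AdGuard credential is committed in plaintext in a docs file; replace it with a placeholder in the doc and keep the real value out of the yaml (environment variable or a secret file outside the repo), and rotate it since it is already in history. Separately, dropping the whole `features:` block (including `serverConfig: false`) changes what the sync pushes to the MikroTik replica beyond what the updated note describes; if excluding the DNS server config was deliberate, restore that setting or state that defaults are now relied on. Also confirm the deployed adguardhome-sync version accepts the singular `replica:` key introduced in place of `replicas:`.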
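Review bot: the CHANGELOG hunk contradicts itself on the CAP 5GHz channel: "WiFi & CAP VLAN Fixes" says "CAP cap-wifi1 at 5220MHz (no overlap)", while "WiFi Quality Optimization" says "CAP moved from ch 44 (5220) to ch 52 (5260, DFS)" and the 07 doc table shows 5260. Mark the first bullet as superseded or fold it into the second so the current state is unambiguous. Likewise "Restored all 29 WiFi access-list MAC→VLAN entries" does not match the "30+ entries" wording in 07; align the numbers. Since the CAP now sits on a DFS channel, it would help to add one line noting that radar detection can force an automatic channel change, so a future "CAP moved channel by itself" observation is not mistaken for a config drift.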