jazzymc/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

WiFi VLAN fixes, CAP bridge filtering, AdGuard IP conflicts, channel optimization
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details

Browse Source 
- Enable bridge VLAN filtering on CAP for proper per-client VLAN assignment
- Fix AdGuard container IP conflicts (.2→.10, .3→.11) with static IPs
- Fix 2.4GHz co-channel interference (both APs were on ch 1, CAP now ch 6)
- Fix 5GHz overlap (HAP ch 36/5180, CAP moved to ch 52/5260)
- Update WiFi access-list: VLAN assignment now active with per-device VLAN IDs
- Add Xiaomi Air Purifier MC1 to VLAN 30 access-list

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Kaloyan Danchev
2026-02-27 09:40:29 +02:00
parent cdb961f943
commit 7867b5c950
3 changed files with 78 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
docs/07-WIFI-CAPSMAN-CONFIG.md
View File

@@ -1,6 +1,6 @@
# WiFi and CAPsMAN Configuration # WiFi and CAPsMAN Configuration
**Last Updated:** 2026-02-14 **Last Updated:** 2026-02-26
**Purpose:** Document WiFi network settings, CAPsMAN configuration, and device compatibility requirements **Purpose:** Document WiFi network settings, CAPsMAN configuration, and device compatibility requirements
--- ---
@@ -23,8 +23,8 @@
| SSID | XTRM | | SSID | XTRM |
| Band | 5GHz | | Band | 5GHz |
| Mode | 802.11ax (WiFi 6) | | Mode | 802.11ax (WiFi 6) |
| Channel | Auto (DFS enabled) | | Channel | 5180 MHz (ch 36) |
| Width | 80MHz | | Width | 40MHz |
| Security | WPA2-PSK + WPA3-PSK | | Security | WPA2-PSK + WPA3-PSK |
| Cipher | CCMP (AES) | | Cipher | CCMP (AES) |
| 802.11r (FT) | Enabled | | 802.11r (FT) | Enabled |
@@ -98,44 +98,73 @@ If devices still can't connect, use WPA-only with TKIP-only:
| Interfaces | bridge, vlan10-mgmt | | Interfaces | bridge, vlan10-mgmt |
| Certificate | Auto-generated | | Certificate | Auto-generated |
### CAP Device (CAP XL ac - 192.168.10.2) ### CAP Device (cAP XL ac - 192.168.10.2)
| Setting | Value | | Setting | Value |
|---------|-------| |---------|-------|
| caps-man-addresses | 192.168.10.1 | | caps-man-addresses | 192.168.10.1 |
| discovery-interfaces | bridgeLocal |
| slaves-datapath | capdp (bridge=bridgeLocal, vlan-id=40) |
| certificate | request | | certificate | request |
| RouterOS | 7.21.1 | | RouterOS | 7.21.1 |
| SSH Port | 2222 | | SSH Port | 2222 |
| SSH | `ssh -i ~/.ssh/mikrotik_key -p 2222 xtrm@192.168.10.2` | | SSH (via proxy) | See ProxyJump command below |
**Note:** CAP was factory reset on 2026-02-13. CAPsMAN certificate was regenerated and CAP re-enrolled with `certificate=request`. **SSH Access:** Direct SSH to CAP is unreliable. Use ProxyJump through Unraid:
```bash
ssh -o ProxyCommand="ssh -i ~/.ssh/id_ed25519_unraid -p 422 -W %h:%p root@192.168.10.20" -i ~/.ssh/mikrotik_key -p 2222 xtrm@192.168.10.2
```
### CAP Bridge VLAN Filtering
The CAP runs bridge VLAN filtering to properly tag/untag WiFi client traffic before sending it to the HAP over the trunk link (ether1):
| Setting | Value |
|---------|-------|
| bridgeLocal | vlan-filtering=yes, pvid=10 |
| ether1 (trunk) | bridge port, PVID=10 |
| wifi1, wifi2 | dynamic bridge ports, PVID=40 (set by datapath vlan-id) |
**Bridge VLAN Table:**
| VLAN | ether1 | wifi1 | wifi2 | bridgeLocal | Purpose |
|------|--------|-------|-------|-------------|---------|
| 10 | untagged | - | - | untagged | Management |
| 20 | tagged | tagged | tagged | - | Trusted |
| 25 | tagged | tagged | tagged | - | Kids |
| 30 | tagged | tagged | tagged | - | IoT |
| 35 | tagged | tagged | tagged | - | Cameras |
| 40 | tagged | untagged | untagged | - | CatchAll (default) |
### CAP Interfaces ### CAP Interfaces
| Interface | Radio | Band | SSID | Security | Status | | Interface | Radio | Band | SSID | Security | Status |
|-----------|-------|------|------|----------|--------| |-----------|-------|------|------|----------|--------|
| cap-wifi1 | wifi1 | 2.4GHz | XTRM2 | WPA2-PSK, CCMP | Working | | cap-wifi1 | wifi2 | 5GHz | XTRM | WPA2/WPA3-PSK, CCMP | Working (Ch 52/5260, 40MHz, DFS) |
| cap-wifi2 | wifi2 | 5GHz | XTRM | WPA2/WPA3-PSK | Working (Ch 5220, 20/40MHz) | | cap-wifi2 | wifi1 | 2.4GHz | XTRM2 | WPA2-PSK, CCMP | Working (Ch 6/2437, 20MHz) |
**Note:** cap-wifi1 uses cfg-xtrm2 but with WPA2+CCMP only (not WPA+TKIP like the local wifi2). Legacy IoT devices requiring TKIP will only work on HAP1's local wifi2. **Note:** cap-wifi2 uses WPA2+CCMP only (not WPA+TKIP like HAP's local wifi2). Legacy IoT devices requiring TKIP will only work on HAP1's local wifi2.
--- ---
## WiFi Access List ## WiFi Access List
**Status:** VLAN assignment via access list is **not active** (rolled back 2026-01-27). All entries use `action=accept` without VLAN ID. Devices get their VLAN via DHCP static leases on the bridge. **Status:** VLAN assignment via access list is **active**. Each entry has a `vlan-id` that assigns the device to the correct VLAN upon WiFi association. This works on both HAP (local) and CAP (remote, via bridge VLAN filtering).
**29 entries** configured (MAC-based accept rules + 1 default catch-all): **30+ entries** configured (MAC-based accept rules with VLAN IDs + 1 default catch-all):
| # | MAC | Device | Notes | | # | MAC | Device | VLAN |
|---|-----|--------|-------| |---|-----|--------|------|
| 0 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra - Kaloyan | | | 0 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra - Kaloyan | 20 |
| 1 | 82:6D:FB:D9:E0:47 | MacBook Air - Nora | | | 1 | 82:6D:FB:D9:E0:47 | MacBook Air - Nora | 20 |
| 12 | CE:B8:11:EA:8D:55 | MacBook - Kaloyan | | | 12 | CE:B8:11:EA:8D:55 | MacBook - Kaloyan | 20 |
| 13 | BE:A7:95:87:19:4A | MacBook 5GHz - Kaloyan | | | 13 | BE:A7:95:87:19:4A | MacBook 5GHz - Kaloyan | 20 |
| 27 | B8:27:EB:32:B2:13 | RecalBox RPi3 | VLAN 25 (Kids) | | 27 | B8:27:EB:32:B2:13 | RecalBox RPi3 | 25 |
| 28 | CC:5E:F8:D3:37:D3 | ASUS ROG Ally - Kaloyan | | | 28 | CC:5E:F8:D3:37:D3 | ASUS ROG Ally - Kaloyan | 20 |
| 29 | (any) | Default - VLAN40 | Catch-all | | 31 | C8:5C:CC:40:B4:AA | Xiaomi Air Purifier 2 | 30 |
| 32 | (any) | Default - VLAN40 | 40 (catch-all) |
**Default behavior:** Devices not in the access list get VLAN 40 (CatchAll) via the default rule and the datapath `vlan-id=40`.
### Show Full Access List ### Show Full Access List

25
docs/08-DNS-ARCHITECTURE.md
View File

@@ -1,6 +1,6 @@
# DNS Architecture with AdGuard Failover # DNS Architecture with AdGuard Failover
**Last Updated:** 2026-02-06 **Last Updated:** 2026-02-26
--- ---
@@ -194,8 +194,10 @@ Settings are synced from Unraid (source of truth) to MikroTik every 30 minutes.
### Sync Container ### Sync Container
Container: `adguardhome-sync` at 192.168.10.11 (br0 macvlan, static IP)
```yaml ```yaml
# /mnt/user/appdata/adguard-sync/adguardhome-sync.yaml # /mnt/user/appdata/dockge/stacks/adguard-sync/adguardhome-sync.yaml
cron: "*/30 * * * *" cron: "*/30 * * * *"
runOnStart: true runOnStart: true
@@ -204,22 +206,13 @@ origin:
username: jazzymc username: jazzymc
password: 7RqWElENNbZnPW password: 7RqWElENNbZnPW
replicas: replica:
- url: http://192.168.10.1:3000 url: http://192.168.10.1:3000
username: jazzymc username: jazzymc
password: 7RqWElENNbZnPW password: 7RqWElENNbZnPW
features:
dns:
serverConfig: false
accessLists: true
rewrites: true
filters: true
clientSettings: true
services: true
``` ```
**Note:** The sync container must be connected to both `dockerproxy` and `br0` networks to reach both AdGuard instances. **Note:** The sync container is on the `br0` macvlan network with a static IP to avoid conflicts with infrastructure devices.
--- ---

20
docs/CHANGELOG.md
View File

@@ -4,6 +4,26 @@
--- ---
## 2026-02-26
### WiFi & CAP VLAN Fixes
- **[WIFI]** Fixed 5GHz channel overlap: HAP wifi1 reduced from 80MHz to 40MHz at 5180MHz, CAP cap-wifi1 at 5220MHz (no overlap)
- **[WIFI]** Restored all 29 WiFi access-list MAC→VLAN entries (were missing/lost)
- **[WIFI]** Fixed cap-wifi2 band mismatch: was `band=2ghz-n` with frequency=5220 (5GHz), corrected to frequency=2412
- **[CAPSMAN]** Enabled bridge VLAN filtering on CAP (cAP XL ac) — all VLANs now properly tagged through CAP
- **[CAPSMAN]** CAP bridgeLocal config: vlan-filtering=yes, pvid=10, VLANs 10/20/25/30/35/40 with proper tagged/untagged members
- **[CAPSMAN]** Set `capdp` datapath vlan-id=40 for default PVID on dynamic wifi bridge ports
- **[CAPSMAN]** VLAN assignment through CAP now working — access-list vlan-id entries propagate correctly
- **[NETWORK]** Fixed AdGuard Home IP conflict: container was at 192.168.10.2 (CAP's IP), now static at 192.168.10.10
- **[NETWORK]** Fixed adguardhome-sync IP conflict: was at 192.168.10.3 (CSS326's IP), now static at 192.168.10.11
- **[WIFI]** Added Xiaomi Air Purifier 2 (C8:5C:CC:40:B4:AA) to access-list as VLAN 30 (IoT)
### WiFi Quality Optimization
- **[WIFI]** Fixed 2.4GHz co-channel interference: HAP on ch 1 (2412), CAP moved from ch 1 to ch 6 (2437)
- **[WIFI]** Fixed 5GHz overlap: HAP stays ch 36 (5180, 40MHz), CAP moved from ch 44 (5220) to ch 52 (5260, DFS)
- **[WIFI]** Fixed CAP 2.4GHz width from 40MHz to 20MHz for IoT compatibility
- **[WIFI]** TX power kept at defaults (17/16 dBm) — reduction caused kitchen coverage loss through concrete walls
## 2026-02-24 ## 2026-02-24
### Motherboard Replacement & NVMe Cache Pool ### Motherboard Replacement & NVMe Cache Pool