diff --git a/docs/00-CURRENT-STATE.md b/docs/00-CURRENT-STATE.md index bd1f2a8..1ec8c8b 100644 --- a/docs/00-CURRENT-STATE.md +++ b/docs/00-CURRENT-STATE.md @@ -17,7 +17,11 @@ | WAN IP (Static) | 62.73.120.142 | | LAN Subnet | 192.168.31.0/24 | | Docker Bridge | 172.17.0.0/24 | -| SSH Access | `ssh -i /root/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1` | +| SSH Access | `ssh -i /root/.ssh/mikrotik_key -p 2222 xtrm@192.168.31.1` | + +**SSH Users:** +- `xtrm` - Primary admin user (key-based from Unraid) +- `unraid` - Secondary admin user (key-based from Unraid) **Interfaces:** - `ether1` - WAN (62.73.120.142/23) @@ -31,6 +35,28 @@ | pihole:latest | 172.17.0.2 | DNS sinkhole (Pi-hole v6) | | unbound:latest | 172.17.0.3 | Recursive DNS resolver | +### MikroTik cAP ac (192.168.31.6) + +| Parameter | Value | +|-----------|-------| +| Role | CAPsMAN Managed Access Point | +| RouterOS Version | 7.20.1 (stable) | +| Identity | CAP XL ac | +| Board | RBcAPGi-5acD2nD | +| SSH Access | `ssh -p 2222 xtrm@192.168.31.6` | +| SSH Password | M0stW4nt3d@xtrm | + +**Note:** SSH key (id_ed25519 from Desktop) installed for key-based auth. + +### WiFi Networks + +| SSID | Password | Bands | Security | Purpose | +|------|----------|-------|----------|---------| +| XTRM | M0stW4nt3d@home | 2.4GHz + 5GHz | WPA/WPA2 (2.4GHz), WPA2/WPA3 (5GHz) | Main network | +| XTRM2 | M0stW4nt3d@IoT | 2.4GHz | WPA/WPA2 | Legacy/IoT devices | + +**CAPsMAN:** hAP ax³ manages cAP ac via CAPsMAN (WiFi controller). See [09-MIKROTIK-WIFI-CAPSMAN.md](./09-MIKROTIK-WIFI-CAPSMAN.md) for full configuration. + ### Unraid Server (192.168.31.2) **Tailscale IP:** 100.100.208.70 
@@ -222,6 +248,10 @@ Proceed to individual phase documents: 4. [Phase 4: Remote Gaming](./04-PHASE4-REMOTE-GAMING.md) 5. [Phase 5: RustDesk Setup](./05-PHASE5-RUSTDESK.md) 6. [Phase 6: Portainer Management](./06-PHASE6-PORTAINER-MANAGEMENT.md) +7. [Phase 7: Gitea GitOps](./08-PHASE7-GITEA-GITOPS.md) + +**Reference Documents:** +- [MikroTik WiFi & CAPsMAN Configuration](./09-MIKROTIK-WIFI-CAPSMAN.md) --- diff --git a/docs/07-CHANGELOG.md b/docs/07-CHANGELOG.md index f96fec6..76f99e3 100644 --- a/docs/07-CHANGELOG.md +++ b/docs/07-CHANGELOG.md @@ -1,4 +1,33 @@ # Infrastructure Changelog + +## 2026-01-18 - MikroTik WiFi & CAPsMAN Configuration + +### CAPsMAN Setup +- [MIKROTIK] Configured CAPsMAN on hAP ax³ (192.168.31.1) as WiFi controller +- [MIKROTIK] Added cAP ac (192.168.31.6) as managed access point +- [MIKROTIK] Created provisioning rules for 2.4GHz and 5GHz bands +- [MIKROTIK] cAP ac radios now managed by CAPsMAN (configuration.manager=capsman) + +### WiFi Security Updates +- [WIFI] XTRM (2.4GHz): Changed from WPA2/WPA3 to WPA/WPA2 for legacy device support +- [WIFI] XTRM2 (IoT): Changed from WPA2/WPA3 to WPA/WPA2 for legacy device support +- [WIFI] XTRM (5GHz): Remains WPA2/WPA3 +- [WIFI] Fixed configuration band mismatch (cfg-XTRM5g had 2ghz-n, cfg-XTRM2g had 5ghz-ac) + +### SSH Key Configuration +- [SSH] Added SSH key to cAP ac for xtrm user (key-based auth from Desktop) +- [SSH] Documented SSH access for both MikroTik devices + +### Documentation +- [DOCS] Created 09-MIKROTIK-WIFI-CAPSMAN.md with full WiFi/CAPsMAN configuration +- [DOCS] Updated 00-CURRENT-STATE.md with cAP ac device info and WiFi networks +- [DOCS] Added WiFi passwords and connection details to documentation + +### Issue Resolved +- [FIX] iPad 2 connectivity issue - resolved by enabling WPA-PSK on 2.4GHz networks + +--- + ## 2026-01-18 - Docker Organization & Container Fixes ### FolderView2 Categories Reorganized 
diff --git a/docs/09-MIKROTIK-WIFI-CAPSMAN.md b/docs/09-MIKROTIK-WIFI-CAPSMAN.md new file mode 100644 index 0000000..3c64ddb --- /dev/null +++ b/docs/09-MIKROTIK-WIFI-CAPSMAN.md 
@@ -0,0 +1,352 @@ +# MikroTik WiFi & CAPsMAN Configuration + +**Document Created:** 2026-01-18 +**Last Updated:** 2026-01-18 + +--- + +## Device Inventory + +### MikroTik hAP ax³ (CAPsMAN Controller) + +| Parameter | Value | +|-----------|-------| +| Role | Main Router + CAPsMAN Controller | +| IP Address | 192.168.31.1 | +| RouterOS Version | 7.20.6 (stable) | +| Identity | HAPax3 | + +**SSH Connection:** +```bash +# From Unraid server (key-based) +ssh -i /root/.ssh/mikrotik_key -p 2222 xtrm@192.168.31.1 + +# Alternative user +ssh -i /root/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1 +``` + +### MikroTik cAP ac (Managed Access Point) + +| Parameter | Value | +|-----------|-------| +| Role | CAPsMAN Managed Access Point | +| IP Address | 192.168.31.6 | +| RouterOS Version | 7.20.1 (stable) | +| Identity | CAP XL ac | +| Board | RBcAPGi-5acD2nD | + +**SSH Connection:** +```bash +# Key-based (from desktop) +ssh -p 2222 xtrm@192.168.31.6 + +# Password-based +ssh -p 2222 xtrm@192.168.31.6 +# Password: M0stW4nt3d@xtrm +``` + +--- + +## WiFi Networks + +### XTRM (Main Network) + +| Parameter | Value | +|-----------|-------| +| SSID | XTRM | +| Password | M0stW4nt3d@home | +| Bands | 2.4GHz + 5GHz | +| Security | WPA-PSK, WPA2-PSK (2.4GHz) / WPA2-PSK, WPA3-PSK (5GHz) | + +### XTRM2 (IoT Network) + +| Parameter | Value | +|-----------|-------| +| SSID | XTRM2 | +| Password | M0stW4nt3d@IoT | +| Bands | 2.4GHz only | +| Security | WPA-PSK, WPA2-PSK | +| Purpose | Legacy/IoT devices | + +--- + +## WiFi Interfaces + +### hAP ax³ (Local Interfaces) + +| Interface | Band | SSID | Channel | Status | +|-----------|------|------|---------|--------| +| hap-wifi1 | 5GHz | XTRM | 5180, 5260, 5500 (80MHz) | Running | +| hap-wifi2 | 2.4GHz | XTRM | 2412, 2432, 2472 (20MHz) | Running | +| hap-wifi2-virtual1 | 2.4GHz | XTRM2 | 2412, 2432, 2472 (20MHz) | Running | + +### cAP ac (CAPsMAN Managed) + +| Interface | Band | SSID | Channel | Status | 
+|-----------|------|------|---------|--------| +| cap-wifi1 | 2.4GHz | XTRM | 2432 (20MHz) | Running | +| cap-wifi1-virtual1 | 2.4GHz | XTRM2 | (virtual) | Running | +| cap-wifi2 | 5GHz | XTRM | 5260 (80MHz, DFS) | Running | + +--- + +## CAPsMAN Configuration + +### Controller Settings (hAP ax³) + +``` +/interface/wifi/capsman/print +enabled: yes +interfaces: bridge +require-peer-certificate: no +upgrade-policy: none +generated-ca-certificate: WiFi-CAPsMAN-CA-789A182CA548 +generated-certificate: WiFi-CAPsMAN-789A182CA548 +``` + +### Channel Configurations + +``` +/interface/wifi/channel/print +0 name="ch-2ghz" frequency=2412,2432,2472 width=20mhz +1 name="ch-5ghz" frequency=5180,5260,5500 width=20/40/80mhz +``` + +### Security Profiles + +``` +/interface/wifi/security/print +0 name="sec-XTRM" authentication-types=wpa2-psk,wpa3-psk + passphrase="M0stW4nt3d@home" + +1 name="sec-IoT" authentication-types=wpa-psk,wpa2-psk + passphrase="M0stW4nt3d@IoT" disable-pmkid=yes +``` + +### WiFi Configurations + +``` +/interface/wifi/configuration/print +0 name="cfg-XTRM5g" ssid="XTRM" + security.authentication-types=wpa-psk,wpa2-psk + channel=ch-5ghz channel.band=5ghz-ac + datapath.bridge=bridge + +1 name="cfg-XTRM2g" ssid="XTRM" + security.authentication-types=wpa-psk,wpa2-psk + channel=ch-2ghz channel.band=2ghz-n + datapath.bridge=bridge + +2 name="cfgXTRM-IoT" ssid="XTRM2" + security.authentication-types=wpa-psk,wpa2-psk + channel=ch-2ghz channel.band=2ghz-n + datapath.bridge=bridge +``` + +### Provisioning Rules + +``` +/interface/wifi/provisioning/print +0 comment="XTRM-5G" + supported-bands=5ghz-ac + action=create-dynamic-enabled + master-configuration=cfg-XTRM5g + +1 comment="XTRM-2G" + supported-bands=2ghz-n + action=create-dynamic-enabled + master-configuration=cfg-XTRM2g + slave-configurations=cfgXTRM-IoT +``` + +--- + +## CAP Configuration (cAP ac) + +### CAP Settings + +``` +/interface/wifi/cap/print +enabled: yes +discovery-interfaces: bridge +caps-man-addresses: 
192.168.31.1 +``` + +### Interface Manager Settings + +Both radios must be set to CAPsMAN managed: +``` +/interface/wifi set wifi1 configuration.manager=capsman +/interface/wifi set wifi2 configuration.manager=capsman +``` + +--- + +## Legacy Device Compatibility + +### iPad 2 / Older Devices + +Older devices (pre-2012) may not support: +- WPA3-PSK +- PMF (Protected Management Frames) +- 5GHz band + +**Solution:** Use XTRM2 network which supports WPA-PSK/WPA2-PSK without WPA3. + +### Important Notes + +1. **WPA + WPA3 Incompatibility:** MikroTik does not allow WPA-PSK and WPA3-PSK in the same configuration. Use WPA-PSK + WPA2-PSK for legacy support. + +2. **Management Protection:** When using WPA3, management-protection must be "allowed" or "required". Setting it to "disabled" with WPA3 will cause interface to become inactive. + +3. **Band Configuration:** Ensure configuration templates have correct `channel.band` settings: + - 5GHz configs: `5ghz-ac` or `5ghz-ax` + - 2.4GHz configs: `2ghz-n` or `2ghz-ax` + +--- + +## Useful Commands + +### Check Connected Clients +``` +/interface/wifi/registration-table/print +``` + +### Check CAPsMAN Remote CAPs +``` +/interface/wifi/capsman/remote-cap/print +``` + +### Check All WiFi Radios +``` +/interface/wifi/radio/print +``` + +### Check Interface Status +``` +/interface/wifi/print +``` + +### Restart WiFi Interface +``` +/interface/wifi disable [interface-name] +:delay 2s +/interface/wifi enable [interface-name] +``` + +### View WiFi Logs +``` +/log print where topics~"wireless" or topics~"wifi" +``` + +--- + +## Troubleshooting + +### Interface Shows "I" (Inactive) + +1. Check for configuration errors in detail view: + ``` + /interface/wifi/print detail where name=[interface] + ``` + +2. Look for comment warnings like: + - "can't use WPA with WPA3" + - "management protection should be allowed or required with WPA3" + - "no available channels" + +3. 
Verify channel configuration has proper frequency settings + +### CAP Not Connecting to CAPsMAN + +1. Verify CAPsMAN is enabled on controller: + ``` + /interface/wifi/capsman/print + ``` + +2. Check CAP has correct CAPsMAN address: + ``` + /interface/wifi/cap/print + ``` + +3. Ensure CAP radios are set to CAPsMAN managed: + ``` + /interface/wifi/print detail + # Look for configuration.manager=capsman + ``` + +4. Check firewall isn't blocking CAPsMAN traffic (UDP 5246-5247) + +### CAP Interfaces Show "B" But Not "R" + +This is normal when traffic is processed on CAP (local forwarding mode). The "R" (Running) flag only appears on the CAP device itself, not on CAPsMAN. + +--- + +## Network Diagram + +``` + Internet + │ + ▼ + ┌────────────────────────┐ + │ MikroTik hAP ax³ │ + │ 192.168.31.1 │ + │ CAPsMAN Controller │ + │ │ + │ WiFi Interfaces: │ + │ - hap-wifi1 (5GHz) │ + │ - hap-wifi2 (2.4GHz) │ + │ - XTRM, XTRM2 │ + └───────────┬────────────┘ + │ + │ LAN + │ + ┌───────────┴────────────┐ + │ │ + ▼ ▼ +┌────────────────────┐ ┌────────────────────┐ +│ MikroTik cAP ac │ │ Other Devices │ +│ 192.168.31.6 │ │ 192.168.31.x │ +│ CAPsMAN Managed │ │ │ +│ │ │ │ +│ WiFi Interfaces: │ │ │ +│ - wifi1 (2.4GHz) │ │ │ +│ - wifi2 (5GHz) │ │ │ +│ - XTRM, XTRM2 │ │ │ +└────────────────────┘ └────────────────────┘ +``` + +--- + +## SSH Key Setup + +### Adding SSH Key to MikroTik Device + +1. Copy public key to device: + ```bash + scp -P 2222 ~/.ssh/id_ed25519.pub user@[device-ip]:key.pub + ``` + +2. Import key for user: + ``` + /user/ssh-keys/import public-key-file=key.pub user=[username] + ``` + +3. Verify import: + ``` + /user/ssh-keys/print + ``` + +4. 
Clean up: + ``` + /file/remove key.pub + ``` + +### Current SSH Key Status + +| Device | User | Key Installed | +|--------|------|---------------| +| hAP ax³ (192.168.31.1) | xtrm | Yes (mikrotik_key from Unraid) | +| hAP ax³ (192.168.31.1) | unraid | Yes (mikrotik_key from Unraid) | +| cAP ac (192.168.31.6) | xtrm | Yes (id_ed25519 from Desktop) |
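Review bot: the new **SSH Users** list in `00-CURRENT-STATE.md` documents two full-admin accounts (`xtrm` and `unraid`) that both authenticate with the same `mikrotik_key` from the same Unraid host, so the second account adds no separation of duty or credential isolation; either state why `unraid` is kept (break-glass, automation) or remove it, and if it stays, give it its own key so that one key can be revoked without locking out the other.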
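Review bot: the cAP ac table and the **WiFi Networks** table added to `00-CURRENT-STATE.md` commit live credentials to the repository in plaintext (`SSH Password | M0stW4nt3d@xtrm`, the `XTRM` and `XTRM2` PSKs) next to the static WAN IP, and the same hunk notes that key-based auth is already installed, so the password line is also redundant. Move the secrets to a password manager or secrets store and reference it from the table, and treat these values as exposed now that they are in git history: rotate them and purge the commit, since deleting the lines in a later commit does not remove them from existing clones.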
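Review bot: the changelog line `[DOCS] Added WiFi passwords and connection details to documentation` records the plaintext-secret disclosure as a feature and should instead record their removal, and the two `[WIFI] ... Changed from WPA2/WPA3 to WPA/WPA2` lines downgrade both the IoT SSID and the main `XTRM` 2.4GHz SSID even though the `[FIX] iPad 2` line only needs one legacy network; since enabling WPA-PSK lowers the minimum security level for every client on that SSID, not just the iPad, consider scoping the downgrade to `XTRM2` and stating the trade-off in the entry.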
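Review bot: in `09-MIKROTIK-WIFI-CAPSMAN.md` the **Security Profiles** and **WiFi Configurations** sections contradict each other and the **WiFi Networks** table: `sec-XTRM` is printed with `authentication-types=wpa2-psk,wpa3-psk`, but `cfg-XTRM5g` sets `security.authentication-types=wpa-psk,wpa2-psk` inline and none of the three configurations references a `security=` profile, so as documented the 5GHz XTRM network is WPA/WPA2 rather than the WPA2/WPA3 the tables claim, and `disable-pmkid=yes` applies only to `sec-IoT`. Please reconcile the printed config with the tables (either attach `security=sec-XTRM` to `cfg-XTRM5g` or correct the tables), and for `require-peer-certificate: no` in **Controller Settings** either document that accepting CAPs without certificate verification is a deliberate choice for the trusted LAN or enable certificate-based CAP authentication. Separately, the cAP ac **SSH Connection** block repeats the identical `ssh -p 2222 xtrm@192.168.31.6` command under both "Key-based" and "Password-based" with the password inline; drop the password variant now that the key is installed, and have the WiFi tables reference a secrets store instead of carrying the PSKs.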