jazzymc/infrastructure
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add MikroTik WiFi & CAPsMAN documentation
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
Details

Browse Source 
- Created 09-MIKROTIK-WIFI-CAPSMAN.md with full configuration details
- Added cAP ac device info and WiFi networks to 00-CURRENT-STATE.md
- Updated changelog with WiFi/CAPsMAN setup and legacy device fix
- Documented SSH access for both MikroTik devices
- Added WiFi network credentials and security settings

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
jazzymc
2026-01-18 22:08:23 +02:00
parent 14057a7420
commit 8d24d7481a
3 changed files with 412 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
docs/00-CURRENT-STATE.md
View File

@@ -17,7 +17,11 @@
| WAN IP (Static) | 62.73.120.142 | | WAN IP (Static) | 62.73.120.142 |
| LAN Subnet | 192.168.31.0/24 | | LAN Subnet | 192.168.31.0/24 |
| Docker Bridge | 172.17.0.0/24 | | Docker Bridge | 172.17.0.0/24 |
| SSH Access | `ssh -i /root/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1` | | SSH Access | `ssh -i /root/.ssh/mikrotik_key -p 2222 xtrm@192.168.31.1` |
**SSH Users:**
- `xtrm` - Primary admin user (key-based from Unraid)
- `unraid` - Secondary admin user (key-based from Unraid)
**Interfaces:** **Interfaces:**
- `ether1` - WAN (62.73.120.142/23) - `ether1` - WAN (62.73.120.142/23)
@@ -31,6 +35,28 @@
| pihole:latest | 172.17.0.2 | DNS sinkhole (Pi-hole v6) | | pihole:latest | 172.17.0.2 | DNS sinkhole (Pi-hole v6) |
| unbound:latest | 172.17.0.3 | Recursive DNS resolver | | unbound:latest | 172.17.0.3 | Recursive DNS resolver |
### MikroTik cAP ac (192.168.31.6)
| Parameter | Value |
|-----------|-------|
| Role | CAPsMAN Managed Access Point |
| RouterOS Version | 7.20.1 (stable) |
| Identity | CAP XL ac |
| Board | RBcAPGi-5acD2nD |
| SSH Access | `ssh -p 2222 xtrm@192.168.31.6` |
| SSH Password | M0stW4nt3d@xtrm |
**Note:** SSH key (id_ed25519 from Desktop) installed for key-based auth.
### WiFi Networks
| SSID | Password | Bands | Security | Purpose |
|------|----------|-------|----------|---------|
| XTRM | M0stW4nt3d@home | 2.4GHz + 5GHz | WPA/WPA2 (2.4GHz), WPA2/WPA3 (5GHz) | Main network |
| XTRM2 | M0stW4nt3d@IoT | 2.4GHz | WPA/WPA2 | Legacy/IoT devices |
**CAPsMAN:** hAP ax³ manages cAP ac via CAPsMAN (WiFi controller). See [09-MIKROTIK-WIFI-CAPSMAN.md](./09-MIKROTIK-WIFI-CAPSMAN.md) for full configuration.
### Unraid Server (192.168.31.2) ### Unraid Server (192.168.31.2)
**Tailscale IP:** 100.100.208.70 **Tailscale IP:** 100.100.208.70
@@ -222,6 +248,10 @@ Proceed to individual phase documents:
4. [Phase 4: Remote Gaming](./04-PHASE4-REMOTE-GAMING.md) 4. [Phase 4: Remote Gaming](./04-PHASE4-REMOTE-GAMING.md)
5. [Phase 5: RustDesk Setup](./05-PHASE5-RUSTDESK.md) 5. [Phase 5: RustDesk Setup](./05-PHASE5-RUSTDESK.md)
6. [Phase 6: Portainer Management](./06-PHASE6-PORTAINER-MANAGEMENT.md) 6. [Phase 6: Portainer Management](./06-PHASE6-PORTAINER-MANAGEMENT.md)
7. [Phase 7: Gitea GitOps](./08-PHASE7-GITEA-GITOPS.md)
**Reference Documents:**
- [MikroTik WiFi & CAPsMAN Configuration](./09-MIKROTIK-WIFI-CAPSMAN.md)
--- ---

29
docs/07-CHANGELOG.md
View File

@@ -1,4 +1,33 @@
# Infrastructure Changelog # Infrastructure Changelog
## 2026-01-18 - MikroTik WiFi & CAPsMAN Configuration
### CAPsMAN Setup
- [MIKROTIK] Configured CAPsMAN on hAP ax³ (192.168.31.1) as WiFi controller
- [MIKROTIK] Added cAP ac (192.168.31.6) as managed access point
- [MIKROTIK] Created provisioning rules for 2.4GHz and 5GHz bands
- [MIKROTIK] cAP ac radios now managed by CAPsMAN (configuration.manager=capsman)
### WiFi Security Updates
- [WIFI] XTRM (2.4GHz): Changed from WPA2/WPA3 to WPA/WPA2 for legacy device support
- [WIFI] XTRM2 (IoT): Changed from WPA2/WPA3 to WPA/WPA2 for legacy device support
- [WIFI] XTRM (5GHz): Remains WPA2/WPA3
- [WIFI] Fixed configuration band mismatch (cfg-XTRM5g had 2ghz-n, cfg-XTRM2g had 5ghz-ac)
### SSH Key Configuration
- [SSH] Added SSH key to cAP ac for xtrm user (key-based auth from Desktop)
- [SSH] Documented SSH access for both MikroTik devices
### Documentation
- [DOCS] Created 09-MIKROTIK-WIFI-CAPSMAN.md with full WiFi/CAPsMAN configuration
- [DOCS] Updated 00-CURRENT-STATE.md with cAP ac device info and WiFi networks
- [DOCS] Added WiFi passwords and connection details to documentation
### Issue Resolved
- [FIX] iPad 2 connectivity issue - resolved by enabling WPA-PSK on 2.4GHz networks
---
## 2026-01-18 - Docker Organization & Container Fixes ## 2026-01-18 - Docker Organization & Container Fixes
### FolderView2 Categories Reorganized ### FolderView2 Categories Reorganized

352
docs/09-MIKROTIK-WIFI-CAPSMAN.md Normal file
View File

@@ -0,0 +1,352 @@
# MikroTik WiFi & CAPsMAN Configuration
**Document Created:** 2026-01-18
**Last Updated:** 2026-01-18
---
## Device Inventory
### MikroTik hAP ax³ (CAPsMAN Controller)
| Parameter | Value |
|-----------|-------|
| Role | Main Router + CAPsMAN Controller |
| IP Address | 192.168.31.1 |
| RouterOS Version | 7.20.6 (stable) |
| Identity | HAPax3 |
**SSH Connection:**
```bash
# From Unraid server (key-based)
ssh -i /root/.ssh/mikrotik_key -p 2222 xtrm@192.168.31.1
# Alternative user
ssh -i /root/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1
```
### MikroTik cAP ac (Managed Access Point)
| Parameter | Value |
|-----------|-------|
| Role | CAPsMAN Managed Access Point |
| IP Address | 192.168.31.6 |
| RouterOS Version | 7.20.1 (stable) |
| Identity | CAP XL ac |
| Board | RBcAPGi-5acD2nD |
**SSH Connection:**
```bash
# Key-based (from desktop)
ssh -p 2222 xtrm@192.168.31.6
# Password-based
ssh -p 2222 xtrm@192.168.31.6
# Password: M0stW4nt3d@xtrm
```
---
## WiFi Networks
### XTRM (Main Network)
| Parameter | Value |
|-----------|-------|
| SSID | XTRM |
| Password | M0stW4nt3d@home |
| Bands | 2.4GHz + 5GHz |
| Security | WPA-PSK, WPA2-PSK (2.4GHz) / WPA2-PSK, WPA3-PSK (5GHz) |
### XTRM2 (IoT Network)
| Parameter | Value |
|-----------|-------|
| SSID | XTRM2 |
| Password | M0stW4nt3d@IoT |
| Bands | 2.4GHz only |
| Security | WPA-PSK, WPA2-PSK |
| Purpose | Legacy/IoT devices |
---
## WiFi Interfaces
### hAP ax³ (Local Interfaces)
| Interface | Band | SSID | Channel | Status |
|-----------|------|------|---------|--------|
| hap-wifi1 | 5GHz | XTRM | 5180, 5260, 5500 (80MHz) | Running |
| hap-wifi2 | 2.4GHz | XTRM | 2412, 2432, 2472 (20MHz) | Running |
| hap-wifi2-virtual1 | 2.4GHz | XTRM2 | 2412, 2432, 2472 (20MHz) | Running |
### cAP ac (CAPsMAN Managed)
| Interface | Band | SSID | Channel | Status |
|-----------|------|------|---------|--------|
| cap-wifi1 | 2.4GHz | XTRM | 2432 (20MHz) | Running |
| cap-wifi1-virtual1 | 2.4GHz | XTRM2 | (virtual) | Running |
| cap-wifi2 | 5GHz | XTRM | 5260 (80MHz, DFS) | Running |
---
## CAPsMAN Configuration
### Controller Settings (hAP ax³)
```
/interface/wifi/capsman/print
enabled: yes
interfaces: bridge
require-peer-certificate: no
upgrade-policy: none
generated-ca-certificate: WiFi-CAPsMAN-CA-789A182CA548
generated-certificate: WiFi-CAPsMAN-789A182CA548
```
### Channel Configurations
```
/interface/wifi/channel/print
0 name="ch-2ghz" frequency=2412,2432,2472 width=20mhz
1 name="ch-5ghz" frequency=5180,5260,5500 width=20/40/80mhz
```
### Security Profiles
```
/interface/wifi/security/print
0 name="sec-XTRM" authentication-types=wpa2-psk,wpa3-psk
passphrase="M0stW4nt3d@home"
1 name="sec-IoT" authentication-types=wpa-psk,wpa2-psk
passphrase="M0stW4nt3d@IoT" disable-pmkid=yes
```
### WiFi Configurations
```
/interface/wifi/configuration/print
0 name="cfg-XTRM5g" ssid="XTRM"
security.authentication-types=wpa-psk,wpa2-psk
channel=ch-5ghz channel.band=5ghz-ac
datapath.bridge=bridge
1 name="cfg-XTRM2g" ssid="XTRM"
security.authentication-types=wpa-psk,wpa2-psk
channel=ch-2ghz channel.band=2ghz-n
datapath.bridge=bridge
2 name="cfgXTRM-IoT" ssid="XTRM2"
security.authentication-types=wpa-psk,wpa2-psk
channel=ch-2ghz channel.band=2ghz-n
datapath.bridge=bridge
```
### Provisioning Rules
```
/interface/wifi/provisioning/print
0 comment="XTRM-5G"
supported-bands=5ghz-ac
action=create-dynamic-enabled
master-configuration=cfg-XTRM5g
1 comment="XTRM-2G"
supported-bands=2ghz-n
action=create-dynamic-enabled
master-configuration=cfg-XTRM2g
slave-configurations=cfgXTRM-IoT
```
---
## CAP Configuration (cAP ac)
### CAP Settings
```
/interface/wifi/cap/print
enabled: yes
discovery-interfaces: bridge
caps-man-addresses: 192.168.31.1
```
### Interface Manager Settings
Both radios must be set to CAPsMAN managed:
```
/interface/wifi set wifi1 configuration.manager=capsman
/interface/wifi set wifi2 configuration.manager=capsman
```
---
## Legacy Device Compatibility
### iPad 2 / Older Devices
Older devices (pre-2012) may not support:
- WPA3-PSK
- PMF (Protected Management Frames)
- 5GHz band
**Solution:** Use XTRM2 network which supports WPA-PSK/WPA2-PSK without WPA3.
### Important Notes
1. **WPA + WPA3 Incompatibility:** MikroTik does not allow WPA-PSK and WPA3-PSK in the same configuration. Use WPA-PSK + WPA2-PSK for legacy support.
2. **Management Protection:** When using WPA3, management-protection must be "allowed" or "required". Setting it to "disabled" with WPA3 will cause interface to become inactive.
3. **Band Configuration:** Ensure configuration templates have correct `channel.band` settings:
- 5GHz configs: `5ghz-ac` or `5ghz-ax`
- 2.4GHz configs: `2ghz-n` or `2ghz-ax`
---
## Useful Commands
### Check Connected Clients
```
/interface/wifi/registration-table/print
```
### Check CAPsMAN Remote CAPs
```
/interface/wifi/capsman/remote-cap/print
```
### Check All WiFi Radios
```
/interface/wifi/radio/print
```
### Check Interface Status
```
/interface/wifi/print
```
### Restart WiFi Interface
```
/interface/wifi disable [interface-name]
:delay 2s
/interface/wifi enable [interface-name]
```
### View WiFi Logs
```
/log print where topics~"wireless" or topics~"wifi"
```
---
## Troubleshooting
### Interface Shows "I" (Inactive)
1. Check for configuration errors in detail view:
```
/interface/wifi/print detail where name=[interface]
```
2. Look for comment warnings like:
- "can't use WPA with WPA3"
- "management protection should be allowed or required with WPA3"
- "no available channels"
3. Verify channel configuration has proper frequency settings
### CAP Not Connecting to CAPsMAN
1. Verify CAPsMAN is enabled on controller:
```
/interface/wifi/capsman/print
```
2. Check CAP has correct CAPsMAN address:
```
/interface/wifi/cap/print
```
3. Ensure CAP radios are set to CAPsMAN managed:
```
/interface/wifi/print detail
# Look for configuration.manager=capsman
```
4. Check firewall isn't blocking CAPsMAN traffic (UDP 5246-5247)
### CAP Interfaces Show "B" But Not "R"
This is normal when traffic is processed on CAP (local forwarding mode). The "R" (Running) flag only appears on the CAP device itself, not on CAPsMAN.
---
## Network Diagram
```
Internet
┌────────────────────────┐
│ MikroTik hAP ax³ │
│ 192.168.31.1 │
│ CAPsMAN Controller │
│ │
│ WiFi Interfaces: │
│ - hap-wifi1 (5GHz) │
│ - hap-wifi2 (2.4GHz) │
│ - XTRM, XTRM2 │
└───────────┬────────────┘
│ LAN
┌───────────┴────────────┐
│ │
▼ ▼
┌────────────────────┐ ┌────────────────────┐
│ MikroTik cAP ac │ │ Other Devices │
│ 192.168.31.6 │ │ 192.168.31.x │
│ CAPsMAN Managed │ │ │
│ │ │ │
│ WiFi Interfaces: │ │ │
│ - wifi1 (2.4GHz) │ │ │
│ - wifi2 (5GHz) │ │ │
│ - XTRM, XTRM2 │ │ │
└────────────────────┘ └────────────────────┘
```
---
## SSH Key Setup
### Adding SSH Key to MikroTik Device
1. Copy public key to device:
```bash
scp -P 2222 ~/.ssh/id_ed25519.pub user@[device-ip]:key.pub
```
2. Import key for user:
```
/user/ssh-keys/import public-key-file=key.pub user=[username]
```
3. Verify import:
```
/user/ssh-keys/print
```
4. Clean up:
```
/file/remove key.pub
```
### Current SSH Key Status
| Device | User | Key Installed |
|--------|------|---------------|
| hAP ax³ (192.168.31.1) | xtrm | Yes (mikrotik_key from Unraid) |
| hAP ax³ (192.168.31.1) | unraid | Yes (mikrotik_key from Unraid) |
| cAP ac (192.168.31.6) | xtrm | Yes (id_ed25519 from Desktop) |