infrastructure/docs/07-WIFI-CAPSMAN-CONFIG.md
Kaloyan Danchev 7867b5c950
WiFi VLAN fixes, CAP bridge filtering, AdGuard IP conflicts, channel optimization
- Enable bridge VLAN filtering on CAP for proper per-client VLAN assignment
- Fix AdGuard container IP conflicts (.2→.10, .3→.11) with static IPs
- Fix 2.4GHz co-channel interference (both APs were on ch 1, CAP now ch 6)
- Fix 5GHz overlap (HAP ch 36/5180, CAP moved to ch 52/5260)
- Update WiFi access-list: VLAN assignment now active with per-device VLAN IDs
- Add Xiaomi Air Purifier MC1 to VLAN 30 access-list

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-27 09:40:29 +02:00


# WiFi and CAPsMAN Configuration
**Last Updated:** 2026-02-26

**Purpose:** Document WiFi network settings, CAPsMAN configuration, and device compatibility requirements

---
## Network Overview
| SSID | Band | Purpose | Password |
|------|------|---------|----------|
| XTRM | 5GHz | Primary network (fast devices) | `M0stW4nt3d@home` |
| XTRM2 | 2.4GHz | IoT/Legacy devices | `M0stW4nt3d@IoT` |
---
## XTRM (5GHz) - wifi1
**Target:** Modern devices (phones, laptops, tablets)

| Setting | Value |
|---------|-------|
| SSID | XTRM |
| Band | 5GHz |
| Mode | 802.11ax (WiFi 6) |
| Channel | 5180 MHz (ch 36) |
| Width | 40MHz |
| Security | WPA2-PSK + WPA3-PSK |
| Cipher | CCMP (AES) |
| 802.11r (FT) | Enabled |
| Password | `M0stW4nt3d@home` |
---
## XTRM2 (2.4GHz) - wifi2
**Target:** IoT devices, legacy devices, smartwatches
### CRITICAL COMPATIBILITY REQUIREMENTS
Some devices (Tuya JMWZG1 gateway, Amazfit TREX3, iPad 2) require legacy settings:

| Setting | Value | Reason |
|---------|-------|--------|
| SSID | XTRM2 | |
| Band | 2.4GHz | IoT compatibility |
| Mode | **802.11g** | Legacy device support |
| Channel | **1 (2412 MHz)** | Most compatible |
| Width | **20MHz** | Required for old devices |
| Security | **WPA-PSK + WPA2-PSK** | WPA needed for legacy |
| Cipher | **TKIP + CCMP** | TKIP required for old devices |
| 802.11r (FT) | **Disabled** | Causes issues with IoT |
| Password | `M0stW4nt3d@IoT` | |
### Devices Requiring WPA + TKIP
| Device | MAC Address | Model | Notes |
|--------|-------------|-------|-------|
| Roborock S7 Vacuum | B0:4A:39:3F:9A:14 | S7 | Requires WPA+TKIP |
| Amazfit TREX3 | TBD | Smartwatch | Requires WPA+TKIP |
| Tuya Smart Gateway | 38:1F:8D:04:6F:E4 | JMWZG1 | Requires WPA+TKIP |
| iPad 2 | TBD | A1395/A1396 | Legacy device |
### RouterOS Commands for XTRM2
```routeros
# Working configuration for legacy devices
/interface wifi set wifi2 \
channel.frequency=2412 \
channel.band=2ghz-g \
channel.width=20mhz \
security.authentication-types=wpa-psk,wpa2-psk \
security.encryption=tkip,ccmp \
security.ft=no \
security.ft-over-ds=no \
security.passphrase="M0stW4nt3d@IoT"
```
### Fallback (Maximum Compatibility)
If devices still can't connect, use WPA-only with TKIP-only:
```routeros
/interface wifi set wifi2 \
security.authentication-types=wpa-psk \
security.encryption=tkip
```
---
## CAPsMAN Configuration
### Manager (HAP ax³ - 192.168.10.1)
| Setting | Value |
|---------|-------|
| Enabled | Yes |
| Interfaces | bridge, vlan10-mgmt |
| Certificate | Auto-generated |
### CAP Device (cAP XL ac - 192.168.10.2)
| Setting | Value |
|---------|-------|
| caps-man-addresses | 192.168.10.1 |
| discovery-interfaces | bridgeLocal |
| slaves-datapath | capdp (bridge=bridgeLocal, vlan-id=40) |
| certificate | request |
| RouterOS | 7.21.1 |
| SSH Port | 2222 |
| SSH (via proxy) | See ProxyJump command below |
**SSH Access:** Direct SSH to CAP is unreliable. Use ProxyJump through Unraid:
```bash
ssh -o ProxyCommand="ssh -i ~/.ssh/id_ed25519_unraid -p 422 -W %h:%p root@192.168.10.20" -i ~/.ssh/mikrotik_key -p 2222 xtrm@192.168.10.2
```
### CAP Bridge VLAN Filtering
The CAP runs bridge VLAN filtering to properly tag/untag WiFi client traffic before sending it to the HAP over the trunk link (ether1):

| Setting | Value |
|---------|-------|
| bridgeLocal | vlan-filtering=yes, pvid=10 |
| ether1 (trunk) | bridge port, PVID=10 |
| wifi1, wifi2 | dynamic bridge ports, PVID=40 (set by datapath vlan-id) |
**Bridge VLAN Table:**

| VLAN | ether1 | wifi1 | wifi2 | bridgeLocal | Purpose |
|------|--------|-------|-------|-------------|---------|
| 10 | untagged | - | - | untagged | Management |
| 20 | tagged | tagged | tagged | - | Trusted |
| 25 | tagged | tagged | tagged | - | Kids |
| 30 | tagged | tagged | tagged | - | IoT |
| 35 | tagged | tagged | tagged | - | Cameras |
| 40 | tagged | untagged | untagged | - | CatchAll (default) |
### CAP Interfaces
| Interface | Radio | Band | SSID | Security | Status |
|-----------|-------|------|------|----------|--------|
| cap-wifi1 | wifi2 | 5GHz | XTRM | WPA2/WPA3-PSK, CCMP | Working (Ch 52/5260, 40MHz, DFS) |
| cap-wifi2 | wifi1 | 2.4GHz | XTRM2 | WPA2-PSK, CCMP | Working (Ch 6/2437, 20MHz) |
**Note:** cap-wifi2 uses WPA2+CCMP only (not WPA+TKIP like HAP's local wifi2). Legacy IoT devices requiring TKIP will only work on HAP1's local wifi2.

---
## WiFi Access List
**Status:** VLAN assignment via access list is **active**. Each entry has a `vlan-id` that assigns the device to the correct VLAN upon WiFi association. This works on both the HAP (local) and the CAP (remote, via bridge VLAN filtering).

**30+ entries** are configured (MAC-based accept rules with VLAN IDs plus one default catch-all rule); selected entries:

| # | MAC | Device | VLAN |
|---|-----|--------|------|
| 0 | AA:ED:8B:2A:40:F1 | Samsung S25 Ultra - Kaloyan | 20 |
| 1 | 82:6D:FB:D9:E0:47 | MacBook Air - Nora | 20 |
| 12 | CE:B8:11:EA:8D:55 | MacBook - Kaloyan | 20 |
| 13 | BE:A7:95:87:19:4A | MacBook 5GHz - Kaloyan | 20 |
| 27 | B8:27:EB:32:B2:13 | RecalBox RPi3 | 25 |
| 28 | CC:5E:F8:D3:37:D3 | ASUS ROG Ally - Kaloyan | 20 |
| 31 | C8:5C:CC:40:B4:AA | Xiaomi Air Purifier 2 | 30 |
| 32 | (any) | Default - VLAN40 | 40 (catch-all) |
**Default behavior:** Devices not in the access list get VLAN 40 (CatchAll) via the default rule and the datapath `vlan-id=40`.
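The per-client VLAN design only works if every `vlan-id` the access list can hand out is actually carried by the CAP's bridge VLAN table (wifi ports and trunk) from the CAP Bridge VLAN Filtering section above. The script below is an added consistency check, not part of this repository: it transcribes that bridge VLAN table, the port PVIDs and the access-list entries listed above, and reports any VLAN a client would be placed in that the bridge would drop, any mismatch between the catch-all VLAN and the wifi PVID, and any wifi port that would carry the management VLAN 10. Function names and the audit logic are mine.

```python
"""Consistency check for the CAP's per-client VLAN design (added example, not the
project's code). The tables below are transcribed from this page; the checks are mine."""
# "CAP Bridge VLAN Filtering" table: VLAN -> ports that carry it tagged.
# Untagged membership is derived from each port's PVID, as RouterOS does.
BRIDGE_VLAN_TAGGED = {
    10: set(),
    20: {"ether1", "wifi1", "wifi2"},
    25: {"ether1", "wifi1", "wifi2"},
    30: {"ether1", "wifi1", "wifi2"},
    35: {"ether1", "wifi1", "wifi2"},
    40: {"ether1"},
}
PORT_PVID = {"ether1": 10, "wifi1": 40, "wifi2": 40}  # wifi PVID comes from datapath vlan-id=40
WIFI_PORTS = ("wifi1", "wifi2")
TRUNK = "ether1"
MGMT_VLAN = 10

# "WiFi Access List" entries as (MAC, vlan-id); "any" is the default catch-all rule.
ACCESS_LIST = [
    ("AA:ED:8B:2A:40:F1", 20), ("82:6D:FB:D9:E0:47", 20),
    ("CE:B8:11:EA:8D:55", 20), ("BE:A7:95:87:19:4A", 20),
    ("B8:27:EB:32:B2:13", 25), ("CC:5E:F8:D3:37:D3", 20),
    ("C8:5C:CC:40:B4:AA", 30), ("any", 40),
]

def carried(vlan, port, tagged=BRIDGE_VLAN_TAGGED, pvid=PORT_PVID):
    """True if `port` carries `vlan`, either tagged or untagged as its PVID."""
    return port in tagged.get(vlan, set()) or pvid.get(port) == vlan

def audit(access_list=ACCESS_LIST, tagged=BRIDGE_VLAN_TAGGED, pvid=PORT_PVID):
    """Return a list of findings; an empty list means the design is consistent."""
    findings = []
    for mac, vlan in access_list:
        # A client VLAN that a wifi port or the trunk does not carry drops that client's frames.
        for port in (*WIFI_PORTS, TRUNK):
            if not carried(vlan, port, tagged, pvid):
                findings.append(f"{mac}: VLAN {vlan} is not carried on {port}")
    default = [v for mac, v in access_list if mac == "any"]
    for port in WIFI_PORTS:
        # Unlisted clients must land in the VLAN documented as the catch-all.
        if default and pvid.get(port) != default[0]:
            findings.append(f"{port}: PVID {pvid.get(port)} differs from catch-all VLAN {default[0]}")
        # The management VLAN must never be reachable from a WiFi client port.
        if carried(MGMT_VLAN, port, tagged, pvid):
            findings.append(f"{port}: carries management VLAN {MGMT_VLAN}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit()) or "OK: access list and bridge VLAN table are consistent")
```

Run it after editing either table (or after adding an access-list entry for a new VLAN) to catch a VLAN the CAP bridge would silently drop before a client is placed in it.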
### Show Full Access List
```routeros
/interface wifi access-list print
```
---
## Troubleshooting
### Device can see XTRM2 but can't connect
1. Check security settings - device may need WPA (not WPA2)
2. Check cipher - device may need TKIP (not CCMP/AES)
3. Try 802.11g mode instead of 802.11n
4. Use channel 1, 6, or 11
### Device connects but disconnects immediately
1. Check if 802.11r (Fast Transition) is disabled
2. Check VLAN assignment - CAP clients rely on the CAP bridge VLAN filtering setup described above
3. Check channel width - use 20MHz for stability
### CAP not connecting to CAPsMAN
1. Check certificate - remove old cert and re-request
2. Check firewall - ports 5246-5247 UDP must be open
3. Check interface binding - CAPsMAN must listen on correct interface
---
## Backup Files
| File | Location | Purpose |
|------|----------|---------|
| wifi-backup-working.rsc | Router files | WiFi config export |
| config-backup-working.backup | Router files | Full system backup |
---
## Quick Reference
### Show WiFi status
```routeros
/interface wifi print
/interface wifi monitor wifi2 once
/interface wifi registration-table print
```
### Show security settings
```routeros
/interface wifi security print detail
:put [/interface wifi get wifi2 security.authentication-types]
:put [/interface wifi get wifi2 security.encryption]
```
### Check CAPsMAN
```routeros
/interface wifi capsman print
/interface wifi capsman remote-cap print
```