infrastructure/docs/archive/09-MIKROTIK-WIFI-CAPSMAN.md
XTRM-Unraid b250493d5a
Major documentation restructure - consolidated docs
New Structure:
- 01-NETWORK-MAP.md - Network topology, IPs, Docker networks, services
- 02-SERVICES-CRITICAL.md - DNS, Auth, Routing (P0/P1 services)
- 03-SERVICES-OTHER.md - All non-critical services
- 04-HARDWARE-INVENTORY.md - Physical devices and specs
- 05-CHANGELOG.md - Major events only

New Folders:
- docs/archive/ - Legacy docs (read-only reference)
- docs/wip/ - Planned changes and ideas
  - UPGRADE-2026-HARDWARE.md - N5 Air + N100 migration plan
  - GITOPS-CONTAINERS.md - Phase 2 container GitOps

Changes:
- Moved all 22 legacy docs to archive/
- Consolidated container IPs, physical map, and services into single network map
- Extracted critical vs non-critical service classification
- Simplified changelog to major events only

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-25 11:17:33 +02:00

# MikroTik WiFi & CAPsMAN Configuration
**Document Created:** 2026-01-18
**Last Updated:** 2026-01-18

---
## Device Inventory
### MikroTik hAP ax³ (CAPsMAN Controller)
| Parameter | Value |
|-----------|-------|
| Role | Main Router + CAPsMAN Controller |
| IP Address | 192.168.31.1 |
| RouterOS Version | 7.20.6 (stable) |
| Identity | HAPax3 |

**SSH Connection:**
```bash
# From Unraid server (key-based)
ssh -i /root/.ssh/mikrotik_key -p 2222 xtrm@192.168.31.1
# Alternative user
ssh -i /root/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1
```
### MikroTik cAP ac (Managed Access Point)
| Parameter | Value |
|-----------|-------|
| Role | CAPsMAN Managed Access Point |
| IP Address | 192.168.31.6 |
| RouterOS Version | 7.20.1 (stable) |
| Identity | CAP XL ac |
| Board | RBcAPGi-5acD2nD |

**SSH Connection:**
```bash
# Key-based (from desktop)
ssh -p 2222 xtrm@192.168.31.6
# Password-based
ssh -p 2222 xtrm@192.168.31.6
# Password: M0stW4nt3d@xtrm
```
---
## WiFi Networks
### XTRM (Main Network)
| Parameter | Value |
|-----------|-------|
| SSID | XTRM |
| Password | M0stW4nt3d@home |
| Bands | 2.4GHz + 5GHz |
| Security | WPA-PSK, WPA2-PSK (2.4GHz) / WPA2-PSK, WPA3-PSK (5GHz) |
### XTRM2 (IoT Network)
| Parameter | Value |
|-----------|-------|
| SSID | XTRM2 |
| Password | M0stW4nt3d@IoT |
| Bands | 2.4GHz only |
| Security | WPA-PSK, WPA2-PSK |
| Purpose | Legacy/IoT devices |
---
## WiFi Interfaces
### hAP ax³ (Local Interfaces)
| Interface | Band | SSID | Channel | Status |
|-----------|------|------|---------|--------|
| hap-wifi1 | 5GHz | XTRM | 5180, 5260, 5500 (80MHz) | Running |
| hap-wifi2 | 2.4GHz | XTRM | 2412, 2432, 2472 (20MHz) | Running |
| hap-wifi2-virtual1 | 2.4GHz | XTRM2 | 2412, 2432, 2472 (20MHz) | Running |
### cAP ac (CAPsMAN Managed)
| Interface | Band | SSID | Channel | Status |
|-----------|------|------|---------|--------|
| cap-wifi1 | 2.4GHz | XTRM | 2432 (20MHz) | Running |
| cap-wifi1-virtual1 | 2.4GHz | XTRM2 | (virtual) | Running |
| cap-wifi2 | 5GHz | XTRM | 5260 (80MHz, DFS) | Running |
---
## CAPsMAN Configuration
### Controller Settings (hAP ax³)
```
/interface/wifi/capsman/print
enabled: yes
interfaces: bridge
require-peer-certificate: no
upgrade-policy: none
generated-ca-certificate: WiFi-CAPsMAN-CA-789A182CA548
generated-certificate: WiFi-CAPsMAN-789A182CA548
```
### Channel Configurations
```
/interface/wifi/channel/print
0 name="ch-2ghz" frequency=2412,2432,2472 width=20mhz
1 name="ch-5ghz" frequency=5180,5260,5500 width=20/40/80mhz
```
### Security Profiles
```
/interface/wifi/security/print
0 name="sec-XTRM" authentication-types=wpa2-psk,wpa3-psk
passphrase="M0stW4nt3d@home"
1 name="sec-IoT" authentication-types=wpa-psk,wpa2-psk
passphrase="M0stW4nt3d@IoT" disable-pmkid=yes
```
### WiFi Configurations
```
/interface/wifi/configuration/print
0 name="cfg-XTRM5g" ssid="XTRM"
security.authentication-types=wpa-psk,wpa2-psk
channel=ch-5ghz channel.band=5ghz-ac
datapath.bridge=bridge
1 name="cfg-XTRM2g" ssid="XTRM"
security.authentication-types=wpa-psk,wpa2-psk
channel=ch-2ghz channel.band=2ghz-n
datapath.bridge=bridge
2 name="cfgXTRM-IoT" ssid="XTRM2"
security.authentication-types=wpa-psk,wpa2-psk
channel=ch-2ghz channel.band=2ghz-n
datapath.bridge=bridge
```
### Provisioning Rules
```
/interface/wifi/provisioning/print
0 comment="XTRM-5G"
supported-bands=5ghz-ac
action=create-dynamic-enabled
master-configuration=cfg-XTRM5g
1 comment="XTRM-2G"
supported-bands=2ghz-n
action=create-dynamic-enabled
master-configuration=cfg-XTRM2g
slave-configurations=cfgXTRM-IoT
```
---
## CAP Configuration (cAP ac)
### CAP Settings
```
/interface/wifi/cap/print
enabled: yes
discovery-interfaces: bridge
caps-man-addresses: 192.168.31.1
```
### Interface Manager Settings
Both radios must be set to CAPsMAN managed:
```
/interface/wifi set wifi1 configuration.manager=capsman
/interface/wifi set wifi2 configuration.manager=capsman
```
---
## Legacy Device Compatibility
### iPad 2 / Older Devices
Older devices (pre-2012) may not support:
- WPA3-PSK
- PMF (Protected Management Frames)
- 5GHz band

**Solution:** Use the XTRM2 network, which supports WPA-PSK/WPA2-PSK without WPA3.
### Important Notes
1. **WPA + WPA3 Incompatibility:** MikroTik does not allow WPA-PSK and WPA3-PSK in the same configuration. Use WPA-PSK + WPA2-PSK for legacy support.
2. **Management Protection:** When using WPA3, management-protection must be "allowed" or "required". Setting it to "disabled" with WPA3 will cause the interface to become inactive.
3. **Band Configuration:** Ensure configuration templates have correct `channel.band` settings:
   - 5GHz configs: `5ghz-ac` or `5ghz-ax`
   - 2.4GHz configs: `2ghz-n` or `2ghz-ax`
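
The three notes above can be checked mechanically against `print` output before a template is provisioned to a CAP. The following is an added example, not part of the original document: a Python lint over output in the format shown under Channel Configurations and WiFi Configurations. The `cfg-bad-*` entries and the rule names are constructed for illustration.

```python
import re

# Channel profiles as printed on this page. The configuration entries are
# constructed for the example; only cfg-XTRM5g mirrors the page.
CHANNELS = '''
0 name="ch-2ghz" frequency=2412,2432,2472 width=20mhz
1 name="ch-5ghz" frequency=5180,5260,5500 width=20/40/80mhz
'''
CONFIGS = '''
0 name="cfg-XTRM5g" ssid="XTRM"
security.authentication-types=wpa-psk,wpa2-psk
channel=ch-5ghz channel.band=5ghz-ac
1 name="cfg-bad-mixed" ssid="XTRM"
security.authentication-types=wpa-psk,wpa2-psk,wpa3-psk
channel=ch-2ghz channel.band=2ghz-n
2 name="cfg-bad-pmf" ssid="XTRM"
security.authentication-types=wpa2-psk,wpa3-psk
security.management-protection=disabled
channel=ch-5ghz channel.band=5ghz-ax
3 name="cfg-bad-band" ssid="XTRM2"
security.authentication-types=wpa-psk,wpa2-psk
channel=ch-5ghz channel.band=2ghz-n
'''

def parse_print(text):
    """Parse 'print' output: an index starts an entry, wrapped lines continue it."""
    entries = []
    for line in text.strip().splitlines():
        if re.match(r"\s*\d+\s", line):
            entries.append({})
        if entries:
            for key, val in re.findall(r'([\w.-]+)=("[^"]*"|\S+)', line):
                entries[-1][key] = val.strip('"')
    return entries

def lint(configs, channels):
    """Return (config name, rule) pairs for the three notes above."""
    freqs = {c["name"]: [int(f) for f in c["frequency"].split(",")] for c in channels}
    findings = []
    for cfg in configs:
        auth = set(cfg.get("security.authentication-types", "").split(","))
        if {"wpa-psk", "wpa3-psk"} <= auth:  # note 1
            findings.append((cfg["name"], "wpa-with-wpa3"))
        if "wpa3-psk" in auth and cfg.get("security.management-protection") == "disabled":
            findings.append((cfg["name"], "wpa3-management-protection-disabled"))  # note 2
        band = cfg.get("channel.band", "")
        wanted = {"2ghz" if f < 3000 else "5ghz" for f in freqs.get(cfg.get("channel"), [])}
        if band and wanted and band.split("-")[0] not in wanted:  # note 3
            findings.append((cfg["name"], "band-mismatch"))
    return findings

FINDINGS = lint(parse_print(CONFIGS), parse_print(CHANNELS))
```
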
---
## Useful Commands
### Check Connected Clients
```
/interface/wifi/registration-table/print
```
### Check CAPsMAN Remote CAPs
```
/interface/wifi/capsman/remote-cap/print
```
### Check All WiFi Radios
```
/interface/wifi/radio/print
```
### Check Interface Status
```
/interface/wifi/print
```
### Restart WiFi Interface
```
/interface/wifi disable [interface-name]
:delay 2s
/interface/wifi enable [interface-name]
```
### View WiFi Logs
```
/log print where topics~"wireless" or topics~"wifi"
```
---
## Troubleshooting
### Interface Shows "I" (Inactive)
1. Check for configuration errors in detail view:
```
/interface/wifi/print detail where name=[interface]
```
2. Look for comment warnings like:
   - "can't use WPA with WPA3"
   - "management protection should be allowed or required with WPA3"
   - "no available channels"
3. Verify channel configuration has proper frequency settings
### CAP Not Connecting to CAPsMAN
1. Verify CAPsMAN is enabled on controller:
```
/interface/wifi/capsman/print
```
2. Check CAP has correct CAPsMAN address:
```
/interface/wifi/cap/print
```
3. Ensure CAP radios are set to CAPsMAN managed:
```
/interface/wifi/print detail
# Look for configuration.manager=capsman
```
4. Check that the firewall isn't blocking CAPsMAN traffic (UDP 5246-5247)
### CAP Interfaces Show "B" But Not "R"
This is normal when traffic is processed on the CAP (local forwarding mode). The "R" (Running) flag only appears on the CAP device itself, not on CAPsMAN.

---
## Network Diagram
```
                  Internet
          ┌────────────────────────┐
          │ MikroTik hAP ax³       │
          │ 192.168.31.1           │
          │ CAPsMAN Controller     │
          │                        │
          │ WiFi Interfaces:       │
          │ - hap-wifi1 (5GHz)     │
          │ - hap-wifi2 (2.4GHz)   │
          │ - XTRM, XTRM2          │
          └───────────┬────────────┘
                      │ LAN
          ┌───────────┴────────────┐
          │                        │
          ▼                        ▼
┌────────────────────┐   ┌────────────────────┐
│ MikroTik cAP ac    │   │ Other Devices      │
│ 192.168.31.6       │   │ 192.168.31.x       │
│ CAPsMAN Managed    │   │                    │
│                    │   │                    │
│ WiFi Interfaces:   │   │                    │
│ - wifi1 (2.4GHz)   │   │                    │
│ - wifi2 (5GHz)     │   │                    │
│ - XTRM, XTRM2      │   │                    │
└────────────────────┘   └────────────────────┘
```
---
## SSH Key Setup
### Adding SSH Key to MikroTik Device
1. Copy public key to device:
```bash
scp -P 2222 ~/.ssh/id_ed25519.pub user@[device-ip]:key.pub
```
2. Import key for user:
```
/user/ssh-keys/import public-key-file=key.pub user=[username]
```
3. Verify import:
```
/user/ssh-keys/print
```
4. Clean up:
```
/file/remove key.pub
```
### Current SSH Key Status
| Device | User | Key Installed |
|--------|------|---------------|
| hAP ax³ (192.168.31.1) | xtrm | Yes (mikrotik_key from Unraid) |
| hAP ax³ (192.168.31.1) | unraid | Yes (mikrotik_key from Unraid) |
| cAP ac (192.168.31.6) | xtrm | Yes (id_ed25519 from Desktop) |