====== Mikrotik - CAPsMAN ======

===== Everywhere =====

  - update RouterOS
  - enable the ''wireless-cm2'' package (on RouterOS 6.37 and later CAPsMAN v2 is already part of the ''wireless'' package and there is no separate ''wireless-cm2'' to enable)
  - ''/system reboot''

===== On the APs =====

  - note the MAC addresses
  - hold the reset button and apply power
  - keep holding for about 10 s (nothing blinks, then the 2G and AP/CAP LEDs blink, then only AP/CAP blinks) => the CAP configuration is loaded

**Note:** the AP is then a DHCP client: it gets its address on the management port and looks for a manager from there.

===== On the CAPsMAN =====

  - enable neighbor discovery on the link the CAPs are attached to
  - configure the bridges you need
  - configure the IP addresses / DHCP you need (including for the link the CAPs are on)
  - enable the CAPsMAN service
  - create the CAPsMAN configurations (configurations carrying country/passphrase/SSID, plus a provisioning rule with one master configuration and slave configurations)
  - provisioning: no matching criteria, use ''create-dynamic-enabled''; each slave configuration becomes one virtual AP on the CAP
  - access list: refuse clients whose signal is below -80 dBm so that far-away clients do not drag the cell down (rules are evaluated in order, first match wins, so the accept rule must come first):

<code>
/caps-man access-list
add action=accept interface=all signal-range=-80..120
add action=reject interface=all signal-range=-120..-81
</code>

  - in IP > Neighbors: get the CAP's IP address

===== On the CAP =====

Over SSH (set the identity, change the admin password, reboot; ''y'' answers the reboot prompt):

<code>
/system identity set name=plmcreawbg03
/password
/system reboot
y
</code>

**OTHERWISE**: web interface, CAP mode, DHCP, set the identity.

===== CAPsMAN configuration example =====

<code>
/caps-man configuration
add channel.tx-power=3 country=france datapath.bridge=br-creafab_lan mode=ap name=\
    csmcfg-creafab_lan security.authentication-types=wpa2-psk security.encryption=\
    aes-ccm security.group-encryption=aes-ccm security.passphrase=\
    XXXXXX ssid=creafab_lan
add datapath.bridge=br-creafab_invite name=csmcfg-creafab_invite \
    ssid=SSIDXXXXX
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=csmcfg-creafab_lan \
    name-format=prefix-identity name-prefix=set1 slave-configurations=\
    csmcfg-creafab_invite
</code>

**Caveat:** the ''security.*'' settings belong to each configuration and are not inherited from the master. As written, ''csmcfg-creafab_invite'' has no ''security.authentication-types'' / ''security.encryption'' / ''security.passphrase'', so the guest SSID comes up as an open network. Give the slave configuration its own ''wpa2-psk'' + ''aes-ccm'' settings (or a ''security'' profile) unless an open guest network is what you want.

===== To "regenerate" the CAP interfaces =====

  - delete the interfaces
  - go to Remote CAP, select a CAP and click Provision

===== CAP SCRIPT =====

The default CAP configuration script that the reset-button procedure loads. The step that adds the remaining ethernet ports to the bridge (promised by the script header, and the reason for the otherwise unbalanced closing brace) is restored here.

<code>
#-------------------------------------------------------------------------------
# Note: script will not execute at all (will throw a syntax error) if
#       dhcp or wireless-fp packages are not installed
#-------------------------------------------------------------------------------
#| CAP configuration
#|   'ether1' is considered a management port with DHCP client configured
#|
#|   All other ethernet interfaces are bridged.
#|   'wlan1' is set to be managed by CAPsMAN

# management port name
:global manPort "ether1";
# bridge port name
:global brName "bridgeLocal";
:global logPref "defconf:";

# wait for ethernet interfaces
:while ([/interface ethernet find] = "") do={ :delay 1s; }

# try to add dhcp client on management port (may fail if already exist)
:do {
  /ip dhcp-client add interface=$manPort disabled=no
} on-error={ :log warning "$logPref unable to add dhcp client";}

:local macSet 0;
:local tmpMac "";

:foreach k in=[/interface ethernet find] do={
  # first ethernet is found; add bridge and set mac address of the ethernet port
  :if ($macSet = 0) do={
    :set tmpMac [/interface ethernet get $k mac-address];
    /interface bridge add name=$brName auto-mac=no admin-mac=$tmpMac;
    :set macSet 1;
  }
  # every ethernet port except the management port joins the bridge
  # (the "All other ethernet interfaces are bridged" behaviour announced in the header)
  :if ([/interface ethernet get $k name] != $manPort) do={
    /interface bridge port add bridge=$brName interface=$k;
  }
}

# try to configure caps (may fail if for example specified interfaces are missing)
# TODO: loop through all wireless interfaces
:do {
  /interface wireless cap set enabled=yes interfaces=wlan1 discovery-interfaces=$manPort bridge=$brName
} on-error={ :log warning "$logPref unable to configure caps";}
</code>

==== Result ====

<code>
# jan/11/2016 17:57:22 by RouterOS 6.33.3
# software id = Q41X-HNFF
#
/interface bridge
add admin-mac=E4:8D:8C:CB:7E:DE auto-mac=no name=bridgeLocal
/interface wireless cap
set bridge=bridgeLocal discovery-interfaces=ether1 enabled=yes interfaces=wlan1
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/system clock
set time-zone-name=Europe/Paris
/system leds
set 0 interface=wlan1
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled
</code>

Two things worth checking on a deployed CAP:

  - ''discovery-interfaces=ether1'' means the CAP accepts whichever manager answers its broadcast discovery on that port. On a shared segment, pin it to the manager instead (''caps-man-addresses='' with the manager's IP, or certificates plus ''lock-to-caps-man=yes''); the firmware defaults the radio to an unconfigured state until a manager is found, so a rogue manager on the CAP's segment gets to push the SSID and the passphrase.
  - ''protected-routerboot=disabled'' is exactly what allows the reset-button + power trick above (and Netinstall). Enabling it later blocks both, so only do so once the CAP is provisioned and you have another way in.

===== EXAMPLE (manager and APs/switch on the LAN) =====
<code>
[admin@MikroTik] > /export
# feb/07/2018 15:10:52 by RouterOS 6.41.1
# software id = X7UN-ZDDS
#
# model = 960PGS
# serial number = 78D2077CEA93
/interface bridge
add fast-forward=no name=br-invite
add admin-mac=01:02:03:04:05:06 auto-mac=no comment=defconf name=br-lan
/caps-man configuration
# testSSID / passphraseTemp are placeholders: the two configurations need
# distinct SSIDs and a real passphrase before this goes into production
add country=france datapath.bridge=br-lan datapath.client-to-client-forwarding=yes mode=ap \
    name=conf-lan security.authentication-types=wpa2-psk security.encryption=aes-ccm \
    security.group-encryption=aes-ccm security.passphrase=passphraseTemp ssid=testSSID
add country=france datapath.bridge=br-invite datapath.client-to-client-forwarding=yes mode=ap \
    name=conf-invite security.authentication-types=wpa2-psk security.encryption=aes-ccm \
    security.group-encryption=aes-ccm security.passphrase=passphraseTemp ssid=testSSID
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-invite ranges=192.168.111.101-192.168.111.199
/ip dhcp-server
add address-pool=pool-invite disabled=no interface=br-invite name=dhcp-invite
/port
set 0 baud-rate=115200 data-bits=8 flow-control=none name=usb1 parity=none stop-bits=1
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/caps-man manager
set enabled=yes
/caps-man provisioning
# master-configuration / slave-configurations must name configurations that
# exist (conf-lan / conf-invite above); an unknown name leaves the CAPs unprovisioned
add action=create-dynamic-enabled master-configuration=conf-lan name-format=prefix-identity \
    name-prefix=set1 slave-configurations=conf-invite
/interface bridge port
add bridge=br-lan comment=defconf interface=ether2
add bridge=br-lan comment=defconf interface=ether3
add bridge=br-lan comment=defconf interface=ether4
add bridge=br-lan comment=defconf interface=ether5
add bridge=br-lan comment=defconf interface=sfp1
add bridge=br-lan interface=ether1
/interface list member
add comment=defconf interface=br-lan list=LAN
add comment=defconf interface=br-invite list=WAN
/ip address
add address=192.168.111.254/24 interface=br-invite network=192.168.111.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=br-lan
/ip dhcp-server network
add address=192.168.111.0/24 dns-server=192.168.111.254 gateway=192.168.111.254
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Paris
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set br-lan disabled=yes display-time=5s
set br-invite disabled=yes display-time=5s
set set1-gros-1 disabled=yes display-time=5s
set set1-gros-1-1 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
set sfp1 disabled=yes display-time=5s
set set1-gros-2 disabled=yes display-time=5s
set set1-gros-2-1 disabled=yes display-time=5s
set set1-petit-1 disabled=yes display-time=5s
set set1-petit-1-1 disabled=yes display-time=5s
set set1-petit-2 disabled=yes display-time=5s
set set1-petit-2-1 disabled=yes display-time=5s
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool user-manager database
set db-path=flash/user-manager
</code>

Reading the export:

  - In the export as captured, the provisioning rule referenced ''conf-liberasys-lan'' / ''conf-liberasys-invite'', names that do not appear in ''/caps-man configuration''; it is shown here with the configurations actually defined (''conf-lan'' / ''conf-invite'').
  - The ''/system lcd page'' entries show what ''name-format=prefix-identity name-prefix=set1'' produces: for a CAP whose identity is ''gros-1'' the master configuration becomes interface ''set1-gros-1'' and the slave (guest virtual AP) ''set1-gros-1-1''; likewise for ''gros-2'', ''petit-1'' and ''petit-2''.
  - The manager is itself a LAN client (''/ip dhcp-client'' on ''br-lan''), so its default route, and therefore the guests' way out, goes through whatever gateway the LAN hands out.
  - ''br-invite'' is put in the ''WAN'' interface list, which the IPv6 defconf rules honour (''drop everything else not coming from LAN''). There is no IPv4 ''/ip firewall filter'' at all in this export, so over IPv4 a guest on 192.168.111.0/24 can reach every service on the router (DNS is even opened with ''allow-remote-requests=yes'', plus Winbox, SSH, the API), and, since the router forwards by default, every host on 192.168.88.0/24. There is also no ''srcnat'', so replies to guest traffic only come back if the LAN gateway has a route for 192.168.111.0/24 via this box. Add IPv4 input/forward rules before putting this in front of guests.
  - ''/tool mac-server'' and ''mac-winbox'' limited to the ''LAN'' list is correct: MAC-level management stays unreachable from the guest bridge.
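The export above has IPv6 firewall rules but no IPv4 ones, so nothing separates the guest bridge from the LAN or from the router's own services. What follows is an added example, not part of the original page and not MikroTik's default configuration: a RouterOS 6.41+ fragment that complements the "On the CAPsMAN" steps in the same topology as the export (manager on ''br-lan'' in the ''LAN'' list, guests on ''br-invite'' in the ''WAN'' list, LAN 192.168.88.0/24, guests 192.168.111.0/24, all taken from the export). The ''rfc1918'' address-list name and the rule comments are my own choices. It restricts where the manager accepts CAPs, limits neighbor discovery to the LAN, lets guests get only DHCP and DNS from the router, keeps guest traffic out of every private range, and masquerades guest traffic behind the router's LAN address so the LAN gateway needs no route back.

```routeros
# --- CAPsMAN: accept CAP registrations on the LAN bridge only, never from the guest side ---
/caps-man manager interface
set [ find default=yes ] forbid=yes
add interface=br-lan

# --- MNDP neighbor discovery only where the CAPs live (the "enable neighbor discovery" step) ---
/ip neighbor discovery-settings
set discover-interface-list=LAN

# --- Private ranges that guests must never reach (list name is an assumption of this example) ---
/ip firewall address-list
add list=rfc1918 address=10.0.0.0/8 comment="guest isolation"
add list=rfc1918 address=172.16.0.0/12 comment="guest isolation"
add list=rfc1918 address=192.168.0.0/16 comment="guest isolation"

# --- Input chain: what may talk to the router itself (mirrors the IPv6 defconf pattern) ---
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept in-interface=br-invite protocol=udp dst-port=67 comment="guest: DHCP from the router"
add chain=input action=accept in-interface=br-invite protocol=udp dst-port=53 comment="guest: DNS (udp), needs allow-remote-requests=yes"
add chain=input action=accept in-interface=br-invite protocol=tcp dst-port=53 comment="guest: DNS (tcp)"
add chain=input action=drop in-interface-list=!LAN comment="drop everything else not coming from LAN (guests hit this)"

# --- Forward chain: guests reach the Internet only; CAPs and LAN are untouched ---
/ip firewall filter
add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop in-interface=br-invite dst-address-list=rfc1918 comment="guest: no LAN, no CAP management, no other private range"
add chain=forward action=accept in-interface=br-invite comment="guest: everything else goes out via the LAN gateway"
add chain=forward action=drop in-interface-list=!LAN comment="drop everything else not coming from LAN"

# --- Source NAT: guest traffic leaves with the router's own br-lan address ---
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.111.0/24 out-interface=br-lan comment="guest: masquerade towards the LAN gateway"
```

Apply it from a session on the LAN side, or under Winbox Safe Mode, because the last ''input'' rule drops everything that does not arrive through an interface in the ''LAN'' list. Traffic from the CAPs (UDP 5246/5247 to the manager) comes in on ''br-lan'', so it never reaches that rule and falls through to the default accept; the ''/caps-man manager interface'' entries are what stop a CAP, or something pretending to be one, from registering over the guest bridge. Guests can still talk to each other at layer 2 on ''br-invite''; set ''datapath.client-to-client-forwarding=no'' in ''conf-invite'' if that is not wanted.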