MikroTik - CAPsMAN

Everywhere

  1. update RouterOS
  2. enable the wireless-cm2 package
  3. /system reboot

On the APs

  1. note down the MAC addresses
  2. hold the reset button and apply power
  3. keep holding for 10 s (nothing blinks, then 2G and AP/CAP blink, then only AP/CAP blinks) ⇒ loads the CAP configuration

Note: the AP is a DHCP client

On the CAPsMAN

  1. enable neighbor discovery on the corresponding link
  2. configure the appropriate bridges
  3. configure the appropriate IPs / DHCP (including for the CAPs' link)
  4. enable the CAPsMAN service
  5. create the capsman configurations (configurations containing country/passphrase/ssid, a provisioning config with a master configuration and slave configurations)
  6. provisioning: no matching criteria, use create-dynamic-enabled, one slave = one virtual AP

/caps-man access-list

add action=accept interface=all signal-range=-80..120
add action=reject interface=all signal-range=-120..-81
- in IP neighbor: retrieve the CAP's IP address

On the CAP

  1. SSH

/system identity set name=plmcreawbg03

/password

/system reboot
y

OTHERWISE via the web interface: CAP mode, DHCP, set the identity

Example CAPsMAN config

/caps-man configuration
add channel.tx-power=3 country=france datapath.bridge=br-creafab_lan mode=ap name=\
    csmcfg-creafab_lan security.authentication-types=wpa2-psk security.encryption=\
    aes-ccm security.group-encryption=aes-ccm security.passphrase=\
    XXXXXX ssid=creafab_lan
add datapath.bridge=br-creafab_invite name=csmcfg-creafab_invite \
    ssid=SSIDXXXXX
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=csmcfg-creafab_lan \
    name-format=prefix-identity name-prefix=set1 slave-configurations=\
    csmcfg-creafab_invite

To "regenerate" the CAP interfaces

  1. delete the interfaces
  2. go to "remote cap", select a CAP and click on provision

CAP SCRIPT

#-------------------------------------------------------------------------------
# Note: script will not execute at all (will throw a syntax error) if
#       dhcp or wireless-fp packages are not installed
#-------------------------------------------------------------------------------
#| CAP configuration
#|   'ether1' is considered a management port with DHCP client configured
#|
#|   All other ethernet interfaces are bridged.
#|   'wlan1' is set to be managed by CAPsMAN

# management port name
:global manPort "ether1";
# bridge port name
:global brName "bridgeLocal";

:global logPref "defconf:";

# wait for ethernet interfaces
:while ([/interface ethernet find] = "") do={ :delay 1s; }

# try to add dhcp client on management port (may fail if already exist)
:do {
  /ip dhcp-client add interface=$manPort disabled=no
} on-error={ :log warning "$logPref unable to add dhcp client";}

:local macSet 0;
:local tmpMac "";

:foreach k in=[/interface ethernet find] do={
#  first ethernet is found; add bridge and set mac address of the ethernet port
  :if ($macSet = 0) do={
    :set tmpMac [/interface ethernet get $k mac-address];
    /interface bridge add name=$brName auto-mac=no admin-mac=$tmpMac;
    :set macSet 1;
  }
}

# try to configure caps (may fail if for example specified interfaces are missing)
# TODO: loop through all wireless interfaces
:do {
  /interface wireless cap
    set enabled=yes interfaces=wlan1 discovery-interfaces=$manPort bridge=$brName
} on-error={ :log warning "$logPref unable to configure caps";}

RESULT

# jan/11/2016 17:57:22 by RouterOS 6.33.3
# software id = Q41X-HNFF
#
/interface bridge
add admin-mac=E4:8D:8C:CB:7E:DE auto-mac=no name=bridgeLocal
/interface wireless cap
set bridge=bridgeLocal discovery-interfaces=ether1 enabled=yes interfaces=wlan1
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/system clock
set time-zone-name=Europe/Paris
/system leds
set 0 interface=wlan1
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled

EXAMPLE (manager and APs/switch on the LAN)

[admin@MikroTik] > /export
# feb/07/2018 15:10:52 by RouterOS 6.41.1
# software id = X7UN-ZDDS
#
# model = 960PGS
# serial number = 78D2077CEA93
/interface bridge
add fast-forward=no name=br-invite
add admin-mac=01:02:03:04:05:06 auto-mac=no comment=defconf name=br-lan
/caps-man configuration
add country=france datapath.bridge=br-lan datapath.client-to-client-forwarding=yes mode=ap name=conf-lan security.authentication-types=wpa2-psk security.encryption=aes-ccm \
    security.group-encryption=aes-ccm security.passphrase=passphraseTemp ssid=testSSID
add country=france datapath.bridge=br-invite datapath.client-to-client-forwarding=yes mode=ap name=conf-invite security.authentication-types=wpa2-psk security.encryption=aes-ccm \
    security.group-encryption=aes-ccm security.passphrase=passphraseTemp ssid=testSSID
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-invite ranges=192.168.111.101-192.168.111.199
/ip dhcp-server
add address-pool=pool-invite disabled=no interface=br-invite name=dhcp-invite
/port
set 0 baud-rate=115200 data-bits=8 flow-control=none name=usb1 parity=none stop-bits=1
/tool user-manager customer
set admin access=own-routers,own-users,own-profiles,own-limits,config-payment-gw
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=conf-liberasys-lan name-format=prefix-identity name-prefix=set1 slave-configurations=conf-liberasys-invite
/interface bridge port
add bridge=br-lan comment=defconf interface=ether2
add bridge=br-lan comment=defconf interface=ether3
add bridge=br-lan comment=defconf interface=ether4
add bridge=br-lan comment=defconf interface=ether5
add bridge=br-lan comment=defconf interface=sfp1
add bridge=br-lan interface=ether1
/interface list member
add comment=defconf interface=br-lan list=LAN
add comment=defconf interface=br-invite list=WAN
/ip address
add address=192.168.111.254/24 interface=br-invite network=192.168.111.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=br-lan
/ip dhcp-server network
add address=192.168.111.0/24 dns-server=192.168.111.254 gateway=192.168.111.254
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Paris
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set br-lan disabled=yes display-time=5s
set br-invite disabled=yes display-time=5s
set set1-gros-1 disabled=yes display-time=5s
set set1-gros-1-1 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
set sfp1 disabled=yes display-time=5s
set set1-gros-2 disabled=yes display-time=5s
set set1-gros-2-1 disabled=yes display-time=5s
set set1-petit-1 disabled=yes display-time=5s
set set1-petit-1-1 disabled=yes display-time=5s
set set1-petit-2 disabled=yes display-time=5s
set set1-petit-2-1 disabled=yes display-time=5s
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool user-manager database
set db-path=flash/user-manager
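A small checker for exports like the two CAPsMAN examples on this page, added here as an example and not part of the original notes or of RouterOS: it parses the /caps-man configuration and /caps-man provisioning sections of an /export and flags what a reviewer should catch above (LAN and guest configurations sharing one SSID and one passphrase across different bridges, provisioning naming configurations that are not defined, a configuration with no security settings). The embedded export is constructed from the page's values; parse_export and lint_capsman are names chosen for this example.

```python
import shlex
# Constructed sample modelled on the page's exports: shared SSID/passphrase on both configurations, provisioning naming undefined configurations.
SAMPLE_EXPORT = r"""
/caps-man configuration
add country=france datapath.bridge=br-lan mode=ap name=conf-lan security.authentication-types=wpa2-psk \
    security.passphrase=passphraseTemp ssid=testSSID
add country=france datapath.bridge=br-invite mode=ap name=conf-invite security.authentication-types=wpa2-psk \
    security.passphrase=passphraseTemp ssid=testSSID
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=conf-liberasys-lan slave-configurations=conf-liberasys-invite
"""

def parse_export(text):
    """Map each /section of a RouterOS export to its 'add' entries as key/value dicts."""
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):                 # trailing backslash: the command continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("/"):                # menu path, e.g. /caps-man configuration
            section = line
            sections.setdefault(section, [])
        elif section and line.startswith("add "):
            sections[section].append(dict(p.partition("=")[::2] for p in shlex.split(line)[1:]))
    return sections

def lint_capsman(sections):
    """Findings to clear before provisioning CAPs with this configuration."""
    configs = sections.get("/caps-man configuration", [])
    by_name = {c["name"]: c for c in configs}
    findings, ssid_owner, key_owner = [], {}, {}
    for prov in sections.get("/caps-man provisioning", []):
        refs = [prov.get("master-configuration", "")] + prov.get("slave-configurations", "").split(",")
        findings += [f"provisioning references unknown configuration '{r}'" for r in refs if r and r not in by_name]
    for c in configs:
        ssid, key, bridge = c.get("ssid"), c.get("security.passphrase"), c.get("datapath.bridge")
        if ssid in ssid_owner:                  # clients cannot tell the LAN network from the guest one
            findings.append(f"ssid '{ssid}' reused by '{ssid_owner[ssid]}' and '{c['name']}'")
        elif ssid:
            ssid_owner[ssid] = c["name"]
        if key in key_owner and key_owner[key] != bridge:   # the guest PSK would also open the LAN bridge
            findings.append(f"passphrase shared by bridges '{key_owner[key]}' and '{bridge}'")
        elif key:
            key_owner[key] = bridge
        if not (c.get("security") or c.get("security.authentication-types")):
            findings.append(f"configuration '{c['name']}' has no security settings (open SSID)")
    return findings
```

Run it against the output of /export on the manager; an empty list from lint_capsman means none of these four problems is present.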