
A Wi-Fi access point controller on Mikrotik
Introduction
Version 6.11 of the Mikrotik RouterOS operating system, the latest one, added an experimental function that lets a router on this platform act as a controller of Wi-Fi access points. Unfortunately, since this functionality has only just appeared and is in beta status, information about it is limited to a rather dry article in Mikrotik's Wiki reference. I could not find step-by-step setup instructions, so I decided to set everything up by trial and error. In this post I cover a simple controller setup (without going deep into the settings, of which there are many) that provides the following configuration (essentially the same as would be configured on a simple D-Link DIR-620 SOHO router with native firmware, used at home):
- Two Mikrotik RouterBoard Wi-Fi routers:
  - Routerboard RB951G-2HnD - the main one; it is the Wi-Fi controller, an access point, router, DHCP and DNS server. Below I call it the controller
  - Routerboard RB951Ui-2HnD - the additional one; it is only a Wi-Fi access point and a 3-port switch (the POE in and out ports are not included in the switch and are reserved for the future). Below I call it the access point or the point
- WPA / WPA2-PSK authentication with AES encryption
- Strictly defined channel, with a width of 20 MHz
- A single SSID, not hidden
- Clients are not isolated from each other or from the wired network (really, why would you want this at home?)
If you are interested, read on below the cut. Warning: lots of images!
Disclaimer
So, we are aware of the risks of using technology that is still at the testing stage, and we understand that you alone are responsible for repeating the steps described in this article. It is worth noting right away that this functionality is not yet compatible with:
- Nstreme AP support
- Nv2 AP support
That is, only 802.11 works.
Preparation
According to the Wiki, this system does not require Wi-Fi on the router; in that case the device can act as a controller.
First of all, you need to update the system on our routers to version 6.11. You can download the firmware file from the official Mikrotik website, then drag it to the Winbox window, and then restart the router; or go to the System -> Packages section, click the Check For Updates button and click Check For Updates again in the window that appears, and then Download & Upgrade.
Next, in the download section of the official Mikrotik website, download the Wireless CAPsMAN package file (it is located in the same place as the firmware for your platform) and install it the same way as the RouterOS update, i.e. drag it to the Winbox window and reboot.
After rebooting, go to the Packages section to make sure that the package is correctly installed and activated.

Please note that the wireless-fp package has appeared, and the wireless package has become inactive. In addition, a new CAPsMAN item appeared in the main menu and a CAP button in the Wireless section.
Controller Setup
The actions described in this section need to be performed only on the controller.
Go to the CAPsMAN section in the main menu.

The first tab, Interfaces, will contain the pseudo-interfaces that appear when access points connect to the controller, one pseudo-interface per connection. If you open any pseudo-interface, you can see the settings that are applied to it.
In principle, you can also create an interface for an access point manually, for example when a particular point needs to be singled out with special settings.
To enable controller mode, press the "Manager" button, select the Enabled checkbox and click OK.
Go to the Configurations tab. Here configurations are created that will later be deployed to our access points.
Create a new configuration.

Set the configuration name and the SSID. Only one mode is available, but just in case I decided not to leave this value empty, although everything works with it empty too. Also specify right away that all available antennas should be used for receiving and transmitting (my routers have two of them, so the third checkbox, although it is set, does not affect anything).
Next, define the channel settings.

Note that any of these settings can be made either directly in the configuration or by creating a "Channel" object on the corresponding CAPsMAN tab and then selecting it from the list. This can be convenient for complex configurations that combine various parameters across several access points. Specify the frequency (unfortunately there is no drop-down list, so the value has to be entered manually). For some reason the channel width only accepts 20 MHz for me (the console description of the field says it can be a decimal number from 0 to 4294967.295, so entering 20/40 is not possible, and if you specify a value greater than 20, an error appears saying that the access point does not support this frequency). If you do not specify the channel width, 20 MHz is used by default. Next, select the band 2ghz-b/g/n. The following field, judging by its meaning, should make it possible to widen the channel to 20/40, but for some reason this does not happen regardless of the selected value. Just in case, I choose Ce (in previous versions: above).
The next section allows you to specify network settings.

As with the channel, this section of the configuration can be defined through a separate object.
The local-forwarding checkbox hands traffic handling over to the access points. In this case, placing clients in a specific subnet (by adding the wlan interface to a specific bridge), routing, and so on are done in the usual way, i.e. via the wireless network interface. Clearing this checkbox hands control to the controller; accordingly, all the other settings on this tab apply only when the checkbox is cleared.
Security Section

It contains, in principle, the usual settings that do not need commenting. The only thing I want to note is the lack of WEP authentication. Here you can also make settings in a separate "Security" object, and then specify it in the corresponding field.
Deployment
After we have finished editing the configuration, save it. We will need it in the next stage.

On the Provisioning tab, create a new deployment. Specify the type of configuration.
Create a “Provisioning” object in this section.

The Radio Mac field lets you define the specific access point to which this deployment is applied; by default it applies to all. The action must be set to "create dynamic enabled"; the other options are needed for static interfaces. Select the newly created configuration as the main (master) one.
Configure Access Points
Everything is much simpler here. Settings are made on routers equipped with Wi-Fi modules. Go to the Wireless section.

Press the CAP button.

Check the Enabled checkbox and specify the wireless interface. If the access point and the controller are the same device, add your IP address in the CAPsMAN Addresses field.

If the access point and the controller are different devices, then CAPsMAN addresses can be omitted; instead, specify Discovery Interfaces.
The Bridge field is optional. If you specify the bridge that the local network is on, the interface is added to that bridge automatically once the connection with the controller is established; if you leave it empty, the interface has to be assigned in the Bridge menu item.

After you click OK, a red comment appears on the interface, indicating that it is managed by the controller.

After establishing a connection with the controller and receiving settings from it, a second line of comment will appear indicating the network parameters.

And in the Interfaces tab of the CAPsMAN menu item, pseudo-interfaces corresponding to these connections will appear.
After editing the controller settings, you can force update the deployment to access points in the Remote CAP and Radio sections (depending on what settings have been changed) by highlighting the desired point and pressing the Provision button.


Connected clients, per interface, can be seen in the Registration Table section.
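The Winbox steps above, written as RouterOS console commands. This is an added example, not part of the original post: the names cfg-home, bridge-local and wlan1, the SSID, the passphrase placeholder, the frequency 2437, the address 192.168.88.1 and the choice of local-forwarding=yes are assumptions, and parameter names follow the RouterOS v6 CAPsMAN console and may differ between releases.

```routeros
# Added example: console equivalent of the Winbox setup described in the post.
# All names, the SSID, the frequency and the IP address are constructed values.

# --- On the controller only: enable the CAPsMAN manager ---
/caps-man manager set enabled=yes

# One configuration: single visible SSID, fixed 20 MHz channel,
# WPA/WPA2-PSK with AES, traffic forwarded locally by the access points.
/caps-man configuration add name=cfg-home mode=ap ssid="home-wifi" \
    rx-chains=0,1,2 tx-chains=0,1,2 \
    channel.frequency=2437 channel.width=20 channel.band=2ghz-b/g/n \
    channel.extension-channel=Ce \
    datapath.local-forwarding=yes \
    security.authentication-types=wpa-psk,wpa2-psk \
    security.encryption=aes-ccm \
    security.passphrase="<PASSPHRASE-PLACEHOLDER>"

# Deployment: no radio-mac given, so it applies to every access point.
/caps-man provisioning add action=create-dynamic-enabled \
    master-configuration=cfg-home

# --- On the separate access point: find the controller by discovery ---
/interface wireless cap set enabled=yes interfaces=wlan1 \
    discovery-interfaces=bridge-local bridge=bridge-local

# --- On the controller's own radio: point CAP at the device's own address ---
/interface wireless cap set enabled=yes interfaces=wlan1 \
    caps-man-addresses=192.168.88.1 bridge=bridge-local

# --- Back on the controller: check what connected ---
/caps-man remote-cap print
/caps-man interface print
/caps-man registration-table print
```

The passphrase is stored in the configuration and shows up in configuration exports, so treat exports and backups of the controller as secrets.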

Conclusion
Since the CAPsMAN and CAP functionality has only just become publicly available and is still in beta testing status, I assume that the interface, settings and features may change very soon. But fundamental changes are unlikely to happen, so I hope that the post will not lose its relevance.
When writing this post, an article from the official Wiki Mikrotik was used.
UPD: re-read the wiki, found an error in the post regarding the datapath tab, made corrections to the article.