28.07.2024

1321

CAP lite im CAPsMode - ping und winbox nicht möglich

Hallo,

ich habe einen RB5009 und 2 cAP XL und einen cAP lite. Aus Hobbygründen möchte ich die Geräte mit CAPSMAN betreiben. Alle APs funktionieren aus WLAN-Sicht weitestgehend wie sie sollen. Alle drei Geräte stellen 2 SSIDs zur Verfügung und über alle Geräte sind Clients im Netz. Zu versorgen sind ca. 80 Clients. Alle APs und SSIDs und zugehörige VLANs werden richtig verbunden. Den lite habe ich zuletzt hinzugefügt und per Reset-Taster in den CAPS-Mode versetzt. Am Router-Port bekommt er alle VLANs für die SSIDs tagged und den 10er als untagged zur Verfügung gestellt. Im 10er-Netz läuft ein DHCP und stellt auch eine IP 10.4 bereit. Aber ich erreiche den AP nur via Router und MAC Telnet. ping vom Router oder PC bleibt unbeantwortet.
Wonach kann ich noch schauen? Welche Infos kann ich euch noch zur Verfügung stellen?

Bitte markiere auch die Kommentare, die zur Lösung des Beitrags beigetragen haben

Content-ID: 53064799799

Url: https://administrator.de/contentid/53064799799

Ausgedruckt am: 23.11.2024 um 09:11 Uhr

20 Kommentare

Neuester Kommentar

Moin.

ping vom Router oder PC bleibt unbeantwortet.
Wonach kann ich noch schauen?

Firewall.

Welche Infos kann ich euch noch zur Verfügung stellen?

Wie immer bringt uns ein

/export

vom RB5009 und CAP sofortige Klarheit.

Gruß strods

beide exporte folgen
beim 5009er habe ich capsman access-listen, DHCP-leases und dns-static-listen gekürzt.

Vielen Dank.

cAP lite export

# 2024-07-25 16:38:00 by RouterOS 7.14
# software id = MG6B-84LY
#
# model = RBcAPL-2nD
# serial number = XXXXXXXXXXXX
/interface bridge
add admin-mac=DC:2C:6E:CB:97:D6 auto-mac=no comment=defconf name=bridgeLocal port-cost-mode=short
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(18dBm), SSID: AUS, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridgeLocal comment=defconf ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server
set auth=sha1,md5
/interface wireless cap
# 
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes interfaces=wlan1
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=AP3_HWR_lite
/system note
set show-at-login=no

RB5009 export:

# 2024-07-29 01:52:10 by RouterOS 7.15.3
# software id = TLNV-6NZM
#
# model = RB5009UPr+S+
# serial number = XXXXXXXXXXXX
/caps-man channel add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2432 name=2GHz-Ch5 tx-power=10
/caps-man channel add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2452 name=2GHz-Ch9 tx-power=10
/caps-man channel add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=2Ghz-Ch1 tx-power=10
/caps-man channel add band=5ghz-a/n/ac control-channel-width=40mhz-turbo extension-channel=disabled frequency=5180 name=Ch36_20M tx-power=20
/interface bridge add dhcp-snooping=yes fast-forward=no igmp-snooping=yes ingress-filtering=no name=BR1 port-cost-mode=short pvid=10 vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ] advertise=1G-baseT-half,1G-baseT-full comment=WAN name=ether1-WAN-fritte poe-out=off
/interface ethernet set [ find default-name=ether2 ] advertise=100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full comment=Pi4-3-HA mac-address=DC:2C:6E:3E:E5:2A name=ether2-Pi4-3-HA
/interface ethernet set [ find default-name=ether3 ] advertise=100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full comment=Pi4-1 mac-address=DC:2C:6E:3E:E5:2B name=ether3-Pi4-1 poe-out=off
/interface ethernet set [ find default-name=ether4 ] advertise=100M-baseT-full comment=ap-hwr mac-address=DC:2C:6E:3E:E5:2C name=ether4-AP3-HWR-lite
/interface ethernet set [ find default-name=ether5 ] advertise=100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full comment=Pi4-2 mac-address=DC:2C:6E:3E:E5:2D name=ether5-Pi4-2
/interface ethernet set [ find default-name=ether6 ] advertise=100M-baseT-full mac-address=DC:2C:6E:3E:E5:2E name=ether6-AP4-HWR-ax
/interface ethernet set [ find default-name=ether7 ] advertise=100M-baseT-full,1G-baseT-full comment=ap-kitchen mac-address=DC:2C:6E:3E:E5:2F name=ether7-PP8-AP2-EG-XL
/interface ethernet set [ find default-name=ether8 ] advertise=1G-baseT-full comment=ap-dach mac-address=DC:2C:6E:3E:E5:30 name=ether8-PP18-AP1-OG-XL
/interface ethernet set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no mac-address=DC:2C:6E:3E:E5:31 name=sfp1-MT-switch
/interface wireguard add listen-port=13232 mtu=1420 name=wireguard2
/interface vlan add interface=BR1 name=VLAN10_admin vlan-id=10
/interface vlan add interface=BR1 name=VLAN11_server vlan-id=11
/interface vlan add interface=BR1 name=VLAN20_maindevices vlan-id=20
/interface vlan add interface=BR1 name=VLAN21_guests vlan-id=21
/interface vlan add interface=BR1 name=VLAN30_iot vlan-id=30
/interface vlan add interface=BR1 name=VLAN40_smarthome vlan-id=40
/interface vlan add interface=BR1 name=VLAN50_iot vlan-id=50
/interface vlan add interface=BR1 name=VLAN60_guest vlan-id=60
/interface vlan add interface=BR1 name=VLAN90_pis vlan-id=90
/caps-man rates add basic=6Mbps name="GN Only - No B rates" supported=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps  
/caps-man security add authentication-types=wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=12h name=wpa2
/disk set usb1 media-interface=none media-sharing=no
/interface list add name=WAN
/interface list add name=VLANs
/caps-man configuration add country=germany datapath.bridge=BR1 .client-to-client-forwarding=yes .interface-list=VLANs .local-forwarding=yes .vlan-mode=use-tag distance=dynamic installation=any mode=ap multicast-helper=full name="SSID DC10" rates.basic=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps .ht-basic-mcs="" .supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps .vht-basic-mcs="" .vht-supported-mcs="" rx-chains="" security.authentication-types=wpa2-psk .eap-methods=passthrough .eap-radius-accounting=yes .encryption=aes-ccm .group-encryption=aes-ccm .group-key-update=12h .tls-certificate=none .tls-mode=no-certificates ssid=dc10 tx-chains=""  
/caps-man configuration add country=germany datapath.bridge=BR1 .client-to-client-forwarding=yes .interface-list=VLANs .local-forwarding=yes .vlan-mode=use-tag distance=dynamic installation=any mode=ap multicast-helper=full name="SSID DC11" rates.basic=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps .ht-basic-mcs="" .supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps .vht-basic-mcs="" .vht-supported-mcs="" rx-chains="" security.authentication-types=wpa2-psk .eap-radius-accounting=no .encryption=aes-ccm .group-encryption=aes-ccm .group-key-update=12h .tls-certificate=none .tls-mode=no-certificates ssid=dc11 tx-chains=""  
/caps-man configuration add country=germany datapath.bridge=BR1 .client-to-client-forwarding=yes .interface-list=VLANs .local-forwarding=yes .vlan-mode=use-tag distance=dynamic installation=any mode=ap multicast-helper=full name="SSID 247-404" rates.basic=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps .ht-basic-mcs="" .supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps .vht-basic-mcs="" .vht-supported-mcs="" rx-chains="" security.authentication-types=wpa2-psk .eap-radius-accounting=no .encryption=aes-ccm .group-encryption=aes-ccm .group-key-update=12h .tls-certificate=none .tls-mode=no-certificates ssid=247-404 tx-chains=""  
/caps-man configuration add country=germany datapath.bridge=BR1 .client-to-client-forwarding=yes .interface-list=VLANs .local-forwarding=yes .vlan-mode=use-tag distance=dynamic installation=any mode=ap multicast-helper=full name="SSID TARS-42" rates.basic=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps .ht-basic-mcs="" .supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps .vht-basic-mcs="" .vht-supported-mcs="" rx-chains="" security.authentication-types=wpa2-psk .eap-radius-accounting=no .encryption=aes-ccm .group-encryption=aes-ccm .group-key-update=12h .tls-certificate=none .tls-mode=no-certificates ssid=TARS-42 tx-chains=""  
/caps-man configuration add country=germany datapath.bridge=BR1 .client-to-client-forwarding=yes .interface-list=VLANs .local-forwarding=yes .vlan-mode=use-tag distance=dynamic installation=any mode=ap multicast-helper=full name="SSID skynet" rates.basic=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps .ht-basic-mcs="" .supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps .vht-basic-mcs="" .vht-supported-mcs="" rx-chains="" security.authentication-types=wpa2-psk .eap-methods=passthrough .eap-radius-accounting=no .encryption=aes-ccm .group-encryption=aes-ccm .group-key-update=12h .tls-certificate=none .tls-mode=no-certificates ssid=skynet tx-chains=""  
/caps-man configuration add country=germany datapath.bridge=BR1 .client-to-client-forwarding=yes .interface-list=VLANs .local-forwarding=yes .vlan-mode=use-tag distance=dynamic installation=any mode=ap multicast-helper=full name="SSID AUS" rates.basic=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps .ht-basic-mcs="" .supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps .vht-basic-mcs="" .vht-supported-mcs="" rx-chains="" security.authentication-types=wpa2-psk .eap-methods=eap-tls .eap-radius-accounting=no .encryption=aes-ccm .group-encryption=aes-ccm .group-key-update=12h .tls-certificate=none .tls-mode=no-certificates ssid=AUS tx-chains=""  
/caps-man datapath add bridge=BR1 client-to-client-forwarding=no interface-list=VLANs local-forwarding=no name=vlan-datapath vlan-mode=use-tag
/caps-man configuration add country=germany datapath=vlan-datapath datapath.vlan-id=10 distance=indoors installation=any mode=ap multicast-helper=full name="SSID tipic" rx-chains="" security=wpa2 ssid=tipic tx-chains=""  
/caps-man configuration add country=germany datapath=vlan-datapath datapath.vlan-id=60 distance=indoors installation=any mode=ap multicast-helper=full name="SSID showboxx" rx-chains="" security=wpa2 ssid=showboxx tx-chains=""  
/caps-man configuration add channel.band=2ghz-g/n country=germany datapath=vlan-datapath datapath.arp=enabled .client-to-client-forwarding=yes .local-forwarding=no .vlan-id=40 distance=indoors installation=any mode=ap multicast-helper=full name="SSID amnesia" rx-chains="" security=wpa2 ssid=amnesia tx-chains=""  
/caps-man configuration add channel.band=2ghz-g/n country=germany datapath=vlan-datapath datapath.client-to-client-forwarding=no .local-forwarding=yes .vlan-id=50 distance=dynamic installation=any mode=ap multicast-helper=full name="SSID blitz" rx-chains="" security=wpa2 ssid=blitz tx-chains=""  
/caps-man configuration add country=germany datapath=vlan-datapath datapath.arp=enabled .vlan-id=20 distance=dynamic installation=any mode=ap multicast-helper=full name="SSID harryklein" rx-chains="" security=wpa2 ssid=harryklein tx-chains=""  
/interface wifi security add authentication-types=wpa2-eap disabled=no name=sec1
/interface wifi configuration add country=Germany disabled=no name=5ghz security=sec1 ssid=CAPsMAN_5
/interface wifi configuration add name=2ghz security=sec1 ssid=CAPsMAN2
/interface wifi configuration add country=Germany disabled=no name=5ghz_v security=sec1 ssid=CAPsMAN5_v
/interface wireless security-profiles set [ find default=yes ] radius-mac-mode=as-username-and-password supplicant-identity=MikroTik
/ip dhcp-server option add code=42 name=NTP-Server value="'130.149.17.21'"  
/ip hotspot profile add dns-name=button.hotspot hotspot-address=192.168.60.1 name=hsprof1
/ip hotspot user profile set [ find default=yes ] keepalive-timeout=3h status-autorefresh=1h
/ip kid-control add fri=0s-23h5m mon=0s-23h5m name=julius sat=0s-23h5m sun=0s-23h5m thu=0s-23h5m tue=0s-23h5m wed=0s-23h5m
/ip pool add name=POOL01 ranges=192.168.1.2-192.168.1.254
/ip pool add name=POOL10 ranges=192.168.10.200-192.168.10.254
/ip pool add name=POOL20 ranges=192.168.20.200-192.168.20.254
/ip pool add name=POOL30 ranges=192.168.30.200-192.168.30.254
/ip pool add name=POOL40 ranges=192.168.40.200-192.168.40.254
/ip pool add name=POOL50 ranges=192.168.50.200-192.168.50.254
/ip pool add name=POOL90 ranges=192.168.90.200-192.168.90.254
/ip pool add name=POOL60 ranges=192.168.60.200-192.168.60.254
/ip pool add name=POOL21 ranges=192.168.21.200-192.168.21.254
/ip pool add name=POOL11 ranges=192.168.11.200-192.168.11.254
/ip dhcp-server add address-pool=POOL01 disabled=yes interface=BR1 lease-time=10m name=DHCP-SRV1
/ip dhcp-server add address-pool=POOL10 interface=VLAN10_admin lease-time=10m name=VLAN10_DHCP
/ip dhcp-server add address-pool=POOL20 interface=VLAN20_maindevices lease-time=5m name=VLAN20_DHCP use-radius=yes
/ip dhcp-server add address-pool=POOL30 interface=VLAN30_iot lease-time=10m name=VLAN30_DHCP
/ip dhcp-server add address-pool=POOL40 interface=VLAN40_smarthome lease-time=10m name=VLAN40_DHCP use-radius=yes
/ip dhcp-server add address-pool=POOL50 interface=VLAN50_iot lease-time=10m name=VLAN50_DHCP
/ip dhcp-server add address-pool=POOL90 interface=VLAN90_pis lease-time=10m name=VLAN90_DHCP
/ip dhcp-server add address-pool=POOL21 interface=VLAN21_guests lease-time=10m name=VLAN21_DHCP
/ip dhcp-server add address-pool=POOL60 interface=VLAN60_guest lease-time=10m name=VLAN60_DHCP
/ip dhcp-server add address-pool=POOL11 interface=VLAN11_server lease-time=10m name=VLAN11_DHCP
/ip hotspot add address-pool=POOL60 disabled=no idle-timeout=2h interface=VLAN60_guest keepalive-timeout=1h name=hotspot1 profile=hsprof1
/ip smb users set [ find default=yes ] disabled=yes
/ip smb users add name=smb-admin
/system logging action set 0 memory-lines=5000
/system logging action set 1 disk-lines-per-file=5000
/caps-man aaa set mac-mode=as-username-and-password
/caps-man access-list add action=accept allow-signal-out-of-range=10s comment=sw2,plug-aqua,aqua disabled=no interface=any mac-address=E4:C3:2A:89:F8:4F radius-accounting=no ssid-regexp=AUS vlan-id=40 vlan-mode=use-tag
/caps-man access-list add action=accept allow-signal-out-of-range=10s comment=guest-rule disabled=no interface=any radius-accounting=no ssid-regexp=AUS vlan-id=21 vlan-mode=use-tag
/caps-man access-list add action=accept allow-signal-out-of-range=10s comment="only in range" disabled=yes signal-range=-80..120 ssid-regexp=""  
/caps-man access-list add action=reject allow-signal-out-of-range=10s comment="reject all others" disabled=yes ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat  
/caps-man manager set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=suggest-same-version
/caps-man manager interface add interface=ether4-AP3-HWR-lite
/caps-man manager interface add interface=ether7-PP8-AP2-EG-XL
/caps-man manager interface add interface=ether8-PP18-AP1-OG-XL
/caps-man provisioning add action=create-dynamic-enabled master-configuration="SSID AUS" name-format=identity slave-configurations="SSID blitz"  
/ip smb set enabled=yes
/dude set enabled=yes
/interface bridge port add bridge=BR1 ingress-filtering=no interface=ether4-AP3-HWR-lite internal-path-cost=10 path-cost=10 pvid=10 trusted=yes
/interface bridge port add bridge=BR1 ingress-filtering=no interface=ether6-AP4-HWR-ax internal-path-cost=10 path-cost=10 pvid=10 trusted=yes
/interface bridge port add bridge=BR1 ingress-filtering=no interface=ether5-Pi4-2 internal-path-cost=10 path-cost=10 pvid=40
/interface bridge port add bridge=BR1 ingress-filtering=no interface=ether7-PP8-AP2-EG-XL internal-path-cost=10 path-cost=10 pvid=10 trusted=yes
/interface bridge port add bridge=BR1 ingress-filtering=no interface=ether8-PP18-AP1-OG-XL internal-path-cost=10 path-cost=10 pvid=10 trusted=yes
/interface bridge port add bridge=BR1 ingress-filtering=no interface=sfp1-MT-switch internal-path-cost=10 path-cost=10 pvid=10 trusted=yes
/interface bridge port add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3-Pi4-1 internal-path-cost=10 path-cost=10 pvid=40
/interface bridge port add bridge=BR1 ingress-filtering=no interface=ether2-Pi4-3-HA internal-path-cost=10 path-cost=10 pvid=40
/interface bridge settings set use-ip-firewall-for-vlan=yes
/ip firewall connection tracking set udp-timeout=10s
/ip neighbor discovery-settings set discover-interface-list=all
/ipv6 settings set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes forward=no
/interface bridge vlan add bridge=BR1 tagged=BR1,sfp1-MT-switch vlan-ids=10
/interface bridge vlan add bridge=BR1 tagged=sfp1-MT-switch,BR1,ether4-AP3-HWR-lite,ether3-Pi4-1,ether7-PP8-AP2-EG-XL,ether8-PP18-AP1-OG-XL,ether5-Pi4-2,ether6-AP4-HWR-ax vlan-ids=20
/interface bridge vlan add bridge=BR1 tagged=sfp1-MT-switch,BR1,ether5-Pi4-2,ether6-AP4-HWR-ax,ether7-PP8-AP2-EG-XL,ether8-PP18-AP1-OG-XL vlan-ids=30
/interface bridge vlan add bridge=BR1 tagged=sfp1-MT-switch,BR1,ether7-PP8-AP2-EG-XL,ether8-PP18-AP1-OG-XL,ether4-AP3-HWR-lite vlan-ids=40
/interface bridge vlan add bridge=BR1 tagged=sfp1-MT-switch,BR1,ether5-Pi4-2,ether4-AP3-HWR-lite,ether7-PP8-AP2-EG-XL,ether8-PP18-AP1-OG-XL vlan-ids=50
/interface bridge vlan add bridge=BR1 tagged=BR1,sfp1-MT-switch,ether7-PP8-AP2-EG-XL,ether8-PP18-AP1-OG-XL vlan-ids=60
/interface bridge vlan add bridge=BR1 tagged=sfp1-MT-switch,BR1 vlan-ids=90
/interface bridge vlan add bridge=BR1 tagged=BR1,sfp1-MT-switch,ether7-PP8-AP2-EG-XL,ether8-PP18-AP1-OG-XL vlan-ids=21
/interface bridge vlan add bridge=BR1 tagged=BR1,sfp1-MT-switch vlan-ids=11
/interface ethernet switch set 0 name=rb5009-router
/interface list member add interface=ether1-WAN-fritte list=WAN
/interface list member add interface=VLAN20_maindevices list=VLANs
/interface list member add interface=VLAN50_iot list=VLANs
/interface list member add interface=VLAN30_iot list=VLANs
/interface list member add interface=VLAN40_smarthome list=VLANs
/interface list member add interface=VLAN10_admin list=VLANs
/interface list member add interface=VLAN90_pis list=VLANs
/interface list member add interface=VLAN60_guest list=VLANs
/interface list member add interface=VLAN11_server list=VLANs
/interface ovpn-server server set auth=sha1,md5
/interface wifi capsman set ca-certificate=auto certificate=auto enabled=yes interfaces=ether6-AP4-HWR-ax,ether7-PP8-AP2-EG-XL package-path="" require-peer-certificate=no upgrade-policy=none  
/interface wifi provisioning add action=create-dynamic-enabled master-configuration=5ghz slave-configurations=5ghz_v supported-bands=5ghz-n
/interface wifi provisioning add action=create-dynamic-enabled master-configuration=2ghz supported-bands=2ghz-n
/interface wireless cap set caps-man-addresses=192.168.1.1
/ip address add address=192.168.98.1/24 disabled=yes interface=*16 network=192.168.98.0
/ip address add address=192.168.99.1/24 interface=wireguard2 network=192.168.99.0
/ip address add address=192.168.1.1/24 interface=BR1 network=192.168.1.0
/ip address add address=192.168.10.1/24 interface=VLAN10_admin network=192.168.10.0
/ip address add address=192.168.20.1/24 interface=VLAN20_maindevices network=192.168.20.0
/ip address add address=192.168.30.1/24 interface=VLAN30_iot network=192.168.30.0
/ip address add address=192.168.40.1/24 interface=VLAN40_smarthome network=192.168.40.0
/ip address add address=192.168.50.1/24 interface=VLAN50_iot network=192.168.50.0
/ip address add address=192.168.90.1/24 interface=VLAN90_pis network=192.168.90.0
/ip address add address=192.168.60.1/24 interface=VLAN60_guest network=192.168.60.0
/ip address add address=192.168.88.10/24 disabled=yes interface=ether4-AP3-HWR-lite network=192.168.88.0
/ip address add address=192.168.100.1/24 disabled=yes interface=*C2 network=192.168.100.0
/ip address add address=192.168.21.1/24 interface=VLAN21_guests network=192.168.21.0
/ip address add address=192.168.11.1/24 interface=VLAN11_server network=192.168.11.0
/ip arp add address=192.168.10.4 interface=VLAN10_admin mac-address=DC:2C:6E:CB:97:C6
/ip cloud set ddns-update-interval=1h
/ip dhcp-client add interface=ether1-WAN-fritte use-peer-dns=no
/ip dhcp-client add disabled=yes interface=ether2-Pi4-3-HA
/ip dhcp-server config set radius-password=same-as-user store-leases-disk=immediately
/ip dhcp-server lease add address=192.168.10.4 comment=ap3,caplite1,ap-hwr lease-time=1h mac-address=DC:2C:6E:CB:97:D6 server=VLAN10_DHCP use-src-mac=yes
/ip dhcp-server network add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dhcp-server network add address=192.168.10.0/24 dhcp-option=NTP-Server dns-server=192.168.1.1 gateway=192.168.10.1
/ip dhcp-server network add address=192.168.11.0/24 dhcp-option=NTP-Server dns-server=192.168.1.1 gateway=192.168.11.1
/ip dhcp-server network add address=192.168.20.0/24 dhcp-option=NTP-Server dns-server=192.168.11.106 domain=button.lan gateway=192.168.20.1
/ip dhcp-server network add address=192.168.21.0/24 comment=guests dhcp-option=NTP-Server dns-server=192.168.11.106 gateway=192.168.21.1
/ip dhcp-server network add address=192.168.30.0/24 comment="blitz - IoT" dhcp-option=NTP-Server dns-server=192.168.1.1 gateway=192.168.30.1  
/ip dhcp-server network add address=192.168.40.0/24 dhcp-option=NTP-Server dns-server=192.168.11.106 gateway=192.168.40.1 ntp-server=192.168.1.1
/ip dhcp-server network add address=192.168.50.0/24 dhcp-option=NTP-Server dns-server=192.168.1.1 gateway=192.168.50.1
/ip dhcp-server network add address=192.168.60.0/24 dhcp-option=NTP-Server dns-server=192.168.1.1 gateway=192.168.60.1
/ip dhcp-server network add address=192.168.90.0/24 dhcp-option=NTP-Server dns-server=192.168.1.1 gateway=192.168.90.1
/ip dns set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip dns static add address=192.168.10.4 comment=localbuttonhome name=ap3
/ip firewall filter add action=jump chain=forward comment="jump to kid-control rules" jump-target=kid-control  
/ip firewall filter add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes  
/ip firewall filter add action=accept chain=input comment=xxxxxx dst-address-type=local src-address-type=local
/ip firewall filter add action=accept chain=forward dst-address=192.168.100.2 dst-port=53 in-interface=VLAN60_guest protocol=udp
/ip firewall filter add action=accept chain=forward in-interface=VLAN60_guest out-interface=ether1-WAN-fritte
/ip firewall filter add action=drop chain=forward in-interface=VLAN60_guest out-interface=!ether1-WAN-fritte
/ip firewall filter add action=accept chain=input comment="accept established,related" connection-state=established,related,untracked  
/ip firewall filter add action=accept chain=forward comment="accept established,related" connection-state=established,related,untracked  
/ip firewall filter add action=accept chain=input comment=wireguard1 dst-port=13231 protocol=udp
/ip firewall filter add action=accept chain=input comment=wireguard2 dst-port=13232 protocol=udp
/ip firewall filter add action=accept chain=forward connection-state=established,related disabled=yes
/ip firewall filter add action=accept chain=input comment="Allow VLAN" disabled=yes in-interface-list=VLANs  
/ip firewall filter add action=accept chain=forward comment=20to90 connection-state=established,related,new disabled=yes in-interface=VLAN20_maindevices out-interface=VLAN90_pis
/ip firewall filter add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new disabled=yes in-interface-list=VLANs out-interface-list=WAN  
/ip firewall filter add action=accept chain=input comment="allow ICMP" disabled=yes in-interface=ether1-WAN-fritte in-interface-list=WAN protocol=icmp  
/ip firewall filter add action=accept chain=input comment="allow Winbox" disabled=yes in-interface=ether1-WAN-fritte in-interface-list=WAN port=8291 protocol=tcp  
/ip firewall filter add action=accept chain=input comment="allow WAN-SSH" disabled=yes in-interface=ether1-WAN-fritte in-interface-list=WAN port=22 protocol=tcp  
/ip firewall filter add action=accept chain=input comment="allow WAN-wireguard" disabled=yes in-interface=ether1-WAN-fritte in-interface-list=WAN port=13231 protocol=udp  
/ip firewall filter add action=accept chain=input comment="allow WAN FTP " disabled=yes in-interface=ether1-WAN-fritte port=21 protocol=tcp  
/ip firewall filter add action=drop chain=input comment="block everything else" in-interface=ether1-WAN-fritte  
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes  
/ip firewall filter add action=drop chain=forward disabled=yes dst-address=192.168.10.0/24 src-address=192.168.20.0/24
/ip firewall filter add action=drop chain=forward connection-state=invalid disabled=yes
/ip firewall nat add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes  
/ip firewall nat add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN  
/ip firewall nat add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.60.0/24  
/ip firewall nat add action=masquerade chain=srcnat src-address=172.17.0.0/24
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www-ssl disabled=no
/ip ssh set host-key-size=4096 strong-crypto=yes
/ip traffic-flow set enabled=yes
/ipv6 nd set [ find default=yes ] disabled=yes
/snmp set contact=JS enabled=yes location=LBD-HWR-Router trap-version=2
/system clock set time-zone-name=Europe/Berlin
/system identity set name=MT5009-1
/system logging add topics=radius
/system logging add topics=manager
/system logging add topics=dhcp
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp server set enabled=yes
/system ntp client servers add address=10.0.0.1
/system routerboard settings
# Firmware upgraded successfully, please reboot for changes to take effect!
set auto-upgrade=yes force-backup-booter=yes
/system scheduler add name=global-scripts on-event="/system/script { run global-config; run global-functions; }" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup  
/system scheduler add interval=1d name=ScriptInstallUpdate on-event=":global ScriptInstallUpdate; \$ScriptInstallUpdate;" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup  
/system scheduler add interval=1m name="\$FlushTelegramQueue" on-event=":global FlushTelegramQueue; \$FlushTelegramQueue;" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup  
/tool mac-server set allowed-interface-list=*2000010
/tool mac-server mac-winbox set allowed-interface-list=*2000010
/tool romon set enabled=yes
/tool romon port add disabled=no interface=ether4-AP3-HWR-lite
/tool romon port add disabled=no interface=ether6-AP4-HWR-ax
/tool romon port add disabled=no interface=ether7-PP8-AP2-EG-XL
/tool romon port add disabled=no interface=ether8-PP18-AP1-OG-XL
/tool romon port add disabled=no interface=sfp1-MT-switch
/tool traffic-monitor add interface=ether1-WAN-fritte name=tmon1
/user group add name=homeassistant policy=local,read,test,api,!telnet,!ssh,!ftp,!reboot,!write,!policy,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api
/user-manager set certificate=Userman-Cert enabled=yes require-message-auth=no
/user-manager router add address=127.0.0.1 name=router1
/user-manager router add address=192.168.10.8 disabled=yes name=AP_Dach
/user-manager router add address=192.168.10.7 disabled=yes name=AP_EG
/user-manager router add address=192.168.10.10 disabled=yes name=switch

/ip address add address=192.168.1.1/24 interface=BR1 network=192.168.1.0

Das ist schonmal schlecht, der Bridge selbst sollte man i.d.R. keine IP verpassen, schon gar nicht diese wenn die Bridge als PVID die 10 hat welche ja schon über das VLAN10 mit dem MGMT gekoppelt ist.
Des weiteren ist der CAP nicht Standard, die Firewall-Regel am CAP ist überflüssig genauso wie das hier

/routing bfd configuration add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5

Wenn die FW Regeln am RB5009 alle deaktiviert sind (bis auf das Masquerade am ether1) dann sollte auch der Ping problemlos durchgehen, sofern der RB5009 das einzige Default GW für den Client im Netz ist. FW kommt immer zum Schluss.
Für ein Ping vom Router aus sollte man immer die Quell-IP angeben von der man aus pingt.

Hi,

was ich noch dazu empfehlen würde:
cAP lite:

# 2024-07-25 16:38:00 by RouterOS 7.14

RB5009:

# 2024-07-29 01:52:10 by RouterOS 7.15.3

beides auf die selbe Version bringen!

Möchte ich auch gern, aber

[admin@AP3_HWR_lite] > /system/package/update/check-for-updates 
            channel: stable
  installed-version: 7.14
             status: ERROR: could not resolve dns name

Zitat von @buttons:

Möchte ich auch gern, aber

[admin@AP3_HWR_lite] > /system/package/update/check-for-updates 
            channel: stable
  installed-version: 7.14
             status: ERROR: could not resolve dns name

Dann hat der entweder kein Internet, DNS Server ist nicht erreichbar oder dein DNS Server blockt die Domain... Also entweder fixen oder die Firmware von Hand unter https://mikrotik.com/download runterladen und per Drag n drop in die Winbox schieben, anschließend rebooten und die RouterBoot FW updaten nicht vergessen.

RTFM
https://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS

Zitat von @13910172396:

/ip address add address=192.168.1.1/24 interface=BR1 network=192.168.1.0

habe ich entfernt.

Des weiteren ist der CAP nicht Standard, die Firewall-Regel am CAP ist überflüssig genauso wie das hier

ist der CAP nicht automatisch Standard, wenn ich den im CAPS-Mode starte?
welche Einstellungen sind nicht Standard, wie komme ich zu den Standard-Einstellungen bzw. in den CAPS-Mode?

/routing bfd configuration add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5

Was macht routing bfd?

[admin@MT5009-1] /routing> /ip/firewall/filter/export                              
# 2024-07-29 15:10:12 by RouterOS 7.15.3
# software id = TLNV-6NZM
#
# model = RB5009UPr+S+
# serial number = XXXXXXXXXXXX
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" disabled=yes jump-target=kid-control  
add action=accept chain=input comment=xxxxxx dst-address-type=local src-address-type=local
add action=accept chain=input comment="accept established,related" connection-state=established,related,untracked disabled=yes  
add action=accept chain=forward comment="accept established,related" connection-state=established,related,untracked  
add action=accept chain=input comment=wireguard1 dst-port=13231 protocol=udp
add action=accept chain=input comment=wireguard2 dst-port=13232 protocol=udp
add action=drop chain=input comment="block everything else" disabled=yes in-interface=ether1-WAN-fritte  

Für ein Ping vom Router aus sollte man immer die Quell-IP angeben von der man aus pingt.

[admin@MT5009-1] /routing> /tool/ping src-address=192.168.10.1 address=192.168.10.4
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                                           
    0 192.168.10.4                                                 timeout                                                                                                                                          
    1 192.168.10.4                                                 timeout                                                                                                                                          
    2 192.168.10.4                                                 timeout                                                                                                                                          
    sent=2 received=0 packet-loss=100% 

Was kann ich machen?
Vielen Dank für die Hilfe.

Zitat von @13910172396:

Zitat von @buttons:

Möchte ich auch gern, aber

[admin@AP3_HWR_lite] > /system/package/update/check-for-updates 
            channel: stable
  installed-version: 7.14
             status: ERROR: could not resolve dns name

das manual und verschiedene Optionen um die Geräte zu upgraden sind mir bekannt.

Ich komme nur per MAC telnet auf den CAP.

Zitat von @buttons:
ist der CAP nicht automatisch Standard, wenn ich den im CAPS-Mode starte?
welche Einstellungen sind nicht Standard, wie komme ich zu den Standard-Einstellungen bzw. in den CAPS-Mode?

Doch aber deine gepostete Config ist eben nicht Standard, da sind Einträge drin die du definitiv selbst gemacht hast und die in deinem Szenario keinen Sinn ergeben!

Was macht routing bfd?

https://help.mikrotik.com/docs/display/ROS/BFD

[admin@MT5009-1] /routing> /ip/firewall/filter/export

Ich sagte alle Regeln deaktivieren, wirklich alle bis auf das NAT an Ether1, Firewall erst wenn alles andere läuft!!

Was kann ich machen?

Prüfe auf dem CAP welche Interfaces eine IP bekommen haben und auch wie die ARP Tabelle dort aussieht (/ip arp).

Und auch die ARP-Tabelle am RB5009 checken an welchem Interface die MAC des CAP auftaucht.

/caps-man manager interface add interface=ether4-AP3-HWR-lite
/caps-man manager interface add interface=ether7-PP8-AP2-EG-XL
/caps-man manager interface add interface=ether8-PP18-AP1-OG-XL

Hier besser nur das MGMT Interface aus dem die CAPs die IP beziehen (VLAN10_admin) angeben

[admin@MT5009-1] > /ip/firewall/filter/print   
Flags: X - disabled, I - invalid; D - dynamic 

[admin@MT5009-1] > /routing/bfd/configuration/print 
Flags: X - disabled, I - inactive 

[admin@AP3_HWR_lite] > /ip/firewall/filter/print           
Flags: X - disabled, I - invalid; D - dynamic 

[admin@AP3_HWR_lite] > /ip/dhcp-client/print 
Columns: INTERFACE, USE-PEER-DNS, ADD-DEFAULT-ROUTE, STATUS, ADDRESS
# INTERFACE    USE-PEER-DNS  ADD-DEFAULT-ROUTE  STATUS  ADDRESS        
;;; defconf
0 bridgeLocal  yes           yes                bound   192.168.10.4/24

[admin@AP3_HWR_lite] > /routing/bfd/configuration/print           
Flags: X - disabled, I - inactive 

[admin@MT5009-1] > /ip/arp/print 
Flags: D - DYNAMIC; C - COMPLETE
Columns: ADDRESS, MAC-ADDRESS, INTERFACE, STATUS
  #    ADDRESS          MAC-ADDRESS        INTERFACE            STATUS    
  0  C 192.168.10.4     DC:2C:6E:CB:97:C6  VLAN10_admin         permanent
...

[admin@AP3_HWR_lite] > /ip/arp/print 
Flags: D - DYNAMIC; C - COMPLETE
Columns: ADDRESS, MAC-ADDRESS, INTERFACE, STATUS
#    ADDRESS         MAC-ADDRESS        INTERFACE    STATUS   
0 DC 10.0.0.2        DC:2C:6E:3E:E5:2C  bridgeLocal  stale    
1 DC 192.168.10.249  BC:24:11:A8:84:36  bridgeLocal  stale    
2 DC 192.168.10.1    DC:2C:6E:3E:E5:2A  bridgeLocal  reachable

[admin@MT5009-1] > /tool/ping src-address=192.168.10.1 address=192.168.10.4
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                                           
    0 192.168.10.4                                                 timeout                                                                                                                                          
    1 192.168.10.4                                                 timeout                                                                                                                                          
    sent=2 received=0 packet-loss=100% 

[admin@AP3_HWR_lite] > /tool/ping src-address=192.168.10.4 address=192.168.10.1
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                            
    0 192.168.10.1                                                 timeout                                                                           
    1 192.168.10.1                                                 timeout                                                                           
    sent=2 received=0 packet-loss=100% 

Sehr ungewöhnlich.

Wie sieht die Routing-Tabelle aus?
Kann der CAP andere IPs pingen (z.B. 1.1.1.1) oder in anderen Netzen?
Sniffer mal am VLAN10_admin Interface des rb5009 wenn du vom CAP pingst und das ganze auch anders rum (/tool sniffer) und schau dir das Resultat mit Wireshark an.
CAP dann erst mal ein RouterOs Firmwareupdate machen (inkl. Bootloader, wichtig!) machen auch nochmal komplett zurücksetzen

/system reset-configuration caps-mode=yes skip-backup=yes keep-users=yes

Ansonsten mal ein Netinstall des CAP um eventuelle Rückstände im OS zu beseitigen.

[admin@MT5009-1] > /caps-man/manager/interface/print 
Flags: * - DEFAULT; X - DISABLED
Columns: INTERFACE, FORBID
#    INTERFACE              FORBID
0 *  all                    yes   
1  X ether4-AP3-HWR-lite    no    
2  X ether7-PP8-AP2-EG-XL   no    
3  X ether8-PP18-AP1-OG-XL  no    
4    VLAN10_admin           no  

die einzelnen Interfaces waren schon deaktiviert. Habe jetzt "all" auch auf forbid gestellt.

Zitat von @13910172396:

Sehr ungewöhnlich.

Wie sieht die Routing-Tabelle aus?

[admin@MT5009-1] > /routing/table/print 
Flags: D - dynamic; X - disabled, I - invalid; U - used 
 0 D   name="main" fib   

* Kann der CAP andere IPs pingen (z.B. 1.1.1.1) oder in anderen Netzen?

Nein

[admin@AP3_HWR_lite] > /tool/ping src-address=192.168.10.4 address=1.1.1.1     
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                            
    0 1.1.1.1                                                      timeout                                                                           
    1 1.1.1.1                                                      timeout                                                                           
    sent=2 received=0 packet-loss=100% 

* Sniffer mal am VLAN10_admin Interface des rb5009 wenn du vom CAP pingst und das ganze auch anders rum (/tool sniffer) und schau dir das Resultat mit Wireshark an.

44 109.831 VLAN10_admin                            192.168.10.4                                                          192.168.10.1                                                          icmp           70   2
45 109.831 VLAN10_admin                            192.168.10.1                                                          192.168.10.4                                                          icmp           70   2

* CAP dann erst mal ein RouterOs Firmwareupdate machen (inkl. Bootloader, wichtig!) machen auch nochmal komplett zurücksetzen

/system reset-configuration caps-mode=yes skip-backup=yes keep-users=yes

Ansonsten mal ein Netinstall des CAP um eventuelle Rückstände im OS zu beseitigen.

Update kann ich dann vermutlich nur mit netinstall machen.

Blödsinn, mal ehrlich lies den Link oben, einen Rechner direkt an den CAP klemmen, per Winbox und MAC Adresse connecten oder sftp und File manuell drauf schieben, reboot feddisch.

/routing/table/print

nee.

/ip route print

[admin@MT5009-1] > /ip route print                                   
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS      GATEWAY             DISTANCE
DAd 0.0.0.0/0        10.0.0.1                   1
DAc 10.0.0.0/24      ether1-WAN-fritte          0
DAc 192.168.10.0/24  VLAN10_admin               0
DAc 192.168.11.0/24  VLAN11_server              0
DAc 192.168.20.0/24  VLAN20_maindevices         0
DAc 192.168.21.0/24  VLAN21_guests              0
DAc 192.168.30.0/24  VLAN30_iot                 0
DAc 192.168.40.0/24  VLAN40_smarthome           0
DAc 192.168.50.0/24  VLAN50_iot                 0
DAc 192.168.60.0/24  VLAN60_guest               0
DAc 192.168.90.0/24  VLAN90_pis                 0
DAc 192.168.99.0/24  wireguard2                 0

[admin@AP3_HWR_lite] > /ip route print
Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, DISTANCE
    DST-ADDRESS      GATEWAY       DISTANCE
DAd 0.0.0.0/0        192.168.10.1         1
DAc 192.168.10.0/24  bridgeLocal          0

Ahh ich seh den Fehler jetzt, du hast dir auf dem RB5009 ein Eigentor geschossen indem du manuell einen ARP Eintrag für den CAP mit der falschen MAC Adresse gesetzt hast, deswegen auch keinerlei Layer-3 Connectivity zum und vom CAP. Man beachte das C an der vorletzten Stelle.

/ip arp add address=192.168.10.4 interface=VLAN10_admin mac-address=DC:2C:6E:CB:97:C6

Lösch den manuellen Eintrag bitte, den ermittelt der RB5009 per ARP eh von selbst.

Dein CAP hat nämlich die DC:2C:6E:CB:97:D6 laut deinem Export, die du selbst gesetzt hast indem du auto-mac auf no gesetzt hast.

/interface bridge add admin-mac=DC:2C:6E:CB:97:D6 auto-mac=no comment=defconf name=bridgeLocal port-cost-mode=short

Wie sagt man so schön, kleiner Fehler große Wirkung 🙂🖖

Kühlen Feierabend, Prost🍻.
Gruß Strods

Das muss ein Versehen gewesen sein. Vielen Dank für die Mühe.
Ich habe noch einen zweiten CAP lite, der bisher noch wieder in Betrieb war.
Dort hab ich jetzt per NetInstall das upgrade gemacht. Der hat wiederum den die D6-MAC.

Auf C6 läuft jetzt auch die 7.15.3 (inkl. BootFW). Kann das Gerät pingen und komm auch per winbox drauf, aber caps-man findet den nicht. Reicht hier für den CAPs Manager wirklich VLAN10_admin als Interface? Muss hier nicht der HW-Port rein?