L2TP e410 with Mikrotik Problems

2019-02-24 20_51_58-Window.png

GOAL

Basically, two SSIDs (v5 and v15) on the e410.

If I connect to v5, I should get a VLAN 5 IP address.

I need guidance from Cambium

or Cambium can reproduce my issue by copying my Mikrotik setup

tq

PROBLEMS:

1. I can't get DHCP when I connect my PC to the v5 or v15 SSID on the e410.
The tunnel shows up on the Mikrotik / Cambium side.


CONFIGS:

http://community.cambiumnetworks.com/bstrc49894/attachments/bstrc49894/cnPilot_E_Series/39/1/L2TPv2%20Tunnel%20Configuration.pdf
Cambium L2TP documentation using BCP
 
CAMBIUM
management user admin password $crypt$1$AVMSLfGfB7AT6ZjEJUi6IsdkuWApwB2R
no management http
management cambium-remote
management cambium-remote url https://192.168.88.231
management cambium-remote validate-server-cert
management https
management http port 80
no management telnet
management ssh
management https port 443
led
lldp
no poe-out
country-code CN
wpa2-handshake-retry 4 4
wpa2-handshake-timeout 100 500 1000
wpa2-handshake-log-level 4
placement indoor
!
wireless radio 1
no shutdown
channel auto
channel-width 20
channel-list all-channels
data-rate unicast 1b 2b 5.5b 11b 12 18 24 36 48 54
data-rate non-unicast highest-basic
power auto
mode gn
no airtime-fairness
auto-channel-select on-startup
antenna-gain 5
beacon-interval 100
dynamic-channel-selection
dynamic-channel-selection threshold 100
dynamic-channel-selection samples 20
off-channel-scan dwell-time 50
auto-rf chan-hold-time 120
auto-rf packet-error-rate-threshold 30
auto-rf channel-utilization-threshold 25
mesh-xtnded-dev-list
wmm-parameters downstream txoplimit vi 3008
wmm-parameters downstream txoplimit vo 1504
wmm-parameters upstream txoplimit vi 3008
wmm-parameters upstream txoplimit vo 1504
!
wireless radio 2
shutdown
channel auto
channel-width 80
channel-list all-channels
data-rate unicast 6b 9 12b 18 24b 36 48 54
data-rate non-unicast highest-basic
power auto
no airtime-fairness
auto-channel-select on-startup
antenna-gain 5
beacon-interval 100
dynamic-channel-selection
dynamic-channel-selection threshold 100
dynamic-channel-selection samples 20
off-channel-scan dwell-time 50
auto-rf chan-hold-time 120
auto-rf packet-error-rate-threshold 30
auto-rf channel-utilization-threshold 25
mesh-xtnded-dev-list
wmm-parameters downstream txoplimit vi 3008
wmm-parameters downstream txoplimit vo 1504
wmm-parameters upstream txoplimit vi 3008
wmm-parameters upstream txoplimit vo 1504
!
wireless wlan 1
ssid v5
no shutdown
vlan 5
security wpa2-psk
no protected-mgmt-frames
passphrase $crypt$1$8gTOHx5MAAbUnAJJwRefP868Ec9c+Zt6
band 2.4GHz
dtim-interval 1
max-associated-client 127
client-cache cnMaestro
tunnel-mode
mac-authentication policy deny
passpoint interworking access-network-type private
no guest-access
dhcp-option82
dhcp-option82 circuit-id vlanid
dhcp-option82 remote-id vlanid
!
wireless wlan 2
ssid v15
no shutdown
vlan 15
security wpa2-psk
no protected-mgmt-frames
passphrase $crypt$1$iXEbXsvsHfPr/UQt7PrPzffMcljmLcrX
band 2.4GHz
dtim-interval 1
max-associated-client 127
client-cache cnMaestro
tunnel-mode
mac-authentication policy deny
passpoint interworking access-network-type private
no guest-access
dhcp-option82
dhcp-option82 circuit-id vlanid
dhcp-option82 remote-id vlanid
!
rogue-ap detection
!
!
interface eth 1
switchport mode access
switchport access vlan 1
!
interface vlan 1
ip nat inside
ip dhcp request-option-all
ip address zeroconf
management-access all
ip address 192.168.88.228 255.255.255.0
!
interface vlan 5
ip nat inside
management-access all
ip address 10.0.5.228 255.255.255.0
!
interface vlan 15
ip nat inside
management-access all
ip address 10.0.15.228 255.255.255.0
!
ntp server pool.ntp.org
tunnel encapsulation l2tp
!
tunnel l2tp
remote-host 192.168.88.11
pmtudisc
tcp-mss 1400
auth admin $crypt$1$x9VEbiKcHlFefdNxLZXBMcwAcs5FXBas
!
tunnel l2gre
remote-host 192.168.88.11
dscp 0
mtu 1500
tcp-mss 1410
!
ip route default 192.168.88.1
ip name-server 8.8.8.8
ip name-server 9.9.9.9
ip domain-name ngtrain.com
dhcp-option82 circuit-id vlanid
dhcp-option82 remote-id vlanid
dhcp-option82 vlan 1
!
timezone Asia/Jakarta
hostname E410-97ACF5
snmp-server
ip gw-source-precedence static 1
ip gw-source-precedence dhcpc 2
ip gw-source-precedence pppoe 3
logging syslog 7
 
 
MIKROTIK
RB951
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface l2tp-server
add name=L2TP-in1 user=admin
/interface gre
add disabled=yes dscp=0 !keepalive local-address=192.168.88.11 mtu=1500 name=\
gre-tunnel1 remote-address=192.168.88.228
/interface vlan
add interface=bridge1 name=v5 vlan-id=5
add interface=bridge1 name=v15 vlan-id=15
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=poolv5 ranges=10.0.5.101-10.0.5.200
add name=poolv15 ranges=10.0.15.101-10.0.15.200
/ip dhcp-server
add address-pool=poolv5 disabled=no interface=v5 name=dhcp-v5
add address-pool=poolv15 disabled=no interface=v15 name=dhcp-v15
/ppp profile
add bridge=bridge1 name=pppBridging
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=5
add bridge=bridge1 interface=ether3 pvid=15
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=5
add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=15
/interface l2tp-server server
set default-profile=pppBridging enabled=yes max-mru=1500 max-mtu=1500
/ip address
add address=192.168.88.11/24 interface=ether1 network=192.168.88.0
add address=10.0.15.1/24 interface=v15 network=10.0.15.0
add address=10.0.5.1/24 interface=v5 network=10.0.5.0
/ip dhcp-server network
add address=10.0.5.0/24 gateway=10.0.5.1
add address=10.0.15.0/24 gateway=10.0.15.1
/ip dns
set servers=1.1.1.1,9.9.9.9
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=1 gateway=192.168.88.1
/ppp secret
add name=admin password=admin
 
 
PC1
/ip address
add address=10.0.5.11/24 interface=ether2 network=10.0.5.0
/ip route
add distance=1 gateway=10.0.5.1
 
 
PC2
/ip address
add address=10.0.15.11/24 interface=ether3 network=10.0.15.0
/ip route
add distance=1 gateway=10.0.15.1

Hi nbctcp,

Please send me a private message at shashank.tadakamadla@cambiumnetworks.com.

UPDATE1.

With help from CAM_TSK, DHCP on the Cambium side is now working:

1. I had to disable VLAN filtering on the Mikrotik side in order to make DHCP work on the Cambium side.

2. I deleted the vlan 5 and vlan 15 interfaces on the Cambium side.

The next step is to ask the Mikrotik forum how to enable VLAN filtering while still allowing L2TP traffic.

I need VLAN filtering in order to make a port an access port; otherwise the PVID has no effect on that port.

UPDATE2:

1. For L2TP and access ports on the Mikrotik to work together,
I need to create two bridges with different VLANs: one bridge for L2TP without vlan-filtering, and one bridge for the access ports with vlan-filtering.


L2TP WORKING EXAMPLE

CAMBIUM
management ssh
management user admin password $crypt$1$RZT7S2DYrKCrASFzvIZhAIRd0tUI4XXn
management https
management cambium-remote url https://192.168.88.231
management cambium-remote
management cambium-remote validate-server-cert
management http port 80
no management http
no management telnet
management https port 443
led
lldp
no poe-out
country-code CN
wpa2-handshake-retry 4 4
wpa2-handshake-timeout 100 500 1000
wpa2-handshake-log-level 4
placement indoor
!
wireless radio 1
no shutdown
channel auto
channel-width 20
channel-list all-channels
data-rate unicast 1b 2b 5.5b 11b 12 18 24 36 48 54
data-rate non-unicast highest-basic
power auto
mode gn
no airtime-fairness
auto-channel-select on-startup
antenna-gain 5
beacon-interval 100
dynamic-channel-selection
dynamic-channel-selection threshold 100
dynamic-channel-selection samples 20
off-channel-scan dwell-time 50
auto-rf chan-hold-time 120
auto-rf packet-error-rate-threshold 30
auto-rf channel-utilization-threshold 25
mesh-xtnded-dev-list
wmm-parameters downstream txoplimit vi 3008
wmm-parameters downstream txoplimit vo 1504
wmm-parameters upstream txoplimit vi 3008
wmm-parameters upstream txoplimit vo 1504
!
wireless radio 2
shutdown
channel auto
channel-width 80
channel-list all-channels
data-rate unicast 6b 9 12b 18 24b 36 48 54
data-rate non-unicast highest-basic
power auto
no airtime-fairness
auto-channel-select on-startup
antenna-gain 5
beacon-interval 100
dynamic-channel-selection
dynamic-channel-selection threshold 100
dynamic-channel-selection samples 20
off-channel-scan dwell-time 50
auto-rf chan-hold-time 120
auto-rf packet-error-rate-threshold 30
auto-rf channel-utilization-threshold 25
mesh-xtnded-dev-list
wmm-parameters downstream txoplimit vi 3008
wmm-parameters downstream txoplimit vo 1504
wmm-parameters upstream txoplimit vi 3008
wmm-parameters upstream txoplimit vo 1504
!
wireless wlan 1
ssid v5
no shutdown
vlan 5
security wpa2-psk
no protected-mgmt-frames
passphrase $crypt$1$aYSnZZxjhxJ9at0/Pc+UO851iVBnXaxg
band 2.4GHz
dtim-interval 1
max-associated-client 127
tunnel-mode
mac-authentication policy deny
passpoint interworking access-network-type private
no guest-access
dhcp-option82
dhcp-option82 circuit-id vlanid
dhcp-option82 remote-id vlanid
!
wireless wlan 2
ssid v15
no shutdown
vlan 15
security wpa2-psk
no protected-mgmt-frames
passphrase $crypt$1$TkQ2oVbBglsmv/PzZD0WpEWnaGBNp5ku
band 2.4GHz
dtim-interval 1
max-associated-client 127
client-cache cnMaestro
tunnel-mode
mac-authentication policy deny
passpoint interworking access-network-type private
no guest-access
dhcp-option82
dhcp-option82 circuit-id vlanid
dhcp-option82 remote-id vlanid
!
rogue-ap detection
!
!
interface eth 1
switchport mode access
switchport access vlan 1
!
interface vlan 1
ip address zeroconf
ip dhcp request-option-all
management-access all
ip address 192.168.88.228 255.255.255.0
!
ntp server pool.ntp.org
tunnel encapsulation l2tp
!
tunnel l2tp
remote-host 192.168.88.11
pmtudisc
tcp-mss 1400
auth admin $crypt$1$gDEclE6BRyUk0/znfbkwdFhsvQ7fg3yk
!
tunnel l2gre
remote-host 192.168.88.11
dscp 0
mtu 1500
tcp-mss 1410
!
ip domain-name ngtrain.com
ip name-server 8.8.8.8
ip name-server 9.9.9.9
ip route default 192.168.88.1
dhcp-option82 circuit-id vlanid
dhcp-option82 remote-id vlanid
dhcp-option82 vlan 1
!
timezone Asia/Jakarta
hostname E410-97ACF5
snmp-server
ip gw-source-precedence static 1
ip gw-source-precedence dhcpc 2
ip gw-source-precedence pppoe 3
logging syslog 7
 
 
 
MIKROTIK
NOTE:
  1. L2TP for Cambium won't work with bridge vlan-filtering.
    So if you want a PC in your LAN to work on an access port (for example an untagged PC connected to an access port in VLAN 10), you need to create a separate bridge with vlan-filtering, its own VLANs, DHCP, etc.
  2. The example below uses `/ppp secret ... password=admin` and a PPP profile with `use-encryption=no` for testing; both should be replaced with a strong secret and encryption enabled before this is used outside the lab.
 
RB951
/interface bridge
add mtu=1500 name=bridge1
/interface l2tp-server
add name=l2tp-in1 user=admin
/interface vlan
add interface=bridge1 name=v5 vlan-id=5
add interface=bridge1 name=v15 vlan-id=15
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=poolv5 ranges=10.0.5.101-10.0.5.200
add name=poolv15 ranges=10.0.15.101-10.0.15.200
/ip dhcp-server
add address-pool=poolv5 disabled=no interface=v5 name=dhcp-v5
add address-pool=poolv15 disabled=no interface=v15 name=dhcp-v15
/ppp profile
add bridge=bridge1 name=pppBridging use-encryption=no
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=5
add bridge=bridge1 interface=ether3 pvid=15
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=5
add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=15
/interface l2tp-server server
set default-profile=pppBridging enabled=yes mrru=1560
/ip address
add address=192.168.88.11/24 interface=ether1 network=192.168.88.0
add address=10.0.15.1/24 interface=v15 network=10.0.15.0
add address=10.0.5.1/24 interface=v5 network=10.0.5.0
/ip dhcp-server network
add address=10.0.5.0/24 gateway=10.0.5.1
add address=10.0.15.0/24 gateway=10.0.15.1
/ip dns
set servers=1.1.1.1,9.9.9.9
/ip firewall nat
add action=masquerade chain=srcnat
/ip route
add distance=1 gateway=192.168.88.1
/ppp secret
add name=admin password=admin profile=pppBridging
 
 
PC1
/ip address
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether2
 
 
PC2
/ip address
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether3

tq

hello 

2 mikrotik 

2 gateway 

2 ssid 

Does it work or not?

Please draw your goal.

In this setup, L2TP is needed only if the AP connects through the WAN port.

If the connection is through the LAN port, then there is no need for L2TP.

Both AP connections, through WAN or LAN, are possible.

Then you can use either

1. 1 SSID per VLAN (that means if you have 5 VLANs, you need 5 SSIDs; simpler but not ideal)

2. or 1 SSID with dynamic VLAN (complex but the best option; you need MS NPS or FreeRADIUS)


Does Cambium cnMaestro cloud work or not?