Shoe
just joined
Topic Author
Posts: 18
Joined: Fri Dec 09, 2011 10:37 am

WireGuard kills local CAPsMAN

Wed Aug 16, 2023 10:40 am

Hi,

I was setting up my three routers (all RB4011iGS+5HacQ2HnD) with ROS7 from scratch. I started with the IP settings (IP address and DHCP server) and then configured CAPsMAN, which worked as expected for my access points (all set up in CAP mode) and the local wifi of the router. After that I set up WireGuard by following the RoadWarrior WireGuard tunnel documentation.

On the first two devices I only discovered at the end that CAPsMAN wasn't working anymore for the router (local access through 127.0.0.1), and I wasn't able to fix it, which forced me to set up wifi manually on the router. On the third device I checked a bit more closely and discovered that the local CAPsMAN connection starts failing right after adding the WireGuard interface and before any firewall or interface list changes.

I started with 7.10.2 and hoped that 7.11 might fix the issue, but I tested it this morning and the issue remains.

Here's the configuration of the third router I set up yesterday:
wireguard_capsman_issue.txt
Is this a known issue (I couldn't find anything using search)? Is there anything additional I can check/log to pin down the issue? Or is it just some misconfiguration on my end?
 
anav
Forum Guru
Posts: 22223
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard kills local CAPsMAN

Wed Aug 16, 2023 6:12 pm

You should be using 7.11 stable. I don't use CAPsMAN, as the additional overhead to configure it is simply not worth it.

This is strange and possibly one source of issues:
/ip dns static
add address=192.168.99.1 comment=defconf name=router.lan

Get rid of it, and I recommend at least putting some servers in the DNS config if you are not using the ISP's DNS:
/ip dns
set allow-remote-requests=yes servers=1.1.1.1


Disable IPv6 if not required.
 
Shoe
just joined
Topic Author
Posts: 18
Joined: Fri Dec 09, 2011 10:37 am

Re: WireGuard kills local CAPsMAN

Wed Aug 16, 2023 10:39 pm

Thanks a lot for taking the time to answer, it's very appreciated!
You should be using 7.11 stable.
I am, I just exported the config before I updated. Unfortunately 7.11 doesn't change anything for me on that issue.
I dont use capsman as the additional overhead to configure is simply not worth it.
To me it's very helpful as I don't have to configure 3 access points but only once at a central place.
This is strange and possibly one source of issues........
/ip dns static
add address=192.168.99.1 comment=defconf name=router.lan

Get rid of it........ and recommend at least put some servers on dns config if not using the ISPs dns.

/ip dns
set allow-remote-requests=yes servers=1.1.1.1
Yes, I messed up when I adjusted the configuration before attaching it here. I'm using 192.168.8.0 for the local network and 192.168.88.0 for the WireGuard peers, so I manually changed them to 192.168.9.0 and 192.168.99.0 so as not to confuse you with the default 192.168.88.0. The setting you mention is actually 192.168.9.1, but I'm using the ISP's DNS.
Disable IPV6 if not required.
I just disabled it, but the local CAP still doesn't connect.
 
sas2k
Member Candidate
Posts: 102
Joined: Tue Jan 18, 2022 8:17 am

Re: WireGuard kills local CAPsMAN

Wed Aug 16, 2023 11:59 pm

I think your config is missing the following:
/interface wireless cap set caps-man-addresses=127.0.0.1

Your config already contains:
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

I would propose one more rule for the output chain:
/ip firewall filter add chain=output action=accept protocol=udp src-address=127.0.0.1 dst-address=127.0.0.1 port=5246,5247
/ip firewall filter add chain=input action=accept protocol=udp src-address=127.0.0.1 dst-address=127.0.0.1 port=5246,5247

These settings are only for the 4011 with a local CAP.
Leave all remote CAPs as they are.

I just compared your config with my hAP ac3 running CAPsMAN + local CAP:

Your config:
/interface wireless cap
set bridge=bridge discovery-interfaces=bridge interfaces=wlan1,wlan2

My config:
/interface wireless cap
#
set bridge=bridge1 caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1

PS: my config runs as a WireGuard client with no problems.

PS2: you may disable these for the 4011 + local CAP:
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2

wlan1 and wlan2 will be added dynamically once you enable CAP mode, since you specify the bridge:
/interface wireless cap
set bridge=bridge discovery-interfaces=bridge interfaces=wlan1,wlan2
Try it (7.10-7.11 works with no changes).
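The fix sas2k describes, put together as one RouterOS 7 fragment for a router that runs both CAPsMAN and a local CAP. This is an added example, not the configuration posted in the thread or MikroTik's own documentation: the interface names (bridge, wlan1, wlan2, wireguard1), the WireGuard listen port and the rule comments are assumed placeholders, and it assumes the legacy wireless/CAPsMAN package used on the RB4011, not the newer wifi package.

```routeros
# Assumed names throughout: bridge, wlan1, wlan2, wireguard1 (placeholders).

# --- Weak setting: the local CAP relies only on discovery over the bridge.
#     The thread reports this stops finding the local CAPsMAN once a
#     WireGuard interface exists on the same router.
/interface wireless cap
set bridge=bridge discovery-interfaces=bridge interfaces=wlan1,wlan2 enabled=yes

# --- Corrected: point the local CAP at CAPsMAN over loopback explicitly,
#     so it no longer depends on discovery at all.
/interface wireless cap
set bridge=bridge caps-man-addresses=127.0.0.1 interfaces=wlan1,wlan2 enabled=yes

# WireGuard interface as in the RoadWarrior setup (listen port is an assumption).
/interface wireguard
add name=wireguard1 listen-port=13231

# Firewall: CAPWAP control (UDP 5246) and data (UDP 5247) between the local CAP
# and CAPsMAN both travel over loopback, so allow them in input AND output.
# Keep the rules narrow: loopback on both ends, UDP only, those two ports only.
# The default config already carries a broader "accept to local loopback"
# input rule; these explicit rules are sufficient on their own.
/ip firewall filter
add chain=input action=accept protocol=udp src-address=127.0.0.1 \
    dst-address=127.0.0.1 port=5246,5247 comment="local CAP -> CAPsMAN (CAPWAP)"
add chain=output action=accept protocol=udp src-address=127.0.0.1 \
    dst-address=127.0.0.1 port=5246,5247 comment="CAPsMAN -> local CAP (CAPWAP)"
# Make sure both rules sit above any drop rule in their chain
# (/ip firewall filter move <rule-number> <destination-number> if needed).

# Checks after applying: the local CAP should show its CAPsMAN address,
# the two wlan interfaces should appear in the registration table, and the
# log should show the CAP joining rather than retrying discovery.
/interface wireless cap print
/caps-man registration-table print
/log print where topics~"caps"
```

The output rule matters only on the router that hosts both roles; remote CAPs reach CAPsMAN through the input chain on the LAN interface and need no change, as sas2k notes above.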
 
anav
Forum Guru
Posts: 22223
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WireGuard kills local CAPsMAN

Thu Aug 17, 2023 12:30 am

Like I said, CAPsMAN doubles the size of a clean, efficient config, with far more chances of errors.
I avoid it like the plague! :-)
 
Shoe
just joined
Topic Author
Posts: 18
Joined: Fri Dec 09, 2011 10:37 am

Re: WireGuard kills local CAPsMAN

Fri Aug 18, 2023 3:26 pm

I think your config missing following:
/interface wireless cap set caps-man-addresses=127.0.0.1
Awesome, you're my hero! This was the missing piece. You made my day, thanks a lot!

It's interesting that the local CAPsMAN can be discovered without that setting if no WireGuard is present, but the setting is needed with WireGuard active. Is this something we need to inform MikroTik about?
 
sas2k
Member Candidate
Posts: 102
Joined: Tue Jan 18, 2022 8:17 am

Re: WireGuard kills local CAPsMAN

Sat Aug 19, 2023 11:41 pm


It's interesting that the local CAPsMAN can be discovered without that setting if no WireGuard is present but is needed with WireGuard active. Is this something we need to inform Mikrotik about?
There is no old-school CAPsMAN starting with the hAP ax2, ax3...
Get ready for new pain :)