Hi everyone,

Anyone would know why on earth my CAPsMAN router is able to properly manage the wifi on my AP, but can't manage its own wlan interfaces? Please check attached screenshot below, you should be able to see the local wlan interfaces are not enabled.
Please, what am I doing wrong, this is driving me nuts.

Thanks,

Pedro.

PS: without wanting to be rude, this is the same issue as reported on viewtopic.php?f=7&t=127463, but I think I overcomplicated that post. Please assume this current post you're reading as cannon.

Check discovery interface on CAP settings. Should be LAN interface.

I did try already all possible combinations for "Discovery Interface" although I had it set at "Bridge" before. Still no good... Btw, I don't have any option for "LAN" on the "Discovery Interfaces". Any other things I should check? I currently have the CAP options for wireless as:

I've just happened to stumble upon the problem and managed to fix it a few hours ago. I'm sure this would've been dead easy for any hardcore routerOS person on here...

Go to IP > Firewall and disable the default rule commented as "drop all not coming from LAN". That should immediately add the local wlan interface(s) to CAPsMAN. Not sure why this comes like this by default, as obviously it prevents you from CAP-ing the local wifi interfaces on that same CAPsMAN device.

This needs to be disabled because obviously traffic from the local wlan interfaces is not coming from the LAN interface...

Allow traffic from&to 127.0.0.1 to enable CAPsMAN instead of allowing traffic from anywhere (even WAN).

viewtopic.php?t=109377#p553944

as said above...

For future reference, for anyone having the same problem, if you want to CAP the wireless of the CAPsMAN device itself and for some reason you can't, this is what you need to do (after you set up CAP Manager and CAP on your wireless):

1. In Wireless > CAP > CAPsMAN Addresses: make sure you have 127.0.0.1
2. IP > Firewall > Add: create a new rule for the input "chain", set the src address as "127.0.0.1", protocol "UDP", dst ports "5246,5247", action "accept"
3. Make sure the above firewall rule comes right before the default rule whose comment is "drop all not coming from LAN"
4. PROFIT

Not sure why this isn't bang on on some beginners guide documentation, or CAPsMAN common mistakes, or whatever. But it is true that documentation is not MikroTik's forte. ¯\_(ツ)_/¯ Really wish that would change.

Peace out.

Thank you. I had the same problem.
(Y)

Sorry guys, pretty much complete newb with routing but got everything else working EXCEPT self-registration.

Other/external cAP showing up in CAPsMAN, check.
Firewall rule for 127.0.0.1 UDP, check.
Enable CAP in Wireless on the CAPsMAN router, with or without the CAPsMAN address, and with every possible option for Discovery Interface (including none), and it just goes to "being managed" but never shows up in registrations.

Any other ideas?

Sorry guys, pretty much complete newb with routing but got everything else working EXCEPT self-registration.

Other/external cAP showing up in CAPsMAN, check.
Firewall rule for 127.0.0.1 UDP, check.
Enable CAP in Wireless on the CAPsMAN router, with or without the CAPsMAN address, and with every possible option for Discovery Interface (including none), and it just goes to "being managed" but never shows up in registrations.

Any other ideas?

Same boat here. One hAP AC2, one cAP AC, and both running 6.42.6 RouteOS.

I can see the CAP in the "remote CAP" tab in CAPsMAN, and it is broadcasting the right SSID, connects and works fine. However, the local wireless interfaces are showing up as "managed by CAPsMAN", but both are disabled and slave, but they are nowhere to be seen or configured.

Any pointer? If if helps, i can dump my config (do let me know the command to use, i am a n00b).

Finally have this figured out, but this may or may not be a happy solution.

If one follows the guide to for a simple CAPsMan setup,
https://wiki.mikrotik.com/wiki/Manual:S ... sMAN_setup
one would have, at the end, forbid CAP manager from listening to the "all" interface This appears to be the crux of the problem for me.

So, in conclusion:

• Setup the LAN accept rule as stated above
  Code: Select all

  add action=accept chain=input comment="CAPsMAN accept all local traffic" src-address-type=local

  , and put it before the "drop all not coming from LAN" rule
• Don't disable the CAPsMAN manager interface.
• No need to add the bridge rule

Given the setup, however, I am not entirely sure what would happen if there's a CAP connected to eth1 (my WAN port). Given mine is a private property setup with only internet upstream, it's probably not any concern of mine if an upstream CAP gets connected to mine, but still, not necessarily the best especially setting this up in a multi-tier environment. But then again, if you are setting all that tiers up, you can probably afford to not use the local wireless.

Thanks a lot, it works!

I was having this same problem, and the solutions here were half of the problem. I've been running capsmanager for quite awhile, but deployed new routers yesterday for a customer, and copying my existing configs didn't work. My remote APs worked, but the onboard wifi just sat there doing nothing. After turning on "caps" in system->logging I found that the problem was due to the lack of using certificates. The solution was easy:

In CAPsMAN->CAP Interface, "Manager" button, be sure Certificate and CA Certificate are both set to "auto". Or by CLI:

/caps-man manager set ca-certificate=auto certificate=auto enabled=yes

Then, in Wireless->WiFi Interfaces, "CAP" button, be sure it's enabled, has your wlan interface(s) selected, and certificate set to "request" with the CAPsMAN Address set to 127.0.0.1, and bridge to the name of your LAN interface. Stock this is called "bridge" I think. I always rename mine to "lan" - so change your config accordingly. CLI version:

/interface wireless cap set bridge=lan caps-man-addresses=127.0.0.1 certificate=request enabled=yes interfaces=wlan1,wlan2

(Note this is a dual band AP, if you only have one, then drop it to just wlan1 or the name of your wireless interface)

I was having this same problem, [...] I found that the problem was due to the lack of using certificates.

I had same issue and my conclusion is:

1) once you set cap to use certificate, even do you set it back to no certificate, it still ask certificate and result in error.
summary: once set to use certificate you are sold.

2) local cap cannot connect through Layer 2, no matter what config you do, Layer 2 will not work with local cap.

3) you cannot forbid all interfaces on CAPsMan if you need local cap to connect to it (even on Layer 3). This is a bug and Mikrotik should address it. One would be able to specify local interface as allowed and WAN interfaces as forbidden, this is a security issue.

The workarounds on this thread make it works.

I have hundreds of CapMans managing they own wireless interfaces.

1st. and very important - never use any default configuration on router - start with absolute empty configuration.
2. Make CapsMan config
3. Exclude wlan interfaces from any bridge
4. Activate Caps on wireless - just set "discovery interface' local bridge on witch CapMan running.

I have hundreds of CapMans managing they own wireless interfaces.

On layer2 or layer3? I do have it working, but could not make it work on layer 2.

1st. and very important - never use any default configuration on router - start with absolute empty configuration.
2. Make CapsMan config
3. Exclude wlan interfaces from any bridge
4. Activate Caps on wireless - just set "discovery interface' local bridge on witch CapMan running.

Exactly the recipe I follow but:

1) I can´t remove "all" rule on capsman interfaces and if set it to forbid, local cap can´t connect. That is a bug, one should be able to specify only one interface if necessary.
I cannot agree that allow capsman on all interfaces is wise thing, and as far as I can tell this has to do with layer 2 connection because I can drop layer 3 with firewall rules.

2) Local cap only do layer 3 and not layer 2 (not a big deal but with no explanation to why this happens I still think there is something wrong)

Anyway, with all set to allow, local cap is able to connect (layer 3) and work perfectly.

Hi everyone,
Sorry for asking naive questions.

I have setup capsman on Hap AC2 and hap mini works fine in caps mode, but
Hap AC2 wlan1 does not get detected.

I have added 127.0.0.1 firewall rules, I have tried what has been recommended in the forums, but still wlan1 does not get detected.
How can this be fixed?
Thanks.


# mar/30/2019 09:21:05 by RouterOS 6.44.1
# software id = Z41C-3617
#
# model = RBD52G-5HacD2HnD
# serial number = 8FDE094620DC
/caps-man channel add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=channel_2.4G_1 tx-p
ower=20
/caps-man channel add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=channel_2.4G_6 tx-p
ower=20
/interface bridge add admin-mac=B8:69:F4:30:20:7B auto-mac=no comment=defconf name=bridge
/interface bridge add name=bridge-CAPsMAN
/interface ethernet set [ find default-name=ether1 ] mac-address=00:30:4F:6B:62:61 speed=100Mbps
/interface ethernet set [ find default-name=ether2 ] speed=100Mbps
/interface ethernet set [ find default-name=ether3 ] speed=100Mbps
/interface ethernet set [ find default-name=ether4 ] speed=100Mbps
/interface ethernet set [ find default-name=ether5 ] speed=100Mbps
/caps-man datapath add bridge=bridge-CAPsMAN client-to-client-forwarding=yes local-forwarding=yes name=datapath1
/caps-man configuration add channel=channel_2.4G_1 country=armenia datapath=datapath1 hide-ssid=no mode=ap name=cfg_micro1 rx-chains
=0,1,2 security=securityCap ssid=MikroPJ tx-chains=0,1,2
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=armenia distance=indoors frequency=auto mode=ap-br
idge security-profile=my_version ssid=MikroJames1990F wireless-protocol=802.11 wps-mode=disabled
/ip hotspot profile set [ find default=yes ] html-directory=flash/hotspot
/ip pool add name=dhcp ranges=192.168.88.3-192.168.88.254
/ip dhcp-server add address-pool=dhcp disabled=no interface=bridge name=defconf
/caps-man manager set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface add interface=bridge
/caps-man manager interface add forbid=yes interface=ether1
/caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=b,gn master-configuration=cfg_micro1 name-prefix=Mikroti
k-Dual
/caps-man provisioning add action=create-dynamic-enabled disabled=yes ip-address-ranges=127.0.0.1 master-configuration=cfg_micro1
/interface bridge port add bridge=bridge comment=defconf interface=ether2
/interface bridge port add bridge=bridge comment=defconf interface=ether3
/interface bridge port add bridge=bridge comment=defconf interface=ether4
/interface bridge port add bridge=bridge comment=defconf interface=ether5
/interface bridge port add bridge=bridge comment=defconf interface=wlan1
/interface bridge port add bridge=bridge comment=defconf interface=wlan2
/interface bridge port add bridge=bridge disabled=yes interface=ether1
/ip neighbor discovery-settings set discover-interface-list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add interface=ether2 list=LAN
/interface list member add interface=ether3 list=LAN
/interface list member add interface=ether4 list=LAN
/interface list member add interface=ether5 list=LAN
/interface list member add interface=wlan2 list=LAN
/interface list member add interface=wlan1 list=LAN
/interface list member add interface=bridge list=LAN
/interface wireless cap
#
set caps-man-addresses=127.0.0.1 caps-man-names="" discovery-interfaces=bridge-CAPsMAN enabled=yes interfaces=wlan1
/ip address add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip address add address=192.168.115.43/27 interface=ether1 network=192.168.115.32
/ip address add address=192.168.88.1/24 interface=bridge network=192.168.88.0
/ip dhcp-client add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server lease add address=dhcp mac-address=34:14:5F:DE:B0:2C server=defconf
/ip dhcp-server network add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns static add address=192.168.88.1 name=router.lan
/ip firewall filter add action=accept chain=output dst-address=127.0.0.1 log=yes port=5246,5247 protocol=udp src-address=127.0.0.1
/ip firewall filter add action=accept chain=input comment="CAPs to CAPsMAN" dst-port=5246,5247 log=yes protocol=udp src-address=127.
0.0.1
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=establish
ed,related,untracked disabled=yes
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
disabled=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=establ
ished,related,untracked disabled=yes
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat co
nnection-state=new disabled=yes in-interface-list=WAN
/ip firewall filter add action=accept chain=input comment="CAPsMAN accept all local traffic" disabled=yes src-address-type=local
/ip firewall filter add action=accept chain=input disabled=yes src-address=127.0.0.1
/ip firewall filter add action=accept chain=input comment=CAPsMAN disabled=yes in-interface-list=!all port=5246,5247 protocol=udp
/ip firewall filter add action=accept chain=input disabled=yes dst-address-type=local src-address-type=local
/ip firewall filter add action=accept chain=output disabled=yes dst-address=127.0.0.1 port=5246,5247 protocol=udp src-address=127.0.
0.1
/ip firewall filter add action=accept chain=input disabled=yes dst-address=127.0.0.1 port=5246,5247 protocol=udp src-address=127.0.0
.1
/ip firewall filter add action=accept chain=input disabled=yes in-interface=bridge
/ip firewall filter add action=accept chain=input connection-state=new disabled=yes dst-address-type=local src-address-type=local
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route add distance=1 gateway=192.168.115.33
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set ssh port=2200
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ip ssh set allow-none-crypto=yes strong-crypto=yes
/system clock set time-zone-name=Asia/Yerevan
/system identity set name=MikroJTik
/system routerboard settings set cpu-frequency=488MHz
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no

I had the same problem. I solved the problem by deleting the original firewall. After that I installed another firewall. That was it. I think it's because of a drop rule.

Hello,

i have similar problems, however i have narrowed it down to a single client causing this (an iPhone).

Everything works fine, but when this client connects it causes this loop, and capsman goes down.

same problem with client to client on or off.

Any ideas?

One of those days i guess..

Cable replacement solved all issues.

Hi All!

I also had the local CAP disabled issue which I managed to solve with zour help (setting capsman to 127.0.0.1 and adding the firewall rule to allow the UDP ports).
I have one question remaining:
Does the drop rule's condition have to be !LAN? Couldn't it be WAN?
I think the difference would only be allowing packets coming from localhost which would fix the issue without an additional rule...

Hey All,

Just to add my experience. I was confounded. Followed all these tips, still no joy. In the end what got it working for me was:

/caps-man manager interface add disabled=no forbid=yes interface=ether10 (my wan interface)
/interface wireless cap set bridge=bridge discovery-interfaces=bridge enabled=yes interfaces=wlan1
/ip firewall filter
add action=accept chain=input comment="CAPsMAN accept all local traffic" dst-address-type=local log-prefix=CAPsMAN src-address-type=local
add action=drop chain=input comment="Drop all else" in-interface=!bridge

Having the the two firewall filters was important. For some reason the cap on the router would not come up unless I had an explicit except rule for the bridge on the deny all else filter.

Bloody frustrating but I got there.

Very disapointed with this behavior... All external devices can freely connect to CAP-Manager, but internal WiFi-interface must done workaround prior to connect to own CAPsMan.
I'm using 6.49.7 with internal LAN bridge (br-lan, 192.168.30.1) and none of above advices does not help me. Here are two rules that really help me to accomplish this quest:

I have a question about the new Capsman (wifi menu for controlling the wifiwave2 devices). Is it possible to manage the wifi interfaces on the same RB Capsman itself runs on (for example on hAP ax3)? If yes, how to do it?

... (wifi menu for controlling the wifiwave2 devices) ...

Just use the same configuration profiles for both CAPsMAN and local radios. For that, you don't need to join the local box as a CAP, everything (including the roaming protocols) will still work.

P.S. Please note that this thread was originally created for the "old" CAPsMAN, not the wifiwave2 one, and the two are pretty different.

If I understand it correctly, I should set the local wifi interfaces as "Capsman or local" and on other Routerboards it should be Capsman only?

No. You first create a configuration profile and put all you settings in there:

Once done, use it for provisioning your remote CAPs and also set that profile for your local radios:

There is no need to use the .manager property at all (unless you wish to be very specific). In any case, do NOT use it in profiles (that makes little sense), only set it for specific interfaces.

You can trigger provisioning on your local interfaces, no need to set configuration manually. In Winbox just select your local radio and hit the "provision" button, in cli run something like "/interface/wifi/radio/provision [find local]" etc.

If I understand it correctly, I should set the local wifi interfaces as "Capsman or local" and on other Routerboards it should be Capsman only?

No, on local capsman interfaces it should remain unset or "local".

Thank you both for the clarification. I did it according to the Mikrotik documentation and the configuration.manager parameter was used there, so I needed to clarify.

I was ask today same question as new post, there is a way, check below

viewtopic.php?t=203335