wermut
just joined
Topic Author
Posts: 4
Joined: Wed May 24, 2023 12:05 pm

Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Thu May 30, 2024 7:09 pm

This is a short guide on how I finally managed to set up a CAPsMAN configuration, including a management VLAN on the CAP.

References
Background
I have some experience with MikroTik, but had almost no experience with wireless systems before my attempt, so this description should be read with a grain of salt. If something was done in an overly complicated way, or if someone has a more elegant solution, please share it and highlight problems. This short guide was written because I struggled a lot with the documentation provided by MikroTik. For the test, I ordered and used 1x hap-ax3, 1x hap-ax2 and 1x cAP-ax.

There is a slight chance that the config contains small errors, since I obfuscated some settings so as not to expose the actual settings of my config, for security and paranoia reasons.


Design Goals
  • 1 CAPsMAN
  • Multiple APs (all ax)
  • Separate Management VLAN for all Mikrotik devices
  • Using RouterOS 7.14 or newer
  • Try out IEEE 802.11r fast BSS transition feature

There are clearly a lot of features missing in the current "new" implementation of CAPsMAN. It kind of works if you have a single network without VLAN segmentation and multiple slaves with their own separate VLAN. Once you introduce those and also want a separate management VLAN and VLAN filtering enabled on the bridge, I have found no good way to make it "centrally" managed. Therefore the current solution involves some manual configuration on the CAPs themselves. Since AC devices also do not support automatic datapath configuration from CAPsMAN, there is a chance that the same solution works out of the box for AC or mixed setups. I also found some bugs where CAPsMAN was running on a CAP itself: the local radios would not always reliably configure themselves. For this reason, I placed the CAPsMAN server on an RB5009, which also acts as the main router for my home network.


Hardware Setup
--------------------
[ CAPsMAN - RB5009 ]
--------------------
|
| (Trunk)
|
|     ------------------
| --- [ CAP1 - hap-ax3 ]
|     ------------------
|
|     ------------------
| --- [ CAP2 - hap-ax2 ]
|     ------------------
|
|     ------------------
| --- [ CAP3 - cAP-ax  ]
      ------------------

VLANs
  • 100 - MGMT
  • 200 - LAN
  • 300 - GUEST
  • 310 - IOT

All the VLANs are routed on the central RB5009. Inter-VLAN routing and firewalling is configured and not part of this guide.


Setup Process


CAPsMAN - RB5009


From RouterOS 7.13, there should be a dedicated "WiFi" section, replacing the functionalities that could be found up to RouterOS 7.12.


The following relevant interfaces are present:
/interface vlan
add interface=bridge1 name=vlan100-mgmt vlan-id=100
add interface=bridge1 name=vlan200-lan vlan-id=200
add interface=bridge1 name=vlan300-guest vlan-id=300
add interface=bridge1 name=vlan310-iot vlan-id=310

In my case, the CAPsMAN server shall run on the VLAN ID 100. Therefore I have to set the following configuration:
/interface wifi capsman
set ca-certificate=auto enabled=yes interfaces=vlan100-mgmt package-path="" \
    require-peer-certificate=no upgrade-policy=none

This setting allows CAPsMAN to automatically accept and create the certificates needed for the management relationship. If you ever have to quickly change the CAPsMAN controller and/or assign a CAP to another CAPsMAN, you have to delete the certificates on the devices first. The certificates can be found under "System" > "Certificates".


Now create the wifi configuration, starting with the datapath.

Since we will manually configure the VLANs on each CAP, we have to define a datapath with the bridge name only. On my devices, I want to enforce having only one bridge present at any time, and they are all named "bridge1".
/interface wifi datapath
add bridge=bridge1 disabled=no name=DP_MANUAL

The wifi configuration:
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes \
    ft-mobility-domain=0x200 ft-over-ds=no name=lan-sec
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes \
    ft-mobility-domain=0x300 ft-over-ds=no name=guest-sec
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes \
    ft-mobility-domain=0x310 ft-over-ds=no name=iot-sec
    
/interface wifi configuration
add country=Switzerland datapath=DP_MANUAL disabled=no name=guest-cfg security=\
    guest-sec ssid=wt-guest
add country=Switzerland datapath=DP_MANUAL disabled=no name=lan-cfg security=\
    lan-sec ssid=wt-lan
add country=Switzerland datapath=DP_MANUAL disabled=no name=iot-cfg security=\
    iot-sec ssid=wt-iot

Create provisioning rules
/interface wifi provisioning
add action=create-dynamic-enabled comment="2.4 GHz" disabled=no master-configuration=lan-cfg slave-configurations=guest-cfg,iot-cfg \
    supported-bands=2ghz-n
add action=create-dynamic-enabled comment="5 GHz" disabled=no master-configuration=lan-cfg slave-configurations=guest-cfg supported-bands=\
    5ghz-ac
add action=create-dynamic-enabled disabled=no master-configuration=lan-cfg slave-configurations=guest-cfg supported-bands=5ghz-ax



CAPx

Now we configure each CAP.

For the VLANs, I also create the different VLAN interfaces to expose them to the local RouterOS instance. Technically this can be omitted, except for the management VLAN, which in my case is needed for management and also for CAP to CAPsMAN communication. Adjust the input firewall rules if needed.
/interface vlan
add interface=bridge1 name=vlan100-mgmt vlan-id=100
add interface=bridge1 name=vlan200-lan vlan-id=200
add interface=bridge1 name=vlan300-guest vlan-id=300
add interface=bridge1 name=vlan310-iot vlan-id=310

Setup the wifi interfaces

On the devices used, there are usually two radios present in the default configuration. "wifi1" tends to be the 5 GHz radio. As a first step, I usually rename them to "wifi-lan-50" and "wifi-lan-24", because they will be assigned to the SSID/VLAN "LAN" afterwards.
/interface wifi
set [ find default-name=wifi2 ] channel.band=2ghz-ax \
    .skip-dfs-channels=10min-cac .width=20/40mhz \
    configuration.manager=capsman .mode=ap disabled=no \
    name=wifi-lan-24 security.authentication-types=""
set [ find default-name=wifi1 ] channel.band=5ghz-ax \
    .skip-dfs-channels=10min-cac .width=20/40/80mhz \
    configuration.manager=capsman .mode=ap disabled=no \
    name=wifi-lan-50 security.authentication-types=""
add configuration.mode=ap disabled=no master-interface=wifi-lan-24 \
    name=wifi-iot-24
add configuration.mode=ap disabled=no master-interface=wifi-lan-24 \
    name=wifi-guest-24
add configuration.mode=ap disabled=no master-interface=wifi-lan-50 \
    name=wifi-guest-50

Configure Bridge

Make sure the bridge is named "bridge1". The process involves 3 parts:
  1. Assign all ports and VLAN ID (PVID)
  2. Configure VLANs on the bridge
  3. Activate VLAN filtering

The filtering will be configured later.
/interface bridge port
add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wifi-lan-50 internal-path-cost=10 path-cost=10 pvid=200
add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=wifi-lan-24 internal-path-cost=10 path-cost=10 pvid=200
add bridge=bridge1 comment=uplink interface=ether1 internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi-guest-24 pvid=300
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi-guest-50 pvid=300
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged interface=wifi-iot-24 pvid=310

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=100
add bridge=bridge1 tagged=bridge1,ether1 untagged=wifi-lan-50,wifi-lan-24 vlan-ids=200
add bridge=bridge1 tagged=bridge1,ether1 untagged=wifi-guest-24,wifi-guest-50 vlan-ids=300
add bridge=bridge1 tagged=bridge1,ether1 untagged=wifi-iot-24 vlan-ids=310

Automatically assign an IP to the management interface for L3 connectivity. A firewall rule on the input chain probably has to be added to reach the device.
/ip dhcp-client
add interface=vlan100-mgmt

/ip firewall filter
add action=accept chain=input comment="Accept from Management" \
    in-interface=vlan100-mgmt

Activate the VLAN filtering on the bridge
/interface bridge
set bridge1 vlan-filtering=yes

Finally, activate the CAP connectivity. The "caps-man-addresses" setting can be removed, but I prefer to have it configured. Set it to your correct IP. The important part is to set "slaves-static=yes", or your CAPsMAN may mess up your manual interface configuration.
/interface wifi cap
set caps-man-addresses=192.168.100.1 certificate=request \
    discovery-interfaces=vlan100-mgmt enabled=yes slaves-static=yes

After that, the interfaces should configure themselves. If not, I found out that on the CAPsMAN device there is a "Remote CAP" tab (Winbox) in the WiFi section, with a button called "Provisioning" which seems to force the redistribution of the config to the currently selected CAP. Do not use the "Provisioning" function in the "Radio" tab, since it seems to destroy and re-create the interfaces on the managed CAPs and replace them with dynamic interfaces.

Overall it works. I would still like it if CAPsMAN offered more advanced controller functions to create a true central management solution. Since all this stuff can be configured manually, I don't see a reason why this cannot be automated and, in the same step, made universally compatible with AC and AX devices, with VLAN filtering enabled on the bridge. Anyway, for my small setup of only 3 CAP devices, it works fine and so far runs more stably than my previous TP-Link solution. Bandwidth is acceptable. Fingers crossed that it will run for the next couple of years.


Things that I would like to really understand


VLAN / SSID assignment on CAP


How does CAPsMAN form the relationship between manually created interfaces and provisioned configurations? There is not a single reference to the VLAN ID (PVID) in the CAPsMAN config, and still it assigns it to the correct interface every time.

Fast Transition


I intentionally configured BSS fast transition (FT) over the air and not over the distributed system (DS). Would it be possible in this configuration to avoid CAPsMAN altogether and just set the domain? What role does CAPsMAN play here under the hood?
 
holvoetn
Forum Guru
Posts: 6975
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Thu May 30, 2024 8:41 pm

Nice work !!
Will review later this week when I have more time.

As for your questions:

Things that I would like to really understand


VLAN / SSID assignment on CAP


How does CAPsMAN form the relationship between manually created interfaces and provisioned configurations? There is not a single reference to the VLAN ID (PVID) in the CAPsMAN config, and still it assigns it to the correct interface every time.

Fast Transition


I intentionally configured BSS fast transition (FT) over the air and not over the distributed system (DS). Would it be possible in this configuration to avoid CAPsMAN altogether and just set the domain? What role does CAPsMAN play here under the hood?
1- The datapath setting is responsible for that, unless I misunderstood your question?
2- CAPsMAN is not needed per se for this to work. It will also work between the 2.4 GHz and 5 GHz radios on the same AP, as long as the same SSID is used.
Key point here is that all radios where you want this to work, need to be configured by the same ROS instance.
And that can also be capsman ...
 
MichalPospichal
newbie
Posts: 42
Joined: Sun Feb 04, 2018 11:27 pm
Location: Czech Republic

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Thu May 30, 2024 9:32 pm

Great guide, appreciate the effort.

I just configured VLANs with CAPsMAN for the first time myself a few days ago, so I also had to dig for information; here are my thoughts.

The Datapath VLAN provisioning works from the CAPsMAN side (well, sort of, more on that below), but you still need to have it also on the CAP side, yes.
Basically the only setting in the WiFi interface on the CAP side you need to do (besides activating the CAP mode, obviously) is to create a Datapath, into which you assign the CAP bridge, and then assign this datapath to each of the wifi interfaces. This way the WiFi interfaces are automatically added to your CAP bridge, and this for some reason is the only thing that is not properly propagated from CAPsMAN. Important note regarding this: after you are done with the config, you need to reboot the CAP, because otherwise the WiFi interfaces are not added to the CAP bridge dynamically the first time you activate them from the CAPsMAN side. Only after the reboot did it start to work for me.
The rest of the Datapath values can be set on CAPsMAN side.

Then the bridge port/VLAN settings are mostly OK with one little exception - you do not need to add any WiFi interface as tagged or untagged in bridge/vlan. This will be handled automatically by the Datapath you set on the CAP, where they are dynamically added to the CAP bridge and tagged/untagged as needed automatically. Add only your trunk ether port and bridge interface as tagged (I believe bridge is only needed for the vlans that have interface/vlan defined).

I think the less config you need on CAP the better, putting all that you can on the CAPsMAN side. And at least for me it works this way without any issues.
 
wermut
just joined
Topic Author
Posts: 4
Joined: Wed May 24, 2023 12:05 pm

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Thu May 30, 2024 10:05 pm

Thanks for the replies so far.

Yes, for AX devices only, VLAN IDs can be defined in the datapath and automatically propagated, but for AC devices, and also if VLAN filtering is enabled on the CAP bridge, it does not seem to work. If no management VLAN is configured and VLAN filtering is disabled, the automatic way works as you described.

The official WiFi documentation from MikroTik has a sample under https://help.mikrotik.com/docs/display/ ... onexample: for the "wifi-qcom-ac" driver. They state that the automatic VLAN assignment does not (yet?) work in this case and that you have to configure the VLAN assignment of the CAP radios manually, which I did in this example also for the "wifi-qcom" driver. The official example only uses two VLANs: a LAN and one for GUEST. In the provisioning rules in CAPsMAN, you can set a config for the master and for the slaves, where multiple slaves can be passed as a list. That the master config is assigned to the master WiFi interface is kind of logical. What I do not get so far is how the right slave configuration is passed to the right manually created slave interface on the CAP. In my case it must assign the SSID "wt-iot" to "wifi-iot-24" and "wt-guest" to the interfaces "wifi-guest-24" and "wifi-guest-50". It works reliably, but in the CAPsMAN datapath we only define the bridge, as copied from the mentioned example in the MikroTik documentation. In my case the datapath is just named "DP_MANUAL" with "bridge1" as its bridge, and that is referenced in the config under datapath. No VLAN ID allowed. The documentation even says: "Passing datapaths "MAIN/GUEST" from the start of the example to "wifi-qcom-ac" CAP would be misconfiguration, make sure to use datapath without "vlan-id" specified to such devices."

By pressing the mentioned "Provisioning" button, the CAP always configured and worked successfully. Did some reboots anyway.

On the Fast Transition topic: I half-read the IEEE standard. The main use case for the feature seems to be when IEEE 802.1X (RADIUS) is enabled, since authentication can take ages. In this case, the system (CAPsMAN) should be configured to use "FT over DS" (Distributed System); the handover process goes over the backhaul Ethernet and passes the authentication info to the new AP, as I assume. The device itself then does not need to re-authenticate on the new AP. In my WPA2 and WPA3 PSK scheme, I explicitly disabled "FT over DS". This way the client has to ask around whether an access point with the same SSID and the same "ft mobility domain" is present. If a better AP is found, the login info will be sent "over the air", not over DS, to the new access point, which can then take over the connection. From my view, it is not 100% necessary to have CAPsMAN in this special case, but I have not had the time to really dig that deep to verify. Might it be a packet routing or ARP thing?
 
MichalPospichal
newbie
Posts: 42
Joined: Sun Feb 04, 2018 11:27 pm
Location: Czech Republic

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Thu May 30, 2024 10:50 pm

Yes, for AX devices only, VLAN IDs can be defined in the datapath and automatically propagated, but for AC devices, and also if VLAN filtering is enabled on the CAP bridge, it does not seem to work. If no management VLAN is configured and VLAN filtering is disabled, the automatic way works as you described.
True, this apparently works only if configuring ax wifi-qcom devices, AC cannot be done in this way. However, I do have management VLAN and VLAN filtering enabled on both the CAPsMAN router and the CAP and it still seems to work automatically.
 
gigabyte091
Forum Guru
Posts: 1550
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Fri May 31, 2024 5:28 am

Great tutorial, maybe you should put it in "Useful user articles" section.

I had one strange problem where I used create dynamic enabled with my CAPs and was able to change config etc. But when third CAP was added to the mix CAPsMAN created two virtual interfaces on top of the master interfaces for no reason only on that CAP... And I was unable to change anything on that CAP. (Other two I could change whatever)

Changing to create enabled in provisioning solved that problem.
 
mftovey
just joined
Posts: 10
Joined: Tue Sep 19, 2023 2:20 am
Location: Oregon, United States

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Mon Jun 17, 2024 11:12 pm

Last winter I used the same WiFi documentation as is referenced in this thread (https://help.mikrotik.com/docs/display/ROS/WiFi) to develop a WiFi with VLANs configuration. I am using a hEX S as the primary router, (RB760iGS) and a hAP ax^3 for the WiFi access point (C53UiG+5HPaxD2HPaxD). The configuration I developed is very similar to what is described in this thread (I did not configure fast transfer). It has worked very well for me.

Recently I decided to expand my configuration to include an additional hAP access point. After installing a base configuration on the new hAP, I connected it to the hEX and rebooted everything. CAPsMAN recognized the new hAP and added it into the system.

However, it is not functioning properly. When I move a client device between AP zones, I can see the client roam from one AP to the other, but it cannot seem to properly re-establish a network configuration. I see the client repeatedly connecting to and disconnecting from the second AP. It does not matter which direction I move, from the old AP to the new AP or from the new AP to the old AP; the same behavior is experienced. And once this cycle is started, I cannot simply move back to the original AP; I must wait for a period of time (2 minutes?) before the client will successfully re-establish a connection to either AP. Once the client is successfully connected to an AP, it works fine as long as I do not move into the other AP zone.

I am at a loss as to what is wrong here. Would someone be willing to review my configuration and point out any flaws they see? I have included the relevant router and AP configurations below for brevity and I am willing to post the full configurations if necessary. I also have a syslog server and logging from the Mikrotik devices is being forwarded to there, so I can provide log output if that would be helpful.

Thanks in advance,
-Mark


hEX router configuration:
/interface bridge
add name=BR1 port-cost-mode=short protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=BR1 name=GUEST vlan-id=20
add interface=BR1 name=HOME vlan-id=10
add interface=BR1 name=IOT vlan-id=30
add interface=BR1 name=MGMT vlan-id=99

/interface wifi datapath
add bridge=BR1 disabled=no name=HOME vlan-id=10
add bridge=BR1 disabled=no name=GUEST vlan-id=20
add bridge=BR1 disabled=no name=IOT vlan-id=30

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=GUEST
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=HOME
add authentication-types=wpa-psk,wpa2-psk disabled=no name=IOT

/interface wifi configuration
add country="United States" datapath=HOME disabled=no mode=ap name=HOME security=HOME ssid=wtnet
add country="United States" datapath=GUEST disabled=no mode=ap name=GUEST security=GUEST ssid=wtnet-g
add country="United States" datapath=IOT disabled=no mode=ap name=IOT security=IOT ssid=wtnet-i

/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 internal-path-cost=10 path-cost=10 pvid=99
add bridge=BR1 interface=ether3 internal-path-cost=10 path-cost=10 pvid=10
add bridge=BR1 interface=ether4 internal-path-cost=10 path-cost=10 pvid=20
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether5 internal-path-cost=10 path-cost=10 pvid=30
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=sfp1 internal-path-cost=10 path-cost=10 pvid=99

/interface bridge vlan
add bridge=BR1 tagged=BR1,ether3,ether4,ether5,sfp1 untagged=ether2 vlan-ids=99
add bridge=BR1 tagged=BR1,ether3,ether4,ether5,sfp1 vlan-ids=10
add bridge=BR1 tagged=BR1,ether3,ether4,ether5,sfp1 vlan-ids=20
add bridge=BR1 tagged=BR1,ether3,ether4,ether5,sfp1 vlan-ids=30

/interface wifi capsman
set ca-certificate=auto enabled=yes interfaces=MGMT package-path="" require-peer-certificate=no upgrade-policy=none

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=HOME name-format="" slave-configurations=GUEST,IOT

/ip address
add address=192.168.0.1/24 interface=MGMT network=192.168.0.0
add address=10.0.10.1/24 interface=HOME network=10.0.10.0
add address=10.0.20.1/24 interface=GUEST network=10.0.20.0
add address=10.0.30.1/24 interface=IOT network=10.0.30.0

/system identity
set name=Router


hAP access point configuration:

/interface bridge
add name=BR1 port-cost-mode=short protocol-mode=none

/interface vlan
add interface=BR1 name=MGMT vlan-id=99

/interface wifi datapath
add bridge=BR1 disabled=no name=capdp

/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: wtnet, channel: 5220/ax/eeCe
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath=capdp disabled=no
# managed by CAPsMAN
# mode: AP, SSID: wtnet, channel: 2412/ax/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath=capdp disabled=no

/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether1 internal-path-cost=10 path-cost=10 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 internal-path-cost=10 path-cost=10 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 internal-path-cost=10 path-cost=10 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 internal-path-cost=10 path-cost=10 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 internal-path-cost=10 path-cost=10 pvid=30

/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1 untagged=ether2 vlan-ids=99
add bridge=BR1 tagged=ether1 untagged=ether3 vlan-ids=10
add bridge=BR1 tagged=ether1 untagged=ether4 vlan-ids=20
add bridge=BR1 tagged=ether1 untagged=ether5 vlan-ids=30

/interface wifi cap
set discovery-interfaces=MGMT enabled=yes slaves-datapath=capdp

/ip address
add address=192.168.0.2/24 interface=MGMT network=192.168.0.0

/system identity
set name=AccessPoint1
Last edited by holvoetn on Mon Jun 17, 2024 11:21 pm, edited 1 time in total.
Reason: added code quotes for readability
 
MichalPospichal
newbie
Posts: 42
Joined: Sun Feb 04, 2018 11:27 pm
Location: Czech Republic

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Tue Jun 18, 2024 12:11 am

@mftovey: Could you please clarify which ports are supposed to be your trunk ports on the hEX and hAP sides?
AFAIK trunk ports should have PVID=1, but I don't see that in your config.

edit:
Assuming that on the hEX side sfp1 is trunk port, ether2 is management port, ether3 vlan10, ether4 vlan20 and ether5 vlan30, and you want to send all the vlans to your cAPs, then I think it should be like this:
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 internal-path-cost=10 path-cost=10 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 internal-path-cost=10 path-cost=10 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 internal-path-cost=10 path-cost=10 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 internal-path-cost=10 path-cost=10 pvid=30
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=sfp1 internal-path-cost=10 path-cost=10 pvid=1

/interface bridge vlan
add bridge=BR1 tagged=BR1,sfp1 untagged=ether2 vlan-ids=99
add bridge=BR1 tagged=BR1,sfp1 untagged=ether3 vlan-ids=10
add bridge=BR1 tagged=BR1,sfp1 untagged=ether4 vlan-ids=20
add bridge=BR1 tagged=BR1,sfp1 untagged=ether5 vlan-ids=30

On hAP side then, assuming ether1 is trunk, and ether2-5 the same as on hEX:
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged interface=ether1 internal-path-cost=10 path-cost=10 pvid=1
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether2 internal-path-cost=10 path-cost=10 pvid=99
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether3 internal-path-cost=10 path-cost=10 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether4 internal-path-cost=10 path-cost=10 pvid=20
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged interface=ether5 internal-path-cost=10 path-cost=10 pvid=30

/interface bridge vlan
add bridge=BR1 tagged=BR1,ether1 untagged=ether2 vlan-ids=99
add bridge=BR1 tagged=ether1 untagged=ether3 vlan-ids=10
add bridge=BR1 tagged=ether1 untagged=ether4 vlan-ids=20
add bridge=BR1 tagged=ether1 untagged=ether5 vlan-ids=30
 
mftovey
just joined
Posts: 10
Joined: Tue Sep 19, 2023 2:20 am
Location: Oregon, United States

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Tue Jun 18, 2024 5:00 am

A smart switch (RB260GS) is connected to the sfp1 port on the hEX. All that is currently connected to it are IOT devices. Ports ether4 and ether5 are the trunk ports to the hAP access points. Port ether3 is a trunk port to a TP-Link smart switch in my office where I have a server connected to the MGMT VLAN and my workstation, printer, etc. connected to the HOME VLAN. Port ether2 is a maintenance port and port ether1 is the WAN connection. The MGMT VLAN is configured with PVID 99 and the intent was to end the datapaths over the MGMT VLAN. Is that where the problem resides? How does this change the configuration you provided?
 
mftovey
just joined
Posts: 10
Joined: Tue Sep 19, 2023 2:20 am
Location: Oregon, United States

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Thu Jun 20, 2024 10:41 pm

I think I may have found the solution. In the Mikrotik documentation for configuring CAPsMAN, I found this notice:

If the CAP is hAP ax2 or hAP ax3, it is strongly recommended to enable RSTP in the bridge configuration, on the CAP
configuration.manager should only be set on the CAP device itself, don't pass it to the CAP or configuration profile that you provision.


Both of my access points are hAP ax3, so I enabled RSTP on them. After that, roaming started working properly with none of the associate/disassociate issues. The hand-off is a little slow in being triggered, but I have seen several discussions on how to tune that. I will play around with that a bit. But the bottom line is that the roaming now appears to be functioning properly for me.

-Mark
 
bobbyjball3
just joined
Posts: 7
Joined: Sat Jun 22, 2024 6:23 am

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Thu Jul 11, 2024 5:12 am

Thanks for this. I was struggling and I think this got me close. My cap comes up, I see it in neighbors, I can reach it in Inbox from my admin vlan. But while all of the wifi interfaces are provisioned, set with the right PVID, and enabled, No devices actually connect to the AP. Here's my config for the cap - what dumb thing have I done?

########################################################
######## CAPSMAN-Managed CAP
########################################################

:global adminInterfaceIpAddress "10.0.1.5/24";
:global capName "mikrotik-living-cap";
:global routerIpAddress "10.0.1.1";

/system identity set name="$capName"
/system ntp client set enabled=yes servers=$routerIpAddress
/ip dns set servers=$routerIpAddress

/ip service
disable telnet
disable ftp
disable api
disable api-ssl
disable www
/ip ssh set strong-crypto=yes

/interface bridge add name=cap-bridge protocol-mode=none vlan-filtering=no
/ip address add address=$adminInterfaceIpAddress interface=cap-bridge

/interface bridge port add bridge=cap-bridge interface=ether1 frame-types=admit-only-vlan-tagged
/interface bridge port add bridge=cap-bridge interface=ether2 pvid=101 frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
add bridge=cap-bridge tagged=cap-bridge,ether1 untagged=ether2 vlan-ids=101
add bridge=cap-bridge tagged=cap-bridge,ether1 vlan-ids=110
add bridge=cap-bridge tagged=cap-bridge,ether1 vlan-ids=120
add bridge=cap-bridge tagged=cap-bridge,ether1 vlan-ids=130

/interface vlan add interface=cap-bridge name=101-admin-vlan vlan-id=101
/ip address add address=$adminInterfaceIpAddress interface=101-admin-vlan

/interface list add name=ADMIN_VLAN
/interface list member add interface=101-admin-vlan list=ADMIN_VLAN
/interface list member add interface=ether2 list=ADMIN_VLAN
/ip neighbor discovery-settings set discover-interface-list=ADMIN_VLAN
/tool mac-server mac-winbox set allowed-interface-list=ADMIN_VLAN
/tool mac-server set allowed-interface-list=ADMIN_VLAN

/interface wifi datapath add bridge=cap-bridge comment=defconf disabled=no name=cap-datapath
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=cap-datapath disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=cap-datapath disabled=no

/interface wifi cap 
set discovery-interfaces=101-admin-vlan caps-man-addresses=$routerIpAddress enabled=yes certificate=request slaves-datapath=cap-datapath

/ip route add disabled=no dst-address=0.0.0.0/0 gateway=$routerIpAddress suppress-hw-offload=no

/interface bridge set cap-bridge vlan-filtering=yes
 
neki
Member Candidate
Posts: 252
Joined: Thu Sep 07, 2023 10:20 am

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Thu Jul 11, 2024 11:14 am

If you followed this guide, you are probably missing VLAN definition in datapath on CAPsMAN.

VLAN should be set in datapath on CAPsMAN.
Bridge, in datapath, must be set on each CAP locally.
 
bobbyjball3
just joined
Posts: 7
Joined: Sat Jun 22, 2024 6:23 am

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Thu Jul 11, 2024 4:11 pm

Thanks for the reply, @neki. I did check my capsman config and I definitely specify vlan id in my datapath configs on the capsman side (I’ll post this configuration as well, but am away from my home). I can see that capsman has set the correct PVIDs on the WiFi interfaces in my bridge even.

I tried toggling vlan filtering off as well just to check as I know there were bugs related to capsman and vlan filtering. But no love.

I’m on ROS7.15.2 FWIW.
 
bobbyjball3
just joined
Posts: 7
Joined: Sat Jun 22, 2024 6:23 am

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Fri Jul 12, 2024 4:20 am

Here are my complete capsman and cap configs.


Capsman config:
/interface wifi channel
add frequency=2412,2432,2472 name=2GHz-channel width=20mhz
add frequency=5170-5250 name=5GHz-channel width=20/40/80mhz

/interface wifi datapath
add bridge=edge-router-bridge name=admin-datapath vlan-id=101
add bridge=edge-router-bridge name=user-datapath vlan-id=110
add bridge=edge-router-bridge name=iot-datapath vlan-id=130

/interface wifi security
add authentication-types=wpa2-psk name=admin-auth wps=disable
add authentication-types=wpa2-psk name=user-auth wps=disable
add authentication-types=wpa2-psk name=iot-auth wps=disable

/interface wifi configuration
add channel=2GHz-channel country="United States" datapath=admin-datapath mode=ap name=admin-conf-2g security=admin-auth ssid=LLAP_Admin
add channel=2GHz-channel country="United States" datapath=user-datapath mode=ap name=user-conf-2g security=user-auth ssid=LLAP
add channel=2GHz-channel country="United States" datapath=iot-datapath mode=ap name=iot-conf-2g security=iot-auth ssid=LLAP_IOT
add channel=5GHz-channel country="United States" datapath=admin-datapath mode=ap name=admin-conf-5g security=admin-auth ssid=LLAP_Admin
add channel=5GHz-channel country="United States" datapath=user-datapath mode=ap name=user-conf-5g security=user-auth ssid=LLAP
add channel=5GHz-channel country="United States" datapath=iot-datapath mode=ap name=iot-conf-5g security=iot-auth ssid=LLAP_IOT

/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=101-admin-vlan upgrade-policy=require-same-version

/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=user-conf-2g slave-configurations=admin-conf-2g,iot-conf-2g supported-bands=2ghz-ax
add action=create-dynamic-enabled master-configuration=user-conf-5g slave-configurations=admin-conf-5g,iot-conf-5g supported-bands=5ghz-ax
CAP config:
/interface bridge
add name=cap-bridge protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=cap-bridge name=101-admin-vlan vlan-id=101
/interface list
add name=ADMIN_VLAN
/interface wifi datapath
add bridge=cap-bridge comment=defconf disabled=no name=cap-datapath
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: LLAP, channel: 5180/ax/Ceee
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=cap-datapath disabled=no
# managed by CAPsMAN
# mode: AP, SSID: LLAP, channel: 2412/ax
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=cap-datapath disabled=no
# managed by CAPsMAN
# mode: AP, SSID: LLAP_Admin
add datapath=cap-datapath disabled=no mac-address=4A:A9:8A:CA:3B:E0 master-interface=wifi2 name=wifi7
# managed by CAPsMAN
# mode: AP, SSID: LLAP_IOT
add datapath=cap-datapath disabled=no mac-address=4A:A9:8A:CA:3B:E1 master-interface=wifi2 name=wifi8
# managed by CAPsMAN
# mode: AP, SSID: LLAP_Admin
add datapath=cap-datapath disabled=no mac-address=4A:A9:8A:CA:3B:DE master-interface=wifi1 name=wifi9
# managed by CAPsMAN
# mode: AP, SSID: LLAP_IOT
add datapath=cap-datapath disabled=no mac-address=4A:A9:8A:CA:3B:DF master-interface=wifi1 name=wifi10
/interface bridge port
add bridge=cap-bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=cap-bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=101
/ip neighbor discovery-settings
set discover-interface-list=ADMIN_VLAN
/interface bridge vlan
add bridge=cap-bridge tagged=cap-bridge,ether1 untagged=ether2 vlan-ids=101
add bridge=cap-bridge tagged=cap-bridge,ether1 vlan-ids=110
add bridge=cap-bridge tagged=cap-bridge,ether1 vlan-ids=120
add bridge=cap-bridge tagged=cap-bridge,ether1 vlan-ids=130
/interface list member
add interface=101-admin-vlan list=ADMIN_VLAN
add interface=ether2 list=ADMIN_VLAN
/interface wifi cap
set caps-man-addresses=10.0.1.1 certificate=request discovery-interfaces=101-admin-vlan enabled=yes slaves-datapath=cap-datapath slaves-static=yes
/ip address
add address=10.0.1.5/24 interface=101-admin-vlan network=10.0.1.0
/ip dns
set servers=10.0.1.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.1.1 suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/Indiana/Indianapolis
/system identity
set name=mikrotik-living-cap
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.1.1
 
erlinden
Forum Guru
Posts: 2761
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Tue Sep 17, 2024 11:02 am

Thanks for this post! I switched my hybrid ports to trunk ports on all devices (router/switches/accesspoints). Ran into the problem that from time to time management IP addresses were assigned to mobile devices. Hope this improves my situation.
 
rrawstron
just joined
Posts: 8
Joined: Mon Jun 20, 2016 11:19 am

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Fri Oct 18, 2024 8:16 am

Thanks for the posts above.
The official documentation/examples aren't great so the earlier posts have been helpful in getting a working config.

A couple of points for others who are trying to setup wifi VLANs with CAPsMAN.
From what I now understand there are two ways of configuring wifi VLANs:
  1. CAPsMAN datapath VLAN
    The VLAN ID is configured in the CAPsMAN datapath
    The wifi interfaces and VLANs are automatically provisioned/configured by CAPsMAN.
    There is no need to manually configure cAP wifi interfaces and VLAN ID.
  2. cAP VLAN interfaces
    Wifi interfaces and VLANs are manually configured on the cAP.
    CAPsMAN is still configured as per CAPsMAN datapath except the VLAN ID is not configured.
In my view CAPsMAN datapath is simpler/easier and hence better.
But only cAP AX units support CAPsMAN datapath VLAN config (at least with v7.16.1 and older). Maybe this will change in the future.
Note cAP AX units can be configured using cAP VLAN interfaces if preferred.

cAP AC units must be configured using cAP VLAN interfaces.
CAPsMAN will display the error --- vlan-id configured, but interface does not support assigning vlans if you try to configure a cAP AC with datapath VLAN.

And a gotcha when configuring cAP VLAN interfaces.
If the manually configured wifi interfaces are changed during provisioning there is most likely an error in your config.
I ran into this initially but with the config below provisioning via Wifi > Radios tab > Provision and Wifi > Remote CAP > Provision now works without changing the interfaces.

Below is the additional config required to setup wifi VLANs with cAP AC, cAP AX and CAPsMAN.
  • RB960PGS running CAPsMAN
  • RBcAPGi-5acD2nD cAP AC connected to eth4
  • cAPGi-5HaxD2HaxD cAP AX connected to eth5
  • cAP AC configured via cAP VLAN interfaces
  • cAP AX configured via CAPsMAN datapath VLAN
  • All running v7.16.1
  • VLAN 20 - cAP AC main wifi with SSID = Access McAccessPoint
  • VLAN 30 - cAP AC guest wifi with SSID = Access McAccessPoint-Guest
  • VLAN 40 - cAP AX main wifi with SSID = Testy McTesticle
  • VLAN 50 - cAP AX guest wifi with SSID = Testy McTesticle-Guest
CAPsMAN Config
/interface bridge
set [ find comment=defconf ] vlan-filtering=yes

/interface vlan
add interface=bridge name=wifi-capac-vlan20-main vlan-id=20
add interface=bridge name=wifi-capac-vlan30-guest vlan-id=30
add interface=bridge name=wifi-capax-vlan40-main vlan-id=40
add interface=bridge name=wifi-capax-vlan50-guest vlan-id=50

/interface wifi datapath
add bridge=bridge disabled=no name=cap-dp-ax40-main vlan-id=40
add bridge=bridge disabled=no name=cap-dp-ax50-guest vlan-id=50
add bridge=bridge disabled=no name=cap-dp-ac

#NOTE: This could be simplified if frequencies weren't specified for 2Ghz AX, 2Ghz N, 5Ghz AC, 5Ghz AX
/interface wifi configuration
add channel=cap-ch2ax datapath=cap-dp-ax40-main disabled=no name=cap-cfg2ax-vlan40-main security=cap-secwpa3 ssid="Testy McTesticle"
add channel=cap-ch2ax datapath=cap-dp-ax50-guest disabled=no name=cap-cfg2ax-vlan50-guest security=cap-secwpa3 ssid="Testy McTesticle-Guest"
add channel=cap-ch5ax datapath=cap-dp-ax40-main disabled=no name=cap-cfg5ax-vlan40-main security=cap-secwpa3 ssid="Testy McTesticle"
add channel=cap-ch5ax datapath=cap-dp-ax50-guest disabled=no name=cap-cfg5ax-vlan50-guest security=cap-secwpa3 ssid="Testy McTesticle-Guest"
add channel=cap-ch2n datapath=cap-dp-ac disabled=no name=cap-cfg2n-vlan20-main security=cap-secwpa3 ssid="Access McAccessPoint"
add channel=cap-ch2n datapath=cap-dp-ac disabled=no name=cap-cfg2n-vlan30-guest security=cap-secwpa3 ssid="Access McAccessPoint-Guest"
add channel=cap-ch5ac datapath=cap-dp-ac disabled=no name=cap-cfg5ac-vlan20-main security=cap-secwpa3 ssid="Access McAccessPoint"
add channel=cap-ch5ac datapath=cap-dp-ac disabled=no name=cap-cfg5ac-vlan30-guest security=cap-secwpa3 ssid="Access McAccessPoint-Guest"

/ip pool
add name=ipv4-pool-dhcp-vlan20 ranges=10.10.20.200-10.10.20.254
add name=ipv4-pool-dhcp-vlan30 ranges=10.10.30.200-10.10.30.254
add name=ipv4-pool-dhcp-vlan40 ranges=10.10.40.200-10.10.40.254
add name=ipv4-pool-dhcp-vlan50 ranges=10.10.50.200-10.10.50.254

/ip dhcp-server
add address-pool=ipv4-pool-dhcp-vlan20 interface=wifi-capac-vlan20-main name=dhcpv4-server-vlan20
add address-pool=ipv4-pool-dhcp-vlan30 interface=wifi-capac-vlan30-guest name=dhcpv4-server-vlan30
add address-pool=ipv4-pool-dhcp-vlan40 interface=wifi-capax-vlan40-main name=dhcpv4-server-vlan40
add address-pool=ipv4-pool-dhcp-vlan50 interface=wifi-capax-vlan50-guest name=dhcpv4-server-vlan50

/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether4 vlan-ids=30
add bridge=bridge tagged=bridge,ether5 vlan-ids=40
add bridge=bridge tagged=bridge,ether5 vlan-ids=50

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg2ax-vlan40-main slave-configurations=cap-cfg2ax-vlan50-guest supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg5ax-vlan40-main slave-configurations=cap-cfg5ax-vlan50-guest supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg2n-vlan20-main slave-configurations=cap-cfg2n-vlan30-guest supported-bands=2ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg5ac-vlan20-main slave-configurations=cap-cfg5ac-vlan30-guest supported-bands=5ghz-ac

/ip address
add address=10.10.20.1/24 interface=wifi-capac-vlan20-main network=10.10.20.0
add address=10.10.30.1/24 interface=wifi-capac-vlan30-guest network=10.10.30.0
add address=10.10.40.1/24 interface=wifi-capax-vlan40-main network=10.10.40.0
add address=10.10.50.1/24 interface=wifi-capax-vlan50-guest network=10.10.50.0

/ip dhcp-server network
add address=10.10.20.0/24 dns-server=10.10.20.1 domain=vlan20.internal gateway=10.10.20.1
add address=10.10.30.0/24 dns-server=10.10.30.1 domain=vlan30.internal gateway=10.10.30.1
add address=10.10.40.0/24 dns-server=10.10.40.1 domain=vlan40.internal gateway=10.10.40.1
add address=10.10.50.0/24 dns-server=10.10.50.1 domain=vlan50.internal gateway=10.10.50.1
cAP AC Config
/interface bridge
set [ find comment=defconf ] vlan-filtering=yes

/interface wifi
set [ find default-name=wifi1 ] name=wifi1-capac-vlan20-main
set [ find default-name=wifi2 ] name=wifi2-capac-vlan20-main
add disabled=no master-interface=wifi1-capac-vlan20-main name=wifi1-capac-vlan30-guest
add disabled=no master-interface=wifi2-capac-vlan20-main name=wifi2-capac-vlan30-guest

/interface bridge port
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi1-capac-vlan20-main pvid=20
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi2-capac-vlan20-main pvid=20
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi1-capac-vlan30-guest pvid=30
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi2-capac-vlan30-guest pvid=30

/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1 untagged=wifi1-capac-vlan20-main,wifi2-capac-vlan20-main vlan-ids=20
add bridge=bridgeLocal tagged=bridgeLocal,ether1 untagged=wifi1-capac-vlan30-guest,wifi2-capac-vlan30-guest vlan-ids=30

/interface wifi cap
set slaves-static=yes
 
RicSan
just joined
Posts: 8
Joined: Tue Jul 05, 2022 9:47 am

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Sun Dec 01, 2024 11:39 am

Hi,
the configuration works fine on an hAP device as a CAP.
I was using the access list on the CAPSMAN (Wireless) to route wifi clients to different networks.

Doing this now on the new (WiFi) ends up in a log entry showing:
Disassociated, can not assign VLAN, maximum VLAN count for interface reached

Is there a way to use access list to force a different vlan ID to a wifi client without upgrading to hAX hardware?
 
rrawstron
just joined
Posts: 8
Joined: Mon Jun 20, 2016 11:19 am

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Tue Jan 07, 2025 4:43 am

@RicSan Sorry your question doesn't make sense to me (though I'm not a MikroTik expert).
My limited understanding is that access lists grant or deny access to a SSID.
And each SSID, i.e. wifi interface, is configured with a single VLAN.

Hence if you want the wifi client to use a different VLAN, a different SSID (configuration) is required e.g.
  • SSID1 --> VLAN10
  • SSID2 --> VLAN20
My earlier post describes how to configure this with AC and AX CAPs.

From the error I'd guess you're trying to assign multiple VLANs to a single SSID, i.e. wifi interface, which I didn't think was possible.
However someone more experienced might correct me on this.

I'd suggest starting a new thread topic for this.
 
rrawstron
just joined
Posts: 8
Joined: Mon Jun 20, 2016 11:19 am

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Tue Jan 07, 2025 5:28 am

An update to the earlier working config examples to setup wifi VLANs with cAP AC, cAP AX and CAPsMAN, this time including a management VLAN.
  • RB960PGS running CAPsMAN
  • RBcAPGi-5acD2nD cAP AC connected to eth4
  • cAPGi-5HaxD2HaxD cAP AX connected to eth5
  • cAP AC wifi configured via cAP VLAN interfaces
  • cAP AX wifi configured via CAPsMAN datapath VLAN
  • All devices running v7.16.2
  • VLAN 10 - management VLAN + CAPsMAN
  • VLAN 20 - cAP AC client wifi with SSID = Access McAccessPoint
  • VLAN 30 - cAP AC guest wifi with SSID = Access McAccessPoint-Guest
  • VLAN 40 - cAP AX client wifi with SSID = Testy McTesticle
  • VLAN 50 - cAP AX guest wifi with SSID = Testy McTesticle-Guest
  • Router <> cAP VLANs configured as trunks
  • DHCP configured for each VLAN
  • CAPsMAN configured for VLAN 10 (management)
WARNING: The config below aligns with the ordering when exporting config.
Running commands to admit-only-vlan-tagged packets on interfaces may lock you out of the device if you are connected via that interface.
e.g. on a cAP AC or cAP AX, if you are connected via ether1, run these commands at the end/as the very last step.
/interface bridge port
add bridge=bridgeLocal frame-types=admit-only-vlan-tagged interface=ether1

And don't forget to secure your network with firewall rules kids!


RB960PGS running CAPsMAN
/interface bridge
set [ find comment=defconf ] vlan-filtering=yes

/interface vlan
add interface=bridge name=vlan10-mgmt vlan-id=10
add interface=bridge name=vlan20-client-capac vlan-id=20
add interface=bridge name=vlan30-guest-capac vlan-id=30
add interface=bridge name=vlan40-client-capax vlan-id=40
add interface=bridge name=vlan50-guest-capax vlan-id=50

# NOTE: This could be simplified if frequencies weren't specified for 2Ghz AX, 2Ghz N, 5Ghz AC, 5Ghz AX
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412-2462 name=cap-ch2ax skip-dfs-channels=10min-cac
add band=2ghz-n disabled=no frequency=2412-2462 name=cap-ch2n skip-dfs-channels=10min-cac
add band=5ghz-ac disabled=no name=cap-ch5ac skip-dfs-channels=10min-cac
add band=5ghz-ax disabled=no name=cap-ch5ax skip-dfs-channels=10min-cac

/interface wifi datapath
add bridge=bridge disabled=no name=cap-dp-ac
add bridge=bridge disabled=no name=cap-dp-ax40-client vlan-id=40
add bridge=bridge disabled=no name=cap-dp-ax50-guest vlan-id=50

# NOTE: This could be simplified if unique passwords weren't required for each VLAN
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=cap-secwpa3-vlan20-client
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=cap-secwpa3-vlan30-guest
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=cap-secwpa3-vlan40-client
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=cap-secwpa3-vlan50-guest

# NOTE: The steering/neighbor groups are only created after an initial CAPsMAN provisioning i.e. must be added after
/interface wifi steering
add disabled=no name=cap-steering-capac-vlan20-client neighbor-group="dynamic-Access McAccessPoint-f3ea40ae"
add disabled=no name=cap-steering-capac-vlan30-guest neighbor-group="dynamic-Access McAccessPoint-Guest-f3ea40ae"
add disabled=no name=cap-steering-capax-vlan40-client neighbor-group="dynamic-Testy McTesticle-f3ea40ae"
add disabled=no name=cap-steering-capax-vlan50-guest neighbor-group="dynamic-Testy McTesticle-f3ea40ae"

# NOTE: The steering/neighbor groups are only created after an initial CAPsMAN provisioning i.e. must be added after
/interface wifi configuration
add channel=cap-ch2n country="New Zealand" datapath=cap-dp-ac disabled=no name=cap-cfg2n-vlan20-client security=cap-secwpa3-vlan20-client ssid="Access McAccessPoint" steering=cap-steering-capac-vlan20-client
add channel=cap-ch2n country="New Zealand" datapath=cap-dp-ac disabled=no name=cap-cfg2n-vlan30-guest security=cap-secwpa3-vlan30-guest ssid="Access McAccessPoint-Guest" steering=cap-steering-capac-vlan30-guest
add channel=cap-ch5ac country="New Zealand" datapath=cap-dp-ac disabled=no name=cap-cfg5ac-vlan20-client security=cap-secwpa3-vlan20-client ssid="Access McAccessPoint" steering=cap-steering-capac-vlan20-client
add channel=cap-ch5ac country="New Zealand" datapath=cap-dp-ac disabled=no name=cap-cfg5ac-vlan30-guest security=cap-secwpa3-vlan30-guest ssid="Access McAccessPoint-Guest" steering=cap-steering-capac-vlan30-guest
add channel=cap-ch2ax country="New Zealand" datapath=cap-dp-ax40-client disabled=no name=cap-cfg2ax-vlan40-client security=cap-secwpa3-vlan40-client ssid="Testy McTesticle" steering=cap-steering-capax-vlan40-client
add channel=cap-ch2ax country="New Zealand" datapath=cap-dp-ax50-guest disabled=no name=cap-cfg2ax-vlan50-guest security=cap-secwpa3-vlan50-guest ssid="Testy McTesticle-Guest" steering=cap-steering-capax-vlan50-guest
add channel=cap-ch5ax country="New Zealand" datapath=cap-dp-ax40-client disabled=no name=cap-cfg5ax-vlan40-client security=cap-secwpa3-vlan40-client ssid="Testy McTesticle" steering=cap-steering-capax-vlan40-client
add channel=cap-ch5ax country="New Zealand" datapath=cap-dp-ax50-guest disabled=no name=cap-cfg5ax-vlan50-guest security=cap-secwpa3-vlan50-guest ssid="Testy McTesticle-Guest" steering=cap-steering-capax-vlan50-guest

/ip pool
add name=ipv4-pool-dhcp-vlan10 ranges=10.10.10.200-10.10.10.254
add name=ipv4-pool-dhcp-vlan20 ranges=10.10.20.200-10.10.20.254
add name=ipv4-pool-dhcp-vlan30 ranges=10.10.30.200-10.10.30.254
add name=ipv4-pool-dhcp-vlan40 ranges=10.10.40.200-10.10.40.254
add name=ipv4-pool-dhcp-vlan50 ranges=10.10.50.200-10.10.50.254

/ip dhcp-server
add address-pool=ipv4-pool-dhcp-vlan10 interface=vlan10-mgmt name=dhcpv4-server-vlan10
add address-pool=ipv4-pool-dhcp-vlan20 interface=vlan20-client-capac name=dhcpv4-server-vlan20
add address-pool=ipv4-pool-dhcp-vlan30 interface=vlan30-guest-capac name=dhcpv4-server-vlan30
add address-pool=ipv4-pool-dhcp-vlan40 interface=vlan40-client-capax name=dhcpv4-server-vlan40
add address-pool=ipv4-pool-dhcp-vlan50 interface=vlan50-guest-capax name=dhcpv4-server-vlan50

# WARNING: If you are connected via ether4 or ether5 this config may lock you out WARNING
# WARNING: If you are connected via ether4 or ether5 run these commands at end WARNING
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5

/interface bridge vlan
add bridge=bridge tagged=bridge,ether4,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether4 vlan-ids=30
add bridge=bridge tagged=bridge,ether5 vlan-ids=40
add bridge=bridge tagged=bridge,ether5 vlan-ids=50

/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=vlan10-mgmt package-path="" require-peer-certificate=no upgrade-policy=none

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg2ax-vlan40-client slave-configurations=cap-cfg2ax-vlan50-guest supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg2n-vlan20-client slave-configurations=cap-cfg2n-vlan30-guest supported-bands=2ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg5ax-vlan40-client slave-configurations=cap-cfg5ax-vlan50-guest supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg5ac-vlan20-client slave-configurations=cap-cfg5ac-vlan30-guest supported-bands=5ghz-ac

/ip address
add address=10.10.10.1/24 interface=vlan10-mgmt network=10.10.10.0
add address=10.10.20.1/24 interface=vlan20-client-capac network=10.10.20.0
add address=10.10.30.1/24 interface=vlan30-guest-capac network=10.10.30.0
add address=10.10.40.1/24 interface=vlan40-client-capax network=10.10.40.0
add address=10.10.50.1/24 interface=vlan50-guest-capax network=10.10.50.0

/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.1 domain=vlan10.local gateway=10.10.10.1
add address=10.10.20.0/24 dns-server=10.10.20.1 domain=vlan20.local gateway=10.10.20.1
add address=10.10.30.0/24 dns-server=10.10.30.1 domain=vlan30.local gateway=10.10.30.1
add address=10.10.40.0/24 dns-server=10.10.40.1 domain=vlan40.local gateway=10.10.40.1
add address=10.10.50.0/24 dns-server=10.10.50.1 domain=vlan50.local gateway=10.10.50.1

cAP AC wifi configured via cAP VLAN interfaces
/interface bridge
set [ find comment=defconf ] vlan-filtering=yes

/interface vlan
add interface=ether1 name=vlan10-mgmt vlan-id=10

/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp

/interface wifi
set [ find default-name=wifi1 ] name=wifi1-capac-vlan20-client
set [ find default-name=wifi2 ] name=wifi2-capac-vlan20-client
add disabled=no master-interface=wifi1-capac-vlan20-client name=wifi1-capac-vlan30-guest
add disabled=no master-interface=wifi2-capac-vlan20-client name=wifi2-capac-vlan30-guest

# WARNING: If you are connected via ether1 this config may lock you out WARNING
# WARNING: If you are connected via ether1 run these commands at end WARNING
/interface bridge port
add bridge=bridgeLocal comment=defconf frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi1-capac-vlan20-client pvid=20
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi2-capac-vlan20-client pvid=20
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi1-capac-vlan30-guest pvid=30
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi2-capac-vlan30-guest pvid=30

/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=10
add bridge=bridgeLocal tagged=bridgeLocal,ether1 untagged=wifi1-capac-vlan20-client,wifi2-capac-vlan20-client vlan-ids=20
add bridge=bridgeLocal tagged=bridgeLocal,ether1 untagged=wifi1-capac-vlan30-guest,wifi2-capac-vlan30-guest vlan-ids=30

/interface wifi cap
set certificate=request discovery-interfaces=vlan10-mgmt enabled=yes slaves-datapath=capdp slaves-static=yes

/ip dhcp-client
add interface=vlan10-mgmt

cAP AX wifi configured via CAPsMAN datapath VLAN
/interface bridge
set [ find comment=defconf ] vlan-filtering=yes

/interface vlan
add interface=ether1 name=vlan10-mgmt vlan-id=10

/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp

#/interface wifi
# No configuration as managed by CAPsMAN

# WARNING: If you are connected via ether1 this config may lock you out WARNING
# WARNING: If you are connected via ether1 run these commands at end WARNING
/interface bridge port
add bridge=bridgeLocal frame-types=admit-only-vlan-tagged interface=ether1

/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=10
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=40
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=50

/interface wifi cap
set certificate=request discovery-interfaces=vlan10-mgmt enabled=yes slaves-datapath=capdp

/ip dhcp-client
add interface=vlan10-mgmt
Last edited by rrawstron on Tue Feb 04, 2025 4:54 am, edited 1 time in total.
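The two recurring pitfalls in this thread are the lockout when a trunk port goes admit-only-vlan-tagged before the management VLAN is in the bridge VLAN table, and (from neki's reply onward) a datapath VLAN that CAPsMAN pushes to the cAP but the cAP's uplink does not carry. The following Python script is an added example, not code from the thread or from MikroTik: it parses RouterOS export text with a simplified key=value reader and runs a pre-flight check over the bridge port and VLAN sections before you set vlan-filtering=yes. The uplink port name, management VLAN id, datapath VLAN ids and the two sample exports are constructed for the example; the sample deliberately reproduces the cAP AX layout above with VLAN 10 left out of the table.

```python
"""Pre-flight check of a cAP bridge VLAN export before enabling vlan-filtering.

Added example for the thread above, not MikroTik code. The export parser only
keeps key=value tokens, which covers the bridge port / bridge vlan / interface
vlan sections that matter here; '[ find ... ]' selectors are ignored.
"""
import shlex


def parse_export(text):
    """Turn RouterOS export text into {section: [ {key: value, ...}, ... ]}."""
    sections, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # section header such as '/interface bridge vlan'
            section = line
            sections.setdefault(section, [])
            continue
        if section is None:
            continue
        tokens = shlex.split(line)        # handles quoted values like country="New Zealand"
        entry = {"_cmd": tokens[0]}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[section].append(entry)
    return sections


def _vid_in(vid, spec):
    """True if VLAN id `vid` is covered by a vlan-ids spec such as '10,20-30'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if lo and int(lo) <= int(vid) <= int(hi or lo):
            return True
    return False


def check_cap_vlans(cap_export, uplink, mgmt_vlan, capsman_datapath_vlans=()):
    """Return a list of problems; an empty list means the VLAN config is consistent."""
    cfg = parse_export(cap_export)
    ports = {e["interface"]: e for e in cfg.get("/interface bridge port", []) if "interface" in e}
    vlan_table = cfg.get("/interface bridge vlan", [])
    bridges = {p.get("bridge") for p in ports.values()}
    problems = []

    def members(role, vid):
        """Interfaces listed as `role` ('tagged' or 'untagged') for VLAN `vid`."""
        out = set()
        for row in vlan_table:
            if _vid_in(vid, row.get("vlan-ids", "")):
                out.update(filter(None, row.get(role, "").split(",")))
        return out

    # 1. Uplink must be a pure trunk that carries the management VLAN tagged;
    #    otherwise vlan-filtering=yes drops the session you are configuring from.
    up = ports.get(uplink)
    if up is None:
        problems.append(f"{uplink} is not a bridge port")
    elif up.get("frame-types") != "admit-only-vlan-tagged":
        problems.append(f"{uplink} is not frame-types=admit-only-vlan-tagged")
    if uplink not in members("tagged", mgmt_vlan):
        problems.append(f"management VLAN {mgmt_vlan} is not tagged on {uplink}: lockout once vlan-filtering=yes")

    # 2. A management /interface vlan placed on the bridge needs the bridge itself
    #    as a tagged member, or the CPU never receives the management traffic.
    for v in cfg.get("/interface vlan", []):
        if v.get("vlan-id") == str(mgmt_vlan) and v.get("interface") in bridges:
            if v["interface"] not in members("tagged", mgmt_vlan):
                problems.append(f"bridge {v['interface']} is not a tagged member of VLAN {mgmt_vlan}")

    # 3. Every access port with an explicit pvid needs a matching untagged entry.
    for name, p in ports.items():
        pvid = p.get("pvid")
        if pvid and name not in members("untagged", pvid):
            problems.append(f"{name} has pvid={pvid} but is not untagged in VLAN {pvid}")

    # 4. VLANs that CAPsMAN assigns through a datapath must be trunked on the uplink.
    for vid in capsman_datapath_vlans:
        if uplink not in members("tagged", vid):
            problems.append(f"CAPsMAN datapath VLAN {vid} is not tagged on {uplink}")
    return problems


# Constructed sample: trunk on ether1, local admin port ether2, but VLAN 10
# (management) was never added to the bridge VLAN table.
BROKEN_CAP = """
/interface bridge
add name=bridgeLocal vlan-filtering=no
/interface vlan
add interface=bridgeLocal name=vlan10-mgmt vlan-id=10
/interface bridge port
add bridge=bridgeLocal frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=40
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=50
"""

# Same export with the missing management VLAN entry appended.
FIXED_CAP = BROKEN_CAP + """
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1 untagged=ether2 vlan-ids=10
"""

if __name__ == "__main__":
    for label, export in (("broken", BROKEN_CAP), ("fixed", FIXED_CAP)):
        print(label, check_cap_vlans(export, "ether1", 10, (40, 50)) or "OK")
```

Run it against the output of /export on the cAP (after pasting it into the script or reading it from a file) with the uplink name, the management VLAN and the vlan-id values of the CAPsMAN datapaths; an empty result is the point at which enabling vlan-filtering and switching the uplink to admit-only-vlan-tagged is safe to do as the last step.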
 
boxcee
newbie
Posts: 33
Joined: Tue Oct 15, 2024 11:12 am

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Sun Feb 02, 2025 10:56 am

Thanks a lot for the updated guide! Works well!

I have a suggestion, though. Perhaps put these lines for the cAP AX at the end:
/interface bridge port
add bridge=bridgeLocal frame-types=admit-only-vlan-tagged interface=ether1
If they are done too early, you will lock yourself out.
 
rrawstron
just joined
Posts: 8
Joined: Mon Jun 20, 2016 11:19 am

Re: Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Tue Feb 04, 2025 4:58 am

Hahahahah fair comment @boxcee :o

I've updated my post/config examples to warn about this.
At the moment the config is based on extracting relevant config from a working setup.
If I find time/get motivated I might change the post to have a step by step config like the original post.