dana1975
Frequent Visitor
Topic Author
Posts: 94
Joined: Sat Jul 04, 2009 8:32 pm

CAPsMAN vs VLAN

Tue Sep 23, 2014 1:12 pm

Hi all,
I connected the CAPsMAN and all CAPs through ether3, and all ether3 ports are connected to a trunk port on a Cisco switch. There is no static route or firewall rule or .....
Here is my configuration:
=================
CAPsMAN
/interface ethernet
set [ find default-name=ether3 ] name=ether3-CAPsLAN


/interface bridge
add name=bridge350
add name=bridge400


/interface vlan
add interface=ether3-CAPsLAN name=VLAN350 use-service-tag=yes vlan-id=350
add interface=ether3-CAPsLAN name=VLAN400 use-service-tag=yes vlan-id=400


/ip address
add address=10.20.90.1/24 interface=bridge350 network=10.20.90.0
add address=10.20.80.1/24 interface=bridge400 network=10.20.80.0
add address=10.20.70.1/24 interface=ether3-CAPsLAN network=10.20.70.0


/caps-man datapath
add bridge=bridge350 name=DATAPATH_VLAN350 vlan-id=350
add bridge=bridge400 name=DATAPATH_VLAN400 vlan-id=400


/caps-man channel
add band=2ghz-b/g/n frequency=2412 name=Channe350 width=20
add band=2ghz-b/g/n frequency=2432 name=Channel400 width=20

/caps-man configuration
add channel=Channe350 datapath=DATAPATH_VLAN350 mode=ap name=VLAN350 ssid=SSID_VLAN350
add channel=Channel400 datapath=DATAPATH_VLAN400 mode=ap name=VLAN400 ssid=SSID_VLAN400

/caps-man interface
#
add arp=enabled configuration=VLAN400 disabled=no l2mtu=1600 mac-address=\
D4:CA:6D:9F:35:13 master-interface=none mtu=1500 name=CAP_VLAN400 \
radio-mac=D4:CA:6D:9F:35:13
#
add arp=enabled configuration=VLAN350 disabled=no l2mtu=1600 mac-address=\
D4:CA:6D:9F:35:13 master-interface=CAP_VLAN400 mtu=1500 name=CAP_VLAN350 \
radio-mac=00:00:00:00:00:00

/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes

/caps-man provisioning
add master-configuration=VLAN400 slave-configurations=VLAN350

/interface bridge port
add bridge=bridge350 interface=VLAN350
add bridge=bridge400 interface=VLAN400

/ip dhcp-server network
add address=10.20.80.0/24 dns-server=10.20.80.1 domain=KCC-400.com gateway=10.20.80.1
add address=10.20.90.0/24 dns-server=10.20.90.1 domain=KCC-350.com gateway=10.20.90.1

/ip pool
add name=POOL400 ranges=10.20.80.20-10.20.80.100
add name=POOL350 ranges=10.20.90.20-10.20.90.100

/ip dhcp-server
add address-pool=POOL350 disabled=no interface=bridge350 name=DHCP350
add address-pool=POOL400 disabled=no interface=bridge400 name=DHCP400

/ip dns
set allow-remote-requests=yes servers=10.20.70.1,172.16.0.12,8.8.8.8

/system identity
set name=CAPsMAN
====================
CAPs
/interface wireless cap
set caps-man-addresses=10.20.70.1,10.20.80.1,10.20.90.1 certificate=request \
discovery-interfaces=ether3 enabled=yes interfaces=wlan1 \
lock-to-caps-man=yes

/ip address
add address=10.20.90.10/24 interface=ether3 network=10.20.90.0
add address=10.20.70.10/24 interface=ether3 network=10.20.70.0
add address=10.20.80.10/24 interface=ether3 network=10.20.80.0

/system identity
set name=CAP
============

There are some problems:
1- Users cannot connect to SSID_VLAN350.
2- If you connect to SSID_400 you will receive a 10.20.80.x/24 (VLAN400) IP address, but you can ping 10.20.90.1 (VLAN350).

What is the problem in my configuration?
I want to isolate all virtual AP users.

cheers
 
lordyaser
just joined
Posts: 11
Joined: Tue Sep 23, 2014 11:39 am

Re: CAPsMAN vs VLAN

Tue Sep 23, 2014 1:17 pm

 
omelendres
just joined
Posts: 10
Joined: Tue Mar 10, 2009 11:06 am

Re: CAPsMAN vs VLAN

Tue Sep 23, 2014 6:15 pm

Hi,

From a quick view, I noticed that the IP addresses are all configured on the ether3 physical interface, not on the VLAN interfaces.
This might solve issue 1.

For issue 2 you may add some firewall rules to the forward chain in order to block some traffic.

Cheers
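
Added example, not part of the replies in this thread: one way to write the forward-chain rules suggested for issue 2, using the bridge names and addresses from the posted CAPsMAN configuration. The input-chain rules are an addition, because a ping to 10.20.90.1 is addressed to the router itself and is not handled by the forward chain; the comment strings are made up.

```routeros
# Added example. Interface names and addresses are taken from the posted
# configuration; the comment= strings are made up for illustration.
# The poster has no other firewall rules. On a router that already has
# accept rules, these drops must be placed above them.
/ip firewall filter

# Routed traffic between the two client bridges goes through the forward chain.
add chain=forward in-interface=bridge350 out-interface=bridge400 action=drop \
    comment="isolate VLAN350 -> VLAN400"
add chain=forward in-interface=bridge400 out-interface=bridge350 action=drop \
    comment="isolate VLAN400 -> VLAN350"

# Packets addressed to the router's own address in the other VLAN are
# processed by the input chain, so the forward rules alone do not stop them.
# Matching on dst-address keeps DHCP and DNS to each VLAN's own gateway working.
add chain=input in-interface=bridge400 dst-address=10.20.90.1 action=drop \
    comment="VLAN400 clients to VLAN350 gateway address"
add chain=input in-interface=bridge350 dst-address=10.20.80.1 action=drop \
    comment="VLAN350 clients to VLAN400 gateway address"
```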
 
dana1975
Frequent Visitor
Topic Author
Posts: 94
Joined: Sat Jul 04, 2009 8:32 pm

Re: CAPsMAN vs VLAN

Wed Sep 24, 2014 8:16 am

Hi mate, thanks for your answer.
1- I removed the IP address of ether3, but I've got the same problem,
and when I use VLAN tagging in the datapath nobody can connect to SSID_VLAN350 (slave):
/caps-man datapath
add bridge=bridge350 name=DATAPATH_VLAN350 vlan-id=350
add bridge=bridge400 name=DATAPATH_VLAN400 vlan-id=400

And when I disable VLAN tagging in the datapath everything works fine!


2- I think when I use the VLAN, all networks must be isolated without writing any firewall rule.
