
cAP ax + CCR2004 + wifiwave2 + CAPsMAN

Posted: Fri Aug 18, 2023 3:36 pm
by dnnix
I have been running my CCR2004 with a couple cAP XL ac devices for a long time, very stable, no issues at all.

I recently replaced both my APs with cAP ax, and installed wifiwave2 on my CCR2004 to support them. I configured CAPsMAN in wifiwave2, but the cAP ax simply aren't provisioning. I'm sure I'm missing something, I just can't figure out what it is, and another set of eyes might help.

My network is very simple in concept, ether1 on the CCR2004 is WAN to my ISP, and everything else is just one giant bridge1. CAPsMAN is running on the CCR2004, and the cAP ax are on the CCR2004 and/or a downstream passive switch, but also on the same bridge1.

I'm just putting the cAP ax in "CAP" mode using the reset switches, though I have also tried to join them forcibly to the CAPsMAN through their config, and that doesn't work either. If I configure them manually without CAPsMAN, they work fine, so they aren't broken.

cAP ax are running 7.12beta1 + wifiwave2
CCR2004 is running 7.12beta1 + wifiwave2

Here's the configuration for the CCR2004 as it stands now:
# 2023-08-18 08:27:46 by RouterOS 7.12beta1
# software id = CWU8-WMJ4
#
# model = CCR2004-16G-2S+
# serial number = an-serial
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wifiwave2 datapath
add bridge=bridge1 disabled=no name=datapath1
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=yes disabled=no ft=yes ft-over-ds=yes name=\
    "FDCP Wifi Security" wps=disable
/interface wifiwave2 configuration
add chains="" channel.band=5ghz-ax .width=20/40/80mhz datapath=datapath1 disabled=no manager=capsman mode=ap name=\
    "Hector (5GHz)" security="FDCP Wifi Security" security.authentication-types="" ssid=Hector
add channel.band=2ghz-ax .width=20/40/80mhz country="United States" datapath=datapath1 disabled=no manager=capsman \
    mode=ap name="Florry (2.4GHz)" security="FDCP Wifi Security" security.authentication-types="" ssid=Florry
/ip pool
add name=dhcp_pool0 ranges=10.62.14.128-10.62.14.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=10m name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface wifiwave2 capsman
# failed to create CA certificate: name must be unique! (6)
set ca-certificate=auto enabled=yes interfaces=LAN package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration="Hector (5GHz)" radio-mac=00:00:00:00:00:00
add action=create-dynamic-enabled disabled=no master-configuration="Florry (2.4GHz)" radio-mac=00:00:00:00:00:00 \
    supported-bands=2ghz-n
/ip address
add address=10.62.14.1/24 comment="foo.com LAN range" interface=bridge1 network=10.62.14.0
/ip arp
add address=10.62.14.42 interface=bridge1 mac-address=98:06:3C:24:AB:C9
/ip cloud
set ddns-enabled=yes ddns-update-interval=20m
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.62.14.17 comment="clock.foo.com" mac-address=58:BF:25:C3:DC:13 server=dhcp1
/ip dhcp-server network
add address=10.62.14.0/24 dns-server=94.140.14.49,94.140.14.59 domain=foo.com gateway=10.62.14.1 ntp-server=\
    10.62.14.1
/ip dns
set servers=94.140.14.49,94.140.14.59
/ip dns static
add address=10.62.14.17 name=clock.foo.com
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.62.14.0/24,4.59.157.210/32,73.132.190.55/32
set ssh address=10.62.14.0/24,4.59.157.210/32,73.132.190.55/32
set api address=10.62.14.0/24,73.132.190.55/32
set winbox address=10.62.14.0/24,73.132.190.55/32
set api-ssl address=10.62.14.0/24,73.132.190.55/32
/system clock
set time-zone-name=America/New_York
/system identity
set name=rtr1
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
/system package update
set channel=testing
/system routerboard settings
set auto-upgrade=yes enter-setup-on=delete-key
/tool e-mail
set address=66.111.4.139 from=foo@foo.com port=465 tls=starttls user=foo@foo.com
I'm getting that cert error as you can see, and I have researched and seen that others did too, but I tried revoking/deleting all certs and I still get it, so I'm not sure if that's a red herring or what.

Any ideas?

Re: cAP ax + CCR2004 + wifiwave2 + CAPsMAN

Posted: Fri Aug 18, 2023 4:43 pm
by maigonis
On first read, it looks like you need to define better provisioning rules (define 5ghz ax and 2.4ghz ax as supported-bands), and also remove certs from the configuration.
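
An added example, not part of the thread and not MikroTik's own tooling: a small Python parser for a RouterOS export that lists what the reply above asks to review, namely provisioning rules whose `supported-bands` is absent or does not include the master configuration's `channel.band`, plus configurations that set `security.authentication-types=""` inline next to a security profile. The sample export is constructed from the first configuration posted in this thread, with the security profile name shortened to `sec1` and the `radio-mac` fields omitted; whether a flagged line is actually wrong has to be confirmed on the CAPsMAN itself.

```python
import re
import shlex

# Constructed sample: wifiwave2 lines modelled on the first export in the thread.
EXPORT = r'''
/interface wifiwave2 configuration
add chains="" channel.band=5ghz-ax .width=20/40/80mhz manager=capsman mode=ap name=\
    "Hector (5GHz)" security=sec1 security.authentication-types="" ssid=Hector
add channel.band=2ghz-ax .width=20/40/80mhz manager=capsman \
    mode=ap name="Florry (2.4GHz)" security=sec1 security.authentication-types="" ssid=Florry
/interface wifiwave2 provisioning
add action=create-dynamic-enabled master-configuration="Hector (5GHz)"
add action=create-dynamic-enabled master-configuration="Florry (2.4GHz)" supported-bands=2ghz-n
'''

def parse_export(text):
    """Return {menu path: [property dict, ...]} for the add/set lines of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    menus, path = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif path and line.split(" ", 1)[0] in ("add", "set"):
            props, prefix = {}, ""
            for tok in shlex.split(line)[1:]:
                key, sep, val = tok.partition("=")
                if not sep:
                    continue  # bare words such as "[", "find", "]"
                if key.startswith("."):  # ".width" continues the "channel." prefix
                    key = prefix + key
                if "." in key:
                    prefix = key.rsplit(".", 1)[0]
                props[key] = val
            menus.setdefault(path, []).append(props)
    return menus

def review(text):
    """List provisioning rules and security overrides worth a second look."""
    menus = parse_export(text)
    cfgs = {c.get("name", "?"): c for c in menus.get("/interface wifiwave2 configuration", [])}
    notes = [f"{n}: inline security.authentication-types is empty"
             for n, c in cfgs.items() if c.get("security.authentication-types") == ""]
    for rule in menus.get("/interface wifiwave2 provisioning", []):
        master, wanted = rule.get("master-configuration", ""), rule.get("supported-bands")
        band = cfgs.get(master, {}).get("channel.band")
        if wanted is None:
            notes.append(f"{master}: rule has no supported-bands filter")
        elif band not in wanted.split(","):
            notes.append(f"{master}: rule matches {wanted}, configuration uses {band}")
    return notes
```

Calling `review()` on the text of a real export returns one line per finding; an empty list means none of these three patterns was present.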

Re: cAP ax + CCR2004 + wifiwave2 + CAPsMAN

Posted: Sat Aug 19, 2023 4:06 am
by dnnix
Ok, I got rid of the cert issue (it needed a revocation and a reboot), and I vastly simplified even my simple config, but still no dice. Here's the config on the CCR2004 now:
# 2023-08-18 22:18:40 by RouterOS 7.12beta1
# software id = CWU8-WMJ4
#
# model = CCR2004-16G-2S+
# serial number = an serial
/interface bridge
add name=bridge1
/interface wifiwave2
add name=cap-wifi1
add name=cap-wifi2
add name=cap-wifi3
add name=cap-wifi4
/interface list
add name=WAN
add name=LAN
/interface wifiwave2 configuration
add channel.band=2ghz-n .width=20/40mhz country="United States" datapath.bridge=bridge1 .interface-list=all disabled=no manager=capsman mode=ap name=\
    Florry security.authentication-types=wpa2-psk .disable-pmkid=yes .ft=yes .ft-over-ds=yes .group-encryption=ccmp .wps=disable ssid=Florry
add channel.band=5ghz-ac .width=20/40/80mhz country="United States" datapath.bridge=bridge1 .interface-list=all disabled=no manager=capsman mode=ap \
    name=Hector security.authentication-types=wpa2-psk .disable-pmkid=yes .ft=yes .ft-over-ds=yes .group-encryption=ccmp .wps=disable ssid=Hector
/ip pool
add name=dhcp_pool0 ranges=10.62.14.128-10.62.14.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=10m name=dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=sfp-sfpplus2
/ip neighbor discovery-settings
set discover-interface-list=all lldp-med-net-policy-vlan=1
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface wifiwave2 capsman
set enabled=yes interfaces=LAN package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-enabled disabled=no master-configuration=Florry radio-mac=00:00:00:00:00:00 supported-bands=2ghz-ax
add action=create-enabled disabled=no master-configuration=Hector radio-mac=00:00:00:00:00:00 supported-bands=5ghz-ax
/ip address
add address=10.62.14.1/24 comment="foo.comLAN range" interface=bridge1 network=10.62.14.0
/ip arp
add address=10.62.14.42 interface=bridge1 mac-address=98:06:3C:24:AB:C9
/ip cloud
set ddns-enabled=yes ddns-update-interval=20m
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.62.14.17 comment="clock.foo.com (Kitchen)" mac-address=58:BF:25:C3:DC:13 server=dhcp1
server=dhcp1
/ip dhcp-server network
add address=10.62.14.0/24 dns-server=94.140.14.49,94.140.14.59 domain=foo.com.com gateway=10.62.14.1 ntp-server=10.62.14.1
/ip dns
set servers=94.140.14.49,94.140.14.59
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.62.14.0/24,4.59.157.210/32,73.132.190.55/32
set ssh address=10.62.14.0/24,4.59.157.210/32,73.132.190.55/32
set api address=10.62.14.0/24,73.132.190.55/32
set winbox address=10.62.14.0/24,73.132.190.55/32
set api-ssl address=10.62.14.0/24,73.132.190.55/32
/system clock
set time-zone-name=America/New_York
/system identity
set name=rtr1
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
/system package update
set channel=testing
/system routerboard settings
set auto-upgrade=yes enter-setup-on=delete-key
/tool e-mail
set address=66.111.4.139 from=fdcp@foo.com port=465 tls=starttls user=d@foo.com
On each of the cAP ax, the config is the same, typical CAP Mode stuff:
# 2023-08-18 21:53:17 by RouterOS 7.12beta1
# software id = PV0Z-J0LX
#
# model = cAPGi-5HaxD2HaxD
# serial number = an serial
/interface bridge
add admin-mac=48:A9:8A:C7:94:7E auto-mac=no comment=defconf name=bridgeLocal
/interface wifiwave2 datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifiwave2
# managed by CAPsMAN
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifiwave2 cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system clock
set time-zone-name=America/New_York
/system note
set show-at-login=no
The only thing I see on the CCR2004 is grayed out wifi interfaces:
Screenshot 2023-08-18 215831.jpg
The radios show up, and the remote CAPS, so there's at least connectivity, but simply no SSID being broadcast.

Re: cAP ax + CCR2004 + wifiwave2 + CAPsMAN

Posted: Sat Aug 19, 2023 5:12 am
by dnnix
...and if I just manually enable those interfaces, I get "SSID not set" (and still no broadcast of the network)
ssidnotset.jpg

Re: cAP ax + CCR2004 + wifiwave2 + CAPsMAN

Posted: Sun Aug 20, 2023 1:56 am
by dnnix
Ok, so this might be interesting. I basically got tired of trying CAPsMAN and decided to simply try the same configuration on one of the APs directly. I know the quickset works fine on these APs, so the radios do work, but, unfortunately, that configuration I tried in CAPsMAN before causes the same behavior (disabled interfaces) on the APs directly. I have no idea what the problem might be, things look in order.

Here's the config:
# 1970-01-02 00:17:14 by RouterOS 7.12beta1
# software id = IP66-BS4B
#
# model = cAPGi-5HaxD2HaxD
# serial number = an serial
/interface bridge
add name=bridge1
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.mode=ap
/interface list
add name=WAN
add name=LAN
/interface wifiwave2 channel
add band=5ghz-ac disabled=no name="(Compatibility) 5GHz AC"
add band=5ghz-ax disabled=no name="(Modern) 5GHz AX" width=20/40/80mhz
add band=2ghz-n disabled=no name="(Legacy) 2.4GHz" width=20mhz
/interface wifiwave2 datapath
add bridge=bridge1 disabled=no name="Main Bridge"
/interface wifiwave2 security
add authentication-types=wpa2-psk disable-pmkid=yes disabled=no encryption=ccmp ft=yes ft-over-ds=yes group-encryption=ccmp name="Compatibility Profile" wps=disable
add authentication-types=wpa3-psk disable-pmkid=yes disabled=no encryption=ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes group-encryption=ccmp name="Modern Security" wps=disable
/interface wifiwave2 configuration
add channel="(Compatibility) 5GHz AC" country="United States" datapath="Main Bridge" disabled=no manager=local mode=ap name="Hector (5GHz Compatibility)" security="Compatibility Profile" ssid=Hector
add channel="(Legacy) 2.4GHz" country="United States" datapath="Main Bridge" disabled=no manager=local mode=ap name="Florry (2.4GHz Legacy)" security="Compatibility Profile" ssid=Florry
add channel="(Modern) 5GHz AX" country="United States" datapath="Main Bridge" disabled=no manager=local mode=ap name="Zoe (5GHz Modern)" security="Modern Security" ssid=Zoe
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=*3
add bridge=bridge1 interface=*4
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration="Zoe (5GHz Modern)" radio-mac=00:00:00:00:00:00 slave-configurations="Hector (5GHz Compatibility)" supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration="Florry (2.4GHz Legacy)" radio-mac=00:00:00:00:00:00 supported-bands=2ghz-ax
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
/ip dhcp-client
add interface=ether1
/system note
set show-at-login=no
And the radios provision, but just never enable the interfaces:
grayed out.jpg
I just see nothing wrong... any ideas?

Re: cAP ax + CCR2004 + wifiwave2 + CAPsMAN

Posted: Sun Aug 20, 2023 6:30 am
by brg3466
I have a similar setup on CCR+cAP ax with CAPsMAN, which works fine. The config is below for your info.
# 2023-08-14 21:43:06 by RouterOS 7.10.2
#
# model = cAPGi-5HaxD2HaxD
# serial number 
/interface bridge
add name=bridge1
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    disabled=no
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wifi2
add bridge=bridge1 interface=wifi1
/ipv6 settings
set disable-ipv6=yes
/interface wifiwave2 cap
set discovery-interfaces=bridge1 enabled=yes
/ip dhcp-client
add interface=bridge1
/system clock
set time-zone-name=America/Los_Angeles

Re: cAP ax + CCR2004 + wifiwave2 + CAPsMAN

Posted: Sun Aug 20, 2023 11:08 am
by holvoetn
Reset the cap device and then use quickset.
What happens then?

Never use quickset after already applying config. You cannot be sure then how it is set up.
And after using quickset once, never use it again (same reason).

Re: cAP ax + CCR2004 + wifiwave2 + CAPsMAN

Posted: Sun Aug 20, 2023 1:26 pm
by complete2006
...and if I just manually enable those interfaces, I get "SSID not set" (and still no broadcast of the network)

ssidnotset.jpg
"SSID not set" was, in our case, the deletion of an SSID. Under Provisioning, the system is not deleting the slave config (replaced by something else)... Deleting the wrong slave removed the "SSID not set".