Stuck with new wifi-"capsman"

toolongformt · Tue Jun 11, 2024 4:53 pm

Hi,

I had 2 "wireless" (=older) devices running as accesspoints, my crs328 did the job as capsman (controller).
Now I wanted to switch to newer accesspoints and bought 2 cAPGi-5HaxD2HaxD
In one thread I read that I could use old and new capsman together, but it didn't work, so I canceled capsman on the crs328 and started the new wifi package on my VM.
That worked so far, I come (with my configuration settings for wifi) to the point where my first accesspoint "knows" that it is managed by my capsman.
My problem now is, that the accesspoint doesn't start showing the SSID, and both of the entries in chapter "WiFi" are empty so far; just showing wifi1 and wifi2, but empty.

On my first accesspoint:

[admin@MikroTik] /interface/wifi> export
# 2024-06-11 15:47:07 by RouterOS 7.15.1
# software id = 9J12-2RZ6
#
# model = cAPGi-5HaxD2HaxD
# serial number = ***
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] configuration.manager=capsman-or-local .mode=ap datapath=capdp
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp
/interface wifi cap
set caps-man-addresses=10.43.210.254 discovery-interfaces=LAN-Bridge enabled=yes slaves-datapath=capdp
/interface wifi datapath
add bridge=LAN-Bridge comment=defconf disabled=no name=capdp

On the VM:

# 2024-06-11 15:48:56 by RouterOS 7.15
# software id = 
#
/interface wifi
add name=cap-wifi1 radio-mac=D4:01:C3:94:99:A2
add name=cap-wifi2 radio-mac=D4:01:C3:94:99:A1
/interface wifi channel
add band=5ghz-n disabled=no frequency=2300-7300 name=channel1 skip-dfs-channels=all width=20mhz
add band=2ghz-n disabled=no frequency=2300-7300 name=channel2 skip-dfs-channels=all width=20mhz
/interface wifi datapath
add bridge=LAN-Bridge disabled=no name=datapath1 vlan-id=1
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=R403-Wifi6-security
/interface wifi configuration
add channel=channel1 country=Austria datapath=datapath1 datapath.bridge=LAN-Bridge disabled=no manager=capsman mode=ap name=R403-Wifi6 security=R403-Wifi6-security security.ft=no ssid=R403-Wifi6
add channel=channel2 country=Austria datapath=datapath1 disabled=no mode=ap name=R403-Wifi.alt security=R403-Wifi6-security ssid=R403-Wifi.alt
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=LAN-Bridge package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=R403-Wifi6 radio-mac=00:00:00:00:00:00

I compared the config with a lot of guides, but I cannot see "the" mistake. I know there can be improvements, but at first I wanted to see wifi and do a first simple test with my enduser devices.

added
(1) on the capsman controller I see the accesspoint under "remote cap"
(2) instead provisioning as "create enabled" I also tested dynamically
(3) on the controller I also see 2 cap-interfaces cap-wifi1 and cap-wifi2
(4) this vm is my main router / firewall / ... I have a rule to allow any traffic within the subnet, so incoming and outgoing within the local lan is (should be, if I didn't a mistake) allowed.

I'm thankful for anykind of help!
Erik

toolongformt · Tue Jun 11, 2024 4:56 pm

oh, just as additional info: the second config "r403.alt" (english "old") is deactivated at the moment (not in provisioning list). Wanted to narrow down, but I'm not sure if this is useful.

erlinden · Wed Jun 12, 2024 9:39 am

Tha CAPs config isn't complete, did you remove anything from it?
If not, please reset the device to CAPS Mode (/system/reset configuration).
Otherwise, please post full config.

In regards to your server, start from a bare minimum:

#create a security profile
/interface wifi security
add authentication-types=wpa2-psk name=sec1 passphrase=*****************
 
#create configuraiton profiles to use for provisioning
/interface wifi configuration
add country=Austria name=config security=sec1 ssid=R403-Wifi6
 
#configure provisioning rules, configure band matching as needed
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=config supported-bands=5ghz-n
# might be redundant when leaving supported-bands behind, not sure if possible
add action=create-dynamic-enabled master-configuration=config supported-bands=2ghz-n 

#enable CAPsMAN service
/interface wifi capsman
set ca-certificate=auto enabled=yes

The documentation might be usefull:
https://help.mikrotik.com/docs/display/ ... ionexample:

toolongformt · Wed Jun 12, 2024 9:57 am

Hi Erlinden,

Thanks for the link to the manual, I used it as the primary source for my work... so I don't see where I made the mistake...

yes, both CAPS are just bought, out of the box, reset to CAPS mode, and configured like the manual says (of course with my IP etc..)

(The second isn't even visible for winbox, but that's another issue.)

The config from the one that I can manage:

[admin@MikroTik] > export verbose 
# 2024-06-12 08:49:16 by RouterOS 7.15.1
# software id = 9J12-2RZ6
#
# model = cAPGi-5HaxD2HaxD
# serial number = ***
/interface bridge
add admin-mac=D4:01:C3:94:99:9F ageing-time=5m arp=enabled arp-timeout=auto auto-mac=no comment=defconf dhcp-snooping=no disabled=no \
    fast-forward=yes forward-delay=15s igmp-snooping=no max-message-age=20s mtu=auto mvrp=no name=bridgeLocal port-cost-mode=long priority=\
    0x8000 protocol-mode=rstp transmit-hold-count=6 vlan-filtering=no
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=\
    enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1568 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=D4:01:C3:94:99:9F mtu=1500 name=ether1 orig-mac-address=\
    D4:01:C3:94:99:9F rx-flow-control=off tx-flow-control=off
set [ find default-name=ether2 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full arp=\
    enabled arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no l2mtu=1568 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=D4:01:C3:94:99:A0 mtu=1500 name=ether2 orig-mac-address=\
    D4:01:C3:94:99:A0 poe-out=auto-on poe-priority=10 power-cycle-interval=none !power-cycle-ping-address power-cycle-ping-enabled=no \
    !power-cycle-ping-timeout rx-flow-control=off tx-flow-control=off
/queue interface
set bridgeLocal queue=no-queue
/interface ethernet switch
set 0 !cpu-flow-control mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
/interface ethernet switch port-isolation
set 0 !forwarding-override
set 1 !forwarding-override
set 2 !forwarding-override
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" include="" name=static
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=none default-route-distance=2 ip-type=auto name=default \
    use-network-apn=yes use-peer-dns=yes
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# no connection to CAPsMAN
add arp-timeout=auto configuration.manager=capsman datapath=capdp disabled=yes mac-address=D4:01:C3:94:99:A1 name=wifi1 radio-mac=\
    D4:01:C3:94:99:A1
# no connection to CAPsMAN
add arp-timeout=auto configuration.manager=capsman datapath=capdp disabled=yes mac-address=D4:01:C3:94:99:A2 name=wifi2 radio-mac=\
    D4:01:C3:94:99:A2
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot html-directory-override="" http-cookie-lifetime=3d \
    http-proxy=0.0.0.0:0 install-hotspot-queue=no login-by=cookie,http-chap name=default smtp-server=0.0.0.0 split-user-domain=no use-radius=\
    no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d \
    name=default !parent-queue !queue-type shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec mode-config
set [ find default=yes ] name=request-only responder=no use-responder-dns=exclusively
/ip ipsec policy group
set [ find default=yes ] name=default
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048,modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=aes-128,3des hash-algorithm=sha1 \
    lifetime=1d name=default nat-traversal=yes proposal-check=obey
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc lifetime=30m name=default \
    pfs-group=modp1024
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ppp profile
set *0 address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes !dns-server \
    !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default on-down="" on-up="" only-one=default \
    !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default use-encryption=default \
    use-ipv6=yes use-mpls=default use-upnp=default !wins-server
set *FFFFFFFE address-list="" !bridge !bridge-horizon bridge-learning=default !bridge-path-cost !bridge-port-priority change-tcp-mss=yes \
    !dns-server !idle-timeout !incoming-filter !insert-queue-before !interface-list !local-address name=default-encryption on-down="" on-up="" \
    only-one=default !outgoing-filter !parent-queue !queue-type !rate-limit !remote-address !session-timeout use-compression=default \
    use-encryption=yes use-ipv6=yes use-mpls=default use-upnp=default !wins-server
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
# no connection to CAPsMAN
set wifi1 queue=wireless-default
# no connection to CAPsMAN
set wifi2 queue=wireless-default
/routing bgp template
set default as=65530 name=default
/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=no encryption-protocol=DES name=public read-access=yes security=\
    none write-access=no
/system logging action
set 0 memory-lines=1000 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=1000 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=0.0.0.0 remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto \
    syslog-time-format=bsd-syslog target=remote
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy skin=\
    default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy skin=\
    default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,rest-api skin=\
    default
/certificate settings
set crl-download=no crl-store=ram crl-use=no
/console settings
set sanitize-names=no
/disk settings
set auto-media-interface=none auto-media-sharing=no auto-smb-sharing=no auto-smb-user=guest
/ip smb
set comment=MikrotikSMB domain=MSHOME enabled=auto interfaces=all
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=\
    admit-all horizon=none hw=yes ingress-filtering=yes interface=ether1 !internal-path-cost learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridgeLocal broadcast-flood=yes comment=defconf disabled=no edge=auto fast-leave=no frame-types=\
    admit-all horizon=none hw=yes ingress-filtering=yes interface=ether2 !internal-path-cost learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes unknown-unicast-flood=yes
/interface bridge port-controller
# disabled
set bridge=none cascade-ports="" switch=none
/interface bridge port-extender
# disabled
set control-ports="" excluded-ports="" switch=none
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m udp-stream-timeout=3m udp-timeout=30s
/ip neighbor discovery-settings
set discover-interface-list=static lldp-mac-phy-config=no lldp-max-frame-size=no lldp-med-net-policy-vlan=disabled lldp-poe-power=yes mode=\
    tx-and-rx protocol=cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes arp-timeout=30s icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    max-neighbor-entries=16384 rp-filter=no secure-redirects=yes send-redirects=yes tcp-syncookies=no
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled disable-ipv6=no forward=yes \
    max-neighbor-entries=14336
/interface detect-internet
set detect-interface-list=none internet-interface-list=none lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address \
    default-profile=default-encryption enabled=no keepalive-timeout=30 l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 \
    !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface lte settings
set firmware-path=firmware mode=auto
/interface ovpn-server server
set auth=sha1,md5,sha256,sha512 certificate=*0 cipher=blowfish128,aes128-cbc default-profile=default enable-tun-ipv6=no enabled=no \
    ipv6-prefix-len=64 keepalive-timeout=60 mac-address=FE:2C:AD:71:C5:94 max-mtu=1500 mode=ip netmask=24 port=1194 protocol=tcp push-routes=\
    "" redirect-gateway=disabled reneg-sec=3600 require-client-certificate=no tls-version=any tun-server-ipv6=::
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none ciphers=aes256-sha,aes256-gcm-sha384 default-profile=default enabled=no \
    keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled pfs=no port=443 tls-version=any verify-client-certificate=no
/interface wifi cap
set caps-man-addresses=10.43.210.254 certificate=request discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/interface wifi capsman
set enabled=no
/ip cloud
set back-to-home-vpn=revoked-and-disabled ddns-enabled=no ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-client
add add-default-route=yes comment=defconf default-route-distance=1 dhcp-options=hostname,clientid disabled=no interface=bridgeLocal \
    use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=5m
/ip dns
set address-list-extra-time=0s allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB doh-max-concurrent-queries=50 \
    doh-max-server-connections=5 doh-timeout=5s max-concurrent-queries=100 max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 \
    query-server-timeout=2s query-total-timeout=10s servers="" use-doh-server="" verify-doh-cert=no vrf=main
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip media settings
set thumbnails=""
/ip nat-pmp
set enabled=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no src-address=::
/ip service
set telnet address="" disabled=no port=23 vrf=main
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80 vrf=main
set ssh address="" disabled=no port=22 vrf=main
set www-ssl address="" certificate=none disabled=yes port=443 tls-version=any vrf=main
set api address="" disabled=no port=8728 vrf=main
set winbox address="" disabled=no port=8291 vrf=main
set api-ssl address="" certificate=none disabled=no port=8729 tls-version=any vrf=main
/ip smb shares
set [ find default=yes ] directory=pub disabled=yes invalid-users="" name=pub read-only=no require-encryption=no valid-users=""
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=200 port=1080 version=4 vrf=main
/ip ssh
set allow-none-crypto=no always-allow-password-login=no forwarding-enabled=no host-key-size=2048 host-key-type=rsa strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=128k enabled=no inactive-flow-timeout=15s interfaces=all packet-sampling=no sampling-interval=0 \
    sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=\
    yes igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes ipv6-flow-label=yes is-multicast=yes last-forwarded=yes \
    nat-dst-address=yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes out-interface=yes packets=yes protocol=yes \
    src-address=yes src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes \
    tcp-window-size=yes tos=yes ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes disabled=no dns="" hop-limit=unspecified interface=all \
    managed-address-configuration=no mtu=unspecified other-configuration=no pref64="" ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m \
    ra-preference=medium reachable-time=unspecified retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/mpls settings
set allow-fast-path=yes dynamic-label-range=16-1048575 propagate-ttl=yes
/ppp aaa
set accounting=yes enable-ipv6-accounting=no interim-update=0s use-circuit-id-in-nas-port-id=no use-radius=no
/radius incoming
set accept=no port=3799 vrf=main
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing settings
set single-process=no
/snmp
set contact="" enabled=no engine-id-suffix="" location="" src-address=:: trap-community=public trap-generators=temp-exception trap-target="" \
    trap-version=1 vrf=main
/system clock
set time-zone-autodetect=yes time-zone-name=Europe/Vienna
/system clock manual
set dst-delta=+00:00 dst-end="1970-01-01 00:00:00" dst-start="1970-01-01 00:00:00" time-zone=+00:00
/system identity
set name=MikroTik
/system leds
set 0 disabled=no leds=poe-led type=poe-out
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-cli-login=no show-at-login=no
/system ntp client
set enabled=no mode=unicast servers="" vrf=main
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no local-clock-stratum=5 manycast=no multicast=no use-local-clock=no vrf=main
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
set 8 cpu=auto
set 9 cpu=auto
set 10 cpu=auto
set 11 cpu=auto
set 12 cpu=auto
set 13 cpu=auto
set 14 cpu=auto
set 15 cpu=auto
set 16 cpu=auto
set 17 cpu=auto
set 18 cpu=auto
set 19 cpu=auto
set 20 cpu=auto
set 21 cpu=auto
set 22 cpu=auto
set 23 cpu=auto
set 24 cpu=auto
set 25 cpu=auto
set 26 cpu=auto
set 27 cpu=auto
set 28 cpu=auto
set 29 cpu=auto
set 30 cpu=auto
set 31 cpu=auto
set 32 cpu=auto
set 33 cpu=auto
set 34 cpu=auto
set 35 cpu=auto
set 36 cpu=auto
set 37 cpu=auto
set 38 cpu=auto
set 39 cpu=auto
set 40 cpu=auto
set 41 cpu=auto
set 42 cpu=auto
set 43 cpu=auto
set 44 cpu=auto
set 45 cpu=auto
set 46 cpu=auto
set 47 cpu=auto
set 48 cpu=auto
/system resource irq rps
set ether1 disabled=yes
set ether2 disabled=yes
/system resource usb settings
set authorization=no
/system routerboard mode-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard settings
set auto-upgrade=no boot-device=nand-if-fail-then-ethernet boot-protocol=bootp force-backup-booter=no preboot-etherboot=disabled \
    preboot-etherboot-server=any protected-routerboot=disabled reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes ping-start-after-boot=5m ping-timeout=1m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set from=<> port=25 server=0.0.0.0 tls=no user="" vrf=main
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=all
/tool mac-server mac-winbox
set allowed-interface-list=all
/tool mac-server ping
set enabled=yes
/tool romon
set enabled=no id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all
/tool sms
set allowed-number="" channel=0 port=none receive-enabled=no sms-storage=sim
/tool sniffer
set file-limit=1000KiB file-name="" filter-cpu="" filter-direction=any filter-dst-ip-address="" filter-dst-ipv6-address="" \
    filter-dst-mac-address="" filter-dst-port="" filter-interface="" filter-ip-address="" filter-ip-protocol="" filter-ipv6-address="" \
    filter-mac-address="" filter-mac-protocol="" filter-operator-between-entries=or filter-port="" filter-size="" filter-src-ip-address="" \
    filter-src-ipv6-address="" filter-src-mac-address="" filter-src-port="" filter-stream=no filter-vlan="" memory-limit=100KiB memory-scroll=\
    yes only-headers=no quick-rows=20 quick-show-frame=no streaming-enabled=no streaming-server=0.0.0.0:37008
/tool traffic-generator
set latency-distribution-max=100us measure-out-of-order=no stats-samples-to-keep=100 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no
/user settings
set minimum-categories=0 minimum-password-length=0

erlinden · Wed Jun 12, 2024 10:04 am

Can you please do a standard export instead of verbose?

toolongformt · Wed Jun 12, 2024 10:05 am

In regards to your server, start from a bare minimum:

#create a security profile
/interface wifi security
add authentication-types=wpa2-psk name=sec1 passphrase=*****************
 
#create configuraiton profiles to use for provisioning
/interface wifi configuration
add country=Austria name=config security=sec1 ssid=R403-Wifi6
 
#configure provisioning rules, configure band matching as needed
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=config supported-bands=5ghz-n
# might be redundant when leaving supported-bands behind, not sure if possible
add action=create-dynamic-enabled master-configuration=config supported-bands=2ghz-n 

#enable CAPsMAN service
/interface wifi capsman
set ca-certificate=auto enabled=yes

The documentation might be usefull:
https://help.mikrotik.com/docs/display/ ... ionexample:

done. Checked the config in winbox, seems identical, but the accesspoints didn't see capsman anymore.
Played around with the interface, and at some point the accesspoint changed to "managed by capsman". But there's still no wifi.

toolongformt · Wed Jun 12, 2024 10:14 am

Standard export from the cAP ax:

[admin@MikroTik] > export        
# 2024-06-12 09:14:20 by RouterOS 7.15.1
# software id = 9J12-2RZ6
#
# model = cAPGi-5HaxD2HaxD
# serial number = **
/interface bridge
add admin-mac=D4:01:C3:94:99:9F auto-mac=no comment=defconf name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifi cap
set caps-man-addresses=10.43.210.254 discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system clock
set time-zone-name=Europe/Vienna
/system note
set show-at-login=no

erlinden · Wed Jun 12, 2024 10:24 am

Did you do this manually on the CAPsMAN?

/interface wifi
add name=cap-wifi1 radio-mac=D4:01:C3:94:99:A2
add name=cap-wifi2 radio-mac=D4:01:C3:94:99:A1

toolongformt · Wed Jun 12, 2024 10:27 am

Did you do this manually on the CAPsMAN?
Code: Select all
/interface wifi
add name=cap-wifi1 radio-mac=D4:01:C3:94:99:A2
add name=cap-wifi2 radio-mac=D4:01:C3:94:99:A1

no.
Those are the 2 mac adresses from the first cAP ax... in the gui they appeared after the ap sees the capsman...

neki · Wed Jun 12, 2024 10:30 am

Try to remove radio-mac

/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=R403-Wifi6 radio-mac=00:00:00:00:00:00

radio-mac (MAC address) MAC address of radio to be matched. No default value.

toolongformt · Wed Jun 12, 2024 10:33 am

Try to remove radio-mac
Code: Select all
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=R403-Wifi6 radio-mac=00:00:00:00:00:00
radio-mac (MAC address) MAC address of radio to be matched. No default value.

???
//EDIT: I understand, you took that info from the original configuration, which I replaced with the suggested simple one. In the current config is no 00:...00 anymore. It's empty.

[admin@VM-Router-R403] /interface/wifi/provisioning> export
# 2024-06-12 09:32:31 by RouterOS 7.15
# software id = 
#
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=config supported-bands=\
    5ghz-n
[admin@VM-Router-R403] /interface/wifi/provisioning>

cbka · Wed Jun 12, 2024 10:38 am

same issue here as with TO - tried your solution with removing mac but no luck still

toolongformt · Wed Jun 12, 2024 10:42 am

same issue here as with TO - tried your solution with removing mac but no luck still

Hi cbka, which device do you use as capsman?

neki · Wed Jun 12, 2024 10:43 am

I saw it here....

mfc1.png

toolongformt · Wed Jun 12, 2024 10:46 am

ok neki, I got it. Was a little confused because that was an "older" config.

cbka · Wed Jun 12, 2024 10:54 am

same issue here as with TO - tried your solution with removing mac but no luck still
Hi cbka, which device do you use as capsman?

HAP AX^3

toolongformt · Wed Jun 12, 2024 11:02 am

ok, so we can say, it doesn't make a difference if the capsman has its own wireless integrated, or, like my situation, the capsman is a vm with just 2 ethernetports and no own wireless cards.

erlinden · Wed Jun 12, 2024 11:14 am

HAP AX^3

Can you follow this link by the letter to see if you get it to work:
https://youtu.be/37aff6d14Xk?feature=shared

ok, so we can say, it doesn't make a difference if the capsman has its own wireless integrated, or, like my situation, the capsman is a vm with just 2 ethernetports and no own wireless cards.

Can you make all changes and report if it gave a solution, together with the latest config?
And make sure that CAPs can reach the CAPsMAN.

toolongformt · Wed Jun 12, 2024 11:23 am

https://youtu.be/37aff6d14Xk?feature=shared

nothing new, I used that source of knowledge as well.
Still I have "SSID not set" in both wifis

toolongformt · Wed Jun 12, 2024 11:32 am

SOLUTION (for me)...
on the capsman (!):
* enable capsman as client and set itself as the capsman
* under wifi - wifi delete the 2 wifi entries. They are now recreated automatically, and instantly it gets its own configuration, and the same config moves to the accesspoint.

Now I see my wifi, on 2 and 5 GHz (I didn't separate the 2 configs for channels, bands or anything, just left everything blank).
But THE trick for me was to delete the 2 entries in wifi -> wifi

Now I can play with datapath etc, because I don't get an ip address...

toolongformt · Wed Jun 12, 2024 12:33 pm

so I have to add, that after I "normalized" names of interfaces, bridges, other entries, etc... I'm back at "SSID not set"

The two accesspoints see the capsman and log that they are connected, but nothing more.
Now I don't get wifi to run.
My last positive state was, that my ipad sees wifi6 and tries to connect, but without getting an IP.
Therefore I wanted to sort and cleanup, but in the end it seems that I messed up again... and I can't find the problem...

toolongformt · Wed Jun 12, 2024 8:09 pm

at that point I need to tell mikrotik something:
I don't know what your understanding of quality assurance is, but the current situation could have more

I had a running config on the cap ax, and only renaming (!) some entries set it completely out of function. The config itself was correct!
I didn't get the ap up and running, no matter what I did. Only a reset to caps-mode made it work again.
So, now guess, I imported the exactly same config as I saved before, and then it runs.
So if you find somebody who can tell me why delete and replay the same config makes the difference between "doesn't work at all" and "works at once", please... let us know.
There are a lot of threads with the same problems I had, and nowhere was a solution ... I mean a solution like "THIS does the trick, THIS was the error, THIS has helped".
I only found "somehow", "after reset",... if at all...

I'm not angry and don't want to say "it's c***p"... No, just the opposite. The system itself is very good and knowing some basics you can get capsman relatively easy up and running.
But never change a word afterwards.

The one and only open question is: why is the config not running until I reset the device and replay the same config back?
It would clearly be a step forward to find that out and work on the issue.

To everyone in this thread, your tips were all helpful! Again I learned a lot, especially about the new capsman "WiFi".
My thanks to all of you! And if someone wants to know more about my current settings, I could post them... but they aren't different from the latest prints. Just re-imported.
Please let me know if someone goes the same way and has the same success with the new capsman.

best regards!

toolongformt · Wed Jun 12, 2024 8:37 pm

and another thing: please test "set identity".
And pelase let us know when it will work as expected

Meanwhile I try to find out, which of my devices is "unknown", and wich is "unknown" ...

toolongformt · Wed Jun 12, 2024 8:51 pm

after 2 more tests I can tell you that there must be a huge problem with 7.15.1
As soon as something is changed, no matter what, and no matter if you change it back, the ap is not responding anymore or setting back the config.
It ALWAYS (!) ends in "SSID not set".

I can prove that live, if you want.
That is a clear sign, that this version is not "stable", it's far from beta, because THAT is fooling me.

Mikrotik, tell me, when you get your stuff running stable. Again I have to say, I'll take my new APs from the wall and replace it with my old hardware.

20 minutes ago I was happy to see 2 ap's up and running, but renaming one of them set the clomplete system out of work.
That is not professional, that is still beginner level, sorry. Get your stuff together, mikrotik...

toolongformt · Wed Jun 12, 2024 9:32 pm

next thing I found, has to do with the high quality...
as soon as I changed something (name of a bridge e.g.), "set wifi1,wifi2 configuration.manager=capsman-or-local" is completely GONE on all accesspoints!
Every change removes that line from all accesspoints. Why?
I was looking for a setting like "deactivate all ap's instantly if at least one setting is changed after (initial) provisioning".

infabo · Wed Jun 12, 2024 9:49 pm

you most probably have create-dynamic-enabled provisioning rules.

infabo · Wed Jun 12, 2024 10:07 pm

That is not professional, that is still beginner level, sorry.

A fault confessed is half redressed.

toolongformt · Wed Jun 12, 2024 10:43 pm

you most probably have create-dynamic-enabled provisioning rules.

this or without dynamic and manually... plays no role. The setting is gone.
Maybe it's a security feature? Don't know... I must have missed that in some documentation

toolongformt · Wed Jun 12, 2024 11:57 pm

HAP AX^3
Can you follow this link by the letter to see if you get it to work:
https://youtu.be/37aff6d14Xk?feature=shared

ok, so we can say, it doesn't make a difference if the capsman has its own wireless integrated, or, like my situation, the capsman is a vm with just 2 ethernetports and no own wireless cards.
Can you make all changes and report if it gave a solution, together with the latest config?
And make sure that CAPs can reach the CAPsMAN.

connection to capsman... hm, it drops when I leave the room. I see it on my monitor... when I come back, it needs some seconds and the aps are connected to capsman.
When I walk away, after 5m the connection from ap to capsman goes down.

toolongformt · Thu Jun 13, 2024 10:21 am

next problem: a further new device denies every kind of access. Reset doesn't work. This device came dead on arrival.

Mikrotik, maybe (!) you could warn customers that they must have a neverending amount of patience.

toolongformt · Thu Jun 13, 2024 3:00 pm

and after a while all aps heft left their connection to capsman... out of nothing...

really, this is not ready, mikrotik...

erlinden · Thu Jun 13, 2024 3:10 pm

really, this is not ready, mikrotik...

I can assure you, based upon my experience, that it can be stable as rock.
And that it has an incredible amount of options that can be (mis)configured.

If you run into connection problems, there seems to be "something" that is interfering with your network.
Make sure to solve that first, only when that is solved you can start working on optimizing the wireless part.

Can you please add some loggin when the connection is lost? From both CAPsMAN and CAP?

toolongformt · Thu Jun 13, 2024 5:24 pm

and why arrive devices "dead on arrival-lookalike"?
why do i have with the simpliest situations more troubles than every manual talks about?
why does over night change half of the configuration, which was stable an hour ago?

current situations:
1) I left the dead-on-arrival look-alike-device over night sitting alone in the cold, dark night, and the next morning it was running. Evening before I left it for 2h+ with not signal, no LED on, nothing.
2) Regarding wifi: I managed to upgrade all devices to new wifi (even older arm devices) and have now 16 "wifis" running with 2 different configs on 2 each channels on 3 external AP's and an RB962UiGS-5HacT2HnT as wifi capsman. Everything works fine, but again, I wanted to prove it, after changing some names, half of the system doesn't work anymore. So for example DHCP. I don't get addresses anymore, but the names and links are all correct.
The simple log windows were helpful all the time, I had it running on all devices to see, what they do.
Now I'm searching for a log that shows me what could be the cause (or at least could be a hint) that I don't get an ip address. When I set it manually, network on ipad works fine.
DHCP on the other side works great for LAN devices.
Bridges are all fine (I hope so), they have the ethernet port + dynamic (otherwise I don't get the wifi ports into the bridge, by now).

erlinden · Thu Jun 13, 2024 5:34 pm

DHCP and Apple...could be lease time. Would help if you share the latest complete config of the device(s) running DHCP server and CAPsMAN.
Or combined WPA2-PSK and WPA3-PSK.

Yes...been there, done that.

toolongformt · Thu Jun 13, 2024 6:25 pm

DHCP and Apple...could be lease time. Would help if you share the latest complete config of the device(s) running DHCP server and CAPsMAN.

No, I use Apple devices since 14 years, they never had a problem with lease time etc. My windows notebook also doesn't get an IP.
I suspect there is something between wifi -> datapath -> dhcpserver, but I don't find it.

running config of dhcp server is a lot to grey out...

toolongformt · Thu Jun 13, 2024 6:26 pm

Or combined WPA2-PSK and WPA3-PSK.

not the case. just wpa2-psk

toolongformt · Thu Jun 13, 2024 6:36 pm

my current capsman:

# model = RB962UiGS-5HacT2HnT
# serial number = xxx
/interface bridge
add admin-mac=48:A9:8A:47:38:14 auto-mac=no comment=defconf name=bridgeLocal port-cost-mode=short
/interface wireless
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface list
add include=all name=LAN
/interface wifi channel
add band=5ghz-n disabled=no name=channel_5g width=20mhz
add band=2ghz-n disabled=no name=channel_2g width=20mhz
/interface wifi datapath
add bridge=bridgeLocal disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=r403-security
add authentication-types=wpa2-psk disabled=no name=heimautomatisierung
/interface wifi configuration
add channel.skip-dfs-channels=all country=Austria datapath=datapath1 datapath.bridge=bridgeLocal disabled=no mode=ap name=cfg1-clients security=r403-security ssid=R403
add channel=channel_2g channel.width=20mhz country=Austria datapath=datapath1 disabled=no hide-ssid=yes mode=ap name=cfg3-homeauto security=r403-security ssid=R403-2.4G
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=defconf interface=sfp1
add bridge=bridgeLocal interface=wlan1
add bridge=bridgeLocal interface=wlan2
add bridge=bridgeLocal interface=dynamic
/interface list member
add interface=bridgeLocal list=LAN
/interface wifi cap
set caps-man-addresses=10.43.210.203 discovery-interfaces=bridgeLocal
/interface wifi capsman
set enabled=yes interfaces=bridgeLocal package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg1-clients slave-configurations=cfg3-homeauto
/interface wireless cap
set bridge=bridgeLocal caps-man-addresses=10.43.210.202 discovery-interfaces=bridgeLocal interfaces=wlan1,wlan2
/ip address
add address=10.43.210.203/24 interface=bridgeLocal network=10.43.210.0
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=WAP.CAPSMAN
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.43.210.254
[admin@WAP.CAPSMAN] >

The DHCP Server is running stable for the LAN segment. I think there has been coming something between wifi-clients and DHCP.
When I set a static IP on a wifi-device, I cannot ping anything in the LAN segment. Somehow the wifi network is disrupted from the LAN, but I cannot find it.
And I cannot remember that I had done something what could have caused that situation...

flynno · Fri Jun 14, 2024 1:35 pm

Hey,

You have wifi interfaces bridged, try removing them from bridge

Stuck with new wifi-"capsman"

Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Re: Stuck with new wifi-"capsman"

Who is online