Guide: CAPsMAN configuration with management VLAN (RouterOS 7.14.3)

Thanks for the posts above.
The official documentation/examples aren’t great so the earlier posts have been helpful in getting a working config.

A couple of points for others who are trying to set up wifi VLANs with CAPsMAN.
From what I now understand there are two ways of configuring wifi VLANs:

  1. CAPsMAN datapath VLAN
    The VLAN ID is configured in the CAPsMAN datapath
    The wifi interfaces and VLANs are automatically provisioned/configured by CAPsMAN.
    There is no need to manually configure cAP wifi interfaces and VLAN ID.
  2. cAP VLAN interfaces
    Wifi interfaces and VLANs are manually configured on the cAP.
    CAPsMAN is still configured as per CAPsMAN datapath except the VLAN ID is not configured.

In my view CAPsMAN datapath is simpler/easier and hence better.
But only cAP AX units support CAPsMAN datapath VLAN config (at least with v7.16.1 and older). Maybe this will change in the future.
Note cAP AX units can be configured using cAP VLAN interfaces if preferred.

cAP AC units must be configured using cAP VLAN interfaces.
CAPsMAN will display the error "vlan-id configured, but interface does not support assigning vlans" if you try to configure a cAP AC with datapath VLAN.

And a gotcha when configuring cAP VLAN interfaces.
If the manually configured wifi interfaces are changed during provisioning, there is most likely an error in your config.
I ran into this initially, but with the config below, provisioning via Wifi > Radios tab > Provision and Wifi > Remote CAP > Provision now works without changing the interfaces.

Below is the additional config required to set up wifi VLANs with cAP AC, cAP AX and CAPsMAN.

  • RB960PGS running CAPsMAN
  • RBcAPGi-5acD2nD cAP AC connected to eth4
  • cAPGi-5HaxD2HaxD cAP AX connected to eth5
  • cAP AC VLAN configured with cAP VLAN interfaces
  • cAP AX VLAN configured with CAPsMAN datapath VLAN
  • All running v7.16.1
  • VLAN 20 - cAP AC main wifi with SSID = Access McAccessPoint
  • VLAN 30 - cAP AC guest wifi with SSID = Access McAccessPoint-Guest
  • VLAN 40 - cAP AX main wifi with SSID = Testy McTesticle
  • VLAN 50 - cAP AX guest wifi with SSID = Testy McTesticle-Guest

CAPsMAN Config

/interface bridge
set [ find comment=defconf ] vlan-filtering=yes

/interface vlan
add interface=bridge name=wifi-capac-vlan20-main vlan-id=20
add interface=bridge name=wifi-capac-vlan30-guest vlan-id=30
add interface=bridge name=wifi-capax-vlan40-main vlan-id=40
add interface=bridge name=wifi-capax-vlan50-guest vlan-id=50

/interface wifi datapath
add bridge=bridge disabled=no name=cap-dp-ax40-main vlan-id=40
add bridge=bridge disabled=no name=cap-dp-ax50-guest vlan-id=50
add bridge=bridge disabled=no name=cap-dp-ac

#NOTE: This could be simplified if frequencies weren't specified for 2GHz AX, 2GHz N, 5GHz AC, 5GHz AX
/interface wifi configuration
add channel=cap-ch2ax datapath=cap-dp-ax40-main disabled=no name=cap-cfg2ax-vlan40-main security=cap-secwpa3 ssid="Testy McTesticle"
add channel=cap-ch2ax datapath=cap-dp-ax50-guest disabled=no name=cap-cfg2ax-vlan50-guest security=cap-secwpa3 ssid="Testy McTesticle-Guest"
add channel=cap-ch5ax datapath=cap-dp-ax40-main disabled=no name=cap-cfg5ax-vlan40-main security=cap-secwpa3 ssid="Testy McTesticle"
add channel=cap-ch5ax datapath=cap-dp-ax50-guest disabled=no name=cap-cfg5ax-vlan50-guest security=cap-secwpa3 ssid="Testy McTesticle-Guest"
add channel=cap-ch2n datapath=cap-dp-ac disabled=no name=cap-cfg2n-vlan20-main security=cap-secwpa3 ssid="Access McAccessPoint"
add channel=cap-ch2n datapath=cap-dp-ac disabled=no name=cap-cfg2n-vlan30-guest security=cap-secwpa3 ssid="Access McAccessPoint-Guest"
add channel=cap-ch5ac datapath=cap-dp-ac disabled=no name=cap-cfg5ac-vlan20-main security=cap-secwpa3 ssid="Access McAccessPoint"
add channel=cap-ch5ac datapath=cap-dp-ac disabled=no name=cap-cfg5ac-vlan30-guest security=cap-secwpa3 ssid="Access McAccessPoint-Guest"

/ip pool
add name=ipv4-pool-dhcp-vlan20 ranges=10.10.20.200-10.10.20.254
add name=ipv4-pool-dhcp-vlan30 ranges=10.10.30.200-10.10.30.254
add name=ipv4-pool-dhcp-vlan40 ranges=10.10.40.200-10.10.40.254
add name=ipv4-pool-dhcp-vlan50 ranges=10.10.50.200-10.10.50.254

/ip dhcp-server
add address-pool=ipv4-pool-dhcp-vlan20 interface=wifi-capac-vlan20-main name=dhcpv4-server-vlan20
add address-pool=ipv4-pool-dhcp-vlan30 interface=wifi-capac-vlan30-guest name=dhcpv4-server-vlan30
add address-pool=ipv4-pool-dhcp-vlan40 interface=wifi-capax-vlan40-main name=dhcpv4-server-vlan40
add address-pool=ipv4-pool-dhcp-vlan50 interface=wifi-capax-vlan50-guest name=dhcpv4-server-vlan50

/interface bridge vlan
add bridge=bridge tagged=bridge,ether4 vlan-ids=20
add bridge=bridge tagged=bridge,ether4 vlan-ids=30
add bridge=bridge tagged=bridge,ether5 vlan-ids=40
add bridge=bridge tagged=bridge,ether5 vlan-ids=50

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg2ax-vlan40-main slave-configurations=cap-cfg2ax-vlan50-guest supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg5ax-vlan40-main slave-configurations=cap-cfg5ax-vlan50-guest supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg2n-vlan20-main slave-configurations=cap-cfg2n-vlan30-guest supported-bands=2ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=cap-cfg5ac-vlan20-main slave-configurations=cap-cfg5ac-vlan30-guest supported-bands=5ghz-ac

/ip address
add address=10.10.20.1/24 interface=wifi-capac-vlan20-main network=10.10.20.0
add address=10.10.30.1/24 interface=wifi-capac-vlan30-guest network=10.10.30.0
add address=10.10.40.1/24 interface=wifi-capax-vlan40-main network=10.10.40.0
add address=10.10.50.1/24 interface=wifi-capax-vlan50-guest network=10.10.50.0

/ip dhcp-server network
add address=10.10.20.0/24 dns-server=10.10.20.1 domain=vlan20.internal gateway=10.10.20.1
add address=10.10.30.0/24 dns-server=10.10.30.1 domain=vlan30.internal gateway=10.10.30.1
add address=10.10.40.0/24 dns-server=10.10.40.1 domain=vlan40.internal gateway=10.10.40.1
add address=10.10.50.0/24 dns-server=10.10.50.1 domain=vlan50.internal gateway=10.10.50.1

cAP AC Config

/interface bridge
set [ find comment=defconf ] vlan-filtering=yes

/interface wifi
set [ find default-name=wifi1 ] name=wifi1-capac-vlan20-main
set [ find default-name=wifi2 ] name=wifi2-capac-vlan20-main
add disabled=no master-interface=wifi1-capac-vlan20-main name=wifi1-capac-vlan30-guest
add disabled=no master-interface=wifi2-capac-vlan20-main name=wifi2-capac-vlan30-guest

/interface bridge port
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi1-capac-vlan20-main pvid=20
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi2-capac-vlan20-main pvid=20
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi1-capac-vlan30-guest pvid=30
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi2-capac-vlan30-guest pvid=30

/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1 untagged=wifi1-capac-vlan20-main,wifi2-capac-vlan20-main vlan-ids=20
add bridge=bridgeLocal tagged=bridgeLocal,ether1 untagged=wifi1-capac-vlan30-guest,wifi2-capac-vlan30-guest vlan-ids=30

/interface wifi cap
set slaves-static=yes
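
A way to sanity-check the cAP AC bridge settings from this post before provisioning, added here as an example and not part of the original post: it parses export text and reports wifi access ports that would accept tagged frames from clients, or whose PVID is not tagged on the uplink towards CAPsMAN. The function names, the `uplink` parameter and the simplified parser (only `add` lines, comma-separated VLAN IDs, no ranges) are assumptions of this example.

```python
import shlex

# Sample input: the bridge port / bridge vlan lines from the cAP AC config in the post.
CAP_AC_EXPORT = """\
/interface bridge port
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi1-capac-vlan20-main pvid=20
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi2-capac-vlan20-main pvid=20
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi1-capac-vlan30-guest pvid=30
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi2-capac-vlan30-guest pvid=30
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1 untagged=wifi1-capac-vlan20-main,wifi2-capac-vlan20-main vlan-ids=20
add bridge=bridgeLocal tagged=bridgeLocal,ether1 untagged=wifi1-capac-vlan30-guest,wifi2-capac-vlan30-guest vlan-ids=30
"""

def parse_export(text):
    """Return {menu path: [key/value dict for each 'add' line]} (hypothetical helper)."""
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            menus.setdefault(path, []).append(dict(pairs))
    return menus

def check_access_ports(text, uplink="ether1"):
    """List problems with the wifi access ports; an empty list means none found."""
    menus = parse_export(text)
    tagged_on = {}  # VLAN ID -> set of ports carrying it tagged
    for row in menus.get("/interface bridge vlan", []):
        for vid in row.get("vlan-ids", "").split(","):
            tagged_on.setdefault(vid, set()).update(row.get("tagged", "").split(","))
    problems = []
    for port in menus.get("/interface bridge port", []):
        name, pvid = port["interface"], port.get("pvid", "1")
        if port.get("frame-types") != "admit-only-untagged-and-priority-tagged":
            problems.append(f"{name}: frame-types allows tagged frames from clients")
        if uplink not in tagged_on.get(pvid, set()):
            problems.append(f"{name}: VLAN {pvid} is not tagged on {uplink}")
    return problems

if __name__ == "__main__":
    print(check_access_ports(CAP_AC_EXPORT) or "no problems found")
```
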