Trying to understand how to properly setup guest wireless netwok I found this docs, CAPsMAN - CAP VLAN configuration example section.

After reading docs, forums and some experiments, I have a few questions:

1. Do I understand correctly that to configure a guest wireless network using ROS 7.13+ with new CAPsMAN and WiFi menu, each AP must be manually configured IN ANY CASE with some bridge and VLAN settings (Section CAP using "wifi-qcom-ac" package)? For example, in the "old" CAPsMAN it was enough to switch the AP to CAPS mode one time, and then all settings of the AP was made only through the CAPSMAN controller, no any manual bridge or VLAN "hacks" is required, guest wireless network is simply configured just by creating new bridge, IP pool and custom datapath.

2. I have a few wAP ac AP's. Each one is on ROS7 7.14.2 "wifi-qcom-ac" driver, because of new features, better performance and new "WiFi" menu support, as docs says in Compatibility section. Old driver "wireless" is removed, and another one "wifi-qcom" is only for 802.11ax AP (not my case). So, I tried to setup VLAN using datapath with VLAN ID and in docs section Datapath properties I found notice "802.11ac chipsets do not support this type of VLAN tagging, but they can be configured as VLAN access ports in bridge settings". This again brings me to the fact that each of my AP's requires manual configuration AT LEAST to use a such basic things as VLAN, even if we are not touching the topic of setting up a guest wireless network using VLAN and other related stuff. Looks like this may be fixed in future, but еwo years have already passed since this topic created.

3. I came to the following conclusions: on ROS7 there is no method for setting up a guest wireless network using new CAPsMAN without additional manual configuration of each AP. Or you can try, but will be faced with "vlan-id configured but interface does not support assigning vlans" error. Why do we need a CAPsMAN if it doesn’t solve such basic problems of automating AP's setup? Why is so much manual work required? If you have to change something (VLAN ID?), you will again have to do it manually at each point.

There is one solution how to not configure AP's by hands - running both capsmans at the same time: new CAPsMAN for main network, old CAPsMAN for guest network, both without VLAN. But this solution looks extremely bad and cumbersome for such a simple task, doesn’t it?

As a result of all this research, I'm stuck: all of the methods mentioned above for creating a guest wireless network (manually configuring each AP, or using new and old CAPsMAN together and legacy drivers) are not adequate, from my point of view, at least, because of too many manual works and dumb configurations for each AP.

Please tell me, am I right, or am I wrong about something, and is it worth looking somewhere else?

Thank you.

I'm about to tackle this change introduced in new CAPsMAN resulting in the error "vlan-id configured, but interface does not support assigning vlans" if you try and assign a VLAN via configuration, as in old CAPsMAN.

Nobody has replied but maybe because there are many other posts on the same subject. I'm about to go digging for them so when I find the definitive answer, I'll try and post a link back here.

But in terms of your comment "each AP must be manually configured IN ANY CASE with some bridge and VLAN settings", yes, I believe you're correct. I agree that it's not ideal and is a step backwards from the old CAPsMAN where doing a factory reset into CAPS mode was all you had to do. As you say, the issue was flagged a long time ago and there is no recent fix. I guess it must be difficult to make it generic. I might be missing something but doesn't CAPs on the access point need to pick up this settings from the configuration on CAPsMAN:



Later... I've just one through the default cAP ac configuration in cAPs mode to determine the difference in configuration and there is a lot of changes! So your comment about a lot of configuration needed on the access points out the box is valid IMO. I often get criticised for saying "UniFi is a lot easier" and this is a classic example. CAPsMAN was so simple before in the most frequent use case: private and guest networks. Now it's a *lot* harder to set up a guest network

Is there a mistake in the examples given here: https://help.mikrotik.com/docs/display/ ... onexample:

The documentation is for a CAP which typically have one or two ethernet ports. Am I missing something but the example is this:
Those last three lines are not for cAP ac as it only has two ethernet ports?

And for the record, I've just gone through the cAP ac configuration in CAPs mode and documented the differences needed. Hardly central management via CAPsMAN anymore

# 2024-04-29 22:58:29 by RouterOS 7.14.3
# software id = L2M3-RH7W
#
# model = RBcAPGi-5acD2nD
# serial number = E2810E56A183
/interface bridge
# MOD: add vlan-filtering=yes
add admin-mac=2C:C8:1B:66:B4:A6 auto-mac=no comment=defconf name=bridgeLocal vlan-filtering=yes
# MOD: datapath not used
# /interface wifi datapath
# add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: Sea Captain's House 2G, channel: 2412/n/Ce
# MOD: removed datapath=capdp
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# MOD: new slave interface
add disabled=no master-interface=wifi1 name=wifi21
# managed by CAPsMAN
# mode: AP, SSID: Sea Captain's House 5G, channel: 5320/ac/eeeC
# MOD: removed datapath=capdp
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no
# MOD: new slave interface
add disabled=no master-interface=wifi2 name=wifi22
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
# MOD: VLAN tagging on the Wi-Fi interfaces
add bridge=bridgeLocal interface=wifi1 pvid=10
add bridge=bridgeLocal interface=wifi21 pvid=20
add bridge=bridgeLocal interface=wifi2 pvid=10
add bridge=bridgeLocal interface=wifi22 pvid=20
# MOD: adding VLANs to bridge
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1 untagged=wifi1,wifi2 vlan-ids=10
add bridge=bridgeLocal tagged=ether1 untagged=wifi21,wifi22 vlan-ids=20
/interface wifi cap
# MOD: remove slaves-datapath=capdp
set discovery-interfaces=bridgeLocal enabled=yes
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system clock
set time-zone-name=Europe/London
/system identity
set name="AP0 10 - lab"
/system note

Is all of this, err, configuration required just because the qcom-ac wireless driver doesn't support vlan tagging on the interface itself?