7.15.3 wifi-qcom-ac cap's slaves interfaces problem.

Hi, I have an L009UiGS-RM as CAPsMAN controller and some cAP ac units with the wifi-qcom-ac package. If I use the same configuration as in https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-CAPsMAN: everything works fine, but if I try to provision one more slave configuration, it works incorrectly. The 3rd slave configuration creates a dynamic interface “wifixx” instead of using the static interface that I created.
Please help me, I spent 4 hours on it with no luck. Only provisioning of main and one slave interface works; main and 2 slaves does not :(

L009UiGS-RM

/interface bridge
add admin-mac=78:9A:18:A3:F7:00 auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan-10-staff vlan-id=10
add interface=bridge name=vlan-20-guest vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi datapath
add bridge=bridge name=MAIN vlan-id=10
add bridge=bridge name=GUEST vlan-id=20
add bridge=bridge client-isolation=yes disabled=no name=wifi-qcom-ac
add bridge=bridge disabled=no name=wifi-qcom-ac-noisolation
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=Security_MAIN
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=Security_GUEST
/interface wifi configuration
add datapath=MAIN name=MAIN security=Security_MAIN ssid=MAIN_Network
add datapath=GUEST name=GUEST security=Security_GUEST ssid=GUEST_Network
add datapath=wifi-qcom-ac-noisolation disabled=no name=tech-ac security=Security_MAIN ssid=Tech_Network
add datapath=wifi-qcom-ac-noisolation disabled=no name=staff-ac security=Security_GUEST ssid=STAFF_Network
add datapath=wifi-qcom-ac disabled=no name=guest-ac security=Security_GUEST security.ft=no .ft-over-ds=no \
    ssid=GUEST_Network
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=staff ranges=172.16.102.2-172.16.102.254
add name=guest ranges=172.17.102.2-172.17.102.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=staff interface=vlan-10-staff name=staff
add address-pool=guest interface=vlan-20-guest name=guest
/port
set 0 name=serial0
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" disabled=yes disabled=yes name=\
    zt1 port=9993
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge vlan-ids=20
add bridge=bridge tagged=ether1,bridge vlan-ids=10
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether7 list=WAN
/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=MAIN slave-configurations=GUEST supported-bands=\
    5ghz-ax
add action=create-dynamic-enabled master-configuration=MAIN slave-configurations=GUEST supported-bands=\
    2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=tech-ac slave-configurations=\
    staff-ac,guest-ac supported-bands=5ghz-ac
add action=create-dynamic-enabled disabled=no master-configuration=tech-ac slave-configurations=\
    staff-ac,guest-ac supported-bands=2ghz-n
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=172.17.102.1/24 interface=vlan-20-guest network=172.17.102.0
add address=172.16.102.1/24 interface=vlan-10-staff network=172.16.102.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether7
/ip dhcp-server network
add address=172.16.102.0/24 gateway=172.16.102.1
add address=172.17.102.0/24 gateway=172.17.102.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward dst-address=192.168.20.2 src-address=192.168.20.3
add action=accept chain=input comment="allow winbox remote access" dst-port=8291 in-interface-list=WAN \
    protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
    127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=\
    WAN
/ip firewall raw
add action=drop chain=prerouting dst-address=192.168.20.0/24 src-address=192.168.20.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 \
    protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=\
    in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=\
    in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" \
    in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=test
/system note
set show-at-login=no
/system package update
set channel=testing
/system routerboard settings
set auto-upgrade=yes enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

cAP ac

/interface bridge
add admin-mac=74:4D:28:BD:7A:8D auto-mac=no comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged name=bridgeLocal vlan-filtering=yes
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: Tech_Network, channel: 2472/n/eC
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp \
    disabled=no
# managed by CAPsMAN
# mode: AP, SSID: STAFF_Network
add configuration.mode=ap disabled=no mac-address=76:4D:28:BD:7A:8F \
    master-interface=wifi1 name=wifi1-vlan10-staff
add configuration.mode=ap disabled=no mac-address=76:4D:28:BD:7A:91 \
    master-interface=wifi1 name=wifi1-vlan20-guest
# managed by CAPsMAN
# mode: AP, SSID: Tech_Network, channel: 5500/ac/Ceee
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp \
    disabled=no
add configuration.mode=ap disabled=no mac-address=76:4D:28:BD:7A:90 \
    master-interface=wifi2 name=wifi2-vlan10-staff
# managed by CAPsMAN
# mode: AP, SSID: GUEST_Network
add configuration.mode=ap disabled=no mac-address=76:4D:28:BD:7A:92 \
    master-interface=wifi2 name=wifi2-vlan20-guest
# managed by CAPsMAN
# mode: AP, SSID: GUEST_Network
add datapath=capdp disabled=no mac-address=76:4D:28:BD:7A:90 master-interface=\
    wifi1 name=wifi3
# managed by CAPsMAN
# mode: AP, SSID: STAFF_Network
add datapath=capdp disabled=no mac-address=76:4D:28:BD:7A:91 master-interface=\
    wifi2 name=wifi4
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal interface=wifi1
add bridge=bridgeLocal interface=wifi1-vlan10-staff pvid=10
add bridge=bridgeLocal interface=wifi2
add bridge=bridgeLocal interface=wifi2-vlan10-staff pvid=10
add bridge=bridgeLocal interface=wifi1-vlan20-guest pvid=20
add bridge=bridgeLocal interface=wifi2-vlan20-guest pvid=20
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1 untagged=\
    wifi1-vlan20-guest,wifi2-vlan20-guest vlan-ids=20
add bridge=bridgeLocal tagged=ether1 untagged=\
    wifi1-vlan10-staff,wifi2-vlan10-staff vlan-ids=10
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp \
    slaves-static=yes
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=CAP2-test
/system note
set show-at-login=no
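
An added example, not part of the original post and not MikroTik code: a small Python check that reads a cAP export like the one above and lists slave interfaces where the SSID pushed by CAPsMAN and the static bridge-port `pvid` do not line up, which is the symptom described. The sample is trimmed from the posted export; the function names `audit` and `findings` are hypothetical.

```python
import re

# Constructed sample: a trimmed copy of the cAP ac export posted above.
CAP_EXPORT = r"""
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: STAFF_Network
add configuration.mode=ap disabled=no mac-address=76:4D:28:BD:7A:8F \
    master-interface=wifi1 name=wifi1-vlan10-staff
add configuration.mode=ap disabled=no mac-address=76:4D:28:BD:7A:91 \
    master-interface=wifi1 name=wifi1-vlan20-guest
# managed by CAPsMAN
# mode: AP, SSID: GUEST_Network
add datapath=capdp disabled=no mac-address=76:4D:28:BD:7A:90 master-interface=\
    wifi1 name=wifi3
/interface bridge port
add bridge=bridgeLocal interface=wifi1-vlan10-staff pvid=10
add bridge=bridgeLocal interface=wifi1-vlan20-guest pvid=20
"""

def audit(export):
    """Map each slave interface to (SSID from CAPsMAN or None, pvid or None)."""
    text = re.sub(r"\\\n\s*", "", export)  # join RouterOS line continuations
    section, ssid, slaves, pvid = "", None, {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            section, ssid = line, None
        elif line.startswith("#"):  # status comments precede the entry they describe
            m = re.search(r"SSID: ([^,]+)", line)
            if m:
                ssid = m.group(1).strip()
        elif line.startswith(("add ", "set ")):
            kv = dict(re.findall(r"([\w.-]+)=(\S+)", line))
            if section == "/interface wifi" and "master-interface" in kv:
                slaves[kv["name"]] = ssid
            elif section == "/interface bridge port":
                pvid[kv["interface"]] = kv.get("pvid")
            ssid = None
    return {name: (s, pvid.get(name)) for name, s in slaves.items()}

def findings(export):
    out = []
    for name, (ssid, vid) in sorted(audit(export).items()):
        if ssid and vid is None:
            out.append(f"{name}: carries {ssid} but has no bridge port pvid")
        elif vid and not ssid:
            out.append(f"{name}: pvid={vid} configured but no SSID from CAPsMAN")
    return out

if __name__ == "__main__":
    print("\n".join(findings(CAP_EXPORT)))
```
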

Changing the provisioning rules to create enabled and manually changing interface names and VLAN IDs on the CAPs is the only way for now :frowning:.

100% Pain in the A$$, this issue.
MT really needs to get onto fixing this.
I have a mix of ~20 ac + 20 ax units running under CAPsMAN (wireless + wifi).

Being able to bring all my units under 1 (wifi) controller window is what I want.

It’s so close to working; even the APs, when I try this, I see in the bridge that the VLAN dynamically allocates properly, but there is no L2 pathway from client to bridge/VLAN.

It just complains in the controller in red text!!

Preach… we’re still software-limited by MikroTik with them using the newer Qualcomm drivers.

We had to roll back the AC access points, removing the wifi-qcom-ac package and reverting back to the wireless package. The qcom-ac was not stable in a production environment. Devices would not stay connected, even with proper AP configuration with manual bridge / VLAN configuration.

100% agree. VLANs with wifi-qcom-ac and CAPsMAN make CAPsMAN look like a completely useless, dumb manager. Who needs a manager which is not capable of managing its CAPs? Idiotic. And then all of a sudden, learning the hard way, you have to use “create enabled” instead of “create dynamic enabled” so wifi interfaces are not renamed on config change. But don’t ever do a manual provision: then even your non-dynamic interfaces may get renamed and you screw up your whole manual config on your CAPs. Configured by pain in the ass, destroyed in 1 second. It is really a shame for a commercial product.

Hi All,

I’m new to CAPsMAN and have spent days reading and watching tutorials on how to configure it.
Do I understand correctly? CAPsMAN is now unable to create VLANs on the CAPs. I have to manually set everything related to VLANs on each CAP.
The only thing CAPsMAN can do is set some wifi interface config.
On top of this I have to use the create-enabled action and slave-static. And the best thing: despite all the manual work, my interface names can intermittently be changed, and I have to manually set my VLAN config again?
This way there are not many advantages to using CAPsMAN at all. :frowning: