Add extra WAP AX to Hex AX in Capsman setup

With greatly appreciated help from this forum, I have successfully followed the MikrotikMasters Capsman setup guide for my Hex, with a test PC attached on port 2 and a WAP AX on port 5 (I am not using the switch in between my Hex and the WAP AX).

Now I want to add another WAP AX to the Hex. I rebooted this new WAP AX 'without default', with the export of the working, configured WAP set to load upon boot. So the new one is now configured exactly like the working one.

Now i want to plug the new one in ether3 of the Hex. I know i have to make changes as to add port 3 in the Hex. I am thinking of this:

# Proposed change: rename ether3 and add it to the bridge as a port.
# NOTE(review): the export further down names the bridge lan-bridge, not
# LAN-bridge; the name used here has to match the one on the device.
/interface ethernet
set [find default-name=ether3] name=ether3-wap2

# NOTE(review): unlike the existing trunk port "ether5 SWITCH" in the export,
# this port is added without frame-types=admit-only-vlan-tagged.
/interface bridge port
add interface=ether3-wap2 bridge=LAN-bridge

IST (current state):
# Current VLAN table as the poster describes it. The interface names are
# shorthand; the export further down uses "ether5 SWITCH" and "ether2 TEST PC".
/interface bridge vlan
add bridge=LAN-bridge vlan-ids=10 tagged=LAN-bridge,ether5-switch untagged=ether2-test
add bridge=LAN-bridge vlan-ids=20 tagged=LAN-bridge,ether5-switch
add bridge=LAN-bridge vlan-ids=30 tagged=LAN-bridge,ether5-switch

SOLL (target state):
# Target VLAN table: ether3-wap2 becomes a tagged member of VLAN 10, 20 and 30.
# NOTE(review): these are `add` commands for VLAN IDs that already have rows, so
# they would sit next to (or be rejected because of) the existing rows rather
# than change them -- TODO confirm on the device; editing the existing rows
# avoids that.
/interface bridge vlan
add bridge=LAN-bridge vlan-ids=10 tagged=LAN-bridge,ether3-wap2,ether5-switch untagged=ether2-test
add bridge=LAN-bridge vlan-ids=20 tagged=LAN-bridge,ether3-wap2,ether5-switch
add bridge=LAN-bridge vlan-ids=30 tagged=LAN-bridge,ether3-wap2,ether5-switch

Is this what has to be done, or am I missing something? I tried this setup, but my test PC and the iPad attached to MM-GUEST didn't have working internet anymore (I could ping but not visit any site...).

My code in the Hex:

# hEX (identity ROUTER01): VLAN-filtering bridge carrying VLAN 10 (MGMT),
# 20 (CORP) and 30 (GUEST), CAPsMAN for the wAP ax radios, one DHCP server per
# VLAN, and NAT out of "ether1 WAN".
/interface bridge
# The bridge itself admits only tagged frames and VLAN filtering is on, so a
# port passes traffic only for the VLANs it is listed under in
# /interface bridge vlan further down.
add frame-types=admit-only-vlan-tagged name=lan-bridge vlan-filtering=yes
# ether3 and ether4 are only named here; neither appears under
# /interface bridge port below, so they are not members of lan-bridge.
/interface ethernet
set [ find default-name=ether1 ] name="ether1 WAN"
set [ find default-name=ether2 ] name="ether2 TEST PC"
set [ find default-name=ether3 ] name="ether3"
set [ find default-name=ether4 ] name="ether4"
set [ find default-name=ether5 ] name="ether5 SWITCH"
# Layer-3 interfaces for the three VLANs, all on top of lan-bridge.
/interface vlan
add interface=lan-bridge name=vlan10-MGMT vlan-id=10
add interface=lan-bridge name=vlan20-CORP vlan-id=20
add interface=lan-bridge name=vlan30-GUEST vlan-id=30
# Single-channel entries plus three channel lists (the ones with disabled=no).
# The wifi configurations below reference 5GHZ::NON-DFS and 2GHZ::AUTO.
/interface wifi channel
add band=5ghz-ax frequency=5180 name=5GHZ::CH36 width=20mhz
add band=5ghz-ax frequency=5200 name=5GHZ::CH40 width=20mhz
add band=5ghz-ax frequency=5220 name=5GHZ::CH44 width=20mhz
add band=5ghz-ax frequency=5240 name=5GHZ::CH48 width=20mhz
add band=5ghz-ax frequency=5745 name=5GHZ::CH149 width=20mhz
add band=5ghz-ax frequency=5765 name=5GHZ::CH153 width=20mhz
add band=5ghz-ax frequency=5785 name=5GHZ::CH157 width=20mhz
add band=5ghz-ax frequency=5805 name=5GHZ::CH161 width=20mhz
add band=5ghz-ax frequency=5825 name=5GHZ::CH165 width=20mhz
add band=5ghz-ax disabled=no frequency=5180,5200,5220,5240 name=5GHZ::UNII-1 \
    width=20mhz
add band=5ghz-ax disabled=no frequency=5745,5765,5785,5805,5825 name=\
    5GHZ::UNII-3 width=20mhz
add band=5ghz-ax disabled=no frequency=\
    5180,5200,5220,5240,5745,5765,5785,5805,5825 name=5GHZ::NON-DFS width=\
    20mhz
add band=2ghz-ax frequency=2412 name=2GHZ::CH1 width=20mhz
add band=2ghz-ax frequency=2437 name=2GHZ::CH6 width=20mhz
add band=2ghz-ax frequency=2462 name=2GHZ::CH11 width=20mhz
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=2GHZ::AUTO width=\
    20mhz
# Datapaths map wireless clients to a VLAN: corp -> 20, guest -> 30.
/interface wifi datapath
add disabled=no name=datapath-corp vlan-id=20
add disabled=no name=datapath-guest vlan-id=30
# Both profiles accept WPA2-PSK and WPA3-PSK. No passphrase appears in this
# export; presumably it was omitted as sensitive -- confirm one is set on the
# device and that CORP and GUEST do not share it.
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec1-corp
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec-guest
# MM5ghz and MM2ghz use the corp datapath (VLAN 20); MM-GUEST uses the guest
# datapath (VLAN 30). cfg-GUEST sets no channel or country of its own; it is
# used as the slave configuration in the provisioning rules further down.
/interface wifi configuration
add channel=5GHZ::NON-DFS country=Portugal datapath=datapath-corp disabled=no \
    mode=ap name=cfg-5Ghz security=sec1-corp ssid=MM5ghz
add channel=2GHZ::AUTO country=Portugal datapath=datapath-corp disabled=no \
    mode=ap name=cfg2Ghz security=sec1-corp ssid=MM2ghz
add datapath=datapath-guest disabled=no mode=ap name=cfg-GUEST security=\
    sec-guest ssid=MM-GUEST
# Interfaces created for CAP radios: one master interface per radio (cfg2Ghz or
# cfg-5Ghz) and one virtual interface for MM-GUEST on top of it. The macadresN
# values are the poster's placeholders. The export comments say traffic is
# processed on the CAP, so the hEX port towards a CAP presumably has to carry
# VLAN 20 and 30 tagged in addition to VLAN 10 -- verify against the CAP config.
/interface wifi
# operated by CAP macadres1%vlan10-MGMT, traffic processing on CAP
add configuration=cfg2Ghz disabled=no name=cap-wifi1 radio-mac=\
    macadres2
# operated by CAP macadres3%vlan10-MGMT, traffic processing on CAP
add configuration=cfg-GUEST disabled=no mac-address=macadres4 \
    master-interface=cap-wifi1 name=cap-wifi1-virtual1
# operated by CAP macadres5%vlan10-MGMT, traffic processing on CAP
add configuration=cfg-5Ghz disabled=no name=cap-wifi2 radio-mac=\
    macadres6
# operated by CAP macadres8%vlan10-MGMT, traffic processing on CAP
add configuration=cfg-GUEST disabled=no mac-address=macadres9 \
    master-interface=cap-wifi2 name=cap-wifi2-virtual1
add configuration=cfg2Ghz disabled=no name=cap-wifi3 radio-mac=\
    macadres10
add configuration=cfg-GUEST disabled=no mac-address=macadres11 \
    master-interface=cap-wifi3 name=cap-wifi3-virtual1
add configuration=cfg-5Ghz disabled=no name=cap-wifi4 radio-mac=\
    macadres12
add configuration=cfg-GUEST disabled=no mac-address=macadres13 \
    master-interface=cap-wifi4 name=cap-wifi4-virtual1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# One address pool and one DHCP server per VLAN interface.
/ip pool
add name=dhcp_pool0 ranges=10.0.10.2-10.0.10.254
add name=dhcp_pool1 ranges=10.0.20.20-10.0.20.200
add name=dhcp_pool2 ranges=10.0.30.2-10.0.30.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan10-MGMT lease-time=10h name=dhcp1
add address-pool=dhcp_pool1 interface=vlan20-CORP lease-time=10h name=dhcp2
add address-pool=dhcp_pool2 interface=vlan30-GUEST lease-time=10h name=dhcp3
# Only two ports are in the bridge: "ether2 TEST PC" as an access port whose
# untagged traffic lands in VLAN 10 (the management VLAN), and "ether5 SWITCH"
# as a trunk that admits tagged frames only.
/interface bridge port
add bridge=lan-bridge interface="ether2 TEST PC" pvid=10
add bridge=lan-bridge frame-types=admit-only-vlan-tagged interface=\
    "ether5 SWITCH"
# NOTE(review): the !dynamic list is not limited to LAN interfaces, so neighbor
# discovery presumably also runs on "ether1 WAN" -- verify and restrict if so.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# VLAN membership table: VLAN 10 is tagged on the trunk and the bridge and
# untagged on the test-PC port; VLAN 20 and 30 are tagged on the trunk and the
# bridge only. A new trunk port has to be listed here for all three VLANs.
/interface bridge vlan
add bridge=lan-bridge tagged="ether5 SWITCH,lan-bridge" untagged=\
    "ether2 TEST PC" vlan-ids=10
add bridge=lan-bridge tagged="ether5 SWITCH,lan-bridge" vlan-ids=20,30
# CAPsMAN listens on vlan10-MGMT only. require-peer-certificate=no means a CAP
# does not have to present a certificate, and the provisioning rules below
# match on supported bands alone, so as far as this export shows any CAP that
# can reach VLAN 10 receives these configurations.
# NOTE(review): "ether2 TEST PC" is an untagged VLAN 10 port; decide which
# ports should carry the management VLAN.
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=vlan10-MGMT \
    package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=cfg-5Ghz \
    slave-configurations=cfg-GUEST supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=cfg2Ghz \
    slave-configurations=cfg-GUEST supported-bands=2ghz-ax
# The router is .1 in each VLAN subnet and is handed out below as both gateway
# and DNS server.
/ip address
add address=10.0.10.1/24 interface=vlan10-MGMT network=10.0.10.0
add address=10.0.20.1/24 interface=vlan20-CORP network=10.0.20.0
add address=10.0.30.1/24 interface=vlan30-GUEST network=10.0.30.0
/ip dhcp-client
add default-route-tables=main interface="ether1 WAN"
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=10.0.20.1 gateway=10.0.20.1
add address=10.0.30.0/24 dns-server=10.0.30.1 gateway=10.0.30.1
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts, which the DHCP clients above rely on. On the WAN side only the input
# rule below limits who can query it.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
# 192.168.3.0/24 is exempt from the WAN input drop below -- presumably the
# upstream LAN; verify that every host there should reach the router itself.
/ip firewall address-list
add address=192.168.3.0/24 list=ALLOWED
# The only filter rule in this export: drop input arriving on "ether1 WAN" that
# is not part of an established connection, unless the source is in ALLOWED.
# NOTE(review): connection-state=!established also matches "related" packets.
# NOTE(review): there is no forward-chain rule, so nothing here stops routing
# between VLAN 10, 20 and 30 (GUEST clients can reach MGMT and CORP addresses),
# and input from the VLAN interfaces to the router is unfiltered. Forwarding
# from the WAN side into the VLANs is not filtered either; the masquerade rule
# below is address translation, not a filter.
/ip firewall filter
add action=drop chain=input connection-state=!established in-interface=\
    "ether1 WAN" src-address-list=!ALLOWED
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 WAN"
# NOTE(review): the clock is set to Europe/Amsterdam while the wifi
# configurations use country=Portugal -- confirm the regulatory country matches
# where the radios actually operate.
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=ROUTER01

Kind regards!

I don't know exactly what you are doing, but when you have set up CAPsMAN properly, you only need to do two things with your new wAP ax:

  1. reset wap ax to caps mode (see docs)
  2. connect it to any port of your capsman device

Done. It should be auto discovered and provisioned.

I followed the above-mentioned installation guide for Capsman with VLANs. It uses a switch on ether5, and I think its intention is that new wireless APs are connected that way (on the switch, not on the Hex). I don't need a switch and want to connect my extra WAP AX to ether3.

I'm curious to know what I would have to change in the Hex to do so; the WAP AX is ready, as it has been rebooted without defaults and with the copy of the already attached WAP's configuration.

I tried it myself, but I didn't have access to webpages after my alterations; I decided to delete those and ask here.

And so my question: what would I have to change in the above-mentioned code to have ether3 working as well?

Something like this:

# Lists "ether3" as a tagged member of VLAN 10, 20 and 30, next to
# "ether5 SWITCH" and the bridge itself.
# NOTE(review): the export already has rows for vlan-ids=10 and vlan-ids=20,30;
# `add` does not edit them, so either change the existing rows or remove them
# first -- TODO confirm how the device treats the duplicate.
/interface bridge vlan
add bridge=lan-bridge tagged="ether3,ether5 SWITCH,lan-bridge" untagged="ether2 TEST PC" vlan-ids=10
add bridge=lan-bridge tagged="ether3,ether5 SWITCH,lan-bridge" vlan-ids=20,30

If this gives an error, just add ether3 interface manually in Winbox.

# Makes ether3 a bridge port that admits only tagged frames, the same setting
# as "ether5 SWITCH". Untagged frames on ether3 are not admitted, so the wAP ax
# has to tag its management traffic (VLAN 10 in this setup) as well as the
# client traffic for VLAN 20 and 30.
/interface bridge port
add bridge=lan-bridge frame-types=admit-only-vlan-tagged interface=\
    "ether3"

If you want to know more...please read this great topic about VLAN:
Using RouterOS to VLAN your network - MikroTik

Don't forget to make the adjustments on the second wAP AX like you did in the other topic.

Thank you again. I also updated everything to the same, latest firmware. Both actions were needed and now it all works.

Many thanks!!!
