I am intending to deploy a Hex S 2025 and cAP ac with the latter controlled by CAPsMAN running on the former, using create-enabled because I am trying to do some VLANning.
My latest attempt worked, to a degree, but the CAP config needed some tweaking. I reset the CAP to no-def config and rebuilt it with the revised config. The configuration went ok but when I connected a cable between the CAP and the Hex the CAP’s WiFi tab tells me that there is “no connection to CAPsMAN”. This situation continued after a reboot of both devices.
Since there is clearly a physical connection (I can see both ends of the cable connecting the devices) this seems to indicate that the CAPsMAN is not allowing the CAP to re-deploy from it. From reading around the Forum, I am assuming that the reason for this is related to the fact that I used a create-enabled deployment, which I understand to be intended as a one-off process.
It surely must be possible to perform this manoeuvre without also rebuilding the Hex? I would be grateful if someone would let me know what I need to do to the Hex or the CAP to get the CAPsMAN to recognise the reconfigured CAP as something it should deploy to.
Thanks, in advance, for any help.
Please share the configs (both CAPsMAN and CAPS):
/export file=anynameyoulike
Remove serials and any other private info, post as Preformatted text by using the </> button.
mkx
October 7, 2025, 12:57pm
3
You mentioned VLANing ... so you have to be careful about setting of /interface/wifi/capsman -> interfaces on CAPsMAN and /interface/wifi/cap -> discovery-interfaces on CAP ... these two interfaces have to be in same VLAN so that CAPsMAN and CAP can talk to each other over L2.
Another possibility is to set IP address of CAPsMAN on CAP (so traffic gets routed) ... but IMO that's a special case and is best to avoid if possible.
Thanks for the responses. My configs for both devices are below, in case they are useful.
# 2025-10-07 13:46:42 by RouterOS 7.20
# software id = XXXXX
#
# model = E60iUGS
# serial number = XXXXX
/interface bridge
add comment="LAN bridge" name=bridge-lan vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="ISP WAN" name=ether1-wan
set [ find default-name=ether2 ] comment=\
    "Dedicated unbridged port for management access" name=ether2-mgmt
set [ find default-name=ether3 ] comment="Switch in the IT Cupboard" name=\
    ether3-csw1
set [ find default-name=ether4 ] comment="Managed Switch in the Loft" name=\
    ether4-lsw1
set [ find default-name=ether5 ] comment="PoE CAP D1" name=ether5-capd1
/interface vlan
add comment="Home VLAN" interface=bridge-lan name=vlan10-home vlan-id=10
add comment="IoT VLAN" interface=bridge-lan name=vlan20-iot vlan-id=20
add comment="Guest VLAN" interface=bridge-lan name=vlan30-guest vlan-id=30
add comment="Management VLAN" interface=bridge-lan name=vlan99-mgmt vlan-id=\
    99
/interface list
add comment="Management interface list" name=mgmt
add comment="Home VLAN" name=homevlan
add comment="IoT and Guest VLANs" name=IGvlans
add comment="WAN interface list" name=wan
/interface wifi datapath
add bridge=bridge-lan comment="Generic datapath for cAP ac APs" disabled=no \
    name=dp-ac-generic
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk comment="Home WiFi security" \
    disabled=no ft=yes name=sec-home
add authentication-types=wpa-psk,wpa2-psk,wpa3-psk comment=\
    "IoT WiFi security" disabled=no ft=no name=sec-iot
add authentication-types=wpa2-psk,wpa3-psk comment="Guest WiFi security" \
    disabled=no ft=yes name=sec-guest
/interface wifi configuration
add comment="Config for AthelTek (IoT) WiFi SSID" country="United Kingdom" \
    datapath=dp-ac-generic disabled=no name=config-iot-wifi security=sec-iot \
    ssid=AthelTek
/interface wifi steering
add disabled=no name=steering-main rrm=yes wnm=yes
/interface wifi configuration
add comment="Config for AthelNet (home) WiFi SSID" country="United Kingdom" \
    datapath=dp-ac-generic disabled=no name=config-home-wifi security=\
    sec-home ssid=AthelNet steering=steering-main
add comment="Config for WeaLan (guest) WiFi SSID" country="United Kingdom" \
    datapath=dp-ac-generic disabled=no name=config-guest-wifi security=\
    sec-guest ssid=WeaLan steering=steering-main
/interface wifi
add configuration=config-home-wifi disabled=no name=cap-wifi1 radio-mac=\
    C4:AD:XX:YY:ZZ:FA
add configuration=config-iot-wifi disabled=no mac-address=C6:AD:XX:YY:ZZ:FA \
    master-interface=cap-wifi1 name=cap-wifi1-virtual1
add configuration=config-guest-wifi disabled=no mac-address=C6:AD:XX:YY:ZZ:FB \
    master-interface=cap-wifi1 name=cap-wifi1-virtual2
add configuration=config-home-wifi disabled=no name=cap-wifi2 radio-mac=\
    C4:AD:XX:YY:ZZ:FB
add configuration=config-iot-wifi disabled=no mac-address=C6:AD:XX:YY:ZZ:FC \
    master-interface=cap-wifi2 name=cap-wifi2-virtual1
add configuration=config-guest-wifi disabled=no mac-address=C6:AD:XX:YY:ZZ:FD \
    master-interface=cap-wifi2 name=cap-wifi2-virtual2
/ip pool
add name=pool-home ranges=10.10.0.25-10.10.0.254
add name=pool-iot ranges=10.20.0.2-10.20.0.254
add name=pool-guest ranges=10.30.0.2-10.30.0.254
add name=pool-mgmt ranges=10.99.0.25-10.99.0.254
/ip dhcp-server
add address-pool=pool-home interface=vlan10-home lease-time=1d name=dhcp-home
add address-pool=pool-iot interface=vlan20-iot lease-time=1d name=dhcp-iot
add address-pool=pool-guest interface=vlan30-guest lease-time=1h name=\
    dhcp-guest
add address-pool=pool-mgmt interface=vlan99-mgmt lease-time=1d name=dhcp-mgmt
/interface bridge port
add bridge=bridge-lan comment="IT Cupboard Switch (VLAN 10)" frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3-csw1 pvid=10
add bridge=bridge-lan comment="Loft Switch Trunk Port" frame-types=\
    admit-only-vlan-tagged interface=ether4-lsw1
add bridge=bridge-lan comment="CAPD1 Trunk Port with PoE" frame-types=\
    admit-only-vlan-tagged interface=ether5-capd1
/ip neighbor discovery-settings
set discover-interface-list=mgmt
/interface bridge vlan
add bridge=bridge-lan comment="Access port for IT cupboard switch to VLAN10" \
    tagged=bridge-lan,ether4-lsw1,ether5-capd1 untagged=ether3-csw1 vlan-ids=\
    10
add bridge=bridge-lan comment="IoT VLAN with access only via Wi-FI AP trunks" \
    tagged=bridge-lan,ether4-lsw1,ether5-capd1 vlan-ids=20
add bridge=bridge-lan comment=\
    "Guest VLAN with access only via Wi-FI AP trunks" tagged=\
    bridge-lan,ether4-lsw1,ether5-capd1 vlan-ids=30
add bridge=bridge-lan comment="Management VLAN" tagged=\
    bridge-lan,ether4-lsw1,ether5-capd1 vlan-ids=99
/interface list member
add comment="Dedicated management port" interface=ether2-mgmt list=mgmt
add comment="Management VLAN" interface=vlan99-mgmt list=mgmt
add comment="Home VLAN" interface=vlan10-home list=homevlan
add comment="IoT VLAN" interface=vlan20-iot list=IGvlans
add comment="Guest VLAN" interface=vlan30-guest list=IGvlans
add comment="WAN interface" interface=ether1-wan list=wan
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=vlan99-mgmt
/interface wifi provisioning
add action=create-enabled comment="Provision config to all APs" disabled=no \
    master-configuration=config-home-wifi slave-configurations=\
    config-iot-wifi,config-guest-wifi
/ip address
add address=10.10.0.1/24 comment="Home VLAN addresses" interface=vlan10-home \
    network=10.10.0.0
add address=10.20.0.1/24 comment="IoT VLAN addresses" interface=vlan20-iot \
    network=10.20.0.0
add address=10.30.0.1/24 comment="Guest VLAN addresses" interface=\
    vlan30-guest network=10.30.0.0
add address=10.99.0.1/24 comment="Management VLAN addresses" interface=\
    vlan99-mgmt network=10.99.0.0
/ip cloud
set update-time=no
/ip dhcp-client
# Interface not active
add interface=ether1-wan
/ip dhcp-server network
add address=10.10.0.0/24 comment="Home DHCP Network" dns-server=10.10.0.1 \
    gateway=10.10.0.1
add address=10.20.0.0/24 comment="IoT DHCP Network" dns-server=10.20.0.1 \
    gateway=10.20.0.1
add address=10.30.0.0/24 comment="Guest DHCP Network" dns-server=10.30.0.1 \
    gateway=10.30.0.1
add address=10.99.0.0/24 comment="Management DHCP Network" dns-server=\
    10.99.0.1 gateway=10.99.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall address-list
add address=10.10.0.20 comment="Jon Desktop" list=Jon-webfig
add address=10.10.0.21 comment="Jon laptop " list=Jon-webfig
add address=10.10.0.22 comment="Jon Phone" list=Jon-webfig
/ip firewall filter
add action=accept chain=input comment="Allow established connections" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid packets" connection-state=\
    invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow local loopback for CAPsMAN" \
    dst-address=127.0.0.1
add action=accept chain=input comment="Allow UDP LAN DNS queries" dst-port=53 \
    in-interface-list=!wan protocol=udp
add action=accept chain=input comment="Allow TCP LAN DNS queries" dst-port=53 \
    in-interface-list=!wan protocol=tcp
add action=accept chain=input comment=\
    "Allow full access to the management interfaces" in-interface-list=mgmt
add action=accept chain=input comment=\
    "Allow restricted webfig access to the router" dst-port=80,443 \
    in-interface=vlan10-home protocol=tcp src-address-list=Jon-webfig
add action=drop chain=input comment="Drop all other inputs"
add action=fasttrack-connection chain=forward comment=\
    "Fasttrack established connections" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="Allow established connections" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid
add action=accept chain=forward comment="Allow Home -> IoT traffic" \
    connection-state=new in-interface=vlan10-home out-interface=vlan20-iot
add action=accept chain=forward comment="Allow Home -> Management traffic" \
    connection-state=new in-interface=vlan10-home out-interface=vlan99-mgmt
add action=accept chain=forward comment=\
    "Allow internet access for management VLAN" connection-state=new \
    in-interface-list=mgmt out-interface-list=wan
add action=accept chain=forward comment="Allow internet access for home VLAN" \
    connection-state=new in-interface-list=homevlan out-interface-list=wan
add action=accept chain=forward comment=\
    "Allow internet access for all other VLANs" connection-state=new \
    in-interface-list=IGvlans out-interface-list=wan
add action=drop chain=forward comment="Drop all other forwarded traffic"
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT for internet access" \
    out-interface-list=wan
/ip service
set ftp disabled=yes
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system identity
set name=MikroTikCore
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=mgmt
/tool mac-server mac-winbox
set allowed-interface-list=mgmt
# 2025-10-07 12:37:21 by RouterOS 7.20
# software id = XXXXX
#
# model = RBcAPGi-5acD2nD
# serial number = XXXXX
/interface bridge
add comment="CAP bridge" name=cap-bridge vlan-filtering=yes
/interface wifi
# no connection to CAPsMAN
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    disabled=no name=master-2ghz-vlan10
# no connection to CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    disabled=no name=master-5ghz-vlan10
add disabled=no mac-address=C6:AD:XX:YY:ZZ:FA master-interface=\
    master-2ghz-vlan10 name=slave-2ghz-vlan20
add disabled=no mac-address=C6:AD:XX:YY:ZZ:FC master-interface=\
    master-2ghz-vlan10 name=slave-2ghz-vlan30
add disabled=no mac-address=C6:AD:XX:YY:ZZ:FB master-interface=\
    master-5ghz-vlan10 name=slave-5ghz-vlan20
add disabled=no mac-address=C6:AD:XX:YY:ZZ:FD master-interface=\
    master-5ghz-vlan10 name=slave-5ghz-vlan30
/interface vlan
add interface=ether1 name=vlan99-mgmt vlan-id=99
/interface list
add comment="Management interface list" name=mgmt
/interface wifi datapath
add bridge=cap-bridge name=cap-datapath
/interface bridge port
add bridge=cap-bridge comment="Trunk port" frame-types=admit-only-vlan-tagged \
    interface=ether1
add bridge=cap-bridge comment="Access port VLAN 10 - 2Ghz" frame-types=\
    admit-only-untagged-and-priority-tagged interface=master-2ghz-vlan10 \
    pvid=10
add bridge=cap-bridge comment="Access port VLAN 10 - 5Ghz" frame-types=\
    admit-only-untagged-and-priority-tagged interface=master-5ghz-vlan10 \
    pvid=10
add bridge=cap-bridge comment="Access port VLAN 20 - 2Ghz" frame-types=\
    admit-only-untagged-and-priority-tagged interface=slave-2ghz-vlan20 pvid=\
    20
add bridge=cap-bridge comment="Access port VLAN 20 - 5Ghz" frame-types=\
    admit-only-untagged-and-priority-tagged interface=slave-5ghz-vlan20 pvid=\
    20
add bridge=cap-bridge comment="Access port VLAN 30 - 2Ghz" frame-types=\
    admit-only-untagged-and-priority-tagged interface=slave-2ghz-vlan30 pvid=\
    30
add bridge=cap-bridge comment="Access port VLAN 30 - 5Ghz" frame-types=\
    admit-only-untagged-and-priority-tagged interface=slave-5ghz-vlan30 pvid=\
    30
/ip neighbor discovery-settings
set discover-interface-list=mgmt
/interface bridge vlan
add bridge=cap-bridge tagged=cap-bridge,ether1 vlan-ids=99
add bridge=cap-bridge tagged=cap-bridge,ether1 untagged=\
    master-2ghz-vlan10,master-5ghz-vlan10 vlan-ids=10
add bridge=cap-bridge tagged=cap-bridge,ether1 untagged=\
    slave-2ghz-vlan20,slave-5ghz-vlan20 vlan-ids=20
add bridge=cap-bridge tagged=cap-bridge,ether1 untagged=\
    slave-2ghz-vlan30,slave-5ghz-vlan30 vlan-ids=30
/interface list member
add comment="Dedicated management port" interface=ether2 list=mgmt
add comment="Management VLAN" interface=vlan99-mgmt list=mgmt
/interface wifi cap
set certificate=request discovery-interfaces=vlan99-mgmt enabled=yes \
    slaves-datapath=cap-datapath slaves-static=yes
/ip address
add address=10.99.0.2/24 interface=vlan99-mgmt network=10.99.0.0
/ip cloud
set update-time=no
/ip dns
set servers=10.99.0.1
/ip route
add distance=1 gateway=10.99.0.1
/ip service
set ftp disabled=yes
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system identity
set name=MikroTikCAPU1
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=mgmt
/tool mac-server mac-winbox
set allowed-interface-list=mgmt
Ab5
October 7, 2025, 1:37pm
6
change to add action=create-dynamic-enabled
might have to delete the interfaces already created in the wifi tab (/interface/wifi/) on Capsman
mkx
October 8, 2025, 7:46pm
8
On cap, you have vlan99-mgmt interface anchored to ether1 ... which is wrong, it should be anchored to cap-bridge since ether1 is member port of bridge.
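The condition mkx points out can be checked mechanically. The following is an added example, not part of the original thread: a small Python script that parses a RouterOS export and reports VLAN interfaces whose parent is a bridge member port rather than the bridge itself. The sample input is a trimmed excerpt of the CAP export posted above, and the function names are assumptions of this example.

```python
import shlex

# Constructed excerpt of the CAP export posted above (trimmed to the relevant lines).
CAP_EXPORT = r'''
/interface bridge
add comment="CAP bridge" name=cap-bridge vlan-filtering=yes
/interface vlan
add interface=ether1 name=vlan99-mgmt vlan-id=99
/interface bridge port
add bridge=cap-bridge comment="Trunk port" frame-types=admit-only-vlan-tagged \
    interface=ether1
'''

def parse_export(text):
    """Yield (menu_path, action, params) for each command in a RouterOS export."""
    menu, pending = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # exports wrap long commands with a trailing backslash
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):  # a menu path applies to the commands that follow it
            menu = line
            continue
        tokens = shlex.split(line)
        yield menu, tokens[0], dict(t.split("=", 1) for t in tokens[1:] if "=" in t)

def vlans_on_bridge_ports(text):
    """Return (vlan, parent, bridge) for VLAN interfaces anchored to a bridge port."""
    port_to_bridge, vlans = {}, []
    for menu, action, p in parse_export(text):
        if action != "add":
            continue
        if menu == "/interface bridge port":
            port_to_bridge[p["interface"]] = p["bridge"]
        elif menu == "/interface vlan":
            vlans.append((p["name"], p["interface"]))
    return [(name, parent, port_to_bridge[parent])
            for name, parent in vlans if parent in port_to_bridge]

if __name__ == "__main__":
    for name, parent, bridge in vlans_on_bridge_ports(CAP_EXPORT):
        print(f"{name}: parent {parent} is a port of {bridge}; use interface={bridge}")
```

An empty result means every VLAN interface sits on a bridge or on a port that is not bridged.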
Thanks for your suggestion and for taking the time to have a look at my configs.
I think I’m going to give up on this. It all seems rather chaotic. Every time I reboot the Hex and cAP ac the outcome on the CAP is different and, unfortunately it seems, never the intended one. It’s difficult even to describe the situation. Sometimes there are the six wifi interfaces I am expecting (i.e. master and two slaves for 5G and 2G) and sometimes an extra two, named wifi1 and wifi2 appear, marked managed by capsman, whilst two of the named slave interfaces, which were ‘managed by capsman’ the last time I rebooted, stand idly by.
I think I will bite the bullet and buy an AX CAP and just hope that it won’t take three more weeks to get working.
jaclaz
October 9, 2025, 2:05pm
10
Not that it helps in any way, but IF the issue is the configuration(s) or - to put it rather bluntly - your lack of experience with Mikrotik, it is improbable that getting different hardware will automagically solve the issue.
Your configuration is a bit more complex than usual because of the VLANs and the multiple wifi slave interfaces, maybe you should try again with just the two standard wifi ones (and with the correction suggested by mkx).