Cannot create a guests Wi-Fi network.

Hello, I need help becouse in my company we need a guests Wi-Fi, but I never used WinBox and they assigned this task becouse they also don’t know what happens and I decided to post here becouse I guess it will help.

The problem is that we’ve got our network, all it interfaces are in a bridge, and now we created a new bridge to create a virtual Wi-Fi with a different subnet on it to create there a guests network so they cannot see the IPs on our network and they only can access Internet, but I cannot access Internet from that subnet. The router is configured with CAPsMAN, I configured a new address that I want it to be the gateway (192.168.99.1) in the menu “addresses”, a new route that go to 0.0.0.0 from my gateway, a nat rule for the subnet 192.168.99.0 and the network with CAPsMAN to be a slave from our 2.4Ghz Wi-Fi. With all that configuration cannot access Internet from that subnet and the Wi-Fi point appears but devices doesn’t connect when DHCP is activated.

I don’t know if something is missing or it’s configured in a bad way, I need help on this because I don’t have so much idea of how this software works.
Thank you for your attention and I hope this problem is soon solved.

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys etc. )

# apr/09/2024 09:46:07 by RouterOS 6.49.10
# software id = IJH1-AHYL
#
# model = RBD52G-5HacD2HnD
# serial number = ***
/caps-man channel
add band=2ghz-b/g/n extension-channel=XX name="2.4Ghz (FA)"
add band=5ghz-a/n/ac extension-channel=XXXX name="5Ghz (FA)"
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=LOCAL
add client-to-client-forwarding=yes local-forwarding=yes name=GUEST
/interface bridge
add name=bridge_guest
add name=bridge_spa
/interface wireless
# managed by CAPsMAN
# channel: 2447/20-eC/gn(27dBm), SSID: SPA_WIFI, local forwarding
set [ find default-name=wlan1 ] country=spain disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5540/20-eeCe/ac/DP(24dBm), SSID: SPA_WIFI, local forwarding
set [ find default-name=wlan2 ] country=spain disabled=no ssid=MikroTik
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=spa_wifi \
    passphrase=***
add authentication-types=wpa2-psk encryption=aes-ccm name=spa_guest \
    passphrase=***
/caps-man configuration
add channel="2.4Ghz (FA)" datapath=LOCAL hw-retries=4 multicast-helper=full \
    name="2.4Ghz (FA)" security=spa_wifi ssid=SPA_WIFI
add channel="5Ghz (FA)" datapath=LOCAL hw-retries=4 multicast-helper=full \
    name="5Ghz (FA)" security=spa_wifi ssid=SPA_WIFI
add channel="2.4Ghz (FA)" datapath=GUEST datapath.bridge=bridge_guest mode=ap \
    name=Guest_2.4Ghz security=spa_guest ssid=SPA_GUEST
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.99.3-192.168.99.10
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge_guest lease-time=\
    1d10m name=dhcp1
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled disabled=yes hw-supported-modes=b,g,gn \
    master-configuration="2.4Ghz (FA)" name-format=identity
add action=create-dynamic-enabled hw-supported-modes=b,g,gn \
    master-configuration="2.4Ghz (FA)" name-format=identity \
    slave-configurations=Guest_2.4Ghz
add action=create-dynamic-enabled hw-supported-modes=a,an,ac \
    master-configuration="5Ghz (FA)" name-format=identity
/interface bridge port
add bridge=bridge_spa interface=ether5
add bridge=bridge_spa interface=ether1
add bridge=bridge_spa interface=ether2
add bridge=bridge_spa interface=ether3
add bridge=bridge_spa interface=ether4
/interface wireless cap
# 
set bridge=bridge_spa discovery-interfaces=bridge_spa,bridge_guest enabled=\
    yes interfaces=wlan1,wlan2
/ip address
add address=192.168.101.195/24 interface=bridge_spa network=192.168.101.0
add address=192.168.99.2/24 interface=bridge_guest network=192.168.99.0
add address=192.168.99.3/24 interface=bridge_guest network=192.168.99.0
add address=192.168.99.1/24 interface=bridge_guest network=192.168.99.0
/ip dhcp-client
add disabled=no interface=bridge_spa
/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set servers=192.168.101.1,8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=forward disabled=yes dst-address=192.168.101.0/24 \
    out-interface=bridge_spa src-address=192.168.99.0/24
/ip firewall nat
add action=masquerade chain=srcnat dst-address=0.0.0.0 out-interface=\
    bridge_spa src-address=192.168.101.0/24
add action=accept chain=srcnat dst-address=192.168.101.0/24 out-interface=\
    bridge_spa src-address=192.168.99.0/24
/ip route
add disabled=yes distance=1 gateway=192.168.99.1
add distance=1 dst-address=192.168.99.0/24 gateway=192.168.101.5
add disabled=yes distance=1 dst-address=192.168.99.0/24 gateway=192.168.99.1
add check-gateway=ping distance=1 dst-address=192.168.99.0/32 gateway=\
    192.168.99.1
add distance=1 dst-address=192.168.101.5/32 gateway=192.168.101.1
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=SPA_WADMIN

Sorry not familiar with capsman, and not sure why needed with single device??
otherwise its too easy to setup a vlan ( transparent ) for the current LAN and a new one for guests, attached to the WLAN…

A good security practice is to separate management and user data traffic. Therefore, it is recommended that when you configure VLANs, you use VLAN 1 for management purposes only (VLAN Best Practices and Security Tips for Cisco Business Routers)
So, you have default “VLAN1” - for management purposes only, and you need “VLAN10” for spa and “VLAN20” for guests.
Regardless of whether you need a capsman, you need a vlan first

You have got to be kidding!!

DO NOT Use VLAN1 for management, its already in use in the background by RoS.
Use any other vlan for management and data.
example..
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Ok, I’ve got a few questions:

1. Should I create another bridge for the datapath or something like that or i have to make it all in a single bridge?
2. Then should I just create an VLAN, and if it’s like that, how do I assign the virtual WLAN to that VLAN?

Consider that I want to create a guest network in network 99 and not on the same local network, which is 101.
And please if you could explain me how that structure works patiently I would be grateful, cause im new at this and I don’t know how it works at all.

Sorry, of course VLAN 0, thank you.
(MikroTik uses VLAN 0. If you try to create a VLAN 1 scenario with MikroTik, and expecting tagged frames, it will be incompatible with other vendors who default VLAN 1 as untagged)
I meant:
“So, you have default VLAN 0 as untagged - for management purposes only, and you need “VLAN10” for spa and “VLAN20” for guests.”

If the OP was already using VLANs, putting the guest WiFi on another one would be perfectly justified.

Converting this configuration to VLANs for that single purpose, however, is not. You do not need VLANs to have an isolated guest WiFi network.

Concur tangent, I could post a working config for either option in minutes, except he is using capsman which I dont touch with a 10 foot pole. One of these years will have to bite the bullet.

“typical home LAN case, where you have a lone Internet gateway that is also providing this guest WiFi service”

Another way without vlans but with a guest bridge is simply using a bridge filter.
Guest bridge way - it’s a simple and clear settings for guest dhcp server, guest bridge queue etc.
Use same SSID on 2,4 and 5GHz to make handover faster/seamless and both interfaces being in the same bridge.

Usually even a small business has several network devices, in addition to guest wifi, video surveillance, etc.
If today there is a need for one access point, then tomorrow there will be two… and very soon it will be easier to understand vlans once in a lifetime ))

Without diagram all is a bit weird.
Is this acting as a router as well and if so where is the WAN information
( which port, static IP or dynamic IP, from ISP or private IP from ISP router/modem

Pease I need an answer guys I need you.

The article I linked you to above gives two different solutions. What was wrong with them?

You didnt answer any of llamajama’s questions, so if you want help…

You mean this one? This one doesn’t teach how to do it with CAPsMAN so it doesn’t work for me.

llamajaja, I use CAPsMAN becouse in my company we’ve got 4 devices to distribute the Wi-Fi and this one is working as a master, but not router. The only things I wanna know is if I have to create another bridge or I have to make it in the same. I tried to do it both and still not connecting when you want to connect to the virtual wlan. I don’t know what more to do and I’m lost. I also tried to use VLANs but I don’t know how to assign it to the virtual guests WLAN and also I don’t know in what interface do I have to add it.

One of the things that CAPsMAN does is create a single virtual bridge among all the WiFi routers under its control. I’ve never used CAPsMAN, but doesn’t that mean the bridge filtering option at the end of that article would apply?

Yes. It’s a simple way - guest bridge, guest DHCP etc… in guest VLAN

https://help.mikrotik.com/docs/display/ROS/WiFi

CAPsMAN - CAP VLAN configuration example:
In this example, we will assign VLAN10 to our main SSID, and will add VLAN20 for the guest network, ether5 from CAPsMAN is connected to CAP.

CAPs using “wifi-qcom” package can get “vlan-id” via Datapath from CAPsMAN, CAPs using “wifi-qcom-ac” package will need to use the configuration provided at the end of this example.

CAPsMAN:
/interface bridge
add name=br vlan-filtering=yes
/interface vlan
add interface=br name=MAIN vlan-id=10
add interface=br name=GUEST vlan-id=20
/interface wifi datapath
add bridge=br name=MAIN vlan-id=10
add bridge=br name=GUEST vlan-id=20
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk ft=yes ft-over-ds=yes name=Security_MAIN passphrase=HaveAg00dDay
add authentication-types=wpa2-psk,wpa3-psk ft=yes ft-over-ds=yes name=Security_GUEST passphrase=HaveAg00dDay
/interface wifi configuration
add datapath=MAIN name=MAIN security=Security_MAIN ssid=MAIN_Network
add datapath=GUEST name=GUEST security=Security_GUEST ssid=GUEST_Network
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool2 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=yes interface=br name=dhcp1
add address-pool=dhcp_pool1 interface=MAIN name=dhcp2
add address-pool=dhcp_pool2 interface=GUEST name=dhcp3
/interface bridge port
add bridge=br interface=ether5
add bridge=br interface=ether4
add bridge=br interface=ether3
add bridge=br interface=ether2
/interface bridge vlan
add bridge=br tagged=br,ether5,ether4,ether3,ether2 vlan-ids=20
add bridge=br tagged=br,ether5,ether4,ether3,ether2 vlan-ids=10
/interface wifi capsman
set enabled=yes interfaces=br
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=MAIN slave-configurations=GUEST supported-bands=5ghz-ax
add action=create-dynamic-enabled master-configuration=MAIN slave-configurations=GUEST supported-bands=2ghz-ax
/ip address
add address=192.168.1.1/24 interface=br network=192.168.1.0
add address=192.168.10.1/24 interface=MAIN network=192.168.10.0
add address=192.168.20.1/24 interface=GUEST network=192.168.20.0
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
/system identity
set name=cAP_Controller
CAP using “wifi-qcom” package:
/interface bridge
add name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add interface=bridgeLocal disabled=no
CAP using “wifi-qcom-ac” package:
/interface bridge
add name=bridgeLocal vlan-filtering=yes
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman disabled=no
add disabled=no master-interface=wifi1 name=wifi21
add disabled=no master-interface=wifi2 name=wifi22
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal interface=wifi1 pvid=10
add bridge=bridgeLocal interface=wifi21 pvid=20
add bridge=bridgeLocal interface=wifi2 pvid=10
add bridge=bridgeLocal interface=wifi22 pvid=20
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1 untagged=wifi1,wifi2 vlan-ids=10
add bridge=bridgeLocal tagged=ether1 untagged=wifi21,wifi22 vlan-ids=20
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-static=yes
Additionally, the configuration below has to be added to the CAPsMAN configuration:

/interface wifi datapath
add bridge=br name=DP_AC
/interface wifi configuration
add datapath=DP_AC name=MAIN_AC security=Security_MAIN ssid=MAIN_Network
add datapath=DP_AC name=GUEST_AC security=Security_GUEST ssid=GUEST_Network
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=MAIN_AC slave-configurations=GUEST_AC supported-bands=5ghz-ac
add action=create-dynamic-enabled master-configuration=MAIN_AC slave-configurations=GUEST_AC supported-bands=2ghz-n

What wrong with this for you?

I’ll try with this.