Can't add the second ap to capsman

Hi friends, I've tried almost everything I know, but the second AP is still in MB status. The parameters are the same as for the first AP, but it doesn't run. It connects to capsman, but it is not possible to connect to that AP. There is the master CapsMAN .88.1, the first AP .88.2 and the second AP .88.3
Here is the photo, and the config of CapsMAN. Thank you for your precious help.

# jul/24/2021 16:35:25 by RouterOS 6.47.10
# software id = 11RE-K5D6
# model = RB750Gr3
# serial number = CC210D2235B3
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2437 name=canale6
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412 name=canale1
/interface bridge
add admin-mac=08:55:31:B8:99:20 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] advertise=1000M-full name=ether2-DOM \
    rx-flow-control=on tx-flow-control=on
set [ find default-name=ether3 ] name=ether3-SAD
/caps-man interface
add disabled=no l2mtu=1600 mac-address=08:55:31:37:88:01 master-interface=\
    none name=cap2 radio-mac=08:55:31:37:88:01 radio-name=085531378801
/caps-man datapath
add bridge=bridge name=datapath2GHz
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security1 \
    passphrase=***
/caps-man configuration
add channel=canale6 country=russia datapath=datapath2GHz mode=ap name=\
    2.4GHz-ch6 security=security1 ssid=Zaimka
add channel=canale1 country=russia datapath=datapath2GHz mode=ap name=\
    2.4GHz-ch1 security=security1 ssid=Zaimka
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.50-192.168.88.239
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=2.4GHz-ch1 \
    name-format=identity radio-mac=2C:C8:1B:22:81:E2
add action=create-dynamic-enabled master-configuration=2.4GHz-ch6 \
    name-format=identity radio-mac=08:55:31:37:88:01
/interface bridge port
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=ether1
add bridge=bridge interface=ether3-SAD
add bridge=bridge interface=ether4
add bridge=bridge interface=ether2-DOM
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,1.1.1.1 \
    gateway=192.168.88.254
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.88.254
/system clock
set time-zone-name=Europe/Moscow
/system ntp client
set primary-ntp=193.204.114.232 secondary-ntp=132.163.97.5
/system routerboard settings
set silent-boot=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Is it possible that the second AP (which is a RBWAP2ND) needs different firewall parameters than the first AP (which is a hAP ac2)? I’ve declared the ethernet interface as LAN, and actually the firewall parameters are the same between the APs.

https://www.youtube.com/watch?v=taQ70m0DVYA

I've checked the video, nothing new for me there. My problem is deeper than standard configuration: I don't know why the second AP is not getting the proper config from capsman. In the RemoteCAP I see the IP address of the second AP instead of the MAC, as I see for ap1.
I guess the problem is the bridge MAC of ap2, which is the same as the WiFi one. Strange, on ap1 it is different (by default), so I would change it, but I can't while it's running, and these caps are 3 hours by car from me, so I need to be careful. I've tried to change the WiFi interface MAC and provision the capsman to it, but it's not working: it still uses the previous MAC, which is the bridge one; the caps is forcing the wifi interface to use the previous MAC, which is the bridge's too. What is wrong here? I post the capsman config and ap2, thank you for help

Capsman:

[admin@MikroTik] > export
# jul/25/2021 23:25:24 by RouterOS 6.47.10
# software id = 11RE-K5D6
# model = RB750Gr3
# serial number = CC210D2235B3
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2437 name=canale6
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412 name=canale1
/interface bridge
add admin-mac=08:55:31:B8:99:20 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] advertise=1000M-full name=ether2-DOM \
    rx-flow-control=on tx-flow-control=on
set [ find default-name=ether3 ] advertise=10M-full,100M-half,100M-full name=\
    ether3-SAD
/caps-man interface
add disabled=no l2mtu=1600 mac-address=08:55:31:37:88:02 master-interface=none \
    name=cap2 radio-mac=08:55:31:37:88:02 radio-name=085531378801
add disabled=no l2mtu=1600 mac-address=08:55:31:37:88:01 master-interface=none \
    name=cap3 radio-mac=08:55:31:37:88:01 radio-name=085531378801
/caps-man datapath
add bridge=bridge name=datapath2GHz
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security1 passphrase=\


/caps-man configuration
add channel=canale6 country=russia datapath=datapath2GHz distance=indoors \
    installation=outdoor mode=ap name=2.4GHz-ch6 security=security1 ssid=Zaimka
add channel=canale1 country=russia datapath=datapath2GHz mode=ap name=\
    2.4GHz-ch1 security=security1 ssid=Zaimka
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.50-192.168.88.239
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=2.4GHz-ch1 name-format=\
    prefix-identity radio-mac=2C:C8:1B:22:81:E2
add action=create-dynamic-enabled master-configuration=2.4GHz-ch6 name-format=\
    prefix-identity radio-mac=08:55:31:37:88:02
/interface bridge port
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=ether1
add bridge=bridge interface=ether3-SAD
add bridge=bridge interface=ether4
add bridge=bridge interface=ether2-DOM
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=8.8.8.8,1.1.1.1 gateway=\
    192.168.88.254
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.88.254
/system clock
set time-zone-name=Europe/Moscow
/system ntp client
set primary-ntp=193.204.114.232 secondary-ntp=132.163.97.5
/system routerboard settings
set silent-boot=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

ap2:
[admin@MikroTik-SAD] > export
# jan/08/1970 07:45:14 by RouterOS 6.47.10
# software id = 6W5F-6GYH
# model = RouterBOARD wAP 2nD r2
# serial number = 6D820D3BF0DB
/interface bridge
add name=bridge1
/interface wireless
# managed by CAPsMAN
# channel: 2437/20-Ce/gn(28dBm), SSID: , CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=outdoor mode=ap-bridge ssid=\
    MikroTik-378801 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=wlan1 name=defconf
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=wlan1 list=LAN
add comment=defconf interface=ether1 list=LAN
/interface wireless cap
set bridge=bridge1 caps-man-addresses=192.168.88.1 discovery-interfaces=ether1 \
    enabled=yes interfaces=wlan1
/ip address
add address=192.168.88.3/24 interface=bridge1 network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.88.254
/system identity
set name=MikroTik-SAD
/system ntp client
set primary-ntp=193.204.114.232 secondary-ntp=132.163.97.5
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik-SAD] >

I suppose I need to force the bridge to use another MAC, but how? Maybe by terminal? Is it safe to do?

PS: I’ve also created the rule in the ap2 firewall to accept udp packets from capsman (and put the rule in position 1), as well as on capsman to enable receiving udp from ap2; no effect

PS2: on ap2 I have “CAP sent max keepalives without response”

PS3: as I read in a forum, I’ve removed the interface wlan1 from the bridge (just eth1 is present now), and I did the same in the caps config. No effect. On capsman I still see MB; the wlan on ap2 still shows connected to capsman but no SSID (same as before)

PS4: on the capsman I’ve a strange behaviour for eth3, where the caps2 is connected, what is this root? May it influence the issue? I can’t change it
mikro1.jpg

Now I have the Bridge with the same MAC as ethernet; I suppose that the capsman replies to the ethernet MAC and the ap2 cap isn’t receiving the expected packets. Sincerely, I can’t figure out why in the beginning it connects, but afterwards doesn’t work. Also parameters like SSID, frequency etc. aren’t passed to ap2, which shows different values.
I can’t change the MAC of ethernet or the MAC of the bridge, but I would like to; how can I do it without losing the router? Thank you!

PS: on capsman I have this:
removing stale connection [08:55:31:37:88:00/10/4d36,Run,[08:55:31:37:88:00]] because of ident conflict with [08:55:31:37:88:00/10/349e,Join,[08:55:31:37:88:00]]

I solved it by removing the ap2 entry in the “CAP Interface”; after disabling and re-enabling Capsman I’ve seen DSMB on both caps. In the meantime I made several changes, like disabling all drops on the firewall, removing wlan from the bridge, and many more.
I consider this a bug of the Mikrotik FW, since the CAP Interface is an automatic list appearing after provisioning and enabling caps; we are not supposed to have to remove the bad entry to finally get a successful one. Please consider this, I’ve spent at least 6 hours figuring it out.
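
Added example, not part of the thread: a small audit of a CAPsMAN export that lists `/caps-man interface` entries carrying no `configuration=` of their own, next to any provisioning rule that targets the same `radio-mac`. It assumes the behaviour described in MikroTik's CAPsMAN manual, where a radio is first bound to an existing interface entry by `radio-mac` and provisioning rules run only if none matches; `parse_export` and `audit_capsman` are hypothetical names and the sample is constructed from the second export above.

```python
import re
import shlex

# Constructed sample: trimmed from the thread's second CAPsMAN export.
SAMPLE_EXPORT = r"""
/caps-man interface
add disabled=no l2mtu=1600 mac-address=08:55:31:37:88:02 master-interface=none \
    name=cap2 radio-mac=08:55:31:37:88:02 radio-name=085531378801
add disabled=no l2mtu=1600 mac-address=08:55:31:37:88:01 master-interface=none \
    name=cap3 radio-mac=08:55:31:37:88:01 radio-name=085531378801
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=2.4GHz-ch1 name-format=\
    prefix-identity radio-mac=2C:C8:1B:22:81:E2
add action=create-dynamic-enabled master-configuration=2.4GHz-ch6 name-format=\
    prefix-identity radio-mac=08:55:31:37:88:02
"""

def parse_export(text):
    """Return {menu path: [dict of key=value for each 'add' line]}."""
    # RouterOS exports wrap long lines with a trailing backslash; rejoin them.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and export comments
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif line.startswith("add ") and current:
            tokens = shlex.split(line[4:])  # honours quoted comment="..." values
            menus[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus

def audit_capsman(text):
    """List (name, radio-mac, shadowed master-configuration) for every
    /caps-man interface entry that has no configuration= setting."""
    menus = parse_export(text)
    rules = {r.get("radio-mac", "").upper(): r.get("master-configuration")
             for r in menus.get("/caps-man provisioning", [])}
    findings = []
    for iface in menus.get("/caps-man interface", []):
        if "configuration" not in iface:
            mac = iface.get("radio-mac", "").upper()
            # Third field is None when no provisioning rule names this radio.
            findings.append((iface.get("name"), mac, rules.get(mac)))
    return findings

if __name__ == "__main__":
    for name, mac, shadowed in audit_capsman(SAMPLE_EXPORT):
        print(f"{name} ({mac}): no configuration; provisioning rule -> {shadowed}")
```
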

If you suspect it’s a bug, no one will notice unless you send a supout report and email it to MT…
https://wiki.mikrotik.com/wiki/Manual:Support_Output_File

Mate, don’t hate me, I have no clue how to prepare a file and send it; I’m not having the problem now and I don’t know how to reproduce it. I can just say that changes made on caps won’t have effect if there was an “error” (actually not an error, just incomplete cap handshaking, staying on MB or MBI) in CAP interface. I’m more than sure I solved the problem only when I removed it from CAP interface and enabled CAPsMAN again for discovering.
If it sounds interesting, then someone may notice it. From my side, in future any time I’ll make changes I’ll first delete the device on CAP interface