Can't connect CAP AX using capsman

Hi, I am configuring a new network based on an “old” one someone had created.

I am using a CCR2004-16 Router and a bunch of cap ax-s.

I can’t get the AP-s to show up in my router capsman “Remote CAP” or anywhere for that matter.

I have pressed down the reset button until the LED is solid green (after blinking green). So it should be in capsman search mode.

My capsman base setup is as follows.

/caps-man configuration
add channel.extension-channel=disabled country=REDACTED datapath.bridge=bridge-wifi name=wifi security.authentication-types=wpa2-psk .encryption=aes-ccm .group-encryption=aes-ccm ssid=REDACTED
/caps-man datapath
add bridge=bridge-lan name=datapath1
/caps-man manager
set enabled=yes package-path=/
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=wifi

For AX devices you have to use a different CAPsMAN:
https://help.mikrotik.com/docs/display/ROS/WifiWave2#WifiWave2-WifiWave2CAPsMAN

Thanks!

I have run into an issue where I downloaded the extra-package from: https://mikrotik.com/download

Then I unzipped it and uploaded the npk package for wifiwave2 to /files but I can’t install it as a package.

EDIT: When booting console shows: error broken package wifiwave2

EDIT2: zerotier package installed successfully tho.

EDIT3:

                   uptime: 4m15s
                  version: 7.11.2 (stable)
               build-time: Aug/31/2023 13:55:47
         factory-software: 7.6
              free-memory: 3829.4MiB
             total-memory: 4032.0MiB
                      cpu: ARM64
                cpu-count: 4
                 cpu-load: 0%
           free-hdd-space: 104.7MiB
          total-hdd-space: 129.0MiB
  write-sect-since-reboot: 58
         write-sect-total: 12097
               bad-blocks: 0.3%
        architecture-name: arm64
               board-name: CCR2004-16G-2S+
                 platform: MikroTik

EDIT5: After using https I was able to upload it.

As far as I know it requires a reboot.

Aah…you found out. Did you download:
https://download.mikrotik.com/routeros/7.11.2/all_packages-arm64-7.11.2.zip

It has to be the arm64 package…

I still can't seem to find the AP in the Radios or Remote CAP.

#create a security profile
/interface wifiwave2 security
add authentication-types=wpa3-psk name=REDACTED passphrase=REDACTED

#create configuration profiles to use for provisioning
/interface wifiwave2 configuration
add country=REDACTED name=5ghz security=REDACTED ssid=Floor5-5GHz datapath=datapath1 datapath.bridge=bridge-lan security.authentication-types=wpa3-psk .encryption=gcmp-256
add name=2ghz security=REDACTED ssid=Floor5 datapath=datapath1 datapath.bridge=bridge-lan security.authentication-types=wpa3-psk .encryption=gcmp-256
add country=REDACTED name=5ghz_v security=REDACTED ssid=Floor5-5GHz_v datapath=datapath1 datapath.bridge=bridge-lan security.authentication-types=wpa3-psk .encryption=gcmp-256

#configure provisioning rules, configure band matching as needed
/interface wifiwave2 provisioning
add action=create-dynamic-enabled master-configuration=5ghz slave-configurations=5ghz_v supported-bands=5ghz-n
add action=create-enabled master-configuration=2ghz supported-bands=2ghz-n

#enable CAPsMAN service
/interface wifiwave2 capsman
set ca-certificate=auto enabled=yes

/interface/wifiwave2/cap set enabled=yes

Just to be sure…you did reset the cAP ax to CAP mode?

I unplugged PoE Ethernet. Plugged it back in. Waited for 10 seconds until LED is green and then unpressed it. It should turn the CAP AX to cap mode. Correct?

Or do I need to log in to the CAP as well?

Solid green I assume?
Did the cAP ax request/get an IP address?

Uh how would I check that?

Well it does seem to get an IP.

I think that video is needed!

Time for some next stepping…can you provide configs from both CAPsMAN and CAPS?

/export file=anynameyoulike

Make sure to remove serial and any other private information like public IP.

Well I know I've redacted some stuff. But here it is.

As far as I understand, the person who set up the old setup wrote something like this:

APs are connected to the network essentially without configuring, only the admin user replaces the password.

To add to the central management, you need to hold down the AP reset button before you put the power on, and then count to ten and track the lights.

If the steps are done correctly, the device will register with the central administration.

Next, you need to enable the CAP interface created in the router and say Configuration: wifi in the interface settings. A more polite name for the device in the Remote CAP tab doesn’t hurt either.

To get access to the AP web interface, some port forwards have been made in the NAT rules of the router wall. Yeah, it’s a lazy solution, but enough for us.

Before, of course, you should set up a more permanent address corresponding to AP mac in your router’s DHCP leases.

The last moves are to open the AP Web Interface and press enter in the terminal to confirm the central management conf and set the admins user password.

This last move is quite important, because otherwise the conf will be forgotten after the restart, and this confirmation dialog will only be in the terminal of the web interface. The Latvians.

I wanna continue with this setup. As it works. OK

The router is behind NAT. So there are three vlans. NR 6 is for ??? The two other vlans are for the mikrotik mgmt (web,ssh) and also access to the internet.

The WiFi clients should not see the mgmt as they get their IP from 10.0.0.0/12 pool.
ccr2004-config.rsc (10.7 KB)

So much to improve…but let's focus on the current problem.
Can you share the CAP config as well?

CAP as the CAP AX? I haven't done anything to it.

Indeed, just to be sure…

What’s in between the router and the cAP ax?

CAP AX ↔ (<- PoE out - Mikrotik PoE adapter - → Data) ↔ CCR2004 eth port1

Will the configurations of the capax be identical, same vlans etc… or do the capax’s serve different groups of users and thus not be identical in most respects?

All to say is you're wasting your time.
Here is an easy capax setup that you only need to basically change the IP address of the capax on the trusted network for each device.
Each port on the main upstream router only needs to be a trunk port to ether1 on the capax, carrying the correct vlans.
No capsman settings required, AND WIFI settings contain only WIFI parameters!!! Too easy.
I fully recommend that if the capax is not easily accessible (in terms of plugging in a laptop to ether2 for troubleshooting) that you run a second wire on install to a location where you can plug the other end of the ethercable into a laptop.

/interface bridge
add ingress-filtering=no name=bridgecap1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface vlan
# mandatory, management vlan must be identified in /interface vlan - do not put any other vlans here!!
add interface=bridgecap1 name=Trusted-vlan11 vlan-id=11
/interface list
add name=management
/interface wireless
# As required  phuck capsman
/interface bridge port
add bridge=bridgecap1 ingress-filtering=yes  frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridgecap1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=WLAN1 pvid=11 comment="trusted wifi"
# note: if no management wifi required, then ignore the above line
add bridge=bridgecap1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=WLAN2 pvid=ab comment="wlan for vlan ab"
add bridge=bridgecap1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=WLAN3 pvid=cd comment="wlan for vlan cd"
/ip neighbor discovery-settings
set discover-interface-list=management
/interface bridge vlan
add bridge=bridgecap1 tagged=bridgecap1,ether1  untagged=WLAN1 vlan-ids=11
# note: if no management wifi required then    add bridge=bridgecap1  tagged=bridgecap1,ether1  vlan-ids=11
add bridge=bridgecap1 tagged=ether1  untagged=WLAN2 vlan-ids=ab
add bridge=bridgecap1 tagged=ether1  untagged=WLAN3 vlan-ids=cd
/interface list member
add interface=Trusted-vlan11 list=management
add interface=emergaccess list=management
/ip address
add address=192.168.10.X/24 interface=Trusted-vlan11 network=192.168.10.0  comment="IP of capax1 on trusted subnet"
add address=192.168.55.1/24 interface=emergaccess network=192.168.55.0 comment="ether2 access off bridge"
/ip dns
# Note: Done so all dns requests use trusted subnet
set allow-remote-requests=yes servers=192.168.10.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.10.1 comment="ensures route avail through trusted subnet gateway"
/ip service
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.10.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management

For CAPAX2, copy config and paste and make some very minor changes:

  • to make things clear, simply change bridge to bridgecap2
  • modify IP address of Trusted-Vlan (aka IP address of capax2) to the applicable IP
  • ensure correct vlans are identified to WLANS on /interface bridge ports
  • ensure correct WLANS are identified on /interface bridge vlans.

5 mins tops!

To better understand what I am doing with ether2 → https://forum.mikrotik.com/viewtopic.php?t=181718
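
An added example, not part of the thread or of any poster's configuration: a small Python audit of a RouterOS export for the management-plane points raised above (NAT port forwards to an AP web interface, MAC server and neighbor discovery limited to a management list). The sample export, its addresses and the names `parse_export` and `audit` are constructed for illustration.

```python
import re
import shlex

# Ports of RouterOS management services: ssh, www, www-ssl, winbox, api, api-ssl
MGMT_PORTS = {"22", "80", "443", "8291", "8728", "8729"}

# Constructed sample export (not the config attached in the thread).
SAMPLE = r'''
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=8081 protocol=tcp \
    to-addresses=10.0.0.21 to-ports=80 comment="AP web UI"
/ip neighbor discovery-settings
set discover-interface-list=all
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management
'''

def parse_export(text):
    """Yield (menu, params) for each add/set line of a RouterOS export."""
    text = re.sub(r"\\\n\s*", "", text)  # join continuation lines
    menu = ""
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith(("add ", "set ")):
            tokens = shlex.split(line)[1:]
            yield menu, dict(t.split("=", 1) for t in tokens if "=" in t)

def audit(text):
    """Return findings about management-plane exposure."""
    findings = []
    for menu, p in parse_export(text):
        port = p.get("to-ports", p.get("dst-port"))
        if (menu == "/ip firewall nat" and p.get("action") == "dst-nat"
                and port in MGMT_PORTS):
            findings.append(f"dst-nat to management port {port} "
                            f"on {p.get('to-addresses', '?')}")
        elif (menu.startswith("/tool mac-server")
                and p.get("allowed-interface-list") == "all"):
            findings.append(f"{menu}: allowed on all interfaces")
        elif (menu == "/ip neighbor discovery-settings"
                and p.get("discover-interface-list") == "all"):
            findings.append("neighbor discovery on all interfaces")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An export leaves out settings that are still at their defaults, so a section that is absent from the file is not evaluated by this check.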

A lot of information to understand. I guess my main point is that it used to be easy to add a CAP to our capsman, with just changing it to caps mode. Now with these capax it doesn't seem to cooperate.

Our other setup uses: RouterBOARD 3011UiAS and 8 x RBwAPG-5HacT2HnD