Can't get a DHCP address cAP ax

Since updating both CAP and RB4011 router to 7.13beta2, my new cAPGi-5HaxD2HaxD (ether1) is now not receiving a DHCP address from RB4011 (ether10).

I have reset the CAP device a number of times and verified that the device will receive a DHCP address from the router on a different port. DHCP server on the router has an address for the MAC saying offering, but it will not bind.

I’ve plugged a laptop into ether10 on the RB4011, and it receives an IP from the DHCP server.

;;; VLAN 99
0   bridge  99        bridge          ether10         
                      sfp-sfpplus1



5  H ether10       bridge  yes  99    0x80      10         10                  none

Same port was giving dhcp address to CAP during my attempts to configure prior to the ROS upgrade. I’d since upgraded to 7.13beta2 based on info I’d received back from MT.

So, I need to get this CAP IP and then revisit the joys of CAPsMAN.

Your port 10 is tagged vlan 99?
Then you need to add vlan 99 itf to bridge on cap.
Don’t enable vlan filtering.
And set listen itf for cap to vlan99.
Then it should work.

@holvoetn,

Thank you, port 10 has PVID of 99 and is untagged VLAN99.

Please forgive me, but I must ask because I don’t know what itf means. What does itf mean?

I thought it might have been a typo in another post, but now I’ve seen it used several times.

Interface :laughing:

lol. Of course.

I just reset the CAP AX to CAPS mode. You know. For practice.

Now, on the CAP I have VLAN99 added to bridgeLocal, and tagged bridgeLocal. Bridge VLAN filtering off on the bridgeLocal itf( :laughing: )

Still no IP on the CAP. RB4011 dhcp scope keeps offering to the eth1 MAC of the CAP without success.

No tag bridgelocal needed.
Cap also needs to listen to vlan99 interface.

So I untagged bridgeLocal from VLAN99.

Cap also needs to listen to vlan99 interface.

Um, do you mean change CAP Discoverable interfaces? It was set as bridgeLocal (of which eth1 is a port). I set it to eth1 :question: :question: I mean eth1 is on the bridgeLocal bridge, so I’m not sure what difference that would make. Didn’t, by the looks of it.

Still no IP from VLAN99.

Here’s the config after changes if I interpreted them correctly:

# <insert fixed time here> by RouterOS 7.13beta2
# software id = NV3I-XF25
#
# model = cAPGi-5HaxD2HaxD
# serial number = 
/interface bridge
add admin-mac=*** auto-mac=no comment=defconf name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# no connection to CAPsMAN
add configuration.manager=capsman .mode=ap datapath=capdp radio-mac=****
# no connection to CAPsMAN
add configuration.manager=capsman .mode=ap datapath=capdp radio-mac=****
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface bridge vlan
add bridge=bridgeLocal vlan-ids=99
/interface wifi cap
set discovery-interfaces=ether1 enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system note
set show-at-login=no

When I plug my laptop into eth2 on CAP, it gets an IP on the VLAN99. Still no IP for the CAP.

From the DHCP server RB4011

/ip/dhcp-server/lease> print
Flags: D - DYNAMIC
Columns: ADDRESS, MAC-ADDRESS, HOST-NAME, SERVER, STATUS, LAST-SEEN        
15 D 192.168.99.98   78:9A:18:10:9E:7A  MikroTik                  MGMT    offered    0s           
16 D 192.168.99.99   00:2B:67:C9:3F:07  LenovoP53s             MGMT     bound     2m44s

RB4011 config:

# 2023-11-24 19:58:44 by RouterOS 7.13beta2
# software id = L2GF-7Z2L
#
# model = RB4011iGS+
# serial number = ***
/interface bridge
add admin-mac=*** auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short protocol-mode=mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1-WAN
set [ find default-name=ether2 ] comment=LAN name=ether2-access
set [ find default-name=sfp-sfpplus1 ] loop-protect=on
/interface vlan
add comment="VLAN for Mgmt" interface=bridge name=MGMT vlan-id=99
add comment=Hypervisor interface=bridge name=VLAN10 vlan-id=10
add comment=Servers interface=bridge name=VLAN20 vlan-id=20
add comment=Data interface=bridge name=VLAN30 vlan-id=30
add comment=Work interface=bridge name=VLAN50 vlan-id=50
add comment="Untrusted LAN" interface=bridge name=VLAN60 vlan-id=60
add interface=bridge name=VLAN100-LAB vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Work
add name=VLAN
add name=Winbox
add name=Wifi
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi channel
add disabled=no name="5 Ghz AX"
add band=2ghz-ax disabled=no name="2.5 Ghz AX"
add band=5ghz-a disabled=no name="5Ghz A"
add band=5ghz-n disabled=no name="5Hgz A/N"
add band=5ghz-ac disabled=no name="5Ghz A/C"
add band=2ghz-g disabled=no name="2Ghz G"
add band=2ghz-n disabled=no name="2Ghz N"
/interface wifi datapath
add bridge=bridge disabled=no name=Trusted vlan-id=30
add bridge=bridge disabled=no name=Guest vlan-id=60
add bridge=bridge disabled=no name=IoT vlan-id=60
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=\
    ccmp,ccmp-256 name=Trusted wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=\
    ccmp,ccmp-256 name=Guest wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=\
    ccmp,ccmp-256 name=IoT wps=disable
/interface wifi configuration
add channel="5 Ghz AX" country="United States" datapath=Trusted disabled=no \
    manager=capsman mode=ap name=Trusted security=Trusted ssid=Maranatha
add channel="2.5 Ghz AX" country="United States" datapath=Guest disabled=no \
    manager=capsman mode=ap name=Guest security=Guest ssid=GMaranatha
add channel="2.5 Ghz AX" country="United States" datapath=IoT disabled=no \
    manager=capsman mode=ap name=IoT security=IoT ssid=IMaranatha
/ip ipsec policy group
add name=vpn
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn
/ip ipsec peer
add disabled=yes exchange-mode=ike2 name=vpn passive=yes profile=vpn
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add disabled=yes enc-algorithms=aes-256-cbc name=vpn pfs-group=none
/ip pool
add name=VLAN50 ranges=192.168.50.100-192.168.50.150
add name=VLAN60 ranges=192.168.60.100-192.168.60.150
add name=MGMT ranges=192.168.99.20-192.168.99.100
add name=VLAN30 ranges=192.168.30.100-192.168.30.150
add name=VLAN10 ranges=192.168.10.100-192.168.10.150
add name=VLAN20 ranges=192.168.20.100-192.168.20.150
add name=VLAN100-LAB ranges=10.10.10.100-10.10.10.150
add name=dhcp_pool18 ranges=10.10.10.100-10.10.10.150
/ip dhcp-server
add address-pool=VLAN50 interface=VLAN50 lease-time=10m name=VLAN50
add address-pool=VLAN60 interface=VLAN60 lease-time=10m name=VLAN60
add address-pool=MGMT interface=MGMT lease-time=10m name=MGMT
add address-pool=VLAN30 interface=VLAN30 lease-time=10m name=VLAN30
add address-pool=VLAN10 interface=VLAN10 lease-time=10m name=VLAN10
add address-pool=VLAN20 interface=VLAN20 lease-time=10m name=VLAN20
add address-pool=VLAN100-LAB interface=VLAN100-LAB lease-time=10m name=\
    VLAN100-LAB
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 \
    internal-path-cost=10 path-cost=10 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 \
    internal-path-cost=10 path-cost=10 pvid=60
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 \
    internal-path-cost=10 path-cost=10 pvid=60
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7 \
    internal-path-cost=10 path-cost=10 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 \
    internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether10 \
    internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 \
    internal-path-cost=10 path-cost=10 pvid=50
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether8 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set enabled=yes loose-tcp-tracking=no tcp-established-timeout=30m
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=4096 rp-filter=loose
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge comment="VLAN 99" tagged=bridge,sfp-sfpplus1,ether8,ether10 \
    untagged=ether9 vlan-ids=99
add bridge=bridge comment="VLAN 50" tagged=\
    bridge,sfp-sfpplus1,ether10,*26,ether8 untagged=ether5 vlan-ids=50
add bridge=bridge comment="VLAN 60" tagged=bridge,sfp-sfpplus1,ether10,ether8 \
    untagged=ether4 vlan-ids=60
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether10,ether8 untagged=\
    ether7,ether3 vlan-ids=30
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether10,ether8 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1,*26,ether10,ether8 vlan-ids=20
add bridge=bridge comment=LAB tagged=bridge,sfp-sfpplus1,ether10,*26 \
    vlan-ids=100
add bridge=bridge vlan-ids=""
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf disabled=yes interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=VLAN50 list=VLAN
add interface=VLAN60 list=VLAN
add interface=VLAN30 list=VLAN
add interface=VLAN10 list=VLAN
add interface=VLAN20 list=VLAN
add disabled=yes interface=bridge list=Winbox
add interface=MGMT list=Winbox
add interface=VLAN30 list=Winbox
add interface=ether2-access list=Winbox
add interface=MGMT list=VLAN
add interface=VLAN100-LAB list=VLAN
add interface=*26 list=Wifi
/interface ovpn-server server
set auth=sha1,md5
/interface wifi cap
set discovery-interfaces=bridge
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=Trusted \
    name-format="" radio-mac=78:9A:18:10:9E:7D slave-configurations=IoT,Guest
add action=create-dynamic-enabled disabled=no master-configuration=Trusted \
    name-format="" radio-mac=78:9A:18:10:9E:7C slave-configurations=IoT,Guest
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
    network=192.168.88.0
add address=192.168.99.1/24 comment=MGMT interface=MGMT network=192.168.99.0
add address=192.168.50.1/24 comment=WORK interface=VLAN50 network=\
    192.168.50.0
add address=192.168.60.1/24 comment="Untrusted LAN" interface=VLAN60 network=\
    192.168.60.0
add address=192.168.30.1/24 comment=Data interface=VLAN30 network=\
    192.168.30.0
add address=192.168.10.1/24 comment=Hyper interface=VLAN10 network=\
    192.168.10.0
add address=192.168.20.1/24 comment=Servers interface=VLAN20 network=\
    192.168.20.0
add address=192.168.5.1/24 interface=ether2-access network=192.168.5.0
add address=10.10.10.1/24 comment=LAB interface=VLAN100-LAB network=\
    10.10.10.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add interface=ether1-WAN use-peer-dns=no
/ip dhcp-server
add address-pool=*1 disabled=yes interface=bridge lease-time=10m name=defconf
/ip dhcp-server lease
add address=192.168.30.103 client-id=1:74:d8:3e:8b:f4:89 mac-address=\
    74:D8:3E:8B:F4:89 server=VLAN30
add address=192.168.30.109 client-id=1:9c:3d:cf:c:8f:c0 mac-address=\
    9C:3D:CF:0C:8F:C0 server=VLAN30
add address=192.168.50.100 client-id=1:d8:bb:c1:7a:37:81 mac-address=\
    D8:BB:C1:7A:37:81 server=VLAN50
add address=192.168.88.254 client-id=1:0:2b:67:c9:3f:7 mac-address=\
    00:2B:67:C9:3F:07 server=defconf
add address=192.168.20.100 client-id=\
    ff:7f:2a:fd:a7:0:1:0:1:2b:88:c8:3e:0:c:29:52:36:5b mac-address=\
    9E:E2:7F:2A:FD:A7 server=VLAN20
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=192.168.10.0/24 comment=Hyper gateway=192.168.10.1
add address=192.168.20.0/24 comment=Server gateway=192.168.20.1
add address=192.168.30.0/24 comment=Data dns-server=192.168.20.5 gateway=\
    192.168.30.1
add address=192.168.50.0/24 comment=Work gateway=192.168.50.1
add address=192.168.60.0/24 comment="Untrusted LAN" gateway=192.168.60.1
add address=192.168.99.0/24 comment=MGMT gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=30m max-concurrent-queries=1000 \
    max-concurrent-tcp-sessions=2000 servers=1.1.1.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
/ip firewall filter
*****
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid for input chain" \
    connection-state=invalid log=yes log-prefix=\
    "defconf: drop invalid input chain"
add action=accept chain=input comment="defconf: accept ICMP" in-interface=\
    !ether1-WAN protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN,RADUIS,User manager..)" \
    dst-address=127.0.0.1 log=yes log-prefix="ACCEPT - CAPsMan local ip"
add action=accept chain=input dst-port=8291,8844 in-interface=!ether1-WAN \
    log=yes log-prefix=WinboxNOTwan protocol=tcp src-address-list=\
    allowed_to_router
add action=accept chain=input comment="CAPSMANAGER Discovery" dst-port=\
    5246,5247 protocol=udp
add action=accept chain=input comment="CAPSMANAGER Discovery" protocol=udp \
    src-port=5246,5247
add action=accept chain=input comment="Allow LAN DNS queries-UDP BRIDGE" \
    dst-port=53,123 in-interface-list=VLAN log=yes log-prefix=\
    "Allow UDP DNS bridge" protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries-TCP BRIDGE" \
    dst-port=53 in-interface-list=VLAN log=yes log-prefix=\
    "TCP DNS for VLANS bridge" protocol=tcp
add action=accept chain=input comment=\
    "IP addresses that are allowed to access the router" log=yes log-prefix=\
    Winbox src-address-list=allowed_to_router
add action=accept chain=input comment="EMERGENCY WINBOX ACCESS - ETH2" \
    in-interface=ether2-access src-address=192.168.5.55
add action=reject chain=input comment="useful for tracking LAN issues" \
    in-interface-list=VLAN log=yes log-prefix="icmp prohibited" reject-with=\
    icmp-admin-prohibited
add action=accept chain=input log=yes log-prefix="ACCEPT - AP src mac" \
    src-mac-address=78:9A:18:10:9E:7A
add action=drop chain=input comment="Drop All Else" log=yes log-prefix=\
    "Drop All Else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="DNS server udp" dst-address-list=\
    DNS01 dst-port=53 in-interface-list=VLAN log=yes log-prefix=\
    "DNS server udp" protocol=udp
add action=accept chain=forward comment="DNS server tcp" dst-address-list=\
    DNS01 dst-port=53 in-interface-list=VLAN log=yes log-prefix=\
    "DNS server tcp" protocol=tcp
add action=accept chain=forward dst-port=22,3389,5901 in-interface=VLAN30 \
    log=yes log-prefix="SSH out" out-interface=ether1-WAN protocol=tcp
add action=accept chain=forward comment="VLAN Internet Access only!" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward dst-address-list=VLAN100-LABRouter \
    src-address-list=allowed_to_LAB
add action=accept chain=forward comment="WORK PC to Prox Home Servers" \
    dst-address-list="Prox Home" dst-port=8006,8007 protocol=tcp \
    src-address-list=WORKPC
add action=drop chain=forward dst-address-list=!WORK src-address-list=WORK
add action=accept chain=forward comment="VLAN30 to ProxMox Mgmt interface" \
    dst-address-list=VLAN20 dst-port=8006,80,443,9443,3389,5900,5901,8007 \
    protocol=tcp src-address-list=VLAN30
add action=accept chain=forward comment="VLAN30 to ProxMox Mgmt interface" \
    dst-address-list=VLAN20 dst-port=8006,8007 protocol=tcp src-address-list=\
    MGMT_address
add action=accept chain=forward comment="Aruba Switch Admin page" \
    dst-address-list="ARUBAS SWITCH" dst-port=4343 log=yes log-prefix=\
    "Aruba Web Interface" protocol=tcp src-address-list=allowed_to_router
add action=accept chain=forward comment="ICMP from Allowed to VLAN" log=yes \
    log-prefix="ICMP Allowed list to VLAN" out-interface-list=VLAN protocol=\
    icmp src-address-list=allowed_to_router
add action=accept chain=forward comment="Remote access to LAB Sonicwall" \
    dst-address-list=VLAN100-LAB dst-port=80,443,4433 log=yes log-prefix=\
    "VLAN100-LAB remote access" protocol=tcp src-address-list=\
    allowed_to_router
add action=accept chain=forward comment="Proxmox FileServer Admin" \
    dst-address=192.168.20.50 dst-port=9090 log=yes log-prefix=\
    "To Proxmox File Server" protocol=tcp src-address-list=allowed_to_router
add action=accept chain=forward comment="VLAN30 to ProxMox ssh by IP" \
    dst-address-list=VLAN20 dst-port=22 protocol=tcp src-address-list=VLAN30
add action=accept chain=forward dst-address-list=ProxMoxFileServer dst-port=\
    445 protocol=tcp src-address-list=VLAN30
add action=accept chain=forward comment="To Wazuh TCP" dst-address-list=\
    Ubuntu-Portainer dst-port=1514,1515,55000,9200 in-interface-list=VLAN \
    log=yes log-prefix=DestWazuhTCP protocol=tcp
add action=accept chain=forward comment="To Wazuh UDP" dst-address-list=\
    Ubuntu-Portainer dst-port=514 in-interface-list=VLAN log=yes log-prefix=\
    DestWazuhUDP protocol=udp
add action=accept chain=forward dst-address=192.168.20.100 src-address=\
    192.168.30.103
add action=reject chain=forward in-interface-list=LAN log=yes log-prefix=\
    "ICMP prohibited" reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="Drop All Else" log=yes log-prefix=\
    "Drop All Else"
add action=drop chain=prerouting comment=\
    "drop non-legit src-addresses hitting WAN side" in-interface-list=WAN \
    src-address-list=unexpected-src-address-hitting-ISP
add action=drop chain=prerouting comment=\
    "drop non-legit src-addresses hitting WAN side" in-interface-list=WAN \
    src-address-list=unexpected-src-address-hitting-ISP
add action=drop chain=prerouting comment=\
    "drop non-legit src-addresses hitting WAN side" in-interface-list=WAN \
    src-address-list=unexpected-src-address-hitting-ISP
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none log=yes log-prefix=NAT_MASQ_LAB out-interface=\
    VLAN100-LAB
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent fi\
    rewall to quickly disable RAW filtering without disabling all RAW rules" \
    disabled=yes log=yes log-prefix="RAW FILTER DISABLED!!"
add action=drop chain=prerouting comment=\
    "drop non-legit src-addresses hitting WAN side" in-interface-list=WAN \
    log=yes log-prefix="Incoming WAN invalid src addy" src-address-list=\
    unexpected-src-address-hitting-ISP
add action=drop chain=prerouting comment=\
    "drop non-legit dst-addresses hitting WAN side" dst-address-list=\
    !expected-dst-address-to-my-ISP in-interface-list=WAN log=yes log-prefix=\
    "Incoming WAN invalid dst addy"
add action=drop chain=prerouting comment=\
    "drop non-legit traffic coming from LAN" in-interface-list=LAN log=yes \
    log-prefix="non-legit FROM LAN" src-address-list=\
    !expected-address-from-LAN
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=bad_ipv4
add action=drop chain=prerouting comment="Non-LAN IP coming from LAN" \
    in-interface-list=LAN log=yes log-prefix="Non-LAN ip coming from LAN" \
    src-address-list=!LAN
/ip ipsec identity
add auth-method=digital-signature certificate="Home server2" comment=\
    "Home client2" disabled=yes generate-policy=port-strict match-by=\
    certificate mode-config=vpn peer=vpn policy-template-group=vpn \
    remote-certificate="Home client2"
add auth-method=digital-signature certificate="Home server" comment=\
    "Home client1" disabled=yes generate-policy=port-strict match-by=\
    certificate mode-config=vpn peer=vpn policy-template-group=vpn \
    remote-certificate="Home client1"
/ip ipsec mode-config
add address-pool=*D name=vpn
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=0.0.0.0/0 group=vpn proposal=vpn src-address=\
    0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=20022
set www-ssl address=192.168.30.103/32,192.168.88.0/24,192.168.99.0/24 \
    certificate=https-cert disabled=no port=8844 tls-version=only-1.2
set api disabled=yes
set winbox address=\
    192.168.88.0/24,192.168.99.0/24,192.168.30.103/32,192.168.5.0/24
set api-ssl disabled=yes
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ip traffic-flow
set interfaces=VLAN50
/ipv6 firewall address-list
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=fe02::/48 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
    bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
    not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
    not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
    not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: allow established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/16
add action=drop chain=input disabled=yes in-interface=ether1-WAN log=yes \
    log-prefix=dropLL_from_public src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" \
    src-address-list=allowed
add action=drop chain=input disabled=yes
add action=accept chain=forward comment=established,related connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accepts icmpv6 after raw" \
    in-interface=!ether1-WAN protocol=icmpv6
add action=drop chain=forward disabled=yes log-prefix=IPV6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall"
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv6
/system clock
set time-zone-autodetect=no time-zone-name=America/New_York
/system identity
set name=RB4011
/system note
set note="Be Careful!" show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes local-clock-stratum=4 manycast=yes \
    use-local-clock=yes
/system ntp client servers
add address=162.159.200.1
add address=162.159.200.123
/system package update
set channel=testing
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=Winbox
/tool mac-server ping
set enabled=no
/tool romon
set enabled=yes

CAP AX is connected to Ether10 on the RB4011

A couple of misinterpretations on CAP config:


/interface bridge
add admin-mac=*** auto-mac=no comment=defconf name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp

====ADD ===
/interface vlan
add interface=bridgeLocal name=VLAN99 vlan-id=99

/interface wifi
# no connection to CAPsMAN
add configuration.manager=capsman .mode=ap datapath=capdp radio-mac=****
# no connection to CAPsMAN
add configuration.manager=capsman .mode=ap datapath=capdp radio-mac=****

/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface bridge vlan
add bridge=bridgeLocal vlan-ids=99
/interface wifi cap
set discovery-interfaces=ether1 enabled=yes slaves-datapath=capdp
=== CHANGE TO ===
set discovery-interfaces=> VLAN99 > enabled=yes slaves-datapath=capdp

/ip dhcp-client
add comment=defconf interface=bridgeLocal
=== CHANGE TO === (forgot this one)
add comment=defconf interface=> VLAN99

/system note
set show-at-login=no

Side comment:
personally I would increase lease times on some of those DHCP parts.
10m is too short for most (and it will cause unnecessary writes to flash each time a new lease is handed out)
Guest wifi could be relatively shorter (1h), rest I would put at 4h, even 1d.

On your RB4011-config (I was suspecting the problem was there):


/interface bridge vlan
add bridge=bridge comment="VLAN 99" tagged=bridge,sfp-sfpplus1,ether8,ether10 \
    untagged=ether9 vlan-ids=99

Your ether10 is TAGGED.
So it’s a mix of both worlds you made …
And that’s why a PC will get a lease and your CAP does not.
PC doesn’t know a thing about VLAN tags.

Make a decision.
Either ether10 is UNtagged and then you need to move it to the untagged section.
In that case, reset CAP device again to caps mode and it will work.
No VLANs can be used there with this config !

Or you use ether10 as a trunk port if you want to use other VLANs on that AP, and then you can leave it as it is now.
And the setup I gave you will work then (after you corrected those modifications).
But then I would advise changing the ether10 port to “Admit only VLAN tagged” to keep things clean.

For reference:
review this excellent guide again on setting up vlans by pcunite, I’m sure you missed some parts in it.
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
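The contradiction holvoetn points out (ether10 has pvid=99 and admits only untagged frames, yet sits in the tagged= list for VLAN 99, so the CAP's untagged DHCP DISCOVER enters VLAN 99 but the OFFER leaves the port tagged and the lease stays at "offered") is easy to catch mechanically. The following Python linter is an added example, not code from the thread or from MikroTik: it parses the `/interface bridge port` and `/interface bridge vlan` sections of a RouterOS export (joining the backslash-wrapped lines) and flags any port whose PVID VLAN is also in its tagged= set. The two exports embedded below are constructed excerpts modelled on the RB4011 config above (the broken one and the "ether10 untagged" fix), and ports without an explicit pvid are assumed to use RouterOS's default of 1.

```python
"""Lint a RouterOS export for access ports that are also tagged on their own PVID.

Added example (not from the forum thread). Only 'add' lines in the two bridge
sections are inspected; 'set' lines are ignored.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the RB4011 export in the thread: ether10 is an
# untagged access port (pvid=99) but VLAN 99 also lists it as tagged.
BROKEN_EXPORT = r"""
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 \
    internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether10 \
    internal-path-cost=10 path-cost=10 pvid=99
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=sfp-sfpplus1 internal-path-cost=10 path-cost=10
/interface bridge vlan
add bridge=bridge comment="VLAN 99" tagged=bridge,sfp-sfpplus1,ether8,ether10 \
    untagged=ether9 vlan-ids=99
"""

# Same excerpt with the "access port" fix applied: ether10 moved to untagged=.
FIXED_EXPORT = BROKEN_EXPORT.replace(
    "tagged=bridge,sfp-sfpplus1,ether8,ether10 \\\n    untagged=ether9",
    "tagged=bridge,sfp-sfpplus1,ether8 \\\n    untagged=ether9,ether10",
)

_KV = re.compile(r'(\S+?)=("[^"]*"|\S*)')  # key=value or key="quoted value"
ACCESS_ONLY = "admit-only-untagged-and-priority-tagged"


def _join_continuations(text: str) -> List[str]:
    """Undo export wrapping: a trailing backslash joins the next (indented) line."""
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    return lines


def parse_export(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Return {section path: [ {key: value, ...} per 'add' line ]}."""
    sections: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    current = ""
    for line in _join_continuations(text):
        if line.startswith("#"):
            continue  # export comments (timestamp, model, ...)
        if line.startswith("/"):
            current = line
            continue
        verb, _, rest = line.partition(" ")
        if verb == "add":
            sections[current].append({k: v.strip('"') for k, v in _KV.findall(rest)})
    return sections


def _expand_vlan_ids(spec: str) -> List[int]:
    """'99' -> [99]; '10,20-22' -> [10, 20, 21, 22]."""
    out: List[int] = []
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        out.extend(range(int(lo), int(hi or lo) + 1))
    return out


def find_tag_conflicts(text: str) -> List[Tuple[str, int, str]]:
    """(port, vlan, frame-types) for every port whose PVID VLAN also tags it."""
    cfg = parse_export(text)
    pvid_of: Dict[str, Tuple[int, str]] = {}
    for p in cfg.get("/interface bridge port", []):
        if "interface" in p:
            # Assumption: missing pvid means the RouterOS default of 1.
            pvid_of[p["interface"]] = (int(p.get("pvid", "1")), p.get("frame-types", "admit-all"))
    conflicts: List[Tuple[str, int, str]] = []
    for v in cfg.get("/interface bridge vlan", []):
        tagged = sorted(filter(None, v.get("tagged", "").split(",")))
        for vid in _expand_vlan_ids(v.get("vlan-ids", "")):
            for port in tagged:
                if port in pvid_of and pvid_of[port][0] == vid:
                    conflicts.append((port, vid, pvid_of[port][1]))
    return conflicts


def explain(conflict: Tuple[str, int, str]) -> str:
    """Human-readable finding with the two consistent ways out (access or trunk)."""
    port, vid, frame_types = conflict
    return (f"{port}: pvid={vid}, frame-types={frame_types}, but {port} is in tagged= "
            f"for VLAN {vid}. Untagged client frames enter VLAN {vid}, yet replies such "
            f"as the DHCP OFFER leave {port} tagged. Either move {port} to untagged= for "
            f"VLAN {vid} (access port) or keep it tagged and set "
            f"frame-types=admit-only-vlan-tagged (trunk).")


if __name__ == "__main__":
    for label, export in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        found = find_tag_conflicts(export)
        print(f"{label}: {len(found)} conflict(s)")
        for c in found:
            print("  " + explain(c))
```

Running it against the broken excerpt reports ether10 once; the fixed excerpt (ether10 in untagged=) reports nothing. The trunk alternative from the post (leave ether10 tagged, set frame-types=admit-only-vlan-tagged, and give the CAP a VLAN99 interface) would also pass once pvid=99 is removed from the port, since the port then no longer has VLAN 99 as its PVID.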