Cap AX: Windows Clients: "Can't connect to this network"

User4011 · November 19, 2023, 6:20pm

My first experience with an MT AP and CAPsMAN.

Router: RB4011
Cap ax: cAPGi-5HaxD2HaxD connected on ether10 which has VLANs tagged.
3 SSID on two VLANS (will add a 3rd, but want to get clients connecting with IPs from their respective DHCPs)

All existing VLANS are working correctly elsewhere, but it seems I’m missing something rather simple most likely.

I may not be looking for the correct thing in the log, but if I’m searching for the radio MAC, I’m not getting much information showing me why I am not connecting.

I believe I have the AP in CAP mode correctly. Odd thing is since I upgraded the AP, I can’t reset the device to factory default anymore. I’m not sure that I need to at the moment, but why I cannot is unclear to me. Same method worked at least 5 times prior to me discovering RoS software / package mismatch version issue. Upgraded and have everything on 7.12 and RB4011 now sees and adds the interface.

Grateful for any assistance and will provide further info if requested.

Config (minus IP address list)

# 2023-11-18 19:35:22 by RouterOS 7.12
# software id = L2GF-7Z2L
#
# model = RB4011iGS+
# serial number = F0260E1487C0
/interface bridge
add admin-mac=2C:C8:1B:2D:40:6D auto-mac=no comment=defconf name=bridge \
    protocol-mode=mstp vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1-WAN
set [ find default-name=ether2 ] comment=LAN name=ether2-access
set [ find default-name=sfp-sfpplus1 ] loop-protect=on
/interface wifiwave2
add name=cap-wifi1 radio-mac=78:9A:18:10:9E:7C
/interface vlan
add comment="VLAN for Mgmt" interface=bridge name=MGMT vlan-id=99
add comment=Hypervisor interface=bridge name=VLAN10 vlan-id=10
add comment=Servers interface=bridge name=VLAN20 vlan-id=20
add comment=Data interface=bridge name=VLAN30 vlan-id=30
add comment=Work interface=bridge name=VLAN50 vlan-id=50
add comment="Untrusted LAN" interface=bridge name=VLAN60 vlan-id=60
add interface=bridge name=VLAN100-LAB vlan-id=100
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Work
add name=VLAN
add name=Winbox
add name=Wifi
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifiwave2 channel
add disabled=no name="5 Ghz AX"
add band=2ghz-ax disabled=no name="2.5 Ghz AX"
add band=5ghz-a disabled=no name="5Ghz A"
add band=5ghz-n disabled=no name="5Hgz A/N"
add band=5ghz-ac disabled=no name="5Ghz A/C"
add band=2ghz-g disabled=no name="2Ghz G"
add band=2ghz-n disabled=no name="2Ghz N"
/interface wifiwave2 datapath
add bridge=bridge disabled=no name=Trusted vlan-id=30
add bridge=bridge disabled=no name=Guest vlan-id=60
add bridge=bridge disabled=no name=IoT vlan-id=60
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=\
    ccmp,ccmp-256 name=Trusted wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=\
    ccmp,ccmp-256 name=Guest wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=\
    ccmp,ccmp-256 name=IoT wps=disable
/interface wifiwave2 configuration
add country="United States" datapath=Trusted disabled=no manager=\
    capsman-or-local mode=ap name=Trusted security=Trusted ssid=Maranatha
add channel="5 Ghz AX" country="United States" datapath=Guest disabled=no \
    manager=capsman-or-local mode=ap name=Guest security=Guest ssid=Guest
add channel="2.5 Ghz AX" country="United States" datapath=IoT disabled=no \
    manager=capsman-or-local mode=ap name=IoT security=IoT ssid=IoTElm
/ip ipsec policy group
add name=vpn
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-256 hash-algorithm=sha256 name=vpn
/ip ipsec peer
add disabled=yes exchange-mode=ike2 name=vpn passive=yes profile=vpn
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add disabled=yes enc-algorithms=aes-256-cbc name=vpn pfs-group=none
/ip pool
add name=VLAN50 ranges=192.168.50.100-192.168.50.150
add name=VLAN60 ranges=192.168.60.100-192.168.60.150
add name=MGMT ranges=192.168.99.20-192.168.99.100
add name=VLAN30 ranges=192.168.30.100-192.168.30.150
add name=VLAN10 ranges=192.168.10.100-192.168.10.150
add name=VLAN20 ranges=192.168.20.100-192.168.20.150
add name=VLAN100-LAB ranges=10.10.10.100-10.10.10.150
add name=dhcp_pool18 ranges=10.10.10.100-10.10.10.150
/ip dhcp-server
add address-pool=VLAN50 interface=VLAN50 lease-time=10m name=VLAN50
add address-pool=VLAN60 interface=VLAN60 lease-time=10m name=VLAN60
add address-pool=MGMT interface=MGMT lease-time=10m name=MGMT
add address-pool=VLAN30 interface=VLAN30 lease-time=10m name=VLAN30
add address-pool=VLAN10 interface=VLAN10 lease-time=10m name=VLAN10
add address-pool=VLAN20 interface=VLAN20 lease-time=10m name=VLAN20
add address-pool=VLAN100-LAB interface=VLAN100-LAB lease-time=10m name=\
    VLAN100-LAB
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
add disabled=no name=default-v3 version=3
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
add disabled=yes instance=default-v3 name=backbone-v3
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=60
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=60
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7 pvid=30
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether9 pvid=99
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether10
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=sfp-sfpplus1
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=50
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether8
/ip firewall connection tracking
set enabled=yes loose-tcp-tracking=no tcp-established-timeout=30m
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=4096 rp-filter=loose
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge comment="VLAN 99" tagged=bridge,sfp-sfpplus1,ether8,ether10 \
    untagged=ether9 vlan-ids=99
add bridge=bridge comment="VLAN 50" tagged=\
    bridge,sfp-sfpplus1,ether10,*26,ether8 untagged=ether5 vlan-ids=50
add bridge=bridge comment="VLAN 60" tagged=bridge,sfp-sfpplus1,ether10,ether8 \
    untagged=ether4 vlan-ids=60
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether10,ether8 untagged=\
    ether7,ether3 vlan-ids=30
add bridge=bridge tagged=bridge,sfp-sfpplus1,ether10,ether8 vlan-ids=10
add bridge=bridge tagged=bridge,sfp-sfpplus1,*26,ether10,ether8 vlan-ids=20
add bridge=bridge comment=LAB tagged=bridge,sfp-sfpplus1,ether10,*26 \
    vlan-ids=100
/interface list member
add comment=defconf disabled=yes interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=VLAN50 list=VLAN
add interface=VLAN60 list=VLAN
add interface=VLAN30 list=VLAN
add interface=VLAN10 list=VLAN
add interface=VLAN20 list=VLAN
add disabled=yes interface=bridge list=Winbox
add interface=MGMT list=Winbox
add interface=VLAN30 list=Winbox
add interface=ether2-access list=Winbox
add interface=MGMT list=VLAN
add interface=VLAN100-LAB list=VLAN
add interface=*26 list=Wifi
/interface ovpn-server server
set auth=sha1,md5
/interface wifiwave2 cap
set discovery-interfaces=bridge enabled=yes
/interface wifiwave2 capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=Trusted \
    name-format="" radio-mac=78:9A:18:10:9E:7D slave-configurations=IoT,Guest
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
    network=192.168.88.0
add address=192.168.99.1/24 comment=MGMT interface=MGMT network=192.168.99.0
add address=192.168.50.1/24 comment=WORK interface=VLAN50 network=\
    192.168.50.0
add address=192.168.60.1/24 comment="Untrusted LAN" interface=VLAN60 network=\
    192.168.60.0
add address=192.168.30.1/24 comment=Data interface=VLAN30 network=\
    192.168.30.0
add address=192.168.10.1/24 comment=Hyper interface=VLAN10 network=\
    192.168.10.0
add address=192.168.20.1/24 comment=Servers interface=VLAN20 network=\
    192.168.20.0
add address=192.168.5.1/24 interface=ether2-access network=192.168.5.0
add address=10.10.10.1/24 comment=LAB interface=VLAN100-LAB network=\
    10.10.10.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add interface=ether1-WAN use-peer-dns=no
/ip dhcp-server
add address-pool=*1 disabled=yes interface=bridge lease-time=10m name=defconf
/ip dhcp-server lease
add address=192.168.30.103 client-id=1:74:d8:3e:8b:f4:89 mac-address=\
    74:D8:3E:8B:F4:89 server=VLAN30
add address=192.168.30.109 client-id=1:9c:3d:cf:c:8f:c0 mac-address=\
    9C:3D:CF:0C:8F:C0 server=VLAN30
add address=192.168.50.100 client-id=1:d8:bb:c1:7a:37:81 mac-address=\
    D8:BB:C1:7A:37:81 server=VLAN50
add address=192.168.88.254 client-id=1:0:2b:67:c9:3f:7 mac-address=\
    00:2B:67:C9:3F:07 server=defconf
add address=192.168.20.100 client-id=\
    ff:7f:2a:fd:a7:0:1:0:1:2b:88:c8:3e:0:c:29:52:36:5b mac-address=\
    9E:E2:7F:2A:FD:A7 server=VLAN20
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=192.168.10.0/24 comment=Hyper gateway=192.168.10.1
add address=192.168.20.0/24 comment=Server gateway=192.168.20.1
add address=192.168.30.0/24 comment=Data dns-server=192.168.20.5 gateway=\
    192.168.30.1
add address=192.168.50.0/24 comment=Work gateway=192.168.50.1
add address=192.168.60.0/24 comment="Untrusted LAN" gateway=192.168.60.1
add address=192.168.99.0/24 comment=MGMT gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=30m max-concurrent-queries=1000 \
    max-concurrent-tcp-sessions=2000 servers=1.1.1.1 use-doh-server=\
    https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com
add address=104.16.249.249 name=cloudflare-dns.com
/ip firewall address-list
/ip firewall filter
##excluded for brevity
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid for input chain" \
    connection-state=invalid log=yes log-prefix=\
    "defconf: drop invalid input chain"
add action=accept chain=input comment="defconf: accept ICMP" in-interface=\
    !ether1-WAN protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN,RADUIS,User manager..)" \
    dst-address=127.0.0.1 log=yes log-prefix="ACCEPT - CAPsMan local ip"
add action=accept chain=input dst-port=8291,8844 in-interface=!ether1-WAN \
    log=yes log-prefix=WinboxNOTwan protocol=tcp src-address-list=\
    allowed_to_router
add action=accept chain=input comment="CAPSMANAGER Discovery" dst-port=\
    5246,5247 protocol=udp
add action=accept chain=input comment="CAPSMANAGER Discovery" protocol=udp \
    src-port=5246,5247
add action=accept chain=input comment="Allow LAN DNS queries-UDP BRIDGE" \
    dst-port=53,123 in-interface-list=VLAN log=yes log-prefix=\
    "Allow UDP DNS bridge" protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries-TCP BRIDGE" \
    dst-port=53 in-interface-list=VLAN log=yes log-prefix=\
    "TCP DNS for VLANS bridge" protocol=tcp
add action=accept chain=input comment=\
    "IP addresses that are allowed to access the router" log=yes log-prefix=\
    Winbox src-address-list=allowed_to_router
add action=accept chain=input comment="EMERGENCY WINBOX ACCESS - ETH2" \
    in-interface=ether2-access src-address=192.168.5.55
add action=reject chain=input comment="useful for tracking LAN issues" \
    in-interface-list=VLAN log=yes log-prefix="icmp prohibited" reject-with=\
    icmp-admin-prohibited
add action=accept chain=input log=yes log-prefix="ACCEPT - AP src mac" \
    src-mac-address=78:9A:18:10:9E:7A
add action=drop chain=input comment="Drop All Else" log=yes log-prefix=\
    "Drop All Else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="DNS server udp" dst-address-list=\
    DNS01 dst-port=53 in-interface-list=VLAN log=yes log-prefix=\
    "DNS server udp" protocol=udp
add action=accept chain=forward comment="DNS server tcp" dst-address-list=\
    DNS01 dst-port=53 in-interface-list=VLAN log=yes log-prefix=\
    "DNS server tcp" protocol=tcp
add action=accept chain=forward dst-port=22,3389,5901 in-interface=VLAN30 \
    log=yes log-prefix="SSH out" out-interface=ether1-WAN protocol=tcp
add action=accept chain=forward comment="VLAN Internet Access only!" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward dst-address-list=VLAN100-LABRouter \
    src-address-list=allowed_to_LAB
add action=accept chain=forward comment="WORK PC to Prox Home Servers" \
    dst-address-list="Prox Home" dst-port=8006,8007 protocol=tcp \
    src-address-list=WORKPC
add action=drop chain=forward dst-address-list=!WORK src-address-list=WORK
add action=accept chain=forward comment="VLAN30 to ProxMox Mgmt interface" \
    dst-address-list=VLAN20 dst-port=8006,80,443,9443,3389,5900,5901,8007 \
    protocol=tcp src-address-list=VLAN30
add action=accept chain=forward comment="VLAN30 to ProxMox Mgmt interface" \
    dst-address-list=VLAN20 dst-port=8006,8007 protocol=tcp src-address-list=\
    MGMT_address
add action=accept chain=forward comment="Aruba Switch Admin page" \
    dst-address-list="ARUBAS SWITCH" dst-port=4343 log=yes log-prefix=\
    "Aruba Web Interface" protocol=tcp src-address-list=allowed_to_router
add action=accept chain=forward comment="ICMP from Allowed to VLAN" log=yes \
    log-prefix="ICMP Allowed list to VLAN" out-interface-list=VLAN protocol=\
    icmp src-address-list=allowed_to_router
add action=accept chain=forward comment="Remote access to LAB Sonicwall" \
    dst-address-list=VLAN100-LAB dst-port=80,443,4433 log=yes log-prefix=\
    "VLAN100-LAB remote access" protocol=tcp src-address-list=\
    allowed_to_router
add action=accept chain=forward comment="Proxmox FileServer Admin" \
    dst-address=192.168.20.50 dst-port=9090 log=yes log-prefix=\
    "To Proxmox File Server" protocol=tcp src-address-list=allowed_to_router
add action=accept chain=forward comment="VLAN30 to ProxMox ssh by IP" \
    dst-address-list=VLAN20 dst-port=22 protocol=tcp src-address-list=VLAN30
add action=accept chain=forward dst-address-list=ProxMoxFileServer dst-port=\
    445 protocol=tcp src-address-list=VLAN30
add action=accept chain=forward comment="To Wazuh TCP" dst-address-list=\
    Ubuntu-Portainer dst-port=1514,1515,55000,9200 in-interface-list=VLAN \
    log=yes log-prefix=DestWazuhTCP protocol=tcp
add action=accept chain=forward comment="To Wazuh UDP" dst-address-list=\
    Ubuntu-Portainer dst-port=514 in-interface-list=VLAN log=yes log-prefix=\
    DestWazuhUDP protocol=udp
add action=accept chain=forward dst-address=192.168.20.100 src-address=\
    192.168.30.103
add action=reject chain=forward in-interface-list=LAN log=yes log-prefix=\
    "ICMP prohibited" reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="Drop All Else" log=yes log-prefix=\
    "Drop All Else"
add action=drop chain=prerouting comment=\
    "drop non-legit src-addresses hitting WAN side" in-interface-list=WAN \
    src-address-list=unexpected-src-address-hitting-ISP
add action=drop chain=prerouting comment=\
    "drop non-legit src-addresses hitting WAN side" in-interface-list=WAN \
    src-address-list=unexpected-src-address-hitting-ISP
add action=drop chain=prerouting comment=\
    "drop non-legit src-addresses hitting WAN side" in-interface-list=WAN \
    src-address-list=unexpected-src-address-hitting-ISP
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none log=yes log-prefix=NAT_MASQ_LAB out-interface=\
    VLAN100-LAB
/ip firewall raw
add action=accept chain=prerouting comment="defconf: enable for transparent fi\
    rewall to quickly disable RAW filtering without disabling all RAW rules" \
    disabled=yes log=yes log-prefix="RAW FILTER DISABLED!!"
add action=drop chain=prerouting comment=\
    "drop non-legit src-addresses hitting WAN side" in-interface-list=WAN \
    log=yes log-prefix="Incoming WAN invalid src addy" src-address-list=\
    unexpected-src-address-hitting-ISP
add action=drop chain=prerouting comment=\
    "drop non-legit dst-addresses hitting WAN side" dst-address-list=\
    !expected-dst-address-to-my-ISP in-interface-list=WAN log=yes log-prefix=\
    "Incoming WAN invalid dst addy"
add action=drop chain=prerouting comment=\
    "drop non-legit traffic coming from LAN" in-interface-list=LAN log=yes \
    log-prefix="non-legit FROM LAN" src-address-list=\
    !expected-address-from-LAN
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=bad_ipv4
add action=drop chain=prerouting comment="Non-LAN IP coming from LAN" \
    in-interface-list=LAN log=yes log-prefix="Non-LAN ip coming from LAN" \
    src-address-list=!LAN
/ip ipsec identity
add auth-method=digital-signature certificate="Home server2" comment=\
    "Home client2" disabled=yes generate-policy=port-strict match-by=\
    certificate mode-config=vpn peer=vpn policy-template-group=vpn \
    remote-certificate="Home client2"
add auth-method=digital-signature certificate="Home server" comment=\
    "Home client1" disabled=yes generate-policy=port-strict match-by=\
    certificate mode-config=vpn peer=vpn policy-template-group=vpn \
    remote-certificate="Home client1"
/ip ipsec mode-config
add address-pool=*D name=vpn
/ip ipsec policy
set 0 disabled=yes
add disabled=yes dst-address=0.0.0.0/0 group=vpn proposal=vpn src-address=\
    0.0.0.0/0 template=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=20022
set www-ssl address=192.168.30.103/32,192.168.88.0/24,192.168.99.0/24 \
    certificate=https-cert disabled=no port=8844 tls-version=only-1.2
set api disabled=yes
set winbox address=\
    192.168.88.0/24,192.168.99.0/24,192.168.30.103/32,192.168.5.0/24
set api-ssl disabled=yes
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ip traffic-flow
set interfaces=VLAN50
/ipv6 firewall address-list
add address=fd12:672e:6f65:8899::/64 list=allowed
add address=fe80::/16 list=allowed
add address=fe02::/48 list=allowed
add address=ff02::/16 comment=multicast list=allowed
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
    bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
    not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
    not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
    not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: allow established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=ipv6,invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=input comment="accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/16
add action=drop chain=input disabled=yes in-interface=ether1-WAN log=yes \
    log-prefix=dropLL_from_public src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" \
    src-address-list=allowed
add action=drop chain=input disabled=yes
add action=accept chain=forward comment=established,related connection-state=\
    established,related
add action=accept chain=forward comment="defconf: accepts icmpv6 after raw" \
    in-interface=!ether1-WAN protocol=icmpv6
add action=drop chain=forward disabled=yes log-prefix=IPV6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall"
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv6
/system clock
set time-zone-autodetect=no time-zone-name=America/New_York
/system identity
set name=RB4011
/system note
set note="Be Careful!" show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes local-clock-stratum=4 manycast=yes \
    use-local-clock=yes
/system ntp client servers
add address=162.159.200.1
add address=162.159.200.123
/system resource irq rps
set sfp-sfpplus1 disabled=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=Winbox
/tool mac-server ping
set enabled=no

User4011 · November 19, 2023, 9:04pm

Update:

I enabled the interface:

On RB4011, Manually set the SSID, Channel, Security, Datapath bridge and VLAN 30 on the cap-wifi1 interface.

Client connects to the SSID, but does not get an IP.

Then,

Added cap-wifi1 to bridge, ingress filtering, admin only untagged and priority tagged, PVID 1. Same result.
Remove Datapath bridge and VLAN 30 from Interface setting. Same result.

MAC@cap-wifi1 connected, signal strength -49

gigabyte091 · November 20, 2023, 3:50am

So for CAP you should have your mgmt or any network that you have CAPsMAN running untagged and VLANs that you want to use on that CAP tagged. Does your CAP have connection with CAPsMAN controller ?

User4011 · November 20, 2023, 7:28pm

Change: RB4011-> ether 10->PVID from 1 to 99.
Effect: CAP now receives IP in mgmt VLAN 99.

“Does CAP have connection with CAPsMAN controller?”

Answers:

On CAP ax, Wireless->Remote CAP->CAPsMAN->enabled.
On RB4011, Wireless->Remote CAP->CAPsMAN->disabled.

CAP ax config:

# 2023-11-20 11:48:44 by RouterOS 7.12
# software id = NV3I-XF25
#
# model = cAPGi-5HaxD2HaxD
# serial number = HER090EMVE1
/interface bridge
add admin-mac=78:9A:18:10:9E:7A auto-mac=no comment=defconf name=bridgeLocal \
    vlan-filtering=yes
/interface vlan
add interface=bridgeLocal name=VLAN30 vlan-id=30
add interface=bridgeLocal name=VLAN60 vlan-id=60
/interface wifiwave2 datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
add bridge=bridgeLocal name=VLAN30 vlan-id=30
add bridge=bridgeLocal name=VLAN60 vlan-id=60
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp-256 \
    name=Maranatha wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp-256 \
    name=IoT wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=Guest wps=disable
/interface wifiwave2 configuration
add country="United States" datapath=VLAN30 disabled=no mode=ap name=\
    Maranatha security=Maranatha ssid=Maranatha
add country="United States" datapath=VLAN60 disabled=no mode=ap name=IoT \
    security=IoT ssid=IMaranatha
add country="United States" datapath=VLAN60 disabled=no mode=ap name=Guest \
    security=Guest ssid=GMaranatha
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal interface=*3
add bridge=bridgeLocal interface=*4
/interface bridge vlan
add bridge=bridgeLocal vlan-ids=""
add bridge=bridgeLocal tagged=ether1,bridgeLocal vlan-ids=30
add bridge=bridgeLocal tagged=ether1,bridgeLocal vlan-ids=60
/interface wifiwave2 cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/interface wifiwave2 capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
    no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=Maranatha \
    name-format="" slave-configurations=Guest,IoT
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.99.0/24,192.168.10.0/24,192.168.30.0/24
set www-ssl address=192.168.99.0/24,192.168.10.0/24,192.168.30.0/24 disabled=\
    no
set winbox address=192.168.99.0/24,192.168.10.0/24,192.168.30.0/24
/system clock
set time-zone-name=America/Chicago
/system identity
set name=cAPax01
/system note
set show-at-login=no

gigabyte091 · November 20, 2023, 7:54pm

Did you mess with the settings in CAP ?

User4011 · November 20, 2023, 8:40pm

I think you are probably asking for CAP on the AP, but here are both just in case.

CAP in RB4011:

 /interface/wifiwave2/cap print
               enabled: no
  discovery-interfaces: bridge
    caps-man-addresses: 192.168.99.100

CAP in CAP ax:

/interface/wifiwave2/cap print
               enabled: yes
  discovery-interfaces: bridgeLocal

User4011 · November 21, 2023, 1:01am

I’m able to ping the gateways of VLAN 30 and 60 from the CAP ax. Still cannot connect to either of the 3 SSIDs.

[admin@cAPax01] > /interface/wifiwave2/cap/print
               enabled: yes
  discovery-interfaces: bridgeLocal
    caps-man-addresses: 192.168.99.100
[admin@cAPax01] /interface/wifiwave2/capsman> /interface/wifiwave2/capsman/print
                   enabled: no
            ca-certificate: auto
  require-peer-certificate: no
              package-path: 
            upgrade-policy: none
  generated-ca-certificate: CAPsMAN-CA-789A18109E7A
     generated-certificate: CAPsMAN-789A18109E7A
[admin@cAPax01] /interface/wifiwave2/capsman> /ping 192.168.30.1
  SEQ HOST                                     SIZE TTL TIME       STATUS                              
    0 192.168.30.1                               56  64 281us     
    1 192.168.30.1                               56  64 270us     
    sent=2 received=2 packet-loss=0% min-rtt=270us avg-rtt=275us max-rtt=281us 

[admin@cAPax01] /interface/wifiwave2/capsman> /ping 192.168.60.1
  SEQ HOST                                     SIZE TTL TIME       STATUS                              
    0 192.168.60.1                               56  64 281us     
    1 192.168.60.1                               56  64 238us     
    2 192.168.60.1                               56  64 278us     
    sent=3 received=3 packet-loss=0% min-rtt=238us avg-rtt=265us max-rtt=281us

gigabyte091 · November 21, 2023, 3:42am

No, I mean did you added VLANs yourself in CAP ? Because that is not necessary.

You put device in CAP mode, on router you create hybrid port where mgmt or trusted network is untagged and VLANs that you want to use are tagged.

Everyrhing else is done on CAPsMAN controller. There is no need to touch CAP at all.

vingjfg · November 21, 2023, 5:29am

The only thing I can see is there is no use-tag for vlan30 and 60 in your datapath. Can you try adding it to one and test if that makes a difference? Not sure it will though.

/interface wifiwave2 datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
add bridge=bridgeLocal name=VLAN30 vlan-id=30
add bridge=bridgeLocal name=VLAN60 vlan-id=60

User4011 · November 21, 2023, 4:15pm

@gigabyte091

So, abandon configuring anything further on the AP,
set to CAPS mode and config CAPsMAN on the router?

Router->ether 10 is a PVID 99 and VLAN 99 untagged on this port so it will get an IP in mgmt range. VLAN 60 and 30 remain tagged. Is this the hybrid configuration to which you refer? As AP is getting IP now and VLANS remain tagged, should be what you had advised.

By the way, thank you and others who’ve taken the time to read and for those contributing input. I am grateful.

User4011 · November 21, 2023, 7:21pm

ON AP:

System>Reset Configuration->Checked CAPS Mode and only have an admin password on it. Default config.

ON Router:

Interface does not show up, but an IP address is given.

[blah@RB4011] > /interface/wifiwave2/cap/print
               enabled: yes
  discovery-interfaces: bridge
    caps-man-addresses: 192.168.99.100
[blah@RB4011] > /interface/wifiwave2/capsman/print
                   enabled: yes
                interfaces: bridge
  require-peer-certificate: no
              package-path: 
            upgrade-policy: none
  generated-ca-certificate: CAPsMAN-CA-2CC81B2D406C
     generated-certificate: CAPsMAN-2CC81B2D406C
[blah@RB4011] >

User4011 · November 21, 2023, 11:21pm

Still back at square one. Device not detected on Router. Master: Unknown

On the Router:

gigabyte091 · November 22, 2023, 11:26am

Sorry for waiting, so if your RB4011 is router, why are you using cAP ax as CAPsMAN ?

On your device that acts as CAPsMAN controller you don’t touch CAP menu because that is only if that device is CAP and not CAPsMAN controller.

You said this:

ON AP:

System>Reset Configuration->Checked CAPS Mode and only have an admin password on it. Default config.

And that is okay. Now your device is ready to connect to CAPsMAN.

But this I don’t understand:

ON Router:

Interface does not show up, but an IP address is given.
CODE: SELECT ALL

[blah@RB4011] > /interface/wifiwave2/cap/print
enabled: yes
discovery-interfaces: bridge
caps-man-addresses: 192.168.99.100

[blah@RB4011] > /interface/wifiwave2/capsman/print
enabled: yes
interfaces: bridge
require-peer-certificate: no
package-path:
upgrade-policy: none
generated-ca-certificate: CAPsMAN-CA-2CC81B2D406C
generated-certificate: CAPsMAN-2CC81B2D406C

>
> [blah@RB4011] >

Why did you enable CAP mode here ? You need to enable CAPsMAN, under Remote radio you have CAPsMAN option.

erlinden · November 22, 2023, 12:42pm

How did that MAC address get there?

User4011 · November 22, 2023, 8:20pm

OK, so going back to a config on the AP and ignoring using CAPsMAN on the router entirely(!@#@!). CAPsMAN mode magic, my rear end.

On the AP, changed my datapath in my profile to use capdp (which has NO VLANS), the client is able to pick up an IP address on the untagged VLAN, the same IP address pool as the AP.

So why won’t it work when I specify the datapaths that have VLANS??

I can ping the VLANs from the AP:

[admin@cAP AX] > ping 192.168.60.1
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                           
    0 192.168.60.1                               56  64 269us     
    1 192.168.60.1                               56  64 249us     
    2 192.168.60.1                               56  64 261us     
    sent=3 received=3 packet-loss=0% min-rtt=249us avg-rtt=259us max-rtt=269us 

[admin@cAP AX] > ping 192.168.30.1  
  SEQ HOST                                     SIZE TTL TIME       STATUS                                                                           
    0 192.168.30.1                               56  64 275us     
    1 192.168.30.1                               56  64 237us     
    2 192.168.30.1                               56  64 192us     
    sent=3 received=3 packet-loss=0% min-rtt=192us avg-rtt=234us max-rtt=275us

Config on the AP:

# 2023-11-22 15:16:44 by RouterOS 7.12
# software id = NV3I-XF25
#
# model = cAPGi-5HaxD2HaxD
# serial number = HER090EMVE1
/interface bridge
add admin-mac=78:9A:18:10:9E:7A auto-mac=no comment=defconf name=bridgeLocal
/interface vlan
add interface=ether1 name=VLAN30 use-service-tag=yes vlan-id=30
add interface=ether1 name=VLAN60 use-service-tag=yes vlan-id=60
/interface wifiwave2 datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
add bridge=bridgeLocal disabled=no name=VLAN30 vlan-id=30
add bridge=bridgeLocal disabled=no name=VLAN60 vlan-id=60
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=Trusted wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=Guest wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=IoT wps=disable
/interface wifiwave2 configuration
add country="United States" datapath=VLAN30 disabled=no mode=ap name=Trusted security=Trusted ssid=Maranatha
add country="United States" datapath=capdp disabled=no mode=ap name=Guest security=Guest ssid=GMaranatha
add country="United States" datapath=VLAN60 disabled=no mode=ap name=IoT security=IoT ssid=IMaranatha
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,ether2 untagged=wifi1,wifi2 vlan-ids=30
add bridge=bridgeLocal tagged=ether1,ether2 vlan-ids=60
/interface wifiwave2 cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/interface wifiwave2 capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=Trusted name-format="" slave-configurations=Guest,IoT
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system clock
set time-zone-name=America/New_York
/system identity
set name="cAP AX"
/system note
set show-at-login=no

User4011 · November 22, 2023, 8:33pm

I removed “untagged=wifi1,wifi2”. No change:

add bridge=bridgeLocal tagged=ether1,ether2 vlan-ids=30
add bridge=bridgeLocal tagged=ether1,ether2 vlan-ids=60

whatever · November 22, 2023, 8:38pm

deleted

User4011 · November 22, 2023, 8:46pm

Same story. No IP from the VLANs, but IP from the capdp

[admin@cAP AX] > /interface/bridge/print
Flags: X - disabled, R - running 
 0 R ;;; defconf
     name="bridgeLocal" mtu=auto actual-mtu=1500 l2mtu=1560 arp=enabled arp-timeout=auto mac-address=78:9A:18:10:9E:7A 
     protocol-mode=rstp fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=78:9A:18:10:9E:7A ageing-time=5m priority=0x8000 
     max-message-age=20s forward-delay=15s transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1 frame-types=admit-all 
     ingress-filtering=yes dhcp-snooping=no

gigabyte091 · November 23, 2023, 5:27am

I posted my config in another topic where you asked a question.

If your AP is CAP and by some configuration it is then it’s not default configuration on it… You are using service tag why ?

videolab · August 27, 2025, 8:52pm

Disable filter rules and run tests