cAP ax with CAPsMAN config and some Problems

The configuration is:

Router with Internet Access: RB5009UG+S+
Switch with only the Mgmt VLAN, no access list etc.: CRS328-24P-4S+RM
Access Points: cAPGi-5HaxD2HaxD

First, I have one bridge with 4 VLANs (Default, Guest, Mgmt, Private).
I have 4 DHCP scopes.

If the cAP starts with a blank CAPsMAN config, it gets the config from CAPsMAN but no IP address:

default offering lease 172.27.1.68 for 48:A9:8A:E4:F2:06 without success

If I enable VLAN filtering on bridgeLocal, I get an IP from the DHCP scope (vlan1), but I lose the CAPsMAN config.

# 1970-01-02 01:44:34 by RouterOS 7.11.2
# software id = 82UI-6ZJA
#
# model = cAPGi-5HaxD2HaxD
# serial number = HEK08N4NHVA
# Review notes: cAP export as posted. The export timestamp is 1970-01-02, i.e. the
# device had no valid time source when this was taken (relevant if certificate
# validity is ever enforced between CAP and CAPsMAN).
/interface bridge
# Single bridge. No vlan-filtering is set in this export, so tagged and untagged
# frames are forwarded alike. This admin-mac is the MAC in the DHCP log line above.
add admin-mac=48:A9:8A:E4:F2:06 auto-mac=no comment=defconf name=bridgeLocal
/interface wifiwave2 datapath
# Default datapath: no vlan-id here, wireless clients land directly on bridgeLocal
# unless the CAPsMAN-provided configuration overrides the datapath.
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifiwave2
# managed by CAPsMAN
# mode: AP, SSID: Blackbird-inside, channel: 5500/ax/Ceee
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
# managed by CAPsMAN
# mode: AP, SSID: Blackbird-inside, channel: 2437/ax/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port
# Both Ethernet ports are plain bridge members (no pvid / frame-types set).
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifiwave2 cap
# CAPsMAN discovery runs on bridgeLocal, i.e. untagged on the uplink.
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
# The cAP's own DHCP client also sits untagged on bridgeLocal.
# NOTE(review): the router export tags VLAN 1 on all trunk ports, so the offer would
# come back tagged and never reach this client -- consistent with the
# "offering lease ... without success" log line. The thread's fix is to carry the
# CAPsMAN VLAN untagged on the cAP-facing trunk port; confirm on the switch side too.
add comment=defconf interface=bridgeLocal
/system identity
set name=Red
/system note
set show-at-login=no

And the config of the router:

# 2023-10-29 02:14:50 by RouterOS 7.11.2
# software id = P25A-1ER7
#
# model = RB5009UG+S+
# serial number = HEP090WEY84
# Review notes: router/CAPsMAN export as posted. Lines marked NOTE(review) are
# observations on this export, not changes to it.
/interface bridge
# VLAN-aware bridge; the bridge (CPU) port itself accepts only tagged frames.
add admin-mac=78:9A:18:02:C2:ED auto-mac=no frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-pppoe
set [ find default-name=ether2 ] name=ether2-isp-lte
set [ find default-name=ether3 ] name=ether3-mac-winbox
set [ find default-name=ether4 ] name=ether4-test
set [ find default-name=ether5 ] name=ether5-trunk
set [ find default-name=ether6 ] name=ether6-trunk
set [ find default-name=ether7 ] name=ether7-bonding1
set [ find default-name=ether8 ] name=ether8-bonding1
set [ find default-name=sfp-sfpplus1 ] name=sfp1-trunk
/interface vlan
# L3 VLAN interfaces on the bridge. VLAN 1 is the "default" network the cAP lands in.
add interface=bridge name=vlan-1-default vlan-id=1
add interface=bridge name=vlan-216-dmz vlan-id=216
add interface=bridge name=vlan-217-mgmt vlan-id=217
add interface=bridge name=vlan-218-inside vlan-id=218
/interface wifiwave2 datapath
# Per-SSID datapaths: wireless clients are tagged into 216 (dmz/guest) or 218 (inside).
add disabled=no name=vlan-216 vlan-id=216
add disabled=no name=vlan-218 vlan-id=218
/interface wifiwave2 security
# WPA2/WPA3-PSK; encryption is left empty (default). Passphrases are not in this export.
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption="" name=agms-wpa2-pks
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption="" name=pand-wpa2-pks
/interface wifiwave2 configuration
add country=Austria datapath=vlan-218 disabled=no mode=ap name=private security=agms-wpa2-pks ssid=private
add country=Austria datapath=vlan-216 disabled=no mode=ap name=guest security=pand-wpa2-pks ssid=guest
/ip pool
add name=pool-dmz ranges=172.27.216.65-172.27.216.126
add name=pool-mgmt ranges=172.27.217.129-172.27.217.199
add name=pool-inside ranges=172.27.218.65-172.27.218.126
add name=pool-default ranges=172.27.1.65-172.27.1.126
/ip dhcp-server
add address-pool=pool-mgmt interface=vlan-217-mgmt name=mgmt
add address-pool=pool-dmz interface=vlan-216-dmz name=dmz
add address-pool=pool-inside interface=vlan-218-inside name=inside
add address-pool=pool-default interface=vlan-1-default name=default
/interface bridge port
# Access port: untagged only, placed in the mgmt VLAN 217.
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4-test pvid=217
# Trunks with no frame-types/pvid: untagged ingress falls back to the default pvid (1).
add bridge=bridge interface=ether5-trunk
add bridge=bridge interface=ether6-trunk
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp1-trunk
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp1-trunk,ether5-trunk,ether6-trunk vlan-ids=216
add bridge=bridge tagged=bridge,sfp1-trunk,ether5-trunk,ether6-trunk vlan-ids=217
add bridge=bridge tagged=bridge,sfp1-trunk,ether5-trunk,ether6-trunk vlan-ids=218
# NOTE(review): VLAN 1 is tagged on every trunk and untagged on none. A device that
# talks untagged (the cAP's bridgeLocal) gets its DHCP offer back tagged, which
# matches the "without success" log line. The thread's fix is to carry the CAPsMAN
# VLAN untagged on the cAP-facing trunk.
add bridge=bridge tagged=bridge,sfp1-trunk,ether5-trunk,ether6-trunk vlan-ids=1
/interface wifiwave2 capsman
# NOTE(review): require-peer-certificate=no -- any CAP that reaches a discovery
# interface is accepted without a certificate check. Tolerable when CAPs live on an
# isolated mgmt VLAN; set require-peer-certificate=yes once the CAPs hold certificates.
set ca-certificate=auto certificate=auto enabled=yes package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifiwave2 provisioning
# NOTE(review): references configurations Blackbird-inside / Blackbird-guest, which are
# not among the configurations above (private, guest) -- this export may be abridged or
# edited; confirm. No identity-regexp / radio-mac match is set, so every discovered CAP
# is provisioned.
add action=create-dynamic-enabled disabled=no master-configuration=Blackbird-inside slave-configurations=Blackbird-guest
/ip address
add address=172.27.217.254/25 interface=vlan-217-mgmt network=172.27.217.128
add address=172.27.216.254/24 interface=vlan-216-dmz network=172.27.216.0
add address=172.27.218.254/24 interface=vlan-218-inside network=172.27.218.0
add address=172.27.1.254/24 interface=vlan-1-default network=172.27.1.0
/ip cloud
# Registers the public address with MikroTik's cloud DDNS.
set ddns-enabled=yes
/ip dhcp-client
# NOTE(review): a DHCP client on the interface named ether1-pppoe; no pppoe-client
# appears in this export, so the name may be historical -- confirm.
add interface=ether1-pppoe use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=172.27.1.0/24 dns-server=172.27.1.254 gateway=172.27.1.254
add address=172.27.216.0/24 dhcp-option=domain-search,disable-netbios dns-server=172.27.216.254 domain=dmz.local gateway=172.27.216.254
add address=172.27.217.128/25 dhcp-option=domain-search,disable-netbios dns-server=172.27.217.254 domain=mgmt.local gateway=172.27.217.254
add address=172.27.218.0/24 dhcp-option=domain-search,disable-netbios dns-server=172.27.218.254 domain=inside.local gateway=172.27.218.254
/ip dns
# Router resolves for the LANs, upstream over DoH with certificate verification.
# Who may reach the resolver is decided by the input chain below.
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked!" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid!" connection-state=invalid
add action=accept chain=input comment="accept icmp!" protocol=icmp
add action=accept chain=input comment="accept www for LetsEncrypt" dst-port=80 protocol=tcp src-address-list=LetsEncrypt
add action=accept chain=input comment="accept https from any" disabled=yes dst-port=443 protocol=tcp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)!" dst-address=127.0.0.1
# NOTE(review): accepts all input from every non-WAN interface, so the dmz/guest VLAN
# (216) can reach every enabled router service (DNS, www-ssl, api-ssl, and whatever
# else /ip service leaves enabled). Restrict to the mgmt VLAN or a src-address-list
# if that is not intended. The WAN list's members are not in this export; if the
# uplink is missing from it, this rule also accepts from the WAN -- confirm.
add action=accept chain=input in-interface-list=!WAN
add action=drop chain=input comment="drop all coming from WAN!" in-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy!" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy!" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack! connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related, untracked!" connection-state=established,related,untracked
# NOTE(review): this DNS-to-WAN accept sits before "drop invalid"; moving it below that
# rule keeps invalid-state packets from being accepted on this path.
add action=accept chain=forward dst-port=53 out-interface-list=WAN protocol=udp
add action=drop chain=forward comment="drop invalid!" connection-state=invalid
# NOTE(review): no forward rule separates the VLANs, and the chain ends in RouterOS's
# implicit accept, so dmz/guest (216) can reach mgmt (217) and inside (218). Add an
# inter-VLAN drop for new connections if guest isolation is intended.
add action=drop chain=forward comment="drop all from WAN not DSTNATed!" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade! ipsec-policy=out,none out-interface=ether1-pppoe
/ip service
# Only telnet and ftp are explicitly disabled; www-ssl/api-ssl use the LetsEncrypt
# certificate and are pinned to TLS 1.2. The other services are not shown here, so
# their default state applies -- see the input-chain note above.
set telnet disabled=yes
set ftp disabled=yes
set www-ssl certificate=letsencrypt-autogen_2023-10-26T22:36:51Z disabled=no tls-version=only-1.2
set api-ssl certificate=letsencrypt-autogen_2023-10-26T22:36:51Z tls-version=only-1.2

Does anyone know how I can change the config to remove the vlan1 config and use the mgmt VLAN for management?

I don't know if something has changed, but if you enable VLAN filtering on the cAP, Wi-Fi goes haywire…

So the best thing is not to touch the cAP; everything is done on the controller router.

I have an RB5009 and 2 cAPs, and everything is done on the RB5009. Just untag the network where CAPsMAN resides and tag the other VLANs. Then add a datapath for those VLANs and assign the VLANs to the desired wireless interface.

Hi,

thanks for your input, this was the key to finding the solution :slight_smile:

I left the cAP config untouched and changed the trunk port to a trunk port with a default VLAN.

Now it is working.