CAP configuration between hAP ax3 and wAP AC does not work

I have an hAP ax3 configured as CAPsMAN following WiFi - RouterOS - MikroTik Documentation and it seems to be successful (at least I can reach my network with the hAP as access point and the commands did not give any errors).

Then I tried to run the wAP as CAP. I failed doing so following the description. I should do the following:

/interface/wifi/cap set enabled=yes

But interface has no wifi in it:

[admin@MikroTik] > /interface/wifi/cap set enabled=yes
expected command name (line 1 column 11)
[admin@MikroTik] >

Here is what it has:

[admin@MikroTik] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  RS ether1                              ether            1500  1598       9214 D4:01:C3:61:E2:53
 1     ether2                              ether            1500  1598       9214 D4:01:C3:61:E2:54
 2   S wlan1                               wlan             1500  1600       2290 D4:01:C3:61:E2:55
 3   S wlan2                               wlan             1500  1600       2290 D4:01:C3:61:E2:56
 4  R  ;;; defconf
       bridge                              bridge           1500  1598            D4:01:C3:61:E2:54
[admin@MikroTik] /interface>

I tried to solve this using the quicksettings in WebFig. Therefore I changed to Quicksettings for CAP. Now it seems I have devices that want to be configured by a CAPsMAN:

[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  RS ether1                              ether            1500  1598       9214 D4:01:C3:61:E2:53
 1   S ether2                              ether            1500  1598       9214 D4:01:C3:61:E2:54
 2  XS ;;; managed by CAPsMAN
       wlan1                               wlan             1500  1600       2290 D4:01:C3:61:E2:55
 3  XS ;;; managed by CAPsMAN
       wlan2                               wlan             1500  1600       2290 D4:01:C3:61:E2:56
 4  R  ;;; defconf
       bridge                              bridge           1500  1598            D4:01:C3:61:E2:54
[admin@MikroTik] >

Using WebFig I also set the CAPsMan Address to the IP of the bridge device of the hAP (running the CAPsMAN). Nevertheless, I do not see anything that looks like the two devices work together... Has anyone an idea what I need to do?

Could it be that you have the wireless package installed on the wAP ac? If ARM based, you could change from wireless to wifi-qcom-ac and continue.

WiFi - RouterOS - MikroTik Documentation

According to https://mikrotik.com/product/RBwAPG-5HacT2HnD the wAP ac has a MIPSBE architecture realized by a QCA9556, so no ARM. I downloaded the packages for RouterOS 6.49.19 running on my wAP from https://mikrotik.com/download and there is no wifi* package (from your description I guess because it is not an ARM).

Perhaps I should have mentioned before that the hAP ax3 is running RouterOS 7.19.4.

There is no way of managing the CAP from the hAP AX3 through CAPsMAN. The options you have:

  • Not using CAPsMAN (which is not a bad option in itself)
  • Get an ARM ac device (like the wAP ac) and use the wifi-qcom-ac driver
  • Get another AX device (like the wAP AX) and have the best experience

"wAP AC" is especially confusing because under this name both a MIPSBE and an ARM device have been sold: https://mikrotik.com/product/wap_ac
But as you have the MIPSBE device, there is no way to manage it with CAPsMAN together with an AX3.

I would prefer the idea not to use CAPsMAN, but as far as I understand I will not be able to get 802.11r and/or 802.11k/v running without CAPsMAN. Is this right? I do not want to run a multi AP setup without this, that was the reason why I bought MikroTik devices...

Then you should not have chosen the (this model) wAP ac.

You are aware this device was introduced nearly a decade ago?

No, I was not. But with https://mikrotik.com/product/wap_ax it will work?

Yes, that will work.
I am amazed that you had apparently recently bought a wAP ac and that it was a MIPSBE version...
Or did you already have that or obtain it second-hand?

Legacy CAPsMAN for management of wireless-driven CAPs doesn't support any of 802.11 r/k/v ... as others have noted, one has to use new CAPsMAN for AX devices (and arm-based AC devices) to get support for station mobility.


I bought it about a year ago anywhere for another use case. But it was a new one. I guess the shop needed to get something off... :) It was relatively cheap. Now I book it as apprenticeship premium...


I have now replaced the wAP ac by a wAP ax. I configured the bridge to include ether1, gave the bridge an IP in my network, disabled the DHCP server and added the CAPs configuration as described:

/interface/wifi/cap set enabled=yes
/interface/wifi/set wifi1,wifi2 configuration.manager=capsman-or-local

If I look into the GUI (WinBox) I see the following error message: "no connection to CAPsMAN, managed locally". Here is a screenshot:

I also tried to fix the IP of the hAP ax running CAPsMAN:

/interface/wifi/cap set enabled=yes caps-man-addresses=192.168.168.3 
/interface/wifi/set wifi1,wifi2 configuration.manager=capsman-or-local

Same result... What else do I need to do?

Actually, to be complete, there is an option.
Remove wifi-qcom and replace with wireless driver.
Then you can use AX3 as capsman controller for legacy wireless APs.
But you will lose local radios on AX3, which is probably not what you want.
Just mentioning it ...

You should set manager to capsman (and not capsman-or-local), as you want to control it by the CAPsMAN (and not any local CAPsMAN instance).

/interface/wifi/set wifi1,wifi2 configuration.manager=capsman

If you share the config of both CAPsMAN and CAPS, we might be able to explain.
Both CAPS and CAPsMAN can ping each other?

There should be no need for any configuration, just reset it to defaults using the button:

Reset button

The reset button has three functions:

  • Hold this button during boot time until the LED light starts flashing, and release the button to reset the RouterOS configuration (total 5 seconds).
  • Keep holding for 5 more seconds, the LED turns solid, release now to turn on CAP mode. The device will now look for a CAPsMAN server (total 10 seconds).
  • Or keep holding the button for 5 more seconds until the LED turns off, then release it to make the RouterBOARD look for Netinstall servers (total 15 seconds).

Both can ping each other. Changing the configuration manager does not change anything but the error message. It now only says "no connection to CAPsMAN".

To be honest I have no idea which part of the config is relevant, but I can give the complete output of export on hAP ax, as far as I see it has no passwords or something like it inside:

# 2025-08-22 17:06:06 by RouterOS 7.19.4
# software id = I2Y0-Q3GK
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = YYYYYYYYYYYYYYYY
/interface bridge
add admin-mac=D4:01:C3:0B:20:6B auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi security
add authentication-types=wpa-psk,wpa2-psk disabled=no name=HexenSecurityProfile
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=disabled .width=20/40/80mhz \
    configuration.country=Germany .mode=ap .ssid=Hexennetz disabled=no security=HexenSecurityProfile \
    security.authentication-types=wpa-psk,wpa2-psk .connect-priority=0 .encryption="" .ft=yes .ft-over-ds=yes \
    .group-key-update=5m
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=disabled .width=20/40mhz configuration.country=\
    Germany .mode=ap .ssid=Hexennetz disabled=no security=HexenSecurityProfile security.authentication-types=\
    wpa-psk,wpa2-psk .connect-priority=0 .ft=yes .ft-over-ds=yes
/interface wifi configuration
add country=Germany name=5ghz security=HexenSecurityProfile ssid=Hexennetz
add country=Germany name=2ghz security=HexenSecurityProfile ssid=Hexennetz
add country=Germany name=5ghz_v security=HexenSecurityProfile ssid=CAPsMAN5_v
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=ether1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
/interface ovpn-server server
add mac-address=FE:8E:19:92:A1:2A name=ovpn-server1
/interface wifi capsman
set ca-certificate=auto enabled=yes interfaces=all package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=5ghz slave-configurations=5ghz_v supported-bands=\
    5ghz-ac
add action=create-dynamic-enabled disabled=no master-configuration=2ghz supported-bands=2ghz-n
/ip address
add address=192.168.135.3/24 comment=defconf interface=bridge network=192.168.135.0
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add comment=defconf interface=ether1
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge lease-time=10m name=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=\
    WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set www-ssl certificate=webfig disabled=no
/ip ssh
set always-allow-password-login=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=AP2
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system ntp client servers
add address=de.pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

And for the cAP ax:

# 2025-08-22 16:53:26 by RouterOS 7.19.4
# software id = YRYJ-RKDM
#
# model = wAPG-5HaxD2HaxD
# serial number = YYYYYYYYYYYYYYY
/interface bridge
add admin-mac=04:F4:1C:08:71:D1 auto-mac=no comment=defconf name=bridge
/interface wifi
# no connection to CAPsMAN
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.manager=capsman .mode=ap .ssid=\
    MikroTik-0871D2 disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
# no connection to CAPsMAN
set [ find default-name=wifi2 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.manager=capsman .mode=ap .ssid=\
    MikroTik-0871D2 disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=yes interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
/interface ovpn-server server
add mac-address=FE:45:BB:A0:B1:F9 name=ovpn-server1
/interface wifi cap
set caps-man-addresses=192.168.168.3 enabled=yes
/ip address
add address=192.168.135.4 comment=defconf interface=bridge network=\
    192.168.135.0
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=ap-outdoor-no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Please tell me if I can filter the output a bit to make it easier for you...

If I do this, how does the wAP ax get the LAN configuration? I think CAPsMAN configures only the WLan...

To make it clear, I want to reach the following:

The picture is not complete, there are more hosts in the network (some connected to the hAP ax, which I also use as LAN switch) but it shows the important part: All access points shall route the data to LAN (no mesh, no repeater). The important part for me is that the mobile device can connect to the WiFi and move around and the connection automatically changes to the best access point.
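
An added example, not part of the thread and not MikroTik tooling: a small Python parser for `/export` output that cross-checks the CAP's `caps-man-addresses` against the addresses configured on the CAPsMAN device, and flags three settings visible in the two exports above (a disabled input drop rule, `wpa-psk` allowed, `require-peer-certificate=no`). The check names are this example's own; the embedded excerpts are copied from the posted exports with entries omitted.

```python
import shlex

def parse_export(text):
    """Parse RouterOS `/export` output into (menu, verb, params) tuples."""
    entries, menu, pending = [], "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or export comment
        if line.endswith("\\"):           # export wraps long lines with a trailing "\"
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):          # menu path, e.g. "/interface wifi cap"
            menu = line
            continue
        tokens, params, prefix = shlex.split(line), {}, ""
        for key, sep, value in (t.partition("=") for t in tokens[1:]):
            if key.startswith("."):       # ".ssid" continues the last "configuration." group
                key = prefix + key
            elif "." in key:
                prefix = key.split(".", 1)[0]
            if sep:                       # skips "[", "find", "]"
                params[key] = value
        entries.append((menu, tokens[0], params))
    return entries

def audit(manager_export, cap_export):
    """Return (device, check, detail) findings for a CAPsMAN/CAP export pair."""
    mgr, cap = parse_export(manager_export), parse_export(cap_export)
    mgr_ips = {p["address"].split("/")[0] for m, _, p in mgr if m == "/ip address" and "address" in p}
    targets = [t for m, _, p in cap if m == "/interface wifi cap"
               for t in p.get("caps-man-addresses", "").split(",") if t]
    findings = [("cap", "manager-address-mismatch", t) for t in targets if t not in mgr_ips]
    for device, entries in (("manager", mgr), ("cap", cap)):
        for m, _, p in entries:
            if (m == "/ip firewall filter" and p.get("chain") == "input"
                    and p.get("action") == "drop" and p.get("disabled") == "yes"):
                findings.append((device, "input-drop-disabled", p.get("comment", "")))
            auth = p.get("authentication-types") or p.get("security.authentication-types", "")
            if m.startswith("/interface wifi") and "wpa-psk" in auth.split(","):
                findings.append((device, "wpa1-psk-enabled", auth))
            if m == "/interface wifi capsman" and p.get("require-peer-certificate") == "no":
                findings.append((device, "cap-certificate-not-required", ""))
    return findings

# Excerpts of the two exports posted above (entries omitted, values unchanged).
MANAGER = r'''
/interface wifi security
add authentication-types=wpa-psk,wpa2-psk disabled=no name=HexenSecurityProfile
/interface wifi capsman
set ca-certificate=auto enabled=yes interfaces=all package-path="" require-peer-certificate=no upgrade-policy=none
/ip address
add address=192.168.135.3/24 comment=defconf interface=bridge network=192.168.135.0
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
'''
CAP = r'''
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.manager=capsman .mode=ap .ssid=\
    MikroTik-0871D2 disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface wifi cap
set caps-man-addresses=192.168.168.3 enabled=yes
'''

if __name__ == "__main__":
    print(*audit(MANAGER, CAP), sep="\n")
```

Saving each device's full `/export` to a file and passing the two file contents to `audit()` runs the same checks on the complete configurations.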

Cap config does in broad lines

  • all interfaces to bridge
  • dhcp client on bridge
  • all wifi interfaces to capsman managed

And that's about it.


You might want to reset your CAPS (wAP AX) to CAPS Mode:
/system reset-configuration caps-mode=yes


Personally I also use keep-users and don't backup.
