Hi everyone,
I’m a beginner with RouterOS and am currently testing a CAPsMAN setup. My setup includes an hAP ax² as the controller (firmware v7.18.2 arm64), with a few NetMetal AX devices connected via Ethernet and configured as CAPs. At the moment, the router’s WAN port is not connected; I’m just testing the local behavior.
When only one CAP is connected, everything works fine: the device connects, receives the configuration, and in Winbox I see red messages like “operated by cap [MAC]%bridge, traffic processing on CAP”.
The issue appears when I connect a second NetMetal AX. As soon as I plug it in, the red messages disappear from both devices, as if the CAPs are being disabled. After several seconds, they reappear, but the behavior is unstable. Sometimes the devices seem to take turns connecting and disconnecting.
In the log, when one of the CAPs disconnects, the exact message is: Disconnected CAPAX01@MACADDRESS, connection interrupted
Also, when I set a static 5 GHz frequency (e.g. 5180 MHz, channel 36), even with only one CAP connected, I sometimes get the following error:
CAP MACADDRESS@etherX: no available channels
I’m using the 5GHz-AX band, country is set to Italy, and I’ve tried various non-DFS frequencies (36, 40, 44, 149) with 20/40/80MHz channel widths, but the issue persists.
The only 5 GHz channel setting that works reliably is selecting “5GHz-AX” as the band and “20MHz” as the channel width, without specifying a frequency (the option called “5GHz All”).
This works only when a single CAP is connected. I noticed that in this case, the channel that gets used is 5500 MHz.
Below I will paste the full configuration export of the hAP ax².
# 2025-03-10 15:16:10 by RouterOS 7.18.2
# software id = XXXXX
#
# model = C52iG-5HaxD2HaxD
# serial number = XXXXX
# LAN bridge. protocol-mode=none means no STP/RSTP runs on this bridge.
/interface bridge
add comment=defconf name=bridge protocol-mode=none
# Interface lists referenced by the firewall, neighbor discovery and
# mac-server settings further down in this export.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Channel profiles. Only 2GHZ::AUTO and "5GHZ ALL" are referenced by the
# /interface wifi configuration entries in this export; the single-channel and
# UNII-1 / UNII-3 / NON-DFS profiles are defined but not attached to anything.
/interface wifi channel
add band=5ghz-ax frequency=5180 name=5GHZ::CH36 width=20mhz
add band=5ghz-ax frequency=5200 name=5GHZ::CH40 width=20mhz
add band=5ghz-ax frequency=5220 name=5GHZ::CH44 width=20mhz
add band=5ghz-ax frequency=5240 name=5GHZ::CH48 width=20mhz
add band=5ghz-ax frequency=5745 name=5GHZ::CH149 width=20mhz
add band=5ghz-ax frequency=5765 name=5GHZ::CH153 width=20mhz
add band=5ghz-ax frequency=5785 name=5GHZ::CH157 width=20mhz
add band=5ghz-ax frequency=5805 name=5GHZ::CH161 width=20mhz
add band=5ghz-ax frequency=5825 name=5GHZ::CH165 width=20mhz
add band=5ghz-ax disabled=no frequency=5180,5200,5220,5240 name=5GHZ::UNII-1 \
width=20mhz
add band=5ghz-ax disabled=no frequency=5745,5765,5785,5805,5825 name=\
5GHZ::UNII-3 width=20mhz
add band=5ghz-ax disabled=no frequency=\
5180,5200,5220,5240,5745,5765,5785,5805,5825 name=5GHZ::NON-DFS width=20mhz
add band=2ghz-ax frequency=2412 name=2GHZ::CH1 width=20mhz
add band=2ghz-ax frequency=2437 name=2GHZ::CH6 width=20mhz
add band=2ghz-ax frequency=2462 name=2GHZ::CH11 width=20mhz
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=2GHZ::AUTO width=\
20mhz
# NOTE(review): no frequency= is set on this profile, so channel selection is
# left to the radio. The post reports 5500 MHz in use and the CAP export shows
# "5560/ax/D" -- presumably DFS channels; confirm against the country profile.
add band=5ghz-ax disabled=no name="5GHZ ALL" width=20mhz
# Datapath attaches wifi interfaces to "bridge". client-isolation=no leaves
# wireless clients able to reach each other directly.
/interface wifi datapath
add bridge=bridge client-isolation=no disabled=no name=datapath1
# NOTE(review): WPA2-PSK with CCMP only, with 802.11r fast transition enabled
# (ft=yes, ft-over-ds=yes). No passphrase appears in this export -- presumably
# because sensitive values are hidden by default; confirm one is actually set.
# NOTE(review): no management-protection= is shown here. If every client
# supports it, authentication-types=wpa2-psk,wpa3-psk with management frame
# protection is the stronger setting for an ax-only deployment.
/interface wifi security
add authentication-types=wpa2-psk disabled=no encryption=ccmp ft=yes \
ft-over-ds=yes name=security1
# One configuration profile per band; both use SSID "TestAP", country Italy,
# datapath1 and security1.
/interface wifi configuration
add channel=2GHZ::AUTO country=Italy datapath=datapath1 disabled=no distance=1 \
mode=ap name=2GHZ security=security1 ssid=TestAP
add channel="5GHZ ALL" country=Italy datapath=datapath1 disabled=no distance=1 \
mode=ap name=5GHZ security=security1 ssid=TestAP
# Controller-side wifi interfaces. The "# operated by CAP" lines are status
# comments written by the export itself. At export time only CAP::2GHZ and
# CAP::5GHZ carry one; CAP::2GHZ2 and CAP::5GHZ2 do not.
# NOTE(review): every radio-mac is redacted to MACADDRESS, so it cannot be
# checked from this page that the two CAPs present distinct radio MACs --
# verify on the device.
/interface wifi
# operated by CAP MACADDRESS%bridge, traffic processing on CAP
add configuration=2GHZ disabled=no name=CAP::2GHZ radio-mac=MACADDRESS
add configuration=2GHZ configuration.mode=ap disabled=no name=CAP::2GHZ2 \
radio-mac=MACADDRESS
# operated by CAP MACADDRESS%bridge, traffic processing on CAP
add configuration=5GHZ disabled=no name=CAP::5GHZ radio-mac=MACADDRESS
add configuration=5GHZ configuration.mode=ap disabled=no name=CAP::5GHZ2 \
radio-mac=MACADDRESS
# The hAP's own radios (wifi1, wifi2) use the same profiles directly; the
# 2.4 GHz radio additionally overrides the channel list inline.
set [ find default-name=wifi2 ] channel.frequency=2412,2437,2462 configuration=\
2GHZ configuration.mode=ap name=HAP::2GHZ
set [ find default-name=wifi1 ] configuration=5GHZ configuration.mode=ap name=\
HAP::5GHZ
# NOTE(review): no address-pool= appears on the server line although
# dhcp_pool0 is defined just below. The CAPs run a DHCP client on their bridge,
# so confirm this server really hands out leases from that pool.
/ip dhcp-server
add interface=bridge lease-time=10m name=dhcp1
# The pool holds seven addresses in total (.46-.49 and .53-.55).
/ip pool
add name=dhcp_pool0 ranges=192.168.1.46-192.168.1.49,192.168.1.53-192.168.1.55
# NOTE(review): auto-media-sharing=yes and auto-smb-sharing=yes are bound to
# the LAN bridge -- presumably any storage attached to the router is then
# shared to LAN hosts automatically. Turn both off if file sharing is not
# wanted.
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
# NOTE(review): *2 and *3 are not interface names. An export typically prints
# such IDs when the referenced interface no longer exists, so these look like
# stale bridge ports -- confirm and remove them.
add bridge=bridge comment=defconf interface=*2
add bridge=bridge comment=defconf interface=*3
# Neighbor discovery is limited to interfaces in the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# bridge is the only LAN member and ether1 the only WAN member. The firewall
# rules that match on in-interface-list depend on this mapping.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# The controller's own CAP client, pointed at the local CAPsMAN over loopback.
# The IPv4 input chain in this export has a matching accept rule for
# dst-address=127.0.0.1.
/interface wifi cap
set caps-man-addresses=127.0.0.1 certificate=request discovery-interfaces=\
bridge enabled=yes slaves-datapath=datapath1 slaves-static=no
# NOTE(review): require-peer-certificate=no means CAPsMAN accepts a CAP that
# does not present a valid certificate. With ca-certificate=auto and
# certificate=auto here, and certificate=request on the CAPs, certificates are
# being issued. Once every CAP holds one, require-peer-certificate=yes limits
# joining to those devices.
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes package-path="" \
require-peer-certificate=no upgrade-policy=none
# Provisioning rules match on supported-bands only, with no radio-mac or
# identity matcher visible.
# NOTE(review): together with require-peer-certificate=no, any device on the
# bridge that speaks CAP and announces a matching band would be provisioned
# with the SSID and its key -- confirm that is acceptable on this segment.
# NOTE(review): name-format is a fixed string, which is apparently why the
# second CAP's interfaces appear as CAP::2GHZ2 / CAP::5GHZ2. A format that
# includes the CAP identity would make log entries easier to attribute.
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=2GHZ name-format=\
CAP::2GHZ slave-name-format="" supported-bands=2ghz-ax
add action=create-enabled disabled=no master-configuration=5GHZ name-format=\
CAP::5GHZ supported-bands=5ghz-ax
# Router address on the LAN bridge; it is also the gateway handed out by DHCP.
/ip address
add address=192.168.1.251/24 comment=defconf interface=bridge network=\
192.168.1.0
# WAN-side DHCP client on ether1. "# Interface not active" is a status comment
# from the export, consistent with the unplugged WAN port described in the
# post.
/ip dhcp-client
# Interface not active
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.251
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# from other hosts. Only the "drop all not coming from LAN" input rule in this
# export keeps that resolver off the WAN side, so it must stay in place once
# ether1 is connected.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.251 comment=defconf name=router.lan type=A
# IPv4 filter rules. They are evaluated top to bottom, so the order of the
# lines below is part of the policy.
#
# input chain (traffic addressed to the router itself): accept
# established/related/untracked, drop invalid, accept ICMP, accept loopback
# (used by the local CAP client to reach CAPsMAN), then drop whatever did not
# arrive on a LAN-list interface. No rule restricts traffic that does arrive
# from LAN, so every host on the bridge -- wireless clients included -- can
# reach the router's services.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# forward chain (traffic routed through the router): accept IPsec policy
# matches, fasttrack and accept established/related, drop invalid, and drop new
# connections from WAN unless they were dst-NATed. Nothing else is dropped, so
# LAN-originated forwarding is allowed.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Source NAT for traffic leaving through a WAN-list interface, except traffic
# matched by an outbound IPsec policy.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
# Address list of IPv6 ranges that should never appear as a routed source or
# destination. The two bad_ipv6 forward rules below reference it.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# IPv6 filter rules, evaluated in order.
#
# input chain: accept established/related/untracked, drop invalid, accept
# ICMPv6, UDP traceroute ports, DHCPv6 client replies from link-local sources,
# IKE, AH, ESP and IPsec policy matches, then drop everything that did not
# arrive from a LAN-list interface.
# NOTE(review): the traceroute, IKE, AH and ESP accepts carry no interface
# matcher, so they also apply on WAN. Keep them only if IPsec or inbound
# traceroute to the router is actually used.
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# forward chain: fasttrack and accept established/related, drop invalid, drop
# bad_ipv6 sources and destinations, drop ICMPv6 with hop-limit 1, accept
# ICMPv6, HIP, IKE, AH, ESP and IPsec policy matches, then drop everything
# that did not arrive from a LAN-list interface.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system note
set show-at-login=no
# Layer-2 management (MAC telnet and MAC Winbox) is limited to interfaces in
# the LAN list. LAN is the bridge, so wireless clients attached to the bridge
# are inside this scope as well.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Here is the full export of a single CAP NetMetal ax:
# 2025-03-10 13:38:18 by RouterOS 7.18.2
# software id = XXXXXXXXXX
#
# model = L23UGSR-5HaxD2HaxD
# serial number = XXXXXXXXXX
# CAP-side bridge with a fixed admin MAC (auto-mac=no) and no STP/RSTP
# (protocol-mode=none).
# NOTE(review): admin-mac is redacted to MACADDRESS, so it cannot be checked
# from this page that each NetMetal uses a different bridge MAC -- verify on
# the devices.
/interface bridge
add admin-mac=MACADDRESS auto-mac=no comment=defconf name=bridgeLocal \
protocol-mode=none
# Local datapath: wireless clients are bridged straight into bridgeLocal.
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
# Both radios are handed to CAPsMAN (configuration.manager=capsman). The
# "# managed by" and "# mode:" lines are status comments written by the export;
# "5560/ax/D" is the channel the 5 GHz radio was on at export time.
/interface wifi
# managed by CAPsMAN MACADDRESS%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: TestAP, channel: 2437/ax
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp \
disabled=no
# managed by CAPsMAN MACADDRESS%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: TestAP, channel: 5560/ax/D
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp \
disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=sfp1
# NOTE(review): no caps-man-addresses is set and discovery runs on
# bridgeLocal, so this CAP will presumably join whichever CAPsMAN answers
# discovery on that segment. Once certificates are issued, lock-to-caps-man on
# the CAP together with require-peer-certificate on the controller ties the two
# sides to each other.
/interface wifi cap
set certificate=request discovery-interfaces=bridgeLocal enabled=yes \
slaves-datapath=capdp
# The CAP obtains its management address via DHCP on bridgeLocal.
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system identity
set name=CAPAX02
/system note
set show-at-login=no
# NOTE(review): this export has no /ip firewall, /interface list or
# /tool mac-server section, so management access to the CAP is whatever the
# defaults allow on bridgeLocal (ether1 and sfp1) -- confirm and restrict it
# before the device leaves the test bench.
Since I’m new to MikroTik, I’m not sure if this is a configuration problem. Any suggestions are very welcome.
Thanks in advance!