Hi guys, this is my concept for new house. When i’m going to second floor, my wireless devices still keeping lowest signal from ax3 and they dont connecting to ax2 on the second floor. This is my config for each ax:
ax3
# 2025-12-22 12:27:38 by RouterOS 7.21rc2
# software id = P1P8-BB46
#
# model = C53UiG+5HPaxD2HPaxD
# serial number =
/interface bridge add name=br-lan vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ] comment="WAN NETIA "
/interface ethernet set [ find default-name=ether2 ] comment="VLAN20 LAN"
/interface ethernet set [ find default-name=ether3 ] comment="VLAN20 LAN"
/interface ethernet set [ find default-name=ether4 ] comment="IoT ax3 port"
/interface ethernet set [ find default-name=ether5 ] comment=TRUNK
/interface vlan add comment=LAN interface=br-lan name=vlan20 vlan-id=20
/interface vlan add interface=ether1 name=vlan35-pppoe vlan-id=35
/interface vlan add comment=mgmt interface=br-lan name=vlan69 vlan-id=69
/interface vlan add comment=IoT interface=br-lan name=vlan600 vlan-id=600
/interface vlan add comment=welcome interface=br-lan name=vlan777 vlan-id=777
/interface pppoe-client add add-default-route=yes comment="WAN NETIA" disabled=no interface=vlan35-pppoe name=int_netia_strzelc0w user=
/interface list add name=LAN
/interface list add name=WAN
/interface list add name=MGMT
/interface wifi channel add band=2ghz-ax frequency=2412,2437,2462 name=ch-24ghz width=20mhz
/interface wifi channel add band=5ghz-ax disabled=no frequency=5180 name=ch-5ghz width=20/40/80mhz
/interface wifi datapath add bridge=br-lan name=dp20 vlan-id=20
/interface wifi datapath add bridge=br-lan name=dp600 vlan-id=600
/interface wifi datapath add bridge=br-lan client-isolation=yes name=dp777 vlan-id=777
/interface wifi datapath add bridge=br-lan disabled=no name=dp69 vlan-id=69
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk name=sec-lan
/interface wifi security add authentication-types=wpa2-psk name=sec-iot
/interface wifi security add authentication-types=wpa2-psk name=sec-guest
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk name=sec-mgmt
/interface wifi configuration add datapath=dp20 disabled=no name=cfg-dom security=sec-lan ssid=
/interface wifi configuration add datapath=dp600 disabled=no name=cfg-iot security=sec-iot ssid=
/interface wifi configuration add datapath=dp69 disabled=no name=cfg-mgmt security=sec-mgmt ssid=
/interface wifi configuration add datapath=dp777 disabled=no name=cfg-guest security=sec-guest ssid=
/interface wifi set [ find default-name=wifi2 ] comment="LAN 2.4 GHz" configuration=cfg-dom configuration.mode=ap disabled=no name=int_VLAN20_2.4
/interface wifi set [ find default-name=wifi1 ] comment="LAN 5 GHz" configuration=cfg-dom configuration.mode=ap disabled=no name=int_VLAN20_5.0
/interface wifi add comment="MGMT Network" configuration=cfg-mgmt configuration.mode=ap disabled=no mac-address= master-interface=int_VLAN20_2.4 name=int_VLAN69_mgmt
/interface wifi add comment="IoT network" configuration=cfg-iot configuration.mode=ap disabled=no mac-address= master-interface=int_VLAN20_2.4 name=int_VLAN600_IoT
/interface wifi add comment=GOSCINNA configuration=cfg-guest configuration.mode=ap disabled=no mac-address=master-interface=int_VLAN20_2.4 name=int_VLAN777_welcome2.4
/interface wifi add comment=GOSCINNA configuration=cfg-guest configuration.mode=ap disabled=no mac-address=master-interface=int_VLAN20_5.0 name=int_VLAN777_welcome5.0
/ip pool add name=pool20 ranges=10.0.20.2-10.0.20.62
/ip pool add name=pool600 ranges=192.168.60.2-192.168.60.62
/ip pool add name=pool777 ranges=10.77.0.2-10.77.0.62
/ip pool add name=pool69 ranges=10.0.69.0/29
/ip dhcp-server add address-pool=pool20 interface=vlan20 name=dhcp20
/ip dhcp-server add address-pool=pool600 interface=vlan600 name=dhcp600
/ip dhcp-server add address-pool=pool777 interface=vlan777 name=dhcp777
/ip dhcp-server add address-pool=pool69 interface=vlan69 name=dhcp69
/system logging action set 0 memory-lines=100
/zerotier set zt1 disabled=no disabled=no
/zerotier interface add allow-default=no allow-global=no allow-managed=yes comment="ZeroTier Network" disabled=no instance=zt1 name= network=
/interface bridge port add bridge=br-lan comment=LAN interface=ether2 pvid=20
/interface bridge port add bridge=br-lan comment=LAN interface=ether3 pvid=20
/interface bridge port add bridge=br-lan comment=IoT interface=ether4 pvid=600
/interface bridge port add bridge=br-lan comment=TRUNK interface=ether5
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 untagged=ether2,ether3 vlan-ids=20
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 untagged=ether4 vlan-ids=600
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 vlan-ids=69
/interface list member add interface=int_netia_strzelc0w list=WAN
/interface list member add interface=br-lan list=MGMT
/interface wifi cap set caps-man-addresses=127.0.0.1 discovery-interfaces=br-lan enabled=yes
/interface wifi capsman set enabled=yes interfaces=br-lan
/interface wifi provisioning add action=create-dynamic-enabled disabled=no master-configuration=cfg-dom slave-configurations=cfg-iot,cfg-mgmt,cfg-guest
/ip address add address=10.0.20.1/26 comment="VLAN 20 - LAN" interface=vlan20 network=10.0.20.0
/ip address add address=192.168.60.1/26 comment="VLAN 600 - IoT" interface=vlan600 network=192.168.60.0
/ip address add address=10.77.0.1/26 comment="VLAN 777 - Guest" interface=vlan777 network=10.77.0.0
/ip address add address=10.0.69.1/29 comment="VLAN 69 - MGMT" interface=vlan69 network=10.0.69.0
/ip dhcp-server network add address=10.0.20.0/26 dns-server=10.0.20.1 gateway=10.0.20.1
/ip dhcp-server network add address=10.0.69.0/29 dns-server=10.0.69.1 gateway=10.0.69.1
/ip dhcp-server network add address=10.77.0.0/26 dns-server=10.77.0.1 gateway=10.77.0.1
/ip dhcp-server network add address=192.168.60.0/26 dns-server=192.168.60.1 gateway=192.168.60.1
/ip dns set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter add action=accept chain=input comment="MGMT - WinBox access" dst-port=8291 protocol=tcp src-address=10.0.69.0/29
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
/ip service set ftp disabled=yes
/ip service set ssh disabled=yes
/ip service set telnet disabled=yes
/ip service set winbox address=10.0.69.0/29
/ip service set api disabled=yes
/system clock set time-zone-name=
/system identity set name=ax3
/system package update set channel=testing
2) ax2
# 2025-12-14 22:33:59 by RouterOS 7.21rc2
# software id = 2AW4-QDUG
#
# model = C52iG-5HaxD2HaxD
# serial number =
/interface bridge add name=br-lan vlan-filtering=yes
/interface vlan add interface=br-lan name=vlan69 vlan-id=69
/interface bridge port add bridge=br-lan interface=ether5
/interface bridge port add bridge=br-lan interface=ether1 pvid=20
/interface bridge port add bridge=br-lan interface=ether2 pvid=20
/interface bridge port add bridge=br-lan interface=ether3 pvid=20
/interface bridge port add bridge=br-lan interface=ether4 pvid=20
/interface bridge port add bridge=br-lan interface=wifi1
/interface bridge port add bridge=br-lan interface=wifi2
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 vlan-ids=20
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 vlan-ids=69
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 vlan-ids=600
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 vlan-ids=777
/interface wifi cap set caps-man-addresses=10.0.20.1 discovery-interfaces=br-lan enabled=yes
/ip address add address=10.0.69.6/29 interface=vlan69 network=10.0.69.0
/system identity set name=ax2
From you provision rules you are referring to configuration:
/interface wifi configuration add datapath=dp20 disabled=no name=cfg-dom security=sec-lan ssid=
/interface wifi configuration add datapath=dp600 disabled=no name=cfg-iot security=sec-iot ssid=
/interface wifi configuration add datapath=dp69 disabled=no name=cfg-mgmt security=sec-mgmt ssid=
These are incomplete (assuming you only redacted the ssid). You should add at least country and security. Channel can be added, especially when you want to use better control.
On the CAP, you are missing:
#set configuration.manager= on the WiFi interface that should act as CAP
/interface/wifi/set wifi1,wifi2 configuration.manager=capsman
mkx
December 22, 2025, 1:23pm
3
And to achieve smooth roaming, you have to look into /interface/wifi/steering . ROS is supposed to create appropriate steering groups automatically (based on wifi interface's SSID), but you could set them up manually (and assign them as steering property in /interface/wifi/configuration ). And useful properties (not sure how they're set when using dynamic steering groups) are rrm=yes 2g-probe-delay=yes .
The second (or the first?) is to set ft=yes ft-over-ds=yes in security profiles.
Ok, so far i have make changes but when im near ax2 on the second floor, i cant connect to my wireless network (the circle connection is “thinking) and ive got auto ip configuration addr like 169.x.x.x.x
Screenshot from winbox from CAP - like wtf? why there is so many duplicated wifi interfaces?
rsc
CAP
# 2025-12-15 10:10:13 by RouterOS 7.21rc2
# software id = 2AW4-QDUG
#
# model =
# serial number =
/interface bridge add name=br-lan vlan-filtering=yes
/interface wifi
# managed by CAPsMAN 78:9A:18:8B:89:B2%br-lan, traffic processing on CAP
# mode: AP, SSID: misionek, channel: 5700/ax/eeCe/D
set [ find default-name=wifi1 ] configuration.manager=capsman disabled=no
/interface wifi
# managed by CAPsMAN 78:9A:18:8B:89:B2%br-lan, traffic processing on CAP
# mode: AP, SSID: misionek, channel: 2422/ax/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman disabled=no
/interface vlan add interface=br-lan name=vlan69 vlan-id=69
/interface bridge port add bridge=br-lan interface=ether5
/interface bridge port add bridge=br-lan interface=ether1 pvid=20
/interface bridge port add bridge=br-lan interface=ether2 pvid=20
/interface bridge port add bridge=br-lan interface=ether3 pvid=20
/interface bridge port add bridge=br-lan interface=ether4 pvid=20
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 vlan-ids=20
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 vlan-ids=69
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 vlan-ids=600
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 vlan-ids=777
/interface wifi cap set caps-man-addresses=10.0.20.1 discovery-interfaces=br-lan enabled=yes
/ip address add address=10.0.69.6/29 interface=vlan69 network=10.0.69.0
/system identity set name=ax2
2025-12-15 10:10:13 by RouterOS 7.21rc2
CAPSMAN
# 2025-12-23 00:09:38 by RouterOS 7.21rc2
# software id = P1P8-BB46
#
# model = C53UiG+5HPaxD2HPaxD
# serial number =
/interface bridge add name=br-lan vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ] comment="WAN NETIA "
/interface ethernet set [ find default-name=ether2 ] comment="VLAN20 LAN"
/interface ethernet set [ find default-name=ether3 ] comment="VLAN20 LAN"
/interface ethernet set [ find default-name=ether4 ] comment="IoT ax3 port"
/interface ethernet set [ find default-name=ether5 ] comment=TRUNK
/interface vlan add comment=LAN interface=br-lan name=vlan20 vlan-id=20
/interface vlan add interface=ether1 name=vlan35-pppoe vlan-id=35
/interface vlan add comment=mgmt interface=br-lan name=vlan69 vlan-id=69
/interface vlan add comment=IoT interface=br-lan name=vlan600 vlan-id=600
/interface vlan add comment=welcome interface=br-lan name=vlan777 vlan-id=777
/interface pppoe-client add add-default-route=yes comment="WAN NETIA" disabled=no interface=vlan35-pppoe name=int_netia_strzelc0w user=
/interface list add name=LAN
/interface list add name=WAN
/interface list add name=MGMT
/interface wifi channel add band=2ghz-ax frequency=2412,2437,2462 name=ch-24ghz width=20mhz
/interface wifi channel add band=5ghz-ax disabled=no frequency=5180 name=ch-5ghz width=20/40/80mhz
/interface wifi datapath add bridge=br-lan name=dp20 vlan-id=20
/interface wifi datapath add bridge=br-lan name=dp600 vlan-id=600
/interface wifi datapath add bridge=br-lan client-isolation=yes name=dp777 vlan-id=777
/interface wifi datapath add bridge=br-lan disabled=no name=dp69 vlan-id=69
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=sec-lan
/interface wifi security add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes name=sec-iot
/interface wifi security add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes name=sec-guest
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk name=sec-mgmt
/interface wifi steering add 2g-probe-delay=yes disabled=no name=steering_misionek neighbor-group=dynamic-misionek- rrm=yes
/interface wifi steering add 2g-probe-delay=yes disabled=no name=steering_iot neighbor-group=dynamic-IoT-09822ad0 rrm=yes
/interface wifi steering add 2g-probe-delay=yes disabled=no name=steering_guests neighbor-group=dynamic-welcome- rrm=yes
/interface wifi steering add 2g-probe-delay=yes disabled=no name=steering_mgmt neighbor-group=dynamic-mgmt-8a741aca rrm=yes
/interface wifi configuration add datapath=dp20 disabled=no name=cfg-dom security=sec-lan security.ft=yes .ft-over-ds=yes ssid=misionek steering=steering_misionek
/interface wifi configuration add datapath=dp600 disabled=no name=cfg-iot security=sec-iot security.ft=yes .ft-over-ds=yes ssid=IoT steering=steering_iot
/interface wifi configuration add datapath=dp69 disabled=no name=cfg-mgmt security=sec-mgmt security.ft=yes .ft-over-ds=yes ssid=mgmt steering=steering_mgmt
/interface wifi configuration add datapath=dp777 disabled=no name=cfg-guest security=sec-guest security.ft=yes .ft-over-ds=yes ssid=welcome steering=steering_guests
/interface wifi set [ find default-name=wifi2 ] comment="LAN 2.4 GHz" configuration=cfg-dom configuration.mode=ap disabled=no name=int_VLAN20_2.4
/interface wifi set [ find default-name=wifi1 ] comment="LAN 5 GHz" configuration=cfg-dom configuration.mode=ap disabled=no name=int_VLAN20_5.0
/interface wifi add comment="MGMT Network" configuration=cfg-mgmt configuration.mode=ap disabled=no mac-address= master-interface=int_VLAN20_2.4 name=int_VLAN69_mgmt
/interface wifi add comment="IoT network" configuration=cfg-iot configuration.mode=ap disabled=no mac-address= master-interface=int_VLAN20_2.4 name=int_VLAN600_IoT
/interface wifi add comment=GOSCINNA configuration=cfg-guest configuration.mode=ap disabled=no mac-address= master-interface=int_VLAN20_2.4 name=int_VLAN777_welcome2.4
/interface wifi add comment=GOSCINNA configuration=cfg-guest configuration.mode=ap disabled=no mac-address= master-interface=int_VLAN20_5.0 name=int_VLAN777_welcome5.0
/ip pool add name=pool20 ranges=10.0.20.2-10.0.20.62
/ip pool add name=pool600 ranges=192.168.60.2-192.168.60.62
/ip pool add name=pool777 ranges=10.77.0.2-10.77.0.62
/ip pool add name=pool69 ranges=10.0.69.0/29
/ip dhcp-server add address-pool=pool20 interface=vlan20 name=dhcp20
/ip dhcp-server add address-pool=pool600 interface=vlan600 name=dhcp600
/ip dhcp-server add address-pool=pool777 interface=vlan777 name=dhcp777
/ip dhcp-server add address-pool=pool69 interface=vlan69 name=dhcp69
/system logging action set 0 memory-lines=100
/zerotier set zt1 disabled=no disabled=no
/zerotier interface add allow-default=no allow-global=no allow-managed=yes comment="ZeroTier Network" disabled=no instance=zt1 name=zt-strz3lc0w network=
/interface bridge port add bridge=br-lan comment=LAN interface=ether2 pvid=20
/interface bridge port add bridge=br-lan comment=LAN interface=ether3 pvid=20
/interface bridge port add bridge=br-lan comment=IoT interface=ether4 pvid=600
/interface bridge port add bridge=br-lan comment=TRUNK interface=ether5
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 untagged=ether2,ether3 vlan-ids=20
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 untagged=ether4 vlan-ids=600
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 vlan-ids=69
/interface list member add interface=int_netia_strzelc0w list=WAN
/interface list member add interface=br-lan list=MGMT
/interface wifi cap set caps-man-addresses=127.0.0.1 discovery-interfaces=br-lan enabled=yes
/interface wifi capsman set enabled=yes interfaces=br-lan
/interface wifi provisioning add action=create-dynamic-enabled disabled=no master-configuration=cfg-dom slave-configurations=cfg-iot,cfg-mgmt,cfg-guest
/ip address add address=10.0.20.1/26 comment="VLAN 20 - LAN" interface=vlan20 network=10.0.20.0
/ip address add address=192.168.60.1/26 comment="VLAN 600 - IoT" interface=vlan600 network=192.168.60.0
/ip address add address=10.77.0.1/26 comment="VLAN 777 - Guest" interface=vlan777 network=10.77.0.0
/ip address add address=10.0.69.1/29 comment="VLAN 69 - MGMT" interface=vlan69 network=10.0.69.0
/ip dhcp-server network add address=10.0.20.0/26 dns-server=10.0.20.1 gateway=10.0.20.1
/ip dhcp-server network add address=10.0.69.0/29 dns-server=10.0.69.1 gateway=10.0.69.1
/ip dhcp-server network add address=10.77.0.0/26 dns-server=10.77.0.1 gateway=10.77.0.1
/ip dhcp-server network add address=192.168.60.0/26 dns-server=192.168.60.1 gateway=192.168.60.1
/ip dns set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter add action=accept chain=input comment="MGMT - WinBox access" dst-port=8291 protocol=tcp src-address=10.0.69.0/29
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
/ip service set ftp disabled=yes
/ip service set ssh disabled=yes
/ip service set telnet disabled=yes
/ip service set winbox address=10.0.69.0/29
/ip service set api disabled=yes
/system clock set time-zone-name=Europe/Warsaw
/system identity set name=ax3
/system package update set channel=testing
According to this line you want 4 ssid's per radio:
/interface wifi provisioning add action=create-dynamic-enabled disabled=no master-configuration=cfg-dom slave-configurations=cfg-iot,cfg-mgmt,cfg-guest
Per SSID an (virtual) interface is created to accomodate it.
Because you are missing the datapath in your CAP config, there is no IP:
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman disabled=no datapath=capdp
set [ find default-name=wifi2 ] configuration.manager=capsman disabled=no datapath=capdp
jaclaz
December 23, 2025, 9:28am
6
Only for the record and FYI, addresses in range 169.254.0.1 - 169.254.255.254 are so-called APIPA addresses (Automatic Private IP Addressing), they are automatically generated[1] on many devices when there is no valid IP address set (received by DHCP server), so whenever you find a device with one of such address it means that the DHCP server did not work as expected, so the DHCP server and related settings are the first thing to check.
[1] the idea is to provide in most cases basic network connectivity to devices on a same network, even when the DHCP server is not working as expected.
almost done!
rsc 23.12.2025
Capsman
# 2025-12-23 10:27:07 by RouterOS 7.21rc2
# software id = P1P8-BB46
#
# model = C53UiG+5HPaxD2HPaxD
# serial number =
/interface bridge add name=br-lan vlan-filtering=yes
/interface ethernet set [ find default-name=ether1 ] comment="WAN NETIA "
/interface ethernet set [ find default-name=ether2 ] comment="VLAN20 LAN"
/interface ethernet set [ find default-name=ether3 ] comment="VLAN20 LAN"
/interface ethernet set [ find default-name=ether4 ] comment="IoT ax3 port"
/interface ethernet set [ find default-name=ether5 ] comment=TRUNK
/interface vlan add comment=LAN interface=br-lan name=vlan20 vlan-id=20
/interface vlan add interface=ether1 name=vlan35-pppoe vlan-id=35
/interface vlan add comment=mgmt interface=br-lan name=vlan69 vlan-id=69
/interface vlan add comment=IoT interface=br-lan name=vlan600 vlan-id=600
/interface vlan add comment=welcome interface=br-lan name=vlan777 vlan-id=777
/interface pppoe-client add add-default-route=yes comment="WAN NETIA" disabled=no interface=vlan35-pppoe name=int_netia_strzelc0w user=
/interface list add name=LAN
/interface list add name=WAN
/interface list add name=MGMT
/interface wifi channel add band=2ghz-ax frequency=2412,2437,2462 name=ch-24ghz width=20mhz
/interface wifi channel add band=5ghz-ax disabled=no frequency=5180 name=ch-5ghz skip-dfs-channels=all width=20/40/80mhz
/interface wifi datapath add bridge=br-lan name=dp20 vlan-id=20
/interface wifi datapath add bridge=br-lan name=dp600 vlan-id=600
/interface wifi datapath add bridge=br-lan client-isolation=yes name=dp777 vlan-id=777
/interface wifi datapath add bridge=br-lan disabled=no name=dp69 vlan-id=69
/interface wifi security add authentication-types=wpa3-psk disabled=no ft=no ft-over-ds=no name=sec-lan
/interface wifi security add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes name=sec-iot
/interface wifi security add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes name=sec-guest
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk name=sec-mgmt
/interface wifi steering add 2g-probe-delay=yes disabled=no name=steering_misionek neighbor-group=dynamic-misionek-5941e592 rrm=yes
/interface wifi steering add 2g-probe-delay=yes disabled=no name=steering_iot neighbor-group=dynamic-IoT-09822ad0 rrm=yes
/interface wifi steering add 2g-probe-delay=yes disabled=no name=steering_guests neighbor-group=dynamic-welcome-56ec7693 rrm=yes
/interface wifi steering add 2g-probe-delay=yes disabled=no name=steering_mgmt neighbor-group=dynamic-mgmt-8a741aca rrm=yes
/interface wifi configuration add datapath=dp20 disabled=no name=cfg-dom security=sec-lan security.ft=yes .ft-over-ds=yes ssid=misionek steering=steering_misionek
/interface wifi configuration add datapath=dp600 disabled=no name=cfg-iot security=sec-iot security.ft=yes .ft-over-ds=yes ssid=IoT steering=steering_iot
/interface wifi configuration add datapath=dp69 disabled=no name=cfg-mgmt security=sec-mgmt security.ft=yes .ft-over-ds=yes ssid=mgmt steering=steering_mgmt
/interface wifi configuration add datapath=dp777 disabled=no name=cfg-guest security=sec-guest security.ft=yes .ft-over-ds=yes ssid=welcome steering=steering_guests
/interface wifi set [ find default-name=wifi2 ] comment="LAN 2.4 GHz" configuration=cfg-dom configuration.mode=ap disabled=no name=int_VLAN20_2.4
/interface wifi set [ find default-name=wifi1 ] comment="LAN 5 GHz" configuration=cfg-dom configuration.mode=ap disabled=no name=int_VLAN20_5.0
/interface wifi add comment="MGMT Network" configuration=cfg-mgmt configuration.mode=ap disabled=no mac-address=7A:9A:18:8B:89:B8 master-interface=int_VLAN20_2.4 name=int_VLAN69_mgmt
/interface wifi add comment="IoT network" configuration=cfg-iot configuration.mode=ap disabled=no mac-address=7A:9A:18:8B:89:B7 master-interface=int_VLAN20_2.4 name=int_VLAN600_IoT
/interface wifi add comment=GOSCINNA configuration=cfg-guest configuration.mode=ap disabled=no mac-address=7A:9A:18:8B:89:B9 master-interface=int_VLAN20_2.4 name=int_VLAN777_welcome2.4
/interface wifi add comment=GOSCINNA configuration=cfg-guest configuration.mode=ap disabled=no mac-address=7A:9A:18:8B:89:B6 master-interface=int_VLAN20_5.0 name=int_VLAN777_welcome5.0
/ip pool add name=pool20 ranges=10.0.20.2-10.0.20.62
/ip pool add name=pool600 ranges=192.168.60.2-192.168.60.62
/ip pool add name=pool777 ranges=10.77.0.2-10.77.0.62
/ip pool add name=pool69 ranges=10.0.69.0/29
/ip dhcp-server add address-pool=pool20 interface=vlan20 name=dhcp20
/ip dhcp-server add address-pool=pool600 interface=vlan600 name=dhcp600
/ip dhcp-server add address-pool=pool777 interface=vlan777 name=dhcp777
/ip dhcp-server add address-pool=pool69 interface=vlan69 name=dhcp69
/system logging action set 0 memory-lines=100
/zerotier set zt1 disabled=no disabled=no
/zerotier interface add allow-default=no allow-global=no allow-managed=yes comment="ZeroTier Network" disabled=no instance=zt1 name=zt-strz3lc0w network=
/interface bridge port add bridge=br-lan comment=LAN interface=ether2 pvid=20
/interface bridge port add bridge=br-lan comment=LAN interface=ether3 pvid=20
/interface bridge port add bridge=br-lan comment=IoT interface=ether4 pvid=600
/interface bridge port add bridge=br-lan comment=TRUNK interface=ether5
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 untagged=ether2,ether3 vlan-ids=20
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 untagged=ether4 vlan-ids=600
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 vlan-ids=69
/interface list member add interface=int_netia_strzelc0w list=WAN
/interface list member add interface=br-lan list=MGMT
/interface wifi cap set caps-man-addresses=127.0.0.1 discovery-interfaces=br-lan enabled=yes
/interface wifi capsman set enabled=yes interfaces=br-lan
/interface wifi provisioning add action=create-dynamic-enabled disabled=no master-configuration=cfg-dom slave-configurations=cfg-iot,cfg-mgmt,cfg-guest
/ip address add address=10.0.20.1/26 comment="VLAN 20 - LAN" interface=vlan20 network=10.0.20.0
/ip address add address=192.168.60.1/26 comment="VLAN 600 - IoT" interface=vlan600 network=192.168.60.0
/ip address add address=10.77.0.1/26 comment="VLAN 777 - Guest" interface=vlan777 network=10.77.0.0
/ip address add address=10.0.69.1/29 comment="VLAN 69 - MGMT" interface=vlan69 network=10.0.69.0
/ip dhcp-server network add address=10.0.20.0/26 dns-server=10.0.20.1 gateway=10.0.20.1
/ip dhcp-server network add address=10.0.69.0/29 dns-server=10.0.69.1 gateway=10.0.69.1
/ip dhcp-server network add address=10.77.0.0/26 dns-server=10.77.0.1 gateway=10.77.0.1
/ip dhcp-server network add address=192.168.60.0/26 dns-server=192.168.60.1 gateway=192.168.60.1
/ip dns set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter add action=accept chain=input comment="MGMT - WinBox access" dst-port=8291 protocol=tcp src-address=10.0.69.0/29
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
/ip service set ftp disabled=yes
/ip service set ssh disabled=yes
/ip service set telnet disabled=yes
/ip service set winbox address=10.0.69.0/29
/ip service set api disabled=yes
/system clock set time-zone-name=
/system identity set name=ax3
/system package update set channel=testing
CAP
# 2025-12-23 10:27:47 by RouterOS 7.21rc2
# software id = 2AW4-QDUG
#
# model = C52iG-5HaxD2HaxD
# serial number =
/interface bridge add name=br-lan vlan-filtering=yes
/interface vlan add interface=br-lan name=vlan69 vlan-id=69
/interface wifi datapath add bridge=br-lan comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN 78:9A:18:8B:89:B2%br-lan, traffic processing on CAP
# mode: AP, SSID: misionek, channel: 5700/ax/eeCe/D
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
/interface wifi
# managed by CAPsMAN 78:9A:18:8B:89:B2%br-lan, traffic processing on CAP
# mode: AP, SSID: misionek, channel: 2422/ax/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port add bridge=br-lan interface=ether5
/interface bridge port add bridge=br-lan interface=ether1 pvid=20
/interface bridge port add bridge=br-lan interface=ether2 pvid=20
/interface bridge port add bridge=br-lan interface=ether3 pvid=20
/interface bridge port add bridge=br-lan interface=ether4 pvid=20
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 vlan-ids=20
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 vlan-ids=69
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 vlan-ids=600
/interface bridge vlan add bridge=br-lan tagged=br-lan,ether5 vlan-ids=777
/interface wifi cap set caps-man-addresses=10.0.20.1 discovery-interfaces=br-lan enabled=yes
/ip address add address=10.0.69.6/29 interface=vlan69 network=10.0.69.0
/ip dns set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip route add dst-address=0.0.0.0/0 gateway=10.0.69.1
/system clock set time-zone-name=
/system identity set name=ax2
/system package update set channel=development
It's always up to the client to decide whether or not to roam. You might want to reduce Tx Power on the 2.4GHz radios to convince the clients...
Are the radios on different channels? That is required for best roaming experience.
My advice:
/interface wifi configuration add datapath=dp20 disabled=no name=cfg-dom security=sec-lan security.ft=yes .ft-over-ds=yes ssid=misionek steering=steering_misionek
/interface wifi configuration add datapath=dp600 disabled=no name=cfg-iot security=sec-iot security.ft=yes .ft-over-ds=yes ssid=IoT steering=steering_iot
/interface wifi configuration add datapath=dp69 disabled=no name=cfg-mgmt security=sec-mgmt security.ft=yes .ft-over-ds=yes ssid=mgmt steering=steering_mgmt
/interface wifi configuration add datapath=dp777 disabled=no name=cfg-guest security=sec-guest security.ft=yes .ft-over-ds=yes ssid=welcome steering=steering_guests
Remove all the overwritten properties (in the above case .ft and .ft-over-ds) as they are already set on the security part.
But strange - i can’t connect to guests network on second floor - on the 1st floor guests is works ok, and when im back on the first floor, my laptop is holding connection from second floor, and wont automaticly switch to better signal.