CAPsMAN behaviour

Hello,
I have a strange situation: devices connected to the network can communicate without any problems, but they stop when the interface is provisioned by CAPsMAN.
I’m sure it is my mistake somewhere.
Would appreciate some help.
In details:
HyperHDR is installed on the TV to control the LEDs for ambilight; its web UI is accessible on port 8090.
HyperHDR controls WLED running on an ESP8266, which physically drives the LED strip.

The problem is that when CAPsMAN provisions the interface, HyperHDR is no longer accessible and WLED is no longer controlled.

This is my CAPsMAN config:

/caps-man channel
add band=5ghz-a/n/ac control-channel-width=20mhz name=channel5g
add band=2ghz-b/g/n control-channel-width=20mhz name=channel2g
/caps-man datapath
# Only the guest datapath is a named object; the other configurations set datapath.bridge
# inline, so every other datapath option on them stays at its default.
add bridge=bridge-guest name=datapath-guest vlan-id=1
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name="security profile"
add authentication-types=wpa2-psk encryption=aes-ccm name=security-guest
add authentication-types=wpa2-psk encryption=aes-ccm name=security-iot
/caps-man configuration
# NOTE(review): none of these configurations turns on client-to-client forwarding in its
# datapath. As far as I know CAPsMAN leaves that off by default, which would keep two clients
# of the same provisioned interface (the phone and PC on B5AH12 described later in the thread)
# from seeing each other, while clients on other interfaces still reach them through bridge1 —
# confirm against the /caps-man datapath defaults on this RouterOS version before changing it.
add channel=channel5g country=lithuania datapath.bridge=bridge1 installation=any name=cfg-5g security="security profile" ssid=B5AH15
add channel=channel2g country=lithuania datapath.bridge=bridge1 installation=any mode=ap name=cfg-2g security="security profile" ssid=B5AH12
# cfg-GUEST has no channel of its own; it is only used as a slave configuration below.
add datapath=datapath-guest mode=ap name=cfg-GUEST security=security-guest ssid=GUEST
add channel=channel2g country=lithuania datapath.bridge=bridge1 hide-ssid=no installation=any name=cfg-iot security=security-iot ssid=B5AH12IOT
/caps-man manager
set enabled=yes
/caps-man provisioning
# The 2.4 GHz radio carries three SSIDs (cfg-2g master plus cfg-GUEST and cfg-iot as slaves);
# the 5 GHz radio carries cfg-5g plus cfg-GUEST.
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=cfg-5g name-format=identity slave-configurations=cfg-GUEST
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg-2g name-format=identity slave-configurations=cfg-GUEST,cfg-iot

And these are my working interfaces:

/interface bridge
add name=bridge-guest port-cost-mode=short
add name=bridge1 port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
/interface mesh
add disabled=yes mesh-portal=yes name=Mesh
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
# These local profiles appear to be unused while both radios are under CAPsMAN control
# (see the generated "managed by CAPsMAN" comments below); the CAPsMAN security entries
# are what the provisioned SSIDs actually use.
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=Password-WiFi supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name="Guest profile" supplicant-identity=""
/interface wireless
# managed by CAPsMAN
# channel: 2427/20-Ce/gn(17dBm), SSID: B5AH12, CAPsMAN forwarding
# The local country="united states" differs from country=lithuania in the CAPsMAN configurations;
# whichever is intended, CAP and CAPsMAN should agree so the regulatory channel set matches.
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states" frequency=2427 frequency-mode=manual-txpower installation=indoor mode=ap-bridge name=wlan1_24 security-profile=Password-WiFi ssid=\
    B5AH12
# MAC address redacted by the poster.
add disabled=no keepalive-frames=disabled mac-address=0A:..:..:..:..:20 master-interface=wlan1_24 multicast-buffering=disabled name=wlan1_24-guest security-profile="Guest profile" ssid=GUEST \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(23dBm), SSID: B5AH15, CAPsMAN forwarding
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-onlyac channel-width=20/40/80mhz-XXXX country="united states" frequency=auto frequency-mode=manual-txpower installation=indoor mode=ap-bridge \
    name=wlan2_58 security-profile=Password-WiFi ssid=B5AH15
/interface bridge port
add bridge=bridge1 interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether3 internal-path-cost=10 path-cost=10
# NOTE(review): wlan1_24 and wlan2_58 are static members of bridge1 here, while the CAPsMAN
# configurations also place the provisioned interfaces in bridge1 via datapath.bridge. The reply
# in the thread makes the same point: the dynamic addition makes these two entries unnecessary.
add bridge=bridge1 interface=wlan1_24 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=wlan2_58 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge-guest interface=wlan1_24-guest internal-path-cost=10 path-cost=10
/interface ovpn-server server
# auth=sha1,md5 leaves MD5 available as the OVPN HMAC; prefer sha1 alone unless a client needs md5.
add auth=sha1,md5 mac-address=FE:..:..:..:..:59 name=ovpn-server1
/interface wireguard peers
# Public key partially redacted by the poster.
add allowed-address=192.168.77.2/32 interface=wireguard name=peer1 public-key="3VMCT7l8............MEQ="
/interface wireless cap
# 
# Per the poster's later reply, 192.168.1.1 is this router's own bridge1 address — the device
# is both the CAPsMAN and its own CAP.
set caps-man-addresses=192.168.1.1 enabled=yes interfaces=wlan2_58,wlan1_24

Edit: it is not accessible only when a client is connected to the 2.4 GHz SSID B5AH12.
It is accessible on B5AH15 (5 GHz), it is accessible on the LAN, and it is even accessible when the client is connected to B5AH12's virtual interface B5AH12IOT.

To me it looks like your CAP is acting as a lot more than a CAP only — e.g. there are security profiles, while all you need are interfaces that are managed by CAPsMAN. Also, there is no need to have multiple bridges, and as far as I know wireless interfaces are added to the bridge dynamically. And why is the CAP running WireGuard?

What I would do: reset the CAP to CAPS Mode and continue from there:

# Resets the device's configuration and leaves it in CAPs mode; export a backup first.
/system reset-configuration caps-mode=yes

Sorry for not providing enough info,
this is my main router (hAP ac³), which runs CAPsMAN and also manages itself;
that is why it runs WireGuard.

Any clues?
What else I have noticed:
it's just that devices on B5AH12 (the 2.4 GHz network) cannot communicate with each other.
If a phone and a PC are using this SSID, they don't see each other, but there is no problem if one of them is using a different SSID.
It is strange, as this issue appears only when the interface is controlled by CAPsMAN.

Can you please provide complete configs? It’s really hard to understand.

Here it is; I hope I'm not exposing too much:

# 2025-05-13 16:52:04 by RouterOS 7.18.2
# software id = V...Y
#
# model = RBD53iG-5HacD2HnD
# serial number = E...E
/caps-man channel
add band=5ghz-a/n/ac control-channel-width=20mhz name=channel5g
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2427 name=channel2g
/interface bridge
add name=bridge-guest port-cost-mode=short
add name=bridge1 port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN
/interface mesh
add disabled=yes mesh-portal=yes name=Mesh
/interface wireguard
# Listen port redacted by the poster; it is the same port the "allow WireGuard" input rule opens.
add listen-port=1...1 mtu=1420 name=wireguard
/caps-man datapath
# Only the guest datapath is a named object; the other configurations set datapath.bridge
# inline, so every other datapath option on them stays at its default.
add bridge=bridge-guest name=datapath-guest vlan-id=1
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name="security profile"
add authentication-types=wpa2-psk encryption=aes-ccm name=security-guest
add authentication-types=wpa2-psk encryption=aes-ccm name=security-iot
/caps-man configuration
# NOTE(review): none of these configurations turns on client-to-client forwarding in its
# datapath. As far as I know CAPsMAN leaves that off by default, which would keep two clients
# of the same provisioned interface (the phone and PC on B5AH12 described in the thread) from
# seeing each other, while clients on other interfaces still reach them through bridge1 —
# confirm against the /caps-man datapath defaults on this RouterOS version before changing it.
# country= is absent here although the snippet posted earlier had country=lithuania.
add channel=channel5g datapath.bridge=bridge1 installation=any name=cfg-5g security="security profile" ssid=B5AH15
add channel=channel2g datapath.bridge=bridge1 installation=any mode=ap name=cfg-2g security="security profile" ssid=B5AH12
add datapath=datapath-guest mode=ap name=cfg-GUEST security=security-guest ssid=GUEST
add channel=channel2g datapath.bridge=bridge1 hide-ssid=no installation=any name=cfg-iot security=security-iot ssid=B5AH12IOT
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
# These local profiles appear to be unused while both radios are under CAPsMAN control
# (see the generated "managed by CAPsMAN" comments below).
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=Password-WiFi supplicant-identity=""
add authentication-types=wpa2-psk mode=dynamic-keys name="Guest profile" supplicant-identity=""
/interface wireless
# managed by CAPsMAN
# channel: 2427/20-Ce/gn(17dBm), SSID: B5AH12, CAPsMAN forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n frequency=2427 frequency-mode=manual-txpower installation=indoor mode=ap-bridge name=wlan1_24 security-profile=Password-WiFi ssid=\
    B5AH12
# MAC address redacted by the poster.
add disabled=no keepalive-frames=disabled mac-address=0A...20 master-interface=wlan1_24 multicast-buffering=disabled name=wlan1_24-guest security-profile="Guest profile" ssid=GUEST \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# managed by CAPsMAN
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-onlyac channel-width=20/40/80mhz-XXXX frequency=auto frequency-mode=manual-txpower installation=indoor mode=ap-bridge \
    name=wlan2_58 security-profile=Password-WiFi ssid=B5AH15
/ip pool
add name=dhcp_pool0 ranges=192.168.1.100-192.168.1.254
add name=dhcp_pool1 ranges=10.10.10.100-10.10.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=10m name=dhcp1
add address-pool=dhcp_pool1 interface=bridge-guest lease-time=10m name=dhcp-guest
/user group
set read policy=local,telnet,ssh,reboot,read,test,winbox,password,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy,!web
set write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,sniff,sensitive,api,romon,rest-api,!ftp,!policy,!web
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api,romon,rest-api,!web
# The "home" group can only use read + api, but /ip service below disables both api and api-ssl,
# so members of this group currently have no enabled way to log in.
add name=home policy=read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=cfg-5g name-format=identity slave-configurations=cfg-GUEST
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg-2g name-format=identity slave-configurations=cfg-GUEST,cfg-iot
/interface bridge port
add bridge=bridge1 interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether3 internal-path-cost=10 path-cost=10
# NOTE(review): wlan1_24 and wlan2_58 are static members of bridge1 here, while the CAPsMAN
# configurations also place the provisioned interfaces in bridge1 via datapath.bridge; the
# reply in the thread points out the dynamic addition makes these two entries unnecessary.
add bridge=bridge1 interface=wlan1_24 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=wlan2_58 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge-guest interface=wlan1_24-guest internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server
# auth=sha1,md5 leaves MD5 available as the OVPN HMAC; prefer sha1 alone unless a client needs
# md5. Whether this server is enabled is not visible in the export.
add auth=sha1,md5 mac-address=FE...59 name=ovpn-server1
/interface wireguard peers
# public-key="" is presumably redacted by the poster rather than actually empty.
add allowed-address=192.168.77.2/32 interface=wireguard name=peer1 public-key=""
/interface wireless access-list
add comment=Win interface=wlan1_24-guest mac-address=9C...0C
add comment=WXM interface=wlan1_24-guest mac-address=24...9C
/interface wireless cap
# 
# 192.168.1.1 is this router's own bridge1 address (see /ip address below): the device is
# both the CAPsMAN and its own CAP.
set caps-man-addresses=192.168.1.1 enabled=yes interfaces=wlan2_58,wlan1_24
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=10.10.10.1/24 interface=bridge-guest network=10.10.10.0
add address=192.168.77.1/24 interface=wireguard network=192.168.77.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
add interface=ether1_WAN
/ip dhcp-server lease
# Client IDs and MAC addresses redacted by the poster; some leases elided ("....." below).
add address=192.168.1.154 client-id=1...cc comment=Fronius mac-address=78...CC server=dhcp1
.....
add address=10.10.10.107 client-id=1:2..c comment=WXM mac-address=24...9C server=dhcp-guest
add address=10.10.10.108 client-id=1:9...c comment=Win mac-address=9C...C server=dhcp-guest
add address=192.168.1.2 client-id=1:f4...3c mac-address=F4...3C server=dhcp1
/ip dhcp-server network
# The guest network hands out no dns-server, so guest clients resolve through the router
# (allow-remote-requests=yes below); the LAN is pointed directly at Google DNS.
add address=10.10.10.0/24 gateway=10.10.10.1
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router answer DNS for anyone who can reach
# it. The input chain below has no catch-all drop for ether1_WAN, so that includes the internet
# (open-resolver / amplification exposure) unless the ISP filters it upstream.
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
# DNS-name entries (the mynetname.net DDNS name and the Let's Encrypt hosts) are resolved by the
# router itself and therefore depend on the DNS setting above.
add address=e..e.sn.mynetname.net list=WAN-IP
add address=192.168.1.0/24 list=LAN
add address=10.10.10.100-10.10.10.254 list="Guest users"
add address=acme-v02.api.letsencrypt.org list=LE
add address=acme-staging-v02.api.letsencrypt.org list=LE
add address=letsencrypt.org list=LE
/ip firewall filter
# NOTE(review): the input chain has no connection-state handling and no final drop for traffic
# arriving on ether1_WAN, so every service not explicitly dropped is reachable from the internet
# (DNS above, www-ssl bound to 0.0.0.0/0 below; WireGuard is open by design). The usual shape is
# an accept for connection-state=established,related followed by a drop for
# in-interface=ether1_WAN as the last input rule. The forward chain likewise has no drop, so
# nothing here isolates the guest network from LAN hosts.
add action=accept chain=input dst-port=80 in-interface=ether1_WAN protocol=tcp src-address-list=LE
add action=accept chain=input comment="allow WireGuard" dst-port=1...1 protocol=udp
add action=accept chain=input comment="allow WireGuard traffic" src-address=192.168.77.0/24
# The empty dst-address-list="" / src-address-list="" matchers are no-ops.
add action=accept chain=forward dst-address=192.168.1.111 dst-address-list="" dst-port=443 protocol=tcp src-address-list=""
add action=accept chain=forward disabled=yes dst-address=192.168.1.100 dst-address-list="" dst-port=4...4 protocol=tcp src-address-list=""
# 443 is not in this port list, and www-ssl is bound to 0.0.0.0/0 below, so the HTTPS management
# UI on 10.10.10.1 stays reachable from the guest network (assuming www-ssl is on its default port).
add action=drop chain=input comment="block guest - local ports" dst-address=10.10.10.1 dst-port=21,22,23,8123,8291 protocol=tcp src-address-list="Guest users"
# NOTE(review): chain=input only sees packets addressed to the router itself (192.168.1.1), so
# this does not stop guest clients from reaching other 192.168.1.x hosts — that needs a matching
# drop in chain=forward. The accept for 192.168.1.122 that follows is shadowed by this rule
# (same /24, evaluated first), and .122 is not a router address in this export, so it never
# matches in input either; it was presumably meant for chain=forward as well.
add action=drop chain=input comment="block guest - LAN" dst-address=192.168.1.0/24 src-address-list="Guest users"
add action=accept chain=input dst-address=192.168.1.122 src-address-list="Guest users"
/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-list=WAN-IP new-connection-mark=HairPin_NAT src-address-list=LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=NAT out-interface=ether1_WAN src-address=192.168.1.0/24
# Forwarded ports and internal targets redacted by the poster.
add action=dst-nat chain=dstnat comment=H dst-address-list=WAN-IP dst-port=8... protocol=tcp src-port="" to-addresses=192.168.1. to-ports=8...
add action=dst-nat chain=dstnat comment="H SSL" dst-address-list=WAN-IP dst-port=443 protocol=tcp src-port="" to-addresses=192.168.1. to-ports=443
add action=dst-nat chain=dstnat comment="S firmware update" disabled=yes dst-address-list=WAN-IP dst-port=44004 protocol=tcp src-port="" to-addresses=192.168.1.100 to-ports=4...4
# NOTE(review): dst-nat runs before the input chain, so WAN traffic to port 80 on the router's
# public address is redirected to the internal host here and never reaches the input accept
# for the LE list above — verify the Let's Encrypt renewal scheduled below still succeeds.
# (The comment "H SSL" on a port-80 rule also looks like a copy-paste leftover.)
add action=dst-nat chain=dstnat comment="H SSL" dst-address-list=WAN-IP dst-port=80 protocol=tcp src-port="" to-addresses=192.168.1. to-ports=80
add action=dst-nat chain=dstnat comment="H WireGuard" dst-address-list=WAN-IP dst-port=5....5 in-interface=ether1_WAN protocol=udp to-addresses=192.168.1. to-ports=5....5
# No out-interface: guest traffic is masqueraded toward every destination, including the LAN,
# so guest → LAN packets appear to come from the router's own address and lose their origin in
# any logs or per-host rules on the LAN side.
add action=masquerade chain=srcnat comment="H WireGuard" src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment="Mikrotik WireGuard" src-address=192.168.77.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.1.0/24
# NOTE(review): 0.0.0.0/0 repeated three times looks like a paste error, and it binds the HTTPS
# management UI to every interface. ssh is already restricted to 192.168.1.0/24; consider the
# same for www-ssl (plus 192.168.77.0/24 if management over WireGuard is wanted). Reachability
# from the WAN side currently depends on the port-443 dst-nat rule above catching it first.
set www-ssl address=0.0.0.0/0,0.0.0.0/0,0.0.0.0/0 certificate=letsencrypt-autogen_2024-04-25T07:35:20Z disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
# NOTE(review): UPnP with ether1_WAN as the external interface lets any LAN device open inbound
# port forwards on its own; disable it unless a specific application needs it.
set enabled=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=ether1_WAN type=external
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe
/system identity
set name=MTmain
/system leds
set 0 interface=wlan1_24 leds=led1,led2,led3,led4,led5 type=wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system note
set show-at-login=no
/system scheduler
# The policy list grants ftp, write, policy, password and sensitive to a job that only renews a
# certificate; check the minimum policy certificate/enable-ssl-certificate needs and trim it.
add interval=11w3d name="SSL Let's Encrypt Renew" on-event="certificate/enable-ssl-certificate dns-name=e...e.sn.mynetname.net" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2024-04-25 start-time=23:50:00