CAPsMAN <> cAP config and behaviour is baffling me - managed, yet unmanaged...

I have recently installed a 5009 with 3 cAP ac access points in my home. I have updated the wireless packages to use wifi-qcom and wifi-qcom-ac, respectively, and gone about setting up the configs as per the Mikrotik docs: https://help.mikrotik.com/docs/display/ROS/WiFi.

The router has mostly got the default/base config applied and is updated to 7.14 (as are the APs). There are a handful of settings I will likely change but for now the default seems to be OK for what I need initially. However, there is a bit of an issue… I am unable to control the access points effectively (at all really).

I have provisioned the APs by holding the reset button during boot which seemed to make them connect to the router to get their configs. These configs work and I am able to auth and connect to the Internet no problem. However, in the WiFi window (on the router), I see “-- no connection to CAPsMAN, managed locally” and when logged into the AP, I see “managed by CAPsMAN” with addtl wifi info (though not all configs are present/applied).

I am not quite clear on how to get the Router and the cAPs to agree on their management/settings and it seems that while they are able to get their base config, I am unable to modify or control them further. It looks like even though the base config is applied, additional communications between the router and the APs isn’t working.

I am wondering if it is related to certs.

I have attached both the router and AP configs here.

Any help is greatly appreciated, thanks in advance.
cAP.rsc (1.1 KB)
router_conf.rsc (8.54 KB)

Wave2 capsman is in base ROS package since 7.13.

Remove wifi-qcom package from RB5009.

So I did this, removed the wifi-qcom package from router and rebooted it to apply the change… The issue remains… I rebooted one of the APs to see if that would make a difference and it did not. Do you think I need to redo the whole “unplug PoE connection, hold ‘reset’ and plug back in, wait for flashing LEDs and let go of ‘reset’ button” thing to sync them again?

Edit to add: I notice in the WinBox “neighbor” tab that this AP has a DHCP IP and also a 0.0.0.0 IP associated with the MAC address after reboot… See Attached image.

Do I need to do a thing to adjust this after the removal of the wifi-qcom package?
HallwayAP_IP.png

Can you please clarify what is not working since your questions/response is quite unclear.

On RB5009, there should not be a message anymore about interfaces being managed locally. Yes or no ?

You should see on RB5009 the 6 radios of the 3 APs being controlled by capsman (3x 5GHz, 3x 2.4GHz). Yes or no ?

Are you able to use the APs with the settings you configured on RB5009 ? Yes or no ?

About config:
caps looks ok (rather default)

RB5009:
I think you missed some things in the provided documents …

remove:

/interface wifi cap
set discovery-interfaces=bridge enabled=yes lock-to-caps-man=no slaves-static=no

Your RB5009 has no radios, so it does not need to listen for capsman. It IS the capsman controller.

Bridge:
what’s this ??

add bridge=bridge interface=*50
add bridge=bridge interface=*54
add bridge=bridge interface=*51
add bridge=bridge interface=*55
add bridge=bridge interface=*4E
add bridge=bridge interface=*4F

Remove the errors.

conflict here…

/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge network=192.168.88.0
add address=10.10.0.1/24 interface=bridge network=10.10.0.0
add address=10.10.0.1 interface=ether1 network=10.10.0.1

I assume you do not want to use the 192.168.88.0/24 subnet ? Remove it then (also the pool and DHCP-server network).
You have set your bridge to address 10.10.0.1 but you do the SAME on ether1 ? Why ? Ether1 should be in subnet of your upstream ISP router, I would think (can’t know for sure since you did not reveal how that part is constructed).

And further on you have DHCP client on ether1, which more or less confirms my finding.

Clean up and repost config please.

>> Can you please clarify what is not working since your questions/response is quite unclear.

So the APs are showing in the CAPsMAN and have initial config but it doesn’t seem I can make any new changes (“pushing” WPS button for my printer as an example). It looks like there is a communication issue between the CAPsMAN and the APs (though it looks like a partial issue??)

See screenshot from WiFi dialog. ^ Here ^

I can share a screenshot of what I see on the APs (it shows managed by CAPsMAN with SSID though doesn’t allow local config despite that being set in router conf) as well as AP config again if you think it would be helpful.

As for the rest of your comments, they were helpful and correct, I have responded below.

Yup, mostly default still… Just getting this up and running before I start implementing things (apologies, I am new to Mikrotik)


Fixed


I actually think this was auto-populated or something? these are the ends of the AP radio MAC addresses which seem to have been automatically added in the previous config. They seem to have disappeared after uninstalling the wifi-qcom package.


Yup, you are correct. I have attached the updated config. I was in the process of updating the local network settings and I hadn’t cleaned up all the pieces. Apologies.

You have set your bridge to address 10.10.0.1 but you do the SAME on ether1 ? Why ? Ether1 should be in subnet of your upstream ISP router, I would think (can’t know for sure since you did not reveal how that part is constructed).

I don’t really know why that was there. I believe it is fixed now, though, I have removed that and things should be correct on the basics of the config. I appreciate your assistance identifying errors.
router_updated.rsc (7.89 KB)
WiFiSadface.png

Your wireless interfaces on the CAP aren’t part of the bridge, hence it can’t be controlled.

Please read this carefully:
https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-WiFiCAPsMAN

Good catch !!
That SHOULD however be part of default caps config …

Minor other thing (I don’t think it makes any difference)

/interface wifi capsman
set enabled=yes interfaces=all package-path="" require-peer-certificate=no \
    upgrade-policy=none

Change interface from all to bridge. You don’t want incoming requests for capsman from WAN (which anyhow should be blocked by firewall, but better safe than sorry).

When you go to RB5009 / Wifi / Remote Cap, you do see the 3 APs ?
The tab to the left, select all radios and then Provision. This will retrigger provisioning.

First off, thank you very much for your input and feedback, I really appreciate the help you have so freely offered.

Apologies for the delayed update here, work has been a little wild the last couple days.

As mentioned earlier, I have added the cap-wifiX interfaces to the bridge but they show in the config as follows:

add bridge=bridge comment=wifi interface=*2F
add bridge=bridge comment=wifi interface=*30
add bridge=bridge comment=wifi interface=*31
add bridge=bridge comment=wifi interface=*32
add bridge=bridge comment=wifi interface=*33
add bridge=bridge comment=wifi interface=*34

I have attempted adding the cap-wifi interfaces using CLI and also using the GUI. They show in the bridge dialogue but go like this ^ after attempting provisioning, showing as “unknown” in the GUI.

Of course, the CAPs are still showing as before, “–no connection to CAPsMAN, managed locally” while the CAPs themselves show that they are managed by CAPsMAN.
EDIT: I can see all 3 APs in the RemoteCap tab of the WiFi menu.

I am beginning to wonder if there is maybe something incorrect on the Firewall config? I have essentially kept the default config as it came out the box though I have moved some of the rules around, notably putting all the blocker rules last. The CAPs are connected to a switch (also a MikroTik) which in turn is connected on ether2 on the Router.

I have attached the current config again with only very minor redactions in an effort to share as much relevant info as possible.

Once again, thank you for your assistance in getting to the bottom of this issue!

Edit to add: I have enabled logging on all “block” rules of the firewall and while reviewing the logs for an unrelated issue, I noted a few interesting entries.

I can see the CAP connect:

***:FF@cap-wifi5 connected, signal strength -64

and disconnect:

***:FF@cap-wifi5 disconnected, connection lost, signal strength -67

This seems to be happening repeatedly for all the AP interfaces.

And checking DHCP log messages, I see some ARP conflicts:

Detected conflict by ARP response for 10.10.0.205 from **:**:**:**:**:FF

and these all appear to be the CAP radio MACs? I think so though I see on the switch that each of the ports connected to the CAPs have 3-4 MAC addresses associated.

I think this may be the cause of the issue here but I have no idea what is causing it or how to fix it!
latest_router_conf.rsc (8.21 KB)

Why do you even attempt to do this ?
Those interfaces will come on their own once the cap devices are being managed by capsman.

More generally speaking, whenever you see something in Mikrotik exports with an asterisk * followed by a (hex) number, it means in a nutshell:
here there was something that used to make sense but that - due to some changes in some other parts of the configuration - is now invalid and RoS cannot understand what this is.

Those entries need to be deleted (and if needed re-created with valid values).
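
An added example (not part of the original posts and not MikroTik's code): a Python check that scans a RouterOS export for the stale `*`-hex references described above, plus the two controller settings flagged earlier in the thread (CAPsMAN listening on `interfaces=all`, and cap mode enabled on the controller itself). The function names and the sample export are constructed from fragments quoted in this thread; it assumes each menu path sits on its own line, as in the exports shown here.

```python
import re

# Constructed sample export, assembled from fragments quoted in this thread.
SAMPLE_EXPORT = r"""
/interface wifi cap
set discovery-interfaces=bridge enabled=yes lock-to-caps-man=no slaves-static=no
/interface wifi capsman
set enabled=yes interfaces=all package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=wifi interface=*2F
add bridge=bridge comment=wifi interface=*30
"""

STALE_REF = re.compile(r'([\w-]+)=(\*[0-9A-Fa-f]+)\b')   # e.g. interface=*2F
PROP = re.compile(r'([\w-]+)=("[^"]*"|\S+)')             # key=value pairs

def logical_lines(text):
    """Join backslash-continued lines; skip blank and '#' comment lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        if (buf or line) and not line.startswith("#"):
            yield buf + line
        buf = ""

def audit_export(text):
    """Return (menu, finding) tuples for the problems raised in the thread."""
    findings, menu, settings = [], "", {}
    for line in logical_lines(text):
        if line.startswith("/"):
            menu = line                  # assumes the menu path is on its own line
            continue
        for key, ref in STALE_REF.findall(line):
            findings.append((menu, f"stale reference {key}={ref}"))
        if line.startswith("set "):
            settings.setdefault(menu, {}).update(PROP.findall(line))
    capsman = settings.get("/interface wifi capsman", {})
    cap = settings.get("/interface wifi cap", {})
    if capsman.get("enabled") == "yes":  # this device is the controller
        if capsman.get("interfaces") == "all":
            findings.append(("/interface wifi capsman", "listens on all interfaces, WAN included"))
        if cap.get("enabled") == "yes":
            findings.append(("/interface wifi cap", "cap mode enabled on the controller"))
    return findings
```

Pass the text of an exported `.rsc` file to `audit_export()`; each tuple names the menu to revisit and what to fix there.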

Because of this comment:


I guess I misunderstood what was being suggested here.

Either way, I have removed the settings and provisioned the APs from the “Remote CAP” tab in the Wireless section but no dice. :frowning:

The CAPs are visible but not being added to the bridge… At this point I am beginning to think that the only way to get them to work is to rebuild the whole router config from scratch (though it really doesn’t make sense to need to do that)…

An additional thought that occurs to me is that connecting the CAPs to the router directly (ether3-5) instead of via the switch might make a difference here? I would appreciate any thoughts on this idea.

I am also curious about the issues on the MAC conflicts I am seeing in the logs… It seems like it could be relevant though I am unsure how to further investigate that specifically.

On CAP those wireless interfaces need to be part of bridge.
Only wifi1 and wifi2.

Not on capsman controller, that will come on its own.

I strongly suggest you reread documentation.

On a default cap config only Ethernet ports are part of the bridge.

And you are quite correct too !
My bad …

Ethernet to bridge.
All wireless/wifi interface looking for capsman using bridge.

Your CAP config looks perfectly fine and is the default config you get when turning the device into caps-mode. Nothing wrong.

But why did you enable caps mode on your router? Makes no sense and probably explains the wifi interfaces in your rb5009 export. Your caps wifi interfaces are dynamic provisioned. They show in print but not in export on your caps manager (rb5009) device - when configured correctly.

TL;DR
on your rb5009 disable cap mode:

/interface/wifi/cap set enabled=no

This is what happens when your provisioning is set to “create dynamic enabled”. It deletes and re-creates the wifi1/2 interfaces, causing this to appear throughout your configuration where they were used. You can avoid this by using a “datapath” in the wifi configuration applied, and set it to the “bridge”. Then it will add itself automatically.

Hi, looks like your second post today about provisioning and I have a feeling like there is some misunderstanding. Of course, I can be wrong. Anyway, provisioning should be used ONCE. If you are provisioning already provisioned rules it’s basically misconfiguration/bad behavior.

Workflow of provision → config change → provision → config change → provision is wrong and shouldn’t be done.

Correct workflow is provision → unprovision → change of rules → provision again

Reprovisioning is only needed when you change provisioning rules, not configuration of interfaces. (change of provisioning action is correct case for this)

By nature of the correct procedure, it shouldn’t be a surprise that interfaces are deleted when you unprovision them.

EDIT:
Look, they even updated the help page, so it’s no longer “underground knowledge”. :slight_smile:
RadioProvisioning

Provision must be done only initially, and is done automatically upon CAP joining if there are matching provisioning rules that are enabled.
If you adjust any configuration profile that is linked to the provisioned interface, all changes will be “pushed” as soon as you apply changes to the profile, with no need to re-create the already existing interface.
Provisioning itself is not for sending configuration, it is for essentially creating a new interface. In most cases, there is no reason to perform manual provisioning once you already have CAP interfaces running.

Not for one or the other but … I frequently notice changed config is NOT pushed to radios and I can only push “provision” in such a case…