CAPsMAN + CAP VLAN + management VLAN

Hello to all
I set up CAPsMAN and a CAP with VLANs and a management VLAN, but I would like to know whether there is a better way to do the same thing.

The RB3011 is the main router and CAPsMAN; its SFP port is connected to the Cisco 2960S-48 SFP port (gigabit 0/49), and the CAPs (cAP ac) are connected to the Cisco's gigabit ports 10-21.

RB3011
[xxxxxxx@xxxxxxxxx] > export

jan/24/2021 15:17:46 by RouterOS 6.48

software id = 3CB8-SW3F

model = RB3011UiAS

serial number = B88D0B4526F6

# RB3011 (RouterOS 6.48) export: router, DHCP server and CAPsMAN controller.
# NOTE(review): this export was posted publicly with secrets in clear text
# (the WPA passphrases under /caps-man security and the PIN under /lcd pin).
# Treat them as disclosed and rotate them; use `/export hide-sensitive` for
# future pastes.
/caps-man channel
# frequency= is not set on either channel object, so the CAP picks a frequency itself.
add band=2ghz-g/n name="Auto 2,4GHz"
add band=5ghz-a/n/ac name="Auto 5GHz"
/interface bridge
# One bridge per VLAN: bridge10 = VLAN 10 (Data), bridge20 = VLAN 20 (VoIP),
# bridge33 = VLAN 30 (Security+Management), bridge254 = VLAN 254 (guests).
# auto-mac=no with a fixed admin-mac keeps each bridge MAC stable.
add admin-mac=6A:99:34:E3:95:1F auto-mac=no name=bridge10
add admin-mac=0E:C6:4C:03:93:94 auto-mac=no name=bridge20
add admin-mac=C4:AD:34:85:10:A5 auto-mac=no name=bridge33
add admin-mac=4E:62:E7:88:D7:13 auto-mac=no name=bridge254
/interface ethernet
set [ find default-name=ether1 ] comment=Internet
set [ find default-name=sfp1 ] comment=TRUNK
/interface ipip
# Plain IPIP tunnel; IPIP provides no encryption of its own and no /ip ipsec
# section appears in this export, so the 192.168.3.0/24 traffic routed over
# "SPAJZ Centrala" (see /ip route) presumably crosses the Internet unprotected - confirm.
add local-address=178.219.10.134 name="SPAJZ Centrala" remote-address=95.140.124.94
/interface vlan
# b-vlanNN: VLAN sub-interfaces on top of the bridges themselves.
# vlanNN:   tagged sub-interfaces of the sfp1 trunk towards the Cisco.
add interface=bridge10 name=b-vlan10 vlan-id=10
add interface=bridge20 name=b-vlan20 vlan-id=20
add interface=bridge33 name=b-vlan30 vlan-id=30
add interface=bridge254 name=b-vlan254 vlan-id=254
add interface=sfp1 name=vlan10 vlan-id=10
add interface=sfp1 name=vlan20 vlan-id=20
add interface=sfp1 name=vlan30 vlan-id=30
add interface=sfp1 name=vlan254 vlan-id=254
/caps-man datapath
# datapath10: the CAP bridges clients locally (local-forwarding=yes) into its own bridge.
# datapath254: local-forwarding is not set, so guest traffic is carried to CAPsMAN
# and tagged with VLAN 254 (vlan-mode=use-tag) into bridge254.
add bridge=bridge10 client-to-client-forwarding=yes local-forwarding=yes name=datapath10
add bridge=bridge254 name=datapath254 vlan-id=254 vlan-mode=use-tag
/caps-man security
# Passphrases appear in clear text here (see the note at the top of the export).
# authentication-types still offers wpa-psk (WPA1); unless a legacy client needs it,
# wpa2-psk alone with aes-ccm is the stronger choice.
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=Gosti passphrase=freespot
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=Firma passphrase=spajz1234
/caps-man configuration
# Configuration names are redacted in this paste; /caps-man provisioning below
# refers to them as "Firma 2,4GHz", "Firma 5GHz" and Gosti.
add channel="Auto 2,4GHz" country=serbia datapath=datapath10 mode=ap name="xxxxxx 2,4GHz" security=Firma ssid="xxxxxxxxx. 2,4GHz"
add channel="Auto 2,4GHz" country=serbia datapath=datapath254 mode=ap name=xxxxxxxx security=Gosti ssid=Kupci
add channel="Auto 5GHz" country=serbia datapath=datapath10 mode=ap name="xxxxxxxxxx" security=Firma ssid="xxxxxxxx. 5GHz"
/interface list
# Default-config lists; membership is assigned under /interface list member.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Pool/bridge numbering does not follow the VLAN id:
# VLAN 10 -> 192.168.5.0/24, VLAN 30 -> 192.168.33.0/24.
add name=dhcp_pool0 ranges=192.168.5.50-192.168.5.200
add name=dhcp_pool1 ranges=192.168.20.50-192.168.20.150
add name=dhcp_pool2 ranges=192.168.33.50-192.168.33.100
add name=dhcp_pool3 ranges=192.168.254.2-192.168.254.254
/ip dhcp-server
# The guest server (Gosti) listens on the VLAN interface b-vlan254; the others on the bridges.
add add-arp=yes address-pool=dhcp_pool0 disabled=no interface=bridge10 lease-time=1d name=Data
add add-arp=yes address-pool=dhcp_pool1 disabled=no interface=bridge20 lease-time=1d name=VoIP
add add-arp=yes address-pool=dhcp_pool2 disabled=no interface=bridge33 lease-time=1d name=Security+Management
add add-arp=yes address-pool=dhcp_pool3 disabled=no interface=b-vlan254 lease-time=1d name=Gosti
/caps-man access-list
# Accept clients at -87 dBm or better, reject weaker ones. The reject rule's
# signal-range=-120..88 presumably meant -120..-88; because the accept rule is
# evaluated first the result is the same, but fix it to avoid surprises.
add action=accept allow-signal-out-of-range=10s disabled=no interface=all signal-range=-87..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=all signal-range=-120..88 ssid-regexp=""
/caps-man manager
# CAPsMAN generates its own CA and certificate; the CAP export requests one
# (certificate=request), so the CAP/CAPsMAN control channel is certificate-based.
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
# 2.4GHz radios get the Firma SSID plus the Gosti slave SSID; 5GHz radios get Firma only.
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration="Firma 2,4GHz" name-format=identity slave-configurations=Gosti
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration="Firma 5GHz" name-format=identity
/interface bridge port
# Untagged access ports: ether3-7 in bridge10 (data), ether2 and ether8-10 in
# bridge33 (management). Each bridge also holds its own b-vlanNN interface and
# the matching sfp1 VLAN interface. sfp1 itself is not a bridge port, so
# untagged (native VLAN) frames arriving from the Cisco trunk are not bridged anywhere.
add bridge=bridge33 interface=ether2
add bridge=bridge10 interface=ether3
add bridge=bridge10 interface=ether4
add bridge=bridge10 interface=ether5
add bridge=bridge10 interface=ether6
add bridge=bridge10 interface=ether7
add bridge=bridge33 interface=ether8
add bridge=bridge33 interface=ether9
add bridge=bridge33 interface=ether10
add bridge=bridge10 interface=b-vlan10
add bridge=bridge10 interface=vlan10
add bridge=bridge20 interface=b-vlan20
add bridge=bridge20 interface=vlan20
add bridge=bridge33 interface=b-vlan30
add bridge=bridge33 interface=vlan30
add bridge=bridge254 interface=b-vlan254
add bridge=bridge254 interface=vlan254
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
# LAN = bridge33 only, so the LAN-scoped tools (neighbor discovery, mac-server,
# mac-winbox) are limited to the management VLAN. WAN = ether1.
add interface=bridge33 list=LAN
add interface=ether1 list=WAN
/ip address
# ether1 has a static public /30 and also runs a DHCP client (see /ip dhcp-client);
# presumably one of the two is a leftover.
add address=192.168.33.1/24 interface=bridge33 network=192.168.33.0
add address=192.168.5.1/24 interface=bridge10 network=192.168.5.0
add address=192.168.20.1/24 interface=bridge20 network=192.168.20.0
add address=192.168.254.1/24 interface=b-vlan254 network=192.168.254.0
add address=178.219.10.134/30 interface=ether1 network=178.219.10.132
add address=13.0.0.2/30 interface="SPAJZ Centrala" network=13.0.0.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
# Every scope hands clients the public Google resolvers directly rather than the router.
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1
add address=192.168.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.20.1
add address=192.168.33.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.33.1
add address=192.168.254.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.254.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall filter
# NOTE(review): the input chain stops after "accept ICMP". RouterOS's implicit
# policy is accept, so every service still enabled under /ip service (only telnet
# is disabled in this export) is reachable on ether1's public address. The default
# configuration ends this chain with
#   add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# (LAN = bridge33 here); that rule is missing from this export.
# The forward chain has no inter-VLAN rule either: new connections from the guest
# VLAN (b-vlan254, 192.168.254.0/24) to the management VLAN (192.168.33.0/24) or
# the other LANs fall through to the default accept. Constructed example of a
# guest-isolation rule (adjust to what guests must reach):
#   add action=drop chain=forward comment="guest isolation" in-interface=b-vlan254 out-interface=!ether1
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# 192.168.5.0/24 -> 192.168.3.0/24 is src-natted to the tunnel address 13.0.0.2 so
# it goes over the IPIP tunnel; the first rule's to-addresses is redacted. The
# final masquerade rule without src-address covers everything else leaving ether1.
add action=src-nat chain=srcnat dst-address=!192.168.3.0/24 ipsec-policy=out,none out-interface=ether1 src-address=192.168.5.0/24 to-addresses=xxxxxxxxxxxx
add action=src-nat chain=srcnat dst-address=192.168.3.0/24 ipsec-policy=out,none out-interface=ether1 src-address=192.168.5.0/24 to-addresses=13.0.0.2
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1 src-address=192.168.20.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1 src-address=192.168.33.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1 src-address=192.168.254.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
/ip route
# Default route via the ISP; 192.168.3.0/24 via the tunnel (gateway name redacted).
add distance=1 gateway=178.219.10.133
add distance=1 dst-address=192.168.3.0/24 gateway="XXXXXXXXxxxxxx"
/ip service
# Only telnet is disabled; the other services are not listed, i.e. presumably left
# at their defaults. Disable the unused ones and/or restrict them with address=
# at least until the input chain ends with a drop.
set telnet disabled=yes
/ip smb
set allow-guests=no
/ip upnp
set show-dummy-rule=no
/lcd
set backlight-timeout=never default-screen=interfaces
/lcd pin
# This PIN is part of the public export - change it.
set pin-number=1910
/system ntp client
set enabled=yes primary-ntp=162.159.200.123
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing interface
# 10.20.20.0/24 matches none of the subnets under /ip address - likely a leftover.
add allow-address=10.20.20.0/24
/tool graphing queue
add allow-address=10.20.20.0/24
/tool graphing resource
add allow-address=10.20.20.0/24
/tool mac-server
# MAC-telnet and MAC-WinBox are restricted to the LAN list (bridge33).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
# RoMON is enabled with no secrets= set; it presumably answers on every port unless
# restricted under /tool romon port.
set enabled=yes

cAP ac setup

jan/24/2021 15:23:06 by RouterOS 6.48

software id = ADQS-VNNP

model = RBcAPGi-5acD2nD

serial number = B9320B1491CD

# cAP ac (RouterOS 6.48) export - one of the CAPs; the others use the same settings.
/interface bridge
# bridge10 = client data VLAN 10 (locally forwarded wireless clients + ether2);
# bridge33 = management VLAN 30, carrying the CAP's own address.
add admin-mac=5E:5D:95:E6:9C:26 auto-mac=no name=bridge10
add admin-mac=C4:AD:34:8D:77:FE auto-mac=no name=bridge33
/interface wireless
# The unindented "managed by CAPsMAN" / "channel:" / "SSID:" lines below appear to
# be export comments whose leading "#" was lost when pasted; they are not commands.
# The two "set [ find default-name=wlanN ]" commands are also wrapped onto two lines
# here: "station-roaming=enabled wireless-protocol=802.11" belongs to the line above it.

managed by CAPsMAN

channel: 2412/20-Ce/gn(20dBm), SSID: XXXXXXX. 2,4GHz, local forwarding

set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX country=no_country_set disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower installation=indoor mode=ap-bridge ssid=MikroTik-8D7800
station-roaming=enabled wireless-protocol=802.11

managed by CAPsMAN

channel: 5180/20-Ceee/ac/P(23dBm), SSID: XXXXXX 5GHz, local forwarding

set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=no_country_set disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower installation=indoor mode=ap-bridge ssid=MikroTik-8D7801
station-roaming=enabled wireless-protocol=802.11

managed by CAPsMAN

SSID: xXXXXXX, CAPsMAN forwarding

# wlan3: presumably the virtual interface on wlan1 that carries the
# CAPsMAN-forwarded (guest) SSID; its actual settings come from CAPsMAN.
add mac-address=C6:AD:34:8D:78:00 master-interface=wlan1 mode=station name=wlan3
/interface vlan
# b-vlanNN: VLAN sub-interfaces on top of the bridges; vlanNN: tagged
# sub-interfaces of the ether1 uplink towards the Cisco.
add interface=bridge10 name=b-vlan10 vlan-id=10
add interface=bridge33 name=b-vlan30 vlan-id=30
add interface=ether1 name=vlan10 vlan-id=10
add interface=ether1 name=vlan30 vlan-id=30
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
# ether2 is an untagged port in bridge10. ether1 itself is not a bridge port,
# only its VLAN 10 / VLAN 30 sub-interfaces are, so untagged frames from the
# switch are not bridged.
add bridge=bridge10 interface=ether2
add bridge=bridge10 interface=b-vlan10
add bridge=bridge10 interface=vlan10
add bridge=bridge33 interface=b-vlan30
add bridge=bridge33 interface=vlan30
/ip neighbor discovery-settings
# !dynamic excludes dynamically created (e.g. CAPsMAN-managed) interfaces from discovery.
set discover-interface-list=!dynamic
/interface wireless cap
# CAP mode: discovers CAPsMAN over the management bridge (bridge33), requests a
# certificate from it, and bridges locally-forwarded clients into bridge10.

set bridge=bridge10 certificate=request discovery-interfaces=bridge33 enabled=yes interfaces=wlan1,wlan2 static-virtual=yes
/ip address
# Management address on VLAN 30. This CAP has no /ip firewall filter of its own,
# so this address is reachable by anything the RB3011 forwards into VLAN 30.
add address=192.168.33.9/24 interface=bridge33 network=192.168.33.0
/ip cloud
set update-time=no
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
# Default route via the RB3011's management-VLAN address.
add distance=1 gateway=192.168.33.1
/ip service
# Only telnet is disabled; the remaining services are not listed, i.e. presumably at defaults.
set telnet disabled=yes
/ip smb
set allow-guests=no
/ip ssh
# Legacy SSH ciphers/MACs disabled.
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Belgrade
/system identity
# Identity is redacted; CAPsMAN names the CAP interfaces after it (name-format=identity).
set name="XXXXXXX"
/system ntp client
set enabled=yes primary-ntp=162.159.200.1
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/tool bandwidth-server
set authenticate=no enabled=no
/tool graphing interface
# 10.20.20.0/24 is not a configured subnet on this device or the router - likely a leftover.
add allow-address=10.20.20.0/24
/tool graphing queue
add allow-address=10.20.20.0/24
/tool graphing resource
add allow-address=10.20.20.0/24
/tool romon
# RoMON enabled with no secrets= set.
set enabled=yes

Cisco C2960S
Trunk port to router SFP

interface GigabitEthernet 1/0/49
! Trunk to the RB3011 sfp1. No native VLAN is set, so untagged frames use VLAN 1
! (default); the router does not bridge untagged sfp1 traffic, so they go nowhere.
! Consider "switchport trunk native vlan <unused-id>" so no real VLAN rides
! untagged, and "switchport nonegotiate" to disable DTP on the trunk.
description TRUNK RUTER
switchport trunk allowed vlan 10,20,30,254
switchport mode trunk

Trunk port to cAP ac
interface GigabitEthernet1/0/2
! Trunk to one cAP ac: only the data VLAN 10 and management VLAN 30 are allowed,
! matching the CAP's vlan10/vlan30 sub-interfaces on ether1. The post says the
! CAPs sit on ports 10-21, while this example is 1/0/2 - presumably one port
! shown as representative. As on the router trunk, no native VLAN is set and DTP
! is left on; "switchport trunk native vlan <unused-id>" and
! "switchport nonegotiate" would tighten it.
description AP1
switchport trunk allowed vlan 10,30
switchport mode trunk

Any suggestions for a better setup?
It works, but I would like to have the best setup.

Please use the code tags (from the menu, select “brackets”) to make it more readable.

First thing I would change is using a single bridge with VLAN filtering on it (both on the CAPsMAN and the CAP).

Assign IP addresses to the VLAN interfaces.

Don’t use auto frequencies, ever. You can add channel lists (containing channels 1, 6 and 11 for the 2.4GHz band).

I wouldn't use CAPsMAN with only the router's Wi-Fi and one cAP ac. Why complicate one's life and add another layer of configuration overhead…
If there were some advantage, sure, but I don't see any.

I have 11 cAP ac and one RB3011. I gave the example of one cAP; the same settings are on all of them. So in this scenario CAPsMAN must be used.

Is there a link to a manual for channel list setup for 2,4 and 5GHz?

Just add multiple frequencies:

11 capac, I feel your pain.
I have had enough headaches with the cAP ac that I switched to TP-Link EAP245 – a NOTICEABLE improvement in stability and connectivity.

And for 5GHz?
The real problem is that I can't find a decent manual for this scenario: 4 VLANs with a management VLAN for device access, dual-band CAPsMAN with all wireless clients on one bridge in VLAN 10 with local forwarding and client-to-client forwarding, and roaming without connection drops.

Hi, which default vlan did you put for the trunk ports?