CAPsMAN causing issues with Guest WiFi

I have two APs (both hAP ax S, connected as CAPsMAN / CAP) and I want to dissect my home network into multiple WLANs. I made a guest SSID called home.34_2_NTR, but the issue is that for some reason devices cannot join that SSID from my CAPsMAN, while joining from the CAP works perfectly fine. Devices roaming from the CAP to the CAPsMAN don’t get disconnected. The issue is only that devices cannot join the guest WLAN through the CAPsMAN.

I followed this guide by MikroTik https://www.youtube.com/watch?v=37aff6d14Xk&t=480. In the case of a CAPsMAN configuration, they explain in the video that you can provision e.g. a guest WLAN as a slave interface which is under the master WLAN (in my case home.34_2) which has already been provisioned. But that way only my CAP would offer the guest WLAN, so I figured in the CAPsMAN I’d have to manually create another WLAN with the same guest configuration (also here with home.34_2 as master), but apparently having the guest configuration provisioned for the CAP as a slave and the same for the CAPsMAN is causing issues. I’m thinking that because of my lack of experience I’ve accidentally misconfigured / misunderstood something. I’ve pasted the configuration of my CAPsMAN below. Could you please help me out?

Edit: I’ve removed my old config since, as @jaclaz and @pmastal noted, it had a lot of bloat, which made it difficult to follow me. Here is my cleaned up config: CAPsMAN causing issues with Guest WiFi - #5 by bloodynetworker

Point #21:
GP & CSA (Good Practice and Common Sense Advice) for Mikrotik devices

Post also the CAP configuration, otherwise it would be difficult to understand how it works.

What about home.34_2_IOT?

Possibly unrelated, but you have some duplicated settings in configuration/security and actual interfaces, IMHO adopting a scheme like the one in the Mikrotik help:

# Creating a security profile, which will be common for both interfaces
/interface wifi security
add name=common-auth authentication-types=wpa2-psk,wpa3-psk passphrase="diceware makes good passwords" wps=disable
# Creating a common configuration profile and linking the security profile to it
/interface wifi configuration
add name=common-conf ssid=MikroTik country=Latvia security=common-auth
# Creating separate channel configurations for each band
/interface wifi channel
add name=ch-2ghz frequency=2412,2437,2472 width=20mhz
add name=ch-5ghz frequency=5180,5260,5500 width=20/40/80mhz
# Assigning to each interface the common profile as well as band-specific channel profile, in case of "no supported channels" message on interfaces, make sure that correct (channel) configuration is applied to each.
/interface wifi
set wifi1 channel=ch-5ghz configuration=common-conf disabled=no
set wifi2 channel=ch-2ghz configuration=common-conf disabled=no

makes them more readable and avoids possible conflicts.

Hey thanks for your quick reply,
I’ve followed your #21 point and removed the DHCP server on the CAPsMAN since I don’t need it.

You’ll find the CAP configuration below.

Since home.34_2_IOT and home.34_2_NTR are configured the same way, I also have the issue on IOT.

The reason why I have duplicate settings in …

  1. configuration is because I want each SSID to have its own configuration profile in case I have to change them specifically
  2. settings is because I have no other choice… some settings just don’t correctly apply when I select any security profile, and that is why I have to manually re-enter those missing settings, which thereafter results in the “bloat” you’ve mentioned.

Another note:
I don’t know whether this matters or what this exactly means, but NTR and IOT are only marked as BOUND.

Here is the config of my CAP:

/interface bridge
add admin-mac=D0:EA:11:3D:DC:1A auto-mac=no comment=defconf name=bridge
/interface wifi
# managed by CAPsMAN D0:EA:11:3D:E0:96%bridge, traffic processing on CAP
# mode: AP, SSID: home.34_2, channel: 2412/ax
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.manager=capsman .mode=ap datapath.bridge=bridge disabled=no \
    name=2ghz security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
# managed by CAPsMAN D0:EA:11:3D:E0:96%bridge, traffic processing on CAP
# mode: AP, SSID: home.34_5, channel: 5700/ax/Ce/D
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.manager=capsman .mode=ap datapath.bridge=bridge disabled=no \
    name=5ghz security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=2ghz
add bridge=bridge comment=defconf interface=5ghz
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=bridge list=LAN
add disabled=yes interface=ether1 list=WAN
/interface wifi cap
set caps-man-addresses=10.0.0.10 certificate=request discovery-interfaces=\
    bridge enabled=yes
/ip address
add address=10.0.0.20/24 comment=defconf interface=bridge network=10.0.0.0
/ip dhcp-client
add disabled=yes interface=ether2 name=client1
/ip dns
set allow-remote-requests=yes servers=10.0.0.1
/ip dns static
add address=10.0.0.20 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.0.1
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Office

I didn’t reset it to CAPS mode since then the CAP didn’t want to accept DHCP for some reason. That’s why I manually configured it on my subnet 10.0.0.0 for it to work properly. There are some defconf settings which I cannot tell are of importance, but I’d rather not touch something that I don’t have much clue about.

Thanks in advance.

@bloodynetworker. It looks like you have a bit of a messy configuration - you “overwrite” some options, which causes issues.
Please consider a configuration without CAPsMAN and AP on the same device. From my experience, separating them is helpful and is strongly recommended.
If you wish to have separate WLANs for home / IOT / NTR SSIDs, you should use VLANs to separate (segment) networks.

Even if you wish to keep the existing configuration, the device has CAPsMAN, an AP, and a second device as an AP. Start with a minimalistic configuration for everything you can.
Also, don’t forget: with CAPsMAN + AP on the same device, you have to set up “wifi configuration.manager=capsman-or-local” or “wifi configuration.manager=local”.

Config for CAPsMAN + AP
First reset configuration:

/interface wifi reset wifi1
/interface wifi reset wifi2

Next, set up the configuration:

/interface wifi channel
add band=5ghz-ax disabled=no frequency=5150-5250,5250-5350,5470-5725 name=channel_5ghz skip-dfs-channels=10min-cac width=20/40mhz
add band=2ghz-ax disabled=no frequency=2412,2432,2472 name=channel_2ghz width=20mhz

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes management-protection=allowed name=sec_FAM
add authentication-types=wpa2-psk,wpa3-psk comment="includes NTR and IOT" disabled=no ft=yes ft-over-ds=yes management-protection=allowed name=sec_not_FAM
/interface wifi steering
add disabled=no name=steering1 rrm=yes wnm=yes

/interface wifi configuration
# home
add channel=channel_5ghz country=Germany disabled=no security=sec_FAM ssid=home.34_5 steering=steering1 name=cfg_home.34_5
add channel=channel_2ghz country=Germany disabled=no security=sec_FAM ssid=home.34_2 steering=steering1 name=cfg_home.34_2
# IOT
add channel=channel_5ghz country=Germany disabled=no security=sec_not_FAM ssid=home.34_5_IOT steering=steering1 name=cfg_home.34_5_IOT
add channel=channel_2ghz country=Germany disabled=no security=sec_not_FAM ssid=home.34_2_IOT steering=steering1 name=cfg_home.34_2_IOT
# NTR
add channel=channel_5ghz country=Germany disabled=no security=sec_not_FAM ssid=home.34_5_NTR steering=steering1 name=cfg_home.34_5_NTR
add channel=channel_2ghz country=Germany disabled=no security=sec_not_FAM ssid=home.34_2_NTR steering=steering1 name=cfg_home.34_2_NTR

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg_home.34_2 slave-configurations=cfg_home.34_2_IOT,cfg_home.34_2_NTR supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cfg_home.34_5 slave-configurations=cfg_home.34_5_IOT,cfg_home.34_5_NTR supported-bands=5ghz-ax

/interface wifi capsman
set enabled=yes interfaces=bridge

and set up for the physical interfaces:

/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman-or-local .mode=ap disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman-or-local .mode=ap disabled=no

For “interface wifi security“, don’t forget config password(s).

And config for the CAP:

/interface wifi reset wifi1
/interface wifi reset wifi2

/interface wifi
set [ find name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
set [ find name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no

/interface wifi cap
set discovery-interfaces=bridge enabled=yes
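As an added example (not part of pmastal’s post or the thread’s own configs), this is how the VLAN separation suggested above fits the provisioning model already in the thread: the guest configurations carry a datapath that tags client traffic, so every radio the provisioning rule creates them on gets the same isolation, and nothing has to be added by hand on the CAPsMAN. VLAN ID 20, the datapath name dp_guest and ether1 as the tagged uplink are assumptions; the other names are the thread’s.

```routeros
# --- CAPsMAN (identity "Main") ---
# Guest and IoT client frames are tagged into VLAN 20 by the AP datapath;
# client-isolation stops guest clients on the same radio from reaching
# each other. (VLAN 20, dp_guest and ether1 are assumed for this example.)
/interface wifi datapath
add name=dp_guest bridge=bridge vlan-id=20 client-isolation=yes

# Attach the datapath to the guest configurations only; the family SSID
# (cfg_home.34_2) keeps the default untagged datapath.
/interface wifi configuration
set cfg_home.34_2_NTR datapath=dp_guest
set cfg_home.34_2_IOT datapath=dp_guest

# Unchanged provisioning rule from the thread: the guest SSIDs are slaves of
# the family SSID and are created by CAPsMAN on every matching radio,
# including the local radios once they run configuration.manager=capsman-or-local.
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=cfg_home.34_2 \
    slave-configurations=cfg_home.34_2_NTR,cfg_home.34_2_IOT supported-bands=2ghz-ax

# Bridge VLAN table: VLAN 20 leaves the device tagged on the uplink only.
# Wired ports and the bridge's own 10.0.0.x management address stay on the
# untagged default VLAN (pvid 1), so management is not affected.
/interface bridge vlan
add bridge=bridge tagged=ether1 vlan-ids=20
/interface bridge
set bridge vlan-filtering=yes

# --- CAP (identity "Office") ---
# The CAP needs the same VLAN table: with traffic processing on the CAP,
# the dynamically created guest interfaces are added to its bridge with
# pvid 20 and must be able to egress tagged toward the uplink.
/interface bridge vlan
add bridge=bridge tagged=ether1 vlan-ids=20
/interface bridge
set bridge vlan-filtering=yes
```

The upstream gateway (10.0.0.1 in the thread) then has to terminate VLAN 20 with its own DHCP scope and firewall rules that block guest-to-LAN traffic; the APs themselves only keep the frames tagged and isolated.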

@pmastal @jaclaz upon your requests I’ve now cleaned up my configurations.

I’m aware that I haven’t set up VLANs yet @pmastal, this is because I do one step at a time.

As I’ve already stated: provisioning the IOT and NTR wifi configurations as slave interfaces for the CAP works fine:

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg_home.34_2 slave-configurations=cfg_home.34_2_NTR,cfg_home.34_2_IOT supported-bands=2ghz-ax

But since now only the CAP is offering those wifis, I thought I had to manually create both of the same wifis on the CAPsMAN too.

/interface wifi
add configuration=cfg_home.34_2_IOT configuration.mode=ap disabled=no mac-address=D2:EA:11:3D:E0:9C master-interface=home.34_2 mtu=1500 name=home.34_2_IOT security=\
    sec_not_FAM steering=steering1
add configuration=cfg_home.34_2_NTR configuration.mode=ap disabled=no mac-address=D2:EA:11:3D:E0:9B master-interface=home.34_2 mtu=1500 name=home.34_2_NTR security=\
    sec_not_FAM steering=steering1

I did so by selecting home.34_2 as their master interface, just like the IOT and NTR configurations are provisioned under the master configuration of home.34_2, but this seems to be causing issues with devices that want to join the IOT / NTR wifi that the CAPsMAN offers.

Complete configuration of my CAPsMAN:

/interface bridge
add admin-mac=D0:EA:11:3D:E0:96 auto-mac=no comment=defconf fast-forward=no name=bridge
/interface list
add name=LAN
/interface wifi channel
add band=5ghz-ax disabled=no frequency=5150-5250,5250-5350,5470-5725 name=channel_5ghz skip-dfs-channels=10min-cac width=20/40mhz
add band=2ghz-ax disabled=no frequency=2412,2432,2472 name=channel_2ghz width=20mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp ft=yes ft-over-ds=yes ft-preserve-vlanid=yes management-encryption=cmac \
    management-protection=allowed name=sec_FAM wps=disable
add authentication-types=wpa2-psk,wpa3-psk comment="includes NTR and IOT" disabled=no encryption=ccmp ft=yes ft-over-ds=yes ft-preserve-vlanid=yes \
    management-encryption=cmac management-protection=allowed name=sec_not_FAM wps=push-button
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-home.34_5-7e02348a rrm=yes wnm=yes
/interface wifi configuration
add channel=channel_5ghz country=Germany disabled=no mode=ap name=cfg_home.34_5 security=sec_FAM ssid=home.34_5 steering=steering1
add channel=channel_2ghz country=Germany disabled=no mode=ap name=cfg_home.34_2 security=sec_FAM ssid=home.34_2 steering=steering1
add channel=channel_2ghz country=Germany disabled=no mode=ap name=cfg_home.34_2_NTR security=sec_not_FAM ssid=home.34_2_NTR steering=steering1
add channel=channel_2ghz country=Germany disabled=no mode=ap name=cfg_home.34_2_IOT security=sec_not_FAM ssid=home.34_2_IOT steering=steering1
/interface wifi
set [ find default-name=wifi2 ] channel=channel_2ghz configuration=cfg_home.34_2 configuration.mode=ap disabled=no name=home.34_2 security=sec_FAM steering=\
    steering1
add configuration=cfg_home.34_2_IOT configuration.mode=ap disabled=no mac-address=D2:EA:11:3D:E0:9C master-interface=home.34_2 mtu=1500 name=home.34_2_IOT security=\
    sec_not_FAM steering=steering1
add configuration=cfg_home.34_2_NTR configuration.mode=ap disabled=no mac-address=D2:EA:11:3D:E0:9B master-interface=home.34_2 mtu=1500 name=home.34_2_NTR security=\
    sec_not_FAM steering=steering1
set [ find default-name=wifi1 ] channel=channel_5ghz configuration=cfg_home.34_5 configuration.mode=ap disabled=no name=home.34_5 security=sec_FAM steering=\
    steering1
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=home.34_2
add bridge=bridge comment=defconf interface=home.34_5
add bridge=bridge interface=ether1
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
/interface wifi capsman
set enabled=yes interfaces=bridge upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg_home.34_2 slave-configurations=cfg_home.34_2_NTR,cfg_home.34_2_IOT supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cfg_home.34_5 supported-bands=5ghz-ax
/ip address
add address=10.0.0.10/24 comment=defconf interface=bridge network=10.0.0.0
/ip dns
set allow-remote-requests=yes servers=10.0.0.1
/ip dns static
add address=10.0.0.10 comment=defconf name=router.lan type=A
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.0.1
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Main

Complete configuration of my CAP:

/interface bridge
add admin-mac=D0:EA:11:3D:DC:1A auto-mac=no comment=defconf name=bridge
/interface wifi
# managed by CAPsMAN D0:EA:11:3D:E0:96%bridge, traffic processing on CAP
# mode: AP, SSID: home.34_2, channel: 2472/ax
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.manager=capsman .mode=ap datapath.bridge=bridge disabled=no name=2ghz \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
# managed by CAPsMAN D0:EA:11:3D:E0:96%bridge, traffic processing on CAP
# mode: AP, SSID: home.34_5, channel: 5700/ax/Ce/D
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.manager=capsman .mode=ap datapath.bridge=bridge disabled=no name=5ghz \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface list
add comment=defconf name=LAN
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=2ghz
add bridge=bridge comment=defconf interface=5ghz
add bridge=bridge interface=ether1
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
/interface wifi cap
set caps-man-addresses=10.0.0.10 certificate=request discovery-interfaces=bridge enabled=yes
/ip address
add address=10.0.0.20/24 comment=defconf interface=bridge network=10.0.0.0
/ip dns
set allow-remote-requests=yes servers=10.0.0.1
/ip dns static
add address=10.0.0.20 comment=defconf name=router.lan type=A
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.0.1
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Office

I don’t really get what I’m doing wrong since I do not see any other possibility to also add IOT and NTR on my CAPsMAN. Please help me understand what I’m doing wrong!

Thanks in advance.

@bloodynetworker

Once again, on the device that is both CAPsMAN and AP, I don’t see the wifi interfaces set to configuration.manager=capsman-or-local or directly to local.
Also, on the CAP, I see you did not reset the configuration.

If you know better how to configure, I’m not able to help.

Your sentence doesn’t really make much sense, sorry but I’d have to guess what you mean:
I didn’t set the manager option on the master wifi of the CAPSMAN. Setting it to capsman-or-local makes the CAP work on its own, so it tells me: “no connection to capsman, managed locally“. Selecting that option on the CAPsMAN master wifi configuration doesn’t resolve the issue.

I forgot to mention that I tried it in CAPS mode and reset it; it’s not working properly since the CAP doesn’t accept my subnet 10.0.0.0 and instead keeps running on 192.168.88.0. This is why you don’t see any change: I rolled back my prior config and then debloated it. Aside from that, if you could tell me what is wrong with my config, I’m all ears. I put a lot of work into understanding the configuration and setting things up, so I want to follow your intention. Tbh, it looks fine to me.

And here is the issue - you mix CAPsMAN and AP configurations. Solution: separate devices for APs and CAPsMAN, or it will be a never-ending story.

On CAP, did you execute:

/interface wifi reset wifi1
/interface wifi reset wifi2

I did not write “reset the full config on the AP”. I only provided the Wi-Fi config, nothing more.

Hey there, thanks for your reply. Could you please elaborate what you mean by “separation”? Do mind that I’m a MikroTik beginner and I cannot really follow how you mean that. I know that I have every device configured as an AP, but I don’t really get the idea of “separating” CAPsMAN config and AP config. In your post back then (citation below) you recommended a setting that has capsman and ap mode settings set, so how isn’t this “mixing”? I’m clueless how you want me to “separate”, sorry… Please share your intentions.

True! Sorry I must’ve misunderstood you back then. I’ll try it soon and keep you updated!

How many APs do you want to use?

Separating the CAPsMAN and the AP is:

  • You need only one device for the CAPsMAN configuration. This device can also serve as a router.
  • The 2 APs are independent devices.

In that case, you need 3 devices. Also, it is better to use the AX devices as APs.