CAPsMAN in wifiwave2 doesn't provision correctly.

Screenshot 2023-08-06 at 15.34.55.png
Screenshot 2023-08-06 at 15.35.10.png
When I provision my radio interfaces to be managed by CAPsMAN, the Wi-Fi disappears from discovery, and in Interfaces wifi1 and wifi2 are shown as disabled.
Here is my config:

# 2023-08-06 15:27:04 by RouterOS 7.10.2
# software id = 7SS0-SMSP
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = ************
#
# hAP ax3 used as a bridged switch/AP at 192.168.1.2 behind an upstream router at 192.168.1.1
# (see /ip address and /ip route below). CAPsMAN and the CAP both run on this one device.
# Note: the provisioning rules reference master-configuration=App.72-WiFi-*, while the
# configurations exported here are named WiFi-5Ghz / WiFi-2Ghz -- these names have to match.
/interface bridge
# One bridge carries every ether port and both radios; the admin MAC is pinned (auto-mac=no).
add admin-mac=*********** auto-mac=no comment=defconf name=bridge
/interface list
# WAN is declared but has no members in this export; LAN holds the bridge (see /interface list member).
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 channel
# 2.4 GHz fixed at 20 MHz; 5 GHz may use 20/40/80 MHz and does not skip DFS channels.
add band=2ghz-ax comment="Config for 2GHz channel" disabled=no name=Channel-2GHz width=20mhz
add band=5ghz-ax comment="Configuration for 5Ghz" disabled=no name=Channel-5Ghz skip-dfs-channels=disabled width=20/40/80mhz
/interface wifiwave2 security
# Mixed WPA2-PSK / WPA3-PSK profile; the profile name and passphrase are redacted in this export.
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=******
/interface wifiwave2 configuration
# manager=capsman-or-local: the same configuration can be applied by the local radio or handed out by CAPsMAN.
add channel=Channel-5Ghz comment=WiFi-5Ghz country=Ukraine disabled=no manager=capsman-or-local mode=ap name=WiFi-5Ghz security=****** ssid=*****
add channel=Channel-2GHz comment=WiFi-2Ghz country=Ukraine disabled=no manager=capsman-or-local mode=ap name=WiFi-2Ghz security=****** ssid=*****
/interface wifiwave2
# Both radios carry a local configuration while also being flagged "managed by CAPsMAN".
# managed by CAPsMAN
set [ find default-name=wifi1 ] configuration=WiFi-5Ghz disabled=no
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration=WiFi-2Ghz disabled=no
/ip pool
add name=ax3-address-pool ranges=192.168.1.10-192.168.1.128
/ip dhcp-server
# DHCP is served from this AP on the same segment as the 192.168.1.1 router. If that router
# also runs a DHCP server, two servers answer on one L2 segment -- TODO confirm only one is enabled.
add address-pool=ax3-address-pool interface=bridge lease-time=10h name=dhcp
/interface bridge port
# All five ether ports and both radios are bridged; there is no separate WAN port on this device.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge interface=wifi1
add bridge=bridge interface=wifi2
/ip firewall connection tracking
# Tracking is off: connection-state matchers cannot work, so no stateful IPv4 filtering is
# possible until this is re-enabled. Consistent with the fully disabled IPv6 filter further below.
set enabled=no
/ip neighbor discovery-settings
# Neighbor discovery is answered only on interfaces in the LAN list.
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
/interface wifiwave2 cap
# The CAP points at the CAPsMAN on this same device via loopback, discovers only on the LAN list
# and requests a certificate. lock-to-caps-man=yes presumably pins the CAP to the CAPsMAN it
# first pairs with -- confirm against the RouterOS documentation.
set caps-man-addresses=127.0.0.1 certificate=request discovery-interfaces=LAN enabled=yes lock-to-caps-man=yes
/interface wifiwave2 capsman
# CAPsMAN listens on LAN-list interfaces with auto-generated CA/server certificates and requires
# a client certificate from every CAP (require-peer-certificate=yes). package-path is empty.
set ca-certificate=auto certificate=auto enabled=yes interfaces=LAN package-path="" require-peer-certificate=yes upgrade-policy=suggest-same-version
/interface wifiwave2 provisioning
# Rules match on radio MAC (redacted). The master-configuration names App.72-* do not appear in
# the configuration section above (WiFi-5Ghz / WiFi-2Ghz). Only the 5 GHz rule constrains supported-bands.
add action=create-enabled comment=hap-ax3-WiFi-5Ghz disabled=no master-configuration=App.72-WiFi-5Ghz radio-mac=YY:YY:YY:YY:YY:72 supported-bands=5ghz-ax
add action=create-enabled comment=hap-ax3-WiFi-2Ghz disabled=no master-configuration=App.72-WiFi-2Ghz radio-mac=YY:YY:YY:YY:YY:73
/ip address
add address=192.168.1.2/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-server network
# Clients receive the upstream router as gateway and a mix of public resolvers plus 192.168.1.1
# as DNS; the resolver on this device (192.168.1.2) is not advertised to them.
add address=192.168.1.0/24 comment=defconf dns-server=8.8.8.8,1.1.1.1,9.9.9.9,192.168.1.1 gateway=192.168.1.1 netmask=24
/ip dns
# allow-remote-requests=yes makes this device answer DNS for any host that can reach it. There is
# no IPv4 filter in this export, so exposure depends entirely on the upstream router keeping
# 192.168.1.2 unreachable from the internet.
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,9.9.9.9,192.168.1.1
/ip dns static
# defconf entry: router.lan resolves to the upstream router, not to this device.
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall service-port
# NAT/ALG helpers disabled; not effective while connection tracking is off, but harmless.
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip route
# Default route via the upstream router; this device does no routing for the LAN itself.
add comment="Route to main router" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 pref-src="" routing-table=main suppress-hw-offload=no
/ip service
# Clear-text and API management is disabled. Services not listed here are left as currently
# configured; consider restricting whatever remains with the per-service address= filter.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
# defconf bogon list; only referenced by the (currently disabled) IPv6 filter rules below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Every defconf IPv6 rule carries disabled=yes, so this device performs no IPv6 filtering of its own.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMPv6" disabled=yes protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" disabled=yes port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." disabled=yes dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" disabled=yes dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" disabled=yes protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" disabled=yes protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" disabled=yes src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" disabled=yes dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" disabled=yes hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" disabled=yes protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" disabled=yes protocol=139
add action=accept chain=forward comment="defconf: accept IKE" disabled=yes dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" disabled=yes protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" disabled=yes protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" disabled=yes in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Kyiv
/system identity
set name="********"
/system note
set show-at-login=no
/system routerboard settings
# RouterBOARD firmware is upgraded automatically along with RouterOS.
set auto-upgrade=yes
/system routerboard mode-button
# The physical mode button toggles the LED day/night state via the leds-toggle-mode script below.
set enabled=yes hold-time=0s..20s on-event="/system/script/run leds-toggle-mode;"
/system routerboard reset-button
set hold-time=0s..20s
/system scheduler
# Both jobs only run LED scripts that declare policy=read,write, yet the scheduler grants
# ftp,reboot,policy,test,password,sniff,sensitive,romon on top -- trim to read,write for least privilege.
add interval=1d name=leds-day-mode on-event="/system/script/run leds-day-mode;" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2023-08-02 start-time=07:00:00
add interval=1d name=leds-night-mode on-event="/system/script/run leds-night-mode;" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2023-08-02 start-time=22:00:00
/system script
# LED day/night/toggle scripts, each limited to policy=read,write. dont-require-permissions=no
# presumably means the caller must itself hold the script's policy -- confirm in the docs.
add dont-require-permissions=no name=leds-day-mode owner=silvestr policy=read,write source="/system/leds/settings/set all-leds-off=never;"
add dont-require-permissions=no name=leds-night-mode owner=silvestr policy=read,write source="/system/leds/settings/set all-leds-off=immediate;"
add dont-require-permissions=no name=leds-toggle-mode owner=silvestr policy=read,write source=\
    ":if ([ /system/leds/settings/get all-leds-off ] = \"never\") do={\
    \n  /system/leds/settings/set all-leds-off=immediate;\
    \n} else={\
    \n  /system/leds/settings/set all-leds-off=never;\
    \n}"
/tool bandwidth-server
# Bandwidth test server disabled (good: it is an unauthenticated load generator when left on).
set authenticate=no enabled=no
/tool mac-server
# MAC-telnet and MAC-WinBox access only from LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

You seem to be missing a rule to accept 127.0.0.1 in your firewall for input.

This router works as a switch and doesn't have a firewall at all. As I understand it, do I still need this rule for CAPsMAN?

Then why are there firewall rules in your config?

Edit: I see, only ipv6 rules.

Leave out the IP address for the CAPsMAN.

You mean in IPv4 firewall?

Here

/interface wifiwave2 cap
# Quoted from the export above: the CAP reaches CAPsMAN on this same device via loopback, discovers
# only on the LAN list, requests a certificate and has lock-to-caps-man enabled.
set caps-man-addresses=127.0.0.1 certificate=request discovery-interfaces=LAN enabled=yes lock-to-caps-man=yes

PS: please don't quote the previous post all the time; it is not needed.

Unfortunately, it doesn’t help.

/interface wifiwave2 cap
# caps-man-addresses has been dropped here; the CAP now has to find CAPsMAN purely through
# discovery on the LAN-list interfaces.
set certificate=request discovery-interfaces=LAN enabled=yes lock-to-caps-man=yes

To rule out some issues …
Can you set it like this:

/interface wifiwave2 cap
# Diagnostic only: widens CAP discovery from the LAN list to every interface. Narrow it back to
# discovery-interfaces=LAN once provisioning works so discovery is not offered outside the LAN.
set discovery-interfaces=all enabled=yes

and

/interface wifiwave2 capsman
# Diagnostic form of the CAPsMAN block: only enabled and interfaces are set here, so the
# certificate=auto / ca-certificate=auto / require-peer-certificate=yes values from the export are left untouched.
set enabled=yes interfaces=LAN

Does the log show any messages related to CAP or CAPsMAN?

I changed the discovery interface as you said, but no effect.

[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/capsman print 
                   enabled: yes
                interfaces: LAN
            ca-certificate: auto
               certificate: auto
  require-peer-certificate: yes
              package-path: 
            upgrade-policy: suggest-same-version
[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/cap print     
                      enabled: yes
         discovery-interfaces: all
                  certificate: request
             lock-to-caps-man: yes

Also, here are the logs:
Screenshot 2023-08-06 at 16.56.48.png

Is your device used as a switch/access point?
Then why is there a DHCP server and pool attached to the bridge?

Are you certain those provisioning rules correspond to the radio MAC addresses (this can be checked in WinBox/WebFig via Wireless/Radios)?

Question …
If this is your only access point, why make your life so difficult and use CAPsMAN?
But that doesn't change the fact that it should work … probably something stupid, but I don't see it either.

  1. Yes, as a switch/access point.
  2. I want to offload the main hEX router, which has the firewall and works as the main entry point.
[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/provisioning print 
Columns: RADIO-MAC, ACTION, MASTER-CONFIGURATION
# RADIO-MAC          ACTION          MASTER-CONFIGURATION
;;; hap-ax3-WiFi-5Ghz
0 YY:YY:YY:YY:YY:72  create-enabled  App.72-WiFi-5Ghz    
;;; hap-ax3-WiFi-2Ghz
1 YY:YY:YY:YY:YY:73  create-enabled  App.72-WiFi-2Ghz    
[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/radio print        
Flags: L - LOCAL
Columns: CAP, RADIO-MAC, INTERFACE
#   CAP                            RADIO-MAC          INTERFACE
0 L                                YY:YY:YY:YY:YY:72  wifi1    
1 L                                YY:YY:YY:YY:YY:73  wifi2    
2   MikroTik(hAP ax3)@192.168.1.2  YY:YY:YY:YY:YY:72           
3   MikroTik(hAP ax3)@192.168.1.2  YY:YY:YY:YY:YY:73
  1. I have one main router, a hEX, which works as the entry point, and two APs: a hap hex Lite (still shipping to me) and a hAP ax3. The ax3 is a powerful device, so I want DHCP and CAPsMAN located there.

Can you also show the output of interface/wifiwave2/print?

[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/print 
Flags: M - MASTER; B - BOUND; I, R - RUNNING
Columns: NAME
#     NAME 
;;; managed by CAPsMAN
0 MBI wifi1
;;; managed by CAPsMAN
1 MBI wifi2

Something is invalid; the provisioning is not being done.

[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/configuration print 
Flags: X - disabled 
 0   ;;; WiFi-5Ghz
     name="App.72-WiFi-5Ghz" mode=ap ssid="*******" country=Ukraine manager=capsman-or-local security=******* channel=Channel-5Ghz 

 1   ;;; WiFi-2Ghz
     name="App.72-WiFi-2Ghz" mode=ap ssid="*******" country=Ukraine manager=capsman-or-local security=******* channel=Channel-2GHz 
[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/channel print       
Flags: X - disabled 
 0   ;;; Config for 2GHz channel
     name="Channel-2GHz" band=2ghz-ax width=20mhz 

 1   ;;; Configuration for 5Ghz
     name="Channel-5Ghz" band=5ghz-ax width=20/40/80mhz skip-dfs-channels=disabled 
[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/se            
security     set   
[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/security print 
Flags: X - disabled 
 0   name="*******" authentication-types=wpa2-psk,wpa3-psk passphrase="********************" 
[silvestr@MikroTik(hAP ax3)] > interface/wifiwave2/provisioning print 
Columns: RADIO-MAC, ACTION, MASTER-CONFIGURATION
# RADIO-MAC          ACTION          MASTER-CONFIGURATION
;;; hap-ax3-WiFi-5Ghz
0 YY:YY:YY:YY:YY:72  create-enabled  App.72-WiFi-5Ghz    
;;; hap-ax3-WiFi-2Ghz
1 YY:YY:YY:YY:YY:73  create-enabled  App.72-WiFi-2Ghz

Hi, it has been discussed here multiple times. CAPsMAN in wifiwave2 does not control/provision its own wifi interfaces.
But you can use the same configuration, security, … and set up the WiFi interfaces manually.
It will work correctly as long as all settings are the same as those passed to remote CAPs via provisioning.

Oh, I didn't know that, sorry for the dumb questions. Unfortunately, I couldn't find this info by googling beforehand.

Could you please point out where in the documentation this is described?

It is a good question and, to be honest, I do not know. I learnt it from MikroTik feedback shared by some mates here in the forum.

Yeah, because for me it's not an obvious thing, especially when YouTube videos about the old CAPsMAN say that you need to enable CAP on your device.

Recently I saw a post indicating that it IS possible now.