CAPsMAN (L009) for CAP (hAP-AX3) not working

I am having problems getting CAPsMAN to work. I have an L009 router that is my master and acts as the CAPsMAN for a CAP, which is a hAP AX3. I have included the configuration for the L009. The L009 has 4 VLANs and SSIDs broadcasting on channel 11, and the CAPsMAN setup should be used for the hAP AX3, which is connected on ether7. Broadcasting on the L009 is working as designed; however, when connecting the CAP on ether7, the connection does not happen. See the configs for the L009 and hAP AX3 below.

I have CAPsMAN/CAP working on 4 RB2011 devices but cannot get it to work on these new devices.
Help is very much appreciated.

L009-configuration

2026-01-07 15:55:30 by RouterOS 7.20.6
software id = CSCD-0EAB
model = L009UiGS-2HaxD
serial number = removed

# Single VLAN-aware bridge; the ethernet comments record what each port is used for.
/interface bridge
add admin-mac=04:F4:1C:9A:F3:58 auto-mac=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Uplink Telenet Router"
set [ find default-name=ether2 ] comment=MGMT
set [ find default-name=ether3 ] comment="Home Assistant (30)"
set [ find default-name=ether4 ] comment="Schuur (30)"
set [ find default-name=ether5 ] comment="Trunk RB2011"
set [ find default-name=ether6 ] comment="HomeNet (10)"
# NOTE(review): the post says the hAP AX3 is plugged into ether7, yet ether7 is
# labelled "HomeNet (10)" and sfp1 is labelled "Trunk hAP AX3". sfp1 is not a
# bridge port anywhere in this export - confirm which port really carries the CAP.
set [ find default-name=ether7 ] comment="HomeNet (10)"
set [ find default-name=ether8 ] comment="Kantoor (10)"
set [ find default-name=sfp1 ] comment="Trunk hAP AX3"
# One VLAN interface per network. vlan20 is the management VLAN; the router's
# address in it (10.10.20.1) is what caps-man-addresses points at further down.
/interface vlan
add comment=HomeNet interface=bridge name=vlan10 vlan-id=10
add comment=Management interface=bridge name=vlan20 vlan-id=20
add comment=IoT interface=bridge name=vlan30 vlan-id=30
add comment=Guest interface=bridge name=vlan99 vlan-id=99
# Interface lists used by the firewall. Membership is assigned later in the
# export; note that every VLAN interface, including Guest, is also put in LAN.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=MGMT
add name=HOMENET
add name=IOT
add name=GUEST
# One fixed 2.4 GHz channel (2462 MHz, 20 MHz wide) shared by all configurations.
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2462 name=ch2g-11 width=20mhz
# Each datapath bridges its clients into `bridge` tagged with the listed VLAN ID.
/interface wifi datapath
add bridge=bridge comment=Guest disabled=no name=datapath-guest vlan-id=99
add bridge=bridge comment=HomeNet disabled=no name=datapath-hinkley vlan-id=
10
add bridge=bridge comment=Management disabled=no name=datapath-tsjernobyl
vlan-id=20
add bridge=bridge comment=Iot disabled=no name=datapath-harrisburg vlan-id=30
# WPA2/WPA3 personal (mixed mode) for every SSID. No passphrase is visible in
# this export - presumably hidden as a sensitive value; verify each profile has one.
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk comment=Guest disabled=no name=
security-guest
add authentication-types=wpa2-psk,wpa3-psk comment=HomeNet disabled=no name=
security-hinkley
add authentication-types=wpa2-psk,wpa3-psk comment=Management disabled=no
name=security-tsjernobyl
add authentication-types=wpa2-psk,wpa3-psk comment=Iot disabled=no name=
security-harrisburg
# One configuration per SSID, tying together channel, datapath and security.
/interface wifi configuration
add channel=ch2g-11 comment=Guest country=Canada datapath=datapath-guest
disabled=no installation=indoor mode=ap name=cfg-guest security=
security-guest ssid=Guest
add channel=ch2g-11 comment=IoT country=Canada datapath=datapath-harrisburg
disabled=no installation=indoor mode=ap name=cfg-harrisburg security=
security-harrisburg ssid=Harrisburg
add channel=ch2g-11 comment=HomeNet country=Canada datapath=datapath-hinkley
disabled=no mode=ap name=cfg-hinkley security=security-hinkley ssid=
Hinkley
# NOTE(review): this SSID lands clients in VLAN 20, and the input chain gives the
# MGMT list full access to the router. The PSK of this SSID is therefore as
# sensitive as an admin credential; it is also the master-configuration pushed
# to every provisioned CAP. Consider whether management needs to be on Wi-Fi at all.
add channel=ch2g-11 comment=Management country=Canada datapath=
datapath-tsjernobyl disabled=no mode=ap name=cfg-Tsjernobyl security=
security-tsjernobyl ssid=Tsjernobyl
# Local radio: wifi1 is the master interface, wifi2-wifi4 are virtual APs on it.
# These are configured directly here rather than handed to CAPsMAN.
/interface wifi
set [ find default-name=wifi1 ] configuration=cfg-Tsjernobyl
add configuration=cfg-hinkley mac-address=06:F4:1C:9A:F3:60 master-interface=
wifi1 name=wifi2
add configuration=cfg-harrisburg mac-address=06:F4:1C:9A:F3:61
master-interface=wifi1 name=wifi3
add configuration=cfg-guest mac-address=06:F4:1C:9A:F3:62 master-interface=
wifi1 name=wifi4
# Address pools: the factory default range plus one pool per VLAN.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add comment=HomeNet name=pool_homenet ranges=10.10.10.10-10.10.10.50
add comment=Management name=pool_management ranges=10.10.20.10-10.10.20.25
add comment=IoT name=pool_iot ranges=10.10.30.10-10.10.30.254
add comment=Guest name=pool_guest ranges=10.10.99.10-10.10.99.50
/ip dhcp-server
# NOTE(review): the defconf server still hands out 192.168.88.0/24 on the bare
# `bridge` interface, i.e. to untagged traffic that is not mapped to a VLAN.
# `bridge` is a LAN member, so such hosts get the LAN firewall treatment - confirm
# this untagged network is still wanted.
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=pool_homenet comment=HomeNet interface=vlan10 name=
dhcp_homenet
add address-pool=pool_management comment=Management interface=vlan20 name=
dhcp_management
add address-pool=pool_iot comment=IoT interface=vlan30 lease-time=3h name=
dhcp_iot
add address-pool=pool_guest comment=Guest interface=vlan99 lease-time=3h
name=dhcp_guest
/port
set 0 name=serial0
# Built-in CA trust anchors are explicitly not trusted.
/certificate settings
set builtin-trust-anchors=not-trusted
# NOTE(review): going by the option names, storage that gets attached is shared
# automatically (media and SMB) on `bridge`. If no disk sharing is intended,
# switch these off so a plugged-in drive is not exposed to the network - confirm.
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
# Bridge ports. Access ports accept only untagged frames and map them to their
# PVID; ether7 is tagged-only; ether5 and wifi1 keep the default frame handling.
/interface bridge port
add bridge=bridge comment="MGMT (20)" frame-types=
admit-only-untagged-and-priority-tagged interface=ether2 pvid=20
add bridge=bridge comment="Home Assistant (30)" frame-types=
admit-only-untagged-and-priority-tagged interface=ether3 pvid=30
add bridge=bridge comment="Schuur (30)" frame-types=
admit-only-untagged-and-priority-tagged interface=ether4 pvid=30
# NOTE(review): no frame-types/pvid on this trunk, so untagged frames from the
# RB2011 side are presumably accepted into the default PVID - confirm that is intended.
add bridge=bridge comment="Trunk RB2011" interface=ether5
add bridge=bridge comment="HomeNet (10)" frame-types=
admit-only-untagged-and-priority-tagged interface=ether6 pvid=10
# ether7 drops untagged frames, so a CAP on this port must tag everything it
# sends, including its CAPsMAN discovery (the hAP AX3 uses VLAN 20 for that).
add bridge=bridge comment="HomeNet (10)" frame-types=admit-only-vlan-tagged
interface=ether7
add bridge=bridge comment="Kantoor (10)" frame-types=
admit-only-untagged-and-priority-tagged interface=ether8 pvid=10
add bridge=bridge interface=wifi1
# Neighbor discovery runs on the LAN list, which also contains the Guest VLAN.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# VLAN table: all four VLANs are tagged on the CPU port (bridge), both trunks
# (ether5, ether7) and wifi1; access ports are listed untagged per VLAN.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5,ether7,wifi1 untagged=ether6,ether8
vlan-ids=10
add bridge=bridge tagged=bridge,ether5,ether7,wifi1 untagged=ether2 vlan-ids=
20
add bridge=bridge tagged=bridge,ether5,ether7,wifi1 untagged=ether3,ether4
vlan-ids=30
add bridge=bridge tagged=bridge,ether5,ether7,wifi1 vlan-ids=99
# Interface list membership used by the firewall rules.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=vlan10 list=HOMENET
add interface=vlan20 list=MGMT
add interface=vlan30 list=IOT
add interface=vlan99 list=GUEST
# NOTE(review): every VLAN, Guest (vlan99) and IoT (vlan30) included, is also a
# LAN member. Any rule written against in-interface-list=LAN therefore applies
# to guests and IoT devices as well.
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan30 list=LAN
add interface=vlan99 list=LAN
# CAP client of the L009 itself, pointed at its own CAPsMAN address.
# NOTE(review): the local wifi interfaces are configured directly and none is set
# to configuration.manager=capsman in this export, so this looks unused - confirm.
/interface wifi cap
set caps-man-addresses=10.10.20.1 discovery-interfaces=bridge,vlan20 enabled=
yes
# CAPsMAN service, listening on `bridge` only.
# NOTE(review): the CAP reaches this router tagged on VLAN 20 (ether7 is
# tagged-only and the hAP AX3 discovers on its VLAN 20 interface). That traffic
# surfaces on vlan20, not on the untagged `bridge` interface, so CAPsMAN likely
# never hears the CAP - try listing vlan20 in interfaces= and confirm.
# NOTE(review): require-peer-certificate=no means CAPs are not authenticated by
# certificate. Combined with the input rule that accepts UDP 5246,5247 from any
# interface, whatever can reach those ports can ask to be provisioned with the
# SSID configuration. Limit reachability to the management VLAN or enable certificates.
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no
upgrade-policy=none
# Single provisioning rule: management SSID as master, the other three as slaves.
# NOTE(review): only 2ghz-ax radios match; a 5 GHz radio on the CAP would match
# no rule and stay unprovisioned.
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=
cfg-Tsjernobyl slave-configurations=cfg-hinkley,cfg-harrisburg,cfg-guest
supported-bands=2ghz-ax
# Router addresses: .1 in every VLAN plus the factory 192.168.88.1 on the
# untagged bridge.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=
192.168.88.0
add address=10.10.10.1/24 comment=HomeNet interface=vlan10 network=10.10.10.0
add address=10.10.20.1/24 comment=Management interface=vlan20 network=
10.10.20.0
add address=10.10.30.1/24 comment=IoT interface=vlan30 network=10.10.30.0
add address=10.10.99.1/24 comment=Guest interface=vlan99 network=10.10.99.0
# WAN address comes from the upstream router; DNS servers offered by it are ignored.
/ip dhcp-client
add comment=defconf default-route-tables=main interface=ether1 use-peer-dns=
no
# Static leases for IoT devices.
# NOTE(review): this is a device inventory (MAC addresses, device names and
# roles). It is not needed to debug CAPsMAN and is worth trimming from public posts.
/ip dhcp-server lease
add address=10.10.30.19 comment=Ring-Frontdoor mac-address=4C:24:98:A7:0B:36
server=dhcp_iot
add address=10.10.30.18 client-id=1:3c:39:e7:2d:4e:fa comment=HW-Watermeter
mac-address=3C:39:E7:2D:4E:FA server=dhcp_iot
add address=10.10.30.12 client-id=1:0:5f:67:7a:cb:ed comment=TL-WPA8635P
mac-address=00:5F:67:7A:CB:ED server=dhcp_iot
add address=10.10.30.11 client-id=1:5c:2f:af:37:9d:72 comment=HW-Batt-1
mac-address=5C:2F:AF:37:9D:72 server=dhcp_iot
add address=10.10.30.10 client-id=1:5c:2f:af:37:d:4 comment=HW-Batt-2
mac-address=5C:2F:AF:37:0D:04 server=dhcp_iot
add address=10.10.30.20 client-id=1:3c:39:e7:28:12:7a comment=HW-Koelkast
mac-address=3C:39:E7:28:12:7A server=dhcp_iot
add address=10.10.30.21 client-id=1:3c:39:e7:22:de:62 comment=
"HW-kWh 3 Phase" mac-address=3C:39:E7:22:DE:62 server=dhcp_iot
add address=10.10.30.22 client-id=1:3c:39:e7:24:26:b2 comment=HW-P1
mac-address=3C:39:E7:24:26:B2 server=dhcp_iot
add address=10.10.30.23 client-id=1:3c:39:e7:29:44:d8 comment=HW-Vaatwasser
mac-address=3C:39:E7:29:44:D8 server=dhcp_iot
add address=10.10.30.24 comment=Ring-Chime mac-address=54:E0:19:6E:B0:73
server=dhcp_iot
add address=10.10.30.25 client-id=1:3c:39:e7:28:14:3a comment=HW-Vriezer
mac-address=3C:39:E7:28:14:3A server=dhcp_iot
add address=10.10.30.27 comment=Netatmo mac-address=70:EE:50:68:CB:B4 server=
dhcp_iot
add address=10.10.30.30 client-id=1:5c:2f:af:1f:66:b2 comment="HW-Airco Voor"
mac-address=5C:2F:AF:1F:66:B2 server=dhcp_iot
add address=10.10.30.31 client-id=1:5c:2f:af:1f:2a:ea comment=HW-Wasdroger
mac-address=5C:2F:AF:1F:2A:EA server=dhcp_iot
add address=10.10.30.34 client-id=1:5c:2f:af:36:ac:8e comment=
"HW-Airco Achter" mac-address=5C:2F:AF:36:AC:8E server=dhcp_iot
add address=10.10.30.35 client-id=1:3c:39:e7:28:1e:1a comment=
HW-Verwarmingsketel mac-address=3C:39:E7:28:1E:1A server=dhcp_iot
add address=10.10.30.32 client-id=1:5c:2f:af:37:e8:c comment=HW-Wasmachine
mac-address=5C:2F:AF:37:E8:0C server=dhcp_iot
add address=10.10.30.38 client-id=1:3c:39:e7:25:55:f0 comment=
"HW-kWh Solar 2" mac-address=3C:39:E7:25:55:F0 server=dhcp_iot
add address=10.10.30.40 client-id=1:3c:39:e7:28:20:8e comment=
"HW-Kerstverlichting Schuur" mac-address=3C:39:E7:28:20:8E server=
dhcp_iot
add address=10.10.30.41 client-id=1:3c:39:e7:23:cb:3a comment=
"HW-kWh Solar 1" mac-address=3C:39:E7:23:CB:3A server=dhcp_iot
add address=10.10.30.42 client-id=1:3c:39:e7:28:12:a8 comment=
"HW-Zwembad Pomp" mac-address=3C:39:E7:28:12:A8 server=dhcp_iot
add address=10.10.30.43 client-id=1:3c:39:e7:28:0:3a comment=HW-Kantoor
mac-address=3C:39:E7:28:00:3A server=dhcp_iot
add address=10.10.30.53 client-id=1:5c:2f:af:17:6f:ee comment=
"HW-Kerstverlichting Huis" mac-address=5C:2F:AF:17:6F:EE server=dhcp_iot
add address=10.10.30.14 client-id=1:3c:39:e7:29:43:d0 comment=HW-Afzuiging
mac-address=3C:39:E7:29:43:D0 server=dhcp_iot
add address=10.10.30.17 comment=Lilygo-Batt-2 mac-address=2C:BC:BB:A9:06:B0
server=dhcp_iot
add address=10.10.30.26 comment=Lilygo-Batt-1 mac-address=2C:BC:BB:A8:56:70
server=dhcp_iot
add address=10.10.30.45 comment="Hue Bridge" mac-address=4C:24:98:8B:B1:BD
server=dhcp_iot
# Per-network DHCP options. Every VLAN is told to use 10.10.30.150 (a host in
# the IoT VLAN) as first DNS server, with the router as second.
# NOTE(review): that host is also the target of the WAN port forward, so all
# VLANs, Management included, depend on an internet-facing machine for name
# resolution - confirm this is an accepted trade-off.
/ip dhcp-server network
add address=10.10.10.0/24 comment=HomeNet dns-server=10.10.30.150,10.10.10.1
gateway=10.10.10.1
add address=10.10.20.0/24 comment=Management dns-server=
10.10.30.150,10.10.20.1 gateway=10.10.20.1
add address=10.10.30.0/24 comment=IoT dns-server=10.10.30.150,10.10.30.1
gateway=10.10.30.1
add address=10.10.99.0/24 comment=Guest dns-server=10.10.30.150,10.10.99.1
gateway=10.10.99.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=
192.168.88.1
# The router answers DNS for clients (allow-remote-requests=yes); the input
# chain below only admits port 53 from the LAN list.
/ip dns
set allow-remote-requests=yes cache-size=4096KiB mdns-repeat-ifaces=bridge
servers=10.10.30.150,86.54.11.13,86.54.11.213
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
# Management-VLAN addresses that Home Assistant (10.10.30.150) may reach.
/ip firewall address-list
add address=10.10.20.1 list=HA_Allowed_Targets
add address=10.10.20.2 list=HA_Allowed_Targets
add address=10.10.20.3 list=HA_Allowed_Targets
add address=10.10.20.4 list=HA_Allowed_Targets
add address=10.10.20.5 list=HA_Allowed_Targets
# Filter rules are evaluated top to bottom; input and forward each end in an
# explicit drop.
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack
connection-state=established,related hw-offload=yes
add action=accept chain=input comment="Accept Established/Related"
connection-state=established,related,untracked
add action=accept chain=forward comment="Accept Established/Related"
connection-state=established,related,untracked
# NOTE(review): matches every protocol and port, and LAN contains the Guest and
# IoT VLANs, so guests reach 10.10.30.150 without restriction. If only DNS is
# meant, narrow this to port 53.
add action=accept chain=forward comment="LAN -> HomeAssistant/DNS"
dst-address=10.10.30.150 in-interface-list=LAN
add action=accept chain=forward comment="Allow NPM HTTPS"
connection-nat-state=dstnat connection-state=new dst-port=443
in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Full Access from MGMT"
in-interface-list=MGMT
add action=accept chain=input comment="CAPsMAN Loopback" dst-address=
127.0.0.1
add action=accept chain=input comment="Allow HA to Router" dst-address=
10.10.20.1 src-address=10.10.30.150
add action=accept chain=forward comment="Allow VLANs to WAN"
in-interface-list=LAN out-interface-list=WAN
# NOTE(review): no in-interface or in-interface-list, so UDP 5246,5247 is also
# accepted when it arrives on ether1 (WAN) or from the Guest VLAN. MGMT already
# has full access through the rule above; scoping this rule to
# in-interface-list=MGMT would keep the CAPsMAN ports off the other networks.
add action=accept chain=input comment="Allow CAPsMAN" dst-port=5246,5247
protocol=udp
# NOTE(review): accepts every dst-nat'ed connection, which makes the narrower
# "Allow NPM HTTPS" rule above redundant.
add action=accept chain=forward comment="Allow Port Forwards"
connection-nat-state=dstnat
# NOTE(review): same match as "Allow VLANs to WAN" above, so this rule never
# sees a packet.
add action=accept chain=forward comment="LAN -> WAN" in-interface-list=LAN
out-interface-list=WAN
add action=accept chain=forward comment="Home Assistant -> Tsjernobyl + CAPs"
dst-address-list=HA_Allowed_Targets src-address=10.10.30.150
add action=accept chain=forward comment="HOMENET -> MGMT" in-interface-list=
HOMENET out-interface-list=MGMT
add action=accept chain=input comment="Allow DNS (UDP) from LAN" dst-port=53
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS (TCP) from LAN" dst-port=53
in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow ICMP from LAN"
in-interface-list=LAN protocol=icmp
# NOTE(review): the invalid-state drops come after the accept rules, so an
# invalid packet that matches an earlier accept (for example LAN to WAN) is let
# through first. They are normally placed right after the established/related accepts.
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=input comment="Drop all other access to Router"
add action=drop chain=forward comment="Drop all Inter-VLAN traffic"
dst-address=10.10.0.0/16 src-address=10.10.0.0/16
add action=drop chain=forward comment="Final Catch-All Drop"
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade WAN"
out-interface-list=WAN
# WAN ports 80 and 443 are both rewritten to 10.10.30.150:443.
# NOTE(review): the published host sits in the IoT VLAN, is the DNS server for
# all VLANs and may reach HA_Allowed_Targets in the management VLAN. Treat it as
# the most exposed machine on the network when deciding what it may talk to.
add action=dst-nat chain=dstnat comment="WAN -> Nginx Proxy" dst-port=80,443
in-interface-list=WAN protocol=tcp to-addresses=10.10.30.150 to-ports=443
add action=masquerade chain=srcnat comment="Hairpin NAT" dst-address=
10.10.30.150 src-address=10.10.0.0/16
# Management services: ftp, telnet and api-ssl are off; ssh, www and winbox
# are limited to the Management and HomeNet subnets.
# NOTE(review): the plain `api` service does not appear here, so it is presumably
# still at its default - check it and disable it if unused.
# NOTE(review): `www` is the unencrypted web interface. Also, the input chain
# only admits the MGMT list, so the 10.10.10.0/24 entries are currently not
# reachable anyway; keeping both layers in agreement avoids surprises later.
/ip service
set ftp disabled=yes
set ssh address=10.10.20.0/24,10.10.10.0/24
set telnet disabled=yes
set www address=10.10.20.0/24,10.10.10.0/24
set winbox address=10.10.20.0/24,10.10.10.0/24
set api-ssl disabled=yes
# IPv6 address list of source/destination ranges that the forward chain drops.
# All entries carry the "defconf" marker.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# IPv6 filter, all "defconf" rules. Both chains end by dropping whatever does
# not come from the LAN list.
# NOTE(review): LAN here contains every VLAN including Guest, so unlike the
# IPv4 rules there is no inter-VLAN separation for IPv6. No IPv6 addressing is
# visible in this export; revisit these rules before enabling IPv6.
/ipv6 firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute"
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1"
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
# System identity, clock and tool settings.
/system clock
set time-zone-name=Europe/Brussels
/system identity
set name=Tsjernobyl-Master
/system routerboard settings
set enter-setup-on=delete-key
/tool graphing interface
add
# Layer-2 management (MAC telnet and MAC WinBox) is limited to the MGMT list.
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
# NOTE(review): RoMON is enabled and no per-port RoMON settings or secret are
# visible in this export. RoMON works at layer 2 and is not covered by the IP
# firewall, so presumably it is active on every port including the uplink -
# restrict it to the management ports, set a secret, or disable it if unused.
/tool romon
set enabled=yes
/tool traffic-monitor
add disabled=yes interface=bridge name=traf1

hAP AX3 Configuration

# CAP-side setup as posted: one VLAN-aware bridge, one uplink, and VLAN 20 for
# talking to CAPsMAN.
1. Create the bridge
/interface bridge
add name=bridgeLocal vlan-filtering=yes

2. Add ether1 (uplink) to bridge
# NOTE(review): no frame-types is set, so ether1 presumably keeps the default and
# still accepts untagged frames; a later reply in the thread restricts it to
# admit-only-vlan-tagged.
/interface bridge port
add bridge=bridgeLocal interface=ether1

3. Configure the Bridge VLAN to allow Management traffic (VLAN 20)
# NOTE(review): only VLAN 20 is defined. The CAPsMAN datapaths tag clients into
# VLANs 10, 30 and 99, which have no entry on this bridge.
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=20

4. Set up the VLAN interface for CAPsMAN communication
# No IP address or DHCP client on vlan-mgmt is shown in this snippet.
/interface vlan
add interface=bridgeLocal name=vlan-mgmt vlan-id=20

5. Enable CAP mode
# NOTE(review): slaves-datapath is given the bridge name, but the documentation
# example quoted later in the thread passes a wifi datapath (capdp) and none is
# defined here. Nothing in this snippet sets configuration.manager=capsman on
# the wifi interfaces either.
/interface wifi cap
set enabled=yes discovery-interfaces=vlan-mgmt slaves-datapath=bridgeLocal

You need to create a datapath that uses the bridge on the CAP, and set the wifi interfaces to be managed by CAPsMAN.

Here is the default config from the docs:

# Documentation default for a CAP, as quoted by the poster: a plain bridge
# (no VLAN filtering), a datapath on that bridge, both radios handed to CAPsMAN.
/interface bridge
add name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
# configuration.manager=capsman is what puts each radio under CAPsMAN control.
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
# NOTE(review): all five ethernet ports join the same untagged bridge as the
# wifi datapath. On a VLAN-segmented network like the one in this thread, adapt
# this before use so that spare ports do not land in the management network.
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
# Discovery runs on the bridge; slaves-datapath names the datapath, not the bridge.
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add interface=bridgeLocal disabled=no

Your Capsman is missing the Provisioning rules and it is better that the local wifi interfaces are managed by capsman so that roaming is working.

Here are some general tips for the Wifi Capsman:

  • Enable Multicast Enhance

  • Enable Station Roaming

  • Enable RRM and WNM

  • Create a neighbor group for roaming (ft and Station Roaming has to be active for it to work)

  • Enable FT and FT over DS

  • You can define multiple channels in the Channel Config tab; the APs will then choose the best channel for themselves. Additionally, it is recommended to add a reselect time (range) so the APs can automatically switch channels to avoid Wi-Fi issues. However, this depends on the environment. You can't set it for each AP separately.

  • Do not use DFS channels; in MikroTik you can skip them by setting Skip DFS Channels to all

For more information please look at the official Mikrotik docs.

I am going to add myself in on this thread, with a quite similar problem

  • Everything running RouterOS 7.19.6
  • Same CAPsMAN, L009, with wifi-qcom driver
  • Successfully running cAP ac as Access Point with wifi-qcom-ac driver
  • wAP ax, however, with wifi-qcom driver reports wifi interfaces managed by CAPsMAN and doing traffic processing, whereas the L009 reports SSID not set

I have tried a lot on this, but will cut the story down to this. After much fiddling I reset the wAP ax [System -> Reset Configuration] opting to put the unit into CAP mode. Checked and found that all of the default config given by @SpeedHeed is in place automatically. So I would say nothing left to do on the Access Point [unless there is some setting which often gets set, but is forgotten and not in the documentation]. I only changed the CAP config to give the explicit CAPsMAN address, but it was using the Discovery Interface to the same extent ie the CAPsMAN reporting SSID not set

Turning now to the CAPsMAN, I have duplicated a Security Config, a Config and a provisioning rule, sufficient I would hope to just bring up a Master wireless interface on 2 and 5GHz. Similar results. Meanwhile the existing config for the cAP ac is concurrently working fine.

I don't know if I understand your point exactly. Are you saying that by using the CAP configuration reset it worked for your setup? I did make same changes according to the official documentation and will check tomorrow if that makes a difference. Personally I think that the issue is with the hAP AX3. Do you know how I can start it as a standard CAP device?

Sorry, just to clarify. Similar results is getting SSID not set on the wAP ax while the cAP ac is concurrently working fine. All I was pointing out there is that a reset into CAPs mode puts in place all of the configuration on the CAP.

Can you share the config of the CAPsMAN, @DuctView? SSID not set is an indication of misconfiguration.

@SpeedHeed, station-roaming is an option for roaming if mode is set to (any) station. For mode=ap this setting is ignored.

@erlinden is there any obvious issue in my configuration?

For the CAPS:

I prefer to set bridge and ether1 (on /interface bridge port) to frame-types=admit-only-vlan-tagged:

# Suggested CAP bridge: the bridge itself and the uplink accept tagged frames only.
# NOTE(review): with both set to admit-only-vlan-tagged the CAP is reachable only
# through a VLAN interface (VLAN 20 in this thread). Make sure that path works
# before applying, or keep another way in, to avoid locking yourself out.
# NOTE(review): protocol-mode=none turns off spanning tree on this bridge -
# confirm there is no possible loop behind the CAP.
/interface bridge
add admin-mac=REDACTED auto-mac=no frame-types=admit-only-vlan-tagged name=bridgeLocal protocol-mode=none vlan-filtering=yes

/interface bridge port
add bridge=bridgeLocal comment=defconf frame-types=admit-only-vlan-tagged interface=ether1

Make sure all VLAN's are created on the bridge:

# VLAN table for the CAP: client VLANs 10, 30 and 99 are tagged on the uplink
# only; VLAN 20 is additionally tagged on the bridge itself so the CAP's own
# VLAN interface can use it for management and CAPsMAN.
# The wifi interfaces are not listed; presumably they are added by the datapath
# VLAN setting when CAPsMAN provisions them - verify after provisioning.
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1 vlan-ids=10
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=20
add bridge=bridgeLocal tagged=ether1 vlan-ids=30
add bridge=bridgeLocal tagged=ether1 vlan-ids=99

Will look at the CAPsMAN as well...

Thanks, I would appreciate another pair of eyes on this. I agree, having got to the stage of finding the required code on the CAP after a reset, it now looks like a misconfiguration on the CAPsMAN

  • 10.40.40.1 is the CAPsMAN. L009. 7.19.6 with wifi-qcom
  • 10.40.40.5 is a CAP. cAP AC 7.19.6 with wifi-qcom-ac. This works.
  • 10.40.40.8 is a CAP wAP ax 7.19.6 with wifi-qcom. This one gives SSID not set on the CAPsMAN

Note there is a certain amount of rubbish in this config for a hotspot I tried, which should not be active, but I left it there in case I wanted to come back to it.

# 2026-01-08 22:36:07 by RouterOS 7.19.6
# software id = MZ8L-V0BM
#
# model = L009UiGS
# serial number = 
# Main VLAN-aware bridge plus a disabled test bridge.
/interface bridge
add admin-mac=04:F4:1C:65:9E:17 auto-mac=no comment=defconf name=Local.Bridge \
    vlan-filtering=yes
add disabled=yes name=TestBridge pvid=50 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether8 ] poe-out=off
# NOTE(review): two static CAP interfaces bound by radio-mac that carry only
# configuration.mode=ap - no ssid, security or datapath. If these MACs are the
# wAP ax radios (presumably; confirm), that matches the "SSID not set" state
# described in the thread, and the static entries presumably take the place of
# anything the create-dynamic-enabled provisioning rules would build.
/interface wifi
add configuration.mode=ap disabled=no name=cap-wifi1 radio-mac=\
    04:F4:1C:B3:DF:18
add configuration.mode=ap disabled=no name=cap-wifi2 radio-mac=\
    04:F4:1C:B3:DF:19
# NOTE(review): user= is the ISP login name and identifies the account; redact
# it in public posts. No password appears in this export.
/interface pppoe-client
add add-default-route=yes allow=pap,chap dial-on-demand=yes disabled=no \
    interface=ether1 name=WAN.pppoe use-peer-dns=yes user=\
    abb-difrenchal@aquiss.com
/interface vlan
add interface=Local.Bridge name=GN.vlan vlan-id=30
add interface=Local.Bridge name=Home.vlan vlan-id=4
add interface=Local.Bridge name=vlan50 vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Datapaths. Only GN.datapath (VLAN 30, client isolation) and House.datapath
# (VLAN 4) carry a VLAN ID; the others bridge clients untagged.
/interface wifi datapath
add bridge=Local.Bridge disabled=yes name=~House.datapath
add disabled=yes interface-list=LAN name=~Guest.datapath
add bridge=Local.Bridge client-isolation=yes disabled=no name=GN.datapath \
    vlan-id=30
add bridge=Local.Bridge disabled=no name=House.old.datapath \
    traffic-processing=on-cap
add bridge=Local.Bridge disabled=no name=DP_AC.datapath
add bridge=Local.Bridge disabled=no name=VOWL.datapath
add bridge=Local.Bridge disabled=no name=House.datapath vlan-id=4
# WPA2/WPA3 personal with fast transition on both profiles.
# NOTE(review): wps=disable is set on House.Security only; Guest.Security leaves
# WPS at its default - confirm that is intended.
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes name=Guest.Security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes name=House.Security \
    wps=disable
# NOTE(review): GN.Old.Config and GN.AC.Config are guest SSIDs without a
# datapath, so nothing visible here places their clients in the guest VLAN or
# isolates them - verify where those clients end up bridged.
/interface wifi configuration
add channel.skip-dfs-channels=10min-cac disabled=no mode=ap name=\
    GN.Old.Config security=Guest.Security ssid=VelingradGN
add channel.skip-dfs-channels=10min-cac country="United Kingdom" datapath=\
    House.old.datapath disabled=no mode=ap name=House.Old.Config security=\
    House.Security ssid=Velingrad
add datapath=DP_AC.datapath disabled=no name=House.AC.config security=\
    House.Security ssid=Velingrad
add disabled=no name=GN.AC.Config security=Guest.Security ssid=VelingradGN
# House.Config and GN.Config are the new configurations intended for the wAP ax.
add datapath=House.datapath disabled=no mode=ap name=House.Config security=\
    House.Security ssid=newVelingrad
add country="United Kingdom" datapath=GN.datapath disabled=no mode=ap name=\
    GN.Config security=Guest.Security ssid=NewVelingradGN
# Interfaces already provisioned for the CAP at 10.40.40.12 (master radios and
# their guest slaves); the status comments below were emitted by the export.
/interface wifi
# operated by CAP 10.40.40.12, traffic processing on CAP
add configuration=House.Old.Config disabled=no name=Topolovgrad radio-mac=\
    48:A9:8A:2B:C2:31
# operated by CAP 10.40.40.12, traffic processing on CAP
add configuration=House.Old.Config disabled=no name=Topolovgrad2 radio-mac=\
    48:A9:8A:2B:C2:30
# operated by CAP 10.40.40.12, traffic processing on CAP
add configuration=GN.Old.Config disabled=no mac-address=4A:A9:8A:2B:C2:31 \
    master-interface=Topolovgrad name=TopolovgradGN
# operated by CAP 10.40.40.12, traffic processing on CAP
add configuration=GN.Old.Config disabled=no mac-address=4A:A9:8A:2B:C2:30 \
    master-interface=Topolovgrad2 name=TopolovgradGN3
/ip hotspot profile
add dns-name=vowl.local hotspot-address=192.168.144.1 login-by=http-chap \
    name=VOWL.Hotspot.Profile
/ip hotspot user profile
add add-mac-cookie=no !mac-cookie-timeout name=Universal.HotspotUser.Profile \
    shared-users=40
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=GN.Pool ranges=192.168.30.40-192.168.30.159
add name=Local.Fixed.Pool ranges=10.40.40.20-10.40.40.79
add name=Home.Pool ranges=172.23.4.80-172.23.4.159
/ip dhcp-server
add address-pool=GN.Pool comment=GN.dhcpServer interface=GN.vlan lease-time=\
    53m20s name=GN.dhcpServer
/ip pool
add name=Local.General.Pool next-pool=Local.Fixed.Pool ranges=\
    10.40.40.80-10.40.40.239
/ip dhcp-server
add address-pool=Local.General.Pool interface=Local.Bridge lease-time=53m20s \
    name=House.dhcpServer
/ipv6 pool
add name=IPv6.Pool prefix=::/64 prefix-length=64
add name=GN.IPv6Pool prefix=fd21:21b1:150d:1::/64 prefix-length=64
/port
set 0 name=serial0
/disk settings
set auto-media-interface=Local.Bridge auto-media-sharing=yes \
    auto-smb-sharing=yes
/interface bridge port
add bridge=Local.Bridge comment=defconf interface=ether2
add bridge=Local.Bridge comment=defconf interface=ether3
add bridge=Local.Bridge comment=defconf interface=ether4 pvid=4
add bridge=Local.Bridge comment=defconf interface=ether5 pvid=4
add bridge=Local.Bridge comment=defconf interface=ether6 pvid=4
add bridge=Local.Bridge comment=defconf interface=ether7
add bridge=Local.Bridge comment=defconf interface=ether8
add bridge=Local.Bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=Local.Bridge comment="Guest Network" tagged=ether7,ether8,ether3 \
    vlan-ids=30
add bridge=Local.Bridge comment="Home Network" tagged=ether7,ether8 untagged=\
    ether4,ether5,ether6 vlan-ids=4
/interface list member
add comment=defconf interface=Local.Bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=WAN.pppoe list=WAN
add interface=Home.vlan list=LAN
# Local CAP client settings; no enabled=yes is shown, so it is presumably off.
/interface wifi cap
set discovery-interfaces=Local.Bridge,LAN
# CAPsMAN service on Local.Bridge.
# NOTE(review): require-peer-certificate=no means CAPs are not authenticated by
# certificate, so any device that can reach CAPsMAN on Local.Bridge can ask to be
# provisioned. Consider certificates or restricting which ports reach it.
/interface wifi capsman
set enabled=yes interfaces=Local.Bridge package-path="" \
    require-peer-certificate=no upgrade-policy=none
# Provisioning rules, matched by the CAP's address.
/interface wifi provisioning
add action=create-dynamic-enabled address-ranges=10.40.40.12- disabled=no \
    master-configuration=House.Old.Config name-format=%I \
    slave-configurations=GN.Old.Config slave-name-format=%IGN \
    supported-bands=2ghz-ax,5ghz-ax
add action=create-dynamic-enabled address-ranges=10.40.40.4-10.40.40.5 \
    disabled=no master-configuration=House.AC.config slave-configurations=\
    GN.AC.Config
# Rule meant for the wAP ax at 10.40.40.8.
# NOTE(review): it names no slave-configurations, and slave-name-format=%GN
# differs from the %IGN used in the first rule - possibly a typo. The static
# cap-wifi1/cap-wifi2 interfaces defined earlier in this export may also keep
# this rule from creating anything for those radios - confirm.
add action=create-dynamic-enabled address-ranges=10.40.40.8- disabled=no \
    master-configuration=House.Config name-format=%I slave-name-format=%GN
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=\
    Local.Bridge network=192.168.88.0
add address=10.40.40.1/24 comment=Cutthroat! interface=Local.Bridge network=\
    10.40.40.0
add address=192.168.30.1/24 interface=GN.vlan network=192.168.30.0
add address=10.40.44.1/24 comment="Get out of Jail last resort" interface=\
    Local.Bridge network=10.40.44.0
add address=192.168.31.1/24 interface=*E0 network=192.168.31.0
add address=172.23.4.1/24 interface=Home.vlan network=172.23.4.0
add address=10.40.50.1/24 interface=vlan50 network=10.40.50.0
/ip dhcp-client
add comment=defconf default-route-tables=main disabled=yes interface=ether1
# Static DHCP leases: each entry pins an address to a MAC on House.dhcpServer
# or GN.dhcpServer; entries with disabled=yes are kept but inactive.
# NOTE(review): a static lease is addressing, not authentication - the client
# chooses the MAC it presents, so firewall rules should not treat these
# addresses as proof of which device is talking.
# Smolevo (90:E8:68:96:AD:21) and Septemvri (58:02:05:20:A9:3D) hold leases on
# both servers, so the same hosts can appear on the House and the GN network.
/ip dhcp-server lease
add address=10.40.40.80 client-id=1:4:92:26:d8:f6:30 comment=Pirin \
    mac-address=04:92:26:D8:F6:30 server=House.dhcpServer
add address=10.40.40.42 client-id=1:ec:74:d7:1f:1f:5 comment=\
    "VOIP - nantucket" mac-address=EC:74:D7:1F:1F:05 server=House.dhcpServer
add address=10.40.40.100 client-id=1:fc:b9:df:e2:b7:5d comment=Belitsa \
    mac-address=FC:B9:DF:E2:B7:5D server=House.dhcpServer
add address=10.40.40.81 client-id=1:4:92:26:d8:f3:26 comment=Rila \
    mac-address=04:92:26:D8:F3:26 server=House.dhcpServer
add address=10.40.40.7 client-id=1:dc:2c:6e:7b:28:5e comment=OldVelingrad \
    disabled=yes mac-address=DC:2C:6E:7B:28:5E server=House.dhcpServer
add address=10.40.40.5 client-id=1:74:4d:28:b5:4:20 comment=Svilengrad \
    disabled=yes mac-address=74:4D:28:B5:04:20 server=House.dhcpServer
add address=10.40.40.2 client-id=1:74:4d:28:52:5d:93 comment=Asenovgrad \
    disabled=yes mac-address=74:4D:28:52:5D:93 server=House.dhcpServer \
    use-src-mac=yes
add address=10.40.40.4 comment=Topolovgrad disabled=yes mac-address=\
    48:A9:8A:2B:C2:2F server=House.dhcpServer
add address=10.40.40.40 comment="VoIP - Peking" mac-address=DC:A6:32:41:92:79 \
    server=House.dhcpServer
add address=10.40.40.41 comment="VoIP -Dandong" mac-address=C0:74:AD:40:C6:3F \
    server=House.dhcpServer
add address=10.40.40.82 comment=Smolevo mac-address=90:E8:68:96:AD:21 server=\
    House.dhcpServer
add address=10.40.40.83 comment=Septemvri mac-address=58:02:05:20:A9:3D \
    server=House.dhcpServer
add address=10.40.40.101 comment=Melnik mac-address=FC:B9:DF:DA:8D:84 server=\
    House.dhcpServer
add address=10.40.40.102 comment=Tsepina mac-address=08:CC:27:51:99:6E \
    server=House.dhcpServer
add address=10.40.40.103 comment=Zornitsa mac-address=04:D3:95:10:11:D9 \
    server=House.dhcpServer
add address=10.40.40.200 comment="USB Adaptor [0]" mac-address=\
    30:68:93:65:6C:A3 server=House.dhcpServer
add address=192.168.30.82 comment=Smolevo-win mac-address=90:E8:68:96:AD:21 \
    server=GN.dhcpServer
add address=192.168.30.83 comment=Septemvri-win mac-address=58:02:05:20:A9:3D \
    server=GN.dhcpServer
add address=192.168.30.97 comment=Satnav mac-address=E4:04:39:FE:C7:3C \
    server=GN.dhcpServer
# Per-subnet DHCP options (gateway, DNS, NTP) handed to clients.
/ip dhcp-server network
# NOTE(review): this entry carries a gateway but no address=, so it is not tied
# to any subnet in this export - looks like a leftover; confirm and remove.
add gateway=10.40.40.1
add address=10.40.40.0/24 gateway=10.40.40.1 netmask=24 ntp-server=10.40.40.1
add address=10.40.44.0/24 gateway=10.40.44.1 netmask=24 ntp-server=10.40.44.1
# 172.23.4.0/24 clients are pointed at NTP on 10.40.40.1, an address in another
# subnet; whether they can reach it depends on the input chain and on which
# interfaces are in the LAN list - verify.
add address=172.23.4.0/24 gateway=172.23.4.1 netmask=24 ntp-server=10.40.40.1
# The 192.168.30.0/24 and 192.168.31.0/24 networks are given public resolvers
# instead of the router, so those clients do not need the router's DNS service.
add address=192.168.30.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.30.1 \
    netmask=24
add address=192.168.31.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.31.1 \
    netmask=24 ntp-server=192.168.31.1
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts. What keeps it from acting as an open resolver is the input-chain drop
# for traffic not arriving on a LAN-list interface (IPv4 and IPv6); check that
# the LAN list contains only interfaces that should use this resolver.
# mdns-repeat-ifaces repeats mDNS between Local.Bridge and Home.vlan, so
# service announcements cross that boundary by design.
/ip dns
set allow-remote-requests=yes mdns-repeat-ifaces=Local.Bridge,Home.vlan
/ip dns static
add address=10.40.40.1 comment=defconf name=router.lan type=A
# Address lists used by the forward-chain rules. The names are local labels,
# not the RFC 1918 meaning: "PrivateNetworks" here is only 172.16.0.0/12.
# NOTE(review): LocalNetworks (10.0.0.0/8) is not referenced by any filter or
# NAT rule on this page, so the 10.40.x.x networks get no list-based protection
# from the rules that mention GuestNetworks or PrivateNetworks.
/ip firewall address-list
add address=192.168.0.0/16 list=GuestNetworks
add address=172.16.0.0/12 list=PrivateNetworks
add address=10.0.0.0/8 list=LocalNetworks
# IPv4 filter. Rules are evaluated top to bottom within a chain, and a packet
# that matches no rule is accepted, so each chain relies on its closing drop.
# NOTE(review): the forward chain isolates GuestNetworks (192.168.0.0/16) only
# from PrivateNetworks (172.16.0.0/12). No rule in this section stops a
# 192.168.x.x source from opening new connections to 10.0.0.0/8, and the chain
# has no closing drop for LAN-to-LAN traffic. If guests are meant to be kept
# out of 10.40.x.x, a drop with src-address-list=GuestNetworks and
# dst-address-list=LocalNetworks belongs next to "Drop all from GNs for PNs" -
# confirm nothing outside this section (raw rules, routing) already does it.
/ip firewall filter
# Hotspot leftovers: all three rules are disabled=yes and have no effect.
add action=accept chain=forward comment="Hotspot http to own server" \
    disabled=yes dst-address=192.168.144.1 dst-port=443,80 protocol=tcp \
    src-address=192.168.144.0/24
add action=reject chain=forward comment="Hotspot no http" disabled=yes \
    dst-port=80,443 protocol=tcp reject-with=icmp-network-unreachable \
    src-address=192.168.144.0/24
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
# input chain: traffic addressed to the router itself.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Closing drop for input: only interfaces in the LAN list reach router services
# (DNS, NTP, management). LAN membership is defined elsewhere in the file -
# verify that guest and hotspot interfaces are not in it.
add action=drop chain=input comment=\
    "defconf: drop all not coming from LAN [inc PNs]" in-interface-list=!LAN
# forward chain: traffic routed through the router. The two list-based drops
# sit ahead of the fasttrack/established accepts, so they apply to every
# packet of a matching flow.
add action=drop chain=forward comment="Drop all from GNs for PNs" \
    dst-address-list=PrivateNetworks src-address-list=GuestNetworks
# 172.16.0.0/12 sources (this includes 172.23.4.0/24) never reach the WAN.
add action=drop chain=forward comment="Drop all from PN's to WAN" \
    out-interface-list=WAN src-address-list=PrivateNetworks
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Fasttracked packets bypass the remaining filter rules; only
# established/related connections qualify.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Last forward rule: drops only new WAN-originated connections that were not
# dst-nat'ed. Everything else that reaches this point is accepted.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Source NAT. Only the defconf rule is scoped to the WAN interface list.
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): the hotspot masquerade rules below have no out-interface or
# out-interface-list, so they also rewrite the source of traffic routed between
# internal networks. That hides the real client address from internal hosts and
# from their logs; scope them to the WAN list unless this is intended.
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=172.23.4.0/24
# NOTE(review): the next five rules are identical (192.168.144.0/24); only the
# first can ever match. The other four look like residue from repeated hotspot
# setup runs and can be removed after checking their hit counters.
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.144.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.144.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.144.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.144.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.144.0/24
# Hotspot server and its users.
# NOTE(review): address-pool=*6 and interface=*E0 are the placeholders RouterOS
# prints when the referenced item no longer exists, so this server points at a
# deleted pool and a deleted interface. Remove the entry or re-bind it to real
# objects; as exported it cannot be re-imported cleanly.
/ip hotspot
add address-pool=*6 interface=*E0 name=VOWL.Hotspot profile=\
    VOWL.Hotspot.Profile
# NOTE(review): no password= appears for either user. An export may omit
# sensitive fields, so this does not show whether one is set - check on the
# device, and remove the "admin" hotspot user if the hotspot is no longer used.
/ip hotspot user
add name=admin
add comment="Universal User" name=HotspotUser profile=\
    Universal.HotspotUser.Profile
# Management services, each limited to source addresses in 10.40.0.0/16.
# NOTE(review): ftp, telnet and www send credentials in cleartext. If they are
# not needed, turn them off (e.g. `set telnet disabled=yes`) and manage the
# router over ssh or winbox only.
# 10.40.0.0/16 is wider than the 10.40.40.0/24 and 10.40.44.0/24 networks that
# appear elsewhere in this config; narrowing it to the management subnet
# reduces who can reach the login prompts.
# api, api-ssl and www-ssl are not listed here. A compact export omits default
# values, so check with `/ip service print` whether they are enabled and
# whether they carry an address restriction.
/ip service
set ftp address=10.40.0.0/16
set ssh address=10.40.0.0/16
set telnet address=10.40.0.0/16
set www address=10.40.0.0/16
set winbox address=10.40.0.0/16
# IPv6 addressing: a ULA prefix plus an address from General.IPv6.Pool on
# Local.Bridge. The GN.vlan entry is disabled=yes, so as far as this section
# shows the guest VLAN gets no IPv6 address from the router.
/ipv6 address
add address=fd21:21b1:150d:: comment=ULA interface=Local.Bridge
add from-pool=General.IPv6.Pool interface=Local.Bridge
add disabled=yes from-pool=GN.IPv6Pool interface=GN.vlan
# Requests a delegated prefix on WAN.pppoe and stores it in General.IPv6.Pool.
# Hosts numbered from that pool are not behind NAT, so the IPv6 filter rules
# are the only barrier between them and the WAN.
/ipv6 dhcp-client
add default-route-tables=main interface=WAN.pppoe pool-name=General.IPv6.Pool \
    request=prefix
# bad_ipv6: prefixes that should never appear as source or destination of
# forwarded traffic. The forward chain of the IPv6 filter drops packets whose
# source or destination is in this list.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# IPv6 filter. Unlike the IPv4 forward chain on this page, both chains here end
# in a drop for anything not arriving on a LAN-list interface.
/ipv6 firewall filter
# input chain: traffic addressed to the router itself.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
# DHCPv6 replies are accepted only from link-local sources.
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
# NOTE(review): the IKE, AH and ESP accepts below have no interface or source
# restriction, so they also apply to the WAN side. If no IPsec over IPv6
# terminates on this router, disabling them shrinks what the WAN can reach.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Closing drop for input.
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# forward chain: traffic routed through the router.
# Fasttrack is the first forward rule, so established/related flows are
# matched by it before the bad_ipv6 drops further down.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
# The HIP, IKE, AH and ESP accepts let those protocols through to inside hosts
# from any interface, the WAN included.
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Closing drop for forward: new flows are forwarded only when they arrive on a
# LAN-list interface.
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# System identity, time and tool settings.
/system clock
set time-zone-name=Europe/London
/system identity
set name=R1-Velingrad
/system ntp client
set enabled=yes
# The router also serves NTP (manycast enabled). Which clients can reach it is
# decided by the input chains, i.e. by membership of the LAN interface list.
/system ntp server
set enabled=yes manycast=yes
/system ntp client servers
add address=2001:4860:4806:c::
add address=2001:4860:4806:4::
add address=2001:4860:4806:8::
add address=2001:4860:4806::
add address=time.google.com
/system routerboard settings
set enter-setup-on=delete-key
# Graphs are viewable only from 10.40.40.0/24.
/tool graphing interface
add allow-address=10.40.40.0/24
/tool graphing resource
add allow-address=10.40.40.0/24 store-on-disk=no
# MAC-Telnet and MAC-Winbox work at layer 2, so neither the IP firewall nor the
# /ip service address= restriction applies to them; allowed-interface-list is
# the only control. NOTE(review): confirm the LAN list holds management-capable
# interfaces only, not guest or hotspot ones.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN