CapsMan - laptop asking for new password

I have three Mikrotik routers and set up CapsMan (one router and two Caps).

I set up everything and it works fine, however my Ubuntu laptop sometimes gets disconnected, asking for a new password. I click reconnect, and the password is accepted. Sometimes I need to click reconnect several times. So the password is OK, something else is “bothering” my laptop…

NetworkManager logs say:

2025-06-16T10:51:38.809880+02:00 cryptopia NetworkManager[2356]: <info>  [1750063898.8096] device (wlp3s0): Activation: (wifi) disconnected during association, asking for new key

Any idea what could be wrong?

Is this old capsman? Are you sure about the correct passphrase?

Yes, I am sure the password is correct. Because I just click “authenticate” - and do not change password - and after one or two retries, it goes through.

What do you mean by “old Capsman”?

Main router:

       routerboard: yes             
        board-name: hAP ac^2        
             model: RBD52G-5HacD2HnD
          revision: r3                 
     firmware-type: ipq4000L        
  factory-firmware: 6.48.6          
  current-firmware: 6.48.6          
  upgrade-firmware: 7.18.2    
MikroTik RouterOS 7.18.2

Cap1:

       routerboard: yes         
        board-name: hAP lite    
             model: RB941-2nD   
          revision: r2          
     firmware-type: qca9531L    
  factory-firmware: 6.43.16     
  current-firmware: 6.43.16     
  upgrade-firmware: 7.18.2   

Cap2:

       routerboard: yes        
        board-name: hAP lite   
             model: RB941-2nD  
          revision: r3         
     firmware-type: qca9531L   
  factory-firmware: 6.49.17    
  current-firmware: 6.49.17    
  upgrade-firmware: 7.19.1 

I have a problem when I am near Cap2. I am around half a meter away.

Two things:

  • Firmware is way older than the current RouterOS version, please upgrade (/system/routerboard)
  • It is advised to have all CAPs and CAPsMAN running the same RouterOS version. Current stable is 7.19.1

OK, thanks a lot for that.

I just updated all routers to 7.19.1, hope now it will be working OK.

Firmware upgraded as well?

I would not expect a current firmware to fix this particular connection issue. It is probably related to some incompatibility with your client’s wireless card. Either settings related or driver. Maybe just post your capsman config export (without sensitive/serial) and we can spot something unusual.

I have the same line of thought as you but it doesn’t hurt to make sure firmware is at the same level as ROS.

OK, so before setting up CapsMan, I used three routers (each had different SSID and subnet) and there were no issues. Two of them were Mikrotik (one is now main router and the other is now Cap1). Then I bought another Mikrotik and installed CapsMan, in order to have normal “roaming” in my house.

So I guess there should not be incompatibility with my client’s wireless card?

On the other hand, I am now experiencing this problem with Cap2, so theoretically there could be some incompatibility between my wireless card and Cap2 Mikrotik router…?

This is the config from the main router (I hope you meant this):

# 2025-06-17 15:58:54 by RouterOS 7.19.1
# software id = 22DJ-2C12
#
# model = RBD52G-5HacD2HnD
# serial number = xxxxx
/interface bridge
add admin-mac=18:FD:74:3C:BE:34 auto-mac=no comment=defconf name=bridgeLocal \
    port-cost-mode=short
/interface wireless
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(17dBm), SSID: MySSID, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=slovenia disabled=no \
    mode=ap-bridge ssid=MySSID tx-power=19 tx-power-mode=all-rates-fixed \
    wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5560/20-eeCe/ac/DP(24dBm), SSID: MySSID, local forwarding
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=slovenia disabled=no \
    mode=ap-bridge ssid=MySSID tx-power=19 tx-power-mode=all-rates-fixed \
    wireless-protocol=802.11
/interface wireguard
add listen-port=51821 mtu=1420 name=wireguard1
/caps-man configuration
add country=slovenia datapath.bridge=bridgeLocal \
    .client-to-client-forwarding=yes .local-forwarding=yes distance=dynamic \
    mode=ap name=Config security.authentication-types=wpa2-psk .encryption=\
    aes-ccm ssid=MySSID
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.10.100-192.168.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridgeLocal lease-time=10m name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridgeLocal
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config
/interface bridge port
add bridge=bridgeLocal comment=defconf disabled=yes ingress-filtering=no \
    interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeLocal ingress-filtering=no interface=wlan2 \
    internal-path-cost=10 path-cost=10
add bridge=bridgeLocal ingress-filtering=no interface=wlan1 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
add interface=bridgeLocal list=LAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:0B:69:35:9A:8E name=ovpn-server1
/interface wireguard peers
add allowed-address=10.xx.xx.0/24 endpoint-address=xx.xx.xx.xx \
    endpoint-port=51194 interface=wireguard1 name=peer1 persistent-keepalive=\
    5s preshared-key="xxx" \
    public-key="xxx"
/interface wireless cap
# 
set bridge=bridgeLocal caps-man-addresses=127.0.0.1 discovery-interfaces=\
    bridgeLocal enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.10.1/24 interface=bridgeLocal network=192.168.10.0
add address=10.xx.xx.xx interface=wireguard1 network=10.xx.xx.xx
/ip dhcp-client
add comment=defconf interface=bridgeLocal
add interface=ether1
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=192.168.10.0/24 gateway=192.168.10.1 netmask=24
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=CAPsMAN dst-port=5246,5247 protocol=udp \
    src-address=127.0.0.1
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input comment="Access from Wireguard network" \
    in-interface=wireguard1 src-address=10.xx.xx.xx
add action=drop chain=input in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add dst-address=10.xx.xx.0/24 gateway=wireguard1
/ip smb shares
set [ find default=yes ] directory=/flash/pub
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name=RouterOS
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
/system scheduler
add comment="Wait one minute after reboot before connecting to internet." name=\
    WaitWhenPowerOutage on-event=\
    "/ip dhcp-client disable [find];:delay 60;/ip dhcp-client enable [find]" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-mac-address=0C:B8:15:2E:37:50/FF:FF:FF:FF:FF:FF streaming-enabled=\
    yes streaming-server=192.168.10.254

On Cap1 I have:

/interface wireless
# managed by CAPsMAN
# channel: 2447/20-Ce/gn(18dBm), SSID: MySSID, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik

On Cap2 I have:

/interface wireless
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(18dBm), SSID: MySSID, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik

Update, yesterday I had the same issue on Cap1 router (I was near it), so it seems it is not related to specific router but to CapsMan in general.

Also, logs from Mikrotik do not show anything suspicious:

Time: 2025-06-18 09:40:35
Buffer: memory
Topics: dhcp
info
Message: dhcp1 assigned 192.168.xx.xx for xx:xx:xx:xx:xx:xx laptop

This was after I got the request for entering new password and then in the next step I clicked authenticate and got connected successfully.

OK, is it possible that the problem is that TWO of my Caps devices are on the same channel?

This is what Wifi Analyzer shows:

How did it come to that? Isn’t it so that CapsMan automatically selects and manages channels? Why are both devices on the same channel in my case?

Perfectly possible if you leave it to auto. Which is why I NEVER leave it to auto. I want to know where my frequencies are (and yes, I am lucky to have most of my devices in areas which are relatively interference free).

At a certain point (and usually that’s at boot time) radio will scan for an unused frequency. If it finds one, it goes further and uses that one.
But it can happen 2 devices boot at the same time, scan at the same time and then choose the same frequency at the same time.

There should be some new parameters with latest versions which can be used to reselect frequency at a random interval but personally, as already indicated, I have no need for it.
I know where my frequencies are.
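An added example, not code from any poster in this thread: a Python check that reads the "# channel:" status comments from the exports quoted above and reports which radios occupy overlapping spectrum. It assumes the letters after the width (Ce, eeCe) each mark one segment of that width, with C being the control channel at the stated frequency; the function names are hypothetical.

```python
import re
from itertools import combinations

# Constructed sample: the "# channel:" comments quoted in this thread,
# keyed by labels chosen for this example.
SAMPLE = {
    "main/wlan1": "# channel: 2452/20-Ce/gn(17dBm), SSID: MySSID, local forwarding",
    "main/wlan2": "# channel: 5560/20-eeCe/ac/DP(24dBm), SSID: MySSID, local forwarding",
    "cap1/wlan1": "# channel: 2447/20-Ce/gn(18dBm), SSID: MySSID, local forwarding",
    "cap2/wlan1": "# channel: 2452/20-Ce/gn(18dBm), SSID: MySSID, local forwarding",
}

# frequency / width [-layout] /  e.g. 2452/20-Ce/ or 2412/20/
CHANNEL_RE = re.compile(r"channel:\s*(\d+)/(\d+)(?:-([Ce]+))?/")


def occupied_range(comment):
    """Return (low_mhz, high_mhz) covered by the radio, or None if unparsable."""
    m = CHANNEL_RE.search(comment)
    if not m:
        return None
    freq, width = int(m.group(1)), int(m.group(2))
    layout = m.group(3) or "C"          # no suffix: single control channel
    if layout.count("C") != 1:
        return None
    below = layout.index("C")           # extension segments under the control channel
    above = len(layout) - 1 - below     # extension segments over it
    half = width // 2
    return (freq - half - width * below, freq + half + width * above)


def overlapping_radios(comments):
    """List (radio_a, radio_b, shared_mhz) for every pair sharing spectrum."""
    ranges = {name: occupied_range(text) for name, text in comments.items()}
    hits = []
    for a, b in combinations(sorted(ranges), 2):
        ra, rb = ranges[a], ranges[b]
        if ra and rb and ra[0] < rb[1] and rb[0] < ra[1]:
            hits.append((a, b, min(ra[1], rb[1]) - max(ra[0], rb[0])))
    return hits


if __name__ == "__main__":
    for a, b, mhz in overlapping_radios(SAMPLE):
        print(f"{a} and {b} share {mhz} MHz")
```
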

This most likely was not the cause of the issue. If a device asks for a wireless password to be entered again, but you are sure you are using the correct one, one other possible issue is that your encryption settings are not supported by this device. Some older operating systems don’t support some WPA2 encryption types.

I am using Ubuntu 24.04.2 LTS, it would be very weird if encryption would not be supported.

CapsMan (CAPs Configuration > Config) is in AP mode, for authentication mode I have WPA2 PSK, and encryption aes ccm.

Now I solved it (at least partially) by setting Capsman manager - Access List - Signal Range: -70..120.

Also I set Caps Configuration - Config, Disconnect timeout: 5s.

Now it happens much, much less often.

I encountered this problem many years ago. At that time, the wireless encryption was aes/tkip. I set it to aes only to solve this problem.

Hmm, I have this:

And today it is still happening a lot. So it must be some other problem…