Capsman losing connection when connected through switch

I have a 5009 as my main router. Connected to it via DAC (or LAN, the problem stays the same) is a 24-port Zyxel GS1900-24 switch where all the other devices are connected. I noticed disconnections of CAPs quite a while ago, so I moved all but one of the LAN cables leading to the CAPs directly to the Mikrotik. I don’t have enough ports on the 5009, so one CAP stayed on the 24-port switch, and this CAP still keeps randomly disconnecting. All the other CAPs are fine now that they are connected directly.

The error looks like this:

disconnected MikroTik@48:8F:5A:AF:4B:A3%*a, connection interrupted
and a few seconds later
MikroTik@48:8F:5A:AF:4B:A3%*a joined

No ether link down, just this.

On the CAP side, it looks like this:

disconnected from MikroTik@48:A9:8A:25:8B:B6%*8, failed to connect
and a few seconds later
selected CAPsMAN MikroTik@48:A9:8A:25:8B:B6%*8

When this starts to appear, it happens sometimes every 2 minutes, sometimes every 10 minutes. Then it just randomly stops and starts to happen again a few hours later.

Any idea what setting on the switch could cause such behaviour? I only have two VLANs configured on it and IGMP snooping is ON (v2). I’m not noticing any other device disconnections; just the CAPs are having problems.
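To put numbers on the flap pattern described in the post above, the manager-side log can be parsed into outages and bursts. This is an added example, not part of the original post; the sample log is constructed, and the `HH:MM:SS topics` prefix in front of each message is an assumed layout for log lines copied from the router.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (not from the thread). The message text follows the two
# manager-side lines quoted in the post; the time/topic prefix is assumed.
SAMPLE_LOG = """\
09:43:10 caps,info disconnected MikroTik@48:8F:5A:AF:4B:A3%*a, connection interrupted
09:43:16 caps,info MikroTik@48:8F:5A:AF:4B:A3%*a joined
09:45:20 caps,info disconnected MikroTik@48:8F:5A:AF:4B:A3%*a, connection interrupted
09:45:27 caps,info MikroTik@48:8F:5A:AF:4B:A3%*a joined
09:55:02 caps,info disconnected MikroTik@48:8F:5A:AF:4B:A3%*a, connection interrupted
09:55:07 caps,info MikroTik@48:8F:5A:AF:4B:A3%*a joined
14:30:00 caps,info disconnected MikroTik@48:8F:5A:AF:4B:A3%*a, connection interrupted
14:30:09 caps,info MikroTik@48:8F:5A:AF:4B:A3%*a joined
14:31:00 system,info unrelated line
"""

MAC = r"[0-9A-Fa-f:]{17}"
DOWN = re.compile(r"^(\d\d:\d\d:\d\d)\s+\S+\s+disconnected\s+(\S+@" + MAC + r")[^\s,]*,\s*(.+)$")
UP = re.compile(r"^(\d\d:\d\d:\d\d)\s+\S+\s+(\S+@" + MAC + r")\S*\s+joined$")


def parse_events(text):
    """Return (timestamp, cap, 'down'|'up', reason) for each CAPsMAN log line."""
    events, day, prev = [], 0, None
    for line in text.splitlines():
        line = line.strip()
        m, kind = DOWN.match(line), "down"
        if not m:
            m, kind = UP.match(line), "up"
        if not m:
            continue
        t = datetime.strptime(m.group(1), "%H:%M:%S")
        if prev is not None and t < prev:
            day += 1  # the log carries no date: a clock going backwards means midnight passed
        prev = t
        reason = m.group(3) if kind == "down" else None
        events.append((t + timedelta(days=day), m.group(2), kind, reason))
    return events


def pair_flaps(events):
    """Pair each disconnect with the next join of the same CAP."""
    pending, flaps = {}, []
    for when, cap, kind, reason in events:
        if kind == "down":
            pending[cap] = (when, reason)
        elif cap in pending:
            down_at, why = pending.pop(cap)
            flaps.append({"cap": cap, "down": down_at, "up": when, "reason": why,
                          "outage_s": int((when - down_at).total_seconds())})
    return flaps


def group_bursts(flaps, quiet=timedelta(minutes=30)):
    """Group a CAP's flaps into bursts separated by at least `quiet` of calm."""
    bursts = []
    for f in sorted(flaps, key=lambda f: (f["cap"], f["down"])):
        cur = bursts[-1] if bursts else None
        if cur and cur["cap"] == f["cap"] and f["down"] - cur["last_down"] <= quiet:
            cur["gaps_s"].append(int((f["down"] - cur["last_down"]).total_seconds()))
            cur["flaps"] += 1
        else:
            cur = {"cap": f["cap"], "start": f["down"], "flaps": 1, "gaps_s": []}
            bursts.append(cur)
        cur["last_down"] = f["down"]
        cur["end"] = f["up"]
    return bursts


if __name__ == "__main__":
    for b in group_bursts(pair_flaps(parse_events(SAMPLE_LOG))):
        print(b["cap"], b["start"].time(), "to", b["end"].time(),
              "flaps:", b["flaps"], "seconds between disconnects:", b["gaps_s"])
```

Near-constant gaps within a burst point at a timer somewhere on the path, while irregular gaps fit loss or load; the burst start and end times are what to compare against other device logs.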

One VLAN? What is the purpose of having a single VLAN?
Can you share the config?

/export file=anynameyoulike

Remove serial and any other private info and post between code tags by using the </> button.

Well, there are actually two. One for IPTV multicast, which was previously in use and currently is not (3999), and one for the IOT VLAN (30) for CAPsMAN. As I said, the problem is not in the Mikrotik, because everything works when the CAPs are directly connected to CAPsMAN with a LAN cable. I’m just looking for suggestions as to what setting on the switch could cause CAP disconnections. Could IGMP snooping cause this?

Last night the CAPs stopped disconnecting at 23:15, when I was already sleeping, and started disconnecting again today at 9:43. There is just no logic in such behaviour.

Does this also happen when you set in the CAP the specific IP address for the CAPsMAN controller?

Could it be roaming related? Do you have RSTP configured?

I will check. For now I tried disabling IGMP snooping on the switch. If the problem continues I will try entering the CAPsMAN address on the CAP.

I only found STP on this switch and its state is disabled.

It worked for 5 hours, then the error repeated, so IGMP snooping probably isn’t the problem. I will now try with the CAPsMAN address entered on the CAP.

OK, this also doesn’t help. The CAP lost connection after 30 minutes. Any other suggestions?

Is there any way to get more detailed explanations of “connection interrupted” in the log?

I’ll retake this request…


Today I also tried connecting the CAPs through one totally dumb switch, removing the Zyxel from the equation, but the problem persisted.

https://files.ekmcdn.com/itinstock/images/netgear-8-port-10-100-mbps-desktop-switch-gs608-v3-networking-equipment-(2)-34756-p.jpg

I managed to clean this a little bit, but it’s still a mess:

# 2024-09-17 00:41:36 by RouterOS 7.15.3
# software id = LSTE-IL0H
#
# model = RB5009UG+S+
# serial number = ******
/caps-man channel
add band=2ghz-onlyn name=channel2
add band=5ghz-onlyac name=channel5
/interface bridge
add admin-mac=4E:5E:0C:65:A1:62 auto-mac=no igmp-snooping=yes name=\
    "IOT bridge" port-cost-mode=short
add igmp-snooping=yes name="Sejanci IPTV" port-cost-mode=short
add igmp-snooping=yes name=Sejanci_Internet port-cost-mode=short
add admin-mac=48:A9:8A:25:8B:B6 auto-mac=no comment=defconf igmp-snooping=yes \
    name=bridge port-cost-mode=short
add igmp-snooping=yes name=dockers port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] mac-address=4C:5E:0C:65:A1:58
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no speed=\
    1G-baseT-full
/interface l2tp-server
add disabled=yes name=Gregor user=
add name=HapAC3_potovalni_IN user=
add disabled=yes name="L2TP_server 1" user=
add name=b535_IN user=
add name=morskitestvpn user=
/interface eoip
add local-address=192.168.32.1 mac-address=02:A5:5B:36:D9:47 mtu=1500 name=\
    Hap_Lite_LTE_EOIP remote-address=192.168.32.2 tunnel-id=500
add local-address=192.168.69.254 mac-address=02:FC:88:6C:74:D3 mtu=1500 name=\
    eoip-tunnel1 remote-address=192.168.69.1 tunnel-id=400
add local-address=192.168.32.1 mac-address=02:A5:5B:36:D9:47 mtu=1500 name=\
    eoip-tunnel3 remote-address=192.168.32.3 tunnel-id=222
/interface veth
add address=172.17.0.2/24 gateway=172.17.0.1 gateway6="" name=veth1
add address=172.17.0.3/24 comment=Iperf gateway=172.17.0.1 gateway6="" name=\
    veth2
add address=172.17.0.4/24 comment="UDPXY port 4000/status" gateway=172.17.0.1 \
    gateway6="" name=veth3
add address=172.17.0.5/24 comment="OpenSpeedTest port 3000" gateway=\
    172.17.0.1 gateway6="" name=veth4
/interface wireguard
add listen-port=51818 mtu=1420 name=RemoteWGTiks
add listen-port=51821 mtu=1420 name=WG
add comment=back-to-home-vpn listen-port=65505 mtu=1420 name=back-to-home-vpn
/interface vlan
add interface=eoip-tunnel1 name=IPTV3999 vlan-id=3999
add interface=ether5 name=Vlan30_eth5 vlan-id=30
add interface=sfp-sfpplus1 name=vlan30_SFP vlan-id=30
add interface=ether4 name=vlan30_eth4 vlan-id=30
add interface=ether6 name=vlan30_eth6 vlan-id=30
add interface=ether7 name=vlan30_eth7 vlan-id=30
add interface=ether3 name=vlan3999_ETH3 vlan-id=3999
/caps-man datapath
add bridge=bridge name=datapath1
add bridge="IOT bridge" name=datapath2
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security1
/caps-man configuration
add channel=channel2 channel.band=2ghz-g/n datapath=datapath1 \
    datapath.client-to-client-forwarding=yes .local-forwarding=no name=cfg1 \
    security=security1 ssid=Kmetija
add datapath=datapath2 datapath.client-to-client-forwarding=yes name=cfg_IOT \
    security=security1 ssid=IOT
/disk
set usb1 media-interface=none media-sharing=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi datapath
add bridge=bridge disabled=no name=Osnovni
add bridge="IOT bridge" client-isolation=no disabled=no name=IOT
/interface wifi security
add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes name=sec1
add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes name=\
    sec_IOT
/interface wifi configuration
add country=Slovenia datapath=Osnovni disabled=no mode=ap name=Kmetija \
    security=sec1 ssid=Kmetija
add country=Slovenia datapath=IOT datapath.bridge="IOT bridge" disabled=no \
    mode=ap name=IOT security=sec_IOT ssid=IOT
/interface wifi
add channel.frequency=2412 configuration=Kmetija configuration.mode=ap \
    disabled=no name="CapAX_Kmetija 2" radio-mac=48:A9:8A:E3:3F:A3
add channel.skip-dfs-channels=disabled configuration=Kmetija \
    configuration.mode=ap disabled=no name="CapAX_Kmetija 5" radio-mac=\
    48:A9:8A:E3:3F:A2
add channel.frequency=2462 configuration=Kmetija configuration.mode=ap \
    disabled=no name="HapAC2_Klet_Kmetija 2" radio-mac=48:8F:5A:C9:71:79
add channel.frequency=5180 configuration=Kmetija configuration.mode=ap \
    .tx-power=22 disabled=no name="HapAC2_Klet_Kmetija 5" radio-mac=\
    48:8F:5A:C9:71:7A
add channel.frequency=2412 configuration=Kmetija configuration.mode=ap \
    disabled=no name="HapAC2_\8Atala_Kmetija 2" radio-mac=08:55:31:2B:63:8B
add configuration=Kmetija configuration.mode=ap disabled=no name=\
    "HapAC2_\8Atala_Kmetija 5" radio-mac=08:55:31:2B:63:8C
add configuration=Kmetija configuration.mode=ap disabled=no name=\
    "HapAC3_Sobica_Kmetija 2" radio-mac=48:8F:5A:AF:4B:A8
add channel.frequency=5260 configuration=Kmetija configuration.mode=ap \
    .tx-power=22 disabled=no name="HapAC3_Sobica_Kmetija 5" radio-mac=\
    48:8F:5A:AF:4B:A9
add channel.frequency=2462 configuration=Kmetija configuration.mode=ap \
    disabled=no name="WapAC_Silosi_Kmetija 2" radio-mac=08:55:31:3D:6E:22
add channel.frequency=5500 .skip-dfs-channels=disabled configuration=Kmetija \
    configuration.mode=ap disabled=no name="WapAC_Silosi_Kmetija 5" \
    radio-mac=08:55:31:3D:6E:23
add channel.frequency=2462 configuration=Kmetija configuration.mode=ap \
    disabled=no name=wifi1 radio-mac=08:55:31:23:0B:11
add channel.frequency=5660 configuration=Kmetija configuration.mode=ap \
    disabled=no name=wifi2 radio-mac=08:55:31:23:0B:12
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
    0A:55:31:23:0B:11 master-interface=wifi1 name=wifi3
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
    0A:55:31:23:0B:12 master-interface=wifi2 name=wifi4
add configuration=Kmetija configuration.mode=ap disabled=no name=wifi5 \
    radio-mac=78:9A:18:8C:2D:83
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
    7A:9A:18:8C:2D:83 master-interface=wifi5 name=wifi6
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
    4A:A9:8A:E3:3F:A3 master-interface="CapAX_Kmetija 2" name="CapAX_IOT 2"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
    4A:A9:8A:E3:3F:A2 master-interface="CapAX_Kmetija 5" name="CapAX_IOT 5"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
    4A:8F:5A:C9:71:79 master-interface="HapAC2_Klet_Kmetija 2" name=\
    "HapAC2_Klet_IOT 2"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
    4A:8F:5A:C9:71:7A master-interface="HapAC2_Klet_Kmetija 5" name=\
    "HapAC2_Klet_IOT 5"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
    0A:55:31:2B:63:8B master-interface="HapAC2_\8Atala_Kmetija 2" name=\
    "HapAC2_\8Atala_IOT 2"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
    0A:55:31:2B:63:8C master-interface="HapAC2_\8Atala_Kmetija 5" name=\
    "HapAC2_\8Atala_IOT 5"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
    4A:8F:5A:AF:4B:A8 master-interface="HapAC3_Sobica_Kmetija 2" name=\
    "HapAC3_Sobica_IOT 2"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
    4A:8F:5A:AF:4B:A9 master-interface="HapAC3_Sobica_Kmetija 5" name=\
    "HapAC3_Sobica_IOT 5"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
    0A:55:31:3D:6E:22 master-interface="WapAC_Silosi_Kmetija 2" name=\
    "WapAC_Silosi_IOT 2"
add configuration=IOT configuration.mode=ap disabled=no mac-address=\
    0A:55:31:3D:6E:23 master-interface="WapAC_Silosi_Kmetija 5" name=\
    "WapAC_Silosi_IOT 5"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.3.110-192.168.3.200
add name=IOT_pool ranges=172.16.1.100-172.16.1.254
add name=vpn ranges=192.168.23.2-192.168.23.250
add name=dhcp_pool4 ranges=192.168.45.2-192.168.45.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=23h59m59s name=defconf
add address-pool=IOT_pool interface="IOT bridge" lease-time=23h59m59s name=\
    IOTdhcp
/ip smb users
add disabled=yes name=d1
add name=user
/ppp profile
add name=Koroska use-compression=no use-encryption=yes use-mpls=no
add name=Sejanci
add name=Tadej
add name=Testni
add name=Janko
add name="VPN Unlimited CZ"
add name="VPN Unlimited  Italy"
add name=morskitestprofile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface l2tp-client
add connect-to=*.sn.mynetname.net name=IJS profile=Testni \
    use-ipsec=yes user=morski2
add connect-to=*.sn.mynetname.net disabled=no name=Janko profile=\
    Janko use-ipsec=yes user=
add connect-to=*.sn.mynetname.net name="Koro\9Aka" profile=Koroska \
    use-ipsec=yes user=
add connect-to=*.sn.mynetname.net disabled=no name=SejanciAC3 \
    profile=Sejanci use-ipsec=yes user=
add connect-to=* disabled=no name=Tadej profile=Tadej use-ipsec=\
    yes user=
add connect-to=cz.vpnunlimitedapp.com disabled=no keepalive-timeout=disabled \
    name="VPN_Unlimited CZ" profile="VPN Unlimited CZ" user=\
add connect-to=it.vpnunlimitedapp.com name="VPN_Unlimited Italy" profile=\
    "VPN Unlimited  Italy" user=\
/routing table
add fib name=t2tv
add fib name=sejanci
add fib name=koroska
add fib name=t2test
add fib name=marko
add fib name=janko
add disabled=no fib name=gregor_net
add disabled=no fib name=test
add disabled=no fib name=VPNUnlimited_CZ
add disabled=no fib name=VPNUnlimited_Italy
add disabled=no fib name=nflix
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=no disabled=no instance=\
    zt1 name=zerotier1 network=*
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1 \
    slave-configurations=cfg_IOT
/container
add interface=veth3 root-dir=disk1/udpxy start-on-boot=yes
add interface=veth2 root-dir=disk1/iperf3 workdir=/
add interface=veth4 root-dir=disk1/openspeedtest start-on-boot=yes
/container config
set registry-url=https://registry-1.docker.io tmpdir=disk1/pull
/ip smb
set enabled=yes interfaces=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=sfp-sfpplus1 internal-path-cost=\
    10 path-cost=10
add bridge="Sejanci IPTV" fast-leave=yes ingress-filtering=no interface=\
    IPTV3999 internal-path-cost=10 path-cost=10
add bridge=Sejanci_Internet fast-leave=yes ingress-filtering=no interface=\
    eoip-tunnel1 internal-path-cost=10 path-cost=10
add bridge=dockers interface=veth1 internal-path-cost=10 path-cost=10
add bridge=dockers interface=veth2 internal-path-cost=10 path-cost=10
add bridge=dockers interface=veth3 internal-path-cost=10 path-cost=10
add bridge=dockers interface=veth4 internal-path-cost=10 path-cost=10
add bridge="Sejanci IPTV" interface=vlan3999_ETH3 internal-path-cost=10 \
    path-cost=10
add bridge="IOT bridge" interface=vlan30_SFP internal-path-cost=10 path-cost=\
    10
add bridge=bridge interface=Hap_Lite_LTE_EOIP
add bridge="IOT bridge" interface=vlan30_eth7
add bridge="IOT bridge" interface=vlan30_eth4
add bridge="IOT bridge" interface=Vlan30_eth5
add bridge="IOT bridge" interface=vlan30_eth6
add bridge=bridge interface=eoip-tunnel3
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface="L2TP_server 1" list=LAN
add interface=HapAC3_potovalni_IN list=LAN
add interface=b535_IN list=LAN
add interface=morskitestvpn list=LAN
add interface="IOT bridge" list=LAN
add interface=RemoteWGTiks list=LAN
add interface=zerotier1 list=LAN
add interface=WG list=LAN
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=Kmetija \
    name-format="" slave-configurations=IOT
/interface wireguard peers
add allowed-address=10.0.0.2/32 comment=Xcover6 interface=WG is-responder=yes \
    name=peer1 preshared-key="*" \
    public-key="*"
/ip address
add address=192.168.3.3/24 comment=defconf interface=bridge network=\
    192.168.3.0
add address=172.16.1.1/24 interface="IOT bridge" network=172.16.1.0
add address=192.168.13.1/24 interface="Sejanci IPTV" network=192.168.13.0
add address=10.0.0.1/24 interface=WG network=10.0.0.0
add address=172.17.0.1/24 interface=dockers network=172.17.0.0
add address=192.168.32.1/24 interface=RemoteWGTiks network=192.168.32.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip cloud back-to-home-users
add allow-lan=yes comment=" samsung SM-S928B" name=RB5009UG+S+ private-key=\
    "*" public-key=\
    "*"
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.3.121 client-id=1:0:e4:0:91:3d:e6 mac-address=\
    00:E4:00:91:3D:E6 server=defconf
add address=192.168.3.130 client-id=1:c:9d:92:83:e0:1d mac-address=\
    0C:9D:92:83:E0:1D server=defconf
add address=192.168.3.8 mac-address=E4:5F:01:5F:71:CC server=defconf
add address=192.168.3.110 client-id=1:fc:d5:d9:9f:6c:f mac-address=\
    FC:D5:D9:9F:6C:0F server=defconf
add address=192.168.3.166 client-id=1:d8:8c:79:34:4:1f comment=\
    "Chromecast CZ" mac-address=D8:8C:79:34:04:1F server=defconf
add address=192.168.3.117 client-id=1:84:d6:c5:28:5d:22 comment=Solaredge \
    mac-address=84:D6:C5:28:5D:22 server=defconf
add address=192.168.3.148 client-id=1:6c:3b:6b:27:e8:c mac-address=\
    6C:3B:6B:27:E8:0C server=defconf
add address=192.168.3.4 mac-address=B8:27:EB:AE:35:60 server=defconf
add address=192.168.3.5 mac-address=B8:27:EB:8A:50:4D server=defconf
add address=192.168.3.152 client-id=1:84:d6:c5:18:5d:22 comment=\
    "Solaredge LAN_modbus" mac-address=84:D6:C5:18:5D:22 server=defconf
add address=172.16.1.102 mac-address=34:00:8A:E4:BE:95 server=IOTdhcp
add address=192.168.3.160 client-id=1:0:24:32:91:7:67 mac-address=\
    00:24:32:91:07:67 server=defconf
add address=192.168.3.131 client-id=1:b0:e4:d5:c4:a6:4c mac-address=\
    B0:E4:D5:C4:A6:4C server=defconf
add address=192.168.3.141 client-id=1:78:9a:18:8c:2d:82 mac-address=\
    78:9A:18:8C:2D:82 server=defconf
add address=192.168.3.127 mac-address=34:EA:34:42:FF:36 server=defconf
add address=192.168.3.129 client-id=1:20:f8:3b:0:9b:eb mac-address=\
    20:F8:3B:00:9B:EB server=defconf
add address=192.168.3.142 client-id=1:30:83:98:16:48:3f mac-address=\
    30:83:98:16:48:3F server=defconf
add address=192.168.3.150 client-id=1:30:83:98:16:40:b0 mac-address=\
    30:83:98:16:40:B0 server=defconf
add address=192.168.3.128 comment="Vremenska postaja" mac-address=\
    34:00:8A:E4:BE:95 server=defconf
/ip dhcp-server network
add address=172.16.1.0/24 comment=IOT dns-server=172.16.1.1 gateway=\
    172.16.1.1
add address=192.168.3.0/24 comment=DHCP dns-server=192.168.3.3 gateway=\
    192.168.3.3
/ip dns
set allow-remote-requests=yes doh-max-concurrent-queries=100 use-doh-server=\
    https://dns.nextdns.io/x verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
add address=192.168.3.3 comment=defconf name=router.lan
add address=159.148.172.226 disabled=yes name=upgrade.mikrotik.com
add address=2a07:a8c0:: name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: name=dns.nextdns.io type=AAAA
add address=45.90.28.0 name=dns.nextdns.io
add address=45.90.30.0 name=dns.nextdns.io
/ip firewall address-list
add address=tv-front.t-2.com list=T2_TV
add address=192.168.3.0/24 list=lan
add address=*.sn.mynetname.net list=WAN_IP
add address=192.168.45.0/24 list=CZ_VPN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=WIREGUARD in-interface=WG protocol=udp
add action=accept chain=input comment=WIREGUARD_WG_TIKS disabled=yes \
    dst-port=51818 protocol=udp
add action=accept chain=input comment="WIREGUARD AX_LTE6" in-interface=\
    RemoteWGTiks protocol=udp
add action=accept chain=input comment="WIREGUARD HAP AC3_AX_lite_LTE6" \
    dst-port=13231 protocol=udp
add action=accept chain=input comment=Winbox dst-port=8291 protocol=tcp
add action=jump chain=forward comment="jump to kid-control rules" \
    jump-target=kid-control
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-mark=!ppp connection-state=established,related hw-offload=yes
add action=accept chain=input comment="BTEST Janko" disabled=yes protocol=tcp
add action=accept chain=input comment="BTEST Janko" disabled=yes protocol=udp
add action=drop chain=input disabled=yes dst-port=53 in-interface=ether1 \
    protocol=tcp
add action=drop chain=input disabled=yes dst-port=53 in-interface=ether1 \
    protocol=udp
add action=accept chain=input comment=WIREGUARD disabled=yes in-interface=*A9 \
    protocol=udp
add action=accept chain=input comment=IGMP protocol=igmp
add action=accept chain=forward disabled=yes protocol=udp
add action=accept chain=input disabled=yes protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="WIREGUARD HAP AC3" disabled=yes \
    dst-port=51821 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=L2TP dst-port=4500,500,1701 protocol=\
    udp
add action=accept chain=input comment=CAPSMAN src-address=192.168.3.3
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="CAPSMAN PORTS" port=5246,5247 \
    protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Accept GRE" protocol=gre
add action=accept chain=forward comment="Zerotier Forward" in-interface=\
    zerotier1
add action=accept chain=input comment="Zerotier Input" in-interface=zerotier1
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=2h46m40s chain=input comment="Port Scanners to list" \
    in-interface-list=WAN log=yes log-prefix=scanner protocol=tcp psd=\
    21,3s,3,1
add action=drop chain=input comment="Drop Port Scanners" in-interface-list=\
    WAN src-address-list="Port Scanners"
add action=drop chain=forward comment="Disable LAN to LAN traffic" disabled=\
    yes dst-address=192.168.0.0/16 src-address=192.168.0.0/16
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Tadej L2TP drop" in-interface=Tadej
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="Drop traffic between IOT and Bridge" \
    in-interface="IOT bridge" out-interface=bridge
add action=drop chain=input comment=\
    "Drop traffic between IOT and Bridge_routerIP" disabled=yes src-address=\
    172.16.1.0/24
add action=drop chain=forward comment="Drop traffic between Bridge and IOT" \
    in-interface=bridge out-interface="IOT bridge"
add action=add-src-to-address-list address-list=bruteforce_blacklist \
    address-list-timeout=1d chain=input comment=Blacklist connection-state=\
    new dst-port=22 protocol=tcp src-address-list=connection3
add action=add-src-to-address-list address-list=connection3 \
    address-list-timeout=1h chain=input comment="Third attempt" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=\
    connection2,!secured
add action=add-src-to-address-list address-list=connection2 \
    address-list-timeout=15m chain=input comment="Second attempt" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=\
    connection1
add action=add-src-to-address-list address-list=connection1 \
    address-list-timeout=5m chain=input comment="First attempt" \
    connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=\
    !bruteforce_blacklist
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=clamp-to-pmtu \
    passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-connection chain=forward comment=\
    "Mark PPP connections to exclude them from fasttrack" \
    new-connection-mark=ppp out-interface=all-ppp passthrough=no
add action=mark-routing chain=prerouting disabled=yes dst-address=\
    !192.168.3.0/24 new-routing-mark=sejanci passthrough=yes src-address=\
    192.168.3.130
add action=mark-routing chain=prerouting disabled=yes dst-address=\
    !192.168.3.0/24 new-routing-mark=koroska passthrough=yes src-address=\
    192.168.3.130
add action=mark-routing chain=prerouting comment="Chromecast Timotej" \
    disabled=yes dst-address=!192.168.3.0/24 new-routing-mark=VPNUnlimited_CZ \
    passthrough=yes src-address=192.168.3.166
add action=mark-routing chain=prerouting disabled=yes dst-address=\
    !192.168.45.0/24 new-routing-mark=sejanci passthrough=yes src-address=\
    192.168.45.4
add action=mark-routing chain=prerouting disabled=yes dst-address=\
    !192.168.3.0/24 new-routing-mark=VPNUnlimited_CZ passthrough=yes \
    src-address=192.168.3.130
add action=mark-routing chain=prerouting disabled=yes dst-address=\
    !192.168.3.0/24 new-routing-mark=test src-address=192.168.3.183
add action=mark-routing chain=prerouting disabled=yes dst-address=\
    !192.168.3.0/24 new-routing-mark=VPNUnlimited_Italy src-address=\
    192.168.3.140
add action=mark-routing chain=prerouting disabled=yes dst-address=89.212.88.4 \
    new-routing-mark=t2test passthrough=yes src-address=192.168.3.116
add action=mark-routing chain=prerouting disabled=yes dst-address=\
    !192.168.3.0/24 new-routing-mark=janko passthrough=yes src-address=\
    192.168.3.130
add action=mark-routing chain=prerouting comment="Chromecast Spalnica LAN" \
    dst-address-list=T2_TV new-routing-mark=t2tv passthrough=yes \
    src-mac-address=00:24:32:91:07:67
add action=mark-routing chain=prerouting comment="Chromecast Spalnica WiFi" \
    dst-address-list=T2_TV new-routing-mark=t2tv passthrough=yes \
    src-mac-address=B0:E4:D5:C4:A6:4C
add action=mark-routing chain=prerouting disabled=yes dst-address=\
    !192.168.3.0/24 new-routing-mark=gregor_net passthrough=yes src-address=\
    192.168.3.130
add action=add-dst-to-address-list address-list="Netflix adress list" \
    address-list-timeout=23h59m59s chain=prerouting comment=Netflix content=\
    netflix
add action=mark-routing chain=prerouting comment="Netflix routing test" \
    dst-address-list="Netflix adress list" new-routing-mark=nflix \
    passthrough=yes
add action=change-mss chain=forward comment="Clamp MTU to PMTU" disabled=yes \
    new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "Masuarade Wireguard between Mikrotiks" disabled=yes src-address=\
    192.168.32.0/24
add action=accept chain=srcnat comment=WG_Test disabled=yes dst-address=\
    192.168.3.3 dst-port=13231 protocol=udp
add action=redirect chain=dstnat comment="DNS Redirect" dst-port=53 protocol=\
    tcp
add action=redirect chain=dstnat comment="DNS Redirect" dst-port=53 protocol=\
    udp
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.23.0/24
add action=masquerade chain=srcnat comment=PPP_Out_Masquarade out-interface=\
    all-ppp
add action=masquerade chain=srcnat comment="Masquarade for DOCKER" \
    src-address=172.17.0.0/24
add action=dst-nat chain=dstnat comment=\
    "Hairpin NAT WWW dostop od zunaj na RPI4" disabled=yes dst-address-list=\
    WAN_IP dst-port=12000 protocol=tcp to-addresses=192.168.3.8 to-ports=8000
add action=masquerade chain=srcnat comment="Hairpin NAT dostop kot od zunaj" \
    dst-address=192.168.3.0/24 src-address=192.168.3.0/24
add action=masquerade chain=srcnat comment="masq. Wireguard vpn traffic" \
    src-address=10.0.0.0/24
    to-ports=17000
add action=dst-nat chain=dstnat comment=Test_double_redirection disabled=yes \
    dst-port=18000 in-interface=ether1 protocol=tcp to-addresses=\
    192.168.11.20 to-ports=80
add action=dst-nat chain=dstnat comment=WOL_Mansarda dst-port=6030 \
    in-interface=ether1 protocol=udp to-addresses=192.168.3.130 to-ports=9
add action=dst-nat chain=dstnat comment=WOL_7 dst-port=7 in-interface=ether1 \
    protocol=udp to-addresses=192.168.3.255 to-ports=7
add action=dst-nat chain=dstnat comment=WOL_9 dst-port=9 in-interface=ether1 \
    protocol=udp to-addresses=192.168.3.255 to-ports=7
/ip firewall service-port
set rtsp disabled=no
/ip kid-control
add name=kid1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=Tadej routing-table=t2tv
add disabled=yes distance=1 dst-address=10.6.0.0/24 gateway=192.168.3.6 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=SejanciAC3 pref-src=\
    0.0.0.0 routing-table=sejanci scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.60.0/24 gateway=Janko \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Janko pref-src=\
    0.0.0.0 routing-table=janko scope=30 suppress-hw-offload=no target-scope=\
    10
add disabled=yes distance=1 dst-address=192.168.4.0/24 gateway=\
    HapAC3_potovalni_IN pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.11.0/24 gateway=SejanciAC3 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.71.0/24 gateway=Gregor \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=Gregor \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Gregor pref-src="" \
    routing-table=gregor_net scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=IJS pref-src=0.0.0.0 \
    routing-table=test scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=192.168.88.0/24 gateway=IJS pref-src=\
    "" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.8.0/24 gateway=morskitestvpn \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway="VPN_Unlimited CZ" \
    pref-src="" routing-table=VPNUnlimited_CZ scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    "VPN_Unlimited Italy" pref-src=0.0.0.0 routing-table=VPNUnlimited_Italy \
    scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.80.0/24 gateway=morskitestvpn \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=192.168.62.0/24 gateway=Janko routing-table=main \
    suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=morskitestvpn \
    pref-src=0.0.0.0 routing-table=test scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=SejanciAC3 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=172.20.0.0/24 gateway=SejanciAC3 routing-table=\
    main suppress-hw-offload=no
add disabled=yes distance=1 dst-address=192.168.88.0/24 gateway=b535_IN \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no distance=1 dst-address=192.168.40.0/24 gateway=RemoteWGTiks \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.100.0/24 gateway=RemoteWGTiks \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp address=192.168.3.0/24 disabled=yes
set www disabled=yes port=8000
set ssh address=192.168.3.0/24
set api disabled=yes
set winbox address=0.0.0.0/0
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
add directory=usb1 name="256 GB"
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=*
add name=* profile=default-encryption
add name=* profile=default-encryption
add name=* profile=default-encryption
add name=* profile=default-encryption
add local-address=192.168.89.1 name=b535 profile=default-encryption \
    remote-address=192.168.23.247
add name=morskitest profile=morskitestprofile
add local-address=192.168.89.1 name=vinograd remote-address=192.168.23.249
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface="Sejanci IPTV" upstream=yes
add interface=dockers
/system clock
set time-zone-name=Europe/Ljubljana
/system logging
set 0 topics=info,!wireguard
add topics=caps
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=193.2.1.117
add address=193.2.4.2
/tool bandwidth-server
set authenticate=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no host=10.255.255.0 interval=25m timeout=1s type=simple

Export on CAPs is quite a bit shorter:

# 2024-09-17 00:58:37 by RouterOS 7.15.3
# software id = 4VF2-IWBE
#
# model = RBD53iG-5HacD2HnD
# serial number = *
/interface bridge
add name=bridgeIOT
add admin-mac=48:8F:5A:AF:4B:A3 auto-mac=no comment=defconf name=bridgeLocal \
    port-cost-mode=short
/interface vlan
add interface=ether1 name=vlan30_Ether1 vlan-id=30
/ip smb users
set [ find default=yes ] disabled=yes
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: *, channel: 2427/n/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath=*1 disabled=no
# managed by CAPsMAN
# mode: AP, SSID: *, channel: 5260/ac/Ceee
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    datapath=*1 disabled=no
# managed by CAPsMAN
# mode: AP, SSID: IOT
add disabled=no mac-address=4A:8F:5A:AF:4B:A8 master-interface=wifi1 name=\
    wifi15
# managed by CAPsMAN
# mode: AP, SSID: IOT
add disabled=no mac-address=4A:8F:5A:AF:4B:A9 master-interface=wifi2 name=\
    wifi16
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal interface=wifi1
add bridge=bridgeLocal interface=wifi2
add bridge=bridgeIOT interface=vlan30_Ether1
add bridge=bridgeIOT interface=wifi15
add bridge=bridgeIOT interface=wifi16
/ip firewall connection tracking
set udp-timeout=10s
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-static=yes
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=Europe/*
/system note
set show-at-login=no

Why do you have both capsman versions enabled on RB5009?
Are you sure the missing cap is not visible in the other controller environment?
Are you sure ALL of your caps devices use wave2 drivers?

It might also be best to have the export of the caps not showing.

Forgot to turn it off. Some time back I had one Hap Lite in use that needed the old version of CAPsMAN.

Yes, I’m sure, all other CAPs are on new wave2 drivers and one is already an AX device.

There is nothing in the CAP export that could be used for a bad purpose.

I mean export of cap device which is not showing… is that the AX device or also an AC device?

And... if you have a mix of wifi-qcom-ac (AC) and wifi-qcom (AX) devices, there are some things to take into consideration.
You surely already had a decent look here?
https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-CAPusing"wifi-qcom-ac"package:

Looks like you are using VLANs.
Are you sure your switch is capable of handling them properly? A dumb switch will cause problems in a VLAN enabled network.

Well, that is strange, I see it normally. Let me try again:

# 2024-09-17 00:58:37 by RouterOS 7.15.3
# software id = 4VF2-IWBE
#
# model = RBD53iG-5HacD2HnD
# serial number = *
/interface bridge
add name=bridgeIOT
add admin-mac=48:8F:5A:AF:4B:A3 auto-mac=no comment=defconf name=bridgeLocal \
    port-cost-mode=short
/interface vlan
add interface=ether1 name=vlan30_Ether1 vlan-id=30
/ip smb users
set [ find default=yes ] disabled=yes
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: *, channel: 2427/n/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath=*1 disabled=no
# managed by CAPsMAN
# mode: AP, SSID: *, channel: 5260/ac/Ceee
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    datapath=*1 disabled=no
# managed by CAPsMAN
# mode: AP, SSID: IOT
add disabled=no mac-address=4A:8F:5A:AF:4B:A8 master-interface=wifi1 name=\
    wifi15
# managed by CAPsMAN
# mode: AP, SSID: IOT
add disabled=no mac-address=4A:8F:5A:AF:4B:A9 master-interface=wifi2 name=\
    wifi16
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridgeLocal interface=wifi1
add bridge=bridgeLocal interface=wifi2
add bridge=bridgeIOT interface=vlan30_Ether1
add bridge=bridgeIOT interface=wifi15
add bridge=bridgeIOT interface=wifi16
/ip firewall connection tracking
set udp-timeout=10s
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-static=yes
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=Europe/*
/system note
set show-at-login=no

(I added some comments in my previous post, in case you missed it …)

Export is from Hap Ac3. But I also have one CAP AX on the network. All other devices are AC.

The switch, as I said, is a Zyxel GS1900-24 managed switch. It’s completely capable of working with VLANs.

I’m making another test now, with some random TpLink POE switch that I had at hand. I connected some CAPs through this switch and now I’m waiting to see what will happen.

Did you enable all needed VLAN handling on that switch?
You have to add at least the needed VLANs for wifi channels and cap-mgmt connection.

About that RB5009 config … why multiple bridges? For docker I understand but the rest? You’re complicating things quite a bit this way.

Yes, VLANs were enabled. I just added tagged VLAN 30 and 3999 (not needed anymore on switch, only on 5009) on all ports. Not really sure what you mean with cap-mgmt connection. My main network is on primary VLAN (1) and CAPsMAN and CAPs communicate over this. Then there is another VLAN 30 for IOT devices. I’m slowly moving away from WIFI sockets that were on a separate IOT network to the use of Zigbee protocol but that is not important for that case. I don’t use VLAN filtering (too little knowledge to use this), I just added firewall rules to prevent some traffic between IOT and main Bridge.

Then there is docker bridge for known reasons and also two bridges that I use for getting IPTV that uses Multicast from another provider on another location. This uses one bridge for VLAN with Multicast and one bridge for internet from that location (so that IPs are the same as on that network). Everything works over EOIP without problems.

2 hours and still no disconnection with the use of TpLink switch:
https://www.tp-link.com/us/business-networking/unmanaged-switch/tl-sg1005p/

Ironically I have more of those TpLink POE switches and on one of them there is a WapAC (arm) connected and it has no problems with disconnections.

Currently there is something like this: 5009 – 80 meters of LAN cable – HapAC2 – 40 meters of LAN cable – TpLink SG1005P (with POE cameras) – WapAC. (No problem on such connection)

As soon as I connect the Zyxel GS1900 managed switch or a Netgear (some kind of green, power saving switch) after the 5009, problems start again. I just don’t see any logic in this.

I will now wait for a few hours to see if problems start to appear with the use of the TpLink switch behind the 5009 and let you know.