Good morning dear community,
I am new to the field of microtronics.
My TEST SETUP - My router (MikroTik L009UiGS-RM) is set up and receives Internet from the Fritzbox. CAPsMAN (WIFI => CAPsMAN) has been activated and all WLAN settings have been set (WIFI => Channel, Security, Datapath, etc.).
Now on my Mikrotik CAP (MikroTik RBcAPGi-5acD2nD - cAP ac), which also gets an IP address from the router (port 8 with POE), mode set to "Home AP Dual", I can see the WLAN "Mikrotik" on the smartphone and can also connect to it.
Now I have to activate CAP. In WinBox I see the menus "WIFI" and "Wireless", and both have the CAP button. I should actually go to Wireless => Activate CAP and enter the data from CAPSMAN. If I do this, I see "managed by CAPSMAN" for the WLAN. Then the CAP LEDs for 2.4 GHz and 5 GHz no longer light up and the AP goes into CAP mode. In the router I see no WLAN or cannot configure a WLAN as there is no "master". In the router on the "remote CAPSMAN" tab, I also don't see that the AP is connected.
If I now undo this and activate it via WIFI => CAP and enter the data, I can see in the router on the "remote CAPSMAN" tab that the AP is connected, with IP (in Home AP dual mode), without IP (in CAP mode). But here too, no WLAN is available and cannot be configured, as there is no "master". With your variants, I no longer see any WLAN "Mikrotik" on my smartphone.
I must have overlooked another setting somewhere, or am I doing something completely wrong? Do you have any ideas as to what else I could test?
Best regards
Mirco
From a quick scan, this can be caused by using the wireless driver on the cAP ac. Is that correct (you can see for yourself in /system/packages)?
What exact version of RouterOS (and firmware) are you running?
With the introduction of AX devices, MikroTik supplied an alternative wifi driver (called wifi-qcom-ac) that integrates better with the AX devices.
More info can be found here:
1 Like
As indicated, you first have to make a choice:
use wifi-qcom-ac drivers on cap AC, in that case you can use L009 as-is.
Or stay with wireless drivers on cap AC, in that case you need to add wireless package to L009 and configure capsman from wireless/capsman menu.
I have the same setup, L009UiGS-RM and cAP ac RBcAPGi-5acD2nD.
On the L009, I only have the WiFi menu. I use only the wifi-qcom package, not wifi-qcom-ac. This package is not essential to operation, but is needed in order to specify radio options for Webfig when configuring. On the cAP ac I use the wifi-qcom-ac package. I suggest you clean up your setup to use just the package on the cAP ac and try again.
@erlinden has provided the link for the documentation which applies if you follow my selections of driver packages.
1 Like
You don't need that package on L009UiGS-RM.
Base hooks are present in ROS as of 7.13 for wifi-qcom capsman function.
2 Likes
Thanks for that. The L009 can run without the package, but it is essential to setting up in Webfig at least.
1 Like
@holvoetn I have just revisited the router in question and there are some strong caveats on not needing the wireless driver. Having taken away the wifi-qcom package, the existing configuration does indeed continue to work. HOWEVER, in Webfig, the options to set country for wifi and all of the radio options are no longer available. This means that you do need the wifi-qcom package in order to set up the L009 or any other CAPsMAN server which does not itself have wireless. I kind of imagine that it would still be possible to set up from the CLI without the package, but otherwise, I would say the package is essential.
1 Like
It shouldn't be.
In that case those are bugs.
1 Like
Hello,
Thank you very much for your support.
I installed the file “wifi-qcom-ac-7.20.6-arm.npk” on the CAP AC, which automatically removed the “CAP mode” and now I only have “home ap dual” available. I can now configure the Wi-Fi in the router (CAPSMAN) and it is displayed on my smartphone.
However, I cannot connect to the Wi-Fi with my smartphone. I then installed the file “wifi-qcom-7.20.6-arm.npk” in the router, as described here.
Unfortunately, I still cannot connect to the Wi-Fi with my smartphone – regardless of whether it is 2.4 GHz or 5 GHz. The router and the CAP have version 7.20.6 (stable).
Does anyone have any ideas on how I can now connect to the Wi-Fi?
Best regards
It's all in the config, can you please share it with us?
/export file=anynameyoulike
Remove serial and any other private info, post as Preformatted text by using the </> button.
1 Like
Are you using Webfig in Quickset mode? Because that is probably best described as a single use 'wizard' which should never be used after an initial set up.
1 Like
I use WinBox.
I don't use Quick Assistant.
I hope I have redacted all relevant data.
# 2025-12-21 21:12:10 by RouterOS 7.20.6
# software id = ZBK6-CY3X
#
# model = L009UiGS
# serial number = XXXXXXX
/interface bridge
add admin-mac=XXXXXXXx auto-mac=no comment=defconf name=bridge-router
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-n disabled=no frequency=2412-2472 name=ch24 width=20mhz
add band=5ghz-ac disabled=no name=ch5 width=20/40/80mhz
/interface wifi datapath
add bridge=bridge-router disabled=no name=dpLocal
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp-256 \
name=mySecurity
/interface wifi configuration
add channel=ch24 country=Germany datapath=dpLocal disabled=no installation=\
indoor name=cfg24 security=mySecurity ssid=LMEINWLAN-24
add channel=ch5 country=Germany datapath=dpLocal disabled=no name=cfg5 \
security=mySecurity ssid=MEINWLAN-5
/interface wifi
# operated by CAP XX:XX:XXX:DE%bridge-router, traffic processing on CAP
add channel=ch24 configuration=cfg24 configuration.mode=ap datapath=dpLocal \
disabled=no mtu=1500 name=cap-wifi1 radio-mac=XX:XXX:XXX:E0 security=\
mySecurity
# operated by CAP XX:XX:XX:DE%bridge-router, traffic processing on CAP
add channel=ch5 configuration=cfg5 configuration.mode=ap datapath=dpLocal \
disabled=no mtu=1500 name=cap-wifi2 radio-mac=XX:XX:XX:E1 security=\
mySecurity
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge-router name=defconf
/port
set 0 name=serial0
/disk settings
set auto-media-interface=bridge-router auto-media-sharing=yes auto-smb-sharing=\
yes
/interface bridge port
add bridge=bridge-router comment=defconf interface=ether2
add bridge=bridge-router comment=defconf interface=ether3
add bridge=bridge-router comment=defconf interface=ether4
add bridge=bridge-router comment=defconf interface=ether5
add bridge=bridge-router comment=defconf interface=ether6
add bridge=bridge-router comment=defconf interface=ether7
add bridge=bridge-router comment=defconf interface=ether8
add bridge=bridge-router comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge-router list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi cap
set caps-man-addresses=192.168.88.1 certificate=request discovery-interfaces=\
dynamic
/interface wifi capsman
set ca-certificate=none certificate=auto enabled=yes interfaces=all \
package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=cfg24 radio-mac=\
00:00:00:00:00:00
add action=create-enabled disabled=no master-configuration=cfg5 radio-mac=\
00:00:00:00:00:00
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge-router network=\
192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1 netmask=24 ntp-server=192.168.88.1 wins-server=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name="MikroTik Router"
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Remove radio mac, that only worked on the old CAPsMAN. Also add supported-bands to make distinction between 5GHz and 2GHz:
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=cfg24 supported-bands=2ghz-n
add action=create-enabled disabled=no master-configuration=cfg5 supported-bands=5ghz-n
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp-256 name=mySecurity
For better support set encryption to: encryption=ccmp,gcmp:
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp,gcmp name=mySecurity
1 Like
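The two changes suggested in the answer above (a supported-bands match on each provisioning rule, and ccmp in the cipher list) expressed as a check over a RouterOS export; this is an added example, not code from the thread or from MikroTik. The export excerpt is constructed from the config posted earlier, and the require-peer-certificate check is an extra that the thread does not raise.

```python
import re

# Constructed sample: the three sections of the posted export that the checks read.
SAMPLE_EXPORT = r"""
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp-256 \
    name=mySecurity
/interface wifi capsman
set ca-certificate=none certificate=auto enabled=yes interfaces=all \
    package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=cfg24 radio-mac=\
    00:00:00:00:00:00
add action=create-enabled disabled=no master-configuration=cfg5 radio-mac=\
    00:00:00:00:00:00
"""

def parse_export(text):
    """Yield (menu path, {property: value}) for each add/set line."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join '\'-wrapped lines
    path = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif line.startswith(("add ", "set ")):
            pairs = re.findall(r'([\w.-]+)=("[^"]*"|\S*)', line)
            yield path, {key: value.strip('"') for key, value in pairs}

def audit(text):
    """Return (menu path, message) findings for the points raised above."""
    findings = []
    for path, item in parse_export(text):
        enc = item.get("encryption")
        if path == "/interface wifi provisioning" and "supported-bands" not in item:
            cfg = item.get("master-configuration")
            findings.append((path, f"{cfg}: no supported-bands, matches any band"))
        if path == "/interface wifi security" and enc and "ccmp" not in enc.split(","):
            findings.append((path, f"encryption={enc} omits ccmp"))
        # Extra check, not raised in the thread: CAP certificates are optional.
        if path == "/interface wifi capsman" and item.get("require-peer-certificate") == "no":
            findings.append((path, "CAPs need not present a valid certificate"))
    return findings

if __name__ == "__main__":
    for path, message in audit(SAMPLE_EXPORT):
        print(f"{path}: {message}")
```
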
May be. I'm running 7.19.6 and that won't change for a while, so I am not going to be able to investigate against a current version at the moment.
I have a couple of capsman installations for a customer running (with CRS326/328 as controller) and none of them have wifi-qcom package present.
At home I use RB5009 (and 1 installation on customer premises also has RB5009): no wifi-qcom package.
Just base ROS and nothing else.
But I rarely use webfig. I mostly use Winbox (about 99.5% of the time).
I just tested again on home-RB5009 (7.21rc1): all things you mention simply show there.
It might be tied to the 7.19.x chain? 7.20.x is definitely to be avoided when you use Webfig.
Hey,
I've applied the settings you suggested.
Unfortunately, I still can't connect to the Wi-Fi on my smartphone. I get the message “IP configuration error,” but no further information.
At least that is a step ahead. After any config change, please share it here as well (both CAPsMAN and CAPS). Sounds like a misconfigured CAPS, did you set it in CAPS Mode manually or through /system reset capsmode?
Hello,
at the moment I have only changed the configuration on the CAPSMAN, i.e. on the router.
I have activated the CAP via the "reset button - power supply - wait 10 seconds" method.
However, as already described, in the quick setup of the CAPS I see no CAP mode, only home ap dual.
Forget about Quickset...please. Really...never ever touch it.
Just reset the CAPS as you described and leave it as it is. If you see the CAPS as "Remote CAP" (assuming you are using Winbox), the CAP is just fine.
1 Like