CAPsMAN not provisioning

Hello. I have a problem with CAPsMAN. I tried the settings on a RB2011UIAS with a cAP AC on eth3, to dry-run the settings. But the AP doesn’t connect to CAPsMAN (also, RoMON via the router doesn’t discover the cAP AC).
I’ve set it up based on this video:
https://www.youtube.com/watch?v=LLuGby1ecVM
And adapted to our own needs. Wired employee LAN, guest wifi, wired POS printers+POS iPads.

Anyone see what is wrong?


RB2011UIAS:

# 1970-01-02 01:09:38 by RouterOS 7.14.1
# software id = T1HW-1EBQ
#
# model = RB2011UiAS-2HnD
# serial number = 7A67079B60A0
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=Ch01_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=Ch06_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=Ch11_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2467 name=Ch12_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=Ch13_20M_24G tx-power=10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=Ch36_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5200 name=Ch40_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5220 name=Ch44_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5240 name=Ch48_20M_5G tx-power=20
/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_MikrotikAPs
set [ find default-name=ether4 ] name=eth4_gastrofix_wired
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
/interface vlan
add interface=bridge name=EmployeeLAN_VLAN vlan-id=10
add interface=bridge name=Gastrofix_VLAN vlan-id=30
add interface=bridge name=GuestWIFI_VLAN vlan-id=20
/caps-man datapath
add bridge=bridge local-forwarding=yes name=datapath-gastrofix vlan-id=30 vlan-mode=use-tag
add bridge=bridge local-forwarding=yes name=datapath-guest vlan-id=20 vlan-mode=use-tag
/caps-man rates
add basic=9Mbps name="GN Only - No B rates" supported=9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=""
/caps-man security
# Security profile used by the Gastrofix (POS) configurations: WPA2-PSK with AES-CCM.
# No passphrase is visible in this export.
add authentication-types=wpa2-psk encryption=aes-ccm name=security-gastrofix
# NOTE(review): this profile sets no authentication-types, so the Guest_* SSIDs that
# reference it presumably come up as open, unencrypted networks - confirm that is intended.
add name=security-guest
/caps-man configuration
add channel=Ch36_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch36 security=security-guest ssid=Guest_5GHz
add channel=Ch06_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch6 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch11_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch11 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch12_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch12 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch13_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch13 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch36_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch36 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch40_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch40 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch48_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch48 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch44_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch44 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch06_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch6 security=security-guest ssid=Guest_2.4GHz
add channel=Ch11_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch11 security=security-guest ssid=Guest_2.4GHz
add channel=Ch12_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch12 security=security-guest ssid=Guest_2.4GHz
add channel=Ch13_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch13 security=security-guest ssid=Guest_2.4GHz
add channel=Ch40_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch40 security=security-guest ssid=Guest_5GHz
add channel=Ch48_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch48 security=security-guest ssid=Guest_5GHz
add channel=Ch44_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch44 security=security-guest ssid=Guest_5GHz
/interface ethernet switch port
set 2 default-vlan-id=10 vlan-mode=secure
set 3 vlan-mode=secure
set 4 default-vlan-id=30 vlan-mode=secure
set 11 vlan-mode=secure
/interface list
add name=WAN
add name=LAN
add name=WinboxAccess
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=gastrofix_dhcp_pool ranges=192.168.7.120-192.168.7.254
add name=guest_dhcp_pool ranges=192.168.88.20-192.168.88.250
add name=dhcp_bridge ranges=192.168.99.2-192.168.99.254
/ip dhcp-server
add address-pool=gastrofix_dhcp_pool interface=Gastrofix_VLAN lease-time=23h59m59s name=gastrofix_dhcp_server
add address-pool=guest_dhcp_pool interface=GuestWIFI_VLAN lease-time=2h59m name=guest_dhcp_server
add address-pool=dhcp_bridge interface=bridge name=dhcp1
/port
set 0 name=serial0
/system logging action
set 0 memory-lines=3000
set 1 disk-file-count=10 disk-lines-per-file=3000
/caps-man access-list
add action=accept allow-signal-out-of-range=10s comment="-85..120 accept" disabled=no signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment="-120..-86 reject" disabled=no signal-range=-120..-86 ssid-regexp=""
/caps-man manager
# Enables the CAPsMAN service with an auto-generated CA and manager certificate.
# NOTE(review): require-peer-certificate is not set here and the cAP export shows
# certificate=none, so CAPs are presumably accepted without certificate checks - confirm.
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
# The default entry forbids CAPsMAN on every interface; the only exception is eth3_MikrotikAPs.
# NOTE(review): eth3_MikrotikAPs is also a port of the bridge in this export. Traffic received
# on a bridge port is normally seen as arriving on the bridge itself, so this exception may
# never match and the CAP's discovery could be refused - verify against the bridge interface.
set [ find default=yes ] forbid=yes
add disabled=no interface=eth3_MikrotikAPs
/caps-man provisioning
add action=create-enabled comment=CAP_Bar hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch6 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch6
add action=create-enabled comment=CAP_Kontor hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch36 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch36
add action=create-enabled comment=CAP_BAR hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch40 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch40
add action=create-enabled comment=CAP_Messanin hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch44 name-format=prefix-identity name-prefix=5GHz- radio-mac=C4:AD:34:9E:DA:B2 slave-configurations=cfg-5ghz-guest-ch44
add action=create-enabled comment=CAP_Chambre hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch48 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch48
add action=create-enabled comment=CAP_Kontor hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch11 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch11
add action=create-enabled comment=CAP_Chambre hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch12 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch12
add action=create-enabled comment=CAP_Messanin hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch13 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=C4:AD:34:9E:DA:B1 slave-configurations=cfg-2.4-guest-ch13
/interface bridge port
add bridge=bridge interface=eth2_kontor
add bridge=bridge interface=eth3_MikrotikAPs
add bridge=bridge interface=eth4_gastrofix_wired
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch rule
add dst-address=192.168.1.0/24 new-dst-ports="" ports=eth2_kontor switch=switch1
add dst-address=192.168.7.0/24 new-dst-ports="" ports=eth3_MikrotikAPs,eth4_gastrofix_wired switch=switch1
add dst-address=192.168.88.0/24 new-dst-ports="" ports=eth3_MikrotikAPs switch=switch1
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,eth2_kontor switch=switch1 vlan-id=10
add independent-learning=yes ports=switch1-cpu,eth3_MikrotikAPs switch=switch1 vlan-id=20
add independent-learning=yes ports=switch1-cpu,eth3_MikrotikAPs,eth4_gastrofix_wired switch=switch1 vlan-id=30
/interface list member
add interface=eth1_WAN list=WAN
add interface=eth2_kontor list=LAN
add interface=eth3_MikrotikAPs list=LAN
add interface=Gastrofix_VLAN list=LAN
/ip address
#hidden IP for forum:
add address=xxxxx/24 interface=eth1_WAN network=xxxx
add address=192.168.1.1/24 interface=EmployeeLAN_VLAN network=192.168.1.0
add address=192.168.7.1/24 interface=Gastrofix_VLAN network=192.168.7.0
add address=192.168.88.1/24 interface=GuestWIFI_VLAN network=192.168.88.0
add address=192.168.99.1/24 interface=bridge network=192.168.99.0
/ip arp
add address=192.168.7.41 interface=Gastrofix_VLAN mac-address=FE:67:3A:11:0F:D0
/ip cloud
set update-time=no
/ip dhcp-server lease
add address=192.168.7.247 client-id=1:78:8a:20:4b:4:a6 mac-address=78:8A:20:4B:04:A6 server=gastrofix_dhcp_server
/ip dhcp-server network
add address=192.168.7.0/24 comment="DHCP for Gastrofix" dns-server=193.75.75.75,192.168.7.1 gateway=192.168.7.1 netmask=24
add address=192.168.88.0/24 comment="DHCP for Guests" dns-server=193.75.75.75,193.75.75.193 gateway=192.168.88.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=193.75.75.75,193.75.75.193
/ip firewall address-list
add address=192.168.1.0/24 list=AdminAccess
add address=0.0.0.0/8 list=bogons
add address=172.16.0.0/12 list=bogons
add address=10.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=127.0.0.0/8 list=bogons
add address=224.0.0.0/4 list=bogons
add address=198.18.0.0/15 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=100.64.0.0/10 list=bogons
add address=240.0.0.0/4 list=bogons
add address=192.88.99.0/24 list=bogons
/ip firewall filter
# Rules are evaluated top to bottom within each chain; the first matching rule decides.
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
# Forward-chain rule listed among the input rules; the identical rule appears again below.
add action=drop chain=forward dst-address=77.66.21.133 in-interface=GuestWIFI_VLAN
# NOTE(review): matches on source address only (AdminAccess = 192.168.1.0/24) with no
# in-interface condition, and 192.168.0.0/16 is not in the bogons list used by the raw rule.
# Consider also restricting this rule to the employee VLAN interface.
add action=accept chain=input comment="Admin Access to Router" src-address-list=AdminAccess
add action=accept chain=input comment="allow LAN to DNS-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="allow LAN to DNS-UDP" dst-port=53 in-interface-list=LAN protocol=udp
# ICMP is accepted from every interface, including the WAN side.
add action=accept chain=input comment="accept ICMP" protocol=icmp
# NOTE(review): accepts CAPsMAN UDP 5246/5247 only when the source is 127.0.0.1. A remote CAP
# connecting over IP would not match and would reach the final input drop - verify whether the
# CAPs are expected to connect over layer 2 or over IP.
add action=accept chain=input comment="CAPsMAN accept all local traffic" dst-port=5246,5247 protocol=udp src-address=127.0.0.1
# Accepts and logs anything addressed to 127.0.0.1.
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 log=yes log-prefix="acceot local loopback CAPsMAN"
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address-type=local src-address-type=local
# Final input drop. NOTE(review): a log-prefix is set but log=yes is not, so dropped
# packets are presumably not logged - enable logging here while troubleshooting.
add action=drop chain=input comment="Drop All Else" log-prefix=DROP-FIREWALL
# Duplicate of the guest drop rule above.
add action=drop chain=forward dst-address=77.66.21.133 in-interface=GuestWIFI_VLAN
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# NOTE(review): the LAN list in this export holds eth2_kontor, eth3_MikrotikAPs and
# Gastrofix_VLAN only. GuestWIFI_VLAN and EmployeeLAN_VLAN are not members, so guest and
# office traffic presumably does not match this rule despite the comment - verify.
add action=accept chain=forward comment="Allow all LAN (Office, Guest and POS) Traffic to Internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
# Unconditional forward drop: every forward rule after this line is never reached,
# including the dstnat (port forwarding) accept that follows.
add action=drop chain=forward comment="DROP ALL Else"
add action=accept chain=forward comment="Allow Port Fowarding if required" connection-nat-state=dstnat
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="DROP All Else"
/ip firewall nat
add action=redirect chain=dstnat comment="Force Users to Router DNS -TCP" dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment="Force Users to Router DNS -UDP" dst-port=53 protocol=udp
add action=accept chain=srcnat disabled=yes ipsec-policy=out,none out-interface=eth1_WAN
/ip firewall raw
add action=drop chain=prerouting comment="Drop all non-internet networks" src-address-list=bogons
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2200
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/lcd
set default-screen=stat-slideshow
/system clock
set time-zone-name=Europe/Oslo
/system identity
set name=Router-Kontor
/system logging
add action=disk topics=info,critical,error,info
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=79.160.13.250
add address=162.159.200.1
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool romon
# Enables RoMON with a shared secret.
# NOTE(review): the secret is shown in clear text in a public post. It looks like a
# placeholder, but if it is the production value, change it on every RoMON device.
set enabled=yes secrets=mysecret

cAP AC:

# jan/02/1970 00:02:06 by RouterOS 6.49.10
# software id = JMR2-YE58
#
# model = RBcAPGi-5acD2nD
# serial number = BECD0BC7D2E7
/interface bridge
add admin-mac=C4:AD:34:9E:DA:AF auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wireless cap
# 
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add comment=defconf disabled=no interface=bridgeLocal
/tool romon
# Enables RoMON on the cAP with the same shared secret as the router export.
# NOTE(review): the secret is shown in clear text in a public post; if it is the
# production value, change it on every RoMON device.
set enabled=yes secrets=mysecret

I think your cAP isn’t in CAP mode at the moment (I’m not 100% sure about the correct syntax):

/interface wireless cap enabled=yes

It’s enabled (I used the reset configuration → CAPS mode).
Confirmed it with:

[admin@MikroTik] > /interface wireless cap print
                            enabled: yes
                         interfaces: wlan1,wlan2
                        certificate: none
                   lock-to-caps-man: no
               discovery-interfaces: bridgeLocal
                 caps-man-addresses: 
                     caps-man-names: 
  caps-man-certificate-common-names: 
                             bridge: bridgeLocal
                     static-virtual: no
[admin@MikroTik] >

Anyway, I think RoMON should discover the cAP AC, even if CAPsMAN<->CAP wasn’t functioning properly?
I suspect it’s some kind of bridge/port/switch setting I’ve made wrong so something doesn’t see each other or is somewhat isolated?

It likely doesn’t connect because although CAPsMAN is enabled, you have forbidden it from running on all interfaces:
/caps-man manager interface
set [ find default=yes ] forbid=yes
You should add some exceptions there, or remove forbid.

You are missing an important part of making VLAN available on a router: VLAN filtering on the bridge.
Please have a look at this topic, that will help you understand configuring VLAN the right way:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I’m stuck. I read the posts and adapted my configuration to the examples, but there is still no provisioning. Both the 2.4 and 5GHz radios showed up under Wireless->CAPsMAN->Radio for 5-10 seconds, but then disappeared, and they haven’t been seen since (after many reboots, power downs, unplugging/plugging, etc). There is also no 2.4/5GHz LED on the cAP, and no wireless network is available.


[admin@MikroTik] > export
# 1970-01-02 00:16:41 by RouterOS 7.14.1
# software id = T1HW-1EBQ
#
# model = RB2011UiAS-2HnD
# serial number = 7A67079B60A0
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=Ch01_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=Ch06_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=Ch11_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2467 name=Ch12_20M_24G tx-power=10
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=Ch13_20M_24G tx-power=10
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5180 name=Ch36_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5200 name=Ch40_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5220 name=Ch44_20M_5G tx-power=20
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled frequency=5240 name=Ch48_20M_5G tx-power=20
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=eth1_WAN
set [ find default-name=ether2 ] name=eth2_kontor
set [ find default-name=ether3 ] name=eth3_MikrotikAPs
set [ find default-name=ether4 ] name=eth4_gastrofix_wired
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=Router
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=Employee_VLAN vlan-id=10
add interface=BR1 name=Gastrofix_VLAN vlan-id=30
add interface=BR1 name=GuestWIFI_VLAN vlan-id=20
/caps-man datapath
add bridge=BR1 local-forwarding=yes name=datapath-guest vlan-id=20 vlan-mode=use-tag
add bridge=BR1 local-forwarding=yes name=datapath-gastrofix vlan-id=30 vlan-mode=use-tag
/caps-man rates
add basic=9Mbps name="GN Only - No B rates" supported=9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vht-basic-mcs=""
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security-gastrofix
add name=security-guest
/caps-man configuration
add channel=Ch36_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch36 security=security-guest ssid=Guest_5GHz
add channel=Ch06_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch6 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch11_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch11 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch12_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch12 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch13_20M_24G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-2.4-gastrofix-ch13 security=security-gastrofix ssid=Gastrofix_2.4GHz
add channel=Ch36_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch36 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch40_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch40 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch48_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch48 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch44_20M_5G country=norway datapath=datapath-gastrofix distance=indoors installation=indoor mode=ap name=cfg-5ghz-gastrofix-ch44 security=security-gastrofix ssid=Gastrofix_5GHz
add channel=Ch06_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch6 security=security-guest ssid=Guest_2.4GHz
add channel=Ch11_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch11 security=security-guest ssid=Guest_2.4GHz
add channel=Ch12_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch12 security=security-guest ssid=Guest_2.4GHz
add channel=Ch13_20M_24G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-2.4-guest-ch13 security=security-guest ssid=Guest_2.4GHz
add channel=Ch40_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch40 security=security-guest ssid=Guest_5GHz
add channel=Ch48_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch48 security=security-guest ssid=Guest_5GHz
add channel=Ch44_20M_5G country=norway datapath=datapath-guest distance=indoors installation=indoor mode=ap name=cfg-5ghz-guest-ch44 security=security-guest ssid=Guest_5GHz
/caps-man interface
add channel=Ch01_20M_24G channel.frequency=2412 configuration=cfg-2.4-gastrofix-ch11 configuration.frame-lifetime=10ms disabled=yes l2mtu=1600 mac-address=74:4D:28:F9:AF:19 master-interface=none name=Gastrofix_2.4GHz-AP_Bar radio-mac=\
    74:4D:28:F9:AF:19 radio-name=744D28F9AF19
add channel=Ch11_20M_24G channel.frequency=2462 configuration=cfg-2.4-gastrofix-ch11 configuration.frame-lifetime=10ms disabled=yes l2mtu=1600 mac-address=74:4D:28:F9:AA:6C master-interface=none name=Gastrofix_2.4GHz-AP_Chambre radio-mac=\
    74:4D:28:F9:AA:6C radio-name=744D28F9AA6C
add channel=Ch06_20M_24G channel.frequency=2437 configuration=cfg-2.4-gastrofix-ch11 configuration.frame-lifetime=10ms disabled=yes l2mtu=1600 mac-address=C4:AD:34:14:34:2A master-interface=none name=Gastrofix_2.4GHz-AP_Kontor radio-mac=\
    C4:AD:34:14:34:2A radio-name=C4AD3414342A
add channel=Ch12_20M_24G channel.frequency=2467 configuration=cfg-2.4-gastrofix-ch11 configuration.frame-lifetime=10ms disabled=yes l2mtu=1600 mac-address=C4:AD:34:9E:DA:B1 master-interface=none name=Gastrofix_2.4GHz-AP_Messanin radio-mac=\
    C4:AD:34:9E:DA:B1 radio-name=C4AD349EDAB1
add channel=Ch40_20M_5G channel.frequency=5200 configuration=cfg-5ghz-guest-ch36 configuration.frame-lifetime=10ms disabled=yes l2mtu=1600 mac-address=74:4D:28:F9:AF:1A master-interface=none name=Gastrofix_5GHz-AP_Bar radio-mac=74:4D:28:F9:AF:1A \
    radio-name=744D28F9AF1A
add channel=Ch48_20M_5G channel.frequency=5240 configuration=cfg-5ghz-guest-ch36 configuration.frame-lifetime=10ms disabled=yes l2mtu=1600 mac-address=74:4D:28:F9:AA:6D master-interface=none name=Gastrofix_5GHz-AP_Chambre radio-mac=74:4D:28:F9:AA:6D \
    radio-name=744D28F9AA6D
add channel=Ch36_20M_5G channel.frequency=5180 configuration=cfg-5ghz-guest-ch36 configuration.frame-lifetime=10ms disabled=yes l2mtu=1600 mac-address=C4:AD:34:14:34:2B master-interface=none name=Gastrofix_5GHz-AP_Kontor radio-mac=C4:AD:34:14:34:2B \
    radio-name=C4AD3414342B
add channel=Ch44_20M_5G channel.frequency=5220 configuration=cfg-5ghz-guest-ch36 configuration.frame-lifetime=10ms disabled=yes l2mtu=1600 mac-address=C4:AD:34:9E:DA:B2 master-interface=none name=Gastrofix_5GHz-AP_Messanin radio-mac=\
    C4:AD:34:9E:DA:B2 radio-name=C4AD349EDAB2
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=guest_dhcp_pool ranges=192.168.88.20-192.168.88.250
add name=gastrofix_dhcp_pool ranges=192.168.7.120-192.168.7.254
/ip dhcp-server
add address-pool=guest_dhcp_pool interface=GuestWIFI_VLAN lease-time=2h59m name=guest_dhcp_server
add address-pool=gastrofix_dhcp_pool interface=Gastrofix_VLAN lease-time=23h59m59s name=gastrofix_dhcp_server
/port
set 0 name=serial0
/system logging action
set 0 memory-lines=3000
set 1 disk-file-count=10 disk-lines-per-file=3000
/caps-man access-list
add action=accept allow-signal-out-of-range=10s comment="-85..120 accept" disabled=no signal-range=-85..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment="-120..-86 reject" disabled=no signal-range=-120..-86 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=eth3_MikrotikAPs
/caps-man provisioning
add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" disabled=yes hw-supported-modes=gn master-configuration=cfg-5ghz-guest-ch36 name-format=prefix-identity name-prefix=2.4GHz-
add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" disabled=yes hw-supported-modes=ac master-configuration=cfg-5ghz-guest-ch36 name-format=prefix-identity name-prefix=5GHz-
add action=create-dynamic-enabled comment="2.4GHz 802.11g capable radios" disabled=yes hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch12 name-format=prefix-identity name-prefix=2.4GHz-
add action=create-dynamic-enabled comment="5GHz 802.11ac capable radios" disabled=yes hw-supported-modes=ac master-configuration=cfg-2.4-gastrofix-ch6 name-format=prefix-identity name-prefix=5GHz-
add action=create-enabled comment=CAP_Bar hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch6 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch6
add action=create-enabled comment=CAP_Kontor hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch36 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch36
add action=create-enabled comment=CAP_BAR hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch40 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch40
add action=create-enabled comment=CAP_Messanin hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch44 name-format=prefix-identity name-prefix=5GHz- radio-mac=C4:AD:34:9E:DA:B2 slave-configurations=cfg-5ghz-guest-ch44
add action=create-enabled comment=CAP_Chambre hw-supported-modes=ac master-configuration=cfg-5ghz-gastrofix-ch48 name-format=prefix-identity name-prefix=5GHz- slave-configurations=cfg-5ghz-guest-ch48
add action=create-enabled comment=CAP_Kontor hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch11 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch11
add action=create-enabled comment=CAP_Chambre hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch12 name-format=prefix-identity name-prefix=2.4GHz- slave-configurations=cfg-2.4-guest-ch12
add action=create-enabled comment=CAP_Messanin hw-supported-modes=gn master-configuration=cfg-2.4-gastrofix-ch13 name-format=prefix-identity name-prefix=2.4GHz- radio-mac=C4:AD:34:9E:DA:B1 slave-configurations=cfg-2.4-guest-ch13
/interface bridge port
add bridge=BR1 interface=eth3_MikrotikAPs
add bridge=BR1 interface=eth2_kontor
add bridge=BR1 interface=eth4_gastrofix_wired
/interface bridge vlan
# VLAN table for BR1 (vlan-filtering=yes). Every port is listed as tagged only;
# no untagged members are defined and the bridge ports in this export set no pvid.
# NOTE(review): the cAP export shows no VLAN configuration, so its CAPsMAN and DHCP
# traffic on eth3_MikrotikAPs is presumably untagged and lands in the default PVID,
# which has no entry here and no router interface - verify. The wired devices on
# eth2_kontor and eth4_gastrofix_wired would need untagged (access) membership as well.
add bridge=BR1 tagged=BR1,eth2_kontor vlan-ids=10
add bridge=BR1 tagged=BR1,eth3_MikrotikAPs vlan-ids=20
add bridge=BR1 tagged=BR1,eth3_MikrotikAPs,eth4_gastrofix_wired vlan-ids=30
add bridge=BR1 tagged=BR1,eth2_kontor,eth3_MikrotikAPs,eth4_gastrofix_wired vlan-ids=99
/interface list member
add interface=eth1_WAN list=WAN
add interface=Employee_VLAN list=VLAN
add interface=GuestWIFI_VLAN list=VLAN
add interface=Gastrofix_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
# Management address on the base VLAN (99).
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
# NOTE(review): the WAN address was masked in the first export of this thread but is shown here.
add address=193.90.223.118/24 interface=eth1_WAN network=193.90.223.0
# NOTE(review): the same 10.0.10.1/24 is assigned to all three VLAN interfaces, which puts
# employee, guest and POS in one overlapping subnet. The DHCP pools and networks in this
# export still use 192.168.7.0/24 and 192.168.88.0/24, which no longer match any interface
# address. Each VLAN presumably needs its own subnet matching its DHCP network - verify.
add address=10.0.10.1/24 interface=Employee_VLAN network=10.0.10.0
add address=10.0.10.1/24 interface=GuestWIFI_VLAN network=10.0.10.0
add address=10.0.10.1/24 interface=Gastrofix_VLAN network=10.0.10.0
/ip dhcp-server network
add address=192.168.7.0/24 comment="DHCP for Gastrofix" dns-server=193.75.75.75,192.168.7.1 gateway=192.168.7.1 netmask=24
add address=192.168.88.0/24 comment="DHCP for Guests" dns-server=193.75.75.75,193.75.75.193 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=193.75.75.75,193.75.75.193
/ip firewall filter
# Rules are evaluated top to bottom within each chain; the first matching rule decides.
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
# NOTE(review): the VLAN list in this export includes GuestWIFI_VLAN, so this rule lets
# guest clients reach every service on the router itself. Consider limiting guest and POS
# VLANs to the services they need (for example DNS) and keeping full access to BASE_VLAN.
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN
# Everything else to the router is dropped, including WAN-side traffic.
add action=drop chain=input comment=Drop
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
# New connections are forwarded only from the VLAN list to the WAN list, so the VLANs
# cannot open connections to each other through the router.
# There is no explicit drop for connection-state=invalid in either chain.
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward comment=Drop
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" out-interface-list=WAN
/system note
set show-at-login=no

Any suggestions?