CAPsMAN, ROS 7.20.8, wifi-qcom - traffic on wifi is (probably) tagged

Hi All,

I’m new to CAPsMAN. I have been running an AX3 for a few years. I use the router as an L2 switch and wifi AP (IP forwarding is disabled), no firewalls, L3 routing etc. I decided to buy a cAP AX to improve wifi signal. I followed the manual WiFi - RouterOS - MikroTik Documentation (I hope).

I have 4 VLANs; actually VLAN 1 is untagged everywhere, it’s the main VLAN and is used for management as well. The other 3 VLANs are tagged on ethernet (except ethernet access ports, of course).

About the CAPsMAN device (ax3): When I enabled the datapath configurations, devices stayed connected to wifi but everything on wifi stopped working except devices on VLAN 1 (untagged everywhere). I didn’t see anything suspicious in the configuration. When I disabled the datapath, wifi works on all VLANs.

OK, let’s continue to configuring the CAP. The CAP deployed all wifi APs as expected, but nothing works (again, except VLAN 1, untagged everywhere). The bridge on the CAP became configured to tag all traffic on WIFI (except VLAN 1).

CAPsMAN config:

[admin@ax3] /interface/wifi> datapath/print detail                     
Flags: X - disabled 
0   name="spcam" bridge=bridge vlan-id=22 

1   name="piot" bridge=bridge vlan-id=66 

2   name="pgst" bridge=bridge client-isolation=yes vlan-id=33 

3   name="Tzcocot" bridge=bridge 
[admin@ax3] /interface/wifi> channel/print detail                      
Flags: X - disabled 
0   name="5G" frequency=5220,5280 band=5ghz-ax width=20/40/80mhz skip-dfs-channels=disabled 

1   name="2G" frequency=2422,2467 band=2ghz-ax width=20mhz skip-dfs-channels=disabled 
[admin@ax3] /interface/wifi> configuration/print detail without-paging 
Flags: X - disabled 
0   name="spcam" mode=ap ssid="spcam" country=Czech installation=indoor security=spcam 
security.authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk .passphrase="***" .disable-pmkid=yes 
.management-protection=allowed .wps=disable .ft=yes .ft-over-ds=yes .ft-preserve-vlanid=yes 
datapath=spcam 
datapath.bridge=bridge .vlan-id=22
channel=5G
channel.frequency=5220,5280 .band=5ghz-ax .width=20/40/80mhz .skip-dfs-channels=disabled

1   name="piot" mode=ap ssid="piot" country=Czech installation=indoor security=piot
security.authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk .passphrase="***" .disable-pmkid=yes
.management-protection=allowed .wps=disable .ft=yes .ft-over-ds=yes .ft-preserve-vlanid=yes
datapath=piot
datapath.bridge=bridge .vlan-id=66
channel=2G
channel.frequency=2422,2467 .band=2ghz-ax .width=20mhz .skip-dfs-channels=disabled

2   name="Tzcocot" mode=ap ssid="Tzcocot" country=Czech installation=indoor security=Tzcocot
security.authentication-types=wpa3-psk .passphrase="***" .disable-pmkid=yes .management-protection=required
.wps=disable .ft=yes .ft-over-ds=yes .ft-preserve-vlanid=yes
datapath=Tzcocot
datapath.bridge=bridge
channel=5G
channel.frequency=5220,5280 .band=5ghz-ax .width=20/40/80mhz .skip-dfs-channels=disabled

3   name="gsts" mode=ap ssid="pgst" country=Czech security=gsts
security.passphrase="pass4friends" .disable-pmkid=yes .management-protection=allowed .wps=disable .ft=yes .ft-over-ds=yes
.ft-preserve-vlanid=yes
datapath=pgst
datapath.bridge=bridge .client-isolation=yes .vlan-id=33

I spent a few days trying to get this working, but with no success. Any help welcome, thanks.

It's hard to tell as you only posted very limited fragments of configuration, but everything is important. So my guess is below ...

I don't see the CAP being configured with a trunk port towards the CAP device. I'll assume ether1 is used ... so ether1 should be a tagged member of VLANs 22, 33 and 66. OTOH the bridge doesn't have to be a tagged member of these VLANs, as the CAP device (the IP stack of it) doesn't interact with those VLANs (probably).

And a similar configuration has to be done on the CAPsMAN device.

If you want to get more concrete advice, then post the complete configurations of both the CAP and CAPsMAN devices.

Print is a terrible way to get your config, from a reading perspective. Please provide an export:

/export file=anynameyoulike

Remove serial and any other private info, post as Preformatted text by using the </> button.

Thanks, I thought print was more readable. I cleaned the configuration and tried to learn more, but no success/no change. I also tried to change the bridge to an untagged member of VLAN 1 - no change. The AX3, the device with CAPsMAN, works well when all datapaths are disabled. It doesn’t matter if the CAP is connected or not, or whether CAPsMAN itself is enabled or disabled.

About VLANs on the CAP - in MikroTik’s example in Confluence no VLANs are defined on the CAP. This is why I have VLANs defined, but disabled.

CAPsMAN configuration:

# 2026-02-15 21:59:18 by RouterOS 7.20.8
# software id = xxxx
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = xxxx
/interface bridge
add admin-mac=48:A9:8A:0D:D9:B9 auto-mac=no name=bridge port-cost-mode=short \
    protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] comment="Broken, 100M only" disabled=yes
set [ find default-name=ether4 ] disabled=yes
/interface vlan
add interface=bridge loop-protect=off name=vlan22 vlan-id=22
add interface=bridge loop-protect=off name=vlan33 vlan-id=33
add interface=bridge loop-protect=off name=vlan66 vlan-id=66
/interface wifi channel
add band=5ghz-ax disabled=no frequency=5220,5280 name=5G skip-dfs-channels=\
    disabled width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2422,2467 name=2G skip-dfs-channels=\
    disabled width=20mhz
/interface wifi datapath
add bridge=bridge disabled=no name=spcam vlan-id=22
add bridge=bridge disabled=no name=piot vlan-id=66
add bridge=bridge client-isolation=yes disabled=no name=pgst vlan-id=33
add bridge=bridge disabled=no name=Tzcocot
/interface wifi security
add authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk disable-pmkid=yes \
    disabled=no ft=yes ft-over-ds=yes ft-preserve-vlanid=yes \
    management-protection=allowed name=spcam wps=disable
add authentication-types=wpa3-psk disable-pmkid=yes disabled=no ft=yes \
    ft-over-ds=yes ft-preserve-vlanid=yes management-protection=required \
    name=Tzcocot wps=disable
add authentication-types=wpa2-psk,wpa2-psk-sha2,wpa3-psk disable-pmkid=yes \
    disabled=no ft=yes ft-over-ds=yes ft-preserve-vlanid=yes \
    management-protection=allowed name=piot wps=disable
add disable-pmkid=yes disabled=no ft=yes ft-over-ds=yes ft-preserve-vlanid=\
    yes management-protection=allowed name=gsts wps=disable
/interface wifi configuration
add channel=5G country=Czech datapath=spcam disabled=no installation=indoor \
    mode=ap name=spcam security=spcam ssid=spcam
add channel=2G country=Czech datapath=piot disabled=no installation=indoor \
    mode=ap name=piot security=piot ssid=piot
add channel=5G country=Czech datapath=Tzcocot disabled=no installation=indoor \
    mode=ap name=Tzcocot security=Tzcocot ssid=Tzcocot
add country=Czech datapath=pgst disabled=no installation=indoor mode=ap name=\
    gsts security=gsts ssid=pgst
/interface wifi
set [ find default-name=wifi2 ] channel=2G configuration=piot \
    configuration.mode=ap disabled=no name=2g_iot
set [ find default-name=wifi1 ] configuration=spcam configuration.mode=ap \
    disabled=no name=5g_spcam
add configuration=Tzcocot configuration.country=Czech .mode=ap disabled=no \
    mac-address=4A:A9:8A:0D:D9:BD master-interface=5g_spcam name=5g_tzcocot
add configuration=gsts configuration.country=Czech .mode=ap mac-address=\
    4A:A9:8A:0D:D9:BE master-interface=2g_iot name=2g_gsts
add configuration=gsts configuration.country=Czech .mode=ap mac-address=\
    4A:A9:8A:0D:D9:BF master-interface=5g_spcam name=5g_gsts
/ip dhcp-server
add bootp-support=none disabled=yes interface=bridge lease-time=10m name=\
    dhcp_main
/ip ipsec proposal
set [ find default=yes ] disabled=yes
/ip pool
add name=dhcp_pool_spcam ranges=192.168.22.190-192.168.22.199
add name=dhcp_pool_gsts ranges=192.168.33.11-192.168.33.99
add name=dhcp_pool_iot ranges=192.168.66.190-192.168.66.199
/ip dhcp-server
add address-pool=dhcp_pool_spcam bootp-support=none disabled=yes interface=\
    vlan22 lease-time=2h name=dhcp_spcam
add address-pool=dhcp_pool_gsts bootp-support=none disabled=yes interface=\
    vlan33 lease-time=2h name=dhcp_gsts
add address-pool=dhcp_pool_iot bootp-support=none disabled=yes interface=\
    vlan66 lease-time=2h name=dhcp_iot
/port
set 0 name=serial0
/queue interface
set "2g_gsts" queue=only-hardware-queue
set "2g_iot" queue=only-hardware-queue
set "5g_gsts" queue=only-hardware-queue
set "5g_spcam" queue=only-hardware-queue
set "5g_tzcocot" queue=only-hardware-queue
/system logging action
set 3 remote=192.168.91.1 syslog-severity=notice
add name=Mayo remote=192.168.91.1 remote-log-format=syslog src-address=\
    192.168.91.252 syslog-facility=local0 syslog-severity=info target=remote
/certificate settings
set builtin-trust-anchors=not-trusted
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=5g_tzcocot internal-path-cost=10 path-cost=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=5g_spcam internal-path-cost=10 path-cost=10 pvid=22
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=2g_iot internal-path-cost=10 path-cost=10 pvid=66
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=2g_gsts internal-path-cost=10 path-cost=10 pvid=33
add bridge=bridge disabled=yes interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=5g_gsts internal-path-cost=10 path-cost=10 pvid=33
add bridge=bridge ingress-filtering=no interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=33
add bridge=bridge disabled=yes interface=ether4
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=*2000011
/ip settings
set ip-forward=no secure-redirects=no send-redirects=no
/ipv6 settings
set disable-ipv6=yes forward=no max-neighbor-entries=15360
/interface bridge vlan
add bridge=bridge comment=vlan22 tagged=ether5,bridge,ether1 untagged=\
    5g_spcam vlan-ids=22
add bridge=bridge comment=vlan1 tagged=bridge untagged=\
    ether5,ether1,5g_tzcocot vlan-ids=1
add bridge=bridge comment=vlan33 tagged=ether5,bridge,ether1 untagged=\
    ether3,2g_gsts,5g_gsts vlan-ids=33
add bridge=bridge comment=vlan66 tagged=ether5,ether1,bridge untagged=2g_iot \
    vlan-ids=66
/interface wifi access-list
add action=accept client-isolation=yes comment=cam4 disabled=no mac-address=\
    xxxxx ssid-regexp="^spcam\$"
add action=accept comment=van+ disabled=no mac-address=xxxx \
    ssid-regexp="^Tzcocot\$"

# about 30 MACs removed

add action=accept disabled=no ssid-regexp="^pgst\$"
add action=accept disabled=no ssid-regexp="^pgst\$"
add action=reject comment="Last entry - reject all" disabled=no
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled comment=5G disabled=no \
    master-configuration=spcam slave-configurations=Tzcocot,gsts \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled comment=2G disabled=no \
    master-configuration=piot slave-configurations=gsts supported-bands=\
    2ghz-ax
/ip address
add address=192.168.91.252/24 interface=bridge network=192.168.91.0
add address=192.168.22.252/24 interface=vlan22 network=192.168.22.0
add address=192.168.33.252/24 interface=vlan33 network=192.168.33.0
add address=192.168.66.252/24 interface=vlan66 network=192.168.66.0
/ip cloud
set update-time=no
/ip dhcp-server config
set accounting=no store-leases-disk=never
/ip dhcp-server lease
add address=192.168.66.40 comment=Riden mac-address=xxxxxx server=\
    dhcp_iot

# leases removed, DHCP servers are all time disabled, turned on for specific reason only, rare condition

/ip dhcp-server network
add address=192.168.22.0/24 dns-server=192.168.22.1 gateway=192.168.22.1 \
    netmask=24
add address=192.168.33.0/24 dns-server=192.168.33.1 gateway=192.168.33.1
add address=192.168.66.0/24 dns-server=192.168.66.1 gateway=192.168.66.1 \
    netmask=24
add address=192.168.91.0/24
/ip ipsec policy
set 0 disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set ftp disabled=yes
set winbox disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 nd
set [ find default=yes ] disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Prague
/system identity
set name=ax3
/system leds settings
set all-leds-off=after-1h
/system logging
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 action=memory disabled=yes
add action=Mayo prefix=mikrotik topics=!debug
add topics=!debug
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.91.1
/system routerboard settings
set auto-upgrade=yes
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool graphing interface
add store-on-disk=no
/tool graphing queue
add store-on-disk=no
/tool graphing resource
add store-on-disk=no
/tool mac-server
set allowed-interface-list=*2000011
/tool mac-server mac-winbox
set allowed-interface-list=*2000011
/tool sniffer
set filter-interface=ether1 filter-ip-address=192.168.66.77/32 memory-limit=\
    1000KiB only-headers=yes

CAP configuration:

# 2026-02-15 21:59:31 by RouterOS 7.20.8
# software id = xxxx
#
# model = cAPGi-5HaxD2HaxD
# serial number = xxxx
/interface bridge
add name=bridge port-cost-mode=short protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] loop-protect=off
set [ find default-name=ether2 ] disabled=yes loop-protect=off poe-out=off
/interface vlan
add disabled=yes interface=bridge loop-protect=off name=vlan22 vlan-id=22
add disabled=yes interface=bridge loop-protect=off name=vlan33 vlan-id=33
add disabled=yes interface=bridge loop-protect=off name=vlan66 vlan-id=66
/interface wifi datapath
add bridge=bridge disabled=no name=capdp
/interface wifi
# managed by CAPsMAN 48:A9:8A:0D:D9:B9%bridge, traffic processing on CAP
# mode: AP, SSID: spcam, channel: 5280/ax/eCee/DI
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no
# managed by CAPsMAN 48:A9:8A:0D:D9:B9%bridge, traffic processing on CAP
# mode: AP, SSID: piot, channel: 2467/ax
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no
/system logging action
set 3 remote=192.168.91.1
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
/ip settings
set ip-forward=no secure-redirects=no send-redirects=no
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=1
/interface wifi cap
set caps-man-addresses=192.168.91.252 discovery-interfaces=bridge enabled=yes
/ip address
add address=192.168.91.130/24 interface=bridge network=192.168.91.0
/ip cloud
set update-time=no
/ip ipsec policy
set 0 disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set ftp disabled=yes
set winbox disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 nd
set [ find default=yes ] disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Prague
/system identity
set name=capx
/system leds settings
set all-leds-off=after-1h
/system logging
set 3 action=memory
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.91.1

I think the question of why wifi stops working for all VLANs except VLAN 1 on the CAPsMAN device should be solved first. Maybe it became tagged, similar to the CAP?

Thanks for help.

I spent a lot of hours trying to enable the datapath without stopping wifi from working. With the CAP device turned off, I have just name, bridge and vlan-id in the datapath, nothing else. The datapath shouldn’t affect wifi on the CAPsMAN device, right? But it does. Or is it not possible to have APs on the CAPsMAN device itself and on the CAP at the same time?

I’m going to give it up :(

It’s resolved. I have to say big thanks to Google AI - the root cause is the AX device. AX devices handle VLAN tags on wifi interfaces in the driver (chipset, unsure). It means wifi interfaces on an AX CAPsMAN should be added as tagged bridge ports. When a VLAN is in the datapath, the driver’s behaviour will change.

I hope it will not violate the rules if I attach an abstract of the AI discussion.

ai-abstract.pdf (59.3 KB)
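The two fixes the thread arrives at (wifi ports with a datapath vlan-id as tagged bridge members on the AX3, and ether1 on the CAP as a trunk for VLANs 22, 33 and 66, as the second reply suggested), written out as an added example that is not from the original posts. Interface, VLAN and comment names come from the posted exports; the frame-types/pvid values and the assumption that CAPsMAN itself adds the CAP's dynamic wifi ports to the bridge VLAN table are my assumptions to verify on the device.

```routeros
# Added example (not from the original post). Interface and VLAN names come
# from the exports above; frame-types/pvid values are assumptions.

# ----- on ax3 (CAPsMAN, wifi-qcom driver tags frames itself) -----
# The wifi bridge ports must accept the tagged frames the driver hands to the
# bridge, so drop the untagged-only restriction and the access pvid.
/interface bridge port
set [ find interface=5g_spcam ] frame-types=admit-all pvid=1
set [ find interface=2g_iot ]   frame-types=admit-all pvid=1
set [ find interface=2g_gsts ]  frame-types=admit-all pvid=1
set [ find interface=5g_gsts ]  frame-types=admit-all pvid=1

# Every wifi interface whose datapath carries a vlan-id becomes a TAGGED
# member of that VLAN; it is removed from the untagged list.
/interface bridge vlan
set [ find comment=vlan22 ] tagged=ether5,bridge,ether1,5g_spcam untagged=""
set [ find comment=vlan66 ] tagged=ether5,ether1,bridge,2g_iot untagged=""
set [ find comment=vlan33 ] tagged=ether5,bridge,ether1,2g_gsts,5g_gsts \
    untagged=ether3
# 5g_tzcocot has no datapath vlan-id, so it stays untagged in VLAN 1 (unchanged).

# ----- on capx (CAP, "traffic processing on CAP") -----
# ether1 is the only uplink. Frames the CAP wifi ports tag for 22/33/66 can
# only leave the bridge if ether1 is a tagged member of those VLANs.
/interface bridge vlan
add bridge=bridge tagged=ether1 vlan-ids=22,33,66

# ----- checks (run on each device) -----
# Expect the wifi ports listed under "tagged" for their VLAN, and learned
# client MACs showing the right vid in the host table.
/interface bridge vlan print
/interface bridge host print where vid=22
```

If the CAP's dynamic wifi ports do not show up as tagged members after provisioning, add them to the same `/interface bridge vlan` entries on the CAP by hand.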