CAPsMAN setup fail - Chateau Pro AX with new wAP ax as repeater wanted

I have a Chateau Pro AX up and running as router. Wifi and guest wifi, everything running.

I want to add a new wAP AX as repeater using CAPsMAN because I want to use mesh.

So I tried following some guides, might have mixed something up as most are for older versions.

wAP reset to search for CAPsMAN, the default wifi disappears but it does not show up under “Remote CAPs”

Probably the problem:

/interface wifi capsman
set enabled=yes interfaces=wifi2,wifi5 package-path="" \
require-peer-certificate=no upgrade-policy=suggest-same-version

Try instead:

/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" \
require-peer-certificate=no upgrade-policy=suggest-same-version

1 Like

Thanks, that did not change anything though. It might work, but I doubt it unless I see the CAP showing up.

I might have missed something in config or provisioning. Or sec profiles?

I used QuickSet for the first setup, maybe that’s why?

It should work, it’s simple. I have many installations like this (the first router is a hAP ax2 instead of a Chateau, but it doesn’t matter).

What does the wAP ax say? Can’t connect to CAPsMAN, or managed by CAPsMAN?

How do I connect to the wAP? It doesn’t have its own wifi up and running, do I need to run a network cable to it? From android possible?

I missed one word - repeater - sorry. I thought that the Chateau and wAP were wired to each other (notably, this is the only good solution in my opinion), but if they aren’t, try this → https://www.youtube.com/watch?v=mBLI2shv94E

Will that be a real mesh with clients switching seamlessly? If not, I’ll grab a way cheaper non-mikrotik repeater and forget about all the hassle.

There are a few things about the configuration that look suspect to me (no master config in the provisioning entry, for example, and a default CAPsMAN client config on wAP, which I don't think would work for this). But I think a more fundamental problem is that this has a lot of moving parts and you're trying to tackle it all in one go.

If I was going to do this I would probably break it down into a few test stages.

  1. Get wired CAPsMAN working on the wAP with the basic CAPsMAN config via reset. This will verify the main router config. Debug as needed.
  2. Reset the wAP to defaults (no CAPsMAN mode). Use the examples from the documentation to apply a hybrid configuration on the wAP. This would be an .rsc you apply with a reset. One radio configured bridged for the repeater uplink, one radio CAPsMAN provisioned in ap mode. Test with wAP wired to the main router.
  3. Test with the final config from #2, but provisioned over wifi.

It seems like if you are using CAPsMAN for one radio on the wAP, and have ft and ft-over-ds enabled, you should get good client roaming from the main router to the wAP. Which is what I think you mean when you say mesh in that context. But that is still subject to client roaming choices.

If you need help, add the main router and wAP config as Preformatted text (the </> button) in a reply.

Remember to remove your serial number from the config.

Yeah, a lot of moving parts might be nice way of saying what’s going on haha

wAP is reset to default, do not see default wifi though argh. wired setup? to main ap? uhm, not gonna be easy hm unless i abuse something for a while

removed serial number and here we go
reverted a lot of stuff, probably not enough

I think capsman setup on main ap is fcked

20260122-config.txt (11.4 KB)

Yeah, the wifi configuration is a mess in general. Here's step zero

0. Create new WiFi Security, Channel and Configuration entries that match what you want for your main SSID. Create them in that order, and don't repeat yourself (don't set security options in the Configuration tab except to select the Security config by name). Test with it applied to one local radio. Make sure it is working.

0.a. Add a slave guest config to that one working config. Test.

0.b. Repeat for the other radio/freq.

0.c. After testing, disable all the older stuff and test again.

0.d. Delete the disabled entries.

It will be a lot easier to troubleshoot after you do this.

1 Like

On the Interface Wifi security tab I had to set Auth type and encryption so it would use the password.

it feels a lot cleaner already, thanks for that part!

20260122v2.rsc (11.7 KB)

Sure, those are Security settings. They should be set only in Security.

The main thing is to not have any security settings or channel settings set separately on the Configuration. When you open a Configuration entry in WinBox and look at the Channel and Security tab, the only selected entry should be the top one, where you’re choosing the Security or Channel entry that has all the configuration you need. That top line will have a white background, the options below have a gray background, meaning it’s coming from the named Channel or Security entry, not from this Configuration interface.

An example is the authentication-types. It is set properly here:

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes group-encryption=ccmp \
    group-key-update=1m15s management-protection=allowed name=sec-int wps=\
    disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes group-encryption=ccmp \
    group-key-update=1m19s management-protection=allowed name=sec-guest wps=\
    disable

Two security entries, one main, one guest. Perfect.

But it’s also set here, as security.authentication-types="", which is not good. Likewise the ft setting is duplicated here as well. I think if you look at the Configuration entries you will see these options with a white background in WinBox. Unset them and let these options be passed via the sec-int and sec-guest configs.

This may have come from using quickset or from an older default. If you want to use CAPsMAN I would recommend cleaning that up so that you know exactly where each option is set and it is set only once.

/interface wifi configuration
add antenna-gain=0 channel=channel5ghz country=Austria disabled=no mode=ap \
    name=cfg5 security=sec-int ssid=FAKE
add antenna-gain=5 channel=channel5ghz country=Austria disabled=no name=\
    cfg5guest security=sec-guest security.authentication-types="" .ft=yes \
    .ft-over-ds=yes ssid=FAKE
add antenna-gain=5 channel=channel2ghz country=Austria disabled=no mode=ap \
    name=cfg2 security=sec-int security.authentication-types=\
    wpa2-psk,wpa3-psk .encryption=ccmp,gcmp,ccmp-256,gcmp-256 ssid=\
    FAKE
add antenna-gain=5 channel=channel2ghz country=Austria disabled=no name=\
    cfg2guest security=sec-guest security.authentication-types="" ssid=\
    FAKE

And then encryption-types is also set here. As is encryption and mode=ap. You don’t need or want those here. All of that information should be passed via the configuration=cfg5 or cfg5guest entry. Setting it again could create problems when you need a change.

/interface wifi
set [ find default-name=wifi1 ] channel.frequency=5745 configuration=cfg5 \
    configuration.mode=ap disabled=no name=wifi5 \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256
add configuration=cfg5guest configuration.mode=ap disabled=no mac-address=\
    FAKE master-interface=wifi5 name=guest5 \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256

Once you get your main router config sorted and it has a CAPsMAN configuration, I would move the wAP next to it and wire it up to test. Have the wAP in a basic CAPsMAN client config via reset.

Once you get that working, here is where I would start with the cAP/wAP config if I was trying to get this working as you want. One radio repeater, one radio CAPsMAN-managed-ap.

This example is mostly from the help for Configuring repeater, but with only the wifi2 (2.4GHz) radio as uplink and the wifi1 (5GHz) radio provisioned via CAPsMAN. And enabling CAPsMAN discovery.

/interface wifi
set [ find default-name=wifi2 ] configuration.mode=station-bridge configuration.country=Austria .ssid=MYSSID disabled=no security.authentication-types=wpa2-psk,wpa3-psk .passphrase=MYPASS
set [ find default-name=wifi1 ] configuration.manager=capsman disabled=no

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface bridge
add auto-mac=no comment=defconf name=bridge
/interface bridge port
add interface=all bridge=bridge 
/interface list member
add comment=defconf interface=bridge list=LAN
/ip dhcp-client
add interface=bridge

/interface wifi cap
set discovery-interfaces=bridge enabled=yes

There isn’t as much need to keep the configuration “pure” for the wAP since you won’t be managing it directly. So the station-bridge radio config entry should have everything necessary to connect to your main router. You could opt to do this more cleanly with more lines.

The wifi1 line is the basic config for a CAPsMAN cAP client device.

The second block above bridges the ethernet ports with wifi (giving you the option to wire devices to this wAP, bridged to main router over wifi), and turns on dhcp-client on the bridge to obtain an IP address via dhcp so that you could manage it via IP with WinBox if desired.

The last line tells the wAP to discover the CAPsMAN on any interface on the bridge. So it should work wired or wireless.

That’s probably where I would start testing. Edit this as needed, save as an .rsc file. Upload the file to the wAP and reset it with the option selected to keep users, and run the uploaded .rsc after reset (options highlighted below).

You will have several possible outcomes:

  • Full success. wAP gets an IP from router, and broadcasts the SSID on 5GHz.
  • Partial success. wAP either has an IP but doesn’t broadcast, or vice versa.
  • Error in reset. If the wAP doesn’t get an IP at all the reset script may have failed. Try wiring to it and connect via MAC if possible and check the log for an error during reset.

Once that’s figured out…

If you want to also broadcast your SSID on the wAP 2.4GHz radio (so it’s repeating and ap) you could try adding this:

/interface/wifi
add configuration.mode=ap .ssid=MYSSID disabled=no master-interface=wifi2 name=wifi3 security.authentication-types=wpa2-psk,wpa3-psk .passphrase=MYPASS

For best performance I wouldn’t do this unless you must. And since it’s not provisioned via CAPsMAN I don’t think ft will happen. It might be that you could do this with manager=capsman. Not sure about that.

Thanks for all the detailed input, I’m working my way through it.

One thing: I have the security profiles set up, with auth type and encryption set. Plus passphrase (and management protection enabled and wps disabled).
I add these profiles to the configs. But as soon as I remove “Auth type” from the interface wifi itself, then the wifi is accessible without passphrase. So I have to duplicate those settings there. (Or I could remove them from security, which seems nonsensical.)

Then CAPsMAN enabled, interface bridge, upgrade suggest same version, and the two generated certs. That should be it for the router. Yikes.

If you look at a /interface/wifi/configuration export with authentication-types set on the Security tab of the Configuration you will see it in that config entry in the export.

With any optional setting in the UI, if you clear the entry it will result in the setting still being in the export output, but with ="", making it set as an empty value. I think that’s why you’re seeing the behavior you noted.

To unset a value rather than clear it, click the minus (-) next to a value, or in the case of a multi-select like authentication-types, click the arrow/chevron/caret (^) button next to the value name to collapse the items (making the button a down arrow). When you do that and apply it, the authentication-types setting should not appear in /interface/wifi/configuration export output.

1 Like
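The check discussed above (security settings repeated inline on an entry that already names a profile, including the `security.authentication-types=""` override the thread suspects of leaving the SSID open), as an added example that is not part of the thread and not MikroTik code. It is a Python lint over `export` text; `entries`, `lint` and `SAMPLE` are hypothetical names, the sample is constructed, and section headers are assumed to be in export style (`/interface wifi`, not `/interface/wifi`).

```python
import re
import shlex

# Constructed sample, modelled on the export lines quoted in the thread.
SAMPLE = r'''
/interface wifi configuration
add channel=channel5ghz name=cfg5 security=sec-int ssid=FAKE
add channel=channel5ghz name=cfg5guest security=sec-guest \
    security.authentication-types="" .ft=yes ssid=FAKE
/interface wifi
set [ find default-name=wifi1 ] configuration=cfg5 name=wifi5 \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp
'''

def entries(export):
    """Yield (section, props) per add/set line, joining backslash breaks."""
    section = ""
    for line in map(str.strip, re.sub(r"\\\n\s*", "", export).splitlines()):
        if line.startswith("/"):
            section = line
        elif line.startswith(("add ", "set ")):
            props, prefix = {}, ""
            for tok in shlex.split(line)[1:]:
                key, eq, val = tok.partition("=")
                if not eq:
                    continue                   # "[", "find", "]"
                if key.startswith("."):        # ".ft" continues "security."
                    key = prefix + key
                elif "." in key:
                    prefix = key.rsplit(".", 1)[0]
                props[key] = val
            yield section, props

def lint(export):
    """Flag inline security.* keys on entries that also name a profile."""
    findings = []
    for section, props in entries(export):
        if section not in ("/interface wifi", "/interface wifi configuration"):
            continue
        inline = sorted(k for k in props if k.startswith("security."))
        if inline and ("security" in props or "configuration" in props):
            empty = props.get("security.authentication-types") == ""
            findings.append(("EMPTY-AUTH" if empty else "DUPLICATE", section,
                             props.get("name", "?"), inline))
    return findings

if __name__ == "__main__":
    print(*lint(SAMPLE), sep="\n")
```

An entry that sets `security.*` inline without naming a Security or Configuration entry, like the station-bridge radio on the wAP, is not flagged.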

Well, progress is being made. main-router works, and finds wired ap and two new wifis show up when wired into the network

over wifi? nothing.

Also ap just won’t upgrade to new routeros but that’s something else entirely

I have a stupid datapath in there, and FT enabled

rest should be fine, but no dice

# 2026-02-02 13:59:22 by RouterOS 7.18.2
# software id = DQU5-4G9S
#
# model = wAPG-5HaxD2HaxD
# serial number = FAKE
/interface bridge
add admin-mac=FAKE auto-mac=no comment=defconf name=bridgeLocal
/interface list
add name=LAN
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN FAKEC1:DF%bridgeLocal
set [ find default-name=wifi1 ] configuration.country=Austria .manager=\
    capsman .mode=station-bridge .ssid=FAKE datapath=capdp \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
# managed by CAPsMAN FAKEF%bridgeLocal
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap .ssid=\
    FAKE datapath=capdp disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
add configuration.mode=ap .ssid=FAKE disabled=no mac-address=\
    FAKE master-interface=wifi1 name=wifi3 \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface list member
add comment=defconf interface=bridgeLocal list=LAN
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system clock
set time-zone-name=Europe/Vienna
/system note
set show-at-login=no

Your station bridge should not be managed by CAPsMAN, remove .manager=capsman from wifi1.

Next add .manager=capsman to wifi3. This interface should be controlled by CAPsMAN.

Last, add wifi1 as interface to /interface bridge port

not possible in WinBox

“device already added as bridge port”

I would expect it to work from CLI. Also from Winbox...sure wifi1 was no longer managed?

The message “device already added as bridge port” indicates that it was dynamically added by CAPsMAN. Did you remove (.manager=capsman) as mentioned prior to adding manually to the bridge?

Better...can you show the /interface wifi export?

/interface wifi
set [ find default-name=wifi1 ] configuration.country=Austria .mode=\
    station-bridge .ssid=WorldWideWeber datapath=capdp disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
# managed by CAPsMAN F4:1E:57:7B:C1:DF%bridgeLocal
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap .ssid=\
    FAKE datapath=capdp disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
add configuration.mode=ap .ssid=FAKE disabled=no mac-address=\
    06:F4:1C:65:23:E8 master-interface=wifi1 name=wifi3 \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp