Hi, I am a beginner user of RouterOS. I have encountered a problem of not being able to connect to one of the vlans. I have 3 villans, one mgmt for capsamana and 2 configured the same for users, one connects without a problem, the ip address is stuck. However, I cannot connect to the other, the message is network connection error.
I have the same rules for vlans on FW.
Can I ask you for support, suggestions
Sure…go ahead.
Like: share config:
/export file=anynameyoulike
Remove the serial and any other private info.
You did read the documentation?
https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-CAPsMAN-CAPVLANconfigurationexample:
Hey, thanks for such a quick response
Yes of course I read it, without the documentation and YT, I wouldn’t do it. Although I don’t hide the fact that not everything is clear to me in the documentation.
So ,i can connect to the Stou_CAP_Iot network, but I cannot connect to the Stou_CAP_home network.
my config :
# 2024-09-29 18:51:32 by RouterOS 7.15.3
# software id = 9L00-VFBB
#
# model = C52iG-5HaxD2HaxD
# serial number =
/interface bridge
add admin-mac=auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface wifi
set [ find default-name=wifi1 ] configuration.mode=ap
set [ find default-name=wifi2 ] configuration.mode=ap
/interface vlan
add interface=bridge name=vlan-10-home vlan-id=10
add interface=bridge name=vlan-20-iot vlan-id=20
add interface=bridge name=vlan-33-mgmt vlan-id=33
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412 name=ch-2G-ax width=20mhz
add band=2ghz-n disabled=no name=ch-2G-n width=20mhz
add band=5ghz-ax disabled=no frequency=5180 name=ch-5G-ax skip-dfs-channels=\
all width=20/40/80mhz
add band=5ghz-ac disabled=no name=ch-5G-ac skip-dfs-channels=all width=\
20/40/80mhz
/interface wifi datapath
add client-isolation=no disabled=no name=datapath-home vlan-id=10
add client-isolation=yes disabled=no name=datapath-iot vlan-id=20
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
name=sec-home
add authentication-types=wpa-psk,wpa2-psk disabled=no ft=yes ft-over-ds=yes \
name=sec-iot
/interface wifi configuration
add channel=ch-2G-ax country="United States" datapath=datapath-home disabled=\
no mode=ap name=cfg-home-2G-ax security=sec-home ssid=Stou_CAP_home \
tx-power=22
add channel=ch-2G-n country="United States" datapath=datapath-home disabled=\
no mode=ap name=cfg-home-2G-n security=sec-home ssid=Stou_CAP_home \
tx-power=22
add channel=ch-5G-ax country="United States" datapath=datapath-home disabled=\
no mode=ap name=cfg-home-5G-ax security=sec-home ssid=Stou_CAP_home \
tx-power=22
add channel=ch-5G-ac country="United States" datapath=datapath-home disabled=\
no mode=ap name=cfg-home-5G-ac security=sec-home ssid=Stou_CAP_home \
tx-power=22
add channel=ch-2G-n country=Poland datapath=datapath-iot disabled=no mode=ap \
name=cfg-iot-2G-n security=sec-iot ssid=Stou_CAP_iot
add channel=ch-2G-ax country=Poland datapath=datapath-iot disabled=no mode=ap \
name=cfg-iot-2G-ax security=sec-iot ssid=Stou_CAP_iot
add channel=ch-5G-ac country=Poland datapath=datapath-iot disabled=no mode=ap \
name=cfg-iot-5G-ac security=sec-iot ssid=Stou_CAP_iot
add channel=ch-5G-ax country=Poland datapath=datapath-iot disabled=no mode=ap \
name=cfg-iot-5G-ax security=sec-iot ssid=Stou_CAP_iot
/interface wifi steering
add disabled=no name=steering_Stou_CAP_home neighbor-group=\
dynamic-Stou_CAP_home-f18a66d1 rrm=yes wnm=yes
add disabled=no name=steering_Stou_CAP_iot neighbor-group=\
dynamic-Stou_CAP_iot-c6d7975b rrm=yes wnm=yes
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool2 ranges=20.20.20.2-20.20.20.254
add name=dhcp_pool3 ranges=10.33.33.2-10.33.33.254
add name=dhcp_pool6 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=dhcp_pool2 interface=vlan-20-iot name=dhcp-vlan-20
add address-pool=dhcp_pool3 interface=vlan-33-mgmt name=dhcp-vlan-33
add address-pool=dhcp_pool6 interface=vlan-10-home name=dhcp-vlan-10
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=20
add bridge=bridge tagged=bridge,ether2,ether3 vlan-ids=33
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi capsman
set ca-certificate=auto enabled=yes interfaces=vlan-33-mgmt package-path="" \
require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
cfg-home-2G-ax slave-configurations=cfg-iot-2G-ax supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
cfg-home-5G-ax slave-configurations=cfg-iot-5G-ax supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=.*ac.* \
master-configuration=cfg-home-2G-n slave-configurations=cfg-iot-2G-n \
supported-bands=2ghz-n
add action=create-dynamic-enabled disabled=no identity-regexp=.*ac.* \
master-configuration=cfg-home-5G-ac slave-configurations=cfg-iot-5G-ac \
supported-bands=5ghz-ac
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=10.10.10.1/24 interface=vlan-10-home network=10.10.10.0
add address=20.20.20.1/24 interface=vlan-20-iot network=20.20.20.0
add address=10.33.33.1/24 interface=vlan-33-mgmt network=10.33.33.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=192.168.88.1 gateway=10.10.10.1
add address=10.33.33.0/24 dns-server=192.168.88.1 gateway=10.33.33.1
add address=10.40.40.0/24 dns-server=192.168.88.1 gateway=10.40.40.1
add address=20.20.20.0/24 dns-server=192.168.88.1 gateway=20.20.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
add address=192.168.90.0/24 gateway=192.168.90.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
add action=accept chain=input in-interface=vlan-10-home
add action=accept chain=input in-interface=vlan-20-iot
add action=accept chain=input in-interface=vlan-33-mgmt
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether1
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Warsaw
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# 2024-09-29 18:52:17 by RouterOS 7.15.3
# software id = V4TH-LBHQ
#
# model = cAPGi-5HaxD2HaxD
# serial number =
/interface bridge
add name=bridge-wifi vlan-filtering=yes
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: Stou_CAP_home, channel: 5180/ax/Ceee
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
disabled=no
# managed by CAPsMAN
# mode: AP, SSID: Stou_CAP_home, channel: 2412/ax
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
disabled=no
/interface vlan
add interface=bridge-wifi name=vlan-33-mgmt vlan-id=33
/interface wifi datapath
add bridge=bridge-wifi disabled=no name=data-cap
/interface bridge port
add bridge=bridge-wifi interface=ether1
/interface bridge vlan
add bridge=bridge-wifi tagged=bridge-wifi,ether1 vlan-ids=10
add bridge=bridge-wifi tagged=bridge-wifi,ether1 vlan-ids=20
add bridge=bridge-wifi tagged=bridge-wifi,ether1 vlan-ids=33
/interface wifi cap
set caps-man-addresses=10.33.33.1 enabled=yes slaves-datapath=data-cap
/ip dhcp-client
add interface=vlan-33-mgmt
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=CAP_1_Flor
/system note
set show-at-login=no
You are missing bridge configuration for wifi interfaces.
CAPsMAN
/interface wifi
set [ find default-name=wifi1 ] configuration.mode=ap datapath.bridge=bridge
set [ find default-name=wifi2 ] configuration.mode=ap datapath.bridge=bridge
CAP
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap
disabled=no datapath.bridge=bridge-wifi
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap
disabled=no datapath.bridge=bridge-wifi
Do not forget that CAPsMAN can not control local interfaces, just apply configuration directly to the interface.
It works!! 
Thank you for your help and commitment
I have one more question, to assign for example vlan 10 to ether5 port, I should do this:
add bridge=bridge interface=ether5 pvid=10
theoretically it works and gets the right address, but is this ok?
by the way, great material, f you are a beginner like me I recommend:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Appart from using ether5 instead of wlan5 (typo?), indeed all you have to do is:
/interface bridge port
add bridge=bridge1 interface=ether5 pvid=10
# optional
/interface bridge vlan
add bridge=BR1 tagged=bridge1 untagged=ether5 vlan-ids=10
yes, my mistake. Thanks for the confirmation and alternative solution
That’s not really “alternate” solution, you should use both settings. And also set frame-types allowed on the port…
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=ether2 pvid=10
admit-only-vlan-tagged for trunks and admit-only-untagged-and-priority-tagged for access ports.
I’m trying to implement something like this :
the diagram used by user “pcunite” from the post http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1 has been modified for educational purposes.
I wonder if what you wrote is necessary in this case?
I’m some how missing the other CAP in that picture?
this is what it looks like
I have one more question for you. I connected 3 Cap, when in the cap options I select certificate request, I cannot connect to capsman. However, when I choose the no certificate option, it works fine. The remaining 2 work with a certificate
Don’t you have require-peer-certificate set to yes? (on CAPsMAN)
/interface wifi capsman
set ca-certificate=auto enabled=yes interfaces=vlan-33-mgmt package-path="" \
require-peer-certificate=no upgrade-policy=none
Exactly. But when I connected the previous 2 CAPs, the certificates were granted without any problems. Should I now export the certificate and add it to the third CAp? I don’t understand why there was no problem with the other 2.
Please.. Do not overthink that.. Simply set it to no, join another CAP and then enable it again..
Hi, of course I did it before writing the post 
, unfortunately it didn’t help. Even resetting the CAP configuration didn’t help. When I enable the option: Certificate - request and immediately loses connection with capsman, regardless of whether I enable or disable the certificate in capsman.
The problem was solved, deleting the certificates and re-issuing solved the problem