CAPsMAN v2 centralized forwarding (wifi-qcom & wifi-qcom-ac)

Hi there,
I have a rather simple but really bothering problem. In my network I use multiple devices: cAP ac, wAP ac, wAP ax and cAP ax.
All of them are connected to HEX S acting as a CAPsMAN v2.
All of the devices run ROS and FW version of 7.21.2

Now given the amount of switches between the APs I wanted to make a maximal use of the new capsman-forwarding mode (all the traffic goes to capsman and is processed there (with VLANs)). Everything works with the cAP ax/wAP ax devices flawlessly. But when it comes to cAP ac and wAP ac, they both give the same error: “data channel not supported”. I know that VLANs are not supported on the wifi-qcom-ac, so I tried without them… but the exact same result.

My questions are:

  1. Am I doing something wrong, is there a way to make it work? Or is it not supported?
  2. If it’s not supported, are you MikroTik going to add the support? (it would be awesome, utilization of ac devices is still up to date)
  3. And if so, is the capsman-forwarding mode going to be able to implement the VLANs the same way as wifi-qcom driver (bcs it is processed on the capsman itself)?

Otherwise great work with the new drivers and devices, I was able to implement them in quite a few new projects and they are capable of handling not a small number of devices roaming all over the place. And also the detailed “registered” view is an absolutely awesome debugging tool.

Thanks if you try to help!!

CAPsMAN config (WiFi part):

# 2026-02-22 21:33:21 by RouterOS 7.21.2
# software id = **********
#
# model = RB760iGS
# serial number = ********
/interface wifi channel
add band=5ghz-ax disabled=no frequency=5180 name=channel-5GHz width=20/40mhz-Ce
add band=2ghz-ax disabled=no frequency=2412 name=channel-2,4GHz width=20mhz
/interface wifi security
add authentication-types=wpa2-psk disable-pmkid=no disabled=no encryption=ccmp ft=yes ft-over-ds=yes ft-preserve-vlanid=yes group-encryption=ccmp management-encryption=cmac management-protection=allowed name=sec1-Doma
add authentication-types=wpa2-psk disabled=no encryption=ccmp ft=yes ft-over-ds=yes ft-preserve-vlanid=yes group-encryption=ccmp management-protection=allowed name=sec2-Doma-IoT
/interface wifi steering
add disabled=no name=steering rrm=yes transition-request-count=5 transition-request-period=30s transition-threshold=-75 transition-threshold-time=5s wnm=yes
/interface wifi
# operated by CAP 10.0.0.22, traffic processing on CAPsMAN (no encryption)
add channel=channel-2,4GHz channel.frequency=2437 configuration=config-Doma configuration.mode=ap disabled=no name=cap-obyvak-2 radio-mac=F4:1E:57:2D:2C:06
# operated by CAP 10.0.0.22, traffic processing on CAPsMAN (no encryption)
add channel=channel-5GHz channel.frequency=5180 configuration=config-Doma configuration.mode=ap disabled=no name=cap-obyvak-5 radio-mac=F4:1E:57:2D:2C:07
# operated by CAP 10.0.0.21, traffic processing on CAPsMAN (no encryption)
add channel=channel-2,4GHz channel.frequency=2412 configuration=config-Doma configuration.mode=ap disabled=no name=cap-puda-2 radio-mac=F4:1E:57:2E:94:9E
# operated by CAP 10.0.0.21, traffic processing on CAPsMAN (no encryption)
add channel=channel-5GHz channel.frequency=5220 configuration=config-Doma configuration.mode=ap disabled=no name=cap-puda-5 radio-mac=F4:1E:57:2E:94:9F
# operated by CAP 10.0.0.24
# data channel not supported
add channel=channel-2,4GHz channel.frequency=5180 configuration=config-Doma configuration.mode=ap disabled=no name=cap-stodola-2 radio-mac=18:FD:74:55:FD:84
# operated by CAP 10.0.0.24
# data channel not supported
# vlan-id configured, but interface does not support assigning vlans
add channel=channel-5GHz configuration=config-Doma configuration.mode=ap disabled=no name=cap-stodola-5 radio-mac=18:FD:74:55:FD:85
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=vlan99-MGMT
/interface wifi configuration
add datapath.bridge=bridge1 disabled=no mode=ap multicast-enhance=enabled name=config-Doma-IoT security=sec2-Doma-IoT ssid=Doma-IoT
add country="United States" datapath=datapath1-LAN disabled=no dtim-period=10 mode=ap multicast-enhance=enabled name=config-Doma security=sec1-Doma security.wps=disable ssid=Doma steering=steering
/interface wifi datapath
add bridge=bridge1 client-isolation=no disabled=no name=datapath1-LAN traffic-processing=on-capsman vlan-id=10

CAP config (whole system, deleted unrelated):

# 2026-01-28 13:58:03 by RouterOS 7.21.2
# software id = ********
#
# model = RBwAPG-5HacD2HnD
# serial number = ******
/interface bridge
add name=bridge-cap vlan-filtering=yes
/interface wifi
# managed by CAPsMAN 10.0.0.1
set [ find default-name=wifi1 ] configuration.manager=capsman
# managed by CAPsMAN 10.0.0.1
set [ find default-name=wifi2 ] configuration.manager=capsman
/interface vlan
add interface=bridge-cap name=vlan99-MGMT vlan-id=99
/interface bridge port
add bridge=bridge-cap interface=ether1
add bridge=bridge-cap interface=ether2
/interface bridge vlan
add bridge=bridge-cap tagged=ether1,ether2,bridge-cap vlan-ids=99
/interface wifi cap
set caps-man-addresses=10.0.0.1 certificate=request enabled=yes lock-to-caps-man=no
/ip address
add address=10.0.0.24/24 interface=vlan99-MGMT network=10.0.0.0
/ip dns
set servers=10.10.0.1
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1

I've tried this and the performance is not there. If you want to get more than 50Mb, let your CAPs process everything and use CAPsMAN only for configuration.
The hEX S has a small CPU, it will be saturated quickly; I've tried with CRS310 and RB5009. These are my results

I have no lab with both ac/ax systems, due to VLAN datapath complexity.

Try reading the documentation

“CAPsMAN forwarding is not supported by wifi-qcom-ac devices (wifi-qcom-ac drivers only support local forwarding).”
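
The status comments in the first post's CAPsMAN export already show which radios fell back from forwarding and which ones carry the "(no encryption)" note. The following is an added example, not code from the thread or from MikroTik, that reads those comments out of an export; the function name and finding labels are made up here, and the sample is a shortened copy of that export.

```python
import re

# Constructed sample: first post's "/interface wifi" export, trimmed.
SAMPLE_EXPORT = """\
/interface wifi
# operated by CAP 10.0.0.22, traffic processing on CAPsMAN (no encryption)
add configuration=config-Doma name=cap-obyvak-5 radio-mac=F4:1E:57:2D:2C:07
# operated by CAP 10.0.0.24
# data channel not supported
# vlan-id configured, but interface does not support assigning vlans
add configuration=config-Doma name=cap-stodola-5 radio-mac=18:FD:74:55:FD:85
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=vlan99-MGMT
"""

# Status text as it appears in the export -> short label (labels are made up here).
FINDINGS = {
    "data channel not supported": "forwarding-unsupported",
    "interface does not support assigning vlans": "vlan-not-applied",
    "traffic processing on CAPsMAN (no encryption)": "forwarded-no-encryption",
}

def audit_wifi_export(text):
    """Return one dict per radio under '/interface wifi' with its findings."""
    radios, pending, in_wifi = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_wifi = line == "/interface wifi"  # exact match skips sub-menus
            pending = []
        elif in_wifi and line.startswith("#"):
            pending.append(line.lstrip("# "))    # status applies to the next item
        elif in_wifi and line.startswith("add "):
            fields = dict(re.findall(r"(\S+?)=(\S+)", line))
            status = " | ".join(pending)
            cap = re.search(r"operated by CAP ([\d.]+)", status)
            radios.append({
                "name": fields.get("name"),
                "radio_mac": fields.get("radio-mac"),
                "cap": cap.group(1) if cap else None,
                "findings": sorted(v for k, v in FINDINGS.items() if k in status),
            })
            pending = []
    return radios

if __name__ == "__main__":
    for r in audit_wifi_export(SAMPLE_EXPORT):
        print(r["name"], r["cap"], ", ".join(r["findings"]) or "ok")
```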

Basically, what @Ca6ko says.

I used to have a mix of ac and ax devices, with slightly different configurations as described below, but I moved the ac devices to the cardboard box because they require a different configuration. Having said that, they all interoperated off the one CAPsMAN server. The distinction is this:

ax devices use wifi-qcom package and the datapath can be set on the CAPsMAN. So on the ax Access Point, the wireless interfaces appear with the vLAN specified by the CAPsMAN and are connected [automatically? I don't remember] to the vLANs tagged.

ac devices use the wifi-qcom-ac package and the datapath cannot be set by the CAPsMAN. So on the ac Access Point, the wireless interfaces appear with no vLAN specified and must be connected to the vLANs untagged.

edited: On the CAPsMAN, [as best as I can remember it] separate main configurations are required for ax and ac devices, with the datapath specified or not. These configurations can share security profiles. An auxiliary configuration is also required for the ac devices as indicated in the link provided by @Ca6ko. This auxiliary configuration has the datapath DP_AC. Further configuration pairs of main and auxiliary are required for slaves such as Guest and IoT networks.

edited: This is then brought together at provisioning, when two rules provide the main configurations for master and slaves for ac and ax respectively. A third provisioning rule then provides the auxiliary configurations for masters and slaves to the ac devices only.

Thanks for the test and I completely agree with them. Capsman forwarding on the new capsman is quite CPU heavy and I myself found the huge speed difference between the modes. I'm actually interested to do some more tests by myself bcs it seems like the capsman works in a way: 1 connection 1 core.. I have never really got the HEX CPU usage over 30% with single device test.

This network is my own at home so I'm really mainly trying new things there. And in the past I used to run old CAPsMAN with CAPsMAN-forwarding and I got speeds over 150Mbps (WiFi bottleneck).

Hope MikroTik will increase forward mode efficiency, but it's really nice to see that they are moving forward with adding support for those features.

Yea at start, I must have overlooked the note in documentation (no harm I had those devices for a long time now, just trying to get the max out of them), sorry.

And to your point I agree, it's frustrating.. and even more so, that almost everything else works well (most of the time), but the VLANs, in modern networks, they are absolutely crucial. Having the ability to do VLANs config only at CAPsMAN for as devices is a huge time saver and allows to be much more dynamic with WiFi networks (e.g. start new WiFi for some event in a matter of minutes).

I would be quite interested in your opinion guys, if MikroTik would add the support for similar VLAN configuration on 802.11ac devices, would you use them?

And is there anything else that's problematic for you?