CAPsMAN v2 master/slave provisioning profile

Dear All,
I'm trying to understand the difference between the master and slave configuration in CAPsMAN's provisioning tab. I'm using AX devices, so I'm able to define datapath VLANs from the controller, and everything works fine for all slave configurations, while the master configuration does not send packets through the defined datapath.
If I set up a "radio parameter only configuration" (so with no SSID defined), the slave configurations stop working.
As a workaround, I've created a "temp" network with a hidden SSID, but I'm quite sure that this is not the right way to proceed.
Thank you so much for your help.

Slave configuration is what you apply on the master radio as separate wifi interface.
A virtual interface using the same carrier, if you want.

It uses the same physical settings as master radio (=frequency, channel width, ...) but all the rest can be different (SSID, security, roaming, ...).
So on slave configurations, you only start from those settings, leave physical settings for master.

Without seeing your config, it will be difficult for anyone to see where you went wrong with your setup.
My first guess would be datapath used for master.
Or maybe you applied a configuration for a 2GHz radio on a 5GHz radio? That will not work either.

Did you have a close look at the examples provided in the MikroTik Help pages?
They are dense but should allow you to understand how it has to be done.

If I do not provide any SSID (like only country), the slave configurations stop working.

That's my doubt too.

No, there are no differences.

Using /interface/wifi/capsman

[admin@coreSwitch] /interface/wifi/capsman> print 
enabled: yes                         
interfaces: MGNG 
require-peer-certificate: no                          
package-path:
upgrade-policy: suggest-same-version        
generated-ca-certificate: WiFi-CAPsMAN-CA-F41E57E27EE7
generated-certificate: WiFi-CAPsMAN-F41E57E27EE7   

I know that this information is not so useful, but I didn't find any other way to export that (except multiple screenshots).

Yes, but why do they also provide an SSID in the master config?

You have to provide ssid on slave config.
But not country.

See examples again.

Dear Holvoetn,
I've checked, again, the examples and the country is assigned to the master configuration (in the one with no VLAN).

/interface wifi configuration
add country=Latvia name=5ghz security=sec1 ssid=CAPsMAN_5
...
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=5ghz slave-configurations=5ghz_v supported-bands=\

I don't want to be rude, but I'm really not understanding.

How would you like it to work?

You have to have a master and zero or more slave configurations.
Can you provide your current config?

/export file=anynameyoulike

Remove serial and any other private info, post between preformatted text tags by using the </> button.

Here you are

# 2025-08-08 08:21:44 by RouterOS 7.19.4
# software id = W0I6-ZT20
#
# model = RB5009UG+S+
# serial number = <hidden>
/interface bridge
add admin-mac=F4:1E:57:E2:7E:E8 auto-mac=no comment=defconf name=bridge \
    protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=bridge loop-protect=off name=MGNG vlan-id=99
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi configuration
add comment="This network is required to make the slaves configurations work" \
    country=Italy disabled=no mode=ap name=master \
    security.authentication-types=wpa2-psk ssid=temp
add comment="waiting for Andrea to connect some devices to new ssid" \
    disabled=no hide-ssid=yes name=magazzino-tmp \
    security.authentication-types=wpa2-psk ssid=Magazzino
/interface wifi datapath
add bridge=bridge disabled=no name=office-path traffic-processing=on-cap \
    vlan-id=10
add bridge=bridge disabled=no name=home-datapath traffic-processing=on-cap \
    vlan-id=20
/interface wifi configuration
add comment="waiting for Andrea to connect some devices to new ssid" country=\
    Italy datapath=office-path disabled=no hide-ssid=yes name=Ufficio-tmp \
    security.authentication-types=wpa2-psk ssid=Ufficio
/interface wifi security
add authentication-types=wpa2-psk disabled=no ft=yes ft-mobility-domain=0x2 \
    ft-over-ds=yes ft-preserve-vlanid=yes group-key-update=1h name=\
    home-password wps=disable
add authentication-types=wpa2-psk disabled=no ft=yes ft-mobility-domain=0x1 \
    ft-over-ds=yes ft-preserve-vlanid=yes group-key-update=1h name=\
    office-password wps=disable
/interface wifi steering
add disabled=no name=home-steering neighbor-group=dynamic-Badia-Casa-f41832a9 \
    rrm=yes wnm=yes
add disabled=no name=office-steering neighbor-group=\
    dynamic-Badia-Ufficio-62cbb492 rrm=yes wnm=yes
/interface wifi configuration
add channel.skip-dfs-channels=disabled country=Italy datapath=home-datapath \
    datapath.bridge=bridge disabled=no mode=ap name=badia-casa security=\
    home-password ssid=Badia-Casa steering=home-steering
add channel.skip-dfs-channels=disabled country=Italy datapath=office-path \
    datapath.bridge=bridge disabled=no mode=ap name=badia-ufficio security=\
    office-password ssid=Badia-Ufficio steering=office-steering
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=temp ranges=192.168.99.100-192.168.99.199
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether1
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether2
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether3
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether4
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether5
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether6 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether7 pvid=99
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=office tagged=\
    ether1,ether2,ether3,ether4,ether5,sfp-sfpplus1 untagged=ether6 vlan-ids=\
    10
add bridge=bridge comment=home tagged=\
    ether1,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 vlan-ids=20
add bridge=bridge comment=MGNG tagged=\
    bridge,ether1,ether2,ether3,ether4,ether5,ether6,sfp-sfpplus1 untagged=\
    ether7 vlan-ids=99
/interface list member
add comment=defconf interface=bridge list=LAN
/interface wifi access-list
add action=reject disabled=no signal-range=-120..-78
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=\
    -77..0
/interface wifi capsman
set enabled=yes interfaces=MGNG package-path="" require-peer-certificate=no \
    upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=master \
    slave-configurations=badia-casa,badia-ufficio,Ufficio-tmp,magazzino-tmp
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add comment=defconf interface=ether1
add default-route-tables=main interface=MGNG
/ip dhcp-server network
add address=192.168.99.0/24 comment="temp for dhcp" dns-server=1.1.1.1 \
    gateway=192.168.99.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip service
set www-ssl disabled=no
set winbox address=0.0.0.0/0
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=coreSwitch
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Thank you so much in advance for your help

Eerrm ... I hope that router is not connected directly to the World ...
There is no decent firewall?

Excuse me for saying this but this config looks like a mess...

Where is the main router for that setup? I am missing quite a bit of VLAN info.
You define VLAN 99 for MGNG but where are 10 and 20 ?
You use them in your datapath settings so they have to be somewhere.

What is your uplink trunk towards the router doing the VLAN stuff?

Wifi part:
You define a configuration but no channel on the master interface. So it's left to AUTO. Personally, I NEVER do that. I want to know which frequency goes where. But that's me.

However, on your slave configs you DO specify country, channel, channel.skip-dfs-channels=disabled, ... That's an error. Those settings come from the master config. Not to be used on slave config.

This part:

/interface wifi access-list
add action=reject disabled=no signal-range=-120..-78
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=\
    -77..0

Remove. Client devices may totally avoid your APs when they get treated like this. This is what roaming/steering is for (IF properly set up).

Generic:
This part is an indication of misconfig:

/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add comment=defconf interface=ether1

You can not have a DHCP client on an interface which is part of a bridge. And from what I see, ether1 is part of the bridge (is that the uplink trunk?).
Where is the default route then to your other router (if there is one) ?

How I do it (DRY principle = Don't Repeat Yourself):
1- define separate security profiles for all needed SSIDs. In those profiles, also indicate if steering needs to be used or not. Don't touch the steering section anymore later on! One place to configure it. Not all over the place.
2- define channels to be used (again, I don't leave things to auto, I want to know what AP gets which frequency)
3- create needed datapath settings (but make sure your VLAN settings are ok).
4- create master config for 2GHz using SSID, security from 1, channel from 2, country settings, datapath from 3, etc.
5- repeat for 5GHz
6- create all required slave profiles only using SSID and security from 1, datapath from 3
7- provision radio (I use MAC address) using master from 4 or 5 (depending on what radio it is) and slave (or multiple) from 6

Then ... in Radio tab (or Remote CAP), select all lines and hit Provision.
Theoretically it should do this automatically but in my experience it doesn't always (mostly not).

But you first need to sort out the generic IP settings and/or VLAN part as well.
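As an added example (not configuration from this thread, from the poster, or from MikroTik's documentation), here is one way to lay out the seven steps above in RouterOS 7 wifi CLI syntax; it is the same master/slave split explained earlier in the thread: radio-level settings (country, channel) live only on the master, while slaves carry just SSID, security and datapath. The profile names, VLAN IDs, radio MAC addresses and the passphrase placeholders are assumptions chosen for the example.

```routeros
# Added example, not from the original post. Names, VLAN IDs, MACs and the
# CHANGE-ME passphrases are placeholders; substitute your own values.

# 1. One security profile per SSID. 802.11r fast transition (ft) is configured
#    here once, so it is not repeated in every configuration.
/interface wifi security
add name=office-password authentication-types=wpa2-psk \
    passphrase="CHANGE-ME-office" ft=yes ft-over-ds=yes wps=disable
add name=home-password authentication-types=wpa2-psk \
    passphrase="CHANGE-ME-home" ft=yes ft-over-ds=yes wps=disable

# 2. Explicit channels, so each radio's frequency is known rather than AUTO.
/interface wifi channel
add name=ch-2g-1 band=2ghz-ax frequency=2412 width=20mhz
add name=ch-5g-36 band=5ghz-ax frequency=5180 width=20/40/80mhz

# 3. One datapath per VLAN. The bridge must already list these VLAN IDs under
#    /interface bridge vlan, with vlan-filtering=yes, or the traffic goes nowhere.
/interface wifi datapath
add name=office-path bridge=bridge vlan-id=10 traffic-processing=on-cap
add name=home-path bridge=bridge vlan-id=20 traffic-processing=on-cap

# 4./5. Master configurations carry the radio-level settings (country, channel)
#    plus the first SSID; one per band.
/interface wifi configuration
add name=master-2g country=Italy channel=ch-2g-1 mode=ap \
    ssid=Badia-Ufficio security=office-password datapath=office-path
add name=master-5g country=Italy channel=ch-5g-36 mode=ap \
    ssid=Badia-Ufficio security=office-password datapath=office-path

# 6. Slave configuration: only SSID, security and datapath. No country and no
#    channel; the virtual interface inherits those from the master radio.
add name=slave-home ssid=Badia-Casa security=home-password datapath=home-path

# 7. Provisioning per radio MAC: master chosen by band, slaves appended.
/interface wifi provisioning
add action=create-dynamic-enabled radio-mac=00:11:22:33:44:50 \
    master-configuration=master-2g slave-configurations=slave-home
add action=create-dynamic-enabled radio-mac=00:11:22:33:44:51 \
    master-configuration=master-5g slave-configurations=slave-home
```

After pasting this, the quick sanity check is to print /interface wifi configuration and confirm that every entry named in slave-configurations has no country or channel set; a slave that repeats those is the misconfiguration the reply above calls out. The datapath VLAN IDs (10 and 20 here) should appear in /interface bridge vlan on the controller and, with traffic-processing=on-cap, on each CAP's own bridge as well.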

The device is behind an OPNsense firewall, and is now used only as a switch and for CAPsMAN.

It's the first time using a MikroTik device, I'm here to learn something new :slight_smile:

These are the ones where the clients connect. They are different logical networks, with, of course, different firewall rules.

I'm using them as tagged ports in the Bridge --> VLANs tab. Since I don't want the WebFig page to be accessible from these VLANs, I do not create any Interfaces -> VLAN configuration (so that it is working as a layer 2 device).

Ok, thank you

Sorry, you are right. This configuration has remained unchanged from the default configuration.

I follow these suggestions exactly, but this error still persists.

It seems that I have the same issues as @mattiarainieri… I do not know how to map my thoughts to the CAPsMAN config.

Let's have a higher-level example:
cAPs are located in some countries C1, C2, … with their local regulations
country specific is at least COUNTRY and CHANNEL
AND I want to provide in all locations the same SSIDs, security settings, …

design idea:
basic level is: all country specifics (like COUNTRY, CHANNELs, …)
global level is: SSIDs, security, …

So, I set up:
a CONFIGURATION with the COUNTRY, linking a CHANNEL config for each country (but no SSID … because that is the global level)
I set up a CONFIGURATION with the global settings like SSID, security, …

Now I create a PROVISIONING with the basic level as MASTER, and all global levels as slaves.

The result is that I get an error message for the master, "SSID not set" (which is true .. by design), and all the slaves do not come up.

OK .. I understand that my design is not matching the configuration requirements :innocent:

BUT how to achieve a running system, easy to config/maintain?
@holvoetn what is your suggestion? :folded_hands:

For starters, I never create a CAPsMAN setup spanning multiple 'locations', let alone countries :face_with_peeking_eye: ?

How are you going to handle network hiccups (and they WILL be there, it is not a matter of if but when)?
Each time communication with controller goes down, all APs for that location/ country will go down as well.

Good point .. I was assuming (like it is in my current solution) that if the AP is in local forwarding mode, the AP keeps forwarding if the controller is temporarily unavailable.
However … do you know where to drop a feature request to MikroTik?

Support at mikrotik dot com
Only 1 place.