CAPsman, VLAN dhcp offering lease without success

Hello, I have a problem with mikrotik configuration.

I have a Mikrotik router and an access point. I have 2 wifi networks: Home and Guest.

Home is the master and Guest is the slave. I can connect to the Guest network without issues, but when I try to connect to Home I get this: dhcp-10-home offering lease ****** for *********** without success

Mikrotik conf. CAPSMAN

# Router / CAPsMAN side: two bridges, with the per-VLAN L3 interfaces stacked on Bridge_LAN.
/interface bridge
# BRIDGE_IoT is a separate bridge with no vlan-filtering set (ether3/ether4 are its ports further down).
add name=BRIDGE_IoT protocol-mode=none
# Bridge_LAN is VLAN-aware (vlan-filtering=yes), so the /interface bridge vlan table
# decides which ports carry which VLAN IDs.
add admin-mac=********** auto-mac=no comment=defconf name=Bridge_LAN protocol-mode=none vlan-filtering=yes
/interface vlan
# One VLAN interface per segment (home 10, guest 20, IoT 30, NoT 40, management 111), all on Bridge_LAN.
add interface=Bridge_LAN name=vlan-10-home vlan-id=10
add interface=Bridge_LAN name=vlan-20-guest vlan-id=20
add interface=Bridge_LAN name=vlan-30-IoT vlan-id=30
add interface=Bridge_LAN name=vlan-40-NoT vlan-id=40
# NOTE(review): this interface is named vlan-1-mgnt, but the DHCP server, IP address and
# CAPsMAN entries in this export refer to vlan-111-mgnt - possibly a hand edit in the paste;
# confirm the real interface name, since entries bound to a non-existent interface do nothing.
add interface=Bridge_LAN name=vlan-1-mgnt vlan-id=111
/interface list
# LAN/WAN lists; their members are assigned under /interface list member.
add name=LAN
add name=WAN
# CAPsMAN wifi profiles: channel, datapath, security and the combined configuration per SSID/band.
/interface wifi channel
# Both bands avoid DFS channels entirely (skip-dfs-channels=all).
add band=2ghz-ax disabled=no name=ch-2 skip-dfs-channels=all width=20mhz
add band=5ghz-ax disabled=no name=ch-5 skip-dfs-channels=all width=20/40/80mhz
/interface wifi datapath
# Home clients land in VLAN 10 on Bridge_LAN with no client isolation.
add bridge=Bridge_LAN client-isolation=no disabled=no name=data-home vlan-id=10
# Guest clients land in VLAN 20 with client-isolation=yes, the only wireless segment isolated here.
add bridge=Bridge_LAN client-isolation=yes disabled=no name=data-guest vlan-id=20
# data-iot and data-not have no bridge set and are not referenced by any configuration in this export.
add disabled=no name=data-iot vlan-id=30
add disabled=no name=data-not vlan-id=40
/interface wifi security
# Both profiles accept WPA2-PSK as well as WPA3-PSK and enable fast transition (ft, ft-over-ds).
# No passphrase appears in the paste - presumably hidden by the export or removed by the poster.
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=sec-home
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=sec-guest
/interface wifi configuration
# One configuration per SSID and band; Home uses data-home/sec-home, Guest uses data-guest/sec-guest.
add channel=ch-2 country=Poland datapath=data-home disabled=no mode=ap name=cfg-2-home security=sec-home ssid=Home
add channel=ch-5 country=Poland datapath=data-home disabled=no mode=ap name=cfg-5-home security=sec-home ssid=Home
add channel=ch-2 country=Poland datapath=data-guest disabled=no mode=ap name=cfg-2-guest security=sec-guest ssid=Guest
add channel=ch-5 country=Poland datapath=data-guest disabled=no mode=ap name=cfg-5-guest security=sec-guest ssid=Guest
# Static CAP interfaces as created by the provisioning rules: Home is the master radio
# interface on each band, Guest is the slave (virtual) interface on top of it.
# NOTE(review): the "operated by CAP ..." lines look like export comment lines whose
# leading "#" was lost when the config was pasted; they are kept as posted.
/interface wifi

operated by CAP *******, traffic processing on CAP

add configuration=cfg-2-home disabled=no name=2GHz-CAP radio-mac=*******

operated by CAP *******, traffic processing on CAP

add configuration=cfg-2-guest disabled=no mac-address=******* master-interface=2GHz-CAP name=2GHz-CAP-v

operated by CAP *******, traffic processing on CAP

add configuration=cfg-5-home disabled=no name=5GHz-CAP radio-mac=*******

operated by CAP *******, traffic processing on CAP

add configuration=cfg-5-guest disabled=no mac-address=******* master-interface=5GHz-CAP name=5GHz-CAP-v
/interface wifi steering
# Steering profiles with rrm/wnm enabled; no configuration line in this export references them.
add disabled=no name=steeringhome neighbor-group=dynamic-Home-4481bafe rrm=yes wnm=yes
add disabled=no name=steeringguest neighbor-group=dynamic-Guest-4481bafe rrm=yes wnm=yes
# Address pools (ranges redacted by the poster) and one DHCP server per segment.
/ip pool
add name=LAN_dhcp_pool0 ranges=*******
add name=IoT_pool1 ranges=*******
add name=dhcp-10-home ranges=*******
add name=dhcp_30-IoT ranges=*******
add name=dhcp_40-NoT ranges=*******
add name=dhcp_111-mgnt ranges=*******
add name=dhcp-20-guest ranges=*******
/ip dhcp-server
# "LAN dhcp1" is bound to Bridge_LAN itself, i.e. it serves the bridge's untagged side
# rather than one of the VLAN interfaces.
add address-pool=LAN_dhcp_pool0 interface=Bridge_LAN lease-time=16m40s name="LAN dhcp1"
add address-pool=IoT_pool1 interface=BRIDGE_IoT name=IoT_dhcp1
add address-pool=dhcp_30-IoT interface=vlan-30-IoT name=dhcp-30-iot
add address-pool=dhcp_40-NoT interface=vlan-40-NoT name=dhcp-40-not
# References vlan-111-mgnt, while the VLAN interface in this export is named vlan-1-mgnt - confirm.
add address-pool=dhcp_111-mgnt interface=vlan-111-mgnt name=dhcp-111-mgnt
# dhcp-10-home is the server named in the "offering lease ... without success" log message.
add address-pool=dhcp-10-home interface=vlan-10-home name=dhcp-10-home
add address-pool=dhcp-20-guest interface=vlan-20-guest name=dhcp-20-guest
# Bridge membership, VLAN table and interface lists on the router.
/interface bridge port
# No pvid or frame-types is given on any port, so whatever the defaults are apply to all of them.
add bridge=Bridge_LAN comment=defconf interface=ether2
add bridge=BRIDGE_IoT comment="defconf TV" interface=ether3
add bridge=BRIDGE_IoT comment="defconf LAB" interface=ether4
add bridge=Bridge_LAN comment=defconf interface=ether5
add bridge=Bridge_LAN comment=defconf interface=ether6
add bridge=Bridge_LAN comment=defconf interface=ether7
add bridge=Bridge_LAN comment="defconf LUKASZ" interface=ether8
/interface bridge settings
# use-ip-firewall=yes passes bridged traffic through the IP firewall.
# NOTE(review): no /ip firewall section appears in this paste, so which rules then apply
# to bridged and WAN traffic cannot be judged from here.
set use-ip-firewall=yes
/ip neighbor discovery-settings
# Neighbor discovery is limited to the LAN interface list.
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
# Every VLAN is tagged on the bridge itself (needed for the VLAN interfaces) and on ether7 only;
# ether7 is presumably the trunk towards the CAP - confirm against the cabling.
add bridge=Bridge_LAN tagged=Bridge_LAN,ether7 vlan-ids=10
add bridge=Bridge_LAN tagged=Bridge_LAN,ether7 vlan-ids=20
add bridge=Bridge_LAN tagged=Bridge_LAN,ether7 vlan-ids=111
add bridge=Bridge_LAN tagged=Bridge_LAN,ether7 vlan-ids=30
add bridge=Bridge_LAN tagged=Bridge_LAN,ether7 vlan-ids=40
/interface list member
# Only Bridge_LAN is in LAN; the VLAN interfaces are not members of either list,
# so anything keyed on the LAN list does not cover them.
add interface=Bridge_LAN list=LAN
add interface=ether1 list=WAN
add disabled=yes interface=BRIDGE_IoT list=LAN
# CAPsMAN service and provisioning rules.
/interface wifi capsman
# The manager listens only on the management VLAN interface and generates its own CA
# (ca-certificate=auto). No option requiring CAPs to present a certificate appears on
# this line - NOTE(review): confirm whether CAP authentication is wanted here.
# The interface name vlan-111-mgnt does not match the vlan-1-mgnt defined under /interface vlan.
set ca-certificate=auto enabled=yes interfaces=vlan-111-mgnt
/interface wifi provisioning
# One rule per band: Home as master configuration, Guest as slave configuration.
# action=create-enabled is the value a later reply in the thread suggests changing.
add action=create-enabled disabled=no master-configuration=cfg-2-home name-format=2GHz-%I slave-configurations=cfg-2-guest slave-name-format=2GHz-%I-v supported-bands=2ghz-ax
add action=create-enabled disabled=no master-configuration=cfg-5-home name-format=5GHz-%I slave-configurations=cfg-5-guest slave-name-format=5GHz-%I-v supported-bands=5ghz-ax
# L3 addressing, DHCP networks and DNS on the router (addresses redacted by the poster).
/ip address
add address=******* comment=defconf interface=Bridge_LAN network=*******
add address=******* interface=BRIDGE_IoT network=*******
add address=******* interface=vlan-111-mgnt network=*******
# NOTE(review): this line is damaged (the address and network values are missing and the
# fields have run together), most likely by the redaction rather than in the real config.
add address=interface=vlan-30-IoT network=
add address=******* interface=vlan-40-NoT network=*******
add address=******* interface=vlan-10-home network=*******
add address=******* interface=vlan-20-guest network=*******
/ip arp
# One static ARP entry on the IoT bridge.
add address=******* interface=BRIDGE_IoT mac-address=*******
/ip dhcp-client
# The router takes its WAN address from ether1.
add interface=ether1 name=client1
/ip dhcp-server lease
# One static lease on the IoT DHCP server.
add address=******* client-id=******* mac-address=******* server=IoT_dhcp1
/ip dhcp-server network
# Seven networks for seven DHCP servers; which entry belongs to which VLAN cannot be
# told from the redacted paste. One entry also hands out 8.8.8.8 as a resolver.
add address=******* dns-server=******* gateway=*******
add address=******* dns-server=******* gateway=*******
add address=******* dns-server=******* gateway=*******
add address=******* dns-server=******* gateway=*******
add address=******* dns-server=******* gateway=*******
add address=******* dns-server=******* gateway=******* netmask=24
add address=******* dns-server=8.8.8.8,******* gateway=*******
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from other hosts.
# NOTE(review): no firewall input rules are shown in this paste; confirm that DNS (port 53)
# is not reachable from the WAN side and, if intended, from the guest VLAN.
set allow-remote-requests=yes
/ip dns static
add address=******* name=router.lan type=A

CAP

# CAP (access point) side: a single VLAN-aware bridge plus a management VLAN interface.
/interface bridge
add admin-mac=******** auto-mac=no comment=defconf name=bridgeLocal vlan-filtering=yes
/interface vlan
# Management interface in VLAN 111; the DHCP client further down runs on it.
add interface=bridgeLocal name=vlan-mgnt vlan-id=111
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi datapath
# Local datapath that attaches CAPsMAN-managed wifi interfaces to bridgeLocal; no vlan-id is set here.
add bridge=bridgeLocal disabled=no name=capdp
# Radio interfaces on the CAP, managed by CAPsMAN with traffic processed locally.
# Home (masters wifi-2-main / wifi-5-main) carries datapath.vlan-id=10, Guest (slaves
# wifi5 / wifi6) carries datapath.vlan-id=20.
# NOTE(review): the "managed by CAPsMAN ..." and "mode: AP ..." lines look like export
# comment lines whose leading "#" was lost in the paste, and the two "set" commands are
# each wrapped onto a second line; everything is kept exactly as posted.
/interface wifi

managed by CAPsMAN ********, traffic processing on CAP

mode: AP, SSID: Home, channel: 2412/ax

set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.manager=capsman .mode=ap datapath=capdp datapath.client-isolation=no .vlan-id=10 disabled=no name=wifi-2-main 
security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes

managed by CAPsMAN ********, traffic processing on CAP

mode: AP, SSID: Home, channel: 5220/ax/eeCe/I

set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.manager=capsman .mode=ap datapath=capdp datapath.vlan-id=10 disabled=no name=wifi-5-main security.authentication-types=
wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes

managed by CAPsMAN ********, traffic processing on CAP

mode: AP, SSID: Guest

add datapath=capdp datapath.vlan-id=20 disabled=no mac-address=******** master-interface=wifi-2-main name=wifi5

managed by CAPsMAN ********, traffic processing on CAP

mode: AP, SSID: Guest

add datapath=capdp datapath.vlan-id=20 disabled=no mac-address=******** master-interface=wifi-5-main name=wifi6
# Leftovers from the default configuration on the CAP: a DHCP pool, the LED script and disk sharing.
/ip pool
# Pool used by the "defconf" DHCP server that is bound to bridgeLocal further down.
add name=default-dhcp ranges=********
/system script
# Script that toggles all-leds-off between "never" and "immediate". It carries a broad
# policy list (including password, sniff, sensitive and romon), far more than toggling LEDs needs.
# The source string below is wrapped across lines by the paste; it is kept as posted.
add comment=defconf dont-require-permissions=no name=dark-mode owner=sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=
"\r
\n   :if ([system leds settings get all-leds-off] = "never") do={\r
\n     /system leds settings set all-leds-off=immediate \r
\n   } else={\r
\n     /system leds settings set all-leds-off=never \r
\n   }\r
\n "
/disk settings
# NOTE(review): automatic SMB and media sharing are enabled towards bridgeLocal. If this
# access point is not meant to share attached storage, switching both off removes an
# unneeded network service.
set auto-media-interface=bridgeLocal auto-media-sharing=yes auto-smb-sharing=yes
# Bridge ports, VLAN table, interface lists and the CAP client settings.
/interface bridge port
# The two Home radios are added statically with pvid=10 while they also carry
# datapath.vlan-id=10 in /interface wifi; the first reply in the thread says to remove
# these entries because CAPsMAN adds the wifi ports dynamically.
add bridge=bridgeLocal comment=defconf interface=wifi-5-main pvid=10
add bridge=bridgeLocal comment=defconf interface=wifi-2-main pvid=10
# ether1 is the uplink; no pvid or frame-types is set on it.
add bridge=bridgeLocal interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
# VLANs 10, 20 and 111 are tagged on the uplink and on the bridge itself.
add bridge=bridgeLocal tagged=ether1,bridgeLocal vlan-ids=10
add bridge=bridgeLocal tagged=ether1,bridgeLocal vlan-ids=20
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=111
/interface list member
# NOTE(review): ether1 is a bridgeLocal port and also a member of the WAN list (defconf
# leftover); anything keyed on the WAN list would treat the uplink as untrusted - confirm intent.
add comment=defconf interface=bridgeLocal list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi cap
# The CAP contacts a fixed manager address and keeps slave interfaces static.
# No certificate option appears on this line, so whether the CAP verifies the manager
# cannot be told from the paste.
set caps-man-addresses=******* enabled=yes slaves-datapath=capdp slaves-static=yes
# IP services on the CAP (addresses redacted by the poster).
/ip address
# Static defconf address on the bridge itself, i.e. on its untagged side.
add address=******** comment=defconf interface=bridgeLocal network=********
/ip dhcp-client
# The management address is obtained over VLAN 111.
add comment=defconf interface=vlan-mgnt name=client1
/ip dhcp-server
# NOTE(review): a second DHCP server lives on the CAP's bridge. If untagged frames pass
# between this bridge and the router's Bridge_LAN, it presumably competes with the router's
# "LAN dhcp1"; the replies in the thread recommend removing it.
add address-pool=default-dhcp interface=bridgeLocal name=defconf

/ip dhcp-server network
add address=******** comment=defconf dns-server=******** gateway=********
/ip dns
# The CAP also answers DNS queries from other hosts (allow-remote-requests=yes); an access
# point that only bridges traffic normally has no need to offer this service.
set allow-remote-requests=yes servers=********
/ip dns static
add address=******** comment=defconf name=router.lan type=A

Remove wifi interfaces from bridge port on the CAP, it is dynamically added by CAPsMAN.

I removed the bridge ports for wifi main 2 and 5. Now I only have the dynamic ports for the Guest network, with PVID 20. I don’t see any ports with PVID 10. I still can’t connect to the Home network; I don’t receive an IP address.

Change create-enabled to create-dynamic-enabled in the provisioning rules.

Also remove dhcp-server from CAP, assuming you want to manage dhcp from one device.

Still the same. The phone connects to the Home network, immediately disconnects and switches to Guest. Now I also have a problem with the LAN: if I open a few websites in the browser the connection is lost, and the Mikrotik shows "LAN dhcp" offering a lease without success.

Can you share updated configs?

Why do you have an /ip dhcp-server network entry on the CAP? It is not needed and may be your problem.

here is a working config for a CAP:

# Minimal CAP example from the reply: one VLAN-aware bridge, tagged-only trunk ports and
# CAPsMAN discovery over VLAN 10. It contains no DHCP server, DNS or IP address section.
/interface bridge
add name=bridgeLocal vlan-filtering=yes

/interface vlan
# VLAN 10 interface; it is the interface used for neighbor discovery and CAPsMAN discovery below.
add interface=bridgeLocal name=vlan-10-private vlan-id=10

/interface list
add name=VLAN-10-private
/interface wifi datapath
# Datapath that attaches the managed radios to bridgeLocal; VLAN IDs are left to CAPsMAN.
add bridge=bridgeLocal disabled=no name=capdp




/interface wifi

# Both radios are handed to CAPsMAN; no SSID, security or channel is configured locally.
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath=capdp disabled=no

set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath=capdp disabled=no

/interface bridge port

# Every Ethernet port accepts tagged frames only, so a device plugged in without VLAN
# tagging gets no access to any segment.
add bridge=bridgeLocal frame-types=admit-only-vlan-tagged interface=ether1

add bridge=bridgeLocal frame-types=admit-only-vlan-tagged interface=ether2

add bridge=bridgeLocal frame-types=admit-only-vlan-tagged interface=ether3

add bridge=bridgeLocal frame-types=admit-only-vlan-tagged interface=ether4

add bridge=bridgeLocal frame-types=admit-only-vlan-tagged interface=ether5

/ip neighbor discovery-settings
# Neighbor discovery is limited to the VLAN 10 interface list.
set discover-interface-list=VLAN-10-private




/interface bridge vlan

# All five VLANs are tagged on every Ethernet port and on the bridge.
# NOTE(review): this carries every VLAN to every port; on a real deployment, tagging only
# the VLANs each port needs keeps segments from leaking onto unused ports.
add bridge=bridgeLocal tagged=bridgeLocal,ether1,ether2,ether3,ether4,ether5 vlan-ids=10,20,30,40,50

/interface list member

add interface=vlan-10-private list=VLAN-10-private




/interface wifi cap

# The CAP looks for its manager on VLAN 10, i.e. in this example CAPsMAN traffic shares
# the private client VLAN instead of a dedicated management VLAN.
set discovery-interfaces=vlan-10-private enabled=yes slaves-datapath=capdp

Leave the port that carries your trunk set to admit-only-vlan-tagged.
If you want to use the other ports, change them under bridge ports to the PVID you need and set them as untagged.

The wifi interfaces will be created dynamically on the bridge with PVID 1 and frame type "admit all", but that’s okay; you don’t touch these.