The default configuration and official documentation of CaPsMAN suggest that only UDP/5246 and UDP/5247 are being used for communication of data between CaPsMAN and CAPs.
After some changes to my firewall and rebooting the manager, all CAPs went offline and didn't come back. It took me a while to figure out that they also communicate via TCP/5246, which was blocked.
Now that everything is back up and running, I'm really dissatisfied that something like this isn't documented officially.
I’m running with “request-peer-certificate=yes” and restricting everything on a specific VLAN / L3, maybe this changes the (default) behavior. Nevertheless this should be documented and/or reflected in the defconf.
Here are my current insights:
[kbabioch@rtr1.example.com] > /ip firewall connection print where dst-port=5246 or dst-port=5247
Flags: S - SEEN-REPLY; A - ASSURED; C - CONFIRMED
Columns: PROTOCOL, SRC-ADDRESS, SRC-PORT, DST-ADDRESS, DST-PORT, TCP-STATE, TIMEOUT, ORIG-RATE, REPL-RATE, ORIG-PACKETS, REPL-PACKETS, ORIG-BYTES, REPL-BYTES
# PROTOCOL SRC-ADDRESS SRC-PORT DST-ADDRESS DST-PORT TCP-STATE TIMEOUT ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS ORIG-BYTES REPL-BYTES
3 SAC tcp 10.24.63.102 43628 10.24.63.1 5246 established 23h59m59s 1416bps 1520bps 6 187 8 034 1 068 468 634 995
4 SAC tcp 10.24.63.101 55868 10.24.63.1 5246 established 23h59m58s 6.3kbps 2.8kbps 5 142 6 343 961 176 524 807
5 SAC tcp 10.24.63.103 55388 10.24.63.1 5246 established 23h59m58s 0bps 0bps 7 638 9 515 1 318 722 724 911
[kbabioch@rtr1.example.com] > /interface/wifi/capsman/remote-cap/print
Columns: ADDRESS, IDENTITY, STATE, BOARD-NAME, VERSION, CONNECTED-TIME
# ADDRESS IDENTITY STATE BOARD-NAME VERSION CONNECTED-TIME
0 10.24.63.101 apkg.example.com Ok cAPGi-5HaxD2HaxD 7.21.2 41m18s
1 10.24.63.102 apeg.example.com Ok cAPGi-5HaxD2HaxD 7.21.2 41m18s
2 10.24.63.103 apog.example.com Ok cAPGi-5HaxD2HaxD 7.21.2 41m17s
[kbabioch@rtr1.example.com] > /interface/wifi/print
Flags: M - MASTER; D - DYNAMIC; B - BOUND
Columns: NAME, CONFIGURATION.SSID, CHANNEL.FREQUENCY, CHANNEL.WIDTH
# NAME CONFIGURATION.SSID CHANNEL.FREQUENCY CHANNEL.WIDTH
;;; operated by CAP 10.24.63.101, traffic processing on CAP
0 MDB cap-wifi1 guest 5745 20/40/80mhz
;;; operated by CAP 10.24.63.101, traffic processing on CAP
1 MDB cap-wifi2 guest 2462 20mhz
;;; operated by CAP 10.24.63.102, traffic processing on CAP
2 MDB cap-wifi3 guest 5260 20/40/80mhz
;;; operated by CAP 10.24.63.102, traffic processing on CAP
3 MDB cap-wifi4 guest 2437 20mhz
;;; operated by CAP 10.24.63.103, traffic processing on CAP
4 MDB cap-wifi5 guest 5180 20/40/80mhz
;;; operated by CAP 10.24.63.103, traffic processing on CAP
5 MDB cap-wifi6 guest 2412 20mhz
Wondering if anyone knows more about this, and/or if there is an official statement / documentation from MikroTik itself. All of this CAPsMAN stuff is great when it works, but it isn't really well documented, especially since there seem to be major changes with RouterOS 7, wifi-qcom and wifiwave2 compared to the past.
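As an added illustration (not part of the original post and not MikroTik's own documentation), here is what the firewall on the manager side looks like before and after accounting for the TCP/5246 control connection observed in the connection table above. The addresses (CAP VLAN 10.24.63.0/24, manager 10.24.63.1) are taken from the output in the post; the rule comments, the chain layout and the logging rule are assumptions chosen for the example, and the rules are placed in the input chain because the CAPs talk to the router itself.

```routeros
# Added example, not from the original post. Assumes the CAPs live in
# 10.24.63.0/24 and the CAPsMAN manager is 10.24.63.1 (as shown in the
# post); rule names and ordering are illustrative.

# --- Before: only the documented UDP ports are allowed -------------------
# With request-peer-certificate=yes the CAPs open a TCP/5246 session in
# addition to UDP/5246 and UDP/5247. That session hits the final drop rule,
# so the CAPs never reach state "Ok" in remote-cap/print.
/ip firewall filter
add chain=input action=accept protocol=udp dst-port=5246,5247 \
    src-address=10.24.63.0/24 dst-address=10.24.63.1 \
    comment="capsman control/data (UDP only - incomplete)"
add chain=input action=drop in-interface-list=!LAN \
    comment="drop everything else reaching the router"

# --- After: TCP/5246 from the same VLAN is accepted as well -------------
/ip firewall filter
add chain=input action=accept protocol=tcp dst-port=5246 \
    src-address=10.24.63.0/24 dst-address=10.24.63.1 \
    comment="capsman control (TCP, seen with request-peer-certificate=yes)"
add chain=input action=accept protocol=udp dst-port=5246,5247 \
    src-address=10.24.63.0/24 dst-address=10.24.63.1 \
    comment="capsman control/data (UDP)"
# Log anything else that still tries to reach the CAPsMAN ports, so a
# future rule change that breaks the CAPs shows up in /log instead of
# silently taking the WiFi down.
add chain=input action=log log-prefix="capsman-drop" \
    dst-port=5246,5247 protocol=tcp
add chain=input action=log log-prefix="capsman-drop" \
    dst-port=5246,5247 protocol=udp
add chain=input action=drop in-interface-list=!LAN \
    comment="drop everything else reaching the router"

# --- Checks --------------------------------------------------------------
# Established TCP/5246 sessions from each CAP must show up here; if only
# UDP entries appear, the TCP rule is missing or ordered after the drop.
/ip firewall connection print where dst-port=5246 or dst-port=5247
# Every CAP should be in state "Ok"; a CAP stuck elsewhere is a firewall
# or certificate problem, not a radio problem.
/interface/wifi/capsman/remote-cap/print
# Any "capsman-drop" lines here point at a rule still blocking the CAPs.
/log print where message~"capsman-drop"
```

Ordering matters: the accept rules have to sit before the generic drop, and restricting them to the CAP VLAN keeps the manager from accepting CAPsMAN connections from elsewhere.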