CAPsMAN – Wi-Fi client connects, but does not receive IP address (VLAN 20/30)

Hi,

I’m working with a MikroTik setup using centralized Wi-Fi management through CAPsMAN. The topology includes:

A router running CAPsMAN and DHCP server

A CRS switch with VLAN trunking (bridge-main, VLAN filtering enabled)

Multiple CAP devices (AP2, AP3)

SSIDs assigned to VLAN 20 (FREE) and VLAN 30 (PRIVATE)

Clients are able to connect to the SSID (association succeeds), but they are not assigned an IP address.

All devices are running RouterOS 7.19.1.
Configuration exports AP-Router:

# 2025-06-17 11:24:41 by RouterOS 7.18.2
# software id = JG93-NV9B
#
# model = cAPGi-5HaxD2HaxD
# serial number = <edit1>
# Main bridge: parent of every VLAN interface below (its comment string reads
# "main bridge for VLANs and WAN"). No vlan-filtering value is set on it.
# NOTE(review): presumably VLAN filtering is therefore off, so this bridge does
# not enforce VLAN membership for the wifi datapaths that rely on vlan-id
# tagging — confirm.
/interface bridge
add comment="Hlavni Bridge pro VLANy a WAN" name=bridge-vlan-main \
    protocol-mode=none
# One layer-3 VLAN interface per segment: 10 management, 20 free Wi-Fi,
# 30 private Wi-Fi, 40 IP cameras, 50 cash registers (POS), 60 reserve.
/interface vlan
add comment="VLAN pro Management" interface=bridge-vlan-main name=vlan10-mgmt \
    vlan-id=10
add comment="VLAN pro Free WiFi (internet only)" interface=bridge-vlan-main \
    name=vlan20-wifi-free vlan-id=20
add comment="VLAN pro Privatni WiFi" interface=bridge-vlan-main name=\
    vlan30-wifi-private vlan-id=30
add comment="VLAN pro IP Kamery" interface=bridge-vlan-main name=\
    vlan40-kamery vlan-id=40
add comment="VLAN pro Pokladny" interface=bridge-vlan-main name=vlan50-kasy \
    vlan-id=50
add comment="VLAN pro Rezervu" interface=bridge-vlan-main name=vlan60-rezerv \
    vlan-id=60
# Wi-Fi datapaths: bridge plus VLAN ID handed to the radios.
# dp-wifi-free isolates wireless clients from each other (client-isolation=yes).
# NOTE(review): dp-wifi-private sets neither client-isolation nor disabled=no,
# unlike dp-wifi-free — verify the profile is active as intended.
# capdp sets no vlan-id.
/interface wifi datapath
add bridge=bridge-vlan-main client-isolation=yes disabled=no name=\
    dp-wifi-free vlan-id=20
add bridge=bridge-vlan-main name=dp-wifi-private vlan-id=30
add bridge=bridge-vlan-main comment=defconf disabled=no name=capdp
# sec-wifi-free sets no authentication-types.
# NOTE(review): presumably an open, unencrypted SSID — confirm that this is
# intended for the guest network.
# sec-wifi-private allows WPA2-PSK and WPA3-PSK with fast transition (ft)
# switched off; no passphrase appears in this export.
/interface wifi security
add disabled=no name=sec-wifi-free
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=no ft-over-ds=no \
    name=sec-wifi-private
# Configuration profiles: each binds an SSID to a security profile and a
# datapath.
/interface wifi configuration
add country=Czech datapath=dp-wifi-free disabled=no name=cfg-wifi-free \
    security=sec-wifi-free ssid=wifi-free
add country=Czech datapath=dp-wifi-private disabled=no name=cfg-wifi-private \
    security=sec-wifi-private ssid=wifi_Private
# Address pools, one per VLAN. The free Wi-Fi pool spans 192.168.20.2 to
# 192.168.21.254, i.e. both halves of the /23 used for that VLAN.
/ip pool
add name=pool-vlan20-wifi-free ranges=192.168.20.2-192.168.21.254
add name=pool-vlan30-wifi-private ranges=192.168.30.2-192.168.30.254
add name=pool-vlan40-kamery ranges=192.168.40.2-192.168.40.254
add name=pool-vlan50-kasy ranges=192.168.50.2-192.168.50.254
add name=pool-vlan60-rezerv ranges=192.168.60.2-192.168.60.254
add name=pool-vlan10-mgmt ranges=192.168.10.100-192.168.10.200
# One DHCP server per VLAN interface, each drawing from the matching pool.
# The servers listen on the layer-3 VLAN interfaces, so clients only get a
# lease if their frames reach the router tagged with the right VLAN ID.
/ip dhcp-server
add address-pool=pool-vlan20-wifi-free interface=vlan20-wifi-free name=\
    dhcp-vlan20-wifi-free
add address-pool=pool-vlan30-wifi-private interface=vlan30-wifi-private name=\
    dhcp-vlan30-wifi-private
add address-pool=pool-vlan40-kamery interface=vlan40-kamery name=\
    dhcp-vlan40-kamery
add address-pool=pool-vlan50-kasy interface=vlan50-kasy name=dhcp-vlan50-kasy
add address-pool=pool-vlan60-rezerv interface=vlan60-rezerv name=\
    dhcp-vlan60-rezerv
add address-pool=pool-vlan10-mgmt interface=vlan10-mgmt name=dhcp-vlan10-mgmt
# Rate limit for the free Wi-Fi subnet: max-limit 30M/30M on 192.168.20.0/23.
/queue simple
add max-limit=30M/30M name=free_wifi_limit_30m target=192.168.20.0/23
# ether1 is the only physical bridge port; its comment string marks it as the
# trunk to the CRS328. No pvid or frame-types value is set on it.
/interface bridge port
add bridge=bridge-vlan-main comment="Pripojeni na CRS328 (Trunk)" interface=\
    ether1
# CAP client on the router itself, pointed at 127.0.0.1, i.e. the local
# CAPsMAN instance configured below.
/interface wifi cap
set caps-man-addresses=127.0.0.1 caps-man-names=capsman-manager.local \
    discovery-interfaces=vlan10-mgmt enabled=yes
# CAPsMAN manager. Certificates are generated automatically, but
# require-peer-certificate=no means a CAP does not have to present one.
# NOTE(review): the manager is bound to bridge-vlan-main, the same interface
# that carries the WAN DHCP client in this export, rather than to vlan10-mgmt.
# Binding it to the management VLAN and requiring peer certificates would limit
# which devices can join as a CAP — confirm the intended design.
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=\
    bridge-vlan-main package-path="" require-peer-certificate=no \
    upgrade-policy=none
# Provisioning: for 5 GHz and 2.4 GHz ax radios alike, cfg-wifi-free becomes
# the master interface and cfg-wifi-private a slave (virtual) interface.
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
    cfg-wifi-free slave-configurations=cfg-wifi-private supported-bands=\
    5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
    cfg-wifi-free slave-configurations=cfg-wifi-private supported-bands=\
    2ghz-ax
# Gateway address of the router in each VLAN (.1 of every subnet).
/ip address
add address=192.168.10.1/24 comment="GW pro Management VLAN" interface=\
    vlan10-mgmt network=192.168.10.0
add address=192.168.20.1/23 comment="GW pro Free WiFi VLAN" interface=\
    vlan20-wifi-free network=192.168.20.0
add address=192.168.30.1/24 comment="GW pro Privatni WiFi VLAN" interface=\
    vlan30-wifi-private network=192.168.30.0
add address=192.168.40.1/24 comment="GW pro Kamery VLAN" interface=\
    vlan40-kamery network=192.168.40.0
add address=192.168.50.1/24 comment="GW pro Kasy VLAN" interface=vlan50-kasy \
    network=192.168.50.0
add address=192.168.60.1/24 comment="GW pro Rezerva VLAN" interface=\
    vlan60-rezerv network=192.168.60.0
# WAN uplink: the DHCP client runs on the bridge itself, so untagged traffic on
# bridge-vlan-main is the Internet side (comment string: "DHCP client for WAN
# (Internet) on the bridge").
# NOTE(review): WAN and the internal VLAN trunk share the single bridge port
# ether1 — confirm that the upstream network is meant to arrive untagged there.
/ip dhcp-client
add comment="DHCP klient pro WAN (Internet) na bridge" interface=\
    bridge-vlan-main
# Per-subnet DHCP options: the router is both gateway and DNS server.
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.20.0/23 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.50.1 gateway=192.168.50.1
add address=192.168.60.0/24 dns-server=192.168.60.1 gateway=192.168.60.1
# allow-remote-requests=yes makes the router a resolver for clients; which
# sources may query it is decided only by the input chain of the firewall.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
# Static name used by the router's own CAP client to find the manager.
/ip dns static
add address=192.168.10.1 name=capsman-manager.local type=A
# Address lists used by the firewall. Local_Networks contains every internal
# subnet except the free Wi-Fi range 192.168.20.0/23.
/ip firewall address-list
add address=192.168.10.0/24 list=VLAN_MGMT
add address=192.168.20.0/23 list=VLAN_FREE
add address=192.168.30.0/24 list=VLAN_PRIVATE_WIFI
add address=192.168.40.0/24 list=VLAN_KAMERY
add address=192.168.50.0/24 list=VLAN_KASY
add address=192.168.60.0/24 list=VLAN_REZERV
add address=192.168.10.0/24 list=Local_Networks
add address=192.168.30.0/24 list=Local_Networks
add address=192.168.40.0/24 list=Local_Networks
add address=192.168.50.0/24 list=Local_Networks
add address=192.168.60.0/24 list=Local_Networks
# Input chain (traffic addressed to the router itself). Order: established/
# related, ICMP and Winbox/SSH from selected VLANs, DHCP, DNS, then drop.
# NOTE(review): Winbox (8291) is accepted from the POS (VLAN_KASY) and reserve
# (VLAN_REZERV) lists as well as VLAN_MGMT; limiting router management to
# VLAN_MGMT would reduce exposure. The port-22 rules have no effect while
# "set ssh disabled=yes" under /ip service stays in place.
# NOTE(review): no rule accepts CAPsMAN control traffic over IP before the
# final drop — confirm how the remote CAPs are expected to reach the manager.
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=accept chain=input protocol=icmp src-address-list=VLAN_MGMT
add action=accept chain=input protocol=icmp src-address-list=VLAN_KASY
add action=accept chain=input protocol=icmp src-address-list=VLAN_REZERV
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    VLAN_MGMT
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=\
    VLAN_MGMT
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    VLAN_KASY
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=\
    VLAN_KASY
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    VLAN_REZERV
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=\
    VLAN_REZERV
# DHCP requests (client port 68 to server port 67), accepted on any interface.
add action=accept chain=input dst-port=67 protocol=udp src-port=68
# DNS over UDP to the router's resolver from each VLAN list; TCP port 53 is
# not accepted by any rule.
add action=accept chain=input dst-port=53 protocol=udp src-address-list=\
    VLAN_MGMT
add action=accept chain=input dst-port=53 protocol=udp src-address-list=\
    VLAN_FREE
add action=accept chain=input dst-port=53 protocol=udp src-address-list=\
    VLAN_PRIVATE_WIFI
add action=accept chain=input dst-port=53 protocol=udp src-address-list=\
    VLAN_KAMERY
add action=accept chain=input dst-port=53 protocol=udp src-address-list=\
    VLAN_KASY
add action=accept chain=input dst-port=53 protocol=udp src-address-list=\
    VLAN_REZERV
# Default deny for everything else addressed to the router, including
# anything arriving from the WAN side.
add action=drop chain=input
# Forward chain (traffic routed through the router).
# Comment string: "allow established and related connections".
add action=accept chain=forward comment=\
    "Povolit nav\C3\A1zan\C3\A9 a souvisej\C3\ADc\C3\AD spojen\C3\AD" \
    connection-state=established,related
# Guest isolation: free Wi-Fi may not reach any Local_Networks subnet.
add action=drop chain=forward comment=\
    "Zahodit provoz z Free WiFi do lok\C3\A1ln\C3\ADch s\C3\ADt\C3\AD" \
    dst-address-list=Local_Networks src-address-list=VLAN_FREE
# Free Wi-Fi to the Internet; out-interface=bridge-vlan-main is the WAN match.
add action=accept chain=forward comment=\
    "Povolit provoz z Free WiFi do Internetu" out-interface=bridge-vlan-main \
    src-address-list=VLAN_FREE
# NOTE(review): this rule accepts all traffic between every pair of
# Local_Networks subnets (management, private Wi-Fi, cameras, POS, reserve), so
# those VLANs are not separated from each other at layer 3; for example a
# camera can open connections into the management and POS subnets. Confirm
# whether that is intended or whether only specific flows should be allowed.
add action=accept chain=forward comment=\
    "Povolit provoz mezi lok\C3\A1ln\C3\ADmi s\C3\ADt\C4\9Bmi" \
    dst-address-list=Local_Networks src-address-list=Local_Networks
# Local networks to the Internet.
add action=accept chain=forward comment=\
    "Povolit provoz z lok\C3\A1ln\C3\ADch s\C3\ADt\C3\AD do Internetu" \
    out-interface=bridge-vlan-main src-address-list=Local_Networks
# Default deny for all other forwarded traffic.
add action=drop chain=forward comment=\
    "Zahodit ve\C5\A1ker\C3\BD ostatn\C3\AD provoz ve forward chainu"
# Source NAT towards the WAN. The second rule is identical to the first apart
# from the comment and looks redundant.
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "NAT pro vsechny VLANy na Internet" out-interface=bridge-vlan-main
add action=masquerade chain=srcnat out-interface=bridge-vlan-main
# Management services. telnet, ftp, ssh, api and api-ssl are disabled; www is
# disabled too, although an address restriction is still configured on it.
# Winbox is the only service left enabled, restricted by source address.
# NOTE(review): the winbox address list admits 192.168.30.0/24 (private Wi-Fi)
# and 192.168.40.0/24 (cameras), while the input chain of this export accepts
# port 8291 only from the management, POS and reserve lists. The two lists
# disagree; keeping one authoritative, management-only list is easier to audit.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.10.0/24,192.168.50.0/24,192.168.60.0/24 disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address="192.168.10.0/24,192.168.30.0/24,192.168.40.0/24,192.168.50\
    .0/24,192.168.60.0/24"
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Prague
/system identity
set name="AP Router"
/system note
set show-at-login=no
# NTP client with four servers given as fixed IP addresses.
/system ntp client
set enabled=yes
/system ntp client servers
add address=216.239.35.4
add address=216.239.35.8
add address=217.31.205.1
add address=195.113.144.201
# Packet sniffer preset for the reported problem: DHCP traffic (bootps/bootpc)
# on vlan20-wifi-free, written to dhcp-free-wifi.pcap. If the capture stays
# empty while a client is connecting, the requests are not reaching the router
# tagged with VLAN 20.
/tool sniffer
set file-name=dhcp-free-wifi.pcap filter-interface=vlan20-wifi-free \
    filter-port=bootps,bootpc

Configuration exports Switch:

# 2025-03-10 12:52:43 by RouterOS 7.18.2
# software id = AB9G-1WT7
#
# model = CRS328-24P-4S+
# serial number = <edit2>
# VLAN-aware bridge: vlan-filtering=yes, so the /interface bridge vlan table
# further down is enforced on this switch.
/interface bridge
add name=bridge-main vlan-filtering=yes
# The MAC address was replaced by the poster with a placeholder string
# ("hidden item") before publishing.
/interface ethernet
set [ find default-name=ether1 ] mac-address="skrytá polozka"
# Management VLAN interface of the switch itself.
/interface vlan
add interface=bridge-main name=vlan10-mgmt-switch vlan-id=10
/interface list
add name=WAN
add name=LAN
/port
set 0 name=serial0
# Bridge ports. ether1-ether4 set no pvid (presumably the default PVID 1).
# ether5-10 are access ports in VLAN 40, ether11-15 in VLAN 50, ether16-23 and
# the four SFP+ ports in VLAN 60, ether24 in VLAN 10.
# NOTE(review): no frame-types or ingress-filtering value is set on any port.
# Consider frame-types=admit-only-untagged-and-priority-tagged on the access
# ports and frame-types=admit-only-vlan-tagged on the trunks, so access ports
# accept only untagged frames and trunks only tagged ones — verify against the
# defaults of the RouterOS version in use.
/interface bridge port
add bridge=bridge-main interface=ether1
add bridge=bridge-main interface=ether2
add bridge=bridge-main interface=ether3
add bridge=bridge-main interface=ether4
add bridge=bridge-main interface=ether5 pvid=40
add bridge=bridge-main interface=ether6 pvid=40
add bridge=bridge-main interface=ether7 pvid=40
add bridge=bridge-main interface=ether8 pvid=40
add bridge=bridge-main interface=ether9 pvid=40
add bridge=bridge-main interface=ether10 pvid=40
add bridge=bridge-main interface=ether11 pvid=50
add bridge=bridge-main interface=ether12 pvid=50
add bridge=bridge-main interface=ether13 pvid=50
add bridge=bridge-main interface=ether14 pvid=50
add bridge=bridge-main interface=ether15 pvid=50
add bridge=bridge-main interface=ether16 pvid=60
add bridge=bridge-main interface=ether17 pvid=60
add bridge=bridge-main interface=ether18 pvid=60
add bridge=bridge-main interface=ether19 pvid=60
add bridge=bridge-main interface=ether20 pvid=60
add bridge=bridge-main interface=ether21 pvid=60
add bridge=bridge-main interface=ether22 pvid=60
add bridge=bridge-main interface=ether23 pvid=60
add bridge=bridge-main interface=ether24 pvid=10
add bridge=bridge-main interface=sfp-sfpplus1 pvid=60
add bridge=bridge-main interface=sfp-sfpplus2 pvid=60
add bridge=bridge-main interface=sfp-sfpplus3 pvid=60
add bridge=bridge-main interface=sfp-sfpplus4 pvid=60
# VLAN table. ether2, ether3 and ether4 are tagged members of every VLAN
# (trunks); the bridge itself is tagged in every VLAN; ether1 appears in no
# entry.
# NOTE(review): confirm which ports the router and the CAPs are plugged into.
# If a trunk only feeds an access point, it needs VLANs 10, 20 and 30 but here
# also carries the camera, POS and reserve VLANs (40, 50, 60); trimming the
# tagged lists per port keeps those segments off links that do not need them.
/interface bridge vlan
add bridge=bridge-main comment=VLAN_MGMT tagged=\
    bridge-main,ether2,ether3,ether4 untagged=ether24 vlan-ids=10
add bridge=bridge-main comment=VLAN_WIFI_FREE tagged=\
    bridge-main,ether2,ether3,ether4 vlan-ids=20
add bridge=bridge-main comment=VLAN_WIFI_PRIVATE tagged=\
    bridge-main,ether2,ether3,ether4 vlan-ids=30
add bridge=bridge-main comment=VLAN_KAMERY tagged=\
    bridge-main,ether2,ether3,ether4 untagged=\
    ether5,ether6,ether7,ether8,ether9,ether10 vlan-ids=40
add bridge=bridge-main comment=VLAN_KASY tagged=\
    bridge-main,ether2,ether3,ether4 untagged=\
    ether11,ether12,ether13,ether14,ether15 vlan-ids=50
add bridge=bridge-main comment=VLAN_REZERV tagged=\
    bridge-main,ether2,ether3,ether4 untagged="ether16,ether17,ether18,ether19\
    ,ether20,ether21,ether22,ether23,sfp-sfpplus1,sfp-sfpplus2,sfp-sfpplus3,sf\
    p-sfpplus4" vlan-ids=60
# Interface list membership: ether1 is WAN, every other port is LAN.
# NOTE(review): no other section of this export references the WAN or LAN
# list, so the lists presumably have no effect on forwarding here — confirm.
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=ether11 list=LAN
add interface=ether12 list=LAN
add interface=ether13 list=LAN
add interface=ether14 list=LAN
add interface=ether15 list=LAN
add interface=ether16 list=LAN
add interface=ether17 list=LAN
add interface=ether18 list=LAN
add interface=ether19 list=LAN
add interface=ether20 list=LAN
add interface=ether21 list=LAN
add interface=ether22 list=LAN
add interface=ether23 list=LAN
add interface=ether24 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
# The switch's only IP address sits on the management VLAN interface.
/ip address
add address=192.168.10.2/24 comment=IP_for_CRS_Management interface=\
    vlan10-mgmt-switch network=192.168.10.0
# telnet, ftp, ssh, api and api-ssl are disabled.
# NOTE(review): www and winbox are not listed, so presumably they remain
# enabled at their defaults with no address restriction, and this export has
# no /ip firewall section. The management address lies in 192.168.10.0/24,
# which the router export lists in Local_Networks, so other local VLANs can
# presumably route to it — confirm, and consider an address restriction on the
# remaining services.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system identity
set name=Switch
/system note
set show-at-login=no
/system routerboard settings
set enter-setup-on=delete-key

Configuration export AP2,3

# 2025-06-17 10:57:19 by RouterOS 7.18.2
# software id = 1K6A-VPJ4
#
# model = cAPGi-5HaxD2HaxD
# serial number = <edit3>
# Local bridge of the CAP. No vlan-filtering value is set on it.
# NOTE(review): presumably VLAN filtering is off here, in which case the
# /interface bridge vlan entries further down are not enforced — confirm.
/interface bridge
add name=bridgeLocal
# Both radios are handed over to CAPsMAN (configuration.manager=capsman).
# NOTE(review): the status comments below report SSID "Absurdia", which matches
# neither SSID in the router export (wifi-free, wifi_Private) — confirm which
# manager and which configuration these radios actually received.
/interface wifi
# managed by CAPsMAN F4:1E:57:30:F5:C7%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: Absurdia, channel: 5320/ax/eeeC/DI
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    disabled=no
# managed by CAPsMAN F4:1E:57:30:F5:C7%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: Absurdia, channel: 2467/ax/eC
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    disabled=no
# Management VLAN interface; the AP obtains its own address on it via DHCP.
/interface vlan
add interface=bridgeLocal name=vlan10-mgmt vlan-id=10
/interface bridge port
add bridge=bridgeLocal interface=ether1
# VLANs 10, 20 and 30 tagged on the uplink (ether1) and on the bridge itself.
/interface bridge vlan
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=10
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=20
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=30
# CAP client: manager address 192.168.10.1, discovery on the untagged bridge
# rather than on vlan10-mgmt. caps-man-names is empty and no certificate value
# is set.
# NOTE(review): as exported, the CAP does not verify the identity of the
# manager it joins; using certificates on both sides would prevent a rogue
# manager on the same segment from taking over the radios — confirm.
/interface wifi cap
set caps-man-addresses=192.168.10.1 caps-man-names="" discovery-interfaces=\
    bridgeLocal enabled=yes
/ip dhcp-client
add default-route-tables=main interface=vlan10-mgmt
# NOTE(review): allow-remote-requests=yes turns the AP into a DNS resolver and
# this export contains no /ip firewall section, so presumably any host that can
# reach the AP can query it. An access point normally does not need this —
# confirm and disable if unused.
/ip dns
set allow-remote-requests=yes servers=192.168.10.1,8.8.8.8,8.8.4.4
/system clock
set time-zone-name=Europe/Prague
/system identity
set name="AP 2"
/system note
set show-at-login=no

Any ideas or suggestions are welcome. Thank you!

When using VLANs, you should always set vlan-filtering=yes on the bridge. I don't see that setting on either the router or the access point(s).