Setup
- Controller: MikroTik RB5009UG+S+ running RouterOS 7.22.1 (stable)
- Access Point: MikroTik hAP ax² (C52iG-5HaxD2HaxD) running RouterOS 7.22.1 (stable), wifi-qcom package installed
- Goal: Three SSIDs with VLAN separation using CAPsMAN local forwarding mode
Network Design
| SSID | Traffic | VLAN | Subnet |
|---|---|---|---|
| AJS-BS1 | Untagged | none | 192.168.3.0/24 (LAN) |
| AJS-Guest | Tagged | VLAN 20 | 192.168.20.0/24 |
| AJS-DMZ | Tagged | VLAN 30 | 192.168.30.0/24 |
Current Status
- AJS-BS1 works perfectly — clients connect, get 192.168.3.x DHCP lease, have internet access
- AJS-Guest and AJS-DMZ do not work — clients connect to WiFi but DHCP never completes (stays at `offered`, never reaches `bound`)
Main Router Configuration
Bridge
/interface bridge print detail
name="bridge-lan" vlan-filtering=yes pvid=1
Bridge ports (relevant)
ether5 bridge-lan pvid=1 admit-all (hAP ax² uplink)
ether6 bridge-lan pvid=1 admit-all (second hAP, not yet connected)
ether7 bridge-lan pvid=1 admit-only-vlan-tagged (trunk to GS308E switch)
ether8 bridge-lan pvid=30 admit-only-untagged-and-priority-tagged (DMZ access port)
Bridge VLAN table
vlan-ids=1 tagged=ether7 untagged=ether5,ether6
vlan-ids=20 tagged=ether5,ether6,ether7
vlan-ids=30 tagged=ether5,ether6,ether7 untagged=ether8
(dynamic) vlan-ids=1 untagged=bridge-lan,ether3,ether4
(dynamic) vlan-ids=20,30 tagged=bridge-lan
VLAN interfaces
/interface vlan
name="Guest" vlan-id=20 interface=bridge-lan (running)
name="DMZ" vlan-id=30 interface=bridge-lan (running)
IP addresses
192.168.3.1/24 bridge-lan
192.168.20.1/24 Guest
192.168.30.1/24 DMZ
CAPsMAN
/interface wifi capsman
enabled=yes interfaces=bridge-lan
WiFi datapath
dp-bs bridge=bridge-lan (no vlan-id — untagged for AJS-BS1)
dp-guest bridge=bridge-lan vlan-id=20
dp-dmz bridge=bridge-lan vlan-id=30
WiFi security
sec-bs authentication-types=wpa2-psk
sec-guest authentication-types=wpa2-psk
sec-dmz authentication-types=wpa2-psk
WiFi channel
ch-5ghz band=5ghz-ax width=20/40/80mhz
ch-2ghz band=2ghz-ax width=20/40mhz
WiFi configuration
cfg-bs-5ghz ssid=AJS-BS1 security=sec-bs datapath=dp-bs channel=ch-5ghz country=Netherlands
cfg-bs-2ghz ssid=AJS-BS1 security=sec-bs datapath=dp-bs channel=ch-2ghz country=Netherlands
cfg-guest ssid=AJS-Guest security=sec-guest datapath=dp-guest channel=ch-2ghz country=Netherlands
cfg-dmz ssid=AJS-DMZ security=sec-dmz datapath=dp-dmz channel=ch-2ghz country=Netherlands
WiFi provisioning
supported-bands=5ghz-ax master=cfg-bs-5ghz slaves=cfg-guest,cfg-dmz
supported-bands=2ghz-ax master=cfg-bs-2ghz slaves=cfg-guest,cfg-dmz
DHCP servers
dhcp-lan interface=bridge-lan pool=192.168.3.20-192.168.3.250
dhcp-guest interface=Guest pool=192.168.20.2-192.168.20.254
dhcp-dmz interface=DMZ pool=192.168.30.2-192.168.30.254
Firewall input rules (relevant)
accept in-interface=bridge-lan
accept protocol=udp in-interface=Guest dst-port=53
accept protocol=tcp in-interface=Guest dst-port=53
accept protocol=udp in-interface=Guest dst-port=67
accept protocol=udp in-interface=DMZ dst-port=53
accept protocol=tcp in-interface=DMZ dst-port=53
accept protocol=udp in-interface=DMZ dst-port=67
drop (default)
Firewall forward rules (relevant)
accept in-interface=bridge-lan out-interface=wan
accept in-interface=Guest out-interface=wan
accept in-interface=DMZ out-interface=wan
drop in-interface=Guest (block inter-VLAN)
drop in-interface=DMZ out-interface=bridge-lan
drop (default)
hAP ax² Configuration
Bridge
/interface bridge print detail
name="bridge-cap" vlan-filtering=yes
Bridge ports
ether1 bridge-cap pvid=1 admit-all (uplink to RB5009 ether5)
wifi1 bridge-cap pvid=1 admit-all (AJS-BS1 5GHz)
wifi2 bridge-cap pvid=1 admit-all (AJS-BS1 2.4GHz)
wifi7 bridge-cap pvid=20 admit-all (AJS-Guest 2.4GHz slave of wifi2)
wifi8 bridge-cap pvid=30 admit-all (AJS-DMZ 2.4GHz slave of wifi2)
wifi9 bridge-cap pvid=20 admit-all (AJS-Guest 5GHz slave of wifi1)
wifi10 bridge-cap pvid=30 admit-all (AJS-DMZ 5GHz slave of wifi1)
Bridge VLAN table
vlan-ids=20 tagged=ether1,bridge-cap untagged=wifi7,wifi9
vlan-ids=30 tagged=ether1,bridge-cap untagged=wifi8,wifi10
(dynamic) vlan-ids=1 untagged=bridge-cap,ether1,wifi1,wifi2
DHCP client
/ip dhcp-client
interface=bridge-cap status=bound address=192.168.3.20/24
CAP
/interface wifi cap
enabled=yes discovery-interfaces=bridge-cap
What Works
- hAP connects to CAPsMAN controller, state=Ok
- All 6 WiFi interfaces provisioned (AJS-BS1 x2, AJS-Guest x2, AJS-DMZ x2)
- AJS-BS1: clients connect, get 192.168.3.x lease, have internet ✓
- Tagged VLAN 20 frames arrive on ether5 with correct VID (confirmed via bridge host table)
- DHCP discover reaches Guest interface (confirmed via torch — saw 0.0.0.0:68 → 255.255.255.255:67)
- DHCP offer sent by router (confirmed via torch — saw 192.168.20.4 offered to client)
What Doesn't Work
- AJS-Guest: DHCP stays at `offered`, never reaches `bound`
- AJS-DMZ: same issue
DHCP Lease Output (when client connected to AJS-Guest)
0 D 192.168.20.4 7E:D1:23:94:B4:CD MacBookPro dhcp-guest offered 9s
The lease never progresses from offered to bound. The client ends up with a 169.254.x.x APIPA address.
Things Already Tried
- Verified DHCP pool ranges are correct (192.168.20.x for Guest, 192.168.30.x for DMZ)
- Verified firewall allows DHCP and DNS from Guest and DMZ interfaces
- Set security to wpa2-psk only (removed wpa3-psk) — no change
- Forced DHCP renewal via `sudo ipconfig set en0 DHCP` on macOS — no change
- Verified bridge VLAN table has correct tagged/untagged entries on both router and hAP
- Verified dynamic bridge entry has bridge-lan tagged for VLANs 20 and 30
Question
Why does the DHCP offer reach the client but the handshake never completes for VLAN 20 and 30 SSIDs, while VLAN 1 (untagged, AJS-BS1) works perfectly? Is there something specific to the bridge-cap configuration on the hAP that would cause DHCP REQUEST packets from the client to be dropped after receiving the offer?
Any help or pointers would be greatly appreciated!
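An added example, not part of the original post: a small Python model of the two bridge VLAN tables transcribed above (data constructed from the page; the names `HAP`, `RB5009`, `ingress`, `egress` and `trace` are chosen here) that walks a client frame from a wifi port up to the router CPU and a router reply back down, reporting the first hop where VLAN membership or ingress filtering would drop it. Frame-type admission (admit-all etc.) is not modelled and ingress filtering is assumed on, as in RouterOS 7 defaults; for the tables as posted the model finds both directions consistent for VLAN 20 and 30, so whatever drops the DHCP REQUEST is not visible in the static VLAN membership alone.

```python
"""Static VLAN path check, transcribed from the bridge tables in the post
(constructed data; port names as on the page, dynamic entries included).
Device = {"pvid": {port: pvid}, "vlans": {vid: (untagged_ports, tagged_ports)}}.
Frame-type admission is not modelled; ingress filtering is assumed on."""
HAP = {
    "pvid": {"ether1": 1, "wifi1": 1, "wifi2": 1, "wifi7": 20, "wifi8": 30,
             "wifi9": 20, "wifi10": 30, "bridge-cap": 1},
    "vlans": {1: ({"bridge-cap", "ether1", "wifi1", "wifi2"}, set()),
              20: ({"wifi7", "wifi9"}, {"ether1", "bridge-cap"}),
              30: ({"wifi8", "wifi10"}, {"ether1", "bridge-cap"})},
}
RB5009 = {
    "pvid": {"ether5": 1, "ether6": 1, "ether7": 1, "ether8": 30, "bridge-lan": 1},
    "vlans": {1: ({"ether5", "ether6", "bridge-lan"}, {"ether7"}),
              20: (set(), {"ether5", "ether6", "ether7", "bridge-lan"}),
              30: ({"ether8"}, {"ether5", "ether6", "ether7", "bridge-lan"})},
}

def ingress(dev, port, tag):
    """VID given to a frame entering `port` (tag=None = untagged, PVID applies),
    or None if ingress filtering drops it because the port is not a member."""
    vid = dev["pvid"][port] if tag is None else tag
    untagged, tagged = dev["vlans"].get(vid, (set(), set()))
    return vid if port in untagged or port in tagged else None

def egress(dev, vid, port):
    """'untagged', 'tagged', or None when `port` is not a member of `vid`."""
    untagged, tagged = dev["vlans"].get(vid, (set(), set()))
    return "untagged" if port in untagged else "tagged" if port in tagged else None

def trace(path, tag=None):
    """Walk one frame through [(device, in_port, out_port), ...]; `tag` is the VID
    on the first hop. Returns (vid, tagging) at the last out_port or (None, reason)."""
    for dev, in_port, out_port in path:
        vid = ingress(dev, in_port, tag)
        if vid is None:
            return None, f"{in_port}: ingress filter drops frame (tag={tag})"
        mode = egress(dev, vid, out_port)
        if mode is None:
            return None, f"{out_port}: not a member of VLAN {vid}"
        tag = vid if mode == "tagged" else None   # what the next hop sees
    return vid, mode

def client_to_router(wifi_port):
    """Client frame: CAP wifi port -> ether1 trunk -> RB5009 ether5 -> CPU."""
    return trace([(HAP, wifi_port, "ether1"), (RB5009, "ether5", "bridge-lan")])

def router_to_client(wifi_port, vid):
    """Router reply (e.g. the DHCP OFFER) for `vid` back down to the wifi port."""
    tag = vid if egress(RB5009, vid, "bridge-lan") == "tagged" else None
    return trace([(RB5009, "bridge-lan", "ether5"), (HAP, "ether1", wifi_port)], tag)
```

Editing the dictionaries to mirror a proposed change (for example removing `ether1` from the VLAN 20 tagged set) shows immediately which hop would start dropping frames, which is cheaper than re-provisioning the CAP to find out.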