CAPsMAN with wifi-qcom -- provisioning problem

Experimenting with a hap AX3 and cap AX, both running 17.18.2.

My problem is the provisioning of Wifi from the AX3 to the cap AX (in default CAP config) ONLY works for the “main” network - no sign of “guest” network.
I am probably doing something wrong, but for the life of me can’t sort it out.

/interface wifi
# operated by CAP D4:01:C3:FD:AC:A7%bridge, traffic processing on CAP
add configuration=main configuration.mode=ap disabled=no name=cap-wifi1 radio-mac=D4:01:C3:FD:AC:A9
# operated by CAP D4:01:C3:FD:AC:A7%bridge, traffic processing on CAP
add configuration=main disabled=no name=cap-wifi2 radio-mac=D4:01:C3:FD:AC:AA
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac configuration=main \
    configuration.mode=ap disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac configuration=main \
    configuration.mode=ap disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
add configuration=guest configuration.mode=ap disabled=no mac-address=F6:1E:57:2D:A3:2E master-interface=wifi1 \
    name=wifi3 security.authentication-types=wpa2-psk,wpa3-psk
add configuration=guest configuration.mode=ap disabled=no mac-address=F6:1E:57:2D:A3:2F master-interface=wifi2 \
    name=wifi4 security.authentication-types=wpa2-psk,wpa3-psk
/interface wifi cap
set discovery-interfaces=bridge enabled=yes
/interface wifi capsman
set enabled=yes interfaces="" package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi configuration
add country="United States" datapath.bridge=bridge disabled=no name=main security.authentication-types=\
    wpa2-psk,wpa3-psk ssid=main
add datapath.bridge=bridge disabled=no name=guest security.authentication-types=wpa2-psk,wpa3-psk ssid=guest
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=main slave-configurations=guest supported-bands=\
    2ghz-ax,5ghz-ax

What am I doing wrong?

From a DRY perspective, could you please try the below (just edit:

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk name=main_sec ft=yes ft-over-ds=yes passphrase=HaveAg00dDay
add authentication-types=wpa2-psk,wpa3-psk name=guest_sec ft=yes ft-over-ds=yes passphrase=HaveAg00dDay

/interface wifi channel
add disabled=no name=chan skip-dfs-channels=10min-cac reselect-interval=1h..2h

/interface wifi configuration
add country="United States" name=main_config security=main_sec ssid=main channel=chan
add name=guest_config security=guest_sec ssid=guest

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=main_config slave-configurations=guest_config

/interface wifi
# operated by CAP D4:01:C3:FD:AC:A7%bridge, traffic processing on CAP
add configuration=main_config disabled=no name=cap-wifi1 radio-mac=D4:01:C3:FD:AC:A9
# operated by CAP D4:01:C3:FD:AC:A7%bridge, traffic processing on CAP
add configuration=main_config disabled=no name=cap-wifi2 radio-mac=D4:01:C3:FD:AC:AA
set [ find default-name=wifi1 ] channel=chan configuration=main_config
set [ find default-name=wifi2 ] channelchan configuration=main_config
add configuration=guest_config disabled=no mac-address=F6:1E:57:2D:A3:2E master-interface=wifi1 name=wifi3
add configuration=guest_config disabled=no mac-address=F6:1E:57:2D:A3:2F master-interface=wifi2 name=wifi4

Be aware that all wifi clients are in the same network.

If you want to have separation in networks, either consider using VLANs or have a look at the wiki from @tangent:
https://tangentsoft.com/mikrotik/wiki?name=Isolated%20Guest%20WiFi%20Sans%20VLANs

Sometimes a manual provision is required to make things work. Might be in your case as well… your config is just a mess, hence the above recommendations.
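The reply's warning that all wifi clients end up in the same network can be checked mechanically against an export. The Python sketch below is an added example, not code from any post in this thread: it reports slave configurations that share the master's datapath or passphrase, or that a provisioning rule references without defining. The function names and the sample export are constructed for illustration, and it assumes named security profiles in an export that includes passphrases.

```python
import shlex

# Constructed sample modelled on the reply's export; the passphrase is a placeholder.
SAMPLE_EXPORT = r'''
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk name=main_sec passphrase=example-pass
add authentication-types=wpa2-psk,wpa3-psk name=guest_sec passphrase=example-pass
/interface wifi configuration
add country="United States" datapath.bridge=bridge name=main_config security=main_sec ssid=main
add datapath.bridge=bridge name=guest_config security=guest_sec ssid=guest
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=main_config \
    slave-configurations=guest_config,missing_config
'''

def parse_export(text):
    """Return {section: [{key: value}, ...]} for every 'add' line of an export."""
    sections, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):  # exports wrap long lines with a trailing backslash
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add ") and section:
            sections.setdefault(section, []).append(  # shlex keeps "United States" whole
                dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return sections

def audit_guest_isolation(text):
    """Flag slave configurations sharing the master's datapath or passphrase."""
    s = parse_export(text)
    cfgs = {c["name"]: c for c in s.get("/interface wifi configuration", [])}
    secs = {p["name"]: p for p in s.get("/interface wifi security", [])}
    datapath = lambda c: {k: v for k, v in c.items() if k.startswith("datapath")}
    secret = lambda c: secs.get(c.get("security"), {}).get("passphrase")
    findings = []
    for rule in s.get("/interface wifi provisioning", []):
        master = cfgs.get(rule.get("master-configuration"))
        for name in filter(None, rule.get("slave-configurations", "").split(",")):
            slave = cfgs.get(name)
            if master is None or slave is None:  # rule references an undefined configuration
                findings.append((name, "unknown-configuration"))
                continue
            for label, get in (("same-datapath", datapath), ("same-passphrase", secret)):
                if get(slave) is not None and get(slave) == get(master):
                    findings.append((name, label))
    return findings
```

The check only sees the wifi sections of the export; isolation enforced elsewhere, such as bridge filter rules, is outside what it can confirm.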

Thanks for the response - I learnt much from it.

I isolate the guest network using filters on the bridge (guest clients are isolated from everything but the WAN - this is how the “quickset” for a home user works, and indeed is what was used to setup the wifi - aside from the provisioning!) Pity to hear that the style of the quickset is “a mess.”

With that said, I tried your config (fixing the typo “channelchan”); there is still no provisioning of the “slave”.

In the interest of “creeping elegance” I would like to avoid manual config … indeed I am experimenting to work out how to handle when there are many cap AX access points.

Have you tried a (re)provision?

To “re-provision.”

  1. removed provisioning rule on ax3
  2. turn off cap on cap AX
  3. turn off capsman on ax3
  4. turn on capsman on ax3
  5. turn on cap on AX

Still no luck.
Mind boggling to me.

Press the provision button on CAPsMAN on the wifi - remote cap
Also check log on both CAPsMAN and CAP.

Thanks for persevering.

I am not sure which button you speak of .... I am using WinBox 4.0beta 20
I disabled the provisioning rule and re-enabled it (resetting the cap AX configuration to CAPs mode).

Here are the logs ... all seem to be fine to me.

ax3:

caps,info
Mikrotik@D4:01:C3:FD:AC:A7%*9 joined

cap AX:

caps,info
selected CAPsMAN Mikrotik-hap AX3@F4:1E:57:2D:A3:2A%*6

caps,info
connected to CAPsMAN Mikrotik-hap AX3@F4:1E:57:2D:A3:2A%*6

Mind you I’m on webfig via my phone but it’s under WiFi → Remote Cap

Then you select the cap you want to provision, click actions and click provision.

Thanks for the help …

Prior to the “provision” cap AX wifi was showing:
(5G) managed by CAPSMAN F4:1E:57:2D:A3:2A@bridgelocal, traffic processing on CAP; mode: AP, SSID main, channel: 5885/ax/eeeC
(2G) managed by CAPSMAN F4:1E:57:2D:A3:2A@bridgelocal, traffic processing on CAP; mode: AP, SSID main, channel: 2437/ax/eC

After provision:
(5G) managed by CAPSMAN F4:1E:57:2D:A3:2A@bridgelocal
(2G) managed by CAPSMAN F4:1E:57:2D:A3:2A@bridgelocal

I investigated the hap ax3 and learnt that the cap AX is directly wired on ether5, MAC address: F4:1E:57:2D:A3:2D (confirmed by pinging the cap and un/re-plugging the ethernet on ether 5).
This is very strange given that the cap AX is managed by MAC F4:1E:57:2D:A3:2A (I guess that is the MAC given to the bridge on the hap ax3).

So, just to be sure I moved the cable for the cap AX to the MAC address … 2A and no change.
Note: I could not get the hap ax3 to provision the “main” network without restoring the setup from backup.

Any direction?

(I am leaning towards the advice of “just do it manually”, but I am stubborn)