Hey everyone,
Has anyone managed to get CAPsMAN to work with WifiWave2 package?
I’ve been dealing with this issue for about a week now, and I’m starting to lose patience..
I’ve tried datapath, reset my device, various configurations and even copying official docs doesn’t work.
If you can help me out, I’ll be really thankful.
Thank you!
A week? Like a whole week?
I have waited 4 years for a radio fix that is still labeled as “We will get back to you.”
I’m a huge fan of your patience
Found an engineering team that would actually listen… Then changed wifi providers.
They had a serious issue in the way they passed DNS packets… But they actually hunted it down.
So that was the end of caps-man for me.
I’m sure it is a sensitive subject in the forum, but are you willing to share which vendor you moved to? I am always interested in hearing who else is out there that is listening!
Hey,
I am struggling too with this.
Maybe someone can help?
Main Router: RB3011UiAS r2 @7.10
PoE Switch CSS610-8P-2S+IN @SWOS 2.16
Cap ax @ 7.10
For now, I simply tried to use the easy configuration example from here: https://help.mikrotik.com/docs/display/ROS/WifiWave2#WifiWave2-CAPsMAN-CAPVLANconfigurationexample:, and rebooted the CAP into CAPs mode.
What I am left with:
(No connection to CAPSMan)
https://imgur.com/a/ttZ5UHj
If I am reading correctly, enabling CAP under the WiFI Wave2 tab (on the AX) enables a CAPSMAN server on the AX itself, right? Enabling it under “Remote CAP” makes the device listen for capsman servers on the configured network?
If so, why does booting to CAPSMAN mode not enable Remote Capsman on the AX? If I enable it, both the CAPs server and my Main router show up as Remote Caps, and both wifi interfaces appear as “managed by CAPsMAN”. However, since nothing shows up on my wifi scanner, I suspect it actually picks the “unconfigured” capsman server from the AX itself.
If I disable CAP on the AX, only the Remote CAP from the Main router shows up, but still… (No connection to CAPSMan).
Regardless of what I do, I cannot get anything from the AX to show up on my main router.
There are no VLANs in place and the main router has no special firewall rules applied. I am happy to provide any further configuration, if needed.
Any help would be greatly appreciated
I set up a 5009 as a capsman and a hap ax2 as the cap, see below for my config:
CAPSMAN:
/interface wifiwave2 security
add disabled=no name=sec1 ....
/interface wifiwave2 configuration
add channel.band=2ghz-ax country="United Kingdom" disabled=no name=2ghz security=sec1 ssid=CapsmanTest2
add country="United Kingdom" datapath=datapath1 disabled=no name=5ghz security=sec1 ssid=CapsmanTest5
/interface wifiwave2 datapath
add bridge=bridge1 disabled=no interface-list=all name=datapath1
/interface wifiwave2 cap
set enabled=no
/interface wifiwave2 capsman
set ca-certificate=none enabled=yes interfaces=bridge1 package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-enabled disabled=no master-configuration=5ghz slave-configurations=5ghzv supported-bands=5ghz-ax,5ghz-ac
add action=create-enabled disabled=no master-configuration=2ghz supported-bands=2ghz-ax
CAP:
/interface wifiwave2
set [ find default-name=wifi2 ] arp-timeout=auto configuration.manager=capsman-or-local .mode=ap name=wifi2
/interface wifiwave2 datapath
add bridge=bridge1 disabled=no name=datapath1
/interface wifiwave2
set [ find default-name=wifi1 ] arp-timeout=auto configuration.manager=capsman-or-local .mode=ap datapath=datapath1 name=wifi1
/interface wifiwave2 cap
set certificate=none discovery-interfaces=bridge1 enabled=yes
Note that if you have capsman-or-local as the manager option then you need to disable the native wireless interfaces on the cap, then capsman will take over !
It’s more or less the other way around.
Enabling CAP under the wifiwave2 tab, puts the device in caps mode.
Remote Cap is on the device acting as capsman controller, where you will see the remote radios joining that capsman controller.
Thank you, holvoetn, that makes sense now.
I basically copied your config, still, no luck. Even if I disable both WIFI interfaces on the CAP, it still says “no connection to CAPsMAN”.
Is there anything I need to configure on the RB3011 firewall?
The CAP does not show up on the RB3011 “remote CAP” tab.
The logs contain nothing that would give me a hint on what’s wrong.
Thanks for your help and your config, it helped me out. The problem was different, I was trying to make CAP and CAPsMAN on 1 device and turns out it doesn’t work properly right now.
Also I’ve upgraded to 7.11beta2 and it worked. Maybe this will help someone.
Hmm still no luck. Also upgraded to 7.11 beta, and reset the CAP to default cap config:
Capsman config:
# 2023-07-01 09:41:46 by RouterOS 7.11beta2
# software id = SP6J-F3VR
#
# model = RB3011UiAS
# serial number = XXXXX
/interface bridge
add admin-mac=2C:C8:1B:BD:5D:09 arp=proxy-arp auto-mac=no comment=defconf \
name=bridge
/interface ethernet
set [ find default-name=ether10 ] poe-out=off
set [ find default-name=sfp1 ] rx-flow-control=auto tx-flow-control=auto
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifiwave2 channel
add band=2ghz-ax disabled=no frequency=2300-7300 name=channel1 width=20mhz
/interface wifiwave2 datapath
add bridge=bridge disabled=no interface-list=all name=datapath
/interface wifiwave2 security
add authentication-types=wpa2-psk disabled=no name=sec1
/interface wifiwave2 configuration
add channel.band=5ghz-ax country=Austria datapath=datapath disabled=no name=\
5ghz security=sec1 ssid="SomeSSID"
add channel=channel1 channel.band=2ghz-ax country=Austria datapath=datapath \
disabled=no manager=local name=2ghz security=sec1 \
security.authentication-types="" ssid="SomeSSID"
/ip pool
add name=dhcp ranges=10.0.0.200-10.0.0.254
add name=vpn-pool ranges=10.0.0.100-10.0.0.150
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/ppp profile
add dns-server=8.8.8.8 local-address=10.0.0.10 name=vpn-profile only-one=yes \
remote-address=vpn-pool use-encryption=yes
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether1
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=all lan-interface-list=\
LAN
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp1 list=WAN
/interface ovpn-server server
set auth=sha1 certificate="VPN Server Template" cipher=aes256-cbc \
default-profile=vpn-profile enabled=yes
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/interface wifiwave2 cap
set discovery-interfaces=bridge
/interface wifiwave2 capsman
# failed to create CA certificate: name must be unique! (6)
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-enabled disabled=no master-configuration=5ghz \
supported-bands=5ghz-ax,5ghz-n
add action=create-enabled disabled=no master-configuration=2ghz \
supported-bands=2ghz-ax
/ip address
add address=10.0.0.10/16 comment=LAN interface=bridge network=10.0.0.0
add address=192.168.178.10/24 comment="FritzBox access" interface=ether10 \
network=192.168.178.0
/ip arp
add address=10.0.0.2 interface=bridge mac-address=3C:2A:F4:3B:7E:BC
add address=10.0.10.101 interface=bridge mac-address=5A:CB:C7:F9:66:B5
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=sfp1
/ip dhcp-server lease
add address=10.0.0.15 client-id=1:48:a9:8a:ba:22:7e comment="Wifi AP ax 1" \
mac-address=48:A9:8A:BA:22:7E server=defconf
/ip dhcp-server network
add address=10.0.0.0/16 gateway=10.0.0.10 netmask=16
/ip dns
set allow-remote-requests=yes servers=10.0.0.10
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment=OpenVPN connection-state=\
invalid,established,related,new,untracked dst-port=1194 hotspot="" \
protocol=tcp tcp-flags=""
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat comment="Modem Access" dst-address=\
192.168.178.1 to-addresses=192.168.178.10
add action=dst-nat chain=dstnat comment="Port Forward for Webserver" \
dst-address=my.static.public.ip dst-port=80,443 in-interface-list=all log=yes \
protocol=tcp to-addresses=10.0.0.3
add action=dst-nat chain=dstnat comment="Hairpin NAT for Reverse-Proxy" \
disabled=yes dst-address-type=local protocol=tcp src-port=0-65535 \
to-addresses=10.0.0.3 to-ports=0-65535
add action=masquerade chain=srcnat dst-address=10.0.0.3 dst-port="" \
out-interface=bridge protocol=tcp src-address=10.0.0.0/16 to-ports=\
0-65535
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes \
src-address=192.168.89.0/24
/ip firewall service-port
set sip disabled=yes
/lcd pin
set pin-number=0000
/lcd screen
set 1 disabled=yes
set 5 disabled=yes
/ppp profile
set *FFFFFFFE dns-server=10.0.0.10 local-address=10.0.11.1 remote-address=*2
/ppp secret
add name=philipp profile=vpn-profile
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=MainRouter
/system note
set show-at-login=no
/system package update
set channel=development
/tool graphing interface
add interface=sfp1 store-on-disk=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
CAP:
# 2023-07-01 09:46:21 by RouterOS 7.11beta2
# software id = WXWN-8FAI
#
# model = cAPGi-5HaxD2HaxD
# serial number = XXXX
/interface bridge
add admin-mac=48:A9:8A:BA:22:7E auto-mac=no comment=defconf name=bridgeLocal
/interface wifiwave2
# no connection to CAPsMAN
add configuration.manager=capsman .mode=ap
/interface wifiwave2 datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifiwave2
# no connection to CAPsMAN
add configuration.manager=capsman datapath=capdp
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifiwave2 cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system clock
set time-zone-name=Europe/Vienna
/system note
set show-at-login=no
Any ideas?
Does that cap get an IP address ?
Since it seems to indicate there is no connection to capsmanager.
I have the same problem.
- I applied your configuration.
- I updated mikrotiki to the latest beta version.
Router:
CAP:
@edit Weird. How to add certificates everything started working. It doesn’t work without a certificate.
Yes it does get an IP. The CAP is reachable on 10.0.0.15 (eth1) and the rb3011 is 10.0.0.10
Looks like your manager is not running.
interface wifiwave2 capsman
failed to create CA certificate: name must be unique! (6)
Whoa, that was it! Apparently some simple certificate issues. I deleted all the existing cert and it immediately worked… Thank you very much!
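Added example, not part of any post in this thread and not MikroTik's code: the fix above came from a `#` comment that RouterOS wrote into the export directly under the `/interface wifiwave2 capsman` menu. This Python sketch lists such inline comments with the menu and command they annotate; the function name and the trimmed sample export are constructed for illustration, and the parsing rules (comments before the first menu line are header lines, a trailing `\` continues a command) are assumptions drawn from the exports posted here.

```python
"""Surface the inline '# ...' status comments that a RouterOS export attaches to a menu."""

# Constructed sample: a trimmed excerpt shaped like the export posted in this thread.
SAMPLE_EXPORT = r'''# 2023-07-01 09:41:46 by RouterOS 7.11beta2
#
# model = RB3011UiAS
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface wifiwave2 cap
set discovery-interfaces=bridge
/interface wifiwave2 capsman
# failed to create CA certificate: name must be unique! (6)
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
'''

def find_export_warnings(export_text):
    """Return (menu, message, command) for every comment line inside a menu section."""
    findings = []
    menu = None      # current menu path; None while still in the file header
    pending = []     # comments waiting for the command they annotate
    buffer = ""      # command being joined across '\' continuation lines
    for raw in export_text.splitlines():
        line = raw.strip()
        if buffer:                           # continuation of the previous line
            line = buffer + line
            buffer = ""
        elif line.startswith("/"):           # new menu path
            findings += [(menu, msg, "") for msg in pending]
            menu, pending = line, []
            continue
        elif line.startswith("#"):
            if menu is not None and line.lstrip("# "):
                pending.append(line.lstrip("# "))   # header comments are skipped
            continue
        if line.endswith("\\"):
            buffer = line[:-1]               # drop the backslash, keep joining
            continue
        if line:
            findings += [(menu, msg, line) for msg in pending]
            pending = []
    findings += [(menu, msg, "") for msg in pending]
    return findings

if __name__ == "__main__":
    for menu, message, command in find_export_warnings(SAMPLE_EXPORT):
        print(f"{menu}: {message}\n    -> {command}")
```

Run against a full export, this puts the CAPsMAN certificate error and the CAP's "no connection to CAPsMAN" status in one short list instead of leaving them buried among a couple of hundred configuration lines.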
I have a question for MikroTik’s developers: Will CAPsMAN be separated from the wifi driver at any time? It would be needed so that CAPsMAN can control any CAPs independently of the wifi driver (legacy wifi or wifiwave2) used by the CAPs.
Logically thinking this can not be done that easily.
Capsman IS effectively CONTROLLING the wifi channels of the caps devices.
Is also the reason why legacy and wifiwave2 devices can not be mixed for capsman.
Or they would have to create another layer in between which does the translation to legacy or wifiwave2.
Then, theoretically, it would be possible to create a capsman controller which does not care about what sort of wifi the caps have.
But since AX line came, I suppose legacy wifi is slowly going to fade out, so why bother ?
Since ac devices with the legacy wifi driver are still being manufactured and sold, it will not fade out so quickly.
And yes, creating some sort of communication API layer between the CapsMan and CAPs would solve this problem and I think that’s exactly what Mikrotik should do.
I have a CCR2004 with several cAPs managed by CAPsMAN (all running 7.11.2).
Today two brand new cAP ax - devices arrived.
I have no luck integrating them into the existing CAPsMAN - what am I doing wrong?
Reset to CAPS mode was already tried without success.
The devices are in the same subnet and got DHCP-config like all the other working cAPs.
A red hint ‘— no connection to CAPsMAN’ is shown above wifi1 and wifi2 in the WiFi Wave2 tab.
Thanks for any hints.

