CAPsMAN Config

Hello everyone,

I’m setting up a WLAN CAPsMAN for my customers, which will include 30 CAP XL devices. However, I’m running into an issue: my CAPsMAN configuration isn’t working with the default CAPs. To get it to work, I have to manually connect to each CAP individually via cable or Wi-Fi, reset the configuration, and then apply my settings. This is manageable with a few devices, but with 30 CAPs, it becomes quite time-consuming.

Do you have any suggestions or might I be missing something in my setup?

Thanks in advance for your help!

The most logical answer: something is wrong in your setup.
You saw that one coming, right ? :laughing:

Please post config of capsman controller and one of the caps.
Terminal, /export file=anynameyouwish
Move to text editor, remove any sensitive info (serial, public IP, passwds, …)

Post back here between [code] quotes.

ya you are right :smiley: :smiley:

# 2024-09-03 19:20:03 by RouterOS 7.15.3
# software id = J362-WE7S
#
# model = RB5009UPr+S+
# serial number = xxxxxx
/interface bridge
add mtu=1480 name=bridge1 port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
set [ find default-name=ether2 ] poe-out=off
set [ find default-name=ether3 ] name="ether3 - NVR" poe-out=off
set [ find default-name=ether4 ] advertise=\
    100M-baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full name=\
    "ether4 - AJAX" poe-out=off
set [ find default-name=ether5 ] disabled=yes poe-out=off
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface pppoe-client
add disabled=no interface=ether1 name=pppoe-out1 user=\
    xxxxxx
/interface vlan
add interface=bridge1 name=Gast-VLAN vlan-id=20
add interface=bridge1 name=Intern-VLAN vlan-id=10
/interface list
add name=Intern-List
/interface wifi channel
add band=5ghz-ax disabled=no name=channel5G
add band=2ghz-ax disabled=no name=channel2G
/interface wifi datapath
add bridge=bridge1 client-isolation=yes disabled=no name=Intern vlan-id=10
add bridge=bridge1 disabled=no name=Gast vlan-id=20
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=sec1
add authentication-types="" disabled=no ft=yes ft-over-ds=yes name=sec2
/interface wifi configuration
add channel=channel5G country=Germany datapath=Intern disabled=no name=\
    Config-Intern-5G security=sec1 ssid=Intern_OG
add channel=channel2G country=Germany datapath=Intern disabled=no name=\
    Config-Intern-2G security=sec1 security.wps=push-button ssid=\
    Intern_OG
add channel=channel2G country=Germany datapath=Gast disabled=no name=\
    Config-Gast-2G security=sec2 ssid=Gast_OG
add channel=channel2G country=Germany datapath=Gast disabled=no name=\
    Config-Gast-5G security=sec2 ssid=Gast_OG
/ip hotspot profile
add hotspot-address=192.168.20.1 http-cookie-lifetime=1w login-by=\
    cookie,http-chap,http-pap,trial name=hsprof1 trial-uptime-limit=1w \
    trial-uptime-reset=1w
/ip hotspot user profile
set [ find default=yes ] mac-cookie-timeout=1d
add mac-cookie-timeout=1d name=emails
/ip pool
add name=Bridge-Pool ranges=192.168.1.50-192.168.1.254
add name=Gast-Pool ranges=192.168.20.50-192.168.20.254
add name=Intern-Pool ranges=192.168.10.50-192.168.10.254
/ip dhcp-server
add address-pool=Intern-Pool interface=Intern-VLAN lease-time=1h name=\
    DHCP-Intern
add address-pool=Gast-Pool interface=Gast-VLAN lease-time=1h name=DHCP-Gast
add address-pool=Bridge-Pool interface=bridge1 lease-time=1h name=DHCP-Bridge
/ip hotspot
add address-pool=Gast-Pool disabled=no interface=Gast-VLAN name=hotspot1 \
    profile=hsprof1
/ip smb users
add disabled=yes name=admin
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge1 interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface="ether3 - NVR" internal-path-cost=10 path-cost=\
    10
add bridge=bridge1 interface="ether4 - AJAX" internal-path-cost=10 path-cost=\
    10
add bridge=bridge1 interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether8 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge1 tagged=\
    "ether8,ether7,ether6,ether2,ether3 - NVR,ether4 - AJAX,bridge1" \
    vlan-ids=10
add bridge=bridge1 tagged=\
    "ether8,ether7,ether6,ether2,ether3 - NVR,ether4 - AJAX,bridge1" \
    vlan-ids=20
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=Intern-VLAN list=Intern-List
add interface=bridge1 list=Intern-List
/interface wifi access-list
add action=accept client-isolation=no disabled=no mac-address=\
    AA:70:96:5E:E7:11
add action=accept disabled=no mac-address=F8:A2:6D:3F:34:78
/interface wifi capsman
set ca-certificate=auto enabled=yes interfaces=bridge1 package-path="" \
    require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
    Config-Intern-5G slave-configurations=Config-Gast-5G supported-bands=\
    5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
    Config-Intern-2G slave-configurations=Config-Gast-2G supported-bands=\
    2ghz-ax
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.20.1/24 interface=Gast-VLAN network=192.168.20.0
add address=192.168.10.1/24 interface=Intern-VLAN network=192.168.10.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add add-default-route=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.1.252 client-id=1:d4:1:c3:58:69:c4 mac-address=\
    D4:01:C3:58:69:C4 server=DHCP-Bridge
add address=192.168.10.254 client-id=1:f8:a2:6d:3f:34:78 mac-address=\
    F8:A2:6D:3F:34:78 server=DHCP-Intern
add address=192.168.1.250 client-id=1:f4:b1:c2:ca:9d:6d mac-address=\
    F4:B1:C2:CA:9D:6D server=DHCP-Bridge
add address=192.168.1.249 client-id=1:9c:75:6e:14:30:e2 mac-address=\
    9C:75:6E:14:30:E2 server=DHCP-Bridge
add address=192.168.1.253 client-id=1:d4:1:c3:58:5f:ce mac-address=\
    D4:01:C3:58:5F:CE server=DHCP-Bridge
add address=192.168.1.254 client-id=1:d4:1:c3:58:6a:3c mac-address=\
    D4:01:C3:58:6A:3C server=DHCP-Bridge
add address=192.168.10.253 client-id=1:d4:43:e:73:47:3e mac-address=\
    D4:43:0E:73:47:3E server=DHCP-Intern
add address=192.168.10.252 client-id=1:d4:43:e:27:41:94 mac-address=\
    D4:43:0E:27:41:94 server=DHCP-Intern
add address=192.168.20.93 client-id=1:e8:aa:cb:f9:31:32 mac-address=\
    E8:AA:CB:F9:31:32 server=DHCP-Gast
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.20.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.10.254 list="Authorized "
add address=192.168.10.253 list="Authorized "
add address=192.168.10.252 list="Authorized "
add address=xxxx list="Walled Garden"
add address=xxxx list="Walled Garden"
add address=xxxx list="Walled Garden"
add address=192.168.20.93 list="Authorized "
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=drop chain=forward comment="Printer Access" in-interface=\
    Intern-VLAN log=yes out-interface=Gast-VLAN src-address-list=\
    "!Authorized "
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat disabled=yes out-interface=pppoe-out1 port=\
    35380 protocol=tcp to-addresses=192.168.178.1 to-ports=80
add action=dst-nat chain=dstnat disabled=yes in-interface=ether1 port=443 \
    protocol=tcp to-addresses=192.168.1.246 to-ports=443
add action=dst-nat chain=dstnat disabled=yes in-interface=ether1 port=8000 \
    protocol=tcp to-addresses=192.168.1.246 to-ports=8000
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.20.0/24
/ip hotspot ip-binding
add address=192.168.20.93 mac-address=E8:AA:CB:F9:31:32 server=hotspot1 \
    to-address=192.168.20.93 type=bypassed
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip hotspot walled-garden ip
add action=accept disabled=no !dst-address dst-address-list="Walled Garden" \
    !dst-port !protocol !src-address !src-address-list
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=192.168.178.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=35322
set api address=213.130.145.109/32
set winbox port=35300
set api-ssl disabled=yes
/ip smb shares
add directory=hotspot name=share1
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Router
/system note
set show-at-login=no
/tool sniffer
set filter-interface=Intern-VLAN filter-src-mac-address=\
    AA:70:96:5E:E7:11/FF:FF:FF:FF:FF:FF
/user group
add name=ssh policy="ssh,!local,!telnet,!ftp,!reboot,!read,!write,!policy,!tes\
    t,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!rest-api"

Your CAPs have wifi-qcom-ac or wireless package installed?

I only see config on RB5009.
Where is the config of one of the caps ?

wifi-qcom

My issue is with pre-configured CAPs. Every time I purchase new CAPs, I have to reset them using Ether2 and apply my configurations. Now imagine if I have 30 CAPs — I’d need to reset each one, configure it via Ether2, and then switch the cable back to Ether1.

For example, in my last project, the electrical technician had already installed all the cables and sockets, and connected everything to Ether1. After that, I couldn’t change the CAP’s configuration because I didn’t have direct access to the CAP via the router. So, I had to connect to each CAP individually via WLAN or Ether2 to change the configuration. This is because with pre-configured CAPs, you don’t have access to them through Ether1.

Just to clear some things out …
Are we talking about cAP AX devices or cAP XL AC devices ?

Former are pure AX devices and should work when put in caps mode.
Latter are AC devices and need wifi-qcom-ac package to be used with wave-capsman (under wifi menu structure) AND there are quite a bit of caveats w.r.t. VLAN handling etc.

That needs to be cleared first so there is no misunderstanding.

Thanks for your reply.
Both of them; my next project is with cAP AC.

Please be clear.

Your first post says cAP XL. There is only cAP XL AC having “XL” in the name so we have to assume you are referring to that one.
Then you say they use wifi-qcom (which is simply wrong for that device, it should use wifi-qcom-ac and then you have all the caveats I mentioned with it).

What is it ?

Hi again,

I’m not referring to a single configuration or project, but rather the default configuration of CAPs in general. It doesn’t matter which model. My issue is: why can’t I access new CAPs (straight out of the box and installed directly on the wall) using Winbox?

It doesn’t seem very professional to install 30 CAPs and then, for the first setup, have to physically connect to each one individually via Ether2 or WLAN just to open Winbox and apply my configuration.

Any insights on how to streamline this process?

It DOES matter which cap device you use, as indicated above.

If you are unwilling to answer, then I am wasting my time here.

Oh, sorry, I don’t want to waste your time, and I really appreciate your efforts to help me.

For the setup I mentioned earlier, I used 3 cAP ax devices. After configuring everything in the router, I still had to physically go to each of the 3 CAPs, connect my laptop directly via cable, and reset the pre-configuration.

Why can’t I connect to the CAPs using Winbox from the router? Why do I have to physically go to each CAP just to apply my configuration?

This is my config on the cAP ax:

# 2024-09-11 21:32:35 by RouterOS 7.15.2
# software id = 5Y52-S492
#
# model = cAPGi-5HaxD2HaxD
# serial number = xxxxxxxxxxxx
/interface bridge
add name=bridge1 port-cost-mode=short
/interface wifi datapath
add bridge=bridge1 disabled=no name=datapath1
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: Intern_OG, channel: 5580/ax/Ceee
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath=datapath1 disabled=no
# managed by CAPsMAN
# mode: AP, SSID: Intern_OG, channel: 2437/ax/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    datapath=datapath1 disabled=no
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface wifi cap
set discovery-interfaces=bridge1 enabled=yes slaves-datapath=datapath1
/ip dhcp-client
add interface=bridge1
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=WiFi-Mitte
/system note
set show-at-login=no

Did you reset those cap ax to caps mode ?
Because if not, that would explain why you can not reach them straight away.

Does this mean I need to connect each CAP to PoE and reset it before installing it on the wall?

If you can reach the reset button when attached to wall then: no.

Is there any other option to avoid resetting the CAPs? Sometimes the electricians install the CAPs on the wall before I even begin setting up the router.

Reset them to caps mode before handing over the devices.
That’s what I do.

Alternatives

  • always have ether2 connected as well to cable
  • connect to device default wifi and then reset to caps mode
  • pre configure device before it is being installed.

Because out of factory, default config for most MT models is “home router” mode … in which first ether port (ether1) is used as WAN port and to protect device from being exploited before the ignorant users do the initial configuration (it’s been said that some users never do), remote management access to device is blocked via WAN port. Changing over to CAP mode can be done by pressing button while powering device up … and that’s about the simplest procedure possible (even some installer should be able to do it while mounting the device on the ceiling).

Default config has the rest of ether ports (and wireless) bridged and set as LAN … from which management access to device is possible. Hence the suggestion to install ether2 cable as well (but that one should be removed after device commissioning if location is accessible to non-authorized people … and that involves climbing to the device itself again).

So I agree that it’s best to do basic commissioning prior to handing devices out to installers.
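As an added example (not from the thread or from MikroTik), a small Python checker that parses a RouterOS `/export` in the shape posted above and answers the two questions this thread turns on: is ether1 a bridge port (so management traffic arriving on it reaches the device), and is CAP mode already enabled. The two sample exports are constructed; the "default" one reflects the thread's description of the factory config (ether1 as WAN, not bridged), which is an assumption, not a verified export.

```python
import re
from collections import defaultdict
# Constructed sample in the shape of the cAP ax export posted above (trimmed).
CAP_EXPORT = """\
# model = cAPGi-5HaxD2HaxD
/interface bridge
add name=bridge1 port-cost-mode=short
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \\
    datapath=datapath1 disabled=no
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/interface wifi cap
set discovery-interfaces=bridge1 enabled=yes slaves-datapath=datapath1
"""
# Constructed "home router" style default (assumption, as the thread describes
# it): ether1 is WAN and not a bridge port, so it offers no management access.
DEFAULT_EXPORT = """\
/interface bridge port
add bridge=bridge interface=ether2
"""
KV = re.compile(r'([\w.-]+)=("[^"]*"|\S*)')  # key=value, quoted or bare

def parse_export(text):
    """Map each '/section' of a RouterOS export to its command lines."""
    sections, section, buf = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                     # blank line or export comment
        if line.endswith("\\"):
            buf += line[:-1]             # continuation: keep collecting
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = line
        elif section:
            sections[section].append(line)
    return sections

def kv(cmd):
    """key=value pairs of one command; quotes stripped, spaces kept."""
    return {k: v.strip('"') for k, v in KV.findall(cmd)}
def cap_checks(text):
    """Is the device manageable through ether1, and is it already in CAP mode?"""
    s = parse_export(text)
    bridged = {kv(c).get("interface") for c in s.get("/interface bridge port", [])}
    return {"ether1_bridged": "ether1" in bridged,
            "cap_enabled": any(kv(c).get("enabled") == "yes"
                               for c in s.get("/interface wifi cap", []))}
```

Run it over the export of each cAP before handing the devices to the installer; a device that reports `ether1_bridged: False` is the one you would otherwise have to climb up to later.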

If device is fully bridged it doesn’t matter if ether1 and 2 are connected. Both are accessible then to non-authorized people.
You need to protect the other end of the cables, where they are plugged into the switch(es).
And that’s usually a restricted area with lock (network cabinet or whole room).
My view …

And as for router access itself: all of us being sensible admins do change default password, don’t we ? :laughing:

Agree to that. I was just explaining to @OP why he can’t manage device via ether1 if they’re running factory default config (which doesn’t bridge ether1 with the rest of ports AFAIK).