Devices are not able to connect to wifi

RouterOS Beginner Basics
1

Hello all,

currently I’m working on a setup to replace my current infrastructure. Right now it will only be a router (CCR) and some AP (CAP ax) with CAPSMAN as this is the core function which has to work before I swich over the HW. So right now it is still some preliminary setup and WAN, DHCP, VLAN and firewall is not setup yet to its final state, instead I’m only using bridge with DHCP client to existing setup for updates etc. and which is working right now.
So my main focus is to get the whole wireless thing working before continuing with more CAPs, WAN etc. afterwards.

My problem right now is that everything looks good, provisioning is working. I can see all my current SSIDs, but I’m unable to connect to from devices. I tried different and lower wifi standards and narrower band widths, but nothing makes a difference
Meanwhile I managed to get some logs from at least 2 devices which I can also see under resistration for a brief time, for the other devices there is no log at all.

 2025-05-14 19:57:18 wireless,info 30:56:XXX@CAP-H-OG-cfg1-5GHz disconnected, connection lost, signal strength -72
 2025-05-14 19:57:18 wireless,debug 30:56:XXX@CAP-H-OG-cfg1-5GHz disassociated, connection lost, signal strength -72
 2025-05-14 19:57:20 wireless,debug 30:56:XXX@CAP-H-OG-cfg1-5GHz associated, signal strength -61
 2025-05-14 19:57:20 wireless,info 30:56:XXX@CAP-H-OG-cfg1-5GHz connected, signal strength -64
 2025-05-14 19:57:27 wireless,debug FE:5F:XXX@CAP-H-OG-cfg1-5GHz associated, signal strength -61
 2025-05-14 19:57:27 wireless,info FE:5F:XXX@CAP-H-OG-cfg1-5GHz connected, signal strength -61
 2025-05-14 19:57:38 wireless,info 30:56:XXX@CAP-H-OG-cfg1-5GHz disconnected, connection lost, signal strength -59
 2025-05-14 19:57:38 wireless,debug 30:56:XXX@CAP-H-OG-cfg1-5GHz disassociated, connection lost, signal strength -59
 2025-05-14 19:57:41 wireless,debug 30:56:XXX@CAP-H-OG-cfg1-5GHz associated, signal strength -54
 2025-05-14 19:57:41 wireless,info 30:56:XXX@CAP-H-OG-cfg1-5GHz connected, signal strength -65

Does anyone has any idea what could be a possible reason fo that?
On the one hand I think it might be an authentication issue but every tutorial or video I’ve seen so far seems to configure it similarly. On the other hand it might be related to radio config itself as I would expect to see at least some log entry for physical connection if it is only an authentication issue. But dunno how detailed the logging on MikroTik is or should be in that case.

Here is my config of my CCR:

# 2025-05-14 18:07:39 by RouterOS 7.18.2
# software id = 713R-C5JC
#
# model = CCR2004-1G-12S+2XS
# serial number = xxx
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=MNGMT
set [ find default-name=sfp-sfpplus3 ] disabled=yes
set [ find default-name=sfp-sfpplus4 ] disabled=yes
set [ find default-name=sfp-sfpplus5 ] disabled=yes
set [ find default-name=sfp-sfpplus6 ] disabled=yes
set [ find default-name=sfp-sfpplus7 ] disabled=yes
set [ find default-name=sfp-sfpplus8 ] disabled=yes
set [ find default-name=sfp-sfpplus9 ] disabled=yes
set [ find default-name=sfp-sfpplus11 ] disabled=yes
set [ find default-name=sfp-sfpplus12 ] comment=
set [ find default-name=sfp28-1 ] disabled=yes
set [ find default-name=sfp28-2 ] disabled=yes
/interface pppoe-client
add add-default-route=yes interface=sfp-sfpplus1 mrru=1500 name=xxx user=\
    xxx
/interface vlan
add interface=bridge1 name=vlan20 vlan-id=20
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2437 name=24_6 width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2462 name=24_11 width=20/40/80mhz
add band=5ghz-ax comment=5680 disabled=no frequency=5680 name=5_56 width=\
    20/40/80mhz
add band=5ghz-ax disabled=no frequency=5560 name=5_112 width=20/40/80mhz
/interface wifi datapath
add bridge=bridge1 disabled=no name=datapath1
add bridge=bridge1 disabled=no name=datapath2_guest vlan-id=20
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=yes disabled=no \
    encryption=ccmp,ccmp-256 group-encryption=ccmp group-key-update=30s \
    management-protection=allowed name=FRITZBoxFonWLAN7390
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 group-encryption=ccmp group-key-update=30s name=\
    "FRITZBoxFonWLAN7390 Guest"
/interface wifi steering
add disabled=no name=steering1
/interface wifi configuration
add channel.band=5ghz-ax .reselect-interval=1s..5s .width=20/40/80mhz country=\
    Germany datapath=datapath1 datapath.bridge=bridge1 disabled=no mode=ap name=\
    "FRITZBoxFonWLAN7390 5Ghz_1" security=FRITZBoxFonWLAN7390 \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp,ccmp-256 \
    ssid=FRITZBoxFonWLAN7390 steering=steering1
add channel.band=2ghz-ax .reselect-interval=1m..10h .width=20mhz country=Germany \
    datapath=datapath2_guest disabled=no mode=ap name=\
    "FRITZBoxFonWLAN7390 Guest" security="FRITZBoxFonWLAN7390 Guest" \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp,ccmp-256 \
    ssid="FRITZBoxFonWLAN7390 Guest" steering=steering1 tx-power=8
add channel.band=2ghz-ax .reselect-interval=1s..5s .width=20/40mhz country=\
    Germany disabled=no mode=ap name="FRITZBoxFonWLAN7390 24Ghz_1" security=\
    FRITZBoxFonWLAN7390 security.authentication-types=wpa2-psk,wpa3-psk \
    .encryption=ccmp,ccmp-256 .group-encryption=ccmp ssid=\
    "FRITZBoxFonWLAN7390 2.4" steering=steering1 tx-power=8
add channel.band=5ghz-ax .reselect-interval=1s..5s .width=20/40/80mhz country=\
    Germany datapath=datapath1 datapath.bridge=bridge1 disabled=no mode=ap name=\
    "FRITZBoxFonWLAN7390 5Ghz_2" security=FRITZBoxFonWLAN7390 \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp,ccmp-256 \
    ssid=FRITZBoxFonWLAN7390 steering=steering1 tx-power=14
add channel.band=2ghz-ax .reselect-interval=1s..5s .width=20/40mhz country=\
    Germany disabled=no mode=ap name="FRITZBoxFonWLAN7390 24Ghz_2" security=\
    FRITZBoxFonWLAN7390 security.authentication-types=wpa2-psk,wpa3-psk \
    .encryption=ccmp,ccmp-256 .group-encryption=ccmp ssid=\
    "FRITZBoxFonWLAN7390 2.4" steering=steering1 tx-power=8
/ip dhcp-server option
add code=138 name="CAPWAP AC" value="'192.168.1.2'"
/ip dhcp-server option sets
add name=set1 options="CAPWAP AC"
/ip pool
add name=dhcp_pool0 ranges=192.168.X.X-192.168.X.X
add name=dhcp_pool1 ranges=192.168.X.X,192.168.X.X-192.168.X.X
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=yes interface=bridge1 name=dhcp1 \
    server-address=192.168.X.X
/port
set 0 name=serial0
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=sfp-sfpplus2
add bridge=bridge1 interface=sfp-sfpplus3
add bridge=bridge1 interface=sfp-sfpplus4
add bridge=bridge1 interface=sfp-sfpplus5
add bridge=bridge1 interface=sfp-sfpplus6
add bridge=bridge1 interface=sfp-sfpplus7
add bridge=bridge1 interface=sfp-sfpplus8
add bridge=bridge1 interface=sfp-sfpplus9
add bridge=bridge1 interface=sfp-sfpplus10
add bridge=bridge1 interface=sfp-sfpplus11
add bridge=bridge1 interface=sfp-sfpplus12
add bridge=bridge1 interface=sfp28-1
add bridge=bridge1 interface=sfp28-2
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=all \
    wan-interface-list=all
/interface list member
add interface=ether1 list=LAN
add interface=sfp-sfpplus1 list=LAN
add disabled=yes interface=sfp-sfpplus2 list=LAN
add disabled=yes interface=sfp-sfpplus3 list=LAN
add disabled=yes interface=sfp-sfpplus4 list=LAN
add disabled=yes interface=sfp-sfpplus5 list=LAN
add disabled=yes interface=sfp-sfpplus6 list=LAN
add disabled=yes interface=sfp-sfpplus7 list=LAN
add disabled=yes interface=sfp-sfpplus8 list=LAN
add disabled=yes interface=sfp-sfpplus9 list=LAN
add disabled=yes interface=sfp-sfpplus10 list=LAN
add disabled=yes interface=sfp-sfpplus11 list=LAN
add interface=sfp-sfpplus12 list=LAN
add disabled=yes interface=sfp28-1 list=LAN
add disabled=yes interface=sfp28-2 list=LAN
add interface=iNeXio list=WAN
/interface ovpn-server server
add mac-address=XXX name=ovpn-server1
/interface wifi cap
set certificate=none discovery-interfaces=bridge1
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=bridge1 \
    package-path=/packages require-peer-certificate=no upgrade-policy=\
    suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled comment=cfg1_5 disabled=no identity-regexp=\
    "cfg1\$" master-configuration="FRITZBoxFonWLAN7390 5Ghz_1" name-format=\
    %I-5GHz supported-bands=5ghz-ax
add action=create-dynamic-enabled comment=cfg1_24 disabled=no identity-regexp=\
    "cfg1\$" master-configuration="FRITZBoxFonWLAN7390 24Ghz_1" name-format=\
    %I-24GHz slave-configurations="FRITZBoxFonWLAN7390 Guest" slave-name-format=\
    %I-24GHz_G supported-bands=2ghz-ax
add action=create-dynamic-enabled comment=cfg2_5 disabled=no identity-regexp=\
    "cfg2\$" master-configuration="FRITZBoxFonWLAN7390 5Ghz_2" name-format=\
    %I-5gHz supported-bands=5ghz-ax
add action=create-dynamic-enabled comment=cfg2_24 disabled=no identity-regexp=\
    "cfg2\$" master-configuration="FRITZBoxFonWLAN7390 24Ghz_2" name-format=\
    %I-24gHz slave-configurations="FRITZBoxFonWLAN7390 Guest" slave-name-format=\
    %I-24gHz_G supported-bands=2ghz-ax
/iot lora traffic options
set crc-errors=no
set crc-errors=no
/ip address
add address=192.168.X.X/24 disabled=yes interface=sfp-sfpplus1 network=\
    192.168.X.X
add address=192.168.X.X disabled=yes interface=bridge1 network=192.168.X.X
/ip dhcp-client
add disabled=yes interface=sfp-sfpplus1
add interface=bridge1
/ip dns
set servers=192.168.X.X
/ip firewall address-list
add address=192.168.X.X-192.168.X.Xlist=X
/ip firewall nat
# iNeXio not ready
add action=masquerade chain=srcnat in-interface=bridge1 out-interface=XXX
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MikroTik_
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=de.pool.ntp.org
/system routerboard settings
set enter-setup-on=delete-key

And config of one of the CAPs:

# 2025-05-14 18:26:59 by RouterOS 7.18.2
# software id = 39LG-L846
#
# model = cAPGi-5HaxD2HaxD
# serial number = XXX
/interface bridge
add admin-mac=XXX auto-mac=no comment=defconf name=bridgeLocal
/interface wifi
# managed by CAPsMAN XXX%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: FRITZBoxFonWLAN7390, channel: 5500/ax/Ceee/D
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=\
    no
# managed by CAPsMAN XXX%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: FRITZBoxFonWLAN7390 2.4, channel: 2462/ax/eC
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=\
    no
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifi cap
set certificate=request discovery-interfaces=bridgeLocal enabled=yes \
    lock-to-caps-man=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=CAP-H-cfg2
/system leds settings
set all-leds-off=after-1h
/system note
set show-at-login=no

Thank you

2

Quick look and it seems to me that your VLAN configuration is wrong.

You defined VLAN interface and it’s attached to the bridge which is good. Then you assign IP address to the bridge instead of the VLAN interface which is bad.

Also DHCP server should be set on that VLAN, not the bridge.

Also why are you hiding your subnets ? It’s safe to show them.

3

Found the error(s) already.
Seems that sometimes MikroTik sometiimes doesn’t automatically add wifi interfaces to bridges. Sometimes it does, sometimes it doesn’t. Added wifi interface manually and fixed error 1.

Error 2 is not yet completely fixed. Issue is that although SSID has multiple security methods assigned (wpa2, wpa3) fallback to wpa2 if devices dont support wpa3 doenst work reliable.
For now I’ve added another SSID with only wpa2 active and this allowed to add few devices which were not able to connect before, but unfortunately not all of them yet.

4

That’s not the problem with AP, it’s a problem with client device. AP broadcasts capability values and it’s up to station to negotiate ctoss-section of supported features. But some client devices are brain-dead enough to barf on seeing capabilities they don’t support (for them it’s a “reserved for future use” bit set and they refuse to communicate). And yes, in this case the only wax is to configure AP in the way they don’t get upset. Security method is per SSID so it’s enough to add a slave interface. Some devices barf on radio features (e.g. ax standard) and that means a serious degradation of whole AP might be required.