hAP ac² as CAP, WiFi speed and how to isolate clients

Hi. I’m new to networking and Mikrotik, and I have a few questions.

I’m in the process of learning networks and I’m planning to use Mikrotik hardware, as it has a good price, it is advanced and it is made by local Latvians. I’m in the process of replacing all the network hardware in my home with Mikrotik, so it can be my little lab where I can learn. I have already bought a hEX S and a cAP ac, and borrowed an RB260GSP and two hAPs. I have a two-room flat and my plan is to have the cAP ac/hAP ac as APs in both rooms. Before Mikrotik I was using TP-Link EAP225 v3 as my APs, one in my bedroom and another one in the corridor, in the middle of the flat. Wiring I understand well enough and everything works as it should; the problem is with WiFi. Last Saturday I received the cAP ac and set it up with CAPsMAN in my bedroom. My issue with it is the speed on all the Mikrotik APs I have tested, hAPs and cAP acs. On 2.4GHz and 5GHz the speed is half of what I had with the TP-Link EAP225 v3 units. On 2.4GHz I can get around 20mbps and on 5GHz around 200mbps download and upload. Tests are done with iperf3 and Speedtest.net (I know it is not the best test, but as a second opinion it’s fine). The hEX S is my main router and its configuration is as follows:

/caps-man channel
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2412 name=CH1
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2417 name=CH2
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2422 name=CH3
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2427 name=CH4
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2432 name=CH5
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2437 name=CH6
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2442 name=CH7
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2447 name=CH8
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2452 name=CH9
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2457 name=CH10
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2462 name=CH11
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2467 name=CH12
add band=2ghz-onlyn control-channel-width=20mhz extension-channel=disabled \
    frequency=2472 name=CH13
add band=5ghz-onlyac frequency=5180 name=CH36
add band=5ghz-onlyac frequency=5200 name=CH40
add band=5ghz-onlyac frequency=5220 name=CH44
add band=5ghz-onlyac frequency=5240 name=CH48
add band=5ghz-onlyac frequency=5260 name=CH52
add band=5ghz-onlyac frequency=5280 name=CH56
add band=5ghz-onlyac frequency=5300 name=CH60
add band=5ghz-onlyac frequency=5320 name=CH64
add band=5ghz-onlyac frequency=5500 name=CH100
add band=5ghz-onlyac frequency=5520 name=CH104
add band=5ghz-onlyac frequency=5540 name=CH108
add band=5ghz-onlyac frequency=5560 name=CH112
add band=5ghz-onlyac frequency=5580 name=CH116
add band=5ghz-onlyac frequency=5600 name=CH120
add band=5ghz-onlyac frequency=5620 name=CH124
add band=5ghz-onlyac frequency=5640 name=CH128
add band=5ghz-onlyac frequency=5660 name=CH132
add band=5ghz-onlyac frequency=5680 name=CH136
add band=5ghz-onlyac frequency=5700 name=CH140
add band=5ghz-onlyac frequency=5745 name=CH149
add band=5ghz-onlyac frequency=5765 name=CH153
add band=5ghz-onlyac frequency=5785 name=CH157
add band=5ghz-onlyac frequency=5805 name=CH161
add band=5ghz-onlyac frequency=5825 name=CH165
/interface bridge
add admin-mac=74:4D:28:78:2A:18 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment="Maigo\F2a ala"
set [ find default-name=ether5 ] comment="Koridora AP"
/caps-man configuration
add channel.tx-power=15 datapath.bridge=bridge datapath.local-forwarding=no \
    name=cfg1 rates.basic="" rates.ht-basic-mcs="" rates.ht-supported-mcs="" \
    rates.supported="" security.authentication-types=wpa2-psk \
    security.disable-pmkid=no security.encryption=aes-ccm ssid=Sleepnis
add channel.tx-power=15 datapath.bridge=bridge datapath.local-forwarding=no \
    name=cfg2 rates.basic="1Mbps,2Mbps,5.5Mbps,11Mbps,6Mbps,9Mbps,12Mbps,18Mbp\
    s,24Mbps,36Mbps,48Mbps,54Mbps" rates.ht-basic-mcs="" \
    rates.ht-supported-mcs="" rates.supported="1Mbps,2Mbps,5.5Mbps,11Mbps,6Mbp\
    s,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps" \
    security.authentication-types=wpa2-psk security.disable-pmkid=no \
    security.encryption=aes-ccm ssid=test
/caps-man interface
add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz \
    channel.extension-channel=disabled channel.frequency=2412 configuration=\
    cfg2 disabled=yes l2mtu=1600 mac-address=E4:8D:8C:D7:A9:D8 \
    master-interface=none name=534 radio-mac=E4:8D:8C:D7:A9:D8 radio-name=""
/caps-man rates
add basic=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps name=ieteicamie \
    supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
add basic="1Mbps,2Mbps,5.5Mbps,11Mbps,6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,\
    48Mbps,54Mbps" name=visi supported="1Mbps,2Mbps,5.5Mbps,11Mbps,6Mbps,9Mbps\
    ,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps"
/caps-man interface
add channel=CH11 configuration=cfg1 disabled=no l2mtu=1600 mac-address=\
    E4:8D:8C:CB:90:49 master-interface=none name=532 radio-mac=\
    E4:8D:8C:CB:90:49 radio-name=E4:8D:8C:CB:90:49 rates=ieteicamie
add channel=CH6 channel.tx-power=8 configuration=cfg1 disabled=no l2mtu=1600 \
    mac-address=C4:AD:34:D9:4B:06 master-interface=none name=\
    "Maigonja istaba 2.4GHz" radio-mac=C4:AD:34:D9:4B:06 radio-name=\
    C4AD34D94B06 rates=ieteicamie
add arp=enabled channel=CH36 configuration=cfg1 \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=no \
    disabled=no l2mtu=1600 mac-address=C4:AD:34:D9:4B:07 master-interface=\
    none mtu=1500 name="Maigonja istaba 5GHz" radio-mac=C4:AD:34:D9:4B:07 \
    radio-name=C4AD34D94B07 rates=ieteicamie
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=ovpn-pool ranges=192.168.77.2-192.168.77.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=8h name=defconf
/ppp profile
add local-address=192.168.77.1 name=ovpn remote-address=ovpn-pool
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/system logging action
set 1 disk-file-count=10 disk-file-name=disk1/log disk-lines-per-file=10000
/tool traffic-generator port
add interface=ether5 name=port1
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=\
    "Maigonja istaba 2.4GHz" mac-address=D8:50:E6:9A:83:9D ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=any \
    mac-address=D8:50:E6:9A:83:9D ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no interface=\
    "Maigonja istaba 5GHz" mac-address=F0:86:20:89:85:24 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=any \
    mac-address=F0:86:20:89:85:24 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no interface=532 \
    mac-address=40:CD:7A:D1:3B:20 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=any \
    mac-address=40:CD:7A:D1:3B:20 ssid-regexp=""
add action=accept signal-range=-70..120
add action=reject
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=none
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set certificate=server
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.2 mac-address=E0:D5:5E:A3:EF:5B server=defconf
add address=192.168.88.3 mac-address=C4:AD:34:D9:4B:04 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=91.198.156.20 gateway=\
    192.168.88.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=63718 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.88.2 to-ports=63718
add action=dst-nat chain=dstnat dst-port=5135 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.88.2 to-ports=5135
add action=dst-nat chain=dstnat disabled=yes dst-port=1194 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.88.1 to-ports=1194
add action=dst-nat chain=dstnat disabled=yes dst-port=8050 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.88.2 to-ports=8050
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes \
    src-address=192.168.89.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=vpn
add name=client1 profile=ovpn
add name=client2 profile=ovpn
/system clock
set time-zone-name=Europe/Riga
/system identity
set name="Sleepnja Kastiite"
/system logging
set 0 disabled=yes
set 1 disabled=yes
set 2 disabled=yes
set 3 disabled=yes
add action=disk topics=info
add action=disk topics=error
add action=disk topics=critical
add action=disk topics=warning
/system ntp client
set enabled=yes primary-ntp=91.240.246.1 secondary-ntp=91.240.246.1
/system scheduler
add interval=1d name="Auto Upgrade" on-event=\
    "/system script run \"Auto Upgrade\"" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=nov/11/2019 start-time=03:00:00
/system script
add dont-require-permissions=no name="Auto Upgrade" owner=maigonis policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    #\r\
    \n##   Automatically upgrade RouterOS and Firmware\r\
    \n##   https://github.com/massimo-filippi/mikrotik\r\
    \n##\r\
    \n##   script by Maxim Krusina, maxim@mfcc.cz\r\
    \n##   based on: http://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS\r\
    \n##   created: 2014-12-05\r\
    \n##   updated: 2019-01-26\r\
    \n##   tested on: RouterOS 6.43.8 / multiple HW devices\r\
    \n##\r\
    \n########## Set variables\r\
    \n## Update channel can take values before 6.43.8: bugfix    | current | d\
    evelopment | release-candidate\r\
    \n## Update channel can take values after  6.43.8: long-term | stable  | d\
    evelopment | testing\r\
    \n:local updChannel       \"stable\"\r\
    \n## Notify via Slack\r\
    \n:local notifyViaSlack   false\r\
    \n:global SlackChannel    \"#log\"\r\
    \n## Notify via E-mail\r\
    \n:local notifyViaMail    false\r\
    \n:local email            \"your@email.com\"\r\
    \n########## Upgrade firmware\r\
    \n## Let's check for updated firmware\r\
    \n:local rebootRequired false\r\
    \n/system routerboard\r\
    \n\r\
    \n:if ( [get current-firmware] != [get upgrade-firmware]) do={\r\
    \n\r\
    \n   ## New version of firmware available, let's upgrade\r\
    \n   ## Notify via Log\r\
    \n   :log info (\"Upgrading firmware on router \$[/system identity get nam\
    e] from \$[/system routerboard get current-firmware] to \$[/system routerb\
    oard get upgrade-firmware]\")\r\
    \n   ## Notify via Slack\r\
    \n   :if (\$notifyViaSlack) do={\r\
    \n       :global SlackMessage \"Upgrading firmware on router *\$[/system i\
    dentity get name]* from \$[/system routerboard get current-firmware] to *\
    \$[/system routerboard get upgrade-firmware]*\";\r\
    \n       :global SlackMessageAttachements  \"\";\r\
    \n       /system script run \"Message To Slack\";\r\
    \n   }\r\
    \n   ## Notify via E-mail\r\
    \n   :if (\$notifyViaMail) do={\r\
    \n       /tool e-mail send to=\"\$email\" subject=\"Upgrading firmware on \
    router \$[/system identity get name]\" body=\"Upgrading firmware on router\
    \_\$[/system identity get name] from \$[/system routerboard get current-fi\
    rmware] to \$[/system routerboard get upgrade-firmware]\"\r\
    \n   }\r\
    \n   ## Upgrade (it will no reboot, we'll do it later)\r\
    \n   upgrade\r\
    \n   :set rebootRequired true\r\
    \n\r\
    \n}\r\
    \n\r\
    \n\r\
    \n########## Upgrade RouterOS\r\
    \n\r\
    \n## Check for update\r\
    \n/system package update\r\
    \nset channel=\$updChannel\r\
    \ncheck-for-updates\r\
    \n## Wait on slow connections\r\
    \n:delay 15s;\r\
    \n## Important note: \"installed-version\" was \"current-version\" on olde\
    r Roter OSes\r\
    \n:if ([get installed-version] != [get latest-version]) do={\r\
    \n   ## Notify via Log\r\
    \n   :log info (\"Upgrading RouterOS on router \$[/system identity get nam\
    e] from \$[/system package update get installed-version] to \$[/system pac\
    kage update get latest-version] (channel:\$[/system package update get cha\
    nnel])\")\r\
    \n   ## Notify via Slack\r\
    \n   :if (\$notifyViaSlack) do={\r\
    \n       :global SlackMessage \"Upgrading RouterOS on router *\$[/system i\
    dentity get name]* from \$[/system package update get installed-version] t\
    o *\$[/system package update get latest-version] (channel:\$[/system packa\
    ge update get channel])*\";\r\
    \n       :global SlackMessageAttachements  \"\";\r\
    \n       /system script run \"Message To Slack\";\r\
    \n   }\r\
    \n\r\
    \n   ## Notify via E-mail\r\
    \n   :if (\$notifyViaMail) do={\r\
    \n       /tool e-mail send to=\"\$email\" subject=\"Upgrading RouterOS on \
    router \$[/system identity get name]\" body=\"Upgrading RouterOS on router\
    \_\$[/system identity get name] from \$[/system package update get install\
    ed-version] to \$[/system package update get latest-version] (channel:\$[/\
    system package update get channel])\"\r\
    \n   }\r\
    \n   ## Wait for mail to be sent & upgrade\r\
    \n   :delay 15s;\r\
    \n   install\r\
    \n} else={\r\
    \n    :if (\$rebootRequired) do={\r\
    \n        # Firmware was upgraded, but not RouterOS, so we need to reboot \
    to finish firmware upgrade\r\
    \n        ## Notify via Slack\r\
    \n        :if (\$notifyViaSlack) do={\r\
    \n            :global SlackMessage \"Rebooting...\";\r\
    \n            :global SlackMessageAttachements  \"\";\r\
    \n            /system script run \"Message To Slack\";\r\
    \n        }\r\
    \n        /system reboot\r\
    \n    } else={\r\
    \n        # No firmware nor RouterOS upgrade available, nothing to do, jus\
    t log info\r\
    \n        :log info (\"No firmware nor RouterOS upgrade found.\")\r\
    \n        ## Notify via Slack\r\
    \n        :if (\$notifyViaSlack) do={\r\
    \n            :global SlackMessage \"No firmware nor RouterOS upgrade foun\
    d.\";\r\
    \n            :global SlackMessageAttachements  \"\";\r\
    \n            /system script run \"Message To Slack\";\r\
    \n        }\r\
    \n    }\r\
    \n}"
add dont-require-permissions=yes name=netdownreboot owner=maigonis policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    if ([/ping 8.8.8.8 interval=5 count=60] =0) do={\r\
    \nlog info \"my ping watchdog is down\" ; /system reboot\r\
    \n}"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool netwatch
add down-script="/system script run netdownreboot" host=8.8.8.8
/tool sniffer
set file-name=weee

I will not post the cAP ac and hAP configurations as they have minimal changes from the default CAPs mode. I have just set up a password and changed the identity after resetting them.

I have tested the cAP ac and hAP in standalone mode and they are capable of the speed I expect, ~40mbps on 2.4GHz and ~300mbps on 5GHz. They lose throughput in CAPs mode. I have researched a bit how CAPs mode works and I basically understand that there is bigger CPU usage on the APs, but I don’t understand why the speed drops. At work (I work in a school) I have set up temporary hAPs, as the new network that was deployed by “professionals” (Zibenszeļļi, you rock boys) has very bad WiFi signal in classrooms. They set up UniFi AP-HD in hallways; in classrooms behind a thick wall the RSSI is below -70dBm on mobile devices like phones or tablets, so you can imagine how massive the problems we have are (all config was left on auto, etc.; I will not continue the rant about this and them). So I deployed hAPs so at least we can have proper RSSI, but a speed of 20mbps for 30-70 devices will not be enough. If I can squeeze out 40mbps it would help until a proper solution is in place.

Second question is about the hAP ac². Can it be set in CAPs mode? I want to use this on my work desk as it is more stylish than the cAP ac and more ports will be useful. Is performance the same as the cAP ac?

Third question is about client isolation. I have IoT devices and I want to isolate them. Is there no better way than VLANs?

If you had the TP-245 AC1750 units, going to the cAP ac/hAP ac would probably have been a slight step down in WiFi.
However they should perform equally as well as the TP225 units. Getting the settings right on the MT WiFi products is critical to decent throughput.
Heck, if you’re in Latvia I would drive right to the factory and get a tour and assistance on the spot, if we were allowed to travel and visit LOL.

Here is a good place to start…
https://mum.mikrotik.com/presentations/UK18/presentation_5900_1539209343.pdf

There is also the wifi forum which probably has several threads on common wifi issues.

You have to define better what you mean by isolate clients.
Think of the challenge as writing a use case (set of requirements to build to - without any discussion of equipment or config).
a. I want guest users to use only wifi
b. I want guest users only to have internet access
c. I want guest users not to be able to reach each other on wifi (isolated from each other).
d. OPTIONAL (just for the discussion) I want guest users to be able to use the house printer.

So this clearly points to a group of users, that will only be using wifi service, will only have access to the internet and should be isolated from each other.
This paints a very clear picture.

The quick answer on isolating wifi clients is by UNCHECKING the FORWARD box.
In Winbox, select “WIRELESS” on the left hand menu. The table that pops up is called ‘Wireless Tables’. The default Tab being displayed should be
“WiFi INTERFACES”. Select the WIFI Interface (wlan1, or wlan2 or a virtual wlan you have created)
The selected INTERFACE WIFI will show in another pop-up menu. The default tab selected should be “GENERAL”
Select the “Wireless” Tab (second from the left). The Wireless pop-up menu will be displayed.
Now take your view to the bottom where there are two checkboxes. UNCHECK default forward.
Done. Clients on that Interface are now isolated from each other.
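As an added example (not anav's or the thread's own configuration), these are the console equivalents of the Winbox steps above, plus the matching CAPsMAN property. It assumes a standalone AP with a radio named wlan1, a CAPsMAN configuration named cfg-iot on a datapath named dp-isolated, and placeholder MAC addresses; the bridge named bridge comes from the export earlier in the thread. One caveat worth knowing: both properties only stop forwarding between stations on the same wireless interface of the same AP, so two stations on different APs, or a station and a wired host, still reach each other through the bridge.

```routeros
# Added example (not from the thread). Names wlan1, cfg-iot, dp-isolated and
# the MAC addresses are placeholders; "bridge" is the bridge from the export.

# --- Standalone AP: the "Default Forward" checkbox is default-forwarding.
# With it off, a frame from one station addressed to another station on the
# same wlan1 is dropped at the AP instead of being sent back out over the air.
/interface wireless
set wlan1 default-forwarding=no

# Per-station exception on a standalone AP: the access list can turn
# forwarding back on for one MAC (e.g. a TV that a phone must reach) while
# the interface default stays off.
/interface wireless access-list
add interface=wlan1 mac-address=00:11:22:33:44:55 forwarding=yes \
    comment="TV: may talk to other wifi clients on wlan1"

# --- CAPsMAN: the same switch is client-to-client-forwarding on the
# datapath used by the configuration. local-forwarding=no means the manager
# (the hEX S) forwards client frames, as in the export above.
/caps-man datapath
add name=dp-isolated bridge=bridge local-forwarding=no \
    client-to-client-forwarding=no
/caps-man configuration
add name=cfg-iot ssid=iot datapath=dp-isolated \
    security.authentication-types=wpa2-psk security.encryption=aes-ccm \
    security.passphrase="CHANGE-ME"

# Per-station exception under CAPsMAN: access-list entries carry the same
# property. In the console, type "add" in this menu and press ? to confirm
# the property is listed on your RouterOS version before relying on it.
/caps-man access-list
add action=accept mac-address=00:11:22:33:44:66 \
    client-to-client-forwarding=yes comment="smart TV: forwarding allowed"

# Check what the CAP actually applied and who is associated.
/caps-man interface print detail where configuration=cfg-iot
/caps-man registration-table print
```

Access-list entries are processed top down, so in a list like the one in the export, which ends with a catch-all accept, a per-station entry must be placed above that catch-all (use place-before) or it is never reached.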

Tnx for your answer. The EAP225, which I still have, is a bit more expensive unit and I put the cAP ac and EAP225 in the same basket. I may be mistaken, but the EAP225 and cAP ac have the same 5GHz data rate, they are rated at 867 Mbit/s. The EAP225 has a bit better 2.4GHz, but still. I can get 40mbps in standalone mode on the cAP ac and hAP, the same speed as the EAP225. CAPs mode slows it down. I know that Mikrotik’s configuration is critical, that’s why I’m here.

Tnx for the presentation. I watched this on Youtube last week. :smiley:

We are in isolation like the rest of the world, so no Mikrotik tours. :confused:

I have searched for this issue on Google and forums and I didn’t find an answer, or at least one that I understand.

With client isolation I mean that my Xiaomi smart light bulbs can’t spy on my internal network. :D They can’t see anyone on the internal network and no other devices on my network can ping them. That will be a good start. Answers B and C on your list. I know about “client to client forwarding” in CAPsMAN, but I need that feature for my phone and smart TV. I just want to isolate the light bulbs.

Yes, but my understanding is that the forwarding checkbox is for isolating clients from each other inside the same WLAN interface and has nothing to do with CAPsMAN. (I could be wrong but that is my impression.)

In terms of isolating clients, this is easily accomplished using vlans for each segment of your network. I have 15 vlans in my house for example.
Typically
vlan 10 - home lan (and home wifi)
vlan 20 - guest wifi
vlan 30 - smart devices, google etc.
vlan 40 - video around home
vlan 50 - shared devices such as a printer (where the home lan has connectivity in both directions, whereas other users may only have one way access)

Basically you can set up a vlan for whatever you want to accomplish in terms of identifying and potentially isolating traffic.
Makes it very easy to decide who gets internet or other functionality, DNS control etc…

Personally, I would setup wifi WITHOUT CAPSMAN to learn about the devices and how to optimize them.
Layering on learning CAPSMAN at the same time is frankly asking for trouble IMHO.

I had basically the same idea. I don’t have that many devices, but vlans will be handy at work, so I need to learn that anyway. I’m sticking with CAPsMAN as learning it can be more beneficial, but I might drop it if it causes more issues than it resolves.

I am not saying do not use capsman, just saying learn the wifi on the devices first. Meanwhile read all the threads on capsman you can lay your hands on, there are a ton, then layer capsman into the config.

Tnx for your input. But not all features are available in CAPsMAN etc. Under social isolation I have more free time, so learning it is.

@anav in case CAPsMAN is used, in order to isolate clients, you must go to the CAPsMAN Datapath configuration and there set the property client-to-client-forwarding to yes…

I have done that. My issue was that somehow I could still ping some clients, but after reapplying the config all is good now. I asked about isolation because there might be a time when you want client to client forwarding, but want to isolate just some clients. As I mentioned, some IoT devices.

No, you can’t select who to isolate from whom… It’s either global or not!
In any other case you might consider using VLANs…

Or if you don’t want to use VLANs, you could create a second configuration on your CAPsMAN, with a different SSID, and create a different subnet etc…
Then with the use of the Firewall you could block communication between devices as needed…
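Putting anav's per-segment VLANs and Zacharias's second-SSID-plus-firewall suggestion together, the block below is an added example, not the thread's or either poster's configuration. It assumes VLAN id 30, the 10.30.0.0/24 subnet, the names vlan30-iot, IOT, pool-iot, dhcp-iot, dp-iot and cfg-iot, a placeholder MAC and passphrase, and that the CAP hangs off ether5; the bridge, the cfg1 provisioning rule and the "defconf:" firewall comments are taken from the hEX S export earlier in the thread. The result is an IoT SSID whose stations are tagged into their own VLAN and subnet, cannot reach each other at the AP, can open connections only towards the internet and the router's DNS/DHCP, and can still be reached from the home LAN.

```routeros
# Added example (not from the thread). Placeholders: VLAN id 30, subnet
# 10.30.0.0/24, names vlan30-iot / IOT / pool-iot / dhcp-iot / dp-iot / cfg-iot,
# the MAC address and the passphrase. "bridge", ether1 as WAN, the cfg1
# provisioning rule and the "defconf:" firewall comments come from the export
# earlier in the thread; ether5 is assumed to be the port the CAP is on.

# 1. Router-side VLAN interface with its own subnet and DHCP.
/interface vlan
add name=vlan30-iot vlan-id=30 interface=bridge
/interface list
add name=IOT
/interface list member
add interface=vlan30-iot list=IOT
/ip address
add address=10.30.0.1/24 interface=vlan30-iot
/ip pool
add name=pool-iot ranges=10.30.0.10-10.30.0.250
/ip dhcp-server
add name=dhcp-iot interface=vlan30-iot address-pool=pool-iot lease-time=8h \
    disabled=no
/ip dhcp-server network
add address=10.30.0.0/24 gateway=10.30.0.1 dns-server=10.30.0.1
/ip dns
set allow-remote-requests=yes

# 2. VLAN-aware bridge. VLAN 30 is tagged towards the CPU (the "bridge" port)
#    and towards the CAP's port (only needed with local-forwarding=yes,
#    harmless otherwise). The home LAN stays untagged on pvid 1, so management
#    access is unaffected. Use Safe Mode in the console when switching
#    vlan-filtering on.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether5 vlan-ids=30
/interface bridge
set bridge vlan-filtering=yes

# 3. CAPsMAN: a second SSID whose stations are tagged into VLAN 30 and may not
#    forward to each other. It is provisioned as a slave of the existing cfg1
#    so every CAP broadcasts both SSIDs.
/caps-man datapath
add name=dp-iot bridge=bridge local-forwarding=no \
    client-to-client-forwarding=no vlan-mode=use-tag vlan-id=30
/caps-man configuration
add name=cfg-iot ssid=iot datapath=dp-iot \
    security.authentication-types=wpa2-psk security.encryption=aes-ccm \
    security.passphrase="CHANGE-ME"
/caps-man provisioning
set [ find master-configuration=cfg1 ] slave-configurations=cfg-iot

# Per-station alternative: move one MAC on the main SSID into VLAN 30 without
# a second SSID. Keep the entry above the catch-all accept from the export.
/caps-man access-list
add action=accept mac-address=AA:BB:CC:DD:EE:01 vlan-mode=use-tag vlan-id=30 \
    comment="light bulb: tag into IoT VLAN"

# 4. Firewall. IoT may open connections only to the internet; the home LAN may
#    open connections to IoT (phone -> bulb) because the forward chain accepts
#    by default; replies ride on the established/related rules already present.
/ip firewall filter
add chain=forward action=accept in-interface-list=IOT out-interface-list=WAN \
    connection-state=new comment="IoT -> internet" \
    place-before=[ find chain=forward comment="defconf: drop invalid" ]
add chain=forward action=drop in-interface-list=IOT connection-state=new \
    comment="IoT -> home LAN / other segments" \
    place-before=[ find chain=forward comment="defconf: drop invalid" ]
add chain=input action=accept in-interface-list=IOT protocol=udp \
    dst-port=53,67 comment="IoT: DNS and DHCP from the router only" \
    place-before=[ find comment="defconf: drop all not coming from LAN" ]
# Everything else from IoT to the router is still dropped by the existing
# "defconf: drop all not coming from LAN" rule, since vlan30-iot is not in LAN.

# Checks: VLAN 30 membership, the IoT leases, and the rule counters while a
# bulb tries to reach 192.168.88.0/24.
/interface bridge vlan print
/ip dhcp-server lease print where server=dhcp-iot
/ip firewall filter print stats where comment~"IoT"
```

After applying, confirm from an IoT station's address that 192.168.88.1 and the LAN hosts time out while the internet still works, that /caps-man registration-table print lists it on the iot SSID, and that the counter on the "IoT -> home LAN" drop rule increases during the test.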

Awesome! Glad it’s working out for you!!
Maybe I might come asking for some capsman advice if I get brave enough to try it for my two capacs.

Yes, @Zacharias, I know. That’s why I asked about it. Are vlans then the best solution? I don’t prefer more SSIDs as they use more router resources and fill up airtime, so vlans it is.

@anav , I hope that I will find how to boost those speeds.

Well, now that I am thinking about it, if you want to isolate WiFi clients so that they can’t communicate with each other, all of them or just a part of them, I am not really sure if it can happen, since every WiFi client connected will be in the same VLAN, will have the same tag…
@anav what is your opinion on that?

In the CAPsMAN Access list I can selectively add clients and add vlan ids to them. I have no experience with vlans, am I wrong? Will it not work?

The connectivity on WLAN between clients (isolating them) is what unchecking the forward box does on the wireless setup page, so it’s not an issue at that point.
Someone with niche knowledge may be able to state either way if this also stops traffic on hardware if they are on the same VLAN. (If the traffic goes back to the router and it says yes of course you can talk, back you go… it still has to go through the WLAN interface???)
Since the controlling entity is the WLAN, I think not, but I could be wrong.

In the CAPsMAN Access list I can selectively add clients and add vlan ids. I have no experience with vlans, am I wrong? Will it not work?

Yes you can… but how would you isolate client X talking to client Y through the access list? Not possible!

I guess what I am saying is that client X trying to talk to client Y on the same WLAN would get blocked at the WLAN interface and never get back to the router for routing purposes.

Wait @anav, what does the access list have to do with one client talking to another?

Exactly, we are talking about wifi users on the same wlan being isolated from each other.
The question is: will being on the same vlan somehow negate them from being isolated (and specifically we are talking about isolating them by unchecking the forward box in the wireless sub menu)? This has nothing to do with the forwarding of the firewall as far as I understand. The firewall rules are on the main router side, not the AP side. My inclination is that client to client attempts at exchanging packets on the same WLAN will be blocked from occurring at the WLAN interface and not even get to the router for any routing. It would be the same as if they were on the same subnet and not on a VLAN. The isolate feature doesn’t care which vlan or subnet; it simply blocks traffic from wifi clients to other wifi clients on the SAME WLAN interface.