hap ac2 switch chip vlan and WIFI setup with remote capsman

Hello
Have RB5009Upr+S+ with configured vlans and capsman with to network (https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-CAPsMAN-CAPVLANconfigurationexample: )
Also two hap ax2 connected to it (config from examples) and two hap ac2.
With configuration from documentation -

 /interface bridge
add name=bridgeLocal vlan-filtering=yes
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman disabled=no
add disabled=no  master-interface=wifi1 name=wifi21
add disabled=no  master-interface=wifi2 name=wifi22
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal interface=wifi2 pvid=10
add bridge=bridgeLocal interface=wifi22 pvid=10
add bridge=bridgeLocal interface=wifi1 pvid=20
add bridge=bridgeLocal interface=wifi21 pvid=20
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1 untagged=wifi2,wifi22 vlan-ids=10
add bridge=bridgeLocal tagged=ether1 untagged=wifi1,wifi21 vlan-ids=20
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-static=yes

Everything work, but ho hardware offload on ethernet ports.
So i try configuration with switch chip vlans but cannot understand how to configure wifi. My config

/interface bridge
add name=LAN-BRIDGE
/interface ethernet
set [ find default-name=ether1 ] name=Trunk
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: Satan's Home, channel: 2412/n
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    disabled=no
# managed by CAPsMAN
# mode: AP, SSID: Satan's Home, channel: 5805/ac/eeeC
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    disabled=no
/interface vlan
add interface=LAN-BRIDGE name=MAIN vlan-id=10
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=10 vlan-mode=secure
set 2 default-vlan-id=10 vlan-mode=secure
set 3 default-vlan-id=10 vlan-mode=secure
set 4 default-vlan-id=10
set 5 vlan-mode=secure
/interface wifi datapath
add bridge=LAN-BRIDGE client-isolation=no disabled=no name=datapath1 vlan-id=\
    10
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: Satan's Guests
add configuration.mode=ap datapath=datapath1 datapath.vlan-id=20 disabled=no \
    mac-address=BA:69:F4:2A:D8:DE master-interface=wifi1 name=wifi3
# managed by CAPsMAN
# mode: AP, SSID: Satan's Guests
add configuration.mode=ap datapath=datapath1 datapath.vlan-id=20 disabled=no \
    mac-address=BA:69:F4:2A:D8:DF master-interface=wifi2 name=wifi4
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=LAN-BRIDGE frame-types=admit-only-vlan-tagged interface=Trunk
add bridge=LAN-BRIDGE frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=10
add bridge=LAN-BRIDGE frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=10
add bridge=LAN-BRIDGE frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=10
add bridge=LAN-BRIDGE interface=wifi1 pvid=10
add bridge=LAN-BRIDGE interface=wifi2 pvid=10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ethernet switch vlan
add independent-learning=yes ports=\
    Trunk,switch1-cpu,ether2,ether3,ether4,ether5 switch=switch1 vlan-id=10
add independent-learning=yes ports=Trunk,switch1-cpu switch=switch1 vlan-id=\
    20
/interface wifi cap
set caps-man-addresses=192.168.50.1 enabled=yes slaves-datapath=datapath1 \
    slaves-static=yes
/ip address
add address=192.168.50.5/23 interface=MAIN network=192.168.50.0
/ip dns
set servers=192.168.50.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.50.1 routing-table=main \
    suppress-hw-offload=no
/system clock
set time-zone-name=Europe/Kiev
/system identity
set name="Hap AC2 "
/system note
set show-at-login=no

In such configuration WIfi connect to capsman, Client’s can authenticate but cannot get ip via dhcp from rb5009
log’s are empty (only connect-disconect msg for wifi client)
is it possible to create config with vlans using switch chip features and working wifi?
Where to look for possible misconfiguration/how to debug such situation ?
Thank you

Have you checked current topics:

http://forum.mikrotik.com/t/vlans-creation-and-testing-ax2/173504/1
http://forum.mikrotik.com/t/new-capsman-client-works-on-hap-ac2-but-not-on-wap-ac/173530/1
http://forum.mikrotik.com/t/unable-to-get-vlan-working-between-rb5009-and-ax2/173545/1

It is possible, but it involves quite a few tricks outside “the beaten path” … so not for the faint of heart. Before taking that path one has to ask himself what gains are expected … realistically.

Are you planning to use wired ports on your devices or you just want wireless ? In that case you really don’t need to complicate your life with VLANs on switch chip. You just do it like usual and in that case no configuration has to be done on CAP, only on CAPsMAN controller itself.

Yes,. I’m see that posts, but see nothing useful for me as all of it completely about another cases. Of cause it just IMHO.

No offense but -

1. Yes. I have plans to use ports and also need different vlans on some of it.
2. Yes I really want to have normal fast working vlans but not slow software one,
3. I don’t want easy way, I wont say… old school geek way where using available hardware resources normal.
4. Lern/Fun/etc ^)

Doesn’t see any problem to spend free time to make some interesting configuration and if at the end there be some benefit (eg. full speed on ether ports ) why not?
It’s not for production or office use. It’s mo like homelab.
It’s interesting for me.

I’m not using CAPsMAN (my hAP ac2 is currently wireless-less), so only like 2/3 of required config:

interface bridge
add admin-mac=BA:69:F4:xx:yy:zz auto-mac=no name=bridge port-cost-mode=short
add admin-mac=B2:69:F4:xx:yy:zz auto-mac=no name=bridge41
add admin-mac=BE:69:F4:xx:yy:zz auto-mac=no name=bridge42
/interface bridge port
add bridge=bridge interface=ether1-trunk internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether3-TV internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether4-TV internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether5-WAN internal-path-cost=10 path-cost=10
add bridge=bridge42 interface=wifi-5-vlan42
add bridge=bridge41 interface=vlan-41
add bridge=bridge42 interface=vlan-42

/interface ethernet
set [ find default-name=ether1 ] name=ether1-trunk
set [ find default-name=ether3 ] name=ether3-TV
set [ find default-name=ether4 ] name=ether4-TV
set [ find default-name=ether5 ] name=ether5-WAN
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=42 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=40 vlan-mode=secure
set 3 default-vlan-id=40 vlan-mode=secure
set 4 default-vlan-id=2 vlan-mode=secure
set 5 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,ether1-trunk switch=switch1 vlan-id=99
add independent-learning=yes ports=switch1-cpu,ether1-trunk,ether2 switch=switch1 vlan-id=42
add independent-learning=yes ports=switch1-cpu,ether1-trunk,ether5-WAN switch=switch1 vlan-id=2
add independent-learning=yes ports=ether1-trunk,ether3-TV,ether4-TV,ether5-WAN switch=switch1 vlan-id=3999
add independent-learning=yes ports=switch1-cpu,ether1-trunk,ether3-TV,ether4-TV switch=switch1 vlan-id=40
add independent-learning=yes ports=switch1-cpu,ether1-trunk switch=switch1 vlan-id=41

Basically: you need a bridge for every VLAN needed for wifi interfaces. And the missing part: how to configure capsman datapath so that provisioned interface is attached to the right bridge.

Not gonna comment much on the config above, if you’re up to the task, you won’t need any comments

Perfect. I get main idea about separate bridge for every vlan with wifi. Sound logical. Will try ti play with it. Thank you.

Just leave this config here, maybe somebody will have interest to explain how it’s work ^)
Yesterday while experimenting with adding wifi via additional bridge and see incorrect l2 configuration from mikrotik doc’s decide try just fo fan… strange
There config work perfect - no cpu load while traffic pass from physical port to physical port. wifi also perfectly work, of cause traffic going via CPU in such case

[satan@HAP-AC2-TEST] > export compact 
# 2024-02-13 18:18:13 by RouterOS 7.13.4
# software id = 0G6N-6W60
#
# model = RBD52G-5HacD2HnD
# serial number = zzzzzzzzzzzzzzzz
/interface bridge
add admin-mac=B8:69:F4:aa:bb:cc auto-mac=no name=Guest-BR
add admin-mac=B8:69:F4:aa:bb:cc auto-mac=no name=MAIN-BRIDGE port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=Trunk
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: Satan TEST, channel: 2452/n
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN
# mode: AP, SSID: Satan TEST, channel: 5745/ac/Ceee
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN
# mode: AP, SSID: Satan TEST2
add configuration.mode=ap disabled=no mac-address=BA:69:F4:xx:yy:DE master-interface=wifi1 name=wifi3
# managed by CAPsMAN
# mode: AP, SSID: Satan TEST2
add configuration.mode=ap disabled=no mac-address=BA:69:F4:xx:yy:DF master-interface=wifi2 name=wifi4
/interface veth
add address="" gateway="" gateway6="" name=veth1
/interface vlan
add interface=MAIN-BRIDGE name=GUEST-VL vlan-id=20
add interface=MAIN-BRIDGE name=MAIN vlan-id=10
/interface ethernet switch port
set 0 vlan-mode=secure
set 1 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 5 vlan-mode=secure
/interface wifi datapath
add bridge=Guest-BR disabled=no name=datapath1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=MAIN-BRIDGE interface=Trunk internal-path-cost=10 path-cost=10
add bridge=MAIN-BRIDGE interface=ether2 internal-path-cost=10 path-cost=10
add bridge=MAIN-BRIDGE interface=ether3 internal-path-cost=10 path-cost=10
add bridge=MAIN-BRIDGE edge=yes interface=ether4 internal-path-cost=10 path-cost=10 point-to-point=yes
add bridge=MAIN-BRIDGE interface=ether5 internal-path-cost=10 path-cost=10
add bridge=Guest-BR frame-types=admit-only-vlan-tagged interface=GUEST-VL
add bridge=Guest-BR frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=10
add bridge=Guest-BR frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=10
add bridge=Guest-BR frame-types=admit-only-untagged-and-priority-tagged interface=wifi3 pvid=20
add bridge=Guest-BR frame-types=admit-only-untagged-and-priority-tagged interface=wifi4 pvid=20
add bridge=Guest-BR frame-types=admit-only-untagged-and-priority-tagged interface=veth1 pvid=20
/ipv6 settings
set accept-redirects=no accept-router-advertisements=no disable-ipv6=yes
/interface ethernet switch vlan
add independent-learning=yes ports=switch1-cpu,Trunk,ether2,ether3,ether4 switch=switch1 vlan-id=10
add independent-learning=yes ports=switch1-cpu,Trunk switch=switch1 vlan-id=20
/interface wifi cap
set caps-man-addresses=192.168.50.1 enabled=yes slaves-datapath=datapath1 slaves-static=yes
/ip address
add address=192.168.50.5/23 interface=MAIN network=192.168.50.0
add address=192.168.20.2/24 interface=veth1 network=192.168.20.0
/ip dns
set servers=192.168.50.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.50.1 routing-table=main suppress-hw-offload=no
/system identity
set name=HAP-AC2-TEST

Bridge MAC addresses are obfuscated, so not sure if this is relevant: I strongly recommend to set different MAC addresses to bridges. Just in case.