hAP ax² 3 Vlans at internal Antenna

Hi, I try to add 5 Vlans to my hAP ax² and want to use 3 of them with the internal antenna. I am a bit confused using the templates you offer at https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-WiFiCAPsMAN.
Right now, 2 vlans work fine at Wlan (GUEST/PRIVATE)
But I cant see the IoT Net
What is wrong ?
Thanks for detailed help getting the 3 SSIDs up and running. Thx in advance.

# Base layer-2 setup: one VLAN-filtering bridge, five VLAN interfaces on it,
# two interface lists, and the wifi datapaths that map SSIDs to VLANs.
/interface bridge
add name=br vlan-filtering=yes

/interface vlan
add interface=br name=GUEST vlan-id=10
add interface=br name=IOT vlan-id=20
# NOTE(review): VLAN 1 is also the default PVID of RouterOS bridge ports, so
# untagged traffic on any port left at its default would share the management
# VLAN; a dedicated management VLAN ID is usually safer - confirm port PVIDs.
add interface=br name=MGMT vlan-id=1
add interface=br name=PRIVATE vlan-id=100
add interface=br name=SIP vlan-id=111

/interface list
add name=WAN
add name=LAN

/interface wifi datapath
# One datapath per wireless VLAN; each names bridge br and a VLAN ID.
add bridge=br disabled=no name=PRIVATE vlan-id=100
add bridge=br disabled=no name=GUEST vlan-id=10
add bridge=br disabled=no name=IOT vlan-id=20
# DP_AC sets no vlan-id. The *_AC configurations further down all use it, so
# their three SSIDs would presumably share one untagged segment instead of
# VLANs 10/20/100 - verify before relying on them for guest/IoT separation.
add bridge=br name=DP_AC

# Security profiles and SSID configurations for the three wireless networks.
# NOTE(review): several `add` commands below continue on a second line with no
# continuation character; presumably the trailing "\" of the export was lost
# in the paste, so the listing cannot be imported exactly as shown.
/interface wifi security
# All three profiles allow WPA2-PSK and WPA3-PSK together with fast transition
# (ft, ft-over-ds). With wpa2-psk in the list a client can still join using
# WPA2; once every PRIVATE client supports WPA3, wpa3-psk alone is the
# stronger choice. Passphrases are redacted in the post.
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes
name=Security_PRIVATE passphrase=xxxxxxxx
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes
name=Security_GUEST passphrase=xxxxxxxxxxxxxxx
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes
name=Security_IoT passphrase=xxxxxxxxxxx

/interface wifi configuration
# Locally used configurations: each SSID is tied to its own datapath (VLAN)
# and its own security profile.
add datapath=PRIVATE disabled=no name=PRIVATE security=Security_PRIVATE ssid=
PRIVATE_Network
# NOTE(review): unlike PRIVATE and IoT, this entry carries no disabled=no.
add datapath=GUEST name=GUEST security=Security_GUEST ssid=GUEST_Network
add datapath=IOT disabled=no name=IoT security=Security_IoT ssid=IoT_Network
# The *_AC variants reuse the same SSIDs and security profiles but all point
# at datapath DP_AC, which has no vlan-id under /interface wifi datapath.
add datapath=DP_AC name=PRIVATE_AC security=Security_PRIVATE ssid=
PRIVATE_Network
add datapath=DP_AC name=GUEST_AC security=Security_GUEST ssid=GUEST_Network
add datapath=DP_AC disabled=no name=IoT_AC security=Security_IoT ssid=
IoT_Network

# Address pools and one DHCP server per VLAN interface.
/ip pool
add name=dhcp_pool-GUEST ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool-IoT ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool-Privat ranges=192.168.100.2-192.168.100.254
add name=dhcp_pool-SIP ranges=192.168.111.2-192.168.111.254
# NOTE(review): the MGMT pool lies in 10.0.0.0/24, but /ip address in this
# listing gives the MGMT interface 192.168.1.1/24 - pool and interface subnet
# do not match, so management clients would get addresses from another network.
add name=dhcp_pool-MGMT ranges=10.0.0.60-10.0.0.200

/ip dhcp-server
add address-pool=dhcp_pool-MGMT interface=MGMT lease-time=1d name=dhcp-MGMT
add address-pool=dhcp_pool-Privat interface=PRIVATE lease-time=1d name=
dhcp-PRIVATE
add address-pool=dhcp_pool-GUEST interface=GUEST lease-time=1d name=
dhcp-GUEST
add address-pool=dhcp_pool-IoT interface=IOT lease-time=1d name=dhcp-IoT
# NOTE(review): dhcp_SIP serves the SIP VLAN, yet /ip address in this listing
# assigns no 192.168.111.x address to the SIP interface.
add address-pool=dhcp_pool-SIP interface=SIP lease-time=1d name=dhcp_SIP

# Bridge VLAN table and interface-list membership.
/interface bridge vlan
# NOTE(review): every wifi interface is an untagged member of VLANs 20, 10 and
# 100 at once. Frames from all three VLANs would leave those ports untagged,
# which undoes the separation between IoT, GUEST and PRIVATE that the
# datapaths are meant to provide. The poster later confirms this was a
# mistake; the datapath vlan-id is what should place each SSID in its VLAN.
# No /interface bridge port section appears in this listing.
add bridge=br tagged=br untagged=wifi1,wifi2,wifi3,wifi4 vlan-ids=20
add bridge=br tagged=br untagged=wifi1,wifi2,wifi3,wifi4 vlan-ids=10
add bridge=br tagged=br untagged=wifi1,wifi2,wifi3,wifi4 vlan-ids=100

/interface list member
# WAN is ether1; LAN holds four of the five VLAN interfaces (SIP is absent).
# NOTE(review): no /ip firewall section appears in this listing, so nothing
# shown here stops the router from forwarding between GUEST/IoT and
# PRIVATE/MGMT - confirm filter rules exist before treating the VLANs as
# isolated.
add interface=ether1 list=WAN
add interface=GUEST list=LAN
add interface=IOT list=LAN
add interface=PRIVATE list=LAN
add interface=MGMT list=LAN

# CAP client, CAPsMAN controller and provisioning rules, all on this device.
/interface wifi cap
# The device runs the CAP role on bridge br while also acting as controller
# below; per the replies in this thread, the controller's own radios are
# managed locally rather than through CAPsMAN.
set discovery-interfaces=br enabled=yes slaves-static=yes
/interface wifi capsman
# NOTE(review): the controller listens on the whole bridge and no certificate
# settings are shown. Consider limiting `interfaces` to the management VLAN
# and enabling require-peer-certificate so only known CAPs can join - verify
# the options available in your RouterOS version.
set enabled=yes interfaces=br
/interface wifi provisioning
# Both rules provision PRIVATE_AC as master with GUEST_AC and IoT_AC as
# slaves; they differ only in supported-bands (5ghz-ac and 2ghz-n).
add action=create-dynamic-enabled disabled=no master-configuration=PRIVATE_AC
slave-configurations=GUEST_AC,IoT_AC supported-bands=5ghz-ac
add action=create-dynamic-enabled disabled=no master-configuration=PRIVATE_AC
slave-configurations=GUEST_AC,IoT_AC supported-bands=2ghz-n

# Router addresses per interface, WAN DHCP client, and DHCP network options.
/ip address
# The bridge itself carries 192.168.88.1/24 in addition to the VLAN
# interfaces; SIP receives no address in this listing.
add address=192.168.88.1/24 interface=br network=192.168.88.0
add address=192.168.1.1/24 interface=MGMT network=192.168.1.0
add address=192.168.100.1/24 interface=PRIVATE network=192.168.100.0
add address=192.168.20.1/24 interface=IOT network=192.168.20.0
add address=192.168.10.1/24 interface=GUEST network=192.168.10.0

/ip dhcp-client
add interface=ether1

/ip dhcp-server network
# NOTE(review): this entry hands out gateway 10.0.0.1 for 10.0.0.0/24, but no
# interface in this listing has a 10.0.0.x address; together with the MGMT
# pool in that range, management clients would be pointed at a gateway this
# router does not own - confirm the intended management subnet.
add address=10.0.0.0/24 dns-server=10.0.0.123,1.1.1.1 gateway=10.0.0.1
netmask=24
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.111.0/24 gateway=192.168.111.1
add address=192.168.100.0/24 gateway=192.168.100.1

Is your ax2 only AP in your network ? If yes then why are you using CAPsMAN ?

Local radio interfaces are managed locally, not via capsman, so radios on your ax2 are not configured by CAPsMAN, assuming ax2 is your CAPsMAN controller.

Second, you untagged all VLANs for all wireless interfaces. Why ?

Thx for Reply,

I plan at least one cAP ax, which I already ordered. Should be arrive on Tuesday. For that I want to use my ax2 as CAPsMAN controller.
The untagged VLANs are a mistake!
Sorry, I am a newbie at WLAN setup. Currently I use a hEX router, which I want to migrate away from once my internal antenna and a cAP ax are up and running.
The WLAN setup is a mystery to me and it blows my mind.
Thx for your support !

So when your AP arrive I think it would be the best to write here what are you trying to achieve.

So how many SSIDs, VLANs etc and then we start from that.

ok thx, as you like !
but I already have all the info in the configuration setup.
5 Vlans:

# The five VLAN interfaces on bridge br, repeated from the first post.
# NOTE(review): MGMT sits on VLAN 1, which is also the default PVID of bridge
# ports - confirm that untagged ports are not meant to reach management.
/interface vlan
add interface=br name=GUEST vlan-id=10
add interface=br name=IOT vlan-id=20
add interface=br name=MGMT vlan-id=1
add interface=br name=PRIVATE vlan-id=100
add interface=br name=SIP vlan-id=111

3 SSIDs (I have no idea what DP_AC is good for. I took that from the user guide)

# SSID configurations repeated from the first post: three that use the
# per-VLAN datapaths and three *_AC variants that all use datapath DP_AC.
# NOTE(review): DP_AC carries no vlan-id in the first listing, so the *_AC
# SSIDs would presumably not be separated into VLANs 10/20/100 - confirm.
/interface wifi configuration
add datapath=PRIVATE disabled=no name=PRIVATE security=Security_PRIVATE ssid=
PRIVATE_Network
add datapath=GUEST name=GUEST security=Security_GUEST ssid=GUEST_Network
add datapath=IOT disabled=no name=IoT security=Security_IoT ssid=IoT_Network
add datapath=DP_AC name=PRIVATE_AC security=Security_PRIVATE ssid=
PRIVATE_Network
add datapath=DP_AC name=GUEST_AC security=Security_GUEST ssid=GUEST_Network
add datapath=DP_AC disabled=no name=IoT_AC security=Security_IoT ssid=
IoT_Network

and very easy:

PRIVATE_Network use VLAN100
GUEST_Network use VLAN10
IoT_Network use VLAN20

the other Vlans are only for eth. connection.

the cap ac is up and running (standalone) default config is still there.
Its connected to my ax2 via eth4
Pls advise what I have to do to setup the internal and the caps wlan,
Thx in advance!

First of all, are you planning to use older AC devices or newer AX? It seems like you have only AX devices but you follow AC guide, but it should work anyway…

Do you have cAP ac or ax ? You mentioned ax, not ac… Anyway, if you have cAP ac you can install wifi package and use CAPsMAN v2

Have fun with capsman on this one LOL… More hair pulled out, turned grey, whilst a non-capsman config is up and running in 15 minutes. :stuck_out_tongue:
Heck i could probably do it in 10 minutes if drunk.

now I totally confused.
I have an ax2. First I ordered a cAP (with MIPS). Then I was told that I have to use the one with the ARM CPU, so I ordered the AC one. I thought that I had to uninstall the wireless package and install the qcom package. Maybe this is wrong!

Is it possible to use the ax router with the Cap AC in a good way ? Is the ax much better ?

I am confused with the syntax and numbering. Maybe I should send this one back as well and order the cAPGi-5HaxD2HaxD which should be the cAP ax.

maybe in the meantime somebody could help me to setup my ax2 in the right way. Thx for your support !

I would definitely return the AC and buy the AX one. If you have a free return policy and can afford the AX, go for it. Not because of the configuration complications but because of the newer technology; there is a huge difference between 802.11ax and 802.11ac.

I will try to help you with the config (if anav lets me..) :laughing:

@anav here doesn’t like CAPsMAN :laughing: I agree with neki, if possible return ac and buy ax, if not, ac will suffice.

As for preparing configuration, you have all VLANs you need ?

What I do is I prepare hybrid port, so untagged mgmt vlan and other vlans tagged.

Create datapaths for desired VLANs.

I can see you have a lot of that configured already.

ok, I will move to the cAP ax. Until delivery I will set up the internal radio and VLANs. I reset all config and just installed the wifi-qcom package. The ax2 is connected to my hEX router, which is the master until the ax2 works fine. As mentioned in my earlier post, I need 5 VLANs, 3 of them are used in the wireless environment.
What will be the best way to start ?
Thx for help !

Best way to start is to define which device will be your CAPsMAN controller.

Will it be ax2 or hex ?

When you define that then start creating VLANs and test them so you are sure you are getting IP address, you have internet connection etc.

Prepare your desired port for your CAP device. So mgmt VLAN untagged, other VLANs tagged.

Define SSIDs, passwords, channels and so on.

I would do the following
Add the needed datapaths, 1 for each VLAN

# Suggested datapaths: one per wireless VLAN, carrying only a name and the
# VLAN ID (no bridge= is given here, unlike the poster's first listing).
/interface wifi datapath
add name=PRIVATE vlan-id=100
add name=GUEST vlan-id=10
add name=IOT vlan-id=20

Then, use these datapaths on your WiFi configuration.
No need to manually put them into the bridge afterwards

Thx .. thats a good start.
Before I post the config. Some Statements and general questions.

  • The hex will leave, when the ax2 is running fine. Right now the ax2 is connect via eth1 (called to-Modem) to the hex.
  • I changed some Vlan IDs, because in the near future there are dhcpserver at both routers at the same No. Maybe not necessary, but its easier for me to set it up.

Questions: I see only wifi1 and wifi2. I can only attach one datapath to each of them (done: PRIVATE/IoT). What am I misunderstanding? I added some things to

/interface wifi
/ip dhcp-server network

. But sure with missing things or other mistakes.

# Second attempt after a reset: bridge1 with VLAN filtering, renamed ethernet
# ports, the five VLAN interfaces (IoT now 22, PRIVATE now 123) and datapaths.
/interface bridge
add name=bridge1 vlan-filtering=yes

/interface ethernet
# Port names record the role the poster intends for each port.
set [ find default-name=ether1 ] name=eth1-to-Modem
set [ find default-name=ether4 ] name=eth4-to-CAP-AX
set [ find default-name=ether5 ] name=eth5-to-Switch

/interface vlan
add interface=bridge1 name=GUEST vlan-id=10
add interface=bridge1 name=IOT vlan-id=22
# NOTE(review): MGMT is still VLAN 1, the default PVID of bridge ports. The
# bridge ports in this listing set no pvid, so untagged devices on ether2-5
# would presumably land in the management VLAN - confirm this is intended.
add interface=bridge1 name=MGMT vlan-id=1
add interface=bridge1 name=PRIVATE vlan-id=123
add interface=bridge1 name=SIP vlan-id=111

/interface list
add name=WAN
add name=LAN

/interface wifi datapath
# Datapaths carry only the VLAN ID here; no bridge= is given.
add disabled=no name=PRIVATE vlan-id=123
add name=GUEST vlan-id=10
add name=IOT vlan-id=22

# Local radios: wifi1 serves test-wifi1 on the PRIVATE datapath, wifi2 serves
# test-wifi2 on the IOT datapath. No interface uses the GUEST datapath yet.
# NOTE(review): 12345678 is a placeholder-grade passphrase shared by both
# SSIDs; replace it with a long, unique passphrase per network before these
# radios carry real traffic.
# NOTE(review): no authentication-types is set here, unlike the first listing
# (wpa2-psk,wpa3-psk) - check the effective authentication on the device.
# NOTE(review): wifi1 ends in `passphrase=` while wifi2 uses `.passphrase=`;
# the dotted form looks like it continues the `security.` prefix, so the
# wifi1 line may not set the passphrase as intended - confirm.
# A further SSID on the same radio would presumably be an additional wifi
# interface with master-interface set to wifi1 or wifi2 - see the WiFi docs.
/interface wifi
set [ find default-name=wifi1 ] configuration.country=Germany .mode=ap .ssid=test-wifi1 datapath=PRIVATE disabled=no security.encryption=ccmp passphrase=12345678
set [ find default-name=wifi2 ] configuration.country=Germany .mode=ap .ssid=test-wifi2 datapath=IOT disabled=no security.encryption=ccmp .passphrase=12345678
	
# Address pools and one DHCP server per VLAN interface (second attempt).
/ip pool
add name=dhcp_pool-GUEST ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool-IoT ranges=192.168.22.2-192.168.22.254
add name=dhcp_pool-Privat ranges=192.168.123.2-192.168.123.254
add name=dhcp_pool-SIP ranges=192.168.111.2-192.168.111.254
# NOTE(review): the MGMT pool is in 10.0.0.0/24, which in this listing is the
# network on eth1-to-Modem (10.0.0.72/24, list WAN), while the MGMT interface
# is 192.168.1.1/24. Management clients would be leased upstream-side
# addresses - align the pool with the MGMT subnet.
add name=dhcp_pool-MGMT ranges=10.0.0.60-10.0.0.200
/ip dhcp-server

add address-pool=dhcp_pool-MGMT interface=MGMT lease-time=1d name=dhcp-MGMT
add address-pool=dhcp_pool-Privat interface=PRIVATE lease-time=1d name=dhcp-PRIVATE
add address-pool=dhcp_pool-GUEST interface=GUEST lease-time=1d name=dhcp-GUEST
add address-pool=dhcp_pool-IoT interface=IOT lease-time=1d name=dhcp-IoT
add address-pool=dhcp_pool-SIP interface=SIP lease-time=1d name=dhcp_SIP

# Bridge membership. The modem-facing port is listed but disabled, so it stays
# out of the LAN bridge; keep it that way, since it is also the WAN interface.
# NOTE(review): no pvid is set on any port and no /interface bridge vlan
# section appears in this listing, so with vlan-filtering=yes the tagged
# VLANs (10, 22, 111, 123) presumably have no member ports yet - confirm,
# and set tagged/untagged membership explicitly for the CAP and switch ports.
/interface bridge port
add bridge=bridge1 disabled=yes interface=eth1-to-Modem
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=eth4-to-CAP-AX
add bridge=bridge1 interface=eth5-to-Switch
										
# Interface-list membership: the modem port is WAN, bridge1 is LAN.
# NOTE(review): the VLAN interfaces (GUEST, IOT, MGMT, PRIVATE, SIP) are not
# in any list here, so firewall rules written against the LAN list would
# presumably not match their traffic - confirm when adding filter rules.
/interface list member
add interface=eth1-to-Modem list=WAN
add interface=bridge1 list=LAN
			  																						 
# Router addresses: one on the bridge itself, a static 10.0.0.72/24 on the
# modem-facing port, and a gateway address on each of the five VLANs.
/ip address
add address=192.168.200.1/24 interface=bridge1 network=192.168.200.0
add address=10.0.0.72/24 interface=eth1-to-Modem network=10.0.0.0
add address=192.168.1.1/24 interface=MGMT network=192.168.1.0
add address=192.168.123.1/24 interface=PRIVATE network=192.168.123.0
add address=192.168.22.1/24 interface=IOT network=192.168.22.0
add address=192.168.10.1/24 interface=GUEST network=192.168.10.0
add address=192.168.111.1/24 interface=SIP network=192.168.111.0

# The WAN DHCP client exists but is disabled; the static address above is used.
/ip dhcp-client
add disabled=yes interface=eth1-to-Modem

# DHCP options (gateway, DNS) per served network.
# NOTE(review): the first entry describes 10.0.0.0/24 with gateway 10.0.0.1,
# i.e. the network on the modem-facing port, not one of the VLAN subnets;
# only this entry sets dns-server. Confirm which clients should receive it.
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=10.0.0.123,1.1.1.1 gateway=10.0.0.1 netmask=24
			  
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.10.0/24 gateway=192.168.10.1
add address=192.168.22.0/24 gateway=192.168.22.1
add address=192.168.111.0/24 gateway=192.168.111.1
add address=192.168.123.0/24 gateway=192.168.123.1
					 
# Source NAT: masquerade everything leaving through interfaces in list WAN.
# NOTE(review): this is the only firewall section in the listing. If no
# /ip firewall filter rules exist on the device (the poster mentions a config
# reset), nothing restricts access to the router from the WAN side or
# forwarding from GUEST/IoT into PRIVATE/MGMT - add input and forward rules
# before relying on the VLANs for isolation.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
														
# Device name shown in the prompt and in neighbor discovery.
/system identity
set name="Mikro hAP-AX2"

The beauty of simplicity, no capsman, works with any MT AP, the setup remains the SAME, regardless, ac, ax etc. !!
Gigabyte, I am just jealous of your capsman skills!

@Jaja2000

Where do you see only wifi1 and wifi2 ?

Wireless interface on CAPsMAN controller is not controlled by CAPsMAN, it’s managed locally. Only remote CAPs are controlled by CAPsMAN.

Hex is working as router and ax2 is working as router ? What hex device do you have ? What do you mean until ax2 is running fine ?

Why do you want to configure devices so many times ? Just wait until cAP ax arrives.

@anav

What capsman skills ?? :laughing:

Even better the config you make without capsman on the capac is IDENTICAL to the setup for the capsman AX, minor wifi setting difference but everything else the same. Copy and paste into terminal and go!

Oh my bad, you paid for the pain misery and frustration advice… Enjoy! :slight_smile:

@gigabyte091
You ask: Where do you see only wifi1 and wifi2 ?
see
Clipboarder.2024.05.01.png
my old router is a hEX (5x Gigabit Ethernet, Dual Core 880MHz CPU, 256MB RAM, USB)
This one will be replaced by the ax2.

Because of bad experiences and my limited knowledge about routers, I want to be absolutely sure that everything, including the new WLAN, is working fine before I disable the hEX.
At the hex I run some Cisco APs which will be replaced

The reason, why I start now and don’t wait until the delivery of the new cap is because I have to learn and understand a lot and that takes a while… :laughing:
As you can see, for example in my config, I have problems with easy things like configuring /interface wifi. I will be happy if the internal WLAN works by the time I receive the new cAP.