hAP AX S under capsman

holvoetn · January 30, 2026, 6:59am

Just probing to get some more info ...

I tried to add an hAP AX S yesterday to my home capsman environment but somehow I can not get it to accept connections.
I dind't spend too much time on it yet but I am a bit puzzled why it doesn't work.

Client devices see the separate SSID but they simply don't want to connect to it.
In log files on RB5009 I see the devices connect to that SSID / cap and shortly after they leave without further info.

As far as I can tell hAP AX S has been configured correctly (cap-mode so everything bridged, VLAN for mgmt and capsman, IP DHCP-client on VLAN, for the rest no deviations from defconf).
Identical setup to 2 AX2 and AX Lite present in my setup.

Anyone else already tried this and made it work ?

erlinden · January 30, 2026, 7:38am

As I don't have this device (but from some experience with CAPsMAN):
Are the VLAN's correctly assigned to the wifi interfaces on the CAP?

DuctView · January 30, 2026, 7:40am

An Android client device is useful here. It will tell you how far it has gone

If the connection is refused, this probably indicates an incompatibility of encryption, iirc. But does not appear to be the case here
If it hangs on getting a IP address, then the wireless interface does not have a Layer 2 connection to a DHCP server
If it gets an IP address, but says no connection to the internet, the wireless interface either does not have a route to 0.0.0.0 or does not have DNS
In short, I think that your problem is most likely that you don't have the plumbing in place to get traffic away from your hap AX S

holvoetn · January 30, 2026, 8:33am

Same as for AX2 and AX Lite, so I would think yes.
I do see on the capsman managed radios on AX S device they have been assigned the proper VLAN id.

holvoetn · January 30, 2026, 8:34am

I have tested with Android S25.

Connection simply does not complete. It doesn't say rejected or whatever. Nothing. It simply ends saying that it does not succeed.

Will test/check further this weekend.

erlinden · January 30, 2026, 9:34am

What RouterOS and firmware version are you running?

kowal · January 30, 2026, 2:50pm

Channel width 80 or 160MHz? I’ve spotted same issue when using 160MHz ( try 2-3 times and it finally connects, but this is not a solution) starting using 80MHz fixed issue, but I have ~4 hap ax S (3x acting as standalone routers and 1x in homelab as CAP, connecting to RB5009) and I don’t remember which configuration was problematic - standalone or CAP, I’ll try at home later

holvoetn · January 30, 2026, 3:19pm

Latest beta

holvoetn · January 30, 2026, 3:30pm

Currently blank so I assume it will select 160MHz.
Il try to fix it to 40/80 and see what that brings.

holvoetn · January 30, 2026, 6:34pm

No dice.
I see it appearing in registration on controller but it doesn't connect.

holvoetn · January 30, 2026, 6:46pm

One thing I do notice as difference is that on AX2 wifi ports are added dynamically to bridge.
Not so with AX S.

All provision rules I have use "create enabled", so that shouldn't be the issue ?
I also see on AX2, on wifi interface / datapath, there is no entry visible for VLAN id.
On AX S it is filled in as if it was set manually. Removing it and opening it again, makes it show again.

holvoetn · January 31, 2026, 4:35pm

Back to basics ...

Separate network with Hex S - hAP AX S
Hex S as capsman controller, nothing VLAN yet (will build further once this step is cleared)
hAP AX S reset to capsmode

2GHz network functions.
5GHz network NOT. Can't get a connection with S25 (it doesn't even show even though I used 5180 as start), PC does connect but no lease.

This is so odd ...

DuctView · January 31, 2026, 9:22pm

Try with something else? 7.19.6?

kowal · January 31, 2026, 11:29pm

I have tested again, and it may be problem with bridge/vlan i think.

One which i have in home is under capsman, but lacks VLANs (i’ve plan to separate few things) together with L23UGSR-5HaxD2HaxD and everything works fine even with 160MHz channels.

But another one acts as typical home router, but with vlans for iptv. After defining datapath wifi interfaces are dynamically assigned to bridge and:

-S24 ultra sometimes can’t connect, manually connecting works after 2-3 tries, no matter if it’s 80 or 160MHz;

HP Laptop with Intel AX211 and Ubuntu connect always regardless channel width

SFP - loaded with GPON module, 2,5G works, tagged vlans 150 and 1400
V11- internal LAN
V150- vlan for internet, PPPoE client active
V1400 - IPTV vlan (unicast) but with multicast works the same, but I think to move iptv port to ether1 as it is directly connected to CPU like sfp port

/interface bridge vlan
add bridge=br1-lan tagged=br1-lan,sfp1 vlan-ids=150
add bridge=br1-lan tagged=br1-lan,WiFi2G,WiFi5G untagged=\
    ether1,ether2,ether3,ether4 vlan-ids=11
add bridge=br1-lan tagged=sfp1 untagged=ether5 vlan-ids=1400
/interface bridge port
add bridge=br1-lan frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 internal-path-cost=10 multicast-router=disabled \
    path-cost=10 pvid=11
add bridge=br1-lan frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 internal-path-cost=10 path-cost=10 pvid=11
add bridge=br1-lan frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 internal-path-cost=10 path-cost=10 pvid=11
add bridge=br1-lan frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 internal-path-cost=10 path-cost=10 pvid=1400
add bridge=br1-lan frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1 multicast-router=disabled pvid=11
add bridge=br1-lan frame-types=admit-only-vlan-tagged interface=sfp1 \
    multicast-router=disabled pvid=666
/interface wifi datapath
add bridge=br1-lan disabled=no interface-list=LANs name=dp1 vlan-id=11

holvoetn · February 1, 2026, 7:01am

Testing again...
First made sure Hex S also had the same version as hAP AX S (it was still on 7.22b3, my bad).
Test clients:
PC = W11 - Intel AX201 160MHz
S25

Setup: RB5009 (iperf container) - L009 (managed switch) - Hex S - hAP AX S on ether 1
2437 and 40Mhz width
5260 and 80MHz width.

Both 2GHz and 5GHz connect now, on S25 and PC.
Iperf testing doesn't bring me a lot more then about 360-370Mbps using S25, CPU stays below 50%.
(on PC it's even lower )

Moved uplink on AX S to ether2
S25 connected to 5GHz
Iperf moves a bit closer towards 400 but rarely over. CPU mostly stays below 40% here.
Coincidence ? With only 1 ether port connected there should be no difference in performance if that port is ether1 or ether2. Wifi interfaces are never offloaded so basically the CPU load should stay the same, I think ?

Moving 5GHz to 5745, channel 160MHz.
No connection possible. Not on PC, not on S25, not even on 2GHz anymore ??
Checking interface wifi radio reg-info for Belgium, I can understand why.
It only goes to 5725-5872 and normally block for 160Mhz is from 5475 to 5895 (which is not included)

/interface/wifi/radio> reg-info country=Belgium number=1
  ranges: 5150-5250/23/indoor    
          5250-5350/20/indoor/dfs
          5470-5725/26/dfs       
          5725-5875/13

Even lowering width to 80Mhz, doesn't make it usable.

Going back to 5180/160 on 5Ghz.
Can't connect both S25 nor PC
Lowering width to 80Mhz, same. No connection possible.
Rebooting everything ...

After reboot, still can't connect S25 nor PC to 2GHz.
5GHz does work, for a moment, and then gets kicked out.
After some retries, it connects again.

This product is far from stable with current ROS versions !

CGGXANNX · February 1, 2026, 7:25am

Can you repeat the 160Mhz test with Panama as country?

mkx · February 1, 2026, 10:16am

It will take a while before @holvoetn will be able to perform this test ... Panama is a bit away from Belgium and takes time to relocate

CGGXANNX · February 1, 2026, 10:33am

No if you change the country setting to Panama, you'll get something that remove all DFS channel restriction and almost all power restriction, and can use everything in the 5GHz range. Probably like MikroTik's Superchannel setting? I've never use WiFi with MikroTik devices, but for other manufacturers, changing the country selection to Panama is a way to bypass the countries' regulations.

holvoetn · February 1, 2026, 10:34am

That's what I understood you were aiming for.
Will check later today.

holvoetn · February 1, 2026, 10:54am

Again, coincidence or not (but I will put it as "good call") ?
Changed country to Panama, first time right connection to 5GHz using 80MHz.
Changed bandwidth to 160MHz, reprovision, also connection !

But normal speed test doesn't show much better results on wifi (I suspect my ISP line is acting up since with PC connected to ethernet, it's about the same).
Internal iperf3 goes to 450-ish, stays around that number.
2Ghz goes towards 120Mbps but never more.

wAP AX which also can use 160MHz channels, can do 900-ish. Just as a reference ...

Swapped connections a couple of times between 5GHz and 2Ghz, each time connection now.
Apart from country, nothing was changed.