How can I connect AX2 on Capsman legacy running on HEX?

It can’t get worse. The old driver has no support for any “roaming standard”. If it was working for you, then it was because of the same SSID and the client chose to change BSSID itself. For new capsman you have 802.11r/v/k. But I’d expect devices to “roam” from e.g. AC lite to AX2 as long as security settings are identical.

They will.
But without proper roaming mechanism they will hang on to the current AP as long as they can, up to the point where connection drops.
Only then will they scan the area again and see "oh, there is another AP here with better signal, let’s use it".
So drops/interruptions will happen.

That’s exactly how “roaming” with legacy capsman worked: stations noticed another AP broadcasting same SSID but remained connected to old AP to the point it was not sustainable any more. At which point then they reselected a better AP. And I expect to see the same happening when station would move from one of APs controlled by new capsman towards AP controlled by legacy capsman.

Legacy Capsman is not ideal, but it gives important features, compared to the “pseudo-roaming” created by APs with same SSID and password:

  • there is only one SSID, and not as many as there are APs available; you never know which is the closest on many devices, really unpleasant.
  • devices are not keeping the connection until the connection drops, as they do with pseudo-roaming; the firmware understands this is a capsman (probably same MAC address) and jumps to the closest. That’s not that bad.
  • Capsman can kick connections under some levels, that also helps

Mikrotik could at least create a connection between the two versions of capsman, to keep compatibility and introduce AX to the existing networks, without the need to replace everything

As said: You have your legacy Capsman config that you already have. Then you add wifi capsman config for all your wifi-qcom(-ac) devices. That’s it. As long as you use the identical security config (same SSIDs with same passphrase and same encryption) it should work.

I haven’t tested it but I bet as a result devices will display 2 SSIDs with the same name. To get the roaming you have to hope that the previous SSID becomes unavailable so the device connects to the closest one; most of the time you are still locked to the previous one and you go crazy wondering why your device is working so badly.
This is not an option for me.

PS: I am still waiting for help on how to connect AX2 to wave2. I can see the AX2 but I can’t use its radios. I’ve tried on AX2 to create capsman wave2, provisioned the MACs of the radios, enabled capsman and caps, but nothing changes. With the legacy one I had the feedback “managed by capsman”, even if capsman was not available; here nothing, the same as before.

There is only 1 ax device.
Forget about using capsman then.
Not worth the effort.

Whether you set things up locally on that AX2 or on a capsman controller, it is 95% the same settings.

I’ve tried to test it, to know in future if it’s worth it to buy AX or not. I haven’t succeeded, I’ve no idea why

# 2025-06-17 23:02:27 by RouterOS 7.19.1
# software id = YS85-U5L7
#
# model = C52iG-5HaxD2HaxD
# serial number =
/interface bridge
add admin-mac=F4:1E:57:46:9D:8E auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=MikroTik-469D92 \
    disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=5ghz-ax configuration.mode=ap \
    .ssid=test disabled=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi configuration
add channel.band=2ghz-ax disabled=no mode=ap name=cfg-2GHz ssid=test-2GHz
add channel.band=5ghz-ax disabled=no mode=ap name=cfg-5GHz ssid=test-5GHz
/interface wifi datapath
add bridge=bridge disabled=no name=datapath1
/interface wifi security
add disabled=no name="no password"
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=*7
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge interface=ether1 multicast-router=disabled
/ip neighbor discovery-settings
# ipv6 neighbor configuration has changed, please restart the device in order to apply the new settings
set discover-interface-list=LAN
/ipv6 settings
# ipv6 neighbor configuration has changed, please restart the device in order to apply the new settings
set allow-fast-path=no disable-ipv6=yes forward=no
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
/interface ovpn-server server
add mac-address=FE:03:64:47:86:83 name=ovpn-server1
/interface wifi cap
set caps-man-addresses=127.0.0.1 certificate=none discovery-interfaces=bridge \
    enabled=yes
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg-2GHz \
    radio-mac=F4:1E:57:46:9D:93
add action=create-dynamic-enabled disabled=no master-configuration=cfg-5GHz \
    radio-mac=F4:1E:57:46:9D:92
/ip address
add address=192.168.43.5/24 interface=bridge network=192.168.43.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.43.1 suppress-hw-offload=no
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Moscow
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


Your capsman controller on that device is set to local.
127.0.0.1 is local loopback address.

That’s wrong for wave2
You can not control local radios on the controller itself.

I already pointed you to the documentation w.r.t. wave 2 capsman.
I suggest you read it.
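
An added example, not part of the original posts: a small Python check over a RouterOS export that flags the loopback caps-man-addresses value pointed out above, together with the certificate and open-security settings visible in the posted config. The sample export is a constructed excerpt modelled on that config, and the function names parse_export and audit are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt modelled on the export posted above (not the full export).
SAMPLE_EXPORT = r"""/interface wifi security
add disabled=no name="no password"
/interface wifi cap
set caps-man-addresses=127.0.0.1 certificate=none discovery-interfaces=bridge \
    enabled=yes
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
"""

def parse_export(text):
    """Yield (menu, {key: value}) per command, joining backslash line continuations."""
    joined = re.sub(r"\\\n\s*", "", text)
    menu = ""
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line  # menu path applies to the commands that follow it
            continue
        pairs = re.findall(r'([\w.\-]+)=("[^"]*"|\S*)', line)
        yield menu, {k: v.strip('"') for k, v in pairs}

def audit(text):
    """Return findings for the CAP, CAPsMAN and security settings in an export."""
    findings = []
    for menu, kv in parse_export(text):
        if menu == "/interface wifi cap" and kv.get("enabled") == "yes":
            for addr in filter(None, kv.get("caps-man-addresses", "").split(",")):
                if ipaddress.ip_address(addr).is_loopback:
                    findings.append(f"cap: caps-man-addresses={addr} is loopback")
            if kv.get("certificate", "none") == "none":
                findings.append("cap: certificate=none, CAP presents no certificate")
        elif menu == "/interface wifi capsman" and kv.get("enabled") == "yes":
            if kv.get("require-peer-certificate", "no") == "no":
                findings.append("capsman: CAPs are accepted without a certificate")
        elif menu == "/interface wifi security" and not kv.get("authentication-types"):
            findings.append(f"security {kv.get('name')!r}: no authentication-types (open)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```
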

Amazing, so a device with radios can’t be included in the capsman domain? That makes no sense. Things here are getting worse.
The same config on the HEX, with legacy capsman disabled and wave2 enabled, doesn’t remove the radios from the "local" state. AX2 connects to HEX, both are showing that and report it in the log, joined, that’s all. Radios stay local, no way to change that

When configuring wifi CAPsMAN, you better forget about how things are done in wireless CAPsMAN, they are pretty different beasts. The only common thing is use of profiles (where wireless drivers for configuring local interfaces don’t have profiles, wireless CAPsMAN does).
So read the documents, linked by @holvoetn, and try to be “open minded” while doing it. You’ll see that it’s not that bad after all.

A few facts:

  • mobility features work between APs, controlled by the same ROS entity. It doesn’t matter if they are local device wifi interfaces or capsman-provisioned ones. So it’s perfectly fine to have local interfaces configured “locally” and provision CAPs interfaces at the same time. The trick is to extensively use wifi configuration profiles
  • legacy CAPsMAN did not affect station mobility in any way … there were no such settings in capsman configuration. The only way of affecting station behaviour were ACLs … and those are “rude” (forcing station disconnect … making station re-select before it would if left alone). And this works the same when adjacent APs are controlled by different CAPsMANs (you can still configure ACLs on wifi CAPsMAN … just beware that ACLs work equally for all stations, also those about to roam between mobility-enhanced pair of APs)