How can I Isolate one port of hAP ax3 for use by cAP ax in basement for tenant

If you have CapsMan running correctly on the main router (the AX3), then when the Cap AX comes up in Caps mode, it should immediately register, and that's it.

Not sure about how you are setting up the Cap AX for Caps mode, but /system/reset-configuration caps-mode=yes in the CLI or the GUI is pretty much the same: System -> Reset Configuration, and tick the "caps mode" box.

On the ax3, under WiFi, on the far, far right under the "Configuration" header, click "CapsMan" and make sure that it is enabled AND that all interfaces connecting to the APs are configured as well (I believe that this defaults to just "bridge", and since you have your basement sub on a solo port, you will need to add that if not already there).

Once this is done, the AX should appear in WiFi under the "Remote Cap" tab, and the radios populate in the Radios list along with the local devices, and you can then create provisioning for any of them from the same place. (I don't think the local will show up as a remote device, but it should be there, since the same menus configure either.)
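The CAPsMAN-side enable, the CAP-side reset and the commands that confirm the registration, as an added example that is not part of the post above. Interface names (ether3-basement on the hAP ax3, the cAP ax on that port) and the provisioning profile name are taken from the configs posted later in this thread; the rest is plain RouterOS 7 /interface/wifi syntax. The certificate comment reflects what this thread runs into later: require-peer-certificate=yes can only be satisfied once the CAP has actually been issued a certificate.

```routeros
# Added example (not from the post). Names follow the configs posted later in
# this thread; the provisioning profile " 24GHZ_basement" is assumed to exist.

# --- hAP ax3 (CAPsMAN side) ---
/interface wifi capsman set enabled=yes interfaces=bridge,ether3-basement \
    ca-certificate=auto certificate=auto require-peer-certificate=no
# require-peer-certificate=yes only works after the CAP has been issued a
# certificate (CAP side: /interface wifi cap set certificate=request while
# CAPsMAN has certificate=auto). Turn it on as a second step, not on day one.

# A provisioning rule is what turns a registered radio into an AP; without one
# the CAP registers but no SSID comes up.
/interface wifi provisioning add action=create-dynamic-enabled \
    supported-bands=2ghz-ax master-configuration=" 24GHZ_basement" comment=Basement24

# --- cAP ax (CAP side) ---
# Wipes the defconf router parts (DHCP, NAT, firewall) that a bridged AP does
# not need, enables the CAP and reboots the unit.
/system reset-configuration caps-mode=yes

# --- checks, back on the hAP ax3 ---
# the cAP must be listed here before anything else is worth debugging
/interface wifi capsman remote-cap print
# remote radios appear next to the local ones
/interface wifi radio print
# dynamic interfaces created by provisioning, one per CAP radio
/interface wifi print where dynamic
```

If remote-cap print stays empty, the first things to check are the interfaces= list on the CAPsMAN side (the port the cAP hangs off must be in it) and require-peer-certificate, before touching provisioning.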

I am not sure if we mean the same thing by "AP mode". The configuration for the cAP that you posted here has much more than AP functionality. It has DHCP, router, NAT, firewall, all enabled.

The "simple" way would be to let the hAP fulfill all that functionality.

If you have changed the cAP config from what you posted before, please re-upload the new sanitized config.

And when you do, please open a </> text box before pasting in the sanitized config; that makes it easier to read (and to scroll past when not looking at the config). Instructions on how to post the configuration are here:
Forum rules - #5 by gigabyte091

This is what I've got set up in the AX3 under CAPsMAN. I've selected the bridge (AX3) and ether3 (cAP AX) as the interfaces. 2 certs do appear below that screenshot.

Under the main wifi tab, only the AX3 wifi interfaces show up.

Here's the basement config from the cAP AX which is pretty much factory settings.

# 2026-01-08 16:21:02 by RouterOS 7.20.7
# software id = RASE-MIIC
#
# model = 
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Canada .mode=ap .ssid=basement disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Canada .mode=ap .ssid=basement disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi cap
set discovery-interfaces=ether1 enabled=yes lock-to-caps-man=no
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "

I did reset the basement cAP AX, however I still have the config on the AX3 to create an IP pool, DSHP server and such on the ether port that the cAP AX is connected to. Would that be a problem for CAPsMAN, not grabbing the wifi from the cAP AX? I didn't think it would, as when I click scan it does find the signal from the cAP AX. I would still want the basement to have its own IP pool to separate the main floor from the basement. However, if there's an easier way (there tend to be 10-20 ways to do things in networking) then I'm all ears! lol

Here's the current AX3 config from upstairs.

# 2026-06-25 18:33:05 by RouterOS 7.23.1
# software id = 
# model = 
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Canada .mode=ap .ssid=MikroTik disabled=no name=\
    wifi24 security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Canada .mode=ap .ssid=MikroTik disabled=no name=\
    wifi50 security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
/interface ethernet
set [ find default-name=ether1 ] comment=entry
set [ find default-name=ether2 ] comment=Switch
set [ find default-name=ether3 ] comment=basement name=ether3-basement
set [ find default-name=ether4 ] comment=Desktop
set [ find default-name=ether5 ] comment=Cameras
/interface ethernet switch
set switch1 cpu-flow-control=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=basement include=LAN name=basement
add comment=basementandLAN include=basement,LAN name=basementLAN
/interface wifi channel
add band=5ghz-ax comment=5GHZ disabled=no frequency=\
    5180,5280,5500,5580,5660,5745 name=channel5GZ reselect-interval=\
    30m..1h30m skip-dfs-channels=disabled width=20/40/80+80mhz
add band=2ghz-ax comment=24GHZ disabled=no frequency=2412,2437,2462 name=\
    Channel2GHZ reselect-interval=30m..1h30m skip-dfs-channels=disabled \
    width=20mhz
/interface wifi datapath
add bridge=bridge client-isolation=yes disabled=no interface-list=basementLAN \
    name=basement
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk comment=Security_Wifi_basement \
    connect-priority=0/1 disable-pmkid=yes disabled=no encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 ft-over-ds=no group-encryption=ccmp \
    group-key-update=12h management-encryption=cmac management-protection=\
    required name=sec-basement sae-anti-clogging-threshold=10 wps=disable
/interface wifi configuration
add channel=channel5GZ country=Canada datapath=basement disabled=no mode=ap \
    name=" 5GHZ_basement" security=sec-basement ssid=Basement5
add channel=Channel2GHZ country=Canada datapath=basement disabled=no mode=ap \
    name=" 24GHZ_basement" security=sec-basement ssid=Basement5
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add comment=basement name=poolbasement ranges=192.168.20.1-192.168.20.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=poolbasement interface=ether3-basement name=basment
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi24
add bridge=bridge comment=defconf interface=wifi50
/ip neighbor discovery-settings
set discover-interface-list=basementLAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=basement interface=ether3-basement list=basement
/interface ovpn-server server
add mac-address=FE:FD:68:F4:F9:13 name=ovpn-server1
/interface wifi cap
set discovery-interfaces=ether3-basement enabled=yes
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=\
    bridge,ether3-basement require-peer-certificate=yes upgrade-policy=\
    suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled comment=Basement24 disabled=no \
    master-configuration=" 24GHZ_basement" supported-bands=2ghz-ax
add action=create-dynamic-enabled comment=Basement5 disabled=no \
    master-configuration=" 5GHZ_basement" supported-bands=5ghz-ax
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.20.1/24 comment=basement interface=ether3-basement \
    network=192.168.20.0
/ip arp
add address=192.168.88.100 comment=server interface=bridge mac-address=\
    
add address=192.168.88.99 comment=VM interface=bridge mac-address=\
    
add address=192.168.88.228 comment=cameras interface=bridge mac-address=\
    
/ip dhcp-client
add comment=defconf interface=ether1 name=ether1
/ip dhcp-server network
add address=192.168.20.0/24 comment=basement dns-server=192.168.20.1 gateway=\
    192.168.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip nat-pmp
set enabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Toronto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

omg! I've managed to get the basement AP to connect to the AX3 upstairs! After having watched so many videos on how this could be set up, I had checked the "require peer cert" option under CAPsMAN on the AX3 upstairs, which made the basement in CAPs mode not able to detect the CAPsMAN host, and yet it was getting an IP address. Now that this is set up, I need to make the basement isolated in a way that it cannot access anything locally besides the internet from upstairs. I presume there's no other way but to use another DSHP server and IP pool so that the basement wifi is on that pool and not mine upstairs?

I see you made a post since I started this response. But still could be useful to you or to someone else that comes later.

That may be the defconf, but the defconf is a config that makes the device act like a "wifi router", not an access point. By that I mean that defconf does set it up with an integrated access point, but it also includes many other things in the settings.

What is most useful in your case is to have the cAP ax act only as a wireless access point that is bridged (at layer 2, like an ethernet switch) with the wired ethernet connection to ether3.

If you reset the config so the only thing it saves is your username, it will have a config with no IP address configured at all, and then the only way to access it for the initial setup will be to use winbox and the MAC address of the cAP's ether1 interface. This should show up in the neighbors display in winbox.

There are multiple ways to do what you want. If you are going to be controlling the basement device, it appears the easy way would be to use CAPsMAN on your hAP ax3 and set up the cAP ax as a CAP device using its own provisioning configuration (so the basement would have its own separate wifi SSIDs and wifi passwords).

This is the first video I would watch
"CAPsMAN basics: expand your WiFi network", a MikroTip by MikroTik. Note what he states at 2:50 in the video.

If you want a more indepth video, see
"CAPsMAN for WiFi6 and beyond - everything you need to know", also by MikroTik.

Another way would be to set things up manually without CAPsMAN, but if you want a centrally managed way, CAPsMAN would be better. And if you think you may ever add an additional access point upstairs, then using CAPsMAN from the start would be the best option.

Here's the YouTube video that is most applicable to the manual setup method. Remember, I have no experience with any MikroTik wireless devices, but on my RB760iGS, running the following command will reset it with nothing configured (and you will have to use winbox to access it using a MAC address):

/system/reset-configuration keep-users=yes skip-backup=yes no-defaults=yes

This is the state the video appears to start with.

"How to setup MikroTik cAP ax Gen 6 Setup | Unboxing & Review" by TechTalk and Tech Unboxed

It's not a highly polished presentation, but it has a demonstration of what is being done.

It does the following (starting from a reset-without-defconf state):

  1. connects to mac address with winbox
  2. logs in and resets the password (if you do a reset with keep-users, this won't be needed).
  3. adds wifi1 wifi2 ether1 and ether2 to the bridge
  4. configures wifi using wifi tab in winbox (not wireless). Manually sets everything up

Here's an old Reddit thread that describes what worked for them.

The AX3 must provide DHCP and such for ether3, or the AX will have nothing to offer the clients. The AX must be initialized in CAPS mode (as I described earlier)

If you have a DHCP server or pool on the AX, the config is completely buggered and WRONG for use with CapsMan! The Cap AX should NOT be running DHCP, a NAT, firewalls, etc. Just reinit it in CAP mode AND LEAVE IT ALONE!

(I can't help but feel that 90%+ of your issues are due to trying to grossly overcomplicate things. As I've said before, start SIMPLE! Once the Cap AX is up in CAP mode, you really don't need to do anything on it for 100% function! CapsMan does that!)

I now see that you got CapsMan to connect (the reply above was to your prior post). Again, why did you overcomplicate? When did anyone say to do anything other than enable CapsMan and set the ports? (If you request a cert, you need to create that cert, and apply it to BOTH ends - CapsMan server and Cap. Setting CapsMan to auto, and nothing on the Cap but defining the connected interface there, is all you need.)

I thought ether3 was a different subnet already, which would require a separate DHCP address pool. Do that, and firewall the two subnets/interfaces from reaching each other.

For the firewall, add two rules: forward chain, in interface: bridge, out interface: ether3, action: drop. NOTHING more! And set the opposite. This should prevent packet exchange of any and all traffic between those two subnets (not setting a protocol should grab everything).
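The two drop rules described in the post above, written out as RouterOS commands together with the checks that show they actually bite. This is an added example, not part of the thread; it assumes the hAP ax3 config posted earlier (bridge = 192.168.88.0/24, ether3-basement = 192.168.20.0/24, ether3-basement not a bridge port) and the defconf rule comments from that config. The second variant goes beyond the post: a default-deny for the tenant port that also covers any subnet added later. The rule comments are mine.

```routeros
# Added example (not from the thread). Assumes the hAP ax3 config posted above:
# bridge=192.168.88.0/24, ether3-basement=192.168.20.0/24, and ether3-basement
# NOT a bridge port. If the port were in the bridge, bridge<->ether3 traffic
# would be switched at layer 2 and the forward chain would never see it.
/ip firewall filter

# Variant A: exactly the two rules from the post. No connection-state match, so
# the first packet of a new flow is dropped and no established state is created.
add chain=forward in-interface=bridge out-interface=ether3-basement action=drop \
    comment="isolate: LAN -> basement" \
    place-before=[find chain=forward comment="defconf: fasttrack"]
add chain=forward in-interface=ether3-basement out-interface=bridge action=drop \
    comment="isolate: basement -> LAN" \
    place-before=[find chain=forward comment="defconf: fasttrack"]

# Variant B (tighter, beyond the post; use A or B, not both): the tenant port
# may only talk to the WAN list. Anything else, including subnets added later,
# is dropped without a new rule. Return traffic from the internet is not
# connection-state=new, so it still reaches the defconf established rule.
add chain=forward in-interface=ether3-basement out-interface-list=WAN action=accept \
    comment="basement: internet only" \
    place-before=[find chain=forward comment="defconf: fasttrack"]
add chain=forward in-interface=ether3-basement action=drop \
    comment="basement: drop everything else" \
    place-before=[find chain=forward comment="defconf: fasttrack"]
add chain=forward out-interface=ether3-basement connection-state=new action=drop \
    comment="basement: no new connections into it" \
    place-before=[find chain=forward comment="defconf: fasttrack"]

# Checks. From a basement client, ping 192.168.88.100 (a host on the bridge):
# it must time out while a public address still answers. On the router the
# drop counters must climb while you do that:
/ip firewall filter print stats where chain=forward and comment~"basement"
# The forward chain only governs traffic THROUGH the router. 192.168.20.1 and
# 192.168.88.1 are the router itself and are reached via the input chain, so
# pinging them from the basement says nothing about isolation.
/interface wifi datapath print
# client-isolation=yes in the basement datapath (already in the posted config)
# only stops tenant devices on the same AP from talking to each other; it does
# not replace the forward rules.
```

Placing the rules before the defconf fasttrack rule is not strictly needed, since a dropped first packet never becomes an established connection, but it keeps them visible at the top of the chain and ahead of any accept rule added later.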

Good day @tadawson and @Buckeye! Thanks for the continued comments in this thread. So here's what I did last night.

  1. remoted into the basement cAP AX and went to System > Reset Configuration > selected "CAPS mode". That rebooted the device into CAPS-only mode. I was going under Wifi and just activating CAPS, which isn't the right way.

  2. On the AX3 (upstairs, aka main router) I went into the CAPsMAN settings and turned off "require peer cert", which was selected from another YouTube video I had watched on how to configure this. That allowed the basement cAP to sync with CAPsMAN and display the 2 wifi devices from the basement under the "wifi" tab, including the 2 wifi devices from the AX3 that are not controlled by CAPsMAN. The previously configured profiles (config, channel, security, datapath, provisioning) that I had completed from that YouTube video also got grabbed when it synced, so there was nothing else to do. Well, from a wifi extension POV, if all I wanted was to extend my existing WIFI without any guest restrictions.

  3. I had started to look into firewall rules as well but when I set the rules I keep getting this error.

Things to ponder about...lol

I'm still not sure if all I need is to set those firewall rules to isolate the basement or also establish a DSHP server/IP pool/etc on the AX3 so the basement cAP AX uses another pool of IPs.

If you are subnetting, ether3 should NOT be a part of the bridge (and I recall someone telling you this prior). That's why it's griping about it being a slave. Get it OUT of the bridge and with its own DHCP pool!

I've added the DSHP settings that I previously had (.20 network) for the basement cAP, and the cAP now has an IP of .20.3, and when I connect my phone I get a .20.4 IP, so that works like a charm now. Just to summarize what I've done to get that pool active:

IP > pool - create new pool 192.168.20.0/24
IP > addresses - create new address for ether3 (192.168.20.1/24)
IP > DHCP server - create new server using ether3 (port where basement cAP is tied) using new address pool, 20.1 as DNS server and gateway.

The problem I have now that I've done these changes is that the basement cAP doesn't reach the internet. I must have missed something on how to direct that IP pool out to the internet somewhere.

If ether3-basement is still in the bridge, it's on the wrong IP block for the bridge, so not surprising it won't route.

You have the DHCP (not sure wtf "DSHP" is . . . ) server on ether3, but it's also on the bridge . . . It's screaming at you about this (the firewall issue) as have others. Why is it there?

Get ether3-basement OFF the bridge, and make sure that it is in the "LAN" (internal) interface list, and the existing NAT/masquerade rule should give it internet (unless you have overcomplicated that as well . . . )
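The subnet setup the post above asks for, as RouterOS commands, with two changes a practitioner would want: the pool no longer includes the router's own .20.1, and instead of putting the tenant port into the LAN list (which in the posted config also governs mac-server, mac-winbox and every service on the router), the input chain accepts only what a tenant subnet needs. This is an added example, not from the thread; it assumes the hAP ax3 config posted earlier (ether3-basement, the defconf rule comments, the defconf masquerade rule, DNS with allow-remote-requests=yes) and RouterOS 7. The rule comments prefixed "basement:" are mine.

```routeros
# Added example (not from the thread). Assumes the hAP ax3 config posted above.
# Apply on a router that does not yet have the basement entries, or edit the
# existing ones to match.

# 1. The port is routed, not switched: it must not be a bridge port.
/interface bridge port remove [find interface=ether3-basement]

# 2. Address, pool, DHCP. The pool starts at .10 so the router's own .20.1 is
#    never handed to a client (the posted pool started at .20.1).
/ip address add address=192.168.20.1/24 interface=ether3-basement comment=basement
/ip pool add name=poolbasement ranges=192.168.20.10-192.168.20.254
/ip dhcp-server add name=basement interface=ether3-basement address-pool=poolbasement
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1 \
    dns-server=192.168.20.1 comment=basement

# 3. Internet. The defconf masquerade matches out-interface-list=WAN for any
#    source, so NAT needs no change. What the tenant subnet does need is a way
#    through the input chain: defconf drops everything not arriving from the LAN
#    list, so a port outside LAN gets no DNS answers from 192.168.20.1 even
#    though leases are handed out. Adding ether3-basement to LAN fixes that, but
#    LAN is also the allowed list for /tool mac-server and mac-winbox and the
#    only thing between the tenant and winbox/ssh/www on the router. Accept just
#    DNS and DHCP instead and leave the port out of LAN.
/ip firewall filter
add chain=input in-interface=ether3-basement protocol=udp dst-port=53 action=accept \
    comment="basement: dns udp" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
add chain=input in-interface=ether3-basement protocol=tcp dst-port=53 action=accept \
    comment="basement: dns tcp" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
add chain=input in-interface=ether3-basement protocol=udp dst-port=67 action=accept \
    comment="basement: dhcp" \
    place-before=[find chain=input comment="defconf: drop all not coming from LAN"]
# ICMP is already accepted by defconf, so ping to 192.168.20.1 keeps working.
# The cAP on this port reaches CAPsMAN at layer 2 (discovery-interfaces on the
# CAP, interfaces= on CAPsMAN), which the IP firewall does not filter. If it is
# ever switched to a layer-3 connection, add an accept for udp 5246-5247 from
# the cAP's address here as well.

# 4. Checks
/ip firewall filter print stats where chain=input and comment~"basement"
/ip dhcp-server lease print where server=basement
/interface list member print where interface=ether3-basement
# The last one must NOT show list=LAN.
```

From a basement client, a lease from 192.168.20.10 upwards, a working name lookup against 192.168.20.1 and a refused or timed-out winbox/ssh attempt to 192.168.20.1 together confirm that the subnet has internet without the tenant having the router.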

It's hard for anyone to give useful advice if we can't see what the active config is.

The last config you posted showed that ether3 was not in the bridge, so if that was the active config when you got the "(ether3-basement) is slave" error, then I don't understand why.

Here's the relevant section:

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi24
add bridge=bridge comment=defconf interface=wifi50

Note that ether3 (or ether3-basement) is not included in the bridge ports.

The last posted config already had those. Did you reset the hAP ax3 since posting the config?

Please post the latest sanitized config (but don't sanitize out the model; that is useful info, and not sensitive).

Also, take at look here for firewall advice (the web archive copy of a deleted post) The DEFACTO DEFAULT FIREWALL Setup

I didn't reset the AX3 but simply had disabled those when setting up CAPsMAN to get the basics going with the basement cAP. Here's the latest config from the upstairs.

# 2026-06-26 13:50:18 by RouterOS 7.23.1
# software id = 0NPM-LQPK
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Canada .mode=ap .ssid=MikroTik disabled=no name=\
    wifi24 security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.country=Canada .mode=ap .ssid=MikroTik disabled=no name=\
    wifi50 security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .ft-over-ds=yes
/interface ethernet
set [ find default-name=ether1 ] comment=entry
set [ find default-name=ether2 ] comment=Switch
set [ find default-name=ether3 ] comment=basement name=ether3-basement
set [ find default-name=ether4 ] comment=Desktop
set [ find default-name=ether5 ] comment=Cameras
/interface ethernet switch
set switch1 cpu-flow-control=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add comment=basement include=LAN name=basement
add comment=basementandLAN include=basement,LAN name=basementLAN
/interface wifi channel
add band=5ghz-ax comment=5GHZ disabled=no frequency=\
    5180,5280,5500,5580,5660,5745 name=channel5GZ reselect-interval=\
    30m..1h30m skip-dfs-channels=disabled width=20/40/80+80mhz
add band=2ghz-ax comment=24GHZ disabled=no frequency=2412,2437,2462 name=\
    Channel2GHZ reselect-interval=30m..1h30m skip-dfs-channels=disabled \
    width=20mhz
/interface wifi datapath
add bridge=bridge client-isolation=yes disabled=no name=basement
add bridge=bridge client-isolation=no disabled=no name=upstairs
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk comment=Security_Wifi_basement \
    connect-priority=0/1 disable-pmkid=yes disabled=no encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 ft-over-ds=no group-encryption=ccmp \
    group-key-update=12h management-encryption=cmac management-protection=\
    required name=sec-basement sae-anti-clogging-threshold=10 wps=disable
add authentication-types=wpa2-psk,wpa3-psk comment=Security_Wifi_Upstairs \
    connect-priority=0/1 disable-pmkid=yes disabled=no encryption=\
    ccmp,gcmp,ccmp-256,gcmp-256 ft-over-ds=no group-encryption=ccmp \
    group-key-update=12h management-encryption=cmac management-protection=\
    required name=sec-upstairs sae-anti-clogging-threshold=10 wps=disable
/interface wifi configuration
add channel=channel5GZ disabled=no mode=ap name=" 5GHZ_basement" security=\
    sec-basement security.authentication-types=wpa2-psk,wpa3-psk ssid=\
    Basement5
add channel=Channel2GHZ disabled=no mode=ap name=" 24GHZ_basement" security=\
    sec-basement security.authentication-types=wpa2-psk,wpa3-psk ssid=\
    Basement5
add channel=channel5GZ disabled=no mode=ap name=5GHZ_upstairs security=\
    sec-upstairs security.authentication-types=wpa2-psk,wpa3-psk ssid=\
    upstairs50
add channel=Channel2GHZ country=Canada datapath=upstairs disabled=no mode=ap \
    name=" 24GHZ_upstairs" security=sec-upstairs \
    security.authentication-types=wpa2-psk,wpa3-psk ssid=upstairs24
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add comment=basement name=poolbasement ranges=192.168.20.1-192.168.20.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
add address-pool=poolbasement interface=ether3-basement name=basment
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi24
add bridge=bridge comment=defconf interface=wifi50
/ip neighbor discovery-settings
set discover-interface-list=basementLAN
/ipv6 settings
set disable-ipv6=yes forward=no
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=basement interface=ether3-basement list=basement
/interface ovpn-server server
add mac-address= name=ovpn-server1
/interface wifi cap
set discovery-interfaces=ether3-basement
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes \
    require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled comment=Basement24 disabled=no \
    master-configuration=" 24GHZ_basement" supported-bands=2ghz-ax
add action=create-dynamic-enabled comment=Basement5 disabled=no \
    master-configuration=" 5GHZ_basement" supported-bands=5ghz-ax
add action=create-dynamic-enabled comment=upstairs24 disabled=no \
    master-configuration=" 24GHZ_upstairs" supported-bands=2ghz-ax
add action=create-dynamic-enabled comment=upstairs5 disabled=no \
    master-configuration=5GHZ_upstairs supported-bands=5ghz-ax
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.20.1/24 comment=basement interface=ether3-basement \
    network=192.168.20.0
/ip arp
add address=192.168.88.100 comment=server interface=bridge mac-address=\
    
add address=192.168.88.99 comment=VM interface=bridge mac-address=\
    
add address=192.168.88.228 comment=cameras interface=bridge mac-address=\
    
/ip dhcp-client
add comment=defconf interface=ether1 name=ether1
/ip dhcp-server network
add address=192.168.20.0/24 caps-manager=192.168.88.1 comment=basement \
    dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward in-interface=bridge out-interface=\
    ether3-basement
add action=drop chain=forward in-interface=ether3-basement out-interface=\
    bridge
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip nat-pmp
set enabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Toronto
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I see that "ether3-basement" is NOT in the LAN list . . . That is what is likely killing your connectivity. It can be done with your own list, but you need to recreate all the rules.

Again, don't overcomplicate and break things!

The specific rule killing you is:

add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
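
One way to carry out the fix the post describes, as an added example (not a configuration posted in this thread): the tenant port joins the LAN list so the default input rule stops dropping the cAP's CAPsMAN, DHCP and DNS traffic, while the two forward drops already in the export keep the segments apart. The list name `mgmt` and the restriction of management services to the 192.168.88.0/24 bridge subnet are this example's own choices.

```routeros
# Added example, not from the thread. Let ether3-basement pass the
# "defconf: drop all not coming from LAN" input rule.
/interface list member
add comment=basement interface=ether3-basement list=LAN

# The export already has the rules that keep tenant and house apart:
#   drop forward bridge -> ether3-basement
#   drop forward ether3-basement -> bridge
# so nothing else is needed for isolation.

# Membership in LAN also admits the tenant port to router management.
# Keep winbox/ssh/www reachable only from the main (bridge) subnet.
/ip service
set winbox address=192.168.88.0/24
set ssh address=192.168.88.0/24
set www address=192.168.88.0/24

# MAC-server and MAC-winbox follow an interface list; give them one that
# holds only the bridge instead of LAN (which now includes the tenant port).
/interface list
add name=mgmt
/interface list member
add interface=bridge list=mgmt
/tool mac-server
set allowed-interface-list=mgmt
/tool mac-server mac-winbox
set allowed-interface-list=mgmt

# Check: once the cAP re-registers, the counters of the blocking rule should
# stop growing, and the cAP should appear under WiFi -> Remote Cap.
/ip firewall filter print stats where comment="defconf: drop all not coming from LAN"
/interface wifi capsman remote-cap print
```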

That was it!!! I never added that firewall rule though as you can see as it comes from the default config. Thanks for all the help on this! So long story short, don't use VLANs and use the KISS principle as much as possible. I'm going to save my config right now! lol

Yup! It's amazing how well the defaults work as a baseline . . . A core concept with Mikrotik configs - just because you have not specifically set or selected something does NOT mean that an acceptable default will not be used.

Default firewall config is pretty much "Your (internal) side == LAN, external == WAN" . . .

Glad to have been able to help!