How to set Datapath? RB5009 [CAPsMAN] <-> 2x hAPax2 [CAPs] - (4xVLANs/3xWiFi)

mh45 · October 6, 2024, 11:03am

Hello together,
I’m running a central Router RB5009UG (as CAPsMAN) and two hAPax2 (as CAPs) and I’m a little bit struggling about the CAPsMAN datapath configurations.

Basic informations:
The Router itself and both APs are all configured with a central vlan-bridge (VLAN-ID=1; vlan-filtering enabled) and different VLAN-interfaces to get specific IP addresses (4 on the router, 2 on the APs):

                        RB5009UG (CAPsMAN,DHCP,etc.)         hAPax2 (CAP#1)              hAPax2 (CAP#2)
VLAN 1  (management)    192.168.1.1/24              <->      192.168.1.2/24      <->     192.168.1.3/24
VLAN 10 (private)       192.168.10.1/24             <->      192.168.10.2/24     <->     192.168.10.3/24
VLAN 20 (devices)       192.168.20.1/24             <->      x                   <->      x
VLAN 30 (guests)        192.168.30.1/24             <->      x                   <->      x

-> all Ethernet Ports configured as following:
    VLAN 1, 20, 30  tagged
    VLAN 10         untagged

The ethernet port configuration is the same for every ETH port so I don’t have to worry about what port is for what purpose - and every connected device is straight in my “private” network.
(is a tagged management VLAN over ETH the right way for CAPsMAN?)

The VLAN network itself is working correctly, no issues there. Wifi without CAPsMAN was also working correctly. But now I wanted to switch to CAPsMAN.

My current CAPsMAN configuration on Router side (focus on 2,4GHz to not make it unnecessary complex):
RB5009UG (CAPsMAN):

Interface:
    Wifi:
        Datapath:
            Add:
                Name:   dpath_wlan-private
                Bridge: vlan-bridge
                VLAN:   10
            Add:
                Name:   dpath_wlan-devices
                Bridge: vlan-bridge
                VLAN:   20
            Add:
                Name:   dpath_wlan-guests
                Bridge: vlan-bridge
                VLAN:   30
        Security
            Add:
                Name:           sec_wlan-private
                Auth. Types:    wpa2-psk,wpa3-psk
                Passphrase:     xxxx
                FT Enabled:     enabled
                FT over DS:     enabled
            Add:
                Name:           sec_wlan-devices
                Auth. Types:    wpa2-psk,wpa3-psk
                Passphrase:     xxxx
                FT Enabled:     enabled
                FT over DS:     enabled
            Add:
                Name:           sec_wlan-guests
                Auth. Types:    wpa2-psk,wpa3-psk
                Passphrase:     xxxx
                FT Enabled:     enabled
                FT over DS:     enabled
        Channel:
            Add:
                Name:           chan_2GHz-AX
                Band:           2GHz AX
                Channel Width:  20MHz
                Frequency:      2300-7300
                Reselect Interval: 00:30:00 - 01:00:00   
            Add:
                Name:           chan_5GHz-AX
                Band:           5GHz AX
                Channel Width:  20/40MHz
                Frequency:      5150-5350, 5470-5725
                Reselect Interval: 00:30:00 - 01:00:00 
        Configuration:
            Add:
                Name:           cfg_2G_wlan-private
                SSID:           wlan-private
                Channel:        chan_2GHz-AX
                Security:       sec_wlan-private
                Datapath:                                   <- not set !! (but why is it only working this way????)
            Add:
                Name:           cfg_2G_wlan-devices
                SSID:           wlan-devices
                Channel:        chan_2GHz-AX
                Security:       sec_wlan-devices
                Datapath:       dpath_wlan-devices
            Add:
                Name:           cfg_2G_wlan-guests
                SSID:           wlan-guests
                Channel:        chan_2GHz-AX
                Security:       sec_wlan-guests
                Datapath:       dpath_wlan-guests
        Remote CAP:
            CAPsMAN:
                Enabled:    true
                Interfaces: VLAN-Interface_1
        Provisioning:
            Add:
                Enabled:            true
                Supported Bands:    2GHz AX
                Action:             create dynamic enabled
                Master Configur.:   cfg_2G_wlan-private
                Slave Configur.:    cfg_2G_wlan-devices, cfg_2G_wlan-guests

and the configuration for both CAPs:
hAPax2 (CAPs):

... vlan-bridge (vlan-id=1, admit all, vlan filtering enabled) ...
... VLAN-Interface_1 for VLAN1 and VLAN-Interface_10 for VLAN10, connected with the local vlan-bridge for setting IP-sddresses...
... all ETH-ports: VLAN 1/20/30 tagged, VLAN 10 untagged ...

Interface:
    Wifi:
        Datapath:
            Add:
                Name:                   dpath_cap
                Bridge:                 vlan-bridge         #local bridge, without VLAN-ID
        Wifi:
            edit wifi1:
                name:                   wifi1_5G
                Configuration.Manager:  capsman
                Datapath:               dpath_cap
            edit wifi2:
                name:                   wifi2_2G
                Configuration.Manager:  capsman
                Datapath:               dpath_cap
        Wifi - CAP:
            Enabled:                    true
            Discovery Interfaces:       VLAN-Interface_1    #vlan-bridge in here was not working
            Slaves Datapath:            dpath_cap

So, right now it’s working somehow… but why?

The strange behaviour is, if I set the datapath “dpath_wlan-private” into configuration “cfg_2G_wlan-private” on CAPsMAN side, there is following behaviour:

wlan-private > devices can join the network, but will not get an IP address from DHCP / there is no connectivity
wlan-devices > working correct
wlan-guests > working correct

If I then switch the master/slave configuration under provisioning in CAPsMAN (master = cfg_2G_wlan-devices; slave = cfg_2G_wlan-private, cfg_2G_wlan-guests)

wlan-private > working correct
wlan-devices > devices can join the network, but will not get an IP address from DHCP / there is no connectivity
wlan-guests > working correct

So the not working SSID is glued to the wifi master configuration - why?
Did I do anything wrong? Is there any obvious misconfiguration?

neki · October 6, 2024, 7:39pm

rule #1 - never use VLAN 1

bridge is always local entity, CAPsMAN can NOT see/access bridges on CAPs and vice versa. So, datapath configuration profile shouldn’t point to any bridge. That must be done on CAPs themselfs. It exists only on device where it was defined.

…and it’s best to post raw output of export

mh45 · October 6, 2024, 9:27pm

Thanks for your reply.
Why do you think the use of VLAN 1 is no good idea?
A reference to a bridge can only be done locally, thats clear. My bridge on CAPsMAN Router has the same naming as the bridge on the CAPs (“vlan-bridge”).

I thought it would be better to simplify the topic. If full configuration is helpful, here it is:

Router (CAPsMAN):

# 2024-10-06 22:23:55 by RouterOS 7.16
# software id = P16G-U29N
#
# model = RB5009UG+S+
# serial number = HF6095ZRZTP
/interface bridge
add comment=VLAN-Bridge name=vlan-bridge port-cost-mode=short vlan-filtering=\
    yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_trunk
set [ find default-name=ether2 ] name=ether2_trunk
set [ find default-name=ether3 ] name=ether3_trunk
set [ find default-name=ether4 ] l2mtu=1568 mac-address=xx:xx:xx:xx:xx:xx \
    name=ether4_trunk
set [ find default-name=ether5 ] l2mtu=1568 mac-address=xx:xx:xx:xx:xx:xx \
    name=ether5_trunk
set [ find default-name=ether6 ] l2mtu=1568 mac-address=xx:xx:xx:xx:xx:xx \
    name=ether6_trunk
set [ find default-name=ether7 ] l2mtu=1568 mac-address=xx:xx:xx:xx:xx:xx \
    name=ether7_trunk
set [ find default-name=ether8 ] l2mtu=1568 mac-address=xx:xx:xx:xx:xx:xx \
    name=ether8_WAN
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1_trunk
/interface wifi
add name=cap-wifi1 radio-mac=xx:xx:xx:xx:xx:xx
add name=cap-wifi2 radio-mac=xx:xx:xx:xx:xx:xx
/interface veth
add address=172.19.19.2/24,172.19.19.2/24 gateway=172.19.19.1 gateway6="" \
    name=mDNSTrunk
add address=172.19.19.2/24 gateway=172.19.19.1 gateway6="" name=mDNSTrunk
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard_10_private
/interface vlan
add interface=vlan-bridge name=VLAN-Interface_1 vlan-id=1
add interface=vlan-bridge name=VLAN-Interface_10 vlan-id=10
add interface=vlan-bridge name=VLAN-Interface_20 vlan-id=20
add interface=vlan-bridge name=VLAN-Interface_30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2300-7300 name=chan_2GHz-AX \
    reselect-interval=30m..1h width=20mhz
add band=5ghz-ax disabled=no frequency=5150-5350,5470-5725 name=chan_5GHz-AX \
    reselect-interval=30m..1h skip-dfs-channels=all width=20/40/80mhz
/interface wifi datapath
add bridge=vlan-bridge disabled=no name=dpath_wlan-private vlan-id=10
add bridge=vlan-bridge disabled=no name=dpath_wlan-devices vlan-id=20
add bridge=vlan-bridge disabled=no name=dpath_wlan-guests vlan-id=30
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no ft=\
    yes ft-over-ds=yes name=sec_wlan-private
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no ft=\
    yes ft-over-ds=yes name=sec_wlan-devices
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0 disabled=no ft=\
    yes ft-over-ds=yes name=sec_wlan-guests
/interface wifi configuration
add channel=chan_2GHz-AX channel.reselect-interval=30m..1h country=Germany \
    disabled=no name=cfg_2G_wlan-private security=sec_wlan-private \
    security.connect-priority=0 ssid=wifi-private
add channel=chan_5GHz-AX channel.frequency=5150-5350,5470-5725 \
    .reselect-interval=30m..1h country=Germany disabled=yes name=\
    cfg_5G_wlan-private security=sec_wlan-private security.connect-priority=0 \
    ssid=wifi-private_5G
add channel=chan_2GHz-AX channel.reselect-interval=30m..1h country=Germany \
    datapath=dpath_wlan-devices disabled=no name=cfg_2G_wlan-devices \
    security=sec_wlan-devices security.connect-priority=0 ssid=wifi-devices
add channel=chan_5GHz-AX channel.frequency=5150-5350,5470-5725 \
    .reselect-interval=30m..1h country=Germany datapath=dpath_wlan-devices \
    disabled=yes name=cfg_5G_wlan-devices security=sec_wlan-devices \
    security.connect-priority=0 ssid=wifi-devices_5G
add channel=chan_2GHz-AX channel.reselect-interval=30m..1h country=Germany \
    datapath=dpath_wlan-guests disabled=no name=cfg_2G_wlan-guests security=\
    sec_wlan-guests security.connect-priority=0 ssid=wifi-guests
add channel=chan_5GHz-AX channel.frequency=5150-5350,5470-5725 \
    .reselect-interval=30m..1h datapath=dpath_wlan-guests disabled=yes name=\
    cfg_5G_wlan-guests security=sec_wlan-guests security.connect-priority=0 \
    ssid=wifi-guests_5G
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_private_10 ranges=192.168.10.100-192.168.10.254
add name=dhcp_pool_guests_30 ranges=192.168.30.100-192.168.30.254
add name=dhcp_pool_devices_20 ranges=192.168.20.100-192.168.20.254
add name=dhcp_pool_management_1 ranges=192.168.1.100-192.168.1.254
add name=wireguard_pool_private ranges=10.10.10.1-10.10.10.99
/ip dhcp-server
add address-pool=dhcp_pool_private_10 interface=VLAN-Interface_10 lease-time=\
    23h name=dhcp_private_10
add address-pool=dhcp_pool_devices_20 interface=VLAN-Interface_20 lease-time=\
    23h name=dhcp_devices_20
add address-pool=dhcp_pool_guests_30 interface=VLAN-Interface_30 lease-time=\
    4h name=dhcp_devices_30
add address-pool=dhcp_pool_management_1 interface=VLAN-Interface_1 \
    lease-time=23h name=dhcp_router_1 relay=192.168.1.1
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/container
add envlist=mdns hostname=mDNS interface=mDNSTrunk logging=yes root-dir=\
    docker/container/mdns_repeater start-on-boot=yes
/container envs
add key=VLANS name=mdns value="10 20 30"
/interface bridge port
add bridge=vlan-bridge comment="defconf - TRUNK" interface=ether1_trunk \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment="defconf - TRUNK" interface=ether2_trunk \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment="defconf - TRUNK" interface=ether3_trunk \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment="defconf - TRUNK" interface=ether4_trunk \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment="defconf - TRUNK" interface=ether5_trunk \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment="defconf - TRUNK" interface=ether6_trunk \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment="defconf - TRUNK" interface=sfp-sfpplus1_trunk \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment="defconf - TRUNK" interface=ether7_trunk \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment=mDNSTrunk interface=mDNSTrunk \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set max-neighbor-entries=15360
/interface bridge vlan
add bridge=vlan-bridge comment=VLAN-Tagging-1 tagged="vlan-bridge,sfp-sfpplus1\
    _trunk,ether1_trunk,ether2_trunk,ether3_trunk,ether4_trunk,ether5_trunk,et\
    her6_trunk,ether7_trunk,mDNSTrunk" vlan-ids=1
add bridge=vlan-bridge comment=VLAN-Tagging-10 tagged=\
    vlan-bridge,mDNSTrunk vlan-ids=10
add bridge=vlan-bridge comment=VLAN-Tagging-20 tagged="vlan-bridge,sfp-sfpplus\
    1_trunk,ether1_trunk,ether2_trunk,ether3_trunk,ether4_trunk,ether5_trunk,e\
    ther6_trunk,ether7_trunk,mDNSTrunk" vlan-ids=20
add bridge=vlan-bridge comment=VLAN-Tagging-30 tagged="vlan-bridge,sfp-sfpplus\
    1_trunk,ether1_trunk,ether2_trunk,ether3_trunk,ether4_trunk,ether5_trunk,e\
    ther6_trunk,ether7_trunk,mDNSTrunk" vlan-ids=30
/interface list member
add comment=defconf interface=VLAN-Interface_1 list=LAN
add comment=defconf interface=ether8_WAN list=WAN
add interface=VLAN-Interface_10 list=LAN
/interface wifi capsman
set enabled=yes interfaces=VLAN-Interface_1 package-path="" \
    require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled comment=2GHz-Band disabled=no \
    master-configuration=cfg_2G_wlan-private slave-configurations=\
    cfg_2G_wlan-devices,cfg_2G_wlan-guests supported-bands=2ghz-ax
add action=create-dynamic-enabled comment=5GHz-Band_#2 disabled=yes \
    master-configuration=cfg_5G_wlan-private radio-mac=48:A9:8A:53:14:BB \
    slave-configurations=cfg_5G_wlan-devices,cfg_5G_wlan-guests \
    slave-name-format="" supported-bands=5ghz-ax
add action=create-dynamic-enabled comment=5GHz-Band_#3 disabled=yes \
    master-configuration=cfg_5G_wlan-private radio-mac=48:A9:8A:CE:56:B7 \
    slave-configurations=cfg_5G_wlan-devices,cfg_5G_wlan-guests \
    supported-bands=5ghz-ax
/interface wireguard peers
add allowed-address=10.10.10.3/32 interface=wireguard_10_private \
    name=peer2 preshared-key="xxxxx" public-key="xxxxx"
add allowed-address=10.10.10.2/32 interface=wireguard_10_private \
    name=peer3 preshared-key="xxxxx" public-key="xxxxx"
add allowed-address=10.10.10.10/32 interface=wireguard_10_private \
     name=peer5 preshared-key="xxxxx" private-key="xxxxx" public-key="xxxxx"
/ip address
add address=192.168.1.1/24 interface=VLAN-Interface_1 network=192.168.1.0
add address=192.168.10.1/24 interface=VLAN-Interface_10 network=192.168.10.0
add address=192.168.20.1/24 interface=VLAN-Interface_20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN-Interface_30 network=192.168.30.0
add address=10.10.10.1/24 interface=wireguard_10_private network=10.10.10.0
/ip dhcp-client
add comment=defconf interface=ether8_WAN
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.10.0/24 comment=defconf dns-server=192.168.10.10 gateway=\
    192.168.10.1 netmask=24
add address=192.168.20.0/24 comment=devices dns-server=192.168.10.10 gateway=\
    192.168.20.1
add address=192.168.30.0/24 comment=guests dns-server=192.168.10.10 gateway=\
    192.168.30.1
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,149.112.112.112 use-doh-server=\
    https://dns.quad9.net/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
/ip firewall filter
add action=accept chain=forward comment="# ENABLE for transparent firewall" \
    disabled=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=accept chain=input comment="accept Wireguard" \
    dst-port=13231 in-interface-list=WAN protocol=udp
add action=accept chain=input disabled=yes src-address=10.10.10.0/24
add action=accept chain=forward dst-address=192.168.10.10 dst-port=53 \
    in-interface=wireguard_10_private protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment=\
    "ENABLE - allow DNSserver connection (UDP)" dst-address=192.168.10.10 \
    dst-port=53 protocol=udp
add action=accept chain=forward comment=\
    "ENABLE - allow DNSserver connection (TCP)" dst-address=192.168.10.10 \
    dst-port=53 protocol=tcp
add action=accept chain=forward comment=\
    "ENABLE - devices on device subnet to reach each other" dst-address=\
    192.168.20.0/24 in-interface=VLAN-Interface_20 src-address=\
    192.168.20.0/24
add action=accept chain=forward comment=\
    "ENABLE - Spotify Connect for guests -> devices" dst-port=1400,7000,33499 \
    in-interface=VLAN-Interface_30 out-interface=VLAN-Interface_20 protocol=\
    tcp
add action=accept chain=forward comment=\
    "ENABLE - Airplay for guests -> devices" in-interface=VLAN-Interface_30 \
    out-interface=VLAN-Interface_20 port=80,443,554,3689,4070,49152-65535 \
    protocol=tcp
add action=accept chain=forward comment=\
    "ENABLE - Airplay for guests -> devices" dst-port=30000-65535 \
    in-interface=VLAN-Interface_30 out-interface=VLAN-Interface_20 protocol=\
    udp
add action=drop chain=forward comment="devices - no access to private network" \
    dst-address-list=not_in_internet log-prefix=DROP_REQ_20->x src-address=\
    192.168.20.0/24
add action=drop chain=forward comment="guests - no access to private network" \
    dst-address-list=not_in_internet log-prefix=DROP_REQ_30->x src-address=\
    192.168.30.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.20.15
/ip route
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MikroTik-#1
/system leds
set 0 leds="" type=poe-out
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ptbtime1.ptb.de
add address=ptbtime2.ptb.de
add address=ptbtime3.ptb.de
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

2x hAPax2 (CAPs):

# 2024-10-06 22:27:07 by RouterOS 7.16
# software id = EE37-T5A7
#
# model = C52iG-5HaxD2HaxD
# serial number = HEH08HPHFZ0
/interface bridge
add comment=VLAN-Bridge name=vlan-bridge port-cost-mode=short vlan-filtering=\
    yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1_trunk
set [ find default-name=ether2 ] name=ether2_trunk
set [ find default-name=ether3 ] name=ether3_trunk
set [ find default-name=ether4 ] name=ether4_trunk
set [ find default-name=ether5 ] name=ether5_trunk
/interface vlan
add interface=vlan-bridge name=VLAN-Interface_1 vlan-id=1
add interface=vlan-bridge name=VLAN-Interface_10 vlan-id=10
add interface=vlan-bridge name=VLAN-Interface_20 vlan-id=20
add interface=vlan-bridge name=VLAN-Interface_30 vlan-id=30
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi datapath
add bridge=vlan-bridge disabled=no name=dpath_cap
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath=dpath_cap disabled=no mac-address=xx:xx:xx:xx:xx:xx name=\
    wifi1_5.0G security.connect-priority=0
# managed by CAPsMAN
# mode: AP, SSID: wifi-private, channel: 2462/ax
set [ find default-name=wifi2 ]  \
    configuration.manager=capsman .mode=ap datapath=dpath_cap disabled=no \
    name=wifi2_2G security.connect-priority=0
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/interface bridge port
add bridge=vlan-bridge comment=defconf interface=ether2_trunk \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment=defconf interface=ether3_trunk \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment=defconf interface=ether4_trunk \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment="defconf - TRUNK" interface=ether1_trunk \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi1_5.0G \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi2_2G \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge interface=ether5_trunk internal-path-cost=10 \
    path-cost=10 pvid=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set max-neighbor-entries=15360
/interface bridge vlan
add bridge=vlan-bridge comment=VLAN-Tagging-1 tagged="vlan-bridge,ether1_trunk\
    ,ether2_trunk,ether3_trunk,ether4_trunk,ether5_trunk" vlan-ids=1
add bridge=vlan-bridge comment=VLAN-Tagging-10 tagged=vlan-bridge vlan-ids=10
add bridge=vlan-bridge comment=VLAN-Tagging-20 tagged="vlan-bridge,ether1_trun\
    k,ether2_trunk,ether3_trunk,ether4_trunk,ether5_trunk" vlan-ids=20
add bridge=vlan-bridge comment=VLAN-Tagging-30 tagged="vlan-bridge,ether1_trun\
    k,ether2_trunk,ether3_trunk,ether4_trunk,ether5_trunk" vlan-ids=30
/interface list member
add comment=defconf interface=VLAN-Interface_1 list=LAN
add interface=VLAN-Interface_10 list=LAN
/interface wifi cap
set discovery-interfaces=VLAN-Interface_1 enabled=yes slaves-datapath=\
    dpath_cap
/ip address
add address=192.168.1.3/24 interface=VLAN-Interface_1 network=192.168.1.0
add address=192.168.10.3/24 interface=VLAN-Interface_10 network=192.168.10.0
add address=192.168.20.3/24 disabled=yes interface=VLAN-Interface_20 network=\
    192.168.20.0
add address=192.168.30.3/24 disabled=yes interface=VLAN-Interface_30 network=\
    192.168.30.0
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan type=A

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MikroTik-#3
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ptbtime1.ptb.de
add address=ptbtime2.ptb.de
add address=ptbtime3.ptb.de
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

neki · October 7, 2024, 5:05pm

Reason why it was working as described is slaves-datapath under interface wifi cap. By default slave interfaces inherit datapath from master interface, anyway setup script, for some reason, creates bridge, then datapath and then sets this datapath to slaves-datapath. So it overrides default behavior but initially the result is same.
If you screwed your datapath.bridge configuration for your master interface, slaves were working because they were using different setting.

/interface wifi cap
set discovery-interfaces=VLAN-Interface_1 enabled=yes slaves-datapath=\
    dpath_cap

You surely played with those, because it’s renamed. Question is, it’s now working or not?

There is now datapath.bridge set on master interface… Was it like this initially?

/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath=dpath_cap disabled=no mac-address=xx:xx:xx:xx:xx:xx name=\
    wifi1_5.0G security.connect-priority=0

I will completely avoid VLANs, because I think it’s wrong, but if you are sure what are you doing…

I would also change:
Set identities to something more meaningful, like RB5009, hAP-ax2-01 and so on..
Set name-format in provisioning to something like %I-2G-wifi, that way you will end up with nice list of interfaces..
Stop using reselect-interval, I would rather use frequency that I want..
And for that you will need to provision your interfaces with create-enabled instead of create-dynamic-enabled so you can manually adjust interface settings..

And looking on your config again (CAP):

/interface bridge port
add bridge=vlan-bridge comment=defconf interface=ether2_trunk \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment=defconf interface=ether3_trunk \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment=defconf interface=ether4_trunk \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment="defconf - TRUNK" interface=ether1_trunk \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi1_5.0G \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi2_2G \
    internal-path-cost=10 path-cost=10 pvid=10
add bridge=vlan-bridge interface=ether5_trunk internal-path-cost=10 \
    path-cost=10 pvid=10

It looks like you manually added wifi interfaces as ports to your bridge, this should be done dynamically by… surprise surprise datapath.bridge on the interface itself.

And another look, don’t you have wireless package on your RB5009? You don’t need it for AX devices…

mh45 · October 9, 2024, 5:16pm

Thanks a lot again!

So first of all great hint regarding the naming of the wifi-interfaces - that bothered me a lot..

I read your comment in detail and tried to understand it - it gave me a good hint.
I then read threw the “old” mikrotik “wiki”:
https://wiki.mikrotik.com/Manual:CAPsMAN
Sub-menu: /caps-man configuration
datapath.bridge : Bridge to which particular interface should be automatically added as port. Required only when local-forwarding is not used.

Then AGAIN read threw the new mikrotik “Help” for Capsman (from new wifi package)
https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-Datapathproperties
They distinguish between configs for AC- and AX-devices. I tried to understand the difference.

The AX-example doesn’t configure VLANs on CAP side at all, speaking only with CAPSMAN over the “untagged ethernet line”. (?)
In this example the CAPsMAN config has datapaths to his own bridge (with VLAN tags) → to inject the traffic on CAPsMAN side to the right VLAN (like the behavior of the old wireless capsman if local-forwarding was disabled). (?)
The AC-example does configure the full vlan-functionality on CAPs side, create wifi slaves / add them manually to the local bridge.
So VLAN assignment is done on CAP side and traffic is injected to the VLANs there.

What I did in my config (more like the AC-config):

on capsman side:
    Interface:
        Wifi:
            Datapath:
                Add:                            # added this datapath, deleted all others. 
                                                # This datapath is then used for the wifi configurations for provisioning.
                    Name:   dpath_bridge
                    Bridge: vlan-bridge
            Remote CAP:
                CAPsMAN:
                    Edit:
                        Enabled:    true
                        Interfaces: VLAN-Interface_1


on CAP side:
... manually created wifi slave interfaces ...
... manually added all wifi interfaces as bridge ports + untagged this interfaces under Bridge->VLAN ...

    Interface:
        Wifi - CAP:
            Enabled:                    true
            Discovery Interfaces:       VLAN-Interface_1
            Slaves Static:              true        # added this setting
            Slaves Datapath:            -           # so no datapath at all on CAP side

So now it is working as intended. Even if I don’t know if I’m completely right.

I’ve one additional question regarding the provisioning option “create-enabled”.
Where should I set the fixed frequency? I set the frequency from the wifi interface overview on my RB5009 (CAPsMAN).
Two problems with this solution:

when the device restarts / new provisioning occur the setting is lost and I have to set the frequency again.
The fixed frequency is provisioned, but is not used. See following image ((1) for provisioned frequency, (2) current used frequency) - image from the CAPs own wifi list

neki · October 9, 2024, 7:31pm

Just few hints…

Wiki is/was for ROS 6 only, so it’s obsolete for ROS 7 and especially for WiFi CAPsMAN. Old Wireless CAPsMAN had two modes, local forwarding and manager forwarding and you have to be careful when you are looking at configs on internet because most of the users took manager forwarding as standard. New WiFi CAPsMAN has only one mode, local forwarding. That means that each AP have to decide what will happen with each packed that it handles.

1 That’s not how it works, local forwarding… everything is decided on CAP side, period.
2 wifi-qcom-ac is basically afterthought and not every feature is available there, notably for CAPsMAN, it can not asign VLAN dynamically. You don’t have any AC device, so you don’t have to care…

Provisioning should be used “ONCE”, it is NOT “configuration propagation”. It is basically introduction of new interface and that’s it. If you re-provision interface all settings made manually will be lost, that is expected, but again it should be used just once, so it shouldn’t be issue. This shouln’t happen on reboot! If it does, there is something wrong…

For the naming, nice try but you should follow my advice to the letter. %I is variable, capital i as identity, it will be replaced by… device identity. So you can get something like hAP-ax2-01-wifi1

Anyway… if you want help or check config post your configs …in raw format

Just as addition, this is how it looks when you have (D) dynamically assigned VLANs by datapath

mh45 · February 2, 2025, 12:35pm

Solution:
I tried again to change my capsman configuration to what it should be.
After some retry and seeing the same weird behavior I realized something important, “Wireless” package was installed on my capsman Router.
If capsman should only talk to AX-devices there should be NO “wireless” package installed (nor “wifi-qcom”, if the Router has no wifi itself).

Hint to: https://preview.redd.it/replacing-wireless-package-with-wifi-qcom-ac-v0-a7hio9537ptc1.jpeg?width=2340&format=pjpg&auto=webp&s=0303d8c6622ec9371f34ebd84f157d4e54b97cdf

After uninstalling the package - and configuring capsman how it’s described in the mikrotik support page - the wifi’s were created on the CAP + bridged with the right VLAN-Address to the bridge!
What I’ve done differently in my config, compared to the manual:

configuring the VLAN for all ether ports manually on the CAPs
it worked only if discovery interface = VLAN-Interface-1 on capsman&cap side (instead of bridges)

Thanks for support!