I have 2 hAP ax S routers configured as access points and connected to my CCR 2004 Router. They have identical configurations. From one device I can reach the internet, ping google etc. From the other I cannot do either. I can access both from the IP addresses I've set. One AP is set up for CVAPsMan provisioning, the other is not. Help appreciated. The configs are below:

Working:
2026-02-11 14:48:58 by RouterOS 7.21.2

software id = CB5C-CM4Y

model = E62iUGS-2axD5axT

serial number = HKA0AH2YRP1

/interface bridge
add name=bridge1
/interface wifi

managed by CAPsMAN D4:01:C3:12:64:BC%bridge1, traffic processing on CAP

mode: AP, SSID: KBC, channel: 5805/ac

set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap
disabled=no name=Sanct-Piano_5

managed by CAPsMAN D4:01:C3:12:64:BC%bridge1, traffic processing on CAP

mode: AP, SSID: KBC, channel: 2462/n

set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap
disabled=no name=Sanct_Piano_2
/interface bridge port
add bridge=bridge1 interface=all
/interface wifi cap
set caps-man-addresses=192.168.50.1 discovery-interfaces=bridge1 enabled=yes
/ip address
add address=192.168.50.239/24 interface=bridge1 network=192.168.50.0
/ip cloud
set update-time=no
/ip dns
set servers=1.1.1.1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.50.1
routing-table=main scope=30 target-scope=10
/system clock
set time-zone-name=America/Chicago
/system identity
set name="Sanctuary Balcony"
/system leds
add leds=poe-led type=poe-out
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org

Non Working:

2025-11-04 06:23:13 by RouterOS 7.20.4

software id = GS7G-P5MH

model = E62iUGS-2axD5axT

serial number = HK80ATM3805

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=all
/ip address
add address=192.168.50.240/24 interface=bridge1 network=192.168.50.0
/ip cloud
set update-time=no
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.50.1 routing-table=main
suppress-hw-offload=no
/system clock
set time-zone-name=US/Central
/system identity
set name="Sanctuary Piano"
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org

The configuration are not identical, and the non working device Is on a different time zone (and Is not ntp synced).
But the differences do not seem to justify the failed connection.
Could It be something specific to the .240 address?

Post also the configuration of the CCR2004.

What I would try first thing Is to exchange first the two ethernet ports on the CCR2004 and then the two devices, so that cables and ports can be excluded.
On the non-working device you have not any wifi interface, but you have the same settings of "all" added to bridge1.
I would try adding to the bridge only a couple ether ports, let's say ether1 and ether2, and see if It changes anything.

The "non working" device has no wifi configuration at all ... neither is it set to connect CAPsMAN nor is it set up with local WiFi settings.

Also the non-working device is running older ROS version ... and in context of hAP ax S that might be a major difference (since device is pretty new, there are many changes between two ROS versions which directly affect how these devices work). So by all means, get the non-working device to the same ROS version and same (or very similar) configuration as the working one.

Just do not get tempted to make the configuration identical by saving a backup on one of them and restoring it on the other, as doing so would clone all MAC addresses from the “template” device to the “copy” one and would require a subsequent cleanup. Use export and import instead, but that way also requires some additional (or rather preparational) steps, see other topics here for details.

Thanks to all for your suggestions. To remove all variables, I reset two identical hAP ax S devices with the same ROS version. I configured each individually with the basic AP config. Both are connected to the sites CCR2004 Router. The two configuration files are attached. As before, one can ping 8.8.8.8, and outside sites. The other cannot ping these, not even ping the main router. The 'non working' router works at my home with my RB5009 router, but not at the site with the CCR2004. I've also attached the CCR2004 config file. Again, all help appreciated.

I started a new topic for this same issue, with the files attached rather than verbose text in the body of the topic. Please see that new topic.

I have 2 hAP ax S routers configured as access points and connected to my CCR 2004 Router. They have identical configurations. From one device I can reach the internet, ping google etc. From the other I cannot do either. I can access both from the IP addresses I've set. These are identical hAP ax S units. I started with 'no configuration' and set each unit identically. The config files are attached, along with the config of the main CR2004 router. All help appreciated. The configs are below.

One other note, since I couldn't upgrade ROS from within the router (System/packages/check for updates), I found the correct ROS version 7.21.2 ARM, and dragged the file to the file area of the router. After rebooting, the NPK package was gone for the file area, but ROS was NOT updated. Maybe this is a clue??

CCR2004_12FEB26.rsc (46.7 KB)
Non-working-at-site.rsc (429 Bytes)
Working.rsc (480 Bytes)

The only difference I can see is the timezone setting ? It also shows in your config export. Date is quite different.

When manually updating, you need to make sure ALL packages are present before rebooting.
In this case you also need wifi-mediatek together with base ROS package.

The time is off because the device can't get to the NTP server pool. The WiFi MediaTek package is in there. I'm baffled!

It's worth noting that for the 'non working' router, I can take it home and set it up similarly with my RB5009 router, and it works fine. I can provision the WIFi radios with CAPsMan and all works properly.

The other topic Is here:

Maybe the two should be merged.

I can only suggest using the usual steps:

• have the routers change places, leaving cables, psu, everything else the same
• connect them in reverse order
• power them up in reverse order
• power up only one at a time
• take binary backups of the configurations and exchange them (mac address and all)
  ...and so on.

One thing I wouldn't do is set different stp cost modes for interconnected routers, though.

New information. I can ping the MAC address of the Main router. I cannot ping the IP address.

Check if auto-negotiation is working properly on the ccr2004. I had some issues pairing up the hap ax s via sfp might be an ethernet issue as well?

The strange thing is, I have 6 of the hAP ax S setup up as access points. I provision them with CAPsMan. 4 work well with the simple configuration i posted at the top of this thread. 2 do not. I can ping the main router by its MAC address, but not by the assigned IP address.

And so it has been done ...

In my testing I have been having issues on the HAP AX S where it functions fine in a router setup, but as soon as I configure it as an AP (Standalone or CAP) then certain wireless clients can’t pass traffic.

Don’t know if the same issue is causing your inconsistencies.

What is the use of this setting on the CCR2004?

/ip arp
add address=192.168.50.240 interface=bridge_LAN mac-address=6C:3B:6B:11:D7:D8

Proxy arp is also enabled.

That ARP entry was listed as 'permanent'. I honestly don't know where that came from, and the MAC address was incorrect. I deleted that entry, and it all worked properly. Thank you for taking the time to help. Much appreciated!

I don't know why proxy-arp is set. My other routers just use regular arp, and work fine. What's the use of proxy-arp??