I’m having a bit of an issue here:
I have two APs (both hAP ax S, connected as CAPsMAN / CAP) and I want to split my home network into multiple WLANs. I made a guest SSID called home.34_2_NTR, but for some reason devices cannot join that SSID on my CAPsMAN, while joining on the CAP works perfectly fine. Roaming from the CAP to the CAPsMAN doesn’t cut the connection; it holds up. The only issue is that devices near my CAPsMAN cannot join that network.
I followed this guide by MikroTik https://www.youtube.com/watch?v=37aff6d14Xk&t=480.
Side question: I can see that my master SSIDs are both marked as master as well as slaves. Why is that? Is that something to worry about?
# One bridge with a fixed admin MAC. No vlan-filtering setting appears in this
# export, so the bridge itself does not separate traffic by VLAN.
/interface bridge
add admin-mac=D0:EA:11:3D:E0:96 auto-mac=no comment=defconf fast-forward=no \
name=bridge
# WAN and LAN interface lists; the firewall rules further down match on them.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Channel profiles: the 5 GHz profile spans three frequency ranges and skips
# channels that need the 10-minute CAC; the 2.4 GHz profile is limited to
# 2412/2432/2472 MHz at 20 MHz width.
/interface wifi channel
add band=5ghz-ax disabled=no frequency=5150-5250,5250-5350,5470-5725 name=\
channel_5ghz skip-dfs-channels=10min-cac width=20/40mhz
add band=2ghz-ax disabled=no frequency=2412,2432,2472 name=channel_2ghz width=\
20mhz
# Security profiles. Both allow WPA2-PSK and WPA3-PSK with CCMP and enable fast
# transition (ft=yes, ft-over-ds=yes). management-protection=allowed means
# protected management frames are offered but not required.
/interface wifi security
# sec_FAM: used by the family SSIDs; WPS is disabled.
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp ft=yes \
ft-over-ds=yes ft-preserve-vlanid=yes management-encryption=cmac \
management-protection=allowed name=sec_FAM wps=disable
# sec_not_FAM: used by the guest (NTR) and IoT SSIDs; differs from sec_FAM only
# in wps=push-button.
# NOTE(review): WPS push-button is left enabled on the guest/IoT profile. Unless
# it is actually used for onboarding, wps=disable (as on sec_FAM) removes a way
# to enrol a client without knowing the passphrase.
# NOTE(review): both SSIDs reference this one profile, so they presumably share
# a passphrase (not shown in this export) - confirm that is intended.
add authentication-types=wpa2-psk,wpa3-psk comment="includes NTR and IOT" \
disabled=no encryption=ccmp ft=yes ft-over-ds=yes ft-preserve-vlanid=yes \
management-encryption=cmac management-protection=allowed name=sec_not_FAM \
wps=push-button
# Steering profile with rrm and wnm enabled.
# NOTE(review): neighbor-group points at a name that looks system-generated
# ("dynamic-..."); verify that this group still exists on the device.
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-home.34_5-7e02348a rrm=\
yes wnm=yes
# Four configuration profiles, one per SSID. Each references a security profile
# and then repeats authentication-types/encryption inline with the same values.
# NOTE(review): no profile sets a datapath (no datapath.vlan-id, datapath.bridge
# or datapath.client-isolation appears in this export), so nothing here puts
# home.34_2_NTR or home.34_2_IOT on a different layer-2 segment than the family
# SSIDs. If guest and IoT clients are meant to be isolated, that needs a VLAN or
# separate bridge plus filtering - confirm the intended design.
/interface wifi configuration
# Family SSID, 5 GHz.
add channel=channel_5ghz country=Germany disabled=no mode=ap name=cfg_home.34_5 \
security=sec_FAM security.authentication-types=wpa2-psk,wpa3-psk \
.encryption=ccmp .management-encryption=cmac ssid=home.34_5 steering=\
steering1
# Family SSID, 2.4 GHz.
add channel=channel_2ghz country=Germany disabled=no mode=ap name=cfg_home.34_2 \
security=sec_FAM security.authentication-types=wpa2-psk,wpa3-psk \
.encryption=ccmp ssid=home.34_2 steering=steering1
# Guest SSID (NTR), 2.4 GHz, uses sec_not_FAM.
add channel=channel_2ghz country=Germany disabled=no mode=ap name=\
cfg_home.34_2_NTR security=sec_not_FAM security.authentication-types=\
wpa2-psk,wpa3-psk .encryption=ccmp ssid=home.34_2_NTR steering=steering1
# IoT SSID, 2.4 GHz, uses sec_not_FAM; additionally overrides channel.frequency
# and steering.neighbor-group inline, unlike the NTR profile.
add channel=channel_2ghz channel.frequency=2412,2432,2472 country=Germany \
disabled=no mode=ap name=cfg_home.34_2_IOT security=sec_not_FAM \
security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp ssid=\
home.34_2_IOT steering=steering1 steering.neighbor-group=\
dynamic-home.34_5-7e02348a
# Local radios of this device, configured statically: wifi1 is renamed to
# home.34_2 (2.4 GHz master), wifi2 to home.34_5 (5 GHz master), and two virtual
# APs with their own MAC addresses are attached to home.34_2.
# NOTE(review): the bridge port list in this export contains home.34_2 and
# home.34_5 but neither home.34_2_IOT nor home.34_2_NTR, and no datapath is set
# on them. Clients of the two virtual APs on this device may therefore have no
# layer-2 path to the network (and no DHCP), which would fit the symptom that
# joining fails only near the CAPsMAN - confirm.
/interface wifi
set [ find default-name=wifi1 ] channel=channel_2ghz configuration=\
cfg_home.34_2 configuration.mode=ap .ssid=home.34_2 disabled=no name=\
home.34_2 security=sec_FAM security.authentication-types=wpa2-psk,wpa3-psk \
.encryption=ccmp steering=steering1
# Virtual AP for the IoT SSID on the 2.4 GHz radio.
add configuration=cfg_home.34_2_IOT configuration.mode=ap disabled=no \
mac-address=D2:EA:11:3D:E0:9C master-interface=home.34_2 mtu=1500 name=\
home.34_2_IOT security=sec_not_FAM security.authentication-types=\
wpa2-psk,wpa3-psk .encryption=ccmp steering=steering1 \
steering.neighbor-group=dynamic-home.34_5-7e02348a
# Virtual AP for the guest (NTR) SSID on the 2.4 GHz radio.
add configuration=cfg_home.34_2_NTR configuration.mode=ap disabled=no \
mac-address=D2:EA:11:3D:E0:9B master-interface=home.34_2 mtu=1500 name=\
home.34_2_NTR security=sec_not_FAM security.authentication-types=\
wpa2-psk,wpa3-psk .encryption=ccmp steering=steering1
set [ find default-name=wifi2 ] channel=channel_5ghz configuration=\
cfg_home.34_5 configuration.mode=ap .ssid=home.34_5 disabled=no name=\
home.34_5 security=sec_FAM security.authentication-types=wpa2-psk,wpa3-psk \
.encryption=ccmp steering=steering1
# NOTE(review): automatic media and SMB sharing are switched on and bound to the
# bridge. As the setting names suggest, attached storage would be shared to
# every client on the bridge; set these to no if sharing is not needed,
# especially with a guest SSID on the same network.
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
# Bridge ports: all Ethernet ports including ether1, sfp1 and the two master
# wifi interfaces. The virtual APs home.34_2_IOT and home.34_2_NTR are not
# listed here.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=home.34_2
add bridge=bridge comment=defconf interface=home.34_5
add bridge=bridge interface=ether1
# The bridge is the only LAN member and the WAN entry for ether1 is disabled,
# so the WAN list is effectively empty. Rules matching in-interface-list=!LAN
# therefore treat everything arriving via the bridge as LAN, including clients
# of any SSID that ends up bridged.
/interface list member
add comment=defconf interface=bridge list=LAN
add disabled=yes interface=ether1 list=WAN
# CAPsMAN is enabled on this device.
# NOTE(review): no interfaces= restriction and no certificate settings
# (certificate, require-peer-certificate) appear in this export, so CAP
# registration is presumably accepted from anything on the bridge - confirm,
# and restrict it if guest clients share that segment.
/interface wifi capsman
set enabled=yes upgrade-policy=suggest-same-version
# Provisioning rules for remote CAP radios: 2.4 GHz radios get cfg_home.34_2 as
# master plus the NTR and IOT configurations as slaves; 5 GHz radios get
# cfg_home.34_5 only. Neither rule is limited to a specific radio MAC or
# identity in this export.
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
cfg_home.34_2 slave-configurations=cfg_home.34_2_NTR,cfg_home.34_2_IOT \
supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
cfg_home.34_5 supported-bands=5ghz-ax
# Static management address on the bridge. The DHCP client and DHCP server are
# both disabled, so addressing for clients has to come from elsewhere
# (presumably 10.0.0.1, the configured gateway and DNS server - confirm).
/ip address
add address=10.0.0.10/24 comment=defconf interface=bridge network=10.0.0.0
/ip dhcp-client
add disabled=yes interface=ether2 name=client1
# address-pool=*1 looks like a reference to a pool that no longer exists; the
# server is disabled anyway.
/ip dhcp-server
add address-pool=*1 disabled=yes interface=bridge name=defconf
# NOTE(review): allow-remote-requests=yes makes this device answer DNS queries
# from any client that can reach 10.0.0.10, and no IPv4 input rule below limits
# who that is. Turn it off if clients use 10.0.0.1 directly.
/ip dns
set allow-remote-requests=yes servers=10.0.0.1
/ip dns static
add address=10.0.0.10 comment=defconf name=router.lan type=A
# NOTE(review): every IPv4 filter rule here is disabled and all of them are in
# the forward chain; the export contains no IPv4 input-chain rule at all. The
# device's own services (management, DNS) are therefore unfiltered for IPv4
# from every bridged client. If guest or IoT clients end up on this bridge, add
# input rules or restrict the services to trusted source addresses.
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat disabled=yes in-interface-list=WAN
# Masquerade is disabled as well; the device is not doing NAT.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
# Default route for the device's own traffic.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=10.0.0.1
# Address list of IPv6 prefixes that the forward chain below drops as source or
# destination.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# IPv6 filter rules are enabled, unlike the IPv4 ones in this export.
# NOTE(review): the final drop in each chain matches in-interface-list=!LAN.
# LAN contains the bridge and the WAN list has no enabled member, so traffic
# from every bridged client counts as LAN and is not caught by these drops.
/ipv6 firewall filter
# Input chain: traffic addressed to the device itself.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Forward chain: routed IPv6 traffic passing through the device.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Time zone and device name.
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Main