Mikrotik works only if device is plugged in?

This is a weird one.

Basically the router does not work unless I have a working device plugged into ether[6-10]. CAPsMAN shuts down provisions, the management DHCP server does not give out addresses, and when I set a static address I can’t ping the gateway anymore. I’ve unplugged everything else except my PC to check whether any downstream device is causing it. But no: if there are no devices connected to the AAA or BBB network on interfaces ether[6-10], the router stops working. Unfortunately, I’m going away for a month so I can’t debug this further until I return, but if I don’t find out what is wrong I will rack my brain the whole month.

Device is RB4011iGS+ running RouterOS 7.8

# CAPsMAN channel lists handed to the managed radios: one 5 GHz list and one
# 2.4 GHz list, both with a 20 MHz control channel. The 5 GHz
# extension-channel value is masked (XXXX) in this listing.
/caps-man channel
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=XXXX frequency=5180,5260,5500,5580,5660,5745 name=non-overlapping-5ghz
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412,2437,2462 name=non-overlapping-2ghz
# CAPsMAN datapaths, one per wireless network. local-forwarding=yes makes the
# access point forward client traffic itself, and vlan-mode=use-tag tags it
# with the given VLAN id (27 for AAA, 28 for BBB).
# NOTE(review): client-to-client-forwarding=yes lets wireless clients on the
# same interface talk to each other directly, so there is no client isolation
# on either network - confirm that is intended.
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=AAA_DEVICES_DATAPATH vlan-id=27 vlan-mode=use-tag
add client-to-client-forwarding=yes local-forwarding=yes name=BBB_DEVICES_DATAPATH vlan-id=28 vlan-mode=use-tag
# Single VLAN-aware bridge (vlan-filtering=yes) with spanning tree switched
# off (protocol-mode=none).
# NOTE(review): ingress-filtering=no is set explicitly, so the bridge does not
# check on ingress whether the receiving port is a member of the frame's VLAN;
# only egress membership is enforced. Enabling it is the stricter setting for
# a bridge that separates management, AAA and BBB traffic.
/interface bridge
add ingress-filtering=no name=BR protocol-mode=none vlan-filtering=yes
# ether1 is renamed to mark it as the uplink; PoE output on ether10 is off.
/interface ethernet
set [ find default-name=ether1 ] name=ether1_UPLINK
set [ find default-name=ether10 ] poe-out=off
# WireGuard interface listening on UDP 13231. No private key appears in this
# listing.
/interface wireguard
add listen-port=13231 mtu=1420 name=WG-AAA
# Layer-3 VLAN interfaces on top of the bridge; the router's addresses and
# DHCP servers for VLAN 28 (BBB), 27 (AAA) and 10 (management) attach to these.
/interface vlan
add interface=BR name=BBB_DEVICES_VLAN vlan-id=28
add interface=BR name=AAA_DEVICES_VLAN vlan-id=27
add interface=BR name=MANAGEMENT_VLAN vlan-id=10
# Wireless security profiles for the two SSID families. Both use AES-CCM for
# unicast and group traffic and rotate the group key every hour. No passphrase
# appears in this listing.
# disable-pmkid=yes stops the access point from including the PMKID in the
# EAPOL frame it sends.
# NOTE(review): authentication-types lists wpa-psk next to wpa2-psk, so
# first-generation WPA is still accepted. Unless a legacy client needs it,
# wpa2-psk alone is the tighter setting.
/caps-man security
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=AAA_DEVICES_SECURITY
add authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=1h name=BBB_DEVICES_SECURITY
# Four AP configurations (AAA and BBB, each on 2.4 GHz and 5 GHz). Each one
# ties an SSID to a channel list, a datapath (and therefore a VLAN) and a
# security profile defined earlier in the listing.
/caps-man configuration
add channel=non-overlapping-2ghz country=croatia datapath=AAA_DEVICES_DATAPATH distance=indoors guard-interval=long installation=indoor mode=ap name=AAA_DEVICES_CONFIGURATION security=AAA_DEVICES_SECURITY ssid=AAA
add channel=non-overlapping-2ghz country=croatia datapath=BBB_DEVICES_DATAPATH distance=indoors guard-interval=long installation=indoor mode=ap name=BBB_DEVICES_CONFIGURATION security=BBB_DEVICES_SECURITY ssid=BBB
add channel=non-overlapping-5ghz country=croatia datapath=AAA_DEVICES_DATAPATH distance=indoors guard-interval=long installation=indoor mode=ap name=AAA_DEVICES_CONFIGURATION_5g security=AAA_DEVICES_SECURITY ssid=AAA_5G
add channel=non-overlapping-5ghz country=croatia datapath=BBB_DEVICES_DATAPATH distance=indoors guard-interval=long installation=indoor mode=ap name=BBB_DEVICES_CONFIGURATION_5g security=BBB_DEVICES_SECURITY ssid=BBB_5G
# Interface lists referenced by the firewall, neighbor discovery and the MAC
# server settings. Membership is assigned under /interface list member.
/interface list
add name=MANAGEMENT
add name=LAN
add name=WAN
# Settings on the built-in default LTE APN and default wireless security
# profile; nothing else in this listing refers to them.
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP address pools, one per VLAN subnet.
/ip pool
add name=MANAGEMENT_POOL ranges=172.29.10.200-172.29.10.254
add name=BBB_DEVICES_POOL ranges=192.168.28.100-192.168.28.254
add name=AAA_DEVICES_POOL ranges=192.168.27.100-192.168.27.254
# One DHCP server per VLAN interface. Each server is bound to a VLAN interface
# that sits on bridge BR, not to a physical port.
/ip dhcp-server
add address-pool=MANAGEMENT_POOL interface=MANAGEMENT_VLAN name=MANAGEMENT_DHCP
add address-pool=BBB_DEVICES_POOL interface=BBB_DEVICES_VLAN name=BBB_DEVICES_DHCP
add address-pool=AAA_DEVICES_POOL interface=AAA_DEVICES_VLAN name=AAA_DEVICES_DHCP
# Names for the two serial ports.
/port
set 0 name=serial0
set 1 name=serial1
# Routing protocol objects: the default BGP template is enabled, and an OSPF
# instance is enabled while its only area is disabled.
# NOTE(review): no BGP connection or OSPF interface template appears in this
# listing, so presumably neither protocol is exchanging routes - confirm, and
# remove the unused objects if so.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# Turns on the CAPsMAN controller on this router.
# NOTE(review): no certificate options (for example require-peer-certificate)
# are set in this listing, so presumably access points are accepted without
# certificate checks - confirm, and consider requiring certificates.
/caps-man manager
set enabled=yes
# Provisioning rules: radios matched by hw-supported-modes=g get the 2.4 GHz
# AAA configuration as master with BBB as a slave (virtual) AP; radios matched
# by hw-supported-modes=ac get the 5 GHz pair.
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=g master-configuration=AAA_DEVICES_CONFIGURATION name-format=prefix-identity name-prefix=2G slave-configurations=BBB_DEVICES_CONFIGURATION
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=AAA_DEVICES_CONFIGURATION_5g name-format=prefix-identity name-prefix=5G slave-configurations=BBB_DEVICES_CONFIGURATION_5g
# Bridge membership and access VLAN (pvid) per port:
#   ether2, ether4    no pvid set here
#   ether3            pvid 10   (management)
#   ether6-ether8     pvid 27   (AAA)
#   ether9, ether10   pvid 28   (BBB)
#   ether5            pvid 2610
# ether1_UPLINK and sfp-sfpplus1 are not bridge ports.
# NOTE(review): every port sets ingress-filtering=no, so VLAN membership is
# not checked when a frame enters the bridge; enabling it per port is the
# stricter setting.
# NOTE(review): VLAN 2610 on ether5 has no /interface bridge vlan entry and no
# VLAN interface anywhere in this listing - confirm what that port is for.
/interface bridge port
add bridge=BR ingress-filtering=no interface=ether2
add bridge=BR ingress-filtering=no interface=ether3 pvid=10
add bridge=BR ingress-filtering=no interface=ether4
add bridge=BR ingress-filtering=no interface=ether9 pvid=28
add bridge=BR ingress-filtering=no interface=ether5 pvid=2610
add bridge=BR ingress-filtering=no interface=ether6 pvid=27
add bridge=BR ingress-filtering=no interface=ether7 pvid=27
add bridge=BR ingress-filtering=no interface=ether8 pvid=27
add bridge=BR ingress-filtering=no interface=ether10 pvid=28
# Neighbor discovery is limited to interfaces in the MANAGEMENT list, so the
# router does not announce itself on the uplink or the client VLANs.
/ip neighbor discovery-settings
set discover-interface-list=MANAGEMENT
# Larger neighbor table and TCP SYN cookies enabled for IPv4.
/ip settings
set max-neighbor-entries=8192 tcp-syncookies=yes
# IPv6 is disabled on the router.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
# Static VLAN table. The bridge itself (BR) is a tagged member of every VLAN
# so the VLAN interfaces can reach it; ether2 carries VLANs 10, 27 and 28
# tagged, and ether4 carries VLAN 10 tagged.
# No untagged members are listed statically; presumably the access ports are
# added as untagged members dynamically from their pvid - confirm with
# /interface bridge vlan print.
/interface bridge vlan
add bridge=BR tagged=BR,ether2,ether4 vlan-ids=10
add bridge=BR tagged=BR,ether2 vlan-ids=28
add bridge=BR tagged=BR,ether2 vlan-ids=27
# Interface list membership. sfp-sfpplus1 and WG-AAA are in no list in this
# listing, so firewall rules that match on WAN or LAN do not cover them.
/interface list member
add interface=MANAGEMENT_VLAN list=MANAGEMENT
add interface=BR list=LAN
add interface=ether1_UPLINK list=WAN
# NOTE(review): the OpenVPN server would accept sha1 and md5 as the auth
# digest. No enabled=yes appears here, so the server is presumably off; if it
# is ever enabled, drop md5 from this list first.
/interface ovpn-server server
set auth=sha1,md5
# Single WireGuard peer (public key redacted by the poster). allowed-address
# covers only the peer's tunnel address, 192.168.32.2/32.
/interface wireguard peers
add allowed-address=192.168.32.2/32 comment=WG-AAA-TRAVEL interface=WG-AAA persistent-keepalive=25s public-key="redacted"
# Router addresses: the uplink on ether1_UPLINK, a second routed link on
# sfp-sfpplus1, the gateway address (.1) of each VLAN subnet, and the
# WireGuard tunnel address.
/ip address
add address=192.168.100.99/24 interface=ether1_UPLINK network=192.168.100.0
add address=172.29.10.1/24 interface=MANAGEMENT_VLAN network=172.29.10.0
add address=172.29.17.101/24 interface=sfp-sfpplus1 network=172.29.17.0
add address=192.168.28.1/24 interface=BBB_DEVICES_VLAN network=192.168.28.0
add address=192.168.27.1/24 interface=AAA_DEVICES_VLAN network=192.168.27.0
add address=192.168.32.1/24 interface=WG-AAA network=192.168.32.0
# MikroTik cloud DDNS is on and refreshes every minute; the WANIP address-list
# entry below refers to a name under sn.mynetname.net (redacted by the poster).
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
# DHCP options per subnet. Management and BBB clients are given public
# resolvers; AAA clients are given 10.27.30.10, which falls inside the
# 10.0.0.0/8 range this listing routes via sfp-sfpplus1's gateway.
/ip dhcp-server network
add address=172.29.10.0/24 dns-server=1.1.1.1 gateway=172.29.10.1
add address=192.168.27.0/24 dns-server=10.27.30.10 gateway=192.168.27.1
add address=192.168.28.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.28.1
# Upstream resolver for the router itself. allow-remote-requests is not set
# in this listing, so presumably the router does not answer client DNS
# queries - confirm.
/ip dns
set servers=1.1.1.1
# INTERNET_ACCESS holds the source subnets that the forward chain lets out to
# the WAN list; WANIP holds the router's DDNS name.
/ip firewall address-list
add address=172.29.10.0/24 comment="list of addresses to have internet access" list=INTERNET_ACCESS
add address=redacted.sn.mynetname.net list=WANIP
add address=192.168.28.0/24 list=INTERNET_ACCESS
add address=192.168.27.0/24 list=INTERNET_ACCESS
# INPUT chain (traffic addressed to the router), default-deny:
#   - established/related/untracked accepted
#   - ICMP accepted with no interface match, so also from the uplink
#   - loopback accepted for CAPsMAN
#   - anything from 172.29.10.0/24 arriving on MANAGEMENT_VLAN to 172.29.10.1
#   - UDP 53 from the LAN list (only UDP, and LAN contains only BR here)
#   - UDP 13231 (WireGuard) on every interface
#   - everything else dropped
# NOTE(review): packets from the VLAN subnets presumably arrive with the VLAN
# interface, not BR, as in-interface, so the DNS rule may not match them -
# confirm with the rule counters.
#
# FORWARD chain (traffic routed through the router):
#   - established/related fasttracked, then accepted; invalid dropped
#   - new connections from WAN accepted only if dst-nat'ed (no dst-nat rule
#     exists in this listing)
#   - INTERNET_ACCESS sources allowed out to the WAN list
#   - management VLAN allowed to everything
#   - any new connection to 10.0.0.0/8 accepted
#   - remaining new connections dropped and logged with FORWARD_DROP
# NOTE(review): the 10.0.0.0/8 rule has no src-address or in-interface match,
# so every network that routes through this router (AAA, BBB, the WireGuard
# peer, and hosts on the uplink side that use it as a next hop) may open
# connections to the server network. Scope it to the source networks that
# actually need that access.
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow access to router from management network" dst-address=172.29.10.1 in-interface=MANAGEMENT_VLAN src-address=172.29.10.0/24
add action=accept chain=input comment="if using router's DNS resolver, enable this rule" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=WG-AAA dst-port=13231 protocol=udp
add action=drop chain=input comment="drop everything else"
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow all from WAN DSTNATed" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="allow access to the internet" out-interface-list=WAN src-address-list=INTERNET_ACCESS
add action=accept chain=forward comment="allow managemnt network full access to the network" in-interface=MANAGEMENT_VLAN
add action=accept chain=forward comment="allow local server network" dst-address=10.0.0.0/8
add action=drop chain=forward comment="drop everything else" connection-state=new log=yes log-prefix=FORWARD_DROP
# Source NAT: traffic leaving via ether1_UPLINK is masqueraded. The masquerade
# rule for sfp-sfpplus1 is disabled, so traffic towards 10.0.0.0/8 leaves with
# its original source address.
/ip firewall nat
add action=masquerade chain=srcnat comment=NAT out-interface=ether1_UPLINK
add action=masquerade chain=srcnat disabled=yes out-interface=sfp-sfpplus1
# Static routes: default route via the uplink gateway (monitored with ping),
# 10.0.0.0/8 via the gateway on the sfp-sfpplus1 subnet, and 192.168.88.0/24
# via the WireGuard peer's tunnel address.
# NOTE(review): the WireGuard peer in this listing has
# allowed-address=192.168.32.2/32 only; WireGuard sends a peer only traffic
# for its allowed addresses, so 192.168.88.0/24 presumably is not carried over
# the tunnel until that prefix is added to the peer - confirm.
/ip route
add check-gateway=ping disabled=no dst-address=0.0.0.0/0 gateway=192.168.100.1
add dst-address=10.0.0.0/8 gateway=172.29.17.1
add dst-address=192.168.88.0/24 gateway=192.168.32.2
# Management services: telnet, ftp, www, api and api-ssl are disabled; ssh and
# winbox accept connections only from 172.29.10.0/24.
# NOTE(review): www-ssl is moved to port 40443 but carries no address=
# restriction. Whether it is enabled cannot be told from this listing; if it
# is, add address=172.29.10.0/24 so it matches ssh and winbox and does not
# depend on the firewall alone.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=40080
set ssh address=172.29.10.0/24
set www-ssl port=40443
set api disabled=yes
set winbox address=172.29.10.0/24
set api-ssl disabled=yes
# Strong-crypto mode for the SSH server.
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=RB01
# Sends the firewall topic to a logging action.
# NOTE(review): *5 is an internal id, not a named action, and the action it
# points to is not visible in this listing - confirm that the FORWARD_DROP
# log entries are actually stored somewhere.
/system logging
add action=*5 topics=firewall
/system resource irq rps
set sfp-sfpplus1 disabled=no
# Layer-2 management surface: bandwidth-test server off, MAC telnet and MAC
# WinBox limited to the MANAGEMENT interface list, MAC ping off.
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=MANAGEMENT
/tool mac-server mac-winbox
set allowed-interface-list=MANAGEMENT
/tool mac-server ping
set enabled=no