New Capsman - Cap Devices are not connected to the selected bridge

Hi, I was running the old capsman for years with some older cAPs without problems.

I’m migrating to a newer setup (CRS328) with new cAPs (wAP ax, cAP ax) and want (or have) to use the “new” capsman for that. It works a little bit differently, but after some time I managed to integrate a wAP ax.

The CAPs and the CRS328 are all connected in the same network, there is no VLAN or something else configured. It’s a home network.

My problem is, that the cAPs are not being automatically connected to the configured bridge in the datapath section.

I have one LAN-Bridge, where normal LAN Users and IoT devices are working. And a second bridge, which Guests are using. There are 3 SSIDs configured. The correct bridges are added in the datapath section.

I can connect via WiFi to the network, but the clients do not receive any IP configuration. The desired bridge is selected in the datapath configuration.

What I can see:

  • Capsman Registration Tab: Client is connected
  • DHCP Server: No client received an IP address (DHCP works via wired connection)
  • Bridge Tab: The Caps are not added dynamically to the configured bridge.

In the old capsman, the CAPs were dynamically added to the configured bridge. The new one doesn’t do it. That’s why the clients have no IP connection. When the CAP isn’t added to the bridge, the clients won’t have any IP connection.

RouterOS is the actual 7.20.6 on both, the CRS328 and the wAP ax.

I don’t get it, did I miss anything? Thanks in advance.

/interface wifi channel
add band=2ghz-ax disabled=no frequency=2422 name=2422-UG-GA width=20/40mhz-Ce
add band=5ghz-ax disabled=no frequency=5200 name=5200-GA skip-dfs-channels=\
    disabled width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5280 name=5280-OG skip-dfs-channels=\
    disabled width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5540 name=5540-UG skip-dfs-channels=\
    disabled width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2462 name=2462-OG width=20/40mhz-Ce

/interface wifi datapath
add bridge=bridge-LAN disabled=no name=datapath-LAN traffic-processing=on-cap
add bridge=bridge-LAN disabled=no name=datapath-IoT traffic-processing=on-cap
add bridge=bridge-GAST client-isolation=yes disabled=no name=datapath-GAST \
    traffic-processing=on-cap

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=GAST wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=IoT wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=LAN

/interface wifi
# operated by CAP 04:F4:1C:13:B8:14%bridge-LAN, traffic processing on CAP
add channel=2422-UG-GA configuration=LAN configuration.mode=ap disabled=no \
    name="wAP Garten 2G LAN" radio-mac=04:F4:1C:13:B8:16
# operated by CAP 04:F4:1C:13:B8:14%bridge-LAN, traffic processing on CAP
add channel=5200-GA configuration=LAN configuration.mode=ap disabled=no name=\
    "wAP Garten 5G LAN" radio-mac=04:F4:1C:13:B8:17
# operated by CAP 04:F4:1C:13:B8:14%bridge-LAN, traffic processing on CAP
add configuration=GAST configuration.mode=ap disabled=no mac-address=\
    06:F4:1C:13:B8:16 master-interface="wAP Garten 2G LAN" name=\
    "wAP Garten 2G Gast"
# operated by CAP 04:F4:1C:13:B8:14%bridge-LAN, traffic processing on CAP
add configuration=IoT configuration.mode=ap disabled=no mac-address=\
    06:F4:1C:13:B8:17 master-interface="wAP Garten 2G LAN" name=\
    "wAP Garten 2G IoT"
# operated by CAP 04:F4:1C:13:B8:14%bridge-LAN, traffic processing on CAP
add configuration=GAST configuration.mode=ap disabled=no mac-address=\
    06:F4:1C:13:B8:18 master-interface="wAP Garten 5G LAN" name=\
    "wAP Garten 5G Gast"
# operated by CAP 04:F4:1C:13:B8:14%bridge-LAN, traffic processing on CAP
add configuration=IoT configuration.mode=ap disabled=no mac-address=\
    06:F4:1C:13:B8:19 master-interface="wAP Garten 5G LAN" name=\
    "wAP Garten 5G IoT"

/interface wifi configuration
add country=Germany datapath=datapath-LAN disabled=no mode=ap name=LAN \
    security=LAN ssid=DeltaQuadrant+
add country=Germany datapath=datapath-GAST disabled=no mode=ap name=GAST \
    security=GAST ssid=Garak+
add country=Germany datapath=datapath-IoT disabled=no mode=ap name=IoT \
    security=IoT ssid=IoT-NET+

/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=bridge-LAN \
    package-path=/firmware require-peer-certificate=no upgrade-policy=\
    require-same-version

/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=LAN \
    slave-configurations=GAST,IoT

With 7.20.6 I’m experiencing big troubles with capsman and connection. Clients get registered but then disconnect. They request an IP, dhcpd is giving the IP but then no connection. It seems to be mostly on the 2.4 band and G or N. But quite random. Some clients work, others not. Still tapping in the dark.

With local forwarding (traffic-processing=on-cap), which is the default in wifi-capsman, you have to configure the bridge on the CAPs(!) in their wifi interface datapath bridge configuration.

The interfaces on capsman are just there for configuration, they will never see any traffic. There is no point in connecting them to a capsman bridge because the traffic will go through the interface on the cap instead, which can be connected to a bridge on the cap.
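The point made in the reply above, as an added example that is not part of the original thread: a small Python check that reads the datapath section of a CAPsMAN export and lists every bridge name that will be resolved on the CAP rather than on the controller. The sample input is copied from the export in the first post; the function names are hypothetical, and the default of `on-cap` is taken from the reply.

```python
import shlex

# Constructed sample: datapath section copied from the export in the first post.
EXPORT = r"""
/interface wifi datapath
add bridge=bridge-LAN disabled=no name=datapath-LAN traffic-processing=on-cap
add bridge=bridge-LAN disabled=no name=datapath-IoT traffic-processing=on-cap
add bridge=bridge-GAST client-isolation=yes disabled=no name=datapath-GAST \
    traffic-processing=on-cap
"""

def parse_export(text):
    """Parse a RouterOS export into {menu: [ {key: value}, ... ]}."""
    menus, menu, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):        # export wraps long lines with a trailing "\"
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):       # menu header, e.g. "/interface wifi datapath"
            menu = line
            menus.setdefault(menu, [])
        elif menu and line.startswith(("add ", "set ")):
            words = shlex.split(line)[1:]   # shlex keeps quoted names in one piece
            menus[menu].append(dict(w.split("=", 1) for w in words if "=" in w))
    return menus

def audit_datapaths(menus):
    """Return (cap_local, bridges): datapaths forwarded on the CAP and the
    untagged bridge names that must therefore exist on each CAP itself."""
    cap_local, bridges = [], set()
    for dp in menus.get("/interface wifi datapath", []):
        # Assumption taken from the reply above: on-cap is the default mode.
        if dp.get("traffic-processing", "on-cap") != "on-cap" or "bridge" not in dp:
            continue
        cap_local.append((dp.get("name", "?"), dp["bridge"]))
        if "vlan-id" not in dp:
            bridges.add(dp["bridge"])
    return cap_local, bridges

if __name__ == "__main__":
    cap_local, bridges = audit_datapaths(parse_export(EXPORT))
    for name, bridge in cap_local:
        print(f"{name}: bridge '{bridge}' must exist on the CAP, not only on CAPsMAN")
    if len(bridges) > 1:
        print(f"{len(bridges)} untagged bridges {sorted(bridges)}: "
              "each needs its own local bridge on every CAP to keep the networks apart")
```

For the export in this thread it reports all three datapaths, and two distinct untagged bridges, which is why the guest SSID cannot stay separated from the LAN on the CAP without a second local bridge or VLANs.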

You mean I need to log in on all CAPs and do some local settings? (That I tried, without success.) It is not really what somebody will expect with a central configuration/management. Big sites will not be manageable. Think about a campus with 100 CAP …

What I found out: VLANs seem to not be tagged as they should on the created interfaces. I have wifi6 on VLAN 28 but this is not tagged on the CAPs, that broke the traffic. Or maybe it is just WinBox not showing …

CAPSMAN manages just WiFi interfaces, not bridges or other settings in CAPs.
If you manage a big network then I assume that CAPs are deployed with the same standard, model-dependent configuration, which should have a local bridge created and set with proper settings.

Yes, you cannot set the datapath from the CAPsMAN if you are using the wifi-qcom-ac driver on the CAP. I believe this limitation does not apply if the wifi-qcom driver is used.

According to the MikroTik CAPsMAN help:

Passing datapaths "MAIN/GUEST" from the start of the example to "wifi-qcom-ac" CAP would be misconfiguration, make sure to use datapath without "vlan-id" specified to such devices.

With wifi-qcom-ac drivers, the datapath setting on the CAPsMAN is not needed. The example simply showcases that "vlan-id" must be omitted.

Hi, thanks for all the information. Well, this is a little bit disappointing. I used (old) capsman over the years, and never had to make a bridge on the cap. It worked out of the box.

And actually there is no capsman forwarding possible on the new capsman. According to Mikrotik Wiki it will come with RouterOS 7.21. So cap forwarding is the only option actually which works.

As I don’t use VLANs, I think I need a bridge on the cap bridging ether1+wifi1+wifi2? Is this correct?

I use vLANs for this now and I have forgotten details on how to do the bridge method. As I remember it, the new bridge takes an IP address on a defined network but is not interfaced to the main bridge [in much the same way that the interface for the internet does not appear on the main bridge]. A route is created automatically if the network and gateway are defined in the dhcp server settings.

This can only work for one AP. For more APs you have to replicate the setup with a different subnet and DHCP server for each access point, otherwise the main server does not know where to send return traffic for the guest network. It is for that reason it is better to use a vLAN for the guest network.

Hi. I tried it out with a bridge on the cap. But that’s not good for my setup, because I would need a local bridge for every network (LAN Guest). Then I am again in the VLAN sector. I don’t want to use VLAN actually.

I found another solution. I have installed ROS 7.21.rc2. Beginning with 7.21 there is an option to route the traffic via capsman. This was possible in the old capsman also.

Now I have the old behaviour, that the traffic is always routed through capsman and the caps are automatically bridged in the capsman device to the right bridge.

Why does this feature of the new capsman come so late?

OK, I found this solution, and I think I can wait with replacement until the stable 7.21 comes out. Maybe the RC2 will also work well for me.

Thanks for all comments.

You should really learn VLANs.

It makes it a lot easier to yank the Mikrotik wireless when it lets you down. And it speeds up everything not having to waste all that extra processing.