New CAPsMAN, VLAN and error with provisioning "--- SSID not set"

Hi everybody,

maybe I’m asking a completely stupid question, but has anyone encountered any problems migrating from the old CAPsMAN to the new CAPsMAN?

Everything has been working on my old CAPsMAN with cAP AC + VLAN for a few years now; however, on the new CAPsMAN I get the error “— SSID not set” after provisioning the APs.

Setup:
RouterOS v7.15.3
RB4011iGS+ (all ports are in bridge trunk with CAPsMAN)
cAP AC or cAP AX - nothing works

Could you please help me? Are there any limitations with the new CAPsMAN? Am I missing something?

Thank you in advance,
Michal


2024-08-14 13:52:52 by RouterOS 7.15.3

software id = ZXE1-B2UV

model = RB4011iGS+

/caps-man channel
add control-channel-width=20mhz extension-channel=XX name=channel
reselect-interval=8h skip-dfs-channels=yes
/interface bridge
add name=bridge_vlan
/interface ethernet
set [ find default-name=ether1 ] comment=TRUNK
set [ find default-name=ether2 ] comment=CAP_P_1
set [ find default-name=ether3 ] comment=CAP_P_3
/interface wifi
add name=cap-wifi1 radio-mac=D4:01:C3:D4:21:D3
add name=cap-wifi2 radio-mac=D4:01:C3:D4:21:D2
/caps-man datapath
add bridge=bridge_vlan name=vlan_guest vlan-id=99 vlan-mode=use-tag
add bridge=bridge_vlan name=vlan_internal_users vlan-id=10 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=sec-XXX
add authentication-types=wpa2-psk encryption=aes-ccm name=sec-XXX
add authentication-types=wpa2-eap eap-methods=eap-tls encryption=aes-ccm
name=sec-XXX_eap tls-certificate=S-MikroTik tls-mode=verify-certificate
/caps-man configuration
add channel=channel country=“czech republic” datapath=vlan_internal_users
installation=indoor mode=ap name=config_internal_users security=
sec-XXX ssid=“XXX”
add channel=channel country=“czech republic” datapath=vlan_guest
installation=indoor mode=ap name=config_guests security=sec-guest
ssid=“Guest”
add channel=channel country=“czech republic” datapath=vlan_internal_users
installation=indoor mode=ap name=config_internal_eap security=sec-XXX_eap
ssid=“TEST”
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add disabled=no name=channel skip-dfs-channels=all width=20/40/80mhz
/interface wifi datapath
add bridge=bridge_vlan client-isolation=yes disabled=no name=
vlan_internal_users vlan-id=10
add bridge=bridge_vlan client-isolation=yes disabled=no name=vlan_guest
vlan-id=99
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=“” ft=yes
ft-over-ds=yes name=sec-XXX wps=disable
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=“” ft=yes
ft-over-ds=yes name=sec-guest wps=disable
/interface wifi configuration
# Both entries reference a security profile (security=...) and also carry inline
# security.* values: authentication-types is set to an empty value and ft=no,
# while the referenced profiles list wpa2-psk,wpa3-psk with ft=yes.
# NOTE(review): which value wins is not visible in this export - check the
# effective settings on the provisioned interfaces and confirm that neither
# SSID comes up without authentication.
add channel=channel country=Czech datapath=vlan_internal_users disabled=no
mode=ap name=config_internal_users security=sec-XXX
security.authentication-types=“” .encryption=“” .ft=no ssid=DEF
steering.rrm=yes
add channel=channel country=Czech datapath=vlan_guest disabled=no mode=ap
name=config_guests security=sec-guest security.authentication-types=
“” .ft=no .ft-over-ds=no ssid=ABC steering.rrm=yes
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
set 1 name=serial1
/caps-man access-list
add action=accept allow-signal-out-of-range=5s disabled=no signal-range=
-70..120 ssid-regexp=“”
add action=reject allow-signal-out-of-range=10s disabled=no ssid-regexp=“”
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=config_internal_users
name-format=identity slave-configurations=
config_internal_eap,config_guests
/interface bridge port
add bridge=bridge_vlan interface=ether1
add bridge=bridge_vlan interface=ether2
add bridge=bridge_vlan interface=ether3
add bridge=bridge_vlan interface=ether4
add bridge=bridge_vlan interface=ether5
add bridge=bridge_vlan interface=ether6
add bridge=bridge_vlan interface=ether7
add bridge=bridge_vlan interface=ether8
add bridge=bridge_vlan interface=ether9
add bridge=bridge_vlan interface=ether10
add bridge=bridge_vlan interface=sfp-sfpplus1
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=sfp-sfpplus1 list=LAN
/interface wifi capsman
# The manager is enabled on bridge_vlan with require-peer-certificate=no, so a
# CAP is accepted without presenting a certificate.
# NOTE(review): with a fixed set of CAPs, consider issuing certificates and
# requiring them, so that only known access points can register and receive the
# wifi configuration - confirm the procedure against the RouterOS documentation.
set enabled=yes interfaces=bridge_vlan package-path=“”
require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-enabled common-name-regexp=“” disabled=no identity-regexp=
“” master-configuration=config_internal_users radio-mac=00:00:00:00:00:00
slave-configurations=config_guests
/ip address
add address=192.168.66.4/24 interface=bridge_vlan network=192.168.66.0
/ip dns
set servers=192.168.66.1,8.8.8.8

How many CAPs are we talking about?

Well…

Start by removing this radio MAC address:

/interface wifi provisioning
add action=create-enabled common-name-regexp="" disabled=no identity-regexp=\
"" master-configuration=config_internal_users radio-mac=00:00:00:00:00:00 \
slave-configurations=config_guests

This will probably solve the provisioning to the cAP AX.

Furthermore:

  • You can have all devices managed by the same CAPsMAN instance (or you can run two) by using the wifi-qcom-ac driver on the cAP ac
  • Your channels suck: extension channel is used on both bands (currently 2.4GHz is set to 40MHz) → old CAPsMAN
  • Your channels suck: bandwidth is used on both radios (currently 2.4GHz is set to 80MHz) → wifi CAPsMAN

Follow the guide step by step to get it to work and continue from there:
https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-WiFiCAPsMAN

That’s too far.. What about VLANs?

Excellent, thanks a lot. Disabling or deleting "radio-mac" solved my problem with cAP AX provisioning.

The only thing I am still fighting with is VLAN tagging on the cAP AC models, which is apparently a software limitation?

"Reading further in the documentation, it says 802.11ac chipsets do not support this type of VLAN tagging , but they can be configured as VLAN access ports in bridge settings."

I have also found several topics in the cookbook, but it seems they do not fit my setup, so I will have to keep reading and find something else.

Once again, thank you!

What device is used for DHCP?
Are you aware that you are not tagging or untagging any ports on CAPsMAN device?
Are you aware that you are not using VLAN filtering on the bridge?
Are you sure that you want to use DHCP client directly on the bridge and not on some VLAN?
Do you need to use both, Wireless and Wifi CAPsMANs together?

..and that brings me to my initial question: how many caps are we talking about?

..but yeah, Wifi CAPsMAN can not automatically set VLAN on CAPs for devices with wifi-qcom-ac package (it can be done manually)

Here in the documentation you can find it:
https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-CAPusing"wifi-qcom-ac"package:

Maybe I didn’t describe it enough at the beginning…

The complete setup is:

FortiGate 60F → RB4011 → cAP AC (4x) and cAP AX (1x test phase)

The network is completely managed from FortiGate, it used to be from RB4011.
VLAN (trunk) + DHCP and other network services are given by FortiGate.

Now I really just want to migrate old CAPsMAN (including VLAN segmentation) to work 1:1 on the new CAPsMAN, including cAP AC and cAP AX.

However, I am now in a state where after migrating to the new CAPsMAN everything works as I want on cAP AX, but unfortunately not on cAP AC.
cAP AC simply not working with VLAN.

If any of you would like, we can have a look together remotely and I’ll pay you.
Meantime I will try it with the cookbook and with your remarks.

Regards,
Michal

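Forget about the CAPsMAN and wifi for now… Are you sure that your VLANs really work? Because you don’t have vlan-filtering enabled on the bridge and there are no access or trunk ports. Without VLAN filtering the bridge forwards tagged frames to every port without checking VLAN membership, so this device does not keep the guest and internal VLANs apart.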

You should remove all settings that relate to the old Wireless CAPsMAN and focus on VLANs. See: Bridge VLAN Table



It could look like this:

# Example for the RB4011: a VLAN-filtering bridge with tagged-only trunk ports,
# one untagged access port (ether10) in VLAN 10, and the device IP moved from
# the bridge to a VLAN 10 interface.
/interface bridge
# vlan-filtering=yes makes the bridge enforce the VLAN table defined below.
# NOTE(review): switching it on can cut off a management session that arrives
# untagged on the bridge - apply from a console or MAC session, or use safe mode.
add name=bridge_vlan vlan-filtering=yes

/interface vlan
add interface=bridge_vlan name=vlan10 vlan-id=10

/interface bridge port
# Trunk ports accept tagged frames only; untagged frames are not admitted.
add bridge=bridge_vlan frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge_vlan frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge_vlan frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge_vlan frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge_vlan frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge_vlan frame-types=admit-only-vlan-tagged interface=ether6
add bridge=bridge_vlan frame-types=admit-only-vlan-tagged interface=ether7
add bridge=bridge_vlan frame-types=admit-only-vlan-tagged interface=ether8
add bridge=bridge_vlan frame-types=admit-only-vlan-tagged interface=ether9
# Access port: untagged frames are placed into VLAN 10 (pvid=10).
add bridge=bridge_vlan frame-types=admit-only-untagged-and-priority-tagged interface=ether10 pvid=10
# sfp-sfpplus1 is a tagged-only port but is not listed in any VLAN below, so as
# written no VLAN is carried on it.
add bridge=bridge_vlan frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1

/interface bridge vlan
# VLAN 10: the bridge itself is a tagged member so that vlan10 above can work.
add bridge=bridge_vlan tagged=bridge_vlan,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9 \
    untagged=ether10 vlan-ids=10
# VLAN 99: the bridge is also a tagged member here although this example creates
# no VLAN 99 interface.
# NOTE(review): if the router needs no presence in the guest VLAN, presumably
# bridge_vlan can be left out of this list - verify before changing.
add bridge=bridge_vlan tagged=bridge_vlan,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9 \
    vlan-ids=99

/ip address
# The management address lives on vlan10 instead of directly on the bridge.
add address=192.168.66.4/24 interface=vlan10 network=192.168.66.0

All ports except ether10 are configured as trunks; ether10 is an access port for vlan10.
There is a VLAN interface vlan10 and the IP address is assigned to it.

Hi,

you were right, it seems to be working now.
What do you think of the config? Is it better?

cAP AC:

model = RBcAPGi-5acD2nD

/interface bridge
add admin-mac=XX:YY auto-mac=no comment=defconf name=bridgeLocal
vlan-filtering=yes
/interface wifi

managed by CAPsMAN

mode: AP, SSID: INTERNAL, channel: 2412/n/Ce

set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap
disabled=no

managed by CAPsMAN

mode: AP, SSID: INTERNAL, channel: 5640/ac/eeeC

set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap
disabled=no

managed by CAPsMAN

mode: AP, SSID: Guest

add disabled=no mac-address=XX:YY master-interface=wifi1 name=
wifi21

managed by CAPsMAN

mode: AP, SSID: Guest

add disabled=no mac-address=XX:YY master-interface=wifi2 name=
wifi22
/interface list
add name=WAN
add name=LAN
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal interface=wifi1 pvid=10
add bridge=bridgeLocal interface=wifi21 pvid=99
add bridge=bridgeLocal interface=wifi2 pvid=10
add bridge=bridgeLocal interface=wifi22 pvid=99
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1 untagged=wifi1,wifi2 vlan-ids=10
add bridge=bridgeLocal tagged=ether1 untagged=wifi21,wifi22 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=bridgeLocal list=LAN
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
slaves-static=yes
/ip address
add address=192.168.66.7/24 interface=bridgeLocal network=192.168.66.0
add address=192.168.88.88/24 interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes

cAP AX:

model = cAPGi-5HaxD2HaxD

/interface bridge
add admin-mac=D4:01:C3:D4:21:D0 auto-mac=no comment=defconf name=bridgeLocal
/interface list
add name=WAN
add name=LAN
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi

managed by CAPsMAN

mode: AP, SSID: Guest, channel: 5745/ax/Ceee

set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap
datapath=capdp disabled=no

managed by CAPsMAN

mode: AP, SSID: Guest, channel: 2412/ax/Ce

set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap
datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
/interface list member
add interface=ether1 list=WAN
add interface=bridgeLocal list=LAN
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip address
add address=192.168.66.8/24 interface=bridgeLocal network=192.168.66.0
add address=192.168.88.88/24 interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1

RB4011:

model = RB4011iGS+

/caps-man channel
add control-channel-width=20mhz extension-channel=XX name=channel
reselect-interval=8h skip-dfs-channels=yes
/interface bridge
add name=bridge_vlan vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=TRUNK
set [ find default-name=ether2 ] comment=CAP_P_1
set [ find default-name=ether3 ] comment=CAP_P_3
/interface vlan
add interface=bridge_vlan name=vlan10 vlan-id=10
/caps-man datapath
add bridge=bridge_vlan name=vlan_guest vlan-id=99 vlan-mode=use-tag
add bridge=bridge_vlan name=vlan_internal_users vlan-id=10 vlan-mode=use-tag
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add disabled=no name=channel reselect-interval=1s..8h skip-dfs-channels=all
/interface wifi datapath
add bridge=bridge_vlan client-isolation=yes disabled=no name=
vlan_internal_users vlan-id=10
add bridge=bridge_vlan client-isolation=yes disabled=no name=vlan_guest
vlan-id=99
add bridge=bridge_vlan client-isolation=yes disabled=no name=DP_AC
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes
name=Security_INTERNAL
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes
name=Security_GUEST
/interface wifi configuration
add channel=channel country=Czech datapath=vlan_internal_users disabled=no
mode=ap name=config_internal security=Security_INTERNAL
security.authentication-types=wpa2-psk,wpa3-psk .encryption=“” .ft=yes
.ft-over-ds=no ssid=“INTERNAL” steering.rrm=yes
add channel=channel country=Czech datapath=vlan_guest disabled=no mode=ap
name=config_guests security=Security_GUEST security.authentication-types=
wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=no ssid=“Guest”
steering.rrm=yes
add datapath=DP_AC disabled=no name=config_guest_cAP_AC security=
Security_GUEST security.ft=yes .ft-over-ds=no ssid=“Guest”
add datapath=DP_AC disabled=no name=config_internal_cAP_AC security=
Security_INTERNAL security.ft=yes .ft-over-ds=no ssid=“INTERNAL”
/interface wifi
add configuration=config_guests disabled=no name=cap-wifi1 radio-mac=
D4:01:C3:D4:21:D2
add configuration=config_internal disabled=no mac-address=D6:01:C3:D4:21:D2
master-interface=cap-wifi1 name=cap-wifi2
add configuration=config_guests disabled=no name=cap-wifi7 radio-mac=
D4:01:C3:D4:21:D3
add configuration=config_internal disabled=no mac-address=D6:01:C3:D4:21:D3
master-interface=cap-wifi7 name=cap-wifi8
/interface bridge port
add bridge=bridge_vlan interface=ether1
add bridge=bridge_vlan interface=ether2
add bridge=bridge_vlan interface=ether3
add bridge=bridge_vlan interface=ether4
add bridge=bridge_vlan interface=ether5
add bridge=bridge_vlan interface=ether7
add bridge=bridge_vlan interface=ether8
add bridge=bridge_vlan interface=ether9
add bridge=bridge_vlan interface=ether10
add bridge=bridge_vlan interface=sfp-sfpplus1
/interface bridge vlan
add bridge=bridge_vlan tagged=“bridge_vlan,ether1,ether2,ether3,ether4,ether5,
ether7,ether8,ether9,ether10” vlan-ids=10
add bridge=bridge_vlan tagged=“bridge_vlan,ether1,ether2,ether3,ether4,ether5,
ether7,ether8,ether9,ether10” vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=sfp-sfpplus1 list=LAN
/interface wifi capsman
# interfaces=all together with require-peer-certificate=no: the manager is
# enabled on every interface and accepts CAPs without a certificate. In this
# export ether1 is a member of the WAN interface list and no /ip firewall
# section is shown.
# NOTE(review): consider limiting interfaces= to the management interface and
# requiring CAP certificates - confirm against the RouterOS documentation.
set enabled=yes interfaces=all package-path=“” require-peer-certificate=no
upgrade-policy=none
/interface wifi provisioning
add action=create-enabled common-name-regexp=“” disabled=no identity-regexp=
“” master-configuration=config_guests slave-configurations=
config_internal supported-bands=5ghz-ax
add action=create-enabled common-name-regexp=“” disabled=no identity-regexp=
“” master-configuration=config_guests slave-configurations=
config_internal supported-bands=2ghz-ax
add action=create-dynamic-enabled common-name-regexp=“” disabled=no
identity-regexp=“” master-configuration=config_internal_cAP_AC
slave-configurations=config_guest_cAP_AC supported-bands=5ghz-ac
add action=create-dynamic-enabled common-name-regexp=“” disabled=no
identity-regexp=“” master-configuration=config_internal_cAP_AC
slave-configurations=config_guest_cAP_AC supported-bands=2ghz-n
/ip address
add address=192.168.66.4/24 interface=bridge_vlan network=192.168.66.0
add address=192.168.88.1/24 interface=ether6 network=192.168.88.0

Thank you in advance,
Michal

Just to be sure, are you using wifi-qcom-ac on AC caps?

Yes, wifi-qcom-ac, v7.15.3

And RB4011 is with or without wifi?

RB4011 is without Wi-Fi, using the same RouterOS version.

It’s still basically wrong..

On the router, make backup and config export, save both to computer and uninstall wireless package. Then reset configuration with “no default configuration” option.

Then apply this:
*admin account has no password with “no defaults” - set one right after the reset, before the router is reachable over the network
**you have to set wifi SSID and password
***ether6 in bridge ports is disabled = you can connect over MAC, if you enable it, it will be access for VLAN 10 and you will be able to connect over IP

# RB4011 as wifi CAPsMAN only: VLAN-filtering bridge, management IP on vlan10,
# separate configuration sets for ax CAPs (VLAN set by the manager) and for
# ac CAPs (datapath without a VLAN ID).
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface wifi channel
add disabled=no frequency=2412,2437,2462 name=channel-2G width=20mhz
add disabled=no frequency=5180,5220,5745,5785 name=channel-5G \
skip-dfs-channels=all width=20/40mhz-Ce
/interface wifi datapath
# datapath-vlan10 / datapath-vlan99 carry the VLAN ID; datapath-ac carries none.
# The ac CAP example on this page assigns VLANs through pvid on the CAP's own
# bridge ports instead.
add client-isolation=yes disabled=no name=datapath-vlan10 vlan-id=10
add client-isolation=yes disabled=no name=datapath-vlan99 vlan-id=99
add client-isolation=yes disabled=no name=datapath-ac
/interface wifi steering
add disabled=no name=steering-internal rrm=yes wnm=yes
add disabled=no name=steering-guests rrm=yes wnm=yes
/interface wifi security
# No passphrase is set in either profile; the post states that SSID and password
# have to be set by the reader.
# NOTE(review): give the internal and the guest profile different passphrases.
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
name=security-internal
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
name=security-guests
/interface wifi configuration
# The config-guests-* entries set no channel or country; they are only used as
# slave-configurations in the provisioning rules below.
add channel=channel-2G country=Czech datapath=datapath-vlan10 disabled=no \
name=config-internal-2G security=security-internal ssid="INTERNAL" steering=steering-internal
add channel=channel-5G country=Czech datapath=datapath-vlan10 disabled=no \
name=config-internal-5G security=security-internal ssid="INTERNAL" steering=steering-internal
add datapath=datapath-vlan99 disabled=no \
name=config-guests-2G security=security-guests ssid="Guest" steering=steering-guests
add datapath=datapath-vlan99 disabled=no \
name=config-guests-5G security=security-guests ssid="Guest" steering=steering-guests
add channel=channel-2G country=Czech datapath=datapath-ac disabled=no \
name=config-internal-2G-ac security=security-internal ssid="INTERNAL" steering=steering-internal
add channel=channel-5G country=Czech datapath=datapath-ac disabled=no \
name=config-internal-5G-ac security=security-internal ssid="INTERNAL" steering=steering-internal
add datapath=datapath-ac disabled=no \
name=config-guests-2G-ac security=security-guests ssid="Guest" steering=steering-guests
add datapath=datapath-ac disabled=no \
name=config-guests-5G-ac security=security-guests ssid="Guest" steering=steering-guests
/interface bridge port
# All ports are tagged-only trunks except ether6, which is an untagged access
# port for VLAN 10 and is added disabled (see the note in the post).
add bridge=bridge1 frame-types=admit-only-vlan-tagged  interface=ether1
add bridge=bridge1 frame-types=admit-only-vlan-tagged  interface=ether2
add bridge=bridge1 frame-types=admit-only-vlan-tagged  interface=ether3
add bridge=bridge1 frame-types=admit-only-vlan-tagged  interface=ether4
add bridge=bridge1 frame-types=admit-only-vlan-tagged  interface=ether5
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=ether6 pvid=10 disabled=yes
add bridge=bridge1 frame-types=admit-only-vlan-tagged  interface=ether7
add bridge=bridge1 frame-types=admit-only-vlan-tagged  interface=ether8
add bridge=bridge1 frame-types=admit-only-vlan-tagged  interface=ether9
add bridge=bridge1 frame-types=admit-only-vlan-tagged  interface=ether10
/interface bridge vlan
# ether6 is not listed for VLAN 10 here.
# NOTE(review): whether it becomes an untagged member automatically through its
# pvid once enabled is not visible from this listing - verify after enabling.
add bridge=bridge1 tagged="bridge1,ether1,ether2,ether3,ether4,ether5,\
ether7,ether8,ether9,ether10" vlan-ids=10
add bridge=bridge1 tagged="bridge1,ether1,ether2,ether3,ether4,ether5,\
ether7,ether8,ether9,ether10" vlan-ids=99
/interface wifi capsman
# The manager is enabled on vlan10 only. require-peer-certificate=no means a CAP
# is accepted without a certificate, and vlan10 is also the VLAN of the INTERNAL
# SSID (datapath-vlan10).
# NOTE(review): consider CAP certificates so that only known access points can
# register - confirm the procedure against the RouterOS documentation.
set enabled=yes interfaces=vlan10 require-peer-certificate=no \
upgrade-policy=none
/interface wifi provisioning
# One rule per band: the ax rules use the VLAN-aware configurations, the
# 2ghz-n / 5ghz-ac rules use the *-ac configurations.
add action=create-enabled disabled=no name-format=%I-wifi \
master-configuration=config-internal-2G slave-configurations=config-guests-2G supported-bands=2ghz-ax
add action=create-enabled disabled=no name-format=%I-wifi \
master-configuration=config-internal-5G slave-configurations=config-guests-5G supported-bands=5ghz-ax
add action=create-enabled disabled=no name-format=%I-wifi \
master-configuration=config-internal-2G-ac slave-configurations=config-guests-2G-ac supported-bands=2ghz-n
add action=create-enabled disabled=no name-format=%I-wifi \
master-configuration=config-internal-5G-ac slave-configurations=config-guests-5G-ac supported-bands=5ghz-ac
/ip address
add address=192.168.66.4/24 interface=vlan10 network=192.168.66.0
/system identity
set name=RB4011iGS

If you want, create backups for CAPs and again, reset with “no default configuration”..

For AX cap:
*adjust system identity, you have just one so… 01

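# cAP ax as a CAP: VLAN-filtering bridge, ether1 as the tagged uplink, ether2 as
# an untagged access port in VLAN 10, management IP on vlan10.
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wifi
# Both radios are handed to CAPsMAN; only the local bridge is fixed here.
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
datapath.bridge=bridge1 disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
datapath.bridge=bridge1 disabled=no
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
# NOTE(review): ether2 gives untagged access to the management VLAN; keep the
# port disabled if nothing is meant to be plugged into the CAP.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=ether2 pvid=10
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether2 vlan-ids=10
# Guest VLAN on the uplink: the ID has to match vlan-id=99 of datapath-vlan99 on
# the manager, otherwise VLAN 99 is not allowed on ether1.
add bridge=bridge1 tagged=ether1 vlan-ids=99
/interface wifi cap
# Manager discovery runs on the management VLAN interface only.
set discovery-interfaces=vlan10 enabled=yes
/ip address
add address=192.168.66.8/24 interface=vlan10 network=192.168.66.0
/system identity
# Placeholder name: replace ?? with the unit number.
set name=cAP-ax-??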

For AC caps:
*again, identity 01…04
**adjust device IPs

# cAP ac (wifi-qcom-ac) as a CAP: the VLAN is not set by the manager; each wifi
# interface is a local bridge port and gets its VLAN through pvid.
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
datapath.bridge=bridge1 disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
datapath.bridge=bridge1 disabled=no
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
# NOTE(review): ether2 gives untagged access to the management VLAN; keep the
# port disabled if nothing is meant to be plugged into the CAP.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
interface=ether2 pvid=10
# wifi1/wifi2 land in VLAN 10 and wifi21/wifi22 in VLAN 99 purely by interface
# name. wifi21 and wifi22 are not created in this listing.
# NOTE(review): presumably they are the slave interfaces created by
# provisioning (slaves-static=yes below); confirm that they exist and that they
# carry the Guest SSID, otherwise an SSID ends up in the wrong VLAN.
add bridge=bridge1 interface=wifi1 pvid=10
add bridge=bridge1 interface=wifi21 pvid=99
add bridge=bridge1 interface=wifi2 pvid=10
add bridge=bridge1 interface=wifi22 pvid=99
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether2,wifi1,wifi2 vlan-ids=10
add bridge=bridge1 tagged=ether1 untagged=wifi21,wifi22 vlan-ids=99
/interface wifi cap
# Manager discovery runs on the management VLAN interface only.
set discovery-interfaces=vlan10 enabled=yes slaves-static=yes
/ip address
# Example address: the post says to adjust the IP per device.
add address=192.168.66.7/24 interface=vlan10 network=192.168.66.0
/system identity
# Placeholder name: replace ?? with the unit number.
set name=cAP-ac-??

Later you can apply these firewall rules on all devices:

/ip firewall filter
# Input chain only: these rules cover traffic addressed to the device itself
# (its management services), not traffic bridged between wifi clients and the
# trunk.
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
# Accepts every new connection arriving on vlan10. In the configurations on this
# page vlan10 is also the VLAN of the INTERNAL SSID, so all internal wireless
# clients can reach the management services of the device.
# NOTE(review): consider narrowing this rule with src-address (or an address
# list) to the admin hosts and the CAPsMAN peers.
add action=accept chain=input in-interface=vlan10
# The final drop is added disabled; until it is enabled the input chain accepts
# everything that the invalid-state rule above does not drop.
# NOTE(review): no IPv6 rules are shown - check whether IPv6 is active on the
# devices and needs the same treatment.
add action=drop chain=input disabled=yes

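If the counters on the accept rule for vlan10 rise, you can enable the last drop rule. Until it is enabled, the input chain still accepts whatever the earlier rules do not drop.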

Hello,

so after a few tests it seems that one error still persists.
The cAP AC is still getting the error “—client was disconnected because could not assign vlan”.

Do you have any idea what is the problem?

Regards,
Michal

Let’s see your configs…