I have had a hAP ac2 working as my home router for a couple of years. The wireless interfaces on the hAP ac2 are set up to be managed by CAPsMAN (I have set up some networks with CAPs before, and they work; I am applying the same config), and it has been working standalone. Bog-standard WAN → ROUTER (DHCP) → WIFI setup.
I recently acquired a CAP lite to boost the reach of my home wifi. For the life of me, I can’t seem to get an IP address through the CAP.
Both devices have the latest 6.49 firmware, and CAP was reset in CAP mode.
CAPsMAN sees and seemingly provisions everything. I can see the SSID from the CAP (a Wifi analyzer shows 1x 5ghz from the hAP, 1x 2.4ghz from the hAP, and 1x 2.4ghz from the CAP), but cannot acquire an IP from it. I de-provision the two hAP interfaces so as to force my device to go through the CAP. Something seems to be blocking the traffic from reaching the DHCP server and I can’t figure out what’s missing (a firewall rule perhaps?).
Help appreciated.
Below are the configurations; the top section is the CAP, the bottom section is the hAP; I can’t seem to get two code tags to render correctly.
# oct/09/2021 13:22:42 by RouterOS 6.49
# software id = T3JY-V9M9
#
# model = RouterBOARD cAP L-2nD
# Export of the cAP lite: a single 2.4 GHz radio (wlan1) handed over to CAPsMAN, with ether1 as the uplink.
# NOTE(review): this export contains no "/interface bridge port" section, so ether1 is not shown as a member
# of bridgeLocal. The radio runs in local-forwarding mode (see the wlan1 status comment below), where the CAP
# bridges client frames itself; if wlan1 ends up in bridgeLocal and ether1 does not, client DHCP requests
# have no layer-2 path to the router. Confirm with "/interface bridge port print" on the CAP.
/interface bridge
# Bridge named by "bridge=bridgeLocal" under "/interface wireless cap"; no static ports are defined for it here.
add admin-mac=6C:3B:6B:EC:92:B2 auto-mac=no fast-forward=no name=bridgeLocal
/interface wireless
# managed by CAPsMAN
# channel: 2442/20-Ce/gn(30dBm), SSID: MonkeyHome, local forwarding
# The two status comments above are printed by the export: the radio is under CAPsMAN control and broadcasts
# SSID MonkeyHome, so the local ssid=MikroTik below is not what is on air while it stays managed.
set [ find default-name=wlan1 ] antenna-gain=0 country=no_country_set disabled=no frequency-mode=manual-txpower rx-chains=0 ssid=MikroTik tx-chains=0
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/snmp community
# NOTE(review): the default community accepts any IPv4 source (0.0.0.0/0). This export does not show SNMP
# being enabled, so it presumably has no effect today; narrow it to the management subnet before enabling SNMP.
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface wireless cap
#
# CAP client settings: look for a CAPsMAN on ether1, request a certificate from it, and lock to that manager.
# bridge=bridgeLocal is the bridge wlan1 is attached to when the manager selects local forwarding.
set bridge=bridgeLocal certificate=request discovery-interfaces=ether1 enabled=yes interfaces=wlan1 lock-to-caps-man=yes static-virtual=yes
/ip dhcp-client
# The CAP's own management address is requested on ether1 directly, not on bridgeLocal.
# NOTE(review): this is consistent with ether1 standing outside the bridge; if ether1 is added to bridgeLocal,
# the DHCP client presumably has to move to the bridge as well — verify on the device.
add disabled=no interface=ether1
/system clock
set time-zone-name=Asia/Hong_Kong
/system identity
set name=cap-lite-room
/system routerboard settings
set auto-upgrade=yes
======================================================================================================
# oct/09/2021 12:50:21 by RouterOS 6.49
# software id = PKZ5-LSG9
#
# model = RouterBOARD D52G-5HacD2HnD-TC
# Export of the hAP ac2. This part defines the CAPsMAN channel, datapath, security and configuration
# profiles, plus the local bridge, Ethernet ports and the two radios (both marked as managed by CAPsMAN).
# NOTE(review): the export prints the Wi-Fi passphrase and the pre-shared keys in clear text. RouterOS 6 has
# "/export hide-sensitive" for configs that will be shared; anything already posted should be changed.
/caps-man channel
add band=2ghz-onlyn extension-channel=Ce name=2ghz-cap-channel reselect-interval=5m skip-dfs-channels=yes
add band=5ghz-n/ac extension-channel=Ceee name=5ghz-cap-channel reselect-interval=3m skip-dfs-channels=yes
/interface bridge
add admin-mac=CC:2D:E0:EB:62:51 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether2 ] rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether3 ] rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether4 ] rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether5 ] rx-flow-control=auto speed=100Mbps tx-flow-control=auto
/interface wireless
# managed by CAPsMAN
# channel: 2422/20-Ce/gn(30dBm), SSID: MonkeyHome, local forwarding
# Local radio settings; while the interface stays managed, the CAPsMAN profile is what is on air.
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n channel-width=20/40mhz-Ce country=no_country_set disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower mode=ap-bridge name=wlan2.4-iface ssid=MonkeyHome station-roaming=enabled \
wireless-protocol=802.11
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(17dBm), SSID: MonkeyHome, local forwarding
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country="hong kong" disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower mode=ap-bridge name=wlan5-iface ssid=MonkeyHome station-roaming=enabled \
wireless-protocol=802.11
/caps-man datapath
# local-forwarding=yes: each CAP bridges client traffic itself instead of tunnelling it to this manager.
# NOTE(review): "bridge=bridge" names a bridge on this router; a remote CAP presumably uses the bridge set in
# its own "/interface wireless cap" settings in this mode, so the uplink port must be in that bridge — confirm.
add bridge=bridge client-to-client-forwarding=no local-forwarding=yes name=share-datapath
/caps-man security
# WPA2-PSK with AES-CCM for every provisioned radio.
# NOTE(review): the passphrase below is the live network key as posted; treat it as disclosed and rotate it.
add authentication-types=wpa2-psk encryption=aes-ccm name=monkey-home-security passphrase=fathinfathin
/caps-man configuration
# One profile per band; both share the datapath, security profile and SSID defined above.
add channel=2ghz-cap-channel datapath=share-datapath datapath.bridge=bridge name=2ghz-config security=monkey-home-security ssid=MonkeyHome
add channel=5ghz-cap-channel datapath=share-datapath datapath.bridge=bridge name=5ghz-config security=monkey-home-security ssid=MonkeyHome
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Default local profile; it only applies if a radio leaves CAPsMAN management.
# NOTE(review): it still permits legacy wpa-psk next to wpa2-psk, and the key looks like a placeholder
# (shorter than a WPA passphrase normally is). Restricting it to wpa2-psk with a real key avoids a weak
# fallback if the radios are ever unmanaged — confirm what the device actually holds.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=badpw wpa2-pre-shared-key=badpw
# LAN addressing, DHCP service, CAPsMAN manager/provisioning and bridge membership on the hAP ac2.
/ip pool
add name=dhcp ranges=192.168.88.100-192.168.88.254
/ip dhcp-server
# The DHCP server listens on the bridge, so a client has to reach the bridge at layer 2 to get a lease.
add address-pool=dhcp disabled=no interface=bridge name=dhcp-default
/ipv6 dhcp-server
add address-pool=ISP-ipv6 allow-dual-stack-queue=no interface=bridge lease-time=30m name=mikrotik-dhcp-server-v6
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man manager
# Manager enabled with an automatically generated CA and certificate.
# NOTE(review): require-peer-certificate is not shown in this export, so it is presumably at its default;
# if that default is "no", any CAP that can reach the manager can join without presenting a certificate.
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=require-same-version
/caps-man provisioning
# Radios are matched by supported modes: gn/g radios get 2ghz-config, ac/an radios get 5ghz-config.
add action=create-dynamic-enabled comment=2ghz hw-supported-modes=gn,g master-configuration=2ghz-config name-format=prefix-identity name-prefix=2ghz-vlan
add action=create-dynamic-enabled comment=5ghz hw-supported-modes=ac,an master-configuration=5ghz-config name-format=prefix-identity name-prefix=5ghz-vlan
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan2.4-iface
add bridge=bridge comment=defconf interface=wlan5-iface
# NOTE(review): "dynamic" looks like the built-in interface list of dynamically created interfaces; if so,
# every such interface is bridged into the LAN without being named here. Listing the intended interfaces
# explicitly keeps LAN membership auditable — confirm what this entry matches on the device.
add bridge=bridge interface=dynamic
/interface bridge settings
# Bridged frames are also passed through the IP firewall (including VLAN-tagged ones).
# NOTE(review): this makes the "/ip firewall filter" rules relevant to traffic that is only switched across
# the bridge; worth ruling in or out while debugging, and a non-default setting to keep only if it is needed.
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-wan list=WAN
/interface wireless cap
#
# The router's own radios act as CAPs of the local manager, discovered over the bridge.
set bridge=bridge certificate=request discovery-interfaces=bridge enabled=yes interfaces=wlan2.4-iface,wlan5-iface lock-to-caps-man=yes static-virtual=yes
/ip address
# NOTE(review): 192.168.88.1/24 is bound to ether2, which is a port of "bridge" (see "/interface bridge port"),
# while 192.168.88.10/24 in the same subnet sits on the bridge itself. An address on a bridge slave port is a
# common source of unreachable services; presumably both addresses belong on the bridge — verify.
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
# NOTE(review): the next two entries are exported without an interface= value; confirm which interface
# (if any) they are attached to.
add address=10.0.10.1/24 comment="bridge vlan admin address" network=10.0.10.0
add address=10.0.20.1/24 comment="bridge vlan guest address" network=10.0.20.0
add address=192.168.88.10/24 interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1-wan
/ip dhcp-server lease
add address=192.168.88.104 client-id=1:70:85:c2:30:3a:bc mac-address=70:85:C2:30:3A:BC server=dhcp-default
add address=192.168.88.105 client-id=1:dc:a6:32:1b:c5:36 mac-address=DC:A6:32:1B:C5:36 server=dhcp-default
/ip dhcp-server network
# Leases hand out gateway 192.168.88.10 (the bridge address) but DNS 192.168.88.1 (the address on ether2).
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 domain=home gateway=192.168.88.10
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from clients; exposure is then bounded only
# by the firewall input chain.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,2001:4860:4860::8888,2001:4860:4860::8844
# IPv4 firewall, NAT, SSH and UPnP settings of the hAP ac2.
/ip firewall filter
# Input chain: accept established/related/untracked, drop invalid, accept ICMP and local-to-local traffic,
# then drop everything that did not arrive on an interface in the LAN list.
# NOTE(review): no rule here matches DHCP specifically; traffic arriving from the LAN list that matches none
# of the rules is not dropped by this chain, so these rules alone do not obviously explain a missing lease.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="CAPsMAN local" dst-address-type=local src-address-type=local
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Forward chain: IPsec policy traffic and established flows are accepted (fasttracked where possible),
# invalid packets are dropped, and new connections from WAN are dropped unless they were dst-NATed.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ssh
# NOTE(review): allow-none-crypto=yes lets an SSH session negotiate the "none" cipher, i.e. run without
# encryption, and forwarding-enabled=remote turns on SSH remote port forwarding. Neither is needed for
# ordinary management; setting allow-none-crypto=no and disabling forwarding reduces the attack surface.
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
# NOTE(review): UPnP lets any host on the internal interface ask the router to open inbound port mappings.
# Only an internal interface is declared below (no external one is shown); leave UPnP disabled unless a
# device actually depends on it.
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
# IPv6: delegated prefix from the ISP on ether1-wan, an address from that pool on the bridge, the defconf
# bad-address list and firewall, and router-advertisement settings.
/ipv6 address
add address=::ce2d:e0ff:feeb:6251 from-pool=ISP-ipv6 interface=bridge
/ipv6 dhcp-client
# Requests a prefix on the WAN port and stores it in the ISP-ipv6 pool used by the bridge address above.
add add-default-route=yes interface=ether1-wan pool-name=ISP-ipv6 request=prefix
/ipv6 firewall address-list
# Address ranges that should never appear as source or destination of forwarded traffic; referenced by the
# two "bad src/dst ipv6" forward rules below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
# Input chain. The ICMPv6, UDP traceroute, DHCPv6-client, IKE and IPsec accepts sit above the final
# "not coming from LAN" drop and carry no in-interface match, so they also apply to traffic arriving on WAN.
# NOTE(review): if IPsec/IKE is not used on this router, the IKE, AH and ESP accepts can be removed.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Forward chain: same pattern, with the bad_ipv6 source/destination drops placed before the protocol accepts
# and a final drop for anything not entering from the LAN list.
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
# Router advertisements on the bridge set the managed and other-configuration flags.
# NOTE(review): together with autonomous=no on the prefix below, clients are presumably expected to obtain
# addresses from the DHCPv6 server rather than by SLAAC — confirm that is intended.
set [ find default=yes ] interface=bridge managed-address-configuration=yes other-configuration=yes ra-lifetime=15m
/ipv6 nd prefix
add autonomous=no interface=bridge
# System identity, time sources and layer-2 management access on the hAP ac2.
/system clock
set time-zone-name=Asia/Hong_Kong
/system identity
set name=monkey
/system ntp client
# Time is taken from two fixed upstream addresses.
set enabled=yes primary-ntp=118.143.17.82 secondary-ntp=162.159.200.123
/system ntp server
# The router also serves NTP; which clients can reach it depends on the firewall input chain.
set enabled=yes
/system routerboard settings
set auto-upgrade=yes cpu-frequency=auto
/tool mac-server
# MAC-Telnet and MAC-WinBox are limited to interfaces in the LAN list, so they are not offered on the WAN port.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN