No internet - Capsman config 3x CAP ax

Hello,

At first I'd like to point out that I'm a beginner.

I'm having trouble accessing the internet on my 3x CAP ax.

All 3 APs are managed by the router (Capsman).

They give a Wi-Fi network, but after connecting, there's no internet access.

# 2026-05-05 22:04:50 by RouterOS 7.22.2
# model = CCR2116-12G-4S+
# serial number =

/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=ch2GHz width=20mhz
add band=5ghz-ax disabled=no frequency=5170-5250,5250-5350 name=ch5GHz width=20/40/80mhz
add band=6ghz-ax disabled=no name=ch6GHz width=20/40/80/160mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=security-siec_domowa
/interface wifi configuration
add channel=ch2GHz country=Poland disabled=no mode=ap name=cfg2GHz-siec_domowa security=security-siec_domowa ssid=KABM
add channel=ch5GHz country=Poland disabled=no mode=ap name=cfg5GHz-siec_domowa security=security-siec_domowa ssid=KABM
add channel=ch6GHz country=Poland disabled=no name=cfg6GHz-siec_domowa security=security-siec_domowa ssid=KABM
/interface wifi
# operated by CAP 04:F4:1C:40:B8:2A%bridge_lan, traffic processing on CAP
add configuration=cfg5GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi1 radio-mac=04:F4:1C:40:B8:2C
# operated by CAP 04:F4:1C:40:B8:2A%bridge_lan, traffic processing on CAP
add configuration=cfg2GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi2 radio-mac=04:F4:1C:40:B8:2D
# operated by CAP 04:F4:1C:40:B9:44%bridge_lan, traffic processing on CAP
add configuration=cfg5GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi3 radio-mac=04:F4:1C:40:B9:46
# operated by CAP 04:F4:1C:40:B9:44%bridge_lan, traffic processing on CAP
add configuration=cfg2GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi4 radio-mac=04:F4:1C:40:B9:47
# operated by CAP 04:F4:1C:1A:07:80%bridge_lan, traffic processing on CAP
add configuration=cfg5GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi5 radio-mac=04:F4:1C:1A:07:82
# operated by CAP 04:F4:1C:1A:07:80%bridge_lan, traffic processing on CAP
add configuration=cfg2GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi6 radio-mac=04:F4:1C:1A:07:83
/interface wifi capsman
set enabled=yes interfaces=bridge_lan require-peer-certificate=no
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg2GHz-siec_domowa name-format=%I-2_4- supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cfg5GHz-siec_domowa name-format=%I-5- supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cfg6GHz-siec_domowa name-format=%I-6- supported-bands=6ghz-ax

Please post FULL config (excl. serial number and/or sensitive info like WAN IP,...)

I'll explain why:
You have a problem.
You do not know where the issue is.
But you do decide to leave out config which might be the reason of your problems ?
Doesn't make sense.

E.g. I don't see anything related to IP settings, DHCP, ... ?

I assume those 3 cap AX are using default caps mode ?
Because that part you did not tell either.

Sure :)

# 2026-05-05 22:37:26 by RouterOS 7.22.2
# software id = JZ53-XAA2
# model = CCR2116-12G-4S+
# serial number =

/interface bridge
add name=bridge_lan
/interface ethernet
set [ find default-name=ether13 ] name=ether13_mgmt
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1_wan
/interface list
add name=WAN
add name=MGMT
add name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=ch2GHz width=20mhz
add band=5ghz-ax disabled=no frequency=5170-5250,5250-5350 name=ch5GHz width=20/40/80mhz
add band=6ghz-ax disabled=no name=ch6GHz width=20/40/80/160mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=security-siec_domowa
/interface wifi configuration
add channel=ch2GHz country=Poland disabled=no mode=ap name=cfg2GHz-siec_domowa security=security-siec_domowa ssid=KABM
add channel=ch5GHz country=Poland disabled=no mode=ap name=cfg5GHz-siec_domowa security=security-siec_domowa ssid=KABM
/interface wifi
# operated by CAP 04:F4:1C:40:B8:2A%bridge_lan, traffic processing on CAP
add configuration=cfg5GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi1 radio-mac=04:F4:1C:40:B8:2C
# operated by CAP 04:F4:1C:40:B8:2A%bridge_lan, traffic processing on CAP
add configuration=cfg2GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi2 radio-mac=04:F4:1C:40:B8:2D
# operated by CAP 04:F4:1C:40:B9:44%bridge_lan, traffic processing on CAP
add configuration=cfg5GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi3 radio-mac=04:F4:1C:40:B9:46
# operated by CAP 04:F4:1C:40:B9:44%bridge_lan, traffic processing on CAP
add configuration=cfg2GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi4 radio-mac=04:F4:1C:40:B9:47
# operated by CAP 04:F4:1C:1A:07:80%bridge_lan, traffic processing on CAP
add configuration=cfg5GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi5 radio-mac=04:F4:1C:1A:07:82
# operated by CAP 04:F4:1C:1A:07:80%bridge_lan, traffic processing on CAP
add configuration=cfg2GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi6 radio-mac=04:F4:1C:1A:07:83
/ip pool
add name=pool1 ranges=10.10.0.2-10.10.0.254
/ip dhcp-server
add address-pool=pool1 interface=bridge_lan lease-time=1d name=server1_dhcp_lan
/interface bridge port
add bridge=bridge_lan interface=ether1
add bridge=bridge_lan interface=ether2
add bridge=bridge_lan interface=ether3
add bridge=bridge_lan interface=ether4
add bridge=bridge_lan interface=ether5
add bridge=bridge_lan interface=ether6
add bridge=bridge_lan interface=ether7
add bridge=bridge_lan interface=ether8
add bridge=bridge_lan interface=ether9
add bridge=bridge_lan interface=ether10
add bridge=bridge_lan interface=ether11
add bridge=bridge_lan interface=ether12
add bridge=bridge_lan interface=sfp-sfpplus2
add bridge=bridge_lan interface=sfp-sfpplus3
add bridge=bridge_lan interface=sfp-sfpplus4
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip settings
set rp-filter=loose
/interface list member
add interface=ether13_mgmt list=MGMT
add interface=sfp-sfpplus1_wan list=WAN
add interface=bridge_lan list=LAN
add interface=ether13_mgmt list=LAN
/interface wifi capsman
set enabled=yes interfaces=bridge_lan require-peer-certificate=no
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg2GHz-siec_domowa name-format=%I-2_4- supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cfg5GHz-siec_domowa name-format=%I-5- supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=*3 name-format=%I-6- supported-bands=6ghz-ax
/ip address
add address=10.10.0.1/24 interface=bridge_lan network=10.10.0.0
add address=192.168.77.1/30 interface=ether13_mgmt network=192.168.77.0
add address=10.10.1.1 interface=ether3 network=10.10.1.0
/ip dhcp-client
add interface=sfp-sfpplus1_wan name=client1 use-peer-dns=no
/ip dhcp-server network
add address=10.10.0.0/24 dns-server=10.10.0.1 gateway=10.10.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip firewall address-list
add address=10.10.0.Y comment="admin laptop" disabled=yes list=Authorized
add address=10.10.0.X comment="admin desktop" disabled=yes list=Authorized
add address=10.10.0.Z comment="admin smartphone/ipad" disabled=yes list=Authorized
add address=192.168.77.2 comment="admin ether13 access" list=Authorized
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 in-interface=lo src-address=127.0.0.1
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin access to LAN" out-interface-list=LAN src-address-list=Authorized
add action=drop chain=forward comment="drop all else"
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name="RACK - router"
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool sniffer
set filter-interface=ether3

And what about cAP AX config ? Or is it default caps mode ?
You did not answer that.

Client device can connect to wifi, you say.
Do they get a valid ip address in the expected range or not ?

Oh I’m sorry.

Default CAPS mode.

Yes they are.

*3

Point #21:
GP & CSA (Good Practice and Common Sense Advice) for Mikrotik devices

My bad.

Corrected.

# 2026-05-05 23:08:46 by RouterOS 7.22.2
# software id = JZ53-XAA2
# model = CCR2116-12G-4S+
# serial number =

/interface bridge
add name=bridge_lan
/interface ethernet
set [ find default-name=ether13 ] name=ether13_mgmt
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1_wan
/interface list
add name=WAN
add name=MGMT
add name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=ch2GHz width=20mhz
add band=5ghz-ax disabled=no frequency=5170-5250,5250-5350 name=ch5GHz width=20/40/80mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=security-siec_domowa
/interface wifi configuration
add channel=ch2GHz country=Poland disabled=no mode=ap name=cfg2GHz-siec_domowa security=security-siec_domowa ssid=KABM
add channel=ch5GHz country=Poland disabled=no mode=ap name=cfg5GHz-siec_domowa security=security-siec_domowa ssid=KABM
/interface wifi
# operated by CAP 04:F4:1C:40:B8:2A%bridge_lan, traffic processing on CAP
add configuration=cfg5GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi1 radio-mac=04:F4:1C:40:B8:2C
# operated by CAP 04:F4:1C:40:B8:2A%bridge_lan, traffic processing on CAP
add configuration=cfg2GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi2 radio-mac=04:F4:1C:40:B8:2D
# operated by CAP 04:F4:1C:40:B9:44%bridge_lan, traffic processing on CAP
add configuration=cfg5GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi3 radio-mac=04:F4:1C:40:B9:46
# operated by CAP 04:F4:1C:40:B9:44%bridge_lan, traffic processing on CAP
add configuration=cfg2GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi4 radio-mac=04:F4:1C:40:B9:47
# operated by CAP 04:F4:1C:1A:07:80%bridge_lan, traffic processing on CAP
add configuration=cfg5GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi5 radio-mac=04:F4:1C:1A:07:82
# operated by CAP 04:F4:1C:1A:07:80%bridge_lan, traffic processing on CAP
add configuration=cfg2GHz-siec_domowa configuration.mode=ap disabled=no name=cap-wifi6 radio-mac=04:F4:1C:1A:07:83
/ip pool
add name=pool1 ranges=10.10.0.2-10.10.0.254
/ip dhcp-server
add address-pool=pool1 interface=bridge_lan lease-time=1d name=server1_dhcp_lan
/interface bridge port
add bridge=bridge_lan interface=ether1
add bridge=bridge_lan interface=ether2
add bridge=bridge_lan interface=ether3
add bridge=bridge_lan interface=ether4
add bridge=bridge_lan interface=ether5
add bridge=bridge_lan interface=ether6
add bridge=bridge_lan interface=ether7
add bridge=bridge_lan interface=ether8
add bridge=bridge_lan interface=ether9
add bridge=bridge_lan interface=ether10
add bridge=bridge_lan interface=ether11
add bridge=bridge_lan interface=ether12
add bridge=bridge_lan interface=sfp-sfpplus2
add bridge=bridge_lan interface=sfp-sfpplus3
add bridge=bridge_lan interface=sfp-sfpplus4
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip settings
set rp-filter=loose
/interface list member
add interface=ether13_mgmt list=MGMT
add interface=sfp-sfpplus1_wan list=WAN
add interface=bridge_lan list=LAN
add interface=ether13_mgmt list=LAN
/interface wifi capsman
set enabled=yes interfaces=bridge_lan require-peer-certificate=no
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg2GHz-siec_domowa name-format=%I-2_4- supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cfg5GHz-siec_domowa name-format=%I-5- supported-bands=5ghz-ax
/ip address
add address=10.10.0.1/24 interface=bridge_lan network=10.10.0.0
add address=192.168.77.1/30 interface=ether13_mgmt network=192.168.77.0
add address=10.10.1.1 interface=ether3 network=10.10.1.0
/ip dhcp-client
add interface=sfp-sfpplus1_wan name=client1 use-peer-dns=no
/ip dhcp-server network
add address=10.10.0.0/24 dns-server=10.10.0.1 gateway=10.10.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip firewall address-list
add address=10.10.0.Y comment="admin laptop" disabled=yes list=Authorized
add address=10.10.0.X comment="admin desktop" disabled=yes list=Authorized
add address=10.10.0.Z comment="admin smartphone/ipad" disabled=yes list=Authorized
add address=192.168.77.2 comment="admin ether13 access" list=Authorized
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 in-interface=lo src-address=127.0.0.1
add action=accept chain=input comment="admin access" src-address-list=Authorized
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="users to services" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin access to LAN" out-interface-list=LAN src-address-list=Authorized
add action=drop chain=forward comment="drop all else"
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name="RACK - router"
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool sniffer
set filter-interface=ether3

Since there are no DHCP reservations, these settings are unnecessary and may cause issues if enabled:

Delete these rules because they make no sense (in the current config).

After the “drop all else” rule, all the others make no sense (you can delete them, or enable the “port forwarding” rule and move it to before “drop else”):

… it would be better to delete this rule:

and add masquerade for your 10.10.0.0/24 network:

add action=masquerade chain=srcnat src-address=10.10.0.0/24
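
The two export problems raised in this thread, the `*3` placeholder left in a provisioning rule and the filter rules placed after "drop all else", can be caught mechanically before posting or applying a config. The following is an added example, not part of any post above: a small Python check over `/export` text, where `parse_export`, `lint`, `NON_MATCHERS` and the abridged sample are constructed for illustration.

```python
import re
import shlex

# Constructed sample: one provisioning line and the tail of the forward chain,
# abridged from the second export posted in this thread.
SAMPLE_EXPORT = '''\
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=*3 name-format=%I-6- supported-bands=6ghz-ax
/ip firewall filter
add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
'''

# Properties that do not narrow what a filter rule matches (assumed list for this check).
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}


def parse_export(text):
    """Yield (menu, properties) for every 'add' line of a RouterOS export."""
    menu = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            # shlex keeps quoted comments such as comment="drop all else" in one token.
            tokens = shlex.split(line)[1:]
            yield menu, dict(tok.split("=", 1) for tok in tokens if "=" in tok)


def lint(text):
    """Return (kind, detail) findings for dangling references and unreachable rules."""
    findings = []
    terminal = {}  # chain -> comment of the enabled, unconditional drop that ends it
    for menu, props in parse_export(text):
        # A value like *3 is an internal id: the referenced item no longer exists.
        for key, value in props.items():
            if re.fullmatch(r"\*[0-9A-Fa-f]+", value):
                findings.append(("dangling-reference", f"{menu}: {key}={value}"))
        if menu != "/ip firewall filter":
            continue
        chain = props.get("chain")
        label = props.get("comment", "(no comment)")
        if chain in terminal:
            # Rules are evaluated top to bottom, so nothing after the drop can match.
            findings.append(("unreachable-rule", f"{chain}: '{label}' follows '{terminal[chain]}'"))
        elif (props.get("action") == "drop" and props.get("disabled") != "yes"
              and not set(props) - NON_MATCHERS):
            terminal[chain] = label
    return findings


if __name__ == "__main__":
    for kind, detail in lint(SAMPLE_EXPORT):
        print(kind, "-", detail)
```
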

Isn't the following defconf rule sufficient
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
for masquerading all networks?

NAT rule changed.

Other deleted.

No effect…

Did you clear firewall connection table ?
It may take some time. Reboot usually is faster.

Same after reboot.

What effect?

Do you have an external IP assigned on the wan interface “client1” ?

/ip dhcp-client print detail

IP Routes?

/ip route print

If that device truly uses WAN (via SFP1 if I see correctly), that rule needs to be maintained.
Masquerading internal subnet should not be needed.

Yes I have

Flags: X - DISABLED, I - INVALID, D - DYNAMIC
0 name="client1" interface=sfp-sfpplus1_wan add-default-route=yes
default-route-distance=1 default-route-tables=default check-gateway=none
use-peer-dns=no use-peer-ntp=yes allow-reconfigure=no use-broadcast=both
dhcp-options=hostname,clientid status=bound address=100.64.43.11/29
gateway=100.64.43.12 dhcp-server=100.64.43.12 primary-dns=192.168.254.1
expires-after=23h49m26s

Flags: D - DYNAMIC; A - ACTIVE; c - CONNECT, d - DHCP
Columns: DST-ADDRESS, GATEWAY, ROUTING-TABLE, DISTANCE
DST-ADDRESS GATEWAY ROUTING-TABLE DISTANCE
DAd 0.0.0.0/0 100.64.43.12 main 1
DAc 10.10.0.0/24 bridge_lan main 0
DAc 10.10.1.0/32 bridge_lan main 0
DAc 100.64.43.8/29 sfp-sfpplus1_wan main 0
DAc 192.168.77.0/30 ether13_mgmt main 0

Yes, only for non-IPsec-matched connections; however, IPsec is not present.

But if you connect via ethernet to (say) ether 13 a laptop, do you have internet normally?

I.e. the CCR2116 and its routes, nat and firewall work fine, it is only the CAPs that don't get internet?

Everything works fine, I have internet from all Ethernet ports.

So there is problem on CAPs side or my defective configuration…

And still you did not answer this one.