I did, on 5th post.
Default CAPS, didn’t change a thing.
My config has datapath set. Not sure if it's important.
/interface wifi datapath
add bridge=bridge_lan disabled=no name=datapath1
Nice catch @Usbuild ...without, the (wifi) interfaces are not attached to the CAPsMAN's bridge.
Datapath added at Capsman.
I don't know why it doesn't generate automatically after Capsman start.
Still no internet.
Capsman configured again after router reset (I was hoping that this would change something).
Actual config:
# 2026-05-06 17:32:39 by RouterOS 7.22.2
# software id =
# model = CCR2116-12G-4S+
# serial number =
/interface bridge
add name=bridge_lan
/interface ethernet
set [ find default-name=ether13 ] name=ether13_mgmt
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1_wan
/interface list
add name=WAN
add name=MGMT
add name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=ch-2GHz width=20mhz
add band=5ghz-ax deprioritize-unii-3-4=no disabled=no frequency=\
    5170-5250,5250-5330 name=ch-5GHz width=20/40/80mhz
/interface wifi datapath
add bridge=bridge_lan disabled=no name=capdp
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=sec-dom
/interface wifi configuration
add channel=ch-2GHz country=Poland disabled=no mode=ap name=cfg-2GHz security=\
    sec-dom ssid=KABM
add channel=ch-5GHz country=Poland disabled=no mode=ap name=cfg-5GHz security=\
    sec-dom ssid=KABM
/ip pool
add name=pool1 ranges=10.10.0.2-10.10.0.254
/ip dhcp-server
add address-pool=pool1 interface=bridge_lan lease-time=1d name=server1_dhcp_lan
/interface bridge port
add bridge=bridge_lan interface=ether1
add bridge=bridge_lan interface=ether2
add bridge=bridge_lan interface=ether3
add bridge=bridge_lan interface=ether4
add bridge=bridge_lan interface=ether5
add bridge=bridge_lan interface=ether6
add bridge=bridge_lan interface=ether7
add bridge=bridge_lan interface=ether8
add bridge=bridge_lan interface=ether9
add bridge=bridge_lan interface=ether10
add bridge=bridge_lan interface=ether11
add bridge=bridge_lan interface=ether12
add bridge=bridge_lan interface=sfp-sfpplus2
add bridge=bridge_lan interface=sfp-sfpplus3
add bridge=bridge_lan interface=sfp-sfpplus4
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface list member
add interface=ether13_mgmt list=MGMT
add interface=sfp-sfpplus1_wan list=WAN
add interface=bridge_lan list=LAN
add interface=ether13_mgmt list=LAN
/interface wifi capsman
set enabled=yes interfaces=bridge_lan upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg-2GHz \
    name-format=%I-2GHz- supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cfg-5GHz \
    name-format=%I-5GHz- supported-bands=5ghz-ax
/ip address
add address=10.10.0.1/24 interface=bridge_lan network=10.10.0.0
add address=192.168.77.1/30 interface=ether13_mgmt network=192.168.77.0
/ip dhcp-client
add interface=sfp-sfpplus1_wan name=client1 use-peer-dns=no
/ip dhcp-server network
add address=10.10.0.0/24 dns-server=10.10.0.1 gateway=10.10.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip firewall address-list
add address=192.168.77.2 comment="admin ether13 access" list=Authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 \
    in-interface=lo src-address=127.0.0.1
add action=accept chain=input comment="admin access" src-address-list=\
    Authorized
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="internet access" connection-nat-state=\
    !dstnat in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="admin access to LAN" \
    out-interface-list=LAN src-address-list=Authorized
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.10.0.0/24
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name="RACK - router"
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
You are missing the datapath setting in the config, it should be:
/interface wifi configuration
add channel=ch-2GHz country=Poland datapath=capdp disabled=no mode=ap name=cfg-2GHz security=\
    sec-dom ssid=KABM
add channel=ch-5GHz country=Poland datapath=capdp disabled=no mode=ap name=cfg-5GHz security=\
    sec-dom ssid=KABM
Are you familiar with the documentation?
WiFi - RouterOS - MikroTik Documentation
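Added example, not posted by anyone in this thread: a Python check for the condition pointed out above, a provisioned wifi configuration that references no defined datapath. The helper names `parse_export` and `provisioned_without_datapath` are hypothetical, and the input is constructed from three sections of the CAPsMAN export posted earlier, with the `\` line continuations RouterOS exports use.

```python
import shlex

# Constructed input: three sections of the CAPsMAN export posted above.
EXPORT = r"""
/interface wifi datapath
add bridge=bridge_lan disabled=no name=capdp
/interface wifi configuration
add channel=ch-2GHz country=Poland disabled=no mode=ap name=cfg-2GHz security=\
    sec-dom ssid=KABM
add channel=ch-5GHz country=Poland disabled=no mode=ap name=cfg-5GHz security=\
    sec-dom ssid=KABM
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg-2GHz \
    name-format=%I-2GHz- supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cfg-5GHz \
    name-format=%I-5GHz- supported-bands=5ghz-ax
"""

def parse_export(text):
    """Map each menu path to the property dicts of its add/set lines."""
    menus, path, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):      # export line continuation
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):     # new menu, e.g. /interface wifi datapath
            path = line
            continue
        props = dict(w.split("=", 1) for w in shlex.split(line) if "=" in w)
        menus.setdefault(path, []).append(props)
    return menus

def provisioned_without_datapath(text):
    """Provisioned configurations that reference no defined datapath."""
    menus = parse_export(text)
    datapaths = {d.get("name") for d in menus.get("/interface wifi datapath", [])}
    configs = {c.get("name"): c for c in menus.get("/interface wifi configuration", [])}
    missing = []
    for rule in menus.get("/interface wifi provisioning", []):
        name = rule.get("master-configuration")
        cfg = configs.get(name, {})
        inline = any(key.startswith("datapath.") for key in cfg)
        if cfg.get("datapath") not in datapaths and not inline:
            missing.append(name)
    return missing
```

Calling `provisioned_without_datapath(EXPORT)` lists both configurations; with `datapath=capdp` added to each, as in the reply above, the list is empty.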
I read it, but the first time isn't the easiest...
Corrected with no effect…
It is not about being familiar with it.
The first given example has NOT ANY datapath setting.
The setting is introduced later, in an extremely confusing manner, with the VLAN example.
As I see it no one will ever be able to configure properly a CAPSMAN/CAPS setup by simply reading that page.
@Czeczenski
Post the export of one of the CAPs, maybe the issue is on them and not on the CAPSMAN.
# 2026-05-05 21:31:55 by RouterOS 7.22.2
# software id =
# model = cAPGi-5HaxD2HaxD
# serial number =
/interface bridge
add admin-mac=04:F4:1C:40:B8:2A auto-mac=no comment=defconf name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN 04:F4:1C:44:A8:0C%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: KABM, channel: 5320/ax/eeeC/DI
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no
# managed by CAPsMAN 04:F4:1C:44:A8:0C%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: KABM, channel: 2462/ax
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal name=client1
/system identity
set name="CAP - D\C3\93\C5\81"
You can add this to your dictionary. "Mikrotik configuration examples" -> "collection of scripts to confuse users by not providing all necessary information needed". Something like that.
Under ‘/interface wifi configuration add.....’, the datapath must also be defined as ‘datapath=capdp’
Last posted config is not showing connected caps unlike first config. Are they enabled?
operated by CAP 04:F4:1C:40:B8:2A%bridge_lan, traffic processing on CAP
add action=masquerade chain=srcnat src-address=10.10.0.0/24
This rule completely stops my internet access.
So I rolled back to the first config, and still no success with internet access.
Now with one AP it looks like this.
Built from scratch.
# 2026-05-07 13:59:00 by RouterOS 7.22.2
# software id =
# model = CCR2116-12G-4S+
# serial number =
/interface bridge
add name=bridge_lan
/interface ethernet
set [ find default-name=ether13 ] name=ether13_mgmt
set [ find default-name=sfp-sfpplus1 ] name=sfp-sfpplus1_wan
/interface list
add name=WAN
add name=MGMT
add name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=ch-2GHz width=20mhz
add band=5ghz-ax disabled=no frequency=5170-5250,5250-5330 name=ch-5GHz width=\
    20/40mhz
/interface wifi datapath
add bridge=bridge_lan disabled=no name=capdp traffic-processing=on-cap
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=sec-dom
/interface wifi configuration
add channel=ch-2GHz country=Poland datapath=capdp disabled=no mode=ap name=\
    cfg-2GHz security=sec-dom ssid=KABM
add channel=ch-5GHz country=Poland datapath=capdp datapath.bridge=bridge_lan \
    disabled=no mode=ap name=cfg-5GHz security=sec-dom ssid=KABM
/interface wifi
# operated by CAP 04:F4:1C:40:B8:2A%bridge_lan, traffic processing on CAP
add configuration=cfg-5GHz configuration.mode=ap datapath=capdp disabled=no \
    name=cap-wifi1 radio-mac=04:F4:1C:40:B8:2C
# operated by CAP 04:F4:1C:40:B8:2A%bridge_lan, traffic processing on CAP
add configuration=cfg-2GHz configuration.mode=ap datapath=capdp disabled=no \
    name=cap-wifi2 radio-mac=04:F4:1C:40:B8:2D
# operated by CAP 04:F4:1C:40:B9:44%bridge_lan, traffic processing on CAP
add configuration=cfg-2GHz configuration.mode=ap disabled=no name=cap-wifi3 \
    radio-mac=04:F4:1C:40:B9:47
# operated by CAP 04:F4:1C:1A:07:80%bridge_lan, traffic processing on CAP
add configuration=cfg-2GHz configuration.mode=ap disabled=no name=cap-wifi4 \
    radio-mac=04:F4:1C:1A:07:83
/ip pool
add name=pool1 ranges=10.10.0.2-10.10.0.254
/ip dhcp-server
add address-pool=pool1 interface=bridge_lan lease-time=1d name=server1_dhcp_lan
/interface bridge port
add bridge=bridge_lan interface=ether1
add bridge=bridge_lan interface=ether2
add bridge=bridge_lan interface=ether3
add bridge=bridge_lan interface=ether4
add bridge=bridge_lan interface=ether5
add bridge=bridge_lan interface=ether6
add bridge=bridge_lan interface=ether7
add bridge=bridge_lan interface=ether8
add bridge=bridge_lan interface=ether9
add bridge=bridge_lan interface=ether10
add bridge=bridge_lan interface=ether11
add bridge=bridge_lan interface=ether12
add bridge=bridge_lan interface=sfp-sfpplus2
add bridge=bridge_lan interface=sfp-sfpplus3
add bridge=bridge_lan interface=sfp-sfpplus4
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip settings
set rp-filter=loose
/interface list member
add interface=ether13_mgmt list=MGMT
add interface=sfp-sfpplus1_wan list=WAN
add interface=bridge_lan list=LAN
add interface=ether13_mgmt list=LAN
/interface wifi capsman
set enabled=yes interfaces=bridge_lan upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg-2GHz \
    name-format=%I-2GHz- supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cfg-5GHz \
    name-format=%I-5GHz- supported-bands=5ghz-ax
/ip address
add address=10.10.0.1/24 interface=bridge_lan network=10.10.0.0
add address=192.168.77.1/30 interface=ether13_mgmt network=192.168.77.0
add address=10.10.1.1 interface=ether3 network=10.10.1.0
/ip dhcp-client
add interface=sfp-sfpplus1_wan name=client1 use-peer-dns=no
/ip dhcp-server network
add address=10.10.0.0/24 dns-server=10.10.0.1 gateway=10.10.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1
/ip firewall address-list
add address=192.168.77.2 comment="admin ether13 access" list=Authorized
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 \
    in-interface=lo src-address=127.0.0.1
add action=accept chain=input comment="admin access" src-address-list=\
    Authorized
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="internet access" in-interface-list=LAN \
    out-interface-list=WAN
add action=accept chain=forward comment="admin access to LAN" \
    out-interface-list=LAN src-address-list=Authorized
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name="RACK - router"
/system routerboard settings
set enter-setup-on=delete-key
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
/tool sniffer
set filter-interface=ether3
How do you configure your CAPs into CAPs mode?
https://youtube.com/shorts/9c28A-vJyH8?si=F_rHSVGoaDPhXfPo
Here is another cryptic/confusing example