I have set up my wireless network, comprising a HEX S and a wAP ax, such that PPSK is used to place connecting users into VLANs 10(LAN), 20(IoT) & 30(Guest) depending on the passphrase entered. The configuration is set up in CAPsMAN Forwarding Mode. As far as that goes, this currently works; users can connect, are given the appropriate IP address and are able to access the internet. Other aspects of the network, however, are not entirely rosy !
Port 1 of the HEX connects to the WAN. Ports 2 and 3 of the HEX are configured to allow un-VLANned devices to connect to the network, and such devices are added to VLAN 10 with an address in the 10.10.0.25-254 range. Ports 4 & 5 of the HEX are configured to connect APs. Port 5 of the HEX is physically connected to a managed MTik switch (CSS106/RB260) which is also connected to the wAP ax. The switch is currently set up without any VLAN configuration.
The problems are:
1 - Although a computer connected to port 2 of the HEX is admitted to the network and gets a 10.10.0. address it cannot ping the wAP ax, which is on static IP 10.10.0.6, or connect to it by WinBox.
2 - A second PC, which is connected to the managed switch is not able to get an IP address from the HEX, and cannot ping the HEX even when given an appropriate static IP. It is able to ping the wAP ax. Using the switch to attach a VLAN 10 tag to traffic from this PC had no effect on the symptoms.
3 - Neither PC can ping the other.
I need devices attached to VLAN 10 to be able to interact with each other and with the infrastructure and would grateful for any help in making this happen.
My configs are as follows:
# 2025-10-14 12:53:13 by RouterOS 7.20
# software id = SDXQ-5QCY
#
# model = E60iUGS
# serial number = XXXXX
/interface bridge
add comment=defconf name=bridge-lan vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="ISP WAN" name=ether1-wan
set [ find default-name=ether2 ] comment="Unused access port (vlan10)" name=\
ether2-user
set [ find default-name=ether3 ] comment=\
"IT Cupboard Switch access port (vlan10)" name=ether3-csw1
set [ find default-name=ether4 ] comment=\
"Managed Switch in the Loft (vlans10,20,30)" name=ether4-lsw1
set [ find default-name=ether5 ] comment="PoE to CAP D1 (vlans10,20,30)" \
name=ether5-capd1
/interface vlan
add comment="Home VLAN" interface=bridge-lan name=vlan10 vlan-id=10
add comment="IoT VLAN" interface=bridge-lan name=vlan20 vlan-id=20
add comment="Guest VLAN" interface=bridge-lan name=vlan30 vlan-id=30
/interface list
add comment="Home VLAN" name=HomeVlan
add comment="IoT and Guest VLANs" name=IG-Vlans
add comment="All VLANs" name=LAN
add comment="WAN interface list" name=WAN
/interface wifi datapath
add bridge=bridge-lan comment="Generic datapath for APs" disabled=no name=\
the-datapath vlan-id=1
/interface wifi security
add authentication-types=wpa-psk,wpa2-psk multi-passphrase-group=VLANS name=\
PPSK
/interface wifi steering
add disabled=no name=steering-main rrm=yes wnm=yes
/interface wifi configuration
add channel.band=2ghz-ax .frequency=2412,2437,2462 .width=20mhz comment=\
"Config for 2.4GHz WiFi" country="United Kingdom" datapath=the-datapath \
disabled=no mode=ap name=config-2.4 security=PPSK security.ft=yes \
.ft-over-ds=yes ssid=AtheLan steering=steering-main
add channel.band=5ghz-ax .frequency=5180,5765 .width=20/40/80mhz comment=\
"Config for 5GHz WiFi" country="United Kingdom" datapath=the-datapath \
disabled=no mode=ap name=config-5 security=PPSK security.ft=yes \
.ft-over-ds=yes ssid=AtheLan steering=steering-main
/interface wifi
# operated by CAP 04:F4:1C:22:A0:9D%bridge-lan, traffic processing on CAP
add configuration=config-2.4 disabled=no name=cap-wifi1 radio-mac=\
04:F4:1C:22:A0:9F
# operated by CAP 04:F4:1C:22:A0:9D%bridge-lan, traffic processing on CAP
add configuration=config-5 disabled=no name=cap-wifi2 radio-mac=\
04:F4:1C:22:A0:A0
/ip pool
add name=pool-home ranges=10.10.0.25-10.10.0.254
add name=pool-iot ranges=10.20.0.2-10.20.0.254
add name=pool-guest ranges=10.30.0.2-10.30.0.254
/ip dhcp-server
add address-pool=pool-home interface=vlan10 name=dhcp-home
add address-pool=pool-iot interface=vlan20 name=dhcp-iot
add address-pool=pool-guest interface=vlan30 name=dhcp-guest
/interface bridge port
add bridge=bridge-lan comment="IT Cupboard Switch (VLAN 10)" interface=\
ether3-csw1 pvid=10
add bridge=bridge-lan comment="Unused Port (VLAN 10)" interface=ether2-user \
pvid=10
add bridge=bridge-lan comment="Loft Switch Trunk Port" interface=ether4-lsw1
add bridge=bridge-lan comment="CAPD1 Trunk Port with PoE" interface=\
ether5-capd1
/ip neighbor discovery-settings
set discover-interface-list=HomeVlan
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether4-lsw1,ether5-capd1 vlan-ids=\
10,20,30
/interface list member
add comment=defconf interface=bridge-lan list=LAN
add interface=vlan10 list=HomeVlan
add interface=vlan20 list=IG-Vlans
add interface=vlan30 list=IG-Vlans
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan30 list=LAN
add comment="WAN interface" interface=ether1-wan list=WAN
/interface wifi capsman
set enabled=yes interfaces=bridge-lan require-peer-certificate=no
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=config-2.4 \
supported-bands=2ghz-ax
add action=create-enabled disabled=no master-configuration=config-5 \
supported-bands=5ghz-ax
/interface wifi security multi-passphrase
add disabled=no group=VLANS vlan-id=10
add disabled=no group=VLANS vlan-id=20
add disabled=no group=VLANS vlan-id=30
/ip address
add address=10.10.0.1/24 comment="Home VLAN addresses " interface=vlan10 \
network=10.10.0.0
add address=10.20.0.1/24 comment="IoT VLAN addresses " interface=vlan20 \
network=10.20.0.0
add address=10.30.0.1/24 comment="Guest VLAN addresses" interface=vlan30 \
network=10.30.0.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=ether1-wan
/ip dhcp-server network
add address=10.10.0.0/24 comment="Home DHCP Network" dns-server=10.10.0.1 \
gateway=10.10.0.1
add address=10.20.0.0/24 comment="IoT DHCP Network" dns-server=10.20.0.1 \
gateway=10.20.0.1
add address=10.30.0.0/24 comment="Guest DHCP Network" dns-server=10.30.0.1 \
gateway=10.30.0.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=accept chain=input comment="Allow established connections" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid packets" connection-state=\
invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow local loopback for CAPsMAN" \
dst-address=127.0.0.1
add action=accept chain=input comment="Allow UDP LAN DNS queries" dst-port=53 \
in-interface-list=!WAN protocol=udp
add action=accept chain=input comment="Allow TCP LAN DNS queries" dst-port=53 \
in-interface-list=!WAN protocol=tcp
add action=accept chain=input comment=\
"Allow full access to the management interfaces" in-interface-list=\
HomeVlan
add action=drop chain=input comment="Drop all other inputs"
add action=fasttrack-connection chain=forward comment=\
"Fasttrack established connections" connection-state=established,related \
hw-offload=yes
add action=accept chain=forward comment="Allow established connections" \
connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid packets" \
connection-state=invalid
add action=accept chain=forward comment="Allow Home -> IoT traffic" \
connection-state=new in-interface=vlan10 out-interface=vlan20
add action=accept chain=forward comment="Allow Home -> Guest traffic" \
connection-state=new in-interface=vlan10 out-interface=vlan30
add action=accept chain=forward comment="Allow internet access for home VLAN" \
connection-state=new in-interface-list=HomeVlan out-interface-list=WAN
add action=accept chain=forward comment=\
"Allow internet access for all other VLANs" connection-state=new \
in-interface-list=IG-Vlans out-interface-list=WAN
add action=drop chain=forward comment="Drop all other forwarded traffic"
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT for internet access" \
out-interface-list=WAN
/ip service
set ftp disabled=yes
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=MikroTikCore
/system ntp client
set enabled=yes
/system ntp server
set broadcast-addresses=10.10.0.1 use-local-clock=yes
/system ntp client servers
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=HomeVlan
/tool mac-server mac-winbox
set allowed-interface-list=HomeVlan
# 2025-10-14 08:22:14 by RouterOS 7.16.2
# software id = YY9Y-WU21
#
# model = wAPG-5HaxD2HaxD
# serial number = XXXXX
/interface bridge
add name=bridge-cap protocol-mode=none
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: AtheLan, channel: 2462/ax
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
datapath.bridge=bridge-cap disabled=no
# managed by CAPsMAN
# mode: AP, SSID: AtheLan, channel: 5765/ax/eCee
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
datapath.bridge=bridge-cap disabled=no
/interface bridge port
add bridge=bridge-cap interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface wifi cap
set discovery-interfaces=bridge-cap enabled=yes
/ip address
add address=10.10.0.6/24 interface=bridge-cap network=10.10.0.0
/ip dns
set allow-remote-requests=yes servers=10.10.0.1
/ip route
add distance=1 gateway=10.10.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system identity
set name=MikroTikCAPU1
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
Thanks, in advance.