Problem after upgrade Wifi Capsman controller from 6.48 to 7.20 with wAP-AX

AceBlack · December 5, 2025, 3:32pm

Good morning everyone, until a few weeks ago, I had the RB3011UiAS-RM routerboard running version ROS6.48, which was used as the capsman for all the CAPs (wAP-AC) (also running version 6.48) managed and operating with multiple SSIDs and different network subnets (CORP1-CORP2-GUEST, etc.).

The company decided to add APs but purchased the latest ones (wAP-AX), which clearly don't work with the old capsman…..
Before destroying the old capsman, I took another RB3011UiAS-RM from the warehouse and imported my routerboard's configuration. To make sure it worked, I physically replaced the old one, and everything worked fine.

At this point, on the old RB3011, I only changed the LAN IP from (192.168.10.2 to 192.168.10.5) to make them coexist on the same subnet, and then I updated it to version 7.20.
I then took one of the old APs and changed its Capsman IP to the new IP (192.168.10.5), and it works exactly as before! So far, so good.

I followed a few tutorials to connect the new wAP-AX to the new caspman, and it works. The SSIDs are displayed by the AP and managed by capsman, but when I try to connect with a device, it doesn't even receive DHCP because it doesn't seem to communicate with the 192.168.10.0/24 subnet where the DHCP server is located. However, if I connect directly to the AP, I can ping all the devices on the subnet (both the GW and the DHCP server).
My question is: what could be different about the Wi-Fi configuration that works on a device running 6.48, but no longer works on 7.20?
I don't use VLANs, just bridges to distinguish the subnets the client should participate in based on the SSID it connects to.
Thanks!

If you need it, I can also send you the configuration files for the various devices. Thanks to anyone who can answer!

mkx · December 5, 2025, 9:08pm

Are you using capsman-forwarding? Even though the new capsman recently got the configuration option, it might simply not work (yet).

AceBlack · December 7, 2025, 1:00pm

I don't think so, but is an option on Cap or on Capsman?

cpunk · December 7, 2025, 2:30pm

It would be clearer with configs posted.

But I think one cause of this could be that cAP ax is missing the datapath settings. Does it have the bridge datapath configuration shown in this example?

mkx · December 8, 2025, 7:54am

It's option on CAPsMAN.

AceBlack · December 12, 2025, 9:28am

Ok, I checked the field and it was set to default (blank) but now I set it to "On Cap" option, but the problem remains

mkx · December 12, 2025, 9:53am

As @cpunk already asked: please post configuration of your v7 CAPsMAN.

AceBlack · December 12, 2025, 10:21am

CONF OLD wAP-AC that WORKING:

# dec/05/2025 10:28:14 by RouterOS 6.48.5
# model = RouterBOARD wAP G-5HacT2HnD
/interface wireless cap
set caps-man-addresses=192.168.100.1 discovery-interfaces=ether1 enabled=yes interfaces=wlan1,wlan2
/ip address
add address=192.168.100.7/28 interface=ether1 network=192.168.100.0
/ip dns
set servers=192.168.100.1
/ip route
add distance=1 gateway=192.168.100.1
/system identity
set name=CORP_AP7

CONF NEW wAP-AX NOT WORKING:

# 2025-12-05 16:48:35 by RouterOS 7.20.5
# model = wAPG-5HaxD2HaxD
/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/interface wifi datapath
add bridge=bridge1 disabled=no name=datapath1
/interface wifi cap
set caps-man-addresses=192.168.100.1 discovery-interfaces=bridge1 enabled=yes slaves-datapath=datapath1
/ip address
add address=192.168.100.6/28 interface=bridge1 network=192.168.100.0
/ip dns
set servers=192.168.100.1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.100.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/routing settings
set single-process=yes
/system identity
set name=CORP_AP6

CONF CAPSMAN CONTROLLER:

# 2025-12-05 17:33:37 by RouterOS 7.20.5
# model = RB3011UiAS
/caps-man channel
add control-channel-width=20mhz extension-channel=disabled frequency=2412,2437,2462 name=ch_list
/interface bridge
add fast-forward=no name=bridge-cowork01 port-cost-mode=short
add fast-forward=no name=bridge-ee port-cost-mode=short
add fast-forward=no name=bridge-guest port-cost-mode=short
add fast-forward=no name=bridge-management port-cost-mode=short
add fast-forward=no name=bridge-CORP port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment="LAN CORP"
set [ find default-name=ether2 ] comment="Lan EE"
set [ find default-name=ether3 ] comment=Ext_Guest
set [ find default-name=ether4 ] comment=Guest
set [ find default-name=ether5 ] comment=AP
set [ find default-name=ether6 ] comment=AP
set [ find default-name=ether7 ] comment=AP
set [ find default-name=ether8 ] comment=AP
/caps-man configuration ##THIS IS CONF FOR AP WITH OS6.48
add channel=ch_list country=no_country_set datapath.bridge=bridge-CORP .client-to-client-forwarding=yes distance=indoors mode=ap name=cfg-CORP24 security.authentication-types=wpa2-psk .encryption=aes-ccm .group-encryption=aes-ccm ssid=Zen.Agency
add country=italy datapath.bridge=bridge-CORP .client-to-client-forwarding=yes distance=indoors mode=ap name=cfg-CORP5 security.authentication-types=wpa2-psk .encryption=aes-ccm .group-encryption=aes-ccm ssid=Zen.Agency_5G
add channel=ch_list country=no_country_set datapath.bridge=bridge-ee .client-to-client-forwarding=yes distance=indoors mode=ap name=cfg-ee24 security.authentication-types=wpa2-psk .encryption=aes-ccm .group-encryption=aes-ccm ssid=EE_LAN
add country=italy datapath.bridge=bridge-ee .client-to-client-forwarding=yes distance=indoors mode=ap name=cfg-ee5 security.authentication-types=wpa2-psk .encryption=aes-ccm .group-encryption=aes-ccm ssid=EE_LAN_5G
add channel=ch_list country=no_country_set datapath.bridge=bridge-guest .client-to-client-forwarding=no .local-forwarding=no distance=indoors mode=ap name=cfg-guest24 security.authentication-types=wpa2-psk .encryption=aes-ccm .group-encryption=aes-ccm ssid=Guest
add country=italy datapath.bridge=bridge-guest .client-to-client-forwarding=no .local-forwarding=no distance=indoors mode=ap name=cfg-guest5 security.authentication-types=wpa2-psk .encryption=aes-ccm .group-encryption=aes-ccm ssid=Guest_5G
add channel=ch_list country=italy datapath.bridge=bridge-cowork01 .client-to-client-forwarding=yes distance=indoors mode=ap name=cfg-cowork01 security.authentication-types=wpa2-psk .encryption=aes-ccm .group-encryption=aes-ccm ssid=Coworking01
/caps-man interface
add channel.frequency=2462 configuration=cfg-CORP24 disabled=no l2mtu=1600 mac-address=B8:69:F4:34:D4:C6 master-interface=none name=CORP_AP7-1 radio-mac=B8:69:F4:34:D4:C6 radio-name=B869F434D4C6
add channel.frequency=2412,2437,2462 configuration=cfg-ee24 disabled=yes l2mtu=1600 mac-address=BA:69:F4:34:D4:C6 master-interface=CORP_AP7-1 name=CORP_AP7-1-1 radio-mac=00:00:00:00:00:00 radio-name=BA69F434D4C6
add configuration=cfg-guest24 disabled=no mac-address=BA:69:F4:34:D4:C7 master-interface=CORP_AP7-1 name=CORP_AP7-1-2 radio-mac=00:00:00:00:00:00 radio-name=BA69F434D4C7
add channel.frequency=5180 configuration=cfg-CORP5 disabled=no l2mtu=1600 mac-address=B8:69:F4:34:D4:C5 master-interface=none name=CORP_AP7-2 radio-mac=B8:69:F4:34:D4:C5 radio-name=B869F434D4C5
add configuration=cfg-ee5 disabled=yes l2mtu=1600 mac-address=BA:69:F4:34:D4:C5 master-interface=CORP_AP7-2 name=CORP_AP7-2-1 radio-mac=00:00:00:00:00:00 radio-name=BA69F434D4C5
add configuration=cfg-guest5 disabled=no mac-address=BA:69:F4:34:D4:C8 master-interface=CORP_AP7-2 name=CORP_AP7-2-2 radio-mac=00:00:00:00:00:00 radio-name=BA69F434D4C8
/interface wifi channel
add band=2ghz-ax disabled=no name=testchan2.4 skip-dfs-channels=all width=20/40mhz
add band=5ghz-ax disabled=no name=testchan5 skip-dfs-channels=all width=20/40/80mhz
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=CORP
/interface wifi configuration
add channel=testchan2.4 country=Italy datapath.bridge=bridge-CORP .client-isolation=no disabled=no installation=indoor mode=ap name=cfg_CORP24 security=CORP ssid=CORP
add channel=testchan5 country=Italy datapath.bridge=bridge-CORP .client-isolation=no disabled=no installation=indoor mode=ap name=cfg_CORP5 security=CORP ssid=CORP_5G
/interface wifi
# operated by CAP 04:F4:1C:64:B0:05%bridge-management, traffic processing on CAP
add configuration=cfg_CORP24 configuration.mode=ap datapath.interface-list=all disabled=no name=CORP-AP6-1 radio-mac=04:F4:1C:64:B0:07
# operated by CAP 04:F4:1C:64:B0:05%bridge-management, traffic processing on CAP
add configuration=cfg_CORP5 configuration.mode=ap disabled=no name=CORP-AP6-2 radio-mac=04:F4:1C:64:B0:08
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
add dns-name=hotspot.guest hotspot-address=10.5.50.1 name=hsprof1
/ip hotspot user profile
set [ find default=yes ] idle-timeout=20m shared-users=unlimited status-autorefresh=5m
/ip pool
add name=pool-guest ranges=10.5.50.3-10.5.50.253
add name=pool-coworking01 ranges=10.7.70.3-10.7.70.253
/ip dhcp-server
add address-pool=pool-guest authoritative=after-2sec-delay interface=bridge-guest lease-time=3h name=dhcp-guest
add address-pool=pool-coworking01 authoritative=after-2sec-delay disabled=yes interface=bridge-cowork01 lease-time=3h name=dhcp-cowork01
/ip hotspot
add address-pool=pool-guest disabled=no interface=bridge-guest name=hotspot1 profile=hsprof1
/queue simple
add comment="only for GUEST" max-limit=10M/30M name=BRIDGE-GUEST queue=hotspot-default/hotspot-default target=bridge-guest total-queue=hotspot-default
/caps-man manager
set enabled=yes
/interface bridge filter
add action=accept chain=forward comment="Accept DHCP packets x guest" dst-address=255.255.255.255/32 dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF dst-port=67 in-bridge=bridge-guest ip-protocol=udp mac-protocol=ip out-bridge=bridge-guest src-address=0.0.0.0/32 src-port=68
add action=drop chain=forward comment="Drop multicast, broadcast, client to client in guest bridge" in-bridge=bridge-guest out-bridge=bridge-guest
/interface bridge port
add bridge=bridge-CORP ingress-filtering=no interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge-ee hw=no ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge-management ingress-filtering=no interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge-management hw=no ingress-filtering=no interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge-management hw=no ingress-filtering=no interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge-management hw=no ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge-guest hw=no ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge-CORP interface=CORP-AP6-1
add bridge=bridge-CORP interface=CORP-AP6-2
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether1 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=bridge-management list=discover
add interface=bridge-CORP list=discover
/interface wifi capsman
set enabled=yes interfaces=bridge-management package-path="" require-peer-certificate=no upgrade-policy=none
/ip address
add address=192.168.10.5/24 comment=Lan_CORP interface=ether1 network=192.168.10.0
add address=10.10.10.2/24 comment=Lan_EE interface=ether2 network=10.10.10.0
add address=192.168.100.1/28 interface=bridge-management network=192.168.100.0
add address=10.5.50.1/24 interface=bridge-guest network=10.5.50.0
add address=172.16.0.2/24 comment="EXT - FW ee" interface=ether3 network=172.16.0.0
add address=10.7.70.1/24 interface=bridge-cowork01 network=10.7.70.0
/ip dhcp-server network
add address=10.5.50.0/24 comment="Hotspot Guest" gateway=10.5.50.1
add address=10.7.70.0/24 comment=Coworking01 gateway=10.7.70.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall filter
add action=accept chain=input #only for test
add action=accept chain=forward #only for test
/ip firewall nat
add action=masquerade chain=srcnat comment="masq Hotspot Guest" src-address=10.5.50.0/24
add action=masquerade chain=srcnat comment="masq for AP on internet" src-address=192.168.100.0/28
add action=masquerade chain=srcnat comment="masq ALL x Ext" out-interface=ether3

/ip hotspot ip-binding
add address=10.5.50.0/24 comment=Temp_Bypass_ALL type=bypassed
/ip hotspot user
add name=guest server=hotspot1
/ip route
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-table=main scope=30 suppress-hw-offload=no target-scope=12
/routing settings
set single-process=yes
/system identity
set name=CORP_AP_Controller

Thanks all

mkx · December 12, 2025, 4:51pm

If you run on cAP command

/interface/bridge/port/print

what does it return?

I'm not sure how one should interpret settings /interface/wifi/datapath bridge on both CAPsMAN and CAP ... but in certain interpretation bridge named in mentiobed setting would have to exist on CAP (for traffic handling), but in your case it doesn't.

AceBlack · December 12, 2025, 5:00pm

/interface/bridge/port/print
Flags: I - INACTIVE; D - DYNAMIC
Columns: INTERFACE, BRIDGE, HW, HORIZON, TRUSTED, FAST-LEAVE, BPDU-GUARD, EDGE, POINT-TO-POINT, PVID, FRAME-TYPES
#    INTERFACE  BRIDGE   HW   HORIZON  TRUSTED  FAST-LEAVE  BPDU-GUARD  EDGE  POINT-TO-POINT  PVID  FRAME-TYPES
0    ether1     bridge1  yes  none     no       no          no          auto  auto               1  admit-all  
1 I  ether2     bridge1  yes  none     no       no          no          auto  auto               1  admit-all  
2  D wifi1      bridge1       none     no       no          no          auto  no                 1  admit-all  
3  D wifi2      bridge1       none     no       no          no          auto  no                 1  admit-all

AceBlack · December 12, 2025, 5:10pm

I tried disabling the wireless packet on Capsman to see if the old AP configuration was causing the issue, but it didn't change anything at all.
I can see the Wi-Fi network on the new AP (which means the connection between Cap and Capsman is working). It lets me connect, but it doesn't get an IP address because the DHCP server for the 192.168.10.0/24 network is 192.168.10.20, which I can't reach from the connected client while it's being pinged by the AP (Cap).

Ca6ko · December 12, 2025, 5:50pm

You seem to have gaps in your knowledge of computer networks.
A device located on the 192.168.100.0/28 network belonging to the bridge-management bridge will never be able to connect to a DHCP server operating on the 192.168.10.0/24 network on the bridge-CORP bridge.
Set up a separate DHCP server on the bridge-management bridge and your devices will receive IP addresses.
You need to use VLAN.

cpunk · December 12, 2025, 5:56pm

I haven’t used the older /caps-man, so please correct me if I’m wrong .local-forwarding=no in the older config tells the cAP to direct traffic to the CAPsMAN for forwarding between networks/ssids, right? The CAPsMAN receives wifi client traffic on the management LAN and forwards it out to the various bridges on the CAPsMAN server.

If you are trying to do that on v7.20.x with the new CAPsMAN with ax devices on the wifi-qcom driver it won’t work. Only local forwarding is currently supported, per the info on Datapath at that page. With the new driver/CAPsMAN the cAP can’t send the forwarding traffic to the CAPsMAN - it can only do local forwarding. This changes in 7.21 and it should be supported.

So I think in order to make this work on 7.20.x you would need to change to a VLAN approach to datapaths from that page.