Hello,
I already have a wireless network with a Capsman system and 56 Cap AC access points. They work well, but I bought 15 more cAP AX access points this year and they’re not joining the Capsman.
Can anyone help me with connecting the new ones while keeping the old ones connected?
My switch router model is: CCR1036-8G-2S+
Thanks in advance.
Your cap AC are most likely using “old” capsman.
You need to use wave2 capsman for AX devices, completely separate menu structure.
Good thing: you can have both capsman environments on the same controller but you need to be running at least ROS 7.13.
See here for more info:
https://help.mikrotik.com/docs/display/ROS/Wireless
Hint: those cAP ACs can theoretically be upgraded to use wave2 drivers as well but beware before you begin.
There are quite some important caveats if you rely on VLANs being assigned to various wifi SSIDs (which is mostly manual work for now, if you go down that road).
I updated my ROS to 7.16 beta, and new options appeared and I added them:
My 5G on AX cAP’s appears for a few seconds and disappears again, please check my setups one time, maybe I did something wrong.
Export of config please, no screenshots.
Use these instructions to retrieve an export and post it:
http://forum.mikrotik.com/t/forum-rules/173010/1
# 2024-08-03 14:12:01 by RouterOS 7.16beta7
#
# model = CCR1036-8G-2S+
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2412,2437,2462 \
name=2.4G tx-power=20
add band=5ghz-a/n/ac control-channel-width=40mhz-turbo frequency=5180 name=5G
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=datapath1
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name="ether1_Wan"
set [ find default-name=ether2 ] name=ether2_LAN01
set [ find default-name=ether3 ] name=ether3_LAN02
set [ find default-name=ether4 ] name=ether4_LAN03
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=security1_0101
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
name=security2_0202
/caps-man configuration
add channel=2.4G channel.band=2ghz-g/n .control-channel-width=20mhz \
.tx-power=20 country=no_country_set datapath=datapath1 datapath.bridge=\
bridge1 distance=indoors hw-protection-mode=rts-cts hw-retries=5 \
installation=indoor mode=ap name=cfg_2.4 rx-chains=0,1,2,3 security=\
security2_Student ssid=QSID_Test tx-chains=0,1,2,3
add channel=5G channel.band=5ghz-a/n/ac .control-channel-width=20mhz country=\
no_country_set datapath=datapath1 datapath.bridge=bridge1 distance=\
indoors installation=indoor mode=ap name=cfg_5G rx-chains=0,1,2,3 \
security=security1_QSID ssid=QSID_5G tx-chains=0,1,2,3
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add band=5ghz-ax disabled=no name=channel5ax width=20/40/80mhz
add band=2ghz-ax disabled=no name=ch2ax skip-dfs-channels=disabled width=\
20mhz
add band=5ghz-ac disabled=no name=ch5ac width=20/40/80mhz
add band=2ghz-n disabled=no name=ch2n width=20mhz
/interface wifi datapath
add bridge=bridge1 disabled=no name=data
/interface wifi security
add authentication-types=wpa-psk,wpa2-psk disabled=no ft=yes ft-over-ds=yes \
name=sec1
/interface wifi configuration
add channel=channel5ax channel.frequency=2300-7300 country="United States" \
datapath=data datapath.bridge=bridge1 disabled=no mode=ap name=cfg5ax \
security=sec1 ssid=5ax
add channel=ch2ax country="United States" datapath=data disabled=no mode=ap \
name=cfg2ax security=sec1 ssid=2ax
add channel=ch5ac country="United States" datapath=data datapath.bridge=\
bridge1 disabled=no mode=ap name=cfg5ac security=sec1 ssid=5ax
add channel=ch2n country="United States" datapath=data disabled=no mode=ap \
name=cfg2 security=sec1 ssid=2ax
/interface wifi
add configuration=cfg5ax disabled=no name=cap-wifi1 radio-mac=\
D4:01:C3:49:5D:5D
add configuration=cfg5ax disabled=no name=cap-wifi3 radio-mac=\
D4:01:C3:49:4F:9F
add configuration=cfg5ax disabled=no name=cap-wifi4 radio-mac=\
D4:01:C3:48:41:62
add configuration=cfg5ax disabled=no name=cap-wifi5 radio-mac=\
D4:01:C3:49:56:BB
add configuration=cfg5ax disabled=no name=cap-wifi6 radio-mac=\
D4:01:C3:47:1E:26
add configuration=cfg5ax disabled=no name=cap-wifi7 radio-mac=\
D4:01:C3:D7:9D:56
add configuration=cfg5ax disabled=no name=cap-wifi8 radio-mac=\
D4:01:C3:D7:9E:52
add configuration=cfg5ax disabled=no name=cap-wifi9 radio-mac=\
D4:01:C3:D7:9D:BC
add configuration=cfg5ax disabled=no name=cap-wifi10 radio-mac=\
D4:01:C3:48:56:34
add configuration=cfg5ax disabled=no name=cap-wifi11 radio-mac=\
D4:01:C3:48:CD:EA
add configuration=cfg5ax disabled=no name=cap-wifi12 radio-mac=\
D4:01:C3:48:3E:E4
add configuration=cfg5ax disabled=no name=cap-wifi14 radio-mac=\
D4:01:C3:D7:9E:04
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=youtube regexp="\"^.+(youtube).*\$\""
add name=facebook regexp="\"^.+(facebook).*\$\""
/port
set 0 name=serial0
set 1 name=serial1
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=all \
mac-address=00:00:00:00:00:00 signal-range=-70..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=all \
mac-address=00:00:00:00:00:00 signal-range=-120..71 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=an,ac,a \
master-configuration=cfg_5G name-prefix=5G
add action=create-dynamic-enabled hw-supported-modes=g,gn,b \
master-configuration=cfg_2.4 name-prefix=2.4G
/interface bridge port
add bridge=bridge1 interface=ether2_LAN01
add bridge=bridge1 interface=ether3_LAN02
add bridge=bridge1 interface=ether4_LAN03
/ip firewall connection tracking
set udp-timeout=10s
/interface list member
add interface="ether1_Wan Eastera" list=WAN
add interface=bridge1 list=LAN
/interface wifi capsman
set enabled=yes interfaces=bridge1 package-path="" require-peer-certificate=\
no upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=cfg5ax \
supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cfg2ax \
supported-bands=2ghz-ax
add address=172.20.0.1/22 interface=bridge1 network=172.20.0.0
add address=172.20.3.1/24 interface=bridge1 network=172.20.3.0
/ip arp
add address=172.20.1.6 interface=bridge1 mac-address=E0:D5:5E:AB:86:50
add address=172.20.2.26 interface=bridge1 mac-address=00:50:56:AF:39:C7
add address=172.20.1.8 interface=bridge1 mac-address=F8:E9:4E:88:1F:8B
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=1d name=dhcp1
/ip dhcp-server network
add address=172.20.0.0/22 gateway=172.20.0.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1_Wan Eastera"
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip pool
add name=dhcp_pool0 next-pool=dhcp_pool0 ranges=172.20.1.1-172.20.3.99
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=62.122.139.129 routing-table=\
main suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Dushanbe
/system identity
set name=MikroTik_East
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
Try removing the channel.frequency parameter from the wifi configuration named cfg5ax.
If that does not help, where exactly does
happen? On the WiFi tab, on the radios tab, or somewhere else?
I reinstalled ROS to version 7.15.3, which removed all my setups. I set it up again, but now it doesn’t show the 2.4G Wi-Fi with the AX cAP’s. Previously, I set up a total of 4 Wi-Fi networks - with the old capsman, I set up 2.4 and 5G, and with AX cAP’s (wi-fi interface), I also set up 2.4 and 5G. But now, it’s not showing my 2.4 channels with the AX cAPs.
You have again posted just the screenshot, without the output of the /interface/wifi/export command, although the wifi-related configuration is different from the one you have posted before (at least because 7.16 has a different set of parameters than 7.15.3).
Most likely DFS frequency gets selected (AX devices seem to favor those ranges).
Again a reason why I NEVER set frequency selection to auto.
I always choose which frequency to use so I know what it should be.
/interface wifi channel
add band=2ghz-ax disabled=no name=ch-2ax width=20mhz
add band=5ghz-ax disabled=no name=ch-5ax skip-dfs-channels=all width=
20/40/80mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes
name=sec1_Staff
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes
name=sec2_Student
/interface wifi
add channel=ch-5ax channel.band=5ghz-ax configuration=cfg2_5ax
configuration.mode=ap .ssid=TIS_Staff datapath=data-cap disabled=no name=
cap-wifi1 radio-mac=D4:01:C3:48:3E:E4 security=sec1_Staff
add channel=ch-2ax channel.band=2ghz-ax configuration=cfg1_2ax
configuration.mode=ap .ssid=TIS_Staff datapath=data-cap disabled=no name=
cap-wifi2 radio-mac=D4:01:C3:48:3E:E5 security=sec2_Student
security.authentication-types=wpa2-psk,wpa3-psk
add channel=ch-5ax channel.band=5ghz-ax configuration=cfg2_5ax
configuration.mode=ap .ssid=TIS disabled=no name=cap-wifi3
radio-mac=D4:01:C3:D7:9E:04 security=sec1_Staff
add channel=ch-2ax channel.band=2ghz-ax configuration=cfg1_2ax
configuration.mode=ap .ssid=TIS_Staff datapath=data-cap disabled=no name=
cap-wifi4 radio-mac=D4:01:C3:D7:9E:05 security=sec1_Staff
security.authentication-types=wpa2-psk,wpa3-psk
/interface wifi capsman
set enabled=yes interfaces=bridge1 package-path=“” require-peer-certificate=no
upgrade-policy=none
/interface wifi configuration
add chains=0,1 channel=ch-2ax country=Uzbekistan datapath=data-cap
datapath.bridge=bridge1 disabled=no mode=ap name=cfg1_2ax security=
sec1_Staff ssid=TIS_Staff tx-chains=0,1
add chains=0,1 channel=ch-5ax country=Uzbekistan datapath=data-cap
datapath.bridge=bridge1 disabled=no mode=ap name=cfg2_5ax security=
sec1_Staff ssid=TIS_Student tx-chains=0,1
/interface wifi datapath
add bridge=bridge1 disabled=no name=data-cap
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg2_5ax
slave-configurations=cfg1_2ax
add action=create-dynamic-enabled disabled=yes master-configuration=cfg1_2ax
name-format=5GHz-%I-ax- slave-configurations=cfg2_5ax
add action=create-dynamic-enabled disabled=no master-configuration=*4
slave-configurations=*3 supported-bands=5ghz-ac
add action=create-dynamic-enabled disabled=yes identity-regexp=.AC.
master-configuration=*3 name-format=2GHz-%I-n- supported-bands=2ghz-n
[admin@MikroTik_East] >
What is the correct decision: to use AC and AX caps in the Wi-Fi section? Or AC caps with the old CAPsMAN and AX CAPs with the Wi-Fi option?
Can you please help me decide on the appropriate channels to select for 2.4GHz and 5GHz for ax cAPs?
It depends on your preferences. If dynamic assignment of SSIDs and users into VLANs is a must, you have to use the wireless package on the ac devices (and control them using the corresponding CAPsMAN). If you don’t, you can use the wifi-qcom-ac package on the ac devices, somewhat improving coverage and benefiting from the assisted roaming functionalities.
Could you please provide a brief description of this item?
I will set up a connection to the network only with mac address.
In some environments the WiFi users use individual credentials (it is called WPAx-enterprise authentication), so the RADIUS server can inform the wireless network not only about success or failure of the authentication but also to which VLAN to connect the user. So instead of having a dedicated SSID for each category of users, you can use a single one and use the individual credentials to control their connection.
On a lower level, the WiFi CAPsMAN can specify a VLAN ID as a datapath parameter; this also only works with the ax devices whereas for the ac devices running wifi-qcom-ac, you have to set the VLAN tag for a wifi interface manually, by means of bridge port configuration.
I will try to do this one during winter break.
I updated wireless to wifi-qcom-ac and I did reset it and selected a cap mode option, and after reset, I added PORTS on a bridge, but it still not connect to my new capsman.
/interface bridge
add admin-mac=CC:2D:E0:EC:CF:3C auto-mac=no comment=defconf name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal interface=wifi1
add bridge=bridgeLocal interface=wifi2
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system clock
set time-zone-name=Asia/Dushanbe
/system note
set show-at-login=no
The wireless interfaces look disabled, can you enable them?
I turned them on, but it still did not connect to the wi-fi capsman.
Looks like your CAPsMAN has some errors:
/interface wifi provisioning
**add action=create-dynamic-enabled disabled=no master-configuration=*4
slave-configurations=3 supported-bands=5ghz-ac
add action=create-dynamic-enabled disabled=yes identity-regexp=.AC.
master-configuration=3 name-format=2GHz-%I-n- supported-bands=2ghz-n
Your provision rules refer to *3 which is a non exisiting config.
/interface wifi channel
add band=2ghz-ax disabled=no name=ch-2ax width=20mhz
add band=5ghz-ax disabled=no name=ch-5ax skip-dfs-channels=all width=
20/40/80mhz
Remove band to make these rules generic, it would make sense to add frequency, especially for the 2.4GHz radio
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes
name=sec1_Staff
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes
name=sec2_Student
Consider using wpa2-psk only with encrytion CCMP.
