Simple guide to setting up a hAP ax² CAPsMAN network!

hello,

(latest edition with working configurations for master and slave APs from Mikrotik)

situation:
there is a 1 Gbps DHCP internet uplink and 5 hAP ax² MikroTik routers (RouterOS 7.21.2, wifi-qcom 7.21.2); I want to set up a CAPsMAN-controlled wifi network

guest-wifi is working, but guest isolation is done by bridgeGuest ARP: 'reply-only' and 2 routing rules
Maybe better isolation for the guest wifi could be done via VLANs? (I would be happy for help from knowledgeable colleagues.)
Any comments would be great!

========

(ap-master)

# model = C52iG-5HaxD2HaxD
# ap-master: CAPsMAN controller, DHCP server, NAT gateway and firewall for
# both the LAN (192.168.88.0/24) and the guest network (192.168.188.0/24).
/interface bridge
# arp=reply-only: the bridge answers ARP only for entries already in its ARP
# table; entries are added by the guest DHCP server (add-arp=yes below), so a
# guest host with a self-assigned IP gets no ARP reply from the gateway.
add arp=reply-only name=bridgeGuest
add name=bridgeLAN port-cost-mode=short
/interface ethernet
# Per-unit MAC addresses from the export; replace or drop them when applying
# this configuration to another device.
set [ find default-name=ether1 ] mac-address=04:F4:1C:DE:79:5E
set [ find default-name=ether2 ] mac-address=04:F4:1C:DE:79:5F
set [ find default-name=ether3 ] mac-address=04:F4:1C:DE:79:60
set [ find default-name=ether4 ] mac-address=04:F4:1C:DE:79:61
set [ find default-name=ether5 ] mac-address=04:F4:1C:DE:79:62
/interface list
add name=WAN
add name=LAN
/interface wifi channel
# 2G is pinned to the three non-overlapping 2.4 GHz channels (1/6/11);
# 5G avoids DFS channels that need a 10-minute CAC before use.
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=2G
add band=5ghz-ax disabled=no name=5G skip-dfs-channels=10min-cac
/interface wifi datapath
# client-isolation=yes stops station-to-station forwarding on the guest
# interface itself; separating guest from LAN is done by the bridge split and
# the routing rules further down, not by this flag.
add bridge=bridgeLAN disabled=no name=datapathLAN
add bridge=bridgeGuest client-isolation=yes disabled=no name=datapathGuest
/interface wifi security
# WPA3-SAE only (no WPA2 fallback) with fast transition. Both profiles are
# identical apart from the name; this export does not include passphrase=,
# so the PSKs are not visible here.
add authentication-types=wpa3-psk disabled=no encryption=ccmp ft=yes \
    ft-over-ds=yes group-encryption=ccmp group-key-update=20m name=Security
add authentication-types=wpa3-psk disabled=no encryption=ccmp ft=yes \
    ft-over-ds=yes group-encryption=ccmp group-key-update=20m name=\
    SecurityGuest
/interface wifi configuration
# Master configurations (2G/5G, SSID KS) go to bridgeLAN; the guest
# configurations (SSID KSguest) go to bridgeGuest. 5Gguest repeats the
# band/DFS settings inline that the 5G channel profile already carries.
add channel=2G country=Latvia datapath=datapathLAN datapath.bridge=bridgeLAN \
    disabled=no mode=ap name=2G security=Security ssid=KS
add channel=5G country=Latvia datapath=datapathLAN datapath.bridge=bridgeLAN \
    disabled=no mode=ap name=5G security=Security ssid=KS
add channel=2G country=Latvia datapath=datapathGuest datapath.bridge=\
    bridgeGuest disabled=no mode=ap name=2Gguest security=SecurityGuest ssid=\
    KSguest
add channel=5G channel.band=5ghz-ax .skip-dfs-channels=10min-cac country=\
    Latvia datapath=datapathGuest datapath.bridge=bridgeGuest disabled=no \
    mode=ap name=5Gguest security=SecurityGuest ssid=KSguest
/ip pool
add name=dhcpLANPool ranges=192.168.88.2-192.168.88.254
add name=dhcpGuestPool ranges=192.168.188.2-192.168.188.254
/ip dhcp-server
# add-arp=yes on the guest server is what feeds the reply-only ARP table of
# bridgeGuest: only hosts holding a lease get a gateway ARP entry.
add address-pool=dhcpLANPool interface=bridgeLAN name=dhcpLAN
add add-arp=yes address-pool=dhcpGuestPool interface=bridgeGuest name=\
    dhcpGuest
/interface bridge port
add bridge=bridgeLAN interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridgeLAN interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridgeLAN interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridgeLAN interface=ether5 internal-path-cost=10 path-cost=10
# *2 and *3 are unresolved interface references (the export prints an
# internal id when the interface no longer exists); these two entries look
# stale and can probably be removed.
add bridge=bridgeLAN interface=*2
add bridge=bridgeLAN interface=*3
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# Note that bridgeGuest is deliberately in neither list: it is therefore
# treated as "not LAN" by the input filter and mac-server settings below.
add interface=ether1 list=WAN
add interface=bridgeLAN list=LAN
/interface wifi cap
# The master's own radios do not appear in this export; presumably they are
# provisioned through this local CAP over loopback (see the 127.0.0.1 input
# rule below) — confirm in /interface wifi on the device.
set enabled=yes
/interface wifi capsman
# interfaces=all: the controller accepts CAP connections on every interface,
# ether1 (WAN) included; only the input filter (drop !LAN) keeps WAN-side
# requests out. Setting interfaces=bridgeLAN would not depend on the filter.
set enabled=yes interfaces=all
/interface wifi provisioning
# Each radio gets the band's master SSID plus the guest SSID as a slave
# interface, named e.g. 5G-<identity>.
add action=create-dynamic-enabled disabled=no master-configuration=5G \
    name-format=5G-%I slave-configurations=5Gguest supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=2G \
    name-format=2G-%I slave-configurations=2Gguest supported-bands=2ghz-ax
/ip address
add address=192.168.88.1/24 interface=bridgeLAN network=192.168.88.0
add address=192.168.188.1/24 interface=bridgeGuest network=192.168.188.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
# Clients are handed public resolvers directly, so guests never need to
# reach the router's own DNS service.
add address=192.168.88.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.88.1
add address=192.168.188.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.188.1
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall filter
# Rules are evaluated top to bottom; the first match wins.
add action=fasttrack-connection chain=forward comment=\
    "fast-track for established,related" connection-state=established,related
add action=accept chain=input protocol=icmp
# Redundant with the established,related,untracked accept three rules down
# (established is a subset of it); harmless, but one of the two can go.
add action=accept chain=input connection-state=established
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
# Drops everything addressed to the router itself that did not arrive via the
# LAN list: ether1 (WAN) and, since bridgeGuest is not a LAN member, the guest
# bridge. Guests can thus only ping the router (icmp accepted above); guest
# DHCP is reported as working, and DNS goes to the public resolvers.
add action=drop chain=input in-interface-list=!LAN
add action=drop chain=forward connection-state=invalid
# No forward-chain rule separates guest from LAN; that separation relies on
# the /routing rule entries near the end. An explicit forward drop between
# 192.168.188.0/24 and 192.168.88.0/24 would be an independent second layer.
# Either way this is L3 isolation only and cannot help where guest and LAN
# frames already share one bridge.
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
# Disabling ftp/telnet/www/api and moving ssh to 2200 reduces exposure, but
# the input filter above is the actual access control. winbox is limited to
# the LAN subnet (the guest subnet is excluded); ssh has no address=
# restriction and is reachable from any host that passes the input chain.
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set ssh port=2200
set winbox address=192.168.88.0/24
set api disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes
/routing rule
# Both subnets are directly connected, so without these rules traffic between
# them would simply be routed. Marking each side unreachable from the other at
# route lookup (which happens before the forward chain) blocks guest <-> LAN.
add action=unreachable disabled=no dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24
add action=unreachable disabled=no dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24
/system clock
set time-zone-name=Europe/Riga
/system identity
set name=MikroTik-cAP-m
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
# MAC-level management (MAC telnet / MAC winbox) only from LAN-list members.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

(router-ap-slave)

# model = C52iG-5HaxD2HaxD
# router-ap-slave: a CAP. In this export it has no IP addresses and no
# firewall of its own; all five ethernet ports and both radios sit in
# bridgeLocal and it takes a management address via DHCP from the
# controller's LAN.
/interface bridge
add comment=defconf name=bridgeLocal
/interface wifi datapath
# The only datapath on this device; everything using it lands in bridgeLocal.
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN 04:F4:1C:DE:78:D2%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: KS, channel: 5745/ax/Ceee
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no
# managed by CAPsMAN 04:F4:1C:DE:78:D2%bridgeLocal, traffic processing on CAP
# mode: AP, SSID: KS, channel: 2412/ax/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no
/interface bridge port
# Every port is an untagged member of the same bridge, so whichever port
# uplinks to the master carries LAN and wifi frames as one L2 segment.
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
/interface wifi cap
# The CAP looks for its controller only via bridgeLocal.
# slaves-datapath=capdp: slave interfaces that CAPsMAN creates here (the guest
# SSID) also use capdp, i.e. bridgeLocal. With "traffic processing on CAP"
# (see the exported comments above) frames are forwarded locally, and there
# is no bridgeGuest on this device for the controller's
# datapath.bridge=bridgeGuest to refer to.
# NOTE(review): it therefore looks like guest clients associated to this CAP
# end up in the same L2 segment as the LAN and get a 192.168.88.x lease,
# bypassing bridgeGuest and the routing rules on the master — verify by
# checking which address a guest client receives on a slave AP. If so, a
# per-SSID VLAN (vlan-id on the guest datapath, VLAN-aware bridges on CAP and
# master) is what keeps guest traffic separate over the single uplink.
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
# Management address comes from the master's dhcpLAN pool over bridgeLocal.
add comment=defconf interface=bridgeLocal
/system clock
set time-zone-name=Europe/Riga
/system identity
set name=MikroTik-cAP-s4
 

The guide notes I use are here: WiFi - RouterOS - MikroTik Documentation (in English, unfortunately). However, the notes you are using look to be OK for what you are doing.

Working from Webfig or winbox, you need to set up a security profile and a datapath on the CAPsMAN, then a configuration and finally a provisioning entry. You must also enable CAPsMAN and on the CAPs you must enable the CAP.

Try just a main interface first, without VLANs. Once that works, try slave radio interfaces. If that works, connect the slave interfaces to a VLAN, but initially don't try to put the main interface on a VLAN.