I am currently implementing a CAPsMAN-based VLAN deployment using a Hex S 2025 to run CAPsMAN and the first of 3 cAP ac wireless access points. My process closely follows the tutorial post: Tutorial: Home VLAN configuration (RB5009, cAP ACs, multiple SSIDs)
Both the Hex S and the cAP ac are running ROS7.20 and the cAP ac is also running the wifi-qcom-ac 7.20 package.
At the end of the process both the Hex S and the cAP ac were up and running, and both master WiFi interfaces were transmitting. Neither slave SSID was being offered, however, and when I checked in WinBox the slave interfaces, although marked as enabled, had a status of disabled.
Both devices were rebooted, in case that made a difference, but that had no effect. There is nothing in the log to suggest why the slave interfaces were not coming up.
Hex S config is:
2025-10-06 14:02:38 by RouterOS 7.20
# software id = SDXQ-5QCY
#
# model = E60iUGS
# serial number = XXXXXXX
# Layer-2 base: a single VLAN-filtering bridge carries every LAN VLAN.
/interface bridge
add comment="LAN bridge" name=bridge-lan vlan-filtering=yes
# Port roles are encoded in the interface names. ether2-mgmt is described as
# unbridged, and it is indeed absent from /interface bridge port further down.
/interface ethernet
set \[ find default-name=ether1 \] comment="ISP WAN" name=ether1-wan
set \[ find default-name=ether2 \] comment=
"Dedicated unbridged port for management access" name=ether2-mgmt
set \[ find default-name=ether3 \] comment="Switch in the IT Cupboard" name=
ether3-csw1
set \[ find default-name=ether4 \] comment="Managed Switch in the Loft" name=
ether4-lsw1
set \[ find default-name=ether5 \] comment="PoE CAP D1" name=ether5-capd1
# One routed VLAN interface per segment, all attached to bridge-lan.
/interface vlan
add comment="Home VLAN" interface=bridge-lan name=vlan10-home vlan-id=10
add comment="IoT VLAN" interface=bridge-lan name=vlan20-iot vlan-id=20
add comment="Guest VLAN" interface=bridge-lan name=vlan30-guest vlan-id=30
add comment="Management VLAN" interface=bridge-lan name=vlan99-mgmt vlan-id=
99
# Interface lists; the firewall, neighbor discovery and MAC-server settings
# later in this export match on these names rather than on single interfaces.
/interface list
add comment="Management interface list" name=mgmt
add comment="Home VLAN" name=homevlan
add comment="IoT and Guest VLANs" name=IGvlans
add comment="WAN interface list" name=wan
# Datapath referenced by all three SSID configurations. It names a bridge
# (bridge-lan) and sets no vlan-id; VLAN membership is assigned on the CAP's
# own bridge ports in the cAP ac export.
# NOTE(review): the CAP's bridge is called cap-bridge, not bridge-lan — confirm
# which datapath the CAP-side interfaces actually end up using.
/interface wifi datapath
add bridge=bridge-lan comment="Generic datapath for cAP ac APs" disabled=no
name=dp-ac-generic
# Security profiles, one per SSID. No passphrase value appears in this export.
# NOTE(review): a plain export presumably omits secrets (show-sensitive was not
# used), so their absence here proves nothing either way — confirm that each
# profile really has a passphrase, given the "must specify passphrase for PSK"
# status remark printed under /interface wifi.
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk comment="Home WiFi security"
disabled=no ft=yes name=sec-home
# NOTE(review): sec-iot additionally admits wpa-psk (legacy WPA) and turns
# fast transition off; keep wpa-psk only if a device on IoTNet requires it.
add authentication-types=wpa-psk,wpa2-psk,wpa3-psk comment=
"IoT WiFi security" disabled=no ft=no name=sec-iot
add authentication-types=wpa2-psk,wpa3-psk comment="Guest WiFi security"
disabled=no ft=yes name=sec-guest
# IoTNet configuration: no steering profile is attached to it.
/interface wifi configuration
add comment="Config for IoTNet WiFi SSID" country="United Kingdom"
datapath=dp-ac-generic disabled=no name=config-iot-wifi security=sec-iot
ssid=IoTNet
# Steering profile (rrm and wnm enabled) used by HomeNet and GuestNet below.
/interface wifi steering
add disabled=no name=steering-main rrm=yes wnm=yes
# HomeNet and GuestNet configurations; both reference steering-main.
/interface wifi configuration
add comment="Config for HomeNet WiFi SSID" country="United Kingdom"
datapath=dp-ac-generic disabled=no name=config-home-wifi security=
sec-home ssid=HomeNet steering=steering-main
add comment="Config for GuestNet WiFi SSID" country="United Kingdom"
datapath=dp-ac-generic disabled=no name=config-guest-wifi security=
sec-guest ssid=GuestNet steering=steering-main
# CAPsMAN-side view of the cAP's radios: one master interface per radio-mac,
# each with two virtual interfaces (IoTNet and GuestNet).
# NOTE(review): the "# operated by CAP" and "# must specify passphrase for PSK"
# lines are status remarks that RouterOS writes into the export. Which item the
# passphrase remark applies to is not clear from the listing; it presumably
# means a security profile in use has no passphrase — confirm on sec-home,
# sec-iot and sec-guest.
# NOTE(review): here ...FA and ...FB are virtual MACs under cap-wifi1 and
# ...FC/...FD under cap-wifi2, while the cAP ac export puts ...FA/...FC under
# the 2 GHz master and ...FB/...FD under the 5 GHz master — confirm which
# pairing is intended.
/interface wifi
# operated by CAP C4:AD:XX:YY:ZZ:F8%vlan99-mgmt, traffic processing on CAP
# must specify passphrase for PSK
add configuration=config-home-wifi configuration.mode=ap disabled=no name=
cap-wifi1 radio-mac=C4:AD:XX:YY:ZZ:FA
add configuration=config-iot-wifi configuration.mode=ap disabled=no
mac-address=C6:AD:XX:YY:ZZ:FA master-interface=cap-wifi1 name=
cap-wifi1-virtual1
add configuration=config-guest-wifi configuration.mode=ap disabled=no
mac-address=C6:AD:XX:YY:ZZ:FB master-interface=cap-wifi1 name=
cap-wifi1-virtual2
# operated by CAP C4:AD:XX:YY:ZZ:F8%vlan99-mgmt, traffic processing on CAP
# must specify passphrase for PSK
add configuration=config-home-wifi configuration.mode=ap disabled=no name=
cap-wifi2 radio-mac=C4:AD:XX:YY:ZZ:FB
add configuration=config-iot-wifi configuration.mode=ap disabled=no
mac-address=C6:AD:XX:YY:ZZ:FC master-interface=cap-wifi2 name=
cap-wifi2-virtual1
add configuration=config-guest-wifi configuration.mode=ap disabled=no
mac-address=C6:AD:XX:YY:ZZ:FD master-interface=cap-wifi2 name=
cap-wifi2-virtual2
# DHCP address pools, one per VLAN. pool-home and pool-mgmt start at .25, so
# .2-.24 in those subnets are never handed out dynamically; the Jon-webfig
# firewall address list (10.10.0.20-22) falls inside that reserved range.
/ip pool
add name=pool-home ranges=10.10.0.25-10.10.0.254
add name=pool-iot ranges=10.20.0.2-10.20.0.254
add name=pool-guest ranges=10.30.0.2-10.30.0.254
add name=pool-mgmt ranges=10.99.0.25-10.99.0.254
# One DHCP server per VLAN interface; guests get a 1h lease, the others 1d.
/ip dhcp-server
add address-pool=pool-home interface=vlan10-home lease-time=1d name=dhcp-home
add address-pool=pool-iot interface=vlan20-iot lease-time=1d name=dhcp-iot
add address-pool=pool-guest interface=vlan30-guest lease-time=1h name=
dhcp-guest
add address-pool=pool-mgmt interface=vlan99-mgmt lease-time=1d name=dhcp-mgmt
# Bridge ports: ether3 is an untagged access port in VLAN 10; ether4 and ether5
# are trunks that admit only tagged frames. ether1-wan and ether2-mgmt are not
# bridge members.
/interface bridge port
add bridge=bridge-lan comment="IT Cupboard Switch (VLAN 10)" frame-types=
admit-only-untagged-and-priority-tagged interface=ether3-csw1 pvid=10
add bridge=bridge-lan comment="Loft Switch Trunk Port" frame-types=
admit-only-vlan-tagged interface=ether4-lsw1
add bridge=bridge-lan comment="CAPD1 Trunk Port with PoE" frame-types=
admit-only-vlan-tagged interface=ether5-capd1
# Neighbor discovery is limited to interfaces in the mgmt list.
/ip neighbor discovery-settings
set discover-interface-list=mgmt
# VLAN table: every VLAN is tagged towards the CPU (bridge-lan) and both
# trunks. Only VLAN 10 has an untagged member on this router (ether3-csw1);
# VLANs 20, 30 and 99 exist here as tagged-only.
/interface bridge vlan
add bridge=bridge-lan comment="Access port for IT cupboard switch to VLAN10"
tagged=bridge-lan,ether4-lsw1,ether5-capd1 untagged=ether3-csw1 vlan-ids=
10
add bridge=bridge-lan comment="IoT VLAN with access only via Wi-FI AP trunks"
tagged=bridge-lan,ether4-lsw1,ether5-capd1 vlan-ids=20
add bridge=bridge-lan comment=
"Guest VLAN with access only via Wi-FI AP trunks" tagged=
bridge-lan,ether4-lsw1,ether5-capd1 vlan-ids=30
add bridge=bridge-lan comment="Management VLAN" tagged=
bridge-lan,ether4-lsw1,ether5-capd1 vlan-ids=99
# Interface-list membership. mgmt contains both the physical ether2-mgmt port
# and vlan99-mgmt; IoT and Guest share the single list IGvlans.
/interface list member
add comment="Dedicated management port" interface=ether2-mgmt list=mgmt
add comment="Management VLAN" interface=vlan99-mgmt list=mgmt
add comment="Home VLAN" interface=vlan10-home list=homevlan
add comment="IoT VLAN" interface=vlan20-iot list=IGvlans
add comment="Guest VLAN" interface=vlan30-guest list=IGvlans
add comment="WAN interface" interface=ether1-wan list=wan
# CAPsMAN is enabled on vlan99-mgmt only, with auto-generated CA and
# certificate.
# NOTE(review): require-peer-certificate is not shown, so it is presumably at
# its default — consider enabling it once every CAP holds an issued
# certificate, so that only enrolled CAPs can join.
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=vlan99-mgmt
# Single provisioning rule with no radio or band match visible: HomeNet is the
# master configuration, IoTNet and GuestNet the slave configurations.
/interface wifi provisioning
add action=create-enabled comment="Provision config to all APs" disabled=no
master-configuration=config-home-wifi slave-configurations=
config-iot-wifi,config-guest-wifi
# Router (gateway) address for each VLAN. No address is assigned to
# ether2-mgmt in this export.
# NOTE(review): without an IP address the dedicated management port is
# presumably reachable only through the MAC-server services — confirm that
# this is the intended fallback path.
/ip address
add address=10.10.0.1/24 comment="Home VLAN addresses" interface=vlan10-home
network=10.10.0.0
add address=10.20.0.1/24 comment="IoT VLAN addresses" interface=vlan20-iot
network=10.20.0.0
add address=10.30.0.1/24 comment="Guest VLAN addresses" interface=
vlan30-guest network=10.30.0.0
add address=10.99.0.1/24 comment="Management VLAN addresses" interface=
vlan99-mgmt network=10.99.0.0
/ip cloud
set update-time=no
# WAN address is obtained by DHCP; "Interface not active" is a status remark
# written by RouterOS at export time.
/ip dhcp-client
# Interface not active
add interface=ether1-wan
# Each DHCP network hands out the router itself as gateway and DNS server.
/ip dhcp-server network
add address=10.10.0.0/24 comment="Home DHCP Network" dns-server=10.10.0.1
gateway=10.10.0.1
add address=10.20.0.0/24 comment="IoT DHCP Network" dns-server=10.20.0.1
gateway=10.20.0.1
add address=10.30.0.0/24 comment="Guest DHCP Network" dns-server=10.30.0.1
gateway=10.30.0.1
add address=10.99.0.0/24 comment="Management DHCP Network" dns-server=
10.99.0.1 gateway=10.99.0.1
# allow-remote-requests=yes makes the router answer DNS queries from clients;
# who may reach port 53 is decided solely by the input-chain rules below
# (accepted from every interface outside the wan list).
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
# Source addresses allowed to reach WebFig from the Home VLAN. All three lie
# below the start of pool-home (10.10.0.25).
# NOTE(review): presumably these are static assignments. An address-list match
# identifies a client by source IP only, so treat this rule as a convenience
# filter, not as authentication — WebFig login credentials remain the actual
# control.
/ip firewall address-list
add address=10.10.0.20 comment="Jon Desktop" list=Jon-webfig
add address=10.10.0.21 comment="Jon laptop " list=Jon-webfig
add address=10.10.0.22 comment="Jon Phone" list=Jon-webfig
# NOTE(review): only IPv4 rules appear in this export; confirm that IPv6 is
# either disabled or filtered separately.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="Allow established connections"
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid packets" connection-state=
invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow local loopback for CAPsMAN"
dst-address=127.0.0.1
# DNS is accepted from every interface that is not in the wan list, which
# includes the IoT and Guest VLANs and any interface added later.
add action=accept chain=input comment="Allow UDP LAN DNS queries" dst-port=53
in-interface-list=!wan protocol=udp
add action=accept chain=input comment="Allow TCP LAN DNS queries" dst-port=53
in-interface-list=!wan protocol=tcp
# Unrestricted input from the mgmt list (ether2-mgmt and vlan99-mgmt): every
# port and protocol is accepted.
add action=accept chain=input comment=
"Allow full access to the management interfaces" in-interface-list=mgmt
# WebFig from the three listed Home addresses. Port 80 is plain HTTP.
# NOTE(review): www-ssl is not shown under /ip service, so whether 443 is
# listening cannot be told from here — confirm, and prefer HTTPS only.
add action=accept chain=input comment=
"Allow restricted webfig access to the router" dst-port=80,443
in-interface=vlan10-home protocol=tcp src-address-list=Jon-webfig
add action=drop chain=input comment="Drop all other inputs"
# --- forward chain: traffic routed between VLANs and to the WAN ---
add action=fasttrack-connection chain=forward comment=
"Fasttrack established connections" connection-state=established,related
hw-offload=yes
add action=accept chain=forward comment="Allow established connections"
connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid packets"
connection-state=invalid
add action=accept chain=forward comment="Allow Home -> IoT traffic"
connection-state=new in-interface=vlan10-home out-interface=vlan20-iot
# Every Home VLAN host may open connections to any management-VLAN device
# (e.g. the CAP at 10.99.0.2); the Jon-webfig restriction above applies only
# to the router's own input chain.
# NOTE(review): consider narrowing this rule with src-address-list=Jon-webfig
# so that the management plane of the CAPs and switches is equally restricted.
add action=accept chain=forward comment="Allow Home -> Management traffic"
connection-state=new in-interface=vlan10-home out-interface=vlan99-mgmt
add action=accept chain=forward comment=
"Allow internet access for management VLAN" connection-state=new
in-interface-list=mgmt out-interface-list=wan
add action=accept chain=forward comment="Allow internet access for home VLAN"
connection-state=new in-interface-list=homevlan out-interface-list=wan
add action=accept chain=forward comment=
"Allow internet access for all other VLANs" connection-state=new
in-interface-list=IGvlans out-interface-list=wan
# No rule accepts new connections from IoT or Guest towards another VLAN, so
# the final drop keeps them isolated from Home, Management and each other.
add action=drop chain=forward comment="Drop all other forwarded traffic"
# Source NAT for everything leaving through the wan list.
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT for internet access"
out-interface-list=wan
# FTP, Telnet and both API services are switched off. www, ssh and winbox are
# not listed.
# NOTE(review): presumably those three remain at their defaults with no
# address= restriction, leaving the input chain as the only control — confirm
# with /ip service print.
/ip service
set ftp disabled=yes
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system identity
set name=MikroTikCore
# Time synchronisation; accurate time matters for certificate validity, and
# CAPsMAN uses certificates here.
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
# MAC Telnet and MAC WinBox are limited to interfaces in the mgmt list.
/tool mac-server
set allowed-interface-list=mgmt
/tool mac-server mac-winbox
set allowed-interface-list=mgmt“
cAP ac config is:
“2025-10-06 12:31:12 by RouterOS 7.20
# software id = 94FJ-DJMY
#
# model = RBcAPGi-5acD2nD
# serial number = XXXXXXX
# Local VLAN-filtering bridge on the CAP; the wifi interfaces become access
# ports on it (see /interface bridge port below).
/interface bridge
add comment="CAP bridge" name=cap-bridge vlan-filtering=yes
# Both radios are handed to CAPsMAN (configuration.manager=capsman). The four
# added slave interfaces carry only mode, MAC address and master locally — no
# SSID or security profile is set on the CAP itself.
# NOTE(review): the slaves' MAC-to-master pairing differs from the virtual
# interfaces in the Hex S export (there ...FA/...FB share one master, here
# ...FA/...FC do) — confirm which pairing is intended.
/interface wifi
# managed by CAPsMAN 04:F4:XX:YY:ZZ:38%vlan99-mgmt, traffic processing on CAP
set \[ find default-name=wifi1 \] configuration.manager=capsman .mode=ap
disabled=no name=master-2ghz-vlan10
# managed by CAPsMAN 04:F4:XX:YY:ZZ:38%vlan99-mgmt, traffic processing on CAP
set \[ find default-name=wifi2 \] configuration.manager=capsman .mode=ap
disabled=no name=master-5ghz-vlan10
add configuration.mode=ap disabled=no mac-address=C6:AD:XX:YY:ZZ:FA
master-interface=master-2ghz-vlan10 name=slave-2ghz-vlan20
add configuration.mode=ap disabled=no mac-address=C6:AD:XX:YY:ZZ:FC
master-interface=master-2ghz-vlan10 name=slave-2ghz-vlan30
add configuration.mode=ap disabled=no mac-address=C6:AD:XX:YY:ZZ:FB
master-interface=master-5ghz-vlan10 name=slave-5ghz-vlan20
add configuration.mode=ap disabled=no mac-address=C6:AD:XX:YY:ZZ:FD
master-interface=master-5ghz-vlan10 name=slave-5ghz-vlan30
# Management VLAN interface, bound directly to ether1.
# NOTE(review): ether1 is also a cap-bridge port and VLAN 99 is tagged on
# cap-bridge in the VLAN table; MikroTik's bridging guidance is to attach VLAN
# interfaces to the bridge rather than to one of its ports — confirm.
/interface vlan
add interface=ether1 name=vlan99-mgmt vlan-id=99
/interface list
add comment="Management interface list" name=mgmt
# Datapath for the slave interfaces (referenced by slaves-datapath under
# /interface wifi cap); it names the bridge only.
/interface wifi datapath
add bridge=cap-bridge name=cap-datapath
# ether1 is the tagged-only trunk to the router. Each wifi interface is an
# untagged access port whose pvid selects its VLAN: masters 10, slaves 20/30.
/interface bridge port
add bridge=cap-bridge comment="Trunk port" frame-types=admit-only-vlan-tagged
interface=ether1
add bridge=cap-bridge comment="Access port VLAN 10 - 2Ghz" frame-types=
admit-only-untagged-and-priority-tagged interface=master-2ghz-vlan10
pvid=10
add bridge=cap-bridge comment="Access port VLAN 10 - 5Ghz" frame-types=
admit-only-untagged-and-priority-tagged interface=master-5ghz-vlan10
pvid=10
add bridge=cap-bridge comment="Access port VLAN 20 - 2Ghz" frame-types=
admit-only-untagged-and-priority-tagged interface=slave-2ghz-vlan20 pvid=
20
add bridge=cap-bridge comment="Access port VLAN 20 - 5Ghz" frame-types=
admit-only-untagged-and-priority-tagged interface=slave-5ghz-vlan20 pvid=
20
add bridge=cap-bridge comment="Access port VLAN 30 - 2Ghz" frame-types=
admit-only-untagged-and-priority-tagged interface=slave-2ghz-vlan30 pvid=
30
add bridge=cap-bridge comment="Access port VLAN 30 - 5Ghz" frame-types=
admit-only-untagged-and-priority-tagged interface=slave-5ghz-vlan30 pvid=
30
# Neighbor discovery is limited to interfaces in the mgmt list.
/ip neighbor discovery-settings
set discover-interface-list=mgmt
# VLAN table mirroring the port pvids above: every VLAN is tagged on the bridge
# and on ether1, and untagged on the matching wifi interfaces.
/interface bridge vlan
add bridge=cap-bridge tagged=cap-bridge,ether1 vlan-ids=99
add bridge=cap-bridge tagged=cap-bridge,ether1 untagged=
master-2ghz-vlan10,master-5ghz-vlan10 vlan-ids=10
add bridge=cap-bridge tagged=cap-bridge,ether1 untagged=
slave-2ghz-vlan20,slave-5ghz-vlan20 vlan-ids=20
add bridge=cap-bridge tagged=cap-bridge,ether1 untagged=
slave-2ghz-vlan30,slave-5ghz-vlan30 vlan-ids=30
# mgmt list on the CAP. ether2 is a member although it has no IP address and
# is not a bridge port in this export.
# NOTE(review): because the MAC-server settings at the end of this export
# allow the mgmt list, the physical ether2 port presumably offers a MAC WinBox
# and MAC Telnet login to whatever is plugged into it — confirm that this is
# wanted on an access point mounted in a reachable location.
/interface list member
add comment="Dedicated management port" interface=ether2 list=mgmt
add comment="Management VLAN" interface=vlan99-mgmt list=mgmt
# CAP mode: the manager is discovered on vlan99-mgmt, a certificate is
# requested from it, and slave interfaces are static and use cap-datapath.
# NOTE(review): lock-to-caps-man is not shown, so it is presumably at its
# default — consider locking the CAP to this CAPsMAN once provisioning works.
/interface wifi cap
set certificate=request discovery-interfaces=vlan99-mgmt enabled=yes
slaves-datapath=cap-datapath slaves-static=yes
# Static management address, with DNS and default route via the router.
/ip address
add address=10.99.0.2/24 interface=vlan99-mgmt network=10.99.0.0
/ip cloud
set update-time=no
/ip dns
set servers=10.99.0.1
/ip route
add distance=1 gateway=10.99.0.1
# FTP, Telnet and both API services are switched off. www, ssh and winbox are
# not listed.
# NOTE(review): no /ip firewall section appears in this export, so services
# left enabled are presumably reachable by anything routed to 10.99.0.2 — and
# the router forwards new connections from the whole Home VLAN into the
# management VLAN. Confirm with /ip service print and consider an address=
# restriction or an input filter on the CAP.
/ip service
set ftp disabled=yes
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system identity
set name=MikroTikCAPU1
# Time synchronisation; accurate time matters for certificate validity, and
# the CAP requests a certificate from CAPsMAN.
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
# MAC Telnet and MAC WinBox are limited to interfaces in the mgmt list.
/tool mac-server
set allowed-interface-list=mgmt
/tool mac-server mac-winbox
set allowed-interface-list=mgmt“
I would be very grateful for any help with this.
Thanks in advance.