Trouble Configuring CAPsMAN for Public Wi-Fi with VLAN on Mikrotik and Fortigate

Hi everyone,

I’ve been trying to configure CAPsMAN for a public Wi-Fi network for about a month now, and I’m still having trouble. Before the Mikrotik, there’s a Fortigate where VLANs are defined, and in this case, VLAN3 is for the public Wi-Fi. Unfortunately, I’m not a network specialist and honestly, I feel like an amateur now. I’ve gone through tutorials and YouTube videos, but I can’t seem to get it configured correctly.

I need to get the public Wi-Fi (virtual AP) running. When I set the datapath bridge and VLAN 3 and enable VLAN filtering, the DHCP server stops assigning IP addresses. Can anyone help me with this? I would really appreciate any assistance or configuration examples.

I’ve attached my current configuration without the non-functional changes. This is the base setup I’ve been working with. Any advice on what I might be missing or what needs to be adjusted would be greatly appreciated.

Thank you very much!

Gabriel

# 2024-06-21 14:15:35 by RouterOS 7.14.3
# software id = 6WWU-BQIS
#
# model = RB5009UG+S+
# serial number = HFD090WB915
/interface bridge
add admin-mac=78:9A:18:BA:F6:70 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireguard
add listen-port=xxx mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=vlan3 vlan-id=3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi configuration
add country="xxx" disabled=no mode=ap name=WifiCfg1 \
    security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes ssid=\
    KZP-Test steering.rrm=yes .wnm=yes
add country="xxx" datapath.bridge=bridge .interface-list=all \
    disabled=no name=WifiCfg2 security.authentication-types=wpa2-psk .ft=yes \
    .ft-over-ds=yes ssid=KZP-Test2 steering.rrm=yes .wnm=yes
/interface wifi
add configuration=WifiCfg1 disabled=no name=cap-wifi1 radio-mac=\
    78:9A:18:92:6F:4A
add configuration=WifiCfg1 disabled=no name=cap-wifi2 radio-mac=\
    78:9A:18:92:6F:49
add configuration=WifiCfg1 disabled=no name=cap-wifi3 radio-mac=\
    78:9A:18:92:6E:81
add configuration=WifiCfg1 disabled=no name=cap-wifi4 radio-mac=\
    78:9A:18:92:6E:82
add configuration=WifiCfg2 configuration.mode=ap disabled=no mac-address=\
    7A:9A:18:92:6F:4A master-interface=cap-wifi1 name=WifiGuest1
add configuration=WifiCfg2 configuration.mode=ap disabled=no mac-address=\
    7A:9A:18:92:6F:4B master-interface=cap-wifi2 name=WifiGuest2
add configuration=WifiCfg2 configuration.mode=ap disabled=no mac-address=\
    7A:9A:18:92:6F:4C master-interface=cap-wifi3 name=WifiGuest3
add configuration=WifiCfg2 configuration.mode=ap disabled=no mac-address=\
    7A:9A:18:92:6E:82 master-interface=cap-wifi4 name=WifiGuest4
/ip pool
add name=dhcp2 ranges=192.168.101.3-192.168.101.232
add name=dhcp1 ranges=10.77.77.200-10.77.77.254
add name=dhcp_pool2 ranges=192.168.3.3-192.168.3.254
/ip dhcp-server
add address-pool=dhcp2 interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool2 interface=vlan3 lease-time=10m name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=WifiCfg1 \
    slave-configurations=WifiCfg2
/interface wireguard peers
/ip address
add address=192.168.101.2/24 interface=bridge network=192.168.101.0
add address=10.77.77.2/8 interface=bridge network=10.0.0.0
add address=10.66.66.2/8 interface=wireguard1 network=10.0.0.0
add address=192.168.3.2/24 interface=vlan3 network=192.168.3.0
/ip dhcp-client
add comment=defconf interface=sfp-sfpplus1
/ip dhcp-server lease
/ip dhcp-server network
add address=10.0.0.0/8 caps-manager=10.77.77.2 dns-server=\
    10.77.77.16,192.168.101.16,192.168.101.10,10.77.77.20 domain=\
    kancelarzp.local gateway=10.77.77.1
add address=192.168.3.0/24 dns-server=212.67.64.18,8.8.4.4,8.8.8.8 gateway=\
    192.168.3.1
add address=192.168.101.0/24 dns-server=\
    10.77.77.16,192.168.101.16,10.77.77.20,192.168.101.10 domain=\
    kancelarzp.local gateway=192.168.101.1
/ip dns
set allow-remote-requests=yes servers=\
    10.77.77.16,192.168.101.16,192.168.101.10,8.8.8.8,192.168.101.20
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=all-ethernet
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.101.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Prague
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.101.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


AP - this is the export from the AP
# 2024-06-21 14:46:25 by RouterOS 7.15.1
# software id = QFUN-4ZQ0
#
# model = cAPGi-5HaxD2HaxD
# serial number = HF80911RZ8G
/interface bridge
add name=bridge1
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: KZP-Test, channel: 5885/ax/eeeC
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath.bridge=bridge1 disabled=no
# managed by CAPsMAN
# mode: AP, SSID: KZP-Test, channel: 2422/ax/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    datapath.bridge=bridge1 disabled=no
# managed by CAPsMAN
# mode: AP, SSID: KZP-Test2
add disabled=no mac-address=7A:9A:18:92:6E:82 master-interface=wifi2 name=\
    wifi4
# managed by CAPsMAN
# mode: AP, SSID: KZP-Test2
add disabled=no mac-address=7A:9A:18:92:6F:4C master-interface=wifi1 name=\
    wifi5
/interface bridge port
add bridge=bridge1 interface=ether1
/ip firewall connection tracking
set udp-timeout=10s
/interface wifi cap
set discovery-interfaces=bridge1 enabled=yes slaves-static=yes
/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add interface=ether1
/system clock
set time-zone-name=Europe/Prague
/system note
set show-at-login=no

Which model are the CAPs?

They are this model: cAPGi-5HaxD2HaxD

Sorry, I didn’t see that you already appended the CAP config.

A few comments:

  • On the CAP, the DHCP client should be bound to bridge1, and I would assign an IP address to ether2
  • On the CAP, the wifi configuration should be something like:
/interface wifi datapath
add bridge=bridge1 comment=defconf disabled=no name=capdp
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no
/interface wifi cap
set discovery-interfaces=bridge1 enabled=yes slaves-datapath=capdp

(Even better, reset to CAP mode.)

  • On CAPsMAN, the config should be something like:
/interface wifi datapath
add bridge=bridge name=vlan3 vlan-id=3
/interface wifi configuration
add country="xxx" datapath=vlan3 \
    disabled=no name=WifiCfg2 security.authentication-types=wpa2-psk .ft=yes \
    .ft-over-ds=yes ssid=KZP-Test2 steering.rrm=yes .wnm=yes

It looked quite promising, but unfortunately, the same issue appeared in the end… The WiFi is on, but the client doesn’t receive a DHCP address and thus cannot connect…

Can you post the updated configurations (on both devices)?

For AP

# 2024-06-24 10:27:29 by RouterOS 7.15.1
# software id = QFUN-4ZQ0
#
# model = cAPGi-5HaxD2HaxD
# serial number = HF80911RZ8G
/interface bridge
add name=bridge1
/interface wifi datapath
add bridge=bridge1 comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: KZP-Test, channel: 5885/ax/eeeC
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath=capdp datapath.bridge=bridge1 disabled=no
# managed by CAPsMAN
# mode: AP, SSID: KZP-Test, channel: 2432/ax/eC
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    datapath=capdp datapath.bridge=bridge1 disabled=no
# managed by CAPsMAN
# mode: AP, SSID: KZP-Test2
add disabled=no mac-address=7A:9A:18:92:6E:82 master-interface=wifi2 name=\
    wifi4
# managed by CAPsMAN
# mode: AP, SSID: KZP-Test2
add disabled=no mac-address=7A:9A:18:92:6F:4C master-interface=wifi1 name=\
    wifi5
/interface bridge port
add bridge=bridge1 interface=ether1
/ip firewall connection tracking
set udp-timeout=10s
/interface wifi cap
set discovery-interfaces=bridge1 enabled=yes slaves-datapath=capdp \
    slaves-static=yes
/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none
/ip dhcp-client
add interface=bridge1
/system clock
set time-zone-name=Europe/Prague
/system note
set show-at-login=no

For main unit

# 2024-06-24 10:27:15 by RouterOS 7.14.3
# software id = 6WWU-BQIS
#
# model = RB5009UG+S+
# serial number = HFD090WB915
/interface bridge
add admin-mac=78:9A:18:BA:F6:70 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireguard
add listen-port=xxx mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=vlan3 vlan-id=3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi configuration
add country="United States" disabled=no mode=ap name=WifiCfg1 \
    security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes ssid=\
    KZP-Test steering.rrm=yes .wnm=yes
/interface wifi
add configuration=WifiCfg1 disabled=no name=cap-wifi1 radio-mac=\
    78:9A:18:92:6F:4A
add configuration=WifiCfg1 disabled=no name=cap-wifi2 radio-mac=\
    78:9A:18:92:6F:49
add configuration=WifiCfg1 disabled=no name=cap-wifi3 radio-mac=\
    78:9A:18:92:6E:81
add configuration=WifiCfg1 disabled=no name=cap-wifi4 radio-mac=\
    78:9A:18:92:6E:82
/interface wifi datapath
add bridge=bridge name=vlan3 vlan-id=3
/interface wifi configuration
add country="United States" datapath=vlan3 disabled=no name=WifiCfg2 \
    security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes ssid=\
    KZP-Test2 steering.rrm=yes .wnm=yes
/interface wifi
add configuration=WifiCfg2 configuration.mode=ap disabled=no mac-address=\
    7A:9A:18:92:6F:4A master-interface=cap-wifi1 name=WifiGuest1
add configuration=WifiCfg2 configuration.mode=ap disabled=no mac-address=\
    7A:9A:18:92:6F:4B master-interface=cap-wifi2 name=WifiGuest2
add configuration=WifiCfg2 configuration.mode=ap disabled=no mac-address=\
    7A:9A:18:92:6F:4C master-interface=cap-wifi3 name=WifiGuest3
add configuration=WifiCfg2 configuration.mode=ap disabled=no mac-address=\
    7A:9A:18:92:6E:82 master-interface=cap-wifi4 name=WifiGuest4
/ip pool
add name=dhcp2 ranges=192.168.101.3-192.168.101.232
add name=dhcp1 ranges=10.77.77.200-10.77.77.254
add name=dhcp_pool2 ranges=192.168.3.3-192.168.3.254
/ip dhcp-server
add address-pool=dhcp2 interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool2 interface=vlan3 lease-time=10m name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=WifiCfg1 \
    slave-configurations=WifiCfg2
/ip address
add address=192.168.101.2/24 interface=bridge network=192.168.101.0
add address=10.77.77.2/8 interface=bridge network=10.0.0.0
add address=10.66.66.2/8 interface=wireguard1 network=10.0.0.0
add address=192.168.3.2/24 interface=vlan3 network=192.168.3.0
/ip dhcp-client
add comment=defconf interface=sfp-sfpplus1
/ip dhcp-server lease
/ip dhcp-server network
add address=10.0.0.0/8 caps-manager=10.77.77.2 dns-server=\
    10.77.77.16,192.168.101.16,192.168.101.10,10.77.77.20 domain=\
    kancelarzp.local gateway=10.77.77.1
add address=192.168.3.0/24 dns-server=212.67.64.18,8.8.4.4,8.8.8.8 gateway=\
    192.168.3.1
add address=192.168.101.0/24 dns-server=\
    10.77.77.16,192.168.101.16,10.77.77.20,192.168.101.10 domain=\
    kancelarzp.local gateway=192.168.101.1
/ip dns
set allow-remote-requests=yes servers=\
    10.77.77.16,192.168.101.16,192.168.101.10,8.8.8.8,192.168.101.20
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=all-ethernet
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.101.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Prague
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.101.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The CAP looks good.

I don’t understand why you are configuring wifi interfaces on the RB5009UG.
I mean that the following rows should not be present:

/interface wifi
add configuration=WifiCfg1 disabled=no name=cap-wifi1 radio-mac=\
    78:9A:18:92:6F:4A
add configuration=WifiCfg1 disabled=no name=cap-wifi2 radio-mac=\
    78:9A:18:92:6F:49
add configuration=WifiCfg1 disabled=no name=cap-wifi3 radio-mac=\
    78:9A:18:92:6E:81
add configuration=WifiCfg1 disabled=no name=cap-wifi4 radio-mac=\
    78:9A:18:92:6E:82

/interface wifi
add configuration=WifiCfg2 configuration.mode=ap disabled=no mac-address=\
    7A:9A:18:92:6F:4A master-interface=cap-wifi1 name=WifiGuest1
add configuration=WifiCfg2 configuration.mode=ap disabled=no mac-address=\
    7A:9A:18:92:6F:4B master-interface=cap-wifi2 name=WifiGuest2
add configuration=WifiCfg2 configuration.mode=ap disabled=no mac-address=\
    7A:9A:18:92:6F:4C master-interface=cap-wifi3 name=WifiGuest3
add configuration=WifiCfg2 configuration.mode=ap disabled=no mac-address=\
    7A:9A:18:92:6E:82 master-interface=cap-wifi4 name=WifiGuest4

Then, I think that you should also add

/interface bridge vlan
add bridge=bridge tagged=bridge,etherXX vlan-ids=3

with XX replaced by the number of the port(s) the CAP(s) are connected to.

In addition, you should also set vlan-filtering=yes on the bridge. But I suggest you first remove one of the ethernet ports from the bridge and set an IP on that port.
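The two replies above describe one procedure from both ends: a wifi datapath on the CAPsMAN that tags the guest SSID with VLAN 3, and on the RB5009 a bridge VLAN table entry that lists the bridge itself plus the CAP uplink port(s) as tagged members before vlan-filtering=yes is switched on. As an added example that is not part of the thread (neither the posters' configuration nor MikroTik tooling), the Python script below parses the `/export` text format shown in this thread and flags the mistakes that make a DHCP server on a bridge VLAN interface go silent once filtering is enabled. It goes one step beyond the thread and also checks that a forward-chain drop rule isolates the guest VLAN from the rest of the forward path, which a public Wi-Fi segment needs whatever the VLAN plumbing looks like. The embedded `FIXED`/`BROKEN` exports are constructed samples modelled on the layout discussed here (ether3 as the CAP uplink, ether1 in a WAN interface list, a GUEST list, a datapath named guestdp), not real device exports; the isolation check is a heuristic on rule attributes and does not evaluate rule order.

```python
import shlex
from collections import defaultdict

def parse_export(text):
    """Return [(section, verb, attrs)] per command of a RouterOS `/export`: joins backslash-
    continued lines, skips '#' comments, honours quotes, expands '.key=' shorthand."""
    logical, buf = [], ""
    for raw in text.splitlines():
        piece = raw.lstrip() if buf else raw.strip()
        if piece.endswith("\\"):
            buf += piece[:-1]
            continue
        logical.append(buf + piece)
        buf = ""
    section, entries = "", []
    for line in logical:
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
            continue
        toks, attrs, prefix = shlex.split(line), {}, ""
        for tok in toks[1:]:
            if "=" not in tok:  # '[', 'find', ']' and similar selector tokens
                continue
            key, val = tok.split("=", 1)
            if key.startswith("."):  # 'security.x=1 .ft=yes' means security.ft=yes
                key = prefix + key
            elif "." in key:
                prefix = key.rsplit(".", 1)[0]
            attrs[key] = val
        entries.append((section, toks[0], attrs))
    return entries

def expand_ids(spec):  # '3' -> {3}; '10-12,20' -> {10, 11, 12, 20}
    return {i for part in spec.split(",") for lo, _, hi in [part.partition("-")]
            for i in range(int(lo), int(hi or lo) + 1)}

def select(entries, section, verb="add"):
    return [a for s, v, a in entries if s == section and v == verb]

def has_isolation_rule(entries, iface):
    """Heuristic: some forward-chain drop rule matches traffic entering via `iface`,
    by name or through an interface list it belongs to (rule order is not evaluated)."""
    lists = {m["list"] for m in select(entries, "/interface list member") if m.get("interface") == iface}
    return any(r.get("chain") == "forward" and r.get("action") == "drop"
               and (r.get("in-interface") == iface or r.get("in-interface-list") in lists)
               for r in select(entries, "/ip firewall filter"))

def lint(text):
    """Return sorted finding strings; an empty list means nothing was flagged."""
    entries = parse_export(text)
    filtering = {b["name"]: b.get("vlan-filtering") == "yes" for b in select(entries, "/interface bridge")}
    tagged = defaultdict(lambda: defaultdict(set))  # bridge -> vid -> ports carrying it tagged
    for row in select(entries, "/interface bridge vlan"):
        for vid in expand_ids(row["vlan-ids"]):
            tagged[row["bridge"]][vid] |= set(filter(None, row.get("tagged", "").split(",")))
    findings, l3 = [], {}
    for v in select(entries, "/interface vlan"):
        br, vid = v["interface"], int(v["vlan-id"])
        l3[(br, vid)] = v["name"]
        # With vlan-filtering=yes the bridge itself is a port (CPU port); left out of tagged=,
        # the router never sees that VLAN, so a DHCP server on the VLAN interface is deaf.
        if filtering.get(br) and br not in tagged[br][vid]:
            findings.append(f"vlan {vid}: '{v['name']}' is on {br} but '{br}' (CPU port) is not a tagged member; DHCP on it cannot answer")
    for dp in select(entries, "/interface wifi datapath"):
        if "vlan-id" not in dp:
            continue
        br, vid = dp["bridge"], int(dp["vlan-id"])
        # The CAP tags guest frames itself, so the uplink port(s) must carry the VLAN tagged.
        if filtering.get(br) and not (tagged[br][vid] - {br}):
            findings.append(f"vlan {vid}: datapath '{dp['name']}' tags guest traffic but no port of {br} carries it; add the CAP uplink port(s) to tagged=")
        iface = l3.get((br, vid))
        if iface and not has_isolation_rule(entries, iface):
            findings.append(f"vlan {vid}: no forward-chain drop rule for traffic from '{iface}'; public Wi-Fi clients can reach the internal LAN")
    return sorted(findings)

# Constructed sample modelled on the thread's layout (not a real export): guest VLAN 3 on a
# filtering bridge, CAP uplink on ether3, Internet via ether1 in the WAN list.
FIXED = r"""
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=vlan3 vlan-id=3
/interface list member
add interface=vlan3 list=GUEST
add interface=ether1 list=WAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 vlan-ids=3
/interface wifi datapath
add bridge=bridge name=guestdp vlan-id=3
/ip firewall filter
add action=accept chain=forward comment="guest: internet only" \
    in-interface-list=GUEST out-interface-list=WAN
add action=drop chain=forward comment="guest: nothing else" in-interface-list=GUEST
"""
# Same layout with the two classic mistakes: CPU port missing from tagged=, no isolation rule.
BROKEN = FIXED.split("/ip firewall filter")[0].replace("tagged=bridge,ether3", "tagged=ether3")

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint(cfg) or "ok")
```

To check a real device, paste the output of `/export` into a file and call `lint(open("export.rsc").read())`. Two findings come back for `BROKEN` (CPU port not tagged, no isolation rule) and none for `FIXED`; a `tagged=` list that names only `bridge` produces the third finding, the missing CAP uplink. The parser deliberately ignores the `[ find default-name=... ]` selector tokens, so CAP-side exports with `set` commands parse as well.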

Unfortunately, this adjustment didn’t help either. Some of the steps are the same as what I tried myself, but unfortunately, the result is still the same. Previously, only the new WiFi wasn’t working, but now the old WiFi is behaving the same way as well.

# 2024-06-24 11:48:29 by RouterOS 7.14.3
# software id = 6WWU-BQIS
#
# model = RB5009UG+S+
# serial number = HFD090WB915
/interface bridge
add admin-mac=78:9A:18:BA:F6:70 auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short vlan-filtering=yes
/interface wireguard
add listen-port=xxx mtu=1420 name=wireguard1
/interface vlan
add interface=bridge name=vlan3 vlan-id=3
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi configuration
add country="United States" disabled=no mode=ap name=WifiCfg1 \
    security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes ssid=\
    KZP-Test steering.rrm=yes .wnm=yes
/interface wifi datapath
add bridge=bridge name=vlan3 vlan-id=3
/interface wifi configuration
add country="United States" datapath=vlan3 disabled=no name=WifiCfg2 \
    security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes ssid=\
    KZP-Test2 steering.rrm=yes .wnm=yes
/ip pool
add name=dhcp2 ranges=192.168.101.3-192.168.101.232
add name=dhcp1 ranges=10.77.77.200-10.77.77.254
add name=dhcp_pool2 ranges=192.168.3.3-192.168.3.254
/ip dhcp-server
add address-pool=dhcp2 interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool2 interface=vlan3 lease-time=10m name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether6 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether7 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether8 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf disabled=yes interface=sfp-sfpplus1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether3,ether6,ether7 vlan-ids=3
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=WifiCfg1 \
    slave-configurations=WifiCfg2
/interface wireguard peers
add allowed-address=10.66.66.56/32,::/0 comment="Test Gabriel Melena" \
    endpoint-port=51820 interface=wireguard1 public-key=\
    "l8nV7+FftOPstF2U3SCY+CJqjfnA0SJDo/EMcoIhOkE="
add allowed-address=10.66.66.60/32,::/0 comment="Test Martin Mejzr" \
    endpoint-port=51820 interface=wireguard1 public-key=\
    "9z/3HGDnpvHxqS+LKplyOwoFx5QekrhKimJ5+xZzdic="
/ip address
add address=192.168.101.2/24 interface=bridge network=192.168.101.0
add address=10.77.77.2/8 interface=ether2 network=10.0.0.0
add address=10.66.66.2/8 interface=wireguard1 network=10.0.0.0
add address=192.168.3.2/24 interface=vlan3 network=192.168.3.0
/ip dhcp-client
add comment=defconf interface=sfp-sfpplus1
/ip dhcp-server lease
/ip dhcp-server network
add address=10.0.0.0/8 caps-manager=10.77.77.2 dns-server=\
    10.77.77.16,192.168.101.16,192.168.101.10,10.77.77.20 domain=\
    kancelarzp.local gateway=10.77.77.1
add address=192.168.3.0/24 dns-server=212.67.64.18,8.8.4.4,8.8.8.8 gateway=\
    192.168.3.1
add address=192.168.101.0/24 dns-server=\
    10.77.77.16,192.168.101.16,10.77.77.20,192.168.101.10 domain=\
    kancelarzp.local gateway=192.168.101.1
/ip dns
set allow-remote-requests=yes servers=\
    10.77.77.16,192.168.101.16,192.168.101.10,8.8.8.8,192.168.101.20
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=all-ethernet
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.101.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Prague
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.101.1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I suppose that the non-guest wifi does not work since you are not specifying a datapath for configuration WifiCfg1. You should probably add a datapath in this way:

/interface wifi datapath
add bridge=bridge name=dpbridge
/interface wifi configuration
add country="United States" datapath=dpbridge disabled=no mode=ap name=WifiCfg1 \
    security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes ssid=\
    KZP-Test steering.rrm=yes .wnm=yes
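Building on that reply, here is an added example (not the poster's export and not MikroTik's own documentation) of the pieces that have to exist before vlan-filtering is switched on for this bridge, so that the guest SSID lands in VLAN 3 and the DHCP server bound to vlan3 keeps seeing requests. Assumed names: ether2 as the trunk port towards the Fortigate, dp-guest, pool-guest and dhcp-guest as profile names, and 10.3.0.0/24 as a constructed guest subnet.

```routeros
# Added example; assumptions: bridge is named "bridge" (as in the export),
# ether2 is a placeholder for the trunk port to the Fortigate, and
# 10.3.0.0/24 is a constructed guest subnet.

# 1. Bridge VLAN table. The bridge itself must be a tagged member of VLAN 3;
#    otherwise the CPU-side interface "vlan3" (and the DHCP server bound to
#    it) never receives guest frames once vlan-filtering is enabled.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=3

# 2. Datapath for the guest SSID: clients are placed in VLAN 3 (the wifi
#    interface joins the bridge with pvid 3) and cannot reach each other
#    through the AP.
/interface wifi datapath
add name=dp-guest bridge=bridge vlan-id=3 client-isolation=yes

# 3. Bind the guest configuration (WifiCfg2 / KZP-Test2 in the export) to it.
/interface wifi configuration
set [find name=WifiCfg2] datapath=dp-guest

# 4. Guest DHCP on the vlan3 interface that already exists in the export.
/ip address
add address=10.3.0.1/24 interface=vlan3
/ip pool
add name=pool-guest ranges=10.3.0.10-10.3.0.250
/ip dhcp-server
add name=dhcp-guest interface=vlan3 address-pool=pool-guest
/ip dhcp-server network
add address=10.3.0.0/24 gateway=10.3.0.1 dns-server=10.3.0.1

# 5. Guests get DNS from the router but nothing else on it, and no path
#    into the private LAN. place-before=0 puts the rules ahead of the
#    defconf rules, which would otherwise be evaluated first.
/ip firewall filter
add chain=input action=accept in-interface=vlan3 protocol=udp dst-port=53 \
    comment="guest: DNS only" place-before=0
add chain=input action=drop in-interface=vlan3 \
    comment="guest: no router services" place-before=1
add chain=forward action=drop in-interface=vlan3 out-interface-list=LAN \
    comment="guest: no access to LAN" place-before=0

# 6. Only now enable filtering (do this from Safe Mode so a mistake in the
#    VLAN table cannot lock you out of the router).
/interface bridge
set bridge vlan-filtering=yes
```

The order matters: if vlan-filtering is enabled before step 1, the bridge drops tagged guest frames before vlan3 sees them, which matches the "DHCP stops assigning addresses" symptom described in the opening post.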

I’m sorry. This is the best I can do.

I am very grateful for any help. I also have a UniFi AP, which is directly connected to the Fortigate. It broadcasts the networks KZP and KZP-Public. Mikrotik broadcasts KZP-Test, which is the same as KZP, and everything works fine. However, I am unable to set KZP-Test2 to use VLAN ID 3.

The VLAN is defined on the Fortigate along with firewall rules, but the DHCP for the VLAN is provided by Mikrotik. When I enabled VLAN filtering, DHCP stopped working even for the UniFi (KZP-Public).
https://imgur.com/a/BacBDjt

Can you fully describe your network? A diagram is better than a thousand words.
I'm not sure I understand your topology.

Unfortunately, I cannot provide a full description or a diagram of the network as it is a corporate network. The AP is connected directly to the Mikrotik and it does receive an IP address from the VLAN ID 3 range, yet it still doesn’t work.

I see. I apologize, but I am out of ideas. Being a corporate network, probably the best is to hire a consultant.

I'm no guru, but do you have a pool for that IP for the VLANs?
That's the thing that sticks out to me looking at your config on the main router.
As I said, I'm no expert, learning as you are.

Just to summarize:

Fortigate offers VLAN ID 3 for public Wi-Fi. Any other VLAN ID (or untagged) for anything else?
That is offered to the RB5009, right?
But there is no VLAN set on the WAN interface, right?

You have to come up with a network diagram, showing all VLAN IDs and the Fortigate, RB5009 and APs.
Because your current situation is unclear, the reason for having this RB5009 is unclear and the way you want it to work is unclear.

And…otherwise, get professional help (on the network, no pun intended).

The issue has been identified. VLAN filtering had to remain disabled. Thank you for your cooperation. The problem was caused by the L2 switch.

I still appreciate the expert oversight, and I made adjustments to the configuration based on the contributions. This case can now be closed.