V7.21 - CAPsMAN traffic processing with VLAN aware bridge

The CAPsMAN Server runs on a remote device. CAP and CAPsMAN Server can reach each other over a WireGuard tunnel.

CAPsMAN management itself works fine. But traffic processing does not seem to be working: when connecting to the WiFi, I don't get an IP. So I assume no traffic is passing.

Checking ether4 succeeds: I get an IP when connecting my computer to this port, so the VLAN seems to work.

CAPsMAN Server / Switch:

/interface bridge
add auto-mac=no comment=defconf name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
# ether4 is the untagged access port for VLAN 90
add bridge=bridge comment=defconf interface=ether4 pvid=90
# VLAN 90 leaves tagged on ether1/ether2 and untagged on ether4
/interface bridge vlan
add bridge=bridge tagged=ether1,ether2 untagged=ether4 vlan-ids=90
# client traffic is forwarded from the CAP to this device and placed in VLAN 90 on "bridge"
/interface wifi datapath
add bridge=bridge disabled=no name=datapath-vlan90 traffic-processing=on-capsman-secure vlan-id=90
/interface wifi configuration
add datapath=datapath-vlan90 disabled=no name=cfg1 security.authentication-types=wpa3-psk ssid=test-cap
# CAPs are accepted without a certificate check
/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg1

CAP:

/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no
/interface wifi cap
set caps-man-addresses=172.16.50.55 enabled=yes
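The following is an added, worked example that is not from the original post or from MikroTik documentation. It shows both sides of the setup described above (VLAN-aware bridge on the CAPsMAN device, traffic processing on CAPsMAN, CAP reached over WireGuard), and goes beyond the post in two ways: CAPsMAN only listens on the tunnel interface and requires a CAP certificate, and the CAP is locked to that CAPsMAN. The WireGuard interface name "wg-caps", the addresses 172.16.50.55 (CAPsMAN) and 172.16.50.56 (CAP), the key placeholders, the security profile "sec-vlan90" and the assumption that datapath.vlan-id is applied as the dynamic bridge port's pvid are all mine, not taken from the thread.

```routeros
# ---------------------------------------------------------------------------
# CAPsMAN / switch side (added example; names and addresses are assumptions)
# ---------------------------------------------------------------------------
/interface wireguard
add name=wg-caps listen-port=13231 private-key="<capsman-private-key>"
/interface wireguard peers
add interface=wg-caps public-key="<cap-public-key>" allowed-address=172.16.50.56/32 \
    persistent-keepalive=25s
/ip address
add address=172.16.50.55/24 interface=wg-caps

# VLAN-aware bridge: VLAN 90 is tagged on the uplinks and untagged on ether4.
# Assumption: the dynamic wifi interfaces CAPsMAN creates here become bridge
# ports with pvid=90 (from datapath.vlan-id), so they need no static entry in
# /interface bridge vlan. Verify with "/interface bridge vlan print" (dynamic
# entries are marked D).
/interface bridge
add name=bridge vlan-filtering=yes
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether4 pvid=90
/interface bridge vlan
add bridge=bridge tagged=ether1,ether2 untagged=ether4 vlan-ids=90

# Client frames are carried from the CAP to this device and injected into
# "bridge" in VLAN 90; on-capsman-secure is the variant the thread reports
# as added in 7.21.1.
/interface wifi datapath
add name=datapath-vlan90 bridge=bridge vlan-id=90 traffic-processing=on-capsman-secure
/interface wifi security
add name=sec-vlan90 authentication-types=wpa3-psk passphrase="<strong-passphrase>"
/interface wifi configuration
add name=cfg1 ssid=test-cap security=sec-vlan90 datapath=datapath-vlan90

# Listen for CAPs only on the tunnel, issue certificates automatically and
# refuse CAPs that do not present one signed by this CAPsMAN.
/interface wifi capsman
set enabled=yes interfaces=wg-caps certificate=auto ca-certificate=auto \
    require-peer-certificate=yes upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=cfg1

# ---------------------------------------------------------------------------
# CAP side (added example; names and addresses are assumptions)
# ---------------------------------------------------------------------------
/interface wireguard
add name=wg-caps listen-port=13231 private-key="<cap-private-key>"
/interface wireguard peers
add interface=wg-caps public-key="<capsman-public-key>" endpoint-address=<capsman-public-ip> \
    endpoint-port=13231 allowed-address=172.16.50.0/24 persistent-keepalive=25s
/ip address
add address=172.16.50.56/24 interface=wg-caps

# With traffic processing on CAPsMAN no local datapath is needed on the CAP.
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman disabled=no
# Request a certificate from CAPsMAN and then refuse to join any other manager.
/interface wifi cap
set enabled=yes caps-man-addresses=172.16.50.55 certificate=request lock-to-caps-man=yes

# Checks, in order:
#   CAP:    /ping 172.16.50.55 count=3            (tunnel up?)
#   CAP:    /interface wifi cap print             (current-caps-man-address set?)
#   CAPsMAN:/interface wifi print                 (dynamic wifi1/wifi2 interfaces present?)
#   CAPsMAN:/interface bridge port print          (dynamic ports have pvid=90?)
#   CAPsMAN:/interface bridge vlan print          (VLAN 90 lists those ports untagged?)
```

Because the tunnel carries both the control channel and every client frame, the WireGuard MTU and keepalive matter: a dropped peer takes the SSID down with it, which is the concern raised further down in the thread.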

From the documentation:

/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp

/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp disabled=no

/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp

You are aware that when there is no tunnel available, the wireless network is down as well?

  • wifi - added CAPsMAN forwarding support (datapath.traffic-processing=on-capsman);

The configuration I posted is from the CAP, which currently seems to be incomplete.

CAPsMAN itself seems to work. Or what specifically do you mean?
Configuring the datapath on the AP itself seems to be wrong in this operating mode; I can't see the remote datapath on the AP.

/interface wifi
# managed by CAPsMAN 172.16.50.55, traffic processing on CAPsMAN
# mode: AP, SSID: test-cap, channel: 5805/ax/eeeC
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN 172.16.50.55, traffic processing on CAPsMAN
# mode: AP, SSID: test-cap, channel: 2462/ax/eC
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no

Can the CAP communicate over IP (via WireGuard) with the CAPsMAN controller?
What IP settings does the CAP have?
You only show part of the config. We may need all of it.

Is there something in between the CAPsMAN controller and the CAP handling the WireGuard part?

A bit more context on the complete setup might help as well.

Does the OP want CAPsMAN to manage all connections across a VPN?

Holy S–T! CAPsMAN processing used to slow access to a crawl when it was on the same network. Now you want it all to go across the VPN and come back?

Really hoping I read this wrong.

As a side remark: not such a strange comment.

I have never set up CAPsMAN across a VPN or even across sites. It always stays local for me.
What if your VPN burps for one reason or another? Down the drain goes your CAPsMAN connection, and the wifi "on the other side" with it. Instantly.
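As an added example that is not from any post in this thread: one way to keep the SSID up when the tunnel drops is to give the CAP a local configuration and let it fall back to it with configuration.manager=capsman-or-local, and to log tunnel loss with netwatch. The local bridge name "bridgeLocal", the tunnel interface "wg-caps", the configuration and security profile names, and the assumption that fallback gives local-only forwarding (the remote VLAN 90 is by definition not reachable without the tunnel) are mine.

```routeros
# Added example: CAP-side fallback (assumptions: "bridgeLocal" exists on the CAP,
# CAPsMAN is 172.16.50.55 over WireGuard interface "wg-caps").

# Local datapath and configuration used only when CAPsMAN is unreachable.
# Clients then get local forwarding on bridgeLocal, not the CAPsMAN-side VLAN.
/interface wifi datapath
add name=local-dp bridge=bridgeLocal
/interface wifi security
add name=local-sec authentication-types=wpa3-psk passphrase="<same-passphrase-as-capsman>"
/interface wifi configuration
add name=local-cfg ssid=test-cap security=local-sec datapath=local-dp

# capsman-or-local: use the CAPsMAN-provisioned configuration while the
# controller is reachable, otherwise fall back to local-cfg.
/interface wifi
set [ find default-name=wifi1 ] configuration=local-cfg configuration.manager=capsman-or-local disabled=no
set [ find default-name=wifi2 ] configuration=local-cfg configuration.manager=capsman-or-local disabled=no

# Make tunnel loss visible instead of silent: log when CAPsMAN stops answering.
/tool netwatch
add host=172.16.50.55 interval=30s timeout=2s type=icmp \
    down-script=":log warning \"CAPsMAN 172.16.50.55 unreachable over wg-caps\"" \
    up-script=":log info \"CAPsMAN 172.16.50.55 reachable again\""
```

Whether the fallback is acceptable depends on what the local bridge can reach: if it has no usable uplink, an SSID that stays up but hands out nothing is not better than one that goes down, so test the outage case deliberately by disabling the WireGuard peer.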

CCR-2004-12S+2XS router as CAPsMANv2 and CAPsMANv1 controller: I am seeing a lot of random, unpredictable kernel failures and reboots. Anecdotally speaking, I now attribute it to traffic-processing=on-capsman-secure. I have reverted to the pre-ROSv7.21.1 traffic-processing=on-capsman instead and have seen no kernel failure reboots so far in the last couple of days (since I reverted the traffic-processing setting).

CAPsMANv2 settings on CCR-2004 :

(Note: For brevity I am posting the setup for one SSID on both the 2 GHz and 5 GHz radios. I have several SSIDs over 4 VLANs.)

/interface/wifi/configuration/print

name="Pvt2-2g-ax-cfg" mode=ap ssid="XXXXXWiFi" country=United States tx-power=14 manager=capsman-or-local multicast-enhance=enabled
security=roaming_sec
security.authentication-types=wpa2-psk .encryption=ccmp .group-encryption=ccmp .group-key-update=50m .wps=disable .ft=yes .ft-over-ds=yes
datapath=PvtDP
datapath.bridge=bridge1 .client-isolation=no .traffic-processing=on-capsman .vlan-id=4 .interface-list=PvtLAN_PHY
channel=2G-AX
channel.frequency=2412,2437,2462 .band=2ghz-ax .width=20mhz .skip-dfs-channels=all
steering=steering1-pvt-2
steering.neighbor-group=PvtLAN-2 .rrm=yes .wnm=yes

name="Pvt2-5g-ax-cfg" mode=ap ssid="XXXXXWiFi" country=United States tx-power=24 manager=capsman-or-local multicast-enhance=enabled
security=roaming_sec
security.authentication-types=wpa2-psk .encryption=ccmp .group-encryption=ccmp .group-key-update=50m .wps=disable .ft=yes .ft-over-ds=yes
datapath=PvtDP
datapath.bridge=bridge1 .client-isolation=no .traffic-processing=on-capsman .vlan-id=4 .interface-list=PvtLAN_PHY
channel=5G-AX-auto
channel.frequency=5170-5250,5250-5330,5490-5730,5735-5895 .band=5ghz-ax .width=20/40/80mhz .skip-dfs-channels=all
steering=steering1-pvt-2
steering.neighbor-group=PvtLAN-2 .rrm=yes .wnm=yes

Screenshot of the associated datapath "PvtDP":

on cap hAPax2:
/interface/wifi/datapath/print
0 capdp bridge1

/interface/wifi/cap/print
enabled: yes
discovery-interfaces: bridge1
slaves-datapath: capdp
current-caps-man-address: XX:XX:XX:XX:MAC:XX%bridge1
current-caps-man-identity: Z-CCR2004-GWRouter

Hope this helps.