Wifi AP roaming with android devices - stuck on far away AP2 while sitting below AP3

Hi All,

I have a setup where an RB5009 is acting as CAPsMAN, and 2 cAP XL ax devices as CAPs.
The house where this setup is configured is an old school from 1820 with 60 to 90cm thick walls, which is why I made sure to lay a Cat6 cable from one end to the other and connect the CAP devices through the CAPsMAN.

Now, whenever I'm at one end and connect to that AP, then move to the other end of the house, my Android phone/tablet sticks to the AP at the other end. I really have to forget the AP/SSID on the Android device and reconnect to the current one, entering the password etc., to get a good connection.

Is there a best practice to configure the CAPs here, on the wifi side?

What I configure (I can send the configs once back home) is AP roaming, the same SSID on 5 and 2.4GHz channels, different channels/frequencies for both APs. 2.4GHz antenna gain is set to 11dB while 5GHz is set to 17dB.

The same configuration, in our old house using a bunch of old APs, worked fine (old wireless package).

Can you share the config with us (remove serial and any other private info).

Don't use antenna gain (which is fixed), use tx power instead.

Here you are.

CAPsMAN

# 2026-04-20 10:24:31 by RouterOS 7.20.8
# software id = 8QJA-6DP1
#
# model = RB5009UPr+S+
/interface bridge
add admin-mac=D4:01:C3:93:B1:59 auto-mac=no comment="LAN Bridge" name=\
    bridge-lan vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="2.5Gbps - connect lower floor" \
    name=ether1-lan-ap1 poe-out=off
set [ find default-name=ether2 ] comment="Starlink port" name=\
    ether2-wan-starlink poe-out=off
set [ find default-name=ether3 ] comment="AP Upper floor" name=ether3-lan-ap2
set [ find default-name=ether4 ] comment="Dock dude1 Laptop" name=\
    ether4-lan-jorg poe-out=off
set [ find default-name=ether5 ] comment="Ethernet dude2" name=\
    ether5-lan-manue poe-out=off
set [ find default-name=ether6 ] comment="Zigbee IoT" name=ether6-lan-iot
set [ find default-name=ether7 ] comment=\
    "mAP2nd connection (outside, PoE out)" name=ether7-lan-ap3
set [ find default-name=ether8 ] comment="Management Interface" name=\
    ether8-mngmt poe-out=off
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no comment=\
    "Dock stuff work" disabled=yes name=spf-sfpplus1-dock-work speed=\
    1G-baseT-full
/interface wifi
# operated by CAP 04:F4:1C:58:F4:2E%bridge-lan
add name=cap-wifi2 radio-mac=04:F4:1C:58:F4:32
# operated by CAP 04:F4:1C:58:F4:2E%bridge-lan
add name=cap-wifi3 radio-mac=04:F4:1C:58:F4:33
/interface vrrp
add comment=AUTO-VRRP-LAN interface=bridge-lan name=vrrp-lan vrid=2
/interface wireguard
add comment=back-to-home-vpn listen-port=44503 mtu=1420 name=back-to-home-vpn
/interface vlan
add comment=AUTO-GUEST-VLAN interface=bridge-lan name=vlan40-guest vlan-id=40
/interface vrrp
add comment=AUTO-VRRP-GUEST interface=vlan40-guest name=vrrp-guest vrid=40
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=auto-legacy-sec-sollan
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=auto-legacy-sec-iot
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=auto-legacy-sec-guest
/caps-man configuration
add channel.band=2ghz-b/g/n .control-channel-width=20mhz .frequency=2447 \
    datapath.local-forwarding=yes name=auto-legacy-main security=\
    auto-legacy-sec-sollan ssid=Access_Denied
add datapath.local-forwarding=yes name=auto-legacy-iot security=\
    auto-legacy-sec-iot ssid=iot
add datapath.local-forwarding=yes .vlan-id=40 .vlan-mode=use-tag name=\
    auto-legacy-guest security=auto-legacy-sec-guest ssid=Access_Guest
/interface list
add comment=Uplinks name=WAN
add comment=defconf name=LAN
add name=WORK
add comment="Management interface list" name=management
add comment="All VLANs excluding management VLAN" name=vlan
/interface wifi datapath
add bridge=bridge-lan name=auto-dp-lan
add bridge=bridge-lan name=auto-dp-guest vlan-id=40
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk ft=yes ft-over-ds=yes name=\
    auto-sec-sollan
add authentication-types=wpa2-psk name=auto-sec-iot
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=auto-sec-guest
/interface wifi configuration
add datapath=auto-dp-lan name=auto-cfg-iot security=auto-sec-iot ssid=iot
add datapath=auto-dp-guest name=auto-cfg-guest security=auto-sec-guest ssid=\
    Access_Guest
add channel.frequency=2462 .width=20mhz comment=cAPXLax-1f-2Ghz country=\
    France datapath=auto-dp-lan disabled=no name=auto-cfg-sollan-2g-ap2-1f \
    security=auto-sec-sollan ssid=Access_Denied steering.rrm=yes .wnm=yes \
    tx-power=11
add channel.frequency=5220 .skip-dfs-channels=all .width=20/40mhz-Ce comment=\
    cAPXLax-1f-5Ghz country=France datapath=auto-dp-lan disabled=no name=\
    auto-cfg-sollan-5g-ap2-1f security=auto-sec-sollan ssid=Access_Denied \
    steering.rrm=yes .wnm=yes tx-power=17
add channel.frequency=5180 .skip-dfs-channels=all .width=20/40mhz-Ce comment=\
    cAPXLax-gf-5Ghz country=France datapath=auto-dp-lan disabled=no name=\
    auto-cfg-sollan-5g-ap3-gf security=auto-sec-sollan ssid=Access_Denied \
    steering.rrm=yes .wnm=yes tx-power=17
add channel.frequency=2442 .width=20mhz comment=cAPXLax-gf-2Ghz country=\
    France datapath=auto-dp-lan disabled=no name=auto-cfg-sollan-2g-ap3-gf \
    security=auto-sec-sollan ssid=Access_Denied steering.rrm=yes .wnm=yes \
    tx-power=11
add datapath=auto-dp-lan disabled=no name=auto-cfg-media security=\
    auto-sec-sollan ssid=Access_media
/interface wifi steering
add disabled=no name=steering-main rrm=yes wnm=yes
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
add name=pool-sollan ranges=10.0.2.100-10.0.2.199
add name=pool-iot ranges=10.0.3.100-10.0.3.199
add name=pool-guest ranges=10.0.4.100-10.0.4.199
add name=pool-management ranges=10.0.99.100-10.0.99.199
add name=pool-generic-auto ranges=10.0.2.100-10.0.2.199
add name=pool-guest-auto ranges=10.0.4.100-10.0.4.199
/ip dhcp-server
add address-pool=pool-generic-auto interface=bridge-lan lease-time=12h name=\
    dhcp-lan-auto
add address-pool=pool-guest-auto interface=vlan40-guest lease-time=8h name=\
    dhcp-guest-auto
/system logging action
set 3 remote=10.0.2.1 syslog-time-format=iso8601
/user group
add name=ftp policy="ftp,read,sensitive,!local,!telnet,!ssh,!reboot,!write,!po\
    licy,!test,!winbox,!password,!web,!sniff,!api,!romon,!rest-api"
add comment=Monitoring name=monitor policy="read,api,!local,!telnet,!ssh,!ftp,\
    !reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!rom\
    on,!rest-api"
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge-lan
/caps-man provisioning
add action=create-dynamic-enabled comment=mAP2nd master-configuration=\
    auto-legacy-main radio-mac=04:F4:1C:2E:12:95 slave-configurations=\
    auto-legacy-iot,auto-legacy-guest
/certificate settings
set builtin-trust-anchors=not-trusted
/disk settings
set auto-media-interface=bridge-lan auto-media-sharing=yes auto-smb-sharing=\
    yes
/interface bridge port
add bridge=bridge-lan comment=defconf interface=ether3-lan-ap2
add bridge=bridge-lan comment=defconf interface=ether4-lan-jorg
add bridge=bridge-lan interface=ether5-lan-manue
add bridge=bridge-lan interface=ether6-lan-iot
add bridge=bridge-lan interface=ether7-lan-ap3
add bridge=bridge-lan interface=ether8-mngmt
add bridge=bridge-lan interface=ether1-lan-ap1
add bridge=bridge-lan comment="Work Dock on Guest VLAN" frame-types=\
    admit-only-untagged-and-priority-tagged interface=spf-sfpplus1-dock-work \
    pvid=4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=loose
/interface bridge vlan
add bridge=bridge-lan comment=AUTO-LAN-UNTAGGED untagged="bridge-lan,ether1-la\
    n-ap1,ether3-lan-ap2,ether4-lan-jorg,ether5-lan-manue,ether6-lan-iot,ether\
    7-lan-ap3,ether8-mngmt" vlan-ids=1
add bridge=bridge-lan comment=AUTO-GUEST-TAGGED tagged=\
    bridge-lan,ether1-lan-ap1,ether3-lan-ap2,ether7-lan-ap3 vlan-ids=40
/interface list member
add comment="Satellite link Starlink" interface=ether2-wan-starlink list=WAN
add interface=bridge-lan list=LAN
add interface=vlan40-guest list=LAN
add interface=vrrp-guest list=LAN
add interface=vrrp-lan list=LAN
/interface ovpn-server server
add mac-address=FE:67:D0:7B:0D:DB name=ovpn-server1
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=bridge-lan \
    package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled comment=cAPXLax-1f-2.4Ghz disabled=no \
    master-configuration=auto-cfg-sollan-2g-ap2-1f radio-mac=\
    04:F4:1C:A3:03:F6 slave-configurations=auto-cfg-iot,auto-cfg-guest \
    supported-bands=2ghz-ax
add action=create-dynamic-enabled comment=cAPXLax-1f-5Ghz disabled=no \
    master-configuration=auto-cfg-sollan-5g-ap2-1f radio-mac=\
    04:F4:1C:A3:03:F5 slave-configurations=auto-cfg-iot,auto-cfg-guest \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled comment=cAPXLax-gf-2.4Ghz disabled=no \
    master-configuration=auto-cfg-sollan-2g-ap3-gf radio-mac=\
    04:F4:1C:DD:07:03 slave-configurations=auto-cfg-iot,auto-cfg-guest \
    supported-bands=2ghz-ax
add action=create-dynamic-enabled comment=cAPXLax-gf-5Ghz disabled=no \
    master-configuration=auto-cfg-sollan-5g-ap3-gf radio-mac=\
    04:F4:1C:DD:07:02 slave-configurations=auto-cfg-guest,auto-cfg-media \
    supported-bands=5ghz-ax
/ip address
add address=10.0.2.252/24 interface=bridge-lan network=10.0.2.0
add address=10.0.4.252/24 comment=AUTO-GUEST-RB interface=vlan40-guest \
    network=10.0.4.0
add address=10.0.2.240 comment="VRRP VIP LAN" interface=vrrp-lan network=\
    10.0.2.240
add address=10.0.4.240 comment="VRRP VIP GUEST" interface=vrrp-guest network=\
    10.0.4.240
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip cloud back-to-home-user
add allow-lan=yes comment="RB5009-poe-router | RB5009UPr+S+" name=\
    "BraX3 de J\C3\B6rg" public-key=\
    "XXXXXXXX="
add allow-lan=yes comment="RB5009-poe-router | RB5009UPr+S+" name=\
    "BraX3 de J\C3\B6rg" public-key=\
    "XXXXXXXX="
/ip dhcp-client
add comment=AUTO-STARLINK-DHCP default-route-distance=20 interface=\
    ether2-wan-starlink use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.0.2.211 comment="Weather Station" mac-address=\
    BC:FF:4D:0F:E0:80
add address=10.0.2.19 comment="Framework16 dock" mac-address=\
    D8:D0:90:24:25:B6
add address=10.0.2.24 comment="Framework16 Wifi" mac-address=\
    9C:BF:0D:00:4B:2C
add address=10.0.2.250 comment=mAP2nd mac-address=04:F4:1C:2E:12:93
add address=10.0.2.252 comment=RB5009 mac-address=D4:01:C3:93:B1:59
add address=10.0.2.200 client-id=1:10:9:f9:a9:ae:77 comment=FireTV \
    mac-address=10:09:F9:A9:AE:77
add address=10.0.2.210 comment="HP10 weathercam" mac-address=\
    EC:62:60:C9:0D:08
add address=10.0.2.98 comment="AC Librarie" mac-address=C0:39:37:59:97:B0
add address=10.0.2.96 comment="AC Atelier" mac-address=C0:39:37:59:98:2E
add address=10.0.2.97 comment="AC Chambre amis" mac-address=94:24:B8:F6:13:F0
add address=10.0.2.99 comment="AC Parents" mac-address=50:2C:C6:A2:C7:B2
add address=10.0.2.95 comment="AC Cuisine" mac-address=94:24:B8:0B:56:71
add address=10.0.2.203 client-id=1:b4:22:0:61:6e:46 comment=\
    "MFC2750dw ethernet" disabled=yes mac-address=B4:22:00:61:6E:46
add address=10.0.2.212 client-id=1:20:f8:3b:1:9a:87 comment="Home Assistant" \
    mac-address=20:F8:3B:01:9A:87
add address=10.0.2.94 comment="Refoss Smartswitch Pompe piscine" mac-address=\
    48:E1:E9:DC:71:2A
add address=10.0.2.103 comment="Watchdog camera" mac-address=\
    00:C1:41:32:11:27
add address=10.0.2.214 client-id=1:5a:e6:c5:46:9a:44 comment="Zigbee Bridge" \
    mac-address=5A:E6:C5:46:9A:44
add address=10.0.2.201 client-id=1:a0:67:20:9:ab:cd comment="Vero V Wifi" \
    mac-address=A0:67:20:09:AB:CD
add address=10.0.2.203 client-id=1:f8:89:d2:2f:5d:5f comment=MFC2750dw \
    mac-address=F8:89:D2:2F:5D:5F
add address=10.0.2.117 client-id=1:4:cb:1:11:b9:e4 comment="Samsung TV" \
    mac-address=04:CB:01:11:B9:E4 server=dhcp-lan-auto
/ip dhcp-server network
add address=10.0.2.0/24 comment=AUTO-DHCP-LAN dns-server=10.0.2.1 gateway=\
    10.0.2.240
add address=10.0.4.0/24 comment=AUTO-DHCP-GUEST dns-server=8.8.8.8,1.1.1.1 \
    gateway=10.0.4.240
/ip dns
set servers=10.0.2.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
add address=10.0.2.19 comment="Jorg Dock" list=owner-list
add address=10.0.2.24 comment="Jorg FW16 WiFi" list=owner-list
add address=10.0.2.254 list=AllowDNS
add address=10.0.2.1 list=AllowDNS
add address=10.0.3.212 list=AllowDNS
add address=10.0.3.110 list=AllowDNS
add address=10.0.0.0/8 comment=AUTO-RFC1918 list=RFC1918-AUTO
add address=172.16.0.0/12 comment=AUTO-RFC1918 list=RFC1918-AUTO
add address=192.168.0.0/16 comment=AUTO-RFC1918 list=RFC1918-AUTO
add address=10.0.2.0/24 list=RouterAccess
add address=10.0.16.0/24 list=RouterAccess
add address=10.0.2.117 comment=TV list=AllowDNS
/ip firewall filter
add action=log chain=input disabled=yes dst-port=44503 log-prefix=\
    WireGuard_Attempt protocol=udp
add action=drop chain=input comment="Block brute force attackers" log=yes \
    log-prefix=FWSSHBlacklist src-address-list=bruteforce_blacklist
add action=accept chain=input comment=\
    "AUTO input established/related/untracked" connection-state=\
    established,related
add action=drop chain=input comment="AUTO input drop invalid" \
    connection-state=invalid
add action=add-src-to-address-list address-list=bruteforce_blacklist \
    address-list-timeout=1d chain=input comment=Blacklist connection-state=\
    new dst-port=22 protocol=tcp src-address-list=connection3
add action=add-src-to-address-list address-list=connection3 \
    address-list-timeout=1h chain=input comment="Third attempt" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=\
    connection2
add action=add-src-to-address-list address-list=connection2 \
    address-list-timeout=15m chain=input comment="Second attempt" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=\
    connection1
add action=add-src-to-address-list address-list=connection1 \
    address-list-timeout=5m chain=input comment="First attempt" \
    connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input comment="Allow SSH access to router" dst-port=\
    22 protocol=tcp src-address-list=RouterAccess
add action=accept chain=input comment="AUTO input management from lan" \
    in-interface=bridge-lan src-address-list=RouterAccess
add action=accept chain=input comment="AUTO input icmp" protocol=icmp
add action=accept chain=input comment="AUTO input vrrp lan" in-interface=\
    bridge-lan protocol=vrrp
add action=accept chain=input comment="AUTO input vrrp guest" in-interface=\
    vlan40-guest protocol=vrrp
add action=accept chain=input comment="AUTO input dhcp client on wan" \
    dst-port=68 in-interface=ether2-wan-starlink protocol=udp src-port=67
add action=drop chain=input comment="AUTO input drop all"
add action=accept chain=forward comment="AUTO fwd established/related" \
    connection-state=established,related
add action=drop chain=forward comment="AUTO fwd drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="WG to LAN" dst-address=10.0.16.0/24 \
    src-address=10.0.2.0/24
add action=accept chain=forward comment="LAN to WG" dst-address=10.0.2.0/24 \
    src-address=10.0.16.0/24
add action=accept chain=forward comment="WG to LAN" dst-address=\
    192.168.216.0/24 src-address=10.0.2.0/24
add action=accept chain=forward comment="LAN to WG" dst-address=10.0.2.0/24 \
    src-address=192.168.216.0/24
add action=drop chain=forward comment="AUTO guest block private" \
    dst-address-list=RFC1918-AUTO src-address=10.0.4.0/24
add action=accept chain=forward comment="AUTO guest allow dns udp" dst-port=\
    53 protocol=udp src-address=10.0.4.0/24
add action=accept chain=forward comment="AUTO guest allow dns tcp" dst-port=\
    53 protocol=tcp src-address=10.0.4.0/24
add action=accept chain=forward comment="AUTO allowdns udp" dst-port=53 \
    log-prefix=DNSAccess protocol=udp src-address-list=AllowDNS
add action=accept chain=forward comment="AUTO allowdns tcp" dst-port=53 \
    log-prefix=DNSAccess protocol=tcp src-address-list=AllowDNS
add action=drop chain=forward comment="AUTO block external dns udp" dst-port=\
    53 protocol=udp src-address=!10.0.4.0/24
add action=drop chain=forward comment="AUTO block external dns tcp" dst-port=\
    53 protocol=tcp src-address=!10.0.4.0/24
add action=accept chain=forward comment="AUTO lan to internet" \
    in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="AUTO fwd drop all"
add action=accept chain=output connection-state=established,related \
    log-prefix=acceptedOuput
add action=drop chain=output connection-state=invalid
add action=accept chain=output log-prefix=AcceptOutputNew
/ip firewall mangle
add action=mark-routing chain=prerouting in-interface=ether2-wan-starlink \
    new-routing-mark=*400
/ip firewall nat
add action=masquerade chain=srcnat comment="AUTO nat starlink" \
    out-interface-list=WAN
/ip firewall raw
add action=drop chain=prerouting in-interface-list=WAN log=yes log-prefix=
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add comment="GW through FTTH Red" disabled=yes distance=1 dst-address=\
    0.0.0.0/0 gateway=10.0.2.254 routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set ftp address=10.0.2.0/24
set ssh address=10.0.2.0/24,10.0.16.0/24
set telnet disabled=yes
set www address=10.0.2.0/24,10.0.16.0/24
set winbox address=10.0.2.0/24,10.0.16.0/24,192.168.216.0/24
set api address=10.0.2.0/24
set api-ssl address=10.0.2.0/24
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="AUTO6 input established/related" \
    connection-state=established,related
add action=drop chain=input comment="AUTO6 input drop invalid" \
    connection-state=invalid
add action=accept chain=input comment="AUTO6 input icmpv6" protocol=icmpv6
add action=accept chain=input comment="AUTO6 input vrrp lan" in-interface=\
    bridge-lan protocol=vrrp
add action=accept chain=input comment="AUTO6 input vrrp guest" in-interface=\
    vlan40-guest protocol=vrrp
add action=accept chain=input comment="AUTO6 input management from lan" \
    in-interface=bridge-lan
add action=accept chain=input comment="AUTO6 input dhcpv6 client wan" \
    dst-port=546 in-interface=ether2-wan-starlink protocol=udp src-address=\
    fe80::/10
add action=drop chain=input comment="AUTO6 input drop all"
add action=accept chain=forward comment="AUTO6 fwd established/related" \
    connection-state=established,related
add action=drop chain=forward comment="AUTO6 fwd drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="AUTO6 fwd icmpv6" protocol=icmpv6
add action=accept chain=forward comment="AUTO6 guest allow dns udp" dst-port=\
    53 in-interface=vlan40-guest protocol=udp
add action=accept chain=forward comment="AUTO6 guest allow dns tcp" dst-port=\
    53 in-interface=vlan40-guest protocol=tcp
add action=accept chain=forward comment="AUTO6 allowdns udp" dst-port=53 \
    protocol=udp src-address-list=AllowDNSv6
add action=accept chain=forward comment="AUTO6 allowdns tcp" dst-port=53 \
    protocol=tcp src-address-list=AllowDNSv6
add action=drop chain=forward comment="AUTO6 block external dns udp" \
    dst-port=53 in-interface=!vlan40-guest protocol=udp
add action=drop chain=forward comment="AUTO6 block external dns tcp" \
    dst-port=53 in-interface=!vlan40-guest protocol=tcp
add action=accept chain=forward comment="AUTO6 lan to internet" in-interface=\
    bridge-lan out-interface=ether2-wan-starlink
add action=accept chain=forward comment="AUTO6 guest to internet" \
    in-interface=vlan40-guest out-interface=ether2-wan-starlink
add action=drop chain=forward comment="AUTO6 fwd drop all"
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=RB5009-poe-router
/system leds settings
set all-leds-off=after-1min
/system logging
set 0 action=remote
add topics=firewall,debug
add disabled=yes topics=wireless,debug
add action=remote topics=error
add action=remote topics=critical
add action=remote topics=warning
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.2.1
/system package update
set channel=long-term
/system scheduler
add comment="Scheduler backup dump" interval=1d name=Backup on-event=\
    "/system backup save name=daily_backup dont-encrypt=yes" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-08-25 start-time=01:01:01
add comment="Monitor Starlink connection" interval=15s name=\
    sch-monitor-starlink on-event="/system script run monitor-starlink" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add comment="Download blocklist" interval=1d name=dl-jorg-blacklist on-event=\
    Jorgs-Blacklist-download policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2000-01-01 start-time=00:05:00
add comment="Replace active blocklist" interval=1d name=ins-jorg-blacklist \
    on-event=Jorgs-blacklist-replace policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2000-01-01 start-time=00:10:00
/system script
add comment="puts out interfaces" dont-require-permissions=no name=interfaces \
    owner=admin policy=ftp,read,policy,test,sniff source="[\
    \n/interface ethernet\
    \n:put \"Name\\tModified name\\t\\t\\t\\tOrig-mac\\t\\tCurrent-mac\\t\\tMT\
    U\\tL2MTU\"\
    \n:foreach IF in=[find] do={\
    \n:local var2 [get \$IF default-name]\
    \n:local var3 [get \$IF name]\
    \n:local var4 [get \$IF orig-mac-address]\
    \n:local var5 [get \$IF mac-address]\
    \n:local var6 [get \$IF mtu]\
    \n:local var7 [get \$IF l2mtu]\
    \n\
    \n:local var20\
    \n:if ([:len \$var3] > 0) do={:set \$var20 \" \\t\\t\\t \"}\
    \n:if ([:len \$var3] > 8) do={:set \$var20 \" \\t\\t \"}\
    \n:if ([:len \$var3] > 16) do={:set \$var20 \" \\t \"}\
    \n:if ([:len \$var3] > 22) do={:set \$var20 \" \"}\
    \n:put \"\$var2\\t\$var3\\t\$var20\\t\$var4\\t\$var5\\t\$var6\\t\$var7\"\
    \n}\
    \n]\
    \n/"
add dont-require-permissions=no name=auto-starlink-vrrp-health owner=smurphy \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\
    \n    :local p1 [/tool/ping address=1.1.1.1 interface=ether2-wan-starlink \
    count=2 interval=500ms];\
    \n    :local p2 [/tool/ping address=8.8.8.8 interface=ether2-wan-starlink \
    count=2 interval=500ms];\
    \n    :local newprio 150;\
    \n    :if ((\$p1 = 0) and (\$p2 = 0)) do={ :set newprio 10; }\
    \n\
    \n    /interface vrrp set [find where name=\"vrrp-lan\"] priority=\$newpri\
    o;\
    \n    /interface vrrp set [find where name=\"vrrp-guest\"] priority=\$newp\
    rio;\
    \n"
add dont-require-permissions=no name=monitor-starlink owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    global slFail\
    \n:global slOk\
    \n\
    \n:if ([:typeof \$slFail] = \"nothing\") do={ :set slFail 0 }\
    \n:if ([:typeof \$slOk]   = \"nothing\") do={ :set slOk 0 }\
    \n\
    \n:local ok false\
    \n\
    \n# ether2 was renamed ether2-wan-starlink under /interface ethernet above\
    \n:if ([/ping 1.1.1.1 interface=ether2-wan-starlink count=2] > 0) do={ :s\
    et ok true }\
    \n:if (\$ok = false) do={\
    \n  :if ([/ping 8.8.8.8 interface=ether2-wan-starlink count=2] > 0) do={ \
    :set ok true }\
    \n}\
    \n\
    \n:if (\$ok = true) do={\
    \n  :set slOk (\$slOk + 1)\
    \n  :set slFail 0\
    \n  :if (\$slOk >= 3) do={\
    \n    :if ([/interface vrrp get vrrp-lan priority] < 90) do={\
    \n      /interface vrrp set vrrp-lan priority=100\
    \n      :log warning \"STARLINK OK stable ->  vrrp-lan priority 100\"\
    \n      /interface vrrp set vrrp-guest priority=100\
    \n      :log warning \"STARLINK OK stable -> vrrp-guest priority 100\"\
    \n    }\
    \n    :set slOk 3\
    \n  }\
    \n} else={\
    \n  :set slFail (\$slFail + 1)\
    \n  :set slOk 0\
    \n  :if (\$slFail >= 3) do={\
    \n    :if ([/interface vrrp get vrrp-lan priority] > 60) do={\
    \n      /interface vrrp set vrrp-lan priority=50\
    \n      :log warning \"STARLINK DOWN ->  vrrp-lan priority 50\"\
    \n      /interface vrrp set vrrp-guest priority=50\
    \n      :log warning \"STARLINK DOWN ->  vrrp-guest priority 50\"\
    \n    }\
    \n    :set slFail 3\
    \n  }\
    \n}\
    \n"
add comment="Jorgs blacklist download" dont-require-permissions=no name=\
    Jorgs-Blacklist-download owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    tool fetch url=\"https://intranet.solsys.org/blacklist.rsc\" mode=https"
add comment="Activate Jorgs blacklist" dont-require-permissions=no name=\
    Jorgs-blacklist-replace owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    ip firewall address-list remove [find where list=\"jorgs-blacklist\"]; /im\
    port file-name=blacklist.rsc; /file remove blacklist.rsc"
/tool bandwidth-server
set enabled=no
/tool graphing interface
add allow-address=10.0.2.0/24 interface=ether2-wan-starlink
add allow-address=10.0.2.0/24 interface=ether1-lan-ap1
/tool mac-server
set allowed-interface-list=management
/tool mac-server mac-winbox
set allowed-interface-list=management
/tool sniffer
set filter-ip-address=10.0.4.199/32

AP1

# 2026-04-20 10:23:28 by RouterOS 7.20.8
# software id = Q86T-M2U5
#
# model = cAPGi-5HaxD2HaxD
/interface bridge
add name=bridge-lan
/interface ethernet
set [ find default-name=ether1 ] comment="Ethernet POE"
set [ find default-name=ether2 ] comment="Management Interface" name=\
    ether2-mngmt
/interface list
add name=WAN
add name=LAN
/interface wifi datapath
add bridge=bridge-lan name=capdp-lan
/system logging action
set 3 remote=10.0.2.1 syslog-time-format=iso8601
/user group
add name=ftp policy="ftp,read,sensitive,!local,!telnet,!ssh,!reboot,!write,!po\
    licy,!test,!winbox,!password,!web,!sniff,!api,!romon,!rest-api"
add comment="Monitoring users" name=monitor policy="read,api,!local,!telnet,!s\
    sh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensit\
    ive,!romon,!rest-api"
/interface wifi
# managed by CAPsMAN D4:01:C3:93:B1:59%bridge-lan, traffic processing on CAP
# mode: AP, SSID: Access_Denied, channel: 5180/ax/Ce/I
set [ find default-name=wifi1 ] channel.skip-dfs-channels=all comment=5Ghz \
    configuration=*3 configuration.manager=capsman .mode=ap .station-roaming=\
    no datapath=capdp-lan disabled=no security=*4 \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .sae-anti-clogging-threshold=0
# managed by CAPsMAN D4:01:C3:93:B1:59%bridge-lan, traffic processing on CAP
# mode: AP, SSID: Access_Denied, channel: 2442/ax
set [ find default-name=wifi2 ] comment=2.4Ghz configuration=*3 \
    configuration.manager=capsman .mode=ap datapath=capdp-lan disabled=no \
    mtu=1500 security=*4 security.authentication-types=wpa2-psk,wpa3-psk \
    .disable-pmkid=no
/interface bridge filter
add action=drop chain=forward disabled=yes in-interface=*7
add action=drop chain=forward disabled=yes out-interface=*7
/interface bridge port
add bridge=bridge-lan interface=all
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set allow-fast-path=no disable-ipv6=yes forward=no
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether2-mngmt list=LAN
add interface=wifi2 list=LAN
add interface=wifi1 list=LAN
add interface=ether1 list=LAN
/interface wifi access-list
add action=reject comment=WeatherCam disabled=no interface=*7 mac-address=\
    EC:62:60:C9:0D:08
add action=reject comment=WeatherCam disabled=no interface=*7 mac-address=\
    EC:62:60:C9:0D:08
add action=reject comment=WeatherCam disabled=no interface=*7 mac-address=\
    EC:62:60:C9:0D:08
add action=reject comment="Refoss Smartswitch Pompe piscine" disabled=no \
    interface=*7 mac-address=48:E1:E9:DC:71:2A
add action=reject comment="Refoss Smartswitch Pompe piscine" disabled=no \
    interface=*7 mac-address=48:E1:E9:DC:71:2A
add action=reject comment="Refoss Smartswitch Pompe piscine" disabled=no \
    interface=*7 mac-address=48:E1:E9:DC:71:2A
add action=reject comment="Refoss Smartswitch Pompe piscine" disabled=no \
    interface=*A mac-address=48:E1:E9:DC:71:2A
add action=reject comment="Refoss Smartswitch Pompe piscine" disabled=no \
    interface=*A mac-address=48:E1:E9:DC:71:2A
add action=reject comment="Refoss Smartswitch Pompe piscine" disabled=no \
    interface=*A mac-address=48:E1:E9:DC:71:2A
/interface wifi cap
set caps-man-addresses=10.0.2.252 discovery-interfaces=bridge-lan enabled=yes \
    slaves-datapath=capdp-lan
/ip address
add address=10.0.2.253/24 interface=bridge-lan network=10.0.2.0
/ip cloud
set update-time=no
/ip dhcp-relay
add dhcp-server=10.0.2.252 interface=wifi2 name=relay1
/ip dns
set servers=10.0.2.1
/ip firewall nat
add action=accept chain=srcnat disabled=yes out-interface=wifi2
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.2.240 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set ftp address=10.0.2.0/24
set ssh address=10.0.2.0/24,10.0.16.0/24
set telnet disabled=yes
set www address=10.0.2.0/24
set winbox address=10.0.2.0/24,10.0.16.0/24
set api address=10.0.2.0/24
set api-ssl address=10.0.2.0/24
/ipv6 nd
set [ find default=yes ] disabled=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=cAP-XL-ax-gf
/system logging
set 0 action=remote
add disabled=yes prefix=WiFi topics=wireless,debug
add topics=event
add action=remote topics=error
add action=remote topics=critical
add action=remote topics=warning
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.2.1
/system package update
set channel=long-term
/system scheduler
add comment="Scheduler backup dump" interval=1d name=Daily on-event=\
    "/system backup save name=daily_backup dont-encrypt=yes" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-08-27 start-time=01:01:01

AP2

# 2026-04-20 10:22:40 by RouterOS 7.20.8
# software id = 63NX-J02B
#
# model = cAPGi-5HaxD2HaxD
/interface bridge
add name=bridge-lan
/interface ethernet
set [ find default-name=ether1 ] comment="Ethernet POE"
set [ find default-name=ether2 ] comment="Management Interface" name=\
    ether2-mngmt
/interface list
add name=WAN
add name=LAN
/interface wifi datapath
add bridge=bridge-lan name=capdp-lan
/system logging action
set 3 remote=10.0.2.1 syslog-time-format=iso8601
/user group
add name=ftp policy="ftp,read,sensitive,!local,!telnet,!ssh,!reboot,!write,!po\
    licy,!test,!winbox,!password,!web,!sniff,!api,!romon,!rest-api"
add comment="Monitoring users" name=monitor policy="read,api,!local,!telnet,!s\
    sh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensit\
    ive,!romon,!rest-api"
/interface wifi
# managed by CAPsMAN D4:01:C3:93:B1:59%bridge-lan, traffic processing on CAP
# mode: AP, SSID: Access_Denied, channel: 5220/ax/Ce/I
set [ find default-name=wifi1 ] channel.skip-dfs-channels=all comment=5Ghz \
    configuration=*3 configuration.manager=capsman .mode=ap .station-roaming=\
    no datapath=capdp-lan disabled=no security=*4 \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .sae-anti-clogging-threshold=0
# managed by CAPsMAN D4:01:C3:93:B1:59%bridge-lan, traffic processing on CAP
# mode: AP, SSID: Access_Denied, channel: 2462/ax
set [ find default-name=wifi2 ] comment=2.4Ghz configuration=*3 \
    configuration.manager=capsman .mode=ap datapath=capdp-lan disabled=no \
    mtu=1500 security=*4 security.authentication-types=wpa2-psk,wpa3-psk \
    .disable-pmkid=no
/interface bridge filter
add action=drop chain=forward disabled=yes in-interface=*7
add action=drop chain=forward disabled=yes out-interface=*7
/interface bridge port
add bridge=bridge-lan interface=all
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set allow-fast-path=no disable-ipv6=yes forward=no
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether2-mngmt list=LAN
add interface=wifi2 list=LAN
add interface=wifi1 list=LAN
add interface=ether1 list=LAN
/interface wifi access-list
add action=reject comment=WeatherCam disabled=no interface=wifi39 \
    mac-address=EC:62:60:C9:0D:08
add action=reject comment=WeatherCam disabled=no interface=wifi39 \
    mac-address=EC:62:60:C9:0D:08
add action=reject comment=WeatherCam disabled=no interface=wifi39 \
    mac-address=EC:62:60:C9:0D:08
add action=reject comment="Refoss Smartswitch Pompe piscine" disabled=no \
    interface=wifi39 mac-address=48:E1:E9:DC:71:2A
add action=reject comment="Refoss Smartswitch Pompe piscine" disabled=no \
    interface=wifi39 mac-address=48:E1:E9:DC:71:2A
add action=reject comment="Refoss Smartswitch Pompe piscine" disabled=no \
    interface=wifi39 mac-address=48:E1:E9:DC:71:2A
add action=reject comment="Refoss Smartswitch Pompe piscine" disabled=no \
    interface=wifi41 mac-address=48:E1:E9:DC:71:2A
add action=reject comment="Refoss Smartswitch Pompe piscine" disabled=no \
    interface=wifi41 mac-address=48:E1:E9:DC:71:2A
add action=reject comment="Refoss Smartswitch Pompe piscine" disabled=no \
    interface=wifi41 mac-address=48:E1:E9:DC:71:2A
add action=reject comment="Vero 4K not allowed on 1st floor" disabled=no \
    interface=wifi2 mac-address=A0:67:20:09:AB:CD
/interface wifi cap
set caps-man-addresses=10.0.2.252 discovery-interfaces=bridge-lan enabled=yes \
    slaves-datapath=capdp-lan
/ip address
add address=10.0.2.251/24 interface=bridge-lan network=10.0.2.0
/ip cloud
set update-time=no
/ip dhcp-relay
add dhcp-server=10.0.2.252 interface=wifi2 name=relay1
/ip dns
set servers=10.0.2.1
/ip firewall nat
add action=accept chain=srcnat disabled=yes out-interface=wifi2
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.0.2.240 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set ftp address=10.0.2.0/24
set ssh address=10.0.2.0/24,10.0.16.0/24
set telnet disabled=yes
set www address=10.0.2.0/24
set winbox address=10.0.2.0/24,10.0.16.0/24
set api address=10.0.2.0/24
set api-ssl address=10.0.2.0/24
/ipv6 nd
set [ find default=yes ] disabled=yes
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=cAP-XL-ax-1st
/system leds settings
set all-leds-off=after-1min
/system logging
set 0 action=remote
add disabled=yes prefix=WiFi topics=wireless,debug
add topics=event
add action=remote topics=error
add action=remote topics=critical
add action=remote topics=warning
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.2.1
/system package update
set channel=long-term
/system scheduler
add comment="Scheduler backup dump" interval=1d name=Daily on-event=\
    "/system backup save name=daily_backup dont-encrypt=yes" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-08-27 start-time=01:01:01

Point #21 here:
GP & CSA (Good Practice and Common Sense Advice) for Mikrotik devices

Been there, but nothing that would help me with the WiFi issues

Sorry, that’s what I use (coffee not taking effect yet :wink:)

Well, you have configurations where there is an asterisk instead of the proper names, which means that those items are "undefined".

You may want to fix those as FIRST thing, doesn't matter if they are part of the issue or not, they are invalid settings.

In the access filters, you’re right, but not relevant. They apply to an external AP by the pool, where the IoT devices try to connect to the internal AP when the pool AP reboots.
Is the access list also handled by the CAPsMAN?

The others – Caps-based, nothing I can do. It’s the pulled caps configuration.
Bridge interface filters are disabled on both CAPs

Do you actually use legacy Capsman? Your CAPs seem to use wifi-qcom-ac.

AP1

set [ find default-name=wifi1 ] channel.skip-dfs-channels=all comment=5Ghz \
    configuration=*3 configuration.manager=capsman .mode=ap .station-roaming=\
    no datapath=capdp-lan disabled=no security=*4 \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes \
    .sae-anti-clogging-threshold=0
# managed by CAPsMAN D4:01:C3:93:B1:59%bridge-lan, traffic processing on CAP
# mode: AP, SSID: Access_Denied, channel: 2442/ax
set [ find default-name=wifi2 ] comment=2.4Ghz configuration=*3 \
    configuration.manager=capsman .mode=ap datapath=capdp-lan disabled=no \
    mtu=1500 security=*4 security.authentication-types=wpa2-psk,wpa3-psk \
    .disable-pmkid=no

You have invalid configuration. Strip all these orphaned id references (*xxx).

/interface bridge filter
add action=drop chain=forward disabled=yes in-interface=*7
add action=drop chain=forward disabled=yes out-interface=*7

Broken bridge filters are no good either.

And so much configuration that does not belong on an AP. NAT and custom DNS settings, etc.

If I were you I would start over from scratch. /system/reset-configuration caps-mode=yes.

Yes. I have a mAP2nd running outside.

the CAP’s (cAP XL ax) are running

cAP-XL-ax-1st] /system/package> print
Flags: X - DISABLED; A - AVAILABLE
Columns: NAME, VERSION, BUILD-TIME, SIZE
 #    NAME            VERSION  BUILD-TIME           SIZE     
 0    routeros        7.20.8   2026-01-30 09:17:54  12.6MiB  
 1    wifi-qcom       7.20.8   2026-01-30 09:17:54  10.2MiB

I’ll remove the bridge filters as I don’t use these anymore.
And these are not orphaned configurations etc. - I use slave interfaces (guest, IoT and media + regular). It just won’t show these on the CAP’s in the export command apparently.
I’ll see if I can disable/remove non require entries.

And, I’ll try to see if I can recreate the CAP’s with the reset configuration.
Is there a way for me to set the:

  1. the interface IP (for me to access the cAP’s)
  2. Create the access list to prevent the external IoT devices from connecting to the faint internal AP signal instead of the mAP2nd external AP?

or do I have to do that after?

No roaming between the cAP AX’s you mean? Or is the old device involved?

Could you supply connection rates and signal strengths?

That is correct. Roaming is supposed to work between the 2 ax’s devices.
I can provide the connection rates when back home. But usually when I change sides of the house, I am first connected to 5Ghz with 5 bars, then it switches to 2.4Ghz and goes down to 1 or 0 bars and remains there. I still have some connectivity, but barely usable. And I am sitting literally under the next AP while it sticks to the connection from the remote AP at the other end of the house.

Though being managed, there are a lot of properties set on the wifi interface of the CAP.

Can you make sure that it looks like:

/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman disabled=no

Well, yes there are quite some properties I set over time. Mainly due to the Intel chipset WiFi being broken by design (forces WPA3 even though the AP is outside and barely reachable).

configuration.manager disabled=no on all CAPs.

Just looked into it, and can’t do it.
The router is connected to the LAN through eth1 as it requires PoE. So no go here.

Am I correct in assuming that whatever is configured on the Wifi / configuration on the AP is ignored? Meaning I can remove it?

Can you better explain?

The:

/system/reset-configuration caps-mode=yes

is intended to be run on each CAP device, what does the router connection have to do with it?
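
The thread recommends two things: run `/system/reset-configuration caps-mode=yes` on each cAP so the CAP carries nothing but `configuration.manager=capsman`, and keep every wifi setting (SSID, security, FT, access list) on the CAPsMAN. The following is an added example of what that split looks like for the two cAP ax units in this thread; it is not configuration from the original posts. The passphrase, the country, the channel widths, the steering profile, the signal thresholds and the static CAP address are assumptions, and the IoT MAC addresses are the ones the original poster already rejects in their export.

```routeros
# ---- CAPsMAN side (RB5009), RouterOS 7.x wifi-qcom / CAPsMAN ----
# Everything below is an added example; names are assumptions.
/interface wifi channel
add name=ch-5g band=5ghz-ax width=20/40/80mhz skip-dfs-channels=all
add name=ch-2g band=2ghz-ax width=20mhz

/interface wifi datapath
add name=dp-lan bridge=bridge-lan

# One security profile for both radios: WPA2/WPA3-PSK with 802.11r (FT)
# so the phone can re-associate to the other cAP without a full 4-way handshake.
/interface wifi security
add name=sec-lan authentication-types=wpa2-psk,wpa3-psk passphrase="CHANGE-ME" \
    ft=yes ft-over-ds=yes

# 802.11k/v: advertise neighbour APs so the client has a reason to roam (assumed profile).
/interface wifi steering
add name=st-lan rrm=yes wnm=yes

/interface wifi configuration
add name=cfg-5g ssid=Access_Denied country=France channel=ch-5g datapath=dp-lan \
    security=sec-lan steering=st-lan
add name=cfg-2g ssid=Access_Denied country=France channel=ch-2g datapath=dp-lan \
    security=sec-lan steering=st-lan

# Provision every CAP radio by band; the CAP itself keeps no SSID/security settings.
/interface wifi provisioning
add action=create-dynamic-enabled supported-bands=5ghz-ax master-configuration=cfg-5g
add action=create-dynamic-enabled supported-bands=2ghz-ax master-configuration=cfg-2g

# Access list lives on the CAPsMAN, not on the CAPs. Rules are matched top-down.
# Outdoor IoT: reject when the signal is weak (i.e. the faint indoor AP) so they stay on
# the strong outdoor AP. The -70 dBm threshold is an assumption to tune on site.
/interface wifi access-list
add action=reject comment="WeatherCam: only strong signal" \
    mac-address=EC:62:60:C9:0D:08 signal-range=-120..-70
add action=reject comment="Refoss pool pump switch: only strong signal" \
    mac-address=48:E1:E9:DC:71:2A signal-range=-120..-70
# Sticky-client aid: accept everyone else, but drop an association that stays
# below -80 dBm for 10 s so the client re-scans and picks the nearer cAP.
add action=accept comment="kick clients that drift out of range" \
    signal-range=-80..120 allow-signal-out-of-range=10s

/interface wifi capsman
set enabled=yes interfaces=bridge-lan

# ---- CAP side (each cAP ax) after /system/reset-configuration caps-mode=yes ----
# caps-mode leaves a bridge named "bridge" with all ports and a DHCP client on it
# (assumed default). Replace the DHCP client with the static address the poster
# wants, and point the CAP at the CAPsMAN; nothing else is needed on the CAP.
/ip dhcp-client
remove [ find interface=bridge ]
/ip address
add address=10.0.2.251/24 interface=bridge network=10.0.2.0
/interface wifi cap
set enabled=yes discovery-interfaces=bridge caps-man-addresses=10.0.2.252
/interface wifi
set [ find default-name=wifi1 ] configuration.manager=capsman disabled=no
set [ find default-name=wifi2 ] configuration.manager=capsman disabled=no
```

Two checks after applying this: `/interface wifi print` on the CAP should show both radios as `managed by CAPsMAN` with no local `security.*` or `configuration.*` overrides left, and `/interface wifi registration-table print` on the CAPsMAN while walking between the two cAPs should show the phone's entry move from one CAP interface to the other with the signal staying above the access-list threshold. If the outdoor mAP2nd is also a CAP of this CAPsMAN, the per-MAC rules above still apply to it, which is why they match on signal rather than on the CAPsMAN-side interface names (wifi39/wifi41 in the export), which change whenever a CAP re-provisions.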

The cAP-XL-ax has 2 ethernet ports.

  • ether1/PoE-In = WAN
  • ether2/PoE-Out = LAN.

Last time I tried, I had to dismount the entire AP to gain access to the device again remotely. Hence my reluctance.

Though it is big, the correct name is cAP-AX.