Wifiwave2 CAPsMAN Datapath/VLAN not working

Hello,

I am trying to set up two Mikrotik devices, with one device being the CAPsMAN and the other device being the CAP.
My smartphone can see the SSID and also tries to connect. However, the smartphone tries connecting for some seconds and then aborts. I highly assume that the reason is a problem with the connection of the SSID to my VLAN 61. If I configure the CAP device to retrieve an IP via DHCP directly on VLAN 61, it works. But I think that the smartphone does not get an IP configuration (via DHCP) when it tries to connect to the SSID.

My CAPsMAN configuration:

# Exported via: /interface wifiwave2 export hide-sensitive 

/interface wifiwave2 channel
add band=2ghz-ax disabled=no name=2GHz skip-dfs-channels=10min-cac width=20/40mhz
add band=5ghz-ax disabled=no name=5GHz skip-dfs-channels=10min-cac width=20/40/80mhz

/interface wifiwave2 datapath
add bridge=bridge_primary disabled=no name=VLAN_GUESTS vlan-id=61

/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp,gcmp,ccmp-256,gcmp-256 group-key-update=5m management-protection=allowed name=MySecurityTemplate wps=disable

/interface wifiwave2 configuration
add channel=2GHz country=Germany datapath=VLAN_GUESTS disabled=no mode=ap name=WiFi_2GHz security=MySecurityTemplate ssid="MySSID"
add channel=5GHz country=Germany datapath=VLAN_GUESTS disabled=no mode=ap name=WiFi_5GHz security=MySecurityTemplate ssid="MySSID"

/interface wifiwave2 capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=VLAN_20 package-path="" require-peer-certificate=no upgrade-policy=none

/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=WiFi_2GHz supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=WiFi_5GHz supported-bands=5ghz-ax

My CAP configuration:

# /interface wifiwave2 export hide-sensitive 

/interface wifiwave2
# managed by CAPsMAN
# mode: AP, SSID: MySSID, channel: 5700/ax/eeCe
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN
# mode: AP, SSID: MySSID, channel: 2427/ax/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no

/interface wifiwave2 cap
set certificate=request discovery-interfaces=VLAN_20 enabled=yes lock-to-caps-man=yes

I skipped the VLAN configuration on the bridge here, because the CAP device can successfully connect to other devices on this VLAN, only the SSID seems to not reach the VLAN.

Shouldn’t the Datapath config be enough for connecting an SSID to a VLAN? :confused:

/interface wifiwave2 datapath
add bridge=bridge_primary disabled=no name=VLAN_GUESTS vlan-id=61

Thanks a lot in advance,

Thomas

Any ideas about the problem?
Is there any important information missing from my post?

On your caps set the datapath to your bridge:
set datapath.bridge=[your bridge]

On the CAPsMAN the datapath is part of the provisioned WiFi configuration. Is it really necessary to additionally specify it on the CAPs?
Maybe I don’t get the point of CAPsMAN, but isn’t its job to completely manage the WiFis on the CAPsMAN and simply provision them to the CAPs?

…are these WW2-ax or WW2-ac devices? I remember that there is a bug with WW2-ac devices and VLAN assignment via CAPsMAN (Edit: see here https://help.mikrotik.com/docs/display/ROS/WifiWave2#WifiWave2-Datapathproperties).

The CAPsMAN is an RB5009 with the Wifiwave2 package installed.
The CAP is a “cAP ax”.

Maybe I don’t get the point of CAPsMAN, but isn’t its job to completely manage the WiFis on the CAPsMAN and simply provision them to the CAPs?

Does it work?

I have to check it later today and will come back with the result. (But even if it works, I don’t understand the concept of Wifiwave2 and what has to be configured where for CAPsMAN usage.)

In broad lines:

In contrast with legacy wifi/capsman, wifiwave2 and new capsman are very intertwined, that’s a fact.
But they work more or less in the same way (as opposed to legacy wifi and old capsman, completely different environments. Old capsman structure was, as far as I can see, the base for wifiwave2 and new capsman. Still with me? :laughing:).

How does it go:
You specify a configuration which needs to be used.
You can choose to isolate channel and security settings etc. in the separate tabs but be aware left tabs have preference over settings on the right side.
So if you set a security setting in configuration tab, it will not be taken anymore from security tab.

Then:
For dedicated AP, you assign that configuration to the interface. Be aware 2.4GHz and 5GHz interfaces require different settings! (frequency, band, …)
For capsman, you first need to enable the function on the controller. And the AP needs to be in CAPS mode so it will request config from the controller.
And then you assign the same configuration to the radio. Not the physical interface, but the radio which will announce itself to be controlled by capsman.

Sounds complicated but once you do it a couple of times, it is very logical (to me, it is :laughing: ).
Again, very high level and a lot of things deeper in which can be tweaked further.

I have tried it and got it working via the following steps:

  • In datapath of the CAP set the bridge to my bridge (but not set the VLAN-ID in the same menu, otherwise the WiFi client will only see the tagged VLAN)
  • Add the WiFi interface on the CAP to Bridge/VLAN as untagged.
  • Additionally the logs showed that I ran into the “rejected, can’t find PMKSA” issue. After disabling WPA3 it works.

So, thanks a lot for your help so far :smiley:

However, I still have some problems in understanding the benefits of CAPsMAN :cry: (even after the very detailed explanation). It is not “very logical” to me, yet (but hopefully soon :sunglasses:).

  • Is my experience correct that the VLAN-ID in the datapath only provides tagged VLANs to the WiFi clients and not untagged VLANs?
  • If I have to add the bridge to the datapath on the CAPs and have to add the WiFi interfaces manually to the bridge on the CAPs, what is the huge benefit of CAPsMAN? Is it more about seamless roaming instead of simple configuration in one place?
  • How can I change the WiFi interface names on the CAPsMAN? With the old Wireless (not Wifiwave2) I have seen that the interface names can be generated out of the CAP identity, some prefix, etc. Is this also possible with Wifiwave2? I cannot find how to do this in Wifiwave2, maybe I overlook something.
  • How do I have to add slave WiFi interfaces? Does this have to be done on the CAPsMAN or on the CAPs?

As you can see, I am still a bit confused about the CAPsMAN and Wifiwave2 :confused:

Thanks in advance,

Thomas

The way I understood how it works:
1- VLAN id is added from wifi radio to bridge. Tagged, as far as I know. Clients will not (should not?) see VLAN tag.

2- When I toyed with those VLAN settings on wifiwave2-capsman it was 7.8-chain. At that point you had to set the CAPS bridge to disable VLAN filtering. And then it worked “out of the box via CAPSMAN”.
Haven’t tried anymore with 7.9 nor 7.10. One normal week, then a week holidays but I do plan to tackle that part again afterwards since I need a solution for a customer where I am installing it. VLAN or separate subnets and firewall rules.
Hopefully at that time there is a version where it will just work like it did with old capsman :smiley:

3- Not via GUI (I haven’t found it there yet), it’s in CLI (also only found out this week).
See manual
https://help.mikrotik.com/docs/display/ROS/WifiWave2#WifiWave2-CAPsMANProvisioning
Section Capsman Provision, setting for name-format.

4- It’s Capsman
Tab Provisioning and then in the provisioning rule look at Slave Configurations, just below master, so hard to miss.
Add as many as you want with the drop-down arrow (but keep it a bit practical :laughing: )
Which means you can fine-tune this per radio (or use regex expressions to bundle APs based on identity or so).
But you need to have created those configurations upfront and keep in mind, a slave config cannot change anything on the radio from master interface.
I make slave configs only having SSID and security, nothing else, since the rest will come from master.

Would it make sense to add additional bridges for the different VLANs and set them to “Disable VLAN Filtering”, just to make the configuration via CAPsMAN a bit simpler? I’m just afraid that additional bridges could bring performance drawbacks with them.

This seems to be another unfinished point in the new CAPsMAN :cry:

Unless you REALLY know why, only use 1 bridge.

If it makes you feel any better I went on the same journey myself and ended up wondering what had happened to CAPsMAN vs the way it works with the non-wifiwave2 devices.

From what I’ve read, ‘improvements are coming…’ so hopefully I think for now we have to wait. Looking forward to it!

Has anybody on 7.10 figured out the ‘right’ way to do this? The help documentation: https://help.mikrotik.com/docs/display/ROS/WifiWave2#WifiWave2-CAPsMAN-CAPVLANconfigurationexample: (anchor link isn’t working, “CAPsMAN - CAP VLAN configuration example:” is what to look for) isn’t very clear. I’m not quite sure I understand adding the datapath on the cap devices, then the slave-datapath setting in the cap section, when I’m defining the datapath/etc configuration on the capsman side. It does not appear to work, either way.

To be clear, I am configuring capsman on my router, which is connected to a switch, which then the caps are connected to. I want the various SSIDs on the caps to be associated with various VLAN IDs (tagged on switch port uplinked to APs). slaves-datapath has a blank description on the help site, so I have no idea what that’s supposed to do.

[Edit: You have to disable bridge vlan-filtering on the caps. I did have to do the slave-datapath and the datapath definition on the caps, I have no idea why, but it appears to work with those set.]

I can’t make this work :frowning:

Am I supposed to do the VLAN ID in the datapath on the cap itself? And set up Bridge VLANs on the cap itself and add the wifi interfaces into the bridge on the cap itself?

Shouldn’t capsman take care of the full Cap configuration?

What about on the Capsman though. Do I add the same cap interfaces into bridge vlans on there? Nothing seems to work for me anyway.

Also, the provisioning doesn’t add the cap interfaces into a bridge on the capsman controller. Is that because it’s not doing forwarding?

I am trying to end up with a configuration where I can plug a cAP ax into any of the bridged eth2 - eth5 ports and have a guest wifi and standard wifi come down the one cable as separate VLANs.

I can make it work with local interfaces on the Capsman controller (hap AX2), but not the cap.

Hmm, I got it working.

Seems that on the CAP, you have to make sure you create the datapath and add it to the bridge, but without specifying a VLAN.
Create another datapath for the slave config for the other VLAN/guest wifi, add it to the same bridge, again no need to specify the actual VLAN ID.
Turn off VLAN filtering on the CAP bridge, don’t put any VLAN configuration on the CAP bridge.

Since I am using the Capsman as the main router with DHCP, I have to add the VLAN Interfaces into the lan-bridge on the capsman.
On capsman bridge>vlan, create an entry for my two VLANs (one entry for both VLANs will do), add each of the LAN ports that the caps devices might be plugged in to, into the tagged list, and also either the bridge itself, or just the VLAN interfaces. Edit: Actually, no, it seems I have to add the lan-bridge or the slave/guest doesn’t get DHCP. Seems weird but it works. Adding the VLAN Interfaces and physical LAN ports isn’t enough.

Confirm in the bridge > hosts tab on capsman that the wifi client device is showing there with the correct VLAN ID.

I’m still a bit sketchy with this but I will spend more time trying to learn it.
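The layout this post arrived at, written out as RouterOS CLI commands. This is an added example, not the poster's own export; the names lan-bridge (router), bridge_primary (CAP), ether2-ether5 as CAP uplink ports, VLAN 20 for the standard SSID, VLAN 61 for guests, the SSID "Guests", the security template MySecurityTemplate and the DP_* datapath names are all assumptions.

```routeros
# ---- CAPsMAN side (router running DHCP) ----
# One VLAN interface per WiFi VLAN so DHCP and firewall rules can be per VLAN
/interface vlan
add name=VLAN_20 vlan-id=20 interface=lan-bridge
add name=VLAN_61 vlan-id=61 interface=lan-bridge

# Datapaths carry only the VLAN id; bridge membership is done locally on the CAP (below),
# which is what this post found to work
/interface wifiwave2 datapath
add name=DP_STD vlan-id=20
add name=DP_GUESTS vlan-id=61

/interface wifiwave2 configuration
add name=WiFi_STD ssid="MySSID" datapath=DP_STD security=MySecurityTemplate
add name=WiFi_GUESTS ssid="Guests" datapath=DP_GUESTS security=MySecurityTemplate

# Guest SSID is a slave of the standard one; the slave only adds SSID/security
/interface wifiwave2 provisioning
add action=create-dynamic-enabled master-configuration=WiFi_STD \
    slave-configurations=WiFi_GUESTS

# Both VLANs tagged on every port a CAP may be plugged into, and on the bridge
# itself (the post found the slave/guest SSID gets no DHCP without lan-bridge here)
/interface bridge vlan
add bridge=lan-bridge vlan-ids=20,61 tagged=lan-bridge,ether2,ether3,ether4,ether5
/interface bridge set lan-bridge vlan-filtering=yes

# ---- CAP side ----
# No VLAN filtering and no bridge VLAN table on the CAP; the radio just joins the bridge
/interface bridge set bridge_primary vlan-filtering=no

# Local datapath: bridge only, no vlan-id (the VLAN id comes from the provisioned config)
/interface wifiwave2 datapath
add name=DP_CAP bridge=bridge_primary

/interface wifiwave2
set [ find default-name=wifi1 ] datapath=DP_CAP
set [ find default-name=wifi2 ] datapath=DP_CAP

# Slave (guest) interfaces created by provisioning use the same local datapath
/interface wifiwave2 cap
set enabled=yes slaves-datapath=DP_CAP

# Check on the router: a connected client should appear with the expected VID
# /interface bridge host print
```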

The only place where I defined the datapath is on the CAPsMAN controller; I never touched the CAPs or any settings on them.

It does need to be there, but default CAP settings should take care of it.

I only specified the datapath and created hybrid ports where untagged is management and tagged are the other VLANs, so I presume that everything is done by ROS.