Wifiwave2 configuration

I’m trying to configure CAPsMAN. Right now it is for learning and testing purposes; my setup is a hAP ax3 as the controller and two cAP ax units as access points.

This is my configuration on controller:

# 2023-07-01 19:54:45 by RouterOS 7.11beta2
# software id = 
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
# RouterOS export (7.11beta2) as posted; the "software id" / "serial number"
# fields in the header above were blanked by the poster.
/disk
set usb2 type=hardware
# One bridge with VLAN filtering on. Every VLAN interface below sits on it and
# the per-port pvid/frame-types in "/interface bridge port" decide which VLAN an
# untagged client lands in. admin-mac= is empty in the post (redacted); with
# auto-mac=no a real MAC is expected here, otherwise the import will complain.
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
# Port roles as documented by their comments. These are labels only; the actual
# VLAN membership is set on the bridge ports and in the bridge VLAN table below.
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=TRUNK
set [ find default-name=ether3 ] comment=VLAN10_TEA_RADNI_PC
set [ find default-name=ether4 ] comment=VLAN88_HOME
set [ find default-name=ether5 ] comment=VLAN88_HOME
# The hAP ax3's own two radios. configuration.manager=local means they are
# configured here, not by the CAPsMAN provisioning rules further down.
# - security.passphrase is missing, presumably stripped by the export
#   (no show-sensitive).
# - authentication-types=wpa2-psk,wpa3-psk is WPA3 transition mode: a client
#   that only speaks WPA2 is still accepted, so the SSID is only as strong as
#   WPA2-PSK until wpa2-psk is dropped.
# - NOTE(review): unlike cfg1-5 / cfg2-2.4 below, there is no security.ft=yes
#   here, so 802.11r fast transition between these radios and the cAP ax radios
#   is not enabled as exported - confirm whether that is intended.
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    disabled .width=20/40/80mhz comment="5 GHz" configuration.country=Croatia \
    .manager=local .mode=ap .ssid=Mikrotik mtu=1500 \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .frequency=2412 \
    .skip-dfs-channels=disabled .width=20mhz comment="2.4 GHz" \
    configuration.country=Croatia .manager=local .mode=ap .ssid=Mikrotik \
    security.authentication-types=wpa2-psk,wpa3-psk
# Virtual interface for the iperf3 container. It gets a static address on the
# HOME subnet (10.10.88.0/24) and is bridged untagged into VLAN 88 below, so from
# the firewall's point of view the container is just another HOME host.
/interface veth
add address=10.10.88.100/24 comment=IPERF3 gateway=10.10.88.1 name=\
    veth1-iperf3
# Router-side L3 interfaces, one per VLAN. Their addresses and DHCP servers are
# defined further down; which physical ports carry each VLAN is decided in
# "/interface bridge vlan".
/interface vlan
add interface=bridge name=VLAN10_TEA_PC vlan-id=10
add interface=bridge name=VLAN20_SECURITY vlan-id=20
add interface=bridge name=VLAN30_IOT vlan-id=30
add interface=bridge name=VLAN40_IPTV vlan-id=40
add interface=bridge name=VLAN88_HOME vlan-id=88
# WAN and LAN are the lists the default firewall keys on. HOME is a custom list
# that, in this export, is only used by "/tool mac-server mac-winbox".
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=HOME
# CAPsMAN configurations pushed to the cAP ax units by the provisioning rules.
# security.passphrase is absent (stripped by the export). All three share SSID
# "Mikrotik" in WPA2/WPA3 transition mode with 802.11r (ft + ft-over-ds) on; the
# WPA2 downgrade caveat from the local radios applies here as well.
# cfg3-2.4@2412MHz is only ever used as a slave configuration (see provisioning).
# A slave/virtual AP runs on its master's radio and channel, so its own
# channel.frequency=2412 presumably has no effect - verify it was meant to exist
# at all, since it creates a second, identically named SSID on the same radio.
/interface wifiwave2 configuration
add channel.band=5ghz-ax .frequency=5180 .width=20/40/80mhz country=Croatia \
    disabled=no mode=ap name=cfg1-5 security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes ssid=Mikrotik
add channel.band=2ghz-ax .frequency=2437 .width=20/40mhz country=Croatia \
    disabled=no mode=ap name=cfg2-2.4 security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes ssid=Mikrotik
add channel.band=2ghz-ax .frequency=2412 .width=20/40mhz country=Croatia \
    disabled=no mode=ap name=cfg3-2.4@2412MHz security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes ssid=Mikrotik
# Static CAP interface entries (presumably the two cAP ax units' radios:
# 2 x 5 GHz, 2 x 2.4 GHz). NOTE(review): the per-interface channel.frequency
# values are expected to override the bound configuration, and they disagree
# with it: the 5 GHz entries use 5500 MHz (channel 100, a DFS channel in the EU)
# while cfg1-5 says 5180, and cap-wifi2 uses 2437 while it is bound to a profile
# named "...@2412MHz". Either drop the overrides or rename the profiles so the
# names stop lying.
/interface wifiwave2
add channel.frequency=5500 configuration=cfg1-5 configuration.mode=ap \
    disabled=no name=cap-wifi1
add channel.frequency=2437 configuration=cfg3-2.4@2412MHz configuration.mode=\
    ap disabled=no name=cap-wifi2
add channel.frequency=5500 configuration=cfg1-5 configuration.mode=ap \
    disabled=no name=cap-wifi3
add channel.frequency=2437 configuration=cfg2-2.4 configuration.mode=ap \
    disabled=no name=cap-wifi4
# One DHCP pool and server per VLAN, all with one-day leases. VLAN 10 hands out
# only four addresses (10.10.10.2-5). No static reservations exist in this
# export ("/ip dhcp-server lease" below is empty), so addresses are first-come.
/ip pool
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.5
add name=dhcp_pool2 ranges=10.10.20.2-10.10.20.150
add name=dhcp_pool3 ranges=10.10.30.2-10.10.30.254
add name=dhcp_pool4 ranges=10.10.40.2-10.10.40.50
add name=dhcp_pool5 ranges=10.10.88.2-10.10.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLAN10_TEA_PC lease-time=1d name=\
    dhcp_VLAN10
add address-pool=dhcp_pool2 interface=VLAN20_SECURITY lease-time=1d name=\
    dhcp_VLAN20
add address-pool=dhcp_pool3 interface=VLAN30_IOT lease-time=1d name=\
    dhcp_VLAN30
add address-pool=dhcp_pool4 interface=VLAN40_IPTV lease-time=1d name=\
    dhcp_VLAN40
add address-pool=dhcp_pool5 interface=VLAN88_HOME lease-time=1d name=\
    dhcp_VLAN88
/port
set 0 name=serial0
# iperf3 container on veth1-iperf3 (HOME VLAN), started at boot. Security notes:
# - images come straight from registry-1.docker.io and nothing in this config
#   pins an image digest, so whatever the tag resolves to at pull time is run.
# - veth1-iperf3 is also a LAN-list member, so a compromised container reaches
#   the router's input chain exactly like any wired HOME client.
# - tmpdir is on the USB disk (usb1-part1); pulls fail if the disk is absent.
/container
add interface=veth1-iperf3 logging=yes start-on-boot=yes workdir=/
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1-part1/pull
# Bridge port roles:
# - ether2: trunk, tagged frames only (untagged frames are discarded).
# - ether3: access port, VLAN 10.
# - ether4, ether5, wifi1, wifi2 and the container veth: access ports, VLAN 88.
# Every access port uses admit-only-untagged-and-priority-tagged, so a client
# cannot hop into another VLAN simply by tagging its own frames.
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
    interface=ether2
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether4 pvid=88
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=ether5 pvid=88
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi1 pvid=88
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=wifi2 pvid=88
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=veth1-iperf3 pvid=88
# Neighbour discovery (MNDP/CDP/LLDP) is announced on every LAN-list member,
# VLAN30_IOT and VLAN40_IPTV included. Consider limiting it to HOME so IoT
# devices are not handed the router's identity, model and version for free.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# IPv6 is switched off entirely; this also makes the "/ipv6 firewall" sections
# below inert until it is re-enabled.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=15360
# Bridge VLAN table. "bridge" is tagged in every entry so the router's own
# /interface vlan interfaces see each VLAN. VLAN 88 is the only VLAN carried
# both on the trunk and untagged to the access ports and local radios; VLAN 10
# exists only on ether3 and is NOT on the trunk (so if the cAPs hang off ether2
# they cannot serve it); VLANs 20/30/40 exist only tagged on the trunk.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=wifi1,wifi2,ether4,ether5 \
    vlan-ids=88
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether2 vlan-ids=30
add bridge=bridge tagged=bridge,ether2 vlan-ids=40
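# Firewall interface lists. Everything that is not WAN is in LAN - the IoT and
# IPTV VLANs and the container veth included - and the input chain accepts all
# of LAN, so every one of these interfaces can reach every router service.
# HOME (VLAN 88 only) is used solely for mac-winbox.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN10_TEA_PC list=LAN
add interface=VLAN20_SECURITY list=LAN
add interface=VLAN30_IOT list=LAN
add interface=VLAN40_IPTV list=LAN
add interface=VLAN88_HOME list=LAN
add interface=VLAN88_HOME list=HOME
add interface=veth1-iperf3 list=LAN
# Removed two members that the export printed as "*F" and "*11". Those are the
# internal IDs of interfaces that no longer exist: the lines cannot be imported
# as written, and unresolved LAN members make it unclear what the firewall
# actually trusts. If they were meant to be the CAP radios, add them by name.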
# CAPsMAN (wifiwave2 flavour). require-peer-certificate=no means any CAP that
# can reach the controller is adopted without proving its identity and receives
# the provisioned configuration, security settings included. Acceptable for a
# lab; for anything else enrol the cAPs once, then set
# require-peer-certificate=yes. Reachability is limited only by the input
# chain's "drop all not coming from LAN" rule, so every LAN-list VLAN (IoT
# included) can talk to CAPsMAN. upgrade-policy=none leaves CAP firmware alone.
/interface wifiwave2 capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=\
    no upgrade-policy=none
# Provisioning: 5 GHz radios get cfg1-5; 2.4 GHz radios get cfg2-2.4 as master
# plus cfg3-2.4@2412MHz as a slave (virtual) AP. create-dynamic-enabled creates
# the managed interfaces dynamically at adoption time.
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg1-5 \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=cfg2-2.4 \
    slave-configurations=cfg3-2.4@2412MHz supported-bands=2ghz-ax
# Router address on each VLAN (always .1/24); ether1 gets its WAN address from
# the upstream DHCP server.
/ip address
add address=10.10.10.1/24 comment="VLAN10 _TEA_PC" interface=VLAN10_TEA_PC \
    network=10.10.10.0
add address=10.10.20.1/24 comment=VLAN20_SECURITY interface=VLAN20_SECURITY \
    network=10.10.20.0
add address=10.10.30.1/24 comment=VLAN30_IOT interface=VLAN30_IOT network=\
    10.10.30.0
add address=10.10.40.1/24 comment=VLAN40_IPTV interface=VLAN40_IPTV network=\
    10.10.40.0
add address=10.10.88.1/24 comment=VLAN88_HOME interface=VLAN88_HOME network=\
    10.10.88.0
/ip dhcp-client
add comment=defconf interface=ether1
# No static leases are defined.
/ip dhcp-server lease

# DHCP options per VLAN. Only VLAN 88 is given an explicit dns-server
# (10.10.88.13, a host on the HOME subnet). The other VLANs have no dns-server
# option here; with "/ip dns allow-remote-requests=yes" they presumably get the
# router itself as resolver - verify on a client before relying on it.
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.30.0/24 gateway=10.10.30.1
add address=10.10.40.0/24 gateway=10.10.40.1
add address=10.10.88.0/24 dns-server=10.10.88.13 gateway=10.10.88.1
# allow-remote-requests=yes makes the router answer DNS on every interface at
# the service level, WAN included; only the input-chain rule "drop all not
# coming from LAN" keeps it from being an open resolver. Do not loosen that rule
# without also restricting DNS by source address.
/ip dns
set allow-remote-requests=yes
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Everything not from a LAN-list interface is dropped here, which is what
# shields DNS (allow-remote-requests=yes) and CAPsMAN from the WAN. The flip
# side: there is no per-service rule, so every LAN-list VLAN - VLAN30_IOT and
# VLAN40_IPTV included - reaches every router service (WinBox, SSH, WWW, DNS,
# CAPsMAN adoption). Consider an explicit accept for management ports from HOME
# followed by a drop of those ports from the other VLANs; "/ip service" is not
# in this export, so check it too.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# --- forward: traffic routed through the router ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# VLAN isolation (the Croatian comment strings read "cut traffic from VLANxx to
# VLAN88"). These sit after the established/related accept, so they stop only
# NEW connections from VLAN 10/20/30/40 into HOME; replies to connections that
# HOME opened still flow. Gaps to be aware of:
# - only the direction into VLAN 88 is covered: nothing blocks
#   VLAN30_IOT -> VLAN20_SECURITY or -> VLAN10, VLAN40 -> VLAN20, and so on;
# - the forward chain has no final drop, so anything not matched below is
#   accepted, including HOME into every other VLAN (probably intended);
# - traffic from those VLANs to the router's own HOME address (10.10.88.1) is
#   handled by the input chain, not here, so the service exposure noted above is
#   not reduced by these rules.
add action=drop chain=forward comment="Prekid prometa od VLAN10 na VLAN88" \
    in-interface=VLAN10_TEA_PC out-interface=VLAN88_HOME
add action=drop chain=forward comment="Prekid prometa od VLAN20 na VLAN88" \
    in-interface=VLAN20_SECURITY out-interface=VLAN88_HOME
add action=drop chain=forward comment="Prekid prometa od VLAN30 na VLAN88" \
    in-interface=VLAN30_IOT out-interface=VLAN88_HOME
add action=drop chain=forward comment="Prekid prometa od VLAN40 na VLAN88" \
    in-interface=VLAN40_IPTV out-interface=VLAN88_HOME
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Unsolicited inbound from WAN is dropped unless a dst-nat rule claimed it.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT for everything leaving via WAN; ipsec-policy=out,none keeps
# IPsec-bound traffic un-NATed.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): 10.10.100.2 appears nowhere else in this export - no interface
# address, route or DHCP range covers 10.10.100.0/24 (the iperf3 veth is on
# 10.10.88.100). The "Dokeri_net" rule masquerades any traffic from that source
# on any out-interface, and the Pi-hole dst-nat sends 10.10.88.1:81 to it.
# These look like leftovers from an earlier container network; either restore
# that network or remove both rules so port 81 is not silently forwarded to an
# address this router only knows via its default route.
add action=masquerade chain=srcnat comment=Dokeri_net src-address=10.10.100.2
add action=dst-nat chain=dstnat comment=Pihole_HTTP dst-address=10.10.88.1 \
    dst-port=81 protocol=tcp to-addresses=10.10.100.2 to-ports=80
# Default IPv6 firewall (address list of bogon/unusable prefixes plus the
# stock input/forward rules). With "/ipv6 settings disable-ipv6=yes" none of
# this is active today; keep it so that re-enabling IPv6 later does not expose
# the router unfiltered.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# input: same shape as the IPv4 chain - stateful accept, ICMPv6, traceroute,
# DHCPv6-PD from link-local, IKE/IPsec, then drop anything not from LAN.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# forward: note that, unlike IPv4, there are no per-VLAN isolation rules here,
# so if IPv6 is ever enabled the VLAN10/20/30/40 -> VLAN88 blocks will not apply
# to IPv6 traffic until equivalents are added.
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=hAP_ax3_router
/system note
set show-at-login=no
# Update channel "testing" (the export header shows 7.11beta2). Fine for a
# learning setup; not the channel to run on a router that is someone's Internet
# edge.
/system package update
set channel=testing
# MAC-server (MAC telnet) is off everywhere. MAC-WinBox stays reachable from the
# HOME list, i.e. VLAN 88: the wired HOME ports and the clients of wifi1/wifi2,
# which are untagged in VLAN 88. MAC-level access bypasses the IP firewall
# entirely, so make sure that is intended for wireless HOME clients too, or set
# it to none when it is not needed.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=HOME

I enabled the FT and FT-over-DS options, but how can I tell whether clients are actually roaming between the two APs?

EDIT: I presume this log means it’s working :smiley:

Roaming.jpg
At what signal level do devices roam to another AP? I went upstairs and my phone stayed connected to the downstairs AP at a signal level of -63 dBm; only after I disabled and re-enabled Wi-Fi did the phone connect to the upstairs AP.

So my wife’s phone roams without problems, but mine doesn’t want to roam for some reason. I can see, for example, that the signal gets low (about -87 dBm), then I get an "SA Query timeout" (the 802.11w/PMF liveness check that WPA3 requires) and the phone reconnects to the other AP.

It’s working now, every device I tested for now roams without a problem.