WifiWave2 "no connection to CAPsMAN"

Hi,

I have a very simple configuration with MikroTik devices: a router and an AP. I would like to manage the AP with CAPsMAN, but it does not work. On the AP's wifiwave2 interfaces I have the information “managed by CAPsMAN”, but on the router's wifiwave2 CAP interfaces I have the information “no connection to CAPsMAN, managed locally”. Can you look at my configuration and tell me what’s wrong?

cAP ax (arm64) v7.11.2

# 1970-01-02 00:03:53 by RouterOS 7.11.2
# software id = NVFZ-WWS8
#
# model = cAPGi-5HaxD2HaxD
# serial number = <removed>
/interface bridge
add admin-mac=78:9A:18:4E:6C:A3 auto-mac=no comment=defconf name=bridgeLocal
/interface wifiwave2 datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifiwave2
# managed by CAPsMAN
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp \
    disabled=no
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp \
    disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifiwave2 cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system note
set show-at-login=no

RB3011 UiAS-RM (arm) v.7.11.2

# 1970-01-02 01:43:37 by RouterOS 7.11.2
# software id = 12FA-JLNX
#
# model = RB3011UiAS
# serial number = <removed>
/interface bridge
add name=br vlan-filtering=yes
/interface vlan
add interface=br name=VLAN20 vlan-id=20
add interface=br name=VLAN30 vlan-id=30
/interface wifiwave2 channel
add frequency=5180,2412 name=CH
/interface wifiwave2 datapath
add bridge=br name=VLAN20 vlan-id=20
add bridge=br name=VLAN30 vlan-id=30
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk name=security
/interface wifiwave2 configuration
add channel=CH country=Latvia datapath=VLAN20 disabled=no manager=\
    capsman-or-local name=2Ghz_main security=security ssid=2G_MAIN
add channel=CH country=Latvia datapath=VLAN30 name=2Ghz_guest security=\
    security ssid=2G_Guest
add channel=CH country=Latvia datapath=VLAN20 disabled=no manager=\
    capsman-or-local name=5Ghz_main security=security ssid=5G_MAIN
add channel=CH country=Latvia datapath=VLAN30 name=5Ghz_guest security=\
    security ssid=5G_Guest
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=br name=dhcp1
add address-pool=dhcp_pool1 interface=VLAN20 name=dhcp2
add address-pool=dhcp_pool2 interface=VLAN30 name=dhcp3
/port
set 0 name=serial0
/interface bridge port
add bridge=br interface=ether9
add bridge=br interface=ether10
add bridge=br interface=ether8
/interface bridge vlan
# ether5 not a bridge port
add bridge=br tagged=ether5,br vlan-ids=20
# ether5 not a bridge port
add bridge=br tagged=ether5,br vlan-ids=30
/interface wifiwave2 capsman
set enabled=yes interfaces=br package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-dynamic-enabled master-configuration=2Ghz_main name-format=\
    2G-%I slave-configurations=2Ghz_guest supported-bands=2ghz-ax
add action=create-dynamic-enabled master-configuration=5Ghz_main name-format=\
    5G-%I slave-configurations=5Ghz_guest supported-bands=5ghz-ax
/ip address
add address=192.168.1.1/24 interface=br network=192.168.1.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
/system logging
add prefix=debug topics=caps
add topics=debug,caps
add topics=interface,debug
add topics=wireless,debug
add prefix=debug topics=interface
add prefix=debug topics=wireless
/system note
set show-at-login=no

Is your cAP ax connected to ether5 of your RB3011?

Correct question.

shmitd2 :
Your config is listening to bridge br for caps but ether5 is not part of that bridge.
So nothing will come in if those caps are connected via ether5.

Looking at config, only ether 8,9 and 10 are bridge members. What is with the other ports ?

As @holvoetn said, you set listening interface to bridge but ether5 is not a bridge member so it’s normal that there is no connection between cap and manager.

Add ether5 as bridge member, untag PVID 1 on ether5 as this is your mgmt network I presume, tag PVID 20, 30 and bridge and then it should work.

But this is not default configuration, what are you trying to achieve ?

it’s connected to eth10

Why do you think CAPsMAN is listening on eth5?
As we see here:

/interface wifiwave2 capsman
set enabled=yes interfaces=br package-path="" require-peer-certificate=no \
    upgrade-policy=none

CAPsMAN is listening on the bridge interface.

This is configuration from https://help.mikrotik.com/docs/display/ROS/WifiWave2

question was not about where capsman is “listening”, but where you physically plugged in the cAP device. That we can’t know from the config.

Then you should tag your VLANs 20 and 30 for ether10 as well because you are expecting those VLANs on CAP. Untag ether10 for VLAN1 because on default VLAN you have 192.168.1.0/24 network and it’s assigned to bridge, and that is where CAPsMAN is listening.
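The two layer-2 checks raised in the replies above (is the CAP's port a member of the bridge CAPsMAN listens on, and are VLANs 20 and 30 tagged on that port), as an added Python example that is not part of the original thread. `parse_export`, `check` and the `uplink` argument are hypothetical names; the sample is the relevant part of the first RB3011 export quoted above.

```python
import re
from collections import defaultdict
# Constructed sample: relevant sections of the first RB3011 export in this thread.
EXPORT = """\
/interface bridge
add name=br vlan-filtering=yes
/interface bridge port
add bridge=br interface=ether9
add bridge=br interface=ether10
add bridge=br interface=ether8
/interface bridge vlan
add bridge=br tagged=ether5,br vlan-ids=20
add bridge=br tagged=ether5,br vlan-ids=30
/interface wifiwave2 capsman
set enabled=yes interfaces=br package-path="" require-peer-certificate=no \\
    upgrade-policy=none
"""

def parse_export(text):
    """Return {menu path: [key=value dict for each add/set line]}."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    menus, path = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif path and line.startswith(("add ", "set ")):
            menus[path].append(dict(re.findall(r'([\w.-]+)=("[^"]*"|\S+)', line)))
    return menus

def check(text, uplink):
    """List layer-2 mismatches for a CAP plugged into `uplink`.
    `uplink` is an assumption supplied by the operator: the export
    does not record which port the CAP is physically cabled to."""
    m = parse_export(text)
    members = defaultdict(set)
    for p in m["/interface bridge port"]:
        members[p["bridge"]].add(p["interface"])
    problems = []
    for v in m["/interface bridge vlan"]:
        tagged = set(v.get("tagged", "").split(","))
        for port in sorted(tagged - members[v["bridge"]] - {v["bridge"]}):
            problems.append(f"vlan {v['vlan-ids']}: {port} is tagged but not a port of {v['bridge']}")
        if uplink in members[v["bridge"]] and uplink not in tagged:
            problems.append(f"vlan {v['vlan-ids']}: not tagged on CAP uplink {uplink}")
    for c in m["/interface wifiwave2 capsman"]:
        for iface in c.get("interfaces", "").split(","):
            if uplink != iface and uplink not in members[iface]:
                problems.append(f"CAPsMAN listens on {iface}; {uplink} is not a member")
    return problems
```

An empty list only means these bridge and VLAN conditions hold; it says nothing about firewall rules or certificates.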

cAP is connected to eth10

I corrected the config, but it is still saying “no connection to CAPsMAN, managed locally”

# 1970-01-02 00:13:11 by RouterOS 7.11.2
# software id = 12FA-JLNX
#
# model = RB3011UiAS
/interface bridge
add name=br vlan-filtering=yes
/interface vlan
add interface=br name=VLAN20 vlan-id=20
add interface=br name=VLAN30 vlan-id=30
/interface wifiwave2 channel
add frequency=5180,2412 name=CH
/interface wifiwave2 datapath
add bridge=br name=VLAN20 vlan-id=20
add bridge=br name=VLAN30 vlan-id=30
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk name=security
/interface wifiwave2 configuration
add channel=CH country=Latvia datapath=VLAN20 disabled=no name=2Ghz_main \
    security=security ssid=2G_MAIN
add channel=CH country=Latvia datapath=VLAN30 disabled=no name=2Ghz_guest \
    security=security ssid=2G_Guest
add channel=CH country=Latvia datapath=VLAN20 disabled=no name=5Ghz_main \
    security=security ssid=5G_MAIN
add channel=CH country=Latvia datapath=VLAN30 disabled=no name=5Ghz_guest \
    security=security ssid=5G_Guest
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=br name=dhcp1
add address-pool=dhcp_pool1 interface=VLAN20 name=dhcp2
add address-pool=dhcp_pool2 interface=VLAN30 name=dhcp3
/port
set 0 name=serial0
/interface bridge port
add bridge=br interface=ether9
add bridge=br interface=ether10
add bridge=br interface=ether8
add bridge=br interface=ether2
add bridge=br interface=ether3
add bridge=br interface=ether4
add bridge=br interface=ether5
add bridge=br interface=ether6
add bridge=br interface=ether7
/interface bridge vlan
add bridge=br tagged=ether10,br vlan-ids=20
add bridge=br tagged=ether10,br vlan-ids=30
/interface wifiwave2 capsman
set enabled=yes interfaces=br package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-dynamic-enabled master-configuration=2Ghz_main name-format=\
    2G-%I slave-configurations=2Ghz_guest supported-bands=2ghz-ax
add action=create-dynamic-enabled master-configuration=5Ghz_main name-format=\
    5G-%I slave-configurations=5Ghz_guest supported-bands=5ghz-ax
add action=create-dynamic-enabled master-configuration=2Ghz_main name-format=\
    2G-%I slave-configurations=2Ghz_guest supported-bands=2ghz-ax
add action=create-dynamic-enabled master-configuration=5Ghz_main name-format=\
    5G-%I slave-configurations=5Ghz_guest supported-bands=5ghz-ax
/ip address
add address=192.168.1.1/24 interface=br network=192.168.1.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=VLAN30 network=192.168.30.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
/system logging
add prefix=debug topics=caps
add topics=debug,caps
add topics=interface,debug
add topics=wireless,debug
add prefix=debug topics=interface
add prefix=debug topics=wireless
add prefix=debug topics=caps
add topics=debug,caps
add topics=interface,debug
add topics=wireless,debug
add prefix=debug topics=interface
add prefix=debug topics=wireless
/system note
set show-at-login=no

Can you go to Winbox → Terminal, there enter this:

/interface/bridge/vlan print detail

and show what you get ?

[admin@MikroTik] > /interface/bridge/vlan print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
#   BRIDGE  VLAN-IDS  CURRENT-TAGGED  CURRENT-UNTAGGED
0 D br             1                  br              
                                      ether9          
                                      ether10         
1   br            20  br                              
                      ether10                         
2   br            30  br                              
                      ether10

When you connect PC or laptop to ether10, do you get IP address from 192.168.1.0/24 network ?

Yes, I got an IP from the 192.168.1.0/24 network

You don’t have any firewall rules ?

Something like this:

;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1

I didn’t set up yet.

My advice, reset to default configuration on RB3011 and we will start from there then. You will get default firewall rules that are good enough for like 99% of the users.

Try to manually specify the IP address of the capsman device in the “CAP” menu of the cAP

I found the issue. I always configured cAP through the router. I tried another way.

  1. I connected cAP to the computer first and reset configuration.
  2. Turned on in CAPS mode.
  3. Disconnected my computer from cAP and connected to the router.
  4. CAPsMAN was turned off. Certificates were removed. CAPsMAN was turned on. Certs auto generated.
  5. cAP was connected to the router via eth10 port.

cAP connected to the CAPsMAN. Wifi started to work. Thanks guys for help.

I set CAPsMAN up for the first time today. One takeaway for me: when I reset my CAP, I couldn’t get in to the CAP until I tried ssh, which then prompted me to change the password, phew! I do love the control from 1 item aspect, things like this make me smile hard…

/interface/wifiwave2/monitor 0,1,2,3   
                 state: running      running running      running
               channel: 5560/ax/eeeC 2412/ax 5220/ax/eeCe 2462/ax
      registered-peers: 0            2       3            1
      authorized-peers: 0            2       3            1
              tx-power: 22           14      18           15
    available-channels: 5560/ax/eeeC 2412/ax 5180/ax/Ceee 2462/ax
                                             5200/ax/eCee 
                                             5220/ax/eeCe 
                                             5240/ax/eeeC

My next quest is to get FT working. I did enable it on all the above, which has 2 separate SSIDs. I’m not sure if that is how it works or not, but some of my stuff just wouldn’t connect after enabling FT Enabled and FT Over DS in Winbox. I don’t use a central config.

Oh my days… I wonder why Ipad-Air2
https://support.apple.com/en-gb/101917