Hello. Please help me with advice.

What I want: connect "traveling" mAP lite to any of available WiFi networks at place. Once connected to WiFi, automatically connect to home vpn. Then automatically get only one of 2.4GHz configs provisioned to mAP lite (from capsman), so other devices can connect to this AP it just like if they're at home.

What I have:
1) home: hex poe (RB960PGS). It runs DHCP servers, vlans, capsman and vpn configured. VPN is set as per "Road Warrior setup using IKEv2 with RSA authentication".
Capsman provisions configs to wAP AC (RBwAPG-5HacT2HnD). It has 1x 5GHz AP and 5x 2.4GHz APs (1 master and 4x slaves), all running in separate vlans (networks like 10.10.10.0/, 10.10.20.0/, etc.) except for 5GHz AP that is bridged with ethernet ports and runs without vlan (network 10.10.0.0/).
2) remote: mAP lite (RBmAPL-2nD)
3) some very basic knowledge/experience in networking

Is it possible, and if "yes", is it sort of standart/easy configuration?

If "yes", maybe you can point me to any guides/wiki that should help me to get it configured step by step.
I wasn't sucesfull in finding one, but maybe I was using weak search query.

Few other topics I've found on the matter have configs that differs from mine, so knowing devil is in details, I wasn't sure I can apply them (viewtopic.php?f=7&t=114744 , viewtopic.php?f=7&t=130504, viewtopic.php?t=95402, https://www.reddit.com/r/mikrotik/comme ... _wireless/).

So I would like to clarify upfront if what I want is possible and then start configuration.

Thank you!

It is possible, but in the general case it is very tricky.

I'm building myself a travel router with a mAP Lite, mostly following the ideas from Lorenzo Bussatti ( https://www.youtube.com/watch?v=VeZetH9uX_Y ).

I have it mostly working with a few VPN networks dialled on demand to route private ranges for different purposes, but there are a few problems:

• I want the connections be all wireless in the usual use case, to avoid having an ethernet/USB cable plugged in my laptop all the time. This implies that the master intefaces (I called it sta1) needs to be the one in station mode, and the different APs are virtual interfaces. Every time the master interface gets disconnected or roams all APs get annoyingly disabled. This could be solved if you can use a dual radio AP, where you can connect the 2.4 radio as station and keep the different APs in the 5MHz one, assuming that all of your target devices are 5Mz-capable
• Roaming as per /interface wilreless connect-list does not clear dhcp-lease, which means problems, that I mostly solved through a script, but some APs don't like the illegal leases appearing and spurious releases and the mAP ends up banned from dhcp...
• There is no easy way to add and prioritize new security-profile/connect-list entries, especially when the AP is not working because the station is roaming/looking for AP
• The android AP does not show correctly the station SSID in use or allow me to set it in the from screen, and I think does not work in the presence of connect-lists with different ssids (I would not be too difficult to handle from it)

I am trying to organise and modularise the configuration/scripts in the line of eworm's configuration management at https://github.com/eworm-de/routeros-scripts/ and in his great MUM talk and publish the non private parts of it, but it will take some time.

It is possible, but in the general case it is very tricky.

@nostromog - sorry, I hadn't say thank you last time I've read your post as I had issues with accessing the forum and then it just felt away.
So thank you! Good luck solving all the puzzles and if by chance you've already came by with stable/robust solution - please share if you feel comfortable doing so!

You can't do that. You have either local wireless configuration or device is connected to capsman. Both is not possible, at least not with a single band device.
You could use wAP ac (or similar dual band device), connect 2.4GHz to hotel wifi und use 5GHz for your SSID via capsman.

What is possible, though, is to run a STA mode and an AP mode on the same wireless interface. So you can set up the physical wireless interface to station mode, connect to the hotel WiFi, and on the same channel and with the same physical settings, run several virtual interfaces in AP mode, using the station one as master-interface. Hence all your devices will get the SSIDs they are used to, but depending on how you set up the VPN tunnel (L2 or L3), they will or will not get IP addresses from the same range like at home. So no CAPsMAN, but otherwise doable even with mAP with its single radio.

What is possible, though, is to run a STA mode and an AP mode on the same wireless interface. So you can set up the physical wireless interface to station mode, connect to the hotel WiFi, and on the same channel and with the same physical settings, run several virtual interfaces in AP mode, using the station one as master-interface. Hence all your devices will get the SSIDs they are used to, but depending on how you set up the VPN tunnel (L2 or L3), they will or will not get IP addresses from the same range like at home. So no CAPsMAN, but otherwise doable even with mAP with its single radio.

Thank you! Will keep this post open for few more years:)

You could use wAP ac (or similar dual band device), connect 2.4GHz to hotel wifi und use 5GHz for your SSID via capsman.

1/2 of the idea was to use travel/mini router:) Maybe MT will sometime release 2 radio upgrade to mAP:) though unlikely.

Anyway, thanks. Speaking of "use 5GHz for your SSID via capsman" - have you seen configs that get's it UP via VPN (that is 2nd half of the idea)?
Awkward workaround is to take two mAP lite but I still need to find out how to do capsman over VPN.

I still need to find out how to do capsman over VPN.

It depends on through what parts of the world you plan to travel. CAPsMAN prefers L2 transparency between the cAPs and the CAPsMAN master, but if it doesn't have one, it is happy with routed UDP, so there is no need to waste bandwidth on tunnelling of L2 over VPN twice (because already the communication between the cAP and the CAPsMAN master is actually an L2 tunnel). However, the CAPsMAN communication is very sensitive about packet loss, so you may find your cAP's wireless interfaces to be restarting unpleasantly often. Hence I'd definitely prefer some kind of configuration synchronisation, which would configure the virtual APs on your "pocket home" according to the CAPsMAN configuration if your motivation is that you change the settings so often that manually copying these changes to the pocket home would be annoying.

I still need to find out how to do capsman over VPN.

It depends on through what parts of the world you plan to travel. CAPsMAN prefers L2 transparency between the cAPs and the CAPsMAN master, but if it doesn't have one, it is happy with routed UDP, so there is no need to waste bandwidth on tunnelling of L2 over VPN twice (because already the communication between the cAP and the CAPsMAN master is actually an L2 tunnel). However, the CAPsMAN communication is very sensitive about packet loss, so you may find your cAP's wireless interfaces to be restarting unpleasantly often. Hence I'd definitely prefer some kind of configuration synchronisation, which would configure the virtual APs on your "pocket home" according to the CAPsMAN configuration if your motivation is that you change the settings so often that manually copying these changes to the pocket home would be annoying.

You're right, assuming there is no "out of the box" solution and also there are side effects, it is indeed easier and more robust to run config manually - wifi and vpn, at least till the moment such OoB config appears:) Thank you!

I have to similar use case like yours, except I don;t use Capsman ( I used VPN from time to time but not these days)
I used map lite, sometimes hap lite or hap ac2 when travel.
It also depends if you want to go into your rental place, connect you device and its done, or if fiddiling around without during
your vacation is part of the vacation .

To me actually map lite is not the best "one fits all solution" for your use case (its the smallest ok).
The ideal device for this (size and form and cost) is: Hap Mini (even less cost than the map lite) as it offers 3 Eth ports, one for LAN (config)
one for WAN (plus one for whatever you need it).
- Many Hotel's , rental flats, rental homes do often have Internet via Eth port in the room or access to the DSL/GPON box in rental places.
- With HAP mini you can easily set up the device via the ETH port. At the same time you can also directly plug it into an available WAN port of a box/hotel room.
So in case you have WAN port somewhere you just plug it in and you are done!!! No need to take
your laptop with you etc...

Coming back to your config.
I have most of my router boards (single band/dual band/ triple band) all set up the same. I can unplug one and replug another, all works.
My travel devices "shows" same SSID ( 6 in total) as at home (same isolation, VLAN etc.) as at home.
The only changes I might need to make is when a new phone or devices comes in and I have to add it into the access list of all devices. But that is really simple.
I also sometimes use VPN (Cyberghost/NordVPN etc.) on travel device to be able to access geolocked films etc. from our Pay TV provider on my Chromecast device
that travels with me.

most of all, it always works, will not depend on connection to your home etc.
So for me using Capsman for what you want to achieve is complete overblow (I understand the "beauty of the concept" ).
Just use the right device (I recommend the small hap mini) and mirror your home config and you spend less time on setup and more on "enjoy"!