DrCure
just joined
Topic Author
Posts: 5
Joined: Sun Nov 06, 2022 2:00 am
Location: Kyiv, Ukraine

Hap AX3 as CAPsMan controller and Hap Ac as a Cap issue  [SOLVED]

Fri Jan 24, 2025 9:57 pm

Hey everyone!
I'm not too experienced with MikroTik devices. I'm using a hAP ax3 as the main router and I want to use my old hAP ac as an access point.
For that purpose I'm trying to use the hAP ac as a CAP, connected to the hAP ax3 (with the CAPsMAN controller enabled) via Ethernet. However, I am facing a problem: the hAP ac connects to the hAP ax3 (I see the hAP ac as a Remote CAP), but it is not getting the WiFi configuration from the ax3.
Both routers are running RouterOS 7.17.

Here are configs:
ax3:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no name=Ch-2-ax skip-dfs-channels=all width=\
    20/40mhz
add band=5ghz-ax disabled=no name=Ch-5-ax skip-dfs-channels=all width=\
    20/40/80mhz
add band=2ghz-n disabled=no name=Ch-2-n skip-dfs-channels=all width=20/40mhz
add band=5ghz-ac disabled=no name=Ch-5-ac width=20/40/80mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=yes disabled=no ft=\
    yes ft-over-ds=yes group-encryption=ccmp group-key-update=40m \
    management-protection=allowed name=Secure-WiFi wps=disable
/interface wifi configuration
add channel=Ch-2-ax country=Ukraine disabled=no mode=ap name=Cfg-2-ax \
    security=Secure-WiFi ssid=MySSID_2GHz
add channel=Ch-5-ax country=Ukraine disabled=no mode=ap name=Cfg-5-ax \
    security=Secure-WiFi ssid=MySSID_5GHz
add channel=Ch-2-n country=Ukraine disabled=no mode=ap name=Cfg-2-n security=\
    Secure-WiFi ssid=MySSID_2GHz
add channel=Ch-5-ac country=Ukraine disabled=no mode=ap name=Cfg-5-ac \
    security=Secure-WiFi ssid=MySSID_5GHz
/interface wifi
set [ find default-name=wifi1 ] channel=Ch-5-ax configuration=Cfg-5-ax \
    configuration.mode=ap disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] configuration=Cfg-2-ax configuration.manager=\
    local .mode=ap disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/ip pool
add name=default-dhcp ranges=192.168.2.100-192.168.2.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
add mac-address=FE:73:2A:40:21:78 name=ovpn-server1
/interface wifi capsman
set enabled=yes interfaces=bridge package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=Cfg-2-n \
    name-format=2GHz-%l-n supported-bands=2ghz-n
add action=create-dynamic-enabled disabled=no master-configuration=Cfg-5-ac \
    name-format=5GHz-%l-ac supported-bands=5ghz-ac
add action=create-dynamic-enabled disabled=no master-configuration=Cfg-2-ax \
    name-format=2GHz-%l-ax supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=Cfg-5-ax \
    name-format=5GHz-%l-ax supported-bands=5ghz-ax
/ip address
add address=192.168.2.1/24 comment=defconf interface=bridge network=\
    192.168.2.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.2.250 client-id=1:f0:2f:4b:11:9b:58 mac-address=\
    F0:2F:4B:11:9B:58 server=defconf
add address=192.168.2.249 client-id=1:88:66:5a:20:4b:cb mac-address=\
    88:66:5A:20:4B:CB server=defconf
add address=192.168.2.245 client-id=1:d4:90:9c:eb:76:10 mac-address=\
    D4:90:9C:EB:76:10 server=defconf
add address=192.168.2.244 client-id=\
    ff:c0:33:b8:60:0:1:0:1:2e:83:d1:76:38:e7:c0:33:b8:60 mac-address=\
    38:E7:C0:33:B8:60 server=defconf
add address=192.168.2.237 client-id=1:cc:2d:e0:a9:45:3e mac-address=\
    CC:2D:E0:A9:45:3E server=defconf
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf dns-server=192.168.2.1 gateway=\
    192.168.2.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=pub
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system identity
set name=Hap-AX3
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
ac:
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] mode=ap-bridge noise-floor-threshold=-110 \
    ssid=MikroTik
# managed by CAPsMAN
set [ find default-name=wlan2 ] mode=ap-bridge ssid=MikroTik
/interface ethernet
set [ find default-name=ether1 ] mac-address=CC:2D:E0:A9:45:3E
set [ find default-name=sfp1 ] advertise=\
    10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full
/caps-man datapath
add bridge=bridge name=datapath-wifi
/interface wifi datapath
add bridge=bridge disabled=no name=datapath1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/interface ovpn-server server
add mac-address=FE:00:F9:5A:53:90 name=ovpn-server1
/interface wifi cap
set certificate=request discovery-interfaces=bridge enabled=yes
/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none
/interface wireless cap
# 
set bridge=bridge certificate=CAP-CC2DE0A9452E discovery-interfaces=bridge \
    enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add comment=defconf interface=bridge
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Kiev
/system identity
set name=Hap-AC
/system note
set show-at-login=no
Any ideas on what could be wrong? Or what info should I provide?
Thanks for help!
 
ConnyMercier
Forum Veteran
Posts: 777
Joined: Tue Dec 17, 2019 1:08 pm

Re: Hap AX3 as CAPsMan controller and Hap Ac as a Cap issue

Sat Jan 25, 2025 1:32 am

The MikroTik hAP ac is not compatible with the newer WiFi / WiFi CAPsMAN.
Additional information can be found in the MikroTik online manual:
https://help.mikrotik.com/docs/spaces/R ... iFiCAPsMAN
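
The mismatch described in this reply can be read directly from the two exports. The following Python check is an added example, not part of the thread and not MikroTik tooling: it parses trimmed excerpts of the posted configs and reports each radio stack on the CAP that the controller cannot provision. The function names and the `STACKS` table are this example's own; the menu paths are the RouterOS ones seen in the exports, plus `/caps-man manager` for the legacy controller.

```python
import re
# Trimmed from the two exports posted above (constructed excerpt, not the full configs).
AX3 = r"""/interface wifi
set [ find default-name=wifi1 ] channel=Ch-5-ax configuration=Cfg-5-ax \
    configuration.mode=ap disabled=no
/interface wifi capsman
set enabled=yes interfaces=bridge require-peer-certificate=no
"""
AC = r"""/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge ssid=MikroTik
/interface wifi cap
set certificate=request discovery-interfaces=bridge enabled=yes
/interface wireless cap
set bridge=bridge discovery-interfaces=bridge enabled=yes interfaces=wlan1,wlan2
"""

# Menu paths per stack: (radio menu, CAP client menu, CAPsMAN manager menu).
STACKS = {"legacy": ("/interface wireless", "/interface wireless cap", "/caps-man manager"),
          "wifi": ("/interface wifi", "/interface wifi cap", "/interface wifi capsman")}

def parse_export(text):
    """Parse a RouterOS export into (menu, verb, params) tuples."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # rejoin backslash-continued lines
    menu, entries = "", []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line  # a menu path applies to the commands that follow it
        elif line and not line.startswith("#"):
            verb, _, rest = line.partition(" ")
            params = dict(re.findall(r'([\w.-]+)=("[^"]*"|\S*)', rest))
            entries.append((menu, verb, params))
    return entries

def enabled(entries, menu):
    """True if the export turns the given menu on with enabled=yes."""
    return any(m == menu and p.get("enabled") == "yes" for m, _, p in entries)

def check_pair(controller_export, cap_export):
    """Return one finding per stack where controller and CAP do not line up."""
    ctl, cap = parse_export(controller_export), parse_export(cap_export)
    findings = []
    for stack, (radio_menu, cap_menu, mgr_menu) in STACKS.items():
        has_radio = any(m == radio_menu and "default-name" in p for m, _, p in cap)
        if has_radio and not enabled(ctl, mgr_menu):
            findings.append(f"{stack}: CAP radios under {radio_menu} need {mgr_menu} on the controller")
        if enabled(cap, cap_menu) and not has_radio:
            findings.append(f"{stack}: {cap_menu} is enabled but the CAP has no radios under {radio_menu}")
    return findings
```

On the posted configs this yields two findings: the hAP ac's radios sit under `/interface wireless` while the ax3 only runs `/interface wifi capsman`, and the hAP ac's `/interface wifi cap` client has no `/interface wifi` radios to offer.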
 
jaclaz
Forum Guru
Posts: 2325
Joined: Tue Oct 03, 2023 4:21 pm

Re: Hap AX3 as CAPsMan controller and Hap Ac as a Cap issue

Sat Jan 25, 2025 11:38 am

Check also here:
viewtopic.php?t=212240

You can have both old and new capsman running on the Ax3, but you will lose its radios.

Besides the fun of experimenting, there are different opinions among the more expert members on the board on the utility/convenience of using CAPsMAN, but it seems like the consensus is that with only one AP it is not particularly convenient; the debate is whether it becomes so with 2+ or 3+ of them, JFYI:
viewtopic.php?t=204733#p1057385
 
DrCure
just joined
Topic Author
Posts: 5
Joined: Sun Nov 06, 2022 2:00 am
Location: Kyiv, Ukraine

Re: Hap AX3 as CAPsMan controller and Hap Ac as a Cap issue

Sat Jan 25, 2025 8:47 pm

Thank you all guys for the replies!