With the wifi-qcom-ac driver, it is necessary to create the virtual interfaces on the CAP manually. Not sure if you did that?
Hello, thanks for the reply (I was on a trip and couldn't reply earlier). I did create the interfaces manually; it wouldn't work without that. I was very unhappy when I found that I have to do it manually on 60 APs.
# NOTE(review): what follows reads like a RouterOS export of the device that names itself
# "HA0.1 - GLAVNI ROUTER"; the "removed for brevity" lines further down are the poster's omissions, not commands.
/disk
set sata1 media-interface=none media-sharing=no
# One VLAN-filtering bridge; the VLAN interfaces defined below are created on top of it.
/interface bridge
add name=BRIDGE-VLAN vlan-filtering=yes
# Ports are renamed after their role: trunks, legacy uplink, access ports, WAN, TEHNIKA and management.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-TRUNK-HA0.1-POESW1
set [ find default-name=ether2 ] name=ether2-TRUNK-HA1.1-POESW1
set [ find default-name=ether3 ] name=ether3-TRUNK-HA0.1-SW1
set [ find default-name=ether4 ] name=ether4-TRUNK-HA0.1-SW2
set [ find default-name=ether5 ] name=ether5-UPLINK-STARA-MREZA
set [ find default-name=ether6 ] name=ether6-TRUNK-HA1.1-POESW1
set [ find default-name=ether7 ] name=ether7-TRUNK-HA1.2-POESW1
set [ find default-name=ether8 ] name=ether8-ACME
set [ find default-name=ether9 ] name=ether9-ACME
set [ find default-name=ether10 ] name=ether10-ACME
set [ find default-name=ether11 ] name=ether11-WAN
set [ find default-name=ether12 ] name=ether12-TEHNIKA
set [ find default-name=ether13 ] name=ether13-MGMT
# Two WireGuard interfaces: the Back To Home one and wireguard1.
# NOTE(review): no peers, address or input-chain rule for wireguard1 (port 13231) appear in the visible
# parts of this export; if it is unused, removing it reduces what has to be maintained — confirm.
/interface wireguard
add comment=back-to-home-vpn listen-port=37201 mtu=1420 name=back-to-home-vpn
add listen-port=13231 mtu=1420 name=wireguard1
# Routed VLAN interfaces on the bridge. The number in the name is a running index, not the VLAN ID
# (vlan7-TEHNIKA uses ID 999).
/interface vlan
add interface=BRIDGE-VLAN name=vlan1-INFRASTRUKTURA vlan-id=10
add interface=BRIDGE-VLAN name=vlan2-SERVERI vlan-id=20
add interface=BRIDGE-VLAN name=vlan3-ACME vlan-id=30
add interface=BRIDGE-VLAN name=vlan4-ACME-WIFI vlan-id=40
add interface=BRIDGE-VLAN name=vlan5-TERMINALI-WIFI vlan-id=50
add interface=BRIDGE-VLAN name=vlan6-PROIZVODNJA vlan-id=60
add interface=BRIDGE-VLAN name=vlan7-TEHNIKA vlan-id=999
# Interface lists used by the firewall, neighbor discovery and MAC-server settings; members are
# assigned in the /interface list member section.
# NOTE(review): MGMT, "ACME WIFI" and "SKLADISTE WIFI" receive no members in the visible export.
# The comment on "SVI LANOVI" is Croatian, roughly "does not contain WAN".
/interface list
add name="ACME LAN"
add name=WAN
add name=TEHNIKA
add name=MGMT
add comment="Ne sadr\9Ei WAN" name="SVI LANOVI"
add name=WINBOX
add name="ACME WIFI"
add name="SKLADISTE WIFI"
add name="NEIGHBOR DISCOVERY"
/interface wifi channel
removed for brevity
# Datapaths: 1 and 3 enable client isolation and carry a VLAN ID, 2 carries only a VLAN ID, 4 has neither.
# NOTE(review): every configuration below references datapath4-AC-DATAPATH, so the client-isolation=yes
# and vlan-id settings on datapath1-3 are not applied by anything visible here. VLAN placement is done by
# bridge PVIDs on the CAP instead; confirm that client isolation on the ACME and TERMINALI SSIDs is
# actually enforced somewhere.
/interface wifi datapath
add bridge=BRIDGE-VLAN client-isolation=yes disabled=no name=datapath1-ACME-WIFI vlan-id=40
add bridge=BRIDGE-VLAN disabled=no name=datapath2-ACME-DP-LINK vlan-id=30
add bridge=BRIDGE-VLAN client-isolation=yes disabled=no name=datapath3-TERMINALI-WIFI vlan-id=50
add bridge=BRIDGE-VLAN disabled=no name=datapath4-AC-DATAPATH
# Security profiles: WPA2-PSK is the only authentication type. Passphrases are not shown in this export.
/interface wifi security
add authentication-types=wpa2-psk disabled=no name=sec1-ACME-WIFI
add authentication-types=wpa2-psk disabled=no name=sec2-DP-LINK
add authentication-types=wpa2-psk disabled=no name=sec3-TERMINALI-WIFI
# Configurations: one master profile per band (SSID ACME, fast transition with FT-over-DS) plus
# DP-LINK and TERMINALI profiles, which the provisioning rules use as slave configurations.
/interface wifi configuration
add channel.band=2ghz-n .width=20mhz country=Croatia datapath=datapath4-AC-DATAPATH disabled=no mode=ap name="2GHz - AC - MASTER - ACME-WIFI" security=sec1-ACME-WIFI security.ft=yes .ft-over-ds=yes ssid=ACME tx-power=1
add datapath=datapath4-AC-DATAPATH disabled=no name="2GHz - AC - DP-LINK" security=sec2-DP-LINK ssid=DP-LINK
add datapath=datapath4-AC-DATAPATH disabled=no name="2GHz - AC - TERMINALI-WIFI" security=sec3-TERMINALI-WIFI ssid=TERMINALI
add channel.band=5ghz-ac .width=20mhz country=Croatia datapath=datapath4-AC-DATAPATH disabled=no mode=ap name="5GHz - AC - MASTER - ACME-WIFI" security=sec1-ACME-WIFI security.ft=yes .ft-over-ds=yes ssid=ACME tx-power=4
add datapath=datapath4-AC-DATAPATH disabled=no name="5GHz - AC - DP-LINK" security=sec2-DP-LINK ssid=DP-LINK
add datapath=datapath4-AC-DATAPATH disabled=no name="5GHz - AC - TERMINALI" security=sec3-TERMINALI-WIFI ssid=TERMINALI
/interface wifi
removed for brevity
# Address pools, one per VLAN subnet. The server pool starts at .100; the others start at .2.
/ip pool
add name=pool1-infrastruktura ranges=10.44.10.2-10.44.10.254
add name=pool2-serveri ranges=10.44.20.100-10.44.20.254
add name=pool3-dinop ranges=10.44.30.2-10.44.30.254
add name=pool4-dinop-wifi ranges=10.44.40.2-10.44.40.254
add name=pool5-terminali-wifi ranges=10.44.50.2-10.44.50.254
add name=pool6-proizvodnja ranges=10.44.60.2-10.44.60.254
add name=pool7-tehnika ranges=192.168.1.2-192.168.1.254
# One DHCP server per VLAN interface. vlan4-ACME-WIFI uses a shorter lease (1d30m) than the rest (1w1d30m).
/ip dhcp-server
add address-pool=pool1-infrastruktura interface=vlan1-INFRASTRUKTURA lease-time=1w1d30m name=server1-infrastruktura
add address-pool=pool2-serveri interface=vlan2-SERVERI lease-time=1w1d30m name=server2-serveri
add address-pool=pool3-dinop interface=vlan3-ACME lease-time=1w1d30m name=server3-dinop
add address-pool=pool4-dinop-wifi interface=vlan4-ACME-WIFI lease-time=1d30m name=server4-dinop-wifi
add address-pool=pool5-terminali-wifi interface=vlan5-TERMINALI-WIFI lease-time=1w1d30m name=server5-terminali-wifi
add address-pool=pool6-proizvodnja interface=vlan6-PROIZVODNJA lease-time=1w1d30m name=server6-proizvodnja
add address-pool=pool7-tehnika interface=vlan7-TEHNIKA lease-time=1w1d30m name=server7-tehnika
# Serial port names.
/port
set 0 name=serial0
set 1 name=serial1
# Bridge ports. Trunks accept only tagged frames; ether5 (legacy uplink), ether12 and ether13 accept only
# untagged frames and are placed in VLAN 30, 999 and 10 by PVID. ether11-WAN is not a bridge member.
# NOTE(review): ether8/9/10 set pvid=30 but no frame-types restriction, unlike the other access ports;
# consider admit-only-untagged-and-priority-tagged there too so end devices cannot send tagged frames.
/interface bridge port
add bridge=BRIDGE-VLAN frame-types=admit-only-vlan-tagged interface=ether1-TRUNK-HA0.1-POESW1
add bridge=BRIDGE-VLAN frame-types=admit-only-vlan-tagged interface=ether2-TRUNK-HA1.1-POESW1
add bridge=BRIDGE-VLAN frame-types=admit-only-vlan-tagged interface=ether3-TRUNK-HA0.1-SW1
add bridge=BRIDGE-VLAN frame-types=admit-only-vlan-tagged interface=ether4-TRUNK-HA0.1-SW2
add bridge=BRIDGE-VLAN frame-types=admit-only-untagged-and-priority-tagged interface=ether5-UPLINK-STARA-MREZA pvid=30
add bridge=BRIDGE-VLAN frame-types=admit-only-vlan-tagged interface=ether6-TRUNK-HA1.1-POESW1
add bridge=BRIDGE-VLAN frame-types=admit-only-vlan-tagged interface=ether7-TRUNK-HA1.2-POESW1
add bridge=BRIDGE-VLAN interface=ether8-ACME pvid=30
add bridge=BRIDGE-VLAN interface=ether9-ACME pvid=30
add bridge=BRIDGE-VLAN interface=ether10-ACME pvid=30
add bridge=BRIDGE-VLAN frame-types=admit-only-untagged-and-priority-tagged interface=ether12-TEHNIKA pvid=999
add bridge=BRIDGE-VLAN frame-types=admit-only-untagged-and-priority-tagged interface=ether13-MGMT pvid=10
# Neighbor discovery is limited to the members of the "NEIGHBOR DISCOVERY" interface list.
/ip neighbor discovery-settings
set discover-interface-list="NEIGHBOR DISCOVERY"
/ipv6 settings
set disable-ipv6=yes
# Bridge VLAN table. Every VLAN is tagged on the bridge itself and on all six trunk ports; only
# ether13-MGMT (VLAN 10) and ether12-TEHNIKA (VLAN 999) are listed as untagged members. The PVID-30 ports
# are not listed here, so they presumably get their untagged membership added dynamically.
# NOTE(review): if a downstream switch does not need a given VLAN (for example the management VLAN 10),
# dropping it from that trunk's tagged list narrows where that VLAN is reachable.
/interface bridge vlan
add bridge=BRIDGE-VLAN comment=INFRASTRUKTURA tagged=BRIDGE-VLAN,ether1-TRUNK-HA0.1-POESW1,ether2-TRUNK-HA1.1-POESW1,ether3-TRUNK-HA0.1-SW1,ether4-TRUNK-HA0.1-SW2,ether6-TRUNK-HA1.1-POESW1,ether7-TRUNK-HA1.2-POESW1 untagged=ether13-MGMT vlan-ids=10
add bridge=BRIDGE-VLAN comment=SERVERI tagged=BRIDGE-VLAN,ether1-TRUNK-HA0.1-POESW1,ether2-TRUNK-HA1.1-POESW1,ether3-TRUNK-HA0.1-SW1,ether4-TRUNK-HA0.1-SW2,ether6-TRUNK-HA1.1-POESW1,ether7-TRUNK-HA1.2-POESW1 vlan-ids=20
add bridge=BRIDGE-VLAN comment=ACME tagged=BRIDGE-VLAN,ether1-TRUNK-HA0.1-POESW1,ether2-TRUNK-HA1.1-POESW1,ether3-TRUNK-HA0.1-SW1,ether4-TRUNK-HA0.1-SW2,ether6-TRUNK-HA1.1-POESW1,ether7-TRUNK-HA1.2-POESW1 vlan-ids=30
add bridge=BRIDGE-VLAN comment=ACME-WIFI tagged=BRIDGE-VLAN,ether1-TRUNK-HA0.1-POESW1,ether2-TRUNK-HA1.1-POESW1,ether3-TRUNK-HA0.1-SW1,ether4-TRUNK-HA0.1-SW2,ether6-TRUNK-HA1.1-POESW1,ether7-TRUNK-HA1.2-POESW1 vlan-ids=40
add bridge=BRIDGE-VLAN comment=TERMINALI tagged=BRIDGE-VLAN,ether1-TRUNK-HA0.1-POESW1,ether2-TRUNK-HA1.1-POESW1,ether3-TRUNK-HA0.1-SW1,ether4-TRUNK-HA0.1-SW2,ether6-TRUNK-HA1.1-POESW1,ether7-TRUNK-HA1.2-POESW1 vlan-ids=50
add bridge=BRIDGE-VLAN comment=PROIZVODNJA tagged=BRIDGE-VLAN,ether1-TRUNK-HA0.1-POESW1,ether2-TRUNK-HA1.1-POESW1,ether3-TRUNK-HA0.1-SW1,ether4-TRUNK-HA0.1-SW2,ether6-TRUNK-HA1.1-POESW1,ether7-TRUNK-HA1.2-POESW1 vlan-ids=60
add bridge=BRIDGE-VLAN comment=TEHNIKA tagged=BRIDGE-VLAN,ether1-TRUNK-HA0.1-POESW1,ether2-TRUNK-HA1.1-POESW1,ether3-TRUNK-HA0.1-SW1,ether4-TRUNK-HA0.1-SW2,ether6-TRUNK-HA1.1-POESW1,ether7-TRUNK-HA1.2-POESW1 untagged=ether12-TEHNIKA vlan-ids=999
# NOTE(review): "*2000011" is an internal ID, presumably left behind by an interface list that has since
# been deleted. INTERNO is not referenced anywhere else in the visible export; clean up or confirm.
/interface list
add include="ACME LAN,*2000011,MGMT" name=INTERNO
# List membership. WINBOX (vlan1-INFRASTRUKTURA, vlan3-ACME, back-to-home-vpn) is the list the firewall
# and the MAC server use to decide where WinBox is reachable. "SVI LANOVI" holds all seven VLAN
# interfaces, and "NEIGHBOR DISCOVERY" holds the interfaces on which neighbor discovery runs.
/interface list member
add interface=ether1-TRUNK-HA0.1-POESW1 list="ACME LAN"
add interface=ether2-TRUNK-HA1.1-POESW1 list="ACME LAN"
add interface=ether3-TRUNK-HA0.1-SW1 list="ACME LAN"
add interface=ether4-TRUNK-HA0.1-SW2 list="ACME LAN"
add interface=ether5-UPLINK-STARA-MREZA list="ACME LAN"
add interface=vlan7-TEHNIKA list=TEHNIKA
add interface=ether11-WAN list=WAN
add interface=vlan1-INFRASTRUKTURA list=WINBOX
add interface=vlan3-ACME list=WINBOX
add interface=ether6-TRUNK-HA1.1-POESW1 list="ACME LAN"
add interface=ether7-TRUNK-HA1.2-POESW1 list="ACME LAN"
add interface=ether8-ACME list="ACME LAN"
add interface=ether9-ACME list="ACME LAN"
add interface=ether10-ACME list="ACME LAN"
add interface=vlan1-INFRASTRUKTURA list="SVI LANOVI"
add interface=vlan2-SERVERI list="SVI LANOVI"
add interface=vlan3-ACME list="SVI LANOVI"
add interface=vlan4-ACME-WIFI list="SVI LANOVI"
add interface=vlan5-TERMINALI-WIFI list="SVI LANOVI"
add interface=vlan6-PROIZVODNJA list="SVI LANOVI"
add interface=vlan7-TEHNIKA list="SVI LANOVI"
add interface=vlan1-INFRASTRUKTURA list="NEIGHBOR DISCOVERY"
add interface=vlan3-ACME list="NEIGHBOR DISCOVERY"
add interface=vlan2-SERVERI list="NEIGHBOR DISCOVERY"
add interface=back-to-home-vpn list="NEIGHBOR DISCOVERY"
add interface=back-to-home-vpn list=WINBOX
# CAPsMAN is enabled on the infrastructure VLAN only and requires CAPs to present a certificate
# (require-peer-certificate=yes); the CA and the manager certificate are set to auto.
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=vlan1-INFRASTRUKTURA package-path="" require-peer-certificate=yes upgrade-policy=none
# Provisioning: one rule per band. The master configuration carries SSID ACME; the slave configurations
# are listed as TERMINALI first, DP-LINK second.
# NOTE(review): the CAP in this thread maps its hand-made virtual interfaces to VLANs by bridge PVID, so
# the SSID-to-VLAN mapping presumably depends on this order staying the same; verify before reordering.
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration="2GHz - AC - MASTER - ACME-WIFI" name-format="2G - %I - MSTR " slave-configurations="2GHz - AC - TERMINALI-WIFI,2GHz - AC - DP-LINK" slave-name-format="2G - %I - V " supported-bands=2ghz-n
add action=create-enabled disabled=no master-configuration="5GHz - AC - MASTER - ACME-WIFI" name-format="5G - %I - MSTR " slave-configurations="5GHz - AC - TERMINALI,5GHz - AC - DP-LINK" slave-name-format="5G - %I - V " supported-bands=5ghz-ac
# The router holds the .1 address in every VLAN subnet.
/ip address
add address=10.44.10.1/24 interface=vlan1-INFRASTRUKTURA network=10.44.10.0
add address=10.44.20.1/24 interface=vlan2-SERVERI network=10.44.20.0
add address=10.44.30.1/24 interface=vlan3-ACME network=10.44.30.0
add address=10.44.40.1/24 interface=vlan4-ACME-WIFI network=10.44.40.0
add address=10.44.50.1/24 interface=vlan5-TERMINALI-WIFI network=10.44.50.0
add address=10.44.60.1/24 interface=vlan6-PROIZVODNJA network=10.44.60.0
add address=192.168.1.1/24 interface=vlan7-TEHNIKA network=192.168.1.0
# Back To Home VPN and DDNS are enabled. The single BTH user has allow-lan=yes.
# NOTE(review): the firewall filter section accepts everything arriving on back-to-home-vpn in both the
# input and forward chains, so this one device presumably has unrestricted access to the router and to
# every VLAN; confirm that is intended.
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip cloud back-to-home-users
add allow-lan=yes comment="iPhone 14 Pro" name="HA0.1 - GLAVNI ROUTER | RB1100Dx4"
# The WAN address is obtained by DHCP.
/ip dhcp-client
add interface=ether11-WAN
/ip dhcp-server lease
removed for brevity
# Per-subnet DHCP options. The router is gateway, DNS and NTP server in every subnet; only the
# infrastructure subnet also hands out caps-manager=10.44.10.1.
/ip dhcp-server network
add address=10.44.10.0/24 caps-manager=10.44.10.1 dns-server=10.44.10.1 gateway=10.44.10.1 ntp-server=10.44.10.1
add address=10.44.20.0/24 dns-server=10.44.20.1 domain=dinop.local gateway=10.44.20.1 ntp-server=10.44.20.1
add address=10.44.30.0/24 dns-server=10.44.30.1 domain=dinop.local gateway=10.44.30.1 ntp-server=10.44.30.1
add address=10.44.40.0/24 dns-server=10.44.40.1 gateway=10.44.40.1 ntp-server=10.44.40.1
add address=10.44.50.0/24 dns-server=10.44.50.1 gateway=10.44.50.1 ntp-server=10.44.50.1
add address=10.44.60.0/24 dns-server=10.44.60.1 gateway=10.44.60.1 ntp-server=10.44.60.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 ntp-server=192.168.1.1
# The router answers DNS queries from clients (allow-remote-requests=yes). Keeping port 53 closed on the
# WAN side depends on the input-chain rules, which accept DNS only when in-interface is not ether11-WAN.
/ip dns
set allow-remote-requests=yes cache-size=512000KiB servers=1.1.1.3,1.0.0.3
# NOTE(review): ssl-verify=no turns off TLS certificate validation for these downloads, so the list
# content is not authenticated in transit and anyone able to intercept the fetch could change which names
# get blocked. Prefer ssl-verify=yes with the required CA certificates in the router's certificate store.
/ip dns adlist
add ssl-verify=no url=https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
add ssl-verify=no url=https://raw.githubusercontent.com/mkb2091/blockconvert/master/output/domains.txt
# Two address lists used by the forward chain: not_in_internet is matched as a destination list by the
# "Drop Bogons" rule, and no_forward_ipv4 is matched as source and destination by the
# "Drop bad forward IPs" rules.
# NOTE(review): not_in_internet includes the private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16,
# so it is only safe to match on traffic leaving through the WAN, which is how the rule uses it.
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: multicast" list=no_forward_ipv4
add address=255.255.255.255 comment="defconf: RFC6890" list=no_forward_ipv4
# Rule order matters in this section: the first matching rule in a chain decides.
/ip firewall filter
# --- Input chain: traffic addressed to the router itself. ---
add action=accept chain=input comment="Accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
# NOTE(review): accepts everything arriving on back-to-home-vpn, i.e. every service left enabled on the router.
add action=accept chain=input comment="Allow BTH input" in-interface=back-to-home-vpn
# DNS, NTP and DHCP are matched with in-interface=!ether11-WAN, so they are accepted from every
# interface except the WAN port.
add action=accept chain=input comment="Allow DNS UDP" dst-port=53 in-interface=!ether11-WAN protocol=udp
add action=accept chain=input comment="Allow DNS TCP" dst-port=53 in-interface=!ether11-WAN protocol=tcp
add action=accept chain=input comment="Allow NTP" dst-port=123 in-interface=!ether11-WAN protocol=udp
add action=accept chain=input comment="Allow DHCP" dst-port=67 in-interface=!ether11-WAN protocol=udp
# WinBox is reachable only from interfaces in the WINBOX list.
add action=accept chain=input comment="Allow TCP WinBox input on port 8291" dst-port=8291 in-interface-list=WINBOX protocol=tcp
# Disabled debug rule; enabling it would open the router to every VLAN in "SVI LANOVI".
add action=accept chain=input comment="DEBUG - Allow LOCAL LAN Full Access" disabled=yes in-interface-list="SVI LANOVI"
# NOTE(review): the final drop sets a log-prefix but shows no log=yes (unlike the last forward rule), so
# dropped input traffic is presumably not logged; enable logging if these drops should be visible.
add action=drop chain=input comment="Drop everythign else" log-prefix="LAST INPUT RULE - DROP"
add action=passthrough chain=input disabled=yes
# --- Forward chain: traffic routed through the router. Inter-VLAN traffic reaches the final drop
# unless one of the accept rules below matches first. ---
add action=accept chain=forward comment="Accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=Fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
# NOTE(review): Back To Home clients may reach every VLAN and the WAN; there is no per-destination limit.
add action=accept chain=forward comment="Allow BTH forward" in-interface=back-to-home-vpn
add action=accept chain=forward comment="Allow ACME LAN to ACME LAN" in-interface=vlan3-ACME out-interface=vlan3-ACME
add action=accept chain=forward comment="Allow ACME LAN to TEHNIKA LAN" in-interface=vlan3-ACME out-interface=vlan7-TEHNIKA
add action=accept chain=forward comment="Allow TEHNIKA LAN to TEHNIKA LAN" in-interface=vlan7-TEHNIKA out-interface=vlan7-TEHNIKA
# NOTE(review): this reject matches TCP only. Non-TCP traffic from vlan5-TERMINALI-WIFI to the WAN (UDP,
# ICMP, ...) falls through to the general accept below. If the terminals should reach nothing but RDP,
# accept TCP/3389 explicitly and follow it with a protocol-independent drop for this interface.
add action=reject chain=forward comment="Block SKLADISTE WIFI RDP access to the Internet, except for RDP (3389)" dst-port=!3389 in-interface=vlan5-TERMINALI-WIFI out-interface=ether11-WAN protocol=tcp reject-with=icmp-admin-prohibited
# NOTE(review): accepts anything leaving through ether11-WAN, from any source interface. It precedes
# "Drop Bogons", which matches on the same out-interface, so the bogon rule can never be reached.
# WAN-bound packets also never reach the two "Drop bad forward IPs" rules. Move those drops above this
# accept if they are meant to take effect.
add action=accept chain=forward comment="Allow general internet access" out-interface=ether11-WAN
add action=drop chain=forward comment="Drop Bogons" dst-address-list=not_in_internet out-interface=ether11-WAN
# New connections from the WAN are dropped unless they were dst-NATed; no dstnat rules are visible in
# the NAT section below.
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether11-WAN
add action=drop chain=forward comment="Drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="Drop bad forward IPs" dst-address-list=no_forward_ipv4
# Default deny for forwarded traffic, with logging.
add action=drop chain=forward comment="Drop everything else" log=yes log-prefix="DROP ALL FORWARD"
add action=passthrough chain=forward disabled=yes
# Source NAT: traffic matching an IPsec policy is exempted; everything else leaving ether11-WAN is masqueraded.
/ip firewall nat
add action=accept chain=srcnat comment="Accept all that matches IPSec policy" ipsec-policy=out,ipsec
add action=masquerade chain=srcnat comment="LAN masqerade" ipsec-policy=out,none out-interface=ether11-WAN
# telnet, ftp, www, api and api-ssl are turned off.
# NOTE(review): ssh and winbox are not listed, so they are presumably still enabled at their defaults,
# and no address= restriction is visible; access to them is then limited only by the input chain.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
# NOTE(review): UPnP is enabled with BRIDGE-VLAN registered as an internal interface, which allows hosts
# behind it to ask the router for port mappings. "*10" and "*11" are references to interfaces that no
# longer exist. If nothing depends on UPnP, disable it and remove the stale entries.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=BRIDGE-VLAN type=internal
add interface=*10 type=external
add interface=*11 type=internal
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name="HA0.1 - GLAVNI ROUTER"
# WireGuard logging rule exists but is disabled; CAPsMAN and wireless topics are logged.
/system logging
add disabled=yes topics=wireguard
add topics=caps,wireless
/system note
set show-at-login=no
# The router syncs from public pool servers and serves NTP itself (multicast enabled), matching the
# ntp-server option handed out by DHCP.
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes multicast=yes
/system ntp client servers
add address=hr.pool.ntp.org
add address=europe.pool.ntp.org
/tool bandwidth-server
set enabled=no
# MAC-Telnet and MAC-WinBox are limited to the WINBOX interface list.
/tool mac-server
set allowed-interface-list=WINBOX
/tool mac-server mac-winbox
set allowed-interface-list=WINBOX
# NOTE(review): RoMON is enabled; no secrets or per-port settings are visible in this export (secrets may
# simply be hidden). Confirm a RoMON secret is set, or disable RoMON if it is not used.
/tool romon
set enabled=yes
# NOTE(review): from here on the export appears to belong to a second device: it runs in CAP mode
# (/interface wifi cap) and names itself "HA0.2 - CAP - B2". MAC address values were left blank by the poster.
/interface bridge
add admin-mac= auto-mac=no name=bridgeLocal vlan-filtering=yes
# wifi1/wifi2 are the radios managed by CAPsMAN; wifi1-1, wifi1-2, wifi2-1 and wifi2-2 are the virtual
# interfaces added by hand. The comment lines inside this section are part of the original export.
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: ACME, channel: 2462/n
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN
# mode: AP, SSID: TERMINALI
add configuration.mode=ap disabled=no mac-address= master-interface=wifi1 name=wifi1-1
# managed by CAPsMAN
# mode: AP, SSID: DP-LINK
add configuration.mode=ap disabled=no mac-address= master-interface=wifi1 name=wifi1-2
# managed by CAPsMAN
# mode: AP, SSID: ACME, channel: 5500/ac
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN
# mode: AP, SSID: TERMINALI
add configuration.mode=ap disabled=no mac-address= master-interface=wifi2 name=wifi2-1
# managed by CAPsMAN
# mode: AP, SSID: DP-LINK
add configuration.mode=ap disabled=no mac-address= master-interface=wifi2 name=wifi2-2
# Management VLAN interface of the CAP (VLAN 10).
/interface vlan
add interface=bridgeLocal name=vlan1-INFRASTRUKTURA vlan-id=10
# Bridge ports. The Wi-Fi interfaces are untagged access ports: masters -> VLAN 40, the "-1" slaves ->
# VLAN 50, the "-2" slaves -> VLAN 30. This manual PVID mapping is what places each SSID in its VLAN.
# NOTE(review): ether2 ("BACKUP MGMT") has no pvid or frame-types set and is not listed in the bridge VLAN
# table below, so it presumably sits in the default VLAN 1; check what a device plugged into it can reach.
# NOTE(review): trusted=yes on ether1 is a DHCP-snooping setting; snooping itself is not enabled on the
# bridge line above, so the flag presumably has no effect as shown.
/interface bridge port
add bridge=bridgeLocal comment=TRUNK interface=ether1 trusted=yes
add bridge=bridgeLocal comment="BACKUP MGMT" interface=ether2
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi1 pvid=40
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi1-1 pvid=50
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi2 pvid=40
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi2-2 pvid=30
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi2-1 pvid=50
add bridge=bridgeLocal frame-types=admit-only-untagged-and-priority-tagged interface=wifi1-2 pvid=30
# The CAP only bridges: IP forwarding and IPv6 are off.
/ip settings
set ip-forward=no
/ipv6 settings
set disable-ipv6=yes
# VLAN 10 is the only VLAN in which the bridge itself is a member, so it is the only one that reaches the
# CAP's own IP stack; VLANs 30, 40 and 50 are bridged between ether1 (tagged) and the Wi-Fi interfaces.
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,bridgeLocal vlan-ids=10
add bridge=bridgeLocal tagged=ether1 untagged=wifi1,wifi2 vlan-ids=40
add bridge=bridgeLocal tagged=ether1 untagged=wifi1-1,wifi2-1 vlan-ids=50
add bridge=bridgeLocal tagged=ether1 untagged=wifi1-2,wifi2-2 vlan-ids=30
# CAP mode: discovery runs on the management VLAN and the certificate is requested from the manager.
# slaves-static=yes is set, matching the manually created virtual interfaces above.
/interface wifi cap
set certificate=request discovery-interfaces=vlan1-INFRASTRUKTURA enabled=yes slaves-static=yes
# The CAP gets its management address by DHCP on VLAN 10.
/ip dhcp-client
add interface=vlan1-INFRASTRUKTURA
# Input chain of the CAP: established/related, the management subnet and ICMP are accepted, the rest is dropped.
/ip firewall filter
add action=accept chain=input comment="Allow established and related" connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid
# NOTE(review): this accept matches on source address only. Adding in-interface=vlan1-INFRASTRUKTURA
# would tie it to the management VLAN rather than to a claimed source IP.
add action=accept chain=input comment="Allow in management range" src-address=10.44.10.0/24
add action=accept chain=input comment="Allow ICMP" protocol=icmp
# Final drop; no logging is configured on it.
add action=drop chain=input comment="Block eveything else"
# telnet, ftp, www, api and api-ssl are turned off.
# NOTE(review): ssh and winbox are not listed, so they are presumably still enabled at their defaults
# and reachable from the management range accepted above.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
# NOTE(review): the router part of this export uses Europe/Zagreb. A different zone here makes log
# timestamps harder to correlate across devices; confirm America/Chicago is intended.
/system clock
set time-zone-name=America/Chicago
/system identity
set name="HA0.2 - CAP - B2"
/system logging
add topics=caps
/system note
set show-at-login=no
# NTP client is enabled with no servers listed; presumably they come from the DHCP ntp-server option — verify.
/system ntp client
set enabled=yes
# NOTE(review): RoMON is enabled; no secrets are visible in this export (they may simply be hidden).
# Confirm a RoMON secret is set, or disable RoMON if it is not used.
/tool romon
set enabled=yes
It is set to create-enabled. Not sure whether dynamic would work at all – maybe with one SSID and no VLANs.