Apologies for the delayed response: learning has taken a great deal longer than planned. Very much appreciate your responses. You have gotten me on the right track. Very much improved. Even if I still have much to learn. I'm glad to have veered toward capsman. I now think I would have been chasing rabbits if I had chosen to implement wave 2 or continued trying to manually manage each AP. CAPsMAN is what's needed to make these devices work together. Took me a minute to see that. Thanks for steering me that way.
Discovery Interfaces to ether1, and then .... nothing. It does not auto discover the manager.
Try turning on the DHCP client on ether1; ROS will immediately tell you the reason.
discovery-interfaces=bridge
Everything works as described in the documentation.
I believe the reason this occurred is because I was trying to modify an existing configuration instead of starting from scratch, which would have made things significantly easier in this case, mostly because of my complete ignorance of how CAPsMAN works. I'm not sure if it was because my connection to the router from the AP was through a trunk port, but when I reset the AP and set the router port to an access port, it was able to find it without having to specify the address manually.
I told you it would be hard to learn on the forum. It's easier for me to connect remotely and configure than to write a detailed manual.
<whining comment="there is no point in reading this blabbering">
This was hard to learn from every source I scraped together: MikroTik docs, YouTube, Udemy courses, blogs, forum threads. Like anything I've done with MikroTik so far, finding instruction is incredibly difficult. (Very satisfied with the equipment, just not the available instruction.) I'd pay a couple hundred bucks for a good book. A lot of stuff out there is out of date. A lot of that is likely still valid and useful, but some of it is way off. There's a guy on Udemy with a bunch of courses, most of which I've enrolled in, who has taught me some, but he's prone to just going through the steps, not really teaching how to do anything outside of the specific way he's setting it up. There's some good stuff on YouTube. Some out of date. Some newer, but prone to sometimes just going through the steps without instruction, explanations, theory. There's one guy, new, who's also been very helpful, but who is prone to guided tours: "here's this setting here and if you click on the drop down you can see all the options you can set it to. You can set it to this or that. Here's another setting here with some more options." That is not exaggerated dialog. Those are nearly his words. No explanations at all. It's just very hard to learn this stuff. I have learned much from some conference talks on YouTube. Some of it is also outdated, but there is some good stuff. I just have to go through tons and tons from all those sources to find the information needed. There is also some quite good stuff on the MikroTik YouTube channel, though it is too brief and doesn't cover enough of the available features and different options for implementing them.
</whining>
Before you start setting up, you need to do a Wi-Fi network project.
1. On the plan of the building, place the access points and determine their number, approximate coverage areas, and the approximate power of each access point.
2. Place the access point in the desired location and draw a heat map, for each access point. Correct the location and power if necessary.
The coverage zone is calculated at -67 dBm, with zones overlapping by 20%... The network calculation is done for 5GHz, because 2.4GHz penetrates further and its zone is always easy to reduce by lowering the power.
3. At each point, scan the air and select the most suitable channel.
Only then connect CAPsMAN and make the necessary settings. This is the L1 level, which network engineers do not pay attention to.
This is just for home use, for my homelab and personal use. Not a big company or institution. All the tools I could find for heat maps and stuff were outside of my budget for this. So I just used little Android apps (iPad seems to be hamstrung) to select the best channels for 2G. And punted. I'm still ignorant on 5G and it is set to auto, I think. There is a ton of information on setting up 2G, but I haven't found much of anything at all on 5G, channel widths, and such. I need to find more help on that.
I've done the best I could for the moment and it is TONS better than it ever has been. Solved some problems I had that I hadn't got around to figuring out yet, some IoT devices buried in the wall that weren't connecting. I thought something happened to the devices' config. Never occurred to me that they were having connection problems. For some reason, it never occurred to me that adding more APs would cause more connection issues.
Regarding the principle of CAPsMAN: the WLAN interface is connected to the device manager over an encrypted channel, with the result that the device manager is one access point with multiple remote radio interfaces. Now an important question: there are two modes of routing data. In the first, the access point sends all traffic to the device manager, and routing happens there. In this case Local Forwarding is unchecked in the datapath, and on the access point itself the WLAN interface cannot be bridged to a wired interface, otherwise there is a loop between the physical and virtual interfaces on the CAPsMAN device. The second option is used when there are dozens of access points; then the data is sent to the network by the access point itself, the Local Forwarding checkbox is on, and the WLAN interface is added to the bridge. This mode is used when you need to unload the CAPsMAN device.
I think the former is the correct choice for my small home network: no Local Forwarding, everything to the router/capsman. The bridge is now correctly configured for that scenario.
And then everything is simple.
On the CAPsMAN device open the CAP Interface tab, click the + button, and in the new interface window, on the General tab, fill in the MAC address of the access point's radio interface; it is inserted in the Radio MAC field as well. Then fill in all the tabs, just as with the usual setup of a wireless interface (the top line on the tabs is blank by default). After that turn on the access point in CAP mode and it connects to the manager.
If you use Provisioning, then you should not set action=create-dynamic-enabled but action=create-enabled; then the automatically created CAP interface can be edited manually.
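The two forwarding modes and the create-enabled provisioning action described above, written out as RouterOS CLI. This is an added example, not configuration from any post in this thread; the names dp-manager-fwd, dp-local-fwd, cfg-example, example-ssid and the radio MAC 00:00:00:00:00:01 are placeholders, and the assumption that a local-forwarding datapath relies on the bridge named in the CAP's own /interface wireless cap setting is stated in the comments.

```routeros
# Added example, not from this thread. dp-manager-fwd, dp-local-fwd,
# cfg-example, example-ssid and the radio MAC are placeholders.

/caps-man datapath
# Mode 1: manager forwarding (the mode the router export in this thread uses).
# The CAP tunnels every client frame to CAPsMAN, which places the virtual CAP
# interface into the bridge named here, on the CAPsMAN side. The CAP itself
# must not also bridge its wlan, or each frame enters the LAN twice (a loop).
add name=dp-manager-fwd local-forwarding=no bridge=bridge \
    vlan-mode=use-tag vlan-id=99 client-to-client-forwarding=no

# Mode 2: local forwarding. The CAP bridges the wlan itself and client traffic
# never reaches CAPsMAN, which only pushes configuration. Assumption: the bridge
# used is the one named in the CAP's own /interface wireless cap setting.
add name=dp-local-fwd local-forwarding=yes \
    vlan-mode=use-tag vlan-id=99 client-to-client-forwarding=no

/caps-man configuration
add name=cfg-example mode=ap datapath=dp-manager-fwd ssid=example-ssid

/caps-man provisioning
# create-enabled (rather than create-dynamic-enabled) creates a static CAP
# interface entry that can be edited by hand afterwards.
add action=create-enabled radio-mac=00:00:00:00:00:01 name-format=identity \
    master-configuration=cfg-example

# On the CAP: bridgeLocal is only used for wlan traffic by local-forwarding
# datapaths; with dp-manager-fwd the wlan is never bridged locally.
/interface wireless cap
set enabled=yes bridge=bridgeLocal discovery-interfaces=bridgeLocal \
    interfaces=wlan1
```

Switching an existing CAP from dp-manager-fwd to dp-local-fwd changes where the client VLAN tag is applied (on the CAP's uplink rather than inside CAPsMAN's bridge), so the CAP's wired port then has to carry that VLAN as a trunk.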
I think I've got things mostly correct now. But I've thought that before. Everything seems to be working, much better than it ever has. I could probably tweak the rates and the signal range in the Access Control a little better, but I have a couple devices inside a shop out from the house about 25m. I need to set up a wireless wire to get signal inside the shop. The wAP covers the backyard very well but doesn't penetrate the shop. I've also still got a few questions to resolve:
What do I need to know about 5G?
Certificates. I reset one or another CAP several times while learning. Took me a while to figure out I need to delete the old cert on the CAPsMAN that was issued to the CAP. But how to identify which one? I compared them to the remaining CAPs to see which were in use and deleted the remaining one. I'm sure that is terribly wrong, but I didn't see an easier way other than deleting all certs and reissuing to all CAPs.
Also not sure if there are other security issues I need to be aware of.
I hate to ask anyone to stare at a wall of code, but if anyone is inclined to poke holes and ridicule me, please do!
Thanks again for the great info you've provided. I've read through it numerous times and it has gotten me far though I'm sure I'm still missing much.
Router/CAPsMAN
# jun/05/2022 08:36:24 by RouterOS 7.2.3
# model = RB5009UG+S+
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2412 name=\
channel-2G-Ch1
add band=2ghz-g/n control-channel-width=20mhz frequency=2437 name=\
channel-2G-Ch6
add band=2ghz-g/n control-channel-width=20mhz frequency=2462 name=\
channel-2G-Ch11
/interface bridge
add admin-mac=DC:2C:6E:47:0F:C0 auto-mac=no name=bridge protocol-mode=none \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether7 ] name=ether7-Access
set [ find default-name=sfp-sfpplus1 ] advertise=1000M-full,10000M-full \
speed=1Gbps
/interface vlan
add interface=bridge name=vlan-base vlan-id=99
add interface=bridge name=vlan-guest vlan-id=101
add interface=bridge name=vlan-iot vlan-id=107
add interface=bridge name=vlan-security vlan-id=119
add interface=bridge name=vlan-server vlan-id=200
add interface=bridge name=vlan-voip vlan-id=111
/caps-man datapath
add bridge=bridge name=datapath-base vlan-id=99 vlan-mode=use-tag
add bridge=bridge name=datapath-guest vlan-id=101 vlan-mode=use-tag
add bridge=bridge name=datapath-iot vlan-id=107 vlan-mode=use-tag
add bridge=bridge name=datapath-security vlan-id=119 vlan-mode=use-tag
add bridge=bridge name=datapath-nest vlan-id=107 vlan-mode=use-tag
/caps-man rates
add basic=6Mbps name=rate-Minimum supported=\
6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security-base
add authentication-types=wpa2-psk encryption=aes-ccm name=security-guest
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
security-iot
add authentication-types=wpa2-psk encryption=aes-ccm name=security-security
add authentication-types=wpa2-psk encryption=aes-ccm name=security-voip
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
security-nest
/caps-man configuration
add channel=channel-2G-Ch1 country="united states3" datapath=datapath-base \
installation=any mode=ap name=cfg-BASE-2G-Ch1-DP-base-Sec-base rates=\
rate-Minimum security=security-base ssid=1736StrtfrdRmsCt
add channel=channel-2G-Ch11 country="united states3" datapath=datapath-base \
installation=any mode=ap name=cfg-BASE-2G-Ch11-DP-base-Sec-base rates=\
rate-Minimum security=security-base ssid=1736StrtfrdRmsCt
add channel=channel-2G-Ch6 country="united states3" datapath=datapath-base \
installation=any mode=ap name=cfg-BASE-2G-Ch6-DP-base-Sec-base rates=\
rate-Minimum security=security-base ssid=1736StrtfrdRmsCt
add datapath=datapath-guest mode=ap name=cfg-slave-GUEST-DP-guest-Sec-guest \
rates=rate-Minimum security=security-guest ssid=1736StrtfrdRmsCt-Guest
add datapath=datapath-iot mode=ap name=cfg-slave-IOT-DP-iot-Sec-iot rates=\
rate-Minimum security=security-iot ssid=1736StrtfrdRmsCt-IOT
add datapath=datapath-nest mode=ap name=cfg-slave-NEST-DP-nest-Sec-nest \
rates=rate-Minimum security=security-nest ssid="Randy's Nest"
add channel.band=5ghz-n/ac country="united states3" datapath=datapath-base \
installation=any mode=ap name=cfg-BASE-5G-DP-base-SEC-base rates=\
rate-Minimum security=security-base ssid=1736StrtfrdRmsCt5
add datapath=datapath-guest mode=ap name=\
cfg-slave-GUEST-5G-DP-guest-Sec-guest rates=rate-Minimum security=\
security-guest ssid=1736StrtfrdRmsCt5-Guest
/interface list
add name=WAN
add name=VLAN
add name=BASE
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool-base ranges=192.168.99.100-192.168.99.199
add name=dhcp_pool-guest ranges=192.168.101.21-192.168.101.254
add name=dhcp_pool-iot ranges=192.168.107.21-192.168.107.254
add name=dhcp_pool-security ranges=192.168.119.21-192.168.119.254
add name=dhcp_pool-voip ranges=192.168.111.21-192.168.111.254
add name=dhcp_pool-server ranges=192.168.200.200-192.168.200.249
/ip dhcp-server
add address-pool=dhcp_pool-base interface=vlan-base name=dhcp-base
add address-pool=dhcp_pool-guest interface=vlan-guest name=dhcp-guest
add address-pool=dhcp_pool-iot interface=vlan-iot name=dhcp-iot
add address-pool=dhcp_pool-security interface=vlan-security name=\
dhcp-security
add address-pool=dhcp_pool-voip interface=vlan-voip name=dhcp-voip
add address-pool=dhcp_pool-server interface=vlan-server name=dhcp-server
/system logging action
set 3 remote=192.168.200.14
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
identity="abcdef" name=zt1 port=9993
/zerotier interface
add instance=zt1 name=zerotier1 network=1234567890
/caps-man access-list
# Keep stupid Amazon Echo devices off other SSIDs
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
74:E2:0C:A2:49:D5 ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
74:E2:0C:A2:49:D5 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
08:A6:BC:33:B0:13 ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
08:A6:BC:33:B0:13 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
F8:54:B8:97:35:2D ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
F8:54:B8:97:35:2D ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
74:A7:EA:F1:DB:E5 ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
74:A7:EA:F1:DB:E5 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
10:96:93:C4:0F:47 ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
10:96:93:C4:0F:47 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
C8:6C:3D:03:D4:E5 ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
C8:6C:3D:03:D4:E5 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
FC:49:2D:A7:3D:29 ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
FC:49:2D:A7:3D:29 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
0C:EE:99:E6:93:BA ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
0C:EE:99:E6:93:BA ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
D8:BE:65:54:93:23 ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
D8:BE:65:54:93:23 ssid-regexp=""
# Drop wifi devices that have low signal strength
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=\
-80..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no ssid-regexp=""
/caps-man manager
set ca-certificate=CAPsMAN-CA-DC2C6E470FBF certificate=CAPsMAN-DC2C6E470FBF \
enabled=yes require-peer-certificate=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=vlan-base
/caps-man provisioning
add action=create-dynamic-enabled comment="AP01-Office [Audience]" \
master-configuration=cfg-BASE-2G-Ch1-DP-base-Sec-base name-format=\
identity radio-mac=08:55:31:69:F3:31 slave-configurations="cfg-slave-GUEST\
-DP-guest-Sec-guest,cfg-slave-IOT-DP-iot-Sec-iot,cfg-slave-NEST-DP-nest-Se\
c-nest"
add action=create-dynamic-enabled comment="AP01-Office [Audience] (5GHz)" \
master-configuration=cfg-BASE-5G-DP-base-SEC-base name-format=identity \
radio-mac=08:55:31:69:F3:32 slave-configurations=\
cfg-slave-GUEST-5G-DP-guest-Sec-guest
add action=create-dynamic-enabled comment="AP02-Patio [wAP AC]" \
master-configuration=cfg-BASE-2G-Ch6-DP-base-Sec-base name-format=\
identity radio-mac=08:55:31:D9:23:A4 slave-configurations="cfg-slave-GUEST\
-DP-guest-Sec-guest,cfg-slave-IOT-DP-iot-Sec-iot,cfg-slave-NEST-DP-nest-Se\
c-nest"
add action=create-dynamic-enabled comment="AP02-Patio [wAP AC] (5GHz)" \
master-configuration=cfg-BASE-5G-DP-base-SEC-base name-format=identity \
radio-mac=08:55:31:D9:23:A5 slave-configurations=\
cfg-slave-GUEST-5G-DP-guest-Sec-guest
add action=create-dynamic-enabled comment="AP03-FamilyRoom [cAP XL AC]" \
master-configuration=cfg-BASE-2G-Ch11-DP-base-Sec-base name-format=\
identity radio-mac=DC:2C:6E:1E:81:FA slave-configurations="cfg-slave-GUEST\
-DP-guest-Sec-guest,cfg-slave-IOT-DP-iot-Sec-iot,cfg-slave-NEST-DP-nest-Se\
c-nest"
add action=create-dynamic-enabled comment=\
"AP03-FamilyRoom [cAP XL AC] (5GHz)" master-configuration=\
cfg-BASE-5G-DP-base-SEC-base name-format=identity radio-mac=\
DC:2C:6E:1E:81:FB slave-configurations=\
cfg-slave-GUEST-5G-DP-guest-Sec-guest
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge interface=zerotier1
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=99
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=101
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=107
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=119
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=111
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=200
/interface list member
add interface=ether1-WAN list=WAN
add interface=vlan-guest list=VLAN
add interface=vlan-iot list=VLAN
add interface=vlan-base list=BASE
add interface=vlan-base list=VLAN
add interface=ether7-Access list=BASE
add interface=vlan-security list=VLAN
add interface=vlan-server list=VLAN
add interface=vlan-voip list=VLAN
add interface=zerotier1 list=VLAN
add interface=zerotier1 list=BASE
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.99.1/24 interface=vlan-base network=192.168.99.0
add address=192.168.101.1/24 interface=vlan-guest network=192.168.101.0
add address=192.168.107.1/24 interface=vlan-iot network=192.168.107.0
add address=192.168.9.11/24 interface=ether7-Access network=192.168.9.0
add address=192.168.119.1/24 interface=vlan-security network=192.168.119.0
add address=192.168.111.1/24 interface=vlan-voip network=192.168.111.0
add address=192.168.200.1/24 interface=vlan-server network=192.168.200.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add interface=ether1-WAN use-peer-dns=no
/ip dhcp-server lease
add address=192.168.99.15 client-id=1:60:12:8b:5c:43:5b comment=\
"Canon MB5320 Printer" mac-address=60:12:8B:5C:43:5B server=dhcp-base
add address=192.168.200.14 client-id=1:e4:5f:1:95:b2:43 mac-address=\
E4:5F:01:95:B2:43 server=dhcp-server
add address=192.168.200.200 mac-address=36:59:4B:91:03:74 server=dhcp-server
add address=192.168.200.201 client-id=\
ff:2f:bd:15:e7:0:1:0:1:2a:23:8d:e4:76:f:2f:bd:15:e7 mac-address=\
76:0F:2F:BD:15:E7 server=dhcp-server
add address=192.168.99.20 client-id=1:50:eb:f6:7e:73:de mac-address=\
50:EB:F6:7E:73:DE server=dhcp-base
add address=192.168.99.11 client-id=1:8:55:31:69:f3:2f mac-address=\
08:55:31:69:F3:2F server=dhcp-base
add address=192.168.99.12 client-id=1:dc:2c:6e:1e:81:f8 mac-address=\
DC:2C:6E:1E:81:F8 server=dhcp-base
add address=192.168.99.13 client-id=1:8:55:31:d9:23:a2 mac-address=\
08:55:31:D9:23:A2 server=dhcp-base
/ip dhcp-server network
add address=192.168.99.0/24 caps-manager=192.168.99.1 dns-server=192.168.99.1 \
gateway=192.168.99.1 ntp-server=192.168.99.1
add address=192.168.101.0/24 dns-server=192.168.99.1 gateway=192.168.101.1 \
ntp-server=192.168.99.1
add address=192.168.107.0/24 dns-server=192.168.99.1 gateway=192.168.107.1 \
ntp-server=192.168.99.1
add address=192.168.111.0/24 dns-server=192.168.99.1 gateway=192.168.111.1 \
ntp-server=192.168.99.1
add address=192.168.119.0/24 dns-server=192.168.99.1 gateway=192.168.119.1 \
ntp-server=192.168.99.1
add address=192.168.200.0/24 dns-server=192.168.99.1 gateway=192.168.200.1 \
ntp-server=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=\
1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.200.10 name=zadkiel.home.arpa
add address=192.168.99.20 name=cassiel.home.arpa
add address=192.168.200.14 name=raziel.home.arpa
add address=192.168.200.10 name=proxmox.home.arpa
add address=192.168.99.1 name=uriel.home.arpa
/ip firewall address-list
add address=ec1a0fcc6b92.sn.mynetname.net list=WAN_IP
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept DNS (udp)" dst-port=53 \
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Accept DNS (tcp)" dst-port=53 \
in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Accept NTP" dst-port=123,12300 \
in-interface-list=VLAN protocol=udp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow BASE" in-interface-list=BASE
add action=reject chain=input comment="Reject icmp-admin-prohibited" \
in-interface-list=VLAN reject-with=icmp-admin-prohibited
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="Allow VLAN access Internet" \
connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE to Server VLAN" \
in-interface-list=BASE out-interface=vlan-server
add action=accept chain=forward comment="Allow Server VLAN to BASE" \
in-interface=vlan-server out-interface-list=BASE
add action=accept chain=forward comment="Allow Inter-VLAN" in-interface=\
vlan-base out-interface=vlan-security
add action=accept chain=forward comment=\
"Allow dst-nat from both WAN and LAN (including port forwarding)" \
connection-nat-state=dstnat
add action=reject chain=forward comment="Reject icmp-admin-prohibited" \
reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="Drop everything else" log=yes \
log-prefix="** DROP ALL:"
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Fwd for WWW" dst-address-list=\
WAN_IP dst-port=80,443 in-interface-list=WAN protocol=tcp to-addresses=\
192.168.99.20
add action=src-nat chain=srcnat comment=\
"Translate NTP from 123 to 12300 to bypass AT&T block of port 123" \
protocol=udp src-port=123 to-ports=12300
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.99.0/24,192.168.9.0/24,10.173.18.0/24
set api disabled=yes
set winbox address=192.168.99.0/24,192.168.9.0/24,10.173.18.0/24
set api-ssl disabled=yes
/ip smb shares
add comment="default share" directory=/pub name=pub
add comment="default share" directory=/pub name=pub
/ip smb users
add name=guest
add name=guest
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=RT1-Office-NR2
/system logging
add action=remote topics=critical,warning,info,debug,error
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.north-america.pool.ntp.org
add address=1.north-america.pool.ntp.org
add address=2.north-america.pool.ntp.org
add address=3.north-america.pool.ntp.org
/system scheduler
add interval=25w5d name=schedule-UpdateCACerts on-event=\
"/system/script/run script-UpdateCACerts" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=dec/30/2021 start-time=02:30:00
/system script
add dont-require-permissions=no name=script-UpdateCACerts owner=Yosef policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\
\r\
\n :do {\r\
\n /tool fetch url=https://mkcert.org/generate/ check-certificate=yes\
\_dst-path=cacert.pem;\r\
\n /certificate remove [ find where authority expired ];\r\
\n /certificate import file-name=cacert.pem passphrase=\"\";\r\
\n /file remove cacert.pem;\r\
\n :log info (\"CACERT: Updated certificate trust store\");\r\
\n } on-error={\r\
\n :log error (\"CACERT: Failed to update certificate trust store\");\
\r\
\n };\r\
\n}"
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool romon
set enabled=yes
All of my CAPs are set exactly the same:
# jun/05/2022 08:36:58 by RouterOS 7.2.3
# model = RBD25G-5HPacQD2HPnD
/interface bridge
add admin-mac=08:55:31:69:F3:2F auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(27dBm), SSID: 1736StrtfrdRmsCt, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(26dBm), SSID: 1736StrtfrdRmsCt5, CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik
set [ find default-name=wlan3 ] ssid=MikroTik
/interface list
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/interface list member
add interface=ether1 list=MGMT
/interface wireless cap
set bridge=bridgeLocal certificate=CAP-08553169F32F discovery-interfaces=\
bridgeLocal enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set host-key-size=4096 strong-crypto=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=AP01-Office
/system ntp client
set enabled=yes mode=multicast
/system ntp client servers
add address=192.168.99.1
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
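The certificate question in the post above (which issued CAP certificate on the CAPsMAN belongs to a CAP that has since been reset) can be answered without guessing, because `/caps-man remote-cap` shows the common-name of the certificate each connected CAP is presenting. The following is an added RouterOS script, not code from this thread or from MikroTik; it assumes the manager issued the CAP certificates itself under the default "CAP-<MAC>" naming visible in the exports above, and that each such certificate's common-name matches what the CAP presents. It only reports; removal stays a manual `/certificate remove`.

```routeros
# Added example, not from this thread. Run on the CAPsMAN.
# Assumption: CAP certificates are named "CAP-<MAC>" (default naming, as in
# the exports above); adjust the regexp if yours were named differently.

# 1. Collect the common-name every currently connected CAP is presenting.
:local inUse [:toarray ""]
:foreach r in=[/caps-man remote-cap find] do={
    :local cn [/caps-man remote-cap get $r common-name]
    :if ([:len $cn] > 0) do={ :set inUse ($inUse, $cn) }
}

# 2. A CAP certificate whose common-name no connected CAP presents is left
#    over from a reset CAP (with require-peer-certificate=yes the re-enrolled
#    CAP gets a new one). Report it; removal is a deliberate manual step.
:local stale 0
:foreach c in=[/certificate find where name~"^CAP-"] do={
    :local nm [/certificate get $c name]
    :local cn [/certificate get $c common-name]
    :local seen false
    :foreach u in=$inUse do={ :if ($u = $cn) do={ :set seen true } }
    :if (!$seen) do={
        :set stale ($stale + 1)
        :log warning ("CAPsMAN: certificate " . $nm . " (cn=" . $cn . \
            ") is not presented by any connected CAP")
        :put ("stale: " . $nm . "  cn=" . $cn . \
            "  -> candidate for: /certificate remove " . $nm)
    }
}
:put ("connected CAPs: " . [:len $inUse] . ", stale CAP certificates: " . $stale)
```

Run it with every CAP online; a CAP that is merely powered off at the time will be reported as stale too, so compare the list against `/caps-man remote-cap print` before removing anything, and re-check `/caps-man manager` still points at the CAPsMAN-CA and CAPsMAN certificates (which the `^CAP-` pattern deliberately does not match).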