
CAPsMAN, VLAN, and VPN on a Point-to-MultiPoint Bridge with RB4011iGS+RM


This guide covers the feasibility and configuration of combining CAPsMAN VLAN tagging and a VPN tunnel in a Point-to-MultiPoint (PtMP) wireless bridge scenario, with the RB4011iGS+RM acting as the central router and CAPsMAN controller.

Topology:

ISP (AGCOMBO)
|
RB4011iGS+RM ← CAPsMAN controller + router + VPN endpoint
| ether (VLAN trunk: 10/20/30)
|
AC bridge HUB (mode=bridge, vlan-filtering=yes)
| (PtMP wireless, 5 GHz 802.11ac)
station-bridge spoke(s) (vlan-filtering=yes)
|
downstream CPE LAN

Key hardware note: The RB4011iGS+RM has no onboard wireless radios. It can only operate as a CAPsMAN controller — it cannot be a CAP, PtMP HUB, or station-bridge spoke itself. All wireless is on external APs or bridge radios.

Feasibility verdict: Fully feasible. The complexity is in coordinating bridge VLAN filtering at multiple hops (router bridge, HUB bridge, spoke bridge, CAP bridges) and managing MTU across PtMP + VPN. Neither is a blocker with careful, ordered configuration.


  • RouterOS 7.14 or later (stable channel) on all devices
  • RB4011iGS+RM as router and CAPsMAN controller
  • Two distinct wireless roles — two distinct software stacks:
    • PtMP bridge devices (HUB radio + spoke radios): must run the legacy wireless stack (/interface wireless). station-bridge mode is only available in this stack. Devices with the wifi-qcom or wifi-qcom-ac package (wifiwave2) do not support station-bridge; use older hardware (e.g., RB921, RB911, or SXT series) or ensure these radios have the legacy wireless package installed and wifiwave2 removed.
    • CAPsMAN-managed APs (downstream, connected via PtMP trunk): run the wifiwave2 stack (/interface wifi, wifi-qcom or wifi-qcom-ac package). Section 2 covers these devices.
  • Do not mix legacy /caps-man v1 with /interface wifi capsman v2 on the same CAPsMAN controller
  • Management access to all devices before enabling bridge VLAN filtering

Stack note: These commands use the legacy /interface wireless stack. The PtMP bridge devices (HUB and spokes) must have the legacy wireless package installed. This is a separate role from the CAPsMAN-managed APs configured in Section 2, which run wifiwave2.

The wireless bridge uses MikroTik’s proprietary station-bridge mode, which provides L2-transparent frames across the PtMP link.

HUB access point (mode=bridge). The security-profile=ptmp-sec referenced here must already exist under /interface wireless security-profiles on both the HUB and every spoke; its definition is not shown. The bridge is created with filtering off, the VLAN table is filled, and only then is filtering switched on (the ordering rule from Step 7 applies at every hop):

/interface wireless
set [ find default-name=wlan1 ] mode=bridge ssid=PTMP-HUB \
band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
frequency=auto security-profile=ptmp-sec
/interface bridge
add name=br-hub vlan-filtering=no
/interface bridge port
add bridge=br-hub interface=wlan1
add bridge=br-hub interface=ether1
/interface bridge vlan
add bridge=br-hub vlan-ids=10 tagged=br-hub,ether1,wlan1
add bridge=br-hub vlan-ids=20 tagged=br-hub,ether1,wlan1
add bridge=br-hub vlan-ids=30 tagged=br-hub,ether1,wlan1
# enable filtering only once the table above is in place
/interface bridge set br-hub vlan-filtering=yes

Spoke CPE (mode=station-bridge). ether1 hands VLAN 10 to the CPE LAN untagged, so that port also needs pvid=10; without it, untagged frames arriving from the LAN are placed in VLAN 1 instead of VLAN 10:

/interface wireless
set [ find default-name=wlan1 ] mode=station-bridge ssid=PTMP-HUB \
band=5ghz-a/n/ac security-profile=ptmp-sec
/interface bridge
add name=br-cpe vlan-filtering=no
/interface bridge port
add bridge=br-cpe interface=wlan1
add bridge=br-cpe interface=ether1 pvid=10
/interface bridge vlan
add bridge=br-cpe vlan-ids=10 tagged=br-cpe,wlan1 untagged=ether1
add bridge=br-cpe vlan-ids=20 tagged=br-cpe,wlan1
add bridge=br-cpe vlan-ids=30 tagged=br-cpe,wlan1
# enable filtering only once the table above is in place
/interface bridge set br-cpe vlan-filtering=yes

On 802.11ac PtMP, the HUB creates a separate virtual interface per associated station. Account for these per-station interfaces in bridge port and firewall rules on the HUB side.


2. CAPsMAN v2 Setup (RouterOS 7 / wifiwave2)


Stack note: These commands use the wifiwave2 /interface wifi stack and apply to APs downstream of the PtMP link — not to the PtMP HUB/spoke radios in Section 1. The wifi-qcom or wifi-qcom-ac package must be installed on the managed APs.

Design assumptions: VLAN 10 = MGMT, VLAN 20 = STAFF SSID, VLAN 30 = GUEST SSID. CAP uplink carries a trunk with VLANs 10/20/30.

Step 1 — Enable CAPsMAN manager on RB4011

/interface wifi capsman
set enabled=yes

Step 2 — Security profiles

/interface wifi security
add name=sec-staff authentication-types=wpa2-psk,wpa3-psk \
passphrase="StrongStaffPass!"
add name=sec-guest authentication-types=wpa2-psk \
passphrase="GuestPass123!"

Step 3 — Datapaths (SSID-to-VLAN mapping)

/interface wifi datapath
add name=dp-staff bridge=br-lan vlan-id=20
add name=dp-guest bridge=br-lan vlan-id=30

wifiwave2 CAPsMAN forwards client traffic locally on the CAP rather than tunnelling it to the controller, so bridge=br-lan names a bridge on each managed AP, not the controller's bridge. That bridge must exist on every CAP, with the CAP's trunk uplink carrying VLANs 20 and 30 tagged.

Step 4 — Wi-Fi configurations

/interface wifi configuration
add name=cfg-staff ssid="STAFF" country=no_country_set \
security=sec-staff datapath=dp-staff
add name=cfg-guest ssid="GUEST" country=no_country_set \
security=sec-guest datapath=dp-guest

Step 5 — Provisioning rules

/interface wifi provisioning
add action=create-dynamic-enabled \
master-configuration=cfg-staff \
slave-configurations=cfg-guest

Step 6 — CAP join configuration (run on each CAP device)

Use an explicit manager IP — L2 autodiscovery can fail across PtMP bridged segments:

/interface wifi cap
set enabled=yes discovery-interfaces=br-mgmt \
caps-man-addresses=10.10.10.1

Step 7 — Bridge VLAN integration on controller

Critical: Pre-populate the VLAN table before enabling vlan-filtering=yes. Enabling filtering first drops management traffic and disconnects CAPs.

/interface bridge
add name=br-lan vlan-filtering=no
/interface bridge port
add bridge=br-lan interface=ether1 frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=br-lan vlan-ids=10 tagged=br-lan,ether1
add bridge=br-lan vlan-ids=20 tagged=br-lan,ether1
add bridge=br-lan vlan-ids=30 tagged=br-lan,ether1
# table is complete, including the MGMT VLAN; now switch filtering on
/interface bridge set br-lan vlan-filtering=yes

Include br-lan (CPU port) as tagged member for every VLAN the router must process.
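The VLAN tables on the HUB bridge, the spoke bridge and br-lan all have to agree before filtering is switched on at any hop, and the failure modes are always the same three: a missing MGMT entry, an untagged port whose pvid does not match, and an L3 VLAN without the CPU port. The script below is an added example, not part of this guide or of RouterOS. It parses `add` lines in the same syntax the guide uses (bridge names, port names and VLAN ids are the guide's; the sample tables are constructed, one of them deliberately without pvid=10 on ether1) and reports what would break once vlan-filtering=yes is set.

```python
"""Preflight check for RouterOS bridge VLAN tables before vlan-filtering=yes.

Added example, not part of the original guide: it parses the same
`/interface bridge port` and `/interface bridge vlan` lines the guide uses,
one device at a time, and reports the mistakes that cut off management or
leave a VLAN dead once filtering is switched on. Sample tables are constructed.
"""
import re
import shlex

KV = re.compile(r"([^=]+)=(.*)")


def _split(value):
    return set(value.split(",")) if value else set()


def _expand_ids(spec):
    """'10', '10,20' or '10-12' -> list of ints."""
    ids = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            ids.extend(range(int(lo), int(hi) + 1))
        else:
            ids.append(int(part))
    return ids


def parse_config(text):
    """Return (ports, vlans): ports -> {name: {"pvid": int}},
    vlans -> {vlan_id: {"tagged": set, "untagged": set}}."""
    section, ports, vlans = None, {}, {}
    for line in text.replace("\\\n", " ").splitlines():  # join `\` continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # menu path, e.g. /interface bridge vlan
            section = line
            continue
        if not line.startswith("add "):
            continue
        kv = {}
        for tok in shlex.split(line[4:]):
            m = KV.fullmatch(tok)
            if m:
                kv[m.group(1)] = m.group(2)
        if section == "/interface bridge port":
            ports[kv["interface"]] = {"pvid": int(kv.get("pvid", 1))}
        elif section == "/interface bridge vlan":
            for vid in _expand_ids(kv["vlan-ids"]):
                entry = vlans.setdefault(vid, {"tagged": set(), "untagged": set()})
                entry["tagged"] |= _split(kv.get("tagged"))
                entry["untagged"] |= _split(kv.get("untagged"))
    return ports, vlans


def check_device(text, bridge, mgmt_vlan, uplink, l3_vlans=()):
    """Return a list of problems; an empty list means filtering is safe to enable.

    bridge is also the CPU port in the VLAN table; uplink is the port management
    traffic arrives on; l3_vlans are VLANs this device terminates with /interface vlan.
    """
    ports, vlans = parse_config(text)
    problems = []

    def members(entry):
        return entry["tagged"] | entry["untagged"]

    # 1. MGMT must reach both the CPU and the uplink, or filtering cuts management.
    mgmt = vlans.get(mgmt_vlan)
    if mgmt is None:
        problems.append(f"MGMT VLAN {mgmt_vlan} has no table entry: filtering would cut management")
    else:
        for needed in (bridge, uplink):
            if needed not in members(mgmt):
                problems.append(f"MGMT VLAN {mgmt_vlan} does not include {needed}")

    # 2. A VLAN with an L3 interface on the bridge needs the CPU port as a member.
    for vid in l3_vlans:
        if vid not in vlans:
            problems.append(f"VLAN {vid} has an L3 interface but no table entry")
        elif bridge not in members(vlans[vid]):
            problems.append(f"VLAN {vid} is terminated in L3 but {bridge} (CPU) is not a member")

    for vid, entry in vlans.items():
        # 3. Untagged membership only works when the port's pvid matches.
        for port in entry["untagged"] - {bridge}:
            pvid = ports.get(port, {}).get("pvid", 1)
            if pvid != vid:
                problems.append(f"{port} is untagged in VLAN {vid} but has pvid={pvid}: "
                                f"untagged ingress lands in VLAN {pvid}")
        for port in entry["tagged"] & entry["untagged"]:
            problems.append(f"{port} is both tagged and untagged in VLAN {vid}")
        # 4. Every member must actually be a port of this bridge.
        for port in members(entry) - {bridge} - set(ports):
            problems.append(f"{port} is listed in VLAN {vid} but is not a port of {bridge}")
    return problems


# Constructed spoke table: ether1 is untagged in VLAN 10 but keeps the default pvid=1.
SPOKE_MISSING_PVID = """
/interface bridge port
add bridge=br-cpe interface=wlan1
add bridge=br-cpe interface=ether1
/interface bridge vlan
add bridge=br-cpe vlan-ids=10 tagged=br-cpe,wlan1 untagged=ether1
add bridge=br-cpe vlan-ids=20,30 tagged=br-cpe,wlan1
"""
SPOKE_OK = SPOKE_MISSING_PVID.replace("interface=ether1", "interface=ether1 pvid=10")

# Constructed controller table where the MGMT row was forgotten before enabling filtering.
CONTROLLER_NO_MGMT = """
/interface bridge port
add bridge=br-lan interface=ether1 frame-types=admit-only-vlan-tagged
/interface bridge vlan
add bridge=br-lan vlan-ids=20 tagged=br-lan,ether1
add bridge=br-lan vlan-ids=30 tagged=br-lan,ether1
"""

if __name__ == "__main__":
    print("spoke, missing pvid:", check_device(SPOKE_MISSING_PVID, "br-cpe", 10, "wlan1"))
    print("spoke, fixed:       ", check_device(SPOKE_OK, "br-cpe", 10, "wlan1") or "OK")
    print("controller:         ", check_device(CONTROLLER_NO_MGMT, "br-lan", 10, "ether1", (10, 20, 30)))
```

Run it against `/export` output of each device (or the lines you are about to paste in), with the bridge name, the MGMT VLAN and the port management arrives on: wlan1 on a spoke, ether1 on the RB4011. On the controller also pass the VLANs that get an /interface vlan in Step 8, so a VLAN that would come up dead is caught before the DHCP server is built on it.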

Step 8 — L3 VLAN interfaces and DHCP on RB4011

/interface vlan
add interface=br-lan name=vlan10-mgmt vlan-id=10
add interface=br-lan name=vlan20-staff vlan-id=20
add interface=br-lan name=vlan30-guest vlan-id=30
/ip address
add address=10.10.10.1/24 interface=vlan10-mgmt
add address=10.20.0.1/24 interface=vlan20-staff
add address=10.30.0.1/24 interface=vlan30-guest

Configure /ip dhcp-server on each VLAN interface as required.


WireGuard is the recommended VPN protocol over PtMP — low overhead, UDP-based, and simple to configure. MTU planning is mandatory.

WireGuard interface with reduced MTU:

/interface wireguard
add name=wg-vpn listen-port=51820 mtu=1420

WireGuard peer (the tunnel itself still needs an address from 10.100.0.0/24 assigned to wg-vpn under /ip address, and a peer that sits behind NAT should set persistent-keepalive so the mapping stays open):

/interface wireguard peers
add interface=wg-vpn public-key="<remote-peer-pubkey>" \
endpoint-address=<remote-ip> endpoint-port=51820 \
allowed-address=10.100.0.0/24

TCP MSS clamp (apply on both directions — prevents PMTUD black-holing):

/ip firewall mangle
add chain=forward action=change-mss new-mss=clamp-to-pmtu \
protocol=tcp tcp-flags=syn out-interface=wg-vpn
add chain=forward action=change-mss new-mss=clamp-to-pmtu \
protocol=tcp tcp-flags=syn in-interface=wg-vpn

PtMP bridge:

/interface wireless registration-table print
/interface bridge port print detail
/interface bridge vlan print

CAPsMAN:

/interface wifi capsman print
/interface wifi cap print
/interface wifi registration-table print
/ip dhcp-server lease print

WireGuard:

/interface wireguard peers print
/interface wireguard print
/ping 10.100.0.1 count=5

MTU validation — run from both ends before production:

/ping <far-end-ip> size=1472 do-not-fragment

RouterOS counts size as the whole IP packet, so size=1472 probes a 1500-byte underlay path between the tunnel endpoints; for a ping sent through the tunnel the ceiling is the wg-vpn MTU itself (1420 as configured above). If large pings fail, reduce WireGuard MTU by 10-byte increments until stable, then re-apply MSS clamp.
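Where the 1420 on the WireGuard interface, the MSS the clamp produces and the ping ceiling come from, as an added Python example that is not part of this guide: the overhead constants are the IPv4/IPv6, UDP and WireGuard transport-header sizes, and settle_mtu models the 10-byte step-down procedure above against a constructed probe that stands in for the do-not-fragment ping.

```python
"""MTU and MSS planning for WireGuard over the PtMP path.

Added example, not part of the original guide. Header sizes are protocol
constants; the probe used by settle_mtu is a constructed stand-in for
`/ping <far-end-ip> size=N do-not-fragment`.
"""

IP_HDR = {"ipv4": 20, "ipv6": 40}
UDP_HDR = 8
WG_HDR = 32        # type+reserved 4, receiver index 4, counter 8, Poly1305 tag 16
TCP_HDR = 20
ICMP_HDR = 8


def wireguard_mtu(underlay_mtu, family="ipv4", extra=0):
    """Largest tunnel MTU whose encrypted packets still fit the underlay.

    family is the address family of WireGuard's outer UDP packets;
    extra covers anything else below it, e.g. 8 bytes for PPPoE.
    """
    return underlay_mtu - extra - IP_HDR[family] - UDP_HDR - WG_HDR


def tcp_mss(tunnel_mtu, family="ipv4"):
    """MSS that clamp-to-pmtu should produce for TCP flows through the tunnel."""
    return tunnel_mtu - IP_HDR[family] - TCP_HDR


def max_df_ping(mtu, family="ipv4", routeros=True):
    """Largest do-not-fragment ping that fits mtu.

    RouterOS `size` is the whole IP packet; Linux ping's size is only the
    ICMP payload, hence the IP+ICMP header difference.
    """
    return mtu if routeros else mtu - IP_HDR[family] - ICMP_HDR


def settle_mtu(probe, start=1420, step=10, floor=1280):
    """Lower the tunnel MTU in `step`-byte increments until probe(mtu) passes.

    probe(size) returns True when a DF ping of that size gets through.
    Returns the first working MTU, or None if the IPv6 minimum is reached.
    """
    mtu = start
    while mtu >= floor:
        if probe(mtu):
            return mtu
        mtu -= step
    return None


def simulated_probe(path_mtu):
    """Constructed probe: a DF ping passes only if it fits the path MTU."""
    return lambda size: size <= path_mtu


if __name__ == "__main__":
    print("IPv4 underlay 1500 ->", wireguard_mtu(1500))          # 1440
    print("IPv6 underlay 1500 ->", wireguard_mtu(1500, "ipv6"))  # 1420
    print("PPPoE IPv4 1492    ->", wireguard_mtu(1492))          # 1432
    print("MSS for mtu=1420   ->", tcp_mss(1420))                # 1380
    print("Largest RouterOS DF ping through mtu=1420:", max_df_ping(1420))  # 1420
    print("Settled MTU on a 1395-byte path:", settle_mtu(simulated_probe(1395)))  # 1390
```

The guide's mtu=1420 is exactly what an IPv6 underlay allows and leaves 20 bytes of headroom over IPv4, which is why it is a sensible default when the ISP side is not fully known; on an IPv4 PPPoE underlay the true ceiling is 1432, so 1420 still fits. A clamped SYN through that tunnel carries MSS 1380.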


| Symptom | Likely cause | Fix |
| --- | --- | --- |
| CAPs drop off after enabling bridge VLAN filtering | VLAN table not pre-populated | Add MGMT VLAN entry before enabling filtering; re-enable vlan-filtering=yes |
| SSID active but clients get no IP | datapath vlan-id does not match bridge VLAN table or trunk allowed list | Check /interface bridge vlan and datapath config |
| CAP discovery fails across PtMP segments | L2 broadcast not reliably forwarded | Set explicit caps-man-addresses on each CAP |
| Large-frame packet loss through VPN | MTU/fragmentation mismatch | Lower wg-vpn MTU; verify MSS clamp is applied |
| IPSec fails behind ISP NAT | NAT-T disabled or blocked | Enable NAT-T; check ISP CGNAT pass-through for UDP 4500 |
| station-bridge spoke does not associate | Third-party radio at HUB or mismatched mode | Both ends must be MikroTik; HUB=bridge, spoke=station-bridge |
| station-bridge mode option missing | Device has wifiwave2 package installed | station-bridge is legacy-stack only; remove wifi-qcom/wifi-qcom-ac and ensure legacy wireless package is present |
| Bridge VLAN filtering bypasses hardware offload | Feature requires CPU forwarding on RB4011 | Benchmark throughput under load; consider routing-at-spoke instead |

If true L2 transparency is not required, terminate the PtMP as L3 at each CPE (each spoke routes its own subnet). This avoids a shared broadcast domain over radio, improves fault isolation, and scales better for many spokes. It is the recommended approach for most multi-spoke deployments.