
CAPsMAN v2 Architecture and Provisioning

CAPsMAN (Controlled Access Point Manager) v2 is the centralized wireless management system for RouterOS 7’s WiFi package. This guide covers the architecture, provisioning strategies, and advanced configurations.

CAPsMAN v2 is specifically designed for the new WiFi package and differs significantly from v1:

| Feature | CAPsMAN v1 | CAPsMAN v2 |
|---|---|---|
| Wireless package | Legacy wireless | WiFi package |
| Manager path | /caps-man | /interface/wifi/capsman |
| Interface path | /interface/wireless | /interface/wifi |
| CAP config path | /interface/wireless/cap | /interface/wifi/cap |
| Max data rate | 866 Mbps (802.11ac) | 4.8 Gbps (802.11ax) |
| WPA3 support | Limited | Full |
| 802.11r/k/v | Basic | Full |
| Configuration model | Flat | Profile-based |

Migration: You cannot mix v1 and v2. All CAPs must use the same package as the controller. See CAPsMAN v1 to v2 Migration Guide for details.

┌───────────────────────┐                    ┌───────────────────────┐
│  CAPsMAN controller   │   UDP 5246 / 5247  │  CAP (access point)   │
│                       │◄──────────────────►│                       │
│  - channel profiles   │                    │  - WiFi radios        │
│  - security profiles  │                    │  - CAP interface      │
│  - datapaths          │                    │                       │
│  - configurations     │                    │                       │
└───────────────────────┘                    └───────────────────────┘

CAPs connect to CAPsMAN using:

  • Protocol: UDP ports 5246 (control) / 5247 (data)
  • Discovery: Broadcast or directed to controller IP
  • Transport: IP-based (not MAC-based in v2)

CAPsMAN supports two discovery modes:

CAPs discover the controller via broadcast on the local network segment. Works automatically when controller and CAPs are on the same subnet.

# CAP with L2 discovery (no explicit controller address needed)
/interface/wifi/cap set enabled=yes \
discovery-interfaces=bridge-wifi

Required for multi-site deployments where the CAPsMAN controller is on a different subnet. CAP connects directly to the controller’s IP address.

# CAP with explicit controller address (L3/multi-site)
/interface/wifi/cap set enabled=yes \
caps-man-addresses=10.0.0.1 \
discovery-interfaces=bridge-wifi

Multiple controller addresses can be specified for redundancy:

/interface/wifi/cap set enabled=yes \
caps-man-addresses=10.0.0.1,10.0.0.2 \
discovery-interfaces=bridge-wifi

When the controller is behind a firewall, permit the CAPsMAN ports on the controller's input chain, but only from the network the CAPs live on. An unrestricted accept on 5246/5247 lets anything that can reach the controller, including the internet when the WAN is involved, attempt CAP registration and probe the CAPWAP service. Place the rules above the chain's final drop rule and replace 10.0.0.0/24 with the CAP management subnet:

# Allow CAPsMAN control and data from the CAP subnet only
/ip/firewall/filter add chain=input protocol=udp dst-port=5246 src-address=10.0.0.0/24 action=accept comment="CAPsMAN control"
/ip/firewall/filter add chain=input protocol=udp dst-port=5247 src-address=10.0.0.0/24 action=accept comment="CAPsMAN data"

DTLS and the CAPWAP encapsulation add per-packet overhead to the CAP-to-controller channel, so on paths whose MTU is below 1500 (PPPoE, IPsec or other tunnels between sites) large control messages can be fragmented or silently dropped.

  • Controller and CAPs on the same LAN: the default 1500-byte MTU is fine.
  • CAPs reached across a WAN or tunnel: confirm the path MTU end to end first (a do-not-fragment ping of the expected size from the CAP to the controller shows where it breaks), then lower the tunnel MTU or fix MSS/MTU clamping rather than working around it.
# On the CAP: confirm it is registered and which controller it is talking to
/interface/wifi/cap print detail
# If CAPs register but flap or never finish provisioning over a WAN link, suspect the path MTU.
# Do not "fix" this by removing the certificate to drop DTLS: without it the CAP cannot
# authenticate the controller, and SSIDs, passphrases and VLAN assignments cross the WAN in clear.

1. Discovery Interface Must Be a Bridge

On a CAP, discovery-interfaces must name the interface that actually carries the CAP's Layer 2 and IP connectivity to the controller. On a typical CAP that is the bridge, not one of its member ports: a port enslaved to a bridge has no IP address and no independent Layer 2 presence of its own, so discovery traffic sent on it never reaches the controller.

Correct:

/interface/wifi/cap set enabled=yes \
caps-man-addresses=10.0.0.1 \
discovery-interfaces=bridge1

Incorrect:

# This WILL NOT WORK
/interface/wifi/cap set enabled=yes \
caps-man-addresses=10.0.0.1 \
discovery-interfaces=ether1

2. WiFi Interfaces Must Be in Bridge on CAP


On the CAP device, WiFi interfaces must be added to a bridge:

# Create bridge for wireless
/interface/bridge add name=bridge-wifi
# Add WiFi interface to bridge
/interface/bridge/port add bridge=bridge-wifi interface=wifi1
/interface/bridge/port add bridge=bridge-wifi interface=wifi2

3. CAPsMAN Interfaces Appear on Controller


Managed WiFi interfaces appear on the controller, not the CAP:

# On controller - view managed CAP interfaces
/interface/wifi/print

CAPsMAN v2 uses a profile-based architecture. A configuration references one profile of each kind, and provisioning rules decide which configuration a radio receives:

| Profile | Purpose | Command path |
|---|---|---|
| Channel | RF settings (frequency, width, band) | /interface/wifi/channel |
| Security | Authentication and encryption (including 802.11r) | /interface/wifi/security |
| Datapath | Bridge and VLAN placement of client traffic | /interface/wifi/datapath |
| Steering | 802.11k/v neighbour reports and BSS transition (newer 7.x builds) | /interface/wifi/steering |
| Configuration | Combines the profiles above with SSID, country and radio settings | /interface/wifi/configuration |
| Provisioning | Maps CAP radios to configurations | /interface/wifi/provisioning |

Channel profile examples:
/interface/wifi/channel add name=5GHz-80MHz \
band=5ghz-ax \
frequency=5180,5200,5220,5240 \
width=20/40/80mhz
/interface/wifi/channel add name=2.4GHz-20MHz \
band=2ghz-ax \
frequency=2412,2437,2462 \
width=20mhz

Channel Profile Options:

| Parameter | Description |
|---|---|
| band | Band and PHY mode (e.g., 5ghz-ax, 5ghz-ac, 2ghz-ax, 2ghz-n) |
| frequency | Allowed channel center frequencies in MHz; with several values the radio picks one of them, so list only the non-overlapping channels you want in play |
| width | 20mhz / 20/40mhz / 20/40/80mhz / 20/40/80/160mhz |
| skip-dfs-channels | Exclude DFS channels (all) or only those needing the long CAC (10min-cac) |

Transmit and receive chain selection (tx-chains, rx-chains) and tx-power are configuration-level settings, not channel-profile settings.

Valid band values:

| Band | Values |
|---|---|
| 2.4 GHz | 2ghz-g, 2ghz-n, 2ghz-ax |
| 5 GHz | 5ghz-a, 5ghz-an, 5ghz-ac, 5ghz-ax |

Security profile examples:
# WPA2/WPA3 transition mode with a pre-shared key. wpa3-psk alone is preferable
# where every client supports SAE; disable-pmkid removes the PMKID that the WPA2
# side would otherwise hand to an unauthenticated attacker for offline cracking.
/interface/wifi/security add name=Corporate \
authentication-types=wpa2-psk,wpa3-psk \
passphrase=YourPassword! \
disable-pmkid=yes
# Enterprise (802.1X/EAP). The AP only relays EAP frames: the RADIUS server and its
# shared secret are defined under /radius with service=wifi, not inside the security
# profile, and the EAP server certificate lives on the RADIUS server.
/radius add service=wifi address=10.0.0.50 secret=ChangeMeRadiusSecret
/interface/wifi/security add name=Enterprise \
authentication-types=wpa2-eap,wpa3-eap \
eap-accounting=yes
# Client traffic is always bridged on the CAP itself in the WiFi package;
# the legacy local-forwarding=yes/no switch is not a /interface/wifi/datapath option.
/interface/wifi/datapath add name=Local-Fwd \
bridge=bridge-local
# Client isolation: no forwarding between wireless clients of the interface
/interface/wifi/datapath add name=Guest-Isolated \
bridge=bridge-local \
client-isolation=yes
# VLAN tagging: clients are placed into VLAN 10 on the bridge
/interface/wifi/datapath add name=VLAN10 \
bridge=bridge-local \
vlan-id=10

Datapath Options:

| Parameter | Description |
|---|---|
| bridge | Bridge the WiFi interface is added to as a port (must exist on the CAP) |
| bridge-cost | Port cost of that bridge port |
| bridge-horizon | Bridge horizon of the port (no forwarding between ports sharing a horizon) |
| client-isolation | yes: wireless clients of the interface cannot talk to each other |
| interface-list | Interface list the WiFi interface is added to (for firewall and bridge rules) |
| vlan-id | VLAN ID assigned to clients; per-client overrides come from the access list or RADIUS |

The legacy /caps-man datapath parameters local-forwarding, vlan-mode and client-to-client-forwarding have no counterpart here; the legacy client-to-client-forwarding=no corresponds to client-isolation=yes.
# Values containing spaces must be quoted; an unquoted country=United States does not parse
/interface/wifi/configuration add name=Office-5GHz \
channel=5GHz-80MHz \
security=Corporate \
datapath=Local-Fwd \
ssid=Office-5G \
country="United States" \
hide-ssid=no

Configuration Options:

| Parameter | Description |
|---|---|
| channel | Channel profile name |
| security | Security profile name |
| datapath | Datapath profile name |
| steering | Steering profile name (802.11k/v) |
| ssid | Wireless network name |
| country | Regulatory domain; quote values containing spaces |
| hide-ssid | Do not announce the SSID in beacons (obscurity only; clients still reveal it in probe requests) |
| mode | ap (default), station or station-bridge |
| tx-chains / rx-chains | Antenna chains used to transmit / receive |
| tx-power | Transmit power limit in dBm |

802.11r fast transition is enabled with ft=yes in the security profile (it is part of the key hierarchy), and 802.11k/v (rrm, wnm) are steering-profile settings; none of the three is a configuration parameter.

Provisioning rules determine how CAP radios are configured when they connect to CAPsMAN. Rules are evaluated in order and the first rule whose matchers fit the radio wins. A rule with no matchers, like the one below, applies its configuration to every radio of every CAP, so keep such a rule last or avoid it:

/interface/wifi/provisioning add \
action=create-dynamic-enabled \
master-configuration=Office-5GHz

Match configurations to CAP hardware capabilities using supported-bands:

# 5GHz for WiFi 6 (ax) capable devices
/interface/wifi/provisioning add \
action=create-dynamic-enabled \
supported-bands=5ghz-ax \
master-configuration=5GHz-Master
# 2.4GHz for WiFi 6 devices
/interface/wifi/provisioning add \
action=create-dynamic-enabled \
supported-bands=2ghz-ax \
master-configuration=2.4GHz-Master

Note: Use supported-bands (not hw-supported-modes) in CAPsMAN v2. Do not use radio-mac for band matching — leave it blank and use supported-bands instead.

Match by router identity (system identity):

/interface/wifi/provisioning add \
action=create-dynamic-enabled \
identity-regexp="^Office-.*" \
master-configuration=Office-AP
/interface/wifi/provisioning add \
action=create-dynamic-enabled \
identity-regexp="^Warehouse-.*" \
master-configuration=Warehouse-AP

Provision a specific radio by its MAC address (radio-mac is the radio's own MAC, not the CAP's Ethernet MAC), creating a static interface that survives reconnects:

/interface/wifi/provisioning add \
action=create-enabled \
radio-mac=AA:BB:CC:DD:EE:FF \
master-configuration=Specific-AP

| Parameter | Description |
|---|---|
| action | none, create-disabled, create-enabled (static interface, kept across reconnects), create-dynamic-enabled (interface created on connect and removed on disconnect) |
| supported-bands | Band filter: 5ghz-ax, 5ghz-ac, 2ghz-ax, 2ghz-n, etc. |
| identity-regexp | Regex matched against the CAP's system identity |
| common-name-regexp | Regex matched against the CAP certificate's common name (DTLS deployments) |
| radio-mac | MAC address of the radio to match |
| master-configuration | Configuration applied to the radio |
| slave-configurations | Additional configurations (extra SSIDs) created as virtual interfaces on the same radio |
| name-format | Naming pattern for the interfaces the rule creates |

Forwarding Model

In the WiFi package CAPsMAN is a control-plane function only. Client traffic is always bridged on the CAP the client is associated to and leaves through that CAP's own Ethernet ports:

Client <-> CAP <-> Local Switch <-> Network

This is what the legacy package called local forwarding. The legacy "manager forwarding" mode, in which every client frame was tunnelled through the controller, has no equivalent under /interface/wifi, and local-forwarding=no is not an accepted datapath parameter. Local forwarding is the right default anyway:

  • Low latency: no detour through the controller
  • No data-plane bottleneck or single point of failure at the controller
  • Fits most deployments

The needs that used to motivate manager forwarding are met differently:

  • Centralized firewall policy: carry each SSID's VLAN over the CAP uplink to the firewall and enforce policy there
  • Client isolation: client-isolation=yes in the datapath stops client-to-client forwarding on the AP; isolation between clients on different APs still has to be enforced on the switch or firewall for that VLAN
  • Traffic shaping: queue on the router that terminates the VLAN, or on the CAP itself

/interface/wifi/datapath add name=local-fwd \
bridge=bridge-local
/interface/wifi/datapath add name=guest-isolated \
bridge=bridge-local \
client-isolation=yes

VLAN Configuration

Assign a VLAN to every client of an SSID by setting vlan-id in its datapath (there is no vlan-mode parameter; a vlan-id is always applied as a tag on the bridge):

/interface/wifi/datapath add name=Corp-VLAN \
bridge=bridge-corp \
vlan-id=10

Create multiple SSIDs, each with its own VLAN. A radio runs one master configuration; extra SSIDs on the same radio are slave configurations of the same provisioning rule, not separate rules (the first matching rule wins per radio, so two matcher-less rules would only ever apply the first one). Both datapaths use the same bridge, which must exist on the CAP:

# Security profiles
/interface/wifi/security add name=Staff-Sec authentication-types=wpa2-psk,wpa3-psk passphrase=StaffPass!
/interface/wifi/security add name=Guest-Sec authentication-types=wpa2-psk,wpa3-psk passphrase=GuestPass!
# Datapaths (guest clients isolated from each other)
/interface/wifi/datapath add name=Staff-DP bridge=bridge-wifi vlan-id=10
/interface/wifi/datapath add name=Guest-DP bridge=bridge-wifi vlan-id=20 client-isolation=yes
# Configurations (the channel profile 5GHz is the one created in the quick start below)
/interface/wifi/configuration add name=Staff-AP \
channel=5GHz \
security=Staff-Sec \
datapath=Staff-DP \
ssid=Corporate-Staff
/interface/wifi/configuration add name=Guest-AP \
channel=5GHz \
security=Guest-Sec \
datapath=Guest-DP \
ssid=Corporate-Guest
# One provisioning rule: Staff-AP on the radio, Guest-AP as a second SSID on the same radio
/interface/wifi/provisioning add action=create-dynamic-enabled supported-bands=5ghz-ax master-configuration=Staff-AP slave-configurations=Guest-AP

When VLAN filtering is enabled on the CAP bridge, the client VLANs must be allowed toward both the bridge itself and the uplink port; otherwise tagged client traffic has nowhere to go:

# On each CAP (ether1 is assumed to be the uplink). Enable filtering last, from a
# console or safe mode: a wrong VLAN table cuts the CAP's own management access.
/interface/bridge/vlan add bridge=bridge-wifi vlan-ids=10,20 tagged=bridge-wifi,ether1
/interface/bridge set bridge-wifi vlan-filtering=yes

Note on AX vs AC devices: AX (wifi-qcom) devices add the datapath's VLAN to the bridge VLAN table automatically. On AC (wifi-qcom-ac) and legacy devices the bridge VLAN table must be maintained manually on each CAP.

The access list (/interface/wifi/access-list) controls per-client admission on managed WiFi interfaces. Rules are evaluated top-down; the first matching rule wins. There is no implicit deny — to enforce allowlisting, add an explicit reject-all rule at the bottom.

Access list rules apply to CAPsMAN-managed interfaces the same way as standalone WiFi interfaces. Provisioning creates the interfaces; the access list then handles per-client admission on those interfaces.

# Allow a specific client
/interface/wifi/access-list
add mac-address=AA:BB:CC:DD:EE:FF action=accept
# Deny a specific client
/interface/wifi/access-list
add mac-address=11:22:33:44:55:66 action=reject
# Allowlist: accept known MACs, reject all others
/interface/wifi/access-list
add mac-address=AA:BB:CC:DD:EE:FF action=accept
add mac-address=11:22:33:44:55:66 action=accept
add action=reject

To block clients using randomized (locally administered) MACs, match the U/L bit, which is bit 1 of the first octet:

/interface/wifi/access-list
add mac-address=02:00:00:00:00:00 mac-address-mask=02:00:00:00:00:00 action=reject

This also rejects any legitimately locally administered address (some VMs, docking stations and embedded devices), and because phones randomize per SSID by default it effectively forces users to switch randomization off for your network. Use it where you need a stable per-device identity (allowlists, per-client VLANs), not as a general hardening step.

signal-range defines minimum and maximum RSSI (in dBm) for association. The AP re-checks signal after connection; clients outside the allowed range are disconnected after allow-signal-out-of-range seconds.

# Only allow clients with -70 to 0 dBm; disconnect after 2 minutes out of range
/interface/wifi/access-list
add signal-range=-70..0 allow-signal-out-of-range=2m action=accept
add action=reject

This is useful for managing sticky clients that cling to a distant AP when a closer one is available.

The time parameter accepts a time window and optional days list. Clients are periodically re-validated; those that fall outside the time window are disconnected.

# Guest access only on weekdays 07:00–19:00
/interface/wifi/access-list
add ssid-regexp="Guest" time=7h-19h days=mon,tue,wed,thu,fri action=accept
add ssid-regexp="Guest" action=reject

Matched clients can be placed into a specific VLAN via the vlan-id action parameter:

/interface/wifi/access-list
add mac-address=AA:BB:CC:DD:EE:FF action=accept vlan-id=30
add mac-address=BB:CC:DD:EE:FF:00 action=accept vlan-id=40

Note for wifi-qcom-ac devices: VLAN ID assignment via access-list requires the bridge interface pvid to be configured first. AX-based devices handle this automatically.

| Parameter | Description |
|---|---|
| mac-address | Client MAC to match |
| mac-address-mask | Mask for MAC matching; only bits set in the mask are compared (e.g., FF:FF:FF:00:00:00 matches an OUI) |
| signal-range | Allowed RSSI range in dBm (e.g., -75..0) |
| allow-signal-out-of-range | Grace period before disconnecting a client that left the range (e.g., 2m) |
| time | Time window for access (e.g., 8h-18h) |
| days | Comma-separated days (mon,tue,wed,thu,fri,sat,sun) |
| ssid-regexp | Regex matched against the SSID name |
| interface | Specific WiFi interface the rule applies to |
| action | accept, reject, or query-radius |
| vlan-id | VLAN to assign to the matched client (1-4094) |
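The ordering rules above (top-down, first match wins, no implicit deny) are easy to get wrong when a list mixes MAC, signal, SSID and time matchers. The following Python model is an added illustration, not RouterOS code: it evaluates a constructed rule set that mirrors the snippets above against a few constructed clients and returns which rule fired. Field names follow the access-list parameters; the mask semantics (only bits set in mac-address-mask are compared) and the hour/day handling are this model's own simplifications.

```python
"""Model of /interface/wifi/access-list evaluation: rules are checked top-down,
the first match decides, and a client matching no rule is accepted.
This is an added illustration, not RouterOS code; the Rule and Client fields
and the sample rule sets are constructed to mirror the snippets above."""
import re
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence, Tuple


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set, as it is for
    randomised client MACs, but also for AA:BB:CC:DD:EE:FF style placeholders."""
    return bool((mac_to_int(mac) >> 40) & 0x02)


@dataclass(frozen=True)
class Rule:
    action: str = "accept"                            # accept | reject (query-radius not modelled)
    mac_address: Optional[str] = None                 # None: rule does not look at the MAC
    mac_address_mask: str = "FF:FF:FF:FF:FF:FF"       # only bits set here are compared
    signal_range: Optional[Tuple[int, int]] = None    # (min, max) dBm, inclusive
    ssid_regexp: Optional[str] = None
    time: Optional[Tuple[int, int]] = None            # (start_hour, end_hour), end exclusive
    days: Optional[FrozenSet[str]] = None             # {"mon", ...}; None: any day
    vlan_id: Optional[int] = None                     # VLAN handed to an accepted client


@dataclass(frozen=True)
class Client:
    mac: str
    ssid: str
    signal: int   # dBm as seen by the AP
    hour: int     # 0-23, AP local time
    day: str      # mon..sun


def rule_matches(rule: Rule, c: Client) -> bool:
    if rule.mac_address is not None:
        mask = mac_to_int(rule.mac_address_mask)
        if (mac_to_int(c.mac) & mask) != (mac_to_int(rule.mac_address) & mask):
            return False
    if rule.signal_range is not None and not (rule.signal_range[0] <= c.signal <= rule.signal_range[1]):
        return False
    if rule.ssid_regexp is not None and re.search(rule.ssid_regexp, c.ssid) is None:
        return False
    if rule.time is not None and not (rule.time[0] <= c.hour < rule.time[1]):
        return False
    if rule.days is not None and c.day not in rule.days:
        return False
    return True


def evaluate(rules: Sequence[Rule], c: Client):
    """Return (action, vlan_id, index of the rule that fired).
    index is None when nothing matched; the client is then accepted."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, c):
            return rule.action, rule.vlan_id, i
    return "accept", None, None


WEEKDAYS = frozenset({"mon", "tue", "wed", "thu", "fri"})

# Constructed rule set mirroring the snippets above; the order is what matters.
RULES: Tuple[Rule, ...] = (
    Rule(action="reject", mac_address="02:00:00:00:00:00",
         mac_address_mask="02:00:00:00:00:00"),                          # randomised MACs
    Rule(action="accept", mac_address="4C:5E:0C:11:22:33", vlan_id=30),  # known device -> VLAN 30
    Rule(action="accept", ssid_regexp="Guest", time=(7, 19), days=WEEKDAYS),
    Rule(action="reject", ssid_regexp="Guest"),                          # guest outside hours
    Rule(action="accept", signal_range=(-70, 0)),                        # others only with usable signal
)
ALLOWLIST: Tuple[Rule, ...] = RULES + (Rule(action="reject"),)           # explicit final deny


if __name__ == "__main__":
    weak = Client("4C:5E:0C:77:88:99", "Corporate-Staff", -80, 3, "sun")
    print("no final reject:  ", evaluate(RULES, weak))       # accepted: nothing matched
    print("with final reject:", evaluate(ALLOWLIST, weak))   # rejected by the last rule
```

Two things the model makes visible: a weak-signal client that matches nothing is accepted unless the list ends in a reject-all, and the page's placeholder AA:BB:CC:DD:EE:FF has the U/L bit set (0xAA & 0x02), so an accept entry for it placed below the randomized-MAC reject would never fire. Check real allowlist entries with is_locally_administered() before ordering them under that rule.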

This section gives a minimal dual-band CAPsMAN configuration meant to be copy-pasted with only the addresses and bridge names changed. It is the fastest way to get a dual-band CAPsMAN system running.

  • RouterOS 7.x with WiFi package installed
  • One CAPsMAN controller (this router)
  • One or more CAP access points connected to the same network
  • A bridge interface already configured on both controller and CAP

Execute these commands on the CAPsMAN controller:

# 1. Enable CAPsMAN
/interface/wifi/capsman set enabled=yes
# 2. Create channel profiles for each band
/interface/wifi/channel add name=5GHz band=5ghz-ax frequency=5180,5200,5220,5240 width=20/40/80mhz
/interface/wifi/channel add name=2.4GHz band=2ghz-ax frequency=2437 width=20mhz
# 3. Create security profile
/interface/wifi/security add name=Corporate \
authentication-types=wpa2-psk,wpa3-psk \
passphrase=YourSecurePassword!
# 4. Create datapath (local forwarding)
/interface/wifi/datapath add name=Local-Forward bridge=bridge-local local-forwarding=yes
# 5. Create configuration profiles - SAME SSID on both bands
/interface/wifi/configuration add name=5GHz-Config \
channel=5GHz \
security=Corporate \
datapath=Local-Forward \
ssid=MyNetwork \
country="United States"
/interface/wifi/configuration add name=2.4GHz-Config \
channel=2.4GHz \
security=Corporate \
datapath=Local-Forward \
ssid=MyNetwork \
country="United States"
# 6. Create provisioning rules - assign 5GHz config to 5GHz radios, 2.4GHz to 2.4GHz
/interface/wifi/provisioning add \
action=create-dynamic-enabled \
supported-bands=5ghz-ax \
master-configuration=5GHz-Config
/interface/wifi/provisioning add \
action=create-dynamic-enabled \
supported-bands=2ghz-ax \
master-configuration=2.4GHz-Config

Execute these commands on each CAP access point:

# 1. Ensure WiFi interfaces are in a bridge
/interface/bridge add name=bridge-wifi
/interface/bridge/port add bridge=bridge-wifi interface=wifi1
/interface/bridge/port add bridge=bridge-wifi interface=wifi2
# 2. Add physical ports to the same bridge (for network access)
/interface/bridge/port add bridge=bridge-wifi interface=ether1
# 3. Enable CAP mode
/interface/wifi/cap set enabled=yes \
caps-man-addresses=10.0.0.1 \
discovery-interfaces=bridge-wifi

Important: Replace 10.0.0.1 with your CAPsMAN controller's IP address. The datapath's bridge (bridge-local above) names the bridge on the CAP that the WiFi interface joins, because client traffic is bridged on the CAP; in this quick start the CAP's bridge is called bridge-wifi, so either name the CAP bridge bridge-local or set the datapath to bridge=bridge-wifi.

On the CAPsMAN controller, verify CAPs are connected:

# View connected CAPs
/interface/wifi/capsman/remote-cap print
# View all managed WiFi interfaces on controller
/interface/wifi/print
# View client connections
/interface/wifi/registration-table print

You should see two managed interfaces per CAP - one for 2.4GHz and one for 5GHz, both broadcasting the same SSID “MyNetwork”.

If CAPs don’t appear or SSID doesn’t broadcast:

  1. CAP not registering:

    # Check CAPsMAN is enabled
    /interface/wifi/capsman print
    # Verify discovery interface is a BRIDGE (not physical port)
    /interface/wifi/cap print
  2. Only one band appearing:

    # Verify provisioning rules exist
    /interface/wifi/provisioning print
    # Check provisioning match
    /interface/wifi/print detail
  3. Clients can’t connect:

    # Verify the datapath bridge exists on the CAP (that is where the WiFi interface is attached)
    /interface/bridge print
    # Check security profile
    /interface/wifi/security print
Complete Example

# ---- On the controller ----
# Enable CAPsMAN
/interface/wifi/capsman set enabled=yes
# Create channel lists
/interface/wifi/channel add name=5GHz-80MHz band=5ghz-ax frequency=5180,5200,5220,5240 width=20/40/80mhz
/interface/wifi/channel add name=2.4GHz-20MHz band=2ghz-ax frequency=2437 width=20mhz
# Create security (802.11r fast transition is a security-profile setting)
/interface/wifi/security add name=Corp-Sec authentication-types=wpa2-psk,wpa3-psk passphrase=SecurePass! ft=yes
# Create datapath (bridge-wifi is the bridge on the CAP; client traffic is bridged there)
/interface/wifi/datapath add name=Corp-DP bridge=bridge-wifi
# Create configurations (country values with spaces must be quoted)
/interface/wifi/configuration add name=5GHz-AP channel=5GHz-80MHz security=Corp-Sec datapath=Corp-DP ssid=Office-5G country="United States"
/interface/wifi/configuration add name=2.4GHz-AP channel=2.4GHz-20MHz security=Corp-Sec datapath=Corp-DP ssid=Office-2G country="United States"
# Provisioning - match by supported band
/interface/wifi/provisioning add action=create-dynamic-enabled supported-bands=5ghz-ax master-configuration=5GHz-AP
/interface/wifi/provisioning add action=create-dynamic-enabled supported-bands=2ghz-ax master-configuration=2.4GHz-AP

# ---- On each CAP ----
# Ensure WiFi interfaces are in a bridge
/interface/bridge add name=bridge-wifi
/interface/bridge/port add bridge=bridge-wifi interface=wifi1
/interface/bridge/port add bridge=bridge-wifi interface=wifi2
# Configure CAP interface
/interface/wifi/cap set enabled=yes \
caps-man-addresses=10.0.0.1 \
discovery-interfaces=bridge-wifi

Enable DTLS so that CAPs authenticate the controller and the control channel is encrypted:

# Controller - generate a CA and a controller certificate
/interface/wifi/capsman set certificate=auto ca-certificate=auto
# CAP - obtain a certificate from the controller
/interface/wifi/cap set certificate=auto

Prerequisites:

  1. Valid certificate on the controller
  2. CA certificate installed on (or issued to) each CAP
  3. Time synchronized on both sides (NTP); certificate validity is checked against the clock
  4. Both certificates chained to the same certificate authority

Once every CAP holds a certificate, close the door behind them: make the controller refuse CAPs without a certificate, and make each CAP refuse any controller other than the one it enrolled with. Doing this before enrollment blocks the initial certificate request.

# Controller - after all CAPs are enrolled
/interface/wifi/capsman set require-peer-certificate=yes
# CAP - pin to the controller it first authenticated
/interface/wifi/cap set lock-to-caps-man=yes

# Import an externally issued CA certificate on a CAP (file name is an example)
/certificate import file-name=capsman-ca.crt
# Verify certificates
/certificate print
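The settings this page treats as must-haves (certificate on the controller, WPA3 rather than WPA2-only, a country on every configuration, provisioning rules that actually match something, CAPsMAN ports not open to the world) are all visible in a plain /export, so they can be checked offline before a change window. The script below is an added example, not MikroTik tooling: it parses export syntax (one-line entries and backslash continuations) and emits findings. SAMPLE_EXPORT is constructed from the snippets on this page with a few deliberate weak spots; the finding codes and the transition-mode judgement are this script's own conventions.

```python
"""Static audit of a RouterOS /export for CAPsMAN misconfigurations.
Added example, not MikroTik tooling. SAMPLE_EXPORT is constructed from the
snippets on this page; the finding codes are this script's own convention."""
import shlex
from typing import Dict, List, Tuple

Entry = Tuple[str, str, Dict[str, str]]  # (path, verb, parameters)

# Constructed input: a controller export with a few deliberate weak spots.
SAMPLE_EXPORT = r"""
# jan/01/2025 00:00:00 by RouterOS 7.15.3 (constructed sample)
/interface/wifi/capsman set enabled=yes
/interface/wifi/security add name=Corp-Sec authentication-types=wpa2-psk,wpa3-psk \
    passphrase=SecurePass! ft=yes
/interface/wifi/security add name=Guest-Sec authentication-types=wpa2-psk passphrase=GuestPass!
/interface/wifi/configuration add name=5GHz-AP channel=5GHz-80MHz security=Corp-Sec \
    datapath=Corp-DP ssid=Office-5G country="United States"
/interface/wifi/configuration add name=Guest-AP channel=5GHz-80MHz security=Guest-Sec ssid=Office-Guest
/interface/wifi/provisioning add action=create-dynamic-enabled supported-bands=5ghz-ax \
    master-configuration=5GHz-AP slave-configurations=Guest-AP
/interface/wifi/provisioning add action=create-dynamic-enabled master-configuration=Guest-AP
/ip/firewall/filter add chain=input protocol=udp dst-port=5246 action=accept comment="CAPsMAN control"
/ip/firewall/filter add chain=input protocol=udp dst-port=5247 src-address=10.0.0.0/24 \
    action=accept comment="CAPsMAN data"
"""


def parse_export(text: str) -> List[Entry]:
    """Split an export into (path, verb, {key: value}) entries.
    Handles the one-line 'path verb k=v ...' form and backslash continuations."""
    entries: List[Entry] = []
    path, buf = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):              # continuation: keep collecting
            buf += line[:-1] + " "
            continue
        tokens = shlex.split(buf + line)     # shlex honours the quoting of values with spaces
        buf = ""
        if tokens and tokens[0].startswith("/"):
            path, tokens = tokens[0], tokens[1:]
        if not tokens:                       # a bare path line only sets context
            continue
        verb, params = tokens[0], {}
        for tok in tokens[1:]:
            key, eq, value = tok.partition("=")
            params[key if eq else "_target"] = value if eq else key
        entries.append((path, verb, params))
    return entries


def audit(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing was flagged."""
    findings: List[Tuple[str, str]] = []
    for path, verb, p in entries:
        if path == "/interface/wifi/capsman" and verb == "set":
            if p.get("enabled") == "yes" and p.get("certificate", "none") == "none":
                findings.append(("no-dtls", "capsman enabled without certificate: "
                                 "CAPs cannot authenticate the controller"))
        elif path == "/interface/wifi/security" and verb == "add":
            name = p.get("name", "?")
            auth = {a for a in p.get("authentication-types", "").split(",") if a}
            if auth and not any(a.startswith("wpa3") for a in auth):
                findings.append(("wpa2-only", f"security {name}: no WPA3 in {sorted(auth)}"))
            elif {"wpa2-psk", "wpa3-psk"} <= auth:
                findings.append(("transition-mode", f"security {name}: WPA2/WPA3 transition "
                                 "mode; an evil twin advertising WPA2 only can still catch "
                                 "clients that would otherwise use SAE"))
        elif path == "/interface/wifi/configuration" and verb == "add":
            if "country" not in p:
                findings.append(("no-country", f"configuration {p.get('name', '?')}: country not set"))
        elif path == "/interface/wifi/provisioning" and verb == "add":
            matchers = ("supported-bands", "identity-regexp", "radio-mac", "common-name-regexp")
            if not any(m in p for m in matchers):
                findings.append(("catch-all-provisioning", "provisioning rule without matcher "
                                 f"applies {p.get('master-configuration', '?')} to every radio"))
        elif path == "/ip/firewall/filter" and verb == "add":
            scoped = ("src-address", "src-address-list", "in-interface", "in-interface-list")
            if (p.get("chain") == "input" and p.get("protocol") == "udp"
                    and p.get("dst-port") in ("5246", "5247") and p.get("action") == "accept"
                    and not any(s in p for s in scoped)):
                findings.append(("open-capsman-port", f"firewall: UDP {p['dst-port']} accepted "
                                 "from any source; restrict to the CAP network"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(parse_export(SAMPLE_EXPORT)):
        print(f"[{code}] {msg}")
```

Run it against the output of `/export` saved from the controller; the parser ignores the date comment RouterOS puts on the first line. The transition-mode finding is deliberately informational: mixed wpa2-psk,wpa3-psk is the page's own recommendation for mixed client bases, and the check only reminds you that the WPA2 side remains reachable to an attacker who can present a stronger signal.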
Monitoring

# Connected CAPs and their state
/interface/wifi/capsman/remote-cap print detail
# Managed interfaces and the configuration applied to each
/interface/wifi/print detail
# Associated clients
/interface/wifi/registration-table print
# Live status of one interface
/interface/wifi/monitor [find name="wifi1"]

Troubleshooting

CAP not registering:

  1. Verify the discovery interface is a bridge:
/interface/wifi/cap print
# Should show discovery-interfaces=bridgeX, NOT a physical port
  2. Check IP connectivity to the controller:
/ping 10.0.0.1
  3. Verify CAPsMAN is enabled:
/interface/wifi/capsman print
  4. Check logs on both sides:
/log print where message~"capsman"

Configuration not applied:

  5. Verify a provisioning rule matched:
/interface/wifi/provisioning print detail
/interface/wifi/print detail
  6. Force re-provisioning (required after changing provisioning rules):
/interface/wifi/provisioning provision
  7. Confirm the configuration on the created interface:
/interface/wifi/print detail
  8. Verify country is set on every configuration; radios stay down without it:
/interface/wifi/configuration print

Clients cannot connect:

  9. Check the security profile:
/interface/wifi/security print
  10. Verify the datapath bridge exists on the CAP:
/interface/wifi/datapath print
/interface/bridge print
  11. Check the registration table for the client:
/interface/wifi/registration-table print

VLAN problems:

  12. Verify the CAP bridge has VLAN filtering enabled:
/interface/bridge print
  13. Check the bridge VLAN table (the uplink must be tagged for the client VLANs):
/interface/bridge/vlan print
  14. AX vs AC devices:
    • VLAN propagation is automatic on AX devices
    • On AC devices, VLANs must be configured manually on each CAP (see the VLAN section)
Best Practices

  1. Use bridges for discovery - always point discovery-interfaces at the CAP's bridge, not a member port

  2. Plan for local forwarding - client traffic leaves each CAP locally, so every SSID's VLAN must be carried on every CAP uplink

  3. Separate SSIDs for VLANs - one configuration and datapath per VLAN, attached to the radio as master and slave configurations

  4. Enable fast roaming - set ft=yes in the security profile (works with WPA2 and WPA3) and add a steering profile for 802.11k/v

  5. Plan channel assignments - list only the non-overlapping channels you want used in each channel profile

  6. Use certificates in production - enable DTLS, then require-peer-certificate=yes on the controller and lock-to-caps-man=yes on the CAPs

  7. Restrict the controller's input chain - accept UDP 5246/5247 only from the CAP network

  8. Monitor - use The Dude or external monitoring of remote-cap and registration-table state

  9. Backup configurations - export CAPsMAN configs regularly
Hardware tested on staging-router-02 (RouterOS 7.15.3, CHR). WiFi package CAPsMAN commands require physical hardware with WiFi radios; the following non-WiFi commands were validated directly:

Firewall rules (tested on staging-router-02, ROS 7.15.3):

[admin@staging-router-02] /ip/firewall/filter> add chain=input protocol=udp dst-port=5246 action=accept comment="CAPsMAN control"
[admin@staging-router-02] /ip/firewall/filter> add chain=input protocol=udp dst-port=5247 action=accept comment="CAPsMAN data"
[admin@staging-router-02] /ip/firewall/filter> print
Flags: X - disabled, I - invalid; D - dynamic
0 ;;; CAPsMAN control
chain=input action=accept protocol=udp dst-port=5246
1 ;;; CAPsMAN data
chain=input action=accept protocol=udp dst-port=5247

Bridge VLAN filtering (tested on staging-router-02, ROS 7.15.3):

[admin@staging-router-02] /interface/bridge> add name=bridge-wifi
[admin@staging-router-02] /interface/bridge/vlan> add bridge=bridge-wifi vlan-ids=10,20 tagged=bridge-wifi
[admin@staging-router-02] /interface/bridge> set bridge-wifi vlan-filtering=yes
[admin@staging-router-02] /interface/bridge/vlan> print
Flags: D - DYNAMIC
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 bridge-wifi 10 bridge-wifi
20
1 D bridge-wifi 1 bridge-wifi

CAPsMAN v2 path corrections (validated against official RouterOS WiFi package documentation):

  • WiFi CAPsMAN v2 uses /interface/wifi/... paths throughout — NOT the legacy /capsman or /caps-man paths
  • Provisioning uses supported-bands (e.g., 5ghz-ax, 2ghz-ax) — NOT hw-supported-modes
  • CAP discovery parameter is discovery-interfaces (plural) — NOT discovery-interface
  • CAP controller address parameter is caps-man-addresses — NOT capsman-addresses
  • staging-router-01 was offline at time of validation; staging-router-02 used for CHR-testable commands