# CAPsMAN Configuration Reference

This document is a detailed parameter reference for both CAPsMAN v2 (RouterOS 7 WiFi package) and legacy CAPsMAN v1 (RouterOS 6). For an architecture overview and getting-started examples, see the CAPsMAN Architecture and Provisioning guide.
## CAPsMAN v2 (RouterOS 7 WiFi Package)

All CAPsMAN v2 commands live under `/interface/wifi/...`.
### Enable CAPsMAN Manager

```
/interface/wifi/capsman set enabled=yes
```

| Parameter | Values | Description |
|---|---|---|
| enabled | yes, no | Enables or disables the CAPsMAN controller |
| certificate | auto, name, none | Certificate for DTLS; auto generates a self-signed certificate |
| require-peer-certificate | yes, no | Require a DTLS certificate from CAPs |
| package-path | path | Path for RouterOS package upgrades pushed to CAPs |
| upgrade-policy | none, require-same-version, suggest-same-upgrade | CAP firmware upgrade behavior |
### Channel Profile

Path: `/interface/wifi/channel`

```
/interface/wifi/channel add \
    name=5GHz-80 \
    band=5ghz-ax \
    frequency=5180,5200,5220,5240 \
    width=20/40/80mhz \
    tx-power=20
```

| Parameter | Values | Description |
|---|---|---|
| band | See table below | WiFi band and generation |
| frequency | MHz list or auto | Channel center frequencies; auto lets RouterOS pick |
| width | 20mhz, 20/40mhz, 20/40/80mhz, 20/40/80/160mhz | Channel width (bonding) |
| tx-power | integer (dBm) | Transmit power; regulatory limits still apply |
| tx-chains | 0, 1, 2, 3… | Transmit antenna chain indices |
| rx-chains | 0, 1, 2, 3… | Receive antenna chain indices |
| skip-dfs-channels | disabled, all, indoor-only | Whether to skip DFS channels during auto-selection |
| reselect-interval | time (e.g., 1h) | How often to recheck channel selection |
| secondary-frequency | MHz or disabled | Secondary channel for 80+80 MHz operation |
Valid band values:

| Value | Standard | Notes |
|---|---|---|
| 2ghz-g | 802.11g | 2.4 GHz only |
| 2ghz-n | 802.11n | 2.4 GHz |
| 2ghz-ax | 802.11ax (Wi-Fi 6) | 2.4 GHz |
| 5ghz-a | 802.11a | 5 GHz only |
| 5ghz-ac | 802.11ac (Wi-Fi 5) | 5 GHz |
| 5ghz-an | 802.11n | 5 GHz |
| 5ghz-ax | 802.11ax (Wi-Fi 6) | 5 GHz |
### Automatic Channel Selection

When `frequency=auto`, RouterOS scans the available channels and selects the least-congested one within the allowed set:

```
# Let RouterOS choose the best 5 GHz channel, skip DFS
/interface/wifi/channel add name=5GHz-auto \
    band=5ghz-ax \
    frequency=auto \
    width=20/40/80mhz \
    skip-dfs-channels=all
```

Auto-selection constraints:

- `skip-dfs-channels=disabled` — all channels including DFS (100–140) are candidates; requires a CAC delay (~60 s) on first use
- `skip-dfs-channels=all` — only non-DFS channels (36–48, 149–165); instant availability, fewer channels
- `skip-dfs-channels=indoor-only` — skips channels requiring outdoor DFS; keeps indoor DFS channels

Auto-selection runs at boot and again after `reselect-interval` if configured.
### Channel Planning Guidelines

2.4 GHz non-overlapping channels (20 MHz):
| Channel | Center Freq | Neighbors to avoid |
|---|---|---|
| 1 | 2412 MHz | Channels 2–5 |
| 6 | 2437 MHz | Channels 2–9 |
| 11 | 2462 MHz | Channels 7–11 |
With more than 3 APs in range of each other, 2.4 GHz will have overlap. Prefer 5 GHz where possible.
5 GHz non-DFS channels (UNII-1 + UNII-3):
| Channel | Freq | DFS? |
|---|---|---|
| 36 | 5180 | No |
| 40 | 5200 | No |
| 44 | 5220 | No |
| 48 | 5240 | No |
| 149 | 5745 | No |
| 153 | 5765 | No |
| 157 | 5785 | No |
| 161 | 5805 | No |
| 165 | 5825 | No |
Channels 52–144 require DFS and have a 60-second CAC (Channel Availability Check) before use.
### Security Profile

Path: `/interface/wifi/security`

```
/interface/wifi/security add \
    name=Corporate \
    authentication-types=wpa2-psk,wpa3-psk \
    passphrase=SecurePassword! \
    encryption=ccmp,gcmp
```

| Parameter | Values | Description |
|---|---|---|
| authentication-types | wpa2-psk, wpa3-psk, wpa2-eap, wpa3-eap | Auth methods; multiple can be listed |
| passphrase | string | PSK passphrase (8–63 chars for WPA) |
| encryption | ccmp, gcmp, ccmp-256, gcmp-256 | Cipher suites; list multiple for compatibility |
| group-encryption | ccmp, gcmp, tkip | Group (broadcast) cipher |
| group-key-update | time (e.g., 5m) | Group key rotation interval |
| wps | disabled, push-button, pin | WPS mode |
| pmkid-mode | enabled, disabled | PMKID caching for fast reconnect |
| ft | yes, no | Enable 802.11r Fast Transition (requires the ft-* options as well) |
| ft-preserve-vlanid | yes, no | Preserve VLAN ID during fast roaming |
| management-protection | disabled, allowed, required | 802.11w Management Frame Protection |
| owe-transition-interface | interface name | OWE transition mode (open + OWE dual-SSID) |
Enterprise (EAP/RADIUS) options:

| Parameter | Description |
|---|---|
| radius-server | IP of RADIUS server |
| radius-port | RADIUS UDP port (default: 1812) |
| radius-secret | RADIUS shared secret |
| radius-accounting | yes/no — enable RADIUS accounting |
| radius-accounting-port | Accounting port (default: 1813) |
| certificate | TLS certificate for EAP-TLS |
| tls-mode | verify-certificate, no-certificates, dont-verify-certificate, verify-certificate-with-crl |

```
# WPA3-Enterprise
/interface/wifi/security add name=Enterprise \
    authentication-types=wpa3-eap \
    radius-server=10.0.0.50 \
    radius-secret=RadiusSecret \
    radius-accounting=yes \
    certificate=server-cert \
    tls-mode=verify-certificate
```

### Datapath Profile
Path: `/interface/wifi/datapath`

```
/interface/wifi/datapath add \
    name=LocalFwd \
    bridge=bridge-lan \
    local-forwarding=yes
```

| Parameter | Values | Description |
|---|---|---|
| bridge | bridge name | Bridge interface on the CAPsMAN controller to attach the managed interface to |
| local-forwarding | yes, no | yes = data stays on the CAP; no = data is tunneled through the controller |
| client-to-client-forwarding | yes, no | Allow direct L2 between WiFi clients |
| vlan-mode | none, use-tag, service-tag | VLAN tagging mode |
| vlan-id | 1–4095 | VLAN tag for client traffic |
| interface-list | interface list name | Add the managed interface to an interface list |

Forwarding mode comparison:

| Mode | Data path | Best for | Tradeoff |
|---|---|---|---|
| local-forwarding=yes | CAP → local bridge → network | Most deployments; best performance | CAP must have correct bridge/VLAN config |
| local-forwarding=no | CAP → CAPsMAN → bridge → network | Centralized firewall, client isolation | Controller becomes the throughput bottleneck |

Performance note: With manager forwarding, all client data traverses the CAP↔CAPsMAN tunnel. For high-throughput deployments (e.g., Wi-Fi 6 APs capable of 1+ Gbps), the controller CPU becomes the limiting factor. Use local forwarding unless you specifically need centralized forwarding.
### Configuration Profile

Path: `/interface/wifi/configuration`

```
/interface/wifi/configuration add \
    name=Office-5G \
    channel=5GHz-80 \
    security=Corporate \
    datapath=LocalFwd \
    ssid=Office \
    country="United States" \
    hide-ssid=no \
    ft=yes \
    rrm=yes \
    bss-transition=yes
```

| Parameter | Values | Description |
|---|---|---|
| channel | channel profile name | Channel profile to use |
| security | security profile name | Security profile to use |
| datapath | datapath profile name | Datapath profile to use |
| ssid | string | WiFi network name (up to 32 chars) |
| country | country name | Regulatory domain; sets power/channel limits |
| hide-ssid | yes, no | Suppress SSID from beacons |
| ft | yes, no | Enable 802.11r Fast Transition |
| ft-over-ds | yes, no | Fast Transition over the Distribution System |
| rrm | yes, no | Enable 802.11k Radio Resource Management (neighbor reports) |
| bss-transition | yes, no | Enable 802.11v BSS Transition Management (roaming hints) |
| multicast-enhance | disabled, enabled | Multicast to unicast conversion |
| beacon-interval | integer (ms) | Beacon interval (default: 100) |
| dtim-period | integer | DTIM period (affects power-save clients) |
| max-sta-count | integer | Maximum clients per interface |
| mode | ap | Operating mode (always ap for CAPsMAN) |
| disabled | yes, no | Disable this configuration profile |
### Provisioning Rules

Path: `/interface/wifi/provisioning`

Rules are evaluated top-down; the first match wins for each CAP radio.

```
/interface/wifi/provisioning add \
    action=create-dynamic-enabled \
    supported-bands=5ghz-ax \
    master-configuration=Office-5G \
    name-format=identity \
    name-prefix=cap
```

| Parameter | Values | Description |
|---|---|---|
| action | none, create-dynamic-enabled, create-dynamic-disabled, create-static-enabled | What to do when the rule matches |
| supported-bands | band string | Match radios supporting this band (e.g., 5ghz-ax, 2ghz-ax) |
| identity-regexp | regex | Match by CAP system identity |
| mac-address | MAC | Match by CAP MAC address |
| radio-mac | MAC | Match by radio MAC (leave blank for band-based matching) |
| master-configuration | config profile name | Configuration profile to assign |
| slave-configurations | config profile name list | Additional SSIDs (slave interfaces) |
| name-format | identity, mac, identity-or-mac | How to name the created interface |
| name-prefix | string | Prefix added to the interface name |
| common-name-regexp | regex | Match by CAP DTLS common name |

action values:

| Value | Effect |
|---|---|
| none | Don’t provision (skip this CAP radio) |
| create-dynamic-enabled | Create dynamic interface, enabled |
| create-dynamic-disabled | Create dynamic interface, disabled |
| create-static-enabled | Create static (persistent) interface, enabled |
### Advanced Provisioning Patterns

Pattern: Multiple SSIDs per radio (slave configurations)

```
# Create a second SSID config for guest access
/interface/wifi/configuration add name=Guest-5G \
    channel=5GHz-80 \
    security=GuestSec \
    datapath=GuestDP \
    ssid=Guest-5G

# Provision with both staff and guest SSIDs
/interface/wifi/provisioning add \
    action=create-dynamic-enabled \
    supported-bands=5ghz-ax \
    master-configuration=Office-5G \
    slave-configurations=Guest-5G
```

Pattern: Priority-based matching (specific overrides first)

```
# Rule 1: Specific AP gets its own config (highest priority — top of list)
/interface/wifi/provisioning add \
    action=create-static-enabled \
    mac-address=AA:BB:CC:DD:EE:FF \
    master-configuration=Lobby-AP

# Rule 2: All 5 GHz APs get office config (lower priority)
/interface/wifi/provisioning add \
    action=create-dynamic-enabled \
    supported-bands=5ghz-ax \
    master-configuration=Office-5G
```

Pattern: Identity regex for site-based provisioning

```
/interface/wifi/provisioning add \
    action=create-dynamic-enabled \
    supported-bands=5ghz-ax \
    identity-regexp="^building-a-.*" \
    master-configuration=BuildingA-5G

/interface/wifi/provisioning add \
    action=create-dynamic-enabled \
    supported-bands=5ghz-ax \
    identity-regexp="^building-b-.*" \
    master-configuration=BuildingB-5G
```

Force re-provisioning:

When provisioning rules change, existing interfaces keep their current config until reprovisioned:

```
# Force all CAPs to re-apply provisioning rules
/interface/wifi/provisioning provision
```

### Access List
Path: `/interface/wifi/access-list`

Rules are evaluated top-down; the first match wins. There is no implicit deny — add an explicit reject rule at the bottom to enforce allowlisting.

```
/interface/wifi/access-list add \
    mac-address=AA:BB:CC:DD:EE:FF \
    action=accept
```

| Parameter | Values | Description |
|---|---|---|
| mac-address | MAC | Client MAC to match |
| mac-address-mask | mask | Match a range of MACs (e.g., FF:FF:FF:00:00:00) |
| interface | interface name | Scope the rule to a specific managed interface |
| ssid-regexp | regex | Match by SSID name |
| signal-range | dBm range (e.g., -75..0) | Allowed RSSI range; clients outside it are rejected |
| allow-signal-out-of-range | time (e.g., 2m) | Grace period before disconnecting a client that drifts out of range |
| time | time range (e.g., 8h-18h) | Time window for access |
| days | mon,tue,wed,thu,fri,sat,sun | Days of week |
| action | accept, reject, query-radius | What to do when matched |
| vlan-id | 1–4095 | Assign this VLAN to the matched client |
| comment | string | Description |

Block randomized MAC clients:

```
# Locally administered MACs have bit 1 of byte 0 set (0x02)
/interface/wifi/access-list add mac-address=02:00:00:00:00:00 mac-address-mask=02:00:00:00:00:00 action=reject \
    comment="Block randomized MACs"
```

RADIUS-based admission:

```
/interface/wifi/access-list add action=query-radius comment="RADIUS-controlled admission"
```

When `query-radius` is used, the RADIUS server’s Accept/Reject response controls admission. RADIUS can also return per-client VLAN assignments via VSAs.
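As an added example (not part of the original page and not RouterOS code), the following Python script simulates how an access list like the one above is evaluated: top-down, first match wins, and no implicit deny. The mask semantics `(client & mask) == (rule & mask)`, the `AccessRule` class, and the rule set and client MACs are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

def mac_to_int(mac: str) -> int:
    """Parse AA:BB:CC:DD:EE:FF into a 48-bit integer."""
    return int(mac.replace(":", ""), 16)

def is_locally_administered(mac: str) -> bool:
    """Randomized (privacy) MACs set bit 1 of the first octet (0x02)."""
    return bool((mac_to_int(mac) >> 40) & 0x02)

@dataclass
class AccessRule:
    action: str  # accept, reject, query-radius
    mac_address: Optional[str] = None
    mac_address_mask: str = "FF:FF:FF:FF:FF:FF"  # assumed: exact match when no mask is given
    signal_range: Optional[Tuple[int, int]] = None  # (low, high) in dBm, e.g. -75..0
    ssid_regexp: Optional[str] = None
    comment: str = ""

    def matches(self, mac: str, rssi: int, ssid: str) -> bool:
        # Assumed mask semantics: (client & mask) == (rule & mask), so the rule
        # 02:00:00:00:00:00/02:00:00:00:00:00 hits every locally administered MAC.
        if self.mac_address is not None:
            mask = mac_to_int(self.mac_address_mask)
            if mac_to_int(mac) & mask != mac_to_int(self.mac_address) & mask:
                return False
        if self.signal_range is not None:
            low, high = self.signal_range
            if not low <= rssi <= high:
                return False
        if self.ssid_regexp is not None and not re.search(self.ssid_regexp, ssid):
            return False
        return True

def evaluate(rules: List[AccessRule], mac: str, rssi: int, ssid: str = "Office") -> str:
    """Top-down, first match wins; no match means accept (no implicit deny)."""
    for rule in rules:
        if rule.matches(mac, rssi, ssid):
            return rule.action
    return "accept"

# Constructed rule set mirroring the page's examples (client MACs are made up).
RULES = [
    AccessRule("reject", "02:00:00:00:00:00", "02:00:00:00:00:00", comment="Block randomized MACs"),
    AccessRule("reject", signal_range=(-120, -76), comment="Too weak; let the client roam"),
    AccessRule("accept", "00:0C:42:11:22:33", comment="Known device"),
    AccessRule("query-radius", ssid_regexp="^Corp", comment="RADIUS-controlled admission"),
    AccessRule("reject", comment="Explicit deny-all; without it unknown clients are accepted"),
]

if __name__ == "__main__":
    for mac, rssi, ssid in [("02:AB:CD:12:34:56", -50, "Office"), ("00:0C:42:11:22:33", -85, "Office"),
                            ("F4:1E:57:00:00:01", -60, "CorpWiFi"), ("F4:1E:57:00:00:01", -60, "Guest-5G")]:
        print(f"{mac} {rssi:>4} dBm {ssid:<8} -> {evaluate(RULES, mac, rssi, ssid)}")
```

Note that the page's own sample client MAC AA:BB:CC:DD:EE:FF has the 0x02 bit set, so the randomized-MAC reject rule would catch it if it were placed above the accept rule; order matters.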
### CAP-Side Configuration

On each CAP access point:

```
/interface/wifi/cap set \
    enabled=yes \
    caps-man-addresses=10.0.0.1 \
    discovery-interfaces=bridge-wifi \
    certificate=auto
```

| Parameter | Values | Description |
|---|---|---|
| enabled | yes, no | Enable CAP mode |
| caps-man-addresses | IP list | Controller IP(s); multiple for redundancy |
| discovery-interfaces | interface list | Interface(s) for CAPsMAN discovery — must be bridges |
| caps-man-names | string list | Connect only to controllers with a matching identity |
| certificate | auto, name, none | DTLS certificate; auto generates a self-signed certificate |
| lock-to-caps-man | yes, no | Prevent the CAP from switching controllers |
| static-virtual-clients | yes, no | Keep the virtual interface after the CAP disconnects |
| bridge | bridge name | Bridge to join managed interfaces to |
## Legacy CAPsMAN v1 (RouterOS 6 / Wireless Package)

Legacy CAPsMAN uses the `/caps-man` tree. It is still available in RouterOS 7, but only for hardware using the wireless package (not the wifi package). All legacy v1 commands are shown here for reference; new deployments should use v2.

### Enable Manager

```
/caps-man manager set enabled=yes
```

### Channel Profile
```
/caps-man channel add \
    name=5GHz \
    band=5ghz-a/n/ac \
    control-channel-width=20mhz \
    frequency=5180
```

| Parameter | Values | Description |
|---|---|---|
| band | 2ghz-b, 2ghz-b/g, 2ghz-b/g/n, 5ghz-a, 5ghz-a/n, 5ghz-a/n/ac | Wireless mode |
| frequency | MHz | Channel frequency |
| control-channel-width | 10mhz, 20mhz | Primary channel width |
| extension-channel | disabled, Ce, Ceee, eC, eeCe, eCee | 40/80 MHz extension |
| tx-power | integer | Transmit power |
| save-selected | yes, no | Save the auto-selected channel across reboots |
| skip-dfs-channels | yes, no | Skip DFS channels during auto selection |
### Security Profile

```
/caps-man security add \
    name=Corp \
    authentication-types=wpa2-psk \
    encryption=aes-ccm \
    passphrase=SecurePass!
```

| Parameter | Values | Description |
|---|---|---|
| authentication-types | wpa-psk, wpa2-psk, wpa-eap, wpa2-eap | Auth methods |
| encryption | aes-ccm, tkip | Client unicast cipher |
| group-encryption | aes-ccm, tkip | Group (broadcast) cipher |
| passphrase | string | PSK passphrase |
| group-key-update | time | Group key rotation interval |
### Datapath Profile

```
/caps-man datapath add \
    name=LocalDP \
    bridge=bridge1 \
    local-forwarding=yes \
    client-to-client-forwarding=no
```

| Parameter | Values | Description |
|---|---|---|
| bridge | bridge name | Bridge to attach the interface to |
| local-forwarding | yes, no | Local vs manager forwarding |
| client-to-client-forwarding | yes, no | L2 isolation between clients |
| vlan-id | 1–4094 | VLAN for client traffic |
| vlan-mode | none, use-tag, use-service-tag | VLAN tagging |
| arp | enabled, disabled, proxy-arp, reply-only | ARP handling |
### Configuration Profile

```
/caps-man configuration add \
    name=Office \
    ssid=CorpWiFi \
    country=latvia \
    mode=ap \
    channel=5GHz \
    security=Corp \
    datapath=LocalDP
```

| Parameter | Values | Description |
|---|---|---|
| ssid | string | WiFi network name |
| mode | ap | Mode (always ap for CAPsMAN) |
| channel | channel name | Channel profile |
| security | security name | Security profile |
| datapath | datapath name | Datapath profile |
| country | country code/name | Regulatory domain |
| hw-protection-mode | none, rts-cts, cts-to-self | RTS/CTS protection |
| guard-interval | any, long | Guard interval (long = 800 ns, any = short allowed) |
| max-station-count | integer | Max clients per interface |
| tx-power-mode | default, card-rates, all-rates-fixed | TX power control mode |
| rates | rate list | Supported data rates (e.g., 6Mbps,12Mbps,24Mbps) |
| multicast-helper | default, disabled, full | Multicast to unicast conversion |
| keepalive-frames | enabled, disabled | Send keepalive frames to clients |
| disconnect-timeout | time | Time before an inactive client is disconnected |
| on-fail-retry-time | time | Retry interval after failed provisioning |
### Access List

```
/caps-man access-list add \
    mac-address=AA:BB:CC:DD:EE:FF \
    action=accept

# Deny by signal strength
/caps-man access-list add \
    signal-range=-120..-80 \
    action=reject
```

| Parameter | Values | Description |
|---|---|---|
| mac-address | MAC | Client MAC |
| interface | interface name | Scope to a specific interface |
| ssid-regexp | regex | Match by SSID |
| signal-range | dBm range | RSSI filter |
| time | time range | Time-of-day filter |
| action | accept, reject, query-radius | Action |
| vlan-id | integer | VLAN assignment for the client |
| private-passphrase | string | Per-client PSK override (WPA2-PSK only) |
| radius-accounting | yes, no | Enable RADIUS accounting for the matched client |
### Provisioning Rules

```
/caps-man provisioning add \
    action=create-dynamic-enabled \
    master-configuration=Office

# Band-specific (using hw-supported-modes in v1)
/caps-man provisioning add \
    action=create-dynamic-enabled \
    hw-supported-modes=a/n/ac \
    master-configuration=Office-5G
```

| Parameter | Values | Description |
|---|---|---|
| action | none, create-dynamic-enabled, create-dynamic-disabled, create-static-enabled | Provisioning action |
| hw-supported-modes | mode string | Match by hardware capability (v1 equivalent of v2 supported-bands) |
| identity-regexp | regex | Match by CAP identity |
| ip-address-ranges | CIDR | Match by CAP IP range |
| radio-mac | MAC | Match by radio MAC |
| master-configuration | config name | Primary configuration |
| slave-configurations | config name list | Additional SSIDs |
| name-format | cap, identity, prefix-mac | Interface naming |
| name-prefix | string | Name prefix |
### CAP-Side (Legacy)

```
/interface wireless cap set \
    enabled=yes \
    interfaces=wlan1,wlan2 \
    caps-man-addresses=10.0.0.1 \
    discovery-interfaces=bridge1
```

### Monitoring Commands (Legacy)

```
# View all managed interfaces
/caps-man interface print

# View connected CAPs
/caps-man remote-cap print

# View client associations
/caps-man registration-table print
/caps-man registration-table print detail
/caps-man registration-table print stats

# Monitor a client
/caps-man registration-table monitor [find mac-address="AA:BB:CC:DD:EE:FF"]
```

## Version/Path Comparison

| Object | CAPsMAN v1 (ROS 6) | CAPsMAN v2 (ROS 7 WiFi) |
|---|---|---|
| Manager | /caps-man manager | /interface/wifi/capsman |
| Channel | /caps-man channel | /interface/wifi/channel |
| Security | /caps-man security | /interface/wifi/security |
| Datapath | /caps-man datapath | /interface/wifi/datapath |
| Configuration | /caps-man configuration | /interface/wifi/configuration |
| Provisioning | /caps-man provisioning | /interface/wifi/provisioning |
| Access List | /caps-man access-list | /interface/wifi/access-list |
| Interfaces | /caps-man interface | /interface/wifi (filter managed) |
| Remote CAPs | /caps-man remote-cap | /interface/wifi/capsman/remote-cap |
| Registration | /caps-man registration-table | /interface/wifi/registration-table |
| CAP-side | /interface wireless cap | /interface/wifi/cap |
| Band filter | hw-supported-modes | supported-bands |
## Related Documentation

- CAPsMAN Architecture and Provisioning — architecture overview, getting-started guide
- CAPsMAN Common Gotchas — common pitfalls and solutions
- CAPsMAN with VLANs — VLAN deployment guide
- Fast Roaming — 802.11r/k/v configuration
- Security Profiles — WPA2/WPA3 in depth