CAPsMAN Common Gotchas
CAPsMAN Common Gotchas
Section titled “CAPsMAN Common Gotchas”This guide addresses common issues encountered when deploying and managing MikroTik CAPsMAN (Centralized Access Point Manager). These pitfalls frequently trip up administrators, particularly those new to RouterOS 7’s CAPsMAN implementation.
Summary
Section titled “Summary”CAPsMAN provides powerful centralized wireless management, but several configuration details can cause unexpected behavior. This guide covers the most common issues and their solutions.
1. WiFi vs Wireless Interface Incompatibility
Section titled “1. WiFi vs Wireless Interface Incompatibility”Problem
Section titled “Problem”CAPs using different interface types cannot be managed by the same CAPsMAN controller.
Symptoms
Section titled “Symptoms”- CAP appears in CAPsMAN remote-cap list with “Ok” state
- Provisioning never applies; SSID not set
- CAP connects but wireless interface remains disabled
RouterOS 7 split wireless into two packages:
wifi- Wave2/QCA chipsets (newer hardware)wireless- Legacy Atheros/MediaTek chipsets
A CAPsMAN controller using wifi interfaces cannot manage CAPs using wireless interfaces, and vice versa.
Solution
Section titled “Solution”Ensure CAPsMAN controller and all CAPs use the same interface type:
# Check interface types on controller/interface/print/interface/wifi/print/interface/wireless/printFor legacy devices (mAP-lite, cAP ac, etc.), install the wireless package on the controller.
2. Provisioning Rules Not Applying
Section titled “2. Provisioning Rules Not Applying”Problem
Section titled “Problem”CAPs connect to CAPsMAN but configuration doesn’t get provisioned.
Incorrect radio-mac setting in provisioning rules. Using 00:00:00:00:00:00 explicitly causes provisioning to fail.
Solution
Section titled “Solution”Leave radio-mac blank and use supported-bands instead of matching specific MACs:
Correct provisioning config:
/interface/wifi/provisioningadd action=create-dynamic-enabled master-configuration=5ghz-cfg supported-bands=5ghz-axadd action=create-dynamic-enabled master-configuration=2ghz-cfg supported-bands=2ghz-axWrong (legacy format that doesn’t work in RouterOS 7):
add action=create-dynamic-enabled master-configuration=5ghz-cfg radio-mac=00:00:00:00:00:003. CAP Discovery Interface Configuration
Section titled “3. CAP Discovery Interface Configuration”Problem
Section titled “Problem”CAPs cannot discover or connect to CAPsMAN controller.
Solution
Section titled “Solution”Use a bridge interface for discovery, not physical ethernet ports. This is critical when CAPs are behind network infrastructure like powerline adapters.
CAP configuration:
/interface/wifi/capset discovery-interfaces=bridgeLocal enabled=yesCAPsMAN controller:
/interface/wifi/capsmanset enabled=yes interfaces=bridgeLocal4. VLAN Filtering Breaks CAPsMAN Communication
Section titled “4. VLAN Filtering Breaks CAPsMAN Communication”Problem
Section titled “Problem”When VLAN filtering is enabled on the bridge, CAPsMAN communication fails or CAPs lose connectivity.
Symptoms
Section titled “Symptoms”- CAP was working, then stops after enabling VLAN filtering
- Management VLAN doesn’t work properly
Solution
Section titled “Solution”Add the management VLAN and bridge itself to the allowed VLANs:
/interface/bridge/vlanadd bridge=bridge1 tagged=bridge1,ether1 vlan-ids=100Important: Reboot CAP after enabling VLAN filtering - this is required for proper operation.
5. AC Devices Don’t Auto-Propagate VLAN IDs
Section titled “5. AC Devices Don’t Auto-Propagate VLAN IDs”Problem
Section titled “Problem”AX devices can set VLAN ID in datapath and it propagates automatically; AC devices cannot.
Solution
Section titled “Solution”Manually create VLAN interfaces on each CAP and configure datapath on CAP pointing to local bridge:
CAP side:
/interface/wifi/capset slaves-static=yes
/interface vlanadd interface=bridge1 name=vlan100-mgmt vlan-id=100
/interface/wifi/datapathadd bridge=bridge1 name=capdp
/interface/wifiset [find] datapath=capdp6. Bridge Required in Datapath Configuration
Section titled “6. Bridge Required in Datapath Configuration”Problem
Section titled “Problem”CAPs connect but traffic doesn’t forward; clients can’t get IP.
Datapath configured to use physical interface instead of bridge.
Solution
Section titled “Solution”In datapath configuration, reference the bridge, not physical interfaces:
Correct:
/interface/wifi/datapathadd bridge=bridge1 name=datapath-cfgWrong (common mistake):
add bridge=ether1 name=datapath-cfgUsing the bridge ensures all VLANs carried by the bridge are available to wireless clients.
7. Performance: Local Forwarding vs CAPsMAN Forwarding
Section titled “7. Performance: Local Forwarding vs CAPsMAN Forwarding”Problem
Section titled “Problem”CAPsMAN-managed WiFi is significantly slower than autonomous AP configuration.
All wireless traffic must pass through the CAPsMAN controller in CAPsMAN forwarding mode, creating a central bottleneck.
Solution
Section titled “Solution”Enable local forwarding in datapath for better performance:
/interface/wifi/datapathadd bridge=bridge1 local-forwarding=yes name=datapath-cfg| Mode | Performance | Central Control |
|---|---|---|
| Local forwarding | Better | Less |
| CAPsMAN forwarding | CPU bottleneck | Full |
For high-throughput deployments, consider using CAPsMAN only for configuration management while enabling local forwarding.
8. Reset to CAPs Mode Before Provisioning
Section titled “8. Reset to CAPs Mode Before Provisioning”Problem
Section titled “Problem”CAPs have residual local WiFi configurations that interfere with provisioned settings.
Symptoms
Section titled “Symptoms”- After provisioning, CAP interfaces show “SSID not set”
- Manual provisioning works but automatic doesn’t
Solution
Section titled “Solution”Reset CAP to factory defaults, then configure only CAP mode:
On CAP device:
/system/reset-configuration no-defaults=yes skip-backup=yesThen configure only:
/interface/wifi/capset enabled=yes discovery-interfaces=bridgeLocalRemove any local /interface/wifi/configuration, /interface/wifi/security on the CAP - let CAPsMAN push all configuration.
9. hAP ax Roaming Issues Require RSTP
Section titled “9. hAP ax Roaming Issues Require RSTP”Problem
Section titled “Problem”Clients can’t roam properly between hAP ax2/hAP ax3 access points; constant connect/disconnect cycles.
Solution
Section titled “Solution”Enable RSTP on the CAP bridge:
/interface/bridgeset bridge1 protocol-mode=rstpNote: This is specifically required for hAP ax devices (wifi-qcom chipset).
10. Certificate Issues When Reassigning CAPs
Section titled “10. Certificate Issues When Reassigning CAPs”Problem
Section titled “Problem”CAP won’t connect to new CAPsMAN controller or after controller change.
Solution
Section titled “Solution”Delete existing certificates on the CAP before reassigning:
On CAP:
/system/certificate/print/system/certificate/remove [find]Then reconnect to new CAPsMAN.
Quick Troubleshooting Checklist
Section titled “Quick Troubleshooting Checklist”| Issue | First Check |
|---|---|
| CAP not appearing | Discovery interface set to bridge? |
| Provisioning not applying | radio-mac blank? Using supported-bands? |
| No WiFi SSID | Reset CAP to CAPs mode? |
| Clients can’t get IP | Datapath uses bridge (not ether)? |
| Slow performance | Try local-forwarding=yes |
| Roaming fails | RSTP enabled on hAP ax? |
| VLAN issues | AC devices need manual VLAN config? |
| Can’t reassign CAP | Delete certificates first? |
Related Documentation
Section titled “Related Documentation”- CAPsMAN - Main CAPsMAN documentation
- CAPsMAN with VLANs - VLAN deployment guide
- CAPsMAN with Bridge - Bridge integration
- CAPsMAN Migration Brief - RouterOS 6 to 7 migration