Skip to content
MikroTik RouterOS Docs

CAPsMAN with Bridge Integration

CAPsMAN with Bridge Integration

Section titled “CAPsMAN with Bridge Integration”

Overview

Section titled “Overview”

This guide covers integrating CAPsMAN with RouterOS bridge interfaces. Understanding how CAPsMAN interacts with bridges is essential for:

  • Complex network topologies with multiple VLANs
  • Remote CAP deployments over Layer 3 networks
  • Seamless bridging between wireless and wired networks
  • Proper traffic forwarding between CAPs and the network

Key Concepts

Section titled “Key Concepts”

Bridge in Datapath

Section titled “Bridge in Datapath”

When configuring CAPsMAN datapath profiles, you must specify a bridge interface rather than physical ports. This is a common source of confusion—specifying physical ports does not automatically include associated bridges and VLANs.

# Correct: Use bridge interface
/caps-man datapath add name=Corporate bridge=corporate-bridge vlan-id=10


# Incorrect: Using physical interface (will not work as expected)
/caps-man datapath add name=Corporate bridge=ether1 vlan-id=10

Discovery Interface

Section titled “Discovery Interface”

The CAP discovery interface must be configured correctly for CAPs to find and register with CAPsMAN. This is especially important in complex topologies where CAPs connect through switches or over non-Ethernet media.

Configuration Scenarios

Section titled “Configuration Scenarios”

Scenario 1: Simple Bridge Integration

Section titled “Scenario 1: Simple Bridge Integration”

The most common deployment—CAPs connect to a switch, and the CAPsMAN router uses a bridge to combine wireless and wired networks.

# On CAPsMAN Router


# Create bridge for wireless traffic
/interface bridge
add name=bridge-wireless


# Add physical interfaces to bridge
/interface bridge port
add bridge=bridge-wireless interface=ether2
add bridge=bridge-wireless interface=ether3


# Enable CAPsMAN manager
/caps-man manager set enabled=yes


# Create datapath using bridge
/caps-man datapath add name=Wireless-DP bridge=bridge-wireless


# Create configuration
/caps-man configuration add name=Office-AP \
    datapath=Wireless-DP \
    security=Corp-Security \
    ssid=Office-Network


# Create provisioning rule
/caps-man provisioning add action=create-dynamic-enabled \
    master-configuration=Office-AP

On each CAP:

# On CAP device
/interface bridge
add name=bridge-local


/interface bridge port
add bridge=bridge-local interface=ether1


/interface wifi cap set enabled=yes \
    capsman-addresses=10.0.0.1 \
    discovery-interface=bridge-local \
    interface=wifi1

Scenario 2: Bridge with VLAN Filtering

Section titled “Scenario 2: Bridge with VLAN Filtering”

When you need to segment wireless traffic into multiple VLANs using bridge VLAN filtering:

# On CAPsMAN Router
/interface bridge
add name=bridge-main vlan-filtering=yes


# Physical ports - Ether1 to switch, Ether2-3 for future CAPs
/interface bridge port
add bridge=bridge-main interface=ether1
add bridge=bridge-main interface=ether2
add bridge=bridge-main interface=ether3


# VLAN filtering - VLAN10 for corporate, VLAN20 for guest
/interface bridge vlan
add bridge=bridge-main tagged=bridge-main,ether1 vlan-ids=10
add bridge=bridge-main tagged=bridge-main,ether1 vlan-ids=20


# CAPsMAN datapath for Corporate VLAN
/caps-man datapath add name=Corp-DP \
    bridge=bridge-main \
    vlan-id=10 \
    vlan-mode=use-tag


# CAPsMAN datapath for Guest VLAN
/caps-man datapath add name=Guest-DP \
    bridge=bridge-main \
    vlan-id=20 \
    vlan-mode=use-tag


# Configurations
/caps-man configuration add name=Corporate-AP \
    datapath=Corp-DP \
    security=Corp-Security \
    ssid=Corporate-Network


/caps-man configuration add name=Guest-AP \
    datapath=Guest-DP \
    security=Guest-Security \
    ssid=Guest-Network


# Provisioning - create both SSIDs on each CAP
/caps-man provisioning add action=create-dynamic-enabled \
    master-configuration=Corporate-AP \
    slave-configurations=Guest-AP

Scenario 3: Discovery Across Complex Networks

Section titled “Scenario 3: Discovery Across Complex Networks”

When CAPs connect through switches or over non-Ethernet media (like powerline adapters), the discovery interface must be a bridge:

# On CAP - using bridge for discovery
/interface bridge
add name=bridge-local


/interface bridge port
add bridge=bridge-local interface=ether1


# CRITICAL: Use bridge interface for discovery, not physical port
/interface wifi cap set enabled=yes \
    capsman-addresses=10.0.0.1 \
    discovery-interface=bridge-local \
    interface=wifi1

This resolves issues where CAPs fail to register with CAPsMAN when connected through:

  • Powerline adapters
  • Managed switches with complex VLAN configurations
  • Multiple network hops
  • Wireless backhaul links

Scenario 4: Local Forwarding with Bridge

Section titled “Scenario 4: Local Forwarding with Bridge”

In local forwarding mode, traffic is switched locally by the CAP. The bridge on the CAP must include both the wireless interface and the uplink port:

# On CAP
/interface bridge
add name=bridge-local


# Add wireless and uplink to bridge
/interface bridge port
add bridge=bridge-local interface=ether1
add bridge=bridge-local interface=wlan1


# Enable CAP mode with local forwarding
/interface wifi cap set enabled=yes \
    capsman-addresses=10.0.0.1 \
    discovery-interface=bridge-local \
    interface=wlan1


# On CAPsMAN - datapath with local-forwarding=yes
/caps-man datapath add name=Local-FWD \
    bridge=bridge-main \
    local-forwarding=yes \
    vlan-id=10 \
    vlan-mode=use-tag

Common Issues and Troubleshooting

Section titled “Common Issues and Troubleshooting”

Issue 1: CAP Not Registering with CAPsMAN

Section titled “Issue 1: CAP Not Registering with CAPsMAN”

Symptoms: CAP never appears in /caps-man interface print

Solutions:

  1. Verify CAPsMAN is enabled:

    /caps-man manager print
    # Ensure enabled=yes

  2. Check CAP discovery interface:

    /interface wifi cap print
    # Verify discovery-interface is set correctly

  3. Use bridge interface for discovery:

    /interface wifi cap set discovery-interface=bridge-local

  4. Verify network connectivity:

    /ping 10.0.0.1
    # From CAP, ping CAPsMAN router

  5. Check firewall on CAPsMAN router:

    /ip firewall filter print
    # Ensure CAPsMAN ports are not blocked (TCP 5246, UDP 5247)

Issue 2: Wireless Clients Connected but No Traffic

Section titled “Issue 2: Wireless Clients Connected but No Traffic”

Symptoms: Clients associate but cannot pass traffic

Solutions:

  1. Verify datapath bridge is correct:

    /caps-man datapath print
    # Check bridge parameter points to valid bridge

  2. Check bridge port membership:

    /interface bridge port print
    # Ensure CAP interface is added to bridge

  3. For VLANs, verify bridge VLAN filtering:

    /interface bridge vlan print
    # Ensure VLAN IDs are configured

  4. Check PVID on CAP interfaces:

    /interface bridge port print
    # Verify PVID matches expected VLAN

Issue 3: Bridge Not Included in CAPsMAN Traffic

Section titled “Issue 3: Bridge Not Included in CAPsMAN Traffic”

Symptoms: Traffic not passing through bridge to wired network

Cause: Physical interface specified instead of bridge in datapath

Solution:

# Wrong - physical interface
/caps-man datapath add name=DP1 bridge=ether1


# Correct - bridge interface
/caps-man datapath add name=DP1 bridge=bridge-main

Issue 4: CAPsMAN Over Switch

Section titled “Issue 4: CAPsMAN Over Switch”

Symptoms: CAPs connect through a switch but cannot reach CAPsMAN

Solution:

  1. On CAPsMAN router, allow CAPsMAN on switch-facing interface:

    /caps-man manager interface
    add interface=ether2

  2. Ensure switch allows CAPsMAN traffic (UDP 5246/5247)

  3. If using VLANs, ensure management VLAN is allowed on trunk

Provisioning with Bridge Interfaces

Section titled “Provisioning with Bridge Interfaces”

Use provisioning rules to automatically assign CAP configurations based on identity or other attributes:

# Provision based on CAP identity
/caps-man provisioning add \
    action=create-dynamic-enabled \
    identity-regexp="^Office-" \
    master-configuration=Office-AP


/caps-man provisioning add \
    action=create-dynamic-enabled \
    identity-regexp="^Warehouse-" \
    master-configuration=Warehouse-AP


# Provision based on MAC address
/caps-man provisioning add \
    action=create-static-enabled \
    mac-address=AA:BB:CC:DD:EE:FF \
    master-configuration=Office-AP

Best Practices

Section titled “Best Practices”

  1. Always use bridge interfaces in datapath configuration, never physical ports

  2. Use bridge for discovery - Especially important in complex network topologies

  3. Enable VLAN filtering on bridge - Required for multi-VLAN deployments

  4. Match PVID values - Ensure bridge port PVID matches the datapath VLAN ID

  5. Use local forwarding - Default and recommended for most deployments unless centralized control is needed

  6. Monitor with CAPsMAN interface - Regular checks with /caps-man interface print

See Also

Section titled “See Also”