
CAPsMAN with VLANs

CAPsMAN (Controlled Access Point Manager) provides centralized management for multiple access points. When combined with VLAN tagging, CAPsMAN enables sophisticated network segmentation where different SSIDs or different physical APs map to different VLANs.

This guide explains how to assign VLAN IDs to wireless packets based on the access point and SSID that a client connects to. CAPsMAN with VLANs can be achieved using either Local Forwarding Mode or CAPsMAN Forwarding Mode:

  • Local Forwarding Mode: each CAP tags client frames itself and they are switched locally between the APs, the CAPsMAN router and the rest of the wired network, giving higher throughput
  • CAPsMAN Forwarding Mode: all client traffic is tunnelled to the CAPsMAN router and tagged there, useful when traffic must always pass through one central point for filtering

In this example, we assign:

  • VLAN10 to clients connecting to WiFi_WORK
  • VLAN20 to clients connecting to WiFi_GUEST

In Local Forwarding Mode, the CAPsMAN router only distributes configuration to the CAPs. Client traffic is not required to pass through the CAPsMAN router; it can be switched directly by the switch between the APs and the router. Each CAP tags client frames with the VLAN ID of the SSID before they enter the wired network, so the switch in between must carry those VLANs as tagged on the ports facing the CAPs and the CAPsMAN router.

+------------------+       +-------------+       +---------+
| CAPsMAN Router   |<----->|   Switch    |<----->|  CAP 1  |
| (VLAN tags)      |       |             |       +---------+
+------------------+       | (VLANs to   |       +---------+
                           |   ports)    |<----->|  CAP 2  |
                           +-------------+       +---------+

Create one CAP configuration per SSID/VLAN with datapath.local-forwarding=yes. The passphrases below are placeholders; wpa-psk is listed alongside wpa2-psk only for legacy clients and should be dropped once all clients support WPA2:

/caps-man configuration
add country=latvia datapath.local-forwarding=yes datapath.vlan-id=10 datapath.vlan-mode=use-tag name=Config_WORK \
security.authentication-types=wpa-psk,wpa2-psk security.passphrase=secret_work_password ssid=WiFi_WORK
add country=latvia datapath.local-forwarding=yes datapath.vlan-id=20 datapath.vlan-mode=use-tag name=Config_GUEST \
security.authentication-types=wpa-psk,wpa2-psk security.passphrase=secret_guest_password ssid=WiFi_GUEST

Create a single CAPsMAN provisioning rule to create both SSIDs on each CAP:

/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_WORK slave-configurations=Config_GUEST

Restrict the CAPsMAN manager to the interface through which the CAPs connect (ether1, the trunk toward the switch), so that it does not accept CAPs arriving on any other interface:

/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether1
/caps-man manager
set enabled=yes

Set up a DHCP server for each VLAN. In this mode the VLAN interfaces sit directly on the router's ether1, the trunk toward the switch, and terminate the tags applied by the CAPs:

/interface vlan
add interface=ether1 name=VLAN10 vlan-id=10
add interface=ether1 name=VLAN20 vlan-id=20
/ip address
add address=192.168.10.1/24 interface=VLAN10
add address=192.168.20.1/24 interface=VLAN20
/ip pool
add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool20 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_pool10 disabled=no interface=VLAN10 name=dhcp10
add address-pool=dhcp_pool20 disabled=no interface=VLAN20 name=dhcp20
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1

On the switch between the CAPsMAN router and the CAPs, use bridge VLAN filtering so that only the known VLANs are forwarded and so that wired devices land in the right network. The trunk ports ether1 to ether3 carry both VLANs tagged; ether4 and ether5 are untagged access ports in VLAN 10 and VLAN 20:

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4 pvid=10
add bridge=bridge1 interface=ether5 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=ether1,ether2,ether3 untagged=ether4 vlan-ids=10
add bridge=bridge1 tagged=ether1,ether2,ether3 untagged=ether5 vlan-ids=20

In this configuration, untagged traffic (the CAPsMAN control connection, PVID 1 on the trunk ports) is used to communicate between the CAPs and the CAPsMAN router, while client traffic arrives on the trunk ports already tagged by the CAPs. By default, untagged traffic is forwarded between ports with the same PVID value. When applying this to a switch that is managed over the same link, add the bridge VLAN entries first and enable vlan-filtering last; turning filtering on with an incomplete VLAN table can cut off the management session.

On each CAP, create a bridge and add the Ethernet port that leads (through the switch) to the CAPsMAN router:

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1

Enable CAP mode on the AP, using the bridge both for CAPsMAN discovery and as the bridge into which the wireless interfaces are placed:

/interface wireless cap
set bridge=bridge1 discovery-interfaces=bridge1 enabled=yes interfaces=wlan1

After CAPs connect to the CAPsMAN router, dynamic interfaces are created and added as bridge ports with appropriate VLAN IDs:

[admin@CAP_1] /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
 #     INTERFACE  BRIDGE   HW   PVID  PRIORITY  PATH-COST  INTERNAL-PATH-COST  HORIZON
 0 H   ether1     bridge1  yes  1     0x80      10         10                  none
 1 D   wlan1      bridge1       10    0x80      10         10                  none
 2 D   wlan5      bridge1       20    0x80      10         10                  none

In CAPsMAN Forwarding Mode, all client traffic from the CAPs is encapsulated in the CAPsMAN protocol and can only be decapsulated by the CAPsMAN router. A switch in the path cannot see the VLAN IDs assigned by the CAP, because the VLAN tag travels inside the encapsulation. This rules out switching client traffic locally at Layer 2, but because the CAPsMAN connection runs over IP it lets CAPs reach a CAPsMAN router across routed (Layer 3) networks, and every client frame passes a single point where it can be filtered.

+---------+   Encapsulated   +----------------+   Tagged   +---------+
|  CAP 1  |<---------------->| CAPsMAN Router |<---------->| Network |
+---------+                  +----------------+            +---------+
              (all client traffic passes through the CAPsMAN router)

On the CAPsMAN router, set up bridge VLAN filtering so that each VLAN reaches only the appropriate interfaces. ether1 and ether2 are untagged access ports for VLAN 10 and VLAN 20, and bridge1 itself is a tagged member of both VLANs so that the VLAN interfaces created below can sit on it:

/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=10
add bridge=bridge1 interface=ether2 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether1 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=20

CAPsMAN automatically adds appropriate entries to the bridge VLAN table for CAP interfaces (RouterOS v6.43+).

Create CAP configurations for each VLAN. datapath.local-forwarding is left at its default (no), and datapath.bridge names the CAPsMAN router's own bridge, into which the dynamic CAP interfaces are placed:

/caps-man configuration
add country=latvia datapath.bridge=bridge1 datapath.vlan-id=10 datapath.vlan-mode=use-tag name=Config_WORK \
security.authentication-types=wpa-psk,wpa2-psk security.passphrase=secret_work_password ssid=WiFi_WORK
add country=latvia datapath.bridge=bridge1 datapath.vlan-id=20 datapath.vlan-mode=use-tag name=Config_GUEST \
security.authentication-types=wpa-psk,wpa2-psk security.passphrase=secret_guest_password ssid=WiFi_GUEST

Create the provisioning rule:

/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_WORK slave-configurations=Config_GUEST

Limit CAPsMAN to interfaces where CAPs connect:

/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether3
add disabled=no interface=ether4
/caps-man manager
set enabled=yes

Set up DHCP servers (on bridge VLAN interfaces in this mode):

/interface vlan
add interface=bridge1 name=VLAN10 vlan-id=10
add interface=bridge1 name=VLAN20 vlan-id=20
/ip address
add address=192.168.10.1/24 interface=VLAN10
add address=192.168.20.1/24 interface=VLAN20
/ip pool
add name=dhcp_pool10 ranges=192.168.10.2-192.168.10.254
add name=dhcp_pool20 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server
add address-pool=dhcp_pool10 disabled=no interface=VLAN10 name=dhcp10
add address-pool=dhcp_pool20 disabled=no interface=VLAN20 name=dhcp20
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8 gateway=192.168.20.1

Enable CAP mode on each AP:

/interface wireless cap
set discovery-interfaces=ether1 enabled=yes interfaces=wlan1

After CAPs connect to the CAPsMAN router, dynamic CAP interfaces are created and added as bridge ports:

[admin@CAPsMAN_Router] /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload
# INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON
0 ether1 bridge1 yes 10 0x80 10 10 none
1 ether2 bridge1 yes 20 0x80 10 10 none
2 D cap16 bridge1 10 0x80 10 10 none
3 D cap17 bridge1 20 0x80 10 10 none
[admin@CAPsMAN_Router] /interface bridge vlan print
Flags: X - disabled, D - dynamic
# BRIDGE VLAN-IDS CURRENT-TAGGED CURRENT-UNTAGGED
0 D bridge1 1 bridge1
1 bridge1 10 cap16 ether1
2 bridge1 20 cap17 ether2

Using Virtual APs reduces total throughput, since one radio must share its airtime between both networks. For deployments where each physical AP serves a single purpose, you can instead assign a configuration based on the CAP's identity, using provisioning rules with a regular expression. Note that the identity is set by the CAP itself, so matching on it only sorts CAPs you already trust into configurations; it is not an access control. Keep the manager interface restriction above in place so that an unknown device cannot obtain a configuration, including its passphrase, simply by naming itself AP_WORK_something.

Assign Config_WORK to CAPs whose identity starts with AP_WORK_ and Config_GUEST to CAPs whose identity starts with AP_GUEST_ (the first command removes the provisioning rule created earlier):

/caps-man provisioning remove [find]
/caps-man provisioning
add action=create-dynamic-enabled identity-regexp=^AP_GUEST_ master-configuration=Config_GUEST
add action=create-dynamic-enabled identity-regexp=^AP_WORK_ master-configuration=Config_WORK

Set appropriate identities on the CAPs:

/system identity
set name=AP_WORK_Office1

The two modes compared:

Feature                   Local Forwarding                  CAPsMAN Forwarding
Traffic path              Can go directly through switch    Must go through CAPsMAN
Switch VLAN awareness     Yes (tags visible)                No (encapsulated)
Data path over Layer 3    No (switched locally at L2)       Yes (tunnelled to CAPsMAN, works for remote APs)
Throughput                Higher (local switching)          Lower (all through CAPsMAN)
Centralized filtering     Limited                           Full control

The datapath configuration in CAPsMAN controls forwarding behavior:

Parameter          Local Forwarding           CAPsMAN Forwarding
local-forwarding   yes                        no (default)
bridge             Not used (CAP's own bridge)  Required (CAPsMAN router's bridge)
vlan-id            Client VLAN                Client VLAN
vlan-mode          Tagging behavior           Tagging behavior

If a CAP does not connect to the CAPsMAN router, verify that:

  • CAPsMAN manager is enabled
  • CAPsMAN manager interface includes the correct interface
  • CAP discovery-interfaces includes the interface connected to CAPsMAN
  • Any firewall between CAP and CAPsMAN allows the CAPsMAN protocol (UDP 5246 for control and UDP 5247 for data)

If client traffic arrives without the expected VLAN tag, or ends up in the wrong VLAN, check that:

  • vlan-mode=use-tag is set in the CAPsMAN datapath
  • vlan-id is configured in the CAPsMAN datapath
  • Bridge VLAN filtering is enabled where the tags are terminated: on the CAPsMAN router in CAPsMAN forwarding mode, on the switch in local forwarding mode
  • The bridge VLAN table includes the CAP interfaces (or the trunk ports facing the CAPs) with the correct VLAN IDs

If clients associate but do not obtain an IP address or cannot reach the network, ensure that:

  • DHCP servers are configured on the correct interfaces
  • Firewall rules allow traffic from the VLANs
  • Routes exist for the VLAN subnets
  • Bridge ports have correct PVID values if using untagged access ports
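As a practical way to run the checks above, here is an added example in Python; it is not part of the original guide or of RouterOS. It parses the relevant sections of a RouterOS /export and reports each CAPsMAN configuration that would leave client traffic untagged or unfiltered, any provisioning rule that refers to a missing configuration, and a CAPsMAN manager that still accepts CAPs on every interface. It also encodes the datapath rule from the parameter table: a configuration without local-forwarding=yes must name a bridge, that bridge must have vlan-filtering=yes, and its VLAN table must contain the client VLAN. The embedded export is constructed from the CAPsMAN Forwarding Mode configuration in this guide; the function names and finding texts are the example's own.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample: an abbreviated /export of the CAPsMAN Forwarding Mode
# router configured in this guide (not captured from a real device).
SAMPLE_EXPORT = r"""
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=10
add bridge=bridge1 interface=ether2 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether1 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=20
/caps-man configuration
add country=latvia datapath.bridge=bridge1 datapath.vlan-id=10 datapath.vlan-mode=use-tag name=Config_WORK \
    security.authentication-types=wpa-psk,wpa2-psk security.passphrase=secret_work_password ssid=WiFi_WORK
add country=latvia datapath.bridge=bridge1 datapath.vlan-id=20 datapath.vlan-mode=use-tag name=Config_GUEST \
    security.authentication-types=wpa-psk,wpa2-psk security.passphrase=secret_guest_password ssid=WiFi_GUEST
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_WORK slave-configurations=Config_GUEST
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=ether3
"""


def parse_export(text):
    """Map each menu path (e.g. "/caps-man configuration") to its add/set entries.

    Each entry is a dict of key=value attributes plus "_cmd". Backslash line
    continuations are joined first; tokens inside [ find ... ] are skipped so
    the selector's own key=value pairs are not mistaken for attributes.
    """
    joined = re.sub(r"\\\n\s*", " ", text)
    sections, menu = defaultdict(list), None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        tokens = shlex.split(line)
        if not tokens or tokens[0] not in ("add", "set"):
            continue
        entry, depth = {"_cmd": tokens[0]}, 0
        for tok in tokens[1:]:
            if tok == "[":
                depth += 1
            elif tok == "]":
                depth -= 1
            elif depth == 0 and "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[menu].append(entry)
    return sections


def vlan_ids(spec):
    """Expand a RouterOS vlan-ids value such as "10,20,30-35" into a set of ints."""
    ids = set()
    for part in filter(None, spec.split(",")):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def check_capsman_vlans(export_text):
    """Return findings as strings; an empty list means every invariant holds."""
    ex, findings = parse_export(export_text), []
    bridges = {b["name"]: b for b in ex["/interface bridge"] if "name" in b}
    table = defaultdict(set)  # bridge name -> VLAN IDs present in its VLAN table
    for row in ex["/interface bridge vlan"]:
        table[row["bridge"]] |= vlan_ids(row.get("vlan-ids", ""))

    configs = {c["name"]: c for c in ex["/caps-man configuration"] if "name" in c}
    for name, c in configs.items():
        mode, vid = c.get("datapath.vlan-mode", "no-tag"), c.get("datapath.vlan-id")
        if mode != "use-tag" or vid is None:
            findings.append(f"{name}: client traffic is not tagged (vlan-mode={mode}, vlan-id={vid})")
        elif c.get("datapath.local-forwarding", "no") != "yes":
            # CAPsMAN forwarding: the CAPsMAN router's bridge must filter and carry the VLAN.
            bridge = c.get("datapath.bridge")
            if bridge is None:
                findings.append(f"{name}: CAPsMAN forwarding without datapath.bridge")
            elif bridges.get(bridge, {}).get("vlan-filtering") != "yes":
                findings.append(f"{name}: bridge {bridge} has vlan-filtering disabled, VLAN {vid} is not isolated")
            elif int(vid) not in table[bridge]:
                findings.append(f"{name}: VLAN {vid} missing from the {bridge} VLAN table")
        if "wpa-psk" in c.get("security.authentication-types", "").split(","):
            findings.append(f"{name}: wpa-psk (WPA1) is enabled; drop it unless legacy clients need it")

    for p in ex["/caps-man provisioning"]:
        refs = [p.get("master-configuration", "")] + p.get("slave-configurations", "").split(",")
        findings += [f"provisioning references unknown configuration {r}" for r in refs if r and r not in configs]

    if not any(e["_cmd"] == "set" and e.get("forbid") == "yes" for e in ex["/caps-man manager interface"]):
        findings.append("CAPsMAN manager accepts CAPs on every interface (default entry not forbidden)")
    return findings


if __name__ == "__main__":
    for finding in check_capsman_vlans(SAMPLE_EXPORT) or ["no findings"]:
        print(finding)
```

Run against the sample, the only findings are the two wpa-psk warnings, because the guide's configurations enable WPA1 alongside WPA2. Feed it a real `/export` (saved to a file and read into a string) and it flags the mistakes the troubleshooting lists describe: a missing vlan-id, a bridge with vlan-filtering left off, or a manager that never forbade its default interface entry. Line continuations in exports are joined before parsing, so long lines wrapped by RouterOS are handled.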