CAPSMAN info dump

I was asked by a friend to give a quick rundown on Mikrotik CAPSMAN configuration, so I dumped the config and added some notes. :)


I’m currently running v6.38 but was running about v6.2 only a week or so ago - make sure you have the “wireless” package enabled. Older RouterOS versions required the capsman-v2 package, which is now deprecated.

  > /sys package print
  Flags: X - disabled
   #   NAME                   VERSION
   0   routeros-mipsbe          6.38
   1   system    				6.38
   2   ipv6      				6.38
   3   wireless  6.38

If there was an X, enable it (in this example /sys package enable 3) - remember you’ll need to reboot after enabling a package.

CAPSMAN router config

There’s a bunch of variables below for you to replace BEFORE putting into config, my default values are in brackets. This goes on your “head end” router.

  • $WIFISSID - duh (housenet)
  • $WIFIPSK - wifi password (nope)
  • $DATAPATH - configuration for virtual wires (housenet-datapath)
  • $BRIDGE - the name of the bridge your router has for other things (bridge-cap)
  • $SECURITY - security policy name (housenet-security)
  • $APNAMES - generic prefix for the mikrotik device names (AP)


/caps-man manager set enabled=yes

This sets how the devices communicate globally

/caps-man datapath
 add bridge=$BRIDGE client-to-client-forwarding=yes name=$DATAPATH

Wireless security config

/caps-man security
add authentication-types=wpa2-psk\
 encryption=aes-ccm group-encryption=aes-ccm\
 name=$SECURITY passphrase=$WIFIPSK

Templated configuration

/caps-man configuration
add country=australia\
   datapath=$DATAPATH datapath.bridge=$BRIDGE\
   datapath.client-to-client-forwarding=yes \
   mode=ap name=$CONFIGURATION security=$SECURITY\

Provisioning profile, it sets up the APs

/caps-man provisioning
 add action=create-dynamic-enabled master-configuration=$CONFIGURATION\
   name-format=prefix name-prefix=$APNAMES

DHCP Configuration

Just like pxe, you have to tell the CAPs to find the manager. This goes on my main router, but if you’ve got a separate DHCP router or something, it’s important to set it.

/ip dhcp-server
add add-arp=yes address-pool=dhcp authoritative=yes disabled=no interface=$BRIDGE lease-time=8h name=lan

caps-manager is important here, points devices to the manager.

/ip dhcp-server network
 add address= caps-manager= dns-server=\ gateway= netmask=24 ntp-server=

This is the bridge config for the parent router.

/interface bridge
add name=$BRIDGE
/interface bridge port
add bridge=$BRIDGE interface=ether2-master-local
/interface bridge settings
set use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes

CAP config

This is the configuration from one of my AP’s; I’m fairly sure this is all default, if not here’s the useful stuff.

# build a bridge
/interface bridge
add name=bridge1
# add the port
/interface bridge port
add bridge=bridge1 interface=ether1
# pull dhcp
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=bridge1
# enable capwap config
/interface wireless cap
set discovery-interfaces=ether1 enabled=yes interfaces=wlan1

#Mikrotik #CAPSMAN #wireless