avatar

Configuring wifi roaming "CAPsMAN V1" on mikrotik routers

Jan 26, 2025

Configuring CAPsMAN V1 on mikrotik routers "Wifi Roaming"

If you ever wondering how to cover all area of your home with wifi without having few or more router in diferrent room, and without connection to differend wifi AP points. This is whats called wifi "Roaming" so the all AP will work together as one wifi AP. and client will be reconnecting without any delay or packet loss, to another AP.

CAPsMAN stands for Controlled Access Point System Manager. It is a feature in MikroTik RouterOS that allows you to centralize the management and configuration of multiple MikroTik wireless access points (APs) from a single point, known as the CAPsMAN controller.

Note: With CAPsMAN, you can configure and manage wireless networks more efficiently, especially in scenarios where you have multiple access points spread across an area.

This is a short list of how the CAPsMAN works:

  1. CAPsMAN Controller: this is central point "main wifi router which controls all others",
  2. CAPs "Controlled Access Point" These are the wireless devices that are managed by the CAPsMAN controller. Each CAP connects to the controller, and the controller takes care of configuring and controlling the settings of each CAP.
  3. Centralized Configuration - nstead of configuring each individual access point separately, you can define configurations on the CAPsMAN controller, and it will push these settings to the connected CAPs.

To complete this setup we will be using two wifi access points "CAP ac" and the main router "firewall" is "RB2011iL-RM".

mikrotik-cap-ac-complekt.png

Before we will start let's configure our AP the "CAP ac" to have access from main router firewall, just for convinience, you can skip this step if you will configure only two access points.

Note: This is not required step, it's just for convinience of managing such routers.

Lest create this two firewall rules to be able to acess AP's from main network:

  1. Go to IP->Firewall->New: We will put next values:
    1. Chain: input
    2. Protocol: tcp
    3. In Interface: ether1 "incoming ether from main router"
    4. Action: Accept

firewall-rule-mikrotik-ac.png

  1. Go to IP->Firewall->NAT->New:
    1. Chain: dstnat
    2. Dst. Address: 192.168.88.15 "Our AP local address given by DHCP of main router"
    3. Protocol: TCP
    4. Dst Port: 80 "Web ui of the mikrotik"
    5. In Interface: ether1
    6. Action: dst-nat
    7. To Addresses: 192.168.86.1 "The local AP adresses" To Ports: 80

nat-rule-mikrotik-ac.png

Repeat same configuration on another CAP AP, with that now we have the admin UI available for both AP's from main router, which is pretty convinied for managing purposes.

Choose the master AP which will be CAPsMAN server for other AP, we have chosen one from guest room with ip address 192.168.88.14

Configure Main CAP AP as a controller

  1. Enable the CAPsMAN manager from the CAPsMAN -> CAP Interface -> Manager menu setting.

    Go to CAPsMAn -> CAP Interface -> Manager -> Enable -> yes

    enable-capsman-interface.png

  2. Enable CAP in the Wireless controller to allow the CAP Manager to control the on-board wireless capabilities. To do so, go into Wireless -> WiFi Interfaces -> CAP. Enable CAP, Add the interfaces that you wish CAPsMAN to manage (in our case, wlan1 and wlan2) and set the CAPsMAN Addresses to localhost (i.e. 127.0.0.1 - this setting specifies where to find the CAPsMAN server, and in this case this device) and then hit OK.

    mikrotik-hanlde-wifi-to-cap.png

    Note: You will notice that once these changes are made, you are no longer able to manage your wireless settings from within the Wireless tab – they are now managed under the CAPsMAN settings menu.

    mikrotik-capsman-ctonrolled-interfaces.png

    CAPsMAN is now enabled on our router, but we need to configure it in order to get it to work properly.

  3. Security profile configurations

    First, we are going to configure security. This is the equivalent of setting the password on your SSID. To do so, from the CAPsMAN Configuration window, select Security Cfg. and hit the + to create a new security configuration. Create a new security configuration as shown. Under the CAPsMAN menu click Security Cfg and hit the + button to create a new configuration. Set the Name, Authentication Type, Encryption, and the Passphrase, and hit OK when complete to save the security configuration.

    mikrotiks-capsman-security-profile.png

  4. We are going to setup a datapath. This specifies what bridge and/or vlan the CAP will attach to. Under the CAPsMAN menu click Datapaths and hit the + button to create a new configuration. Set the Name, and the bridge to attach to, and hit OK when complete to save the security configuration.

    Under the CAPsMAN menu click datapaths create a new one.

    mikrotik-capsman-datapaths.png

  5. We are going to create a new configuration file. To do so, go into CAPsMAN -> Configurations and hit the + button to create a new configuration. Please note that you will need a separate configuration for 2GHz vs 5GHz if you choose to specify the channel settings.

    On the CAPs Configuration Wireless tab, enter the following: Mode: Set mode to ap as shown SSID: Enter your Wireless SSID, in our case CAPsTEST and we specify our country and the installation type (indoor or outdoor)

    mikrotik-capsman-main-AP-configuration.png

    On the CAPsMAN Datapath page, under Datapath, select the datapath that we just created.

    mikrotik-capsman-datapath-tab.png

    On the CAPsMAN Security page, specify the Security configuration that we created earlier.

    mikrotik-capsman-security-tab.png

    Once all these have been completed, click OK to create the configuration. We end up with our configuration as shown.

  6. Now we need to provision the configuration files. Provisioning allows us to determine which configuration files get assigned to which CAPs.

    1.Open the provisioning tab and hit the + to create a new provision file. For this example, we are going to simply assign the configuration files to any device that gets assigned to the CAPsMAN controller. In the provision file, set the Master Configuration to cfg1 and set the slave configuration to cfg2 and change Name Format to identity (which will allow the CAP to show up with the actual router name in the CAPsMAN manager) and hit the OK button when completed.

    mikrotik-capsman-provision-configuration.png

Note: Our configuration on the CAPsMAN server is complete.

  1. Our configuration on the CAPsMAN server is complete. Lets configure second AP to use capsman server we defined in Maint Controller router,

    Go to Wireless -> Wirelles Configuration -> CAP

    CAPsMAN Address is the address of our Maint Controller capsman server on the AP 1 and the Discovery interface is where to look at capsman server.

    Note: In our current setup both wifi AP are connected by wire to the main firewall router, so AP is lookig at ether connection for CAPSMAN "There is already firewall rules defined to handle that by default"

    mikrotik-capsam-client-ap-configuration.png

Now, if we look at our CAPsMAN manager, you will see that all our wireless interfaces are now listed.

mikrotik-capsman-client-wifi-list.png

At this point the setup is complete you can verify it by going into main Router and list if in CAPsMAN -> CAP Interface:

Here we can see all two wifi points 5GHz and 2GHz are managed by CAPsMAN with the same security profile.

mikrotik-capsman-final-setup-look.png

So now we have 4 wifi endpoints with the same ssid and security profiles, and client's can checkout between them by choosing better signal quality withaout any packet loss ar delay, or breaking the connection.

© Nazar Klovanych — All written content on this website reflects my personal opinion and it's available under CC BY 4.0