Managing and monitoring from a single point is a good way to avoid network errors and complications. MikroTik CAPsMAN is a free access point controller system for all devices and routers. This article is a simple, affordable guide to monitoring and controlling access points through the configuration of a wireless controller. Configuring CAPsMAN makes it easy to manage even a large network of dozens of ports in the future. A further advantage of the utility is its multi-level data integration system, which lets you choose the optimal settings for each type of device.
More about technology
Before proceeding with the configuration of CAPsMAN, you need to understand the purpose of the utility. It is not always used and is a means to optimize routine processes. CAPsMAN is a MikroTik implementation that lets the user centrally manage access points of the same brand, define Wi-Fi networks and passwords, and decide where traffic is handled: in the manager or in the access point. The wireless controller can be deployed on any MikroTik device running RouterOS (for example, hAP lite series routers).
When using the CAPsMAN function, the network consists of several “controlled access points” (CAPs), which provide the wireless connection, and a “system manager”, which manages the configuration of the access points and also handles client authentication and, possibly, data transfer. When a CAP is controlled by the manager, it needs only the minimum configuration required to establish a connection to the manager. The functions that were typically performed by the AP (such as access control and client authentication) are now performed by CAPsMAN. When configuring CAPsMAN, you can choose the boot and connection parameters you need.
Users familiar with this technology can immediately think of a similar feature of UniFi, Ubiquiti’s central corporate wireless platform. However, there are serious differences in them that directly indicate that these two system utilities cannot work on the same communication protocol.
Thus, the concept of CAPsMAN involves the use of an existing Internet router (only released by MikroTik) and the addition of an additional package to be reviewed in the extension article.
How the type of extensions works
The utility is capable of processing incoming signals and routing them from ten or more devices simultaneously. CAPsMAN configuration is integrated into the main network connection and branded devices from the manufacturer. The utility cannot be used for third-party network equipment manufacturers.
First you need to install the CAPsMAN wireless package on the router and all access points. If you use CAP, you do not need to do this. However, if the CAPs come with CAPsMAN version 1 and you want version 2, download it from the official MikroTik website, drag the file into the general information window and reboot all the devices.
To integrate the CAPsMAN configuration, you will need to perform simple steps. They are as follows:
Once the router receives the CAPsMAN package, open Winbox and enable the utility manager service.
Then create a bridge interface for dynamically added CAPs when they appear on the network.
Add an IP address, a DHCP server, and a NAT rule. You can learn how to do this elsewhere, for example, on wiki.mikrotik.com. There, all the current dynamic address settings for each specific region are covered.
Add a new CAPsMAN configuration.
Add a new communication rule.
Next, you just need to reboot the entire network node, after which the utility will be ready for use. However, to use all the available functionality, you may need to perform a number of other actions, which are described below. Setting up MikroTik CAPsMAN may seem quite complicated at first glance. In this article, the actions are divided into blocks that explain why each network parameter is set.
CAP setup
When setting up seamless roaming, there are 2 options. Each of them is selected depending on the type of connection and the necessary integration to expand communication. Configuring CAPsMAN MikroTIk through this parameter allows you to synchronize and vice versa split several connection types at once. This is especially convenient if several providers are used at once.
Option 1: Using a RouterBoard MAP or CAP
These are specially designed devices that are used to configure network routing interfaces. They already have a built-in default setting that is suitable for stand-alone configuration. Basically, this is a wireless access point with a DHCP server in a WLAN, a DHCP client in an Ethernet network. Configuring CAPsMAN MikroTIk 2 SSID allows you to set advanced parameters for connecting bridges. The integration of each service is carried out separately.
Please note that most CAPs and MAPs come with software version 1, so before you use the hardware switch to set them to CAP mode, update the CAPsMAN package. Only then can you proceed to the next steps.
Module management
The reset switch is located on the bottom of the device, next to the Ether connector. Hold it and apply power through the supplied POE adapter. Hold it for 10 seconds. The wireless indicator changes from blinking to solid. Then release it and it will load the CAP configuration and look for the controller on the local network. Detection option “Level 3” for the case when the utility is in another segment of connection and communication. Configuring CAPsMAN MikroTIk 2 SSID will be convenient in case of creating a home network. All reset actions when connecting this parameter are carried out in an identical way.
Network card options
The Mikrotik CAPsMAN setting using a network device is used when integrating a common Internet connection service. On the side of the device is a reset switch. Hold it and apply power through the supplied POE adapter. Hold the switch for 10 seconds. The AP / CAP indicator changes from constant to blinking. Then release. Next, the CAP protocol will be launched, which allows you to manually search for the necessary communication sources.
In any case, forget about the LEDs and hold the switch for exactly 10 seconds, and everything will be ready to work. When you release the switch, the LEDs should blink quickly, 2-3 of them will do this at the same time, telling you that they use integrated configurations.
Option 2: Convert the MAP system to CAP
When setting up MikroTik CAPsMAN using the second method, it is possible to do the reverse action of dividing channels from one common one, if additional connection nodes are necessary. It is very simple. First, download CAPsMAN version 2 and drag it into the file window. Reboot and then configure the AP by first deleting any existing configuration. Then configure it as a CAP using the following script, which you can copy and paste into the terminal window:
# Basic radio settings on the built-in wireless interface
/interface wireless
set [ find default-name=wlan1 ] l2mtu=1600 ssid=MikroTik
# Hand wlan1 over to CAPsMAN and look for the controller on ether1
/interface wireless cap
set discovery-interfaces=ether1 interfaces=wlan1 enabled=yes
# Obtain an address on the uplink port
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1
The device will then contact the manager and become a CAP. As soon as the service is configured, CAPsMAN will show its status, and the utility will inform you that control has passed to other software. Next, actions are taken to integrate external services. Setting MikroTik CAPsMAN to seamless roaming allows you to quickly redirect different connection channels between two or more providers.
At this stage, you can make many changes, for example, add additional SSIDs or security keys, but this is the basic setting. All additional CAPs added to the local network will be automatically configured as required by the utility if they are in integration mode.
Link Level Setting
Configuring CAPsMAN MikroTIk in seamless roaming is performed according to a common scenario. There is one communication protocol that does not require a set of separate configurations for connecting a shared network. In the service integration scenario, there will be a router from Mikrotik, which makes the user a manager, where traffic is also controlled, and acts as an access point. Here you will need to create two Wi-Fi networks, one of which is connected to the local one at level 2 (access via ether5), and the other to access devices that require, for example, only Internet access.
CAPsMAN version 2 is configured based on the set of properties of a system connection to a common source. Configuring the AP to communicate with the "Manager" can be performed in two ways, at level 2 (MAC addressing) or at level 3 (IP addressing).
Manager Installation
Configuring CAPsMAN v2 requires the connection of a personal account. It houses the user control panel and terminal for entering commands. The first thing to do is set up a manager. As noted above, there will be two Wi-Fi networks. When configuring an access point using CAPsMAN, you should create virtual interfaces, which can be dynamic or static, for each network space generated at the access points. These interfaces need to become part of the overall coverage, because, for example, they will be interfaces that use the same SSID, even if the communication nodes are part of different access points. Network bridges are used for this.
Configuring CAPsMAN 2 MikroTIk should contain synchronization nodes through which bridges lead their connections. To do this, you need to define two network bridges, which will be needed later. One for LAN and one for Wi-Fi Internet. In addition, you must add the ether5 interface, which connects the local network to the LAN bridge. When the CAP interfaces are generated, you will need to configure these connected connection types to automatically be included in their corresponding bridge.
When setting up, it is best to separate traffic into VLANs whenever possible. Therefore, you must create a VLAN to manage the access points and the communication between them and the manager. The VLAN must be created on the bridge defined earlier, since ether5 is a port of that bridge.
The setting looks like this:
/interface vlan
add interface=bridge1 name=vlan100 vlan-id=100
Then an IP address is added to the interface:
/ip address
add address=10.10.10.1/24 interface=vlan100 network=10.10.10.0
After that, set the option that marks this MikroTik as the manager. To do this, go to CAPsMAN -> Interfaces -> Manager and enable the option:
/caps-man manager
set enabled=yes
Now let's move on to the important section of the configuration. First, you need to define the security profiles, channels, and data paths.
CAPsMAN -> Security Cfg.
This section creates the security profiles that users need. In this particular case, two are created, one for each Wi-Fi network.
CAPsMAN -> Channels. This section defines the channels that the previously installed access points will use. There is an additional set of options for editing external data. Configuring MikroTik CAPsMAN 6.43 uses these parameters through synchronized channels of information.
It is worth remembering the following: if several access points share a common physical space, such as an office or an industrial warehouse, you first need to determine where the access points should be placed and make a map of their locations. Once this is done, you must assign channels to these access points. When configuring CAPsMAN 6.43, you will need to use all synchronization tools. It is important that network connections are activated.
If the CAPs are far apart, you can define the desired channels and also enable the extension channel.
CAPsMAN -> Datapath. In this section, you determine which bridge the generated CAP interfaces will be added to, and you also set the client-to-client forwarding option. This setting determines whether devices connected to a Wi-Fi network can see each other. For a network that gives access to the local network, you should enable it, and for Wi-Fi Internet, leave it unchecked.
To configure, you must specify the following parameters:
# Non-overlapping 2.4 GHz channels, plus one variant with an extension channel
/caps-man channel
add band=2ghz-b/g/n frequency=2412 name=channel1 width=20
add band=2ghz-b/g/n frequency=2437 name=channel6 width=20
add band=2ghz-b/g/n frequency=2462 name=channel11 width=20
add band=2ghz-b/g/n extension-channel=Ce frequency=2412 name=channel1-ext width=20
# datapath1: LAN bridge, clients may see each other; datapath2: Wi-Fi Internet bridge, forwarding left off
/caps-man datapath
add bridge=bridge1 client-to-client-forwarding=yes name=datapath1
add bridge=bridge2 name=datapath2
# One WPA2-PSK / AES-CCM profile per Wi-Fi network
/caps-man security
add authentication-types=wpa2-psk comment=corporate encryption=aes-ccm group-encryption=aes-ccm name=security1 passphrase=passw0rd
add authentication-types=wpa2-psk comment=WifiInternet encryption=aes-ccm group-encryption=aes-ccm name=security2 passphrase=W0rdpass
You must define the configurations that you intend to use. In this case, with the SSID Wifi-Corporate, the only thing that changes between access points is the channel. The “Wifi-guests” SSID depends on the configuration of the main (master) interface, so you do not need to define channels for it, only change the parameters related to the data path and security. Therefore, you will need to define the configurations as follows: three configurations with a different channel for the first SSID and one configuration for the second SSID. When using the MikroTik CAPsMAN v2 settings for a secure connection, it is important to create a key record in advance. After saving the network branch, it will be impossible to integrate the key there.
CAPsMAN -> Configurations. Below is an example of setting up the Wifi-Corporate SSID with channel 1. The example includes some parameters related to Wi-Fi. If you are going to use export, it is recommended to check the Max Station Count parameter, which determines how many devices can connect at a time:
/caps-man configuration
# Three corporate configurations that differ only in channel, and one guest configuration
add channel=channel1 country=russia datapath=datapath1 distance=indoors guard-interval=any hw-protection-mode=cts-to-self hw-retries=15 max-sta-count=15 mode=ap multicast-helper=full name=\
    corporate-channel1 rx-chains=0,1,2 security=security1 ssid=Wifi-Corporate tx-chains=0,1,2
add channel=channel6 country=russia datapath=datapath1 distance=indoors guard-interval=any hw-protection-mode=cts-to-self hw-retries=15 max-sta-count=15 mode=ap multicast-helper=full name=\
    corporate-channel6 rx-chains=0,1,2 security=security1 ssid=Wifi-Corporate tx-chains=0,1,2
add channel=channel11 country=russia datapath=datapath1 distance=indoors guard-interval=any hw-protection-mode=cts-to-self hw-retries=15 max-sta-count=15 mode=ap multicast-helper=full name=\
    corporate-channel11 rx-chains=0,1,2 security=security1 ssid=Wifi-Corporate tx-chains=0,1,2
add datapath=datapath2 name=guests security=security2 ssid=Wifi-guests
It remains only to provision the wireless access point interfaces in CAPsMAN -> Provisioning. The parameter is fully open and can be edited at almost any time. This is convenient because it allows you to add new networks even while connections are active. Configuring a MikroTik CAPsMAN hotspot is also possible. When saved, it can trigger a restart of shared connections.
Verify Configurations
Setting up a guest network in CAPsMAN follows the principle described above. The only difference is that entries for the connection protocols and encryption keys are added. In essence, you set the MAC address of the wireless interface of one of the access points that you are going to control. Next, you specify the “create enabled” action, which generates the CAP interface in the manager, where it remains static. You must select the main configuration, which in this case is corporate-channel1, and you also indicate that a virtual interface will be created with the guest configuration. The name format is used to identify the CAP by name after it is created on the CAPsMAN -> Interfaces tab. You can set the name yourself; with the identity option, the value is taken from System -> Identity on the MikroTik device. After that, the settings are activated according to the appointed schedule or automatically when prompted by the system.
Network settings in MikroTIk CAPsMAN can be applied when connecting a new gateway. First, you must activate the previously established security protocol for the individual bridge. Next, when you have done this, you need to configure CAP to communicate with the manager. , , 3, . VLAN , , ether1, , CAP PoE. IP VLAN, .
, Wireless -> Interfaces -> CAP CAP. , :
/interface wireless cap
set caps-man-addresses=10.10.10.1 enabled=yes interfaces=wlan1
CAPsMAN MikroTIk 5ghz . . System Manager Controlled Access Point . . CAPsMAN , , , .
CAPsMAN can run on any MikroTik RouterOS device starting with firmware version v6.11, and it does not require a wireless interface. To use the CAPsMAN function, the device must have at least a Level 4 RouterOS license. The utility can work in both NAT and bridge mode and does not require IP settings on the AP side.
Restrictions introduced
Setting up the MikroTik CAPsMAN guest network allows you to prohibit a number of actions. Basically, the function is used to limit the number of connections and subscribers so as not to overload each of the available gateways.
The CAP configuration is simple and convenient and should be used when there are more than 10 access points on the same network. Monitoring and controlling a wireless data channel is quite simple and quickly moves through the network when switching different data channels.
You can use any device running RouterOS v6.11 or higher with a Level 4 license. CAPsMAN can run on an access point itself if there is no need for a dedicated router as the system manager of the controlled access points.
Physical connection diagram
Configuring MikroTik CAPsMAN 6.42 also requires setting a number of basic parameters. Without these individual parameters, failures may occur in the connection and in the transmission of information. To further configure the router and connect additional channels of information, the settings are made in the following sections:
Enable CAPs Manager.
Add channel.
Add DataPath.
Wi-Fi security setting.
Wireless configuration.
Submission Rules.
Access Point Configuration
Enable CAP.
Configure the CAP interface and discovery interface.
Follow the instructions to configure the MikroTik controller as the centralized access point management server. They are available in Russian and appear automatically when editing the above sections. The hAP ac is configured in CAPsMAN in two bands. To do this, a service manager is used, which is installed in the utility by default.
Enabling Caps Manager in the router:
Log in to your MikroTik router using Winbox.
Find the CAPsMAN option, the second item in the menu on the left.
If there is no CAPsMAN option in the menu, make sure that the router is running RouterOS firmware v6.11 or higher. Try updating your router if you cannot find the files you need.
Now go to the CAP interface.
Click on the manager button.
Enable: check the box to enable and click the “Apply” button.
After enabling CAP, now go to the following steps:
Add channel for Mikrotik CAP.
Now add a channel to provide APs on the network. If you are using a dual-band access point and a single-channel access point, add both channels. Only the addition of a 2.4 GHz channel is described here. Repeat the same steps to add more channels and bands.
Go to the Channels tab and click the plus (+) button.
New CAPs Channel - Name - enter the name of the channel.
Frequency - enter the frequency. Use 2412, 2437, and 2462 for 2.4 GHz to avoid overlap.
Control channel width: if your network bandwidth is less than 50 Mbps, use 20; otherwise use 20/40 MHz.
Frequency band: for 2.4 GHz use 2 GHz b/g/n, and for 5 GHz use 5 GHz a/b/n/ac.
Click the Apply button to save.
Add DataPath to Caps. A data path is required to decide how your traffic goes to the access point. You need to select an interface here to select the CAPs controller for the data link for the CAP APs.
Go to the Datapaths tab and click the plus button (+).
New CAPs Datapaths configuration:
Name - enter the name that you want to use for data channels.
Bridge: Select the interface that you added to Bridge to connect to your Caps AP networks. If you are using a router with more than 3 LAN ports, use a bridge to use all the ports in the connection paths.
Local forwarding and redirection rules from client to client (if you want to create some kind of forwarding).
If your network operates in a VLAN, you can use the VLAN ID and VLAN type with this option to use multiple services.
Wi-Fi Security Configuration for CAP
Security is the most important part of the configuration, as it provides you with secure wireless networks. For this, the system parameters are also entered. The MikroTik CAPsMAN Wi-Fi guest network configuration should contain all the necessary security profiles. Without them, the communication node may be compromised.
To configure, perform the following steps:
Go to Security Cfg. and press the plus (+) button.
Name: enter a name for the security profile (for example, EXP-2.4G security key).
Authentication Type: use WPA PSK and WPA2 PSK (recommended).
Encryption: use aes-ccm.
Passphrase: enter your password here.
Click Apply and click OK to confirm.
To increase the security of 5 GHz wireless communications, repeat the same steps again with the plus (+) button.
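The guide relies on two settings for protection: the security profile, and the client-to-client forwarding choice made per network in the datapath. The following check of a `/caps-man` export for weak values of both is an added example, not part of the original article. The sample export is constructed, and the names `bridge2` and `Wifi-lobby`, the finding labels and the 12-character passphrase threshold are assumptions.

```python
import shlex

MIN_PASSPHRASE_LEN = 12  # assumption: local policy threshold, not a RouterOS limit

# Constructed sample export (not from the article); r""" keeps the "\" continuation.
SAMPLE_EXPORT = r"""
/caps-man datapath
add bridge=bridge1 client-to-client-forwarding=yes name=datapath1
add bridge=bridge2 client-to-client-forwarding=yes name=datapath2
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=security1 passphrase=passw0rd
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip group-encryption=tkip name=security2 passphrase=W0rdpass
/caps-man configuration
add channel=channel1 datapath=datapath1 mode=ap name=\
    corporate-channel1 security=security1 ssid=Wifi-Corporate
add datapath=datapath2 name=guests security=security2 ssid=Wifi-guests
add datapath=datapath2 name=lobby ssid=Wifi-lobby
"""


def parse_export(text):
    """Return (menu, verb, {property: value}) for each command in a RouterOS export."""
    entries, menu, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):          # value continues on the next line
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):         # menu path, e.g. /caps-man security
            menu = line
            continue
        verb, *args = shlex.split(line)
        entries.append((menu, verb, dict(a.split("=", 1) for a in args if "=" in a)))
    return entries


def audit(text, guest_ssids):
    """Return sorted (object name, issue) pairs for weak CAPsMAN settings."""
    entries = parse_export(text)

    def table(menu):
        return {p["name"]: p for m, v, p in entries
                if m == menu and v == "add" and "name" in p}

    security, datapath = table("/caps-man security"), table("/caps-man datapath")
    findings = set()
    for name, p in security.items():
        if "wpa-psk" in p.get("authentication-types", "").split(","):
            findings.add((name, "wpa1-allowed"))
        ciphers = p.get("encryption", "") + "," + p.get("group-encryption", "")
        if "tkip" in ciphers.split(","):
            findings.add((name, "tkip-allowed"))
        # Exports made with hide-sensitive omit the passphrase; check only if present.
        if "passphrase" in p and len(p["passphrase"]) < MIN_PASSPHRASE_LEN:
            findings.add((name, "short-passphrase"))
    for name, p in table("/caps-man configuration").items():
        inline = any(k.startswith("security.") for k in p)  # settings given inline
        if p.get("security") not in security and not inline:
            findings.add((name, "no-security-profile"))
        forwarding = datapath.get(p.get("datapath"), {}).get("client-to-client-forwarding", "no")
        if p.get("ssid") in guest_ssids and forwarding == "yes":
            findings.add((name, "guest-client-to-client-forwarding"))
    return sorted(findings)


if __name__ == "__main__":
    for obj, issue in audit(SAMPLE_EXPORT, guest_ssids={"Wifi-guests"}):
        print(f"{obj}: {issue}")
```

Run against a real export, a configuration that references a datapath by name is resolved to that datapath's forwarding setting, so a guest SSID inherits the finding even when the flag is set only on the datapath.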
Wifi control system
Now is the step to configure the wireless SSID and wireless name that initiate the CAP access points. Inside the wireless network, you must select a configured setting, such as a security profile, channels and data paths. Thus, the wireless configuration has 3-4 tabs to configure.
Go to the configuration tab and use the + plus button to add wireless settings:
Type: wireless.
Name: enter the name of the Wi-Fi network for identification in the controller.
Mode - AP.
SSID: Enter the Wi-Fi name to connect with mobile.
Mikrotik CAPsMAN load balancing group.
Type: Channel.
Now click on the channel tab and select the one you added earlier.
Mikrotik CAPsMAN create dynamics "on".
Now click on the Datapaths tab.
Select the Datapaths you created.
Click the Security tab to select the security profile that you created for both wireless ranges.
Select a security profile and click Apply.
Now, in the last stages of configuration, the CAP controller side will be configured:
Click on the Provisioning tab from CAPsMAN.
Click the + Plus button to create new rules.
Radio MAC: leave it as it is (the AP MAC will appear in the list).
Select Create Dynamic Enabled.
Master configuration: select the wireless configuration you created.
Slave configuration: this is for the Virtual AP configuration (if there is a VAP configuration).
Name format: select the name you want to receive in the list of Caps registration points.
Your side configuration is complete. Now you need to configure the AP side:
Configure an access point for CAP.
Log in using Winbox and follow the instructions to enable CAP.
Enable CAP.
After logging in, click Wireless in the settings menu on the left.
Press the CAP button.
Turn on the security system.
Interface: Select a wireless interface to enable CAP.
Discovery interface: select the plug-in AP interface to switch from the available CAPsMAN controller.
Bridge: select a mode interface. If you created another bridge on an option, select the same one.
Click "Apply" and OK after all the settings.
If you are using a dual-band access point, repeat the CAP enabling steps for the WLAN2 interface. After turning on the utility, the general profile will be disabled on the access point’s interface and it will be possible to control it from the CAPsMAN controller through the user's personal account.
Conclusion
CAPsMAN is a great way to manage a large wireless network from a central location without physically checking the status of each device. It lets you update, reboot, reset and configure individual access points. Therefore, if you use more than 10 access points, you must use the CAPsMAN controller to keep the network simple.