Assuming that you know the basics of how to set up a Mikrotik router (or think you do), the following is how to program CAPsMan on a Mikrotik router. The router used for the main controller is the RB2011 (although everything shown will apply to pretty much any of their other routers too). Access Points used are the RBcAP2n. The firmware at the time of this document is 6.35.1 for all devices. I programmed the devices using Winbox version 3.4.


Overview –

CAPsMAN is simply another section within a Mikrotik router starting at 6.21 which enables the router to double as a wireless Access Point Controller. It does not have to be set up as a router to run CAPsMAN, I have installations where this is the case which is especially handy if you inherited or are in the process of taking over someone else’s network. If you do this, however, be sure to get your settings right for DHCP, subnetting etc. as you can really jack up a network if you don’t. The AP’s (or endpoint devices) are essentially slaves to the controller – as with just about any managed WiFi setup. In the beginning, you will access the APs directly either with Winbox or a browser – I highly recommend using Winbox but there after you will spend 95% of your WiFi time in the controller. Winbox will find any Mikrotik device on the network whether it has an IP address or not and will list them in the ‘Neighbors’ tab as long as you’re on the same network.

Some Advice …

If you are starting from scratch, and are NOT using the RB2011 (or any of the routers eg 751, 951) as a main router, reset all the devices to default and do not use the factory setting. Most Mikrotik purists do this anyway but for the record, you want as little in the units as possible. If, however, you are working with a router that is already in production, make sure that nothing has been set in the CAPsMAN section and still reset the access points themselves with no factory programming. This will take a lot of the guess work and head scratching out of the equation if you have to trouble shoot.

Step 1 – Check the installed Packages.

For all devices, go to System/Packages and make sure that “wireless-cm2” is not greyed out. If it is, highlight it and click on the Enable button at the top and then reboot the router. FYI – In previous versions, they used to use the “wireless-fp”.

Step 2 – Configure the Bridge

If you have totally defaulted the devices without any factory settings, you will need to create your bridge. In the RB2011, ports 1 through 5 are Gigabit and 6 through 10 are 10/100MB and for now you can put them all on the same bridge. There is also a fiber port denoted as “sfp1” which can go on there as well even if you’re not going to use it. Since the RB2011 does not have any WiFi interface (which, btw, is why I like using it as a router/controller) you don’t have to add that to the bridge. If your device has a wireless interface then be sure to add it.
If you are working on a system that is already in production, then most of the above is already done. It won’t hurt to verify it though.

Step 3 – Setting up the controller

This is where you will set up the main controller – here the RB2011. Open the main CAPsMAN section, make sure the “Interfaces” tab is selected and then click on the “Manager” button. Check the “Enabled” checkbox and then “Apply” or “Ok”.

Next, click on the Configurations tab, click the “+” sign to add a configuration and go through the tabs described below.


Wireless Tab

Name = [name, default is “cfg1”] Mode = ap [this is your only choice btw] SSID = [what you want users to see when searching for the WiFi, eg, “ABC Company WiFi] Country = United States


For the rest, just leave them as they are. In a future release, we’ll talk about guest WiFi accounts and hiding your SSID but let’s just get this one going first.

Channel Tab

Leave it default.

Datapath Tab

Select the Bridge field and from the dropdown menu, select your bridge. Leave everything else blank.


Security Tab

Authentication Type – Enable WPA PSK, WPA2 PSK (don’t enable WPA EAP or WPA2 EAP because the user will be prompted to enter a user name along with the password which tends to confuse them, and trust me, it doesn’t take much to confuse them!)
Encryption – Enable aes ccm only
Passphrase = [the password you set]


Next, go to the CAPsMAN/Provisioning tab and click “+” to add a provisioning profile
Action = create dynamic enable
Master Configuration = [cfg1 (default) or whatever you named it].


What this does is dynamically provision any cAP device that requests to join up. By dynamic, I mean that the registering device will get all the settings and a name with the prefix you set incremented by 1 each time a device registers (or re-registers). If you don’t put anything in the “Name Prefix” field, it will default to “cap[number]”. The convenient side to this is that it’s a “one and done” setting. Any new AP’s will automatically get their settings and a new name in the Name-Prefix+1 format. The annoying part is that if you have a device that is constantly going up and down due to a poor connection or some sort of network flakiness, it will increment to the next number forever.


For this basic set up, leave the rest as they are. There are going to be times when you will tweak these but this isn’t one of them.

Step 4 – Setting up the APs

At this point, you have the controller set up and ready to receive an AP. At the AP, select Wireless/Interfaces and click on CAP. Click the enable checkbox and make sure the Interfaces, Discovery Interfaces and Bridge field are set (correctly!) and click Apply/OK. When done, you should see the screens below from your AP device and for your controller.


Once things are set up for both the AP and Controller, you will see the AP’s appearing on the CAPsMAN/Interfaces tab. You can modify the columns that appear in this table by clicking on the far right arrow To the left of the Name field is the current status of the AP;


D = Dynamic – this is what should be there when you have selected “Create Dynamic” for an “Action” in the Provisioning tab. If you are provisioning the AP’s manually (we’ll see that in a later installment of CAPsMAN), then it will not be there.

R = Running – this will be there as long as a device is connected to that interface.
SMB = Slave/Master/Bound and simply indicates that the device is bound as a slave to the master interface of the controller.

Monitoring WiFi Activity

As the administrator, from here on out you will spend most of your WiFi admin time looking at the Remote CAP, Radio and Registration tabs. Some of the information will be redundant but each tab will have something unique.

Remote CAP
= This is the loose equivalent of a ‘Properties’ window in W7/W10 etc. without the IP address. You’ll see the serial number, wlan1 MAC, the type of device (i.e. RBcAP2n or something else), etc. You can also force the device to re-provision by clicking the “Provision” box.


= MAC for the ether1 and wlan, the Identity of the AP (very helpful when you’re trying to figure out which AP is which) and its interface on the controller.


Registration Table
= This is the one you will probably look at the most especially if you have more than 3 or 4 AP’s. Here you will see every device that is connected to the CAPsMAN WiFi, what their Transmit (Tx Rate) and Receive rate (Rx Rate) is and, most importantly, which AP they are connected to – all in real time.


One cool setting I recommend is to enable the “Show Categories” that you will see if you click on the down arrow at the far right. Your preference either way but I think it’s helpful to see who-is-connected-to-what at a glance. This option was there – sort of – in 6.32 but not as handy as it is in 6.35.


At this point – in theory – you should be up and running with throngs of happy WiFi users high-fiving you as you parade triumphantly down the hallways of your office. Be sure to tell them how complex it was but you applied yourself and met the challenge. If not, blame the misinformation you got on the internet. That, by the way, would be Dallan and not me.