Tutorial By MikroRadius Team

CAPsMAN Setup Guide: Centralize Your MikroTik WiFi Network (2026)

Managing multiple MikroTik access points one by one is tedious. CAPsMAN turns your router into a central WiFi controller – push one configuration to all APs, enable roaming, and monitor clients from a single dashboard.

If you have more than one MikroTik wireless access point (AP), managing each device individually becomes a nightmare. Different SSIDs, mismatched passwords, and no client roaming. CAPsMAN (Controlled Access Point System Manager) solves this by turning your router into a central WiFi controller. This guide walks you through setting up CAPsMAN on RouterOS v7 – from basic configuration to advanced features like datapath bridging and band steering.

Why Use CAPsMAN?

  • Central configuration – Change SSID, password, or channel once, and it applies to all CAPs.
  • Seamless roaming – Clients move between APs without disconnecting (when using local forwarding or CAPsMAN forwarding with proper settings).
  • Simplified monitoring – View all connected WiFi clients, signal strengths, and data rates from one dashboard.
  • Automatic CAP discovery – New APs can be adopted automatically.
  • Band steering – Encourage dual‑band clients to use 5 GHz for better performance.

Prerequisites

  • One MikroTik router as CAPsMAN server (can be any RouterOS device).
  • One or more MikroTik devices as CAPs (Controlled Access Points) – these can be routers or dedicated wireless interfaces.
  • All devices must run RouterOS v7 (v6 works but with different menus).
  • The CAPs must be able to reach the CAPsMAN server over Layer 2 (same VLAN) or Layer 3 (routed).

Step 1: Enable CAPsMAN on the Manager (Router)

On your central router, enable the CAPsMAN service.

/caps-man manager set enabled=yes
/caps-man manager set package-path=/

WinBox: Wireless → CAPsMAN → Manager tab → check Enabled → OK.

The package-path allows CAPs to download required wireless packages if they don't have them.

Step 2: Create a CAPsMAN Configuration (Provisioning Rule)

Provisioning rules tell the CAPsMAN how to configure CAPs when they connect. You can have different rules for different APs (e.g., based on MAC address or radio MAC).

First, create a datapath (defines how traffic flows between CAP and manager).

/caps-man datapath add name=datapath1 bridge=bridge-local local-forwarding=yes

local-forwarding=yes means WiFi traffic goes directly from the CAP to your LAN/internet without tunnelling to CAPsMAN. This is more efficient.

Next, create the security profile. It has to exist before the configuration that references it:

/caps-man security add name=sec-default authentication-types=wpa2-psk encryption=aes-ccm passphrase=YourStrongPassword

Now create a configuration (SSID, security, country, etc.):

/caps-man configuration add name=cfg-main ssid=MyOfficeNetwork country=united-states datapath=datapath1 security=sec-default

Finally, create a provisioning rule that applies this configuration to all CAPs:

/caps-man provisioning add action=create-dynamic-enabled master-configuration=cfg-main

WinBox alternative: Under CAPsMAN → Configurations, create Datapath, Security, Configuration, then under Provisioning add a rule with action create dynamic enabled.

Step 3: Configure the CAP (Access Point)

On each MikroTik device that will act as an AP (CAP):

/interface wireless cap set enabled=yes interfaces=wlan1 discovery-interfaces=bridge-local

Replace wlan1 with your actual wireless interface name. The CAP settings live under /interface wireless cap on the access point, not under /caps-man, which is the manager's menu. The CAP will automatically discover the CAPsMAN manager on the same subnet (broadcast) or at a specified IP address.

If CAPsMAN is on a different subnet, specify its IP:

/interface wireless cap set enabled=yes interfaces=wlan1 caps-man-addresses=192.168.1.10

After a few seconds, the CAP should appear in the CAPsMAN → Remote CAPs tab. It will receive the configuration and start broadcasting the SSID.

Step 4: Verify and Monitor

On the CAPsMAN server, view connected CAPs:

/caps-man remote-cap print
/caps-man registration-table print

WinBox: CAPsMAN → Remote CAPs shows each AP; Registration Table shows connected WiFi clients.

Step 5: Advanced – Band Steering and Channel Planning

To improve performance, define channel settings and enable band steering.

Create a channel configuration:

/caps-man channel add name=ch-2ghz band=2ghz-g/n frequency=2412,2437,2462 width=20
/caps-man channel add name=ch-5ghz band=5ghz-a/n/ac frequency=5180,5200,5220,5240 width=20/40/80

Assign channels to your main configuration:

/caps-man configuration set cfg-main channel=ch-2ghz

For dual‑band radios, you need separate configurations or a second interface (e.g., wlan2). Create a second config for 5 GHz:

/caps-man configuration add name=cfg-5ghz ssid=MyOfficeNetwork-5G country=united-states datapath=datapath1 security=sec-default channel=ch-5ghz

Then modify provisioning to assign 2 GHz to one radio and 5 GHz to another based on radio MAC or interface name. Simpler: On the CAP itself, ensure both wlan1 (2 GHz) and wlan2 (5 GHz) are listed in the CAP configuration:

/interface wireless cap set interfaces=wlan1,wlan2

The provisioning rule will apply the master configuration to both – you might want to use radio‑mac matching for different configs.
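
One way to do the per-band split described above, as an added example that is not part of the original article. It matches on the modes each radio reports (hw-supported-modes) instead of on radio MAC, and assumes the catch-all rule from Step 2 is the only rule that references cfg-main.

```routeros
# Added example, not from the original article.
# Assumes cfg-main (channel=ch-2ghz) and cfg-5ghz from the steps above.

# Remove the catch-all rule from Step 2 so it cannot hand the 2.4 GHz
# configuration to a 5 GHz radio.
/caps-man provisioning remove [find master-configuration=cfg-main]

# 2.4 GHz radios (they report g/n support) get cfg-main.
/caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg-main comment="2.4 GHz radios"

# 5 GHz radios (they report ac support) get cfg-5ghz.
/caps-man provisioning add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=cfg-5ghz comment="5 GHz radios"

# A radio that matches neither rule is left unprovisioned; check the result.
/caps-man provisioning print
/caps-man interface print
```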

Step 6: Enable Fast Roaming (802.11r)

For seamless VoIP or video calls while moving between APs, enable 802.11r (Fast Transition).

/caps-man security set sec-default ft=yes ft-over-ds=yes

Note: Older clients may not support 802.11r, but most modern devices do.

Step 7: Layer 3 CAPsMAN (CAPs Over Different Subnets)

If your CAPs are in different IP subnets (e.g., remote office), you need to tell CAPs the manager's IP and ensure UDP ports are open.

On CAP:

/interface wireless cap set caps-man-addresses=203.0.113.10

On CAPsMAN, add the remote subnet to the allowed addresses or ensure no firewall blocks UDP 5246 and 5247 (CAPsMAN protocol).

Also, the CAP must be able to reach the manager's IP – configure routing and firewall accordingly.
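
A manager-side firewall for the Layer 3 case, as an added example that is not part of the original article: it admits CAPsMAN traffic only from known CAP subnets and logs everything else. The subnet 198.51.100.0/24 and the list name capsman-caps are assumed placeholders.

```routeros
# Added example, not from the original article.
# Assumed values: 198.51.100.0/24 stands in for the remote office subnet,
# "capsman-caps" is a hypothetical address-list name.
/ip firewall address-list
add list=capsman-caps address=198.51.100.0/24 comment="remote office CAPs (assumed subnet)"

/ip firewall filter
# Allow the CAPsMAN ports (UDP 5246/5247) only from listed CAP subnets.
add chain=input protocol=udp dst-port=5246,5247 src-address-list=capsman-caps action=accept comment="CAPsMAN from known CAPs"
# Drop and log CAPsMAN attempts from any other source.
add chain=input protocol=udp dst-port=5246,5247 action=drop log=yes log-prefix="capsman-deny" comment="CAPsMAN from anyone else"
```

The add command appends rules to the end of the input chain, so move these two above any existing general drop rule.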

Step 8: Troubleshooting CAPsMAN

  • CAP does not appear in Remote CAPs: Check that CAPsMAN is enabled. On the CAP, run /interface wireless cap print to verify it's enabled and the interface name is correct. Ensure no firewall on the CAP blocks UDP 5246/5247 outbound.
  • CAP appears but has no configuration: Verify provisioning rule exists and that the CAP's radio MAC matches any specific rules (or use a catch‑all). Check the logs: /log print where topics~"caps".
  • Clients cannot connect or get no IP: Ensure the datapath's bridge is correct and that the bridge has an IP and DHCP server. If using local forwarding, the CAP's bridge must be properly configured (usually a bridge containing the CAP's LAN and wlan interface).
  • Performance issues or disconnections: Check channel interference. Use /caps-man access-list to reject weak clients or enforce minimum signal strength.
  • CAPsMAN not working after RouterOS upgrade: In v7, CAPsMAN is still under /caps-man as in v6, but the syntax differs. Ensure you're using v7 commands.

Step 9: Using Access Lists for Client Management

You can accept or reject clients based on MAC address, signal strength, or SSID. For example, to block a specific client:

/caps-man access-list add mac-address=AA:BB:CC:DD:EE:FF action=reject

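To require a minimum signal strength of -70 dBm, accept clients at -70 dBm or stronger and reject the rest. An accept rule on its own changes nothing, because clients that match no rule are accepted by default:

/caps-man access-list add signal-range=-70..120 action=accept
/caps-man access-list add signal-range=-120..-71 action=reject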

Step 10: Backing Up CAPsMAN Configuration

The CAPsMAN configuration is stored on the manager router. Back it up regularly:

/export file=capsman-backup
/caps-man export file=wifi-config

To restore, simply import the script on a new manager – the CAPs will automatically reconnect and receive the config.

Real‑World Deployment Examples

Example 1: Small Office with Two APs (Same Subnet)

Manager = main router (192.168.1.1). CAPs = two hAP ac lite units connected via Ethernet. Use local forwarding, same SSID, 2.4 GHz only. Provisioning rule applies to all CAPs. Clients roam naturally (though not as seamless as 802.11r).

Example 2: Warehouse with Three APs and 5 GHz Backhaul

Use CAPsMAN on a central CCR. Set up two SSIDs: "Staff" (WPA2) and "IoT" (open with captive portal). Use VLANs to separate traffic. Enable band steering to push 5 GHz‑capable clients to 5 GHz.

Example 3: Remote Branch Offices with Local CAPsMAN Forwarding

Each branch has its own CAPsMAN manager (or one central manager over Layer 3). Use local forwarding so internet traffic doesn't hairpin to headquarters. For management traffic, only control plane goes to CAPsMAN.

Comparison: CAPsMAN vs. Standalone APs vs. Other Controllers

Feature            | CAPsMAN                       | Standalone APs           | UniFi Controller
Central management | ✅ Yes                        | ❌ No                    | ✅ Yes
Cost               | Free (with MikroTik hardware) | Free (per device config) | Free software + UniFi hardware
Roaming support    | ✅ Yes (802.11r)              | 🟡 Client‑managed        | ✅ Yes
VLAN per SSID      | ✅ Yes                        | ✅ Yes (manual)          | ✅ Yes
Client isolation   | ✅ Yes                        | ✅ Yes                   | ✅ Yes

Conclusion

CAPsMAN transforms a collection of individual MikroTik APs into a cohesive, centrally managed wireless network. Whether you're running a small office with two APs or a campus with dozens, CAPsMAN saves time, ensures consistency, and improves the roaming experience for users.

Once you master the basics, explore CAPsMAN over VLANs for multi‑tenant networks, WPA3 support in RouterOS v7, and spectrum analysis for interference detection. For large deployments, consider using CAPsMAN in a CHR virtual machine to offload processing from your main router.
