Add WiFi/CAPsMAN config and fix Xiaomi OUI misidentification

- Created docs/19-WIFI-CAPSMAN-CONFIG.md documenting working WiFi settings
- Fixed 38:1F:8D:04:6F:E4 OUI - was incorrectly labeled as Tuya, is actually Xiaomi
- XTRM2 (2.4GHz) requires WPA+WPA2 with TKIP for legacy device compatibility
- CAPsMAN working with CAP XL ac on 2.4GHz

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/03-VLAN-DEVICE-ASSIGNMENT.md

@@ -1,6 +1,6 @@
 # VLAN Device Assignment Map
 
-**Last Updated:** 2026-01-25  
+**Last Updated:** 2026-02-01  
 **Purpose:** Complete inventory of all network devices with VLAN assignments
 
 ---
@@ -76,10 +76,10 @@
 | 192.168.31.116 | 192.168.30.21 | C8:D7:78:40:65:40 | Bosch Dishwasher | Kitchen | Home Connect app |
 | 192.168.31.117 | 192.168.30.22 | C8:D7:78:D6:DC:FC | Bosch Washer | Kids Bathroom| Home Connect app |
 | 192.168.31.106 | 192.168.30.31 | 18:DE:50:5B:C8:A6 | Tuya Smart Device | - | OUI: Tuya Smart Inc. |
-| 192.168.31.113 | 192.168.30.32 | 38:1F:8D:04:6F:E4 | Tuya Smart Device | - | OUI: Tuya Smart Inc. |
+| 192.168.31.113 | 192.168.30.32 | 38:1F:8D:04:6F:E4 | Xiaomi Smart Device | - | OUI: Xiaomi |
 | 192.168.31.149 | 192.168.30.33 | D4:AD:FC:BE:13:B0 | Tuya Smart Device | - | OUI: Tuya Smart Inc. |
 | 192.168.31.106 | 192.168.30.34 | 18:DE:50:5B:C8:A6 | Tuya Smart Device | - | OUI: Tuya Smart Inc. |
-| 192.168.31.113 | 192.168.30.35| 38:1F:8D:04:6F:E4 | Tuya Smart Device | - | OUI: Tuya Smart Inc. |
+| 192.168.31.113 | 192.168.30.35| 38:1F:8D:04:6F:E4 | Xiaomi Smart Device | - | OUI: Xiaomi |
 | 192.168.31.149 | 192.168.30.38| D4:AD:FC:BE:13:B0 | Shenzhen Intellirocks | - | Smart Device |
 | 192.168.31.101 | 192.168.30.39 | C8:5C:CC:52:EA:53 | Xiaomi Air Purifier | - | Mi Home app |
 ---
@@ -162,7 +162,7 @@ C8:D7:78:D6:DC:FC  Bosch Washer
 C8:D7:78:40:65:40  Bosch Dishwasher
 50:2C:C6:7A:55:39  GREE Appliance
 18:DE:50:5B:C8:A6  Tuya Device 1
-38:1F:8D:04:6F:E4  Tuya Device 2
+38:1F:8D:04:6F:E4  Xiaomi Smart Device
 D4:AD:FC:BE:13:B0  Intellirocks Device
 ```
 
@@ -209,7 +209,7 @@ D0:C9:07:8C:C9:46  Private Vendor 2
 | DC:03:98 | LG Innotek | TV/Displays (WiFi) |
 | 50:2C:C6 | GREE Electric Appliances (Zhuhai) | AC/Appliances |
 | 18:DE:50 | Tuya Smart Inc. | IoT Platform |
-| 38:1F:8D | Tuya Smart Inc. | IoT Platform |
+| 38:1F:8D | Xiaomi | Smart Home Devices |
 | D4:AD:FC | Shenzhen Intellirocks Tech | Smart Devices |
 | AC:87:A3 | Apple Inc. | Consumer Electronics |
 | D0:C9:07 | Private (IEEE hidden) | Unknown |
@@ -235,7 +235,7 @@ D0:C9:07:8C:C9:46  Private Vendor 2
 |------|----|---------|
 | 30 (IoT) | 192.168.31.139 | GREE Air Conditioner |
 | 30 (IoT) | 192.168.31.106 | Tuya Smart Device #1 |
-| 30 (IoT) | 192.168.31.113 | Tuya Smart Device #2 |
+| 30 (IoT) | 192.168.31.113 | Xiaomi Smart Device |
 | 30 (IoT) | 192.168.31.149 | Shenzhen Intellirocks Smart Device |
 | 50 (Guest) | 192.168.31.15 | Apple device (unknown owner) |
 | 50 (Guest) | 192.168.31.142 | Privacy MAC device |

docs/19-WIFI-CAPSMAN-CONFIG.md

@@ -0,0 +1,200 @@
+# WiFi and CAPsMAN Configuration
+
+**Last Updated:** 2026-02-01
+**Purpose:** Document WiFi network settings, CAPsMAN configuration, and device compatibility requirements
+
+---
+
+## Network Overview
+
+| SSID | Band | Purpose | Password |
+|------|------|---------|----------|
+| XTRM | 5GHz | Primary network (fast devices) | `M0stW4nt3d@home` |
+| XTRM2 | 2.4GHz | IoT/Legacy devices | `M0stW4nt3d@IoT` |
+
+---
+
+## XTRM (5GHz) - wifi1
+
+**Target:** Modern devices (phones, laptops, tablets)
+
+| Setting | Value |
+|---------|-------|
+| SSID | XTRM |
+| Band | 5GHz |
+| Mode | 802.11ax (WiFi 6) |
+| Channel | Auto (DFS enabled) |
+| Width | 80MHz |
+| Security | WPA2-PSK + WPA3-PSK |
+| Cipher | CCMP (AES) |
+| 802.11r (FT) | Enabled |
+| Password | `M0stW4nt3d@home` |
+
+---
+
+## XTRM2 (2.4GHz) - wifi2
+
+**Target:** IoT devices, legacy devices, smartwatches
+
+### CRITICAL COMPATIBILITY REQUIREMENTS
+
+Some devices (Tuya JMWZG1 gateway, Amazfit TREX3, iPad 2) require legacy settings:
+
+| Setting | Value | Reason |
+|---------|-------|--------|
+| SSID | XTRM2 | |
+| Band | 2.4GHz | IoT compatibility |
+| Mode | **802.11g** | Legacy device support |
+| Channel | **1 (2412 MHz)** | Most compatible |
+| Width | **20MHz** | Required for old devices |
+| Security | **WPA-PSK + WPA2-PSK** | WPA needed for legacy |
+| Cipher | **TKIP + CCMP** | TKIP required for old devices |
+| 802.11r (FT) | **Disabled** | Causes issues with IoT |
+| Password | `M0stW4nt3d@IoT` | |
+
+### Devices Requiring WPA + TKIP
+
+| Device | MAC Address | Model | Notes |
+|--------|-------------|-------|-------|
+| Amazfit TREX3 | TBD | Smartwatch | Requires WPA+TKIP |
+| Tuya Smart Gateway | TBD | JMWZG1 | Requires WPA+TKIP |
+| iPad 2 | TBD | A1395/A1396 | Legacy device |
+
+### RouterOS Commands for XTRM2
+
+```routeros
+# Working configuration for legacy devices
+/interface wifi set wifi2 \
+    channel.frequency=2412 \
+    channel.band=2ghz-g \
+    channel.width=20mhz \
+    security.authentication-types=wpa-psk,wpa2-psk \
+    security.encryption=tkip,ccmp \
+    security.ft=no \
+    security.ft-over-ds=no \
+    security.passphrase="M0stW4nt3d@IoT"
+```
+
+### Fallback (Maximum Compatibility)
+
+If devices still can't connect, use WPA-only with TKIP-only:
+
+```routeros
+/interface wifi set wifi2 \
+    security.authentication-types=wpa-psk \
+    security.encryption=tkip
+```
+
+---
+
+## CAPsMAN Configuration
+
+### Manager (HAP ax³ - 192.168.10.1)
+
+| Setting | Value |
+|---------|-------|
+| Enabled | Yes |
+| Interfaces | bridge, vlan10-mgmt |
+| Certificate | Auto-generated |
+
+### CAP Device (CAP XL ac - 192.168.10.2)
+
+| Setting | Value |
+|---------|-------|
+| caps-man-addresses | 192.168.10.1 |
+| certificate | request |
+| SSH Port | 2222 |
+
+### CAP Interfaces
+
+| Interface | Radio | Band | SSID | Status |
+|-----------|-------|------|------|--------|
+| cap-wifi1 | wifi1 | 2.4GHz | XTRM2 | Working |
+| cap-wifi2 | wifi2 | 5GHz | XTRM | Channel issues (disabled) |
+
+### CAP Access List Rule
+
+CAP clients bypass VLAN assignment (go to VLAN 10):
+
+```routeros
+/interface wifi access-list add \
+    interface=cap-wifi1 \
+    action=accept \
+    comment="CAP clients - no VLAN" \
+    place-before=0
+```
+
+---
+
+## WiFi Access List (VLAN Assignment)
+
+Devices are assigned to VLANs based on MAC address:
+
+| VLAN | Purpose | Example Devices |
+|------|---------|-----------------||
+| 20 | Trusted | MacBooks, iPhones, Samsung phones |
+| 25 | Kids | Kids devices |
+| 30 | IoT | Smart home devices, Chromecast, Bosch appliances |
+| 40 | Catch-All | Unknown devices (default) |
+
+### Current Access List
+
+```routeros
+/interface wifi access-list print
+```
+
+---
+
+## Troubleshooting
+
+### Device can see XTRM2 but can't connect
+
+1. Check security settings - device may need WPA (not WPA2)
+2. Check cipher - device may need TKIP (not CCMP/AES)
+3. Try 802.11g mode instead of 802.11n
+4. Use channel 1, 6, or 11
+
+### Device connects but disconnects immediately
+
+1. Check if 802.11r (Fast Transition) is disabled
+2. Check VLAN assignment - CAP clients need special rule
+3. Check channel width - use 20MHz for stability
+
+### CAP not connecting to CAPsMAN
+
+1. Check certificate - remove old cert and re-request
+2. Check firewall - ports 5246-5247 UDP must be open
+3. Check interface binding - CAPsMAN must listen on correct interface
+
+---
+
+## Backup Files
+
+| File | Location | Purpose |
+|------|----------|---------|
+| wifi-backup-working.rsc | Router files | WiFi config export |
+| config-backup-working.backup | Router files | Full system backup |
+
+---
+
+## Quick Reference
+
+### Show WiFi status
+```routeros
+/interface wifi print
+/interface wifi monitor wifi2 once
+/interface wifi registration-table print
+```
+
+### Show security settings
+```routeros
+/interface wifi security print detail
+:put [/interface wifi get wifi2 security.authentication-types]
+:put [/interface wifi get wifi2 security.encryption]
+```
+
+### Check CAPsMAN
+```routeros
+/interface wifi capsman print
+/interface wifi capsman remote-cap print
+```