New Structure:
- 01-NETWORK-MAP.md - Network topology, IPs, Docker networks, services
- 02-SERVICES-CRITICAL.md - DNS, Auth, Routing (P0/P1 services)
- 03-SERVICES-OTHER.md - All non-critical services
- 04-HARDWARE-INVENTORY.md - Physical devices and specs
- 05-CHANGELOG.md - Major events only

New Folders:
- docs/archive/ - Legacy docs (read-only reference)
- docs/wip/ - Planned changes and ideas
- UPGRADE-2026-HARDWARE.md - N5 Air + N100 migration plan
- GITOPS-CONTAINERS.md - Phase 2 container GitOps

Changes:
- Moved all 22 legacy docs to archive/
- Consolidated container IPs, physical map, and services into single network map
- Extracted critical vs non-critical service classification
- Simplified changelog to major events only

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
MikroTik WiFi & CAPsMAN Configuration
Document Created: 2026-01-18
Last Updated: 2026-01-18
Device Inventory
MikroTik hAP ax³ (CAPsMAN Controller)
| Parameter | Value |
|---|---|
| Role | Main Router + CAPsMAN Controller |
| IP Address | 192.168.31.1 |
| RouterOS Version | 7.20.6 (stable) |
| Identity | HAPax3 |
SSH Connection:
# From Unraid server (key-based)
ssh -i /root/.ssh/mikrotik_key -p 2222 xtrm@192.168.31.1
# Alternative user
ssh -i /root/.ssh/mikrotik_key -p 2222 unraid@192.168.31.1
MikroTik cAP ac (Managed Access Point)
| Parameter | Value |
|---|---|
| Role | CAPsMAN Managed Access Point |
| IP Address | 192.168.31.6 |
| RouterOS Version | 7.20.1 (stable) |
| Identity | CAP XL ac |
| Board | RBcAPGi-5acD2nD |
SSH Connection:
# Key-based (from desktop)
ssh -p 2222 xtrm@192.168.31.6
# Password-based
ssh -p 2222 xtrm@192.168.31.6
# Password: M0stW4nt3d@xtrm
WiFi Networks
XTRM (Main Network)
| Parameter | Value |
|---|---|
| SSID | XTRM |
| Password | M0stW4nt3d@home |
| Bands | 2.4GHz + 5GHz |
| Security | WPA-PSK, WPA2-PSK (2.4GHz) / WPA2-PSK, WPA3-PSK (5GHz) |
XTRM2 (IoT Network)
| Parameter | Value |
|---|---|
| SSID | XTRM2 |
| Password | M0stW4nt3d@IoT |
| Bands | 2.4GHz only |
| Security | WPA-PSK, WPA2-PSK |
| Purpose | Legacy/IoT devices |
WiFi Interfaces
hAP ax³ (Local Interfaces)
| Interface | Band | SSID | Channel | Status |
|---|---|---|---|---|
| hap-wifi1 | 5GHz | XTRM | 5180, 5260, 5500 (80MHz) | Running |
| hap-wifi2 | 2.4GHz | XTRM | 2412, 2432, 2472 (20MHz) | Running |
| hap-wifi2-virtual1 | 2.4GHz | XTRM2 | 2412, 2432, 2472 (20MHz) | Running |
cAP ac (CAPsMAN Managed)
| Interface | Band | SSID | Channel | Status |
|---|---|---|---|---|
| cap-wifi1 | 2.4GHz | XTRM | 2432 (20MHz) | Running |
| cap-wifi1-virtual1 | 2.4GHz | XTRM2 | (virtual) | Running |
| cap-wifi2 | 5GHz | XTRM | 5260 (80MHz, DFS) | Running |
CAPsMAN Configuration
Controller Settings (hAP ax³)
/interface/wifi/capsman/print
enabled: yes
interfaces: bridge
require-peer-certificate: no
upgrade-policy: none
generated-ca-certificate: WiFi-CAPsMAN-CA-789A182CA548
generated-certificate: WiFi-CAPsMAN-789A182CA548
Channel Configurations
/interface/wifi/channel/print
0 name="ch-2ghz" frequency=2412,2432,2472 width=20mhz
1 name="ch-5ghz" frequency=5180,5260,5500 width=20/40/80mhz
Security Profiles
/interface/wifi/security/print
0 name="sec-XTRM" authentication-types=wpa2-psk,wpa3-psk
passphrase="M0stW4nt3d@home"
1 name="sec-IoT" authentication-types=wpa-psk,wpa2-psk
passphrase="M0stW4nt3d@IoT" disable-pmkid=yes
WiFi Configurations
/interface/wifi/configuration/print
0 name="cfg-XTRM5g" ssid="XTRM"
security.authentication-types=wpa-psk,wpa2-psk
channel=ch-5ghz channel.band=5ghz-ac
datapath.bridge=bridge
1 name="cfg-XTRM2g" ssid="XTRM"
security.authentication-types=wpa-psk,wpa2-psk
channel=ch-2ghz channel.band=2ghz-n
datapath.bridge=bridge
2 name="cfgXTRM-IoT" ssid="XTRM2"
security.authentication-types=wpa-psk,wpa2-psk
channel=ch-2ghz channel.band=2ghz-n
datapath.bridge=bridge
Provisioning Rules
/interface/wifi/provisioning/print
0 comment="XTRM-5G"
supported-bands=5ghz-ac
action=create-dynamic-enabled
master-configuration=cfg-XTRM5g
1 comment="XTRM-2G"
supported-bands=2ghz-n
action=create-dynamic-enabled
master-configuration=cfg-XTRM2g
slave-configurations=cfgXTRM-IoT
CAP Configuration (cAP ac)
CAP Settings
/interface/wifi/cap/print
enabled: yes
discovery-interfaces: bridge
caps-man-addresses: 192.168.31.1
Interface Manager Settings
Both radios must be set to CAPsMAN managed:
/interface/wifi set wifi1 configuration.manager=capsman
/interface/wifi set wifi2 configuration.manager=capsman
Legacy Device Compatibility
iPad 2 / Older Devices
Older devices (pre-2012) may not support:
- WPA3-PSK
- PMF (Protected Management Frames)
- 5GHz band
Solution: Use XTRM2 network which supports WPA-PSK/WPA2-PSK without WPA3.
Important Notes
- WPA + WPA3 Incompatibility: MikroTik does not allow WPA-PSK and WPA3-PSK in the same configuration. Use WPA-PSK + WPA2-PSK for legacy support.
- Management Protection: When using WPA3, management-protection must be "allowed" or "required". Setting it to "disabled" with WPA3 will cause the interface to become inactive.
- Band Configuration: Ensure configuration templates have the correct channel.band settings:
  - 5GHz configs: 5ghz-ac or 5ghz-ax
  - 2.4GHz configs: 2ghz-n or 2ghz-ax
Useful Commands
Check Connected Clients
/interface/wifi/registration-table/print
Check CAPsMAN Remote CAPs
/interface/wifi/capsman/remote-cap/print
Check All WiFi Radios
/interface/wifi/radio/print
Check Interface Status
/interface/wifi/print
Restart WiFi Interface
/interface/wifi disable [interface-name]
:delay 2s
/interface/wifi enable [interface-name]
View WiFi Logs
/log print where topics~"wireless" or topics~"wifi"
Troubleshooting
Interface Shows "I" (Inactive)
- Check for configuration errors in detail view:
  /interface/wifi/print detail where name=[interface]
- Look for comment warnings like:
  - "can't use WPA with WPA3"
  - "management protection should be allowed or required with WPA3"
  - "no available channels"
- Verify channel configuration has proper frequency settings
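The rules under Important Notes and the comment warnings listed above can be checked offline before a configuration is pushed. The following is an added example, not part of the original document or of RouterOS: it parses `print`-style output and reports which rule an entry breaks. The sample input is constructed (entry 0 and the channels follow this page, entry 1 is deliberately broken), and the key name `security.management-protection` is an assumption based on the `security.*` prefix used on this page.

```python
import re

PAIR = re.compile(r'([\w.\-]+)=("[^"]*"|\S+)')
BANDS = {"5": {"5ghz-ac", "5ghz-ax"}, "2": {"2ghz-n", "2ghz-ax"}}

def parse_print(text):
    """Parse RouterOS `print` output: numbered entries whose key=value
    pairs may continue over several lines."""
    entries = []
    for line in text.splitlines():
        if re.match(r"\s*\d+\s", line):      # a leading index starts a new entry
            entries.append({})
        if entries:
            for key, val in PAIR.findall(line):
                entries[-1][key] = val.strip('"')
    return entries

def audit(cfg, channels):
    """Return the rule violations for one configuration entry."""
    auth = set(cfg.get("security.authentication-types", "").split(","))
    findings = []
    if {"wpa-psk", "wpa3-psk"} <= auth:
        findings.append("can't use WPA with WPA3")
    # Assumed key name, following the page's security.* prefix convention.
    if "wpa3-psk" in auth and cfg.get("security.management-protection") == "disabled":
        findings.append("management protection should be allowed or required with WPA3")
    freqs = channels.get(cfg.get("channel"))
    if freqs:  # derive the band family from the channel's first frequency
        family = "5" if int(freqs.split(",")[0]) >= 5000 else "2"
        if cfg.get("channel.band") not in BANDS[family]:
            findings.append(f"channel.band does not match {cfg['channel']}")
    return findings

# Constructed sample input (see lead-in).
CHANNELS = '''
 0 name="ch-2ghz" frequency=2412,2432,2472 width=20mhz
 1 name="ch-5ghz" frequency=5180,5260,5500 width=20/40/80mhz
'''
CONFIGS = '''
 0 name="cfg-XTRM5g" ssid="XTRM"
   security.authentication-types=wpa-psk,wpa2-psk
   channel=ch-5ghz channel.band=5ghz-ac
 1 name="cfg-broken" ssid="XTRM"
   security.authentication-types=wpa-psk,wpa3-psk
   security.management-protection=disabled
   channel=ch-5ghz channel.band=2ghz-n
'''

def run():
    channels = {c["name"]: c["frequency"] for c in parse_print(CHANNELS)}
    return {c["name"]: audit(c, channels) for c in parse_print(CONFIGS)}

if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings or "ok")
```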
CAP Not Connecting to CAPsMAN
- Verify CAPsMAN is enabled on controller:
  /interface/wifi/capsman/print
- Check CAP has correct CAPsMAN address:
  /interface/wifi/cap/print
- Ensure CAP radios are set to CAPsMAN managed:
  /interface/wifi/print detail
  # Look for configuration.manager=capsman
- Check firewall isn't blocking CAPsMAN traffic (UDP 5246-5247)
CAP Interfaces Show "B" But Not "R"
This is normal when traffic is processed on CAP (local forwarding mode). The "R" (Running) flag only appears on the CAP device itself, not on CAPsMAN.
Network Diagram
Internet
│
▼
┌────────────────────────┐
│ MikroTik hAP ax³ │
│ 192.168.31.1 │
│ CAPsMAN Controller │
│ │
│ WiFi Interfaces: │
│ - hap-wifi1 (5GHz) │
│ - hap-wifi2 (2.4GHz) │
│ - XTRM, XTRM2 │
└───────────┬────────────┘
│
│ LAN
│
┌───────────┴────────────┐
│ │
▼ ▼
┌────────────────────┐ ┌────────────────────┐
│ MikroTik cAP ac │ │ Other Devices │
│ 192.168.31.6 │ │ 192.168.31.x │
│ CAPsMAN Managed │ │ │
│ │ │ │
│ WiFi Interfaces: │ │ │
│ - wifi1 (2.4GHz) │ │ │
│ - wifi2 (5GHz) │ │ │
│ - XTRM, XTRM2 │ │ │
└────────────────────┘ └────────────────────┘
SSH Key Setup
Adding SSH Key to MikroTik Device
- Copy public key to device:
  scp -P 2222 ~/.ssh/id_ed25519.pub user@[device-ip]:key.pub
- Import key for user:
  /user/ssh-keys/import public-key-file=key.pub user=[username]
- Verify import:
  /user/ssh-keys/print
- Clean up:
  /file/remove key.pub
Current SSH Key Status
| Device | User | Key Installed |
|---|---|---|
| hAP ax³ (192.168.31.1) | xtrm | Yes (mikrotik_key from Unraid) |
| hAP ax³ (192.168.31.1) | unraid | Yes (mikrotik_key from Unraid) |
| cAP ac (192.168.31.6) | xtrm | Yes (id_ed25519 from Desktop) |