VLANs on Mikrotik cAP ac with wifi-qcom-ac

Published on:

RouterOS 7.13 brings a new wireless package to the Mikrotik cAP ac Wi-Fi access points. The package wifi-qcom-ac adds support for the third generation of CAPsMAN and provides a new driver for the wireless radios. Although the new driver brings many useful features (MU-MIMO, beamforming, 802.11r/k/v fast roaming), it also takes away a few — most notably VLAN configuration via CAPsMAN.

Disclaimer

This article provides a workaround only. As of April 2025, it is not possible to restore the old behavior — VLANs have to be configured manually on each cAP ac, and only one VLAN can be configured per SSID.

With wifi-qcom-ac, VLANs can only be configured manually per-interface in bridge settings. It’s worth to check whether the CAP configuration is VLAN-aware. VLAN filtering should be enabled on the bridge, but ingress filtering must be disabled. Similarly, ingress filtering must be disabled on ether1. I suggest using the fallback VLAN mode for ether1 and switch1 cpu switch ports. Finally, the Slaves Static option in CAP settings should be turned on. You can use the CLI commands below to quickly adjust the settings.

/interface bridge port set ingress-filtering=no [find where interface=ether1]
/interface bridge set bridgeLocal vlan-filtering=yes ingress-filtering=no
/interface ethernet switch port set ether1 vlan-mode=fallback
/interface ethernet switch port set "switch1 cpu" vlan-mode=fallback
/interface wifi cap set slaves-static=yes

Then, you can assign VLANs to your wireless interfaces (one VLAN per SSID). First, add a new port in Bridge » Ports. Choose the wireless interface you want to assign the VLAN to, and under VLAN set PVID to the VLAN number you want. Ingress filtering should be turned on this time.

Next, in Bridge » VLANs, add the VLAN to the bridge. Type the VLAN ID, put the ether1 interface as tagged and the wireless interface as untagged. Finally, add a switch record for the VLAN as well. In Switch » VLAN, add the VLAN ID with switch1-cpu and ether1 ports.

Now all traffic on the wireless interface should flow through the VLAN. For example to assign VLAN 100 to wifi1, you can use the following CLI commands:

/interface bridge port add bridge=bridgeLocal interface=wifi1 pvid=100
/interface bridge vlan add bridge=bridgeLocal tagged=ether1 untagged=wifi1 vlan-ids=100
/interface ethernet switch vlan add ports=switch1-cpu,ether1 switch=switch1 vlan-id=100
Caution

You must keep the VLAN configuration in sync with your SSIDs manually. For example, if you change the SSID that broadcasts on an existing interface, the VLAN assignment will stay the same. If you remove a slave configuration, re-provision, then add it back, a new wireless interface will be created without any VLAN assigned to it.