All of the configuration below starts from scratch.
Wi-Fi interfaces are managed locally on each device, not through CAPsMAN.
Build the LAN side
# Create the LAN bridge
/interface/bridge add name=LAN protocol-mode=rstp
# Put your Ethernet uplink to the switch into the LAN bridge (adjust ports as needed)
/interface/bridge/port
add bridge=LAN interface=ether1
add bridge=LAN interface=ether2
add bridge=LAN interface=wifi2

Set DNS
/ip dns set servers=8.8.8.8,8.8.4.4
/ip dns set allow-remote-requests=yes

Give the LAN an IP + DHCP server
# Give the router a LAN IP and a small DHCP server (optional but typical)
# Use the subnet you like; 192.168.88.0/24 shown here
/ip address add address=192.168.88.1/24 interface=LAN
/ip pool add name=dhcp_pool_lan ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add name=dhcp_lan interface=LAN address-pool=dhcp_pool_lan
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
/ip dhcp-server enable dhcp_lan

Configure Wi-Fi station to wahoo (open, hidden)
/interface/wifi/configuration
add name=cfg-wahoo mode=station ssid="wahoo" country="United States" security.authentication-types=""
/interface/wifi
set [find name="wifi1"] configuration=cfg-wahoo disabled=no

Get WAN IP via DHCP on wifi1
/ip/dhcp-client add interface=wifi1 use-peer-dns=yes add-default-route=yes
/ip/dhcp-client
enable [find interface="wifi1"]

NAT + basic firewall
/interface/list add name=WAN
/interface/list/member add list=WAN interface=wifi1
/ip/firewall/nat
add chain=srcnat out-interface-list=WAN action=masquerade comment="WAN via wahoo"
/ip/firewall/filter
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=LAN comment="manage from LAN"
add chain=input action=drop in-interface-list=WAN comment="drop unsolicited from WAN"
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=LAN out-interface-list=WAN
add chain=forward action=drop

Create a LAN Wi-Fi
Create a security profile (password)
/interface/wifi/security
add name=sec-lan authentication-types=wpa2-psk,wpa3-psk passphrase="xxx"

Create an AP configuration profile for LAN Wi-Fi
/interface/wifi/configuration
add name=cfg-lan mode=ap ssid="LAN-WiFi" security=sec-lan country="United States" installation=indoor

Apply it to wifi2 and enable
/interface/wifi
set [find name="wifi2"] configuration=cfg-lan disabled=no

Verify
/interface/wifi print detail where name="wifi2"
/interface/wifi monitor wifi2 once
/interface/wifi registration-table print

Access the 192.168.1.x network behind the Proxmox VE (PVE) main switch, a MikroTik L009UiGS-RM
/ip route add dst-address=192.168.1.0/24 gateway=192.168.88.2 comment="to 192.168.1 via L009"

Verify
/ip route print where dst-address=192.168.1.0/24
/ping 192.168.88.2
/ping 192.168.1.1

MikroTik cAP (WinBox)
- IP → Routes → +
- Dst. Address: 192.168.1.0/24
- Gateway: 192.168.88.2
Apply/OK
Allow Winbox (TCP 8291) in the MikroTik firewall(s)
On the MikroTik you are trying to manage (the cAP), allow Winbox from 192.168.1.0/24 (adjust if you already have a structured ruleset):
/ip firewall filter add chain=input src-address=192.168.1.0/24 protocol=tcp dst-port=8291 action=accept comment="Allow Winbox from 192.168.1"

Also confirm the Winbox service is enabled and (optionally) restricted to your management subnets
/ip service set winbox disabled=no address=192.168.1.0/24,192.168.88.0/24

NOTE:
- Connect in Winbox by IP, not by MAC/Neighbors
- Winbox “Neighbors” discovery is L2/broadcast-based and will not traverse routed subnets. That’s normal.
- Just type the target device IP (e.g., 192.168.88.1) into “Connect To”.
Port exposing from LAN to WAN
- Expose tcp/8006 on WAN to 192.168.1.11:8006 (Data Center Testbed Design's server 1) on LAN.
- Expose tcp/3128 for SPICE (Simple Protocol for Independent Computing Environments) on WAN to 192.168.1.11:8006 (PVE's server 1) on LAN.
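The dst-nat rules for this section, as an added example that is not part of the original notes: it assumes the WAN interface list and the forward-chain drop rule from the firewall section above, and the second rule sends SPICE to port 3128 on the host (the port the Proxmox spiceproxy listens on; adjust to-ports if your setup differs).

```routeros
# Added example (not from the original notes): publish the PVE web UI and SPICE proxy
# from the WAN side to the PVE host on the routed 192.168.1.0/24 segment.
# Assumes: interface list "WAN" and the final "chain=forward action=drop" rule exist.
/ip/firewall/nat
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=8006 action=dst-nat to-addresses=192.168.1.11 to-ports=8006 comment="PVE web UI"
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=3128 action=dst-nat to-addresses=192.168.1.11 to-ports=3128 comment="PVE SPICE proxy (assumed port 3128 on host)"

# The forward chain ends with a drop, so port-forwarded (dst-natted) connections
# must be accepted before that rule; place-before keeps the ordering correct.
/ip/firewall/filter
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=WAN comment="allow port-forwarded connections" place-before=[find chain=forward action=drop]

# Verify the rules and their order
/ip/firewall/nat print where chain=dstnat
/ip/firewall/filter print where chain=forward
```

Add src-address=<trusted ranges> to both dstnat rules if the PVE management UI should only be reachable from known WAN-side networks rather than from every client on wahoo.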