CAPsMAN

Assuming a primary router and 2 APs (CAPs)

On CAPs go to Wireless > CAP. Enable. Set Interface to wlan1, Discovery interface to ether2.

Go back to primary and rename CAPs.

On CAPs go to Wireless > CAP. Cert - request. After obtaining cert lock to CAPsMAN.

(NB. You will eventually choose to Require Peer Cert on Primary, but whenever adding new CAPs you must uncheck this.)

Now on CAPs Lock to CAPsMAN & change certificate to the cert that was requested.

CAPsMAN > Channels. Name - Channel1, freq - 2412, width - 20mhz, band - g/n, extd - disabled, tx - -6. (For Channel6, freq - 2437).

Security Profile: CAPsMAN > Security Cfg. Name - users/guest, auth - WPA2 PSK, enc - aes ccm, group enc. - aes ccm, pw - __________
Datapaths: First we have to create some bridges.

Bridge. Name - bridge-users/guests.

Now, IP > Addresses. 192.168.23.1/24 for bridge-users, 192.168.45.1/24 for bridge-guests.

Now IP > DHCP Server. Just go to Setup, choose respective group and go through options.

Now back to CAPsMAN > Datapaths. Name - datapath-users/guests. Bridge - bridge-users/guests.

(NB. Under Datapaths there are the options Local Forwarding and Client to Client Forwarding. These may need to be enabled for users.)

[At this point also make sure masquerading is on on Firewall. Firewall > NAT. Channel - srcnat. Action - masquerade.]

Containers. CAPsMAN > Configurations. Wireless, name - WiFi-Chn1-Users/Guests, Wifi-Chn6-Users/Guest. Mode - AP. SSID - Wireless. Country - USA. Channel - channel1, Datapath - users. Security - users (as appropriate).
Provisioning. CAPsMAN > Radio. Copy the Radio Mac. Then go to Provisioning. Paste the MAC into Radio Mac. Action - create_dynamic_enabled. Mater & Slave configs must match channels, name format, identities.

Now! Go to CAPsMAN > CAP Interface. Delete all.

Now go to CAPsMAN > Remote CAP, select all and Provision.