Настройки выполнял по аналогии -> https://serveradmin.ru/nastroyka-capsman-v-mikrotik/.
На точке доступа офисная сеть получает корректные настройки и работает, а клиенты гостевой сети получают настройки от офисного DHCP-сервера, хотя для каждой сети заданы отдельное адресное пространство и свой DHCP-сервер с собственным пулом.
Конфиг коммутатора
[admin@MikroTik_Gate] > /export compact
# aug/04/2020 15:43:39 by RouterOS 6.47
#
# model = 960PGS
# serial number =
# CAPsMAN channel definitions. Both SSIDs are pinned to the same 2.4 GHz frequency (2457 MHz, 20 MHz wide).
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2457 name=channel_Office tx-power=20
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled frequency=2457 name=channel_Cafe tx-power=20
# Two bridges on the gateway: bridge_local for the office LAN, bridge_pablic for the guest (Cafe) network.
/interface bridge
add arp=proxy-arp name=bridge_local
add name=bridge_pablic
/interface ethernet
set [ find default-name=ether1 ] name=eth1-wan
set [ find default-name=sfp1 ] disabled=yes
# PPPoE uplink over eth1-wan; it installs the default route and accepts the DNS servers offered by the ISP.
# NOTE(review): the PPPoE user name and password appear in clear text in this export. Credentials posted
# publicly should be treated as disclosed and changed with the provider. `/export hide-sensitive` leaves
# secrets out of the dump.
/interface pppoe-client
add add-default-route=yes disabled=no interface=eth1-wan name=Internet_Dom.ru password=14889+ use-peer-dns=yes user=159487
# CAPsMAN datapaths: they decide where the client traffic of each SSID is placed.
# NOTE(review): both datapaths use local-forwarding=yes, so frames are bridged on the access point itself.
# In that mode the segment a client lands in is presumably chosen by the CAP's own
# `/interface wireless cap ... bridge=` setting, not by the bridge= value given here. If the CAP adds both
# SSIDs to one bridge that also contains its uplink, guest clients share the office broadcast domain and are
# answered by the office DHCP server, which matches the symptom described in the post. Separation needs either
# local-forwarding=no on datapath_Cafe (traffic is tunnelled to the manager and joins bridge_pablic) or a
# per-SSID VLAN (vlan-mode=use-tag with a vlan-id) carried up to the gateway. TODO confirm on the device.
/caps-man datapath
add bridge=bridge_local client-to-client-forwarding=yes local-forwarding=yes name=datapath_Office
add bridge=bridge_pablic local-forwarding=yes name=datapath_Cafe
# WPA pre-shared keys for the two SSIDs.
# NOTE(review): both networks share one short numeric passphrase, printed here in clear text, and
# security_Office still allows wpa-psk (WPA1) next to wpa2-psk. Guest and office should use different, long
# passphrases and wpa2-psk only; the values shown here should be treated as disclosed.
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=security_Office passphrase=123456
add authentication-types=wpa2-psk encryption=aes-ccm name=security_Cafe passphrase=123456
# Per-SSID configurations that tie channel, datapath and security together (SSIDs "Office" and "Cafe").
/caps-man configuration
add channel=channel_Office datapath=datapath_Office mode=ap name=cfg_Office rx-chains=0,1,2,3 security=\
security_Office ssid=Office tx-chains=0,1,2,3
add channel=channel_Cafe datapath=datapath_Cafe mode=ap name=cfg_Cafe rx-chains=0,1,2,3 security=\
security_Cafe ssid=Cafe tx-chains=0,1,2,3
# Interface lists referenced by the firewall rules.
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# Address pools used by the two DHCP servers.
# NOTE(review): pool_pablic is taken from 5.10.10.0/24, which is publicly routable address space rather than
# an RFC 1918 private range. Guests would be unable to reach the real Internet hosts in that prefix; a private
# range avoids the overlap.
/ip pool
add name=pool_office ranges=192.168.37.100-192.168.37.200
add name=pool_pablic ranges=5.10.10.2-5.10.10.254
# One DHCP server per bridge: dhcp_office on bridge_local, dhcp_pablic on bridge_pablic.
/ip dhcp-server
add address-pool=pool_office disabled=no interface=bridge_local name=dhcp_office
add address-pool=pool_pablic disabled=no interface=bridge_pablic name=dhcp_pablic
# Turns on the CAPsMAN controller on this router.
# NOTE(review): no certificate or require-peer-certificate setting appears in this compact export, so
# CAP-to-manager authentication is presumably not enforced. Confirm with `/caps-man manager print`.
/caps-man manager
set enabled=yes
# Provisioning rule: cfg_Office is applied as the master configuration and cfg_Cafe as a slave configuration.
# NOTE(review): no radio-mac or other match condition is shown, so the rule presumably applies to every
# radio that joins. Confirm that this is intended.
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg_Office slave-configurations=cfg_Cafe
# Wired ports ether2-ether5 are members of bridge_local. bridge_pablic has no static ports in this export.
/interface bridge port
add bridge=bridge_local interface=ether2
add bridge=bridge_local interface=ether3
add bridge=bridge_local interface=ether4
add bridge=bridge_local interface=ether5
# NOTE(review): the member "Internet" does not match any interface defined in this export (the PPPoE client
# is named Internet_Dom.ru), and bridge_pablic is in neither list. Firewall rules that match on WAN or LAN may
# therefore not cover the PPPoE uplink or the guest bridge the way the list names suggest. Check with
# `/interface list member print`.
/interface list member
add interface=eth1-wan list=WAN
add interface=bridge_local list=LAN
add interface=Internet list=WAN
# NOTE(review): 192.168.37.1/24 is assigned to ether2, which is a port of bridge_local (bridge port section
# above). An address belongs on the bridge interface itself, not on one of its ports.
/ip address
add address=192.168.37.1/24 interface=ether2 network=192.168.37.0
add address=5.10.10.1/24 interface=bridge_pablic network=5.10.10.0
# Options handed to DHCP clients of each subnet; the router is gateway and DNS server for both.
/ip dhcp-server network
add address=5.10.10.0/24 dns-server=5.10.10.1 gateway=5.10.10.1 netmask=24
add address=192.168.37.0/24 dns-server=192.168.37.1 domain=local gateway=192.168.37.1
# NOTE(review): the only configured upstream server is the router's own address, so name resolution presumably
# depends on the servers learned over PPPoE (use-peer-dns=yes). allow-remote-requests=yes makes the router
# answer DNS queries from other hosts; the input chain has to keep port 53 unreachable from the WAN side.
/ip dns
set allow-remote-requests=yes servers=192.168.37.1
# Input chain (traffic addressed to the router itself), evaluated top to bottom.
# The first rule accepts Winbox (TCP 8291) from interface GRE-HQ, which is not defined anywhere in this export.
/ip firewall filter
add action=accept chain=input dst-port=8291 in-interface=GRE-HQ protocol=tcp
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1
# NOTE(review): only bridge_local is in the LAN list, so the next rule also drops new connections arriving on
# bridge_pablic. Guests cannot reach router management, but their DNS queries to 5.10.10.1 are presumably
# dropped too. If guests should use the router as resolver, allow only DNS from bridge_pablic and nothing else.
add action=drop chain=input in-interface-list=!LAN
# Forward chain (traffic routed through the router).
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
# NOTE(review): both forward drop rules below are disabled=yes, so no rule in this chain drops anything and new
# connections between the guest subnet and the office subnet are routed without restriction. Guest isolation
# needs an explicit drop for traffic from bridge_pablic to bridge_local, and the two drops should be enabled
# again (the second one limited to the WAN interface list, as in the default configuration).
add action=drop chain=forward connection-state=invalid disabled=yes
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new disabled=yes
# Source NAT for traffic leaving through the PPPoE interface.
# NOTE(review): the second rule matches dst-address=5.10.10.0/24 on the way out to the ISP and is already
# covered by the first rule. Presumably src-address was meant; confirm, or remove the rule.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Internet_Dom.ru
add action=masquerade chain=srcnat dst-address=5.10.10.0/24 out-interface=Internet_Dom.ru
[admin@Mikrotik_Cafe2] > /export compact
# aug/04/2020 15:58:30 by RouterOS 6.47
# model = RB952Ui-5ac2nD
# serial number =
# Single bridge on the access point, with a fixed admin MAC address.
/interface bridge
add admin-mac=74:4D:28:20:EA:EA auto-mac=no comment=defconf name=bridge
# wlan2 (5 GHz) keeps local settings. No disabled=no is shown for it, so it is presumably left disabled;
# confirm, because no security profile is set on this line.
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor mode=\
bridge ssid=MikroTik-20EAEE wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# NOTE(review): profile Pass stores the same short numeric key for WPA and WPA2 in clear text and permits
# wpa-psk (WPA1). The key should be treated as disclosed, and a long key with wpa2-psk only is preferable.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=Pass supplicant-identity="" \
wpa-pre-shared-key=123123 wpa2-pre-shared-key=123123
# wlan1 is controlled by CAPsMAN (generated comments below): the SSID and channel in effect come from the
# manager ("Office", 2457 MHz, local forwarding), not from the local ssid= and frequency= values on this line.
/interface wireless
# managed by CAPsMAN
# channel: 2457/20/gn(18dBm), SSID: Office, local forwarding
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor \
mode=ap-bridge security-profile=Pass ssid=MikroTik-20EAEF wireless-protocol=802.11
# Pool left over from the default configuration; no DHCP server that uses it appears in this export.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
# All Ethernet ports, both radios and the ether1 uplink are members of the one bridge.
# NOTE(review): because the uplink is in the same bridge, every interface that CAPsMAN adds to this bridge in
# local-forwarding mode shares one L2 segment with the office LAN. Nothing here separates the guest SSID, so
# guest clients would reach the office DHCP server. TODO confirm with `/interface bridge port print`.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
# NOTE(review): LAN lists the bridge ports instead of the bridge interface, and ether1 is listed as WAN even
# though it is bridged. For IP firewall matching the inbound interface of a bridged port is normally the
# bridge, so rules based on LAN / WAN may not match as the names suggest. Confirm.
/interface list member
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
# CAP mode: wlan1 is handed to the manager at 192.168.37.1, discovered over ether1. bridge=bridge names the
# local bridge that receives CAP interfaces when local forwarding is used.
# NOTE(review): no certificate setting is shown, so the CAP presumably accepts any manager answering at that
# address. Confirm.
/interface wireless cap
#
set bridge=bridge caps-man-addresses=192.168.37.1 discovery-interfaces=ether1 enabled=yes interfaces=wlan1
# NOTE(review): the management address sits on ether2, which is a bridge port; it belongs on the bridge.
/ip address
add address=192.168.37.244/24 interface=ether2 network=192.168.37.0
# The generated warning below comes from RouterOS itself: ether1 is a bridge port, so this client does not run.
/ip dhcp-client
# DHCP client can not run on slave interface!
add comment=defconf disabled=no interface=ether1
# NOTE(review): allow-remote-requests=yes turns the access point into a DNS resolver for other hosts; a pure
# bridge AP normally does not need that.
/ip dns
set allow-remote-requests=yes servers=192.168.37.1
/ip dns static
add address=192.168.37.244 comment=defconf name=router.lan type=A
# Default-configuration firewall plus two added Winbox (TCP 8291) rules matching in-interface=bridge.
# NOTE(review): wireless clients are ports of that bridge, so the input rule presumably exposes Winbox to every
# connected client, guests included once they share the bridge. Restrict it to a management source address.
# The forward rule for 8291 only matters for routed traffic, which a bridged AP does not carry.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input dst-port=8291 in-interface=bridge protocol=tcp
add action=accept chain=forward dst-port=8291 in-interface=bridge protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
# NOTE(review): out-interface-list=all masquerades anything this device routes, on every interface. Bridged
# frames are not affected, so the rule is presumably unused on this AP and can hide client addresses if the
# device ever routes. Confirm whether it is needed.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=all
# Static default route towards the gateway.
/ip route
add distance=1 gateway=192.168.37.1