Finally success - 802.11r/k/v fast roaming works reliably with WifiWave2

kravemir · Wed Sep 20, 2023 7:25 pm

Finally success - managed to get 802.11r/k/v roaming working with WifiWave2 on all my client devices, using hAP ax³ and hAP ac³.

It was some amount of troubleshooting, and hunting for the right settings. In the end, following things needed to be done - hope I didn't forget anything:

manage all APs by the same instance of RouterOS - use WifiWave2 CAPsMAN,
set authentication type to WPA2 only, disable WPA3, because Android devices have trouble roaming with WPA3, and even if they receive other BSSIDs from neighboor group and see them as ones with better signal, they won't roam-connect to these better APs/BSSIDs. My ThinkPad A485 and wife's T440p have no problem roaming with WPA3, we both have Linux if that makes a difference, but Android devices do have issues with WPA3.
set ft=yes and ft-over-ds=yes in security profile to enable 802.11r fast BSS transitions (roaming),
do not kick off clients with weak signal, remove such wifiwave2 access-list rule if you have one, because it makes client devices to avoid using that SSID or access point completely and results in worse wifi experience.
RouterOS version 7.11.2 if that makes a difference.

If roaming is working correctly, then there should be now following entries about roaming in the log:

0C:C6:FD:XX:XX:XX@distant-AP-wifi-2G roamed to 0C:C6:FD:XX:XX:XX@closer-AP-wifi-5G, signal strength -66

Instead of entries about disconnection followed by immediate reconnection entries:

0C:C6:FD:XX:XX:XX@distant-AP-wifi-5G disconnected, connection lost, signal strength -92
0C:C6:FD:XX:XX:XX@closer-AP-wifi-5G connected, signal strength -75

gigabyte091 · Wed Sep 20, 2023 8:59 pm

set authentication type to WPA2 only, disable WPA3, because Android devices have trouble roaming with WPA3, and even if they receive other BSSIDs from neighboor group and see them as ones with better signal, they won't roam-connect to these better APs/BSSIDs. My ThinkPad A485 and wife's T440p have no problem roaming with WPA3, we both have Linux if that makes a difference, but Android devices do have issues with WPA3.

Have no problem with WPA3 and android devices, they roam and connects without any problem.

kravemir · Wed Sep 20, 2023 9:10 pm

Have no problem with WPA3 and android devices, they roam and connects without any problem.

Tested Android devices in my household:

Xiaomi Mi 9 SE - https://www.gsmarena.com/xiaomi_mi_9_se-9583.php - roamed well, Android 11.
Xiaomi Redmi Note 10 Pro - https://www.gsmarena.com/xiaomi_redmi_n ... -10662.php - didn't roam at all, Android 13.
Huawei P20 Pro - https://www.gsmarena.com/huawei_p20_pro-9106.php - didn't roam at all, and don't know what Android version, because it didn't survive the last time wife accidentally dropped this-her phone. It had a very great camera. Poor phone.

However,... besides WPA3 issue on some Android devices, that I'm lucky to have in my household....

The conclusion is, that 802.11r/k/v fast roaming works well, and that the future of multi-AP wireless networking with roaming looks bright with WifiWave2 on MikroTik devices. Just, waiting for WifiWave2 outdoor APs from MikroTik.

gigabyte091 · Wed Sep 20, 2023 9:21 pm

Agree with you, i think Mikrotik wireless became good, at least for home users, now i have same or even better experience with cap ax when compared to ubiquiti u6 lite. Signal is better for sure.

Now I don't know how good will it work with more devices, eg office, etc but at the moment i have 22 wireless device connected and they are working without a problem. (Mix smart TVs, IoT devices, cameras, laptops, phones, tablets, smart watches)

kravemir · Thu Sep 21, 2023 1:03 pm

... good, at least for home users, ...

Now I don't know how good will it work with more devices, eg office, ... i have 22 wireless device connected and they are working without a problem. (Mix smart TVs, IoT devices, cameras, laptops, phones, tablets, smart watches)

I use MikroTik in my household/SOHO, too.

There are usually no more than two devices, that try to saturate wireless bandwidth. It's usually one or two at the same time from: me downloading something on my laptop, wife downloading something on her laptop, apps updates or installation or my phone, wife's phone, or Nintendo switch download, or a guest downloading something on own phone/laptop. Every stationary device is wired. So, I don't have have scenarios with many wifi devices competing for wireless bandwidth.

My problems are based on property layout with thick walls, that is impossible to cover with single AP reliably.

My wife, much more than me, moves between physical locations covered by different APs. She, especially, needs internet access in those different locations - see list of things to pack for shipment for eShop sales (one AP covering storage and packing areas), doing other things on net and responding to customers in different more comfortable place (different AP).

Also, for me, I don't like having to turn off and on wifi on phone to manually roam to better AP.

So, seamless roaming is of higher importance to me/us, than top performance.

For, IoT, I guess, that performance doesn't drop much with number of little devices, but with number of devices actively competing for bandwidth. Also, performance drops with number of slow talking (weak signal) devices. So, area coverage is important here, too. I don't have IoT or smart-home thingies yet, though.

olivier2831 · Thu Sep 21, 2023 1:50 pm

Agree with you, i think Mikrotik wireless became good, at least for home users, now i have same or even better experience with cap ax when compared to ubiquiti u6 lite. Signal is better for sure.

Do you have figures (dB, ...) echoing this ?
Were both AP ceiling mounted ?

gigabyte091 · Thu Sep 21, 2023 2:31 pm

I don't, i just noticed that with mikrotik i have wifi in my yard, with ubiquiti i don't. I know, not very scientific method.

ToTheFull · Thu Sep 21, 2023 4:30 pm

It isn't a fair test, maybe the U6 LR yes.

U6 Lite
Antenna gain
2.4 GHz 2.8 dBi
5 GHz 3 dBi

cAP ax
Wireless 2.4 GHz standards 802.11b/g/n/ax
Antenna gain dBi for 2.4 GHz 6

Wireless 5 GHz standards 802.11a/n/ac/ax
Antenna gain dBi for 5 GHz 5.5

Thu Sep 21, 2023 4:55 pm

I have set of Google Pixel phones 4A 6A 7A and no issues with roaming on Capsman ww2.
My issue is with only iPhone (14) in the house. I can't figure why but it will not reconnect by itself to the house network, only after manual clicking on the phone it connects.

Also my ThinkPad E14 sometimes roams away to worst possible AP in the house, and get stuck to it like a glue - i can only force it to jump somewhere else if i remove that interface from capsman for a second.

So it seems to me that fastroaming stuff has very random implementation on clients side.

gigabyte091 · Thu Sep 21, 2023 7:59 pm

It isn't a fair test, maybe the U6 LR yes.

Maybe, but for eg, U6-Lite in my country costs about 126 Euros, and cAP ax is about 143 euros, so that's about 17 Euros difference.

U6 LR costs about 220 Euros and that is about 77 Euros difference...

ToTheFull · Thu Sep 21, 2023 8:29 pm

I'm Happy with my cAP ax and hAP ax2, considering the contraints/regs Imposed on WiFi6 devices these days I think Microtik have done a fantastic job.
Yes it's taken time, but still we are nearly there!

Tue Nov 07, 2023 11:35 pm

Implemented capsman at home (RB5009, AX3, AX2).
Most devices roam just fine except for Samsung S20 when using WPA3 (Android 13).
Samsung S8 (Android 9) however works just fine (but I'm thinking it only uses WPA2) ?
Downgrading security to WPA2 only, "solves the problem" for S20.

7.12 rc6

anav · Wed Nov 08, 2023 3:32 am

Can you draw a network diagram to see what is connected to what.
What is your main router
Does it run capsman
What is the difference in wifiwave2 setup on main router (running capsman) and the other devices?

Can you provide /exports of all the MT wifi devices......

gigabyte091 · Wed Nov 08, 2023 5:53 am

I experienced the same thing but wife and I have same phones, exactly the same model, only difference is color and her phone is a year younger so i'm thinking different revision ??

Her phone roams without a problem, my sticks to the downstairs AP and won't let go... It's like his life depends on it...

Tablets, laptops, everything else roams without a problem.

Did a test with U6 Lite same thing... Won't roam... Sticks to the downstairs AP...

Is your RB5009 PoE version ? I bought PoE so I don't have to deal witn injectors

Wed Nov 08, 2023 6:34 am

Can you draw a network diagram to see what is connected to what.
What is your main router
Does it run capsman
What is the difference in wifiwave2 setup on main router (running capsman) and the other devices?

Can you provide /exports of all the MT wifi devices......

Get lost, you ...

Is your RB5009 PoE version ? I bought PoE so I don't have to deal witn injectors

Nope, regular RB5009. No POE involved for AX3 nor AX2.
That S20 simply will not roam using WPA3. It disconnects when signal is too low and then connects again to nearest AP but no roaming message in log. Just disconnect and connect.

gigabyte091 · Wed Nov 08, 2023 7:32 am

I can see @anav buying couple of cAP ax's to replace existing AP ih his home

I tested now at one of my customer site's, they are using TP-Link for AP's, same thing, phone is holding for one AP...

anav · Wed Nov 08, 2023 4:09 pm

your wife has better iphone skills ;-PP

gigabyte091 · Wed Nov 08, 2023 4:42 pm

No iOS, Android only

Honestly, I don't care, as long as her wifi is good i'm happy. I still have flashbacks to ROS 7.9 and wifi fiasco... I can still hear her voice... WIFI IS NOT WORKING AGAIN !!!

anav · Wed Nov 08, 2023 6:45 pm

People are still using androids??

mkx · Wed Nov 08, 2023 7:02 pm

We are all becoming androids

gigabyte091 · Wed Nov 08, 2023 7:11 pm

Android rulz

Wed Nov 08, 2023 8:16 pm

OK, moving on ...

Read some snippets earlier today where I conclude Samsung and WPA3 can cause roaming issues on whatever brand of AP if you're 'lucky' (ahem ...).
Funny thing is that the same model/SW version works reliably but another user having the exact same device reports issues.
I've also seen reports about other brands/devices (not only smartphones, also tablets, smartwatches, ...)
Various brands of APs, no common denominator.

So it looks like this is not an MT problem but more a client implementation problem ?

gigabyte091 · Wed Nov 08, 2023 8:35 pm

I do believe that this is a client problem. At least in my case, only one device have this problem. In my case we are talking about Xiaomi phone. Same model, year apart from my wife's phone, her phone roams, my doesn't.

I also noticed that it likes to hang onto 5GHz radio... When we are in our yard my phone disconnects but wife's phone connects to 2.4GHz...

I tested today with my brothers S23 Ultra and it's roaming without a problem.

Unfortunately I don't have any iPhone to test... Maybe it's OS problem ?

gotsprings · Wed Nov 08, 2023 10:29 pm

People are still using androids??

img_1_1698111777047~2.jpg

kravemir · Sat Nov 11, 2023 5:26 pm

We are all becoming androids

Not everyone desires to sell their soul to apple. Android asks for lesser portion of soul, than Apple. So, a better choice.

Kaldek · Mon Nov 13, 2023 5:52 am

Given the amount of yelling Mikrotik users have been doing about the previous lack of 802.11r, check out this stat from the recent Wireless LAN Professionals conference in Prague. This is from a Cisco employee directly:

Of 8.7 million known SSIDS on Meraki gear, only 1.45% have enabled 802.11r.

Screenshot 2023-11-13 144824.png

User4011 · Thu Nov 23, 2023 4:47 am

@kravenmir,

Also interested in anav's request below:

Can you draw a network diagram to see what is connected to what.
What is your main router
Does it run capsman
What is the difference in wifiwave2 setup on main router (running capsman) and the other devices?

Can you provide /exports of all the MT wifi devices......

Thu Nov 23, 2023 4:53 am

Given the amount of yelling Mikrotik users have been doing about the previous lack of 802.11r, check out this stat from the recent Wireless LAN Professionals conference in Prague. This is from a Cisco employee directly:

Of 8.7 million known SSIDS on Meraki gear, only 1.45% have enabled 802.11r.

finally someone reasonable

tlamik · Mon Jan 15, 2024 5:23 pm

I am strugling with roaming on Mikrotiks. I have five cAP ax, on one of them I setup CAPSMAN, everything seems to work nice. But I noticed from log that only 2 devices doing roaming (Samsung S10 and Samsung S22). So I uncheck WPA3 and used only WPA2 (according to advice). Now all mobile phones doing roaming well. But none of windows laptops. Is it normal behavior ? All kind of mobile types are OK, but none laptops ? Do I need setup something in windows registry ?

Thanks

Mon Jan 15, 2024 7:14 pm

Try Forget network and then connect again.
You should not change anything on the laptops, at least I didn't have to.

Mon Jan 15, 2024 8:10 pm

Windows only supports FT over the networks with 802.1X (i.e. when using WAPx EAP), it does not work in open networks or networks with WAPx PSK. That does not mean Windows laptops does not roam at all, it just meas Fast BSS Transition is not supported in those cases.

When using the new CAPsMAN, however, I used to struggle with a couple of Windows laptops that were stuck on one AP and refused to roam even when the signal was dropping way below acceptable level, no matter if FT was enabled or not. This has been fixed for me with the following setting (follow this link if you need some explanation):

set ... security.connect-priority=0/1

S8T8 · Tue Jan 16, 2024 11:38 am

@andriys, I was interested in testing suggestion by @whatever about connect-priority=0/1 but I wonder how this affect connect-group and security (this was implemented to prevent MacStealer attack), connect-priority=0/1 should allow duplicate MAC addresses to be connected at the same time.

rextended · Tue Jan 16, 2024 11:41 am

Given the amount of yelling Mikrotik users have been doing about the previous lack of 802.11r, check out this stat from the recent Wireless LAN Professionals conference in Prague. This is from a Cisco employee directly:

Of 8.7 million known SSIDS on Meraki gear, only 1.45% have enabled 802.11r.

finally someone reasonable

Remember that only those who are dissatisfied for some reason write to us on the forum,
not those who are happy, who don't give a damn about coming here to say thank you...
Instead, obviously, we only read the posts of those who complain....

Tue Jan 16, 2024 11:51 am

@S8T8 Whatever you set the connect-priority to, the duplicate MAC addresses should not be allowed withing the same connect-group. But you are probably correct in your assumption that the connect-priority=0/1 setting is less secure than whatever the default setting is. Please note that the 'MacStealer' attack assumes that the attacker is already authenticated in your network, so it is up to you to decide whether this setting is acceptable to you in your specific use case.

tlamik · Fri Jan 19, 2024 8:01 am

Well, I did 2 changes, I installed wifi driver from my wifi card's vendor (not M$ drivers) and did setup connect-priority=0/1 and seems to working on my laptop. On others computers I can see they sometimes roamed, but not so often as my laptop, they mostly disconnected/connected. I read that some of wifi adapters not support 802.11r/k/v.

gotsprings · Fri Jan 19, 2024 2:58 pm

not those who are happy, who don't give a damn about coming here to say thank you...
Instead, obviously, we only read the posts of those who complain....

Uhh... No.

Mikrotik has some serious apologists around here.

ips · Fri Jan 26, 2024 4:16 pm

I tried to setup fast roaming (I'm on 7.13.3) and I have a strange behaviour: my Android phone successfully roams, but after exactly 10s it disconnects from the new AP and reconnects in a couple of seconds. Any idea?

infabo · Fri Jan 26, 2024 4:23 pm

roams from/to? config?

ips · Fri Jan 26, 2024 4:44 pm

From hapax3 to hap ax lite.

Config hapax3 (capsman):

# 2024-01-26 15:33:59 by RouterOS 7.13.3
#
# model = C53UiG+5HPaxD2HPaxD
/interface bridge
add arp=proxy-arp name=bridge
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
/interface wireguard
add listen-port=PORT mtu=1420 name=wireguard1
/interface vlan
add interface=ether1 name=vlan835-TIM vlan-id=835
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan835-TIM name=#####
/interface list
add name=WAN
add name=LAN
/interface wifi datapath
add bridge=bridge disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk connect-priority=0/1 disabled=no ft=yes ft-over-ds=yes name=wifisec_FT wps=disable
/interface wifi configuration
add channel.band=2ghz-n .width=20mhz country=Italy datapath=datapath1 disabled=no mode=ap name=wificonf_FT security=wifisec_FT ssid=ssid24
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ac .frequency=5170-5250 .skip-dfs-channels=all .width=20/40mhz-Ce configuration=wificonf_FT configuration.mode=ap .ssid=ssid5 disabled=no
set [ find default-name=wifi2 ] configuration=wificonf_FT configuration.mode=ap disabled=no
/ip pool
add name=default-dhcp ranges=192.168.1.200-192.168.1.222
/ip dhcp-server
add add-arp=yes address-pool=default-dhcp interface=bridge lease-time=3d name=dhcp_server1
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge disabled=yes interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=pppoe-TIM-out list=WAN
add interface=wireguard1 list=LAN
/interface wifi capsman
set ca-certificate=auto enabled=yes interfaces=bridge require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=wificonf_FT name-format=wifi%I slave-configurations=""
/interface wireguard peers
## edited
/ip address
add address=192.168.1.2/24 interface=bridge network=192.168.1.0
add address=192.168.1.224/28 interface=wireguard1 network=192.168.1.224
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-server config
set accounting=no store-leases-disk=never
/ip dhcp-server lease
## edited
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.2 domain=home.arpa gateway=192.168.1.2
/ip dns
set allow-remote-requests=yes doh-max-server-connections=10 doh-timeout=10s max-concurrent-queries=200 max-concurrent-tcp-sessions=40 query-server-timeout=5s use-doh-server=edited verify-doh-cert=yes
/ip dns static
add address=45.90.28.0 disabled=yes name=dns.nextdns.io
add address=45.90.30.0 disabled=yes name=dns.nextdns.io
add address=2a07:a8c0:: disabled=yes name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: disabled=yes name=dns.nextdns.io type=AAAA
add address=38.175.119.129 name=dns.nextdns.io
add address=178.255.155.63 name=dns.nextdns.io
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow WireGuard" dst-port=PORT in-interface-list=WAN protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Rome
/system identity
set name=hapax3
/system leds settings
set all-leds-off=after-1h
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=it.pool.ntp.org
add address=europe.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool graphing
set store-every=24hours
/tool graphing interface
add allow-address=192.168.1.0/24
/tool graphing resource
add allow-address=192.168.1.0/24
/tool mac-server
set allowed-interface-list=LAN

Config hap ax lite:

# 2024-01-26 15:41:01 by RouterOS 7.13.3
#
# model = L41G-2axD
/interface bridge
add comment=defconf name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: ssid24, channel: 2462/n
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp disabled=no
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
/ipv6 settings
set disable-ipv6=yes
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip cloud
set update-time=no
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Rome
/system identity
set name=hapaxlite
/system leds settings
set all-leds-off=after-1h
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=it.pool.ntp.org
add address=europe.pool.ntp.org

The smartphone is a Huawei P20

Thanks!

infabo · Fri Jan 26, 2024 4:54 pm

Thanks for sharing the config. But you did not say in which direction you have roaming issues. roaming from 5g to 2g and falling back to 5g after 10 secs? or the other way round? 2g to 5g and falling back to 2g again?

Or are you especially referring roaming on 2ghz from your your hap ax3 to hap lite ax?

ips · Fri Jan 26, 2024 5:04 pm

I apologize: I separated the SSIDs of the two channels. So I have this issue while roaming from the 2.4GHz band of the hap ax3 to the 2.4GHz band of the hap ax lite. The phone roams from ax3 to ax lite -> after 10s, it disconnects from the hap ax lite -> after 2-3s it connects to the hap ax lite

Example:

 15:33:32 wireless,info E4:XX@wifi2 roamed to E4:XX@wifihapaxlite, signal strength -47
 15:33:42 wireless,info E4:XX@wifihapaxlite disconnected, connection lost, signal strength -39
 15:33:45 wireless,info E4:XX@wifihapaxlite connected, signal strength -44

In some cases I also have:

 15:33:45 dhcp,info dhcp deassigned 192.168.1.20 for E4:XX HUAWEI_P20
 15:33:45 dhcp,info dhcp assigned 192.168.1.20 for E4:XX HUAWEI_P20

The same happens also in the other way (from hapaxlite to hapax3)

infabo · Fri Jan 26, 2024 5:15 pm

oh i'm sorry too, overlooked the different ssids. But this is indeed very strange. It may be because of your "connect-priority=0/1" setting that causes the "disconnect" entries. Try to unset and use the default (accept/hold equal)

/interface/wifi/security/unset value-name=connect-priority wifisec_FT

ips · Fri Jan 26, 2024 10:16 pm

That was the original setting. Nonetheless, I tried to disable connect-priority, without any change. It still disconnect after 10s and it reconnects in a couple of seconds.
Does anybody know how to debug/collect additional information of what happen in those seconds?

kravemir · Sat Jan 27, 2024 9:17 am

The phone roams from ax3 to ax lite -> after 10s, it disconnects from the hap ax lite -> after 2-3s it connects to the hap ax lite

When phone roams is purely client's decision. The 10s number is quite good. The NetworkManager in Linux configures wpa_supplicant to quite bad values - to initiate roaming possibility discovery only when signal is very very bad.

The fact, that phone roamed successfully, but then disconnects and reconnects indicates, that you have L2 or L3 issues in your network.

Do you have RSTP enabled on all your routers and switches?

One device should have high bridge priority - I choose main/central/edge router to have the highest bridge priority (the lowest value = the highest priority) to ensure it becomes the root bridge.

As this requires troubleshooting your network/setup/devices, it's better to open a new thread than to hijack existing thread. It may be completely off topic. And, if it's resolved successful and there's something missing in this thread, then just add results to this thread.

ips · Sat Jan 27, 2024 10:38 am

Yes, you are right. I'll open a new thread and I will have a look at those points in the meanwhile.
Thanks.

ips · Wed Jan 31, 2024 4:10 pm

I come back here to report of what happen when FT is disabled: basically roaming now works perfectly for different clients.
Another user reported that roaming works also when FT is disabled (and that disabling FT fixed a problem of one of her/his iPhones).

For details: viewtopic.php?t=203935

infabo · Thu Feb 01, 2024 11:03 am

I would like to see the hostname as it was in the legacy wireless registration table. This is a pita.

tinodj · Fri Mar 15, 2024 10:19 pm

set ft=yes and ft-over-ds=yes in security profile to enable 802.11r fast BSS transitions (roaming),

Wondering why these parameters exist at two places - configuration and security. When enabled in security it works great, but when enabled in configuration then it makes troubles in stability and roaming does not work at all. Can anyone explain?

whatever · Sat Mar 16, 2024 10:13 am

Wondering why these parameters exist at two places - configuration and security.

Interface > Configuration > security profile

You can configure the parameters anywhere you like. Interface parameters overwrite everything else, if you are using a configuration profile you can overwrite specific settings of the referred security profile.

Contrary to your observations, the result will be the same in any case. It's only a matter of how you want to organize your configuration.

anav · Sat Mar 16, 2024 5:28 pm

Concur, the setup process and menu selections are not intuitive and its easy to get lost, ( especially how there are hidden defaults etc. )
I am not a fan of how they have chosen to give flexibility, or more accurately how clear it is to the admin, what is actually configured.
Dont feel bad, you are not alone, all these so called wifi experts dont have a clue about proper MMI.

infabo · Sat Mar 16, 2024 5:36 pm

easy, /interface/wifi/actual-configuration print

tinodj · Sat Mar 16, 2024 7:50 pm

Wondering why these parameters exist at two places - configuration and security.
Interface > Configuration > security profile

You can configure the parameters anywhere you like. Interface parameters overwrite everything else, if you are using a configuration profile you can overwrite specific settings of the referred security profile.

Contrary to your observations, the result will be the same in any case. It's only a matter of how you want to organize your configuration.

Well, using capsman, when I enable FT on configuration (which there is not shown under security at least in webfig not) while having selected in security some already predefined security profile, it does not work. However, when I go in the security profile and define FT there then it works.

Maybe it is just unintuitive and maybe FT in configuration should be under security, and probably once you have security profile defined there in configuration then whet is under FT in configuration is not taken in account, it is rewritten by the security profile chosen.

But of course I am not alone on this one, just found this:

viewtopic.php?p=993564#p993564

infabo · Sat Mar 16, 2024 10:56 pm

time to show off....your configuration. all speculation

whatever · Sat Mar 16, 2024 11:32 pm

let me rephrase that: The result _should_ be the same.
It it isn't, you may want to report a bug to Mikrotik support.

Who is online