Hi, I have been using capsman with 2 access points for a long time… one in the Basement and the other on the main floor of my house.
Everything works as expected except that my Iphones lose Internet access all the time… I turn off wifi and reactivate it 5 seconde later then I am good for a few hours.
Setup: RB5009….. 7.22.2
2 x cap ax. 7.22.2
The aps are almost of top of each other.
Can it cause that kind of behaveour ?
This may not be a question of positioning. It seems that others are having troubles with iphones at the moment. Do a search on the forum and have a look at the announcement thread for your version of RouterOS
Can you share the config?
/export file=anynameyoulike
Remove serial and any other private info.
(or at least the /interface/wifi export)
Hi, Here is the export file…
Since new users are not allowed to Upload, I will simply copy the content :
# 2026-05-11 07:32:34 by RouterOS 7.22.2
# software id = RCZE-B8E4
#
# model = RB5009UPr+S+
# serial number = < serial number removed by mod >
/interface bridge
add admin-mac=78:9A:18:D6:11:5B auto-mac=no name=bridge
/interface ethernet
set \[ find default-name=ether1 \] l2mtu=1514 name="ETH1 - WAN for PPPoE"
set \[ find default-name=ether2 \] l2mtu=1514 name="ETH2"
set \[ find default-name=ether3 \] l2mtu=1514 name="ETH3"
set \[ find default-name=ether4 \] l2mtu=1514 name="ETH4 - CAP"
set \[ find default-name=ether5 \] l2mtu=1514 name="ETH5 - CAP"
set \[ find default-name=ether6 \] l2mtu=1514
set \[ find default-name=ether7 \] l2mtu=1514
set \[ find default-name=ether8 \] l2mtu=1514
set \[ find default-name=sfp-sfpplus1 \] advertise="1G-baseT-half,1G-baseT-full,
1G-baseX,2.5G-baseT,2.5G-baseX,5G-baseT,10G-baseT,10G-baseSR-LR,10G-baseCR
" l2mtu=1514 name="sfp-Uplink from Cisco"
/interface pppoe-client
add add-default-route=yes comment=
"PPPoE Automatic Generated Interface User: B12S8BH9 Pass: Canada12"
disabled=no interface="ETH1 - WAN for PPPoE" name=
"Bell - PPPoE connextion" use-peer-dns=yes user=B12S8BH9
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=5ghz-ax disabled=no name="NEW - 5GHZ-AUTO" skip-dfs-channels=all
width=20/40/80mhz
add band=2ghz-ax disabled=no name="NEW - 2GHZ::AUTO" width=20/40mhz
add band=2ghz-n disabled=no name="2G - Borne" width=20mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no eap-methods=tls
encryption=ccmp,gcmp ft=yes ft-over-ds=yes name=RF_SEC_PROFILE
add authentication-types=wpa2-psk disabled=no eap-methods=tls encryption=ccmp
name=Borne
/interface wifi configuration
add channel="NEW - 2GHZ::AUTO" country=Canada datapath.bridge=bridge
.client-isolation=no disabled=no installation=indoor
interworking.realms-raw="" mode=ap name=Config_2G security=RF_SEC_PROFILE
security.eap-methods=tls .ft=yes .ft-over-ds=yes .ft-preserve-vlanid=no
ssid=RF_NET tx-power=40
add channel="NEW - 5GHZ-AUTO" country=Canada datapath.bridge=bridge
.client-isolation=no disabled=no installation=indoor
interworking.realms-raw="" mode=ap name=Config_5G security=RF_SEC_PROFILE
security.authentication-types="" .disable-pmkid=no .eap-accounting=no
.eap-methods=tls .ft=yes .ft-over-ds=yes .ft-preserve-vlanid=no ssid=
RF_NET tx-power=40
add channel="2G - Borne" country=Canada datapath.bridge=bridge
.client-isolation=no disabled=no installation=indoor
interworking.realms-raw="" mode=ap name=2G_Tesla security=Borne
security.authentication-types="" .eap-methods=tls .encryption="" .ft=yes
.ft-over-ds=yes .ft-preserve-vlanid=no ssid=RF_NET_B tx-power=40
/interface wifi
# operated by CAP D4:01:C3:D9:A6:89%bridge, traffic processing on CAP
add channel="NEW - 5GHZ-AUTO" configuration=Config_5G configuration.mode=ap
disabled=no interworking.realms-raw="" name="cap-Basement 5G" radio-mac=
D4:01:C3:D9:A6:8B security=RF_SEC_PROFILE security.eap-methods=tls
# operated by CAP 48:A9:8A:A8:F2:34%bridge, traffic processing on CAP
add channel="NEW - 5GHZ-AUTO" configuration=Config_5G configuration.mode=ap
disabled=no interworking.realms-raw="" name="cap-RC 5G" radio-mac=
48:A9:8A:A8:F2:36 security=RF_SEC_PROFILE security.eap-methods=tls
/interface wireless security-profiles
set \[ find default=yes \] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=10.50.101.1-10.50.101.200
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1w name=defconf
/queue type
add kind=pfifo name=PCQ_PPPOE_DL
add kind=pfifo name=PCQ_PPPOE_UL
/ppp profile
set \*0 queue-type=PCQ_PPPOE_DL/PCQ_PPPOE_UL
/user group
add name=MGT policy="ssh,reboot,read,write,policy,test,winbox,password,web,sni
ff,sensitive,api,romon,rest-api,!local,!telnet,!ftp"
/certificate settings
set crl-download=yes crl-store=system crl-use=yes
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge comment=defconf interface="ETH2"
add bridge=bridge comment=defconf interface="ETH3"
add bridge=bridge comment=defconf interface="ETH4 - CAP"
add bridge=bridge comment=defconf interface="ETH5 - CAP"
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface="sfp-Uplink from Cisco"
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=all lan-interface-list=
LAN wan-interface-list=WAN
/interface list member
add interface=bridge list=LAN
add interface="Bell - PPPoE connextion" list=WAN
/interface wifi access-list
add action=reject comment="Flush weak clients" disabled=no interface=dynamic
signal-range=-90..-120
add action=accept comment="Accept Strong" disabled=no interface=
"cap-Basement 5G"
add action=accept comment="Accept Strong" disabled=no interface="cap-RC 5G"
add action=reject comment="Kick-out roaming" disabled=no interface=\*11
signal-range=-90..-120
add action=reject comment="Kick-out roaming" disabled=no interface=\*16
signal-range=-78..-120
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=bridge
package-path="" require-peer-certificate=no upgrade-policy=
suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=Config_2G
name-format=CAP radio-mac=00:00:00:00:00:00 slave-configurations=2G_Tesla
add action=create-dynamic-enabled disabled=no master-configuration=Config_2G
name-format="CAP-Basement 2G" radio-mac=D4:01:C3:D9:A6:8C
slave-configurations=2G_Tesla slave-name-format="SEC-CAP-Basement 2G"
add action=create-dynamic-enabled disabled=no master-configuration=Config_2G
name-format="CAP-RC 2G" radio-mac=48:A9:8A:A8:F2:37 slave-configurations=
2G_Tesla slave-name-format="SEC-CAP-RC 2G"
/ip address
add address=10.50.101.254/24 comment=defconf interface=bridge network=
10.50.101.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server lease
add address=10.50.101.222 client-id=1:54:bf:64:a3:f8:cf mac-address=
54:BF:64:A3:F8:CF server=defconf
add address=10.50.101.237 client-id=1:94:fb:a7:12:1:58 mac-address=
94:FB:A7:12:01:58 server=defconf
add address=10.50.101.236 client-id=1:ac:cc:8e:a8:d6:15 mac-address=
AC:CC:8E:A8:D6:15 server=defconf
add address=10.50.101.239 mac-address=00:D0:89:1D:83:8D server=defconf
add address=10.50.101.26 client-id=1:bc:24:22:fa:71:68 mac-address=
BC:24:22:FA:71:68 server=defconf
add address=10.50.101.37 client-id=
ff:ca:53:9:5a:0:2:0:0:ab:11:f1:25:62:6d:e9:dd:e3:6a mac-address=
BC:24:22:54:C9:14 server=defconf
add address=10.50.101.59 client-id=1:0:46:b8:2d:b7:a4 mac-address=
00:46:B8:2D:B7:A4 server=defconf
add address=10.50.101.251 client-id=1:8:bf:b8:c3:2a:d4 mac-address=
08:BF:B8:C3:2A:D4 server=defconf
add address=10.50.101.23 mac-address=9C:8E:99:04:47:38 server=defconf
/ip dhcp-server network
add address=10.50.101.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4
gateway=10.50.101.254
/ip dns
set allow-remote-requests=yes cache-size=8192KiB doh-max-concurrent-queries=
200 max-udp-packet-size=1232 servers=8.8.4.4,8.8.8.8
/ip firewall filter
add action=accept chain=forward connection-nat-state=dstnat dst-port=554 log=
yes log-prefix="FWD_RULE 554" protocol=tcp
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward disabled=yes dst-port=5555 log=yes protocol=
tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="LPR CAM" disabled=yes dst-port=8008
log=yes log-prefix="LPR CAM" protocol=tcp to-addresses=10.50.101.10
to-ports=80
add action=dst-nat chain=dstnat comment=ICT_GX_SOAP dst-port=8888 log=yes
log-prefix=GX_SOAP protocol=tcp to-addresses=10.50.101.18 to-ports=8030
add action=dst-nat chain=dstnat comment="CLOUD CAM" dst-port=8077 log=yes
log-prefix=CLOUD_CAM protocol=tcp to-addresses=10.50.101.59 to-ports=80
add action=dst-nat chain=dstnat comment="CLOUD CAM - RTSP" dst-port=8554 log=
yes log-prefix=CLOUD_CAM_RTSP protocol=tcp to-addresses=10.50.101.59
to-ports=554
add action=dst-nat chain=dstnat comment="SSH to ARK-Linux" disabled=yes
dst-port=9922 log=yes log-prefix=AXXON protocol=tcp to-addresses=
10.50.101.50 to-ports=22
add action=dst-nat chain=dstnat comment="SSH Local Srkivnet" disabled=yes
dst-port=9922 in-interface="ETH1 - WAN for PPPoE" log=yes log-prefix=
"SSH - ARKIVNET - LOCAL" protocol=tcp routing-mark=main src-port=9922
to-addresses=10.50.101.50 to-ports=22
/ip firewall raw
add action=drop chain=prerouting comment=IPS-drop_in_bad_traffic disabled=yes
src-address-list=Suricata
add action=drop chain=prerouting comment=IPS-drop_out_bad_traffic disabled=
yes dst-address-list=Suricata.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip service
set ftp disabled=yes
set ssh address=10.50.101.0/24
set telnet disabled=yes
set www disabled=yes
set api address=10.50.101.0/24
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute"
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1"
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=
!LAN
/ipv6 firewall raw
add action=drop chain=prerouting comment=IPS-drop_in_bad_traffic
src-address-list=Suricata
add action=drop chain=prerouting comment=IPS-drop_out_bad_traffic
dst-address-list=Suricata
/snmp
set trap-generators="" trap-target=10.50.101.30 trap-version=3
/system clock
set time-zone-name=America/Toronto
/system logging
add action=\*6 disabled=yes topics=info,error,dhcp,wireless,critical
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.ca.pool.ntp.org
add address=1.ca.pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface="ETH1 - WAN for PPPoE,Bell - PPPoE connextion"
filter-ip-protocol=tcp filter-port=8554 streaming-server=10.50.101.79