any fix yet for Macbook Pro 2016-2017 not working with hAP ax3 wifi?

Hi, everyone–

I kinda wish I had read the forum before buying the hAP ax3, but there was no way to know I’d get hit by this problem before actually getting hit by it.

I’d read these threads and have pretty much the same problem: an Apple Macbook Pro 2016-2017 will not work with the hAP ax3’s wifi, and every other device I have works fine, including a newer iPhone SE 2nd Generation. Sadly, the Macbook Pro 13in. “late 2016” I have is my only laptop and will be for a while since it has $1000 of music production software on it, so I do have to figure this issue out soon.

This thread is the closest to my situation:

http://forum.mikrotik.com/t/apple-macbook-issues-with-5ghz-wi-fi/162045/1

“What happens - I connect the WiFi and after a minute or a few seconds, it is auto disconnected from the MikroTik. However, the WiFi on the Mac says it’s still connected, but when I try to browse, there is no internet connection. Pinging my router also does not work.”

That is exactly what happens to me. I’d add that eventually, the Macbook Pro figures out that the wifi connection is no good, and then it goes into a lengthy re-connect attempt before finally giving up. I can then manually re-connect it, and it will work for a minute or two, and then it will fail in the same way again.

I tried this tip, but it unfortunately doesn’t work for me: http://forum.mikrotik.com/t/apple-macbook-issues-with-5ghz-wi-fi/162045/1

"If it the “new” wifiwave2 drivers, those screenshots should work. The most important setting is to set your country correctly (and as here you need to check right boxes in the security tab).

On the older drivers, it’s critical that the distance=indoors is set on the wireless interfaces & the group key timeout is 1:00:00 (default was lower in “old” drivers) for it work on a Mac."

I am pretty sure I do not have the wifiwave2 drivers and am using the bone stock “old wifi” drivers. I suspect this advice would work for most Macs, just not mine.

I seem to be having the same problem as these two other posters in that the specific model years of Macbook Pro, the “late 2016/early 2017” models, just don’t work:

http://forum.mikrotik.com/t/apple-macbook-issues-with-5ghz-wi-fi/162045/1

http://forum.mikrotik.com/t/apple-12-macbook-2017-to-hap-ax2-via-2ghz-and-5ghz-drops-during-large-data-transfer/164948/1

Note that one of them tried a Macbook Pro 2019 and it did work…

I suspect it is the chipset in the Macbook Pro 2016-2017 that just doesn’t like the hAP ax3 (and probably not the ax2 either). I suppose I can test this if I got a macos-compatible USB wifi adapter and used it with this Macbook Pro and the hAP ax3.

Oh, I should add that my same Macbook Pro 13in late-2016 works fine with an hAP ac2 on 5GHz.

I also seem to be having the same problem with this Macbook Pro and the hAP ax3 on the 2.4GHz radio, but it seems to go for much longer (around 10 minutes) before it loses the connection. It is likely similar to this other thread: http://forum.mikrotik.com/t/apple-12-macbook-2017-to-hap-ax2-via-2ghz-and-5ghz-drops-during-large-data-transfer/164948/1

I have not tried shutting off the 5GHz radio and turning the 2.4GHz radio down to N mode since that is worse than my older hAP ac2 can provide (might as well return the hAP ax3 and keep the hAP ac2).

But, I’d like to keep the hAP ax3, so I’m game to help figure this out with whatever debugging is needed.

My config. I started with a factory default with AP QuickSet and configured only the LAN and WAN networking and the WiFi SSIDs. The Macbook Pro didn’t work, but all the other devices did on the factory default. I’ve since then changed a few settings per what I read online, trying to change as few settings per test loop at a time. What you see below is where I currently am at, but I have not fixed this issue even once.

# 2024-02-08 20:52:40 by RouterOS 7.13.4
# software id = 3003-87TI
#
# model = C53UiG+5HPaxD2HPaxD
# serial number =
/interface bridge
add admin-mac=48:A9:8A:56:01:51 auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.antenna-gain=6 .country="United States" .mode=ap .ssid=\
    mywifi5 disabled=no security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0 .group-key-update=1h
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac .width=20/40mhz configuration.antenna-gain=6 .country="United States" .mode=ap .ssid=mywifi2 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.138.100-192.168.138.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.138.1/24 comment=defconf interface=bridge network=192.168.138.0
add address=192.168.89.2/24 interface=ether1 network=192.168.89.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.138.0/24 comment=defconf dns-server=192.168.138.1 gateway=192.168.138.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.89.1
/ip dns static
add address=192.168.138.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Los_Angeles
/system logging
add topics=debug,wireless
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

In the wireless, debug log, it just looks like a four-step sequence over and over:
associated
connected
disconnected
disassociated


Thanks in advance for any help!

Plenty of people here use that generation of macbook without issue, so it must be either a macOS config issue or ROS config issue. Try and configurre OS as 5ghz-ac and remove WPA3 and see how it works then.

That’s good to hear–there’s some hope for me then!

I did try removing WPA3 already on both 5G and 2.4G so that only WPA2 was left.
I also tried removing WPA2 so that only WPA3 was left (also on both 5G and 2.4G).
No improvement. I tried to keep all other settings equal when doing this particular test (that was the only change). It is possible that some other setting should have been changed along with the WPA2 or WPA3 test.

I will try stepping down to 5Ghz-AC, but that kind of defeats the purpose of upgrading from an hAP ac2 to an hAP ax3 (I have other newer devices with AX capability–this Mac is AC at best)… I’ll do it for diagnostic purposes, of course.

Thanks! I’ll report back after some testing.

Oh, I forgot to mention: I have several routers on hand (I am an IT professional). I’ll test this specific Mac with at least one other AX router (Gl-inet) too.

No luck stepping it down from 5GHz-AX to 5Ghz-AC. It just failed in the same way after a few minutes.

Here is the current wifi config that doesn’t work yet:

/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ac .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.antenna-gain=6 .country="United States" .mode=ap .ssid=\
    mywifi5 disabled=no security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0 .group-key-update=1h
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac .width=20/40mhz configuration.antenna-gain=6 .country="United States" .mode=ap .ssid=mywifi2 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0 .group-key-update=1h

Next I will try WPA2-only with 5GHz-AC only.

When macbook has connected, hold “option” on the keyboard while clicking on the wifi icon in top-right corner of the screen. It will show more details about the connection

Thanks, normis–
Doing so confirms it is connected at 5GHz AC (but that’s no surprise, since the highest this Macbook Pro can go is 5GHz AC).

Interestingly, it says it’s connected using WPA3 Personal, but I have unchecked the box for all WPA3 on the hAP ax3 5GHz radio, leaving only WPA2 PSK checked. Is the Mac lying?

The other info is:

Channel 149 (5GHz, 80MHz)
Country Code: US
RSSI: -46dBm
Noise: -92dBm
TX Rate: 585 Mbps
PHY Mode: 802.11ac
MCS Index: 7
NSS: 1

OK so this could be the cause. MacBooks sometimes remember old config, even if you changed it. Try another SSID. It will think it’s a new network and will reconsider the settings.

Interesting. I read that in one of the other posts, but I thought it would be enough to remove the SSID from the “Advanced” tab of the Wifi Config in MacOS.

Are you saying I actually have to change the SSID in the hAP ax3? That’s not hard, but I have not tried it once yet during my testing. I’d only deleted the remembered SSIDs from the Mac between tests.

Yes, macOS is very stubborn. If you joined a SSID with WPA3, it will try it again, no matter if you removed it from recently used SSIDs.
Just for sake of experiment, set a new SSID in the hAP device

Understood, and thanks.

I have done so just now. The new SSID is test15. I confirm that the Mac says WPA2 Personal and 5GHz-ac. Current config is:

/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ac .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.antenna-gain=6 .country="United States" .mode=ap .ssid=test15 \
    disabled=no security.authentication-types=wpa2-psk .connect-priority=0 .group-key-update=1h
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac .width=20/40mhz configuration.antenna-gain=6 .country="United States" .mode=ap .ssid=mywifi2 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0 .group-key-update=1h

It’s late here, so I will put it on streaming music, and if it makes it through the night, then it is a huge success. After that I will try 5GHz-ax with WPA2 Personal. Thanks again!

Darn, no luck with 5GHz-ac with WPA2 PSK only (confirmed on the Mac side too).
It just cut off the streaming radio music a few minutes in.

I’ll pick this up tomorrow–any other suggestions are welcome! I’d like to fix this and document it here for anyone else having the same problem.

I tried wiping out the Mac’s network settings by destroying the Preferences files. No improvement.

I tried destroying the Location and creating a new one, then destroying all the network-related Preferences files. So far, it’s doing better (I had one hiccup at the start but the connection has been running okay so far–I’m running a continuous ping to 8.8.8.8 and it seems to be okay).

Stepping back up to 5GHz-ax with WPA2 PSK only to see how it goes…

There is a chance the continuous ping is acting as a keepalive somehow; I will also run the test without the ping.

Try to disable skip-dfs and pick lowest 5Ghz channel. the issue with disconnecting could be related with skipping dfs channels and (for some reason) not connecting to other channel (maybe?).

Thanks, EternalNet. Yeah, it does look like it could be related to channel-skipping. It feels like there’s an element of randomness going on…

I will test that next. Right now, I am trying to get back to a working state based only on what I did earlier.

I added back 5GHz-ax, and that seemed to be fine (the Group Key Update was 01:00:00 and it was WPA2 PSK only).
Then, I removed the Group Key Update 01:00:00, and that seemed okay.
Then, I added back WPA3 PSK, and it broke almost right away.

The continuous ping probably also isn’t serving as a keepalive, since I was able to break the wifi even while the continuous ping was running. It’s a good forward indicator of when the connection actually fails, though. As soon as the ping fails, I know the wifi is down even if it thinks it’s not.

Anyway, I turned off WPA3 PSK and put back the Group Key Update 01:00:00, but now I’m having to mess with the Mac to try to get back to a working state. The three things I’m trying that seemed to work before were:

1. Delete the saved SSID
2. Create a new Location, destroy the old one.
3. Remove the network-related Preferences files and reboot

Combine that with renaming the SSID on the hAP ax3 and that seemed to get me to a stable working state. Trying it again now…

• There is a fourth trick for Mac users: remove the Wifi interface and re-add it. I have not done that even once yet during my testing.

Here’s the config that was working stably for at least a couple of hours until I broke it by removing group-key-update=1h and adding back WPA3 PSK:

/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.antenna-gain=6 .country="United States" .mode=ap .ssid=test15 \
    disabled=no security.authentication-types=wpa2-psk .connect-priority=0 .group-key-update=1h
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac .width=20/40mhz configuration.antenna-gain=6 .country="United States" .mode=ap .ssid=mywifi2 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk

I am going to have to rename test15 to something else now. The Mac seems determined to remember the SSID no matter what. I suspect that my iPhone is sharing its remembered networks with the Macbook Pro… To keep the iPhone from interfering, I will not join it to the new SSID name.

Okay, I’m back where I was when it was stable, but it’s not stable, so next test: EternalNet’s suggestions, one at a time.

First, turn off skip-dfs-channels.

This is the current config I am testing:

/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=disabled .width=20/40/80mhz configuration.antenna-gain=6 .country="United States" .mode=ap .ssid=test25 \
    disabled=no security.authentication-types=wpa2-psk .connect-priority=0 .group-key-update=1h
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac .width=20/40mhz configuration.antenna-gain=6 .country="United States" .mode=ap .ssid=mywifi2 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk

No luck with just disabling skip-dfs-channels. So far, the Mac’s wifi info shows it has been using DFS, 100 (5GHz, 80MHz) for all of this time since I disabled skip-dfs-channels.

Now trying the second tip from EternalNet: set the channel to a low one.

I’ve run into a problem, though: when I try to select the Channel in the drop-down in WebFig, the drop-down is empty (nothing to choose from).
I’m guessing I’ll have to set it using the Terminal or WinBox… UPDATE: Under WinBox, Channel = unknown.

Hmm. It occurred to me that I might have better lucky trying the wifiwave2 drivers that others have written about…

I use Ruckus AP in my production and WPA-3 also sucks.
Turned off and things go smoother for older and newer WiFi cards … no Macs but the effect was immediate.

Thanks, BartozP-- I won’t try WPA3 again (no real need for it, as opposed to max throughput and lowest latency).


Here’s another wrench in the works. My Windows PC has always been fine with the 5GHz-ax connection regardless of the tweaking of the settings for the Mac. While running WinBox over the 5GHz-az wifi, WinBox suddenly lost the connection to the hAP ax3 and then reconnected quickly on its own. I wasn’t making changes and was just watching the traffic graph. Is that normal? I have never seen that happen on my other two MIkrotik devices (except when deliberately making changes such as changing the wifi settings or rebooting the device).

Another strange clue with the Mac’s failure. Now, when it loses the wifi connection, if I try to manually force it to reconnect to the SSID test25, sometimes it can’t even see the SSID for a minute. If I keep waiting long enough, it will eventually see the SSID again and can re-connect (and then fail again). Also, the failures, when they happen, are super-fast (within a few seconds, whereas it used to take about 1 to 2 minutes to as many as 5 minutes before the connection failed.

This is the current config–it’s bad. I’m not sure how the connect-priority=0 got in there. Gonna remove that next.

/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=disabled .width=20/40/80mhz configuration.antenna-gain=6 .country="United States" .mode=ap .ssid=test25 \
    disabled=no security.authentication-types=wpa2-psk .connect-priority=0 .group-key-update=1h
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac .width=20/40mhz configuration.antenna-gain=6 .country="United States" .mode=ap .ssid=mywifi2 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk

Removing connect-priority=0 didn’t make a difference on the Mac, but it wasn’t there when it was stable before, so I got rid of it.

Anybody know what to look for in the macOS wifi.log files? I will start checking those and correlating timestamps to wifi failures.