Ax3 upgrades from 7.19.3 to 7.20.2 broke 5ghz wifi!

Ugh! I had to stick my fingers in it.

I upgrade an ax3 from 7.19.3 to 7.20.2.

All was working great at 7.19.3.

Now, I can’t connect to any of the 5ghz SSIDs.

I tried changing from AX to AC, I tried changing “Skip DFS Channels,” I tried connecting from multiple devices.

Then I tried running a wifi scan from another ax3 and it saw my 5ghz SSIDs – Sure seems like that means the primary ax3 was sending out announcements of its existance.

So I downgraded back to 7.19.3 and still my devices won’t connect. And still the other ax3 see the 5ghz SSIDs.

Can someone please help?

Here’s the export:

# 2025-10-26 13:19:58 by RouterOS 7.19.3
# software id = 5NRD-V1QF
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HDG0
/interface bridge
add admin-mac=48:A9:8A:0F:04:8F ageing-time=5m arp=enabled arp-timeout=auto \
    auto-mac=no comment=defconf dhcp-snooping=no disabled=no fast-forward=yes \
    forward-delay=15s igmp-snooping=no max-learned-entries=auto \
    max-message-age=20s mtu=auto mvrp=no name=bridge port-cost-mode=short \
    priority=0x8000 protocol-mode=rstp transmit-hold-count=6 vlan-filtering=\
    no
/interface ethernet
set [ find default-name=ether1 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full,2.5G-baseT" arp=\
    enabled arp-timeout=auto auto-negotiation=yes bandwidth=\
    unlimited/unlimited comment="To RB5009" disabled=no l2mtu=1568 \
    loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=48:A9:8A:0F:04:8E mtu=1500 \
    name=ether1 orig-mac-address=48:A9:8A:0F:04:8E poe-out=off poe-priority=\
    10 power-cycle-interval=none !power-cycle-ping-address \
    power-cycle-ping-enabled=no !power-cycle-ping-timeout rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether2 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    disabled=no l2mtu=1568 loop-protect=default loop-protect-disable-time=5m \
    loop-protect-send-interval=5s mac-address=48:A9:8A:0F:04:8F mtu=1500 \
    name=ether2 orig-mac-address=48:A9:8A:0F:04:8F rx-flow-control=off \
    tx-flow-control=off
set [ find default-name=ether3 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment="TV - JRS-SRN" disabled=no l2mtu=1568 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    48:A9:8A:0F:04:90 mtu=1500 name=ether3 orig-mac-address=48:A9:8A:0F:04:90 \
    rx-flow-control=off tx-flow-control=off
set [ find default-name=ether4 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment=TV disabled=no l2mtu=1568 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    48:A9:8A:0F:04:91 mtu=1500 name=ether4 orig-mac-address=48:A9:8A:0F:04:91 \
    rx-flow-control=off tx-flow-control=off
set [ find default-name=ether5 ] advertise="10M-baseT-half,10M-baseT-full,100M\
    -baseT-half,100M-baseT-full,1G-baseT-half,1G-baseT-full" arp=enabled \
    arp-timeout=auto auto-negotiation=yes bandwidth=unlimited/unlimited \
    comment=OffBridge disabled=no l2mtu=1568 loop-protect=default \
    loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    48:A9:8A:0F:04:92 mtu=1500 name=ether5 orig-mac-address=48:A9:8A:0F:04:92 \
    rx-flow-control=off tx-flow-control=off
/interface wifi
set [ find default-name=wifi1 ] arp-timeout=auto channel.band=5ghz-ax \
    .skip-dfs-channels=disabled .width=20/40/80mhz configuration.country=\
    "United States" .mode=ap .ssid=Upstairs5g-0F0493 disabled=no l2mtu=1560 \
    mac-address=48:A9:8A:0F:04:93 name=wifi1 radio-mac=48:A9:8A:0F:04:93 \
    security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] arp-timeout=auto channel.band=2ghz-ax \
    .secondary-frequency=2412 .skip-dfs-channels=disabled .width=20mhz \
    configuration.country="United States" .mode=ap .ssid=Upstairs-2G-0F0494 \
    disabled=no l2mtu=1560 mac-address=48:A9:8A:0F:04:94 name=wifi2 \
    radio-mac=48:A9:8A:0F:04:94 security.authentication-types=wpa2-psk \
    .connect-priority=0/1 .disable-pmkid=yes .ft=yes .ft-over-ds=yes \
    .management-protection=disabled
/queue interface
set bridge queue=no-queue
/interface wifi
add arp-timeout=auto configuration.mode=ap .ssid=2point4 disabled=no l2mtu=\
    1560 mac-address=4A:A9:8A:0F:04:93 master-interface=wifi2 mtu=1500 name=\
    2point4 security.authentication-types=wpa2-psk .connect-priority=0/1 \
    .disable-pmkid=yes .ft=yes .ft-over-ds=yes .management-protection=\
    disabled
add arp-timeout=auto comment=JRS-Upstairs configuration.mode=ap .ssid=\
    JRS-Upstairs disabled=no l2mtu=1560 mac-address=4A:A9:8A:0F:04:94 \
    master-interface=wifi1 name=JRS-Upstairs security.authentication-types=\
    wpa2-psk .disable-pmkid=yes .management-protection=disabled
add arp-timeout=auto configuration.mode=ap .ssid=blueberries disabled=yes \
    l2mtu=1560 mac-address=4A:A9:8A:0F:04:96 master-interface=wifi1 name=\
    blueberries security.authentication-types=wpa2-psk .disable-pmkid=yes \
    .management-protection=disabled
/interface ethernet switch
set 0 !cpu-flow-control mirror-source=none mirror-target=none name=switch1
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
/interface ethernet switch port-isolation
set 0 !forwarding-override
set 1 !forwarding-override
set 2 !forwarding-override
set 3 !forwarding-override
set 4 !forwarding-override
set 5 !forwarding-override
/interface list
set [ find name=all ] comment="contains all interfaces" exclude="" include="" \
    name=all
set [ find name=none ] comment="contains no interfaces" exclude="" include="" \
    name=none
set [ find name=dynamic ] comment="contains dynamic interfaces" exclude="" \
    include="" name=dynamic
set [ find name=static ] comment="contains static interfaces" exclude="" \
    include="" name=static
add comment=defconf exclude="" include="" name=WAN
add comment=defconf exclude="" include="" name=LAN
add exclude="" include=all name=TRUSTED
/interface lte apn
set [ find default=yes ] add-default-route=yes apn=internet authentication=\
    none default-route-distance=2 ip-type=auto name=default use-network-apn=\
    yes use-peer-dns=yes
/interface macsec profile
set [ find default-name=default ] name=default server-priority=10
/ip dhcp-client option
set clientid_duid code=61 name=clientid_duid value="0xff\$(CLIENT_DUID)"
set clientid code=61 name=clientid value="0x01\$(CLIENT_MAC)"
set hostname code=12 name=hostname value="\$(HOSTNAME)"
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
    flash/hotspot html-directory-override="" http-cookie-lifetime=3d \
    http-proxy=0.0.0.0:0 install-hotspot-queue=no login-by=cookie,http-chap \
    name=default smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=yes address-list="" idle-timeout=none \
    !insert-queue-before keepalive-timeout=2m mac-cookie-timeout=3d name=\
    default !parent-queue !queue-type shared-users=1 status-autorefresh=1m \
    transparent-proxy=no

/ip pool
add comment=offbridge-dhcp-server name=offbridge-dhcp-server ranges=\
    192.168.55.100-192.168.55.200
/ip dhcp-server
# Interface not running
add address-lists="" address-pool=offbridge-dhcp-server comment=\
    offbridge-dhcp-server disabled=no interface=ether5 lease-script="" \
    lease-time=30m name=offbridge-dhcp-server use-radius=no use-reconfigure=\
    no
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=pcq name=pcq-upload-default pcq-burst-rate=0 pcq-burst-threshold=0 \
    pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 \
    pcq-dst-address6-mask=128 pcq-limit=50KiB pcq-rate=0 \
    pcq-src-address-mask=32 pcq-src-address6-mask=128 pcq-total-limit=2000KiB
set 6 kind=pcq name=pcq-download-default pcq-burst-rate=0 \
    pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address \
    pcq-dst-address-mask=32 pcq-dst-address6-mask=128 pcq-limit=50KiB \
    pcq-rate=0 pcq-src-address-mask=32 pcq-src-address6-mask=128 \
    pcq-total-limit=2000KiB
set 7 kind=none name=only-hardware-queue
set 8 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 9 kind=pfifo name=default-small pfifo-limit=10
/queue interface
set ether1 queue=only-hardware-queue
set ether2 queue=only-hardware-queue
set ether3 queue=only-hardware-queue
set ether4 queue=only-hardware-queue
set ether5 queue=only-hardware-queue
set "2point4" queue=wireless-default
set JRS-Upstairs queue=wireless-default
set blueberries queue=wireless-default
set wifi1 queue=wireless-default
set wifi2 queue=wireless-default

/snmp community
set [ find default=yes ] addresses=::/0 authentication-protocol=MD5 disabled=\
    no encryption-protocol=DES name=public read-access=yes security=none \
    write-access=no

/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w\
    eb,sniff,sensitive,api,romon,rest-api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa\
    ssword,web,sniff,sensitive,api,romon,rest-api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,\
    winbox,password,web,sniff,sensitive,api,romon,rest-api" skin=default
add name=HA policy="reboot,read,write,policy,test,api,!local,!telnet,!ssh,!ftp\
    ,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api" skin=default
/interface bridge port
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=yes interface=ether2 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=yes interface=ether3 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none hw=yes ingress-filtering=yes interface=ether4 \
    internal-path-cost=10 learn=auto multicast-router=temporary-query \
    mvrp-applicant-state=normal-participant mvrp-registrar-state=normal \
    path-cost=10 point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes comment=\
    defconf disabled=no edge=auto fast-leave=no frame-types=admit-all \
    horizon=none ingress-filtering=yes interface=wifi2 internal-path-cost=10 \
    learn=auto multicast-router=temporary-query mvrp-applicant-state=\
    normal-participant mvrp-registrar-state=normal path-cost=10 \
    point-to-point=auto priority=0x80 pvid=1 restricted-role=no \
    restricted-tcn=no tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes disabled=\
    no edge=auto fast-leave=no frame-types=admit-all horizon=none hw=yes \
    ingress-filtering=yes interface=ether1 internal-path-cost=10 learn=auto \
    multicast-router=temporary-query mvrp-applicant-state=normal-participant \
    mvrp-registrar-state=normal path-cost=10 point-to-point=auto priority=\
    0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=\
    no unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes disabled=\
    no edge=auto fast-leave=no frame-types=admit-all horizon=none \
    ingress-filtering=yes interface=2point4 internal-path-cost=10 learn=auto \
    multicast-router=temporary-query mvrp-applicant-state=normal-participant \
    mvrp-registrar-state=normal path-cost=10 point-to-point=auto priority=\
    0x80 pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=\
    no unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes disabled=\
    no edge=auto fast-leave=no frame-types=admit-all horizon=none \
    ingress-filtering=yes interface=wifi1 !internal-path-cost learn=auto \
    multicast-router=temporary-query mvrp-applicant-state=normal-participant \
    mvrp-registrar-state=normal !path-cost point-to-point=auto priority=0x80 \
    pvid=1 restricted-role=no restricted-tcn=no tag-stacking=no trusted=no \
    unknown-multicast-flood=yes unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes disabled=\
    no edge=auto fast-leave=no frame-types=admit-all horizon=none \
    ingress-filtering=yes interface=blueberries !internal-path-cost learn=\
    auto multicast-router=temporary-query mvrp-applicant-state=\
    normal-participant mvrp-registrar-state=normal !path-cost point-to-point=\
    auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no \
    tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
add auto-isolate=no bpdu-guard=no bridge=bridge broadcast-flood=yes disabled=\
    no edge=auto fast-leave=no frame-types=admit-all horizon=none \
    ingress-filtering=yes interface=JRS-Upstairs !internal-path-cost learn=\
    auto multicast-router=temporary-query mvrp-applicant-state=\
    normal-participant mvrp-registrar-state=normal !path-cost point-to-point=\
    auto priority=0x80 pvid=1 restricted-role=no restricted-tcn=no \
    tag-stacking=no trusted=no unknown-multicast-flood=yes \
    unknown-unicast-flood=yes
/interface bridge settings
set allow-fast-path=yes use-ip-firewall=no use-ip-firewall-for-pppoe=no \
    use-ip-firewall-for-vlan=no
/ip firewall connection tracking
set enabled=auto generic-timeout=10m icmp-timeout=10s loose-tcp-tracking=yes \
    tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=\
    1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m \
    udp-stream-timeout=3m udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED discover-interval=30s \
    lldp-mac-phy-config=no lldp-max-frame-size=no lldp-med-net-policy-vlan=\
    disabled lldp-poe-power=yes lldp-vlan-info=no mode=tx-and-rx protocol=\
    cdp,lldp,mndp
/ip settings
set accept-redirects=no accept-source-route=no allow-fast-path=yes \
    arp-timeout=30s icmp-errors-use-inbound-interface-address=no \
    icmp-rate-limit=10 icmp-rate-mask=0x1818 ip-forward=yes \
    ipv4-multipath-hash-policy=l3 max-neighbor-entries=16384 rp-filter=no \
    secure-redirects=yes send-redirects=yes tcp-syncookies=no tcp-timestamps=\
    random-offset
/ipv6 settings
set accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=\
    yes-if-forwarding-disabled allow-fast-path=yes disable-ipv6=no \
    disable-link-local-address=no forward=yes max-neighbor-entries=15360 \
    min-neighbor-entries=3584 multipath-hash-policy=l3 \
    soft-max-neighbor-entries=7168 stale-neighbor-detect-interval=30 \
    stale-neighbor-timeout=60
/interface detect-internet
set detect-interface-list=none internet-interface-list=none \
    lan-interface-list=none wan-interface-list=none
/interface l2tp-server server
set accept-proto-version=all accept-pseudowire-type=all allow-fast-path=no \
    authentication=pap,chap,mschap1,mschap2 caller-id-type=ip-address \
    default-profile=default-encryption enabled=no keepalive-timeout=30 \
    l2tpv3-circuit-id="" l2tpv3-cookie-length=0 l2tpv3-digest-hash=md5 \
    !l2tpv3-ether-interface-list max-mru=1450 max-mtu=1450 max-sessions=\
    unlimited mrru=disabled one-session-per-host=no use-ipsec=no
/interface list member
add comment=defconf disabled=no interface=bridge list=LAN
add comment=defconf disabled=no interface=ether1 list=WAN
add disabled=no interface=bridge list=TRUSTED
add disabled=no interface=ether1 list=TRUSTED
add disabled=no interface=wifi2 list=TRUSTED
add comment=OffBridge disabled=no interface=ether5 list=LAN
add disabled=no interface=wifi1 list=TRUSTED
/interface lte settings
set esim-channel=auto firmware-path=firmware link-recovery-timer=120 mode=\
    auto
/interface ovpn-server server
add auth=sha1,md5,sha256,sha512 certificate=*0 cipher=blowfish128,aes128-cbc \
    default-profile=default disabled=yes enable-tun-ipv6=no ipv6-prefix-len=\
    64 keepalive-timeout=60 mac-address=FE:20:83:39:29:80 max-mtu=1500 mode=\
    ip name=ovpn-server1 netmask=24 port=1194 protocol=tcp push-routes="" \
    redirect-gateway=disabled reneg-sec=3600 require-client-certificate=no \
    tls-version=any tun-server-ipv6=:: user-auth-method=pap vrf=main
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set authentication=mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1450 max-mtu=1450 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none ciphers=\
    aes256-sha,aes256-gcm-sha384 default-profile=default enabled=no \
    keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled pfs=no port=\
    443 tls-version=any verify-client-certificate=no
/interface wifi access-list
add action=accept comment=HarmonyHub disabled=no mac-address=\
    00:04:20:F9:31:D2
add action=accept comment=MFC-L3770 disabled=no mac-address=30:C9:AB:17:71:59
add action=accept comment="JRS iPhone" disabled=no mac-address=\
    FC:AA:81:2A:1F:B4
add action=accept comment="\?\?\?" disabled=no mac-address=96:4E:A5:1A:A9:74
add action=accept comment="\?\?\?" disabled=no mac-address=52:DA:D4:46:23:5B
add action=accept comment="Thomas iPhone" disabled=no mac-address=\
    46:B4:96:5E:1A:1B
add action=accept comment="SRN iPhone" disabled=no mac-address=\
    4A:11:46:2B:5B:78
add action=accept comment="\?\?\?" disabled=no mac-address=02:2A:61:8A:88:A7
add action=accept comment="SRN iPad" disabled=no mac-address=\
    16:31:50:11:6B:CF
add action=accept comment=DCP-L2550DW disabled=no mac-address=\
    2C:6F:C9:5F:BC:EB
add action=accept comment=Laptop-JRS-AN51 disabled=no mac-address=\
    94:E7:0B:29:30:E7
add action=accept comment="Tasmota switch" disabled=no mac-address=\
    C4:5B:BE:E3:76:77
add action=accept comment="JRS Laptop 2023" disabled=no mac-address=\
    64:49:7D:61:AE:2C
add action=accept comment="Living room (TV maybe)" disabled=no mac-address=\
    D4:90:9C:D8:66:99
add action=accept comment="49TCLRokuTV - Thomas" disabled=no mac-address=\
    0C:62:A6:1E:8B:18
add action=accept comment="SRN MS laptop" disabled=no mac-address=\
    24:EE:9A:54:9A:E8
add action=accept comment=MFC-L2550 disabled=no mac-address=B2:38:0C:90:FE:04
add action=accept comment="THR316 Thomas BR" disabled=no mac-address=\
    C8:F0:9E:E8:8A:E4
add action=accept comment="SRN iPhone" disabled=no mac-address=\
    EA:C1:05:82:99:7C
add action=accept comment="THS Acer Laptop" disabled=no mac-address=\
    54:6C:EB:7B:A2:C3
add action=accept comment="Screek Human Sensor 2A 16 LR" disabled=no \
    mac-address=EC:DA:3B:D1:92:3C
add action=accept comment="Shelly Button1 15 AV Equip" disabled=no \
    mac-address=48:55:19:F0:73:12
add action=accept comment="Beelink 212 DR" disabled=no mac-address=\
    70:D8:C2:4C:54:64
add action=accept comment="JRS Iphone" disabled=no mac-address=\
    7C:4B:26:5D:06:BE
add action=accept comment="Susan iPhone" disabled=no mac-address=\
    60:57:C8:5D:06:4E
add action=accept comment=212-16-DR-Light-Tasmota disabled=no interface=\
    2point4 mac-address=C4:5B:BE:DE:D0:8D
add action=accept comment="Amazon device" disabled=no interface=wifi1 \
    mac-address=58:E4:88:97:C9:D1
add action=accept comment="Amazon Device" disabled=no interface=wifi1 \
    mac-address=44:3D:54:A2:D1:14
add action=accept comment="Amazon Device" disabled=no interface=wifi1 \
    mac-address=F0:F0:A4:FA:0E:B3
add action=accept comment="Amazon Device" disabled=no interface=2point4 \
    mac-address=E8:4C:4A:CA:E9:AC
add action=accept comment="Amazon Device" disabled=no interface=wifi1 \
    mac-address=E8:4C:4A:CA:E9:AC
add action=accept comment=Watch disabled=no interface=wifi1 mac-address=\
    D2:C6:1C:CB:64:8C
add action=accept comment="THS Iphone 2024" disabled=no interface=wifi1 \
    mac-address=64:41:E6:0F:64:D2
add action=accept comment="Amazon Device" disabled=no interface=2point4 \
    mac-address=44:3D:54:A2:D1:14
add action=accept comment=iPad disabled=no interface=wifi1 mac-address=\
    92:3B:B1:33:94:7D
add action=accept comment=iPad disabled=no interface=wifi1 mac-address=\
    F2:41:ED:13:C8:95
add action=accept comment="Cross Trainer 15" disabled=no interface=2point4 \
    mac-address=E0:4F:43:82:2D:A0
/interface wifi cap
set enabled=no
/interface wifi capsman
set enabled=no
/ip address
add address=192.168.2.5/24 comment=defconf disabled=no interface=bridge \
    network=192.168.2.0
add address=192.168.55.1/24 comment=OffBridge disabled=no interface=ether5 \
    network=192.168.55.0
/ip cloud
set back-to-home-vpn=revoked-and-disabled ddns-enabled=yes \
    ddns-update-interval=none update-time=yes
/ip cloud advanced
set use-local-address=no
/ip dhcp-server config
set accounting=yes interim-update=0s radius-password=empty store-leases-disk=\
    5m
/ip dhcp-server network
add address=192.168.55.0/24 caps-manager="" dhcp-option="" dns-server=1.1.1.1 \
    gateway=192.168.55.1 netmask=24 !next-server ntp-server="" wins-server=""
/ip dns
set address-list-extra-time=0s allow-remote-requests=yes cache-max-ttl=4w \
    cache-size=4096KiB doh-max-concurrent-queries=50 \
    doh-max-server-connections=5 doh-timeout=5s max-concurrent-queries=100 \
    max-concurrent-tcp-sessions=20 max-udp-packet-size=4096 \
    mdns-repeat-ifaces="" query-server-timeout=5s query-total-timeout=10s \
    servers=192.168.2.2 use-doh-server="" verify-doh-cert=no vrf=main
/ip dns static
add address=192.168.2.5 comment=defconf disabled=no name=\
    hapax3-upstairs.212.local ttl=1d type=A
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN !to-addresses !to-ports
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=yes ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set rtsp disabled=yes ports=554
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
set [ find default=yes ] comment="counters and limits for trial users" \
    disabled=no name=default-trial
/ip ipsec policy
set 0 disabled=no dst-address=::/0 group=default proposal=default protocol=\
    all src-address=::/0 template=yes
/ip ipsec settings
set accounting=yes interim-update=0s xauth-use-radius=no
/ip media settings
set thumbnails=""
/ip nat-pmp
set enabled=no
/ip proxy
set always-from-cache=no anonymous=no cache-administrator=webmaster \
    cache-hit-dscp=4 cache-on-disk=no cache-path=web-proxy enabled=no \
    max-cache-object-size=2048KiB max-cache-size=unlimited \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=:: parent-proxy-port=0 port=8080 serialize-connections=no \
    src-address=::
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.2 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set ftp address="" disabled=yes max-sessions=20 port=21 vrf=main
set ssh address="" disabled=no max-sessions=20 port=22 vrf=main
set telnet address="" disabled=yes max-sessions=20 port=23 vrf=main
set www address="" disabled=yes max-sessions=20 port=80 vrf=main
set www-ssl address="" certificate=none disabled=no max-sessions=20 port=443 \
    tls-version=any vrf=main
set winbox address="" disabled=no max-sessions=20 port=8291 vrf=main
set api address="" disabled=yes max-sessions=20 port=8728 vrf=main
set api-ssl address="" certificate=none disabled=no max-sessions=20 port=8729 \
    tls-version=any vrf=main
/ip smb shares
set [ find default=yes ] directory=flash/pub disabled=yes invalid-users="" \
    name=pub read-only=no require-encryption=no valid-users=""
/ip socks
set auth-method=none connection-idle-timeout=2m enabled=no max-connections=\
    200 port=1080 version=4 vrf=main
/ip ssh
set always-allow-password-login=no ciphers=auto forwarding-enabled=no \
    host-key-size=2048 host-key-type=rsa strong-crypto=no
/ip tftp settings
set max-block-size=4096
/ip traffic-flow
set active-flow-timeout=30m cache-entries=256k enabled=no \
    inactive-flow-timeout=15s interfaces=all packet-sampling=no \
    sampling-interval=0 sampling-space=0
/ip traffic-flow ipfix
set bytes=yes dst-address=yes dst-address-mask=yes dst-mac-address=yes \
    dst-port=yes first-forwarded=yes gateway=yes icmp-code=yes icmp-type=yes \
    igmp-type=yes in-interface=yes ip-header-length=yes ip-total-length=yes \
    ipv6-flow-label=yes is-multicast=yes last-forwarded=yes nat-dst-address=\
    yes nat-dst-port=yes nat-events=no nat-src-address=yes nat-src-port=yes \
    out-interface=yes packets=yes protocol=yes src-address=yes \
    src-address-mask=yes src-mac-address=yes src-port=yes sys-init-time=yes \
    tcp-ack-num=yes tcp-flags=yes tcp-seq-num=yes tcp-window-size=yes tos=yes \
    ttl=yes udp-length=yes
/ip upnp
set allow-disable-external-interface=no enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes \
    disabled=no hop-limit=unspecified interface=all \
    managed-address-configuration=no mtu=unspecified other-configuration=no \
    ra-delay=3s ra-interval=3m20s-10m ra-lifetime=30m ra-preference=medium \
    reachable-time=unspecified retransmit-interval=unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/mpls settings
set allow-fast-path=yes dynamic-label-range=16-1048575 propagate-ttl=yes
/ppp aaa
set accounting=yes enable-ipv6-accounting=no interim-update=0s \
    use-circuit-id-in-nas-port-id=no use-radius=no
/radius incoming
set accept=no port=3799 vrf=main
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing settings
set single-process=no
/snmp
set contact="" enabled=yes engine-id-suffix="" location="" src-address=:: \
    trap-community=public trap-generators=temp-exception trap-target="" \
    trap-version=2 vrf=main
/system clock
set time-zone-autodetect=yes time-zone-name=America/New_York
/system clock manual
set dst-delta=+00:00 dst-end="1970-01-01 00:00:00" dst-start=\
    "1970-01-01 00:00:00" time-zone=+00:00
/system health settings
set cpu-overtemp-check=no cpu-overtemp-startup-delay=1m \
    cpu-overtemp-threshold=105C
/system identity
set name=212hAPax3-upstairs
/system leds
set 0 disabled=no leds=poe-led type=poe-out
set 1 disabled=no interface=ether1 leds=led1 type=interface-activity
set 2 disabled=no interface=ether2 leds=led2 type=interface-activity
set 3 disabled=no interface=ether3 leds=led3 type=interface-activity
set 4 disabled=no interface=ether4 leds=led4 type=interface-activity
set 5 disabled=no interface=ether5 leds=led5 type=interface-activity
/system leds settings
set all-leds-off=never
/system logging
set 0 action=memory disabled=no prefix="" regex="" topics=info
set 1 action=memory disabled=no prefix="" regex="" topics=error
set 2 action=memory disabled=no prefix="" regex="" topics=warning
set 3 action=echo disabled=no prefix="" regex="" topics=critical
add action=memory disabled=no prefix="" regex="" topics=account
add action=remote disabled=no prefix="192.168.2.5 " regex="" topics=info
add action=email disabled=no prefix=ether3-monitor regex="ether3 link down" \
    topics=info
/system note
set note="" show-at-cli-login=no show-at-login=no
/system ntp client
set enabled=yes mode=unicast servers=\
    192.168.2.2,3.pool.ntp.org,0.north-america.pool.ntp.org vrf=main
/system ntp server
set auth-key=none broadcast=no broadcast-addresses="" enabled=no \
    local-clock-stratum=5 manycast=no multicast=no use-local-clock=no vrf=\
    main
/system ntp client servers
add address=192.168.2.2 auth-key=none disabled=no iburst=yes max-poll=10 \
    min-poll=6
add address=3.pool.ntp.org auth-key=none disabled=no iburst=yes max-poll=10 \
    min-poll=6
add address=0.north-america.pool.ntp.org auth-key=none disabled=no iburst=yes \
    max-poll=10 min-poll=6
/system package local-update mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""

/system resource usb settings
set authorization=no
/system routerboard mode-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard reset-button
set enabled=no hold-time=0s..1m on-event=""
/system routerboard settings
set auto-upgrade=no boot-device=nand-if-fail-then-ethernet boot-protocol=\
    bootp force-backup-booter=no preboot-etherboot=disabled \
    preboot-etherboot-server=any protected-routerboot=disabled \
    reformat-hold-button=20s reformat-hold-button-max=10m silent-boot=no
/system routerboard wps-button
set enabled=no hold-time=0s..1m on-event=""

/system watchdog
set auto-send-supout=yes automatic-supout=yes ping-start-after-boot=10m \
    ping-timeout=5m send-email-to=jXXXXX@domain.com watch-address=\
    1.1.1.1 watchdog-timer=yes
/tool e-mail
set from=jXXXXX@domain.com port=587 server=smtp.gmail.com tls=starttls \
    user=<user>@gmail.com vrf=main
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool mac-server ping
set enabled=yes

/tool romon
set enabled=yes id=00:00:00:00:00:00
/tool romon port
set [ find default=yes ] cost=100 disabled=no forbid=no interface=all

And what frequency is that 5ghz radio using ?
Can your client devices use it ?
AX devices like to use higher channels.
Not all clients can use it.

Set frequency manually so you know where it is.

It’s set to auto and currently using 5500/ax/Ceee/D

I don’t know how or why, but now the clients can see it and connect to it just fine.

Before they neither saw it nor were able to connect to it.

It was working find before the upgrade. Maybe I was too hasty with the downgrade back to 7.19.3 (I gave it about 30-40 minutes).

Try lookin for somethimg something deprioritize-unii-3-4 setting in interface properties and set it to no explicitly.

Next time I try upgrading, if the problem arises, I certainly will try that.

I wonder, however, if choosing a frequency lower in the 5ghz band would also rule out a frequency-selection problem.

Most likely yes.
It might be (depending on your environment) you may run into added interference problems due to other radios in your vicinity (which will then impact performance) but it will most certainly increase possibility that your client devices will connect.

Hence why I ALWAYS opt to set frequencies manually. I want to know where they are so I do not have to spend time troubleshooting like you did here.

it is available since 7.20, should be like:

/interface/wifi/channel> add deprioritize-unii-3-4=yes disabled=no name=wifi1 width=20/40/80mhz

You can set the channel.frequency to a limited number of frequency (ranges). This in combination with reselect-interval will provide a nice way of having the best frequency.

An example to give an idea (it is set to 20MHz bandwidth, sure you understand how to change that):

/interface wifi channel
add band=5ghz-ax disabled=no frequency=5180,5200,5220,5240 name=5GHZ::UNII-1 width=20mhz

https://mikrotikmasters.com/basic-ap-deployment/

Thanks gentlemen!

I just today explained to my son in college that the learning, thankfully, is (and should be) continuous throughout life.

A day without learning something new, small as it may be, is a wasted day ...

Update: 7.20.2 installed and working on two ax3 devices here.

The following works great:

/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .deprioritize-unii-3-4=yes .frequency=5180-5550 .skip-dfs-channels=all .width=20/40/80mhz configuration.country="United States" .mode=ap .ssid=Upstairs5g-0F0493 .tx-power=32 disabled=no security.authentication-types=wpa2-psk .ft=yes \
    .ft-over-ds=yes

Thank you!

Just some feedback:

By setting .skip-dfs-channels=all the remaing frequency range is: 5170-5250
By setting .tx-power=32 you will get something different then you might expect: from coutry regulations maximum signal is 30 dBm, with antenna gain of 6 dBm your tx-power will be 24 dBm at max.

But most importantly...it works great!

@Josephny nobody seems to have mentioned this:- when you turn on a 5GHz device, it does not activate the 5GHz wireless for 10 minutes, It sits there and listens to see if there is radar in the area and adjusts channels accordingly.

To be precise about @DuctView statement:

Every DFS channel has to scan for 1 minute, except the range 5570-5650 (that has to scan for 10 minutes). Non DFS channels (5170-5250 and above 5710) are directly available.

Depends.
If lower channels are being used, radio will be available immediately.

Depending on frequency it can be up to 10 minutes (and it can become worse if radar has been detected, new frequency selected, again checking,...).

Thank you for seeing this and letting me know.

tx power was me playing around – I had every intention of returning it to a much lower value. This AP is downstairs and I am upstairs, and want to “steer” traffic to upstairs AP.

I have removed the frequency range and left only the deprioritize-unii-3-4 setting.

Confirmed still working.

/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .deprioritize-unii-3-4=yes .skip-dfs-channels=all .width=20/40/80mhz configuration.country="United States" .mode=ap .ssid=Upstairs5g-0F0493 .tx-power=21 disabled=no security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes

I thought the 10 minute delay only happen with the “Skip DFS channels” set to “10min CAC?”

Nope, it is for skipping these frequencies out of the options for being set on the radio.
From the documentation:

Whether to avoid using channels, on which channel availability check (listening for presence of radar signals) is required.

10min-cac - interface will avoid using channels, on which 10 minute long CAC is required
all - interface will avoid using all channels, on which CAC is required
disabled  - interface may select any supported channel, regardless of CAC requirements

I trust you know my overall awe of you and others here, and this forum in general, and my affiinity for MT and ROS, but that snippet from the docs is not English. I do not mean that in a snooty or ungrateful or put-down way. I mean it very simply: It is incomprehensible.

If someone could explain what it means, I would be happy to re-write it clearly.

I'll give it a try by explaining per option (and confirming to ETSI) what frequencies are available:

10 min-cac: frequencies 5150-5590 and 5650 and above
all: frequencies 5170-5250 and 5710 and above
disabled: frequencies 5150 and above