Hi
I’m trying to set up roaming on my home network.
It is a brick house with 4 rooms, each room has a wAP AC in 5 GHz mode.
Rooms are isolated well enough that I do not have a lot of overlap.
They are all connected to a hEX PoE.
They are all configured manually (no CAPsMAN) with the same security profile and the same channel.
They are all running the latest 6.45 (stable) branch.
Here is what I have tried and my results:
Solution #1:
Set the access point to kick clients with low signal strength (-60..120)
Here is the flow I got when I go from room1 to room2:
room1 kicks the client exactly when it should
the client swiftly connects to room2
So far so good, then I go back from room2 to room1:
room2 kicks the client exactly when it should
the client is unable to connect to either room1 or room2, and stays disconnected for a while
I suppose it is due to the fact that it was kicked a short time ago, and the client is kind of reluctant to try to connect again.
My client is a MacBook Pro 2019. I do not understand how everyone here keeps recommending kick by signal strength if it has such a major flaw of being unable to reconnect.
What am I doing wrong?
Solution #2:
Disable low data rates on the HT MCS tab, i.e. 0-7, and only leave 8+
Surprisingly there is no effect at all. My MacBook still shows that the MCS level drops below the allowed levels, i.e. 6, and the MacBook stays connected in the adjacent room.
Solution #3:
Set antenna gain to higher levels, so that the router will reduce the TX power.
The kicking part works great.
But now I have lower data rates even if I’m next to the router.
I used to have 780 Mbps, now I have 140 Mbps; it defeats the whole idea of using 5 GHz.
Also I have seen rates as low as 10 Mbps while moving around, and the bastard will still stick to the AP in the next room.
Basically I want the client to have 300 Mbps or get kicked, because there is a 100% faster AP next to it. I do not need access in corridors or around the house; there are only a limited number of places the MacBook can be in, and all of them have 500 Mbps+ connection speeds. I can achieve that if I “disconnect/connect” every time I change location, but I’m looking for a way to do that automatically.
I do not need zero-handoff or whatever magic there is. I’m fine with dropped packets and up to 10 sec of downtime.
-60 is very strict; maybe -73 is a better value.
What is in the MKT log when you cannot reconnect? It can also be the client that has marked the network as “bad”, because it got kicked out.
Quoting the original post: “Solution #2: Disable low data rates on HT MCS tab i.e. 0-7 and only leave the 8+. Surprisingly there is no effect at all. My macbook still shows that MSC level drop below the allowed levels. I.e. 6, and macbook stays connected in the adjacent room.”
8+? That’s not the way HT MCS rates are defined. They go from 0 to 7; 8 to 15 is again 0 to 7 but in double spatial stream, 16 to 23 is again 0 to 7 but in triple stream. http://mcsindex.com/ … see column 1 HT MCS
There are also the data rates, where you change from default to configured to be able to modify the MCS selection. There too you should remove the lowest rates.
Basic rate 12Mbps and supported rates from 12Mbps upward is a starting point and a good balance.
Quoting the original post: “Solution #3: Set antenna gain to higher levels, so that the router will reduce the TX power. The kicking part works great. But now I have lower data rates even if I’m next to the router. I used to have 780mbps, now I have 140mbps, it defeats the whole idea of using 5ghz. Also I have seen rates as low as 10mbps while moving around, and the bastard will still stick to the AP in the next room. Basically I want client to have 300mbps or get kicked because there is 100% faster AP next to it. I do not need access in corridors, around the house, there are only limited number of places the macbook can be in. And all of them have 500mbps+ connection speeds. I can achieve that if I “disconnect/connect” every time I change location, but I’m looking for a way to do that automatically. I do not need zero-hand-off or whatever magic there is. I’m fine with drop packets and up to 10 sec of downtime.”
780Mbps can be achieved with 80 MHz bandwidth and dual spatial stream. (wAP AC does triple spatial stream, but your MacBook probably does not.)
There is no need at all to have all APs on the same frequency. Your devices will select an AP based on the SSID, not the frequency. It will not be slower.
You might even be better off having all APs on different bands (the other extreme) with only 40 MHz channel width; you easily get 400 Mbps.
Yes, sure it is, for the 5GHz band certainly. The strategy for 2.4 GHz is a bit different, and I have the impression that most of the “performance” tweaks here still come from the 2.4 GHz experience.
“Multiple APs should be on separate channels.” … overlap is no problem then.
“MCS 8+ ? That’s not the way HT MCS rates are defined. They go from 0 to 7, 8 to 15 is again 0 to 7 but in double spatial stream, 16 to 23 is again 0 to 7 but in triple stream.”
“What is in the MKT log when you cannot reconnect? It can also be the client that has marked the network as “bad”, because it got kicked out.”
Just checked my connection time this morning … less than a second. So roaming should be fast, if you let the client decide when to do it.
Clue may be in the logs. You could also enable “wireless” “debug” logging in the Mikrotik.
Just FYI: a Mikrotik client (station mode, or station bridge mode) has the “Station roaming” option, and then re-evaluates the AP selection. (Something like every 5 minutes , but it depends on the current signal strength). Roaming is always the decision of the client. https://support.apple.com/en-us/HT203068
The other is similar except my numbers are 0 to -78 (good signal) and -79 to -120 (weak signal).
I based my settings on what my iPhone was telling me walking around using the scan function of AirPort Utility, with some fudge factor of at least 3 dB.
Well, my settings are 30 secs if it is a strong signal currently attached (gives the user up to 30 secs grace before kicking…); the opposite if one meanders out of the crappy signal into the good signal: I want the op to go to the better signal faster… Something like that anyway…
Yes, that’s what it is. Very useful if one swaps fast, by walking in and out of the room, with an indoor and an outdoor AP, to be able to reconnect fast enough. With default settings you are locked out for the default 10 seconds on both APs. The initial complaint of the OP: “I do not understand how everyone here keeps recommending kick by signal strength if it has such a major flaw of being unable to reconnect.”
Inconsistent experience.
Hope holiday guests were sleeping, far away from the AP. But even with the 3 sec timing, lockout timing does not match. Reset timer after every attempt? But even one with 12 sec!
Only happens at night, when this is the only activity, so far. Daytime lockout disappeared when allow time was reduced to 3 sec.
@anav
Still experimenting. It’s all reverse engineering. It’s shaking a black box to model its content. But sometimes (at night) the experiments are inconsistent, so the model is not fully correct yet.
Autumn holidays starting, there will be more residents … more data to work with.
I’m down now to 1 second. (Don’t know if “no time set” is possible and if that means never, as there is an explicit “always”). Other brands have a short but unknown time for ‘black listing’.
Next experiment is without the rejecting rule, but authentication OFF on that WLAN default. (If there is no access list rule, it will use the default.) But what’s better or faster? Will that be zero delay?
My understanding of the wording “Allow Signal Out of Range - Time” is: this rule will still apply for the specified time even if the signal is out of range for this active rule.
There are access-list rules that allow authorization (so you will not get kicked off if you do not satisfy the signal level but are within the specified time), and there are rules that do not let you authorize and reject the association. If the signal is out of range for this active reject rule you are still rejected/banned if within the specified time. The ban reason is given in the log (because there are other ban conditions than “not allowed by access-list”).
If you have a few APs in range and walk around with your device, you are easily banned from all those APs if the default 10 seconds are used. (You need special action to see the Allowed Time column in WinBox, and the default is not in the config export, so it is easily overlooked.) The wiki example is a trap for a bad wifi experience with portable devices with APs in adjacent rooms or inside & outside.
We can see that devices on iOS, Android and Windows 10 massively start to switch to private MAC addresses. (The user was never asked to enable this, the update just did it!) The rules on how dynamic those changes in MAC addresses are, are not clear to me, but I see a devastating consequence in DHCP lease use, and also a potential major problem in roaming.
Not only is there a new MAC+IP address every hour, consuming DHCP leases (current lease timeout is 36 hours), one per connected network (different subnets have different SSIDs), but now even while roaming: changing AP (or maybe also from 2.4GHz to 5 GHz WLAN with the same SSID) with the same SSID (and of course subnet) changes the MAC and gets a new IP address.
Even when the client is maintaining the same MAC (and IP address) for one full hour for every wireless connection possibility, there are fundamental changes:
DHCP leases are consumed more frequently
Roaming is switching the MAC address now. This is totally different for any “switch/bridge” MAC-table/Hosts-table that is not corrected by the new flow as before.
Worst is the different IP address. Even if NATted in the gateway (the internet server sees no difference) the session is interrupted or maintained to the wrong LAN IP address. The gateway must set up a new connection to the new IP address. The client must initiate that connection. This will clearly be an interruption just as switching between different SSID/subnets is.
MAC based access-lists and MAC based cookies in the Portal … well that is yet another changing world.
EDIT … will be a challenge … now 1 user walking between 4 AP’s … real load is 200 users and 25 AP’s … will explode !
With an iPhone you select different SSIDs. With an Apple Watch and new AP-specific test SSIDs???
MAC addresses are from the private range! Should we block them all? Can we filter this with MAC-address ranges in the access-list? How can we instruct a large random public to turn this off, with success? (Src MAC Mask Filter in Bridge?) https://www.blackmanticore.com/fc5c95c7c2e29e262ec89c539852f8fb
“Like private IP address ranges (defined in RFC 1918), there are also private MAC address ranges. These are called Locally Administered Address Ranges which are never used by devices or other vendors. MAC addresses in these ranges can be safely used, assuming they are unique within your network:”
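The post above asks whether randomised client MACs can be matched by address range. The script below is an added example, not code from the thread or from MikroTik, and it makes the point that they cannot: what iOS, Android and Windows randomisation has in common is the IEEE locally-administered bit (0x02 in the first octet), so a value/mask match on that single bit selects all of them, which is what a "source MAC mask" style filter does. The lease export lines and MAC addresses are constructed; no vendor is claimed for any of them, and no RouterOS parameter names are assumed.

```python
"""Added example: classify MAC addresses from a DHCP lease export as
vendor-assigned, randomised (locally administered) or multicast, and
show that a one-bit value/mask match selects the randomised ones.
The lease lines are constructed for this example."""
import re
from collections import Counter
from typing import Dict

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff (colon or dash separated) into a 48-bit integer."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(re.sub(r"[:-]", "", mac), 16)


def classify_mac(mac: str) -> str:
    """IEEE 802 flags live in the first octet: bit 0 (0x01) = group/multicast,
    bit 1 (0x02) = locally administered.  Randomised client MACs set bit 1."""
    first_octet = mac_to_int(mac) >> 40
    if first_octet & 0x01:
        return "multicast"
    if first_octet & 0x02:
        return "randomized"
    return "vendor"


def mac_mask_match(mac: str, value: str, mask: str) -> bool:
    """Generic address/mask comparison: only the bits set in mask are compared.
    This is the general operation behind a 'MAC mask' filter, not a range check."""
    m = mac_to_int(mask)
    return (mac_to_int(mac) & m) == (mac_to_int(value) & m)


# Value/mask pair that matches every locally administered address: the U/L bit only.
RANDOMIZED_VALUE = "02:00:00:00:00:00"
RANDOMIZED_MASK = "02:00:00:00:00:00"

# Constructed lease export, one "<ip> <mac> <hostname>" per line (not real leases).
LEASES = """\
192.168.88.10 B8:27:EB:12:34:56 printer
192.168.88.11 0A:1B:2C:3D:4E:5F phone-1
192.168.88.12 DA:3A:11:22:33:44 phone-2
192.168.88.13 3C:22:FB:AA:BB:CC laptop
192.168.88.14 02:42:AC:11:00:02 container-host
"""


def summarize_leases(text: str) -> Dict[str, int]:
    """Count leases per MAC class; this is where the lease pressure described
    in the post becomes visible in a lease table."""
    counts: Counter = Counter()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            counts[classify_mac(fields[1])] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize_leases(LEASES))
    for line in LEASES.splitlines():
        mac = line.split()[1]
        print(mac, classify_mac(mac), mac_mask_match(mac, RANDOMIZED_VALUE, RANDOMIZED_MASK))
```

Two of the five constructed leases are vendor-assigned and three are randomised; the same value/mask pair picks out exactly those three, which is why a bit mask rather than an address range is the right tool wherever the filter syntax offers one.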
Every time I revisit this I get myself tied in knots.
Q1. What happens after 30s?
Q2. Does the radio then go to the next rule, which says don’t authenticate and don’t forward (which stops the connection cold)?
Q3. Or does it KICK the user off the AP entirely by some other mechanism?
Q4. If there is a kick mode, how long does it last for?
Q5. If the second rule will never authenticate and forward, what is the point of a. having it or b. setting a time like 5 secs?
Q6. In other words, let’s say there is no strong connection in the current location when I turn the phone on; does that mean both radios will not allow connecting?
Hi anav, I have to guess and reverse engineer as it is not well documented and Mkt developers did not add information yet.
Still, my current understanding is:
Q1. What happens after 30s?
The first evaluation expires and a new one has to be made. So the access-list is checked again, top-down. If the first rule matches again, OK, we are set for another 30 sec (default = authentication=yes, forwarding=yes), so we stay connected even if the signal goes out of range during these 30 sec.
Q2. Does the radio then go to the next rule, which says don’t authenticate and don’t forward (which stops the connection cold)?
No, the access-list is scanned again top-down. If the first rule does not match, the next is evaluated, until one matches or the default is used if there is no match. If the matching rule (or default) has authentication=no, you cannot authenticate (or stay authenticated). If forwarding=no you cannot communicate with other clients in this SSID.
Q3. Or does it KICK the user off the AP entirely by some other mechanism?
There are 2 methods to kick a user off by access-list: an access-list rule with authentication=no (documented in the wiki), or a default setting with authentication=no (not documented, but used by others in this forum). There are other reasons to kick off a client; sometimes the reason is in full text or by number (disconnected, received deauth: authentication not valid (2); disconnected, received deauth: class 3 frame received (7); disconnected, extensive data loss; … and while roaming … disconnected, received disassoc: sending station leaving (8); disconnected, registered to other interface; disconnected, registered to other device in network).
Q4. If there is a kick mode, how long does it last for?
Well, there seems to be a lockout or blacklisted state: “banned (last failure - xxxxxx)”, in this case xxxxxx = “not allowed by access list”. The banned state is also used for other reasons (see deauth reasons in Q3). It is not clear how long it lasts. Other brands log the facts ‘added to blacklist’, ‘removed from blacklist’ with a very short delay, around 1 sec.
Q5. If the second rule will never authenticate and forward, what is the point of a. having it or b. setting a time like 5 secs?
This rule, and any rule with authentication=no, generates the state “not allowed by access list”; if you are connected you are kicked out. The 5 sec is the time that this rule selection remains valid. So even if the signal is back to high strength, you are still in the state of this rule, just as for the 30 sec in the authentication=yes rule: dropping the signal level there did not start re-evaluation, and here getting a higher signal does not start re-evaluation. Re-evaluation is going top-down through the rules again. The default timeout for signal-out-of-range is 10 sec. This might be frustrating if you roam based on signal-level access-list rules, alternating between 2 APs faster, because of the 10 sec lockout.
Q6. In other words, let’s say there is no strong connection in the current location when I turn the phone on; does that mean both radios will not allow connecting?
Yes! (and for at least the timeout time period). And I don’t know what message the user device is giving in that case. Something like “could not connect to that network” … maybe.
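The Q1 to Q6 answers above, together with the earlier remark that with the default 10 seconds you are easily banned from every AP in range, describe a small state machine: each rule carries a signal window, a validity time and an authentication verdict; a verdict is reused until its time runs out, then the list is scanned top-down again, and a "no" verdict kicks the client and keeps rejecting it for the rest of its window. The following is an added example that models exactly that description in Python; it is not RouterOS code and not the thread author's work, and it reflects the forum's reverse-engineered understanding rather than documented firmware behaviour. The two-rule layout (strong signal allowed, weak signal rejected), the -78 dBm boundary, the class and function names, and the 25-second walk between two rooms with its RSSI values are all constructed for the example.

```python
"""Added example: one-second-step model of signal-based access-list rules as
described in this thread (sticky verdicts, top-down re-evaluation, ban while a
'no' verdict is valid).  A model of the forum's description, not RouterOS code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    signal_min: int       # lower edge of the signal window in dBm, e.g. -78
    signal_max: int       # upper edge, e.g. 120
    timeout: int          # seconds the verdict stays valid ("allow signal out of range" time)
    authentication: bool  # authentication=yes (True) or authentication=no (False)

    def matches(self, signal: int) -> bool:
        return self.signal_min <= signal <= self.signal_max


class AccessPoint:
    """Rule list of one AP plus the sticky verdict of its last evaluation."""

    def __init__(self, name: str, rules: List[Rule]) -> None:
        self.name = name
        self.rules = rules
        self.verdict: Optional[bool] = None  # None = never evaluated
        self.expires_at = 0                   # second at which re-evaluation is due

    def decide(self, signal: int, now: int) -> bool:
        """Reuse the current verdict while it is valid, else re-evaluate top-down."""
        if self.verdict is not None and now < self.expires_at:
            return self.verdict
        for rule in self.rules:
            if rule.matches(signal):
                self.verdict = rule.authentication
                self.expires_at = now + rule.timeout
                return self.verdict
        # No rule matched: model the interface default as authentication=yes, 10 s window
        self.verdict, self.expires_at = True, now + 10
        return True


def simulate(path: List[Dict[str, int]], aps: List[AccessPoint]) -> List[Optional[str]]:
    """path[t] maps AP name -> signal the client sees at second t.  Returns the
    AP the client is associated with at each second (None = rejected everywhere)."""
    by_name = {ap.name: ap for ap in aps}
    connected: Optional[str] = None
    timeline: List[Optional[str]] = []
    for now, signals in enumerate(path):
        if connected is not None and not by_name[connected].decide(signals[connected], now):
            connected = None  # kicked: "not allowed by access list"
        if connected is None:
            # the client tries the strongest AP first; a still-valid 'no' keeps rejecting it
            for name in sorted(signals, key=signals.__getitem__, reverse=True):
                if by_name[name].decide(signals[name], now):
                    connected = name
                    break
        timeline.append(connected)
    return timeline


# Constructed walk: 5 s in room 1, 7 s in room 2, then back to room 1 (25 s total).
ROOM1 = {"room1": -50, "room2": -85}
ROOM2 = {"room1": -85, "room2": -50}
WALK = [ROOM1] * 5 + [ROOM2] * 7 + [ROOM1] * 13


def rules_for(allow_timeout: int, deny_timeout: int) -> List[Rule]:
    """Two-rule layout from the thread: strong signal allowed, weak signal rejected."""
    return [Rule(-78, 120, allow_timeout, True), Rule(-120, -79, deny_timeout, False)]


def evaluate_walk(allow_timeout: int, deny_timeout: int) -> Tuple[int, int]:
    """Return (seconds locked out of every AP, seconds kept on an AP below -78 dBm)."""
    aps = [AccessPoint(n, rules_for(allow_timeout, deny_timeout)) for n in ("room1", "room2")]
    timeline = simulate(WALK, aps)
    locked_out = sum(1 for ap in timeline if ap is None)
    weak = sum(1 for t, ap in enumerate(timeline) if ap is not None and WALK[t][ap] < -78)
    return locked_out, weak


if __name__ == "__main__":
    for allow, deny in ((10, 10), (1, 10), (1, 1)):
        print(f"allow {allow:2d}s / deny {deny:2d}s -> (locked out, weak) = {evaluate_walk(allow, deny)}")
```

With both timers at the 10-second default the client is never locked out, but it spends 13 of the 25 seconds associated with the AP in the other room, because the "yes" verdict stays valid after the signal has dropped. With the allow rule re-evaluated every second and the reject rule left at 10 seconds, the kicks come promptly, but walking back within the window leaves the client rejected by both APs for 3 seconds, which is the lockout the original post complained about. With both timers at 1 second there is neither effect; that is the trade-off the thread is working out.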