Hi All,
First - @BartoszP - yes, the virtual interfaces are associated with bridges, and when wifi/the virtuals are working, clients connected to the virtuals are able to access the internet.
This morning I have upgraded from 6.38.1 to 6.38.5 (which seemingly slightly changed the way in which the problem manifests itself), and then tested different configurations to try and get a conclusive cause of the problems. I’m not sure if I’ve managed to do that, because sometimes it appears that everything is working with one configuration, and then I’ll change things and return to a previously working configuration only to find that, this time, it no longer works.
At the moment, I have a configuration with the physical interface having the SSID “wifi-test” using the default security profile, then virtual interfaces “wifi-guest” and “wifi-kids”, which I’m switching between the default security profile and other profiles with names that match the SSID. All of the security profiles are the same (WPA2-PSK, AES) with the only difference being the passphrase. In the “broken” state, none of the wireless interfaces work - clients are unable to associate with them, usually reporting an authentication failure, sometimes prompting for the passphrase to be re-entered (doing so does not result in a connection), or they just fail to associate silently.
Here’s a snippet of my config in the working state (note I also have another couple of virtual interfaces configured but disabled - I’ve not been touching these interfaces during my testing). In this config all interfaces are using the default security profile.
/interface wireless
add mac-address=E6:8D:8C:74:3F:31 master-interface=wlan1 mode=ap-bridge name=\
wlan-20-iot wds-default-bridge=bridge-local wps-mode=disabled
add hide-ssid=yes mac-address=E6:8D:8C:74:3F:32 master-interface=wlan1 mode=\
ap-bridge name=wlan-30-proxpn ssid=nobodynet-XPN wds-default-bridge=\
bridge-local wps-mode=disabled
add disabled=no mac-address=E6:8D:8C:74:3F:33 master-interface=wlan1 mode=\
ap-bridge name=wlan-40-guest ssid=wifi-guest wds-default-bridge=\
bridge-local wps-mode=disabled
add disabled=no mac-address=E6:8D:8C:74:3F:34 master-interface=wlan1 mode=\
ap-bridge name=wlan-40-kids ssid=wifi-kids wds-default-bridge=\
bridge-local wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
dynamic-keys name=wifi-guest
add authentication-types=wpa2-psk management-protection=allowed mode=\
dynamic-keys name=wifi-kids
Now here’s the same snippet of config when the wifi is in a broken state - the only change being that wifi-guest has been changed to use the wifi-guest security-profile (doing a diff confirms that this is the only difference between the two config dumps, other than the timestamp of the export):
/interface wireless
add mac-address=E6:8D:8C:74:3F:31 master-interface=wlan1 mode=ap-bridge name=\
wlan-20-iot wds-default-bridge=bridge-local wps-mode=disabled
add hide-ssid=yes mac-address=E6:8D:8C:74:3F:32 master-interface=wlan1 mode=\
ap-bridge name=wlan-30-proxpn ssid=nobodynet-XPN wds-default-bridge=\
bridge-local wps-mode=disabled
add disabled=no mac-address=E6:8D:8C:74:3F:34 master-interface=wlan1 mode=\
ap-bridge name=wlan-40-kids ssid=wifi-kids wds-default-bridge=\
bridge-local wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
dynamic-keys name=wifi-guest
add authentication-types=wpa2-psk management-protection=allowed mode=\
dynamic-keys name=wifi-kids
/interface wireless
add disabled=no mac-address=E6:8D:8C:74:3F:33 master-interface=wlan1 mode=\
ap-bridge name=wlan-40-guest security-profile=wifi-guest ssid=wifi-guest \
wds-default-bridge=bridge-local wps-mode=disabled
I believe that every time I have tried this configuration, clients are unable to associate with any of the SSIDs.
In other tests, I kept wifi-guest on ‘default’ and assigned wifi-kids the wifi-kids security profile. I certainly saw clients able to associate with all three SSIDs in this configuration, but I may have also seen it in the broken state in this configuration.
I have also tried the config where wifi-test=>default, wifi-kids=>wifi-kids and wifi-guest=>default (all SSIDs worked) but which then broke when I changed wifi-guest to use the wifi-guest profile.
At the moment, then, it looks like assigning the wifi-guest profile to the wifi-guest SSID causes the breakage. I have tried changing the WPA2 passphrase in that profile, just in case there was a special character in the passphrase that was causing problems, but I haven’t seen any change in behaviour.
If it helps, here’s a full-ish dump of my config in its working state. I’ve exported it with --hide-sensitive, naturally, but I’ve also stripped out various other potentially sensitive things like VPN configs, firewall configs, etc. Rest assured though that www and ssh access to the router is firewalled off from the outside world.
# mar/20/2017 11:28:33 by RouterOS 6.38.5
# software id = F8MR-RLH4
#
/interface bridge
add admin-mac=E4:8D:8C:74:3F:2D auto-mac=no name=bridge-local
add comment="Main Network" name=bridge-vlan10
add comment="IOT Network" name=bridge-vlan20
add comment="proXPN Network" name=bridge-vlan30
add comment="Guest Network" name=bridge-vlan40
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] comment="iot/phone switch" name=\
ether3-slave-local
set [ find default-name=ether4 ] advertise=1000M-half,1000M-full comment=\
"office switch" name=ether4-slave-local
set [ find default-name=ether5 ] comment="lounge switch" name=\
ether5-slave-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n country="united kingdom" \
disabled=no distance=indoors frequency=auto keepalive-frames=disabled \
mode=ap-bridge ssid=wifi-test vlan-id=10 wireless-protocol=802.11 \
wps-mode=disabled
/ip neighbor discovery
set ether1-gateway discover=no
/interface vlan
add interface=ether5-slave-local name=ether5-vlan10 vlan-id=10
add interface=ether5-slave-local name=ether5-vlan3 vlan-id=3
add comment="proXPN VLAN" disabled=yes interface=bridge-vlan30 name=vlan3 \
vlan-id=3
add disabled=yes interface=bridge-vlan10 name=vlan10 vlan-id=10
add disabled=yes interface=bridge-vlan20 name=vlan20 vlan-id=20
/interface wireless
add mac-address=E6:8D:8C:74:3F:31 master-interface=wlan1 mode=ap-bridge name=\
wlan-20-iot wds-default-bridge=bridge-local wps-mode=disabled
add hide-ssid=yes mac-address=E6:8D:8C:74:3F:32 master-interface=wlan1 mode=\
ap-bridge name=wlan-30-proxpn ssid=nobodynet-XPN wds-default-bridge=\
bridge-local wps-mode=disabled
add disabled=no mac-address=E6:8D:8C:74:3F:33 master-interface=wlan1 mode=\
ap-bridge name=wlan-40-guest ssid=wifi-guest wds-default-bridge=\
bridge-local wps-mode=disabled
add disabled=no mac-address=E6:8D:8C:74:3F:34 master-interface=wlan1 mode=\
ap-bridge name=wlan-40-kids ssid=wifi-kids wds-default-bridge=\
bridge-local wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
dynamic-keys name=wifi-guest
add authentication-types=wpa2-psk management-protection=allowed mode=\
dynamic-keys name=wifi-kids
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-vlan10 ranges=10.1.10.101-10.1.10.200
add name=pool-vlan20 ranges=10.1.20.101-10.1.20.200
add name=pool-vlan30 ranges=10.1.30.101-10.1.30.200
add name=pool-vlan40 ranges=10.1.40.101-10.1.40.200
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-local name=default
add address-pool=pool-vlan10 disabled=no interface=bridge-vlan10 lease-time=\
1h name=dhcpd-vlan10
add address-pool=pool-vlan20 disabled=no interface=bridge-vlan20 lease-time=\
1h name=dhcpd-vlan20
add address-pool=pool-vlan30 disabled=no interface=bridge-vlan30 lease-time=\
1h name=dhcpd-vlan30
add address-pool=pool-vlan40 disabled=no interface=bridge-vlan40 lease-time=\
1h name=dhcpd-vlan40
/ipv6 dhcp-server
add address-pool=aa.net_v6 disabled=yes interface=bridge-vlan10 lease-time=1h \
name=dhcpd-vlan10
/system logging action
set 3 bsd-syslog=yes remote=10.1.10.1
/interface bridge port
add bridge=bridge-vlan10 comment=copstick interface=ether2-master-local
add bridge=bridge-vlan10 interface=wlan1
add bridge=bridge-vlan10 comment=phone-adapter interface=ether3-slave-local
add bridge=bridge-vlan10 comment="office switch" interface=ether4-slave-local
add bridge=bridge-vlan10 comment="lounge switch" disabled=yes interface=\
ether5-slave-local
add bridge=bridge-vlan20
add bridge=bridge-vlan10 interface=openvpn-inbound
add bridge=bridge-vlan10 interface=ether5-vlan10
add bridge=bridge-vlan30 interface=ether5-vlan3
add bridge=bridge-vlan20 interface=wlan-20-iot
add bridge=bridge-vlan40 interface=wlan-40-guest
add bridge=bridge-vlan30 interface=wlan-30-proxpn
add bridge=bridge-vlan40 interface=wlan-40-kids
/ip address
add address=192.168.88.1/24 comment="default configuration" disabled=yes \
interface=bridge-local network=192.168.88.0
add address=10.0.0.254/24 comment="Board non-VLAN address" interface=\
ether2-master-local network=10.0.0.0
add address=10.1.10.254/24 comment="nobodynet main vlan" interface=\
bridge-vlan10 network=10.1.10.0
add address=10.1.20.254/24 interface=bridge-vlan20 network=10.1.20.0
add address=10.1.30.254/24 interface=bridge-vlan30 network=10.1.30.0
add address=10.1.40.254/24 interface=bridge-vlan40 network=10.1.40.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=ether1-gateway
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.9.2.0/24,10.1.10.0/24
set ssh address=10.9.2.0/24,10.1.10.0/24
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=MikroTik_2G_Core
/system leds
set 0 interface=wlan1
/system logging
set 0 topics=info,!firewall
add action=remote prefix=mikrotik-critical topics=critical
add action=remote prefix=mikrotik-wireless topics=wireless
add action=remote topics=firewall
add action=remote prefix=mikrotik-error topics=error
add action=remote prefix=mikrotik-info topics=info
add action=remote prefix=mikrotik-warning topics=warning
add action=remote topics=script
add action=remote prefix=mikrotik-ovpn topics=ovpn
/system ntp client
set enabled=yes server-dns-names=uk.pool.ntp.org
/system routerboard settings
set init-delay=0s
/system scheduler
add comment="Fill DNS with DHCP clients every 5 min" disabled=yes interval=5m \
name=dns-dhcp on-event=dns-dhcp start-date=feb/12/2017 start-time=\
05:45:26
/system script
add comment="Update DNS to DHCP leases from https://www.tolaris.com/2014/09/27\
/synchronising-dhcp-and-dns-on-mikrotik-routers/" name=dns-dhcp owner=\
admin policy=read,write source="# Creates static DNS entres for DHCP clien\
ts in the named DHCP server.\
\n# Hostnames passed to DHCP are appended with the zone.\
\n \
\n# Set the first two variables according to your installation.\
\n:local dhcpserver \"dhcpd-vlan10\"\
\n:local zone \"nobody\"\
\n \
\n# Set the TTL to the scheduler frequency for this script.\
\n:local ttl \"00:05:00\"\
\n \
\n# Clear old static DNS entries matching the zone and TTL.\
\n/ip dns static\
\n:foreach dnsrecord in=[find where name ~ (\".*\\\\.\".\$zone) ] do={\
\n\t:local fqdn [ get \$dnsrecord name ]\
\n\t:local hostname [ :pick \$fqdn 0 ( [ :len \$fqdn ] - ( [ :len \$zone ]\
\_+ 1 ) ) ]\
\n\t:local recordttl [get \$dnsrecord ttl]\
\n\t:if ( \$recordttl != \$ttl ) do={\
\n\t\t:log debug (\"Ignoring DNS record \$fqdn with TTL \$recordttl\")\
\n\t} else={\
\n\t\t/ip dhcp-server lease\
\n\t\t:local dhcplease [ find where host-name=\$hostname and server=\"\$dh\
cpserver\"]\
\n\t\t:if ( [ :len \$dhcplease ] > 0) do={\
\n\t\t\t:log debug (\"DHCP lease exists for \$hostname in \$dhcpserver, ke\
eping DNS record \$fqdn\")\
\n\t\t} else={\
\n\t\t\t:log info (\"DHCP lease expired for \$hostname, deleting DNS recor\
d \$fqdn\")\
\n\t\t\t/ip dns static remove \$dnsrecord\
\n\t\t}\
\n\t}\
\n}\
\n \
\n# Create or update static DNS entries from DHCP server leases.\
\n/ip dhcp-server lease\
\n:foreach dhcplease in=[find where server ~ (\"\$dhcpserver\")] do={\
\n\t:local hostname [ get \$dhcplease host-name ]\
\n\t:if ( [ :len \$hostname ] > 0) do={\
\n\t\t:local dhcpip [ get \$dhcplease address ]\
\n\t\t:local fqdn ( \$hostname . \".\" . \$zone )\
\n\t\t/ip dns static\
\n\t\t:local dnsrecord [ find where name=\$fqdn ]\
\n\t\t:if ( [ :len \$dnsrecord ] > 0 ) do={\
\n\t\t\t:local dnsip [ get \$dnsrecord address ]\
\n\t\t\t:if ( \$dnsip = \$dhcpip ) do={\
\n\t\t\t\t:log debug (\"DNS record for \$fqdn to \$dhcpip is up to date\")\
\n\t\t\t} else={\
\n\t\t\t\t:log info (\"Updating DNS record for \$fqdn to \$dhcpip\")\
\n\t\t\t\t/ip dns static remove \$dnsrecord\
\n\t\t\t\t/ip dns static add name=\$fqdn address=\$dhcpip ttl=\$ttl\
\n\t\t\t}\
\n\t\t} else={\
\n\t\t\t:log info (\"Creating DNS record for \$fqdn to \$dhcpip\")\
\n\t\t\t/ip dns static add name=\$fqdn address=\$dhcpip ttl=\$ttl\
\n\t\t}\
\n\t}\
\n}"
/tool graphing interface
add interface=aa.net
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool romon port
add
Cheers,
–Dave
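As an added example (not Dave's code or anything from the thread), here is a small Python parser for RouterOS export snippets like the ones above: it rejoins the backslash-wrapped lines, resolves which security profile each virtual interface uses, and lists the attributes that are not identical across the profiles actually in use. The sample export is constructed from the post's "broken" snippet; the built-in profile is labelled "default", and "<unset>" marks attributes the export omits because they sit at the RouterOS default.

```python
import re
# Constructed sample, trimmed from the post's "broken" snippet; exports wrap long
# lines with a trailing backslash and omit attributes left at RouterOS defaults.
SAMPLE_EXPORT = r"""
/interface wireless
add master-interface=wlan1 mode=ap-bridge name=wlan-40-kids ssid=wifi-kids
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
dynamic-keys name=wifi-guest
/interface wireless
add master-interface=wlan1 mode=ap-bridge name=wlan-40-guest security-profile=\
wifi-guest ssid=wifi-guest
"""
KV = r'(\S+?)=("[^"]*"|\S+)'  # key=value tokens; quoted values may contain spaces
CMD = r"^(?:(?:add|set)\s*)?(?:\[\s*find\s+(.*?)\s*\])?(.*)$"  # (selector, body)

def parse_export(text):
    """Return {section path: [ {attr: value}, ... ]} for every add/set command."""
    sections, current = {}, None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # rejoin wrapped lines
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif line and not line.startswith("#"):
            m = re.match(CMD, line)
            selector = dict(re.findall(KV, m.group(1) or ""))
            item = dict(re.findall(KV, m.group(2)))
            if selector.get("default") == "yes":  # the unnamed built-in item
                item.setdefault("name", "default")
            elif "default-name" in selector:
                item.setdefault("name", selector["default-name"])
            sections.setdefault(current, []).append(item)
    return sections

def interface_profiles(sections):
    """Map each wireless interface to its security profile ('default' if unset)."""
    return {i["name"]: i.get("security-profile", "default")
            for i in sections.get("/interface wireless", []) if "name" in i}

def profile_drift(text):
    """Attributes differing across the profiles in use; '<unset>' = RouterOS default."""
    sections = parse_export(text)
    profiles = {p["name"]: p for p in sections.get("/interface wireless security-profiles", []) if "name" in p}
    in_use = sorted({p for p in interface_profiles(sections).values() if p in profiles})
    attrs = set().union(*(profiles[p] for p in in_use)) - {"name"}
    table = {a: {p: profiles[p].get(a, "<unset>") for p in in_use} for a in sorted(attrs)}
    return {a: v for a, v in table.items() if len(set(v.values())) > 1}
```

Run against the sample it reports management-protection and supplicant-identity as the attributes that differ between the default profile and wifi-guest, which is the kind of diff worth checking before concluding two profiles are identical.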