cAP ax Wifi not working

Hi, I have a really strange issue with the cAP ax.
At home I run a hAP ac2 as the main router with a relatively simple config (gateway, DHCP server, NAT, firewall). I used a cAP ac device as another AP in the house. Recently I replaced this cAP with a cAP ax (static IP, everything in bridge, simple AP config). Since then, I have had great issues with the wifi connection.

After a client connects to the cAP ax, it loses its internet connection. Ping from the client to the cAP is possible, but not to the gateway. But ping from the cAP ax to the hAP ac2 works fine. Both wifi interfaces and the eth ports are in the bridge. I tried to reset the config and set everything up from scratch, but without any success - after a short period, the internet goes away. Can you please help me find the issue? Thank you.

cAP ax config:

# 2024-05-31 12:29:41 by RouterOS 7.14.3
# software id = 2XPM-2DZS
#
# model = cAPGi-5HaxD2HaxD
# serial number = ****
/interface bridge
add name=bridge1 protocol-mode=none
/interface wifi
set [ find default-name=wifi1 ] comment=5ghz configuration.country=Czech \
    .mode=ap .ssid=***** security.authentication-types=wpa2-psk
set [ find default-name=wifi2 ] comment=2_4ghz configuration.country=Czech \
    .mode=ap .ssid=***** security.authentication-types=wpa2-psk
/interface list
add name=WAN
add name=LAN
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wifi1
add bridge=bridge1 interface=wifi2
add bridge=bridge1 interface=ether1
/ipv6 settings
set disable-ipv6=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.11/24 interface=bridge1 network=192.168.1.0
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/system identity
set name=cAP_ax
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=217.31.202.100

Does this happen when client devices are connected to both SSIDs (2.4 and 5 GHz)?
Or only 5 GHz?

Already tried to manually set the frequency for both radios? I don't like auto-settings… especially on AX devices and 5 GHz it may favor the higher range frequencies and a lot of clients are not too happy with that.

I tried only 2 GHz or only 5 GHz with the same result. I even tried to force N/ac mode. Setting the frequencies manually didn't change anything.

I noticed that when my iPhone connects to this AP, I get an IP address from DHCP but not a gateway. Signal strength is good.

Can you also provide the hAP ac config?

Yes, here is the hAP config:

# 2024-05-31 19:15:25 by RouterOS 7.15
# software id = I1D7-PACH
#
# model = RBD53iG-5HacD2HnD
# serial number = ******
/interface bridge
add name=bridge_local port-cost-mode=short protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] name=ether2_loznice_2NP
set [ find default-name=ether5 ] name=ether5_uplink_poe poe-out=forced-on
/interface list
add name=WAN
add name=LAN
/interface wifi security
add authentication-types=wpa2-psk disabled=no group-encryption=tkip name=sec1
/interface wifi configuration
add country=Czech mode=ap name=default_cfg_dvorak_AP security=sec1 ssid=\
    Dvorak_AP
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-n .frequency=2447 .width=\
    20/40mhz-Ce configuration=default_cfg_dvorak_AP configuration.mode=ap \
    disabled=no name=wifi1_24ghz security=sec1
# DFS channel availability check (10 min)
set [ find default-name=wifi2 ] channel.band=5ghz-ac .frequency=5600 .width=\
    20/40/80mhz configuration=default_cfg_dvorak_AP configuration.mode=ap \
    disabled=no name=wifi2_5ghz security=sec1
/ip pool
add name=dhcp_pool0 ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge_local lease-time=1w1d name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=\
    zt1 name=zerotier1 network=*********
/interface bridge port
add bridge=bridge_local interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridge_local interface=ether2_loznice_2NP internal-path-cost=10 \
    path-cost=10
add bridge=bridge_local interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge_local interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge_local interface=wifi1_24ghz multicast-router=disabled
add bridge=bridge_local interface=wifi2_5ghz multicast-router=disabled
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface=ether5_uplink_poe list=WAN
add interface=bridge_local list=LAN
/ip address
add address=192.168.1.1/24 interface=bridge_local network=192.168.1.0
add address=10.**.**.***/30 interface=ether5_uplink_poe network=*****
/ip dhcp-server lease
add address=192.168.1.21 client-id="Netatmo Relay" mac-address=\
    *** server=dhcp1
add address=192.168.1.22 mac-address=**** server=dhcp1
add address=192.168.1.24 client-id=1:**** mac-address=\
    **** server=dhcp1
add address=192.168.1.23 client-id=1:**** mac-address=\
    **** server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.1.1
/ip dns
set servers=1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=forward comment="Zerotier FW rules" in-interface=\
    zerotier1
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether5_uplink_poe
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.47.28.185 \
    pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
/ip service
set www disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 address
# address pool error: pool not found: ipv6pool (4)
add address=::1 from-pool=ipv6pool interface=bridge_local
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked log-prefix=test_
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 nd
set [ find default=yes ] dns=2606:4700:4700::1001,2606:4700:4700::1111 \
    interface=bridge_local other-configuration=yes
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=hap_ac3
/system leds settings
set all-leds-off=immediate
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=217.31.202.100

On the cap unset the bridge protocol mode.
Remove ether1 from WAN interface list.

Agree on 1st.

2nd is irrelevant, there is no FW to handle that interface list.

I’m not completely sure if firewall is not present or it was simply omitted from the exported configuration. Still, since there is no WAN, I cannot see any reason to keep that interface list (apart for having problems).
I would also disable detect-internet on hap.

For the test, disable IPv6 on both devices.

Isn’t it already disabled?

Hi,
I have deleted both interface lists on the cAP. IPv6 had been disabled before. I don't understand what you mean by unsetting the bridge mode. By default MikroTik devices are set to RSTP, but I always change that to none, so what should I do? Thanks

On cAP ax specifically (as well as ax2 and ax3, all the devices with the IPQ6010 chip), it is suggested to enable RSTP mode on the bridge since there is some bug in hw offloading and setting RSTP will disable hw offload. I have RSTP on my cAP ax and it works without any issues with CAPsMAN. No RSTP then on the bridge where CAPsMAN is running.

You don't need to use STP, but disable "Hardware Offload" on the ports (Bridge - Ports).

Sticking to the defaults unless needed is the safest approach, in my opinion, as it avoids nasty problems. As such, I prefer to keep the protocol mode unset (=default).

(1) Stick with the default mode for the bridge, I think it's RSTP?
(2) No WAN or LAN on an AP.
(3) I config my cAPs on the bench through ether2, off the bridge, and when installed, either it's reachable directly or else I wire ether2 where I can at least access it with a laptop.
Just change the laptop's IPv4 settings to 192.168.55.2 and you are in.
(4) For NTP, the client's server should be the main router; set up the main MT router as a client to the www, and as the server for downstream devices.

# model = cAPGi-5HaxD2HaxD

# serial number = ****

/interface bridge
add name=bridge1 vlan-filtering=no protocol-mode=default

/interface ethernet
set [ find default-name=ether2 ] name=Off-Bridge comment=Off-Bridge

/interface list
add name=MANAGE

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wifi1
add bridge=bridge1 interface=wifi2

/interface list member
add interface=bridge1 list=MANAGE
add interface=Off-Bridge list=MANAGE

/ip address
add address=192.168.1.11/24 interface=bridge1 network=192.168.1.0
add address=192.168.55.1/30 interface=Off-Bridge network=192.168.55.0

/ip neighbor discovery-settings
set discover-interface-list=MANAGE

/ip dns
set allow-remote-requests=yes servers=192.168.1.1

/tool mac-server mac-winbox
set allowed-interface-list=MANAGE

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-table=main

/system ntp client
set enabled=yes

/system ntp client servers
add address=192.168.1.1

The above is clean and simple; if it's not working then the issue is within your WIFI settings.

Hi, disabling HW offload seems to resolve this issue. I will keep an eye on it and write if anything happens. Thank you very much!

I repeat myself: sticking to the defaults (unless there is a reason not to do so) helps avoid problems. Hence, hw offload (apparently) enabled and protocol mode set to RSTP. When (if) they fix the problems, you will have a working system with hw offloading enabled without touching the configuration.
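The two remedies discussed above (turning hardware offload off on the cAP ax bridge ports, which is what resolved the issue, or leaving the bridge at RSTP, which the earlier post reports disables hw offload on the IPQ6010 devices) written out as RouterOS commands against the posted cAP ax config. This is an added example, not a post from the thread; the bridge port property `hw` and the `H` print flag are taken from the RouterOS bridge documentation and assumed unchanged in 7.14.

```routeros
# As posted on the cAP ax: protocol-mode=none, ports left at the default hw=yes
# /interface bridge
# add name=bridge1 protocol-mode=none

# Option A (what fixed it for the OP): keep the bridge as it is and turn
# hardware offload off on every port of bridge1, so frames are bridged by
# the CPU instead of the IPQ6010 switch chip
/interface bridge port set [ find bridge=bridge1 ] hw=no

# Option B (the "stick to defaults" advice): RSTP on the bridge, which on the
# cAP ax reportedly disables hw offload by itself; ports stay at hw=yes so
# offload comes back on its own once the firmware bug is fixed
/interface bridge set bridge1 protocol-mode=rstp
/interface bridge port set [ find bridge=bridge1 ] hw=yes

# Verify: an H flag in front of a port means hardware offload is currently
# active. After either option no port of bridge1 should show H.
/interface bridge port print where bridge=bridge1
/interface bridge print detail where name=bridge1
```

Apply only one of the two options; a client that kept its DHCP lease but lost the gateway should be able to ping 192.168.1.1 again after the change.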

I agree. Having (R)STP disabled seemed like a good idea since there is no possibility of storming my home network. I changed my devices to RSTP enabled.