Choppy WiFi performance with CapsMan

mrmut · March 2, 2019, 2:41pm

I have a very weird issue of choppy WiFi performance in some cases. I have 6 APs done with CapsMan, and when set everything works nicely. However, when I restart one of the CAPs, and when it reboots, the WiFi performance goes out of the window. It is plain terrible, I get internet connection in patches of several hundred kilobits to 5-6 megabits, and that’s it.

Then, if I restart the PoE switch (Mikrotik), everything works in perfect order when CAPs boot up. I even did area measurements, and everything is perfect.

What can I do to alleviate this? And how to test WTH is happening?

anuser · March 4, 2019, 6:17am

Please post your configuration of the CAPSMAN controller and one access Point, i.e. /export Compact

Also, update to latest stable RouterOS 6.44

Does the problem exist only for 2.4GHz? So, the CAPs boot and 2.4GHz band ist available but not Clean. Then 5GHz is enabled after Radar detection is over.

mrmut · March 4, 2019, 8:41am

The problem is on 2.4 GHz, but not on all setups. I have one setup where WiFi links directly into the wired network, where DNS server is Windows Server. There everything works swell.

However, on three other WiFi networks which are isolated (own bridges and ranges), it sometimes work, and sometimes don’t.

I actually think I am screwed by Firewall rule “add action=drop chain=input comment=“Disallow other” log=yes log-prefix=\ “INPUT DROP ALL OTHER”” but I really don’t understand why.

Here is
CAPSMAN router config, and I will post the CAP one below;

/interface bridge
add name=INTERNET
add name=PINKY
add name=VIDEONADZOR
add name=WiFi-GOSTI
add name=WiFi-PINKY
add name=WiFi-SKLADISTE
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-SW1
set [ find default-name=ether3 ] name=ether3-SW2
set [ find default-name=ether4 ] name=ether4-SW3
set [ find default-name=ether5 ] name=ether5-PoESW1
set [ find default-name=ether6 ] name=ether6-GRICKO
set [ find default-name=ether7 ] name=ether7-SKVIKI
set [ find default-name=ether8 ] name=ether8-HRCAK
set [ find default-name=ether9 ] name=ether9-LINK-CARINSKO
set [ find default-name=ether10 ] disabled=yes name=ether10-VIDEONADZOR
set [ find default-name=sfp1 ] name=sfp1-LINK-STAKLARSKA1
/caps-man configuration
add channel.band=2ghz-onlyn channel.extension-channel=disabled country=\
    no_country_set datapath.bridge=WiFi-PINKY distance=indoors \
    installation=indoor mode=ap name=PINKY security.authentication-types=\
    wpa2-psk security.encryption=aes-ccm security.passphrase=PASSPHRASE \
    ssid=PINKY
add channel.band=2ghz-b/g/n channel.extension-channel=disabled country=\
    no_country_set datapath.bridge=WiFi-GOSTI distance=indoors installation=\
    indoor mode=ap name=GUESTS security.authentication-types=wpa2-psk \
    security.encryption=aes-ccm security.passphrase=PASSPHRASE ssid=\
    GUESTS
add country=no_country_set datapath.bridge=PINKY distance=indoors \
    installation=indoor mode=ap name=LINK security.authentication-types=\
    wpa2-psk security.encryption=aes-ccm security.passphrase=PASSPHRASE ssid=\
    LINK
add channel.band=2ghz-b/g/n channel.extension-channel=disabled country=\
    no_country_set datapath.bridge=WiFi-SKLADISTE distance=indoors \
    installation=indoor mode=ap name=SKLADISTE security.authentication-types=\
    wpa2-psk security.encryption=aes-ccm security.passphrase=PASSPHRASE ssid=\
    SKLADISTE
/interface list
add name=PINKY-LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=lan-PINKY-pool ranges=192.168.10.40-192.168.10.240
add name=wifi-PINKY-pool ranges=192.168.40.2-192.168.40.254
add name=wifi-gosti-pool ranges=192.168.50.2-192.168.50.254
add name=wifi-skladiste-pool ranges=192.168.30.2-192.168.30.254
/ip dhcp-server
add address-pool=lan-PINKY-pool disabled=no interface=PINKY name=\
    lan-PINKY-dhcp
add address-pool=wifi-PINKY-pool disabled=no interface=WiFi-PINKY \
    name=wifi-PINKY-dhcp
add address-pool=wifi-gosti-pool disabled=no interface=WiFi-GOSTI name=\
    wifi-gosti-dhcp
add address-pool=wifi-skladiste-pool disabled=no interface=WiFi-SKLADISTE name=\
    wifi-skladiste-dhcp
/caps-man access-list
add allow-signal-out-of-range=10s ap-tx-limit=1000000 comment=\
    "GUESTS limit, 500k -> 3.5MB/s" disabled=no ssid-regexp=GUESTS
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=\
    suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=PINKY
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    PINKY name-format=prefix-identity name-prefix=CAP-2.4GHz \
    slave-configurations=SKLADISTE,GUESTS,LINK
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
    LINK name-format=prefix-identity name-prefix=CAP-5GHz slave-configurations=\
    PINKY
/dude
set enabled=yes
/interface bridge port
add bridge=PINKY interface=ether2-SW1
add bridge=PINKY interface=ether3-SW2
add bridge=PINKY interface=ether4-SW3
add bridge=PINKY interface=ether5-PoESW1
add bridge=PINKY interface=ether6-GRICKO
add bridge=PINKY interface=ether7-SKVIKI
add bridge=PINKY interface=ether8-HRCAK
add bridge=VIDEONADZOR interface=ether10-VIDEONADZOR
add bridge=PINKY interface=sfp1-LINK-STAKLARSKA1
add bridge=PINKY interface=ether9-LINK-CARINSKO
add bridge=INTERNET interface=ether1-WAN
/interface list member
add interface=ether2-SW1 list=PINKY-LAN
add interface=ether3-SW2 list=PINKY-LAN
add interface=ether4-SW3 list=PINKY-LAN
add interface=ether5-PoESW1 list=PINKY-LAN
add interface=ether6-GRICKO list=PINKY-LAN
add interface=ether7-SKVIKI list=PINKY-LAN
add interface=ether8-HRCAK list=PINKY-LAN
add interface=ether9-LINK-CARINSKO list=PINKY-LAN
add interface=sfp1-LINK-STAKLARSKA1 list=PINKY-LAN
/ip address
add address=192.168.10.1/24 interface=PINKY network=192.168.10.0
add address=192.168.40.1/24 interface=WiFi-PINKY network=192.168.40.0
add address=192.168.50.1/24 interface=WiFi-GOSTI network=192.168.50.0
add address=192.168.30.1/24 interface=WiFi-SKLADISTE network=192.168.30.0
add address=192.168.0.2/24 interface=INTERNET network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=INTERNET
/ip dhcp-server network
add address=192.168.10.0/24 caps-manager=192.168.10.1 dns-server=\
    192.168.10.13,192.168.10.10,192.168.10.1 domain=PINKY.local gateway=\
    192.168.10.1 ntp-server=192.168.10.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.50.1 gateway=192.168.50.1
/ip dns
set allow-remote-requests=yes servers=\
    8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1,216.146.35.35,216.146.36.36
/ip firewall address-list
add address=192.168.10.2-192.168.10.254 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix="DROP INVALID INPUT "
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow IP range" src-address-list=\
    allowed_to_router
add action=drop chain=input comment="Disallow other" log=yes log-prefix=\
    "INPUT DROP ALL OTHER"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="ACCEPT PORT FORWARD" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid log=yes log-prefix="DROP INVALID FORWARD "
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=INTERNET
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=INTERNET
add action=dst-nat chain=dstnat dst-port=3389 in-interface=INTERNET protocol=\
    tcp to-addresses=192.168.10.10 to-ports=3389
add action=dst-nat chain=dstnat dst-port=3948 in-interface=INTERNET protocol=\
    tcp to-addresses=192.168.10.12 to-ports=3389
add action=dst-nat chain=dstnat dst-port=1433 in-interface=INTERNET protocol=\
    tcp to-addresses=192.168.10.12 to-ports=1433
add action=dst-nat chain=dstnat dst-port=2001 in-interface=INTERNET protocol=\
    tcp to-addresses=192.168.10.12 to-ports=2001
add action=dst-nat chain=dstnat dst-port=2002 in-interface=INTERNET protocol=\
    tcp to-addresses=192.168.10.12 to-ports=2002
add action=dst-nat chain=dstnat dst-port=21001 in-interface=INTERNET protocol=\
    tcp to-addresses=192.168.10.12 to-ports=21001
add action=dst-nat chain=dstnat dst-port=22001 in-interface=INTERNET protocol=\
    tcp to-addresses=192.168.10.12 to-ports=22001
add action=dst-nat chain=dstnat dst-port=12301 in-interface=INTERNET protocol=\
    tcp to-addresses=192.168.10.12 to-ports=12301
/ip route
add distance=1 gateway=192.168.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=never default-screen=stats read-only-mode=yes
/lcd interface
add interface=PINKY
add interface=VIDEONADZOR
add interface=INTERNET
add interface=WiFi-PINKY
add interface=WiFi-GOSTI
/lcd interface pages
set 0 interfaces="ether1-WAN,ether2-SW1,ether3-SW2,ether4-SW3,ether5-PoESW1,ethe\
    r6-GRICKO,ether7-SKVIKI,ether8-HRCAK,ether9-LINK-CARINSKO,ether10-VIDEONADZO\
    R,sfp1-LINK-STAKLARSKA1"
/system clock
set time-zone-name=Europe/Zagr
/system identity
set name="TRNOSCICA - GLAVNI O
/system ntp client
set enabled=yes primary-ntp=21
/system ntp server
set enabled=yes
/system package update
set channel=long-term
/tool graphing
set store-every=hour
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=non
/tool mac-server mac-winbox
set allowed-interface-list=MAR
/tool mac-server ping

mrmut · March 4, 2019, 8:44am

CAP:

set [ find default-name=wlan1 ] ssid=MikroTik
/interface list
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether1
/interface list member
add interface=ether1 list=LAN
/interface wireless cap
# 
set bridge=bridge1 caps-man-addresses=192.168.10.1 certificate=request \
    discovery-interfaces=bridge1 enabled=yes interfaces=wlan1
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge1
/ip firewall address-list
add address=192.168.10.1-192.168.10.254 list=allowed_to_router
/ip firewall filter
add action=drop chain=input comment="Drop invalid packets" connection-state=\
    invalid log=yes log-prefix="DROP INVALID"
add action=accept chain=input comment="Allow established, related" \
    connection-state=established,related
add action=accept chain=input comment="Allow IP range" src-address-list=\
    allowed_to_router
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Disallow other" log=yes log-prefix=\
    "DROP ALL OTHER"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name="STR - CAP - KAT - C20"
/system ntp client
set enabled=yes primary-ntp=192.168.10.1 secondary-ntp=216.239.35.0
/system package update
set channel=long-term
/tool graphing
set store-every=hour
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

mrmut · March 4, 2019, 9:59am

The culprit is probably Firewall. I set the rules to protect the INPUT from non-LAN ip range, however that also blocks some services the devices need. The issue is probably with DNS requests.

So, the real question is how to configure INPUT firewall blocks for wireless CAPSMAN server?