Degraded wifi performance

How can I go about determining the reason for degraded wifi performance? Specifically, internet speed — internet access is all that the connection is used for. I’m not certain how to test just the connection speed.

I have an Audience in my house and used to get great reception all over the house. I have read that I should have several APs throughout the house and I do have a cAP XL that I got to put up, but… It was working great. And I can’t think of anything that has changed, except perhaps some updates to RouterOS. Position of the Audience is the same. Configuration hasn’t changed. I’m not aware of anything that’s been added that would create additional interference. Additionally, it seems that rebooting the Audience improves performance for a while, measured by a quick internet speed test. The distance between the Audience and the devices connected to it is about 12m, with 2 interior walls separating them: one sheetrock and one thin paneling. Two devices are known to be affected: TV & iPad. Again, this was working fine until recently. I have no problems installing more APs, but I want to know what has changed. What are possible causes for variable performance and what can I use to test it?



# may/24/2022 16:34:21 by RouterOS 7.2.3
# software id = L4BD-ZE0J
#
# model = RBD25G-5HPacQD2HPnD
# serial number = D5840D80F71A
# Standalone access point export (identity AP01-Office, see /system identity).
# Management is on VLAN 99 (vlan-base); guest and IoT SSIDs are mapped to
# VLANs 101 and 107 through per-port pvid. Wireless passphrases are not in this
# export (RouterOS omits them unless exported with show-sensitive).
/interface bridge
add admin-mac=08:55:31:69:F3:2F auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
/interface wireless
# Both physical radios run as ap-bridge with WPS disabled. No channel or
# frequency is set, so channel selection is left to the radio (auto).
set [ find default-name=wlan1 ] disabled=no installation=indoor mode=\
    ap-bridge name=wlan-2g ssid=1736StrtfrdRmsCt wps-mode=disabled
set [ find default-name=wlan2 ] disabled=no installation=indoor mode=\
    ap-bridge name=wlan-5g ssid=1736StrtfrdRmsCt wireless-protocol=802.11 \
    wps-mode=disabled
# wlan3 keeps the default SSID and the default security profile and has no
# disabled=no, so it is presumably still disabled. If it were enabled it would
# be a bridge port with no pvid (see /interface bridge port) — confirm before
# enabling.
set [ find default-name=wlan3 ] ssid=MikroTik
/interface vlan
add interface=bridge name=vlan-base vlan-id=99
/interface list
add name=BASE
/interface wireless security-profiles
# All profiles are WPA2-PSK only (no WPA1 fallback). One profile per SSID so
# the guest/IoT/nest passphrases can be rotated independently.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile-guest supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile-iot supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile-nest supplicant-identity=""
/interface wireless
# Virtual APs. The two guest SSIDs set default-forwarding=no, so guest clients
# on the same radio cannot talk to each other through the AP; the IoT and nest
# SSIDs do not, so devices on those SSIDs can reach one another. Consider
# default-forwarding=no there too if those devices only need the gateway.
# wlan-5g-iot has no disabled=no, so the IoT SSID is effectively 2.4 GHz only.
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
    0A:55:31:69:F3:31 master-interface=wlan-2g multicast-buffering=disabled \
    name=wlan-2g-guest security-profile=profile-guest ssid=\
    1736StrtfrdRmsCt-Guest wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address=0A:55:31:69:F3:32 \
    master-interface=wlan-2g multicast-buffering=disabled name=wlan-2g-iot \
    security-profile=profile-iot ssid=1736StrtfrdRmsCt-IOT wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=0A:55:31:69:F3:35 \
    master-interface=wlan-2g multicast-buffering=disabled name=wlan-2g-nest \
    security-profile=profile-nest ssid="Randy's Nest" wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
    0A:55:31:69:F3:33 master-interface=wlan-5g multicast-buffering=disabled \
    name=wlan-5g-guest security-profile=profile-guest ssid=\
    1736StrtfrdRmsCt-Guest wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
add keepalive-frames=disabled mac-address=0A:55:31:69:F3:34 master-interface=\
    wlan-5g multicast-buffering=disabled name=wlan-5g-iot security-profile=\
    profile-iot ssid=1736StrtfrdRmsCt-IOT wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/interface bridge port
# ether1/ether2 are tagged trunks (only VLAN-tagged frames admitted). Each
# wireless interface is an untagged access port whose pvid picks its VLAN:
# 99 = base SSIDs, 101 = guest, 107 = IoT (the nest SSID also lands on 107).
# wlan3 is added with no pvid/frame-types, i.e. bridge defaults.
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-5g pvid=99
add bridge=bridge interface=wlan3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-2g pvid=99
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-2g-guest pvid=101
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-2g-iot pvid=107
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-5g-guest pvid=101
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-5g-iot pvid=107
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-2g-nest pvid=107
/ip neighbor discovery-settings
# Neighbor discovery (CDP/LLDP/MNDP) only on the BASE list, i.e. vlan-base.
set discover-interface-list=BASE
/interface bridge vlan
# VLAN 99 is the only VLAN tagged on the bridge itself (the CPU side), which is
# what makes vlan-base usable for management; 101 and 107 only transit the
# trunk ports and never terminate on this AP.
add bridge=bridge tagged=bridge,ether1,ether2 vlan-ids=99
add bridge=bridge tagged=ether1,ether2 vlan-ids=101
add bridge=bridge tagged=ether1,ether2 vlan-ids=107
/interface list member
add interface=vlan-base list=BASE
/interface ovpn-server server
# Default stanza; the OVPN server has no enabled=yes here. md5 in the auth
# list would be a weak choice if it is ever turned on.
set auth=sha1,md5
/interface wireless access-list
# Each listed Echo MAC is refused (authentication=no) on the base 2G/5G SSIDs
# and on the nest SSID; no entry exists for the IoT SSIDs, so the effect is to
# steer those devices onto IoT. This is a steering aid, not access control:
# MAC addresses are trivially changed, and a rule only matches the interface
# named in it.
add authentication=no comment="REJECT: Echo: Bedroom R" interface=wlan-2g \
    mac-address=74:E2:0C:A2:49:D5
add authentication=no comment="REJECT: Echo: Bedroom R" interface=\
    wlan-2g-nest mac-address=74:E2:0C:A2:49:D5
add authentication=no comment="REJECT: Echo: Bedroom R" interface=wlan-5g \
    mac-address=74:E2:0C:A2:49:D5
add authentication=no comment="REJECT: Echo: Bedroom L" interface=wlan-2g \
    mac-address=D8:BE:65:54:93:23
add authentication=no comment="REJECT: Echo: Bedroom L" interface=\
    wlan-2g-nest mac-address=D8:BE:65:54:93:23
add authentication=no comment="REJECT: Echo: Bedroom L" interface=wlan-5g \
    mac-address=D8:BE:65:54:93:23
add authentication=no comment="REJECT: Echo: Bathroom" interface=wlan-2g \
    mac-address=0C:EE:99:E6:93:BA
add authentication=no comment="REJECT: Echo: Bathroom" interface=wlan-2g-nest \
    mac-address=0C:EE:99:E6:93:BA
add authentication=no comment="REJECT: Echo: Bathroom" interface=wlan-5g \
    mac-address=0C:EE:99:E6:93:BA
add authentication=no comment="REJECT: Echo: Dining Room" interface=wlan-2g \
    mac-address=FC:49:2D:A7:3D:29
add authentication=no comment="REJECT: Echo: Dining Room" interface=\
    wlan-2g-nest mac-address=FC:49:2D:A7:3D:29
add authentication=no comment="REJECT: Echo: Dining Room" interface=wlan-5g \
    mac-address=FC:49:2D:A7:3D:29
add authentication=no comment="REJECT: Echo: Family Room" interface=wlan-2g \
    mac-address=C8:6C:3D:03:D4:E5
add authentication=no comment="REJECT: Echo: Family Room" interface=\
    wlan-2g-nest mac-address=C8:6C:3D:03:D4:E5
add authentication=no comment="REJECT: Echo: Family Room" interface=wlan-5g \
    mac-address=C8:6C:3D:03:D4:E5
add authentication=no comment="REJECT: Echo: Kitchen Show" interface=wlan-2g \
    mac-address=10:96:93:C4:0F:47
add authentication=no comment="REJECT: Echo: Kitchen Show" interface=\
    wlan-2g-nest mac-address=10:96:93:C4:0F:47
add authentication=no comment="REJECT: Echo: Kitchen Show" interface=wlan-5g \
    mac-address=10:96:93:C4:0F:47
add authentication=no comment="REJECT: Echo: Laundry Room" interface=wlan-2g \
    mac-address=74:A7:EA:F1:DB:E5
add authentication=no comment="REJECT: Echo: Laundry Room" interface=\
    wlan-2g-nest mac-address=74:A7:EA:F1:DB:E5
add authentication=no comment="REJECT: Echo: Laundry Room" interface=wlan-5g \
    mac-address=74:A7:EA:F1:DB:E5
add authentication=no comment="REJECT: Echo: Master Bedroom" interface=\
    wlan-2g mac-address=00:F3:61:6E:B6:C8
add authentication=no comment="REJECT: Echo: Master Bedroom" interface=\
    wlan-2g-nest mac-address=00:F3:61:6E:B6:C8
add authentication=no comment="REJECT: Echo: Master Bedroom" interface=\
    wlan-5g mac-address=00:F3:61:6E:B6:C8
add authentication=no comment="REJECT: Echo: Spare Bedroom" interface=wlan-2g \
    mac-address=F8:54:B8:97:35:2D
add authentication=no comment="REJECT: Echo: Spare Bedroom" interface=\
    wlan-2g-nest mac-address=F8:54:B8:97:35:2D
add authentication=no comment="REJECT: Echo: Spare Bedroom" interface=wlan-5g \
    mac-address=F8:54:B8:97:35:2D
add authentication=no comment="REJECT: Echo: Shop" interface=wlan-2g \
    mac-address=08:A6:BC:33:B0:13
add authentication=no comment="REJECT: Echo: Shop" interface=wlan-2g-nest \
    mac-address=08:A6:BC:33:B0:13
add authentication=no comment="REJECT: Echo: Shop" interface=wlan-5g \
    mac-address=08:A6:BC:33:B0:13
/interface wireless cap
# CAP settings are present but not enabled in this export (no enabled=yes).
# NOTE(review): discovery-interfaces=bridge sends CAPsMAN L2 discovery untagged
# on the bridge, whose own pvid is not set here; the trunk ports above admit
# only tagged frames and VLAN 99 is the only VLAN on the bridge itself, so such
# discovery would presumably never reach a manager on another device. vlan-base
# (VLAN 99) is the interface that is actually carried to the router — confirm,
# or point the CAP at the manager explicitly with caps-man-addresses.
set bridge=bridge discovery-interfaces=bridge interfaces=\
    wlan-2g,wlan-5g,wlan3
/ip address
# Management address on VLAN 99; DNS, default route and NTP all point at the
# router at 192.168.99.1.
add address=192.168.99.5/24 interface=vlan-base network=192.168.99.0
/ip dns
set servers=192.168.99.1
/ip route
add distance=1 gateway=192.168.99.1
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=AP01-Office
/system ntp client
set enabled=yes mode=multicast
/system ntp client servers
add address=192.168.99.1
/tool mac-server
# MAC-telnet and MAC-winbox answer only on the BASE list (vlan-base), not on
# the guest/IoT VLANs.
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

If nothing has changed and suddenly you’re having issues, it’s probably a wireless channel issue. I don’t see that the channel is being specified, so it’s probably on auto, and if a channel is chosen that has interference, wireless will have issues. Do a wireless survey and see which channels are the cleanest.

And sometimes sitting right on top of another channel is a lot better than sitting in between other channels which are themselves non-overlapping.
Double impact !

But as indicated by previous poster, you need to control where your channels will be used.

You will have to figure out how WiFi works, how to configure multiple access points nearby, or get a specialist to do it.
In the configuration you gave, there is not much data about the WiFi settings, only that 3 SSIDs are configured on each interface. And that the rest of the settings are automatically selected by the device. The problem is that the automatic configuration takes place when the device is rebooted and then it runs on these settings. I have not yet encountered a device that can correctly select the settings in automatic mode.
You need to show the wireless registration table from each device and a scan of the air from each physical interface of each device.(CAP XL and Audience)
Roughly speaking: 2.4GHz WiFi works through one wall, works unreliably through two walls, and does not work through three; 5GHz works unreliably through one wall and does not work through two.
When there is only one access point in the house, it should be placed as close as possible to the center of the house, when there are more access points need to look at the plan and choose places of installation.

PS From experience, when one access point is not enough for the house, you have to put in 3-4 for normal operation.
First rule of WiFi - “A device that the user does not carry with them all the time must be connected by cable”.
I personally, in your case, would use Capsman.

I’m not familiar with all the tools related to wifi. I did use the Freq scan to select the channels for my two existing APs: an Audience (channel 1) and a wAP AC (channel 6) on the Patio. Here are snapshots of the freq and reg dialogs for each. I do need to go ahead and run the cable and install the cAP XL-I just want to understand why performance has degraded so badly. It is now almost impossible to use. I had to use my phone’s hotspot last night because it felt like someone resurrected my old 300 baud modem from ages ago. For months my current setup worked flawlessly, performance has been much better than I’d hoped. Zero problems with coverage. Then it tanked, and I don’t know how to figure out what happened.

Audience
audience-if.png
audience-reg.png
audience-freq.png
wAP AC
wapac-freq.png
wapc-if.png
wapac-reg.png

Are you using WifiWave2 on the Audience?

Not yet. It’s been on my very long list of things to try/learn. Now might be a good time to check on that…

Keep in mind capsman (if you ever plan on using that) and wifiwave2 are currently not yet compatible.
It’s one or the other.

@simsrw73
Why did you limit an interface with 13 registered clients to a useful speed of about 15-20 mbit/s, whereas in 802.11n it can be 180-200 mbit/s? I think this is the main reason.
The screenshot shows how to enable the air scanner.
Screenshot_2.jpg
On 802.11n WiFi, -67 dBm is considered the boundary of a good signal level; values down to -75 dBm are satisfactory, and anything below -80 dBm is considered unacceptable. You have a lot of devices connected to the wAP ac with very bad signal levels. This is either a sign that it is in the wrong place or that you need to add another device. The lower the signal strength, the lower the connection speed, and the speed drops on all devices connected to that AP.

That’s a great question. A better question is why I didn’t see that. I would say maybe fumble fingers bumped it while browsing around, but the same thing happened on 5Ghz radio: It’s set to 5Ghz A. I have no idea how those were reset to the lowest option. I “know” I set them when I setup the AP. The patio AP is setup correctly. Embarrassed I didn’t see that before posting. I’ve looked at that dialog a dozen times the last few days. I’ll have to spend a little time with it to see if that straightens it out.


That highlights another issue. Ideally, only a couple of those devices should be on that AP. It’s pointed outside over the backyard and at the shop and those devices in the shop will have bad signal. I plan to put a wireless wire to fix that and the wAP should ideally only capture my phone or tablet when out in the backyard or on the patio. But as is it is currently grabbing a lot of devices from inside the house that used to be connected, without issue, to the Audience. It’s one of the reasons I’ve got this cAP XL sitting on my desk. I probably need a couple of them. The wAP is sitting very close to 4 iot devices that are in the house, through brick wall. Even with installing a couple cAPs, I’m not sure those cAPs will capture those devices. I may need to configure Access List to kick them off because they are currently connected to the wAP but not reachable.

Here’s that scan on the Audience (2GHz). Had no idea there would be that many devices around the neighborhood that would be in range.

audience-scan.png
And 5GHz

wapac-scan.png

Definitely still broke.

Speed Test on wired desktop: 357.6 Down 79.9 Up
Speed Test on wireless iPad: 0.19 Down 28.5 Up

Why is it primarily affecting Down speed?

Edit: scratch that. After multiple runs it is variously affecting up/down/both. Inconsistent but still abysmal down.

EDIT 2: OK. I think I touched on the problem above. My two APs are interfering with each other. I cut off the radios on the patio AP and now things are back to normal. I didn’t think that was supposed to happen, but then I obviously don’t know much about wifi. And why did this just start? I’ve had both APs active for a while and it wasn’t a problem. What am I doing wrong there? How do I get them to play nicely?

In the Family Room where I’m testing, where the problems are most noticeable, I’m getting -55 dBm on 2.4 GHz on the Audience, -75 dBm on 5 GHz. Since cutting the radios on the wAP AC, speed has been great on the Audience, back to normal. However, I occasionally lose wifi momentarily. Maybe it’s jumping between 2.4 & 5? Not sure how to verify? Why would it do that? What can I do to make all these radios work together? Is it going to be worse when I add more APs? I didn’t realize it was so difficult to get APs to work together.

I’m now fairly confident that the wAP & Audience are interfering with each other causing the degraded performance. How do I fix that? If my device is jumping between 2.4 & 5, dropping the connection momentarily, how do I stop that?

Have you played with transmission power? Especially on the 2,4GHz radio?

No, I haven't modified transmission power on the radios of either AP. I haven't modified any of the advanced settings. Just a basic setup. Do they need to be adjusted?

That’s what I told you in my first reply
You just have no idea how WiFi works.
On wifi it is always the client who decides where to connect, this is the standard.
You are faced with the most common problem: there are two different access points and the client can connect to either of them. The client connects to the first access point and sticks with it even when the connection speed is already bad and the signal from the second access point is much better; it stubbornly does not switch. Your clients were connected to the wAP ac and wouldn’t switch to the Audience until you turned it off. If you now turn the wAP ac back on, the clients will stay on the Audience and everything will work fine until you reboot the Audience.
These problems are greatly reduced when you put the access points under Capsman control. But you have to configure it manually. As I said before, automatic tuning can’t work correctly because it has no radio intelligence data.
The disconnects you have are when the client switches both from one access point to another and from one interface to another at one point. There is a new registration of the client on the access point with the exchange of passwords, handshakes, etc. This can take from 2 to 30 seconds. When access points are controlled by Capsman, there is no new registration, so the switching time is much less, when you switch a few packets are lost, but voice or video messenger conversations may break (not always) in other uses switching is unnoticeable to the user.
I have no links to English-language materials; here is some information in Russian: https://habr.com/ru/article/456918/
It is somewhat difficult to teach you within the forum.
You need to either reduce the power or move the points away from each other, now they hear each other at -75dB. Watch where to put the points on the floor plan.

Acl rules could help as well.
E.g. drop the connection when the signal is below -87 dB (or already at -75?).

Caveat is that there is no guarantee that client will effectively move to the other ap.

OK. This is my plan today. So far… this plan is failing at step 1. Your point:


mmm, may have some merit. For the moment.

Okay, not exactly failed at step 1, but my experience is contrary to the docs (https://help.mikrotik.com/docs/pages/viewpage.action?pageId=1409149#APController(CAPsMAN)-SimplesetupofaCAPsMANsystem) and to any of the tutorials I’ve watched on YT or the Wireless Engineer course on Udemy. I set the most basic config on the manager (RB5009), and on the client I go to Wireless → WiFi Interfaces → CAP, and set Enabled, Interfaces to W1 & W2, Discovery Interfaces to ether1, and then … nothing. It does not auto discover the manager. Setting the DHCP caps-manager option on the manager also seems to do nothing. Only when I give the CAPsMAN Address on the clients (both audience and wapac) do they find the manager. It’s working, by manually specifying the capsman address on every client, but it bothers me when it doesn’t work as documented. What would prevent auto discovery? (apologies for the wall of code below)


RB5009

# may/30/2022 10:03:11 by RouterOS 7.2.3
# software id = SYTB-ZK4C
#
# model = RB5009UG+S+
/interface bridge
add admin-mac=DC:2C:6E:47:0F:C0 auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether7 ] name=ether7-Access
set [ find default-name=sfp-sfpplus1 ] advertise=1000M-full,10000M-full \
    speed=1Gbps
/interface vlan
add interface=bridge name=vlan-base vlan-id=99
add interface=bridge name=vlan-guest vlan-id=101
add interface=bridge name=vlan-iot vlan-id=107
add interface=bridge name=vlan-security vlan-id=119
add interface=bridge name=vlan-server vlan-id=200
add interface=bridge name=vlan-voip vlan-id=111
/caps-man configuration
add country="united states3" datapath.bridge=bridge name=cfg2G \
    security.authentication-types=wpa2-psk ssid=1736StrtfrdRmsCt
/interface list
add name=WAN
add name=VLAN
add name=BASE
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool-base ranges=192.168.99.31-192.168.99.254
add name=dhcp_pool-guest ranges=192.168.101.21-192.168.101.254
add name=dhcp_pool-iot ranges=192.168.107.21-192.168.107.254
add name=dhcp_pool-security ranges=192.168.119.21-192.168.119.254
add name=dhcp_pool-voip ranges=192.168.111.21-192.168.111.254
add name=dhcp_pool-server ranges=192.168.200.200-192.168.200.249
/ip dhcp-server
add address-pool=dhcp_pool-base interface=vlan-base name=dhcp-base
add address-pool=dhcp_pool-guest interface=vlan-guest name=dhcp-guest
add address-pool=dhcp_pool-iot interface=vlan-iot name=dhcp-iot
add address-pool=dhcp_pool-security interface=vlan-security name=\
    dhcp-security
add address-pool=dhcp_pool-voip interface=vlan-voip name=dhcp-voip
add address-pool=dhcp_pool-server interface=vlan-server name=dhcp-server
/system logging action
set 3 remote=192.168.200.14
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    identity="1" name=zt1 port=9993
/zerotier interface
add instance=zt1 name=zerotier1 network=1
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg2G
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether6
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=99
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge interface=zerotier1
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=99
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=101
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=107
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=119
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=111
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=200
/interface list member
add interface=ether1 list=WAN
add interface=vlan-guest list=VLAN
add interface=vlan-iot list=VLAN
add interface=vlan-base list=BASE
add interface=vlan-base list=VLAN
add interface=ether7-Access list=BASE
add interface=vlan-security list=VLAN
add interface=vlan-server list=VLAN
add interface=vlan-voip list=VLAN
add interface=zerotier1 list=VLAN
add interface=zerotier1 list=BASE
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.99.1/24 interface=vlan-base network=192.168.99.0
add address=192.168.101.1/24 interface=vlan-guest network=192.168.101.0
add address=192.168.107.1/24 interface=vlan-iot network=192.168.107.0
add address=192.168.9.11/24 interface=ether7-Access network=192.168.9.0
add address=192.168.119.1/24 interface=vlan-security network=192.168.119.0
add address=192.168.111.1/24 interface=vlan-voip network=192.168.111.0
add address=192.168.200.1/24 interface=vlan-server network=192.168.200.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.99.15 client-id=1:60:12:8b:5c:43:5b comment=\
    "Canon MB5320 Printer" mac-address=60:12:8B:5C:43:5B server=dhcp-base
add address=192.168.200.14 client-id=1:e4:5f:1:95:b2:43 mac-address=\
    E4:5F:01:95:B2:43 server=dhcp-server
add address=192.168.200.200 mac-address=36:59:4B:91:03:74 server=dhcp-server
add address=192.168.200.201 client-id=\
    ff:2f:bd:15:e7:0:1:0:1:2a:23:8d:e4:76:f:2f:bd:15:e7 mac-address=\
    76:0F:2F:BD:15:E7 server=dhcp-server
/ip dhcp-server network
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1 \
    ntp-server=192.168.99.1
add address=192.168.101.0/24 dns-server=192.168.99.1 gateway=192.168.101.1 \
    ntp-server=192.168.99.1
add address=192.168.107.0/24 dns-server=192.168.99.1 gateway=192.168.107.1 \
    ntp-server=192.168.99.1
add address=192.168.111.0/24 dns-server=192.168.99.1 gateway=192.168.111.1 \
    ntp-server=192.168.99.1
add address=192.168.119.0/24 dns-server=192.168.99.1 gateway=192.168.119.1 \
    ntp-server=192.168.99.1
add address=192.168.200.0/24 dns-server=192.168.99.1 gateway=192.168.200.1 \
    ntp-server=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
    https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.200.10 name=zadkiel.home.arpa
add address=192.168.99.20 name=cassiel.home.arpa
add address=192.168.200.14 name=raziel.home.arpa
add address=192.168.200.10 name=proxmox.home.arpa
add address=192.168.99.1 name=uriel.home.arpa
/ip firewall address-list
add address=ec1a0fcc6b92.sn.mynetname.net list=WAN_IP
add address=192.168.99.0/24 list=Clients
add address=192.168.99.20 list=Admin
add address=192.168.99.21 list=Admin
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept DNS (udp)" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Accept DNS (tcp)" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Accept NTP" dst-port=123,12300 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=VLAN
add action=accept chain=input comment="Allow BASE" in-interface-list=BASE \
    log=yes log-prefix=BASE
add action=reject chain=input comment="Reject icmp-admin-prohibited" \
    in-interface-list=VLAN log=yes log-prefix=ICMP-ADMIN-PROHIBITED \
    reject-with=icmp-admin-prohibited
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Allow VLAN access Internet" \
    connection-state=new in-interface-list=VLAN log=yes log-prefix=\
    VLAN->INTERNET: out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE to Server VLAN" \
    in-interface-list=BASE log=yes log-prefix=VLAN out-interface=vlan-server
add action=accept chain=forward comment="Allow Inter-VLAN" in-interface=\
    vlan-base log=yes log-prefix=VLAN out-interface=vlan-security
add action=accept chain=forward comment=\
    "Allow dst-nat from both WAN and LAN (including port forwarding)" \
    connection-nat-state=dstnat
add action=reject chain=forward comment="Reject icmp-admin-prohibited" log=\
    yes log-prefix=ICMP-ADMIN-PROHIBITED reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="Drop everything else" log=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Fwd for WWW" dst-address-list=\
    WAN_IP dst-port=80,443 in-interface-list=WAN protocol=tcp to-addresses=\
    192.168.200.201
add action=src-nat chain=srcnat comment=\
    "Translate NTP from 123 to 12300 to bypass AT&T block of port 123" \
    protocol=udp src-port=123 to-ports=12300
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.99.0/24,192.168.9.0/24,10.173.18.0/24
set api disabled=yes
set winbox address=192.168.99.0/24,192.168.9.0/24,10.173.18.0/24
set api-ssl disabled=yes
/ip smb shares
add comment="default share" directory=/pub name=pub
add comment="default share" directory=/pub name=pub
/ip smb users
add name=guest
add name=guest
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !*2000011
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !*2000011
# Clock, identity, logging and time service on RT1.

# Local time zone used for log timestamps and scheduler start times.
/system clock set time-zone-name=America/New_York

# Hostname shown in neighbor discovery, the CLI prompt and syslog.
/system identity set name=RT1-Office-NR2

# Send every topic, including debug, to the "remote" logging action (the
# syslog destination itself lives under /system logging action, outside this
# excerpt). NOTE(review): debug output can contain material you would not
# want on a shared collector; trim the topics if that target is not fully
# trusted.
/system logging add action=remote topics=critical,warning,info,debug,error

# Sync this router from the public pool ...
/system ntp client set enabled=yes
/system ntp client servers add address=0.north-america.pool.ntp.org
/system ntp client servers add address=1.north-america.pool.ntp.org
/system ntp client servers add address=2.north-america.pool.ntp.org
/system ntp client servers add address=3.north-america.pool.ntp.org

# ... and serve time to the LAN, also answering manycast solicitations and
# sending multicast. NOTE(review): plain NTP is unauthenticated; multicast
# service trains clients to listen for any sender on the segment, so prefer
# unicast clients pointed explicitly at this router.
/system ntp server set enabled=yes manycast=yes multicast=yes
/system scheduler
# Refresh the device CA bundle about twice a year (25w5d = 180 days).
# NOTE(review): the policy list below is every privilege RouterOS offers,
# including password, policy, sensitive, sniff, romon and reboot. A scheduler
# entry's policy has to cover the policy of the script it runs, and the script
# bodies were blanked before posting (source=""), so the real requirement
# cannot be read here - but a fetch-and-import job normally needs no more than
# read,write,test plus whatever `/certificate import` requires on this build.
# Trim the scheduler entry and the matching script together and re-test; an
# edited or hijacked script otherwise runs with full administrative power.
# TODO confirm against the real script bodies.
add interval=25w5d name=schedule-UpdateCACerts on-event=\
    "/system/script/run script-UpdateCACerts" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/30/2021 start-time=02:30:00
# Daily DDNS refresh; disabled. Same over-broad policy list as above.
add disabled=yes interval=1d name=schedule-UpdateDDNS on-event=\
    "/system/script/run script-UpdateDDNS" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/30/2021 start-time=02:40:00
/system script
# source="" on both scripts: the bodies were removed for the forum post, and
# owner=username is a placeholder. dont-require-permissions=no is the safe
# setting (whoever runs the script must hold its policies) - keep it.
add dont-require-permissions=no name=script-UpdateCACerts owner=username policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=""
add dont-require-permissions=no name=script-UpdateDDNS owner=username policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=""
# Layer-2 management access on RT1. MAC-telnet and MAC-WinBox are confined to
# the BASE interface list (the vlan-base management VLAN) instead of the
# all-interfaces default.
/tool mac-server set allowed-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE

# RoMON (Router Management Overlay Network) is on. NOTE(review): nothing in
# this export restricts it - no secrets appear and no per-port disable under
# `/tool romon port` is visible - so a host attached to any port can discover
# and reach this router's management over RoMON, sidestepping the BASE
# restriction above (a login is still required). Set a shared secret and
# forbid RoMON on non-management ports, or disable it if it is not used.
/tool romon set enabled=yes

Audience:

# may/30/2022 10:03:27 by RouterOS 7.2.3
# software id = L4BD-ZE0J
#
# model = RBD25G-5HPacQD2HPnD
# Single bridge carrying all VLANs, with VLAN filtering enforced on the bridge
# itself. protocol-mode=none switches (R)STP off, so a physical loop between
# ether1 and ether2 (both configured as trunks further down) would not be
# blocked - acceptable only while exactly one uplink is in use. The fixed
# admin-mac must be unique on the LAN: a MAC carried over from another
# device's export collides at layer 2 and shows up as intermittent
# connectivity. TODO confirm it is unique.
/interface bridge add name=bridge admin-mac=08:55:31:69:F3:2F auto-mac=no \
    protocol-mode=none vlan-filtering=yes
# Radios on the Audience (acting as a CAP). The "managed by CAPsMAN" marker is
# printed by the export: while the manager is connected it overrides the local
# wireless settings and only the interface names are meaningful here. Only
# wlan-2g is handed to CAPsMAN (see /interface wireless cap below); neither
# wlan-5g nor wlan3 carries disabled=no or a CAP assignment, so both appear to
# be off and every client of this AP would be on 2.4 GHz - relevant to the
# throughput question. TODO confirm with `/interface wireless print`.
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] ssid=MikroTik name=wlan-2g
set [ find default-name=wlan2 ] ssid=MikroTik name=wlan-5g
set [ find default-name=wlan3 ] ssid=MikroTik
# Management VLAN interface on the bridge: VLAN 99 is the "base" network that
# carries this AP's own address (192.168.99.5/24, set further down).
/interface vlan add name=vlan-base interface=bridge vlan-id=99

# Interface list that scopes management services (neighbor discovery,
# MAC-server, MAC-WinBox) to the management VLAN.
/interface list add name=BASE
# WPA2-PSK security profiles. The local radios reference no explicit profile,
# so the default one applies whenever they are not under CAPsMAN control; the
# guest/iot/nest profiles are defined but not referenced in this excerpt.
# Pre-shared keys are absent from this export. NOTE(review): 802.11w
# management-frame protection is left at its default (off) on all four -
# enabling it where clients allow blunts deauthentication attacks.
/interface wireless security-profiles
set [ find default=yes ] mode=dynamic-keys authentication-types=wpa2-psk \
    supplicant-identity=MikroTik
add name=profile-guest mode=dynamic-keys authentication-types=wpa2-psk \
    eap-methods="" supplicant-identity=""
add name=profile-iot mode=dynamic-keys authentication-types=wpa2-psk \
    eap-methods="" supplicant-identity=""
add name=profile-nest mode=dynamic-keys authentication-types=wpa2-psk \
    eap-methods="" supplicant-identity=""
# CAPsMAN manager settings on the CAP itself. Certificates are set to auto but
# the manager is not enabled (no enabled=yes is exported), so this device acts
# only as a CAP - leave it that way to avoid two managers on the LAN.
/caps-man manager set certificate=auto ca-certificate=auto
/interface bridge port
# Trunk uplinks: only tagged frames are admitted, so nothing untagged leaks
# onto a default VLAN.
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
# NOTE(review): every interface=*N entry below is a reference the export could
# not resolve to a name - RouterOS prints the internal ID when the interface
# no longer exists (typical leftovers from virtual APs or CAP interfaces that
# were later removed). Such ports are normally flagged invalid and carry no
# traffic, but they obscure the live topology; `/interface bridge port print`
# shows which are invalid and they can be removed. The *5 entry also has no
# frame-types/pvid, i.e. admit-all with pvid 1, so if a matching interface
# ever reappeared its untagged traffic would land on VLAN 1, which has no
# entry in the bridge VLAN table below.
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*4 pvid=99
add bridge=bridge interface=*5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*3 pvid=99
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*7 pvid=101
# NOTE(review): wlan-2g (and wlan-5g further down) are untagged members of
# VLAN 99 - the same VLAN as vlan-base, which carries this AP's management
# address, neighbor discovery, MAC-telnet and MAC-WinBox. Wireless clients on
# these radios therefore sit in the management VLAN. If that is not intended,
# give user Wi-Fi its own VLAN and keep 99 for infrastructure only. (CAPsMAN
# datapath settings may override these static entries while the CAP is
# connected - check `/interface bridge port print` for the effective pvid.)
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-2g pvid=99
# wlan3 is an untagged member of VLAN 101.
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan3 pvid=101
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*14 pvid=101
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*1A pvid=107
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-5g pvid=99
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*15 pvid=107
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*17 pvid=101
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*18 pvid=107
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*16 pvid=107
# Answer MNDP/CDP/LLDP neighbor discovery only on the management VLAN.
/ip neighbor discovery-settings set discover-interface-list=BASE
# Bridge VLAN table. VLAN 99 is tagged to the bridge CPU port as well, so the
# vlan-base interface receives traffic; 101 and 107 are trunked only - this AP
# has no IP presence on them. Untagged membership comes from the port pvids.
/interface bridge vlan add bridge=bridge vlan-ids=99 tagged=bridge,ether1,ether2
/interface bridge vlan add bridge=bridge vlan-ids=101 tagged=ether1,ether2
/interface bridge vlan add bridge=bridge vlan-ids=107 tagged=ether1,ether2
# The management VLAN interface is the sole member of BASE, the list that
# gates MAC-server, MAC-WinBox and neighbor discovery.
/interface list member add list=BASE interface=vlan-base
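# OpenVPN server HMAC algorithms. The server is not enabled in this export
# (no enabled=yes), so the setting is dormant, but the allowed set was
# sha1,md5: HMAC-MD5 is deprecated and no current client needs it, and
# dropping it avoids a negotiated downgrade if the server is ever switched
# on. Prefer sha256/sha512 as well where this RouterOS build and the clients
# support them.
/interface ovpn-server server set auth=sha1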
/interface wireless access-list
...
# CAP mode: the listed radio is handed to a CAPsMAN found by discovery on
# ether1, with managed interfaces bridged locally onto "bridge". Only wlan-2g
# is managed; wlan-5g and wlan3 are not in the list. NOTE(review): no
# caps-man-addresses, caps-man-names or caps-man-certificate-common-names are
# exported and lock-to-caps-man is at its default, so the CAP joins whichever
# manager answers on ether1 - a rogue CAPsMAN on that segment could push its
# own SSID and security settings to this AP. Pin the manager by address, name
# or certificate CN, or set lock-to-caps-man=yes once the intended manager is
# connected. TODO confirm these options are really unset (export omits
# defaults).
/interface wireless cap set enabled=yes interfaces=wlan-2g \
    discovery-interfaces=ether1 bridge=bridge
# Management addressing: this AP is 192.168.99.5 on the management VLAN, with
# gateway and resolver both at 192.168.99.1. DNS is resolver-only here -
# allow-remote-requests is not enabled, so the AP does not serve DNS to
# clients.
/ip address add address=192.168.99.5/24 network=192.168.99.0 interface=vlan-base
/ip dns set servers=192.168.99.1
/ip route add gateway=192.168.99.1 distance=1
# Restrict SSH to the strong cipher/MAC/key-exchange set (legacy algorithms
# such as CBC ciphers and SHA-1 MACs are refused).
/ip ssh set strong-crypto=yes
# Same time zone as the router; the hostname identifies this unit as the
# office AP.
/system clock set time-zone-name=America/New_York
/system identity set name=AP01-Office
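# Time sync for the AP. The original used mode=multicast, i.e. the client
# accepted unsolicited multicast NTP from the segment while also listing
# 192.168.99.1 as its server. NTP here is unauthenticated, and VLAN 99 also
# carries the Wi-Fi clients (wlan-2g and wlan-5g are pvid 99 on the bridge),
# so any associated client could multicast bogus time to the AP and skew its
# logs and certificate validity checks. Polling the configured server by
# unicast removes the multicast listener; it only requires the host at
# 192.168.99.1 to answer ordinary NTP requests, which a RouterOS NTP server
# does when enabled. TODO confirm that host serves unicast NTP.
/system ntp client set enabled=yes mode=unicast
/system ntp client servers add address=192.168.99.1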
# MAC-level management (MAC-telnet, MAC-WinBox) confined to the management
# VLAN via the BASE list.
/tool mac-server set allowed-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE

# RoMON enabled with no secret and no per-port restriction visible in this
# export. NOTE(review): that gives a host on any attached port an L2 path to
# this AP's management, bypassing the BASE restriction above (login still
# required). Set a shared secret, disable RoMON on non-management ports, or
# turn it off if it is not used.
/tool romon set enabled=yes

You have exposed serial numbers and a Google DNS username and password…

Sanitized — thanks. I needed to remove that anyway; I now use Cloudflare with a DDNS update utility running in a Docker container on my server. Are the serial numbers in the comments at the top of an export bad to post? If so, why are they exported at all? Before my initial post I had already cleaned up some other things that I thought should have been removed automatically, such as the ZeroTier network information, and I think I also removed the username from the script permissions. Shouldn't all of that be stripped automatically? I understand that the contents of the scripts are my responsibility, but shouldn't the rest be automatic?

No. An export is not meant to be posted on a forum — it is a complete, replayable copy of the device configuration, so it contains whatever the device stores. The hide-sensitive option only masks passwords and keys; identifiers in the header, MAC addresses and script bodies are always written out and are the poster's to redact. People ask for it simply because reading it is faster than guessing at someone else's configuration…
¯\_(ツ)_/¯