F**G WiFi6 from C52iG-5HaxD2HaxD

Good day to you all !
I have a problem that lasts since the purchase of C52iG-5HaxD2HaxD, which is more than 1 year !
It all started with the fact that WiFi 6 on RouterOS version above ~7. 15+ works unstable - at random times can happen a complete disconnect
I would have stayed on the factory version of RouterOS but there is a very low speed Wifi ~200mbs
I made a ticket - SUP- 164448 and after ~month of communication with the support team and searching forums I came to the conclusion that this is the problem of my wifi card in my laptop - Intel ax211 and I forced in the properties of my card to use only Wifi AC


. Time passed - new hardware appeared - with Intel BE201 and I also started to get the same problems.


I get disconnections with Windows Eventid errors - 7021, 6062
And in Mikrotik - “disconnected, connection lost, signal strength”


I’ve been using Mikrotik products for years, my IT infrastructure is built on CHR in offices configured CapsMan - but I can’t beat this crap.

I don’t want to lower frequencies below 80 I don’t want to switch to AC, that’s not why I bought this device - although if you tell me that the situation is not fixable and it’s a hardware problem - I’ll go and buy just an Asus…

# 2025-04-10 22:27:34 by RouterOS 7.18.2
# software id = 82YJ-5SNB
#
# model = C52iG-5HaxD2HaxD
# serial number = 
/interface bridge
add admin-mac=78:9A:18:FE:E9:B8 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] mac-address=F0:2F:74:EA:3E:98
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    disabled .width=20/40/80mhz configuration.country=Ukraine .dtim-period=3 \
    .mode=ap .ssid=1H1W15G disabled=no security.authentication-types=\
    wpa3-psk .ft=no .ft-over-ds=no .wps=disable steering.rrm=yes .wnm=yes
set [ find default-name=wifi2 ] channel.band=2ghz-n .skip-dfs-channels=disabled \
    configuration.mode=ap .ssid=1H1W1 .tx-chains=0,1 disabled=no mtu=1500 \
    security.authentication-types=wpa2-psk,wpa3-psk .disable-pmkid=no .ft=yes \
    .ft-over-ds=yes .wps=disable
/interface l2tp-client
add allow=mschap2 allow-fast-path=yes connect-to= name=\
    1S1GW1 use-ipsec=yes user=1GW1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.201.10-192.168.201.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/snmp community
set [ find default=yes ] disabled=yes
add addresses=0.0.0.0/0 encryption-protocol=AES name=cns1zbx1
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set disable-ipv6=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether2 list=WAN
/interface ovpn-server server
add mac-address=FE:DC:B4:E6:3C:62 name=ovpn-server1
/ip address
add address=192.168.201.1/24 comment=defconf interface=bridge network=\
    192.168.201.0
/ip dhcp-client
add interface=ether2
/ip dhcp-server lease
add address=192.168.201.131 client-id=1:ea:8d:c5:a0:98:8 mac-address=\
    EA:8D:C5:A0:98:08 server=defconf
add address=192.168.201.118 client-id=1:28:c5:d2:85:90:80 mac-address=\
    28:C5:D2:85:90:80 server=defconf
/ip dhcp-server network
add address=192.168.201.0/24 comment=defconf dns-server=192.168.201.1 gateway=\
    192.168.201.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall address-list
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# 1S1GW1 not ready
# 1S1GW1 not ready
add action=accept chain=input comment=1ZBX1-SNMP dst-port=161 in-interface=\
   1S1GW1 protocol=udp src-address=
add action=accept chain=input comment=1GW1-WinBox dst-port=8291 protocol=tcp \
    src-address-list=1ACCESS1
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=yes distance=1 dst-address= gateway= \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service

/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" \
    src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" \
    dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/snmp
set contact= enabled=yes location= trap-community= \
    trap-version=3
/system clock
set time-zone-name=Europe/Kyiv
/system identity
set name=
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.ua.pool.ntp.org
/system scheduler
add disabled=yes name=schedule1 on-event=\
    ":delay 20s; /system/script/run script1" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add dont-require-permissions=no name=script1 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":lo\
    cal DateTime ([ / system clock get date ] . \"-\" . [ / system\r\
    \n clock get time ]);\r\
    \ninterface wifi scan duration=30 wifi2 save-file=(\"wifi-scan-\" . \$DateTi\
    me)"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Well, IMHO the Intel BE/AX Series is total garbage. I got an BE200 ever since it was released and its been a terrible experience.
There’s A LOT of people on the intel forums with issues with those cards.

Last good one in my opinion is the AC9260.

Well now the normal tasks to do:

1. Update to the latest WiFi Driver
2. Update to the latest (7.18.2) RouterOS
3. Create a Windows Wi-Fi Report
   should look something like the attachment.
   
   
   Other than that, cleanup your config on the Wi-Fi interfaces. Keep it simple.
   You can try capsman. Some people once mentioned that it seems like us who have no issues all use capsman.
   Only one person i know of who tested it so far but it sadly didnt change anything.
   You can set up a config + provisioning rule and under “Radio” you can click provision to apply a capsman config on the local radios.

I’m using Intel AX and BE Wi-Fi Cards without issues using an AX3 and AX2 Combo with Capsman + FT, but because those cards have a sucky Frequency Range I must stay on low 5ghz channels.

EDIT: its a BE200.
I also got an AX210 and got the numbers mixed up woops. already changed in the text

i have ax210 nic and ac9260 nic, had to return to 7.14.3 (i dont use capsman)

ok intel is bad but it’s 80% of the market.
From mid-range workstations like HP ProBook G10 with ax211, to premium segment like Asus Zenbook Duo with BE201 and what is the time difference between them by release date for example ?
AX211 = Q3’21
BE201 = Q2’24
A few years …
If the problem is only with Mikrotik (which is the most evidence but I don’t claim) then it is a Mikrotik problem

If the problem is general (then it is strange why Intel continues to release such a poor quality product)
Then a standard like IEEE 802.11ax - Dead ?
Otherwise I can’t find any explanation how the rest of the world can safely use AX when it can randomly stop working.

I would like to see Mikrotik’s official position on this - I think it’s time to clarify the situation and put some dots on it