Force client to specific AP...

I have a capsman setup and multiple APs all running 6.4.8 stable around the house. I have an access list created that allows specific MAC addresses to connect to specific APs and then I put a deny all right after it. This usually works 95% of the time, but sometimes the IoT devices drop and try and connect to another nearby AP. This results in the log saying over and over forbidden, rejected by access-list. Why does it not jump back to the AP that it’s allowed to connect to rather than sit there and repeatedly try and connect to one that it’s denied access to? Am I doing something wrong? Any help/advice would be greatly appreciated.

Devices usually try to connect to the strongest AP and don’t know they are blocked there.

As @normis wrote, the device will try to connect to any AP with the same SSID. If you want to constrain certain client devices to certain APs, create SSIDs specifically for each AP (e.g. AP1, AP2, …) and configure those devices to use the appropriate SSID (e.g. configure the IoT3 device to connect only to AP #2 by configuring it to use SSID=AP2). Those SSIDs can be virtual (no need for dedicated hardware) and bridged to the same LAN, so no need for LAN segmentation (if you don’t want to do it; keeping IoT devices contained in separate VLANs is good BTW).

I’m not sure why you would want to keep devices using an AP further away though.

Yes, I already have all my IoT devices connected to a separate SSID using a separate data path with all the necessary iptable rules implemented. They can only access the internet. My issue is I have them connected to the strongest AP and I lock them by access-list to that AP. At some random point they try and connect to the AP that is further away and cannot due to the access-list. Rather than bouncing back to the AP they are allowed to connect to and were connected to before, they will just repeatedly try to connect to the one they are forbidden from. It’s strange.

Could be some intermittent interference present on the channel used by the closest AP. As @Normis already wrote: the wifi standard does not have anything about mobility, hence an AP cannot force a client to connect to another AP; it can only reject registration. But as many have learned, rejecting clients to make them roam elsewhere doesn’t always work. Especially so if there is no margin for the client …

For wireless clients

Take a look at the Mikrotik connect-list and Mikrotik area-prefix

I assume you have multiple APs your clients are connecting to and the APs all have the same SSID.

Here is what you can do:
On your APs (all APs have the same SSID), configure a unique area-prefix for each AP.
On your clients (all your clients want to connect to the same SSID), configure the connect-list with the unique prefix you want the client to connect to.
If the connect-list fails, the client will try to connect normally as if there was no connect-list or area-prefix setting.

https://wiki.mikrotik.com/wiki/Manual:Interface/Wireless
North Idaho Tom Jones
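The steps above, written out as RouterOS terminal commands. This is an added example, not configuration posted in the thread; the interface name wlan1, the SSID "iot", the security profile "iot-profile" and the area strings "ap1"/"ap2" are assumptions. On the AP side the value is set with the wireless interface's area property, and on the client side it is matched with the connect-list's area-prefix. Note that this only works for a MikroTik device in station mode; a third-party IoT client has no connect-list and will keep choosing the AP with the strongest signal, which is the behaviour the thread describes.

```routeros
# --- AP 1 (plain Wireless package, not CAPsMAN; area is per wireless interface) ---
/interface wireless set wlan1 ssid="iot" security-profile="iot-profile" area="ap1"

# --- AP 2 ---
/interface wireless set wlan1 ssid="iot" security-profile="iot-profile" area="ap2"

# --- MikroTik client that should stay on AP 2 ---
/interface wireless set wlan1 mode=station ssid="iot" security-profile="iot-profile"

# Rule 1: connect only to an AP whose area begins with "ap2".
/interface wireless connect-list add interface=wlan1 ssid="iot" area-prefix="ap2" \
    security-profile="iot-profile" connect=yes comment="pin to AP 2"

# Rule 2 (catch-all): if nothing above matched, do not fall back to "any AP with this SSID".
# Without this rule the station behaves as if there were no connect-list at all,
# which is the caveat from the post above.
/interface wireless connect-list add interface=wlan1 connect=no comment="no fallback"

# Check which AP the station actually registered to (the area string is shown on the AP side):
/interface wireless registration-table print
```

If you want a safety net instead of a hard pin (for example so the client still gets online when AP 2 is down), drop rule 2 and let the default behaviour take over; the trade-off is exactly the one the thread is about, namely that the station may then land on an AP you did not intend.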

Can’t find area-prefix in CAPsMAN configuration and there is no connection-list as well.

I don’t think CAPsMAN supports area-prefix. It is supported in Winbox.

Has anyone had success with this?

I have created a connection list entry on both the Wireless Access Point and the Wireless Client. I used the SSID, Area Prefix, Security Profile and even the MAC address (WAP MAC on the Client connection list). No luck… the Client keeps connecting to the Wireless Access Point with no Connection List configuration.