Google Nest Audio doesn't see WiFi networks from my hAP ax3

monkeber · December 29, 2024, 11:31am

Hello. Recently I purchased Mikrotik hAP ax3 (C53UiG+5HPaxD2HPaxD) instead of my old TP-Link Archer C6, most of the functionality seems to be working OK (except occasional SA query timeout, but that’s another topic), good coverage and speeds, but I’m having issues connecting Google Nest Audio speaker to the WiFi and spent several days researching this topic to no avail. It often can’t see my networks at all even though it sees all the neighbors. I’m able to connect the speaker to my hotspot from the phone and it worked on my old router as well, so I suspect the problem is in my ax3 since it is the only thing that changed recently.

My setup: I have only one router in my flat, I’ve configured 2 WiFi networks with different names, one for 5 GHz and one for 2.4 GHz. routeros 7.16.2. wifi-qcom 7.16.2.

The issue: While setting up the speaker it often can’t see my networks, neither 5 GHz one, nor 2.4 GHz. Very rarely it detects 5 GHz, tries to connect to it, but later gives up saying “unable to connect”. Sometimes (but only sometimes, for some reason) it can see 2.4 GHz network and then is able to connect to it and will work until the router is rebooted (because of blackout, for example) or once router randomly dropped the connection (it happened only once during a couple of weeks). What I found that could work to fix it - is going into 2.4 network configuration and switching WIFI band to another one (for example AX to N, or N to AX) and then the speaker will be able to connect to the router again, it works more often than not, but still can fail from time to time. This workaround doesn’t work with 5 GHz network though.
I even was able to reproduce the issue with 2.4 GHz network by: rebooting the router → speaker looses the connection → I wait for the speaker to reconnect (waited up to 1 hour, all other devices are able to find the network and connect) → speaker still cannot connect → open network settings and change WiFi band → wait a couple of minutes and the speaker successfully connected to the network (or I can redo the setup process and it will see that network). Repeated this process several times, almost always it worked, one time I had to switch the band couple more times before it connected.

What else I tried on both 5GHz and 2.4GHz networks and did not had an effect:

Play with the different settings, tried different bands, different channel width, authentification types and encryption types (wpa, wpa2, wpa3, ccmp, tkip, etc), disable\enable FT, enabled UPNP as was suggested in one of the topics on the forum.
Tried to analyze my neighbors wifi networks via WIFI Analyzer and configure my networks the same way.
Set up the speaker almost right next to the router (1-2 meters distance).

Did any one else encountered such issues? Could somebody help me?
I’ve asked my friends who have mikrotik devices but no one seem to have this issues, but they are also on older devices like hAP ac or rb2011uias-2hnd-in with wireless driver, not wifi-qcom, could it be the issue with the newer driver?

My config:

# 2024-12-29 11:17:20 by RouterOS 7.16.2

# software id = 7KR8-1ZQT

#

# model = C53UiG+5HPaxD2HPaxD

# serial number = HGW******

/interface bridge

add admin-mac=F4:1E:57:20:XX:XX auto-mac=no comment=defconf name=bridge

/interface wifi

set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=disabled .width=20/40/80mhz configuration.country=Ukraine .mode=ap .multicast-enhance=enabled .ssid=Lasagna disabled=no security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes

set [ find default-name=wifi2 ] channel.band=2ghz-n .skip-dfs-channels=all .width=20/40mhz configuration.country=Ukraine .mode=ap .multicast-enhance=enabled .ssid=Lasagna2.4 disabled=no security.authentication-types=wpa2-psk .encryption=ccmp .ft=yes .ft-over-ds=no .management-encryption=cmac .management-protection=disabled

/interface list

add comment=defconf name=WAN

add comment=defconf name=LAN

/ip pool

add name=default-dhcp ranges=192.168.88.10-192.168.88.254

/ip dhcp-server

add address-pool=default-dhcp interface=bridge name=defconf

/disk settings

set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes

/interface bridge port

add bridge=bridge comment=defconf interface=ether2

add bridge=bridge comment=defconf interface=ether3

add bridge=bridge comment=defconf interface=ether4

add bridge=bridge comment=defconf interface=ether5

add bridge=bridge comment=defconf interface=wifi1

add bridge=bridge comment=defconf interface=wifi2

/ip neighbor discovery-settings

set discover-interface-list=LAN

/interface list member

add comment=defconf interface=bridge list=LAN

add comment=defconf interface=ether1 list=WAN

/ip address

add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0

/ip dhcp-client

add comment=defconf interface=ether1

/ip dhcp-server network

add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1

/ip dns

set allow-remote-requests=yes

/ip dns static

add address=192.168.88.1 comment=defconf name=router.lan type=A

/ip firewall filter

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec

add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes

add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat

add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

add action=dst-nat chain=dstnat comment="Local server" dst-port=27000-27050 protocol=tcp to-addresses=192.168.88.254

add action=dst-nat chain=dstnat comment="Local server" dst-port=27000-27050 protocol=udp to-addresses=192.168.88.254

add action=masquerade chain=srcnat dst-address=192.168.88.254 out-interface=bridge protocol=tcp src-address=192.168.88.0/24

add action=masquerade chain=srcnat dst-address=192.168.88.254 out-interface=bridge protocol=udp src-address=192.168.88.0/24

/ip ipsec profile

set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5

/ip upnp

set allow-disable-external-interface=yes enabled=yes

/ip upnp interfaces

add interface=bridge type=internal

add interface=ether1 type=external

/ipv6 firewall address-list

add address=::/128 comment="defconf: unspecified address" list=bad_ipv6

add address=::1/128 comment="defconf: lo" list=bad_ipv6

add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6

add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6

add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6

add address=100::/64 comment="defconf: discard only " list=bad_ipv6

add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6

add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6

add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6

add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp

add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10

add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp

add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah

add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp

add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec

add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6

add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6

add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6

add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6

add action=accept chain=forward comment="defconf: accept HIP" protocol=139

add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp

add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah

add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp

add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec

add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

/system note

set show-at-login=no

/system routerboard wps-button

set enabled=yes on-event=wps-accept

/system script

add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\

    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"ap\" && disabled=no)] do={\r\

    \n     /interface/wifi wps-push-button \$iface;}\r\

    \n "

/tool mac-server

set allowed-interface-list=LAN

/tool mac-server mac-winbox

set allowed-interface-list=LAN

holvoetn · December 29, 2024, 11:45am

Check security settings on the used ssid.
Some devices don’t like it when WPA3 is possible even though they can not use it.
Remove WPA3 and see what happens then.

Alternative: create slave ssid only for those devices not using wpa3.

monkeber · December 30, 2024, 12:20am

Hi holvoetn, WPA3 is already disabled for the networks, unless I misunderstood you, still have the same issue.

holvoetn · December 30, 2024, 7:14am

Can you post the wifi part of your config ?
Make sure passwords are obfuscated (change them so we know they are there but so we can not see what it is).

monkeber · December 30, 2024, 9:28am

Yep, here it is:

[admin@MikroTik] /interface/wifi> export verbose show-sensitive 
# 2024-12-30 09:24:44 by RouterOS 7.16.2
# software id = 7KR8-1ZQT
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HGW*********

/interface wifi

set [ find default-name=wifi1 ] arp-timeout=auto channel.band=5ghz-ax .skip-dfs-channels=disabled .width=20/40/80mhz configuration.country=Ukraine .mode=ap .multicast-enhance=enabled .ssid=Lasagna disabled=no l2mtu=1560 mac-address=F4:1E:57:20:CA:E0 name=wifi1 \

    radio-mac=F4:1E:57:20:CA:E0 security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes .passphrase="***********"

set [ find default-name=wifi2 ] arp-timeout=auto channel.band=2ghz-n .skip-dfs-channels=all .width=20/40mhz configuration.country=Ukraine .mode=ap .multicast-enhance=enabled .ssid=Lasagna2.4 disabled=no l2mtu=1560 mac-address=F4:1E:57:20:CA:E1 name=wifi2 radio-mac=\

    F4:1E:57:20:CA:E1 security.authentication-types=wpa2-psk .encryption=ccmp .ft=yes .ft-over-ds=no .management-encryption=cmac .management-protection=disabled .passphrase="**********"

/interface wifi cap
set enabled=no

/interface wifi capsman
set enabled=no

holvoetn · December 30, 2024, 9:48am

I see these 2 settings for 2GHz channel:
.encryption=ccmp … .management-encryption=cmac

Make sure they are both disabled.
Not open and blank, really disabled (folded in).

monkeber · December 30, 2024, 11:16am

Tried, still have the same issue. I’ve changed the settings like you suggested, rebooted the router, the speaker can’t find the network, I’ve waited for a few more minutes to make sure that it still doesn’t see the network, then I changed the band of the 2.4 GHz network and the speaker can see the network again. 5 GHz is not visible at all still.

Current config:

[admin@MikroTik] /interface/wifi> export verbose show-sensitive 

# 2024-12-30 11:07:39 by RouterOS 7.16.2

# software id = 7KR8-1ZQT

#

# model = C53UiG+5HPaxD2HPaxD

# serial number = HGW********

/interface wifi

set [ find default-name=wifi1 ] arp-timeout=auto channel.band=5ghz-ax .skip-dfs-channels=disabled .width=20/40/80mhz configuration.country=Ukraine .mode=ap .multicast-enhance=enabled .ssid=Lasagna disabled=no l2mtu=1560 mac-address=F4:1E:57:20:CA:E0 name=wifi1 \

    radio-mac=F4:1E:57:20:CA:E0 security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes .passphrase="**********"

set [ find default-name=wifi2 ] arp-timeout=auto channel.band=2ghz-n .skip-dfs-channels=all .width=20/40mhz configuration.country=Ukraine .mode=ap .multicast-enhance=enabled .ssid=Lasagna2.4 disabled=no l2mtu=1560 mac-address=F4:1E:57:20:CA:E1 name=wifi2 radio-mac=\

    F4:1E:57:20:CA:E1 security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=no .passphrase="*********"

/interface wifi cap

set enabled=no

/interface wifi capsman

set enabled=no

https://imgur.com/Ug5lSls

wrkq · December 30, 2024, 12:51pm

Stupid suggestion, but as a test, try to manually configure the 5Ghz for a low channel number and width (5200/20 for example) and see if the speaker can find the network then?
Maybe your auto-frequency setting lands on some channel in the 5600 or 5800 zone and the client radio in the speaker is so basic/cheap it cannot reach so high?
I had similar issues with IoT…

monkeber · December 31, 2024, 1:28am

Hi @wrkq

Thank you for the suggestion! While setting the 5200 frequency and channel width to 20, the speaker was still not able to find the network, but I did some more tweaking and noticed that frequencies matter for 2.4 GHz. For example, when the router selects frequencies 2437-2477 - the speaker was not able to find even 2.4 GHz network, but when the router selects 2407-2447 - the speaker is able to connect without issues and even reconnects after the router reboot. For now I’ve set frequencies manually to 2407-2447. All other devices are always able to connect to the 2.4 GHz network regardless of what frequencies are set, I guess it may be that Google just decided to produce a wifi-only device that doesn’t work with certain wifi frequencies

Regarding the 5 GHz - I still don’t understand why it won’t see the network even when it is on 5200, but maybe I need to try different channels, since the speaker prefers specific 2.4 channels as well.
I’ve also found a relevant topic on Ubiquiti forum: https://community.ui.com/questions/Google-Nest-Mini-5Ghz-does-not-support-channel-149-or-higher/53bb73fd-bf41-4a2a-b095-893fbe5691e0, it’s for Nest Mini but I suppose the hardware may be similar. They say that nest mini doesn’t support channels above 149.

I will try to tweak the channels for 5ghz in the following days and double check that it works only on specific 2.4 channels and post my findings here.

My current config:

[admin@MikroTik] /interface/wifi> export verbose show-sensitive 

# 2024-12-31 01:20:36 by RouterOS 7.16.2

# software id = 7KR8-1ZQT

#

# model = C53UiG+5HPaxD2HPaxD

# serial number = HGW*********

/interface wifi

set [ find default-name=wifi1 ] arp-timeout=auto channel.band=5ghz-ax .skip-dfs-channels=disabled .width=20/40/80mhz configuration.country=Ukraine .mode=ap .multicast-enhance=enabled .ssid=Lasagna disabled=no l2mtu=1560 mac-address=F4:1E:57:20:CA:E0 name=wifi1 radio-mac=F4:1E:57:20:CA:E0 security.authentication-types=wpa2-psk \

    .ft=yes .ft-over-ds=yes .passphrase="*********"

set [ find default-name=wifi2 ] arp-timeout=auto channel.band=2ghz-ax .frequency=2407-2447 .skip-dfs-channels=all .width=20/40mhz configuration.country=Ukraine .mode=ap .multicast-enhance=enabled .ssid=Lasagna2.4 disabled=no l2mtu=1560 mac-address=F4:1E:57:20:CA:E1 name=wifi2 radio-mac=F4:1E:57:20:CA:E1 \

    security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=no .passphrase="*******"

/interface wifi cap

set enabled=no

/interface wifi capsman

set enabled=no

maigonis · December 31, 2024, 4:43pm

Stupid suggestion, but as a test, try to manually configure the 5Ghz for a low channel number and width (5200/20 for example) and see if the speaker can find the network then?
Maybe your auto-frequency setting lands on some channel in the 5600 or 5800 zone and the client radio in the speaker is so basic/cheap it cannot reach so high?
I had similar issues with IoT…

Hi @wrkq

Thank you for the suggestion! While setting the 5200 frequency and channel width to 20, the speaker was still not able to find the network, but I did some more tweaking and noticed that frequencies matter for 2.4 GHz. For example, when the router selects frequencies 2437-2477 - the speaker was not able to find even 2.4 GHz network, but when the router selects 2407-2447 - the speaker is able to connect without issues and even reconnects after the router reboot. For now I’ve set frequencies manually to 2407-2447. All other devices are always able to connect to the 2.4 GHz network regardless of what frequencies are set, I guess it may be that Google just decided to produce a wifi-only device that doesn’t work with certain wifi frequencies

Regarding the 5 GHz - I still don’t understand why it won’t see the network even when it is on 5200, but maybe I need to try different channels, since the speaker prefers specific 2.4 channels as well.
I’ve also found a relevant topic on Ubiquiti forum: https://community.ui.com/questions/Google-Nest-Mini-5Ghz-does-not-support-channel-149-or-higher/53bb73fd-bf41-4a2a-b095-893fbe5691e0, it’s for Nest Mini but I suppose the hardware may be similar. They say that nest mini doesn’t support channels above 149.

I will try to tweak the channels for 5ghz in the following days and double check that it works only on specific 2.4 channels and post my findings here.

My current config:
[admin@MikroTik] /interface/wifi> export verbose show-sensitive 

# 2024-12-31 01:20:36 by RouterOS 7.16.2

# software id = 7KR8-1ZQT

#

# model = C53UiG+5HPaxD2HPaxD

# serial number = HGW*********

/interface wifi

set [ find default-name=wifi1 ] arp-timeout=auto channel.band=5ghz-ax .skip-dfs-channels=disabled .width=20/40/80mhz configuration.country=Ukraine .mode=ap .multicast-enhance=enabled .ssid=Lasagna disabled=no l2mtu=1560 mac-address=F4:1E:57:20:CA:E0 name=wifi1 radio-mac=F4:1E:57:20:CA:E0 security.authentication-types=wpa2-psk \

    .ft=yes .ft-over-ds=yes .passphrase="*********"

set [ find default-name=wifi2 ] arp-timeout=auto channel.band=2ghz-ax .frequency=2407-2447 .skip-dfs-channels=all .width=20/40mhz configuration.country=Ukraine .mode=ap .multicast-enhance=enabled .ssid=Lasagna2.4 disabled=no l2mtu=1560 mac-address=F4:1E:57:20:CA:E1 name=wifi2 radio-mac=F4:1E:57:20:CA:E1 \

    security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=no .passphrase="*******"

/interface wifi cap

set enabled=no

/interface wifi capsman

set enabled=no

Lasagna

Make sure your device have the same country set. If AP is Ukraine make sure nest is also set Ukraine.