For a month im using hAP AC3 and notice poor wifi speed. Made some tests and find that with wpa or non secure wifi my internet speed is 320Mb/s (ISP on cable 400Mb/s). When i check wpa2-psk, wp3-psk or both, wifi speed drops to 30Mb/s. It happens for all connected devices.
Any ideas how to solve this issue?
ROS 7.3.1 stable, wifiwave2.
Have reset router, doesn’t config anything on it, but issue persist.
Thanks
One thing to keep in mind when configuring WPA2 (on any device) is to avoid using TKIP at all costs. So security profiles should be set with encryption=ccmp group-encryption=ccmp. Other encryption algorithms are optional in WPA3 and may be poorly supported / buggy both by ROS as well as wireless clients so perhaps you should avoid using them until you reach stable operation with the required (basic) CCMP.
Perhaps you can share your current config:
/export hide-sensitive file=anynameyoulike (en be aware to remove any personal information)
current config:
# jul/14/2022 18:23:18 by RouterOS 7.3.1
# software id = 19K0-QWE0
#
# model = RBD53iG-5HacD2HnD
# serial number = F34E0F4A8361
/interface bridge
add admin-mac=DC:2C:6E:5D:43:BB auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=2ghz-n .frequency=2461-2483 \
.skip-dfs-channels=10min-cac .width=20mhz configuration.mode=ap .ssid=\
D disabled=no name=2.4 security.authentication-types=wpa-psk \
.encryption=ccmp
set [ find default-name=wifi2 ] channel.band=5ghz-ac .frequency=5180-5240 \
.skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=ap \
.ssid=5G disabled=no name=5 security.authentication-types=wpa-psk \
.encryption=ccmp
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk encryption=ccmp name=sec1
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=2.4
add bridge=bridge comment=defconf interface=5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Vilnius
/system scheduler
add interval=1w name="auto reboot" on-event="/system reboot" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jul/10/2022 start-time=03:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Not sure if it affects speed, but you should be using authentication-types=wpa2-psk (not wpa-psk).
WPA2 and WPA3 decrease wifi speed. Only WPA or non secure wifi had to use for better wifi speed…
And still, depending on which source you consult, WPA is claimed to result in connection to be slower then when using WPA2.
So go figure …
https://www.diffen.com/difference/WPA_vs_WPA2
I would be happy and i want to use WPA2 or even WPA3, but my practice with this router shows different. I refuse to have internet speed with 30Mb/s and have to choose WPA with 300Mb/s. I hope this issue would be solved with ROS update or somebody shows magic how to config os.
I use WPA3 on AC3 and get consistent >300 Mb speeds (internal iperf server).
No magic needed.
Could you share your current config?
Sure. Wifiwave2 related part included.
Pretty basic.
- setup channels to be used
- setup security to be used
- make configurations needed based on channels and security defined before
- create interfaces based on configurations (1x 2.4Ghz SSID plus slave IoT SSID, 1x 5GHz channel with own SSID)
Do not change settings related to security or channels when defining interfaces since you will overrule the ones you made before (as you did in your config).
If you know how to use capsman, it works conceptually exactly the same.
security.ft=no was something I tried for the new 802.11r features (which don’t work cross-AP yet, so I disabled it again since my SSIDs are different across radios)
# jul/16/2022 14:47:48 by RouterOS 7.4rc2
# software id = LB29-6B5U
#
# model = RBD53iG-5HacD2HnD
# serial number = <serial>
/interface wifiwave2 channel
add band=2ghz-n frequency=2412,2437,2462 name=ch1_6_11 width=20mhz
add band=5ghz-ac frequency=5500 name=ch5500 width=20/40/80mhz
/interface wifiwave2 security
add authentication-types=wpa2-psk name=security1 passphrase=<super-secret>
add authentication-types=wpa2-psk name=IoT passphrase=<super-secret2>
/interface wifiwave2 configuration
add country=Belgium mode=ap name=name1 security=security1 ssid=SSID1
add country=Belgium mode=ap name=name2 security=security2 ssid=SSID2
add channel.frequency="" country=Belgium mode=ap name=IoT security=IoT ssid=IoT
/interface wifiwave2
set [ find default-name=wifi1 ] arp-timeout=auto channel=ch1_6_11 \
configuration=name1 configuration.mode=ap disabled=no name=wifi1 security.ft=no
set [ find default-name=wifi2 ] arp-timeout=auto channel=ch5500 \
configuration=name2 configuration.mode=ap disabled=no \
name=wifi2 security.ft=no
add arp-timeout=auto configuration=IoT configuration.mode=ap disabled=no \
master-interface=wifi1 name=wifi3 \
security.ft=no
/interface wifiwave2 access-list
add action=accept allow-signal-out-of-range=30s disabled=no interface=dynamic \
signal-range=-86..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=1s disabled=no interface=dynamic \
signal-range=-120..-87 ssid-regexp=""
Again im here.
Updated ROS expecting to solve my problem, but no results…
Any ideas?
# dec/20/2022 12:59:57 by RouterOS 7.6
# software id = 19K0-QWE0
#
# model = RBD53iG-5HacD2HnD
# serial number = F34E0F4A8361
/interface bridge
add admin-mac=DC:2C:6E:5D:43:BB auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.country=Lithuania .mode=ap .ssid=_2G disabled=no name=2.4 security.authentication-types=wpa-psk .encryption=ccmp
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country=Lithuania .mode=ap .ssid=_5G disabled=no name=5 security.authentication-types=wpa-psk .encryption=ccmp
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk encryption=ccmp name=sec1
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=2.4
add bridge=bridge comment=defconf interface=5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Vilnius
/system scheduler
add interval=1w name="auto reboot" on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jul/10/2022 start-time=03:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Have googling for days and find some answers.
- Have to setup Mikrotik device manually avoiding its quick setup. https://www.youtube.com/watch?v=Y_xIprSlp94
After manual configuration my AC3 increases internet speed and majority devices starts working with wpa2/wpa3 in full speed. - Atheros QCA9377 wifi adapter is buggy.
My Lenovo with MX Linux-21 ath10k_pci with firmware-5.bin and firmware-6.bin is still limiting 30mbps speed on wpa2/wpa3.
Wifes Dell with Windows10 and same wifi adapter (QCA9377) works properly and reaches top speed with same Mikrotik hAP AC3 network.
In searching for linux solution…
Looks like my hAP AC3 starts working as i expected, stable and fast.
I have changed computers wifi adapter to Intel AX200 (25eur) and update ros to 7.9.1. Updating ros solves wifi droping issue.
Best device is when u forget about it. It just works.