I am currently setting up a HAP AX S as access point behind another router. I want a very basic setup where the HAP AX S just acts as a switch with the physical ports, and serves as an AP with SSID1 linked to untagged traffic on any port, and SSID2 linked to VLAN 20-tagged traffic on ether2.
As a first step, I did setup a bridge across all physical ports and added Wifi with the following config:
[admin@MikroTik] > /export hide-sensitive
# 2025-12-03 12:29:34 by RouterOS 7.20.6
# software id = GDQF-PIJS
#
# model = E62iUGS-2axD5axT
# serial number = HK60AMMY2J0
/interface bridge
add comment="Main Bridge" name=bridge1
/interface wifi configuration
add channel.skip-dfs-channels=all country=Germany datapath.bridge=bridge1 disabled=no mode=ap name=test \
security.authentication-types=wpa2-psk ssid=test
/interface wifi
set [ find default-name=wifi2 ] configuration=test configuration.mode=ap disabled=no
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
This is working nicely: down/up approx. 400/50mbps (my internet line speed is 1000/50).
As soon as I enable VLAN filtering on the switch (no other change), I get down/up of approx. 400/1mbps tested with the same device, and very unreliable WIFI connections.
I tried adding VLAN tag 1 to the datapath, but it doesn't change anything.
What am I doing wrong? How can I enable VLAN on this device to support multiple SSIDs with reasonable speed?
I have already tried several combinations of options, but whenever I enable VLAN filtering on the main bridge, I get unusable upload performance for WIFI devices.
Speed is fine for devices connected to any of the LAN ports ether2-ether5 (I did not yet test ether1 due to it not supporting HW offload).
The above config is currently the complete config on the device. I have already stripped it down to the absolute minimum to reproduce the issue. That is also why additional VLANs etc. are currently removed from the configuration.
I had the whole setup running with several VLANs, but Wifi upload is so slow that it is unusable and clients constantly disconnect, so I replaced the Mikrotik with my old AP and tried to reproduce the issue in an isolated environment. The problem appears as soon as I enable VLAN filtering on the bridge.
The wifi is part of the bridge through datapath.bridge=bridge1, which adds it as a dynamic bridge port.
I already tried to add the wifi2 device directly as a bridge port and remove the datapath option. It does not make a difference in performance.
My goal in this test setup is to get the most basic part working: get a bridge that is VLAN-enabled and routes all untagged traffic between all physical ports and wifi clients. If I get this working with reasonable performance, I can add complexity with additional VLANs later.
However, the basic setup fails as soon as I enable VLAN filtering with unacceptable performance.
The configuration you posted has NO VLAN(s) whatsoever, you should also post the configuration (with VLAN(s) and bridge filter enabled) that is giving you the slow speed (on upload only if I get it right?).
here is the complete config.
I have two SSID, "test" and "guest". For "guest", everything is fast (Up- and Download). For "test", only downloads are fast. Uploads on test fail or are extremely slow.
Speed is now tested with an iperf3 server in the local network and an iperf3 client on the android client devices. I use two different Wifi clients. Both show the same performance problem in network "test" (download ~400-600mbit/s, upload ~5-10mbit/s with some failing connections).
Any hints what I am doing wrong? Thank you in advance for your help.
FT aka https://en.wikipedia.org/wiki/IEEE_802.11r-2008 does work without a controller (in standalone, BSS mode) as long as client uses centralized AAA (by means of 802.1X) i.e RADIUS (from what I know).
For "test", only downloads are fast. Uploads on test fail or are extremely slow.
Which channel (MSC or frequency) your client connected to?
The clients are connected to 5GHz network. I just tried to move away from the AP until the client roams to 2.4GHz. The same speed issues occur on the 2.4 GHz connection.
Current channels are 2412/ax and 5805/ax/eeeC.
It is configured like that, because untagged traffic on ether2 belongs to VLAN ID 1, and tagged traffic belongs to VLAN 20. From reading the documentation, this setting is supported, and RouterOS calls it a "hybrid port": Bridging and Switching - RouterOS - MikroTik Documentation
This is just to reduce load on the 2.4GHz frequencies - it is already super crowded with Wifi networks where I live. The bad performance happens independently of the channel settings, and even if 2.4G is completely switched off.
The router is connected to ether2. I wanted to use the other interfaces as switch to connect stuff like e.g. my printer.
Do you think reducing the number of untagged ports would make any difference w.r.t. wifi performance? Currently, only ether2 has anything connected, all other ports are free. The bridge shows current-untagged=ether2, it seems like the inactive interfaces get dynamically removed from this list.
I don't think the problem is with your configuration, but rather that the Wi-Fi on this device is currently broken. This is confirmed by other forum posts where users complain about low speeds and by YouTube reviews.
Wait, maybe they'll fix it. But I think the whole Hex Refresh, S, HAP S AX series is stillborn, and it's easier to sell them and forget about them. Try buying AX2 and AX3, although they have their issues, they're generally satisfactory.
I would try another pvid than 1 on wifi1/wifi2. I don't know how vlan1 is handled in detail, but it has special meaning. I wouldn't wonder if this would put extra pressure on CPU.
Thank you for the hint. I have already tried that and changed everything to PVID / VLAN 10. It does not make any difference. CPU utilization is ~3% during slow/failing upload, so it is not the CPU that is limiting performance here.
Thank you very much for the advice. I think your conclusion is correct. I can still return the device, so I will most likely inform Mikrotik about the issue and if I do not get a timely feedback, return the device and look for something else.
What I found positive about the HAP AX S is that it does offer 40 MHz bandwidth on 2.4 GHz band and 160 MHz wide channels on 5GHz, contrary to the specs.
Are real-world Wifi speeds comparable on the AX2? The alternative would be to just wait for the be3 to become available and stable.