hAP ax2 5 GHz SSID visible in MikroTik scan, but not detected by most clients

nicknamer · May 26, 2026, 8:35am

Hi,

I’m having a strange issue with a MikroTik C52iG-5HaxD2HaxD running RouterOS firmware type ipq6000. The device is brand new and was first tested with the factory firmware 7.6.

The 2.4 GHz SSID works normally and is visible to all devices. The 5 GHz SSID is the problem: MikroTik can see it in scan, but most client devices do not see it at all.

What I tested:

Different RouterOS versions: 7.21.1, 7.21.3 LTS, 7.22.3 stable
Factory firmware 7.6
Default configuration
Complete configuration wipe/reset
Different wireless parameter changes
Different frequencies and channel settings
DFS disabled / changed
Security variations

Current behavior:

Out of about 10 computers, only one laptop can see the 5 GHz SSID.
MikroTik can see the SSID in scan.
About half of the phones cannot see it.
Samsung phones with One UI 8.5 do not see it at all.
Samsung phones with One UI 8.0 can see it.
Windows 10 / Windows 11 devices also mostly do not see it.

This does not look like a client connection problem — the network is simply not visible to most devices.

I already tried:

Different firmware versions
Default configuration
Full configuration wipe/reset
Different channel/frequency settings
Disabling DFS
Changing channel width
Various security settings
QuickSet defaults and manual changes

At this point I suspect either:

a compatibility issue in the hAP ax2 WiFi implementation,
a regulatory/channel broadcast issue,
or a bug in RouterOS WiFi on this model.

Has anyone seen similar behavior where the AP sees the SSID itself, but most modern clients do not detect it?

PrintDetail

[admin@MikroTik] > /interface/wifi/print detail
Flags: M - MASTER; D - DYNAMIC, N - NETWORK; B - BOUND;
X - DISABLED, I - INACTIVE, R - RUNNING
0 M B default-name="wifi1" name="wifi1" l2mtu=1560
mac-address=48:A9:8A:64:FA:CE arp-timeout=auto
radio-mac=48:A9:8A:64:FA:CE
configuration.country=Czech .installation=indoor .ssid="5G" .mode=ap
security.authentication-types=wpa2-psk .encryption=""
.group-encryption=ccmp
datapath.bridge=bridge
channel.frequency=5180 .band=5ghz-ax .width=20mhz
.skip-dfs-channels=all

1 M B default-name="wifi2" name="wifi2" l2mtu=1560
mac-address=48:A9:8A:64:FA:CF arp-timeout=auto
radio-mac=48:A9:8A:64:FA:CF
configuration.country=Czech .ssid="24G" .mode=ap
security.authentication-types=wpa2-psk,wpa3-psk .ft=yes
.ft-over-ds=yes
channel.skip-dfs-channels=10min-cac

Thanks.

holvoetn · May 26, 2026, 8:37am

99 out of 100 the issue is config but we did not get to see that ?
Default AX devices tend to select higher frequencies for 5GHz and quite a bit of clients can not handle it.
However there might be other reasons.

So please show export of your config, specifically the wifi part.
Make sure to remove serial, passwd, ... then post back here between code quotes for easier readability.

rextended · May 26, 2026, 8:54am

Really?

Config wrong, use /export as mentioned before.

aldek · May 26, 2026, 9:17am

The same device model = C52iG-5HaxD2HaxD

RouterOS 7.21.1

No problem at all - iOS, MAC, Ubuntu, Win11 clients, at any 2.4/5 GHz SSIDs

My config:

/interface wifi set [ find default-name=wifi2 ] channel.band=2ghz-ax .reselect-interval=2h..4h .width=20mhz configuration.country=Superchannel .hw-protection-mode=rts-cts .mode=ap .ssid=XXX-X disabled=no name=wifi.2GHz security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes .passphrase=PASSPHRASE .wps=disable
/interface wifi set [ find default-name=wifi1 ] channel.band=5ghz-ax .reselect-interval=2h..4h .width=20/40/80mhz configuration.country=Superchannel .hw-protection-mode=rts-cts .mode=ap .ssid=XXX-X disabled=no name=wifi.5GHz security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes .passphrase=PASSPHRASE .wps=push-button

[xxxxxxx@hAPax2-ZL] > interface/wifi print detail
Flags: M - master; D - dynamic; B - bound; X - disabled, I - inactive, R - running
0 M BR default-name="wifi2" name="wifi.2GHz" l2mtu=1560 mac-address=FF:FF:FF:FF:XX:XX arp-timeout=auto
radio-mac=FF:FF:FF:FF:FF:FF
configuration.mode=ap .ssid="XXX-X" .country=Superchannel .hw-protection-mode=rts-cts
security.authentication-types=wpa2-psk,wpa3-psk .wps=disable .ft=yes .ft-over-ds=yes
channel.band=2ghz-ax .width=20mhz .reselect-interval=2h..4h

1 M BR default-name="wifi1" name="wifi.5GHz" l2mtu=1560 mac-address=FF:FF:FF:FF:FF:FF arp-timeout=auto
radio-mac=FF:FF:FF:FF:FF:FF
configuration.mode=ap .ssid="XXX-X" .country=Superchannel .hw-protection-mode=rts-cts
security.authentication-types=wpa2-psk,wpa3-psk .wps=push-button .ft=yes .ft-over-ds=yes
channel.band=5ghz-ax .width=20/40/80mhz .reselect-interval=2h..4h

rextended · May 26, 2026, 9:37am

For maximum compatibility, it should not be set. See other topics on the same topic.

aldek · May 26, 2026, 9:47am

Yep, I know, but in my case it doesn't matter.

nicknamer · May 26, 2026, 9:54am

MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK

Press F1 for help

[admin@MikroTik] > /export hide-sensitive

2026-05-26 08:04:11 by RouterOS 7.22.3

model = C52iG-5HaxD2HaxD

/interface bridge
add admin-mac=48:A9:8A:64:FA:CA auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5180 .skip-dfs-channels=all .width=20mhz configuration.country=Czech .installation=indoor .mode=ap .ssid=5G datapath.bridge=bridge
disabled=no security.authentication-types=wpa2-psk .encryption="" .group-encryption=ccmp
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country=Czech .mode=ap .ssid=24G security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client

Interface not active

add comment=defconf interface=ether1 name=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 in-interface=lo src-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >

nicknamer · May 26, 2026, 9:54am

/interface bridge
add admin-mac=48:A9:8A:64:FA:CA auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5180 .skip-dfs-channels=all .width=20mhz configuration.country=Czech .installation=indoor .mode=ap .ssid=5G disabled=no
interworking.realms-raw="" security.authentication-types=wpa2-psk .encryption=ccmp .group-encryption=ccmp
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country=Czech .mode=ap .ssid=24G disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client

Interface not active

add comment=defconf interface=ether1 name=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 in-interface=lo src-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

nicknamer · May 26, 2026, 9:54am

Thank you. I have two of these devices. Both are configured the same way, but one is having these issues and the other isn't...
The only difference is that on one of them, I updated and then downgraded the firmware, while on the other, I've had version 21.1.1 for a long time and it's working fine... But now I'm afraid to upgrade it...

nicknamer · May 26, 2026, 9:54am

2ghz works perfect... problem is in 5ghz...

nicknamer · May 26, 2026, 9:54am

tested your configuration - not working

rextended · May 26, 2026, 10:03am

Search other topic: Do not use winbox 3 and remove that wrong config.
Other topics explain exactly how do that.

Paste on Terminal:

/interface wifi
set [ find ] !interworking.realms-raw

nicknamer · May 26, 2026, 10:51am

Thank you, but not working

/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5180
.reselect-interval=2h..4h .skip-dfs-channels=all .width=20/40/80mhz
configuration.country=Czech .hw-protection-mode=rts-cts .installation=
indoor .mode=ap .ssid=5ghzt disabled=no name=wifi.5GHz
security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp .ft=yes
.ft-over-ds=yes .group-encryption=ccmp .wps=push-button

rextended · May 26, 2026, 11:03am

First start from a base where it works for everyone, then customize...

Paste this:

/interface wifi
set [ find default-name=wifi1 ] !channel.band channel.frequency=5180 !channel.reselect-interval \
    .skip-dfs-channels=all !channel.width configuration.country=Czech !configuration.hw-protection-mode .installation=indoor \
    .mode=ap disabled=no !interworking.realms-raw security.authentication-types=wpa2-psk \
    .encryption=ccmp .ft=yes .ft-over-ds=yes .group-encryption=ccmp .management-protection=disabled .wps=disable

nicknamer · May 26, 2026, 11:47am

/interface wifi

SSID not set

must specify passphrase for PSK

set [ find default-name=wifi1 ] configuration.country=Czech .installation=indoor .mode=ap disabled=no mtu=1500 security.authentication-types=wpa2-psk
.beacon-protection=disabled .encryption=ccmp .ft=yes .ft-over-ds=yes .group-encryption=ccmp .management-protection=disabled .wps=disable

SSID not set

must specify passphrase for PSK

set [ find default-name=wifi2 ] configuration.country=Czech .installation=indoor .mode=ap disabled=no security.authentication-types=wpa2-psk .encryption=ccmp
.ft=yes .ft-over-ds=yes .group-encryption=ccmp .management-protection=disabled .wps=disable

jaclaz · May 26, 2026, 12:25pm

You probably need to add this:

to each set of commands

rextended · May 26, 2026, 12:25pm

Something new comes up every time,
but what are you doing?

nicknamer · May 26, 2026, 12:50pm

set [ find default-name=wifi1 ] configuration.country=Czech .installation=indoor .mode=ap .ssid=T5G mtu=1500 security.authentication-types=wpa2-psk
.beacon-protection=disabled .encryption="" .management-protection=disabled .wps=disable

It doesn't matter if there's no authentication—I turned off all authentication options and it still doesn't work. Now I've set it to WPA2 with the password 12345678, and that doesn't work either. Most devices just can't see it; it's not listed among the visible networks...

jaclaz · May 26, 2026, 1:49pm

Could it be an issue with channel range?, i.e. this:

deprioritize-unii-3-4=yes

is sometimes needed when clients cannot reach the higher frequency channels.