hAP ax2 woes

Not sure why all the sarcasm. Feel free if it’s that important; it’s just a basic config. No point in posting the cap’s config, as it’s as-is in CAP mode, nothing to see!

# 2023-11-21 15:36:50 by RouterOS 7.13beta2
# software id = FA8N-TIE6
#
# model = C52iG-5HaxD2HaxD
# serial number = 
# Bridge with a fixed MAC (auto-mac=no). The admin-mac value is cut short in
# this post, presumably redacted by the poster.
/interface bridge
add admin-mac=18: auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
# Wi-Fi interfaces. No passphrase appears anywhere in this section; a
# RouterOS 7 export omits sensitive values unless show-sensitive is given, so
# the PSK itself cannot be reviewed from this listing.
# NOTE(review): all four entries are WPA2-PSK with CCMP only. If every client
# supports it, consider adding wpa3-psk to security.authentication-types.
/interface wifi
# cap-wifi1 / cap-wifi2: interfaces added by hand and tied to a radio through
# radio-mac (values truncated in the post). Both use SSID "01".
add channel.band=5ghz-ax .frequency=5500-5560 .skip-dfs-channels=10min-cac \
    .width=20/40/80mhz configuration.country="United Kingdom" .mode=ap .ssid=\
    01 disabled=no name=cap-wifi1 radio-mac=48: \
    security.authentication-types=wpa2-psk .encryption=ccmp
add channel.band=2ghz-ax .frequency=2402-2422 .skip-dfs-channels=10min-cac \
    .width=20mhz configuration.country="United Kingdom" .mode=ap .ssid=\
    01 .tx-power=10 disabled=no name=cap-wifi2 radio-mac=\
    48: security.authentication-types=wpa2-psk .encryption=ccmp
# wifi1 / wifi2: the device's own radios, selected by default-name.
# wifi1 uses SSID "TEST" while the other three entries use "01".
# NOTE(review): wifi1 carries no disabled=no, unlike the other three entries;
# confirm its state on the device.
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5180-5240 \
    .skip-dfs-channels=10min-cac .width=20/40mhz configuration.country=\
    "United Kingdom" .mode=ap .ssid=TEST security.authentication-types=\
    wpa2-psk .encryption=ccmp
set [ find default-name=wifi2 ] channel.band=2ghz-ax .frequency=2462-2482 \
    .skip-dfs-channels=10min-cac .width=20mhz configuration.country=\
    "United Kingdom" .mode=ap .ssid=01 disabled=no \
    security.authentication-types=wpa2-psk .encryption=ccmp
# Interface lists used by the firewall and the discovery/MAC-server settings:
# WAN and LAN are declared here and populated under /interface list member.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# DHCP address pool and the server that hands it out on the bridge.
/ip pool
add name=dhcp ranges=192.168.0.100-192.168.0.200
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=1d name=defconf
# Two extra queue types; only fq_codel is referenced by a queue below.
/queue type
add kind=fq-codel name=fq_codel
add kind=cake name=cake
# Two simple queues on ether1 with the same 250M/25M limit. The first (QOS) is
# active; the fq_codel one is disabled.
/queue simple
add max-limit=250M/25M name=QOS queue=pcq-upload-default/pcq-download-default \
    target=ether1
add disabled=yes max-limit=250M/25M name=fq_codel queue=fq_codel/fq_codel \
    target=ether1 total-queue=fq_codel
# ether2-ether5 and both local radios are bridge ports, so wired and Wi-Fi
# clients share one layer-2 segment.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 \
    path-cost=10
# Neighbor discovery is restricted to the LAN list, so the router does not
# announce itself on the WAN side.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# IPv6 is switched off globally.
/ipv6 settings
set disable-ipv6=yes
# bridge is the only LAN member; ether1 is the only WAN member.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# The CAPsMAN manager is enabled. No provisioning rules and no certificate
# settings appear in this export.
# NOTE(review): without require-peer-certificate, CAPs are presumably accepted
# without certificate verification; confirm on the device.
/interface wifi capsman
set enabled=yes
/ip address
add address=192.168.0.254/24 comment=defconf interface=bridge network=\
    192.168.0.0
# WAN address is obtained by DHCP on ether1.
/ip dhcp-client
add comment=defconf interface=ether1
# Static leases. MAC addresses and client IDs are truncated in the post, and
# the second address is incomplete, presumably redaction by the poster.
/ip dhcp-server lease
add address=192.168.0.4 client-id=1:84: mac-address=\
    84: server=defconf
add address=192.168.0 client-id=1:a0: mac-address=\
    A0: server=defconf
# dns-server=192.168.0.x is a placeholder left by the poster, not a valid
# address.
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.x gateway=\
    192.168.0.254
/ip dns static
add address=192.168.0.254 comment=defconf name=router.lan
# IPv4 filter rules, all tagged defconf.
# Input chain: accept established/related/untracked, drop invalid, accept
# ICMP and loopback, then drop everything that did not arrive on a LAN-list
# interface. No rule filters by port, so any host on the bridge, Wi-Fi clients
# included, can reach whichever router services are enabled.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain: IPsec policy traffic is accepted first.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# disabled=yes: the fasttrack rule is inactive. Fasttracked connections bypass
# simple queues, so this is presumably deliberate given the /queue simple
# entries in this export; confirm with the owner.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Last forward rule: new connections entering from WAN are dropped unless a
# dst-nat rule matched them. No dst-nat rules appear in this export.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Source NAT for traffic leaving through the WAN list, excluding traffic that
# matches an IPsec policy.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Disables the cleartext management services telnet, ftp and www (HTTP).
# NOTE(review): an export lists only values changed from default, so ssh,
# winbox and api are presumably still enabled with no address= restriction.
# Confirm with /ip service print and disable api if it is unused. The IPv4
# input chain in this export limits access to LAN-list interfaces.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
# The address-list entries were removed from the post by the poster
# ("DELETED...." is not RouterOS syntax), so the contents of bad_ipv6, which
# two forward rules below reference, cannot be reviewed here.
/ipv6 firewall address-list
DELETED....

# IPv6 filter rules, all tagged defconf. /ipv6 settings in this export has
# disable-ipv6=yes, so these rules presumably see no traffic while that stays
# set; confirm before relying on them.
# Input chain: the traceroute, DHCPv6-client, IKE, AH and ESP accepts carry no
# in-interface-list, so they apply to WAN as well; the final rule drops the
# rest of non-LAN input.
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# Forward chain.
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# NOTE(review): these two drops depend on the bad_ipv6 list being populated on
# the device; make sure it is before IPv6 is ever enabled.
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/London
/system note
set show-at-login=no
# Update channel is set to testing, which matches the 7.13beta2 build named in
# the export header.
# NOTE(review): the testing channel delivers pre-release builds. The stable
# channel is the safer default for a WAN-facing router, and it rules out beta
# Wi-Fi driver behaviour when chasing disconnects.
/system package update
set channel=testing
# Bandwidth-test server is switched off.
/tool bandwidth-server
set enabled=no
# MAC-level management (MAC telnet and MAC WinBox) is limited to the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Definitely not default config.

Focusing on the wifi part since that’s the part giving you the most trouble.

Where does this block come from ?
Manual setting ?

# Quoted from the export above: the two hand-added cap-wifi interfaces, each
# bound to a radio by radio-mac (values truncated in the post).
add channel.band=5ghz-ax .frequency=5500-5560 .skip-dfs-channels=10min-cac \
    .width=20/40/80mhz configuration.country="United Kingdom" .mode=ap .ssid=\
    01 disabled=no name=cap-wifi1 radio-mac=48: \
    security.authentication-types=wpa2-psk .encryption=ccmp
add channel.band=2ghz-ax .frequency=2402-2422 .skip-dfs-channels=10min-cac \
    .width=20mhz configuration.country="United Kingdom" .mode=ap .ssid=\
    01 .tx-power=10 disabled=no name=cap-wifi2 radio-mac=\
    48: security.authentication-types=wpa2-psk .encryption=ccmp

I am not seeing this on my RB5009 acting as controller.

The part after this code block, is your manual setting of the local radio, correct ? That should be ok.
But that first part makes me wonder where it comes from.

Also, the whole point of capsman is to use the same SSID across APs. I don’t see that on 5GHz ? You got 01 and TEST

Yes, those are the manual settings of the cap and hap you’re seeing. When capsman is turned on in the hAP ax2 it presents itself as…
cap-wifi,cap-wifi2
add is the CAP
wifi1,wifi2
set is the HAP
And I was using the same ssid apart from last night while testing, hope that clears things up.
I just followed Tom’s video, which is great of course.
https://www.youtube.com/watch?v=37aff6d14Xk

Why use capsman if you set the interfaces manually ???

Ease of use, less complicated and all the bridging is done for you via the cap in cap mode.
I don’t need to add loads of caps, just the one so no point in making a central config for security etc.
Edit: Looking from a home user stand point.

Just checking we are on the same page here, those settings are set in the hAP not the cap!

Yes, that’s what I am referring to.

CAP you set in caps mode and done. Nothing else to be done there (assuming it’s AX device and everything is running wave2 drivers).

Capsman, there you set the configs for the cap to be applied.
If you use a device having own wireless interfaces as capsman, you need to set those wireless interfaces locally.
But you do not, never, set the caps interfaces on the capsman controller. It will do so on its own through provisioning. That’s what capsman is for.

However, mentioning that, I don’t even see a provisioning part in your capsman controller.
Then how do you expect those interfaces to get their config ?

Great Youtube video ? I beg to differ …
Help pages from Mikrotik, rudimentary as they may be for some, do work.

Summarizing how I do it:

  • create the configs you want to use for local and caps.
    Since it’s 2 GHz and 5GHz, I guess you will need 4 sets (2GHz with 2 different frequencies, 5GHz with 2 different frequencies).
  • set local interfaces local on AX2 using 2 sets of prior made config (and for 95% or so it WILL be the same as the caps config, that’s how it works)
  • PROVISION the remaining 2 configs to your caps device (1 for 2GHz, 1 for 5GHz).
    Done.

For me it was very helpful, I can’t see why it wouldn’t be at a basic level that is anyway.

Watched the video, it’s the one from Mikrotik ?
I stand corrected then.

But…
There is a section there which mentions provisioning.
You missed that part ?
Even for 1 cap you need to do that.

In your case, I advise using dynamic enabled

What he said is… BUT setting it up manually gives you a better understanding, at which point I glazed over!
This needs clarifying with MikroTik: does this further step need doing or not?

Check help pages.

Don’t believe me.
I have a working setup (multiple).

I must agree with @holvoetn, there is no need to mess with CAP settings. Whole point of CAPsMAN is that everything is managed in one place.

My radios are managed by my hAP ax2
Screenshot 2023-11-22 071642.png

This isn’t about my cap, that works perfectly. You asked me to try my hAP ax2 on its own to see if I was having the same disconnections when using it by itself with a DEFAULT, not Basic, config. I did just that and came back and said it does the same thing when used standalone. So I came to the conclusion that my hAP ax2 is the problem, as for some reason it keeps dropping the connection. My cap ax doesn’t do that, it stays connected, period.

Ok, then we change focus…
I see you use frequency ranges. What if you set a specific frequency ?

Lets have a look at that then.

interface/wifi/monitor 2  
               state: running
             channel: 5660/ax/Ceee
    registered-peers: 1
    authorized-peers: 1
            tx-power: 25
  available-channels: 5660/ax/Ceee,5660/ac/Ceee,5660/ax/Ce,5660/ac/Ce,5660/n/Ce,5660/ax,5660/ac,5660/n,5660/a

  Network type           : Infrastructure
    Radio type             : 802.11n
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
    Connection mode        : Profile
    Band                   : 5 GHz
    Channel                : 132
    Receive rate (Mbps)    : 300
    Transmit rate (Mbps)   : 270
    Signal                 : 91%
    Profile                : TEST

Test running…
Screenshot 2023-11-22 100011.png

You only changed that frequency setting ?
I am going to load your config up on a spare AX2.

Test is still running, that graph just shows the start time!
Flags: A - AUTHORIZED
Columns: INTERFACE, SSID, MAC-ADDRESS, UPTIME, SIGNAL

INTERFACE SSID MAC-ADDRESS UPTIME SIGNAL

2 A wifi1 TEST A0: 1h34m42s -49

Configured an AX2 with your settings for local 5GHz on wifi1.
Laptop connected to it using wifi5-card.
It shows 802.11ac (in one of your last screenshots I saw 802.11n being mentioned ??)
No issues. No disconnects (with connection to Azure Remote Desktop I would know immediately if it disconnects, even for a split second).

What device have you connecting to that AP ?

Yeah, I just chucked in the frequency and left the rest blank.