hAP ax3 5Ghz Wifi Failure after no configuration changes

RouterOS Wireless Networking
1

I have been using the hAP ax3 as an AP for my home network for the past 4 weeks, and it has been working fine until about 12 hours ago.

12 hours ago, without me ever touching the configuration or changing anything physically with the ax3, the 5Ghz wifi network stopped working.

The SSID still appears for devices, but when I try to connect, the device is unable to connect. Most devices just quietly fail to connect, but my iPhone (iOS 26.2.1) gives me an incorrect password error.

The 2.4 GHz wifi network is working as normal, and I am at a loss as to what could have caused my 5GHz wifi to stop working. I have enabled wifi debug logging, and there are no messages related to the 5GHz wifi except the starting message on reboot.

My hAP ax3 config is below:

/interface bridge
add admin-mac=04:F4:1C:DA:E4:63 auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=
10min-cac .width=20/40/80mhz configuration.country="United States" .mode=
ap .ssid=237C disabled=no security.authentication-types=wpa2-psk,wpa3-psk
.ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=
10min-cac .width=20/40mhz configuration.country="United States" .mode=ap
.ssid=237C-2 disabled=no security.authentication-types=wpa2-psk,wpa3-psk
.ft=yes .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip dhcp-client
add comment=defconf default-route-tables=main interface=bridge
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
in-interface=lo src-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=
out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute"
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=input comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1"
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=
ipsec-esp
add action=accept chain=forward comment=
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=
"defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=MikroTik-hAP
/system logging
add topics=wireless,debug
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
source="\r
\n :if ([system leds settings get all-leds-off] = "never") do={\r
\n /system leds settings set all-leds-off=immediate \r
\n } else={\r
\n /system leds settings set all-leds-off=never \r
\n }\r
\n "
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
source="\r
\n :foreach iface in=[/interface/wifi find where (configuration.mode="ap
" && disabled=no)] do={\r
\n /interface/wifi wps-push-button $iface;}\r
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

2

Did you remove in your export the
security.passphrase=<8-63_characters>
setting?

Or the /interface wifi security?

If yes - of course changing the actual password - you should post the export not edited.

Your configuration seems at first sight a default one (for a router/AP, rather than a "pure" AP), but it looks fine, set aside the above.

Loosely having BOTH wpa2-psk and wpa3-psk authentication makes little sense, you usually EITHER want/need the safer Wpa3-psk ONLY (and thus reject any device with Wpa2-psk) or Wpa2-psk only (devices capable of Wpa3-psk will be also compatible with Wpa2-psk).

3

Other generic comment:
Using FT settings doesn't make sense if you set both 2.4 and 5GHz to use a different SSID or if you're not using capsman.
For FT to work, you have to set SSIDs the same, it's for roaming between radios having the same SSID (and security settings).

4

This is the default. IMHO this does make sense. Device capable of wpa3-psk should use it, enhances security. Devices not compatible should be able to use wpa2-psk. Setting it to "wpa2-psk" only, makes no sense at all.

@ProspectTheorist Which RouterOS version is this running on? There was this change in 7.20:

*) wifi - avoid picking 5GHz channels by default which are unlikely to be supported by clients, can be overridden with channel.deprioritize-unii-3-4;

Below 7.20 it could be possible, even experienced myself, that the AP picked a 5ghz frequency not supported by any of my devices.

5

Security of what?
Not of the wireless network.

6

Security of connection between device and access point.

7

Yep, all those hostile secret agants intercepting your lolcats, may be an issue with wpa2-psk only ... :roll_eyes: