Guys,
in order to avoid all the fuss which was there with the RB5009-bootloader-mishap …
Let’s make this clear:
THIS IS A NIGHTLY BUILD.
AS INDICATED IN THAT OTHER THREAD: PROCEED AT YOUR OWN RISK AND DO NOT COME COMPLAINING IF THINGS BREAK.
Ok ?
Great news!!!
I’ve had this build running for 3 days without noticeable WIFI related issues.
That being said. Something else might be broken, but nothing impacting the features I use.
Still works after 24+ hours. Then again, I’m only testing VLAN Tagging and wifi functionality. Something else is likely broken.
What’s important is that it looks like Mikrotik finally fixed the issue and we will receive a production ready fix in the coming months.
I can confirm that the issue has been fixed after upgrade to 7.21 !!! At last!
No more disconnections on the 5 GHz wifi on my router hap ax2.
Looks like the wi-fi issue was resolved in 7.21. My HP laptop no longer disconnects under load.
RouterOS 7.19.2 [stable] released
Changelog
*) wifi-qcom - fixed beacon loss issues and improved stability for IPQ-6018;
Did anyone try?
Just updated
I’ll run it overnight without any Google/Chromecast devices connected, and will then connect them tomorrow to see if they still affect my network stability
Updated, everything worked fine for a few hours
7.19.2. Updated here and everything looks good so far! Great news
Updated a few hours ago, looks like it's fixed. 5 GHz now connects immediately and doesn't drop even due to a bad signal.
Many thanks to everyone involved! Now I'm happy with my wifi
Has anyone had such a problem?
Upgrade 7.14.3 to 7.19.2
I have WiFi1 (5GHz) + Virtual AP
If VAP works, DHCP on WiFi1 works only for a few seconds after “switching on”. After a while, the customer hangs “waiting for the address”. If I turn off the master (WiFi1) and VAP (WiFi1_2), and then I only turn on wifi1, I normally connect. Then when I turn on wifi1_2, DHCP stops working on wifi1.
I reviewed the entire configid - the interfaces are in bridge, DHCP well set.
AND! Of course, I can connect to wifi1_2 when not to wifi1 - it’s the same DHCP.
Now I'm back on 14.3 and it works well…
The config could be useful.
So the hAP ax3 has IPQ-6018? The data sheet and spec says it has IPQ-6010. Likewise for cAP ax? My guess is 6010 may be a family, so the wifi-qcom fix applies to more like 601x series chipsets?
Edit: I found under wifi radios where it shows Hw Type QCA6018 on my cap ax and hAP ax3
14.3
/disk
add slot=router-backup smb-address=192.168.123.111 smb-encryption=yes \
smb-share=router-backup smb-user=n type=smb
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-PC
set [ find default-name=ether3 ] name=ether3-NAS
set [ find default-name=ether1 ] mac-address= name=internet
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5180 .width=\
20/40/80mhz configuration.country=Brazil .dtim-period=3 .mode=ap .ssid=\
some-ssid .tx-power=6 disabled=no security.authentication-types=\
wpa2-psk,wpa3-psk .connect-priority=0/1 .ft=no .ft-over-ds=no
add configuration.mode=ap .ssid=some-ssid-g \
disabled=no mac-address=some-mac2 master-interface=wifi1 name=\
wifi1_xbox security.authentication-types=wpa2-psk .connect-priority=0 \
.disable-pmkid=yes .ft=no .ft-over-ds=no .management-protection=disabled
set [ find default-name=wifi2 ] channel.band=2ghz-n .frequency=2437 \
.secondary-frequency=2447 .skip-dfs-channels=10min-cac .width=20/40mhz \
configuration.country=Panama .dtim-period=3 .mode=ap .ssid=\
some-ssid2,4 .tx-power=3 disabled=no security.authentication-types=\
wpa2-psk,wpa3-psk .connect-priority=0/1 .disable-pmkid=yes .ft=no \
.ft-over-ds=no
/interface wireguard
add listen-port=15231 mtu=1420 name=wireguard1
/interface wifi
add configuration.mode=ap .ssid=GuestWIFI disabled=no mac-address=\
some-mac master-interface=wifi2 name=guest1 \
security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi
add configuration.mode=ap .ssid=iot datapath.interface-list=LAN disabled=no \
mac-address=4some-mac master-interface=wifi2 name=iot1 \
security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0
/ip dhcp-server option
add code=119 name=domain-search-option value="'lan'"
add code=15 name="Domain Name" value="'lan'"
/ip pool
add name=default-dhcp ranges=192.168.123.2-192.168.123.99
add name=vpn-pool ranges=192.168.200.20-192.168.200.220
add name=dhcp_pool4 ranges=10.11.12.2-10.11.12.254
add name=dhcp_pool5 ranges=10.111.112.200-10.111.112.210
add name=dhcp_pool6 ranges=10.111.112.2-10.111.112.14
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1w name=dhcp1
add address-pool=dhcp_pool6 interface=iot1 lease-time=1w name=dhcp3
add address-pool=dhcp_pool4 interface=guest1 lease-time=1d name=dhcp2
/ip smb users
set [ find default=yes ] disabled=yes
/queue simple
add max-limit=20M/0 name=queue_quest target=guest1
add disabled=yes max-limit=10M/10M name=queue_iot target=iot1,iot1
add disabled=yes name=NotFromLan packet-marks=NotLan target=""
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-PC
add bridge=bridge comment=defconf interface=ether3-NAS
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=wifi1_xbox
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=internet list=WAN
add interface=wireguard1 list=LAN
/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=\
none
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=192.168.100.2/32 client-dns=\
8.8.8.8 client-endpoint=some-endpoint client-listen-port=\
15231 comment=mc interface=wireguard1 persistent-keepalive=25s \
public-key="key"
/ip address
add address=192.168.123.1/24 comment=defconf interface=bridge network=\
192.168.123.0
add address=10.11.12.1/24 interface=guest1 network=10.11.12.0
add address=192.168.123.0/24 interface=bridge network=192.168.123.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
add address=10.111.112.1/28 interface=iot1 network=10.111.112.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h update-time=no
/ip dhcp-client
add comment=defconf interface=internet
/ip dhcp-server network
add address=10.11.12.0/24 gateway=10.11.12.1
add address=10.111.112.0/28 gateway=10.111.112.1
add address=192.168.123.0/24 dns-server=192.168.123.1 domain=lan gateway=\
192.168.123.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4 verify-doh-cert=yes
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow wg" dst-port=15231 log=yes \
log-prefix="wg 13231" protocol=udp
add action=accept chain=input comment="wireguard traffic" log=yes log-prefix=\
"wg traffic" src-address=192.168.100.0/24
add action=accept chain=input comment="defconf: accept ICMP" packet-size=\
0-128 protocol=icmp
add action=accept chain=input \
dst-port=22 protocol=tcp src-address-list=some_name
add action=accept chain=input \
dst-port=443 protocol=tcp src-address-list=some_name
add action=add-src-to-address-list address-list=Fail2Ban \
address-list-timeout=1w chain=input disabled=yes in-interface-list=!LAN
add action=accept chain=input comment="ruch z openvpn" src-address-list=VPN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log-prefix=DZIWNE
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward connection-state=established,related \
src-address-list=iot_quest
add action=accept chain=forward connection-state=established,related \
dst-address-list=iot_quest
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input connection-state=established,related,untracked \
disabled=yes dst-address=192.168.123.0/24 src-address=10.11.12.0/24
add action=drop chain=input dst-address=192.168.123.0/24 src-address=\
10.11.12.0/24
add action=drop chain=forward dst-address=192.168.123.0/24 src-address=\
10.11.12.0/24
add action=accept chain=input connection-state=established,related,untracked \
disabled=yes dst-address=192.168.123.0/24 src-address=10.111.112.0/28
add action=drop chain=input dst-address=192.168.123.0/24 src-address=\
10.111.112.0/28
add action=drop chain=forward dst-address=192.168.123.0/24 src-address=\
10.111.112.0/28
add action=drop chain=input dst-address=10.111.112.0/24 src-address=\
10.11.12.0/24
add action=drop chain=forward dst-address=10.111.112.0/24 src-address=\
10.11.12.0/24
add action=drop chain=input dst-address=10.11.12.0/24 src-address=\
10.111.112.0/28
add action=drop chain=forward dst-address=10.11.12.0/24 src-address=\
10.111.112.0/28
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address-list=\
LOCAL
add action=masquerade chain=srcnat log=yes log-prefix="maskarada wg" \
src-address=192.168.100.0/24
add action=dst-nat chain=dstnat dst-port=51413 protocol=tcp to-addresses=\
192.168.123.111 to-ports=51413
add action=dst-nat chain=dstnat dst-port=51413 protocol=udp to-addresses=\
192.168.123.111 to-ports=51413
add action=dst-nat chain=dstnat dst-address-type=local dst-port=1194 \
protocol=tcp to-addresses=192.168.123.111
add action=dst-nat chain=dstnat dst-address-type=local dst-port=9994 \
protocol=udp to-addresses=192.168.123.111
add action=masquerade chain=srcnat comment="Hairpin Nat" src-address-list=\
LOCAL
add action=dst-nat chain=dstnat \
dst-address-type=local dst-port=34567 protocol=tcp src-address-list=some_name \
to-addresses=192.168.123.111 to-ports=34567
add action=dst-nat chain=dstnat \
dst-address-type=local dst-port=8123 protocol=tcp src-address-list=some_name \
to-addresses=192.168.123.111 to-ports=8123
add action=dst-nat chain=dstnat dst-address-type=local dst-port=22100 \
protocol=tcp src-address-list=some_name to-addresses=192.168.123.100 to-ports=\
22
add action=dst-nat chain=dstnat dst-address-type=local dst-port=22111 \
protocol=tcp src-address-list=some_name to-addresses=192.168.123.111 to-ports=\
22
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80 protocol=\
tcp src-address-list=some_name to-addresses=192.168.123.111 to-ports=80
add action=masquerade chain=srcnat out-interface=internet src-address=\
10.11.12.0/24
add action=masquerade chain=srcnat out-interface=internet src-address=\
10.111.112.0/28
/ip ipsec policy
set 0 disabled=yes
/ip route
add disabled=no dst-address=10.8.0.0/24 gateway=192.168.123.111
add disabled=yes dst-address=192.168.200.0/24 gateway=192.168.123.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=8181
set www-ssl certificate=WiFi-CAPsMAN disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set allow-none-crypto=yes forwarding-enabled=both
/ip upnp interfaces
add interface=internet type=external
add interface=bridge type=internal
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Warsaw
/system identity
set name=domrouter-hapax2
/system leds
add disabled=yes leds=user-led type=on
/system logging
set 0 topics=info,!wireguard
add disabled=yes topics=debug,wireless
add topics=critical
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.nist.gov
add address=pool.ntp.org
/system package update
set channel=testing
/system watchdog
set watchdog-timer=no
/tool graphing
set store-every=24hours
/tool graphing interface
add interface=internet
add interface=wifi1
add interface=*A
add interface=wifi2
add interface=wifi1_xbox
add interface=internet
add interface=wifi1
add interface=wifi1_xbox
add interface=wifi2
/tool graphing resource
add store-on-disk=no
add store-on-disk=no
add store-on-disk=no
add store-on-disk=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
and 7.19.2, after upgrade
/disk
add slot=router-backup smb-address=192.168.123.111 smb-encryption=yes \
smb-share=router-backup smb-user=n type=smb
/interface bridge
add admin-mac=some_mac5 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-PC
set [ find default-name=ether3 ] name=ether3-NAS
set [ find default-name=ether1 ] mac-address=some_mac4 name=internet
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5180 .width=\
20/40/80mhz configuration.country=Brazil .dtim-period=3 .mode=ap .ssid=\
some_ssid .tx-power=6 disabled=no security.authentication-types=\
wpa2-psk,wpa3-psk .connect-priority=0/1 .ft=no .ft-over-ds=no
add configuration.mode=ap .multicast-enhance=enabled .ssid=some_ssid-g \
disabled=no mac-address=some_mac3 master-interface=wifi1 name=\
wifi1_xbox security.authentication-types=wpa2-psk .connect-priority=0 \
.disable-pmkid=yes .ft=no .ft-over-ds=no .management-protection=disabled
set [ find default-name=wifi2 ] channel.band=2ghz-n .frequency=2437 \
.secondary-frequency=2447 .skip-dfs-channels=10min-cac .width=20/40mhz \
configuration.country=Panama .dtim-period=3 .mode=ap .ssid=\
some_ssid2,4 .tx-power=3 disabled=no security.authentication-types=\
wpa2-psk,wpa3-psk .connect-priority=0/1 .disable-pmkid=yes .ft=no \
.ft-over-ds=no
/interface wireguard
add listen-port=15231 mtu=1420 name=wireguard1
/interface wifi
add configuration.mode=ap .ssid=GuestWIFI disabled=no mac-address=\
some_mac master-interface=wifi2 name=guest1 \
security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi
add configuration.mode=ap .ssid=iot datapath.interface-list=LAN disabled=no \
mac-address=some_mac2 master-interface=wifi2 name=iot1 \
security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0
/ip dhcp-server option
add code=119 name=domain-search-option value="'lan'"
add code=15 name="Domain Name" value="'lan'"
add code=6 name=dns_pihole value="'192.168.123.111''192.168.123.1'"
add code=6 name=DNSTEST value="'176.103.130.130''176.103.130.131'"
/ip pool
add name=default-dhcp ranges=192.168.123.2-192.168.123.99
add name=vpn-pool ranges=192.168.200.20-192.168.200.220
add name=dhcp_pool4 ranges=10.11.12.2-10.11.12.254
add name=dhcp_pool5 ranges=10.111.112.200-10.111.112.210
add name=dhcp_pool6 ranges=10.111.112.2-10.111.112.14
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=1w name=dhcp1
add address-pool=dhcp_pool6 interface=iot1 lease-time=1w name=dhcp3
add address-pool=dhcp_pool4 interface=guest1 lease-time=1d name=dhcp2
/ip smb users
set [ find default=yes ] disabled=yes
/queue simple
add max-limit=20M/0 name=queue_quest target=guest1
/ip smb
set enabled=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-PC
add bridge=bridge comment=defconf interface=ether3-NAS
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=wifi1_xbox
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=internet list=WAN
add interface=wireguard1 list=LAN
/interface ovpn-server server
add mac-address=FE:D1:75:5F:CD:9B name=ovpn-server1
/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=\
none
/interface wireguard peers
add allowed-address=0.0.0.0/0 client-address=192.168.100.2/32 client-dns=\
8.8.8.8 client-endpoint=heh08q66z5b.sn.mynetname.net client-listen-port=\
15231 comment=mc interface=wireguard1 name=peer6 persistent-keepalive=25s \
public-key="L+V9o0fNYkMVKNqsX7spBzD/9oSvxM/C7ZCZX1jLO3Q="
/ip address
add address=192.168.123.1/24 comment=defconf interface=bridge network=\
192.168.123.0
add address=10.11.12.1/24 interface=guest1 network=10.11.12.0
add address=192.168.123.0/24 interface=bridge network=192.168.123.0
add address=192.168.100.1/24 interface=wireguard1 network=192.168.100.0
add address=10.111.112.1/28 interface=iot1 network=10.111.112.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h update-time=no
/ip dhcp-client
add comment=defconf interface=internet
/ip dhcp-server network
add address=10.11.12.0/24 gateway=10.11.12.1
add address=10.111.112.0/28 gateway=10.111.112.1
add address=192.168.123.0/24 dns-server=192.168.123.1 domain=lan gateway=\
192.168.123.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4 verify-doh-cert=yes
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow wg" dst-port=15231 log=yes \
log-prefix="wg 13231" protocol=udp
add action=accept chain=input comment="wireguard traffic" log=yes log-prefix=\
"wg traffic" src-address=192.168.100.0/24
add action=accept chain=input comment="defconf: accept ICMP" packet-size=\
0-128 protocol=icmp
add action=accept chain=input comment="info" \
dst-port=22 protocol=tcp src-address-list=list_name
add action=accept chain=input comment="info" \
dst-port=443 protocol=tcp src-address-list=list_name
add action=add-src-to-address-list address-list=Fail2Ban \
address-list-timeout=1w chain=input disabled=yes in-interface-list=!LAN
add action=accept chain=input comment="ruch z openvpn" src-address-list=VPN
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log-prefix=DZIWNE
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward connection-state=established,related \
src-address-list=iot_quest
add action=accept chain=forward connection-state=established,related \
dst-address-list=iot_quest
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input dst-address=192.168.123.0/24 src-address=\
10.11.12.0/24
add action=drop chain=forward dst-address=192.168.123.0/24 src-address=\
10.11.12.0/24
add action=drop chain=input dst-address=192.168.123.0/24 src-address=\
10.111.112.0/28
add action=drop chain=forward dst-address=192.168.123.0/24 src-address=\
10.111.112.0/28
add action=drop chain=input dst-address=10.111.112.0/24 src-address=\
10.11.12.0/24
add action=drop chain=forward dst-address=10.111.112.0/24 src-address=\
10.11.12.0/24
add action=drop chain=input dst-address=10.11.12.0/24 src-address=\
10.111.112.0/28
add action=drop chain=forward dst-address=10.11.12.0/24 src-address=\
10.111.112.0/28
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address-list=\
LOCAL
add action=masquerade chain=srcnat log=yes log-prefix="maskarada wg" \
src-address=192.168.100.0/24
add action=dst-nat chain=dstnat dst-port=51413 protocol=tcp to-addresses=\
192.168.123.111 to-ports=51413
add action=dst-nat chain=dstnat dst-port=51413 protocol=udp to-addresses=\
192.168.123.111 to-ports=51413
protocol=udp to-addresses=192.168.123.111
add action=dst-nat chain=dstnat dst-address-type=local dst-port=1194 \
protocol=tcp to-addresses=192.168.123.111
add action=dst-nat chain=dstnat dst-address-type=local dst-port=9994 \
protocol=udp to-addresses=192.168.123.111
add action=masquerade chain=srcnat comment="Hairpin Nat" src-address-list=\
LOCAL
add action=dst-nat chain=dstnat comment="text" \
dst-address-type=local dst-port=34567 protocol=tcp src-address-list=list_name \
to-addresses=192.168.123.111 to-ports=34567
add action=dst-nat chain=dstnat comment="text" \
dst-address-type=local dst-port=8123 protocol=tcp src-address-list=list_name \
to-addresses=192.168.123.111 to-ports=8123
add action=dst-nat chain=dstnat dst-address-type=local dst-port=22100 \
protocol=tcp src-address-list=list_name to-addresses=192.168.123.100 to-ports=\
22
add action=dst-nat chain=dstnat dst-address-type=local dst-port=22111 \
protocol=tcp src-address-list=list_name to-addresses=192.168.123.111 to-ports=\
22
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80 protocol=\
tcp src-address-list=list_name to-addresses=192.168.123.111 to-ports=80
add action=masquerade chain=srcnat out-interface=internet src-address=\
10.11.12.0/24
add action=masquerade chain=srcnat out-interface=internet src-address=\
10.111.112.0/28
/ip ipsec policy
set 0 disabled=yes
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=10.8.0.0/24 gateway=192.168.123.111
add disabled=yes dst-address=192.168.200.0/24 gateway=192.168.123.1
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www-ssl certificate=WiFi-CAPsMAN-723456 disabled=no
set www disabled=yes port=8181
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set ciphers=aes-gcm,aes-ctr,aes-cbc,3des-cbc,null forwarding-enabled=both
/ip upnp interfaces
add interface=internet type=external
add interface=bridge type=internal
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Warsaw
/system identity
set name=domrouter-hapax2
/system leds
add disabled=yes leds=user-led type=on
/system logging
set 0 topics=info,!wireguard
add disabled=yes topics=debug,wireless
add topics=critical
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.nist.gov
add address=pool.ntp.org
/system routerboard mode-button
set enabled=yes on-event=wps-wifi-onoff
/system watchdog
set watchdog-timer=no
/tool graphing
set store-every=24hours
/tool graphing interface
add interface=internet
add interface=wifi1
add interface=*A
add interface=wifi2
add interface=wifi1_xbox
/tool graphing resource
add store-on-disk=no
add store-on-disk=no
add store-on-disk=no
add store-on-disk=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
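An added example, not part of the thread and not MikroTik tooling: two exports of this length are hard to compare by eye, so this Python code joins the backslash-wrapped lines, expands the abbreviated `.key` properties, and reports per-property differences between a pre-upgrade and a post-upgrade export. `BEFORE` and `AFTER` are constructed excerpts modelled on the two exports above, and the function names are hypothetical.

```python
import re
import shlex

# Constructed excerpts modelled on the two exports posted above (placeholder values).
BEFORE = r"""
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5180 .width=\
    20/40/80mhz disabled=no
add configuration.mode=ap .ssid=some-ssid-g \
    disabled=no master-interface=wifi1 name=\
    wifi1_xbox security.authentication-types=wpa2-psk .connect-priority=0 \
    .disable-pmkid=yes .management-protection=disabled
/ip ssh
set allow-none-crypto=yes forwarding-enabled=both
/system package update
set channel=testing
"""

AFTER = r"""
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5180 .width=\
    20/40/80mhz disabled=no
add configuration.mode=ap .multicast-enhance=enabled .ssid=some-ssid-g \
    disabled=no master-interface=wifi1 name=\
    wifi1_xbox security.authentication-types=wpa2-psk .connect-priority=0 \
    .disable-pmkid=yes .management-protection=disabled
/interface ovpn-server server
add mac-address=02:00:00:00:00:01 name=ovpn-server1
/ip ssh
set ciphers=aes-gcm,aes-ctr,aes-cbc,3des-cbc,null forwarding-enabled=both
"""

SELECTOR = re.compile(r"\[\s*find\s+(.*?)\s*\]")


def join_continuations(text):
    """Merge lines wrapped with a trailing backslash into single commands."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]          # keep any space that preceded the backslash
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_export(text):
    """Map each '/section' path to its commands; repeated sections are merged."""
    sections, current = {}, None
    for line in join_continuations(text):
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_command(cmd):
    """Return (identity, properties) for one 'add' or 'set' command."""
    verb, _, rest = cmd.partition(" ")
    selector = ""
    match = SELECTOR.search(rest)
    if match:                          # e.g. set [ find default-name=wifi1 ] ...
        selector = match.group(1)
        rest = rest[:match.start()] + rest[match.end():]
    props, prefix = {}, ""
    for token in shlex.split(rest):
        key, eq, value = token.partition("=")
        if not eq:                     # bare selector, e.g. "set telnet ..." or "set 0 ..."
            selector = selector or token
            continue
        if key.startswith("."):        # ".ssid" after "configuration.mode"
            key = prefix + key
        elif "." in key:
            prefix = key.rsplit(".", 1)[0]
        props[key] = value
    if verb == "set":
        ident = selector or "(singleton)"
    else:
        ident = props.get("name") or cmd   # unnamed entries are keyed by full text
    return f"{verb} {ident}", props


def diff_exports(before, after):
    """List (section, entry, property, old, new) for every property that differs."""
    findings = []
    a, b = parse_export(before), parse_export(after)
    for section in sorted(set(a) | set(b)):
        old = dict(parse_command(c) for c in a.get(section, []))
        new = dict(parse_command(c) for c in b.get(section, []))
        for ident in sorted(set(old) | set(new)):
            o, n = old.get(ident, {}), new.get(ident, {})
            for key in sorted(set(o) | set(n)):
                if o.get(key) != n.get(key):
                    findings.append((section, ident, key, o.get(key), n.get(key)))
    return findings


if __name__ == "__main__":
    for section, ident, key, old, new in diff_exports(BEFORE, AFTER):
        print(f"{section} | {ident} | {key}: {old!r} -> {new!r}")
```

Entries without a `name=` or selector (firewall rules, for instance) are keyed by their full text, so an edited rule appears as one removal plus one addition.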
updated AX2 to 7.19.2, problems with disconnecting WiFi are gone, that’s good
but some of my home devices still can’t work with WiFi AX2
the most annoying thing is that TP-Link AX3000, which is three times cheaper, works perfectly.
OK, so been running 7.19.2 on my 2x hAP ax2 devices running on capsman for about 3 days now - rock solid without my Google Nest Hub connected.
Last night I turned my Google Nest Hub on again - it still disconnects a lot though. Strange though - it disconnects twice at the end of every hour. Fortunately, it doesn’t cause the other devices on my network to disconnect anymore.
Nonetheless, when I use an AC device instead of AX, then it works fine without disconnecting so much.
Does someone here have a Google Nest Hub (2nd gen)? If so, can you please see if you can reproduce this?
I administer a hotel with RB5009+6 cAP AX. The latest patch did not fix anything. There are still many disconnections.
The Wi-Fi operating conditions are difficult, thick reinforced concrete walls. But it disconnects users even with a 50 dBa signal.
iPhones and some Androids often disconnect.
In vain did I advise buying Mikrotik.
I do not have these nest hub devices which apparently caused extreme problems by even disconnecting other devices from AP. But I had some infrequent disconnects because of “signal greater than <insert number 50-160 here>” (remark: positive number) and frequent disconnects of some devices that try to roam from e.g. wifi1 to wifi2; signal lost log message, right after connect to wifi2 again. All in a loop for 10 seconds and then staying connected. And the worst of all: only a single device in my whole network, an AX200 Linux machine, is unable to connect to 2ghz wireless. There are plenty of other devices happily connecting to 2ghz and even some perfectly roaming. But this particular AX200 can’t connect to 2ghz, journal says as reason something like “AP full. AP refused to connect”. But why? It somewhen started after some 6.x Linux Kernel version. Seems like I have to go debugging again. Last time I reported an update for my support issue (maybe 2 months ago) the response was like “we are already working on a solution together with Qualcomm”. Great, I thought. But changes in 7.19.2 don’t seem to be the all-in-one fix for every wifi-qcom wireless issue.
Did you create a ticket with Mikrotik support???