Hotspot exhausting all dhcp pool

Hi,

I have 2 different sites that are set up with capsman (around 10 APs) and hotspot. Both setups were set up with RouterOS v6 and User Manager.

Fast forward to today: I have upgraded to RouterOS v7 and migrated to UserManager v7. The hotspot setup is untouched. The only thing that changed is the migration to UserManager v7.

Now, the problem I face is that since 2-3 months ago, on both setups the DHCP pool of wifi clients gets consumed, which results in no available IP for clients, followed by the relevant error in the log.

Currently when it happens, I have to reboot the router in order to empty the DHCP pool, because I can't find a relevant command to reclaim all unused IPs of the pool. It goes without saying that I know this is not a solution. I have just been so busy that a quick reboot in order to "fix" it for 1-2 weeks was good enough to keep it going.

Could you please point me in the right direction of where to look to see why the pool is getting exhausted? I have reduced the lease time but nothing changed. I suspect it has something to do with hotspot.

I will be able to provide config tomorrow.

UPDATE:
Here is the config. Some parts are removed.

# 2025-08-12 11:57:59 by RouterOS 7.19.3
#
# model = RB4011iGS+
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz name=2GHz
add band=5ghz-a/n/ac control-channel-width=20mhz name=5GHz
/interface bridge
add fast-forward=no name=STAFF port-cost-mode=short
add fast-forward=no name=WLAN port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISP1
set [ find default-name=ether3 ] name=ether3-Main-Switch
set [ find default-name=ether8 ] name=ether8-1810-Backup-Switc
set [ find default-name=ether9 ] name=ether9-FreePBX

/interface l2tp-server
add name=l2tp-XXXXXXXXXXXX user=XXXXXXXXXXXX
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-ISP1 name=PPPoE-ISP1 \
    use-peer-dns=yes user=ABCD


/interface vlan
add interface=ether3-Main-Switch name=vlan131-Clients vlan-id=131

/caps-man datapath
add bridge=WLAN name=Clients
add bridge=STAFF name=Staff
/caps-man configuration
add channel=2GHz country=greece datapath=Clients mode=ap name=client-2GHz \
    ssid=THIS-IS-CLIENTS-SSID
add channel=5GHz country=greece datapath=Clients mode=ap name=client-5GHz \
    ssid=THIS-IS-CLIENTS-SSID
/caps-man interface
add configuration=client-2GHz disabled=no mac-address=CC:2D:E0:17:9D:41 \
    master-interface=none name=2GHz-ABCD-AP-1-1 radio-mac=CC:2D:E0:17:9D:41 \
    radio-name=CC2DE0179D41
add configuration=client-2GHz disabled=no mac-address=D4:CA:6D:52:FA:91 \
    master-interface=none name=2GHz-ABCD-AP-2-1 radio-mac=D4:CA:6D:52:FA:91 \
    radio-name=D4CA6D52FA91
add configuration=client-2GHz disabled=no l2mtu=1600 mac-address=\
    CC:2D:E0:76:67:D8 master-interface=none name=2GHz-ABCD-AP-4-1 radio-mac=\
    CC:2D:E0:76:67:D8 radio-name=CC2DE07667D8
add configuration=client-2GHz disabled=no l2mtu=1600 mac-address=\
    CC:2D:E0:53:FB:3D master-interface=none name=2GHz-ABCD-AP-6-1 radio-mac=\
    CC:2D:E0:53:FB:3D radio-name=CC2DE053FB3D
add configuration=client-2GHz disabled=no l2mtu=1600 mac-address=\
    CC:2D:E0:53:FA:74 master-interface=none name=2GHz-ABCD-AP-7-1 radio-mac=\
    CC:2D:E0:53:FA:74 radio-name=CC2DE053FA74
add configuration=client-2GHz disabled=no l2mtu=1600 mac-address=\
    CC:2D:E0:76:67:8D master-interface=none name=2GHz-ABCD-AP-8-1 radio-mac=\
    CC:2D:E0:76:67:8D radio-name=CC2DE076678D
add configuration=client-5GHz disabled=no l2mtu=1600 mac-address=\
    CC:2D:E0:76:67:D7 master-interface=none name=5GHz-ABCD-AP-4-1 radio-mac=\
    CC:2D:E0:76:67:D7 radio-name=CC2DE07667D7
add configuration=client-5GHz disabled=no l2mtu=1600 mac-address=\
    CC:2D:E0:53:FB:3C master-interface=none name=5GHz-ABCD-AP-6-1 radio-mac=\
    CC:2D:E0:53:FB:3C radio-name=CC2DE053FB3C
add configuration=client-5GHz disabled=no l2mtu=1600 mac-address=\
    CC:2D:E0:53:FA:73 master-interface=none name=5GHz-ABCD-AP-7-1 radio-mac=\
    CC:2D:E0:53:FA:73 radio-name=CC2DE053FA73
add configuration=client-5GHz disabled=no l2mtu=1600 mac-address=\
    CC:2D:E0:76:67:8C master-interface=none name=5GHz-ABCD-AP-8-1 radio-mac=\
    CC:2D:E0:76:67:8C radio-name=CC2DE076678C
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=staff-sec
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm name=client-sec
/caps-man configuration
add channel=2GHz country=greece datapath=Staff mode=ap name=staff-2GHz \
    security=staff-sec ssid=STAFF
add channel=5GHz country=greece datapath=Staff mode=ap name=staff-5GHz \
    security=staff-sec ssid=STAFF
/caps-man interface
add configuration=staff-2GHz disabled=no mac-address=CE:2D:E0:17:9D:41 \
    master-interface=2GHz-ABCD-AP-1-1 name=2GHz-ABCD-AP-1-1-1 radio-mac=\
    00:00:00:00:00:00 radio-name=CE2DE0179D41
add configuration=staff-2GHz disabled=no mac-address=D6:CA:6D:52:FA:91 \
    master-interface=2GHz-ABCD-AP-2-1 name=2GHz-ABCD-AP-2-1-1 radio-mac=\
    00:00:00:00:00:00 radio-name=D6CA6D52FA91
add configuration=staff-2GHz disabled=no l2mtu=1600 mac-address=\
    CE:2D:E0:76:67:D8 master-interface=2GHz-ABCD-AP-4-1 name=\
    2GHz-ABCD-AP-4-1-1 radio-mac=00:00:00:00:00:00 radio-name=CE2DE07667D8
add configuration=staff-2GHz disabled=no l2mtu=1600 mac-address=\
    CE:2D:E0:53:FB:3D master-interface=2GHz-ABCD-AP-6-1 name=\
    2GHz-ABCD-AP-6-1-1 radio-mac=00:00:00:00:00:00 radio-name=CE2DE053FB3D
add configuration=staff-2GHz disabled=no l2mtu=1600 mac-address=\
    CE:2D:E0:53:FA:74 master-interface=2GHz-ABCD-AP-7-1 name=\
    2GHz-ABCD-AP-7-1-1 radio-mac=00:00:00:00:00:00 radio-name=CE2DE053FA74
add configuration=staff-2GHz disabled=no l2mtu=1600 mac-address=\
    CE:2D:E0:76:67:8D master-interface=2GHz-ABCD-AP-8-1 name=\
    2GHz-ABCD-AP-8-1-1 radio-mac=00:00:00:00:00:00 radio-name=CE2DE076678D
add configuration=staff-5GHz disabled=no l2mtu=1600 mac-address=\
    CE:2D:E0:76:67:D7 master-interface=5GHz-ABCD-AP-4-1 name=\
    5GHz-ABCD-AP-4-1-1 radio-mac=00:00:00:00:00:00 radio-name=CE2DE07667D7
add configuration=staff-5GHz disabled=no l2mtu=1600 mac-address=\
    CE:2D:E0:53:FB:3C master-interface=5GHz-ABCD-AP-6-1 name=\
    5GHz-ABCD-AP-6-1-1 radio-mac=00:00:00:00:00:00 radio-name=CE2DE053FB3C
add configuration=staff-5GHz disabled=no l2mtu=1600 mac-address=\
    CE:2D:E0:53:FA:73 master-interface=5GHz-ABCD-AP-7-1 name=\
    5GHz-ABCD-AP-7-1-1 radio-mac=00:00:00:00:00:00 radio-name=CE2DE053FA73
add configuration=staff-5GHz disabled=no l2mtu=1600 mac-address=\
    CE:2D:E0:76:67:8C master-interface=5GHz-ABCD-AP-8-1 name=\
    5GHz-ABCD-AP-8-1-1 radio-mac=00:00:00:00:00:00 radio-name=CE2DE076678C
/interface list
add name=WANs
add name=ActiveAPs
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi channel
add band=2ghz-ax disabled=no name=2GHz width=20/40mhz
add band=5ghz-ax disabled=no name=5GHz width=20/40mhz
add band=2ghz-n disabled=no name=2GHz_AC width=20/40mhz
add band=5ghz-ac disabled=no name=5GHz_AC width=20/40mhz
/interface wifi datapath
add bridge=WLAN disabled=no interface-list=ActiveAPs name=Clients vlan-id=131
add bridge=STAFF disabled=no interface-list=ActiveAPs name=Staff
/interface wifi configuration
add channel=2GHz country=Greece datapath=Clients disabled=no name=client-2GHz \
    ssid=THIS-IS-CLIENTS-SSID
add channel=5GHz country=Greece datapath=Clients disabled=no name=client-5GHz \
    ssid=THIS-IS-CLIENTS-SSID
add channel=2GHz_AC country=Greece datapath=Clients disabled=no name=\
    client-2GHz_AC ssid=THIS-IS-CLIENTS-SSID
add channel=5GHz_AC country=Greece datapath=Clients disabled=no name=\
    client-5GHz_AC ssid=THIS-IS-CLIENTS-SSID
/interface wifi
# operated by CAP F4:1E:57:DB:3F:76%STAFF, traffic processing on CAP
add configuration=client-2GHz disabled=no name=ABCD-AP-1-2GHz-1 radio-mac=\
    F4:1E:57:DB:3F:7C
# operated by CAP F4:1E:57:DB:3F:76%STAFF, traffic processing on CAP
add configuration=client-5GHz disabled=no name=ABCD-AP-1-5GHz-1 radio-mac=\
    F4:1E:57:DB:3F:7B
add configuration=client-2GHz disabled=no name=ABCD-AP-2-2GHz-1 radio-mac=\
    F4:1E:57:DB:40:B0
add configuration=client-5GHz disabled=no name=ABCD-AP-2-5GHz-1 radio-mac=\
    F4:1E:57:DB:40:AF
# operated by CAP 192.168.130.15, traffic processing on CAP
# client was disconnected because could not assign VLAN, maximum VLAN count for interface was reached
add configuration=client-2GHz_AC disabled=no name=ABCD-AP-5-2GHz-1 \
    radio-mac=2C:C8:1B:44:78:6C
# operated by CAP 192.168.130.15, traffic processing on CAP
# client was disconnected because could not assign VLAN, maximum VLAN count for interface was reached
add configuration=client-5GHz_AC disabled=no name=ABCD-AP-5-5GHz-1 \
    radio-mac=2C:C8:1B:44:78:6D
# operated by CAP F4:1E:57:31:1B:85%STAFF, traffic processing on CAP
add configuration=client-2GHz disabled=no name=ABCD-AP-9-2GHz-1 radio-mac=\
    F4:1E:57:31:1B:86
# operated by CAP F4:1E:57:31:1B:85%STAFF, traffic processing on CAP
add configuration=client-5GHz disabled=no name=ABCD-AP-9-5GHz-1 radio-mac=\
    F4:1E:57:31:1B:85
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no group-encryption=ccmp \
    name=client-sec
add authentication-types=wpa2-psk,wpa3-psk disabled=no group-encryption=ccmp \
    name=staff-sec
/interface wifi configuration
add channel=2GHz country=Greece datapath=Staff disabled=no name=staff-2GHz \
    security=staff-sec ssid=STAFF
add channel=5GHz country=Greece datapath=Staff disabled=no name=staff-5GHz \
    security=staff-sec ssid=STAFF
add channel=2GHz_AC country=Greece datapath=Staff disabled=no name=\
    staff-2GHz_AC security=staff-sec ssid=STAFF
add channel=5GHz_AC country=Greece datapath=Staff disabled=no name=\
    staff-5GHz_AC security=staff-sec ssid=STAFF
/interface wifi
# operated by CAP F4:1E:57:DB:3F:76%STAFF, traffic processing on CAP
add configuration=staff-2GHz disabled=no mac-address=F6:1E:57:DB:3F:7C \
    master-interface=ABCD-AP-1-2GHz-1 name=ABCD-AP-1-2GHz-2
# operated by CAP F4:1E:57:DB:3F:76%STAFF, traffic processing on CAP
add configuration=staff-5GHz disabled=no mac-address=F6:1E:57:DB:3F:7B \
    master-interface=ABCD-AP-1-5GHz-1 name=ABCD-AP-1-5GHz-2
add configuration=staff-2GHz disabled=no mac-address=F6:1E:57:DB:40:B0 \
    master-interface=ABCD-AP-2-2GHz-1 name=ABCD-AP-2-2GHz-2
add configuration=staff-5GHz disabled=no mac-address=F6:1E:57:DB:40:AF \
    master-interface=ABCD-AP-2-5GHz-1 name=ABCD-AP-2-5GHz-2
# operated by CAP 192.168.130.15, traffic processing on CAP
add configuration=staff-2GHz_AC disabled=no mac-address=2E:C8:1B:44:78:6C \
    master-interface=ABCD-AP-5-2GHz-1 name=ABCD-AP-5-2GHz-2
# operated by CAP 192.168.130.15, traffic processing on CAP
add configuration=staff-5GHz_AC disabled=no mac-address=2E:C8:1B:44:78:6D \
    master-interface=ABCD-AP-5-5GHz-1 name=ABCD-AP-5-5GHz-2
# operated by CAP F4:1E:57:31:1B:85%STAFF, traffic processing on CAP
add configuration=staff-2GHz disabled=no mac-address=F6:1E:57:31:1B:86 \
    master-interface=ABCD-AP-9-2GHz-1 name=ABCD-AP-9-2GHz-2
# operated by CAP F4:1E:57:31:1B:85%STAFF, traffic processing on CAP
add configuration=staff-5GHz disabled=no mac-address=F6:1E:57:31:1B:85 \
    master-interface=ABCD-AP-9-5GHz-1 name=ABCD-AP-9-5GHz-2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=66 name=option66 value="s'A.B.C.D'"
/ip hotspot profile
set [ find default=yes ] dns-name=hotspot.muses hotspot-address=\
    192.168.131.254 http-cookie-lifetime=3h login-by=\
    cookie,http-chap,http-pap,mac-cookie use-radius=yes
add dns-name=hotspot.muses2 hotspot-address=192.168.134.254 \
    http-cookie-lifetime=3h login-by=\
    cookie,http-chap,https,http-pap,mac-cookie name=hsprof1 use-radius=yes
/ip hotspot user profile
set [ find default=yes ] keepalive-timeout=20m mac-cookie-timeout=3h \
    shared-users=unlimited
add keepalive-timeout=20m mac-cookie-timeout=1d name=Customers shared-users=\
    unlimited
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5 \
    enc-algorithm=aes-256,aes-128,3des
add dpd-interval=1m dpd-maximum-failures=5 enc-algorithm=aes-256 \
    hash-algorithm=sha256 name=ut_prof nat-traversal=no
add dh-group=modp1024 dpd-interval=2m dpd-maximum-failures=5 enc-algorithm=\
    aes-256 hash-algorithm=sha256 name=bts_prof
/ip ipsec peer
add address=PUBLIC.ADDR.OF.UT exchange-mode=ike2 name=ut_peer profile=\
    ut_prof
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,3des,des
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=ut pfs-group=\
    none
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc name=bts pfs-group=\
    none
/ip pool
add name=staff-pool ranges=192.168.130.201-192.168.130.254
add name=client-pool ranges=192.168.131.1-192.168.131.100
/ip dhcp-server
add address-pool=staff-pool interface=STAFF lease-time=1d name=staff-dhcp
add address-pool=client-pool interface=WLAN lease-time=1h name=client-dhcp
/ip hotspot
add address-pool=client-pool disabled=no idle-timeout=none interface=WLAN \
    name=hotspot-server

/user-manager limitation
add download-limit=4000000B name=Limits upload-limit=1000000B
add download-limit=25000000B name=limit1 upload-limit=2000000B
/user-manager profile
add name="Wifi client" name-for-users="Wifi client" override-shared-users=6 \
    starts-when=first-auth validity=unlimited
add name=Teleworkers name-for-users=Teleworkers override-shared-users=2 \
    starts-when=first-auth validity=unlimited
/user-manager user
add attributes=Framed-IP-Address:0.0.0.0 name=ms1 shared-users=6
add attributes=Framed-IP-Address:0.0.0.0 name=ms2 shared-users=6
add attributes=Framed-IP-Address:0.0.0.0 name=ms3 shared-users=6
add attributes=Framed-IP-Address:0.0.0.0 name=ms4 shared-users=6
add attributes=Framed-IP-Address:0.0.0.0 name=ms5 shared-users=6
add attributes=Framed-IP-Address:0.0.0.0 name=ms6 shared-users=6
add attributes=Framed-IP-Address:0.0.0.0 name=ms7 shared-users=6
add attributes=Framed-IP-Address:0.0.0.0 name=teleworker shared-users=2
add attributes=Framed-IP-Address:0.0.0.0 name=ms8 shared-users=6
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=\
    -90..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no signal-range=\
    -120..-90 ssid-regexp=""
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-enabled comment=2GHz hw-supported-modes=gn \
    master-configuration=client-2GHz name-format=prefix-identity name-prefix=\
    2GHz slave-configurations=staff-2GHz
add action=create-enabled comment=5GHz hw-supported-modes=ac \
    master-configuration=client-5GHz name-format=prefix-identity name-prefix=\
    5GHz slave-configurations=staff-5GHz
/interface bridge port
add bridge=STAFF ingress-filtering=no interface=ether3-Main-Switch \
    internal-path-cost=10 path-cost=10
add bridge=STAFF ingress-filtering=no interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=STAFF ingress-filtering=no interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=STAFF ingress-filtering=no interface=ether8-1810-Backup-Switc \
    internal-path-cost=10 path-cost=10
add bridge=STAFF ingress-filtering=no interface=ether9-FreePBX \
    internal-path-cost=10 path-cost=10
add bridge=STAFF ingress-filtering=no interface=ether10 internal-path-cost=10 \
    path-cost=10
add bridge=STAFF ingress-filtering=no interface=ether2 internal-path-cost=10 \
    path-cost=10
add bridge=WLAN ingress-filtering=no interface=vlan131-Clients \
    internal-path-cost=10 path-cost=10
add bridge=WLAN ingress-filtering=no interface=ether7 internal-path-cost=10 \
    path-cost=10

/ip settings
set tcp-syncookies=yes

/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add interface=ether1-ISP1 list=WANs
add interface=PPPoE-ISP1 list=WANs
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:44:72:74:79:2C name=ovpn-server1
/interface wifi access-list
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=\
    -90..120
add action=reject allow-signal-out-of-range=10s disabled=no signal-range=\
    -120..-90
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=STAFF \
    package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-enabled comment=5GHz disabled=no master-configuration=\
    client-5GHz name-format=%I-5GHz-1 slave-configurations=staff-5GHz \
    slave-name-format=%I-5GHz-2 supported-bands=5ghz-ax
add action=create-enabled comment=5GHz disabled=no master-configuration=\
    client-5GHz_AC name-format=%I-5GHz-1 slave-configurations=staff-5GHz_AC \
    slave-name-format=%I-5GHz-2 supported-bands=5ghz-ac
add action=create-enabled comment=2GHz disabled=no master-configuration=\
    client-2GHz name-format=%I-2GHz-1 slave-configurations=staff-2GHz \
    slave-name-format=%I-2GHz-2 supported-bands=2ghz-ax
add action=create-enabled comment=2GHz disabled=no master-configuration=\
    client-2GHz_AC name-format=%I-2GHz-1 slave-configurations=staff-2GHz_AC \
    slave-name-format=%I-2GHz-2 supported-bands=2ghz-n,2ghz-g




/ip address
add address=192.168.130.200/24 interface=STAFF network=192.168.130.0
add address=192.168.131.254/24 interface=WLAN network=192.168.131.0
add address=192.168.5.2/24 interface=ether1-ISP1 network=192.168.5.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-server lease
add address=192.168.130.247 mac-address=70:5A:0F:A4:04:E1 server=staff-dhcp
/ip dhcp-server network
add address=192.168.130.0/24 dhcp-option=option66 dns-server=1.1.1.1,1.0.0.1 \
    gateway=192.168.130.200 netmask=24
add address=192.168.131.0/24 dhcp-option=option66 dns-server=\
    192.168.131.254,1.1.1.1,8.8.8.8 gateway=192.168.131.254 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1

/ip firewall address-list
[REMOVED, irrelevant]
/ip firewall filter
[REMOVED, irrelevant]
/ip firewall raw
[REMOVED, irrelevant]
/ip firewall service-port
[REMOVED, irrelevant]

/ip hotspot ip-binding
add address=192.168.130.30 type=bypassed
/ip hotspot user
add name=hotel-manager server=hotspot-server
add name=user-test server=hotspot-server
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip hotspot walled-garden ip
add action=accept disabled=no !dst-address !dst-address-list dst-host=\
    192.168.130.30 !dst-port !protocol !src-address !src-address-list
/ip ipsec identity
[REMOVED, irrelevant]
/ip ipsec policy
[REMOVED, irrelevant]

/ip route
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=192.168.5.1

/ip service
[REMOVED, irrelevant]

/ppp secret
[REMOVED, irrelevant]

/radius
add address=192.168.130.200 require-message-auth=no service=hotspot timeout=\
    300ms
/radius incoming
set accept=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5

/system clock
set time-zone-name=Europe/Athens
/system identity
set name=Ms
/system ntp client
set enabled=yes
/system ntp client servers
add address=194.177.210.54
add address=193.239.214.227
/system resource irq rps
set sfp-sfpplus1 disabled=no

/system scheduler
[REMOVED, irrelevant]

/system script
[REMOVED, irrelevant]


/tool netwatch
add disabled=no down-script=":local status \"DOWN\"\r\
    \n:local previousMessage [/file get internetlog.txt contents]\r\
    \n:local newMessage ([/system/clock/get date ].\" \".[/system/clock/get ti\
    me ].\" \".\$status.\"\\r\\n\")\r\
    \n\r\
    \n:local contents (\$previousMessage.\$newMessage)\r\
    \n/file set internetlog.txt contents=\$contents" host=8.8.8.8 http-codes=\
    "" interval=20s name=check_ISP1 packet-count=10 packet-interval=1s \
    test-script="" type=icmp up-script=":local status \"UP\"\r\
    \n:local previousMessage [/file get internetlog.txt contents]\r\
    \n:local newMessage ([/system/clock/get date ].\" \".[/system/clock/get ti\
    me ].\" \".\$status.\"\\r\\n\")\r\
    \n\r\
    \n:local contents (\$previousMessage.\$newMessage)\r\
    \n/file set internetlog.txt contents=\$contents"
/tool romon
set enabled=no
/user aaa
set use-radius=yes
/user-manager
set certificate=*0 enabled=yes require-message-auth=no use-profiles=yes
/user-manager router
add address=192.168.130.200 name=hotspot
/user-manager user-profile
add profile="Wifi client" user=ms1
add profile="Wifi client" user=ms2
add profile="Wifi client" user=ms3
add profile="Wifi client" user=ms4
add profile="Wifi client" user=ms5
add profile="Wifi client" user=ms6
add profile="Wifi client" user=ms7
add profile=Teleworkers user=teleworker
add profile="Wifi client" user=ms8

The best course of action is to adjust the pool size to your liking. I normally set the pool size to /22, or it really depends on the situation and how many APs you have.

Would like to have a look at your config:
/export file=anynameyoulike
Remove serial and any other private info, post between Preformatted text tags by using the </> button.

It can be some device that has no access and re-tries with a different randomized MAC address.
It is difficult to fight that.

But doesn't it show all leases in

/ip/dhcp-server/lease> print

?
There is a host name and last seen.

Just in case: RFC1918 provides a huge 10.0.0.0/8 network. You have ~17 million IPs.

It generally is not wise to allocate such a large subnet to a WiFi... the persistent attacker will exhaust it anyway, and in the meantime you will get serious performance problems.

@erlinden
Updated Post with a config.

@loloski
I really don't have that many users. We are talking about 10 APs, and max 30 client devices up concurrently. My basic problem is IPs from the pool not being released from hotspot. I can see inside IP->Pool that the owner is hotspot.

@IlKa
No, because some IPs from the pool are owned by hotspot. Could be a misconfiguration that was left from the previous v6 that got migrated to v7. Check the column "owner" to see what I mean.

@pe1chl
It's not the amount of concurrent devices that eats the pool. It's that they are not being released. Specifically the ones owned by "hotspot" in the image above.

PS. I know that the VLAN - capsman setup is the "old way" with bridging the vlan interface and it needs modernizing. That's another topic!

Thanks.

Don't the devices generate a random MAC address each time they do the DHCP query?
When they do not accept the answer (why? that is the question) they try again and again ... and the DHCP pool gets exhausted.
Are DHCP addresses delivered to the DHCP clients? Do you have proper firewall forwarding enabled? If devices ask for an IP and do not get the answer, the DHCP server nevertheless makes reservations.

I can understand the logic of devices using random mac address and I will look into it.

My main question is why some addresses in IP Pool have owner DHCP and others have hotspot. Because the ones owned by hotspot stay there, never to be released, until the pool is exhausted.

I mean, if I sort by MAC, I can see that for each MAC there are 2 IPs from the pool (1 from hotspot and 1 from DHCP). Once the DHCP lease is over, the DHCP-owned IP gets released while the hotspot-owned one stays there. The more I look at it, the more I believe it's a misconfiguration in either hotspot or user manager.

The following screenshot is from now, after having cleared the pool, so it's been running around 3 hours max.

I think I found something.

I can see the following MAC address that is not duplicated and is owned by DHCP, the one that will get stuck longer than all the others.

Now in IP -> Hotspot -> Hosts I can find that MAC address. It has 2 IP addresses, one from the hotspot and one from DHCP (192.168.131.100), which you can see above has already been released.

If I delete this host line marked with yellow, the IP that was reserved by hotspot finally gets released from the pool.

What is it for? Is it needed? What happens if you turn it off?

As you use VLANs, are the DHCP answers tagged back with the proper VLAN tag so they reach the WiFi clients?
The default tag for STAFF is added as the documentation says: Bridge VLAN Table - RouterOS - MikroTik Documentation
What about egress traffic?

DHCP option66 is just for setting the TFTP server for the auto-provisioning of IP phones. Also, this is used on the DHCP server of another subnet; it is 100% not related. For the sake of info, the IP in the value is just the PBX IP.

I did mention earlier, the VLANs on this router are set up "the old way", where you create a separate bridge that includes the vlan interface along with all the interfaces that should be on the same subnet.
I know it is dated, the reason being that this was set up more than 5 years ago, in RouterOS v6. In reality, when there is enough time available, I will update it to the current way of implementing VLANs, but as a setup it works.
Also from the AP standpoint, since it's still the OLD capsman, this is set up with capsman-forwarding so all the wifi-related traffic of the APs is forwarded directly to capsman through a single VLAN.

The problem I describe in this post has existed for some months, meaning for example that on 7.14.X it didn't happen (or to be more precise, it wasn't noticeable if it did).

After I managed to pinpoint the problem a bit better, I found the following post, which seems like the one I am facing: Hotspot and multiple IP's per MAC

Edit for clarification: The export I posted includes both capsman v1 and v2, since I have both mipsbe and arm64. The problem I face is related to capsman v1, and it is the same on another site with a similar setup and only capsman v1.

I know what option 66 is for, but in the configuration it's obfuscated and we do not know if the same IP is served for the 130 and 131 subnets, and therefore maybe (!!!) clients do not react to the first assigned IP but wait for some other "66" data to be provided.
What if, just for a test, you remove the VLAN tag and let the subnets mix IPs with the default native VLAN tag?
What happens when/if you assign static IPs to MACs?


Ok, fair enough. Removed option 66 from DHCP Server -> Networks (and to be frank, it was also left enabled in the wifi subnet for no reason).

1st downside - Since the location is remote, on an island, I am not sure how I can do the rest. Also, one subnet is staff, which should not have hotspot; the other is the clients SSID, which should have hotspot.
Unfortunately, I can't mix them; I will create more problems than I solve if I do that.
2nd downside - I don't have any device with which I can test wifi remotely and see what works. The only way I can think of to test hotspot is to create an EoIP tunnel from the client to my office.

What I can do is spend the time to update the VLAN configuration to the current v7 setup with vlan-filtering (as per your link), if that would make things clearer.

Since there is literally no time to investigate right now, I will implement a workaround based on what I have found so far, until I find time. I need to get familiar with the hotspot setup before I modify anything. Maybe (just maybe) the solution is to put a proper "idle timeout" value, I don't know.

Anyway, here is the temporary workaround I aim to implement.

Aim => Create a script that will run on a schedule (e.g. daily) and iterate over the entries in /ip hotspot host, checking whether the IP in column "address" exists in ip pool used. If not, delete the entry from /ip hotspot host.
Note 1: In /ip hotspot host, column "address" is the equivalent of the DHCP-owned address in ip pool used, and column "to-address" is the equivalent of the hotspot-owned address in ip pool used.
Note 2: Removing a host entry in /ip hotspot host also frees the IP from the DHCP pool if it exists, removing the hotspot-owned IP in ip pool used.

:foreach h in=[/ip hotspot host find] do={
  # "address" is the DHCP-assigned IP of the host, "mac-address" identifies it
  :local dhcpip [/ip hotspot host get $h address]
  :local clientmacaddress [/ip hotspot host get $h mac-address]

  # A live host still has its DHCP-owned address in "ip pool used".
  # If it is gone, the DHCP lease has expired but the hotspot host entry
  # (and the hotspot-owned IP it holds) was left behind.
  :if ([:len [/ip pool used find address=$dhcpip]] = 0) do={
    :log info "Hotspot host check: Found inactive hotspot entry. MAC Address: $clientmacaddress. Removing it."
    # Removing the host entry also frees the hotspot-owned IP from the pool.
    /ip hotspot host remove [find mac-address=$clientmacaddress]
  }
}

Don't want to waste any more of your time :)
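A read-only companion to the workaround above, added here as an example and not part of the thread: it counts how the pool is consumed per owner (the "owner" column the poster describes in IP->Pool) and lists the hotspot hosts whose DHCP-owned "address" has left the pool while their hotspot-owned "to-address" is still held, so the stuck entries can be reviewed before any removal. It assumes the pool name `client-pool` from the posted export, where both the DHCP server and the hotspot server use that same pool; field names (`owner`, `address`, `to-address`, `idle-time`) are the standard RouterOS ones.

```routeros
# Added audit script (not from the thread). Read-only: nothing is removed.
# Pool name taken from the posted export (/ip pool add name=client-pool ...).
:local poolName "client-pool"

# 1) Count used pool entries per owner (e.g. dhcp vs hotspot). If the hotspot
#    server hands out a to-address from the same pool the DHCP server uses,
#    the hotspot-owned count grows alongside the dhcp-owned one.
:local byOwner [:toarray ""]
:foreach u in=[/ip pool used find pool=$poolName] do={
  :local owner [/ip pool used get $u owner]
  :if ([:typeof ($byOwner->$owner)] = "nothing") do={
    :set ($byOwner->$owner) 0
  }
  :set ($byOwner->$owner) (($byOwner->$owner) + 1)
}
:put ("pool " . $poolName . " usage by owner:")
:foreach k,v in=$byOwner do={
  :put ("  " . $k . ": " . $v)
}

# 2) Hosts whose DHCP-owned "address" is no longer in the pool but whose
#    hotspot-owned "to-address" is still held: these are the entries the
#    workaround script removes. Printed here with idle-time for review.
:local stale 0
:foreach h in=[/ip hotspot host find] do={
  :local mac [/ip hotspot host get $h mac-address]
  :local addr [/ip hotspot host get $h address]
  :local toAddr [/ip hotspot host get $h to-address]
  :local idle [/ip hotspot host get $h idle-time]
  :if ([:len [/ip pool used find pool=$poolName address=$addr]] = 0) do={
    :set stale ($stale + 1)
    :put ("  stuck host mac=" . $mac . " address=" . $addr . \
          " to-address=" . $toAddr . " idle-time=" . $idle)
  }
}
:put ("hotspot hosts holding a pool address without a DHCP lease: " . $stale)
```

Run it from a terminal (or as a scheduled script that logs instead of `:put`) before and after the cleanup script to confirm that the hotspot-owned count drops by the number of stuck hosts reported.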

Just a follow-up: the script has worked as intended, so far so good.

Of course this is a workaround until I get to the root of the problem.