iPad connecting to hidden iot ssid, but no internet

I have 3 different SSIDs: Home, Guest and IoT. The latter is separated into 2.4 and 5G while the former two are combined.

The iPad connects to all SSIDs, but only the 5GHz IoT has no internet.

My laptop, by comparison, will resolve internet from all SSIDs when connected to each. I check the registration table to confirm which band the laptop was connected to.

I also have the same issues with my Grandstream VoIP phone, so don’t believe it’s an exclusive iPad issue.

 > exp
# 2025-12-11 21:45:37 by RouterOS 7.20.2
# software id = xx
#
# model = C52iG-5HaxD2HaxD
# serial number = xx
# LAN bridge with a fixed (redacted) admin MAC. Its member ports are listed
# further down under /interface bridge port.
/interface bridge
add admin-mac=xx:A9:8A:xx:xx:xx auto-mac=no comment=BRIDGE name=bridge \
    port-cost-mode=short
# Labels only: ether1-ether3 are marked as WAN uplinks, ether4-ether5 as LAN.
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-LTE
set [ find default-name=ether2 ] comment=WAN-DHCP
set [ find default-name=ether3 ] comment=WAN-PPPoE
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN
# Wireless layout: wifi1 (5 GHz) and wifi2 (2.4 GHz) are the physical radios and
# both broadcast the "Home" SSID. wifi3-wifi6 are virtual APs stacked on those
# radios (master-interface=...) for the "Guests" SSID and the hidden IoT SSIDs.
# Only wifi1 and wifi2 are bridge ports; the virtual APs are standalone routed
# interfaces, each with its own address and DHCP server.
/interface wifi
# Home, 5 GHz: WPA2-PSK/WPA3-PSK, SSID visible, no client isolation.
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=2300-7300 \
    .skip-dfs-channels=10min-cac .width=20/40/80mhz comment=Primary \
    configuration.country="New Zealand" .hide-ssid=no .mode=ap .ssid=\
    Home datapath.client-isolation=no disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp \
    .sae-anti-clogging-threshold=0
# Home, 2.4 GHz: same security settings as wifi1.
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=all \
    .width=20/40mhz-eC comment=Primary configuration.country="New Zealand" \
    .hide-ssid=no .mode=ap .ssid=Home .station-roaming=no \
    datapath.client-isolation=no disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .encryption=ccmp .sae-anti-clogging-threshold=0
# Guests on both radios: client-isolation=yes keeps stations on the same AP from
# talking to each other directly. It does not by itself restrict routed traffic
# to other subnets; that is left to /ip firewall filter.
add comment=Guest configuration.mode=ap .ssid="Guests" \
    datapath.client-isolation=yes disabled=no mac-address=xx:A9:8A:xx:xx:xx \
    master-interface=wifi1 name=wifi3 security.authentication-types=\
    wpa2-psk,wpa3-psk .encryption=ccmp
add comment=Guest configuration.mode=ap .ssid="Guests" \
    datapath.client-isolation=yes disabled=no mac-address=xx:A9:8A:xx:xx:xx \
    master-interface=wifi2 name=wifi4 security.authentication-types=\
    wpa2-psk,wpa3-psk .encryption=ccmp
# IoT, 5 GHz (iot5): hidden SSID with fast transition switched off.
# hide-ssid=yes only stops the name being advertised in beacons; it is not an
# access control, and clients set up for a hidden network generally have to
# probe for it by name. The PSK and the firewall are what protect this segment.
add comment=IoT configuration.hide-ssid=yes .mode=ap .ssid=iot5 \
    datapath.client-isolation=yes disabled=no mac-address=xx:A9:8A:xx:xx:xx \
    master-interface=wifi1 name=wifi5 security.authentication-types=\
    wpa2-psk,wpa3-psk .encryption=ccmp .ft=no .ft-over-ds=no
# IoT, 2.4 GHz (iot2).
# NOTE(review): this is the only AP that still offers wpa-psk (WPA1) and the
# only one without wpa3-psk. encryption=ccmp keeps TKIP off, but if no IoT
# device actually needs WPA1, removing wpa-psk drops the legacy mode.
add comment=IoT configuration.hide-ssid=yes .mode=ap .ssid=iot2 \
    datapath.client-isolation=yes disabled=no mac-address=xx:A9:8A:xx:xx:xx \
    master-interface=wifi2 name=wifi6 security.authentication-types=\
    wpa-psk,wpa2-psk .encryption=ccmp
# VLAN 10 is tagged on two of the WAN ports: ether2 (DHCP uplink) and ether3
# (PPPoE uplink).
/interface vlan
add comment="VLAN 10 - DHCP" interface=ether2 name=DHCP_v10 vlan-id=10
add comment="VLAN 10 - PPPoE" interface=ether3 name=vlan10 vlan-id=10
# PPPoE session over the ether3 VLAN; it installs the default route and takes
# DNS servers from the peer. No password appears in this export.
/interface pppoe-client
add add-default-route=yes comment="WAN PPPoE" interface=vlan10 name=pppoe-1 \
    use-peer-dns=yes user=username
/interface ethernet switch
set 0 cpu-flow-control=yes
# WAN and LAN are the interface lists the firewall, NAT and MAC-server settings
# key on. Membership is assigned under /interface list member.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Address pools. dhcp_pool1 and dhcp_pool4 hand out the same range
# (10.10.10.2-254), as do dhcp_pool2 and dhcp_pool3 (10.10.20.2-254). Each pool
# feeds a separate DHCP server on a separate wifi interface, so two independent
# servers can lease the same address to different clients.
/ip pool
add comment=2.4G-IoT name=dhcp_pool1 ranges=10.10.10.2-10.10.10.254
add comment=2.4G-Guest name=dhcp_pool2 ranges=10.10.20.2-10.10.20.254
add comment=5G-Guest name=dhcp_pool3 ranges=10.10.20.2-10.10.20.254
add comment=5G-IoT name=dhcp_pool4 ranges=10.10.10.2-10.10.10.254
add comment=Primary name=defconf_dhcp ranges=10.10.0.2-10.10.0.254
# NOTE(review): the vpn range runs up to .255, which is the broadcast address if
# the VPN network is treated as 192.168.89.0/24 (as the srcnat rule does).
add name=vpn ranges=192.168.89.2-192.168.89.255
# One DHCP server per L3 interface: the bridge for Home, and one per virtual AP
# for Guest and IoT. The "Interface not running" lines were emitted by the
# export itself for wifi4 and wifi3.
/ip dhcp-server
add address-pool=defconf_dhcp comment=Primary interface=bridge name=defconf
add address-pool=dhcp_pool1 comment="2.4G IoT" interface=wifi6 lease-time=1d \
    name=dhcp1
# Interface not running
add address-pool=dhcp_pool2 comment="2.4G Guest" interface=wifi4 lease-time=1d \
    name=dhcp2
# Interface not running
add address-pool=dhcp_pool3 comment="5G Guest" interface=wifi3 lease-time=1d \
    name=dhcp3
add address-pool=dhcp_pool4 comment="5G IoT" interface=wifi5 lease-time=1d \
    name=dhcp4
# PPP profile for the L2TP VPN: clients get addresses from the "vpn" pool, the
# router end is 192.168.89.1, and DNS 1.1.1.1 is pushed to them.
/ppp profile
add dns-server=1.1.1.1 local-address=192.168.89.1 name=vpn remote-address=vpn \
    use-encryption=yes
# NOTE(review): *FFFFFFFE is an internal item id, presumably one of the built-in
# PPP profiles - confirm which one on the router.
set *FFFFFFFE use-ipv6=no
/routing bgp template
set default as=65530
# Bridge members: the two LAN ethernet ports and the two physical radios. The
# virtual APs wifi3-wifi6 are not bridged.
/interface bridge port
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 \
    path-cost=10
# NOTE(review): discovery is enabled on "all" interfaces, which includes the
# WAN-side ports and the Guest/IoT APs. Limiting it to the LAN list keeps the
# router from announcing itself on networks that are not trusted.
/ip neighbor discovery-settings
set discover-interface-list=all
# IPv6 is switched off globally, so the /ipv6 firewall sections in this export
# are not doing any filtering at the moment.
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=15360
# L2TP server for remote access, using the "vpn" profile.
# NOTE(review): use-ipsec=yes is understood to make IPsec available without
# making it mandatory, so a plain L2TP session could still be accepted. The
# stricter mode of this option (IPsec mandatory) closes that gap - confirm
# against the RouterOS L2TP documentation. No IPsec secret appears in this
# export.
/interface l2tp-server server
set default-profile=vpn enabled=yes one-session-per-host=yes use-ipsec=yes
# Only the bridge is in LAN. wifi3-wifi6 (Guest and IoT) belong to neither list,
# so every rule written as in-interface-list=!LAN treats them like outside
# networks, and rules keyed on WAN do not apply to them.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=LTE interface=ether1 list=WAN
add comment=PPPoE interface=pppoe-1 list=WAN
add comment=DHCP interface=DHCP_v10 list=WAN
# Router addresses. 10.10.10.1/24 is configured twice (wifi6 and wifi5) and
# 10.10.20.1/24 twice (wifi3 and wifi4). With the same subnet on two separate
# routed interfaces the router has two connected routes per subnet, so which
# interface a reply leaves on is not tied to where the client actually is. This
# duplication is what the replies in the thread address.
/ip address
add address=10.10.10.1/24 comment="2.4G IoT" interface=wifi6 network=\
    10.10.10.0
add address=10.10.20.1/24 comment="5G Guest" interface=wifi3 network=\
    10.10.20.0
add address=10.10.20.1/24 comment="2.4G Guest" interface=wifi4 network=\
    10.10.20.0
add address=10.10.10.1/24 comment="5G IoT" interface=wifi5 network=10.10.10.0
add address=10.10.0.1/24 comment=Primary interface=bridge network=10.10.0.0
# MikroTik cloud DDNS is on and is told to publish the router's local address.
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m
/ip cloud advanced
set use-local-address=yes
# DHCP clients on the LTE and DHCP uplinks. The "Interface not active" line was
# emitted by the export itself.
/ip dhcp-client
# Interface not active
add comment=LTE interface=ether1
add comment=DHCP interface=DHCP_v10
# DHCP options per subnet. Main and Guest clients are given OpenDNS resolvers,
# IoT clients are given 1.1.1.1/1.0.0.1. The dst-nat rules under
# /ip firewall nat rewrite port 53 traffic regardless of what is handed out here.
/ip dhcp-server network
add address=10.10.0.0/24 comment="Main Subnet" dns-server=\
    208.67.222.222,208.67.220.220 gateway=10.10.0.1
add address=10.10.10.0/24 comment="IoT Subnet" dns-server=1.1.1.1,1.0.0.1 \
    gateway=10.10.10.1
add address=10.10.20.0/24 comment="Guest Subnet" dns-server=\
    208.67.222.222,208.67.220.220 gateway=10.10.20.1
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts. Who can reach it is decided by the input chain and by the port 53
# dst-nat rules, not by this setting.
/ip dns
set allow-remote-requests=yes cache-size=20480KiB
# NOTE(review): ssl-verify=no fetches the blocklist over HTTPS without checking
# the server certificate, so the download is encrypted but not authenticated.
# Turning verification on needs a trusted CA set on the router.
/ip dns adlist
add ssl-verify=no url=\
    https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
/ip dns static
add address=10.10.0.1 comment=defconf name=router.lan type=A
# IPv4 filter rules, evaluated top to bottom. Rule order matters here, so the
# rules are left exactly as exported and only annotated.
/ip firewall filter
# Everything arriving from the LAN list (the bridge only) may reach the router.
# The comment mentions wireguard, but no wireguard interface is in this export.
add action=accept chain=input comment=\
    "Allow trusted subnet  and wireguard for config" in-interface-list=LAN
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# Guest/IoT -> bridge isolation. These four drops sit above the forward chain's
# established/related accept, so they also drop replies coming back from
# Guest/IoT devices to connections that a Home device started.
# NOTE(review): they only cover traffic heading to the bridge. Nothing here
# blocks routed traffic between the IoT and Guest interfaces, and the forward
# chain has no final drop rule, so that traffic is not filtered as exported.
add action=drop chain=forward comment="2G IoT Isolation" in-interface=wifi6 \
    out-interface=bridge
add action=drop chain=forward comment="5G IoT Isolation" in-interface=wifi5 \
    out-interface=bridge
add action=drop chain=forward comment="2G Guest Isolation" in-interface=wifi4 \
    out-interface=bridge
add action=drop chain=forward comment="5G Guest Isolation" in-interface=wifi3 \
    out-interface=bridge
# VPN listeners, accepted from any interface and any source address.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
# NOTE(review): udp/1701 is accepted whether or not it arrived inside IPsec.
# Adding ipsec-policy=in,ipsec to this rule would restrict it to L2TP that has
# already been decrypted by IPsec.
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
# NOTE(review): this rule depends on an address list named Management, but no
# /ip firewall address-list section appears in this export. If the list is
# empty the rule matches nothing - confirm on the router.
add action=accept chain=input comment="allow remote connection for Winbox" \
    dst-port=8291 protocol=tcp src-address-list=Management
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Input default: anything not from LAN that was not accepted above is dropped.
# That includes Guest and IoT clients, because wifi3-wifi6 are not in LAN.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# NOTE(review): this rule cannot match in this position. LAN packets are
# accepted by the first rule and every other packet is dropped by the rule
# directly above. defconf places "drop invalid" near the top of the chain.
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# New connections from WAN are dropped unless they were dst-nat'ed. The port 53
# dst-nat rules under /ip firewall nat have no interface match, so DNS arriving
# on WAN counts as dst-nat'ed and passes this rule.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# NAT rules.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
# Forced DNS: all TCP/UDP port 53 traffic passing through dstnat is rewritten to
# 208.67.222.222. This overrides the 1.1.1.1/1.0.0.1 servers handed to the IoT
# subnet and also catches queries addressed to the router itself, so the
# router's own cache, adlist and static entries are bypassed for clients.
# NOTE(review): neither rule has an in-interface, in-interface-list or
# src-address match, so DNS queries arriving on a WAN interface are redirected
# too, and the forward chain lets dst-nat'ed WAN connections through. On a
# publicly reachable address that makes the router relay DNS for outside hosts.
# Scoping both rules to local sources (for example in-interface-list=LAN plus
# the Guest/IoT interfaces) keeps the redirect internal.
add action=dst-nat chain=dstnat comment="OpenDNS [tcp]" dst-port=53 protocol=\
    tcp to-addresses=208.67.222.222 to-ports=53
add action=dst-nat chain=dstnat comment="OpenDNS [udp]" dst-port=53 protocol=\
    udp to-addresses=208.67.222.222 to-ports=53
# VPN client traffic is masqueraded on whatever interface it leaves through
# (no out-interface match).
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Management services: ftp, telnet, www, api and api-ssl are disabled and SSH is
# moved to port 2206. Services not listed here (winbox, for one) are not changed
# by this export; reachability is then decided by the input chain.
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set ssh port=2206
set api disabled=yes
set api-ssl disabled=yes
# IPv6 firewall, all entries carrying the "defconf" comment. /ipv6 settings in
# this export has disable-ipv6=yes, so these rules are dormant for now; they
# become the active policy if IPv6 is ever enabled.
# bad_ipv6 collects source/destination prefixes that should not be forwarded.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# Input chain: stateful accept, ICMPv6, traceroute, DHCPv6-PD and IPsec are
# allowed, then everything not from the LAN list is dropped.
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Forward chain: same pattern, and unlike the IPv4 forward chain above it ends
# in a drop for everything not coming from the LAN list.
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Single VPN account bound to the "vpn" profile and limited to L2TP. No password
# appears in this export.
/ppp secret
add name=vpn profile=vpn service=l2tp
/system clock
set time-zone-name=Pacific/Auckland
/system clock manual
set time-zone=+12:00
/system identity
set name="Home Router AX"
/system ntp client
set enabled=yes
# The router also acts as an NTP server in broadcast, multicast and manycast
# modes. Which networks can query it is decided by the input chain.
/system ntp server
set broadcast=yes enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=time.cloudflare.com
add address=pool.ntp.org
# Scheduled radio and LTE on/off jobs. All six are disabled=yes in this export.
# NOTE(review): each job carries the full policy set (ftp, reboot, password,
# sniff, sensitive, romon, ...) although its on-event only enables or disables
# one interface. A narrower policy set would limit what an edited on-event
# script could do if the jobs are re-enabled.
/system scheduler
add comment="5G Enable" disabled=yes interval=1d name=Enable_WiFi1 on-event=\
    "/interface enable wifi1" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-06-22 start-time=06:30:00
add comment="2G Enable" disabled=yes interval=1d name=Enable_WiFi2 on-event=\
    "/interface enable wifi2" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-06-22 start-time=06:30:00
add comment="5G Disable" disabled=yes interval=1d name=Disable_WiFi1 on-event=\
    "/interface disable wifi1" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-06-22 start-time=23:00:00
add comment="2G Disable" disabled=yes interval=1d name=Disable_WiFi2 on-event=\
    "/interface disable wifi2" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-06-22 start-time=23:00:00
add comment="Disable Overnight LTE Data" disabled=yes interval=1d name=\
    Disable_LTE/Ether1 on-event="/interface disable ether1" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-08-12 start-time=22:30:00
add comment="Enable Daytime LTE Data" disabled=yes interval=1d name=\
    Enable_LTE/Ether1 on-event="/interface enable ether1" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-08-13 start-time=06:00:00
# Layer-2 management (MAC telnet and MAC Winbox) is limited to the LAN list,
# i.e. the bridge. Guest and IoT interfaces are excluded.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# NOTE(review): RoMON is enabled and this export shows no per-port restriction
# or secret for it. If RoMON is not in use, disabling it removes a layer-2
# management path; if it is, confirm a secret is set and that it is not
# running on the WAN, Guest or IoT interfaces.
/tool romon
set enabled=yes

Don't assign the same subnet (same network address and same prefix length) to different interfaces under /ip address, unless the interfaces are in different VRFs. You can read my post from yesterday to see what happens when you do that:

In your configuration, the 10.10.10.0/24 subnet and 10.10.20.0/24 subnets are being assigned to multiple interfaces (all in the default @main VRF) at the same time. You probably have a bunch of dynamic ECMP routes in your /ip route table right now.

I did wonder about the double ups when I set this up. What’s a better way of configuring this? Thanks for your help!

Reading your post, so which IP should I remove from which config? Or did I misread something?

BTW, the iPad is working on the 5GHz IoT SSID now. Not sure what happened there.

If you are sharing SSIDs across wifi interfaces, you need to put these interfaces on some sort of additional bridge or on a vlan, such that the bridge or vlan and the wifi interfaces together become a single broadcast domain. You then put an ip address on to the bridge or vlan from a subnet which is not replicated elsewhere on your system. The system then sorts out the routing for you.