is it me, or is it the wAP ax?

Good day all,
Posting in the Beginner section - but feel free to move the post, if it should be.
I’m no “beginner”, but my CCNA was a long time ago, and while I’m quite technical, I admit that all my Mikrotik stuff usually just “works out of the box” for me… so either it’s me, or the wAPax is a nightmare, has issues - OR - needs serious tweaking from the factory - that I have NOT found instructions for yet.

I’ve deployed 100+ Mikrotik devices… lots of cAPac, wAPac, and always to great delight and success. (for me, and my customers)
I’ve even used CAPSMAN a few times in larger setups, but that’s not what today’s challenge is about. (I know capsman has issues with wAPax)

I admit, that while I can work a CLI if I have to, I really do prefer the WinBox… it’s just SOOOOO pleasant to see blanks, configure a minimalist approach, and walk away. (that’s what I mean by “works out of the box” above)

Bear with me… as I spell out today’s challenging setup at a site, after some “recurring strangeness” since I started adding wAPax units to the mix, in a NUMBER of locations. Usually, there are a lot of variables, neighbours, excuses for interference, blah blah blah.
Not so much this time - so that’s why my post. THIS SHOULD JUST WORK, and work awesomely.

Rural Canadian setup, as in, so rural that Starlink is the source internet.
When doing a full scan from the highest point/device on a tower, I can see a few Bell devices from neighbouring properties, that are obviously using cellular Bell Canada conversion systems. But, we are talking about a very quiet area… no radar, no strangeness, maybe 3 of these Bell systems showing on the scan list.

All devices updated and running 7.19.1

Two houses, plus some outbuildings.
All sharing internet mounted on building 1.
75m apart, the two main buildings. (forgive me US friends, multiply by 3 to get feet)
Wired Gb ethernet (via the mid-position-cabin) between them.

Building 1 - modern wood construction, wood siding exterior.
Served internal wifi by an hAPac. Works well, always has.
Garage has metal cladding, so added a cAPac on wired ethernet, to enhance access in there. No issues.
Recently added two wAPax units, to upper rear, and front deck, hoping to expand coverage beyond building - “from the road to the waterfront”, sort of idea. (figuring that anything exterior wAP from Mikrotik should KILL this coverage. (it always has - like we are talking open line of sight!!)
Yet… not exactly stunning results…

Small cabin between building 1 & 2, wood construction & exterior.
Served internal wifi by a cAPac, that also acts as the mid-way relay point for ethernet between building 1 & 2.
wifi also nicely spreads out beyond, to surrounding outdoors around it, lightly wooded areas. Working signal still, 20m away.

Building 2 - older wood construction, metal siding and roofing. (yeah, I know, it’s a Faraday cage)
It is served wifi by a cAPac, works well inside, but as you can imagine is “spotty” outside the building.

Yesterday, I added a wAPax that I had set aside, to this second building.
I mounted it up, on the old standard 3-C-channel TV tower that has been on the building forever, figuring that the height (10m up) would give me EXTENSIVE coverage, of everything outside this metal clad building, and in particular, a 2.4Ghz connection for the new Tesla wall charger, 22m away, open sight… through AT WORST a few leafy branches. (I can still SEE the wAPax from the charger)

This should be all - no-brainer solutions.
Yet, the wall charger barely stays connected… and as I walked around today using the ol’ “wifi sweet spots” app on the iPhone, not only was the signal speed/strength all over the map, but I realized afterwards, that it wasn’t even connecting to the 5Ghz, but was clinging to the crappy 2.4Ghz radio on the wAPax, the whole time.

Like, literally - an elevated position, 5m (15ft) above the roof line, where I can see it through the trees, and speed is dropping to 2Mbps, and such crap.

So - what am I doing wrong?

My configs are, and have always been dead simple.
I power units up from factory, login from lan side on WinBox.
Change SSIDs (both same for all), set to Canada, set to WPA2PSK and set the key.
Disable DHCP server, and set both Ether ports to bridge. (no WAN, no routing needed)

Yet, they suck.
Have done lots of wAPac units too, and they “just work”, much like the cAPac.

What am I missing?
(happy to share configs, files, tell me what you want to see!)
Also open to any replies that say “you’re an idiot, you need to turn on X”…

thanks!
Andrew

You are aware of the radiation pattern of the wAP AX? Sure you are using the correct device in this situation? Mounted correctly?
What is the signal and how did you set it up (yep, indeed we want to see the config)?

Thanks,
I have sought out radiation patterns of the Mikrotik devices in the past, and been told they are “generally spherical”.
I did try and seek out the wAPax this morning, to no avail. (mikrotik site, manuals, etc)
If it’s out there, love to see it.
Mounted vertically, using supplied rear plate, tied to vertical channel of TV tower. (3 pole steel tower)

Config here - like I posted, only minor adjustments “as needed” from what the factory sent.
That’s where I wonder if the wAPax isn’t as friendly as all the past cAP/wAP AC units I have implemented.

Thank you for the quick reply!

# 2025-05-31 13:07:06 by RouterOS 7.19.1
# software id = 3YWZ-I0AK
#
# model = wAPG-5HaxD2HaxD
# serial number = HH80A2E5C34
/interface bridge
add admin-mac=F4:1E:57:69:AC:E7 auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.country=Canada .mode=ap .ssid=\
    Rivendell disabled=no security.authentication-types=wpa2-psk .ft=yes \
    .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.country=Canada .mode=ap .ssid=\
    Rivendell disabled=no security.authentication-types=wpa2-psk .ft=yes \
    .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf disabled=yes interface=ether1 list=WAN
/interface ovpn-server server
add mac-address=FE:11:42:D4:18:9C name=ovpn-server1
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add comment=defconf interface=ether1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Toronto
/system identity
set name=95-wAPax-tower
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

I am pretty sure that you can have that, too, and for free!

The WapAx is an exception, it is rather directional, the W stays for Wall, so in the back there is little radiation, the most is projected forward in an angle that is in the 90-120° range, possibly a bit less.

See:
http://forum.mikrotik.com/t/wap-coverage-picture-included/179859/1
http://forum.mikrotik.com/t/wap-coverage-picture-included/179859/1

About 5Ghz, you seemingly let the Mikrotik to use whatever channel it sees fit:

/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.country=Canada .mode=ap .ssid=Rivendell disabled=no security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country=Canada .mode=ap .ssid=Rivendell disabled=no security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes

and there are a few channels on the high end of the 5 GHz band that usually Mikrotik “prefers” but that common devices (possibly also your charger) simply cannot reach/connect to.

…so the W isn’t for WeatherProof.
Wellllllllllllll poop.
When I got sold the first wAPac, that’s what I was told… guess I should have fact checked.

90-120 degrees.
And they don’t include PoE out on the wAP units, so it’s not like I can put another next to it.
ok, thanks.
I read the posting, but am going to go back and take another look at the 3D nature (ie: below) of the “flat ball sphere”, and take another look at alternatives.

As for the higher frequencies on 5Ghz, any posted range to stick to, in your experience?

Thank you,
Andrew

Stick to U-NII-1 and U-NII-2 … so up to and including channel 136 for 20MHz channels, 132 for 40MHz channels and 116 for 80MHz channels (that’s center frequencies 5680, 5660 and 5580 MHz respectively). Lower boundary is channel 36 (5180 MHz) for all channel widths. Thi frequency range also contains some DFS ranges which may work just fine or may fail completely for any particular installation.

Newer MT devices by default like to use U-NII-3 band which is not supported by many wifi clients and additionally comes with seriously low Tx power limits in many regulatory domains.

I still find it odd, that folks are saying W stands for wall, and not weatherproof.

https://mikrotik.com/product/wap_ax

wAP ax brings fast and reliable Wi-Fi 6 to your countryside getaway or any other challenging environments – like a rural gas station or a bus stop. wAP’s legendary weatherproof form-factor has been tested for several generations all across the globe, and remains a favorite among MikroTik users for its simplicity and durability.

http://forum.mikrotik.com/t/wap-coverage-picture-included/179859/4

You probably mean weird .

yeah, probably.
I’m sending my rep a note on the topic.

I read that topic too, saw all the WALL references.
Yet, their marketing materials for either wAP unit, don’t mention wall… they’re all about WeatherProof…

Yeah, I wondered about that too. Miktotik’s product page says “The cAP ac is a very capable and powerful wireless access point that looks beautiful on both walls and ceilings”…

Beauty is in the eye of the beholder, but looking beautiful doesn’t mean it works properly in whatever orientation …

For the cAP (c is for ceiling) I couldn’t find a diagram of the emissions, common sense tells me that it should be a more or less fat toroid (doughnut) that is horizontal when the device is hung to the ceiling (as otherwise, if it was omnidirectional[1] or projected forward you would have better wi-fi at the floor over or below your apartment).
Which should mean that the cAP sucks if hung on a wall.

By the same reasoning, if you hang a wAP (w is for wall) to the ceiling, the apartment below your should have better signal than you do outside a narrow radius, still one of the mounting bracket for the wAP is called "wAP ceiling mount bracket " …

Maybe when inside it doesn’t really matter as reflections make both devices omnidirectional in practice.

The wAP may be actually designed for the publicized environments (very common, everybody has one or more of those ) :

countryside getaway … , rural gas station or a bus stop

I was thinking of buying a bus stop to test a wAP in its natural environment (as rural gas stations are quite pricey here ) but wife said no way .


[1] but it clearly has some sort of reflectors inside that prevent signal to go through the ceiling

FWIW… where I have it up a tower right now, below it and in front of it, does work very well. “5 bars”…
so, the “facing direction”, anecdotally at least, does work below. (I can’t fly - so I can’t test up - yet)

If I want to mount on the tower, something more truly “spherical” and omnidirectional, and still use Mikrotik… any personal recommendations?
The other posts seem to point to the Metalsomething AX, which can have external antennae, or not. (it would appear)
But local supply says “back-order”, so maybe it’s too new?

That’s where a certain number of helium filled balloons may come handy…

Naah, the Netmetal Ax is not very new, maybe it is just out of stock.

But you would need an external 2x2 omnidirectional antenna, which may actually be more difficult to procure, or a couple of simple external ones.

The alternative would be a Groove, but there is no Ax version of it, only Ac.

Yeah… so far the supplier is recommending a pair of mANTBox units, facing opposite ways.
But at the price, I could just as easily add a second wAPax too… methinks…?
(and cheaper!)

Asking Mikrotik what they think…

I don’t think that you got the best advice from your retailer. (It happens even with the best of intentions.) Placing two devices back-to-back is severely not recommended. This is because while there is significantly less power radiated backwards, it is still overwhelming when one of the devices is transmitting, but the other would be receiving. (This is true even if they are on different channels, because a large part of the amplification stages amplifies the entire band, not just the frequency it is using.)

Cellular (GSM/LTE/5G) people get away with such things because their radios are synchronized to one another - either they are in the same device/chassis or they use a precision GPS clock.

Also, one-antenna solutions should not be considered, because there are significant standing wave patterns due to reflections, so at least two antennas are needed for the coverage not to fluctuate every 5-10 centimeters.

The go-to solution in my neck of the woods used to be (quite some time ago) the OmniTik. This would be the device of choice for you - unfortunately it doesn’t come in ax. (Yet? Who knows.)

Probably the current best solution would be the NetMetal AX + two of Mikrotik’s “HGO-antenna-OUT” antennas. Many people (including myself) are a bit skeptical of how well this would hold up outdoors, but Mikrotik even has an image of this setup in the product pages. (I have absolutely no personal experience with this.) Anyway, if you are willing to pay for a NetMetal AX, some self-vulcanizing tape can certainly be squeezed into the budget.

I’m sure the NetMetal is not exactly unobtainium.

…and I already own self-vulcanizing tape.

I put in a support request to Mikrotik - will see if their people concur. To me, what you suggest, “feels right”.
And with the suggested short cords, I could mount them apart a distance too?

Do you recommend (I don’t want to assume) - mounting the two antennae as far from each other as is possible?

My surprise was more about their image showing the device “uncapped”, with the antennas attached directly. If you can easily obtain pigtails/mounts, I would definitely go for that - it would just feel bad leaving the top of a well constructed device exposed.

As to antenna placement: the standing waves I’m referring to have nodes at lambda/2 intervals, so roughly 12.5 and 6 cm (at 2.4 and 5 GHz). So you would want your antennas to be at an odd multiple of 3cm apart, so 3, 9, 15, etc. cm. And the problems mostly come from reflections, which are even more screwed up, so basically unless you’re placing them on a PCB in a small unit (and in that specific case it matters a lot!), as long as there’s 20-30 cm separation, placement really doesn’t matter much, and any effort to place them further will be in vain. (Unless of course you have some sort of obstruction, in which case the larger part of the area to be covered can be in line of sight of either antenna, the better.)

Thanks.
I spent some time today at the FCC website, trying to see those same radio patterns (above) for the NetMetal, and Box thing, but could NOT find the same diagram. Has anyone seen one for the NetMetal?

Would love to know what it’s horizontal coverage, and vertical coverage - look like.
It would tell me how high to ideally mount it up the tower, and still achieve “below coverage”, as well as the distance I am looking for.

Worst case - i go with the height, that is the same elevation as the highest point at the furthest distance…

Agree on the pigtails - I would do the same.
And then just use a non-reflective material mount, to do the distance idea you mentioned. (solid plastic or PVC)

The two antennas separated Is good ( the suggested two hgo-out are nonsense, too near each other to work correctly and they cannot be inclined) but not too far apart, the ideal distance is some multiple of the wavelength usually 3x of the 2.4GHz i.e. around 37 cm that Is roughly 6x the 5GHz wavelength, 4x or 50 cm can also be good, I wouldn’t set them much more apart than that