Issue with 2.4GHz Wi-Fi on hAP ax² After Upgrade to RouterOS 7.18.1

RouterOS General
1

I recently upgraded my MikroTik hAP ax² to RouterOS 7.18.1, and since then, I have been experiencing an issue with the 2.4GHz Wi-Fi network. My devices can see the SSID “M2”, but they are unable to connect.

I have tested multiple devices, including:
Android smartphone
Linux PC
MacBook
None of them can establish a connection. The 5GHz network is working fine.
I performed a full reset of the settings and applied the default configuration, but this did not resolve the problem.

To help diagnose the issue, here is my current configuration output:

 
  # 2025-03-11 23:08:07 by RouterOS 7.18.1
# software id = BHIS-LVZ7
#
# model = C52iG-5HaxD2HaxD
# serial number = ************
/interface bridge
add admin-mac=48:A9:8A:DF:D2:16 auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=M5 disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=ap .ssid=M2 disabled=no security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=10.10.1.20-10.10.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/user group
add name=monitoring policy="read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.10.1.1/24 comment=defconf interface=bridge network=10.10.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.10.1.10 client-id=1:d8:3a:dd:68:df:23 mac-address=**REDACTED** server=defconf
/ip dhcp-server network
add address=10.10.1.0/24 comment=defconf dns-server=10.10.1.10 gateway=10.10.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=10.10.1.10
/ip dns static
add address=10.10.1.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack6" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Kiev
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
2

remove this as its not needed if using 2 different SSIDs

.ft=yes .ft-over-ds=yes

Also i cant see a security configuration? Like a Passphrase but you’re using wpa2/wpa3 so im guessing you didnt use “show-sensitive”?

Got something in the logs?

3

Thank you for the advice, I have disabled these settings.

Here is more detailed information with the show-sensitive flag.

# 2025-03-13 21:33:47 by RouterOS 7.18.2
# software id = BHIS-LVZ7
#
# model = C52iG-5HaxD2HaxD
# serial number = ************
/interface bridge
add admin-mac=**:**:**:**:**:** auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=M5 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=no .ft-over-ds=no \
    .passphrase=********
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.mode=ap .ssid=M2 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=no .ft-over-ds=no \
    .passphrase=********
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=10.10.1.20-10.10.1.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/user group
add name=monitoring policy="read,api,!local,!telnet,!ssh,!ftp,!reboot,!write,!\ 
    policy,!test,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api"
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.10.1.1/24 comment=defconf interface=bridge network=10.10.1.0
/ip dhcp-client
add comment=defconf interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=10.10.1.10 client-id=1:**:**:**:**:**:** mac-address=\
    **:**:**:**:**:** server=defconf
/ip dhcp-server network
add address=10.10.1.0/24 comment=defconf dns-server=10.10.1.10 gateway=\
    10.10.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=10.10.1.10
/ip dns static
add address=10.10.1.1 comment=defconf name=router.lan type=A
...
/system clock
set time-zone-name=Europe/Kyiv
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

This configuration was obtained after a factory reset through the MikroTik interface and setting up Quick Setup. I wanted to rule out any of my mistakes.


I also just attempted to connect to the 2.4 network, and here’s what the log looks like:

2025-03-13 21:43:13 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:43:13 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:43:14 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:43:14 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:43:29 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:43:30 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:43:30 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:43:30 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:43:39 wireless,debug ************@wifi2 authentication timeout
2025-03-13 21:43:43 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:43:43 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:43:43 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:43:44 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:43:56 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:43:57 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:43:57 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:43:57 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:44:02 wireless,debug ************@wifi2 authentication timeout
2025-03-13 21:44:10 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:44:10 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:44:10 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:44:10 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:44:14 wireless,debug ************@wifi1 associated, signal strength -49
2025-03-13 21:44:14 wireless,info ************@wifi1 connected, signal strength -49
2025-03-13 21:44:27 wireless,info ************@wifi1 disconnected, connection lost, signal strength -46
2025-03-13 21:44:27 wireless,debug ************@wifi1 disassociated, connection lost, signal strength -46
2025-03-13 21:44:29 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:44:30 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:44:30 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:44:30 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:44:38 wireless,debug ************@wifi2 authentication timeout
2025-03-13 21:44:39 wireless,debug ************@wifi1 associated, signal strength -44
2025-03-13 21:44:39 wireless,info ************@wifi1 connected, signal strength -44
2025-03-13 21:44:43 wireless,info ************@wifi1 disconnected, connection lost, signal strength -49
2025-03-13 21:44:43 wireless,debug ************@wifi1 disassociated, connection lost, signal strength -49
2025-03-13 21:44:43 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:44:43 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:44:44 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:44:44 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:44:52 wireless,debug ************@wifi1 associated, signal strength -39
2025-03-13 21:44:53 wireless,info ************@wifi1 connected, signal strength -39
2025-03-13 21:44:56 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:44:56 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:44:57 wireless,debug ************@wifi2 reauthenticating
2025-03-13 21:44:57 wireless,debug ************@wifi2 reauthenticating
4

Well first you should set a country.
Default is Latvia

Is it always the same device on wifi2?
Like do you just have one connected and that one keeps losing the connection? Or do you have multiple with the same issue at the same time?

5

I returned the country, now it’s Ukraine. I wanted to check if this would have an effect.

Here’s how the problem looks:
Through Quick Setup, I created two Wi-Fi networks. The 5 GHz works steadily and correctly.
The 2.4 GHz network is visible, but no device can connect to it
The connection process lasts for a few seconds and then stops

I used the 2.4 GHz for old smart home devices, and the Wi-Fi was working before.
I’ve had this router for a year, but I only recently noticed the issue with the 2.4 GHz Wi-Fi

6

I have this precise problem and can’t seem to fix it, whatever I did. Pretty annoying to be honest.
My old and IoT devices can’t connect at all.

7

hAP ax3 - similar story, started after upgrade to 7.18.2. Few minutes after restart 2.4GHz radio is “working” - I can see the SSIDs from my PC, phone etc but could not connect. But then it disappearing, in logs - nothing interesting even in debug mode.
Also tried 7.19beta6 - same issue. Created support ticket - SUP-184002, attached my supout.rif there.
image_2025-03-30_002127442.png

8

Downgraded to 7.16.1 - still the same issue..

9

Perform:

/interface wifi
reset numbers=1

/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2460 name=CHAN-2G reselect-interval=1d..1d12h width=20mhz

/interface wifi
set [ find default-name=wifi2 ] channel=CHAN-2G configuration.country=Ukraine .mode=ap .ssid=M2 \
    security.authentication-types=wpa2-psk,wpa3-psk .passphrase=[don't forget to fill it in]
10

Did downgrades one by one till 7.13, then did factory reset, then installed 7.19beta6 again with upgrading routerboard firmware.
Then had issues with restoring config from rsc file, edited it manually.
And finally - it stared working.. I don’t know what to say, and what was the reason tbh…

11

Thanks! Your advice to roll back to a version no higher than 7.13 (I rolled back to 7.12.2), do a full reset, and then upgrade to the latest stable version, 7.18.2, helped fix the issue.

Also, during the rollback process, I realized it’s vital to download both the RouterOS-7.12.2 and WiFiwave2-7.12.2 packages.
Before downgrading, you need to disable the wifi-qcom package, otherwise, the downgrade won’t proceed.


I hope these tips will help others quickly resolve the issue if they come across this thread.

12

Have you tried just updating to 7.18 via netinstall?

13

It stopped working again on 04/04. So it worked less than a week for me, without any changes. That’s what I have now:
image_2025-04-10_211514991.png
Trying to investigate again.. And I have only in-memory logs, so no indication what happened on 04.04

And it’s not about tricky configuration for picky old devices, I have both: old web cam and new shiny MediaTek Wi-Fi 6E MT7922 160MHz Wireless LAN Card.
Both can’t connect to 2.4GHz WiFi, while 5GHz works as expected.

Windows says the same as in prev. time:

WLAN AutoConfig service failed to connect to a wireless network.

Network Adapter: 
Interface GUID: {...}
Connection Mode: Manual connection with a profile
Profile Name: ...
SSID: ...
BSS Type: Infrastructure
Failure Reason:The specific network is not available.
RSSI: 255
14

Have you performed a “Freq. Usage” scan? Especially when this is happening?

15

I saw it several days after it stopped working. So no - I had no chance to do it.
I have one device on 2.4GHz WiFi that periodically sends some data to server. And in Grafana I identified that data transfer stopped 04/04.

But I fixed it now:

  • Reboot - didn’t help


  • Upgrade from 7.19beta6 to 7.19beta8 - didn’t help


  • Upgrade firmware, same versions - didn’t help


  • Backup → Reset (preserving Users, no default config so I connected by MAC later) → Restore - it started working

Again, have no idea about the reason, but there is definitely something happening to the radio.

16

Btw previous time I used direct manual configuration of primary & virtual WiFi.
This time I was using provisioning from configuration (no CAP).
So seems like it does not matter how you configure the radio.

Enabled debug logging to file. May be it will show something.

And frequency-scan and spectral-scan at this moment of time for the history (configuration set to use Ch1, 2412MHz, for compatibility with old devices):

# 2025-04-10 22:49:20 by RouterOS 7.19beta8
# software id = TYMQ-0Y5X
#
Flags: P - PRIMARY; S - SECONDARY
Columns: CHANNEL, NETWORKS, LOAD, NF, MAX-SIGNAL, MIN-SIGNAL
   CHANNEL  NETWORKS  LOAD  NF   MAX-SIGNAL  MIN-SIGNAL
      2412            18%   -74                        
P     2417         1  26%   -74  -60         -60       
      2422            13%   -74                        
      2427            7%    -74                        
      2432            1%    -75                        
 S    2437                  -75                        
      2442            1%    -75                        
      2447            1%    -76                        
      2452            1%    -76                        
      2457            1%    -76                        
      2462            1%    -77                        
      2467                  -78                        
      2472                  -79                        

# 2025-04-10 22:50:25 by RouterOS 7.19beta8
# software id = TYMQ-0Y5X
#
Columns: FREQ, MAGN, PEAK, GRAPH
FREQ    MAGN  PEAK  GRAPH                                                       
2404.5  -79   -56   ::::::::::::.......................                         
2409.5  -75   -49   ::::::::::::::::..........................                  
2414.5  -74   -56   :::::::::::::::::..................                         
2419.5  -76   -55   :::::::::::::::.....................
17

Same issue again. Now I managed to collect supout.rif and add it to my ticket.

Fixed manually but relatively quickly - backup → reset (preserving users, no default config) → restore

# 2025-04-13 00:38:32 by RouterOS 7.19beta8
# software id = TYMQ-0Y5X
#
Flags: P - PRIMARY; S - SECONDARY
Columns: CHANNEL, NETWORKS, LOAD, NF, MAX-SIGNAL, MIN-SIGNAL
   CHANNEL  NETWORKS  LOAD  NF   MAX-SIGNAL  MIN-SIGNAL
P     2412         1  3%    -80  -72         -72       
P     2417         1  3%    -80  -63         -63       
      2422            1%    -81                        
      2427            2%    -82                        
      2432            1%    -83                        
PS    2437         1  3%    -83  -73         -73       
      2442            1%    -83                        
      2447            1%    -83                        
      2452                  -82                        
      2457            1%    -82                        
      2462            1%    -82                        
      2467                  -83                        
      2472            1%    -85                        
# 2025-04-13 00:39:01 by RouterOS 7.19beta8
# software id = TYMQ-0Y5X
#
Columns: FREQ, MAGN, PEAK, GRAPH
FREQ    MAGN  PEAK  GRAPH                                                       
2404.5  -80   -68   :::::::::::............                                     
2409.5  -77   -54   ::::::::::::::.......................                       
2414.5  -76   -48   :::::::::::::::............................                 
2419.5  -78   -53   :::::::::::::.........................
18

Okay, now I have exactly the same issue. I tried to backup → reset → restore twice, it didn’t work. Then I run frequency-scan aaaand:

Flags: P - PRIMARY; S - SECONDARY
Columns: CHANNEL, NETWORKS, LOAD, NF, MAX-SIGNAL, MIN-SIGNAL
   CHANNEL  NETWORKS  LOAD  NF   MAX-SIGNAL  MIN-SIGNAL
P     2412         1  99%   -75  -71         -71       
P     2417         1  99%   -76  -62         -62       
      2422            99%   -76                        
      2427            97%   -77                        
 S    2432            92%   -77                        
 S    2437            77%   -78                        
      2442            46%   -79                        
      2447            16%   -79                        
      2452            4%    -79                        
      2457            1%    -80                        
      2462            1%    -80                        
      2467            1%    -80                        
      2472            1%    -82

So I switched temporarily channel to 2452. It started working. Just that one of oldest devices that expect ch 1 won’t be able to connect now…
It would be interesting to use something like RTL-SDR to look what is going on in the air.

19

Interesting, it still looks the same…

Flags: P - PRIMARY; S - SECONDARY
Columns: CHANNEL, NETWORKS, LOAD, NF, MAX-SIGNAL, MIN-SIGNAL
   CHANNEL  NETWORKS  LOAD  NF   MAX-SIGNAL  MIN-SIGNAL
      2412            99%   -75                        
P     2417         1  99%   -75  -62         -62       
      2422            99%   -76                        
      2427            99%   -76                        
      2432            99%   -77                        
 S    2437            96%   -77                        
      2442            87%   -77                        
      2447            59%   -78                        
      2452            20%   -78                        
      2457            1%    -78                        
      2462                  -79                        
      2467                  -80                        
      2472            1%    -81
20

Received signal strength (-62dB) indicates that “interferer” is either “ordinary AP” physically placed very close to your hAP ax2 … or a high-gain PtP link (probably operating at illegsl Tx power levels) with line betwern link peers going right through your hAP ax2. And either operating with 40MHz bandwidth (20+20MHz; channels 2+6) which is insanity to do in 2.4GHz by itself. In previous scan there seemed to be another similar AP operating (channels 1+5) a bit further away (signal strength -71dB) which probably wouldn’t blick your hAP ax2 from starting to transmit but would interfere never the less.

The big problem is “load”, seen on channels (99%). WiFi radios tend to check “frequency” occupation and avoid transmitting while another device (AP, station) transmits (collisions are about the worst thing happening as none of receivers can receive their frames so everything has to be re-transmitted). And with 99% load a decently operating AP can not even transmit beacons and hence it can’t enable wifi interface. A “vicious” AP might start transmitting beacons anyway and thus “bully” well behaved APs and stations out of their channel.