Mikrotik AX2 and strange MacOS issue

Hello all,

I have owned an AX2 for quite a long time, 1+ year. For all this time I had no issues with the wifi connectivity at all (maybe I used only the 5GHz though, not sure :/). This changed in the last couple of days with a strange issue. The issue that I suddenly have now is that my MacBook Pro 2023 (macOS 14.6) can only connect to the 2.4GHz wifi of my AX2 once. If it tries to reconnect it will always fail with either “cannot join network” or it will just ask for the password every single time.

I think that the main reason that this happens is that the macbook somehow manages to save the connection as WPA3 personal even though when it asks for the wifi password it specifically states that this is WPA2 personal password.

I have tried multiple different configurations that I found in the forums here (like this one) or on the internet without success.

My AX2 runs on version: 7.22.2 stable and this is my config:

 2 M BR default-name="wifi2" name="wifi2" l2mtu=1560 mac-address=myaddress arp-timeout=auto radio-mac=myaddress 
        configuration.country=Norway .ssid="myssid" .mode=ap .beacon-interval=100ms .dtim-period=1 .station-roaming=no 
        security.authentication-types=wpa2-psk .group-encryption=ccmp .group-key-update=1h .disable-pmkid=yes .management-protection=allowed 
        .wps=disable .ft=yes .ft-over-ds=yes interworking.realms-raw="" 
        channel.band=2ghz-n .width=20mhz .skip-dfs-channels=all 
        steering.rrm=yes .wnm=yes

I experimented with many of these options, for example I heard that ft/ft-over-dns can cause issues so I disabled it. I also disabled the steering rrm and/or wnm at some point. I tried editing multiple different combinations of these configurations without any success.

I am aware that this might not be a Mikrotik issue exactly, since my Linux/Android/iOS devices can connect without issues, but if someone has had a similar issue and has any tips I would be really grateful :slight_smile:

I’m sure you’ve already tried this:

A. Forget the network (Wi-Fi SSID).

B. Restart the MacBook completely.

C. Reconnect to Wi-Fi.

but it helped me in a similar situation with the (hAP ax2) vs (MacBook Pro 2024 and Apple iPad 2023) :wink:

0 M BR default-name="wifi2" name="wifi.2GHz" l2mtu=1560 mac-address=XX arp-timeout=auto radio-mac=XX
configuration.mode=ap .ssid="X" .country=Superchannel .hw-protection-mode=rts-cts
security.authentication-types=wpa2-psk,wpa3-psk .wps=push-button .ft=yes .ft-over-ds=yes
channel.band=2ghz-ax .width=20mhz .reselect-interval=2h..4h

Unset "interworking.realms-raw" from the cli, it's a known issue that WinBox 3 creates this setting which breaks stuff.

Thank you for the response both!

@aldek
Indeed I tried to forget the network multiple times and reboot both the macbook and the ax2 multiple times.

Thanks for sharing the configuration, I might try to directly set the settings exactly as yours and see how it goes.

@whatever
I tried to unset the realms-raw:
[admin@MikroTik] /interface/wifi> unset 2 interworking.realms-raw

This also did not help :confused:

I still see that the saved network reports that it is wpa3 personal and I suppose that this is the main issue here :confused:

First, do not use "random" numbers on terminal.

Must be disabled, also because you do not use wpa3

So, paste this on terminal, and do not use WinBox 3 to set the device:

/interface wifi
set [find] !interworking.realms-raw
set [find] security.management-protection=disabled

But for all other errors like:

channel.band=2ghz-n

disable all other modes (g and ax)
it's another story.

DNS :wink: :joy_cat:

@rextended

I am not sure what you mean by random numbers here, number 2 is the ID of my 2.4ghz wifi interface.

And the DS→ DNS that you are talking about comes from the Mikrotik itself.

Anyway, your configuration actually works! So thanks a lot!

For future reference that is my configuration now:

default-name="wifi2" name="wifi2" l2mtu=1560 mac-address=myaddress arp-timeout=auto radio-mac=myaddress
configuration.country=Norway .ssid="greatwifi" .mode=ap .station-roaming=no
security.authentication-types=wpa2-psk .disable-pmkid=yes .management-protection=disabled .wps=disable .ft=no .ft-over-ds=no
channel.band=2ghz-n .width=20mhz .skip-dfs-channels=all
steering.rrm=yes .wnm=yes

I connected through SSH and ran the commands that you said, plus I set the band from ssh:

/interface/wifi

set 2 channel.band=2ghz-n 

Again 2 is the ID of the 2.4ghz wifi interface :slight_smile:

Out of curiosity, you said that this is a bug in winbox 3? So if I used only the command line to configure everything it should have been fine all this time?

PS: The macbook still shows the network as WPA3 personal even though it is a WPA2 network and even though now it works as expected :person_shrugging:

I had 2 APs, one a cAP XL ac and the other a hAP ax3 on the basement. On the first floor, even though the signal to the basement ax device was around 84db, my work laptop wanted to connect to it because it provided wpa3 against the wpa2 of the ac device which provided a signal of 48db. It stuck with the wpa3 instead of the signal quality. Dunno if you have a similar setup. But could be worth a check :wink:


Nope, that's all on you.

You disable g and ax (and "a" and "ac" if set like on 5GHz) when you set "only" n
You must set nothing for it to work with g/n/a/ac/ax on both interfaces (obv. "a" and "ac" on 5GHz only)
"b" is not supported.

/interface wifi
set [find] !channel.band

No, it's your typo; in the export it is ft-over-ds, but no problem, it's a joke.


It's not normal for "mac-address" and "radio-mac" to appear unless you've done a "export verbose", or you have changed original MACs.
I recommend always doing a normal "export", so the default parameters aren't listed.


Yes and no.
Winbox 3 on 7.22 creates this artifact:
interworking.realms-raw=""
and this artifact ONLY.
That setting prevents iOS devices (and evidently macOS ones, as it happened to you) from connecting/authenticating.
But the other misconfigurations are not coming from the use of WinBox 3; very likely you made them while attempting to troubleshoot the issue.


I hope that you're aware that these numbers are not constant, they are created dynamically by print command and are only valid until another print (can be in different config subtree) gets executed.

Correct way would be to run set [ find name="wifi2" ] channel.band=2ghz-n .

And again: the best practice is to unset the security.management-protection property altogether (don't set it to "disabled" or "allowed" or "required"); the default (which then depends on the actual security algorithm used by the station, e.g. wpa2 or wpa3) is most of the time just fine.
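
The three settings this thread ends up blaming (a leftover interworking.realms-raw, an explicitly set security.management-protection, and a pinned channel.band) can be checked mechanically against print detail output. The following is an added example, not code from any poster or from MikroTik; parse_detail, review and the sample text are constructed for illustration.

```python
import re

# key=value tokens; a key starting with "." continues the previous group.
TOKEN = re.compile(r'(?<!\S)(\.?[\w.-]+)=("[^"]*"|\S*)')

def parse_detail(text):
    """Expand RouterOS 'print detail' shorthand into full dotted keys."""
    props, group = {}, ""
    for key, value in TOKEN.findall(text):
        if key.startswith("."):
            key = group + key             # .ssid -> configuration.ssid
        elif "." in key:
            group = key.split(".", 1)[0]  # remember group for later ".x" keys
        props[key] = value.strip('"')
    return props

def review(props):
    """Return findings for the settings the thread identified as problematic."""
    findings = []
    if "interworking.realms-raw" in props:
        findings.append("interworking.realms-raw is set (WinBox 3 artifact): "
                        "unset it with !interworking.realms-raw")
    if "security.management-protection" in props:
        findings.append("security.management-protection is set explicitly: "
                        "unset it so the default follows wpa2/wpa3")
    band = props.get("channel.band")
    if band:
        findings.append(f"channel.band={band} pins one mode and disables the "
                        "others: unset it with !channel.band")
    return findings

# Constructed sample modelled on the first post's output (placeholders kept).
SAMPLE = '''
 2 M BR default-name="wifi2" name="wifi2" l2mtu=1560 mac-address=myaddress
        configuration.country=Norway .ssid="myssid" .mode=ap
        security.authentication-types=wpa2-psk .management-protection=allowed
        .wps=disable .ft=yes .ft-over-ds=yes interworking.realms-raw=""
        channel.band=2ghz-n .width=20mhz
'''

if __name__ == "__main__":
    for finding in review(parse_detail(SAMPLE)):
        print("-", finding)
```

Note that realms-raw is flagged on presence alone, since the empty string value is exactly the artifact described above.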

That makes sense yeah, thanks!

I now got what you guys are talking about, I did a silly typo indeed.

Interesting, I just print the interfaces with detail:

[admin@MikroTik] /interface/wifi> print detail

Oh right! Now it makes much more sense what happens! Thanks!

Well no, I thought that these are permanent ids actually! So it's really nice that you shared the correct way to do that, thanks :slight_smile:

As for the management-protection, what you said makes sense; after all, all this time it worked without any selection.

Thanks a ton to all the people that replied here, not only did I fix my issue but I learned a bit more about the configuration of my AX2, which is great!