"No internet connection available" on CAPsMAN

bandini981 · March 8, 2021, 1:19pm

Hi,
sometimes clients disconnect from APs because of “No internet connection available” on the WiFi network.

Has anyone else had this problem?

Let me add some useful information about the network topology.
I have four CAPs:

Outside the build, outdoor installation
Ground floor
First floor
Second floor

Each CAP is connected by cable and carries three SSID (one real + two virtual); I know this may introduce some interference, but it worked fine until last week.

Here latest logs from CAPsMAN:
(from the client point of view, there is a disconnection due to “no internet connection available on WiFi network”)

08:45:11 192.xx.xx.xx caps,info XX:XX:XX:XX:07:F6@cap66 rejected, forbidden by access-list
08:45:30 192.xx.xx.xx caps,info XX:XX:XX:XX:07:F6@cap60 rejected, forbidden by access-list
08:45:32 192.xx.xx.xx caps,info XX:XX:XX:XX:07:F6@cap66 rejected, forbidden by access-list
08:45:42 192.xx.xx.xx caps,info XX:XX:XX:XX:07:F6@cap66 rejected, forbidden by access-list
08:45:44 192.xx.xx.xx caps,info XX:XX:XX:XX:07:F6@cap63 rejected, forbidden by access-list
08:45:47 192.xx.xx.xx caps,info XX:XX:XX:XX:07:F6@cap69 connected, signal strength -57
08:46:15 192.xx.xx.xx caps,info XX:XX:XX:XX:07:F6@cap69 disconnected, received deauth: sending station leaving (3)
08:48:03 192.xx.xx.xx caps,info XX:XX:XX:XX:07:F6@cap66 connected, signal strength -67
08:48:19 192.xx.xx.xx caps,info XX:XX:XX:XX:07:F6@cap60 connected, signal strength -54
08:48:19 192.xx.xx.xx caps,info XX:XX:XX:XX:07:F6@cap66 disconnected, registered to other interface
09:03:08 192.xx.xx.xx caps,info XX:XX:XX:XX:07:F6@cap60 disconnected, group key timeout
09:05:13 192.xx.xx.xx caps,info XX:XX:XX:XX:07:F6@cap60 connected, signal strength -50

Here some CAPsMAN configuration details:

/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=any signal-range=-80..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no interface=any signal-range=-120..-81 ssid-regexp=""

/caps-man configuration
add channel=channel1 datapath=loccal_forwarding_datapath datapath.arp=disabled hide-ssid=no mode=ap name=cfg1 rx-chains=0,1,2 security=security1 ssid=xxxxxxx tx-chains=0,1,2
add channel=channel6 datapath=loccal_forwarding_datapath hide-ssid=no mode=ap name=cfg6 rx-chains=0,1,2 security=security1 ssid=xxxxxxx tx-chains=0,1,2
add channel=channel11 datapath=loccal_forwarding_datapath hide-ssid=no mode=ap name=cfg11 rx-chains=0,1,2 security=security1 ssid=xxxxxxx tx-chains=0,1,2
add channel=channel3 datapath=loccal_forwarding_datapath datapath.vlan-id=10 datapath.vlan-mode=use-tag hide-ssid=yes mode=ap name=cfgSmartWifi security=security2 ssid=YYYYY
add channel=channel5 datapath=loccal_forwarding_datapath datapath.vlan-id=50 datapath.vlan-mode=use-tag hide-ssid=yes mode=ap name=cfgCameraWiFi security=security2 ssid=ZZZZZ

/caps-man datapath
add arp=reply-only client-to-client-forwarding=yes local-forwarding=yes name=loccal_forwarding_datapath

/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2412 name=channel1
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2437 name=channel6
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2462 name=channel11
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2422 name=channel3
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2432 name=channel5

/caps-man provisioning
add action=create-enabled comment="CAP 1" master-configuration=cfg1 radio-mac=XX:XX:XX:XX:D8:FD slave-configurations=cfgCameraWiFi,cfgSmartWifi
add action=create-enabled comment="CAP 2" master-configuration=cfg6 radio-mac=XX:XX:XX:XX:0D:A9 slave-configurations=cfgCameraWiFi,cfgSmartWifi
add action=create-enabled comment="CAP 3" master-configuration=cfg11 radio-mac=XX:XX:XX:XX:5A:7C slave-configurations=cfgCameraWiFi,cfgSmartWifi
add action=create-enabled comment="CAP 4" master-configuration=cfg1 radio-mac=XX:XX:XX:XX:E3:5E slave-configurations=cfgCameraWiFi,cfgSmartWifi

/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=security1
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=security2

/ip dns
set allow-remote-requests=yes max-concurrent-queries=1000 max-concurrent-tcp-sessions=200 servers=1.1.1.1,8.8.8.8,9.9.9.9,208.67.220.220,208.67.222.222,8.8.4.4,1.0.0.1

Many thanks,

ML

erlinden · March 8, 2021, 1:37pm

Couple of things (that might help):

Only use WPA2-AES, nothing else
Only use channels 1, 6 and 11. Anything in between will cause interference
Get rid of the access-list…any (modern) client will handle this themselves
Disable 802.11b, just keep 802.11g/n

What version of RouterOS are you running?
What MikroTik hardware is involved?

bandini981 · March 8, 2021, 2:07pm

Hi,
I've applied your suggestions and going to test it.
In the meanwhile, CAPsMAN is RB760iGS. Three CAPs are RB941-2nD and the external one is RouterBOARD wAP 2nD r2. All of them are running 6.48.1 Firmware version.

Thanks