Roast my config

I am getting more and more frustrated with the random disconnects:

[Screenshot 2024-11-25 164759.png]
This is the config (I took out a bunch of access list entries and scripts to make it easier to evaluate):

# 2024-11-25 16:42:55 by RouterOS 7.16.1
# software id = 5NRD-V1QF
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HDG0
/interface bridge add admin-mac=48:A9:8A:0F:04:8F auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface bridge add admin-mac=4A:A9:8A:0F:04:94 auto-mac=no name=bridge-guestwifi
/interface ethernet set [ find default-name=ether1 ] comment="To RB5009" poe-out=off
/interface ethernet set [ find default-name=ether3 ] comment=TV
/interface ethernet set [ find default-name=ether4 ] comment=TV
/interface wifi set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=all .width=20/40/80mhz configuration.antenna-gain=0 .country=Russia .mode=ap .ssid=Upstairs5g-0F0493 .tx-power=16 disabled=no security.authentication-types=wpa2-psk .disable-pmkid=yes .ft=yes .ft-over-ds=yes .management-protection=disabled .passphrase=XXXXX
/interface wifi set [ find default-name=wifi2 ] channel.band=2ghz-g .skip-dfs-channels=disabled .width=20mhz configuration.country="United States" .mode=ap .ssid=Upstairs-2G-0F0494 disabled=no security.authentication-types=wpa2-psk .disable-pmkid=yes .ft=yes .ft-over-ds=yes .management-protection=disabled .passphrase=XXXXX
/interface eoip add disabled=yes mac-address=02:88:47:EE:7A:47 name=eoip-tunnel-to-212-rb5009 remote-address=XXXXXX tunnel-id=101
/interface wifi add configuration.mode=ap .ssid=2point4 disabled=no mac-address=4A:A9:8A:0F:04:93 master-interface=wifi2 mtu=1500 name=2point4 security.authentication-types=wpa2-psk .disable-pmkid=yes .ft=yes .ft-over-ds=yes .management-protection=disabled .passphrase=XXXXX
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/interface list add include=all name=TRUSTED
/interface wifi configuration add datapath.client-isolation=yes disabled=no name=guestcfg security.authentication-types=wpa2-psk .disable-pmkid=yes .ft=yes .ft-over-ds=yes .passphrase=blueberry ssid=GuestWifi
/interface wifi add configuration=guestcfg configuration.mode=ap mac-address=4A:A9:8A:0F:04:94 master-interface=wifi2 name=Guest2g security.management-protection=disabled
/interface wifi add configuration=guestcfg configuration.mode=ap disabled=no mac-address=4A:A9:8A:0F:04:95 master-interface=wifi1 name=Guest5g security.management-protection=disabled
/ip pool add name=pool-guest ranges=10.0.0.10-10.0.0.252
/ip smb users set [ find default=yes ] disabled=yes
/queue type add fq-codel-interval=60ms fq-codel-limit=800 kind=fq-codel name=fq
/system logging action set 3 remote=192.168.0.13 syslog-severity=emergency
/system logging action add name=logserver remote=192.168.0.112 remote-port=51400 target=remote
/system logging action add name=Graylog remote=192.168.0.147 syslog-severity=emergency target=remote
/interface bridge port add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf interface=*6 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge interface=2point4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge interface=wifi1
/interface bridge port add bridge=bridge-guestwifi interface=Guest2g
/interface bridge port add bridge=bridge-guestwifi interface=Guest5g
/ip firewall connection tracking set udp-timeout=10s
/ip neighbor discovery-settings set discover-interface-list=TRUSTED
/interface bridge vlan add bridge=bridge disabled=yes vlan-ids=100
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add interface=bridge list=TRUSTED
/interface list member add interface=ether1 list=TRUSTED
/interface list member add interface=*6 list=TRUSTED
/interface list member add interface=wifi2 list=TRUSTED
/ip address add address=192.168.2.5/24 comment=defconf interface=bridge network=192.168.2.0
/ip address add address=10.10.10.5/24 disabled=yes interface=bridge network=10.10.10.0
/ip address add address=172.16.0.1/24 disabled=yes interface=*C network=172.16.0.0
/ip address add address=10.0.0.1/24 interface=bridge-guestwifi network=10.0.0.0
/ip address add address=10.0.0.1/24 disabled=yes interface=Guest5g network=10.0.0.0
/ip cloud set ddns-enabled=yes
/ip dhcp-server add address-pool=pool-guest interface=bridge-guestwifi name=dhcp-guestwifi
/ip dhcp-server add address-pool=pool-guest disabled=yes interface=Guest5g name=dhcp-guest5g
/ip dhcp-server network add address=10.0.0.0/24 dns-server=1.1.1.1 gateway=10.0.0.1
/ip dns set allow-remote-requests=yes cache-max-ttl=4w cache-size=32768KiB query-server-timeout=5s servers=1.1.1.1,8.8.8.8,9.9.9.9,8.8.4.4
/ip dns static add address=192.168.2.5 comment=defconf name=hapax3.212.local type=A
/ip dns static add address=10.0.0.1 comment=defconf name=router.lan type=A
/ip firewall address-list add address=10.0.0.2-10.0.0.254 list="Guest WiFi"
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="allow 67 68 to 10.0.0.1" dst-address=10.0.0.1 dst-port=67,68 log-prefix="allow 67 68  to 10.0.0.1" protocol=udp
/ip firewall filter add action=drop chain=input comment="drop all to 10.0.0.1" dst-address=10.0.0.1 in-interface=!lo log=yes log-prefix="drop all to 10.0.0.1"
/ip firewall filter add action=accept chain=input
/ip firewall filter add action=drop chain=forward comment="drop all 10.0.0.0/24 to not-WAN" disabled=yes log=yes log-prefix=drop-all-10-0-0-0-24-to-not-WAN out-interface-list=!WAN src-address=10.0.0.0/24
/ip firewall filter add action=drop chain=forward comment="drop guest to 192.168.0.0/16" dst-address=192.168.0.0/16 dst-port=!53,68,68 log=yes log-prefix=drop-guest-to-192-168-0-0-16 protocol=udp src-address-list="Guest WiFi"
/ip firewall filter add action=accept chain=forward
/ip firewall filter add action=accept chain=input disabled=yes
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" disabled=yes dst-address=127.0.0.1
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
/ip firewall filter add action=accept chain=forward disabled=yes in-interface-list=LAN log=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control add fri=0s-1d mon=0s-1d name=Monitor sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d wed=0s-1d
/ip route add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.2 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service set www-ssl disabled=no
/ip smb shares set [ find default=yes ] directory=/pub
/snmp set enabled=yes trap-version=2
/system clock set time-zone-name=America/New_York
/system identity set name=212hAP-Ax3
/system logging add disabled=yes topics=wireless
/system logging add action=logserver prefix="XXXXXC MikroTik" topics=hotspot
/system logging add action=logserver prefix="XXXXXC MikroTik" topics=!debug,!packet,!snmp
/system logging add topics=account
/system logging add action=remote prefix="192.168.2.5 " topics=info
/system logging add disabled=yes topics=dhcp
/system logging add action=Graylog topics=debug,packet,wireless,dns,netwatch,dhcp
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp client servers add address=192.168.2.2
/system ntp client servers add address=3.pool.ntp.org
/system ntp client servers add address=0.north-america.pool.ntp.org
/tool graphing resource add
/tool mac-server set allowed-interface-list=TRUSTED
/tool mac-server mac-winbox set allowed-interface-list=TRUSTED
/tool netwatch add disabled=no down-script=Netwatch host=1.1.1.1 http-codes="" interval=1m name=Netwatch-1.1.1.1 test-script="" type=simple up-script=Netwatch
/tool romon set enabled=yes
/tool sniffer set file-limit=10000KiB filter-dst-port=syslog filter-interface=all memory-limit=1000KiB
/user group add name=HA policy=reboot,read,write,policy,test,api,!local,!telnet,!ssh,!ftp,!winbox,!password,!web,!sniff,!sensitive,!romon,!rest-api

(I’m not really in Russia.)

  1. Is this router BEHIND the RB5009, in double NAT, or acting as a switch/AP
    OR
    Is this router in front of the Rb5009 and public IP facing.

  2. Why is this error showing??
    /interface bridge port add bridge=bridge comment=defconf interface=*6 internal-path-cost=10 path-cost=10

  3. Why do you have two bridges???

  1. Internet<–>Cable-Modem<–>RB5009<–>hAPax3 (acting as a switch/AP, I hope)
    [Screenshot 2024-11-26 062238.png]

  2. I believe this was created during the change to the qcom wireless package. I hadn’t seen it until you pointed it out. It is now gone.

  3. You’re going to (virtually) roll your eyes: The second bridge supports the guestwifi security/separation/isolation implementation.

Here is the problem, you want the hapax to be a simple AP switch, but then you try to add a second network behind the router.
This is not possible be it assigning a subnet to a WLAN, creating a second bridge etc…
The fact of the matter is you only have one subnet reaching the hapax3…

So the options are
a. make the hapax3 a router ( doable but a bit more complex ),
b. keep the hapax3 as an ap/switch and create two vlans on the 5009.
ONE for the home subnet, and one for the guest network.

This may be some additional work initially on the 5009, but you will have great flexibility moving forward to handle many networks/subnets easily.
I also prefer option b, because then you are creating a real separate path from guest user to internet, whereas in a. eventually the guest users will be hitting the home subnet before going out the RB5009 router.
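The two-VLAN layout of option b, written out as an added example rather than anything posted in the thread; it keeps the home subnet untagged on the ether1 link, assumes VLAN id 20 for guests, and assumes ether2 on the RB5009 is the port cabled to the hAP ax3:

```routeros
# Added example (not from the thread): option b with the smallest change.
# Home traffic stays untagged on the ether1 link; only the guest SSIDs are
# tagged into VLAN 20 (an assumed id) and routed/firewalled by the RB5009.

# ---- hAP ax3 (AP/switch): one bridge, no guest subnet terminated here ----
/ip address remove [ find interface=bridge-guestwifi ]
/ip dhcp-server remove [ find interface=bridge-guestwifi ]
/interface bridge port remove [ find bridge=bridge-guestwifi ]
/interface bridge remove bridge-guestwifi

# Guest SSIDs become access ports of VLAN 20; every other port keeps pvid 1 (home)
/interface bridge port
add bridge=bridge interface=Guest2g pvid=20
add bridge=bridge interface=Guest5g pvid=20

# VLAN 20 leaves toward the RB5009 tagged on ether1; the VLAN 1 entry is derived from pvid
/interface bridge vlan
add bridge=bridge tagged=ether1 untagged=Guest2g,Guest5g vlan-ids=20

# Enable filtering last, from a console session, after checking the table above
/interface bridge set bridge vlan-filtering=yes

# ---- RB5009 (router): terminate VLAN 20 and keep it off the home subnet ----
# Assumes ether2 is the port cabled to the hAP ax3 and is already a member of "bridge"
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
/interface vlan
add interface=bridge name=vlan20-guest vlan-id=20
/ip pool add name=pool-guest ranges=10.0.0.10-10.0.0.252
/ip address add address=10.0.0.1/24 interface=vlan20-guest network=10.0.0.0
/ip dhcp-server add address-pool=pool-guest interface=vlan20-guest name=dhcp-guest
/ip dhcp-server network add address=10.0.0.0/24 dns-server=1.1.1.1 gateway=10.0.0.1
# Guest may only reach the internet: anything leaving toward a non-WAN interface is dropped
/ip firewall filter add chain=forward action=drop in-interface=vlan20-guest \
    out-interface-list=!WAN comment="guest to internet only" place-before=0
/interface bridge set bridge vlan-filtering=yes
```

After this, the guest address-list and the 10.0.0.1 input rules left on the hAP ax3 no longer match anything and can be removed; the guest subnet exists only on the RB5009.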

Are your comments related to the guest wifi network?

My post was only about the wifi disconnects.

But, as for the guest wifi set, it seems to work. I could be wrong, but it sure seems to be working fine.

Perhaps I spoke too soon when I stated that the ax3 was just a switch/AP. Having 2 networks would be one (of a couple of) indication that it is acting as a router, right?

You are in charge, not the MT device LOL. You decide based upon requirements.
What I see is a two vlan requirement spanning 5009 to HAPAX3 (setup as an AP/switch)

It is the logical choice.
The only reason I would make the hapax3 as a router is if I wanted to use it for wireguard and not the 5009

The ax’s initial purpose is to provide nothing more than wifi connectivity (i.e., AP).

And, having given up on VLANs, for the sole reason that I am incapable of learning them (despite very much wanting to be able to master them), I implemented the guestwifi dual-bridge solution.

For now, why am I experiencing frequent disconnections?

  • You have two different countries set for 2.4 and 5G. It might not come up as an error, but I suspect this is not possible and ROS will pick one arbitrarily.

5GHz:

  • Do not skip ALL DFS channels. This reduces the list of available channels quite a bit. I would use the default and see if you are ok with the time it takes at boot up to scan 5G. If the time is too long, you can reduce channels to only 20/40MHz, which might anyhow be a good idea if you have disconnects. Or you can then decide to skip 10min DFS channels and keep 80MHz.
  • I would not change gain and TX power settings. The device will use maximum values already (but make sure you correct the country setting).

2.4GHz:

  • Why not use 11ax (it includes b/g/n as well)? It provides superior performance compared to G only.

I was indeed playing around with different countries, frequencies, tx power, etc.

I don’t know about ROS not liking a different country for each band. I would be equally unsurprised if it is just fine or completely rejected.

As for the frequencies (and relatedly DFS), this location is extremely wifi RF dense, so choosing a freq is important.

As for the TX power, I tried various levels to see if any level would reduce the disconnects (none did).

As for 11g vs. n or AX, this also was experimenting to reduce the disconnects, but also because of IoT devices that might or might not have a problem with AX.