ROS v3.10 VirtualAP problem

Hi, this is my first post on this forum. I’m from Indonesia and my English is bad… sorry :laughing:

I started my WISP using MT’s RB & ROS in 2006, and all my problems were solved just by following suggestions in this forum and MT’s wiki. Currently I have 7 APs using various RBs (1x RB532, 3x RB153, 3x RB133) running well with ROS v2.9.51. I have 100+ customers connected to these 7 APs; 10 are RB112 and the rest are Linksys WRT54GL running OpenWRT WhiteRussian 0.9.

I want to upgrade my APs one by one with faster RBs to get better throughput. The choice is the RB600, so I bought one. My plan is to replace the RB532 (the one with the most CPEs connected, 2 RB112 & 42 Linksys) with this new RB600 and move the RB532 to another location. Before airing, I tried the new RB600 off ground using the same configuration as the production machine RB532, except the ROS was v3.10 not v2.9.15, and with the same Linksys CPE configuration as at my customer side.

The problem is: the Linksys cannot connect to the new RB600 VirtualAP (it does connect when I try the master interface). The log message is “@wlan.BROADBAND: disconnected, unicast key exchange timeout”, something I’ve never seen before. The security profile is WPA tkip.

Out of curiosity, I tried upgrading one of my APs (RB153, the nearest one with the fewest customers, only 4 Linksys connected) to ROS v3.10 and firmware 2.15. The same problem happened (before and after the firmware upgrade). (OK, no problem with this one: I downgraded to ROS v2.9.51 firmware 2.12 and everything is back to normal.)

The question is: is there a problem with ROS v3.10 VirtualAP? Or has anything changed in VirtualAP from 2.9.51 to 3.10? I need this feature and have been using it since my WISP first started running to divide customers into 3 classes (Dedicated customers using RBs [master iface], Broadband/Personal using Linksys+PPPoE [vap] and Hotspot [vap]), then EoIP it from the APs to the authentication server at the NOC. And I need to replace the APs without major changes to those Linksys CPEs (maybe some minor change that can be done remotely before replacing the AP would be acceptable), as it would cost a lot and be a lot of pain to replace or reconfigure those 42 → 100+ CPEs.

TIA.

UPDATE:
Linksys WRT54GL & Asus WL-520GU using DD-WRT seem OK connecting to the v3.10 VAP. But I still believe there’s something different between the VAP on v2.9.51 and on v3.10 that causes OpenWRT to fail to connect. I have tried different mPCI R52/SR2 on the AP, with the same result. So I think this is a software-related problem between RouterOS v3.10 and OpenWRT.

I will try to get a second opinion from an OpenWRT guy and post it here.

No, there is no difference. Try to use AES-CCM instead of TKIP, probably it will work better.

Thanks for the reply, sergejs, but the problem is still there. I have tried combinations of security profiles using WPA2/tkip, WPA2/aes-ccm, WPA/tkip, WPA2/aes-ccm with no good results.

I’ve also posted this problem (with a link to this thread) to the OpenWRT forum, but I don’t expect much of a reply from them, and I’m sure the answer will be “go ask Mikrotik Support”. I hope you guys from Mikrotik will not answer the same, “go ask OpenWRT” :laughing: (sorry, this is a joke, it’s almost 6 am here and I haven’t slept yet).

OK, since I purchased this RB600 from a reseller in Indonesia, I’ve also asked for their support, and I hope this community can give me a hint too on how to solve this problem.

So far I have tried these setups:

  1. RB112, RB153, RB133, RB532 with ROS v2.9.51 VirtualAP :
    Linksys + OpenWRT (security profile WPA or WPA2, tkip or aes-ccm) [OK]
    Linksys/Asus + DD-WRT (security profile WPA or WPA2, tkip or aes-ccm) [OK]

  2. RB600, RB153, RB112 with ROS v3.10 VirtualAP :
    Linksys + OpenWRT (security profile WPA or WPA2, tkip or aes-ccm) [FAILED]
    Linksys/Asus + DD-WRT (security profile WPA or WPA2, tkip or aes-ccm) [OK]

  3. RB600, RB153, RB112 with ROS v3.10 master interface (the real AP not VirtualAP)
    Linksys + OpenWRT (security profile WPA or WPA2, tkip or aes-ccm) [OK]
    Linksys/Asus + DD-WRT (security profile WPA or WPA2, tkip or aes-ccm) [OK]

This is my current wireless configuration on the RB600 with ROS v3.10:

/interface wireless security-profiles
add authentication-types=wpa-psk group-ciphers=tkip group-key-update=5m \
    interim-update=0s mode=dynamic-keys name=broadband radius-eap-accounting=\
    no radius-mac-accounting=no radius-mac-authentication=no \
    radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX \
    radius-mac-mode=as-username static-algo-0=none static-algo-1=none \
    static-algo-2=none static-algo-3=none static-key-0="" static-key-1="" \
    static-key-2="" static-key-3="" static-sta-private-algo=none \
    static-sta-private-key="" static-transmit-key=key-0 supplicant-identity=\
    "" tls-certificate=none tls-mode=no-certificates unicast-ciphers=tkip \
    wpa-pre-shared-key=***hideme*** \
    wpa2-pre-shared-key=""

^ I have also tried to change group-key-update to 1 hour.

/interface wireless
set 1 ack-timeout=dynamic adaptive-noise-immunity=none allow-sharedkey=no \
    antenna-gain=0 antenna-mode=ant-a area="" arp=enabled band=2.4ghz-b/g \
    basic-rates-a/g=6Mbps basic-rates-b=1Mbps burst-time=disabled comment="" \
    compression=no country=indonesia default-ap-tx-limit=0 \
    default-authentication=yes default-client-tx-limit=0 default-forwarding=\
    yes dfs-mode=none disable-running-check=no disabled=no \
    disconnect-timeout=3s frame-lifetime=0 frequency=2452 frequency-mode=\
    manual-txpower hide-ssid=no hw-retries=7 mac-address=00:15:6D:XX:XX:XX \
    max-station-count=100 mode=ap-bridge mtu=1500 name=wlan.DEDICATED \
    noise-floor-threshold=default on-fail-retry-time=100ms \
    periodic-calibration=default periodic-calibration-interval=60 \
    preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=AP01-NEW \
    rate-set=default scan-list=default security-profile=dedicated \
    ssid=DEDICATED station-bridge-clone-mac=00:00:00:00:00:00 \
    supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
    supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps tx-power=15 tx-power-mode=\
    card-rates update-stats-interval=disabled wds-cost-range=50-150 \
    wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no wds-mode=\
    disabled wmm-support=disabled

^ that is the master interface.

add area="" arp=enabled comment="" default-ap-tx-limit=0 \
    default-authentication=yes default-client-tx-limit=0 default-forwarding=\
    yes disable-running-check=no disabled=no hide-ssid=no mac-address=\
    02:15:6D:XX:XX:XX master-interface=wlan.DEDICATED max-station-count=200 \
    mtu=1500 name=wlan.BROADBAND proprietary-extensions=post-2.9.25 \
    security-profile=broadband ssid=BROADBAND \
    update-stats-interval=disabled wds-cost-range=0 wds-default-bridge=none \
    wds-default-cost=0 wds-ignore-ssid=no wds-mode=disabled wmm-support=\
    disabled

^ that is the VirtualAP.

/interface wireless manual-tx-power-table
set wlan.DEDICATED comment="" manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,1\
    1Mbps:17,6Mbps:17,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:\
    17,54Mbps:17,HT20-1:0,HT20-2:0,HT20-3:0,HT20-4:0,HT20-5:0,HT20-6:0,HT20-7:\
    0,HT20-8:0,HT40-1:0,HT40-2:0,HT40-3:0,HT40-4:0,HT40-5:0,HT40-6:0,HT40-7:0,\
    HT40-8:0"

/interface wireless nstreme
set wlan.DEDICATED comment="" disable-csma=no enable-nstreme=no \
    enable-polling=no framer-limit=3200 framer-policy=none

TIA.
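
An added example, not part of the original posts and not MikroTik's own tooling: a small parser for the export syntax quoted above that reports which wireless interfaces (master or VirtualAP) still use a WPA/TKIP security profile rather than the AES-CCM suggested in the reply. The sample export is constructed, and the values of the "dedicated" profile are assumed because the post does not show them.

```python
import re
import shlex

# Constructed sample in RouterOS export syntax, trimmed from the settings quoted
# in the post; the "dedicated" profile values are assumed (not shown in the post).
SAMPLE_EXPORT = r'''/interface wireless security-profiles
add authentication-types=wpa-psk group-ciphers=tkip group-key-update=5m \
    mode=dynamic-keys name=broadband unicast-ciphers=\
    tkip wpa-pre-shared-key=REDACTED
add authentication-types=wpa2-psk group-ciphers=aes-ccm mode=dynamic-keys \
    name=dedicated unicast-ciphers=aes-ccm wpa2-pre-shared-key=REDACTED
/interface wireless
set 1 mode=ap-bridge name=wlan.DEDICATED security-profile=dedicated
add master-interface=wlan.DEDICATED name=wlan.BROADBAND security-profile=\
    broadband ssid=BROADBAND
'''

def parse_export(text):
    """Return [(menu, verb, {param: value})] for every command in an export."""
    # The export wraps long lines with a trailing backslash, even mid-token.
    joined = re.sub(r"\\\n[ \t]*", "", text)
    menu, items = None, []
    for line in map(str.strip, joined.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line  # a menu path applies to the commands that follow it
            continue
        verb, *args = shlex.split(line)
        items.append((menu, verb, dict(a.split("=", 1) for a in args if "=" in a)))
    return items

def audit(text):
    """Map each interface to its profile's WPA/TKIP settings (None: profile not in export)."""
    items = parse_export(text)
    profiles = {}
    for menu, _, p in items:
        if menu == "/interface wireless security-profiles":
            weak = [f"{k}=tkip" for k in ("unicast-ciphers", "group-ciphers")
                    if "tkip" in p.get(k, "").split(",")]
            if "wpa-psk" in p.get("authentication-types", "").split(","):
                weak.append("authentication-types=wpa-psk")
            profiles[p.get("name")] = weak
    return {p["name"]: profiles.get(p.get("security-profile", "default"))
            for menu, _, p in items
            if menu == "/interface wireless" and "name" in p}

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

An empty list means the interface's profile uses neither TKIP nor WPA-PSK; the VirtualAP inherits nothing from the master interface here, so each interface is checked against its own profile.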

I have the same problem on an RB532A with V3.11 using WPA2/AES: every 5 minutes around 15 clients (Edimax EW-7209APG) of 50 disconnect and reconnect.

What can be the problem? thx