Setting up wireless network with hAP ax3 and cAP ax

I am trying to setup a working wireless network at my house. My setup works for a short while and then it stops working.
I have hAP ax3 downstairs and cAP ax upstairs. Configured with CAPsMAN with one SSID.
First I tried without assigning fixed channels - it worked for a day, but on the next day I found out that both 5 GHz networks were set to the same frequency and I had connection issues.
So I read this thread here below and tried to set it up on fixed channels:
http://forum.mikrotik.com/t/capsman-setup-help-for-better-roaming/179713/1

Here is my current setup:

# 2024-12-05 20:56:25 by RouterOS 7.16.2

# One bridge carries the whole LAN. The WAN and LAN interface lists declared
# here are what the firewall rules further down in this export match on.
/interface bridge
# NOTE(review): admin-mac is empty, presumably blanked by the poster before
# publishing - confirm the real export carries a value.
add admin-mac= auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Fixed channel definitions: two 2.4 GHz channels at 20 MHz and two 5 GHz
# channels allowed to use up to 80 MHz.
# NOTE(review): 5500 and 5680 MHz both appear to fall in the range that needs
# DFS in ETSI regions - confirm for country=Poland; this matches the status
# comment on wifi1 below.
/interface wifi channel
add disabled=no frequency=2412 name="CH 1 (2412)" width=20mhz
add disabled=no frequency=2472 name="CH 13 (2472)" width=20mhz
add disabled=no frequency=5500 name="CH 100 (5500)" width=20/40/80mhz
add disabled=no frequency=5680 name="CH 136 (5680)" width=20/40/80mhz
# One security profile, referenced by all four configurations below.
# WPA2-PSK is the only authentication type offered; 802.11r fast transition
# (ft, ft-over-ds) is on and WPS is disabled at the profile level.
# NOTE(review): no passphrase is visible, presumably because the export hides
# sensitive values - confirm one is set and that it is long and random.
# NOTE(review): if every client supports it, adding wpa3-psk to
# authentication-types gives SAE, which is not exposed to offline guessing of
# the passphrase from a captured handshake the way WPA2-PSK is.
/interface wifi security
add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes name=sec1 \
    wps=disable
# Four AP-mode configurations with the same SSID and security profile, one per
# radio: hAP-2 / cAP-2 on the 2.4 GHz channels, hAP-5 / cAP-5 on the 5 GHz
# channels. Only cAP-5 sets tx-power.
/interface wifi configuration
add channel="CH 1 (2412)" country=Poland disabled=no mode=ap name=hAP-2 \
    security=sec1 ssid=gromek
add channel="CH 13 (2472)" country=Poland disabled=no mode=ap name=cAP-2 \
    security=sec1 ssid=gromek
add channel="CH 136 (5680)" country=Poland disabled=no mode=ap name=hAP-5 \
    security=sec1 ssid=gromek
add channel="CH 100 (5500)" country=Poland disabled=no mode=ap name=cAP-5 \
    security=sec1 ssid=gromek tx-power=16
# Local radios: wifi1 uses hAP-5 and wifi2 uses hAP-2.
# The "DFS channel availability check" line below appears to be a status
# comment written by the export for wifi1, not a setting.
/interface wifi
# DFS channel availability check (1 min)
set [ find default-name=wifi1 ] configuration=hAP-5 configuration.mode=ap \
    disabled=no
set [ find default-name=wifi2 ] configuration=hAP-2 configuration.mode=ap \
    disabled=no
# DHCP pool and server for the LAN bridge.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
# NOTE(review): these settings look like they publish any attached storage on
# the bridge automatically (media sharing and SMB). If no disk sharing is
# intended, set auto-smb-sharing and auto-media-sharing to no - confirm the
# exact behaviour against the RouterOS documentation for this version.
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
# ether1-ether4 and both local radios are bridge ports. ether5 is not bridged;
# it is the WAN member in the interface list below.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
# Neighbor discovery is limited to interfaces in the LAN list, so the router
# does not announce itself on the WAN port.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# LAN = the bridge, WAN = ether5. The firewall rules in this export match on
# these lists, so plugging the uplink into any other port would put it on the
# LAN side of the firewall.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether5 list=WAN
# CAPsMAN (central AP management) is enabled on this router.
# NOTE(review): require-peer-certificate=no means a connecting CAP does not
# have to present a certificate, so the manager hands the wifi configuration
# to any device that can reach it and asks. In this export reachability is
# limited by the input-chain rule that drops traffic not coming from LAN.
# Issuing certificates and setting require-peer-certificate=yes removes the
# reliance on that - confirm the procedure in the RouterOS docs.
/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=\
    none
# Provisioning rules: each one is keyed to a single radio MAC (redacted as
# XXXXX by the poster) and creates a dynamic, enabled interface from the named
# master configuration.
# NOTE(review): there are rules for hAP-5 and hAP-2 although wifi1 and wifi2
# are also configured directly under /interface wifi; whether these two rules
# ever match depends on the redacted MACs - confirm.
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=hAP-5 \
    radio-mac=XXXXX
add action=create-dynamic-enabled disabled=no master-configuration=hAP-2 \
    radio-mac=XXXXX
add action=create-dynamic-enabled disabled=no master-configuration=cAP-5 \
    radio-mac=XXXXX
add action=create-dynamic-enabled disabled=no master-configuration=cAP-2 \
    radio-mac=XXXXX
# Router address on the LAN bridge.
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
# The WAN address is obtained by DHCP on ether5.
/ip dhcp-client
add comment=defconf interface=ether5
# LAN clients are handed the router itself as gateway and DNS server.
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts. In this export, what keeps it from answering WAN-side queries is the
# input-chain rule that drops traffic not coming from LAN; keep that rule in
# place whenever this is enabled.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
# IPv4 filter rules (the defconf set). Rules are evaluated in the order listed,
# so the order below is part of the policy.
/ip firewall filter
# Input chain (traffic addressed to the router itself): accept return traffic,
# drop invalid, accept ICMP and loopback, then drop everything that did not
# arrive on a LAN interface. There is no rule restricting LAN hosts, so any
# service the router runs is reachable from the LAN, including wifi clients.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain (traffic routed through the router): IPsec policy matches and
# return traffic are accepted, invalid is dropped, and the last rule drops new
# connections from WAN unless they were dst-nat'ed. Nothing here restricts
# LAN-originated traffic.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Source NAT: masquerade traffic leaving via WAN that is not matched by an
# outbound IPsec policy.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# Address list of IPv6 prefixes that should never appear as a source or
# destination of forwarded traffic; used by the two bad_ipv6 drop rules in the
# forward chain below.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# IPv6 filter rules (the defconf set), evaluated in the order listed.
/ipv6 firewall filter
# Input chain. The accepts for UDP traceroute, IKE, AH and ESP sit above the
# final "not coming from LAN" drop and carry no interface match, so they apply
# to WAN-side traffic as well.
# NOTE(review): if the router terminates no IPsec tunnels, disabling the IKE,
# AH and ESP accepts narrows what the router answers to from the WAN.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
# Forward chain. There is no NAT in front of IPv6 hosts, so the final drop of
# everything not coming from LAN is what keeps unsolicited inbound connections
# away from LAN devices. The ICMPv6, HIP, IKE, AH and ESP accepts above it are
# forwarded to LAN hosts from any interface.
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system note
set show-at-login=no
# The mode button runs the dark-mode script defined below.
/system routerboard mode-button
set enabled=yes on-event=dark-mode
# The physical WPS button is enabled and runs the wps-accept script.
# NOTE(review): the wifi security profile in this export sets wps=disable, so
# the two settings disagree. If WPS is not wanted, set enabled=no here as well
# so that a button press cannot start a WPS session - confirm how the two
# settings interact on this RouterOS version.
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
# dark-mode: toggles the all-leds-off setting between "never" and "immediate".
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
# wps-accept: calls wps-push-button on every wifi interface that is enabled and
# has configuration.mode set to ap.
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"a\
    p\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
# MAC-layer management access (mac-server and MAC-Winbox) is limited to
# interfaces in the LAN list, which keeps it off the WAN port.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

It worked fine for a day, but now I have found that the 5 GHz wifi on freq. 5680 is not available anymore. First I saw a message like “could not load the channel” (or something similar), and now I see “DFS channel availability check (1min)” - it has been showing for an hour now…
What am I doing wrong?
Maybe I should set a secondary frequency on each Channel definition?
Or shall I go back to not defining fixed channels? But then why does it set the same channels/frequencies on both 5 GHz networks on its own?

Try to use different channel without the burden of DFS? https://en.wikipedia.org/wiki/List_of_WLAN_channels

Also: scan the environment for each ap separately. You have the tools available in ROS, use them.

Choose a frequency which is not already used by others ( even your own AP if it is close enough) to avoid interference.

This is how it looks at my house. These two marked networks are mine, and there is just one from my neighbor on channel 40. If I should skip DFS channels then that would mean that I should stick to channels 144 - 173? This “SRD” thing does not harm? :slight_smile:
MT channels.jpg

What is wrong with 52 or 60 ? You don’t HAVE to use 80MHz channels. Sometimes it is even better to go smaller.

Problem with these high ranges is that quite a bit of client devices are not able to use them.
So be careful and check.

52, 56 and 60 seems to be DFS channels so I understood I should avoid them, right?
MT channels2.jpg

Not when used indoors.
Only 1 minute DFS.