[Solved] Need help to keep iPad WiFi alive

I have a VoIP app on my iPad that doesn’t ring when connected to my hAP AX2 router, unless the iPad is unlocked. However, it rings fine when I use a Huawei router regardless of the iPad’s lock state.

So, how would I go about making the AX2 play nice with the iPad so I can continue to receive calls?

I’m using the 3CX app on the iPad, if that’s of any help. There’s nothing in the app settings that helps.

Thanks in advance.

First thing to check: what version of ROS are you using on that AX2?

See if it is at latest stable 7.19.2.
You can even try 7.20b5, quite some wifi problems have been addressed there.
And there is a 7.21alpha version around bringing even more long-due fixes for wifi issues.

If changing version does not help, can you please provide export from wifi part of your config?

Winbox - terminal
/interface wifi export file=anynameyouwish
Move to PC
Obfuscate sensitive info (serial, passwd, …)
Move back here between code quotes for easier readability.

Did you try to enable the multicast-enhance feature? It will send wifi multicast frames as unicast and helps to ensure packages are received by client devices.
Downside: It will probably lower your battery lifetime.

Alternatively, you could play with decreasing dtim interval and increasing group key lifetime settings, but I believe the wifi driver defaults are already pretty reasonable.

Edit: If you are using the mikrotik device as a router and not only as wifi AP, you may want to increase connection tracking timeouts in the firewall as well. Especially if your voip application is using UDP for signaling.

Thanks for your reply @holvoetn,

I’m currently running 7.14.3 for the issues you allude to. I did try 7.19.2, but that was still pretty much unusable. I’m keeping an eye on both the forums and changelogs to see whether there are any significant changes likely to provide the required fixes. Not so much a fan of beta or alpha releases as I’ve been burned before, though not with MT releases.

I understand there’s a slew of changes coming, think I’d prefer to wait until 7.21 becomes stable.

# 2025-07-05 19:23:43 by RouterOS 7.14.3
# software id = 43JE-CDHX
#
# model = C52iG-5HaxD2HaxD
# serial number = xxxxxxxx
/interface bridge
add admin-mac=xxxxxxxx auto-mac=no comment=BRIDGE name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=WAN-LTE
set [ find default-name=ether2 ] comment=WAN-DHCP
set [ find default-name=ether3 ] comment=WAN-PPPoE
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz comment=Primary configuration.country=\
    "New Zealand" .mode=ap .ssid=NeverUMind disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp \
    .passphrase=xxxxxxxx
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=all \
    .width=20/40mhz-eC comment=Primary configuration.country="New Zealand" \
    .mode=ap .ssid=NeverUMind disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .encryption=ccmp .passphrase=xxxxxxxx
add comment=Guest configuration.mode=ap .ssid=NeverUMind-Guest \
    datapath.client-isolation=yes disabled=no mac-address=xxxxxxxx \
    master-interface=wifi1 name=wifi3 security.authentication-types=\
    wpa2-psk,wpa3-psk .encryption=ccmp .passphrase=xxxxxxxx
add comment=Guest configuration.mode=ap .ssid=NeverUMind-Guest \
    datapath.client-isolation=yes disabled=no mac-address=xxxxxxxx \
    master-interface=wifi2 name=wifi4 security.authentication-types=\
    wpa2-psk,wpa3-psk .encryption=ccmp .passphrase=xxxxxxxx
add comment=IoT configuration.hide-ssid=yes .mode=ap .ssid=iot5 \
    datapath.client-isolation=yes disabled=no mac-address=xxxxxxxx \
    master-interface=wifi1 name=wifi5 security.authentication-types=\
    wpa2-psk,wpa3-psk .encryption=ccmp .passphrase=xxxxxxxx
add comment=IoT configuration.hide-ssid=yes .mode=ap .ssid=iot2 \
    datapath.client-isolation=yes disabled=no mac-address=xxxxxxxx \
    master-interface=wifi2 name=wifi6 security.authentication-types=\
    wpa-psk,wpa2-psk .encryption=ccmp .passphrase=xxxxxxxx
/interface wireguard
add comment=back-to-home-vpn listen-port=35960 mtu=1420 name=back-to-home-vpn \
    private-key="xxxxxxxx"
/interface vlan
add comment="VLAN 10 - DHCP" interface=ether2 name=DHCP_v10 vlan-id=10
add comment="VLAN 10 - PPPoE" interface=ether3 name=vlan10 vlan-id=10
/interface pppoe-client
add add-default-route=yes comment="WAN PPPoE" disabled=no interface=vlan10 \
    name=pppoe-1 password=password use-peer-dns=yes user=username
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add comment=2.4G-IoT name=dhcp_pool1 ranges=10.10.10.2-10.10.10.254
add comment=2.4G-Guest name=dhcp_pool2 ranges=10.10.20.2-10.10.20.254
add comment=5G-Guest name=dhcp_pool3 ranges=10.10.20.2-10.10.20.254
add comment=5G-IoT name=dhcp_pool4 ranges=10.10.10.2-10.10.10.254
add comment=Primary name=defconf_dhcp ranges=10.10.0.2-10.10.0.254
/ip dhcp-server
add address-pool=defconf_dhcp comment=Primary interface=bridge lease-time=10m \
    name=defconf
add address-pool=dhcp_pool1 comment="2.4G IoT" interface=wifi6 lease-time=10m \
    name=dhcp1
add address-pool=dhcp_pool2 comment="2.4G Guest" interface=wifi4 lease-time=\
    10m name=dhcp2
add address-pool=dhcp_pool3 comment="5G Guest" interface=wifi3 lease-time=10m \
    name=dhcp3
add address-pool=dhcp_pool4 comment="5G IoT" interface=wifi5 lease-time=10m \
    name=dhcp4
/interface bridge port
add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 \
    path-cost=10
add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=15360
/interface l2tp-server server
set default-profile=default one-session-per-host=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=LTE interface=ether1 list=WAN
add comment=PPPoE interface=pppoe-1 list=WAN
add comment=DHCP interface=DHCP_v10 list=WAN
/ip address
add address=10.10.10.1/24 comment="2.4G IoT" interface=wifi6 network=\
    10.10.10.0
add address=10.10.20.1/24 comment="5G Guest" interface=wifi3 network=\
    10.10.20.0
add address=10.10.20.1/24 comment="2.4G Guest" interface=wifi4 network=\
    10.10.20.0
add address=10.10.10.1/24 comment="5G IoT" interface=wifi5 network=10.10.10.0
add address=10.10.0.1/24 comment=Primary interface=bridge network=10.10.0.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ip dhcp-client
add comment=defconf interface=ether1
add comment=defconf interface=ether2
/ip dhcp-server network
add address=10.10.0.0/24 dns-server=1.1.1.3,1.0.0.3 gateway=10.10.0.1
add address=10.10.10.0/24 comment="IoT Subnet" dns-server=1.1.1.3,1.0.0.3 \
    gateway=10.10.10.1
add address=10.10.20.0/24 comment="Guest Subnet" dns-server=1.1.1.3,1.0.0.3 \
    gateway=10.10.20.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.10.10.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "Allow trusted subnet  and wireguard for config" in-interface-list=LAN
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward in-interface=wifi6 out-interface=bridge
add action=drop chain=forward in-interface=wifi5 out-interface=bridge
add action=drop chain=forward in-interface=wifi4 out-interface=bridge
add action=drop chain=forward in-interface=wifi3 out-interface=bridge
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2206
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Pacific/Auckland
/system identity
set name="Home Router AX"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=time.cloudflare.com
/system scheduler
add comment="5G Enable" interval=1d name=Enable_WiFi1 on-event=\
    Enable_Primary5G policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-06-22 start-time=06:30:00
add comment="2G Enable" interval=1d name=Enable_WiFi2 on-event=\
    Enable_Primary2G policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-06-22 start-time=06:30:00
add comment="5G Disable" interval=1d name=Disable_WiFi1 on-event=\
    Disable_Primary5G policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-06-22 start-time=23:00:00
add comment="2G Disable" interval=1d name=Disable_WiFi2 on-event=\
    Disable_Primary2G policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-06-22 start-time=23:00:00
/system script
add dont-require-permissions=no name=Enable_Primary5G owner=itechadmin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="interface wifi enable  wifi1"
add dont-require-permissions=no name=Enable_Primary2G owner=itechadmin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="interface wifi enable  wifi2"
add dont-require-permissions=no name=Disable_Primary5G owner=itechadmin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="interface wifi disable wifi1"
add dont-require-permissions=no name=Disable_Primary2G owner=itechadmin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="interface wifi disable wifi2"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes

Thanks for your help @whatever.

Are you able to provide further guidance please?

This is an iPad setting? I am assuming it’s the MT router that’s at fault, because it all works fine with an ISP Huawei router. Could that be wrong?

This sounds promising. How would I go about doing this please?

Cheers.

You have really short lease times there!

Default setting nowadays is at 30m.
You might even consider using 4h for the pool used for wifi clients (the one where your iPad is connected to). I even use 1d for IoT stuff (it doesn’t move around that much, you see).

As a reference: you can check how it is set at the working config with Huawei.

Sadly, I can’t. It’s not my router and the PW has been changed. We’re housesitting atm and the home owner is on holiday overseas.

I might change the lease time to 4 hours and assign the iPad to the IoT SSID. I’ll let you know how it goes. Thanks!

This setting:
/ip firewall connection tracking set udp-timeout=10s

Should be 30s default.

Just a question: where did you get these settings from, since they are not default?
That change from 10s to 30s was introduced in 7.14, so your base config comes from before that?

To be honest, I’m not sure. I think it may have come from a training session a few years ago. The intent was for testing but I think the practice stuck.

The device came with 7.7, which I upgraded to 7.12.1, 7.13 then 7.19.2 upon receipt. Downgraded to current when 7.19.2 gave WiFi issues.

The fact it shows in your export, indicates it deviates from the default.

You can also check it on client side. No need to get into the router.

On Windows:
Control Panel - Network - select network - Status - Details
It will show lease obtained and lease expires.

I’m using Linux and when I just checked the details there’s no lease time listed.

??
Even on my Android phone I can see it using a tool like Network Scanner.

You should be able to find it.

No, it’s a routeros setting on the wifi interface.
But your first step should be to increase the dhcp lease time, anything below 1h is nuts for standby devices.

Changed wifi 5&6 to a 4hr lease time and assigned the iPad to wifi5. Should know in a few mins if successful.

Done.

For the iPad I assume? And any other battery powered device connected to that wifi network, I assume?

Seems to have fixed it. Previously, once the iPad cover was closed and lock took effect after 5mins, the app stopped receiving calls. Now, under the same conditions, I left it 10mins and tried again after 25mins and the app rang both times.

Consequently, I took on board what you said @holvoetn and changed wifi 5&6 to 1 day lease time and 30mins on wifi 1-4.

If things fail again, I’ll try your idea @whatever and activate multicast-enhance.

Thanks heaps to you both! I’m def a happy camper now that I have two of the biggest issues resolved. Now just waiting on v7.21 to go stable. Hopefully that’ll be the one to see my wifi right.

Marking post as solved! :grinning_face:
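
Added example, not part of any post in this thread: a small Python audit that reads a RouterOS export and flags the two settings the thread singled out, DHCP lease times under one hour and a udp-timeout under the 30s default. The sample export is constructed from lines modelled on the configuration posted above; the thresholds and all function names are assumptions of this example.

```python
import re

# Thresholds taken from the thread (assumptions of this example, not RouterOS
# rules): leases under 1h were called too short for standby devices, and 30s
# is the udp-timeout default named in the thread.
MIN_LEASE_S = 3600
MIN_UDP_TIMEOUT_S = 30
UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

# Constructed sample, modelled on the export posted in the thread.
SAMPLE_EXPORT = r"""
/ip dhcp-server
add address-pool=defconf_dhcp comment=Primary interface=bridge lease-time=10m \
    name=defconf
add address-pool=dhcp_pool2 comment="2.4G Guest" interface=wifi4 lease-time=\
    10m name=dhcp2
add address-pool=dhcp_pool4 comment="5G IoT" interface=wifi5 lease-time=1d \
    name=dhcp4
/ip firewall connection tracking
set udp-timeout=10s
"""

def to_seconds(value):
    """Convert a RouterOS duration (10m, 4h, 1d, 1d00:10:00) to seconds."""
    total = 0
    clock = re.search(r"(\d+):(\d\d):(\d\d)$", value)
    if clock:
        total = int(clock[1]) * 3600 + int(clock[2]) * 60 + int(clock[3])
        value = value[:clock.start()]
    return total + sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([wdhms])", value))

def audit(export_text):
    """Return (check, name, seconds) for each setting below its threshold."""
    findings, menu = [], ""
    # The export wraps long lines with a trailing backslash, sometimes in the
    # middle of key=value, so join them before parsing.
    text = re.sub(r"\\\n[ \t]*", "", export_text)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # menu line, e.g. "/ip dhcp-server"
            menu = line
            continue
        props = dict(re.findall(r'([\w.-]+)=("[^"]*"|\S+)', line))
        if menu == "/ip dhcp-server" and "lease-time" in props:
            secs = to_seconds(props["lease-time"])
            if secs < MIN_LEASE_S:
                findings.append(("dhcp-lease", props.get("name", "?"), secs))
        if menu == "/ip firewall connection tracking" and "udp-timeout" in props:
            secs = to_seconds(props["udp-timeout"])
            if secs < MIN_UDP_TIMEOUT_S:
                findings.append(("udp-timeout", "connection-tracking", secs))
    return findings

if __name__ == "__main__":
    for check, name, secs in audit(SAMPLE_EXPORT):
        print(f"{check}: {name} = {secs}s")
```

A setting that is absent from an export is at its default, so only values that appear explicitly are checked.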

If you’re in the US, configure Wi-Fi 5ghz to skip all DFS channels in /interface/wifi by setting skip-dfs-channels=all.

Hi,

I picked up that you said you were housesitting and the Huawei ISP router is not under your control. I understand therefore that you have added your Mikrotik behind the huawei.

If that is the case this is almost certainly a double NAT issue, where your mikrotik is doing NAT as is your Huawei router.

Best,

Alex