Sonoff sensor won't reconnect

I have 2 different locations, both with hAP-Ax3, and both with Sonoff TH316 devices at the locations.

The Sonoffs can connect just fine once the hAP is running.

If I reboot the hAPs, the Sonoffs do not connect.

I have the Sonoffs set to connect to the SSID “2point4”, which is a virtual wireless interface under the master “wifi2”.

Is there some reason that the other wifi devices (Sonoff Tasmota devices; an oil level monitor, smart switches) would reconnect but the Sonoff TH316 wouldn’t?

Here is the export from one of the hAPs:

/interface bridge
add admin-mac=18:xxxxxx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    disabled .width=20/40/80mhz configuration.country="United States" .mode=\
    ap .ssid=76-5ghz disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    disabled .width=20/40mhz configuration.country="United States" .mode=ap \
    .ssid=76-2ghz disabled=no security.authentication-types=wpa2-psk,wpa3-psk

/interface wifiwave2
add configuration.mode=ap .ssid=2point4 disabled=no mac-address=\
    1A:FD:74:FE:87:EA master-interface=wifi2 mtu=1500 name=2point4 \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=Guest disabled=no mac-address=\
    1A:FD:74:FE:87:E8 master-interface=wifi1 name=Guest-wifi1 \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=Guest disabled=no mac-address=\
    1A:FD:74:FE:87:E9 master-interface=wifi2 name=Guest-wifi2 \
    security.authentication-types=wpa2-psk,wpa3-psk

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add include=LAN,WAN name=ALL
add name=TRUSTED

/ip pool
add name=default-dhcp ranges=192.168.30.100-192.168.30.200

/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=2d name=defconf

/port
set 0 name=serial0

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=Guest-wifi1
add bridge=bridge interface=Guest-wifi2
add bridge=bridge ingress-filtering=no interface=2point4 multicast-router=\
    disabled

/ip neighbor discovery-settings
set discover-interface-list=ALL

/ipv6 settings
set disable-ipv6=yes

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge list=TRUSTED
add interface=ether1 list=TRUSTED
add interface=wireguard1 list=LAN

/interface wifiwave2 access-list
add action=accept comment="76 LR TV" disabled=no mac-address=\
    48:9E:9D:07:E3:C2

/ip address
add address=10.10.100.30/24 interface=wireguard1 network=10.10.100.0
add address=192.168.30.2/24 interface=bridge network=192.168.30.0

/ip cloud
set ddns-enabled=yes ddns-update-interval=1h

/ip dhcp-client
add comment=defconf interface=ether1

/ip dhcp-server network
add address=192.168.30.0/24 comment=defconf dns-server=1.1.1.1,8.8.8.8 \
    gateway=192.168.30.2

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8

/ip dns static
add address=10.10.100.30 comment=defconf name=76-10.10.100.30.local
add address=192.168.30.2 comment=defconf name=76.local

/ip firewall address-list
add address=xxxxxx.dyndns.org list=mtdale
add address=aaaaa.dyndns.org list=212
add address=IP-local-admin-destkop list=authorized
add address=IP-local-admin-laptop list=authorized
add address=bbbbb.dyndns.org list=dynamic-WANIP
add address=192.168.0.0/16 list=admin
add address=10.10.100.0/24 list=admin

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
    dst-address=127.0.0.1
add action=accept chain=input comment="allow incoming wireguard connections" \
    dst-port=51830 protocol=udp
add action=accept chain=input comment="Alow wireguard to router" \
    in-interface=wireguard1
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input comment="REMOVE\?" src-address-list=admin
add action=accept chain=input src-address-list=212
add action=accept chain=input src-address-list=mtdale
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="Allow WG to subnet" disabled=yes \
    dst-address=192.168.1.0/24 in-interface=wireguard1
add action=accept chain=forward disabled=yes in-interface=wireguard1 \
    protocol=udp
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Allow wireguard to subnet" disabled=\
    yes dst-address=192.168.30.0/24 in-interface=wireguard1
add action=accept chain=forward comment="Allow wireguard to subnet" \
    in-interface=wireguard1
add action=accept chain=forward comment="Allow subnet to enter WG" \
    out-interface=wireguard1
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/ip route
add disabled=no dst-address=192.168.88.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.2.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.0.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=192.168.40.0/24 gateway=wireguard1 routing-table=\
    main suppress-hw-offload=no

/ip ssh
set forwarding-enabled=both

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
	
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=America/New_York
/system identity
set name=76
/system logging
add topics=event
add topics=account
add topics=firewall
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.north-america.pool.ntp.org
add address=1.north-america.pool.ntp.org
add address=3.pool.ntp.org
/tool mac-server
set allowed-interface-list=ALL
/tool mac-server mac-winbox
set allowed-interface-list=ALL
/tool romon
set enabled=yes

Three suggestions:

  1. Set authentication-types to the lowest you can afford (i.e. wpa2 only); some WiFi clients are picky when it comes to features supported by the AP but not supported by themselves. And wpa3 is new stuff, not many IoT gadgets support it.
  2. Set channel width to 20MHz only on the 2.4GHz spectrum. IoT devices usually don’t require much bandwidth, setting to 20MHz only increases signal level by 3dB (higher signal doesn’t hurt most of the time) and again it’s something that WiFi clients might be picky about.
  3. If the first two suggestions don’t make the TH316 thrash happy, try to set channel band to “2ghz-n” on the 2.4GHz interface (the master interface, that is).

Suggestions #2 and #3 mean a reduction of maximum throughput on the 2.4GHz radio, also affecting devices using the main SSID (76-2ghz). But you may have to go down this path to make those Sonos devices happy.
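
An added example, not part of any post in this thread: a small Python check that reads a wifiwave2 export like the one above and lists, per 2.4 GHz AP, which of the three suggested settings would still change. The function names and the finding labels are made up for this sketch; the sample input is constructed from the export in the first post.

```python
import re
import shlex

# Constructed sample: the 2.4 GHz entries from the first export in the thread.
EXPORT = r'''/interface wifiwave2
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    disabled .width=20/40mhz configuration.country="United States" .mode=ap \
    .ssid=76-2ghz disabled=no security.authentication-types=wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=2point4 disabled=no mac-address=\
    1A:FD:74:FE:87:EA master-interface=wifi2 mtu=1500 name=2point4 \
    security.authentication-types=wpa2-psk,wpa3-psk
'''

def parse_wifi(export):
    """Return {interface name: settings} for the wifiwave2 section of an export."""
    text = re.sub(r"\\\n\s*", "", export)   # join backslash-continued lines
    section, ifaces = "", {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            section = line
        elif section == "/interface wifiwave2" and line:
            cfg, prefix = {}, ""
            for tok in shlex.split(line):
                key, sep, val = tok.partition("=")
                if not sep:
                    continue                 # set, add, [, find, ]
                if key.startswith("."):      # ".ssid" continues "configuration."
                    key = prefix + key
                elif "." in key:
                    prefix = key.split(".")[0]
                cfg[key] = val
            ifaces[cfg.get("name") or cfg.get("default-name")] = cfg
    return ifaces

def iot_findings(ifaces):
    """List, per 2.4 GHz AP, the settings the three suggestions would change."""
    out = {}
    for name, cfg in ifaces.items():
        # A virtual AP runs on its master's radio, so channel settings come from it.
        radio = {**ifaces.get(cfg.get("master-interface"), {}), **cfg}
        band, width = radio.get("channel.band", ""), radio.get("channel.width", "")
        if not band.startswith("2ghz"):
            continue
        auth = cfg.get("security.authentication-types", "").split(",")
        notes = ["offers wpa3-psk"] if "wpa3-psk" in auth else []
        notes += ["width " + width] if width != "20mhz" else []
        notes += ["band " + band] if band != "2ghz-n" else []
        out[name] = notes
    return out
```

Calling `iot_findings(parse_wifi(EXPORT))` on the sample flags all three settings for both `wifi2` and the virtual `2point4` AP; an empty list for an interface means none of the three suggestions is left to apply.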

Thank you very much for your help.

I tried it all:

WPA2 only
20mhz
N

I removed all IP6 facilities.

I removed and recreated the 2point4 interface.

I went to the location and changed the Sonoff config to access wifi2 (the master with ssid “76-2ghz”).

Still the same behavior: Connects just fine to an up and running hAP. If the hAP reboots, the Sonoff will not reconnect.

I have the exact same model Sonoff (THR316) connected to a location with several Ubiquiti APs (UAP-AC-M models) and the Sonoff reconnects after the AP reboots. The UAPs are set for 20mhz, “11n/b/g”

Here is the latest wireless config (works fine except for the Sonoff’s not reconnecting):

/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    disabled .width=20/40/80mhz configuration.country="United States" .mode=ap \
    .ssid=76-5ghz disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-n .skip-dfs-channels=disabled \
    .width=20mhz configuration.country="United States" .mode=ap .ssid=76-2ghz \
    disabled=no security.authentication-types=wpa2-psk
add configuration.mode=ap .ssid=2point4 disabled=no mac-address=\
    1A:FD:74:FE:87:EA master-interface=wifi2 mtu=1500 name=2point4 \
    security.authentication-types=wpa2-psk
add configuration.mode=ap .ssid=Guest disabled=no mac-address=1A:FD:74:FE:87:E8 \
    master-interface=wifi1 name=Guest-wifi1 security.authentication-types=\
    wpa2-psk,wpa3-psk
add configuration.mode=ap .ssid=Guest disabled=no mac-address=1A:FD:74:FE:87:E9 \
    master-interface=wifi2 name=Guest-wifi2 security.authentication-types=\
    wpa2-psk

Is there anything in the AP’s log when Sonos fails to reconnect? A few problems are reported regarding wifiwave2 driver in ROS newer than 7.8 (7.10 seems to be slightly better but not OK), but log has entries about those clients.

No log entries whatsoever.

Scan/sniff/torch don’t even see the Sonoff or its packets.

I have the exact same issue with an ax3 and Sonoff THR320D and Sonoff M5-1C-120.

It only occurs if you reboot the router. It doesn’t happen if you shut down and then power it on again. (I double-checked myself and found that I was incorrect: it happens on a reboot and shutdown.)

Which might indicate that Sonoff doesn’t like MT wireless after hAP is rebooted and doesn’t even try to connect. But the same Sonoff devices are content with MT wireless after Sonoff is restarted? There might be some weird interaction, but I’m afraid only MT can comment on it. So you probably should open a trouble ticket with MikroTik support. I guess supout files (one while Sonoff is connected and working fine, another while Sonoff doesn’t want to connect) might be usable for MT.

So I’ve enabled the wireless debug log, so I’ll see what shows up there. If that doesn’t lead anywhere then I’ll open a support ticket.

I double-checked myself in regards to it not happening on a shutdown and found I was incorrect. The Sonoff devices don’t want to reconnect to the wifi network on both a reboot and a shutdown.
But if you power-cycle the Sonoff switch itself then it will reconnect to the wifi.

I emailed support.

Is incompatibility between wifiwave2 in the hAPs and certain devices a thing?

Have you tried skip-dfs-channels=enabled? Sniffing raw 802.11 traffic might help: https://wiki.wireshark.org/CaptureSetup/WLAN, but you need to know what to look for.

@OP set up a 2.4GHz (virtual) AP for the offending devices, so the suggestion doesn’t apply.

Josephny: There are reported problems with wifiwave2 on ax devices. Behaviour is not the same as you observe (most users see disconnects and then rejected connection attempts until AP is rebooted), but perhaps it’s another glitch of the same HW/driver combination, this one might be harder to observe (because it happens with specific clients). That’s why I suggested you to contact support, they are the most qualified to make guesses (when they find some time).

I have been trying every possible thing I can think of and find in threads about wifiwave2 problems.

And I opened a support ticket.

Support tickets opened with MT and Sonoff and still no progress.

Hi, do you have any news about this? It bugs me quite a bit, too…

Here’s the latest from Sonoff support:

"Hi

Sorry for the late reply due to the day off.

The Mikrotik router maybe cannot be compatible with the device."



And this from MT on June 28 which I promptly complied with and haven’t heard back:


“Hello,
So the issue is only with these devices, and other clients can join without issues?
Please try creating supout.rif file soon after the issue appears, or at the very least right after Sonoff tries to connect to AP, but fails.
You could try updating to 7.11beta2, there are some improvements added to it.
Unfortunately, the supout.rif file you sent earlier contains no logs/debug logs in regards to “C0:49:EF:F”.”


So I connected a Shelly1 to cycle the power when pings to the THR fail.

It’s very frustrating, but there are only so many hours in a day.