It seems the station always selects the AP with strongest signal (even log messages say so), and tries hard to connect only to this one even if repeatedly rejected by MAC ACL.
I’d suggest to work more like UBNT does: still try the strongest one first, but if rejected, try the next weaker one, until all are tried, then start again from the strongest one (in case its ACL was changed in the meantime). This is how it has always worked there (old 2/5 series; newer M2/M5 series except 5.6.3 firmware where they broke it to work like MT, I reported it and they fixed it in 5.6.4; no experience with AC series which I refuse to buy due to no more plain 802.11ac compatibility = total vendor lock-in).
Coming from UBNT background and started moving to MT later, I don’t know if the broken way (try forever just the one strongest AP) has always been the case or was changed recently.
Why this matters? Consider a network where all APs share the same SSID and security settings, and which CPEs connect where is controlled by MAC ACLs. This works fine with UBNT, and has some advantages:
- common CPE config everywhere (can have pre-configured CPEs on a shelf waiting to be installed at any location and just work after adding the correct MAC address to the ACL at the correct AP, no need for technicians to reconfigure CPEs in the field)
- if one sector fails, turn off MAC ACL on two adjacent sectors and customers will have service (poor performance but better than nothing) until the failed AP is replaced
The network also has relay sites (need to get around some difficult terrain), where a CPE (with wireless connection to some distant AP) has a wired connection to an AP. This works with UBNT as long as MAC ACL is always on, and the nearby CPE’s MAC address is not allowed (that would create a loop). But the MT station will try forever to connect to the nearby AP with strongest signal, instead of the distant one where it should connect.
Would it be possible to make MT stations work like UBNT stations in this respect? Connecting to a weaker signal is usually better than not connecting at all.