The most arduous access point ever: hAP ax³

AMENDED: I have added a zip file containing both an exported script and backup. Sorry, it was a long day and my rant overrode my common sense. I appreciate the comments and you guys are correct: without looking at the details, only assumptions can be the outcome.
Login details: admin + 123letmein

This without a doubt has been the most arduous Mikrotik access point I have ever had the displeasure of dealing with in my near 20 years of using Mikrotik products. I have spent way too many hours dealing with this access point.

I am using this hAP ax³ strictly as an access point with DHCP relay set, all ports are in a bridge and the bridge is a DHCP client and it is connected via the 2.5Gbps ether port to an upstream CRS310 that is my gateway, DHCP, DNS, NAT and firewall filtering device. So I am using the minimalist settings for this hAP ax³ to serve as an access point, straight up KISS (keeping it stupid simple).

Some devices connect, can get to the web and surf, literally no issues. On the exact same radio I can connect a device, RECEIVE a DHCP address and all the correct network information, from that same radio, yet CANNOT get out to the internet. NO IT IS NOT THE DNS, otherwise none of my network would be working. There are multiple other devices connected via Ethernet to the CRS310 and none have any connection issues.

Some devices I have that are Wi-Fi 6 capable will connect on the 2.4GHz or the 5GHz and get an IP and network information from either radio, however they cannot surf the web on the 5GHz side. Both radios are in the same bridge with the other ethernet ports and everything that connects through that bridge can get to the web. For example my iPhone 14 Pro can connect to the 2.4GHz side and surf the internet no issues, if I try the 5GHz side it connects, I get an IP and all the rest of the network info, yet the iPhone tells me there is no internet and I cannot open any web sites! I can see the iPhone’s MAC address assigned on that 5GHz radio so I know it is successfully communicating with that radio, yet the iPhone cannot surf the web!

Yet I have two Reolink cameras that are connected on the 5GHz side and work perfectly. I can stream the camera directly to my iPhone from these cameras.

BEYOND FRUSTRATING, I literally want to take this hAP ax³ outside and shoot it with my 12 gauge, but I don’t want to waste the shells.

What are the optimal settings for using this hAP ax³ in the USA, for both radios, on the channel tab, what frequencies are best?

Does anyone have this hAP ax³ setup and work without client issues? If so, would you kindly pass along your setup?

If I cannot get this thing working in the next coming days I will just return it and go back to my reliable RB4011.

Is it possible that I received a bad hAP ax³?
MyHouse.zip (9.96 KB)

without seeing your config nobody will reply to this rant

Do you have HW offloading set to OFF on the bridge? Try to activate RSTP there and retry.

The only and most sensible reply possible, indeed …

…may be leading you astray, because these new ax routers’ behavior differs in quite a number of ways from the old ones. If all you did was copy your RB4011 config over, it’s no wonder you’re having trouble. (Details: 1, 2)


I literally want to take this hAP ax³ outside and shoot it with my 12 gauge

Send it to me. I can put it to a better use than as a skeet clay.

I mean, have you ever tried cleaning the remains of an ax³ off a target range before, to comply with the club’s littering rules? Talk about frustrating, try’na find all them little plastic bits…


what frequencies are best?

Being a home user, I leave mine free to pick. Hard-coding frequencies is for large sites with fixed AP layouts, where you can make a plan and have a reasonable hope that it will stick long enough to be worth the effort. At home, surrounded by neighbors who wouldn’t follow your careful plan even if you laid it out for them with charts and graphs, not even if you offered free cookies? Nah; lunacy.


would you kindly pass along your setup?

If you’ll reset your router to the defaults and post that configuration for me, I’ll diff mine against yours. I’d appreciate it if you did it via “/export terse show-sensitive”, with PII like the MAC, default SSID, and default PSKs manually redacted. (That will in turn let me add it to my collection, for future use.)

If you want me to do the resetting instead, you’ll be waiting until I get both a lull where I can risk my device being out of commission and the itch to go and do it. You, on the other hand, already have a broken config, so what’ve you got to lose?

I hate to break it to you, but the people you’re talking to on this forum are, generally speaking, not the unfortunate souls that are responsible for the design of the hAP ax³. I understand your frustration. Truly, I do. But without an effort from yourself to efficiently convey information, as opposed to conveying your anger and frustration, no one on this forum will be able to help you, including myself. To that extent, a great first step would be to paste


/export file=hAPax3-cfg.rsc

into the terminal of your ax3, press Enter, upload the contents of the file generated to some file-sharing website (or even just paste it directly into a forum post), and share it in this topic. Note that RouterOS 7 hides sensitive data by default, unlike RouterOS 6, which required the ‘hide-sensitive’ argument to be passed to the ‘/export’ command. Also, if you reiterated the results of experiments you performed (which device works, which doesn’t, etc.) in a more understandable and less ranty format, that’d be nice, thanks.

See my apology and attached script in the original post. Login details are posted there as well.

Here you go Tangent:

/interface bridge add name=LanBridge port-cost-mode=short
/interface ethernet set [ find default-name=ether1 ] advertise=10M-baseT-half,10M-baseT-full,100M-baseT-half,100M-baseT-full,1G-baseT-half,2.5G-baseT comment=Eth1 l2mtu=1598 name=LAN1
/interface ethernet set [ find default-name=ether2 ] comment=Eth2 l2mtu=1598 name=LAN2
/interface ethernet set [ find default-name=ether3 ] comment=Eth3 l2mtu=1598 name=LAN3
/interface ethernet set [ find default-name=ether4 ] comment=Eth4 l2mtu=1598 name=LAN4
/interface ethernet set [ find default-name=ether5 ] comment=Eth5 l2mtu=1598 name=LAN5
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp,gcmp,ccmp-256,gcmp-256 group-key-update=1h management-protection=allowed name=WifiSec passphrase=123letmein wps=disable
/interface wifi set [ find default-name=wifi2 ] channel.band=2ghz-ax .frequency=2412,2432,2462 .skip-dfs-channels=10min-cac .width=20mhz comment=House configuration.country="United States" .mode=ap .ssid=MyHouse disabled=no name=House2.4GHz security=WifiSec
/interface wifi set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5180,5250,5745 .skip-dfs-channels=10min-cac .width=20/40/80mhz comment=House5GHz configuration.country="United States" .mode=ap .ssid=MyHouse5GHz disabled=no name=House5GHz security=WifiSec
/interface bridge port add bridge=LanBridge ingress-filtering=no interface=LAN4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=LanBridge ingress-filtering=no interface=LAN5 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=LanBridge ingress-filtering=no interface=LAN2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=LanBridge interface=LAN3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=LanBridge interface=House5GHz internal-path-cost=10 path-cost=10
/interface bridge port add bridge=LanBridge interface=House2.4GHz internal-path-cost=10 path-cost=10
/interface bridge port add bridge=LanBridge interface=LAN1
/interface bridge port add bridge=LanBridge interface=*B
/interface bridge port add bridge=LanBridge interface=all
/ip neighbor discovery-settings set discover-interface-list=!dynamic
/ip dhcp-client add interface=LanBridge
/ip dhcp-relay add dhcp-server=192.168.50.1 disabled=no interface=LanBridge name=dhcpRelay
/ip dns set allow-remote-requests=yes
/ip firewall service-port set ftp disabled=yes
/ip service set telnet disabled=yes port=23
/ip service set ftp disabled=yes port=21
/ip service set www port=80
/ip service set ssh disabled=yes port=22
/ip service set api port=8728
/ip service set winbox port=8291
/ip service set api-ssl port=8729
/system clock set time-zone-autodetect=no time-zone-name=US/Pacific
/system clock manual set dst-delta=+01:00 time-zone=-07:00
/system identity set name=AP1-AX-House
/system note set show-at-login=no
/system ntp client set enabled=yes
/system ntp client servers add address=0.us.pool.ntp.org
/system ntp client servers add address=1.us.pool.ntp.org
/system ntp client servers add address=2.us.pool.ntp.org
/system ntp client servers add address=3.us.pool.ntp.org

Apology accepted, but delete login details this instant. They aren’t needed, and you should never share them, because security concerns. I don’t think it’s that bad for a device only accessible from your local network. But it’s the principle that should be followed here. If you use these credentials on your edge router or something, definitely change them, though.
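Added example (not part of any post in this thread, and not MikroTik's own tooling): a small Python filter that scrubs secrets and device identifiers from a terse RouterOS export before it is pasted into a forum, which matters when the export was taken with show-sensitive. The list of parameter names and the sample export are assumptions constructed for the example; values split across continuation lines are not handled.

```python
import re

# Parameter names treated as secrets. Assumption for this example: extend the
# tuple to match the features actually configured on the device.
SECRET_KEYS = ("passphrase", "password", "wpa-pre-shared-key",
               "wpa2-pre-shared-key", "secret", "private-key")

# key=value where the value is a quoted string or a run of non-space chars.
# The lookbehind allows a leading dot (".passphrase=") but rejects a longer
# parameter name that merely ends in one of the keys.
_SECRET_RE = re.compile(
    r'(?<![\w-])(' + "|".join(map(re.escape, SECRET_KEYS)) +
    r')=("(?:[^"\\]|\\.)*"|\S+)')
# Identifiers in the comment header at the top of an export.
_HEADER_RE = re.compile(r'^(#\s*(?:software id|serial number)\s*=\s*)\S+', re.M)
_MAC_RE = re.compile(r'\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b')

# Constructed sample, not taken from a real device.
SAMPLE_EXPORT = '''# software id = AAAA-BBBB
# serial number = HXX00000000
/interface wifi security add name=WifiSec passphrase="correct horse" wps=disable
/interface wifi set [ find default-name=wifi1 ] mac-address=02:00:00:AA:BB:CC security.passphrase=hunter2 disabled=no
/user add name=backup password=s3cret group=full
'''


def redact_export(text):
    """Return (redacted_text, number_of_values_replaced)."""
    total = 0
    for pattern, repl in ((_SECRET_RE, r'\1=REDACTED'),
                          (_HEADER_RE, r'\1REDACTED'),
                          (_MAC_RE, 'XX:XX:XX:XX:XX:XX')):
        text, n = pattern.subn(repl, text)
        total += n
    return text, total


if __name__ == "__main__":
    cleaned, count = redact_export(SAMPLE_EXPORT)
    print(cleaned)
    print(f"{count} value(s) redacted")
```

SSIDs and comments are left alone, so they still need a manual look before posting.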

I made them up on the fly just in case someone could not get into the settings I provided. I would never post any real credentials I use. Same with the password on the wifi security. :slight_smile:

Ah, good then.

I took a look at the config… So, why do you need a DHCP relay on the ax³, again? All your interfaces are in one bridge… And two times, actually? All interfaces are in the bridge individually, then there’s the “all” entry (which has different settings, so that may be it as well), then there’s also a dead pointer entry, “*B”. Say what, try and remove the “all” entry and the “*B” entry from Bridge > Ports, then see if it works.
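Added example (not part of any post in this thread): a Python check that flags the bridge-port problems pointed out above, namely a dangling "*B" style reference and an "all" entry alongside individually added ports, plus exact duplicates. It assumes the one-command-per-line export format used in this thread; the function name and finding labels are made up for the example, and the sample is an excerpt of the first export posted above.

```python
import shlex

PORT_PREFIX = "/interface bridge port add "

# Excerpt of the bridge port lines from the first export in this thread.
FIRST_EXPORT_PORTS = """\
/interface bridge port add bridge=LanBridge ingress-filtering=no interface=LAN4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=LanBridge interface=LAN3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=LanBridge interface=House5GHz internal-path-cost=10 path-cost=10
/interface bridge port add bridge=LanBridge interface=LAN1
/interface bridge port add bridge=LanBridge interface=*B
/interface bridge port add bridge=LanBridge interface=all
"""


def bridge_port_findings(export_text):
    """Return a sorted list of (kind, bridge, interface) findings."""
    ports = {}  # bridge name -> interface values in export order
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith(PORT_PREFIX):
            continue
        tokens = shlex.split(line[len(PORT_PREFIX):])
        params = dict(tok.split("=", 1) for tok in tokens if "=" in tok)
        ports.setdefault(params.get("bridge", "?"), []).append(
            params.get("interface", "?"))

    findings = set()
    for bridge, ifaces in ports.items():
        # Ports that name a real interface, as opposed to "all" or a "*ID".
        explicit = [i for i in ifaces if i != "all" and not i.startswith("*")]
        for iface in ifaces:
            if iface.startswith("*"):
                # "*<id>" is what an export shows for a deleted interface.
                findings.add(("dangling-reference", bridge, iface))
            elif iface == "all" and explicit:
                findings.add(("catch-all-overlaps-explicit-ports", bridge, iface))
            elif ifaces.count(iface) > 1:
                findings.add(("duplicate-port", bridge, iface))
    return sorted(findings)


if __name__ == "__main__":
    for finding in bridge_port_findings(FIRST_EXPORT_PORTS):
        print(finding)
```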

I will give it a try and report back. I find that curious about the bridge because I am sure I only used the “All” setting. I am too lazy to add them one at a time. :slight_smile:
DHCP relay = is not needed since the server is on the same subnet.

Ah, I see. Remove the DHCP relay as well, then. It may be competing with the DHCP server that’s on the CRS, and that might be what’s happening here. Though I’d probably pin it on RSTP misbehaving because of a weird bridge config, rather than on DHCP weirdness.

If you are using it as an AP, you can bridge the WiFi interface to the LAN interface, so the AP will act as a switch.
Remove the DHCP client and DHCP relay. The AP does not need an IP address and can be managed by WinBox if you are on the same switch.
Maybe you should specify vlan 1 in data path in the WiFi config, or some other vlan depending on what you use. Mikrotik uses vlan 1 as default.

That is entirely correct. However, that is also already the case, see config =P


Setting vlan to 1 explicitly is not required, and IMO it is better to leave VLAN-related settings alone in a VLAN-less environment, which this one seems to be.

How do you know it’s VLAN-less ? Maybe the router is using VLAN 1. Most mikrotik interfaces will use VLAN 1 if left unconfigured, except for WiFi.

Because I read the config and there’s no mention of VLANs?

Sure, the interface on the CRS that’s connected to the ax3 could somehow be configured as a VLAN1 access port. With somehow only tagged packets being admitted and untagged packets being dropped as opposed to tagged (Jackie Chan meme).

But that would mean that the entire ax3 would essentially be offline, and not a single client connected to it would be able to access the Internet. Which is not the case:


Isn’t tagging done by default on ethernet but not on WiFi? If a packet comes from WiFi headed for ethernet, it doesn’t get tagged and the virtual bridge drops the traffic. This would explain why DHCP would work but nothing else. Since he set up a dhcp relay.






Maybe the iphone is tagging the traffic as VLAN 1.

Look. We’re talking VLAN-less config here. Not a single mention of VLANs in the config file. Which means that any and all Ethernet frames leaving the ax3 and going into the CRS are untagged. Yes, ChatGPT is correct, MikroTik uses VLAN1 by default as its native VLAN. No, by default, no packet is tagged, unless you specifically make it tag packets. Which means that if CRS only accepted tagged VLAN1 frames, which would be ludicrous, the entirety of the ax3 would be offline, as CRS would reject any and all frames coming from the ax3.

And no, iPhones don’t VLAN-tag traffic. And even if iPhones did VLAN-tag traffic, they wouldn’t randomly tag traffic only on the 2.4GHz interface, and not on the 5GHz one.

Ok, did as you suggested Nullcaller.

I cleaned up the bridge, rebuilt it from scratch, manually added each interface. I also removed the DHCP relay as the DHCP server is on the same network so it is not needed.

I now have it back in play and decided to test it again with my iPhone. It works normally on the 2.4GHz radio, pages loading very fast, all good. Switching over to the 5GHz side produces almost the same result. Pages do load; however, they on average always take over a full minute to do so. So an improvement of sorts…

I did order a new hAP ax3 and it arrived late last night. I now have that hAP ax3 manually configured with the same settings and replaced the other hAP ax3. Unfortunately no change in the behavior.

Here is the export from the new hAP ax3:

# 2024-07-20 09:20:11 by RouterOS 7.15.2
# software id = removed
# model = C53UiG+5HPaxD2HPaxD
# serial number = removed

/interface bridge add name=LanBridge
/interface ethernet set [ find default-name=ether1 ] name=LAN1
/interface ethernet set [ find default-name=ether2 ] name=LAN2
/interface ethernet set [ find default-name=ether3 ] name=LAN3
/interface ethernet set [ find default-name=ether5 ] name=LAN5
/interface ethernet set [ find default-name=ether4 ] name=LANr4
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption=ccmp,gcmp,ccmp-256,gcmp-256 group-key-update=1h name=WifiSec passphrase=removed wps=disable
/interface wifi set [ find default-name=wifi2 ] channel.band=2ghz-ax .frequency=2412,2432,2462 .width=20/40mhz-Ce configuration.country="United States" .mode=ap .ssid=House disabled=no name=House2.4GHz security=WifiSec
/interface wifi set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5180,5240,5745 .width=20/40/80mhz configuration.country="United States" .mode=ap .ssid=House5GHz disabled=no name=House5GHz security=WifiSec
/interface bridge port add bridge=LanBridge interface=LAN1
/interface bridge port add bridge=LanBridge interface=LAN2
/interface bridge port add bridge=LanBridge interface=LAN3
/interface bridge port add bridge=LanBridge interface=LANr4
/interface bridge port add bridge=LanBridge interface=LAN5
/interface bridge port add bridge=LanBridge interface=House2.4GHz
/interface bridge port add bridge=LanBridge interface=House5GHz
/ip neighbor discovery-settings set discover-interface-list=!dynamic
/ip dhcp-client add interface=LanBridge
/ip dns set allow-remote-requests=yes
/system clock set time-zone-name=America/Los_Angeles
/system identity set name=AP2-AX-House
/system note set show-at-login=no
/system routerboard settings set auto-upgrade=yes

I am bewildered and dismayed to say the least… :frowning:

Please do a simple test, use only 20 MHz width on 5 GHz, set frequency as 5180-5650. Set tx power 15. Disable 2.4 GHz. Be about 10 feet from the router.