TV authentication timeout on wifi

RouterOS Beginner Basics
1

Hello guys.

I’m having trouble connecting my TV(TCL 65C835) to the MikroTik hAP ax2 Wi-Fi network with auth. settings WPA2 PSK, WPA3 PSK.

It’s displaying this message from LOG mentioned below:


 13:57:47 wireless,debug xx:xx:xx:xx:xx:xx@wifi2 authentication timeout
 13:57:54 wireless,debug xx:xx:xx:xx:xx:xx@wifi2 authentication timeout
 13:58:08 wireless,debug xx:xx:xx:xx:xx:xx@wifi2 authentication timeout
 13:58:17 wireless,debug xx:xx:xx:xx:xx:xx@wifi2 authentication timeout
 13:58:30 wireless,debug xx:xx:xx:xx:xx:xx@wifi2 authentication timeout
 13:58:50 wireless,debug xx:xx:xx:xx:xx:xx@wifi2 authentication timeout
 13:59:09 wireless,debug xx:xx:xx:xx:xx:xx@wifi2 authentication timeout
 13:59:28 wireless,debug xx:xx:xx:xx:xx:xx@wifi2 authentication timeout
 13:59:48 wireless,debug xx:xx:xx:xx:xx:xx@wifi2 authentication timeout
 14:00:07 wireless,debug xx:xx:xx:xx:xx:xx@wifi2 authentication timeout
 14:00:25 system,info,account user xxxxx logged in from 192.168.88.254 via local
 14:00:26 wireless,debug xx:xx:xx:xx:xx:xx@wifi2 authentication timeout

Mikrotik config:


# 2023-10-02 14:05:07 by RouterOS 7.11.2
# software id = **ELIDED**
#
# model = C52iG-5HaxD2HaxD
# serial number = **ELIDED**
/interface bridge
add name=bridge-VLAN10 vlan-filtering=yes
add name=local
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20mhz configuration.country=Czech .mode=ap .ssid=\
    "Pila IoT" security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20mhz configuration.country=Czech .mode=ap .ssid=\
    "Pila AP" .tx-power=17 datapath.client-isolation=no disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
/interface list
add name=listBridge
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=VLAN10-remote
/interface wifiwave2
add configuration.mode=ap .ssid="Pila remote" datapath.client-isolation=no \
    .vlan-id=10 disabled=no mac-address=**ELIDED** master-interface=\
    wifi2 name=Pila-remote-VLAN10 security=VLAN10-remote
/interface vlan
add interface=Pila-remote-VLAN10 name=vlan10 vlan-id=10
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.85.2-192.168.85.254
add name=dhcp_pool2 ranges=\
    192.168.10.1-192.168.10.9,192.168.10.11-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=local lease-time=10m name=dhcp1
add address-pool=dhcp_pool2 interface=bridge-VLAN10 name=dhcp2
/interface bridge port
add bridge=local interface=ether2
add bridge=local interface=wifi2
add bridge=local interface=ether3
add bridge=local interface=wifi1
add bridge=bridge-VLAN10 interface=Pila-remote-VLAN10
add bridge=bridge-VLAN10 interface=vlan10
add bridge=local interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=listBridge
/ipv6 settings
set max-neighbor-entries=15360
/interface list member
add interface=local list=listBridge
/ip address
add address=192.168.88.1/24 interface=local network=192.168.88.0
add address=192.168.10.10/24 interface=bridge-VLAN10 network=192.168.10.0
/ip dhcp-client
add interface=ether1
/ip dhcp-server lease
add address=192.168.88.50 client-id=**ELIDED** mac-address=**ELIDED** server=dhcp1
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.10
add address=192.168.88.0/24 dns-server=8.8.8.8 gateway=192.168.88.1
/ip firewall filter
add action=accept chain=input comment="accept established, related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 \
    protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=ether1 \
    port=8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=ether1 port=22 \
    protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=\
    ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Prague
/system logging
add topics=wireless,debug
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=listBridge
/tool mac-server mac-winbox
set allowed-interface-list=listBridge
/tool mac-server ping
set enabled=no

Don’t you have any advice what can be wrong? The TV have WiFi Built-in ax/ac/n 2.4/5Ghz

Thank you very much for your assistance.

2

Check signal strength.

3

For testing purposes disable WPA3 if possible

4

It seems that disabling WPA3 will figure it out. For now TV is connected so we will see a test by kids tommorow. :smiley: Thank you.

I hoped that i will be running on WPA3 PSK. :frowning:

5

Many devices do not yet support WPA3. As a home user, you do not need to worry. There is nothing broken with WPA2, unlike WPA.

6

For IoT devices you can create separate VLAN network and SSID with WPA2 only network.

7

Thats my new step, what im trying for now. If you can look at the config i maked VLAN wifi “pila remote” for home office work, but i dont know if its correct. I cant ping cross networks so i think its working. But i have been studying it for a week and still not comfortable and convinced that im doing it right. :smiley:

Im planning to make it look like this:

VLAN 10 - 192.168.10.0 - WiFi for phones

VLAN 20 - 192.168.20.0 - WiFi for work notebook homeoffice

VLAN 30 - 192.168.30.0 - WiFi IoT - vacuum, washing machine, TV(i dont know if should TV put there)

VLAN 40 - 192.168.40.0 - kids room cam, the problem is that cam need to be connected to network for i can use it on my and wife phones, if i cut the internet, it will only work in main app for me, so still idk how to figure it out, the cam without power over day, its only for night, if everythink is ok when they are sleeping. I will start looking for some cam that dont need to be in some 3rd party cloud.

VLAN 50 - 192168.50.0 - ETH2 - my computer

VLAN 60 - 192.168.60.0 - ETH3 - wife gaming PC

What i saw, there is several method to make “VLANs”. But i cant still find the right guidance for me. :slight_smile:

8

Why so many VLANs ?? I would put phones and your and your wife’s PC in same VLAN or are you trying to say that you don’t trust your wife ?? :laughing: :laughing:

Kids camera in the same VLAN as your IoT devices, office stuff can go in separate VLAN.

I can recommend you VLAN guide from pcunite so you became familiar with VLANs and anav have great tutorial.

pcunite guide:

http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

anav guide:

https://forum.mikrotik.com/viewtopic.php?t=182373

And don’t use two bridges… only one bridge is needed…

/interface bridge
add name=bridge-VLAN10 vlan-filtering=yes
add name=loca
9

More secured. :smiley: Yep, i definitely need to separate her computer.

Ok, thank you for recommendations. I will take a look and will put a feedback, how im doing. :slight_smile: :sunglasses:

10

You know, my colleague once said to me… but why so much security ? Are you running a bank ? :laughing: :laughing: :laughing:

11

No, im not, but i like it. :smiley: Im starting to reading the guide what u reffered. I would like to prepare it like this. What you think about that? For the VLAN40 i will enable client isolation. The WIFE PC i want it to be separated if she donwload some malware, but i think that i can put it to VLAN 10 and make isolation too? Hard to decide without experience for me. Thank for your tips. :slight_smile:. Sorry for ugly diagram.
Diagram bez názvu.drawio.png

12

I have similar problem and it seems to be connected to SAE Anti Clogging Threshold. more here http://forum.mikrotik.com/t/wifi-wave2-wpa2-wpa3/157337/8