If it helps, I use this for some separation: main network with full FT, then a guest network on just one AP with just WPA2/CCMP and no FT. Works well for me anyway.
/interface wifi channel
add band=5ghz-ax disabled=no frequency=5745 name=155 skip-dfs-channels=10min-cac width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5180 name=42 skip-dfs-channels=10min-cac width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5500 name=106 skip-dfs-channels=10min-cac width=20/40/80mhz
add band=2ghz-ax disabled=no frequency=2412 name=1 skip-dfs-channels=10min-cac width=20mhz
add band=2ghz-ax disabled=no frequency=2437 name=6 skip-dfs-channels=10min-cac width=20mhz
add band=2ghz-ax disabled=no frequency=2462 name=11 skip-dfs-channels=10min-cac width=20mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disabled=no encryption=ccmp ft=\
yes ft-over-ds=yes management-protection=allowed name=sec1 wps=disable
add authentication-types=wpa2-psk disabled=no encryption=ccmp management-protection=allowed name=sec3 wps=\
disable
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-001-3cdd55e9 rrm=yes wnm=yes
/interface wifi
# operated by CAP 48:A9%bridge, traffic processing on CAP
add channel=106 configuration.country="United Kingdom" .mode=ap .ssid=001 disabled=no name=cap-1 \
radio-mac=48:A9:8A security=sec1 steering=steering1
# operated by CAP 48:A9%bridge, traffic processing on CAP
add channel=1 configuration.country="United Kingdom" .mode=ap .ssid=001 disabled=no name=cap-2 radio-mac=\
48:A9 security=sec1 steering=steering1 steering.2g-probe-delay=yes
set [ find default-name=wifi1 ] channel=42 configuration.country="United Kingdom" .mode=ap .ssid=001 \
disabled=no security=sec1 steering=steering1
set [ find default-name=wifi2 ] channel=11 configuration.country="United Kingdom" .mode=ap .ssid=001 \
disabled=no security=sec1 steering=steering1 steering.2g-probe-delay=yes
add configuration.mode=ap .ssid=Radio disabled=no mac-address=1A:FD:74 master-interface=wifi1 name=\
wifi3 security=sec3
add configuration.mode=ap .ssid=Radio disabled=no mac-address=1A:FD master-interface=wifi2 name=\
wifi4 security=sec3
/interface wifi capsman
set enabled=yes
/interface bridge port
add bridge=bridge interface=wifi3
add bridge=bridge interface=wifi4
/interface bridge filter
add action=drop chain=forward in-interface=wifi3
add action=drop chain=forward in-interface=wifi4
add action=drop chain=forward out-interface=wifi3
add action=drop chain=forward out-interface=wifi4
I also use this as a general guide to try and understand what transpires and why.
Please don’t take this as gospel. I’ll be happy for anybody to point out any errors in the following to save even more confusion around here.
General Guide
To enable wifi connect priority 0/1 on a Mikrotik router, specifically for roaming or steering functionality, you need to configure the connect-priority setting within the WiFi security profile.
This setting prioritizes connections, ensuring that devices prefer one access point over another when multiple are available. For WPA2, roaming might work without modification,
but for WPA3, connect-priority=0/1 is often required.
Here's a breakdown of what's needed and why:
1. Understanding Connect Priority:
Purpose:
connect-priority determines which access point a client will connect to when multiple APs with the same SSID are available.
Values:
0/1 means that if a client is connected to an access point and finds another one with a better signal (or other criteria set by the AP),
it will drop the current connection and connect to the new one.
Other values:
0/0 would only allow a connection to a different AP if the current one is unreachable, and 1/0 would not allow a connection to the other AP at all.
2. Configuration Steps (General):
Access the Router's Configuration:
Use Winbox or the command-line interface (CLI) to access your Mikrotik router's settings.
Locate the Security Profile:
Navigate to the WiFi interface's security settings, where you'll find the security profile you're using.
Modify connect-priority:
Set the connect-priority value to 0/1 within the security profile.
Enable/Verify Other Settings:
Ensure that other relevant settings like authentication-types (e.g., wpa2-psk or wpa3-psk), management-protection (if needed),
and ft (Fast Transition for roaming) are configured correctly.
3. WPA3 Considerations:
WPA3 Roaming:
With WPA3, connect-priority=0/1 is often necessary for proper roaming behavior, especially when using Fast Transition (FT).
Potential Issues:
Some users have reported issues with WPA3 and roaming, and setting connect-priority=0/1 can resolve these.
4. Other Factors for Seamless Roaming:
*Signal Levels: Adjust signal strengths on your access points to encourage devices to roam when they should.
*Band Steering: Consider using band steering to guide devices to the 5 GHz band for better performance.
*SSID: Ensure all your access points have the same SSID.
In summary, to enable connect priority 0/1 for roaming on a Mikrotik router, navigate to the relevant WiFi security profile and set connect-priority to 0/1. For WPA3,
this setting is often crucial for reliable roaming, but also consider other factors like signal levels and band steering for optimal performance.
*Steering Probe Delay
The command 'steering.2g-probe-delay=yes' in MikroTik's RouterOS enables a feature that delays sending probe requests on the 2.4 GHz band.
This can help reduce interference and improve client roaming behavior in congested 2.4 GHz environments. It works by introducing a small delay before sending out probe requests,
giving clients a chance to connect to the strongest available AP before the router actively probes for other potential connections.
Here's a more detailed explanation:
When a wireless client moves out of range of its current access point (AP), it sends out probe requests to discover other available APs.
These requests are broadcast on the radio frequency, and can contribute to network congestion, especially in areas with many Wi-Fi networks.
Delaying Probe Requests:
By setting steering.2g-probe-delay=yes, the router will wait a short period (default) before sending out its own probe requests.
This delay allows clients to potentially connect to a stronger AP on their own before the router starts actively probing for new connections.
*Improved Roaming
In crowded 2.4 GHz environments, clients might initially connect to a weaker AP due to the rapid succession of probe requests. By introducing a delay,
clients have a better chance of connecting to the strongest AP, leading to smoother roaming and better overall performance.
In essence, this command optimizes the behavior of the 2.4 GHz band to enhance client roaming and potentially reduce interference.
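Added example, not part of the original post: a small offline check that parses a RouterOS export like the one above (including its `\` line wraps) and reports bridged guest interfaces that lack an unconditional forward-chain drop rule in either direction. The function names `parse_export` and `isolation_gaps` are hypothetical, and the sample input is constructed from the post's export with one filter rule removed to show a finding.

```python
import shlex

# Constructed input: excerpt of the export above with the wifi4 out-interface rule removed.
SAMPLE = r"""
/interface wifi security
add authentication-types=wpa2-psk disabled=no encryption=ccmp management-protection=allowed name=sec3 wps=\
    disable
/interface bridge port
add bridge=bridge interface=wifi3
add bridge=bridge interface=wifi4
/interface bridge filter
add action=drop chain=forward in-interface=wifi3
add action=drop chain=forward in-interface=wifi4
add action=drop chain=forward out-interface=wifi3
"""

def parse_export(text):
    """Return [(menu_path, {key: value})] for every add/set line of an export."""
    rows, path, buf = [], None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):      # exports wrap long lines, even mid-value
            buf = line[:-1]
            continue
        buf = ""
        if line.startswith("/"):
            path = line
        elif line and not line.startswith("#"):
            rows.append((path, dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)))
    return rows

def isolation_gaps(rows, guest_ifaces):
    """List (interface, direction) pairs with no unconditional forward-chain drop."""
    bridged = {p.get("interface") for path, p in rows if path == "/interface bridge port"}
    dropped = set()
    for path, p in rows:
        if path != "/interface bridge filter" or p.get("disabled") == "yes":
            continue
        matchers = set(p) - {"action", "chain", "disabled", "comment"}
        # Only a rule whose single matcher is the interface drops everything on it.
        if p.get("action") == "drop" and p.get("chain") == "forward" and len(matchers) == 1:
            key = matchers.pop()
            if key in ("in-interface", "out-interface"):
                dropped.add((key, p[key]))
    return [(i, d) for i in guest_ifaces if i in bridged
            for d in ("in-interface", "out-interface") if (d, i) not in dropped]

if __name__ == "__main__":
    for iface, direction in isolation_gaps(parse_export(SAMPLE), ["wifi3", "wifi4"]):
        print(f"{iface}: no forward-chain drop on {direction}")
```

The check ignores rule order, so an earlier accept rule would still take precedence on the router. It covers only the bridge forward chain that the post's rules use; frames addressed to the router itself pass through the bridge input chain instead.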