WiFi Disconnect Issues with hAP ax² - Seeking Advice on Stable Version and Future Updates

Hi everyone,

I’ve been a loyal MikroTik user for years, and never had wifi issues but but my recent experience with the hAP ax² has been frustrating. Since day one, I’ve been dealing with WiFi disconnect issues that aren’t related to signal strength or distance from the AP—all my devices are in the same location with excellent signal quality. Yet, I keep seeing “disconnected, connection lost” notifications without any clear cause.

After testing various firmware versions, the most stable I’ve found is 7.14.3. However, when I upgraded to the latest 7.16.1, I had a pretty terrible experience. The disconnects became so frequent that I nearly considered throwing the router away! It was especially embarrassing during work meetings, where I’d get disconnected mid-sentence while presenting.

So, I have a question for everyone here, as I assume some of you might have had similar experiences: Should I stick with 7.14.3 and ignore new releases until a stable solution comes out?
Also, does anyone know if MikroTik plans to officially announce a firmware release to install once the WiFi issues are permanently fixed?

Thanks
George.

Did you disable wpa3 ???
By the way tis why I rely on TPLINK wifi, while practicing with ax wifi.

experience with the hAP ax² has been frustrating. Since day one, I’ve been dealing with WiFi disconnect issues that aren’t related to signal strength or distance from the AP—all my devices are in the same location with excellent signal quality.

Not sure what signal strength you get here. Your configuration may allow for different 5GHz channels to be used, in an uncontrolled way. And for the hAP ax² and ax³ the power of those channels vary from 30dBm to 14dBm , or in other words can be 1000mW to 25mW strong/weak with the same configuration setting. The ac series normally had no 25mW channels allowed.
The 25mW channels are for Europe, and in some ROS7.xx version (some 7.14) upgrade they changed the default country from US to Latvia (Europe). So suddenly you face the potential of very weak signals, which cannot be seen with the configuration only. (Channel selection can be dynamic)

To avoid the weak 5GHz channels, Restrict the allowed channels to the 5100-5700 range !!!
Check the status for the transmission strength and registration table for the received signal strength.
Value in registration table greater than -30dBm (e.g. -29dBm) is too strong and will also cause disconnects

If I may, a meta-question.

Why (the heck) are most people here on the forum obsessed with updating?

Besides the obvious mistakes the good Mikrotik guys insist on making, pushing out new versions without appropriate testing, and mixing all together, without even an attempt to prioritize them, new features, bug fixes, half-@ssed experimental additions and what not, it seems to me like many users believe in the fallacy of “new is better” which may, or It may not be true in all cases.

1)You have a working setup? Do not update.
2)There is a needed security fix? Update.
3)There is a new feature that you need or only want to try? Update but be ready to go back to #1 or #2 if something that was working has become worse or doesn’t work anymore.

Like the kid’s today say: FOMO (Fear of Missing Out [on something cool, hip, current, etc.])

Thank you so much all for your response!

I appreciate the advice about WPA3 – I had already disabled it, but unfortunately, the issue persisted. (Also I ave a question why to disable WPA3? I have seen a lot of references on this, mikrotik does not support WPA3? what is the problem on this? supposed to be wifi6 secure device. )

Regarding the signal strength this is an example:
disconnected, connection lost, signal strength -52

Not sure how to restrict the allowed channels to the 5100-5700 range? When I click on the channel setting does not list anything.
If there is a good tutorial

That said, staying on top of firmware updates has become absolutely essential for me, particularly because I have several services exposed to the internet. Security is critical, and regular updates are a priority to help keep everything as safe as possible. Keeping firmware current should not only ensures stability but also helps protect against vulnerabilities, which is especially important when external access is involved.

Thanks.

George

Yep, I understand, but due to the way Mikrotik creates the updates (since they “mix” bug fixes with new features) just updating because a new version came out can actually be less safe.

The same new feature that creates the instability (whatever it is) may well - for all we know - introduce a new vulnerability.

Newer is not always better. You can read changelogs to consider upgrading or not.

Can you provide us with a complete export?

/export file=anynameyoulike

Remove serial and any other private info.

thank you @erlinden

I have pasted my config file.

# 2024-10-28 12:34:29 by RouterOS 7.14.3
# software id = TYKS-1IZI
#
# model = C52iG-5HaxD2HaxD
# serial number = xxxxxxx
/interface bridge
add admin-mac=48:A9:8A:xxxx auto-mac=no comment=defconf name=bridge
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40/80mhz configuration.chains="" .country=\
    "United Kingdom" .mode=ap .ssid=XXXXXX .tx-chains="" disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .connect-priority=0 .ft=\
    yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=\
    10min-cac .width=20/40mhz configuration.country="United Kingdom" .mode=ap \
    .ssid=XXXXXXXX disabled=no security.authentication-types=\
    wpa2-psk,wpa3-psk .connect-priority=0 .ft=yes .ft-over-ds=yes
add configuration.mode=ap .ssid=XXXXXXXXXXguest24 mac-address=xxxxx \
    master-interface=wifi1 name=wifi3
add configuration.ssid=XXXXXguest5 mac-address=4A:A9:8Axxxxx \
    master-interface=wifi2 name=wifi4
/interface wireguard
add listen-port=13233 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
    0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
    0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
/interface bridge filter
# wifi3 not ready
# in/out-bridge-port matcher not possible when interface (wifi3) is not slave
add action=drop chain=forward in-interface=wifi3
# wifi3 not ready
# in/out-bridge-port matcher not possible when interface (wifi3) is not slave
add action=drop chain=forward out-interface=wifi3
# wifi4 not ready
# in/out-bridge-port matcher not possible when interface (wifi4) is not slave
add action=drop chain=forward in-interface=wifi4
# wifi4 not ready
# in/out-bridge-port matcher not possible when interface (wifi4) is not slave
add action=drop chain=forward out-interface=wifi4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=wifi3
add bridge=bridge interface=wifi4
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dns
set allow-remote-requests=yes cache-max-ttl=10m servers=8.8.8.8,8.8.4.4
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=xxxxxxx profile=OVPN-Profile service=ovpn
/snmp
set enabled=yes trap-generators=interfaces trap-interfaces=all trap-version=3
/system clock
set time-zone-name=Europe/London
/system logging
set 0 action=remote
set 1 action=remote
set 2 action=remote
set 3 action=remote
add topics=ovpn
add topics=ovpn,info
add action=remote topics=caps
add action=remote disabled=yes topics=wireless
add topics=critical
add topics=error
add topics=info
add action=remote disabled=yes topics=dhcp
add action=remote topics=health
add topics=firewall
add action=remote topics=firewall
add action=remote topics=ovpn
add disabled=yes topics=ntp
add topics=wireless
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.europe.pool.ntp.org
add address=1.europe.pool.ntp.org
add address=2.europe.pool.ntp.org
add address=3.europe.pool.ntp.org
/system routerboard settings
set auto-upgrade=yes
/tool graphing interface
add interface=bridge
add interface=wifi1
add interface=wifi2
add interface=wifi3
add interface=wifi4
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-src-port=49222