Wifi Latency

Hello, beginner looking for advice on wifi issue. I have RB941-2nD-TC hAP Lite.

Issue is spikes in latency across wifi network:
Multiple devices experiencing ping times up to 100 ms (bounces from <1ms up to 100 ms, no apparent pattern)
Same devices hardwired into the same Mikrotik router latency is consistent <1ms
I live in a rural area, 500m from nearest neighbour. No other wifi networks running in my house.
Connect Dlink DIR-645 to Mikrotik via Ethernet, and use the DIR-645 as an access point works fine - latency problem goes away
I have tried all available channel width options (currently set to 20/40 Mhz Ce, but I have tried them all)
I have tried all available frequencies (currently set to auto, but I have tried them all)

Anything else to try? Here’s my config:

# sep/28/2017 13:26:29 by RouterOS 6.34.2
# software id = PM9J-FXZT
#

/interface bridge
add admin-mac=6C:3B:6B:AF:56:37 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    distance=indoors frequency=auto mode=ap-bridge ssid=mackinnon \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether4,ether1 max-mru=1480 \
    max-mtu=1480 name=pppoe-out1 service-name="Teksavvy MLPPP" user=\
    /ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=\
    192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.123,208.67.220.123
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=pppoe-out1
/system clock
set time-zone-name=America/Toronto
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled
/tool graphing interface
add
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

• edit - removed user name and added code box, thanks for suggestions

Please wrap the config output in |code| block. Also remove your username and any sensitive data.

Looking at your configuration.

MTU:
Please test setting the MTU by running commands. Then set this line correctly.

/interface pppoe-client max-mru=1472 max-mtu=1472

Security Profile:
Next, change your security profile like so, so that you’re only using wpa2-psk and a longer key update.

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys group-key-update=60m

firewall filter
Your firewall filter is incorrect. What is your WAN interface? ether1 or pppoe-out1? Please use these sensible rules instead. Read slowly.

/ip firewall filter
add chain=input action=accept connection-state=established,related comment="Accept established related"
add chain=input action=accept in-interface=bridge comment="Allow LAN access to router and Internet"
add chain=input action=drop comment="Drop all other input"

add chain=forward action=accept connection-state=established,related comment="Accept established related"
add chain=forward action=accept connection-state=new in-interface=bridge comment="Allow LAN access to router and Internet"
add chain=forward action=accept connection-nat-state=dstnat comment="Allow Port forwards"
add chain=forward action=drop comment="Drop all other forward"

/ip firewall nat
add chain=srcnat action=masquerade out-interface=pppoe-out1 comment="Default masq"

Thanks pcunite, your help is greatly appreciated. I have adjusted the MTU and changed the security profile (so far that hasn’t fixed the latency problem).

Before changing the firewall filter, I wanted to explain my setup a little further. I am using MLPPP to connect to my ISP over 2 DSL lines. The lines are physically connected to Ether1 and Ether4. PPPoE-Out1 is the virtual WAN interface that binds the two physical interfaces.

Does that change your recommendation on firewall rules?

Well, just make sure you are consistent with your rules to use whatever is WAN vs. LAN.

OK I changed the FW rules as suggested. No impact on wireless issue unfortunately, still seeing frequent latency spikes. It’s really making VoIP unusable over Wifi.

Any other suggestions for troubleshooting?

Current config:

> export hide-sensitive 
# oct/02/2017 09:15:54 by RouterOS 6.34.2
# software id = PM9J-FXZT
#
/interface bridge
add admin-mac=6C:3B:6B:AF:56:37 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=mackinnon \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether4,ether1 max-mru=1472 \
    max-mtu=1472 name=pppoe-out1 service-name="Teksavvy MLPPP" user=\
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-key-update=1h \
    mode=dynamic-keys
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=23h10m name=\
    defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=\
    192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.123,208.67.220.123
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="Accept established related" connection-state=\
    established,related
add chain=input comment="Allow LAN access to router and Internet" \
    in-interface=bridge
add action=drop chain=input comment="Drop all other input"
add chain=forward comment="Accept established related" connection-state=\
    established,related
add chain=forward comment="Allow LAN access to router and Internet" \
    connection-state=new in-interface=bridge
add chain=forward comment="Allow Port forwards" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all other forward"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=pppoe-out1
/system clock
set time-zone-name=America/Toronto
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled
/tool graphing interface
add
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

I did not realize you where working with VoIP equipment. Please install 6.38.7 firmware. There are a lot of things to be aware of involving VoIP. However, things are fine for you off WiFi. Install the new firmware, then do a spectral scan. You may have interference even though it seems you are in the clear. Interference can come from microwaves, bluetooth, other cordless type items, or who knows what … that will not show up as a WiFi device.

/interface wireless spectral-history wlan1

Firmware upgrade was successful, however running that command crashes the router. Below is output in terminal after running the command, then trying again… crashes after displaying first line each time). Now trying to find some wifi spectrum analyzer for Android device to see if I can get info that way… will post results if I find anything.

oct/03/2017 09:28:32 system,error,critical router was rebooted without proper sh
utdown
oct/03/2017 09:28:33 system,error,critical kernel failure in previous boot
oct/03/2017 09:31:30 system,error,critical router was rebooted without proper sh
utdown
oct/03/2017 09:31:30 system,error,critical kernel failure in previous boot
[Colin@MikroTik] > /interface wireless spectral-history wlan1 
max:   < -90 <= . < -80 <= + < -70 <= * < -60 <= # < -35 <= %

Here’s a screenshot from an Android spectrum analyzer, not sure if this helps:

https://drive.google.com/file/d/0B4zxz0m1Yc9STkozcEpXcllpUzRhazlZU0dXYzQwVURLbGdV/view?usp=sharing

Also ran a ping at the same time as taking the screen shot… ping is from Windows laptop > HAP Lite over Wifi… again if I plug the same laptop into a physical port on the router, no latency and if I use same laptop on Dlink 2.4 Ghz wifi also no latency

Reply from 192.168.88.1: bytes=32 time<1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=6ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=2ms TTL=64
Reply from 192.168.88.1: bytes=32 time=215ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=5ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=3ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=350ms TTL=64
Reply from 192.168.88.1: bytes=32 time=170ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time<1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=28ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=290ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64
Reply from 192.168.88.1: bytes=32 time<1ms TTL=64
Reply from 192.168.88.1: bytes=32 time<1ms TTL=64
Reply from 192.168.88.1: bytes=32 time=1ms TTL=64

That is only showing WiFi polite devices, not what is actually in the air. I don’t know how to help you further. Sorry.

I would like you to remove the Wifi security for testing. You can add it again later.

Use the open Wifi to see if you still have latency spikes.

This looks like a decent android wifi analysis app: https://www.appszoom.com/android_applications/tools/wifi-analyzer_gotsf.html