WIFI roaming for WPA3 broken again (somewhere from 7.17.1+- to 7.18beta5) (edit: solved)

(edit: solved! Long story short: for WPA3-PSK users to successfully roam, you need to include the following:
/interface/wifi/security/connect-priority=0/1
)

Hi.

I have 3x Wi-Fi APs (hAP ax^3) and 1x CAPsMAN controller (on hAP ac^2, Wi-Fi interfaces disabled there).

Until yesterday, I had some stable version (probably 7.16.2), and Wi-Fi roaming was working fine there.
Yesterday, I updated to 7.17.1, and Wi-Fi roaming stopped working.

Clients just “reconnect” with about a 0.5-1 second interruption to the other AP, and “disconnected” and “connected” messages appear in the log:

```text
C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G disconnected, connection lost, signal strength -80
C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G connected, signal strength -53
```

and back

```text
C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G disconnected, not responding, signal strength -88
C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G connected, signal strength -56
```

Before the update, only one “roaming” message was appearing there instead:

```text
C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G, signal strength -48
```

or back

```text
C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G, signal strength -48
```

I think the problem is that I cannot select both “WPA2 PSK” and “WPA3 PSK” together in the security settings.
Perhaps the issue is the combination with the “Management Protection” setting.

  1. “WPA3 PSK” only:
    When only the option “WPA3 PSK” is selected, “Management Protection” must be set to “required”.
    Otherwise, no clients are able to connect with “allowed” or “disabled”.
    But even with “required”, the “roaming” is not working.
    It seems that clients try to roam (the client’s SW shows connected=roamed to the new AP) but are immediately “disconnected” and “connected” again.

  2. “WPA2 PSK” only:
    When “WPA2 PSK” only is selected, and “Management Protection” is set to “disabled|allowed|required|not set”, roaming starts working fine again, as before.

  3. In the older version of 7.16.X, I had the option “WPA2 PSK + WPA3 PSK” with “Management Protection” set to “required”, almost all clients were connected with WPA3 PSK, and roaming was working fine (as expected).
    So some changes were made in the MikroTik SW code, perhaps some bug was introduced, which stops roaming from working for all my clients.
    I am prepared to create a ticket for support, but I am still waiting for the registration email to register there.
    Please check what can be wrong and whether there is perhaps a better solution than turning WPA3 PSK OFF, and also “Protection Management” to OFF.
    It was working a few versions back.

Note:
I see a positive change in version 7.18beta5.
Probably due to the option “.2g-probe-delay=yes”, clients now ROAM more on 5G, while before they usually tended to roam to 2.4G instead of 5G.

Note2:
I added more explanation and my configuration below (3rd post).

Thank you.

Re. “Management Protection” setting: it used to be so that if it wasn’t set, then default value was different when different security setups were in use (for WPA2 it was “disabled” and for WPA3 it was “allowed”). This doesn’t work the same with setting explicitly set. On my 7.17.2 setups I still don’t set it and roaming works for my station devices.

So if you unset the setting, does it work any differently?

First, thanks for the response.
Are you 100% sure that roaming is working for you?
Are we talking about WIFI "AP" mode?
Can you check it (steps below) to be sure?

Do you have 7.17.1 or newer?

Do you see roaming messages with the explicit string "ROAMED" (see below) in the log?

```text
/log print where topics~"wireless"
2025-02-08 17:36:25 wireless,info C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G, signal strength -44
2025-02-08 17:36:46 wireless,info C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G, signal strength -48
2025-02-08 17:37:03 wireless,info C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_chr_wifi-2G, signal strength -52
2025-02-08 17:37:05 wireless,info C8:9B:D7:0E:B8:39@ap_chr_wifi-2G roamed to C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G, signal strength -70
```

Roaming is not working for you if you see DISCONNECTED and following CONNECTED messages in the log, instead of a single ROAMED message.

What do you see in "/interface/wifi/registration-table"?

My config without WPA3-PSK, that means only WPA2-PSK, where roaming is working, is:

```text
/interface/wifi> export
# // ...I removed some lines which were not relevant to this SSID configuration ...
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412 name=2G_ch1-7 skip-dfs-channels=disabled width=20/40mhz-Ce
add band=2ghz-ax disabled=no frequency=2472 name=2G_ch8-14 skip-dfs-channels=disabled width=20/40mhz-eC
add band=5ghz-ax disabled=no frequency=5500 name="5G_ch106(100-112)_f5500(5490-5570)" skip-dfs-channels=disabled width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5580 name="5G_ch122(116-128)_f5580(5570-5650)" skip-dfs-channels=disabled width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5660 name="5G_ch138(132-144)_f5660(5650-5730)" skip-dfs-channels=disabled width=20/40/80mhz
/interface wifi datapath
add bridge=bridgeSwitch disabled=no name=datapath-home vlan-id=110
/interface wifi security
add authentication-types=wpa2-psk disable-pmkid=no disabled=no ft=yes ft-over-ds=yes management-protection=allowed name=security_home wps=disable
/interface wifi configuration
add channel=2G_ch1-7 country=Czech datapath=datapath-home disabled=no mode=ap name=wifi-2G_home_ch1-7 security=security_home ssid=rbhn
add channel=2G_ch8-14 country=Czech datapath=datapath-home disabled=no mode=ap name=wifi-2G_home_ch8-14 security=security_home ssid=rbhn
add channel="5G_ch106(100-112)_f5500(5490-5570)" country=Czech datapath=datapath-home disabled=no mode=ap name="wifi-5G_home_ch106(100-112)_f5500(5490-5570)" security=security_home ssid=rbhn
add channel="5G_ch122(116-128)_f5580(5570-5650)" country=Czech datapath=datapath-home disabled=no mode=ap name="wifi-5G_home_ch122(116-128)_f5580(5570-5650)" security=security_home ssid=rbhn
add channel="5G_ch138(132-144)_f5660(5650-5730)" country=Czech datapath=datapath-home disabled=no mode=ap name="wifi-5G_home_ch138(132-144)_f5660(5650-5730)" security=security_home ssid=rbhn
/interface wifi steering
add 2g-probe-delay=yes disabled=no name=steering_home neighbor-group=dynamic-rbhn-f21aa6c5 rrm=yes wnm=yes
/interface wifi capsman
set enabled=yes interfaces=vlan_home package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no identity-regexp=lvr|bdr master-configuration=wifi-2G_home_ch8-14 name-format=%I_wifi-2G slave-configurations=wifi-2G_guests,wifi-2G_iot supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=chr master-configuration=wifi-2G_home_ch1-7 name-format=%I_wifi-2G slave-configurations=wifi-2G_guests,wifi-2G_iot supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=lvr master-configuration="wifi-5G_home_ch106(100-112)_f5500(5490-5570)" name-format=%I_wifi-5G slave-configurations=wifi-5G_guests supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=chr master-configuration="wifi-5G_home_ch122(116-128)_f5580(5570-5650)" name-format=%I_wifi-5G slave-configurations=wifi-5G_guests supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=bdr master-configuration="wifi-5G_home_ch138(132-144)_f5660(5650-5730)" name-format=%I_wifi-5G slave-configurations=wifi-5G_guests supported-bands=5ghz-ax
```

So roaming is working only when:
authentication-types=wpa2-psk
... and it does not matter how "management-protection" is set (required|allowed|disabled|"not set")
Some clients have "auth-type" set to "ft-wpa2-psk" instead of "wpa2-psk", and for those with "ft-", roaming works as expected:

```text
/interface/wifi/registration-table> print
INTERFACE SSID MAC-ADDRESS UPTIME LAST-ACTIVITY SIGNAL AUTH-TYPE BAND
5 A ap_bdr_wifi-2G rbhn ??:??:??:??:??:?? 27m54s 0ms -55 ft-wpa2-psk 2ghz-ax
6 A ap_chr_wifi-2G rbhn ??:??:??:??:??:?? 27m41s 0ms -40 ft-wpa2-psk 2ghz-n
8 A ap_chr_wifi-2G rbhn ??:??:??:??:??:?? 27m32s 0ms -54 ft-wpa2-psk 2ghz-n
9 A ap_lvr_wifi-5G rbhn ??:??:??:??:??:?? 20m7s 0ms -67 ft-wpa2-psk 5ghz-ac
```

```text
/log print where topics~"wireless"
2025-02-08 17:36:09 wireless,info C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G connected, signal strength -70
2025-02-08 17:36:25 wireless,info C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G, signal strength -44
2025-02-08 17:36:46 wireless,info C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G, signal strength -48
2025-02-08 17:36:50 wireless,info DC:8D:91:51:7C:14@ap_lvr_wifi-2G roamed to DC:8D:91:51:7C:14@ap_lvr_wifi-5G, signal strength -64
2025-02-08 17:37:03 wireless,info C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_chr_wifi-2G, signal strength -52
2025-02-08 17:37:05 wireless,info C8:9B:D7:0E:B8:39@ap_chr_wifi-2G roamed to C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G, signal strength -70
2025-02-08 17:37:34 wireless,info C8:9B:D7:0E:B8:39@ap_lvr_wifi-5G roamed to C8:9B:D7:0E:B8:39@ap_bdr_wifi-5G, signal strength -50
```

Roaming fails for all wpa3-psk settings:
authentication-types=wpa3-psk ... or ... authentication-types=wpa2-psk,wpa3-psk
and
management-protection=required (or "not set")

When roaming fails, I see "wpa3-psk" only:

```text
/interface/wifi/registration-table> print
INTERFACE SSID MAC-ADDRESS UPTIME LAST-ACTIVITY SIGNAL AUTH-TYPE BAND
6 A ap_lvr_wifi-2G rbhn ??:??:??:??:??:?? 59s 0ms -52 wpa3-psk 2ghz-n
7 A ap_lvr_wifi-2G rbhn ??:??:??:??:??:?? 58s 0ms -64 wpa3-psk 2ghz-n
8 A ap_lvr_wifi-2G rbhn ??:??:??:??:??:?? 56s 0ms -71 wpa3-psk 2ghz-n
9 A ap_chr_wifi-2G rbhn ??:??:??:??:??:?? 28s 0ms -73 wpa3-psk 2ghz-ax
```

```text
/log print where topics~"wireless"
2025-02-08 17:20:20 wireless,info C8:9B:D7:0E:B8:39@ap_lvr_wifi-2G connected, signal strength -71
2025-02-08 17:20:57 wireless,info C8:9B:D7:0E:B8:39@ap_lvr_wifi-2G disconnected, not responding, signal strength -79
2025-02-08 17:21:02 wireless,info C8:9B:D7:0E:B8:39@ap_chr_wifi-2G connected, signal strength -78
2025-02-08 17:24:43 wireless,info C8:9B:D7:0E:B8:39@ap_chr_wifi-2G disconnected, not responding, signal strength -76
2025-02-08 17:24:46 wireless,info C8:9B:D7:0E:B8:39@ap_bdr_wifi-2G connected, signal strength -51
```

When I set management-protection to "allowed" or "disabled", clients are not even able to connect to the network at all (which is expected and OK).
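The log criterion from the post above (one "roamed to" line versus a "disconnected" followed shortly by a "connected" on another interface), written as a parser; this is an added example, not code from the thread or from MikroTik. The sample lines, MAC addresses, interface names and the 10-second window are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Line shape taken from the log excerpts in the thread:
#   <date> <time> wireless,info <MAC>@<iface> <event text>
LINE_RE = re.compile(
    r"^\s*(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) wireless,info "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})@(?P<iface>\S+) "
    r"(?P<event>roamed to|connected|disconnected)\b(?P<rest>.*)$"
)

# Constructed sample: client ...:01 re-associates, client ...:02 roams.
# The indented duplicate mimics a setup that logs to two destinations.
SAMPLE_LOG = """\
2025-02-08 17:20:20 wireless,info 02:00:00:00:00:01@ap_a_wifi-2G connected, signal strength -71
2025-02-08 17:20:57 wireless,info 02:00:00:00:00:01@ap_a_wifi-2G disconnected, not responding, signal strength -79
2025-02-08 17:21:02 wireless,info 02:00:00:00:00:01@ap_b_wifi-2G connected, signal strength -78
2025-02-08 17:36:25 wireless,info 02:00:00:00:00:02@ap_a_wifi-5G roamed to 02:00:00:00:00:02@ap_b_wifi-5G, signal strength -44
 2025-02-08 17:36:25 wireless,info 02:00:00:00:00:02@ap_a_wifi-5G roamed to 02:00:00:00:00:02@ap_b_wifi-5G, signal strength -44
2025-02-08 18:15:26 wireless,info 02:00:00:00:00:02@ap_b_wifi-5G disconnected, group key timeout, signal strength -97
2025-02-08 18:26:00 wireless,info 02:00:00:00:00:02@ap_a_wifi-5G connected, signal strength -79
"""


def classify_handoffs(lines, window=timedelta(seconds=10)):
    """Return (mac, kind, from_iface, to_iface) tuples in log order.

    kind is "roam" for a single "roamed to" line and "reassociation" for a
    disconnect followed within `window` by a connect on another interface.
    """
    events = []
    last_disconnect = {}  # mac -> (timestamp, iface)
    seen = set()          # exact lines already processed (duplicate destinations)
    for raw in lines:
        line = raw.strip()
        match = LINE_RE.match(line)
        if not match or line in seen:
            continue
        seen.add(line)
        ts = datetime.strptime(match["ts"], "%Y-%m-%d %H:%M:%S")
        mac, iface, event = match["mac"].upper(), match["iface"], match["event"]
        if event == "roamed to":
            target = re.search(r"@([^,\s]+)", match["rest"])
            events.append((mac, "roam", iface, target.group(1) if target else "?"))
            last_disconnect.pop(mac, None)
        elif event == "disconnected":
            last_disconnect[mac] = (ts, iface)
        else:  # "connected"
            prev = last_disconnect.pop(mac, None)
            # A long gap (for example after a group key timeout) is an
            # ordinary reconnect, not a failed roam, so it is not reported.
            if prev and prev[1] != iface and ts - prev[0] <= window:
                events.append((mac, "reassociation", prev[1], iface))
    return events


def clients_not_roaming(events):
    """MACs that only ever changed AP by disconnect + connect."""
    counts = Counter((mac, kind) for mac, kind, _, _ in events)
    macs = {mac for mac, *_ in events}
    return sorted(
        m for m in macs
        if counts[(m, "reassociation")] and not counts[(m, "roam")]
    )


if __name__ == "__main__":
    found = classify_handoffs(SAMPLE_LOG.splitlines())
    for event in found:
        print(*event)
    print("no clean roams:", clients_not_roaming(found))
```

Feed it the output of `/log print where topics~"wireless"` saved to a file, one line per entry.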

  1. 7.17.2
  2. (logs are double ... because I have two log destinations, memory and disk)
```text
2025-02-08 09:04:49 wireless,info 34:F0:43:B4:80:B0@cap-audience-2g-42 connected, signal strength -41
2025-02-08 10:14:06 wireless,info 34:F0:43:B4:80:B0@cap-audience-2g-42 roamed to 34:F0:43:B4:80:B0@cap-audience-5g-42, signal strength -66
2025-02-08 10:14:06 wireless,info 34:F0:43:B4:80:B0@cap-audience-2g-42 roamed to 34:F0:43:B4:80:B0@cap-audience-5g-42, signal strength -66
2025-02-08 12:02:13 wireless,info 34:F0:43:B4:80:B0@cap-audience-5g-42 roamed to 34:F0:43:B4:80:B0@cap-wap-2g-42, signal strength -34
2025-02-08 12:02:13 wireless,info 34:F0:43:B4:80:B0@cap-audience-5g-42 roamed to 34:F0:43:B4:80:B0@cap-wap-2g-42, signal strength -34
2025-02-08 12:04:49 wireless,info 34:F0:43:B4:80:B0@cap-wap-2g-42 roamed to 34:F0:43:B4:80:B0@cap-wap-5g-42, signal strength -58
2025-02-08 12:04:49 wireless,info 34:F0:43:B4:80:B0@cap-wap-2g-42 roamed to 34:F0:43:B4:80:B0@cap-wap-5g-42, signal strength -58
2025-02-08 13:23:17 wireless,info 84:98:66:7C:71:ED@cap-audience-2g-42 roamed to 84:98:66:7C:71:ED@cap-wap-2g-42, signal strength -53
2025-02-08 13:23:17 wireless,info 84:98:66:7C:71:ED@cap-audience-2g-42 roamed to 84:98:66:7C:71:ED@cap-wap-2g-42, signal strength -53
2025-02-08 13:33:23 wireless,info 84:98:66:7C:71:ED@cap-wap-2g-42 roamed to 84:98:66:7C:71:ED@cap-audience-5g-42, signal strength -69
2025-02-08 13:33:23 wireless,info 84:98:66:7C:71:ED@cap-wap-2g-42 roamed to 84:98:66:7C:71:ED@cap-audience-5g-42, signal strength -69
2025-02-08 14:10:26 wireless,info 54:10:4F:DF:55:FF@cap-wap-5g-42 roamed to 54:10:4F:DF:55:FF@cap-wap-2g-42, signal strength -68
2025-02-08 14:10:26 wireless,info 54:10:4F:DF:55:FF@cap-wap-5g-42 roamed to 54:10:4F:DF:55:FF@cap-wap-2g-42, signal strength -68
2025-02-08 14:10:41 wireless,info 54:10:4F:DF:55:FF@cap-wap-2g-42 roamed to 54:10:4F:DF:55:FF@cap-audience-5g-42, signal strength -86
2025-02-08 14:10:41 wireless,info 54:10:4F:DF:55:FF@cap-wap-2g-42 roamed to 54:10:4F:DF:55:FF@cap-audience-5g-42, signal strength -86
2025-02-08 14:15:26 wireless,info 54:10:4F:DF:55:FF@cap-audience-5g-42 disconnected, group key timeout, signal strength -97
2025-02-08 14:15:26 wireless,info 54:10:4F:DF:55:FF@cap-audience-5g-42 disconnected, group key timeout, signal strength -97
2025-02-08 14:26:00 wireless,info 54:10:4F:DF:55:FF@cap-audience-5g-42 connected, signal strength -79
2025-02-08 14:26:00 wireless,info 54:10:4F:DF:55:FF@cap-audience-5g-42 connected, signal strength -79
2025-02-08 14:26:05 wireless,info 0A:1E:47:03:74:AD@cap-audience-5g-42 roamed to 0A:1E:47:03:74:AD@cap-audience-2g-42, signal strength -62
2025-02-08 14:26:05 wireless,info 0A:1E:47:03:74:AD@cap-audience-5g-42 roamed to 0A:1E:47:03:74:AD@cap-audience-2g-42, signal strength -62
2025-02-08 14:34:45 wireless,info 84:98:66:7C:71:ED@cap-audience-5g-42 roamed to 84:98:66:7C:71:ED@cap-wap-5g-42, signal strength -63
2025-02-08 14:34:45 wireless,info 84:98:66:7C:71:ED@cap-audience-5g-42 roamed to 84:98:66:7C:71:ED@cap-wap-5g-42, signal strength -63
2025-02-08 14:45:08 wireless,info 54:10:4F:DF:55:FF@cap-audience-5g-42 roamed to 54:10:4F:DF:55:FF@cap-wap-2g-42, signal strength -50
2025-02-08 14:45:08 wireless,info 54:10:4F:DF:55:FF@cap-audience-5g-42 roamed to 54:10:4F:DF:55:FF@cap-wap-2g-42, signal strength -50
2025-02-08 14:47:21 wireless,info 54:10:4F:DF:55:FF@cap-wap-2g-42 roamed to 54:10:4F:DF:55:FF@cap-wap-5g-42, signal strength -72
2025-02-08 14:47:21 wireless,info 54:10:4F:DF:55:FF@cap-wap-2g-42 roamed to 54:10:4F:DF:55:FF@cap-wap-5g-42, signal strength -72
2025-02-08 16:49:01 wireless,info 54:10:4F:DF:55:FF@cap-wap-5g-42 roamed to 54:10:4F:DF:55:FF@cap-wap-2g-42, signal strength -67
2025-02-08 16:49:01 wireless,info 54:10:4F:DF:55:FF@cap-wap-5g-42 roamed to 54:10:4F:DF:55:FF@cap-wap-2g-42, signal strength -67
2025-02-08 16:52:37 wireless,info 54:10:4F:DF:55:FF@cap-wap-2g-42 roamed to 54:10:4F:DF:55:FF@cap-audience-2g-42, signal strength -78
2025-02-08 16:52:37 wireless,info 54:10:4F:DF:55:FF@cap-wap-2g-42 roamed to 54:10:4F:DF:55:FF@cap-audience-2g-42, signal strength -78
2025-02-08 16:56:14 wireless,info 54:10:4F:DF:55:FF@cap-audience-2g-42 disconnected, group key timeout, signal strength -81
2025-02-08 16:56:14 wireless,info 54:10:4F:DF:55:FF@cap-audience-2g-42 disconnected, group key timeout, signal strength -81
2025-02-08 16:59:26 wireless,info 54:10:4F:DF:55:FF@cap-wap-5g-42 connected, signal strength -77
2025-02-08 16:59:26 wireless,info 54:10:4F:DF:55:FF@cap-wap-5g-42 connected, signal strength -77
2025-02-08 17:41:11 wireless,info 54:10:4F:DF:55:FF@cap-wap-5g-42 roamed to 54:10:4F:DF:55:FF@cap-audience-5g-42, signal strength -68
2025-02-08 17:41:11 wireless,info 54:10:4F:DF:55:FF@cap-wap-5g-42 roamed to 54:10:4F:DF:55:FF@cap-audience-5g-42, signal strength -68
```

```text
Flags: A - AUTHORIZED
Columns: INTERFACE, SSID, MAC-ADDRESS, UPTIME, LAST-ACTIVITY, SIGNAL, AUTH-TYPE, BAND
INTERFACE SSID MAC-ADDRESS UPTIME LAST-ACTIVITY SIGNAL AUTH-TYPE BAND
0 A cap-wap-2g-42 mkxNet AC:BD:70:xx:yy:zz 1d8h43m57s 0ms -39 wpa2-psk 2ghz-n
1 A cap-wap-5g-42 mkxNet 78:F2:38:xx:yy:zz 10h16m32s 15s30ms -45 ft-wpa2-psk 5ghz-ax
2 A cap-wap-5g-42 mkxNet 34:F0:43:xx:yy:zz 5h59m59s 21s40ms -56 ft-wpa2-psk 5ghz-ac
3 A cap-audience-2g-42 mkxNet 0A:1E:47:xx:yy:zz 3h38m43s 0ms -54 wpa3-psk 2ghz-n
4 A cap-wap-5g-42 mkxNet 84:98:66:xx:yy:zz 3h30m3s 24s40ms -45 wpa2-psk 5ghz-ac
5 A cap-audience-5g-42 mkxNet 54:10:4F:xx:yy:zz 23m37s 0ms -59 ft-wpa2-psk 5ghz-ac
```


4. my config:

```text
/interface wifi channel
add frequency=2412 name=2GHz-1 width=20mhz
add frequency=2432 name=2GHz-5 width=20mhz
add frequency=2452 name=2GHz-9 width=20mhz
add frequency=2472 name=2GHz-13 width=20mhz
add frequency=2412,2432 name=2GHz-1+5 reselect-interval=6h..1d width=20mhz
add frequency=5500,5580,5660 name=5GHz-high reselect-interval=6h..1d width=20/40/80mhz
add frequency=2452,2472 name=2GHz-9+13 reselect-interval=6h..1d width=20mhz
add frequency=5180,5200,5220,5240 name=5GHz-low-80 reselect-interval=8h..12h width=20/40/80mhz
add frequency=5180,5200,5220,5240 name=5GHz-low-20 reselect-interval=8h..12h width=20mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 dh-groups=19,20,21 disable-pmkid=yes encryption=ccmp,ccmp-256 ft=\
    yes ft-over-ds=yes ft-preserve-vlanid=no group-key-update=5m name=wpa2wpa3 wps=disable
/interface wifi steering
add name=steering42 neighbor-group=LAN-42 rrm=yes wnm=yes
add name=steering41 neighbor-group=guest-41 rrm=yes wnm=yes
/interface wifi
# operated by CAP 2E:C8:1B:xx:yy:z6%vlan-99, traffic processing on CAP
add configuration=2GHz-9-noVID disabled=no name=cap-audience-2g-42 radio-mac=2C:C8:1B:xx:yy:z8
# operated by CAP 2E:C8:1B:xx:yyzE6%vlan-99, traffic processing on CAP
add configuration=5GHz-low-41-novid disabled=no name=cap-audience-5g-41 radio-mac=2C:C8:1B:xx:yy:z9
# operated by CAP 2E:C8:1B:xx:yy:z6%vlan-99, traffic processing on CAP
add configuration=5GHz-high-noVID disabled=no name=cap-audience-5g-42 radio-mac=2C:C8:1B:xx:yy:zA
# operated by CAP F6:1E:57:36:CD:D4%vlan-99, traffic processing on CAP
add configuration=2GHz-13-42 disabled=no name=cap-wap-2g-42 radio-mac=F4:1E:57:aa:bb:c6
# operated by CAP F6:1E:57:aa:bb:c4%vlan-99, traffic processing on CAP
add configuration=5GHz-high-42 disabled=no name=cap-wap-5g-42 radio-mac=F4:1E:57:aa:bb:c7
# operated by CAP F6:1E:57:aa:bb:c4%vlan-99, traffic processing on CAP
add configuration=slave-41 disabled=no mac-address=F6:1E:57:aa:bb:c7 master-interface=cap-wap-5g-42 name=cap-wap-5g-virt-41
/interface wifi capsman
set enabled=yes interfaces=vlan-99
/interface wifi configuration
add channel=2GHz-1+5 comment="2GHz low 42" country=<country> datapath=datapath42 mode=ap multicast-enhance=enabled name=2GHz-low-42 \
    security=wpa2wpa3 ssid=<SSID1> steering=steering42
add channel=5GHz-high comment="5GHz high 42" country=<country> datapath=datapath42 mode=ap multicast-enhance=enabled name=\
    5GHz-high-42 security=wpa2wpa3 ssid=<SSID1> steering=steering42
add channel=2GHz-13 comment="2GHz ch13 42" country=<country> datapath=datapath42 mode=ap multicast-enhance=enabled name=2GHz-13-42 \
    security=wpa2wpa3 ssid=<SSID1> steering=steering42
add datapath=datapath41 mode=ap multicast-enhance=enabled name=slave-41 ssid="I\E2\9D\A4MikroTik" steering=steering41
add channel=5GHz-low-80 comment="5GHz low no VLAN ID" country=<country> datapath=datapath-noVID mode=ap multicast-enhance=enabled \
    name=5GHz-low-noVID security=wpa2wpa3 ssid=<SSID1> steering=steering42
add channel=2GHz-9 comment="2GHz ch9 no VLAN ID" country=<country> datapath=datapath-noVID mode=ap multicast-enhance=enabled name=\
    2GHz-9-noVID security=wpa2wpa3 ssid=<SSID1> steering=steering42
add channel=5GHz-high comment="5GHz high no VLAN ID" country=<country> datapath=datapath-noVID mode=ap multicast-enhance=enabled \
    name=5GHz-high-noVID security=wpa2wpa3 ssid=<SSID1> steering=steering42
add channel=5GHz-low-20 comment="5GHz low guest no VLAN ID" country=<country> datapath=datapath-noVID mode=ap multicast-enhance=\
    enabled name=5GHz-low-41-novid ssid="I\E2\9D\A4MikroTik" steering=steering41
/interface wifi datapath
add bridge=bridge comment=LAN name=datapath42 vlan-id=42
add bridge=bridge client-isolation=yes comment="guest WiFi" name=datapath41 vlan-id=41
add bridge=bridge client-isolation=yes comment="no VLAN ID" name=datapath-noVID
/interface wifi provisioning
add action=create-enabled comment="wAP 2Ghz" master-configuration=2GHz-13-42 radio-mac=F4:1E:57:aa:bb:c6
add action=create-enabled comment="wAP 5Ghz" master-configuration=5GHz-high-42 radio-mac=F4:1E:57:aa:bb:c7 slave-configurations=\
    slave-41
add action=create-enabled comment="Audience 5GHz low" master-configuration=5GHz-low-41-novid radio-mac=2C:C8:1B:xx:yy:z9
add action=create-enabled comment="Audience 2GHz" master-configuration=2GHz-9-noVID radio-mac=2C:C8:1B:xx:yy:z8
add action=create-enabled comment="Audience 5GHz high" master-configuration=5GHz-high-noVID radio-mac=2C:C8:1B:xx:yy:zA
```

Thank you very much …
Just from a quick glance I don’t see anything that could be a problem. Something to do with VLAN ID maybe … we’ll see.
I will try to replicate parts of your configuration, till it starts working and make some tests, and let you know.

(deleted, not relevant anymore)

Interesting …
… I added “connect-priority” as you have (before it was not set) and roaming for WPA3-PSK clients started working fine!

```text
/interface/wifi/security/
connect-priority=0/1
```

So, for WPA3-PSK clients to be able to roam, that line needs to be there.
Do you know, or better, can you describe, how that line works and what it represents?
The information from the documentation does not make sense to me:
https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi#WiFi-SecurityProperties

...
If (accept-priority of AP2) = (hold-priority of AP1), a connection to AP2 will be allowed only if the MAC address can no longer be reached via AP1.
...
If omitted, hold-priority is the same as accept-priority.
...
By default, APs, which perform user authentication, have higher priority (lower integer value), than open APs.

So if I understand correctly, default value is:
connect-priority=1/1 (or connect-priority=0/0 ?)

This “default” value is probably the reason why a WPA3-PSK client shows for around 500ms that it has roamed to the new AP, but immediately disconnects from it and reconnects to the new AP.
And MikroTik does not log anything about the client trying to roam, just a disconnect due to being not reachable.
So, it seems MikroTik is not accepting MAC frames from the new Wifi AP after the client roamed to it, because it still registers that client (and its MAC) on the old Wifi AP.

So question is … why this (that MAC ignoring) is not applied also to the FT-WPA2-PSK clients, only to WPA3-PSK clients.
I will add this discovery to the support ticket I created.

Thank you for help and anybody else, who can add some more information about this problem (setting connect-priority).
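A check for the finding reported in this thread, that security profiles offering wpa3-psk roamed cleanly only once `connect-priority=0/1` was set; this is an added example, not MikroTik tooling or the posters' code, and the rule encodes what the posters observed rather than documented behaviour. The sample export and its profile names are constructed, and the parser assumes the sectioned `/interface wifi ...` export layout with `\` line continuations seen in the configs posted above.

```python
import re

# key=value tokens; values may be double-quoted and contain spaces
KV_RE = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')

# Constructed sample export (profile names are made up for this example).
SAMPLE_EXPORT = r"""
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes management-protection=required name=sec_no_prio wps=disable
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disable-pmkid=yes ft=\
    yes ft-over-ds=yes name=sec_with_prio wps=disable
add authentication-types=wpa2-psk ft=yes name=sec_wpa2_only
/interface wifi steering
add 2g-probe-delay=yes name=steering_example rrm=yes wnm=yes
"""


def logical_lines(export_text):
    """Join lines that the export wrapped with a trailing backslash.

    The wrap can fall in the middle of a token (ft=\\ then yes), so the
    pieces are concatenated without inserting a space.
    """
    pending = ""
    for raw in export_text.splitlines():
        piece = raw.strip()
        if piece.endswith("\\"):
            pending += piece[:-1]
            continue
        line, pending = pending + piece, ""
        if line and not line.startswith("#"):
            yield line


def security_profiles(export_text):
    """Return one dict of properties per entry under /interface wifi security."""
    section, profiles = None, []
    for line in logical_lines(export_text):
        if line.startswith("/"):
            # Accept both "/interface wifi security" and "/interface/wifi/security"
            section = " ".join(line.lstrip("/").replace("/", " ").split())
            continue
        if section == "interface wifi security" and line.startswith("add "):
            profiles.append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return profiles


def wpa3_profiles_missing_priority(export_text, wanted="0/1"):
    """List (name, connect-priority, ft) for wpa3-psk profiles without `wanted`."""
    findings = []
    for profile in security_profiles(export_text):
        auth_types = profile.get("authentication-types", "").split(",")
        if "wpa3-psk" in auth_types and profile.get("connect-priority") != wanted:
            findings.append((
                profile.get("name", "?"),
                profile.get("connect-priority", "not set"),
                profile.get("ft", "not set"),
            ))
    return findings


if __name__ == "__main__":
    for name, prio, ft in wpa3_profiles_missing_priority(SAMPLE_EXPORT):
        print(f"{name}: wpa3-psk offered, connect-priority={prio}, ft={ft}")
```

Running it against a saved export before and after an upgrade shows which profiles would need the setting, without dropping WPA3 as a workaround.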

No idea why exactly that setting needs to be that way, I don’t recall reading any good explanation of what it does. It was discovered and reported by other forum members quite a while ago so I guess it’s a public secret by now :wink:



Unfortunately no explanation from my side either, but I can confirm that I’m experiencing the same issues on my end. Roaming with WPA3 seems to be broken / unreliable. So I’m happy for everyone that is reporting this (rather than disputing it) to the support. In order to start understanding anything about roaming you’ll need to increase the WiFi logging anyway, but even with more verbose logging, you don’t see any issues, just roaming and/or new connections. So debugging this is rather hard.

Right now, just by adding this line to my config:
“/interface/wifi/security/connect-priority=0/1”
… all FT-WPA2-PSK and WPA3 clients are roaming without any registered problems. There are no disconnects or reconnects, no packet/ping loss, everything works 100% as it should.

Furthermore, with the new option added (I think in 7.17.0):
“2g-probe-delay=yes”
… my clients are roaming to 5G almost all the time. Even if they roam to 2G, after approximately 3-20 seconds (max 240 seconds), they roam back to 5G (same AP, same signal strength).

This is what I have expected (and wanted) during my almost 10 years as a customer of Mikrotik devices.
Finally.

Exactly, MikroTik should have more detailed logs at the “debug” level:

  1. Dropping frame because the MAC is registered to another radio.
  2. Unable to roam because some protocol/encryption handshake was incomplete or not supported.

I created a ticket at the “MikroTik support portal” under “SUP-178792” (also linked to this forum) regarding the problems described here, and I am waiting for a reply from them about the “/interface/wifi/security/connect-priority=0/1” setting.

It solved it for me too, luckily I only had problems with old Android smartphones.

I can’t find it, is it only available for CLI?

Config in post #3 above puts it in steering configuration subtree. I’m not sure if it was introduced in 7.17, option isn’t known on my 7.17.2 install. So it could be 7.18beta feature (it’s available in 7.18beta5 … can’t test it because my only 7.18beta device is a RB951G which doesn’t support new wifi driver).

Currently it is missing in WinBox GUI. Don’t know about HTTP WEBGUI (not using it).
It is in CLI (SSH or Winbox >>> Terminal) here “/interface/wifi/steering >>> 2g-probe-delay=yes” .

According to the changelog here:
https://mikrotik.com/download/changelogs/#tab-testing
… it was added in 7.18beta2 .

Just wanted to report a success story: I just installed ROS 7.18.1 and have set 2g-probe-delay=yes … I have a Huawei tablet, which otherwise stubbornly connects to 2.4GHz BSSID. After enabling the property (and kicking tablet off wireless) it connected to 5GHz BSSID.

@mkx What settings work best for you?

I also have a Huawei tablet (M5 or something). It always connected to 5ghz even before the new delay property. But it only did choose 5ghz when freshly connecting (wifi toggle for example). The probe delay did not help in my case. Once the tablet - for whatever reason - switches to 2.4ghz it won't switch back to 5ghz anymore. It is a very stupid wireless device. I don't even move the tablet more than 2m away from the AP and still it switches to 2.4 - most probably in the powersave mode when screen is off.

You may just disallow connecting this specific device to 2g using access-lists.

Thank you, I am considering it. I left behind "access-list steering" the day I switched from wireless to wifi-qcom-ac drivers. Never looked back. But this seems to be a valid access list rule for my particular use case that should work - hopefully - without tablet going connection-retry-crazy. :sweat_smile: