wlan broke after upgrade, and I can't see why

Introduction

I have been using Mikrotik for years and slowly migrated most of my family to use it, but I am not a network person. I am very comfortable on a Linux CLI but generally prefer the web GUI on Mikrotik.

Hardware Setup

  1. hAP ax3 (Primary)
  2. hAP ax2 (Extender)

Wireless Network Setup

  1. Primary 2G networked
  2. Primary 5G networked
  3. Secondary 2G client isolated (aka common)
  4. Secondary 5G client isolated (aka common)

Problem

After an upgrade from 7.12 (I think) to 7.18.2 (packages and firmware), some things broke/stopped working.

Best I can tell, it looks like DHCP is no longer working on the secondary 2G wlan and the primary 5G wlan, but if I set a fixed IP, clients can connect.

DHCP seems to work on Ethernet, the primary 2G wlan and the secondary 5G wlan.

Question

I have been clicking through settings for a few hours now and can't figure out what the problem is. Any guidance or help would be greatly appreciated.

Settings Export

# 2025-04-27 16:17:09 by RouterOS 7.18.2
/interface bridge
add name=bridge-common port-cost-mode=short
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=\
    bridge-network port-cost-mode=short
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=wlan-common-list
add name=wlan-network-list
/interface wifi channel
add band=2ghz-ax comment=2G-WIFI6 disabled=no frequency=2442-2462 name=\
    channel1-2G-W6 skip-dfs-channels=10min-cac width=20/40mhz
add band=2ghz-n comment=2G-WIFI4 disabled=yes frequency=2412-2422 name=\
    channel5-2G-W4 skip-dfs-channels=all width=20mhz
add band=5ghz-ax comment=5G-WIFI6 disabled=no frequency=5180-5320 name=\
    channel2-5G-W6 skip-dfs-channels=10min-cac width=20/40/80mhz
add band=5ghz-ac comment=5G-WIFI5 disabled=yes frequency=5180-5320 name=\
    channel3-5G-W5 skip-dfs-channels=all width=20/40/80mhz
add band=2ghz-g comment=G2-WIFI3 disabled=yes frequency=2412-2422 name=\
    channel5-2G-W3 skip-dfs-channels=all width=20mhz
/interface wifi datapath
add client-isolation=yes comment=common-isolation disabled=no interface-list=\
    wlan-common-list name=datapath-isolation
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk comment="Common security profile" \
    disable-pmkid=yes disabled=no eap-certificate-mode=\
    dont-verify-certificate ft=yes name=sec-sid-common wps=disable
add authentication-types=wpa2-psk,wpa3-psk comment=\
    "Networked security profile" disable-pmkid=yes disabled=no name=\
    sec-sid-network wps=disable
/interface wifi configuration
add channel=channel1-2G-W6 disabled=no mode=ap name=cfg-sid-common-2G \
    security=sec-sid-common security.ft=yes ssid=sid
add channel=channel1-2G-W6 country="South Africa" disabled=no mode=ap name=\
    cfg-sid-network-2G security=sec-sid-network security.ft=yes ssid=\
    sid-N
add channel=channel2-5G-W6 country="South Africa" datapath=datapath-isolation \
    disabled=no mode=ap name=cfg-sid-common-5G security=sec-sid-common \
    security.eap-certificate-mode=dont-verify-certificate .ft=yes ssid=\
    sid-5
add channel=channel2-5G-W6 country="South Africa" disabled=no mode=ap name=\
    cfg-sid-network-5G security=sec-sid-network security.ft=yes ssid=\
    sid-N5
/interface wifi
set [ find default-name=wifi1 ] channel=channel2-5G-W6 comment=\
    "Primary 5G Wifi 6 (ax)" configuration=cfg-sid-network-5G \
    configuration.mode=ap disabled=no name=wlan1-5G-W6
set [ find default-name=wifi2 ] channel=channel1-2G-W6 \
    channel.skip-dfs-channels=all comment="Primary 2G Wifi 6 (ax)" \
    configuration=cfg-sid-network-2G configuration.mode=ap disabled=no \
    name=wlan2-2G-W6 security.ft=yes
add comment="Common 2G Wifi 6 (ax)" configuration=cfg-sid-common-2G \
    configuration.mode=ap disabled=no mac-address=4A:A9:8A:0A:27:88 \
    master-interface=wlan2-2G-W6 name=wlan3-common-2G-W6
add comment="Common 5G Wifi 6 (ax)" configuration=cfg-sid-common-5G \
    configuration.mode=ap disabled=no mac-address=4A:A9:8A:0A:27:87 \
    master-interface=wlan1-5G-W6 name=wlan4-common-5G-W6
/ip pool
add name=dhcp-pool-network ranges=192.168.0.100-192.168.0.200
add name=dhcp-pool-common ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add address-pool=dhcp-pool-network interface=bridge-network lease-time=2h \
    name=dhcp-network
add address-pool=dhcp-pool-common interface=bridge-common lease-time=8h name=\
    dhcp-common
/port
set 0 name=serial0
/user group
add comment="Home assistant Integration Group" name=home policy="read,write,po\
    licy,test,api,!local,!telnet,!ssh,!ftp,!reboot,!winbox,!password,!web,!sni\
    ff,!sensitive,!romon,!rest-api"
/interface bridge port
add bridge=bridge-network comment=defconf interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-network comment=defconf interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-network comment=defconf interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-network comment=defconf interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-network comment=defconf interface=wlan1-5G-W6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-network comment=defconf interface=wlan2-2G-W6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-common interface=wlan3-common-2G-W6
add bridge=bridge-common interface=wlan4-common-5G-W6
add bridge=bridge-common interface=wlan-common-list internal-path-cost=10 \
    path-cost=10
add bridge=bridge-network interface=wlan-network-list internal-path-cost=10 \
    path-cost=10
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=strict
/ipv6 settings
set max-neighbor-entries=15360
/interface list member
add comment=defconf interface=bridge-network list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wlan3-common-2G-W6 list=wlan-common-list
add interface=wlan4-common-5G-W6 list=wlan-common-list
add interface=wlan1-5G-W6 list=wlan-network-list
add interface=wlan2-2G-W6 list=wlan-network-list
/interface ovpn-server server
add mac-address=FE:8A:43:5A:E0:D2 name=ovpn-server1
/interface wifi access-list
add action=accept comment=M1 disabled=yes interface=any mac-address=\
    XX:XX:XX:XX:XX:XX signal-range=0 time=0s-0s
add action=accept comment=M2 disabled=yes interface=any mac-address=\
    XX:XX:XX:XX:XX:XX signal-range=0 time=0s-0s
add action=accept comment=M3 disabled=yes interface=any \
    mac-address=XX:XX:XX:XX:XX:XX signal-range=0 time=0s-0s
add action=accept comment=M4 disabled=yes interface=wlan-common-list \
    mac-address=XX:XX:XX:XX:XX:XX signal-range=0 time=0s-0s
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge-network network=\
    192.168.0.0
add address=192.168.1.1/24 interface=bridge-common network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=10.0.0.1 gateway=\
    192.168.0.1
add address=192.168.1.0/24 dns-server=10.0.0.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=drop chain=forward comment="Block common form network" \
    dst-address=192.168.0.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Drop common to common" in-interface=\
    bridge-common out-interface=bridge-common
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment=nat-common out-interface-list=WAN \
    src-address=192.168.1.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=WebFigCrt disabled=no
set api disabled=yes
set api-ssl certificate=WebFigCrt
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Place/City
/system identity
set name=sid-HA
/system logging
add topics=wireless,debug
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Okay, I can't explain it, but a third reboot of both routers solved it, though only after the extender was also rebooted.

I have no explanation, because upgrades always include a reboot, but after hours of issues everything seems to be working now.

Maybe something with the DHCP leases. Does that make any sense?

Lately there have been a few reports of *something* apparently getting "sticky" and being solved by a reboot, but I cannot seem to find a "pattern". In your case it could be DHCP; yesterday in another case it was the LTE (or the APN):
http://forum.mikrotik.com/t/sxt-lte6-kit-lte-problem/183410/1
the day before it was ping/routes:
http://forum.mikrotik.com/t/unable-to-ping-internet-via-isp-router/183409/1

Thank you for connecting the dots and for the links. I hope it's helpful to others.

@jaclaz I had a look at the links you posted. Don't you think both your linked issues could have been affected by DHCP issues in some way, just on the WAN?

From my point of view DHCP issues could be the pattern.

To me, this seems doubtful. According to your description, the problem was linked to particular bridge members (two different wireless interfaces that are members of two different bridges). If this were purely a DHCP issue, then it seems like it would not limit itself to 100% of the clients that are connected to specific SSIDs, especially when you are not running separate DHCP server instances on those two SSIDs but rather on bridges... bridges where hosts attached to other member ports have no problems getting back a response from the DHCP server.

So, this feels like a bridging problem to me. DHCP involves broadcast traffic, so it seems likely that you were suffering from broadcast frames not getting properly forwarded between your wireless clients and the DHCP server. Either the responses from the DHCP server were getting lost and not forwarded back to the clients, or the initial requests were getting lost before they ever reached the DHCP server, and so the DHCP server never heard them in the first place.

You mentioned an “extender”, and I immediately thought “uh-oh.” Then I re-read and noticed the extender you referenced was another MT (ax2). You only included one config export, though, and I assume that export was from the primary ax3 router. So it begs the question: how is this “extender” configured?

If the “extender” is broadcasting the same ESSIDs as the main router+AP, is it at all possible that the real issue was that if you happened to wirelessly connect to the “extender”, that’s when DHCP failed to work, but if you happened to connect to the main router, it worked? And it really had nothing whatsoever to do with the secondary 2GHz SSID or the primary 5GHz SSID?

Thanks for the feedback. Just to clarify and answer some of your points.

  1. The issues I experienced were reproducible connecting directly to the main router without the extender.
  2. The issues were reproducible connecting via the extender using WIFI (both bridges) and Ethernet (one bridge).
  3. I only have DHCP setup on the main router.
  4. If I set a manually configured IP+gateway on the client everything worked, connecting to the main router or the extender.

So all my symptoms pointed to DHCP issues. The cause of the issues I don't know, and yes, it could be firewall or routing related and not on the DHCP side, or it could be related to leasing issues.

I don't know more than this, and it's been working great since the 3rd restart of both routers without any config changes.

I do understand that. However, if broadcast traffic were somehow broken or blocked in only one direction, you could still theoretically get this outcome where a static IP works but DHCP doesn't. ARP would still need to function in a static IP setup, but if broadcast was working from client to router on those broadcast domains but not the other way around, theoretically a client could update its own ARP table with the router's MAC by sending a broadcast request to it, while also updating the router's ARP cache with its own MAC, even though broadcast traffic isn't flowing in both directions.

It is possible, though, that the DHCP instances running on those particular bridges simply weren’t working, but the others were. If you went to IP > DHCP Server while in, say, Winbox, did you observe any of them to be highlighted red? Or on CLI, show an “I” for Invalid?

What would result in a definitive conclusion would have been to try moving one of the ethernet ports on the main router to be in one of the bridges where you weren’t getting a DHCP response on WiFi, while the problem was happening. If it happens again, that’s the first test I would try to run.
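The checks proposed in the replies above (is the DHCP server instance itself flagged invalid, do DHCP broadcasts actually cross the bridge, and does a wired port in the same bridge get a lease) can be run from the RouterOS terminal in a couple of minutes while the fault is present. The following is an added diagnostic script written for this thread; it is not from the original poster or from MikroTik. It assumes the names in the export above (bridge-network, bridge-common, ether5, dhcp-network, dhcp-common); `ether5` is an arbitrary choice of wired port to move and can be any port not currently needed. The only change it makes is the temporary port move in step 3, which it reverts.

```routeros
# Added diagnostic script (not part of the thread). Assumes the bridge,
# port and DHCP server names from the config export above. Run step by
# step from a terminal while the DHCP fault is present.

# 1. Is the DHCP server instance on the affected bridge healthy?
#    An "I" (invalid) flag means the server is bound to an interface that has
#    no matching /ip address on it, which breaks DHCP for the whole bridge.
/ip dhcp-server print detail where invalid
/ip dhcp-server lease print where server=dhcp-common

# 2. Watch DHCP on the suspect bridge for 30 seconds while a wifi client
#    joins. DISCOVER with no OFFER points at the server or the return path;
#    nothing at all means the client's broadcast never reached the bridge.
/tool sniffer quick interface=bridge-common ip-protocol=udp port=67,68 duration=30

# 3. The definitive test from the last reply: move one wired port into the
#    bridge where wifi DHCP fails and plug a laptop into it. If the wired
#    client gets a lease and the wifi client does not, the bridge and the
#    DHCP server are fine and the fault is on the wireless side.
/interface bridge port set [ find interface=ether5 ] bridge=bridge-common
# ... test DHCP on ether5 now, then put the port back where it was:
/interface bridge port set [ find interface=ether5 ] bridge=bridge-network

# 4. Confirm the wireless interfaces are up and the clients are actually
#    registered; an associated client whose frames never reach the bridge
#    still appears in the registration table.
/interface wifi print where !running
/interface wifi registration-table print

# 5. Turn on DHCP debug logging (the export already logs wireless,debug)
#    and look for dhcp/bridge/wireless lines around the failure.
/system logging add topics=dhcp,debug
/log print where topics~"dhcp|bridge|wireless"
```

Step 3 is the one to run first if the problem returns, because it separates "the DHCP server on this bridge is broken" from "frames from this wlan are not being bridged"; the sniffer in step 2 then tells you which direction of the broadcast exchange is being lost. Remove the extra logging rule afterwards (`/system logging remove [ find topics~"dhcp" ]`) so the log does not fill with lease chatter.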