anatolykryzhanovsky
just joined
Topic Author
Posts: 3
Joined: Wed Jul 21, 2021 3:15 pm

WiFi apple problems

Wed Jul 21, 2021 3:45 pm

Good day everyone,
I have a very strange problem:
I have an x86 PC with RouterOS installed on it (called Router). I also have 5 capAc Wi-Fi access points connected to a switch (the Router is also connected to it). CAPsMAN is already enabled on the Router and all access points are added to it.
Now, if I connect to Wi-Fi from my Android device I can access internet pages and can also load the internal corporate site.
If I try to do this from a Windows laptop, everything also works fine.
BUT! When I try this from an Apple device (I tried two different iPads and a Mac mini) I see the following:
- internet pages open (but not all)
- the internal site loads the first page (login), but after a successful login no page loads.
I tried to ping with different packet sizes and got the following info:
- if I ping using a packet size of more than 1154 bytes, there is no ping response
- if I ping using a packet size of less than 1154 bytes, everything works fine
- this is the case for both the Windows and the Mac mini device

Also, additional info: after I log in on the internal site, an authorization header (bearer token) is sent with the next requests, so the packet size grows.

I checked the MTU and L2MTU on all interfaces and can't find any reason for that behavior.

Also, if I connect the Mac mini by wire, everything works fine.

Also, I tried a different Wi-Fi access point: I added a Cisco AP to my LAN and all devices can load the internal site properly when connected to it.
So the problem is in the access point configuration, or in the CAPsMAN config.

Here is my configuration:

Some notes:
- we have two different Wi-Fi networks (each in 2.4G and 5G): one for guests (guest), which can only use the internet with no access to internal resources, and one for our employees (office). The problem concerns the office network.
- for the office Wi-Fi we use an external DHCP server, which is also used for LAN clients
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz name=2G
add band=5ghz-a/n/ac extension-channel=Ceee frequency=5180 name=5G
/interface bridge
add arp=reply-only igmp-snooping=yes name=bridge-guest
add arp=proxy-arp name=bridge-office
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name=LAN
set [ find default-name=ether4 ] name=WAN
set [ find default-name=ether3 ] name=WAN-alt
set [ find default-name=ether2 ] disabled=yes name=ether1
/interface pppoe-client
add interface=WAN name=dom.ru service-name=domru user=<redacted>
/caps-man datapath
add bridge=bridge-office client-to-client-forwarding=yes local-forwarding=no \
    mtu=1500 name=datapath-office
add bridge=bridge-guest client-to-client-forwarding=no local-forwarding=no \
    name=datapath-guest
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=office
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=guest
/caps-man configuration
add channel=2G country=russia datapath=datapath-office datapath.bridge=\
    bridge-office mode=ap name=office-2g rx-chains=0,1,2 security=office ssid=\
    office tx-chains=0,1,2
add channel=5G country=russia datapath=datapath-office datapath.bridge=\
    bridge-office mode=ap name=office-5g rx-chains=0,1,2 security=office ssid=\
    office-5g tx-chains=0,1,2
add channel=2G country=russia datapath=datapath-guest datapath.bridge=\
    bridge-guest mode=ap name=guest-2g rx-chains=0,1,2 security=guest ssid=\
    guest tx-chains=0,1,2
add channel=5G country=russia datapath=datapath-guest datapath.bridge=\
    bridge-guest mode=ap name=guest-5g security=guest ssid=guest-5g
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=guest-pool ranges=192.168.100.2-192.168.100.50
/ip dhcp-server
add add-arp=yes address-pool=guest-pool disabled=no interface=bridge-guest \
    name=guest-dhcp
/queue simple
add comment="Limit for guest wifi" max-limit=5M/5M name=guest-wifi-limit \
    target=bridge-guest
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=\
    -84..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s comment=\
    "Reject bad connections" disabled=no signal-range=-120..-85 ssid-regexp=""
add allow-signal-out-of-range=10s disabled=no mac-address=50:8F:4C:71:CB:0B \
    ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man manager interface
add disabled=no interface=bridge-office
/caps-man provisioning
add action=create-dynamic-enabled comment=\
    "provision profile for office wifi (both 2g and 5g)" hw-supported-modes=gn \
    master-configuration=office-2g slave-configurations=guest-2g
add action=create-dynamic-enabled comment=\
    "provision profile for guest wifi (both 2g and 5g)" hw-supported-modes=ac \
    master-configuration=office-5g slave-configurations=guest-5g
/interface bridge port
add bridge=bridge-office interface=LAN
/interface bridge settings
set use-ip-firewall-for-pppoe=yes
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=vpn-profile enabled=yes \
    use-ipsec=yes
/interface ovpn-server server
set auth=sha1 certificate=mikrotik2 cipher=aes256 default-profile=vpn-profile \
    enabled=yes require-client-certificate=yes
/ip address
add address=<redacted> interface=WAN-alt network=<redacted>
add address=192.168.0.1/24 interface=bridge-office network=192.168.0.0
add address=192.168.100.1/24 interface=bridge-guest network=192.168.100.0
/ip dhcp-relay
add dhcp-server=192.168.0.10 name="lan dhcp"
add dhcp-server=192.168.0.10 disabled=no interface=bridge-office name=\
    "bridge relay"
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=8.8.8.8 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes servers=192.168.0.10
/ip firewall address-list
add address=192.168.100.0/24 list=GuestNet
add address=192.168.0.0/24 list=OfficeNet
/ip firewall filter
add action=accept chain=input dst-port=1194 protocol=tcp
add chain=input port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
/ip firewall mangle
add action=mark-routing chain=output dst-port=53 new-routing-mark=dns \
    passthrough=yes protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment=rostelekom out-interface=WAN-alt
/ip ipsec settings
set xauth-use-radius=yes
/ip route
add distance=1 gateway=<redacted> routing-mark=wan-alt
add check-gateway=ping distance=1 gateway=<redacted>
add check-gateway=ping comment="Netwatch rostelekom" distance=1 dst-address=\
    8.8.8.4/32 gateway=<redacted>
/ip route rule
add action=unreachable comment="forbid guest to office" dst-address=\
    192.168.0.0/24 src-address=192.168.100.0/24
add action=unreachable comment="forbid office to guest" disabled=yes \
    dst-address=192.168.100.0/24 src-address=192.168.0.0/24
/ip service
set telnet address=192.168.0.0/16
set ftp address=192.168.0.0/16
set www address=192.168.0.0/16 port=69
set ssh address=192.168.0.0/16
set api address=192.168.0.0/16
set winbox address=192.168.0.0/16
set api-ssl address=192.168.0.0/16
/ppp aaa
set use-radius=yes
/radius
add address=192.168.0.10 service=ppp timeout=1s
/system clock
set time-zone-autodetect=no
/system clock manual
set time-zone=+03:00
/system logging
add action=disk topics=pptp,info,ppp,account
add topics=debug,ovpn
add topics=pppoe,ppp
/user aaa
set use-radius=yes
And this is the configuration from one of the capAc units:
/interface bridge
add name=bridge protocol-mode=none
/interface wireless
# managed by CAPsMAN
# channel: 2452/20-Ce/gn(18dBm), SSID: office, CAPsMAN forwarding
set [ find default-name=wlan1 ] name=wlan-office-2g ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(17dBm), SSID: office-5g, CAPsMAN for

set [ find default-name=wlan2 ] name=wlan-office-5g ssid=MikroTik
/interface ethernet
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge interface=ether1
/interface wireless cap
# 
set discovery-interfaces=ether1 enabled=yes interfaces=\
    wlan-office-2g,wlan-office-5g
/ip dhcp-client
# DHCP client can not run on slave interface!
add disabled=no interface=ether1
/system clock
set time-zone-name=Europe/Volgograd
/system identity
set name=AP#4
And the state from WinBox (screenshots in the original post):
- interfaces list on controller
- bridges on controller
- bridge ports on controller
- interfaces on capAc
- bridges on capAc
- bridge ports on capAc

So now I have no idea how to resolve the issue. Maybe someone can help me.
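A scripted version of the ping-size test described in the post above, added here as an example (it is not from the forum post or from MikroTik): it binary-searches the largest Don't-Fragment ICMP payload that still gets a reply and converts the result into IP packet and Ethernet frame sizes. The router address, the OS-specific ping flags and the simulated 1154-byte cut-off are assumptions.

```python
# Added example, not from the forum post: binary-search the largest ICMP payload
# that still gets a reply (the manual test in the thread), then translate it into
# IP packet / Ethernet frame sizes. The simulated probe reproduces the 1154-byte
# boundary reported above so the search logic runs offline.
import platform
import subprocess
from typing import Callable

IP_HDR, ICMP_HDR, ETH_HDR = 20, 8, 14   # IPv4 (no options), ICMP echo, Ethernet

def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """One echo request of `payload` bytes with Don't-Fragment set; True on reply.
    Flags differ per OS: Linux '-M do -s', macOS '-D -s', Windows '-f -l'."""
    os_name = platform.system()
    if os_name == "Windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), "-f", "-l", str(payload), host]
    elif os_name == "Darwin":
        cmd = ["ping", "-c", "1", "-t", str(timeout_s), "-D", "-s", str(payload), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0

def find_max_payload(probe: Callable[[int], bool], lo: int = 0, hi: int = 1472) -> int:
    """Largest payload in [lo, hi] for which probe() succeeds, or -1 if none.
    Assumes one cut-off (true for MTU trouble): if size N passes, smaller sizes do."""
    if not probe(lo):
        return -1
    while lo < hi:
        mid = (lo + hi + 1) // 2      # bias upward so the loop ends with lo == hi
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def frame_sizes(payload: int) -> dict:
    """ICMP payload -> size of the IP packet and Ethernet frame it produces."""
    ip_len = payload + ICMP_HDR + IP_HDR
    return {"icmp_payload": payload, "ip_packet": ip_len, "eth_frame": ip_len + ETH_HDR}

def simulated_probe(payload: int) -> bool:
    """Constructed stand-in for the thread's Wi-Fi path: replies only up to 1154 bytes."""
    return payload <= 1154

if __name__ == "__main__":
    best = find_max_payload(simulated_probe)   # 1154
    print(best, frame_sizes(best))             # ip_packet 1182, eth_frame 1196
```

For a real run from a laptop on the office Wi-Fi, pass `lambda n: ping_df("192.168.0.1", n)` as the probe (the router address is the one in the posted config); a result well below 1472 on Wi-Fi but 1472 on the wire points at the wireless path.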
 
rextended
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: WiFi apple problems

Wed Jul 21, 2021 6:52 pm

Yes,
if
from my android device i can access internet pages and can also load internal corporate site
and
this operation from windows laptop - also all works fine
and
from apple device (i try two different iPad and mac Mini) do not work as expected
then
WiFi apple problems
must be solved from Apple support.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: WiFi apple problems

Thu Jul 22, 2021 4:48 pm

The world refuses to conform to Apple standards LOL........ ( we are owned by Apple or Google LOL, well until amazon decides to take over the internet)

Try setting your 5GHz provisioning to the following
BAND: 5GHz-n/AC
Channel Width: 20/40MHz Ce

The other thing to consider would be the dhcp leases for such devices.
Perhaps make them longer!
