
Apple devices & Mikrotik

Posted: Sun Oct 07, 2012 1:32 am
by PhilipLykov
I have 2 iPhones, 2 iPads, 2 MacBookPro in my home and one PC. I tried to use TP-Link, Linksys and now Mikrotik devices as WiFi AP and always have the following problem:
After some time of work every Apple device loses connection with the AP at the IP level, and there is no such problem with the PC at all. The connection appears as established (and I can see the signal strength) on the AP and the device, but no traffic is present there. I tried sniffing the WiFi interface on the Mikrotik in order to confirm it. No ARP, no IP, no ping from AP, no traffic at all. If I reconnect to WiFi from the device it will work great again (for some time, it may be a few seconds or a few hours).

I use iOS 4, 5 and 6 on devices. I use AES CCM only. Preamble Mode is "both".

How to debug it?

Re: Apple devices & Mikrotik

Posted: Sun Oct 07, 2012 1:39 am
by samsung172
Try 4.17 on ap. Was like magic on one of my hotspots.

Re: Apple devices & Mikrotik

Posted: Sun Oct 07, 2012 1:43 am
by PhilipLykov
Now I use 5.20. So you believe that the older RouterOS version is better, don't you?

Re: Apple devices & Mikrotik

Posted: Sun Oct 07, 2012 8:04 am
by samsung172
For non-MikroTik devices, 4.17 is much better.

Apple devices & Mikrotik

Posted: Sun Oct 07, 2012 10:04 am
by TrollMan
I have 2 iPad2, 1 iPod, 1 iPhone4, 1 iPhone4s and an iPhone5 connected. The only device that ever had issues is the iPhone5, and there is a confirmed issue with AES on some iPhone5 devices (I have issues). The iPod did have connect issues but setting it up again removed the issues. I have iOS5 and iOS6 on devices and ROS 5.20.

Apple devices & Mikrotik

Posted: Sun Oct 07, 2012 2:02 pm
by cbrown
I have also never had a problem with any of my apple products which include iPhones, iPads, and MBPs.

Post /export compact and we can take a look at your settings.

Re: Apple devices & Mikrotik

Posted: Mon Oct 08, 2012 8:45 am
by normis
Also check which Wireless chipset the Apple devices have. Around 50% of them use Broadcom, others use Atheros. Check which ones are having the issues. You can see this in MacOS menu "About this mac -> More info -> System report"

Re: Apple devices & Mikrotik

Posted: Mon Oct 08, 2012 9:37 am
by TrollMan
iOS 6 has a confirmed bug with running mixed TKIP & AES on iPhone4s and lower, so turn off TKIP in your router (should really be off anyway). iPhone5 has general WiFi issues on some of the hardware, and Apple has not released any information but confirmed the issue. Workaround here is to run TKIP only since the defect affects AES only. Apple has not confirmed yet if it's a HW issue or a software issue.

Re: Apple devices & Mikrotik

Posted: Mon Oct 08, 2012 10:18 am
by PhilipLykov
Here is my config:
-------------------------
[root@mktk] > /export compact
# oct/07/2012 16:14:19 by RouterOS 5.20
# software id = *
#
/interface wireless
set 0 arp=reply-only band=2ghz-b/g/n default-authentication=no default-forwarding=no dfs-mode=no-radar-detect disabled=no disconnect-timeout=10s \
distance=indoors frequency=2437 ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge name=WiFi preamble-mode=long radio-name=AA11 ssid=\
AA11 wireless-protocol=any wmm-support=enabled
/interface bridge
add admin-mac=D4:CA:6D:* arp=reply-only auto-mac=no l2mtu=1598 name=bridge-local
/interface ethernet
set 0 arp=reply-only name="ether1 - WAN"
set 1 arp=reply-only name="ether2"
set 2 arp=reply-only master-port="ether2" name="ether3"
set 3 disabled=yes master-port="ether2" name=ether4-slave-local
set 4 disabled=yes master-port="ether2" name=ether5-slave-local
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods=passthrough management-protection=allowed management-protection-key=\
"*****" mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key="******" wpa2-pre-shared-key="*****"
add authentication-types=wpa-psk,wpa2-psk eap-methods=passthrough name=no supplicant-identity=""
/ip dhcp-server
add add-arp=yes authoritative=yes disabled=no interface=bridge-local lease-time=4w3d name=default
/ip pool
add name=LAN ranges=192.168.111.10-192.168.111.254
/ppp profile
set 1 use-encryption=required
/queue tree
add disabled=yes name=In parent=global-in priority=6
add disabled=yes name=Out parent=global-out priority=6
add disabled=yes name=Other-In packet-mark=no-mark parent=In priority=6
add disabled=yes name=Other-Out packet-mark=no-mark parent=Out priority=6
add disabled=yes name=VoIP-In packet-mark=VoIP parent=In priority=2
add disabled=yes name=VoIP-Out packet-mark=VoIP parent=Out priority=2
/system logging action
set 1 disk-file-count=50 disk-lines-per-file=10000
/interface bridge port
add bridge=bridge-local interface="ether2"
add bridge=bridge-local interface=WiFi
/interface wireless access-list
add comment="Mac1" interface=WiFi mac-address=60:33:4B:* signal-range=-100..100
add comment="iPhone1" interface=WiFi mac-address=CC:08:E0:* signal-range=-100..100
add comment="iPad1" interface=WiFi mac-address=A4:67:06:* signal-range=-100..100
add comment="iPad2" interface=WiFi mac-address=A4:67:06:* signal-range=-100..100
add comment="iPhone2" interface=WiFi mac-address=90:84:0D:* signal-range=-100..100
add comment="Mac2" interface=WiFi mac-address=00:1C:B3:* signal-range=-100..100
/ip address
add address=192.168.111.1/24 interface=bridge-local
/ip arp
add address=111.184.161.1 interface="ether1 - WAN" mac-address=00:21:55:*
add address=192.168.111.254 interface=bridge-local mac-address=60:33:4B:*
add address=192.168.111.248 interface=bridge-local mac-address=A4:67:06:*
add address=192.168.111.251 interface=bridge-local mac-address=CC:08:E0:*
add address=192.168.111.247 interface=bridge-local mac-address=C4:2C:03:*
add address=192.168.111.246 interface=bridge-local mac-address=00:90:3E:*
add address=192.168.111.253 interface=bridge-local mac-address=A4:67:06:*
add address=192.168.111.250 interface=bridge-local mac-address=90:84:0D:*
add address=192.168.111.249 interface=bridge-local mac-address=00:1C:B3:*
/ip dhcp-client
add default-route-distance=101 disabled=no interface="ether1 - WAN" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server config
set store-leases-disk=1d
/ip dhcp-server lease
add address=192.168.111.254 always-broadcast=yes client-id=1:60:33:4b:* comment="Mac1" mac-address=60:33:4B:* server=default
add address=192.168.111.251 client-id=1:cc:8:e0:* comment="iPhone1" mac-address=CC:08:E0:* server=default
add address=192.168.111.248 client-id=1:a4:67:6:* comment="iPad1" mac-address=A4:67:06:* server=default
add address=192.168.111.247 client-id=1:c4:2c:3:* comment="Mac1 LAN" mac-address=C4:2C:03:* server=default
add address=192.168.111.246 client-id=1:0:90:3e:* comment=AudioCenter mac-address=00:90:3E:* server=default
add address=192.168.111.253 client-id=1:a4:67:6:* comment="iPad2" mac-address=A4:67:06:* server=default
add address=192.168.111.250 client-id=1:90:84:d:* comment="iPhone2" mac-address=90:84:0D:* server=default
add address=192.168.111.249 client-id=1:0:1c:b3:* comment="Mac2" mac-address=00:1C:B3:* server=default
/ip dhcp-server network
add address=192.168.111.0/24 dns-server=192.168.111.1 gateway=192.168.111.1 netmask=24 ntp-server=192.168.111.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.111.1 name=router
/ip firewall address-list
add address=192.168.111.0/24 list=mngmnts
/ip firewall connection tracking
set tcp-established-timeout=10h tcp-syncookie=yes
/ip firewall filter
add action=drop chain=input comment=SYSTEM connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=input src-address-list=blocked_in
add action=drop chain=forward src-address-list=blocked_in
add chain=input connection-state=established
add chain=forward connection-state=established
add chain=input connection-state=related
add chain=forward connection-state=related
add chain=input limit=4,2 protocol=icmp
add chain=forward limit=4,2 protocol=icmp
add action=drop chain=input protocol=icmp
add action=drop chain=forward protocol=icmp
add action=add-src-to-address-list address-list=blocked_in address-list-timeout=1h chain=input comment="Port Scanners" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=blocked_in address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=blocked_in address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=blocked_in address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=blocked_in address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=blocked_in address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=blocked_in address-list-timeout=2w chain=input protocol=tcp tcp-flags=syn,rst
add chain=forward comment="Allow Internet Access" in-interface="!ether1 - WAN" out-interface="ether1 - WAN" src-address=192.168.111.0/24
add chain=input comment="Local Services" dst-port=53,123 protocol=udp
add chain=input comment="Remote Admins" src-address-list=mngmnts
add action=drop chain=input comment=SYSTEM
add action=drop chain=forward
/ip firewall mangle
add action=mark-connection chain=prerouting comment=VoIP connection-state=new disabled=yes dst-address=**** new-connection-mark=VoIP_con
add action=mark-packet chain=prerouting connection-mark=VoIP_con disabled=yes new-packet-mark=VoIP passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 - WAN"
/ip neighbor discovery
set "ether1 - WAN" disabled=yes
set "ether2" disabled=yes
set "ether3" disabled=yes
set WiFi disabled=yes
set bridge-local disabled=yes
/ip route
add distance=100 dst-address=10.0.0.0/8 type=blackhole
add distance=100 dst-address=172.16.0.0/12 type=blackhole
add distance=100 dst-address=192.168.0.0/16 type=blackhole
/ip service
set telnet disabled=yes
set ftp disabled=no
set www disabled=yes
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=mktk
/system leds
set 0 interface=WiFi
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
/system ntp client
set enabled=yes primary-ntp=* secondary-ntp=*
/system ntp server
set enabled=yes
/system watchdog
set automatic-supout=no no-ping-delay=15m watch-address=8.8.8.8 watchdog-timer=no
/tool mac-server
add interface="ether2"
add interface="ether3"
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=WiFi
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface="ether2"
add interface="ether3"
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=WiFi
add interface=bridge-local
/tool mac-server ping
set enabled=no
/tool sniffer
set file-limit=10000KiB file-name=/sniff.txt filter-direction=any interface=WiFi memory-limit=1000KiB
-------------------------
Some information was hidden with "*".

What I cannot understand: why does wpa-psk appear in the authentication-types, when in WinBox I see that it isn't enabled (attached)? I have no iPhone5; the most troublesome devices are my iPad2s. My MacBookPro has a Broadcom chipset.

Re: Apple devices & Mikrotik

Posted: Mon Oct 08, 2012 10:22 am
by normis
Also enable regular WPA not just WPA2, see if it helps

We just did some testing on multiple Mac devices, it seems that the MacOS has some sort of bug (?) - When you first time connect to it without a password, it saves it. After you set a WPA password, it doesn't want to use it, because MacOS has saved that this AP doesn't have any password. Instead of giving you a meaningful error, it says something like "connection timeout" or similar. What helps is clearing all remembered APs from the mac, disabling the Wifi, enabling it, and connecting then.

Re: Apple devices & Mikrotik

Posted: Mon Oct 08, 2012 10:18 pm
by PhilipLykov
I enabled both WPA and WPA2. The situation is the same. After a few hours of idle, one of my iPads sees the connection but cannot even answer an ARP request. I see that the Mikrotik updates its last-activity timer for this item; I saw an ARP request at that time which asks who has 192.168.111.253.

I see that Mikrotik has 802.1x for this device, is it OK? I don't have a RADIUS.

[root@mktk] /interface wireless registration-table> print stats
0 ;;; iPad2
interface=WiFi mac-address=A4:67:06:* ap=no wds=no bridge=no rx-rate="1.0Mbps" tx-rate="13.0Mbps" packets=189930,129272
bytes=228440630,117644569 frames=189930,129317 frame-bytes=228823870,116873774 hw-frames=212197,189934
hw-frame-bytes=261834975,174999314 tx-frames-timed-out=0 uptime=3h37m5s last-activity=9s670ms signal-strength=-50dBm@1Mbps
signal-to-noise=57dB signal-strength-ch0=-51dBm signal-strength-ch1=-59dBm
strength-at-rates=-50dBm@1Mbps 3m10s620ms,-46dBm@HT20-0 2h46m46s10ms,-51dBm@HT20-1 21m900ms,-52dBm@HT20-2 21m11s770ms,-47dBm@HT20-3
20m50s220ms,-45dBm@HT20-4 16s340ms,-48dBm@HT20-5 20m2s250ms,-48dBm@HT20-6 19m44s530ms,-46dBm@HT20-7 9s670ms
tx-ccq=74% p-throughput=9592 last-ip=192.168.111.253 802.1x-port-enabled=yes authentication-type=wpa2-psk encryption=aes-ccm
group-encryption=aes-ccm management-protection=no wmm-enabled=yes

Re: Apple devices & Mikrotik

Posted: Thu Oct 11, 2012 1:22 am
by PhilipLykov
Sorry, but the problem still persists for at least two of my iPads and one iPhone. You write about a bug in the MacOS but I don't have that problem with WPA black password.

Is there any way to discover what is going on in the WiFi at the time when all my devices believe they are connected but it's not so?

Re: Apple devices & Mikrotik

Posted: Sun Oct 14, 2012 1:49 pm
by IMF2000
Also have the same issue here, only happened with IPhone 5 running IOS 6.

Do the workarounds mentioned above solve the issue?

Re: Apple devices & Mikrotik

Posted: Sun Oct 14, 2012 1:54 pm
by PhilipLykov
Hi,
Actually no workarounds were mentioned. And my iPads 2 and iPhones 4 still lose connection every few minutes.

Re: Apple devices & Mikrotik

Posted: Sun Oct 14, 2012 2:11 pm
by IMF2000
Yeah, I read above that just enabling TKIP and disabling AES is a workaround for Iphone 5 but when I tried this just now, I found that I could only telnet to the router and one other internet site and could not connect to most internet locations:
iOS 6 has a confirmed bug with running mixed TKIP & AES on iPhone4s and lower, so turn off TKIP in your router (should really be off anyway). iPhone5 has general WiFi issues on some of the hardware, and Apple has not released any information but confirmed the issue. Workaround here is to run TKIP only since the defect affects AES only. Apple has not confirmed yet if it's a HW issue or a software issue.
This was also noticed in another thread:
http://forum.mikrotik.com/viewtopic.php?f=7&t=65738


So back to working Iphone5 that cuts out after a while on mikrotik router.


Any other ideas?

Re: Apple devices & Mikrotik

Posted: Sun Oct 14, 2012 3:59 pm
by PhilipLykov
I use only AES from the beginning and this trouble was with iOS 4, 5 and 6 for all Apple devices (MacBookPro, iPad 2, iPhone 3Gs/4). So it's not a problem within iOS 6 or iPhone 6 for me. But this problem appears with long WiFi usage only. In my scenario, the iPad is connected to the AP 90% of the day and uses WiFi to check mail every few minutes. Then the problem happens about once per day, but when I watch clips on YouTube it happens every few minutes. My Mac and iPhone are not so affected just because the Mac is not always connected to the AP and the iPhone always travels with me.

Re: Apple devices & Mikrotik

Posted: Mon Oct 15, 2012 5:01 pm
by TrollMan
On my iPhone5 I can get issues mostly when running Sonos, but also some times without Sonos running. Disabling and enabling wifi on my iphone5 will solve it for a while. I have not tried the TKIP workaround, since I have a lot of other devices connected I did not want to play with this.

Re: Apple devices & Mikrotik

Posted: Mon Oct 15, 2012 5:05 pm
by IMF2000
On my iPhone5 I can get issues mostly when running Sonos, but also some times without Sonos running. Disabling and enabling wifi on my iphone5 will solve it for a while. I have not tried the TKIP workaround, since I have a lot of other devices connected I did not want to play with this.
Exactly this, have to disable wireless on the iphone and re-enable to get it to re-connect.


Very frustrating bug.

Re: Apple devices & Mikrotik

Posted: Mon Oct 15, 2012 5:24 pm
by TrollMan
I agree, but in all fairness I can't see the problem with RouterOS since the issue is present on all major router / AP systems. PRO and consumer. Apple should get the boot for it!

Re: Apple devices & Mikrotik

Posted: Mon Oct 15, 2012 5:27 pm
by IMF2000
Yes, I was more looking for a clever work around whilst we wait for Apple to do something.

Ie using a different authentication method or disabling auth completely and using mac based access control or something.

Re: Apple devices & Mikrotik

Posted: Mon Oct 15, 2012 7:43 pm
by PhilipLykov
MAC based access control is not a solution because MAC address can be easily changed.

Re: Apple devices & Mikrotik

Posted: Mon Oct 15, 2012 7:51 pm
by IMF2000
MAC based access control is not a solution because MAC address can be easily changed.
Indeed but I could probably live with it for a little while.

Re: Apple devices & Mikrotik

Posted: Thu Dec 05, 2013 11:42 am
by masood11
Hi,
Problem is that iPad and iPhone both persist and had a bug in Mac OS, but I am not yet able to solve that problem due to black WPA Password

Re: Apple devices & Mikrotik

Posted: Thu Apr 03, 2014 12:11 pm
by MATU
test

Re: Apple devices & Mikrotik

Posted: Fri Apr 11, 2014 5:46 pm
by MATU
Hi Guys,

I am having a peculiar problem that specifically affects Apple products. Apple products, regardless of their iOS, are exhibiting very slow loading times from websites and most times will not open at all. I have found a workaround of "binding" the specific client IP address and "bypassing" it. This always solves the problem, but I want it to work normally without having to bypass the IP addresses, since bypassing the client makes it impossible to monitor or control his/her bandwidth.
The problem has occurred several times before but it always goes away with time but this time around it has persisted.
Note that my authentication is the hotspot http chap therefore the issues discussed above regarding AES are not related with this.

Find my router configuration below. Your help will be very much appreciated.

Regards,

Matu



jan/04/2007 start-time=07:30:00
add comment="" disabled=yes interval=1w name="Weekend BW Upgrade Sat" \
on-event="04 - Upgrade_BW" policy=read,write,test start-date=jul/28/2007 \
start-time=07:05:00
add comment="" disabled=no interval=1w name="Weekend BW Upgrade Sun" \
on-event="04 - Upgrade_BW" policy=read,write,test start-date=jul/29/2007 \
start-time=07:05:00
add comment="" disabled=no interval=30s name="07 - Remove busy status" \
on-event="07 - Remove busy status" policy=read,write,test start-date=\
nov/11/2011 start-time=16:45:00
add comment="" disabled=no interval=1m name="08 - Busy status remove" \
on-event="08 - Busy status remove" policy=read,write,test start-date=\
nov/11/2011 start-time=16:52:00
/system script
add name=Email_backup_file policy=ftp,reboot,read,write,policy,test source="/s\
ystem backup save name=email-system\r\
\n/tool e-mail send to=\"*****\" from=\"*****.\
co.ke\" server=\"smtp.accesskenya.com\" subject=(\"Backup of: \" . [/syste\
m identity get name] . \"-\" . [/system clock get time] . \"-\" . [/syste\
m clock get date]) body=\" This is the weekly backup of the hotgossip rout\
er. Please find attached the backup config for router *******. \
Keep this in a safe place.\" file=email-system.backup\r\
\n:log info \"Backup email sent OK\""
add name="04 - Upgrade_BW" policy=ftp,reboot,read,write,policy,test,winbox \
source=":log info \"Begin bandwidth daily upgrade...\"\r\
\n###\r\
\n# Change 24/48 Day - 32/128 Night back to 32/128 for Night\r\
\n/ip hotspot user profile set \"24/48 Day - 32/128 Night\" rate-limit=\"3\
2k/128k 100000000k/100000000k 18k/36k 40 8\"\r\
\n\r\
\n###\r\
\n# Change 24/48 to 32/64 for night\r\
\n/ip hotspot user profile set \"24/48 Customers\" rate-limit=\"32k/64k 10\
0000000k/100000000k 24k/48k 40 8\"\r\
\n\r\
\n###\r\
\n# Change 24k/48k Night to 1k/1k for day\r\
\n/ip hotspot user profile set \"24k/48k Night\" rate-limit=\"24k/48k 1000\
00000k/100000000k 18k/36k 40 8\"\r\
\n\r\
\n###\r\
\n# Change 24/48 Day - 32/96 Night to 32/96 for night\r\
\n/ip hotspot user profile set \"24/48 Day - 32/96 Night\" rate-limit=\"32\
k/96k 100000000k/100000000k 24k/68k 40 8\"\r\
\n\r\
\n###\r\
\n# Change 32/64 to 48/96 for night\r\
\n/ip hotspot user profile set \"32/64 Customers\" rate-limit=\"48k/96k 10\
0000000k/100000000k 33k/68k 40 8\"\r\
\n\r\
\n###\r\
\n# Change 48/64 to 48/96 for night\r\
\n/ip hotspot user profile set \"48/64 Customers\" rate-limit=\"48k/96k 10\
0000000k/100000000k 33k/68k 40 8\"\r\
\n\r\
\n###\r\
\n# Change 48/96 to 64/128 for night\r\
\n/ip hotspot user profile set \"48/96 Customers\" rate-limit=\"64k/128k 1\
00000000k/100000000k 72k/115k 40 8\"\r\
\n\r\
\n\r\
\n###\r\
\n# Change 64/128 to 128/256 for night\r\
\n/ip hotspot user profile set \"64/128 Customers\" rate-limit=\"128k/256k\
\_100000000k/100000000k 115k/230k 40 8\"\r\
\n\r\
\n\r\
\n###\r\
\n# Change Camp Kenya Office Day Only to 24k/48k for night\r\
\n/ip hotspot user profile set \"Camp Kenya Office Day Only\" rate-limit=\
\"24k/48k 100000000k/100000000k 18k/36k 40 8\"\r\
\n\r\
\n###\r\
\n# Change Camp Kenya Directors for night\r\
\n/ip hotspot user profile set \"Camp Kenya Directors\" rate-limit=\"64k/1\
28k 100000000k/100000000k 48k/96k 40 8\"\r\
\n\r\
\n###\r\
\n# Change 24/48 Day - 32/256 Night to 32/256 for night\r\
\n/ip hotspot user profile set \"24/48 Day - 32/256 Night\" rate-limit=\"3\
2k/256k 100000000k/100000000k 24k/230k 40 8\"\r\
\n\r\
\n##\r\
\n# Change 32/64 Day - 0/0 Night to 0/0 for night\r\
\n/ip hotspot user profile set \"32/64 Day - 0/0 Night\" rate-limit=\"1k/1\
k\"\r\
\n\r\
\n###\r\
\n# Change 32/256 Night Only to ON for night\r\
\n/ip hotspot user profile set \"32/256 Night Only\" rate-limit=\"32k/256k\
\_100000000k/100000000k 24k/230k 40 8\"\r\
\n\r\
\n\r\
\n\r\
\n#End.\r\
\n:log info \"End: daily bandwidth upgrade complete!\"\r\
\n:delay 10\r\
\n"
add name="03 - Downgrade_BW" policy=ftp,reboot,read,write,policy,test,winbox \
source=":log info \"Begin bandwidth daily downgrade...\"\r\
\n###\r\
\n# Change 24/48 Day - 32/128 Night back to 24/48 for day\r\
\n/ip hotspot user profile set \"24/48 Day - 32/128 Night\" rate-limit=\"2\
4k/48k 100000000k/100000000k 18k/36k 40 8\"\r\
\n\r\
\n###\r\
\n# Change 24/48 back to 24/48 for day\r\
\n/ip hotspot user profile set \"24/48 Customers\" rate-limit=\"24k/48k 10\
0000000k/100000000k 18k/36k 40 8\"\r\
\n\r\
\n###\r\
\n# Change 24k/48k Night to 1k/1k for day\r\
\n/ip hotspot user profile set \"24k/48k Night\" rate-limit=\"1k/1k\"\r\
\n\r\
\n###\r\
\n# Change 24/48 Day - 32/96 Night back to 24/48 for day\r\
\n/ip hotspot user profile set \"24/48 Day - 32/96 Night\" rate-limit=\"24\
k/48k 100000000k/100000000k 18k/36k 40 8\"\r\
\n\r\
\n###\r\
\n# Change 32/64 back to 32/64 for day\r\
\n/ip hotspot user profile set \"32/64 Customers\" rate-limit=\"32k/64k 10\
0000000k/100000000k 24k/48k 40 8\"\r\
\n\r\
\n###\r\
\n# Change 48/64 back to 48/64 for day\r\
\n/ip hotspot user profile set \"48/64 Customers\" rate-limit=\"48k/64k 10\
0000000k/100000000k 24k/48k 40 8\"\r\
\n\r\
\n###\r\
\n# Change 48/96 back to 48/96 for day\r\
\n/ip hotspot user profile set \"48/96 Customers\" rate-limit=\"48k/96k 10\
0000000k/100000000k 24k/72k 40 8\"\r\
\n\r\
\n###\r\
\n# Change 64/128 back to 64/128 for day\r\
\n/ip hotspot user profile set \"64/128 Customers\" rate-limit=\"64k/128k \
100000000k/100000000k 48k/96k 40 8\"\r\
\n\r\
\n###\r\
\n# Change Camp Kenya Office Day Only to 128/256 for day\r\
\n/ip hotspot user profile set \"Camp Kenya Office Day Only\" rate-limit=\
\"128k/256k 100000000k/100000000k 115k/230k 40 8\"\r\
\n\r\
\n###\r\
\n# Change Camp Kenya Directors to 1k/1k for day\r\
\n/ip hotspot user profile set \"Camp Kenya Directors\" rate-limit=\"1k/1k\
\"\r\
\n\r\
\n###\r\
\n# Change 24/48 Day - 32/256 Night back to 24/48 for day\r\
\n/ip hotspot user profile set \"24/48 Day - 32/256 Night\" rate-limit=\"2\
4k/48k 100000000k/100000000k 24k/48k 40 8\"\r\
\n\r\
\n###\r\
\n# Change 32/64 Day - 32/256 Night back to 32/64 for day\r\
\n/ip hotspot user profile set \"32/64 Day - 0/0 Night\" rate-limit=\"32/6\
4k 100000000k/100000000k 24k/48k 40 8\"\r\
\n\r\
\n###\r\
\n# Change 32/256 Night Only to ON for night\r\
\n/ip hotspot user profile set \"32/256 Night Only\" rate-limit=\"6k/6k\"\
\r\
\n\r\
\n#End.\r\
\n:log info \"End: daily bandwidth downgrade complete!\"\r\
\n:delay 10\r\
\n\r\
\n"
add name="06 - enable_night_users" policy=\
ftp,reboot,read,write,policy,test,winbox,password source="###\r\
\n# Enable Night Only Customers\r\
\n/ip hotspot user profile set \"16k/32k Night\" shared-users=1"
add name="05 - disable_night_users" policy=\
ftp,reboot,read,write,policy,test,winbox,password source="###\r\
\n# Disable Night Only Customers\r\
\n/ip hotspot user profile set \"24k/48k Night\" shared-users=0"
add name="00 - mv-static" policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff source=":foreach n\
\_in=[/queue simple find priority=7] do={ /queue simple move \$n [:pick [/\
queue simple find] 0] }\r\
\n:foreach n in=[/queue simple find priority=5] do={ /queue simple move \$\
n [:pick [/queue simple find] 0] }\r\
\n:foreach n in=[/queue simple find priority=4] do={ /queue simple move \$\
n [:pick [/queue simple find] 0] }"
add name="02 - Throttle p2p during the day" policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff source="/ip firewa\
ll filter enable [/ip firewall filter find comment=\"Drop P2p Marked Packe\
ts\"]\r\
\n/ip firewall filter enable [/ip firewall filter find comment=\"Drop P2p \
Protocol\"]"
add name="01 - Allow p2p during the Night" policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff source="/ip firewa\
ll filter disable [/ip firewall filter find comment=\"Drop P2p Marked Pack\
ets\"]\r\
\n/ip firewall filter disable [/ip firewall filter find comment=\"Drop P2p\
\_Protocol\"]"
add name="07 - Remove busy status" policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff source=":foreach i\
\_in=[/ip dhcp-server lease find status=\"busy\"]\\\r\
\n do={\r\
\n :log error (\"Busy status detected: \" . [/ip dhcp-server lease get \$i\
\_address]);\r\
\n /ip dhcp-server lease remove \$i;\r\
\n }\r\
\n"
add name="08 - Busy status remove" policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff source=":foreach i\
\_in=[/ip dhcp-server lease find mac-address=00:00:00:00:00:00]\\\r\
\ndo={\r\
\n:log error (\"Mac address zero detected: \" . [/ip dhcp-server lease get\
\_\$i address]);\r\
\n/ip dhcp-server lease remove \$i;\r\
\n}"
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=no no-ping-delay=5m watch-address=\
none watchdog-timer=no
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=10
/tool e-mail
set from=<winbox> password="" server=**.**.**.**/** username=""
/tool graphing
set store-every=5min
/tool graphing interface
add allow-address=192.168.101.0/24 disabled=no interface=all store-on-disk=\
yes
add allow-address=**.**.**.**/** disabled=no interface=all store-on-disk=yes
add allow-address=10.1.10.253/32 disabled=no interface=all store-on-disk=yes
add allow-address=10.1.10.251/32 disabled=no interface=all store-on-disk=yes
add allow-address=10.1.10.250/32 disabled=no interface=all store-on-disk=yes
add allow-address=10.1.10.0/24 disabled=no interface=all store-on-disk=yes
add allow-address=172.16.2.0/24 disabled=no interface=all store-on-disk=yes
add allow-address=**.**.**.**/** disabled=no interface=all store-on-disk=\
yes
/tool graphing queue
add allow-address=192.168.1.0/24 allow-target=yes disabled=no simple-queue=\
"Simon Home" store-on-disk=yes
add allow-address=192.168.101.0/24 allow-target=yes disabled=no simple-queue=\
all store-on-disk=yes
add allow-address=**.**.**.**/** allow-target=yes disabled=no simple-queue=\
all store-on-disk=yes
add allow-address=10.1.10.253/32 allow-target=yes disabled=no simple-queue=\
all store-on-disk=yes
add allow-address=10.1.10.251/32 allow-target=yes disabled=no simple-queue=\
all store-on-disk=yes
add allow-address=10.1.10.250/32 allow-target=yes disabled=no simple-queue=\
all store-on-disk=yes
add allow-address=10.1.10.0/24 allow-target=yes disabled=no simple-queue=all \
store-on-disk=yes
add allow-address=172.16.2.0/24 allow-target=yes disabled=no simple-queue=all \
store-on-disk=yes
add allow-address=**.**.**.**/** allow-target=yes disabled=no simple-queue=\
all store-on-disk=yes
/tool graphing resource
add allow-address=192.168.101.0/24 disabled=no store-on-disk=yes
add allow-address=**.**.**.**/** disabled=no store-on-disk=yes
add allow-address=10.1.10.253/32 disabled=no store-on-disk=yes
add allow-address=10.1.10.251/32 disabled=no store-on-disk=yes
add allow-address=10.1.10.250/32 disabled=no store-on-disk=yes
add allow-address=10.1.10.0/24 disabled=no store-on-disk=yes
add allow-address=172.16.2.0/24 disabled=no store-on-disk=yes
/tool mac-server
add disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool netwatch
add comment="Check if Idirect modem is pingable and log it" disabled=no \
down-script="/tool e-mail send to=\"**.**.**.**/**\" from=\"sup\
port@hotgossip.co.ke\" server=\"192.168.101.11\" subject=(\"Idirect Modem \
Down: \" . \"-\" . [/system clock get time] . \"-\" . [/system clock get \
date]) body=\" The Simbanet Idirect Modem has gone down.\"\r\
\n:log info \"Idirect VSAT Modem gone DOWN! Boo!\"" host=**.**.**.**/** \
interval=5m timeout=800ms up-script="/tool e-mail send to=\"**.**.**.**/**\" from=\"**.**.**.**/**\" server=\"192.168.101.11\" s\
ubject=(\"Idirect Modem Up: \" . \"-\" . [/system clock get time] . \"-\"\
\_. [/system clock get date]) body=\" The Simbanet Idirect Modem has gone \
back up!.\"\r\
\n:log info \"Idirect VSAT Modem gone UP! Yay!!\""
add comment="Check if KDN Link is pingable and log it" disabled=no \
down-script="/tool e-mail send to=\"**.**.**.**/**\" from=\"sup\
**.**.**.**/**\" server=\"192.168.101.11\" subject=(\"KDN Link Down:\
\_\" . \"-\" . [/system clock get time] . \"-\" . [/system clock get date\
]) body=\" The KDN Link has gone down.\"\r\
\n:log info \"KDN Link gone DOWN! Boo!\"" host=**.**.**.**/** interval=1m \
timeout=400ms up-script="/tool e-mail send to=\"**.**.**.**/**\
\" from=\"**.**.**.**/**\" server=\"192.168.101.11\" subject=(\"K\
DN Link Up: \" . \"-\" . [/system clock get time] . \"-\" . [/system cloc\
k get date]) body=\" The KDN Link has gone back up!.\"\r\
\n:log info \"KDN Link gone UP! Yay!!\""
/tool sniffer
set file-limit=10 file-name="" filter-address1=0.0.0.0/0:0-65535 \
filter-address2=0.0.0.0/0:0-65535 filter-protocol=ip-only filter-stream=\
yes interface=all memory-limit=10 only-headers=no streaming-enabled=no \
streaming-server=0.0.0.0
/user aaa
set accounting=yes default-group=read interim-update=0s use-radius=no

Re: Apple devices & Mikrotik

Posted: Sun Apr 13, 2014 12:16 am
by Nollitik
FWIW, I never have any issues because I used an Apple Extreme with a Mikrotik RB450G in front of it. So, I get the robustness of the Mikrotik RouterOS and the seamlessness of the Apple devices connectivity with the Apple Extreme either wired or wirelessly.

I would recommend the route if it's important to you to use Apple devices.

Re: Apple devices & Mikrotik

Posted: Sun Apr 13, 2014 2:50 am
by rextended
/interface wireless
wireless-protocol=any wmm-support=enabled
/interface wireless security-profiles
management-protection=allowed
FOR ALL: WIRELESS PROTOCOL MUST BE SET TO 802.11, NOT TO ANY: ONLY MIKROTIK DEVICES USE NSTREME OR NV2!!!

UNDERSTAND???

USE ONLY 802.11 ON WIRELESS PROTOCOL IF YOU WANT MAKE ONE ACCESS POINT!!!


IF YOU LEAVE WIRELESS PROTOCOL TO "ALL" AND FORGET TO SET NV2 SECURITY, ANYONE WITH MIKROTIK DEVICES CAN CONNECT WITHOUT PASSWORD TO YOUR NETWORK!!!!!! NOT ONLY TO HOME AP, BUT ALSO ON AP FOR CPE!....


2) USE ONLY UPPERCASE LETTERS A-Z, NUMBERS 0-9 AND "-" FOR SSID IF YOU USE APPLE DEVICES, THE MAJORITY OF THE DRIVER HAVE BUG ON LOWERCASE AND SPECIAL SYMBOLS FOR SSID.

example working: AP-THISWORKONMAC
example not working: MyApNotWork_With_allMAC

3) use default data rates, some devices do not support forced data rates (some Ralink drivers, for example)
and also not force to long preamble.

4) do not use rts/cts or "access point and client mode", not all devices support that.

5) do not activate wmm support, incredibly sometime disconnect every 1/2 min some devices

6) set management protection on security profile disabled, not all devices support that.......
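
Added example (not part of any post in this thread): a small Python checker that reads a RouterOS `/export compact` dump and reports the wireless settings the post above tells AP operators to change. The sample export is constructed, and the function names are this example's own; keys absent from a compact export are at their RouterOS default and are not judged here.

```python
import re

# Constructed sample in "/export compact" style, modelled on the settings
# quoted in the thread; it is not a real router's configuration.
SAMPLE_EXPORT = r'''/interface wireless
set 0 band=2ghz-b/g/n disabled=no mode=ap-bridge name=WiFi preamble-mode=long ssid=\
MyAp_Home wireless-protocol=any wmm-support=enabled
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk management-protection=allowed \
mode=dynamic-keys
add authentication-types=wpa2-psk management-protection=disabled name=guest
/ip service
set telnet disabled=yes
'''

# key=value pairs; a value is either a quoted string or a run of non-space text.
PARAM_RE = re.compile(r'([A-Za-z0-9.-]+)=("(?:[^"\\]|\\.)*"|[^\s"]+)')
# SSID alphabet recommended in the post: A-Z, 0-9 and "-".
SSID_SAFE_RE = re.compile(r'[A-Z0-9-]+')


def logical_lines(text):
    """Join lines that the export wrapped with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        piece = raw.lstrip() if buf else raw
        piece = piece.rstrip("\r\n")
        if piece.endswith("\\"):
            buf += piece[:-1]      # drop the backslash, keep any space before it
            continue
        yield (buf + piece).strip()
        buf = ""
    if buf:
        yield buf.strip()


def parse_export(text):
    """Return a list of (menu_path, params) for every set/add line."""
    menu, entries = None, []
    for line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        params = {k: v.strip('"') for k, v in PARAM_RE.findall(line)}
        entries.append((menu, params))
    return entries


def audit(text):
    """Return (key, item_name, message) for each setting the post advises against."""
    findings = []
    for menu, p in parse_export(text):
        item = p.get("name", "default")

        def flag(key, why):
            findings.append((key, item, f"{key}={p[key]}: {why}"))

        if menu == "/interface wireless":
            # Missing keys are treated as "not judged", not as a pass.
            if p.get("wireless-protocol", "802.11") != "802.11":
                flag("wireless-protocol",
                     "nstreme/nv2 are also offered; without NV2 security, "
                     "MikroTik clients can join without the WPA password")
            if "ssid" in p and not SSID_SAFE_RE.fullmatch(p["ssid"]):
                flag("ssid", "contains characters outside A-Z, 0-9 and '-'")
            if p.get("preamble-mode") == "long":
                flag("preamble-mode", "long preamble is forced")
            if p.get("wmm-support") == "enabled":
                flag("wmm-support", "reported to disconnect some clients")
        elif menu == "/interface wireless security-profiles":
            if p.get("management-protection", "disabled") != "disabled":
                flag("management-protection", "not supported by all clients")
    return findings


if __name__ == "__main__":
    for key, item, message in audit(SAMPLE_EXPORT):
        print(f"[{item}] {message}")
```
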

Re: Apple devices & Mikrotik

Posted: Mon Apr 14, 2014 1:35 pm
by MATU
@Nollitik and rextended, thanks for your replies.

Rextended,
I am not using the wireless modes from the router board, I have setup hotspot and am using http chap so as much as you can connect to our 80 access points you will still be queried with a password to access the internet by the login page.

Re: Apple devices & Mikrotik

Posted: Sat Apr 19, 2014 5:46 am
by nbeacham
I'm having this same problem with Apple products and the hotspot. I have to create a bypass also. If you build a simple queue targeting the user's IP, it at least throttles them. Would be nice to know a workaround. I use MAC authentication for my login.

Re: Apple devices & Mikrotik

Posted: Sun Jul 27, 2014 11:38 am
by bullis82
Guys, I use a RB2011 with wireless on OS 6.17 and had same issue with no connectivity from any MAC device while from other brands was ok.

I simply added AES encryption along with the TKIP that I had before and now all work fine. I hope it works for you as well.

I also changed the SSID to capital letters (not quite sure if it changed anything).

Re: Apple devices & Mikrotik

Posted: Thu Feb 26, 2015 8:27 pm
by kerad
I just spent a LOT of time trying all your suggestions and nothing would work, still. My iPad, as well as my Kindle would not connect no matter what. But guess what. Turns out you can't have any special characters in your WiFi password. I had an exclamation mark (!) and that was the thing that was killing it. :?