raelbsd
just joined
Topic Author
Posts: 2
Joined: Fri Jan 12, 2024 7:12 am

Fast transition with 2 hap ac2 not working

Mon Jan 15, 2024 11:55 pm

Hi folks, a month ago I upgraded my ac2s to 7.13 and installed the wifi-qcom-ac package to use the benefits of fast roaming. I was using CAPsMan with ROS 6; since there were a lot of changes I backed up the configuration and started from scratch with the new CAPsMan. I have around 50 devices in my house using both bands, the ac2s are linked together with ethernet cable and they are separated by 15 meters. I'm using the same SSID for both routers; if I connect a device to one router and walk away to the other router, nothing happens, the device is bound to the first router no matter the quality of the signal. I thought that it was a client's fault; at first I used my Oneplus 10, but after that I've tried with a Dell laptop, a Fire tablet, and even a Surface, with no luck.
I'm not sure what else to try, perhaps someone can shed some light on this.
Thanks in advance!

Here is my config:

First mikrotik (estudio):
# 2024-01-15 18:49:22 by RouterOS 7.13
# software id = HWJU-6UKY
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXXXXX
/interface bridge
add admin-mac=08:55:31:9B:20:E2 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-n disabled=no frequency=2472 name=2-channel13-N width=20mhz
add band=5ghz-ac disabled=no frequency=5220 name=5-channel-ac \
    skip-dfs-channels=all width=20/40/80mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk comment=security_profile \
    connect-priority=0 disabled=no ft=yes ft-over-ds=yes name=\
    security_profile
/interface wifi configuration
add channel=5-channel-ac country="United States" disabled=no mode=ap name=\
    profile-wifi-5-ac security=security_profile \
    security.authentication-types=wpa-psk,wpa2-psk .connect-priority=0 .ft=\
    yes .ft-over-ds=yes ssid=darkstar-5.0GHz
add channel=2-channel13-N country="United States" disabled=no mode=ap name=\
    profile-wifi-2-an security=security_profile \
    security.authentication-types=wpa-psk,wpa2-psk .ft=yes .ft-over-ds=yes \
    ssid=darkstar-2.4GHz
/interface wifi
add channel.frequency=2462 configuration=profile-wifi-2-an \
    configuration.mode=ap disabled=no name=living-cap-wifi2 radio-mac=\
    18:FD:74:74:2B:F4
add channel.frequency=5220 configuration=profile-wifi-5-ac \
    configuration.mode=ap disabled=no name=living-cap-wifi5 radio-mac=\
    18:FD:74:74:2B:F5
set [ find default-name=wifi1 ] channel.frequency=2462 configuration=\
    profile-wifi-2-an configuration.mode=ap datapath.bridge=bridge disabled=\
    no name=wifi-2.0 security.connect-priority=0
set [ find default-name=wifi2 ] configuration=profile-wifi-5-ac \
    configuration.mode=ap disabled=no name=wifi-5.0 \
    security.connect-priority=0
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.190
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi-2.0
add bridge=bridge comment=defconf interface=wifi-5.0
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=yes upgrade-policy=\
    none
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=192.168.0.2/24 interface=ether1 network=192.168.0.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.1.17 client-id=1:7c:78:b2:38:1a:d mac-address=\
    7C:78:B2:38:1A:0D server=defconf
add address=192.168.1.7 mac-address=E4:5F:01:0A:30:11 server=defconf
add address=192.168.1.41 client-id=1:7c:78:b2:38:1a:de mac-address=\
    7C:78:B2:38:1A:DE server=defconf
add address=192.168.1.107 client-id=1:c:8c:24:c:ee:17 mac-address=\
    0C:8C:24:0C:EE:17 server=defconf
add address=192.168.1.27 mac-address=10:2C:6B:10:45:88 server=defconf
add address=192.168.1.30 client-id=1:7c:78:b2:38:15:6f mac-address=\
    7C:78:B2:38:15:6F server=defconf
add address=192.168.1.26 mac-address=D8:8C:79:74:ED:EB server=defconf
add address=192.168.1.10 client-id=1:c:8c:24:22:bd:e1 mac-address=\
    0C:8C:24:22:BD:E1 server=defconf
add address=192.168.1.116 client-id=\
    ff:c2:72:f6:9:0:2:0:0:ab:11:f5:a2:86:96:a4:27:48:e0 mac-address=\
    00:A0:98:71:FD:FE server=defconf
add address=192.168.1.51 mac-address=10:52:1C:74:0B:84 server=defconf
add address=192.168.1.11 mac-address=C8:2B:96:E3:7F:BC server=defconf
add address=192.168.1.78 mac-address=DC:4F:22:B9:6A:92 server=defconf
add address=192.168.1.59 mac-address=7C:78:B2:69:E8:9E server=defconf
add address=192.168.1.69 mac-address=70:03:9F:09:7C:38 server=defconf
add address=192.168.1.75 client-id=\
    ff:b5:5e:67:ff:0:2:0:0:ab:11:71:51:7a:3f:5a:ab:ed:2d mac-address=\
    00:A0:98:14:0C:1B server=defconf
add address=192.168.1.94 client-id=1:7c:78:b2:7a:c7:ee comment=cam-patio.lan \
    mac-address=7C:78:B2:7A:C7:EE server=defconf
add address=192.168.1.9 client-id=1:18:fd:74:74:2b:ef comment=\
    mikrotik.living.lan mac-address=18:FD:74:74:2B:EF server=defconf
add address=192.168.1.4 comment=dockernas.lan mac-address=1E:CD:BF:A6:E0:11
add address=192.168.1.8 comment=truenas.lan mac-address=86:46:69:3C:40:BA
add address=192.168.1.13 comment=proxmox.lan mac-address=18:C0:4D:61:3C:49
add address=192.168.1.66 comment=cam-babycall.lan mac-address=\
    D0:3F:27:A2:B1:77
add address=192.168.1.61 comment=cam-patio2.lan mac-address=7C:78:B2:38:3E:9A
add address=192.168.1.54 client-id=1:c4:60:35:3c:66:3e mac-address=\
    C4:60:35:3C:66:3E server=defconf
add address=192.168.1.28 mac-address=24:A1:60:0B:06:C6
add address=192.168.1.68 mac-address=DC:A6:32:08:DD:07
add address=192.168.1.25 client-id=1:1e:52:ce:a6:b6:cd mac-address=\
    1E:52:CE:A6:B6:CD server=defconf
add address=192.168.1.24 client-id=1:26:40:20:e3:4e:b4 mac-address=\
    26:40:20:E3:4E:B4 server=defconf
add address=192.168.1.29 client-id=1:4a:53:f6:af:dd:6c mac-address=\
    4A:53:F6:AF:DD:6C server=defconf
add address=192.168.1.44 client-id=1:8:5b:d6:5a:dc:f5 mac-address=\
    08:5B:D6:5A:DC:F5 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=\
    192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.1,1.0.0.1,192.105.0.131,192.105.0.4
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
add address=192.168.1.1 name=mikrotik.estudio.lan
add address=192.168.1.9 name=mikrotik.living.lan
add address=192.168.0.1 name=routerisp.lan
add address=192.168.1.8 name=truenas.lan
add address=192.168.1.7 name=cronos.lan
add address=192.168.1.68 name=octopi.lan
add cname=transmission.docker name=transmission.lan type=CNAME
add address=192.168.1.4 name=dockernas.lan
add address=192.168.1.193 name=portainer.lan
add address=192.168.1.59 name=cam-garage.lan
add address=192.168.1.94 name=cam-patio.lan
add address=192.168.1.30 name=cam-entrada.lan
add address=192.168.1.41 name=cam-cocina.lan
add address=192.168.1.17 name=cam-frente.lan
add cname=dockernas.lan disabled=yes name=aikidofudoshinkan.org type=CNAME
add address=192.168.1.13 name=proxmox.lan
add address=192.168.1.66 name=cam-babycall.lan
add address=192.168.1.61 name=cam-patio2.lan
add address=192.168.1.54 name=tablet.entrada.lan
add address=192.168.1.25 name=1+.sole.50.lan
add address=192.168.1.24 name=1+.juan.50.lan
add address=192.168.1.29 name=1+.juan.24.lan
add address=192.168.1.44 name=surface.cata.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=America/Argentina/Buenos_Aires
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Second mikrotik (living):
# 2024-01-15 09:50:46 by RouterOS 7.13
# software id = 08N0-RX40
#
# model = RBD52G-5HacD2HnD
# serial number = XXXXXXX
/interface bridge
add admin-mac=18:FD:74:74:2B:EF auto-mac=no comment=defconf name=bridgeLocal
/interface list
add name=WAN
add name=LAN
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: darkstar-2.4GHz, channel: 2462/n
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no
# managed by CAPsMAN
# mode: AP, SSID: darkstar-5.0GHz, channel: 5220/ac/eeCe
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
/interface list member
add interface=ether1 list=WAN
add interface=bridgeLocal list=LAN
/interface wifi cap
set certificate=request discovery-interfaces=bridgeLocal enabled=yes \
    slaves-datapath=capdp
/ip address
add address=192.168.1.9/24 interface=bridgeLocal network=192.168.1.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/system note
set show-at-login=no
Last edited by holvoetn on Tue Jan 16, 2024 6:51 am, edited 1 time in total.
Reason: added code quotes for readability
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Fast transition with 2 hap ac2 not working

Tue Jan 16, 2024 8:51 am

/interface wifi configuration
add channel=5-channel-ac country="United States" disabled=no mode=ap name=\
    profile-wifi-5-ac security=security_profile \
    security.authentication-types=wpa-psk,wpa2-psk .connect-priority=0 .ft=\
    yes .ft-over-ds=yes ssid=darkstar-5.0GHz
add channel=2-channel13-N country="United States" disabled=no mode=ap name=\
    profile-wifi-2-an security=security_profile \
    security.authentication-types=wpa-psk,wpa2-psk .ft=yes .ft-over-ds=yes \
    ssid=darkstar-2.4GHz
I would have expected something different:
/interface wifi configuration
add channel=5-channel-ac country="United States" name=profile-wifi-5-ac security=security_profile ssid=darkstar-5.0GHz
add channel=2-channel13-N country="United States" name=profile-wifi-2-an security=security_profile ssid=darkstar-2.4GHz
Anything you specify in the profile overwrites i.e. the security settings. Hence you are using wpa-psk and wpa2-psk.
You might want to consider using a single SSID so FT is not only between CAPs but also between radios.

For the CAP (living room) there seems to be some old configuration left. I have reset configuration and checking CAPs Mode to start as clean as possible. Don't forget to follow the documentation, especially on the CAP:

https://help.mikrotik.com/docs/display/ ... ionexample:
 
andriys
Forum Guru
Posts: 1529
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: Fast transition with 2 hap ac2 not working

Tue Jan 16, 2024 1:41 pm

after that I've tried with a Dell laptop, a Fire tablet, and even a Surface, with no luck.
Regarding Windows laptops and roaming, check this message out.
 
raelbsd
just joined
Topic Author
Posts: 2
Joined: Fri Jan 12, 2024 7:12 am

Re: Fast transition with 2 hap ac2 not working

Tue Jan 16, 2024 5:08 pm

Thanks for the tips, I didn't find an example of having only one SSID, I'm not sure how to do it. For a start I think with the two bands split it should be working (maybe they're working and I didn't find a suitable client to test). I tried to use a centralized config through a configuration profile, but it looks like I mixed some things up, I'll review that config part again. I'm using the Wireless Table->Registration tab to see where each device connects and checking the roaming.
Regarding the cAP, it's weird that some older configuration remains, I did a System->Reset Configuration->CAPS Mode. I'll do it again just in case.
Thanks for pointing me about Windows and FT, I didn't know about it. I think I can try with a laptop with Linux to test.
At first, I was afraid I had misunderstood the new drivers, the FT capabilities and so on, because I saw old topics in the forum saying that all this new stuff will only work with new devices and not the ac2. But in the 7.13 release info it seems they found a way to include these old devices.
Lastly, I put the wpa-psk and wpa2-psk settings because in 2.4 I have a lot of IoT devices, I'm not so sure if all of them support wpa2.
Thanks again for your comments!
Best regards
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Fast transition with 2 hap ac2 not working

Tue Jan 16, 2024 10:35 pm


Lastly, I put the wpa-psk and wpa2-psk settings because in 2.4 I have a lot of IoT devices, I'm not so sure if all of them support wpa2.
Thanks again for your comments!
Best regards
Use WPA3 for those SSIDs where you want FT. Use same SSID for 2.4 and 5GHz.

Use WPA/WPA2 on a separate SSID for only those IoT devices.

Further on you may want to consider using VLAN to separate that IoT traffic completely from the rest (and maybe also a Guest network 8) )
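
The override erlinden describes and the WPA3-for-FT advice from holvoetn can be checked mechanically against an export. The following Python sketch is an added example, not part of the thread and not MikroTik code. It assumes, as erlinden's reply states, that inline `security.*` values in a configuration profile take precedence over the referenced security profile; `profile-clean`, the SSID `darkstar` and the function names are constructed for the example.

```python
import re
import shlex

# Constructed sample: two sections from the export posted above, plus one
# constructed profile ("profile-clean") that carries no inline overrides.
EXPORT = r'''
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk comment=security_profile \
    connect-priority=0 disabled=no ft=yes ft-over-ds=yes name=\
    security_profile
/interface wifi configuration
add channel=5-channel-ac country="United States" disabled=no mode=ap name=\
    profile-wifi-5-ac security=security_profile \
    security.authentication-types=wpa-psk,wpa2-psk .connect-priority=0 .ft=\
    yes .ft-over-ds=yes ssid=darkstar-5.0GHz
add name=profile-clean security=security_profile ssid=darkstar
'''

def parse_export(text):
    """Return {section: [{key: value}, ...]} for every 'add' line."""
    text = re.sub(r"\\\n\s*", "", text)      # undo the export's line wrapping
    sections, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            item, prefix = {}, ""
            for tok in shlex.split(line[4:]):
                key, _, val = tok.partition("=")
                if key.startswith("."):      # ".ft" abbreviates "security.ft"
                    key = prefix + key
                elif "." in key:
                    prefix = key.rsplit(".", 1)[0]
                item[key] = val
            sections.setdefault(current, []).append(item)
    return sections

def audit(text):
    """Return (profile, effective auth types, findings) per configuration."""
    s = parse_export(text)
    sec = {p["name"]: p for p in s.get("/interface wifi security", [])}
    report = []
    for cfg in s.get("/interface wifi configuration", []):
        base = sec.get(cfg.get("security"), {})
        inline = cfg.get("security.authentication-types")
        effective = (inline or base.get("authentication-types", "")).split(",")
        ft = cfg.get("security.ft", base.get("ft"))
        checks = [
            (inline not in (None, base.get("authentication-types")), "inline override"),
            ("wpa-psk" in effective, "legacy wpa-psk enabled"),
            (ft == "yes" and "wpa3-psk" not in effective, "ft=yes without wpa3-psk"),
        ]
        report.append((cfg["name"], effective, [m for hit, m in checks if hit]))
    return report
```
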
