 
mociulski
just joined
Topic Author
Posts: 1
Joined: Tue Jan 08, 2019 5:05 pm

Hap AC Wifi Dropping

Thu Nov 24, 2022 12:41 pm

Hello,

I have a Hap AC running as a remote CAP, along with other APs, all managed by CAPsMAN on an RB4011. Whenever I am connected to the HapAC, regardless of the distance to the AP, the WIFI drops for a couple of seconds from time to time, then comes back. It happens with two different laptops and a phone as well.

In the caps logs I have:
1C:1B:B5:D1:BD:7F@hAP AC 2GHz disconnected, received deauth: unspecified (1), signal strength -54
and nothing in wifi debug logs.

Would you have any suggestions on how to debug this? I've confirmed that it's the WIFI (ping from the client -> AP times out, ping from the RB4011 -> AP does not), but I have no clue on how to go any further.

Here is the HapAC configuration:
# nov/24/2022 10:04:50 by RouterOS 6.49.7
# software id = LPIG-3C32
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8308077CAA5C
#
# Review notes: export of the hAP AC, which runs as a CAP (both radios are
# marked "managed by CAPsMAN" below). The header above publishes the device's
# software id and serial number as posted; such identifiers are normally
# redacted before an export is shared.
# No /ip firewall, /ip service or /user sections appear in this export, so
# management access on this device is whatever the defaults leave enabled
# -- verify on the device.
/interface bridge
# One bridge with a pinned admin MAC. protocol-mode=none disables STP/RSTP on
# a bridge that carries two bonded uplinks plus ether5 and sfp1 (see the
# bridge ports below), so nothing here would break an accidental L2 loop.
add admin-mac=64:D1:54:AA:12:49 auto-mac=no comment=defconf name=bridgeLocal \
    protocol-mode=none
/interface ethernet
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full rx-flow-control=auto \
    tx-flow-control=auto
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
    auto-negotiation=no rx-flow-control=auto tx-flow-control=auto
/interface wireless
# The local ssid=MikroTik values are placeholders: the "managed by CAPsMAN"
# status lines show the SSID and channel actually pushed by the manager.
# managed by CAPsMAN
# channel: 2412/20/gn(17dBm), SSID: WifiSSID, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(21dBm), SSID: WifiSSID5, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/interface bonding
# "bonding RB4011" is LACP (802.3ad) over ether1+ether2. "bonding Proxmox"
# sets no mode, so it runs the RouterOS default bonding mode (balance-rr, as
# far as I know -- TODO confirm that the Proxmox side expects that).
add name="bonding Proxmox" slaves=ether3,ether4
add mode=802.3ad name="bonding RB4011" slaves=ether1,ether2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether5
add bridge=bridgeLocal comment=defconf interface=sfp1
add bridge=bridgeLocal interface="bonding RB4011"
add bridge=bridgeLocal interface="bonding Proxmox"
/interface wireless cap
# 
# CAP mode: both radios are handed to a CAPsMAN found by layer-2 discovery on
# bridgeLocal. NOTE(review): no certificate or caps-man-addresses option
# appears in this export, so the CAP presumably accepts any manager that
# answers on that segment -- confirm, and consider certificates if the
# segment is shared with untrusted hosts.
set bridge=bridgeLocal discovery-interfaces=bridgeLocal enabled=yes \
    interfaces=wlan1,wlan2
/ip dhcp-client
# Management address is obtained by DHCP on the bridge.
add comment=defconf disabled=no interface=bridgeLocal
/system clock
set time-zone-name=Europe/Paris
/system identity
set name="hAP AC"
and the RB4011 CAPsMAN manager:

# nov/24/2022 11:03:06 by RouterOS 6.49.7
# software id = 999R-MRX7
#
# model = RB4011iGS+
# serial number = B8FE0AF61801
#
# Review notes: export of the RB4011, which is the router, VPN endpoint and
# CAPsMAN manager. The header above publishes the software id and serial
# number as posted.
/caps-man channel
# Three fixed 20 MHz channels on 2.4 GHz (2412/2437/2462) and three 5 GHz
# channels with a Ceee extension (5180/5260/5500).
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2412 name=channel1
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2437 name=channel6
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
    frequency=2462 name=channel11
add band=5ghz-a/n/ac extension-channel=Ceee frequency=5180 name=channel36
add band=5ghz-a/n/ac extension-channel=Ceee frequency=5260 name=channel52
add band=5ghz-a/n/ac extension-channel=Ceee frequency=5500 name=channel100
/interface bridge
# "bridge" is the main LAN; "bridgeGuest" is the separate guest segment.
add admin-mac=74:4D:28:EC:F4:E8 auto-mac=no comment=defconf name=bridge
add name=bridgeGuest
/interface bonding
add mode=802.3ad name="bonding GS1900" slaves=ether4,ether5 \
    transmit-hash-policy=layer-2-and-3
add mode=802.3ad name="bonding hAP" slaves=ether2,ether3
/caps-man datapath
# "datapath": main SSIDs are bridged locally on each CAP, and wireless
# clients may talk to each other (client-to-client-forwarding=yes).
add bridge=bridge client-to-client-forwarding=yes local-forwarding=yes name=\
    datapath
# "guest_path": only the bridge is set, so local-forwarding and
# client-to-client-forwarding stay at their defaults -- presumably guest
# traffic is tunnelled to the manager and lands on bridgeGuest; TODO confirm.
add bridge=bridgeGuest name=guest_path
/caps-man security
# Both profiles accept WPA (wpa-psk) alongside WPA2 (wpa2-psk).
# NOTE(review): wpa-psk is the legacy mode; WPA2-only is the usual baseline
# when every client supports it. No passphrase field is present in this
# export (presumably hidden or removed before posting).
# NOTE(review): nothing in this export enables management frame protection,
# so deauth frames such as the one in the quoted CAPsMAN log are presumably
# unauthenticated; the log entry alone does not establish who sent it.
add authentication-types=wpa-psk,wpa2-psk group-key-update=1h name=MHSecurity
add authentication-types=wpa-psk,wpa2-psk name=GuestSecurity
/caps-man configuration
# WifiSSID / WifiSSID5 share MHSecurity and the local-forwarding datapath;
# WifiSSID5 repeats the same authentication types inline. MHGuest binds the
# guest SSID to guest_path / bridgeGuest with GuestSecurity.
add country=france datapath=datapath datapath.bridge=bridge name=WifiSSID \
    security=MHSecurity ssid=WifiSSID
add channel.band=5ghz-a/n/ac country=france datapath=datapath \
    datapath.bridge=bridge mode=ap name=WifiSSID5 security=MHSecurity \
    security.authentication-types=wpa-psk,wpa2-psk ssid=WifiSSID5
add country=france datapath=guest_path datapath.bridge=bridgeGuest mode=ap \
    name=MHGuest security=GuestSecurity ssid=MHGuest
/caps-man interface
# One master interface per physical radio (master-interface=none) plus one
# guest virtual AP per radio (master-interface set, radio-mac all zeros,
# locally administered MAC derived from the radio's MAC).
# Some guest entries set datapath=guest_path explicitly and others do not;
# all of them use configuration=MHGuest, which already names guest_path in
# the /caps-man configuration section.
#
# hAP AC: 2.4 GHz on channel1, 5 GHz on channel36.
add channel=channel1 configuration=WifiSSID disabled=no l2mtu=1600 \
    mac-address=64:D1:54:AA:12:50 master-interface=none name="hAP AC 2GHz" \
    radio-mac=64:D1:54:AA:12:50 radio-name=64D154AA1250
add channel=channel36 configuration=WifiSSID5 disabled=no l2mtu=1600 \
    mac-address=64:D1:54:AA:12:4F master-interface=none name="hAP AC 5GHz" \
    radio-mac=64:D1:54:AA:12:4F radio-name=64D154AA124F
add configuration=MHGuest disabled=no l2mtu=1600 mac-address=\
    66:D1:54:AA:12:50 master-interface="hAP AC 2GHz" name="hAP AC Guest 2GHz" \
    radio-mac=00:00:00:00:00:00 radio-name=66D154AA1250
add configuration=MHGuest datapath=guest_path disabled=no l2mtu=1600 \
    mac-address=66:D1:54:AA:12:4F master-interface="hAP AC 5GHz" name=\
    "hAP AC Guest 5GHz" radio-mac=00:00:00:00:00:00 radio-name=66D154AA124F
# hAP AC2: 2.4 GHz on channel11, 5 GHz on channel100 (frequency repeated
# inline via channel.frequency).
add channel=channel11 channel.frequency=2462 configuration=WifiSSID \
    disabled=no l2mtu=1600 mac-address=C4:AD:34:34:DC:CB master-interface=\
    none name="hAP AC2 2GHz" radio-mac=C4:AD:34:34:DC:CB radio-name=\
    C4AD3434DCCB
add channel=channel100 channel.frequency=5500 configuration=WifiSSID5 \
    disabled=no l2mtu=1600 mac-address=C4:AD:34:34:DC:CC master-interface=\
    none name="hAP AC2 5GHz" radio-mac=C4:AD:34:34:DC:CC radio-name=\
    C4AD3434DCCC
add configuration=MHGuest disabled=no l2mtu=1600 mac-address=\
    C6:AD:34:34:DC:CB master-interface="hAP AC2 2GHz" name=\
    "hAP AC2 Guest 2GHz" radio-mac=00:00:00:00:00:00 radio-name=C6AD3434DCCB
add configuration=MHGuest disabled=no l2mtu=1600 mac-address=\
    C6:AD:34:34:DC:CC master-interface="hAP AC2 5GHz" name=\
    "hAP AC2 Guest 5GHz" radio-mac=00:00:00:00:00:00 radio-name=C6AD3434DCCC
# wAP Black: same channels as the hAP AC2 (channel11 / channel100).
add channel=channel11 configuration=WifiSSID disabled=no l2mtu=1600 \
    mac-address=6C:3B:6B:7D:7B:4B master-interface=none name="wAP Black 2GHz" \
    radio-mac=6C:3B:6B:7D:7B:4B radio-name=6C3B6B7D7B4B
add channel=channel100 configuration=WifiSSID5 disabled=no l2mtu=1600 \
    mac-address=6C:3B:6B:7D:7B:4A master-interface=none mtu=1500 name=\
    "wAP Black 5GHz" radio-mac=6C:3B:6B:7D:7B:4A radio-name=6C3B6B7D7B4A
add configuration=MHGuest datapath=guest_path disabled=no l2mtu=1600 \
    mac-address=6E:3B:6B:7D:7B:4B master-interface="wAP Black 2GHz" name=\
    "wAP Black Guest 2GHz" radio-mac=00:00:00:00:00:00 radio-name=\
    6E3B6B7D7B4B
add configuration=MHGuest disabled=no l2mtu=1600 mac-address=\
    6E:3B:6B:7D:7B:4A master-interface="wAP Black 5GHz" name=\
    "wAP Black Guest 5Ghz" radio-mac=00:00:00:00:00:00 radio-name=\
    6E3B6B7D7B4A
# wAP White: 2.4 GHz on channel6, 5 GHz on channel52.
add channel=channel6 configuration=WifiSSID disabled=no l2mtu=1600 \
    mac-address=CC:2D:E0:10:5F:45 master-interface=none name="wAP White 2GHz" \
    radio-mac=CC:2D:E0:10:5F:45 radio-name=CC2DE0105F45
add channel=channel52 configuration=WifiSSID5 disabled=no l2mtu=1600 \
    mac-address=CC:2D:E0:10:5F:44 master-interface=none name="wAP White 5GHz" \
    radio-mac=CC:2D:E0:10:5F:44 radio-name=CC2DE0105F44
add configuration=MHGuest disabled=no l2mtu=1600 mac-address=\
    CE:2D:E0:10:5F:45 master-interface="wAP White 2GHz" name=\
    "wAP White Guest 2GHz" radio-mac=00:00:00:00:00:00 radio-name=\
    CE2DE0105F45
add configuration=MHGuest datapath=guest_path disabled=no l2mtu=1600 \
    mac-address=CE:2D:E0:10:5F:44 master-interface="wAP White 5GHz" name=\
    "wAP White Guest 5GHz" radio-mac=00:00:00:00:00:00 radio-name=\
    CE2DE0105F44
/interface ethernet switch port
# All twelve switch ports are set to default-vlan-id=0.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# WAN / LAN lists are referenced by the firewall, neighbor discovery and
# mac-server settings further down; membership is set in
# /interface list member.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Default local profile also allows legacy WPA next to WPA2.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip dhcp-client option
# NOTE(review): option 90 is the DHCP authentication option and option 60 the
# vendor class sent to the ISP on ether1. The hex value looks
# account-specific -- treat it like a credential and redact it before
# sharing an export (TODO confirm with the ISP documentation).
add code=90 name=authsend value=\
    0x00000000000000000000006674692f32656776363678
add code=60 name=vendor-class-identifier value="'neufbox_NB6V-MAIN-bg'"
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
# Disabled passive peer; has no effect while disabled=yes.
add disabled=yes name=peer1 passive=yes
/ip ipsec proposal
# NOTE(review): the default proposal still offers 3des next to AES-CBC.
# 3DES is a legacy cipher; drop it unless a peer is known to need it.
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
# LAN pool, VPN client pool (used by the ppp profile below) and guest pool.
add name=dhcp ranges=10.10.12.1-10.10.12.250
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp-guest ranges=192.168.1.100-192.168.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=dhcp
add address-pool=dhcp-guest disabled=no interface=bridgeGuest name=\
    "dhcp guest"
/ppp profile
# *0 and *FFFFFFFE are internal ids, presumably the built-in "default" and
# "default-encryption" profiles; the second hands VPN clients an address from
# the "vpn" pool with the router at 192.168.89.1.
set *0 rate-limit=10M/10M
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
/snmp community
# The default community accepts any source address (0.0.0.0/0). No
# "/snmp set enabled=yes" appears in this export, so the agent is presumably
# off -- confirm; if SNMP is ever enabled, restrict addresses first.
set [ find default=yes ] addresses=0.0.0.0/0
/user group
# Policy list of the built-in "full" group, including sniff, sensitive, api,
# romon, dude and tikapp.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man access-list
# Signal-based reject rule for one client MAC; disabled=yes, so inactive.
add action=reject allow-signal-out-of-range=10s comment="Mezzanine Light" \
    disabled=yes mac-address=E0:98:06:D5:E5:C0 signal-range=-120..-70 \
    ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
/caps-man manager
# NOTE(review): no certificate / require-peer-certificate option is shown, so
# CAPs are presumably accepted without certificate checks -- confirm.
set enabled=yes
/caps-man manager interface
# Manager is forbidden on all interfaces by default and enabled only on
# "bridge", which keeps CAPsMAN off the WAN and guest sides.
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
# No radio-mac or other match is set, so this rule applies to any radio that
# reaches provisioning: master config WifiSSID plus slave config MHGuest.
add action=create-enabled master-configuration=WifiSSID name-format=identity \
    slave-configurations=MHGuest
/dude
# The Dude server is enabled on the router.
set enabled=yes
/interface bridge nat
# Two identical accept rules in the bridge srcnat chain; neither matches on
# anything, so the second one is redundant.
add action=accept chain=srcnat
add action=accept chain=srcnat
/interface bridge port
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge interface="bonding hAP"
add bridge=bridge interface="bonding GS1900"
/interface bridge settings
# Bridged (layer-2) traffic is also passed through the IP firewall.
set use-ip-firewall=yes
/ip neighbor discovery-settings
# Neighbor discovery is limited to the LAN list.
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
# NOTE(review): with use-ipsec=yes the server may still accept L2TP sessions
# that arrive without IPsec, and the input rule for UDP 1701 has no
# ipsec-policy match -- verify against the RouterOS documentation whether
# plain L2TP is reachable from WAN.
set enabled=yes use-ipsec=yes
/interface list member
# LAN contains only "bridge" and WAN only ether1; bridgeGuest is in neither
# list, so every "!LAN" rule in the firewall also applies to guest traffic.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
# NOTE(review): PPTP is enabled and allows PAP (password sent in clear) and
# MS-CHAPv1 in addition to CHAP and MS-CHAPv2. TCP 1723 is accepted on the
# input chain from any interface. Prefer disabling PPTP, or at least remove
# pap and mschap1, if no client depends on them.
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
# SSTP is enabled on the default-encryption profile; no certificate option is
# shown in this export -- confirm which certificate the server presents.
set default-profile=default-encryption enabled=yes
/ip address
# The LAN is addressed as a /8 (10.10.10.1/8); the guest segment is a /24.
add address=10.10.10.1/8 comment=defconf interface=bridge network=10.0.0.0
add address=192.168.1.1/24 interface=bridgeGuest network=192.168.1.0
/ip cloud
# Registers the router's public address under a MikroTik DDNS name.
set ddns-enabled=yes
/ip dhcp-client
# WAN address via DHCP on ether1, sending only the vendor-class option
# (the "authsend" option defined earlier is not referenced here).
add dhcp-options=vendor-class-identifier disabled=no interface=ether1
/ip dhcp-server network
# LAN clients use the router as DNS; guests are pointed at public resolvers.
add address=10.0.0.0/8 dns-server=10.10.10.1 gateway=10.10.10.1
add address=192.168.1.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.1.1 \
    netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for anyone the input
# chain lets in; here that relies on the "drop all not coming from LAN" rule
# staying in place and on VPN clients being trusted (all-ppp is accepted).
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter
# IPv4 filter rules, evaluated top to bottom within each chain. This is the
# default configuration (defconf) with VPN accepts and a guest isolation rule
# added. There is no final drop in the forward chain, so anything not dropped
# explicitly below is forwarded.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# Only WAN-side protection in the forward chain: new connections from WAN are
# dropped unless they were dst-natted, so every dst-nat rule in
# /ip firewall nat is an opening to the internal host it names.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes
# Redundant: established,related forward traffic is already accepted above.
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
# VPN listeners opened on the input chain from any interface (no
# in-interface or source restriction): L2TP/IKE/NAT-T, ESP, PPTP and SSTP.
# NOTE(review): UDP 1701 is accepted without an ipsec-policy match, so the
# firewall does not itself require L2TP to arrive inside IPsec.
add action=accept chain=input comment="allow l2tp" dst-port=1701,500,4500 \
    log=yes protocol=udp
add action=accept chain=input comment="Allow L2TP VPN ipsec" log=yes \
    protocol=ipsec-esp
add action=accept chain=input comment="allow pptp" dst-port=1723 log=yes \
    protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
# Everything arriving on any PPP interface is accepted to the router itself,
# i.e. connected VPN clients get full access to router services.
add action=accept chain=input comment="Allow incoming from VPN" in-interface=\
    all-ppp log=yes
# Final input drop for anything not from the LAN list (WAN and, because
# bridgeGuest is not a LAN member, guest clients as well).
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Guest isolation: guest-to-LAN forwarding is dropped. Traffic that is
# already established/related was accepted earlier in the chain.
add action=drop chain=forward comment="Drop everything from guest network" \
    in-interface=bridgeGuest out-interface=bridge
# Has no practical effect here: the same match is the first input rule.
add action=accept chain=input comment="Allow established conversations" \
    connection-state=established,related,untracked
# Disabled rule; inactive.
add action=drop chain=input comment="Drop everything else from WAN" disabled=\
    yes in-interface=ether1 log-prefix=Drop:
/ip firewall nat
# Source NAT for WAN, VPN and guest traffic, hairpin masquerade rules for
# LAN-to-LAN access through the router, and a list of port forwards.
#
# NOTE(review): apart from the "Docker" rule (in-interface=ether1), no
# dst-nat rule below restricts in-interface, dst-address or source address.
# They therefore match the listed dst-port on any interface, and since the
# forward chain admits dst-natted connections from WAN, each one publishes
# the named internal service to the internet. Judging by the rule comments
# this includes management interfaces (iDRAC, ESXI, ProxMox), remote desktop
# (W10 RDC), SSH and FTP on the NAS, Home Assistant and Bitwarden. Consider
# reaching these over the VPN instead, or limit the rules with
# in-interface-list=WAN plus a source address list.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
add action=dst-nat chain=dstnat comment=Transmission dst-port=9091 protocol=\
    tcp to-addresses=10.10.10.200 to-ports=9091
# FTP is forwarded to port 21 on the NAS; plain FTP carries credentials
# unencrypted.
add action=dst-nat chain=dstnat comment=FTP dst-port=4491 protocol=tcp \
    to-addresses=10.10.10.200 to-ports=21
add action=dst-nat chain=dstnat comment="NAS SSH" dst-port=4492 protocol=tcp \
    to-addresses=10.10.10.200 to-ports=22
# Hairpin masquerade: LAN sources (10.10.0.0/16) reaching this host through
# the router appear to come from the router. The same pattern repeats below
# for the other forwarded hosts.
add action=masquerade chain=srcnat dst-address=10.10.10.200 src-address=\
    10.10.0.0/16
add action=dst-nat chain=dstnat comment="NAS Plex" dst-port=42300 protocol=\
    tcp to-addresses=10.10.10.200 to-ports=32400
add action=dst-nat chain=dstnat comment="NAS PhotoPrism" dst-port=2432 \
    protocol=tcp to-addresses=10.10.10.200 to-ports=2342
# Out-of-band server management (rule comment: iDRAC) on two ports.
add action=dst-nat chain=dstnat comment=iDRAC dst-port=7272 protocol=tcp \
    to-addresses=10.10.10.72 to-ports=7272
add action=dst-nat chain=dstnat comment=iDRAC dst-port=4433 protocol=tcp \
    to-addresses=10.10.10.72 to-ports=5901
add action=masquerade chain=srcnat dst-address=10.10.10.72 src-address=\
    10.10.0.0/16
# Hypervisor management (rule comment: ESXI) on 443 and 903.
add action=dst-nat chain=dstnat comment=ESXI dst-port=6969 protocol=tcp \
    to-addresses=10.10.10.69 to-ports=443
add action=dst-nat chain=dstnat comment=ESXI dst-port=903 protocol=tcp \
    to-addresses=10.10.10.69 to-ports=903
add action=dst-nat chain=dstnat comment="Home Assistant DEV" dst-port=8234 \
    protocol=tcp to-addresses=10.10.10.11 to-ports=8123
add action=masquerade chain=srcnat dst-address=10.10.10.150 src-address=\
    10.10.0.0/16 src-address-list=""
# Disabled rule; inactive.
add action=dst-nat chain=dstnat comment=MQTT disabled=yes dst-port=8813 \
    protocol=tcp src-port="" to-addresses=10.10.11.11 to-ports=1883
add action=masquerade chain=srcnat dst-address=10.10.10.11 src-address=\
    10.10.0.0/16
add action=dst-nat chain=dstnat comment=HomeAssistantPi dst-port=8345 \
    protocol=tcp to-addresses=10.10.11.11 to-ports=8123
# Remote desktop (to-ports=3389) on two hosts.
add action=dst-nat chain=dstnat comment="W10 RDC" dst-port=8933 protocol=tcp \
    to-addresses=10.10.10.160 to-ports=3389
add action=dst-nat chain=dstnat comment="W10 Samsung RDC" dst-port=8934 \
    protocol=tcp src-port="" to-addresses=10.10.10.161 to-ports=3389
add action=dst-nat chain=dstnat comment=ProxMox dst-port=6008 protocol=tcp \
    src-port="" to-addresses=10.10.10.69 to-ports=8006
add action=masquerade chain=srcnat dst-address=10.10.10.69 src-address=\
    10.10.0.0/16
add action=dst-nat chain=dstnat comment="Transmission UDP" dst-port=9091 \
    protocol=udp to-addresses=10.10.10.200 to-ports=9091
# The only forward that is limited to the WAN port (in-interface=ether1).
add action=dst-nat chain=dstnat comment=Docker dst-port=80 in-interface=\
    ether1 protocol=tcp to-addresses=10.10.10.100 to-ports=80
add action=dst-nat chain=dstnat comment=Bitwarden dst-port=11080 packet-mark=\
    "" protocol=tcp src-port="" to-addresses=10.10.10.100 to-ports=11080
add action=masquerade chain=srcnat dst-address=10.10.10.100 src-address=\
    10.10.0.0/16
# Guest source NAT has no out-interface match, so it applies to guest
# traffic leaving through any interface.
add action=masquerade chain=srcnat comment="Masquarade Guest Network" \
    src-address=192.168.1.0/24
add action=dst-nat chain=dstnat comment=BabyBuddy dst-port=8100 protocol=tcp \
    src-port="" to-addresses=10.10.10.100 to-ports=8100
/ip ssh
# NOTE(review): allow-none-crypto=yes lets an SSH session negotiate the
# "none" cipher, i.e. run unencrypted, and forwarding-enabled=remote permits
# SSH port forwarding through the router. Neither is needed for normal
# administration; revert both unless something depends on them.
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
# UPnP is enabled, which allows hosts on a configured internal interface to
# request port mappings themselves. No "/ip upnp interfaces" entries appear
# in this export -- confirm whether any are configured.
set enabled=yes
/ipv6 firewall address-list
# "bad_ipv6": addresses that should never appear as source or destination of
# forwarded traffic; used by two forward drop rules in the IPv6 filter below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
# IPv6 filter: every rule carries a defconf comment. Unlike the IPv4 filter,
# both chains end in a drop for anything not arriving from the LAN list.
# No /ipv6 address or DHCPv6 client section appears in this export, so it is
# unclear from here whether IPv6 is actually in use -- confirm.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
# IKE, AH and ESP are accepted on input from any interface.
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system identity
set name=RB4011
/system logging
# Debug logging for the three VPN protocols is defined but disabled.
add disabled=yes prefix=" L2TPDBG===>" topics=l2tp
add disabled=yes prefix=" IPSECDBG===>" topics=ipsec
add disabled=yes prefix=" PPTPCDBG===>" topics=pptp
/tool graphing interface
add
/tool mac-server
# MAC-Telnet and MAC-Winbox are limited to the LAN list, so they are not
# offered on the WAN port or, since bridgeGuest is not a LAN member, on the
# guest bridge.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
