simsrw73
Frequent Visitor
Topic Author
Posts: 57
Joined: Sat Apr 17, 2021 10:53 pm
Location: Atlanta, GA (US)

Degraded wifi performance

Wed May 25, 2022 12:38 am

How can I go about determining the reason for degraded wifi performance? Specifically, internet speed; that's all the connection is used for. I'm not certain how to just test the connection speed.

I have an Audience in my house and used to get great reception all over the house. I have read that I should have several APs throughout the house and I do have a cAP XL that I got to put up, but... It was working great. And I can't think of anything that has changed, except perhaps some updates to RouterOS. Position of the Audience is the same. Configuration hasn't changed. I'm not aware of anything that's been added that would create additional interference. Additionally, it seems that rebooting the Audience improves performance for a while, measured by a quick internet speed test. The distance between the Audience and the devices connected to it is about 12m, with 2 interior walls separating them: one sheetrock and one thin paneling. Two devices are known to be affected: TV & iPad. Again, this was working fine until recently. I have no problems installing more APs, but I want to know what has changed. What are possible causes for variable performance and what can I use to test it?


# may/24/2022 16:34:21 by RouterOS 7.2.3
# software id = L4BD-ZE0J
#
# model = RBD25G-5HPacQD2HPnD
# serial number = D5840D80F71A
/interface bridge
add admin-mac=08:55:31:69:F3:2F auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] disabled=no installation=indoor mode=\
    ap-bridge name=wlan-2g ssid=1736StrtfrdRmsCt wps-mode=disabled
set [ find default-name=wlan2 ] disabled=no installation=indoor mode=\
    ap-bridge name=wlan-5g ssid=1736StrtfrdRmsCt wireless-protocol=802.11 \
    wps-mode=disabled
set [ find default-name=wlan3 ] ssid=MikroTik
/interface vlan
add interface=bridge name=vlan-base vlan-id=99
/interface list
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile-guest supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile-iot supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile-nest supplicant-identity=""
/interface wireless
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
    0A:55:31:69:F3:31 master-interface=wlan-2g multicast-buffering=disabled \
    name=wlan-2g-guest security-profile=profile-guest ssid=\
    1736StrtfrdRmsCt-Guest wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
add disabled=no keepalive-frames=disabled mac-address=0A:55:31:69:F3:32 \
    master-interface=wlan-2g multicast-buffering=disabled name=wlan-2g-iot \
    security-profile=profile-iot ssid=1736StrtfrdRmsCt-IOT wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=0A:55:31:69:F3:35 \
    master-interface=wlan-2g multicast-buffering=disabled name=wlan-2g-nest \
    security-profile=profile-nest ssid="Randy's Nest" wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
add default-forwarding=no disabled=no keepalive-frames=disabled mac-address=\
    0A:55:31:69:F3:33 master-interface=wlan-5g multicast-buffering=disabled \
    name=wlan-5g-guest security-profile=profile-guest ssid=\
    1736StrtfrdRmsCt-Guest wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
add keepalive-frames=disabled mac-address=0A:55:31:69:F3:34 master-interface=\
    wlan-5g multicast-buffering=disabled name=wlan-5g-iot security-profile=\
    profile-iot ssid=1736StrtfrdRmsCt-IOT wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-5g pvid=99
add bridge=bridge interface=wlan3
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-2g pvid=99
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-2g-guest pvid=101
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-2g-iot pvid=107
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-5g-guest pvid=101
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-5g-iot pvid=107
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-2g-nest pvid=107
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2 vlan-ids=99
add bridge=bridge tagged=ether1,ether2 vlan-ids=101
add bridge=bridge tagged=ether1,ether2 vlan-ids=107
/interface list member
add interface=vlan-base list=BASE
/interface ovpn-server server
set auth=sha1,md5
/interface wireless access-list
add authentication=no comment="REJECT: Echo: Bedroom R" interface=wlan-2g \
    mac-address=74:E2:0C:A2:49:D5
add authentication=no comment="REJECT: Echo: Bedroom R" interface=\
    wlan-2g-nest mac-address=74:E2:0C:A2:49:D5
add authentication=no comment="REJECT: Echo: Bedroom R" interface=wlan-5g \
    mac-address=74:E2:0C:A2:49:D5
add authentication=no comment="REJECT: Echo: Bedroom L" interface=wlan-2g \
    mac-address=D8:BE:65:54:93:23
add authentication=no comment="REJECT: Echo: Bedroom L" interface=\
    wlan-2g-nest mac-address=D8:BE:65:54:93:23
add authentication=no comment="REJECT: Echo: Bedroom L" interface=wlan-5g \
    mac-address=D8:BE:65:54:93:23
add authentication=no comment="REJECT: Echo: Bathroom" interface=wlan-2g \
    mac-address=0C:EE:99:E6:93:BA
add authentication=no comment="REJECT: Echo: Bathroom" interface=wlan-2g-nest \
    mac-address=0C:EE:99:E6:93:BA
add authentication=no comment="REJECT: Echo: Bathroom" interface=wlan-5g \
    mac-address=0C:EE:99:E6:93:BA
add authentication=no comment="REJECT: Echo: Dining Room" interface=wlan-2g \
    mac-address=FC:49:2D:A7:3D:29
add authentication=no comment="REJECT: Echo: Dining Room" interface=\
    wlan-2g-nest mac-address=FC:49:2D:A7:3D:29
add authentication=no comment="REJECT: Echo: Dining Room" interface=wlan-5g \
    mac-address=FC:49:2D:A7:3D:29
add authentication=no comment="REJECT: Echo: Family Room" interface=wlan-2g \
    mac-address=C8:6C:3D:03:D4:E5
add authentication=no comment="REJECT: Echo: Family Room" interface=\
    wlan-2g-nest mac-address=C8:6C:3D:03:D4:E5
add authentication=no comment="REJECT: Echo: Family Room" interface=wlan-5g \
    mac-address=C8:6C:3D:03:D4:E5
add authentication=no comment="REJECT: Echo: Kitchen Show" interface=wlan-2g \
    mac-address=10:96:93:C4:0F:47
add authentication=no comment="REJECT: Echo: Kitchen Show" interface=\
    wlan-2g-nest mac-address=10:96:93:C4:0F:47
add authentication=no comment="REJECT: Echo: Kitchen Show" interface=wlan-5g \
    mac-address=10:96:93:C4:0F:47
add authentication=no comment="REJECT: Echo: Laundry Room" interface=wlan-2g \
    mac-address=74:A7:EA:F1:DB:E5
add authentication=no comment="REJECT: Echo: Laundry Room" interface=\
    wlan-2g-nest mac-address=74:A7:EA:F1:DB:E5
add authentication=no comment="REJECT: Echo: Laundry Room" interface=wlan-5g \
    mac-address=74:A7:EA:F1:DB:E5
add authentication=no comment="REJECT: Echo: Master Bedroom" interface=\
    wlan-2g mac-address=00:F3:61:6E:B6:C8
add authentication=no comment="REJECT: Echo: Master Bedroom" interface=\
    wlan-2g-nest mac-address=00:F3:61:6E:B6:C8
add authentication=no comment="REJECT: Echo: Master Bedroom" interface=\
    wlan-5g mac-address=00:F3:61:6E:B6:C8
add authentication=no comment="REJECT: Echo: Spare Bedroom" interface=wlan-2g \
    mac-address=F8:54:B8:97:35:2D
add authentication=no comment="REJECT: Echo: Spare Bedroom" interface=\
    wlan-2g-nest mac-address=F8:54:B8:97:35:2D
add authentication=no comment="REJECT: Echo: Spare Bedroom" interface=wlan-5g \
    mac-address=F8:54:B8:97:35:2D
add authentication=no comment="REJECT: Echo: Shop" interface=wlan-2g \
    mac-address=08:A6:BC:33:B0:13
add authentication=no comment="REJECT: Echo: Shop" interface=wlan-2g-nest \
    mac-address=08:A6:BC:33:B0:13
add authentication=no comment="REJECT: Echo: Shop" interface=wlan-5g \
    mac-address=08:A6:BC:33:B0:13
/interface wireless cap
set bridge=bridge discovery-interfaces=bridge interfaces=\
    wlan-2g,wlan-5g,wlan3
/ip address
add address=192.168.99.5/24 interface=vlan-base network=192.168.99.0
/ip dns
set servers=192.168.99.1
/ip route
add distance=1 gateway=192.168.99.1
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=AP01-Office
/system ntp client
set enabled=yes mode=multicast
/system ntp client servers
add address=192.168.99.1
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE

 
cdemers
Member Candidate
Posts: 224
Joined: Sun Feb 26, 2006 3:32 pm
Location: Canada

Re: Degraded wifi performance

Wed May 25, 2022 4:45 am

If nothing has changed and suddenly you're having issues, it's probably a wireless channel issue. I don't see that the channel is being specified. So it's probably on auto, and if a channel is chosen that has interference, wireless will have issues. Do a wireless survey and see what channels are the cleanest.
 
holvoetn
Forum Guru
Posts: 5478
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Degraded wifi performance

Wed May 25, 2022 5:17 pm

And sometimes sitting right on top of another channel is a lot better than sitting in between other channels which are themselves non-overlapping.
Double impact!

But as indicated by previous poster, you need to control where your channels will be used.
 
Ca6ko
Long time Member
Posts: 500
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Degraded wifi performance

Wed May 25, 2022 5:35 pm

How can I go about determining the reason for degraded wifi performance?
You will have to figure out how WiFi works, how to configure multiple access points nearby, or get a specialist to do it.
In the configuration you gave, there is not much data about the WiFi settings, only that 3 SSIDs are configured on each interface, and that the rest of the settings are automatically selected by the device. The problem is that the automatic configuration takes place when the device is rebooted, and then it runs on these settings. I have not yet encountered a device that can correctly select the settings in automatic mode.
You need to show the wireless registration table from each device and a scan of the air from each physical interface of each device (cAP XL and Audience).
Roughly speaking, 2.4GHz WiFi works through one wall, works unreliably through two walls, and does not work through 3 walls; 5GHz does not work reliably through one wall and does not work through 2.
When there is only one access point in the house, it should be placed as close as possible to the center of the house; when there are more access points, you need to look at the floor plan and choose the installation places.

PS From experience, when 1 access point is not enough for the house, you have to put in 3-4 for normal operation.
First rule of WiFi - "A device that the user does not carry with them all the time must be connected by cable".
I personally, in your case, would use Capsman.
 
simsrw73
Frequent Visitor
Topic Author
Posts: 57
Joined: Sat Apr 17, 2021 10:53 pm
Location: Atlanta, GA (US)

Re: Degraded wifi performance

Wed May 25, 2022 11:43 pm

I'm not familiar with all the tools related to wifi. I did use the Freq scan to select the channels for my two existing APs: an Audience (channel 1) and a wAP AC (channel 6) on the Patio. Here are snapshots of the freq & reg dialogs for each. I do need to go ahead and run the cable and install the cAP XL; I just want to understand why performance has degraded so badly. It is now almost impossible to use. I had to use my phone's hotspot last night because it felt like someone resurrected my old 300 baud modem from ages ago. For months my current setup worked flawlessly; performance has been much better than I'd hoped. Zero problems with coverage. Then it tanked, and I don't know how to figure out what happened.

Audience
audience-if.png
audience-freq.png
audience-reg.png
wAP AC
wapc-if.png
wapac-freq.png
wapac-reg.png
 
hecatae
Member Candidate
Posts: 244
Joined: Thu May 21, 2020 2:34 pm

Re: Degraded wifi performance

Thu May 26, 2022 3:00 pm

Are you using WifiWave2 on the Audience?
 
simsrw73
Frequent Visitor
Topic Author
Posts: 57
Joined: Sat Apr 17, 2021 10:53 pm
Location: Atlanta, GA (US)

Re: Degraded wifi performance

Thu May 26, 2022 3:50 pm

Are you using WifiWave2 on the Audience?
Not yet. It's been on my very long list of things to try/learn. Now might be a good time to check on that...
 
holvoetn
Forum Guru
Posts: 5478
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Degraded wifi performance

Thu May 26, 2022 3:59 pm

Not yet. It's been on my very long list of things to try/learn. Now might be a good time to check on that...
Keep in mind capsman (if you ever plan on using that) and wifiwave2 are currently not yet compatible.
It's one or the other.
 
Ca6ko
Long time Member
Posts: 500
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Degraded wifi performance

Thu May 26, 2022 6:50 pm

@simsrw73
Why did you limit an interface with 13 registered clients to a useful speed of about 15-20 mbit/s, whereas in standard n it can be 180-200 mbit/s? I think this is the main reason.
The screenshot shows how to enable the air scanner.
Screenshot_2.jpg
On WiFi in standard n, -67 dB is considered the boundary of a good signal level, values up to -75 are satisfactory, and everything below -80 dB is considered unacceptable. You have a lot of devices connected to the wAP ac with very bad signal levels. This is either a sign that you are in the wrong place or that you need to add another device. The lower the signal strength, the lower the connection speed, and the speed drops on all devices connected to that AP.
 
simsrw73
Frequent Visitor
Topic Author
Posts: 57
Joined: Sat Apr 17, 2021 10:53 pm
Location: Atlanta, GA (US)

Re: Degraded wifi performance

Thu May 26, 2022 9:02 pm

@simsrw73
Why did you limit an interface with 13 registered clients to a useful speed of about 15-20 mbit/s, whereas in standard n it can be 180-200 mbit/s? I think this is the main reason.
The screenshot shows how to enable the air scanner.

That's a great question. A better question is why I didn't see that. I would say maybe fumble fingers bumped it while browsing around, but the same thing happened on the 5GHz radio: it's set to 5GHz A. I have no idea how those were reset to the lowest option. I "know" I set them when I set up the AP. The patio AP is set up correctly. Embarrassed I didn't see that before posting. I've looked at that dialog a dozen times the last few days. I'll have to spend a little time with it to see if that straightens it out.

On WiFi in standard n, -67 dB is considered the boundary of a good signal level, values up to -75 are satisfactory, and everything below -80 dB is considered unacceptable. You have a lot of devices connected to the wAP ac with very bad signal levels. This is either a sign that you are in the wrong place or that you need to add another device. The lower the signal strength, the lower the connection speed, and the speed drops on all devices connected to that AP.

That highlights another issue. Ideally, only a couple of those devices should be on that AP. It's pointed outside over the backyard and at the shop, and those devices in the shop will have a bad signal. I plan to put a Wireless Wire in to fix that, and the wAP should ideally only capture my phone or tablet when out in the backyard or on the patio. But as is, it is currently grabbing a lot of devices from inside the house that used to be connected, without issue, to the Audience. It's one of the reasons I've got this cAP XL sitting on my desk. I probably need a couple of them. The wAP is sitting very close to 4 IoT devices that are in the house, through a brick wall. Even after installing a couple of cAPs, I'm not sure those cAPs will capture those devices. I may need to configure the Access List to kick them off, because they are currently connected to the wAP but not reachable.

Here's that scan on the Audience (2GHz). Had no idea there would be that many devices around the neighborhood that would be in range.

audience-scan.png

And 5GHz

wapac-scan.png
 
simsrw73
Frequent Visitor
Topic Author
Posts: 57
Joined: Sat Apr 17, 2021 10:53 pm
Location: Atlanta, GA (US)

Re: Degraded wifi performance

Thu May 26, 2022 10:35 pm

Definitely still broke.

Speed Test on wired desktop: 357.6 Down 79.9 Up
Speed Test on wireless iPad: 0.19 Down 28.5 Up

Why is it primarily affecting Down speed?

Edit: scratch that. After multiple runs it is variously affecting up/down/both. Inconsistent but still abysmal down.

EDIT 2: OK. I think I touched on the problem above. My two APs are interfering with each other. I cut off the radios on the patio AP and now things are back to normal. I didn’t think that was supposed to happen, but then I obviously don’t know much about wifi. And why did this just start? I’ve had both APs active for a while and it wasn’t a problem. What am I doing wrong there? How do I get them to play nicely?
 
simsrw73
Frequent Visitor
Topic Author
Posts: 57
Joined: Sat Apr 17, 2021 10:53 pm
Location: Atlanta, GA (US)

Re: Degraded wifi performance

Fri May 27, 2022 1:48 am

In the Family Room where I’m testing, where the problems are most noticeable, I’m getting -55 dBm on 2.4 GHz on the Audience, -75 dBm on 5 GHz. Since cutting the radios on the wAP AC, speed has been great on the Audience, back to normal. However, I occasionally lose wifi momentarily. Maybe it’s jumping between 2.4 & 5? Not sure how to verify? Why would it do that? What can I do to make all these radios work together? Is it going to be worse when I add more APs? I didn’t realize it was so difficult to get APs to work together.

I’m now fairly confident that the wAP & Audience are interfering with each other causing the degraded performance. How do I fix that? If my device is jumping between 2.4 & 5, dropping the connection momentarily, how do I stop that?
 
erlinden
Forum Guru
Posts: 1958
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Degraded wifi performance

Fri May 27, 2022 10:59 am

Have you played with transmission power? Especially on the 2,4GHz radio?
 
simsrw73
Frequent Visitor
Topic Author
Posts: 57
Joined: Sat Apr 17, 2021 10:53 pm
Location: Atlanta, GA (US)

Re: Degraded wifi performance

Fri May 27, 2022 6:23 pm

Have you played with transmission power? Especially on the 2,4GHz radio?
No, I haven't modified transmission power on either AP's radios. I haven't modified any of the advanced settings. Just a basic setup. Do they need to be adjusted?
 
Ca6ko
Long time Member
Posts: 500
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Degraded wifi performance

Sun May 29, 2022 10:48 pm

I’m now fairly confident that the wAP & Audience are interfering with each other causing the degraded performance.
That's what I told you in my first reply.
You just have no idea how WiFi works.
On WiFi it is always the client who decides where to connect; this is the standard.
You are faced with the most common problem where there are two different access points and the client can connect to either of them. The client connects to the first access point and sticks with it, even though the connection speed is already bad and the signal from the second point is much better; the client stubbornly does not switch to the second access point. Your clients were connected to the wAP ac and wouldn't switch to the Audience until you turned it off. If you now turn the wAP ac back on, the clients will stay on the Audience and everything will work fine until you reboot the Audience.
These problems are greatly reduced when you put the access points under Capsman control. But you have to configure it manually. As I said before, automatic tuning can't work correctly because it has no radio intelligence data.
The disconnects you have happen when the client switches from one access point to another, or from one interface to another on the same access point. There is a new registration of the client on the access point with the exchange of passwords, handshakes, etc. This can take from 2 to 30 seconds. When access points are controlled by Capsman, there is no new registration, so the switching time is much shorter; when you switch, a few packets are lost, so voice or video messenger conversations may break (not always), but in other uses the switching is unnoticeable to the user.
I have no links to English-language materials; here is some information in Russian: https://habr.com/ru/article/456918/
It is somewhat difficult to teach you within the forum.
You need to either reduce the power or move the points away from each other, now they hear each other at -75dB. Watch where to put the points on the floor plan.
 
holvoetn
Forum Guru
Posts: 5478
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Degraded wifi performance

Sun May 29, 2022 10:52 pm

ACL rules could help as well.
Drop connection when below -87dB e.g. (or already -75?)

Caveat is that there is no guarantee that client will effectively move to the other ap.
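A consolidated version of the advice given in this thread (a fixed channel as cdemers suggests, the band and signal thresholds from Ca6ko, lower transmit power as erlinden asks about, and the signal-range ACL holvoetn describes), written as an added example against the wlan-2g interface from the Audience export above; it is not configuration posted by anyone in the thread. The frequency, tx-power and dBm cut-offs are placeholder choices to be replaced with values from a frequency scan of the site.

```routeros
# Added example: legacy (non-CAPsMAN) wireless on the Audience, interface wlan-2g.
# All numeric values below are assumptions; pick them from a frequency scan.
/interface wireless
# Fixed channel and 20 MHz width instead of auto, full b/g/n band instead of b only,
# and a fixed, reduced power so the Audience and the patio wAP overlap less.
set wlan-2g band=2ghz-b/g/n channel-width=20mhz frequency=2412 \
    wireless-protocol=802.11 tx-power-mode=all-rates-fixed tx-power=14 \
    country="united states3"
# Same idea for the 5 GHz radio, which the thread found set to "5GHz A" only.
set wlan-5g band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    wireless-protocol=802.11 country="united states3"

# Signal-range ACL. Rules are matched top to bottom and the first match wins,
# so these land after the per-MAC "REJECT: Echo" entries already in the export
# (they are appended with "add" and carry no mac-address of their own).
/interface wireless access-list
# Clients at -80 dBm or better may associate; if one later stays below that
# for more than 10 s it is dropped, so it can look for a closer AP.
add interface=wlan-2g comment="ACCEPT: signal -80 dBm or better" \
    signal-range=-80..120 allow-signal-out-of-range=10s \
    authentication=yes forwarding=yes
# Anything weaker than -80 dBm is refused at association time, so a client
# that was just dropped cannot immediately re-associate at the same poor level.
add interface=wlan-2g comment="REJECT: signal below -80 dBm" \
    signal-range=-120..-81 authentication=no forwarding=no
# Caveat from the thread: dropping a client does not guarantee that it
# re-associates with the other AP; the client always decides where to connect.
```

Apply the same tx-power and access-list rules on the wAP AC with its own interface names; once the APs are moved under CAPsMAN, the equivalent rules go in /caps-man access-list, which takes the same signal-range and allow-signal-out-of-range parameters.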
 
simsrw73
Frequent Visitor
Topic Author
Posts: 57
Joined: Sat Apr 17, 2021 10:53 pm
Location: Atlanta, GA (US)

Re: Degraded wifi performance

Mon May 30, 2022 6:10 pm


These problems are greatly reduced when you put the access points under Capsman control.

OK. This is my plan today. So far... this plan is failing at step 1. Your point:

You just have no idea how WiFi works.

mmm, may have some merit. For the moment.

Okay, not exactly failed at step 1, but my experience is contrary to the docs (https://help.mikrotik.com/docs/pages/vi ... sMANsystem) and to any of the tutorials I've watched on YT or the Wireless Engineer course on Udemy. I set the most basic config on the manager (RB5009), and on the client I go to Wireless -> WiFi Interfaces -> CAP, set Enabled, Interfaces to W1 & W2, Discovery Interfaces to ether1, and then... nothing. It does not auto-discover the manager. Setting the DHCP caps-manager option on the manager also seems to do nothing. Only when I give the CAPsMAN Address on the clients (both Audience and wAP ac) do they find the manager. It's working, by manually specifying the CAPsMAN address on every client, but it bothers me when it doesn't work as documented. What would prevent auto discovery? (apologies for the wall of code below)


RB5009
# may/30/2022 10:03:11 by RouterOS 7.2.3
# software id = SYTB-ZK4C
#
# model = RB5009UG+S+
/interface bridge
add admin-mac=DC:2C:6E:47:0F:C0 auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
/interface ethernet
set [ find default-name=ether7 ] name=ether7-Access
set [ find default-name=sfp-sfpplus1 ] advertise=1000M-full,10000M-full \
    speed=1Gbps
/interface vlan
add interface=bridge name=vlan-base vlan-id=99
add interface=bridge name=vlan-guest vlan-id=101
add interface=bridge name=vlan-iot vlan-id=107
add interface=bridge name=vlan-security vlan-id=119
add interface=bridge name=vlan-server vlan-id=200
add interface=bridge name=vlan-voip vlan-id=111
/caps-man configuration
add country="united states3" datapath.bridge=bridge name=cfg2G \
    security.authentication-types=wpa2-psk ssid=1736StrtfrdRmsCt
/interface list
add name=WAN
add name=VLAN
add name=BASE
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool-base ranges=192.168.99.31-192.168.99.254
add name=dhcp_pool-guest ranges=192.168.101.21-192.168.101.254
add name=dhcp_pool-iot ranges=192.168.107.21-192.168.107.254
add name=dhcp_pool-security ranges=192.168.119.21-192.168.119.254
add name=dhcp_pool-voip ranges=192.168.111.21-192.168.111.254
add name=dhcp_pool-server ranges=192.168.200.200-192.168.200.249
/ip dhcp-server
add address-pool=dhcp_pool-base interface=vlan-base name=dhcp-base
add address-pool=dhcp_pool-guest interface=vlan-guest name=dhcp-guest
add address-pool=dhcp_pool-iot interface=vlan-iot name=dhcp-iot
add address-pool=dhcp_pool-security interface=vlan-security name=\
    dhcp-security
add address-pool=dhcp_pool-voip interface=vlan-voip name=dhcp-voip
add address-pool=dhcp_pool-server interface=vlan-server name=dhcp-server
/system logging action
set 3 remote=192.168.200.14
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    identity="1" name=zt1 port=9993
/zerotier interface
add instance=zt1 name=zerotier1 network=1
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg2G
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether3
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether6
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether8 pvid=99
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge interface=zerotier1
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=99
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=101
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=107
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=119
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=111
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=200
/interface list member
add interface=ether1 list=WAN
add interface=vlan-guest list=VLAN
add interface=vlan-iot list=VLAN
add interface=vlan-base list=BASE
add interface=vlan-base list=VLAN
add interface=ether7-Access list=BASE
add interface=vlan-security list=VLAN
add interface=vlan-server list=VLAN
add interface=vlan-voip list=VLAN
add interface=zerotier1 list=VLAN
add interface=zerotier1 list=BASE
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.99.1/24 interface=vlan-base network=192.168.99.0
add address=192.168.101.1/24 interface=vlan-guest network=192.168.101.0
add address=192.168.107.1/24 interface=vlan-iot network=192.168.107.0
add address=192.168.9.11/24 interface=ether7-Access network=192.168.9.0
add address=192.168.119.1/24 interface=vlan-security network=192.168.119.0
add address=192.168.111.1/24 interface=vlan-voip network=192.168.111.0
add address=192.168.200.1/24 interface=vlan-server network=192.168.200.0
/ip cloud
set ddns-enabled=yes update-time=no
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.99.15 client-id=1:60:12:8b:5c:43:5b comment=\
    "Canon MB5320 Printer" mac-address=60:12:8B:5C:43:5B server=dhcp-base
add address=192.168.200.14 client-id=1:e4:5f:1:95:b2:43 mac-address=\
    E4:5F:01:95:B2:43 server=dhcp-server
add address=192.168.200.200 mac-address=36:59:4B:91:03:74 server=dhcp-server
add address=192.168.200.201 client-id=\
    ff:2f:bd:15:e7:0:1:0:1:2a:23:8d:e4:76:f:2f:bd:15:e7 mac-address=\
    76:0F:2F:BD:15:E7 server=dhcp-server
/ip dhcp-server network
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1 \
    ntp-server=192.168.99.1
add address=192.168.101.0/24 dns-server=192.168.99.1 gateway=192.168.101.1 \
    ntp-server=192.168.99.1
add address=192.168.107.0/24 dns-server=192.168.99.1 gateway=192.168.107.1 \
    ntp-server=192.168.99.1
add address=192.168.111.0/24 dns-server=192.168.99.1 gateway=192.168.111.1 \
    ntp-server=192.168.99.1
add address=192.168.119.0/24 dns-server=192.168.99.1 gateway=192.168.119.1 \
    ntp-server=192.168.99.1
add address=192.168.200.0/24 dns-server=192.168.99.1 gateway=192.168.200.1 \
    ntp-server=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
    https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.200.10 name=zadkiel.home.arpa
add address=192.168.99.20 name=cassiel.home.arpa
add address=192.168.200.14 name=raziel.home.arpa
add address=192.168.200.10 name=proxmox.home.arpa
add address=192.168.99.1 name=uriel.home.arpa
/ip firewall address-list
add address=ec1a0fcc6b92.sn.mynetname.net list=WAN_IP
add address=192.168.99.0/24 list=Clients
add address=192.168.99.20 list=Admin
add address=192.168.99.21 list=Admin
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept DNS (udp)" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Accept DNS (tcp)" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Accept NTP" dst-port=123,12300 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=VLAN
add action=accept chain=input comment="Allow BASE" in-interface-list=BASE \
    log=yes log-prefix=BASE
add action=reject chain=input comment="Reject icmp-admin-prohibited" \
    in-interface-list=VLAN log=yes log-prefix=ICMP-ADMIN-PROHIBITED \
    reject-with=icmp-admin-prohibited
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Allow VLAN access Internet" \
    connection-state=new in-interface-list=VLAN log=yes log-prefix=\
    VLAN->INTERNET: out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE to Server VLAN" \
    in-interface-list=BASE log=yes log-prefix=VLAN out-interface=vlan-server
add action=accept chain=forward comment="Allow Inter-VLAN" in-interface=\
    vlan-base log=yes log-prefix=VLAN out-interface=vlan-security
add action=accept chain=forward comment=\
    "Allow dst-nat from both WAN and LAN (including port forwarding)" \
    connection-nat-state=dstnat
add action=reject chain=forward comment="Reject icmp-admin-prohibited" log=\
    yes log-prefix=ICMP-ADMIN-PROHIBITED reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="Drop everything else" log=yes
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Fwd for WWW" dst-address-list=\
    WAN_IP dst-port=80,443 in-interface-list=WAN protocol=tcp to-addresses=\
    192.168.200.201
add action=src-nat chain=srcnat comment=\
    "Translate NTP from 123 to 12300 to bypass AT&T block of port 123" \
    protocol=udp src-port=123 to-ports=12300
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.99.0/24,192.168.9.0/24,10.173.18.0/24
set api disabled=yes
set winbox address=192.168.99.0/24,192.168.9.0/24,10.173.18.0/24
set api-ssl disabled=yes
/ip smb shares
add comment="default share" directory=/pub name=pub
add comment="default share" directory=/pub name=pub
/ip smb users
add name=guest
add name=guest
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !*2000011
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !*2000011
/system clock
set time-zone-name=America/New_York
/system identity
set name=RT1-Office-NR2
/system logging
add action=remote topics=critical,warning,info,debug,error
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.north-america.pool.ntp.org
add address=1.north-america.pool.ntp.org
add address=2.north-america.pool.ntp.org
add address=3.north-america.pool.ntp.org
/system scheduler
add interval=25w5d name=schedule-UpdateCACerts on-event=\
    "/system/script/run script-UpdateCACerts" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/30/2021 start-time=02:30:00
add disabled=yes interval=1d name=schedule-UpdateDDNS on-event=\
    "/system/script/run script-UpdateDDNS" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/30/2021 start-time=02:40:00
/system script
add dont-require-permissions=no name=script-UpdateCACerts owner=username policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=""
add dont-require-permissions=no name=script-UpdateDDNS owner=username policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=""
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool romon
set enabled=yes

Audience:
# may/30/2022 10:03:27 by RouterOS 7.2.3
# software id = L4BD-ZE0J
#
# model = RBD25G-5HPacQD2HPnD
/interface bridge
add admin-mac=08:55:31:69:F3:2F auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] name=wlan-2g ssid=MikroTik
set [ find default-name=wlan2 ] name=wlan-5g ssid=MikroTik
set [ find default-name=wlan3 ] ssid=MikroTik
/interface vlan
add interface=bridge name=vlan-base vlan-id=99
/interface list
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile-guest supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile-iot supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    profile-nest supplicant-identity=""
/caps-man manager
set ca-certificate=auto certificate=auto
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*4 pvid=99
add bridge=bridge interface=*5
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*3 pvid=99
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*7 pvid=101
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-2g pvid=99
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan3 pvid=101
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*14 pvid=101
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*1A pvid=107
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=wlan-5g pvid=99
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*15 pvid=107
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*17 pvid=101
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*18 pvid=107
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=*16 pvid=107
/ip neighbor discovery-settings
set discover-interface-list=BASE
/interface bridge vlan
add bridge=bridge tagged=bridge,ether1,ether2 vlan-ids=99
add bridge=bridge tagged=ether1,ether2 vlan-ids=101
add bridge=bridge tagged=ether1,ether2 vlan-ids=107
/interface list member
add interface=vlan-base list=BASE
/interface ovpn-server server
set auth=sha1,md5
/interface wireless access-list
...
/interface wireless cap
# 
set bridge=bridge discovery-interfaces=ether1 enabled=yes interfaces=wlan-2g
/ip address
add address=192.168.99.5/24 interface=vlan-base network=192.168.99.0
/ip dns
set servers=192.168.99.1
/ip route
add distance=1 gateway=192.168.99.1
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=America/New_York
/system identity
set name=AP01-Office
/system ntp client
set enabled=yes mode=multicast
/system ntp client servers
add address=192.168.99.1
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool romon
set enabled=yes
Last edited by simsrw73 on Mon May 30, 2022 7:27 pm, edited 1 time in total.
 
rextended (Forum Guru, Italy)
Re: Degraded wifi performance
Mon May 30, 2022 7:23 pm

You have exposed serial numbers and google dns username and password...
 
simsrw73 (Frequent Visitor, Topic Author, Atlanta, GA (US))
Re: Degraded wifi performance
Mon May 30, 2022 7:39 pm

You have exposed serial numbers and google dns username and password...
Sanitized. Thanks. Need to remove that anyway. Now using Cloudflare with a ddns update utility in a docker on my server. Are the serial numbers in the comments at the top of the export bad to post? If so, why are they still exported? I cleaned up some other stuff before my initial post that seemed like it should have been automatically removed, for the zerotier network info. And I removed the username from the script permissions, I think? Shouldn't all that be automatically removed? I know the content of the scripts is my responsibility, but shouldn't the other stuff be automatic?
 
rextended (Forum Guru, Italy)
Re: Degraded wifi performance
Mon May 30, 2022 7:46 pm

No, the export is not intended to be exposed on the forum, but it is faster than guessing the configuration of someone else's device...
¯\_(ツ)_/¯
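rextended's point about what an export leaks, and simsrw73's question whether the export should strip it automatically, are the motivation for this added Python example. It is not MikroTik's code and not something either poster provided: a pre-post sanitiser that folds RouterOS line continuations (a secret can be split across a wrapped line), redacts the serial number and software id header comments, blanks the values of parameters whose names are, or end in, password, passphrase, secret, identity, private-key, pre-shared-key, user, username or owner, optionally masks MAC addresses, and reports what it changed so the result can be reviewed before posting. SAMPLE_EXPORT is constructed for the example, and the list of sensitive parameter names is my own and not exhaustive.

```python
import re
from typing import List, Tuple

# Header comments RouterOS writes at the top of every export; both identify the unit.
HEADER_KEYS = ("serial number", "software id")

# Parameter names (exact, or as a "-suffix") whose values must not leave the box.
# Constructed for this example; it is not exhaustive, extend it for your exports.
SENSITIVE_SUFFIXES = (
    "password", "passphrase", "secret", "identity", "private-key",
    "pre-shared-key", "user", "username", "owner",
)

_HEADER_RE = re.compile(
    r"^(#\s*(?:" + "|".join(re.escape(k) for k in HEADER_KEYS) + r")\s*=\s*).+$",
    re.IGNORECASE,
)
# key=value where value is either a double-quoted string or a bare token.
_PARAM_RE = re.compile(r'(?P<key>[A-Za-z0-9.-]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S+)')
_MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")

# Constructed sample export (not a real device); the secrets are placeholders.
SAMPLE_EXPORT = """\
# jun/05/2022 08:36:24 by RouterOS 7.2.3
# software id = ABCD-1234
#
# model = RB5009UG+S+
# serial number = 0123456789AB
/interface wireless security-profiles
add authentication-types=wpa2-psk mode=dynamic-keys name=profile-iot \\
    wpa2-pre-shared-key=\\
    correct-horse-battery-staple
/zerotier
set zt1 identity="deadbeef" name=zt1 port=9993
/ip address
add address=192.168.99.1/24 interface=vlan-base network=192.168.99.0
/interface bridge
add admin-mac=02:00:00:AA:BB:CC auto-mac=no name=bridge
"""


def _join_continuations(text: str) -> str:
    """RouterOS wraps long lines with a trailing backslash and indents the rest;
    fold them back so a value split across the wrap is seen whole."""
    return re.sub(r"\\\n[ \t]*", "", text)


def _is_sensitive(key: str) -> bool:
    k = key.lower()
    return any(k == s or k.endswith("-" + s) for s in SENSITIVE_SUFFIXES)


def redact_export(text: str, redact_macs: bool = False) -> Tuple[str, List[Tuple[int, str]]]:
    """Return (sanitised export, findings); findings lists (line number, what was
    redacted) over the continuation-folded text so you can review each change."""
    findings: List[Tuple[int, str]] = []
    out_lines: List[str] = []
    for lineno, line in enumerate(_join_continuations(text).splitlines(), start=1):
        header = _HEADER_RE.match(line)
        if header:
            findings.append((lineno, header.group(1).strip("# =").strip()))
            out_lines.append(header.group(1) + "<REDACTED>")
            continue
        if line.lstrip().startswith("#"):
            out_lines.append(line)  # other comments (date, model) are left alone
            continue

        def _blank_sensitive(m: "re.Match[str]") -> str:
            key = m.group("key")
            if _is_sensitive(key):
                findings.append((lineno, key))
                return f'{key}="<REDACTED>"'
            return m.group(0)

        line = _PARAM_RE.sub(_blank_sensitive, line)
        if redact_macs:
            line, hits = _MAC_RE.subn("XX:XX:XX:XX:XX:XX", line)
            if hits:
                findings.append((lineno, "mac-address"))
        out_lines.append(line)
    return "\n".join(out_lines) + "\n", findings


if __name__ == "__main__":
    sanitised, found = redact_export(SAMPLE_EXPORT, redact_macs=True)
    print(sanitised)
    for lineno, what in found:
        print(f"line {lineno}: redacted {what}")
```

The output is reflowed onto single lines, so diff it against the original by eye before posting. Script bodies (`source="..."`) are passed through untouched because their contents are free text, which matches simsrw73's remark that script contents remain the author's responsibility; review those, and any `comment=` values, by hand.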
 
Ca6ko (Long time Member, Kharkiv, Ukraine)
Re: Degraded wifi performance
Tue May 31, 2022 10:37 pm

Discovery Interfaces set to ether1, and then .... nothing. It does not auto-discover the manager.
Try turning on the DHCP client on ether1; ROS will immediately tell you the reason.
discovery-interfaces=bridge
Everything works as described in the documentation.

I told you it would be hard to learn on the forum. It's easier for me to connect remotely and configure than to write a detailed manual.
Before you start setting up, you need to do a Wi-Fi network design.
1. On the building plan, place the access points and determine their number, approximate coverage areas and approximate transmit power.
2. Place each access point in the chosen location and draw a heat map for it. Correct the location and power if necessary.
The coverage zone is calculated at -67 dBm, with zones overlapping by 20%... The network calculation is done for 5 GHz, because 2.4 GHz penetrates further and its zone can always be shrunk by reducing the power.
3. At each point, scan the air and select the most suitable channel.
Only then connect CAPsMAN and make the necessary settings. This is the L1 level, which network engineers do not pay attention to.
Regarding the principle of CAPsMAN. The WLAN interface is connected to the manager device over an encrypted channel; the result is that the manager device is one access point with multiple remote radio interfaces. Now an important question: there are two modes of routing data. First, the access point sends all traffic to the manager device, where the routing happens. In this case Local Forwarding is unchecked in the datapath, and on the access point itself the WLAN interface must not be bridged to a wired interface, otherwise there is a loop between the physical and virtual interfaces on the CAPsMAN device. The second option is used when there are dozens of access points: the data is sent to the network by the access point itself, the Local Forwarding checkbox is on and the WLAN interface is added to the bridge. This mode is used when you need to offload the CAPsMAN device.
And then everything is simple.
On the CAPsMAN device, open the CAP Interface tab, click the + button and, in the new interface window, on the General tab fill in the MAC address of the access point's radio interface; it is also inserted in the Radio MAC field. Then fill in all the other tabs, just as with the usual wireless interface setup (the top line on the tabs is blank by default). After that, turn on the access point in CAP mode and it connects to the manager.
If you use Provisioning, you should not set action=create-dynamic-enabled but action=create-enabled; then the automatically created CAP interface can be edited manually.
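Step 3 above (scan the air at each AP location and pick the least-loaded channel) as an added Python example; it is not Ca6ko's code and not MikroTik's. The neighbour list, SSIDs and signal levels are constructed for the example, the linear overlap model is a simplification of the real spectral mask, and the candidate set defaults to the US non-overlapping 2.4 GHz channels 1/6/11 (2412/2437/2462 MHz, the values a `/caps-man channel` entry's `frequency=` takes). The score weights each neighbour by received power (dBm converted to mW) rather than counting APs, so a channel with two faint neighbours can rank above one with a single strong neighbour, which is what the constructed data shows.

```python
from typing import Iterable, List, Sequence, Tuple

# Constructed neighbour list in the spirit of what an on-site scan returns:
# (ssid, centre frequency in MHz, received signal in dBm). Not real scan output.
Neighbour = Tuple[str, int, int]
SCAN: List[Neighbour] = [
    ("Neighbour-A", 2412, -45),   # strong, on channel 1
    ("Neighbour-B", 2417, -70),   # channel 2, partly overlaps both 1 and 6
    ("Neighbour-C", 2437, -60),   # channel 6
    ("Neighbour-D", 2462, -82),   # weak, channel 11
    ("Neighbour-E", 2462, -79),   # weak, channel 11
]

# The non-overlapping 20 MHz set used in the US.
US_NON_OVERLAPPING: Sequence[int] = (1, 6, 11)


def channel_from_frequency(freq_mhz: int) -> int:
    """2.4 GHz band: channel n is centred at 2407 + 5n MHz; channel 14 at 2484 MHz."""
    if freq_mhz == 2484:
        return 14
    if not 2412 <= freq_mhz <= 2472 or (freq_mhz - 2407) % 5:
        raise ValueError(f"not a 2.4 GHz centre frequency: {freq_mhz} MHz")
    return (freq_mhz - 2407) // 5


def frequency_for_channel(channel: int) -> int:
    """Inverse of channel_from_frequency, e.g. for a /caps-man channel frequency= value."""
    return 2484 if channel == 14 else 2407 + 5 * channel


def overlap_fraction(ch_a: int, ch_b: int) -> float:
    """Channels are 5 MHz apart and 20 MHz wide, so overlap falls off with
    spacing and is gone at a spacing of 5 (hence 1/6/11). Linear model, a
    simplification of the real spectral mask."""
    return max(0.0, 1.0 - abs(ch_a - ch_b) / 5.0)


def interference_score(candidate: int, scan: Iterable[Neighbour]) -> float:
    """Neighbour power in mW (from dBm), weighted by overlap with the candidate.
    Lower is better: two weak co-channel APs can cost less than one strong one."""
    total = 0.0
    for _ssid, freq_mhz, sig_dbm in scan:
        frac = overlap_fraction(candidate, channel_from_frequency(freq_mhz))
        if frac > 0.0:
            total += frac * 10 ** (sig_dbm / 10.0)
    return total


def rank_channels(scan: Iterable[Neighbour],
                  candidates: Sequence[int] = US_NON_OVERLAPPING) -> List[Tuple[int, float]]:
    """Candidates ordered from least to most interfered, with their scores."""
    scan = list(scan)  # the iterable is walked once per candidate
    return sorted(((c, interference_score(c, scan)) for c in candidates),
                  key=lambda cs: cs[1])


def best_channel(scan: Iterable[Neighbour],
                 candidates: Sequence[int] = US_NON_OVERLAPPING) -> int:
    return rank_channels(scan, candidates)[0][0]


if __name__ == "__main__":
    for ch, score in rank_channels(SCAN):
        print(f"channel {ch:2d} ({frequency_for_channel(ch)} MHz): score {score:.3e}")
    print("best channel:", best_channel(SCAN))
```

Run it once per AP location with that location's scan, then pin the result in the matching `/caps-man channel` entry rather than leaving 2.4 GHz on auto; repeat the scan after the other APs are up, since your own APs are neighbours to each other as well.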
 
simsrw73 (Frequent Visitor, Topic Author, Atlanta, GA (US))
Re: Degraded wifi performance
Sun Jun 05, 2022 8:12 pm

Apologies for the delayed response: learning has taken a great deal longer than planned. Very much appreciate your responses. You have gotten me on the right track. Very much improved. Even if I still have much to learn. I'm glad to have veered toward capsman. I now think I would have been chasing rabbits if I had chosen to implement wave 2 or continued trying to manually manage each AP. CAPsMAN is what's needed to make these devices work together. Took me a minute to see that. Thanks for steering me that way.

Discovery Interfaces set to ether1, and then .... nothing. It does not auto-discover the manager.
Try turning on the DHCP client on ether1; ROS will immediately tell you the reason.
discovery-interfaces=bridge
Everything works as described in the documentation.

I believe this occurred because I was trying to modify an existing configuration instead of starting from scratch, which would have made things significantly easier in this case, mostly because of my complete ignorance of how CAPsMAN works. I'm not sure if it was because my connection to the router from the AP was through a trunk port, but when I reset the AP and set the router port to an access port, it was able to find it without having to specify the address manually.

I told you it would be hard to learn on the forum. It's easier for me to connect remotely and configure than to write a detailed manual.

<whining comment="there is no point in reading this blabbering">
This was hard to learn from every source I scraped together: MikroTik docs, YouTube, Udemy courses, blogs, forum threads. Like anything I've done with MikroTik so far, finding instruction is incredibly difficult. (Very satisfied with the equipment, just not the available instruction.) I'd pay a couple hundred bucks for a good book. A lot of stuff out there is out of date. A lot of that is likely still valid and useful, but some of it is way off. There's a guy on Udemy with a bunch of courses, which I've enrolled in most of, who has taught me some, but he's prone to often just going through the steps, not really teaching how to do anything outside of the specific way he's setting it up. There's some good stuff on YouTube. Some out of date. Some newer, but prone to sometimes just going through the steps without instruction, explanations, theory. There's one guy, new, who's also been very helpful, but who is prone to guided tours: "here's this setting here and if you click on the drop down you can see all the options you can set to. You can set it to this or that. Here's another setting here with some more options." That is not exaggerated dialog. Those are nearly his words. No explanations at all. It's just very hard to learn this stuff. I have learned much from some conference talks on YouTube. Some of it is also outdated, but there is some good stuff. I just have to go through tons and tons from all those sources to find the information needed. There is also some quite good stuff on the MikroTik YouTube, though they are too brief and don't cover enough of the available features and different options for implementing them.
</whining>

Before you start setting up, you need to do a Wi-Fi network design.
1. On the building plan, place the access points and determine their number, approximate coverage areas and approximate transmit power.
2. Place each access point in the chosen location and draw a heat map for it. Correct the location and power if necessary.
The coverage zone is calculated at -67 dBm, with zones overlapping by 20%... The network calculation is done for 5 GHz, because 2.4 GHz penetrates further and its zone can always be shrunk by reducing the power.
3. At each point, scan the air and select the most suitable channel.
Only then connect CAPsMAN and make the necessary settings. This is the L1 level, which network engineers do not pay attention to.

This is just for home use, for my homelab and personal use. Not a big company or institution. All the tools I could find for heat maps and such were outside of my budget for this. So I just used little Android apps (iPad seems to be hamstrung) to select the best channels for 2G. And punted. I'm still ignorant on 5G and it is set to auto, I think. There is a ton of information on setting up 2G, but I haven't found much of anything at all on 5G, channel widths, and such. I need to find more help on that.

I've done the best I could for the moment and it is TONS better than it ever has been. Solved some problems I had that I hadn't got around to figuring out yet, some IoT devices buried in the wall that weren't connecting. I thought something had happened to the devices' config. Never occurred to me that they were having connection problems. For some reason, it never occurred to me that adding more APs would cause more connection issues.

Regarding the principle of CAPsMAN. The WLAN interface is connected to the manager device over an encrypted channel; the result is that the manager device is one access point with multiple remote radio interfaces. Now an important question: there are two modes of routing data. First, the access point sends all traffic to the manager device, where the routing happens. In this case Local Forwarding is unchecked in the datapath, and on the access point itself the WLAN interface must not be bridged to a wired interface, otherwise there is a loop between the physical and virtual interfaces on the CAPsMAN device. The second option is used when there are dozens of access points: the data is sent to the network by the access point itself, the Local Forwarding checkbox is on and the WLAN interface is added to the bridge. This mode is used when you need to offload the CAPsMAN device.

I think the former is the correct choice for my small home network: no Local Forwarding, everything to the router/CAPsMAN. The bridge is now correctly configured for that scenario.

And then everything is simple.
On the CAPsMAN device, open the CAP Interface tab, click the + button and, in the new interface window, on the General tab fill in the MAC address of the access point's radio interface; it is also inserted in the Radio MAC field. Then fill in all the other tabs, just as with the usual wireless interface setup (the top line on the tabs is blank by default). After that, turn on the access point in CAP mode and it connects to the manager.
If you use Provisioning, you should not set action=create-dynamic-enabled but action=create-enabled; then the automatically created CAP interface can be edited manually.

I think I've got things mostly correct now. But I've thought that before. Everything seems to be working, much better than it ever has. I could probably tweak the rates and the signal range in the Access Control a little better, but I have a couple devices inside a shop out from the house about 25m. I need to set up a wireless wire to get signal inside the shop. The wAP covers the backyard very well but doesn't penetrate the shop. I've also still got a few questions to resolve:

What do I need to know about 5G?

Certificates. I reset one or another CAP several times while learning. Took me a while to figure out I need to delete the old cert on the CAPsMAN that was issued to the CAP. But how to identify which one? I compared them to the remaining CAPs to see which was in use and deleted the remaining one. I'm sure that is terribly wrong, but I didn't see an easier way other than deleting all certs and reissuing to all CAPs.

Also not sure if there are other security issues I need to be aware of.

I hate to ask anyone to stare at a wall of code, but if anyone is inclined to poke holes and ridicule me, please do!

Thanks again for the great info you've provided. I've read through it numerous times and it has gotten me far though I'm sure I'm still missing much.


Router/CAPsMAN
# jun/05/2022 08:36:24 by RouterOS 7.2.3
# model = RB5009UG+S+

/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2412 name=\
    channel-2G-Ch1
add band=2ghz-g/n control-channel-width=20mhz frequency=2437 name=\
    channel-2G-Ch6
add band=2ghz-g/n control-channel-width=20mhz frequency=2462 name=\
    channel-2G-Ch11

/interface bridge
add admin-mac=DC:2C:6E:47:0F:C0 auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes

/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether7 ] name=ether7-Access
set [ find default-name=sfp-sfpplus1 ] advertise=1000M-full,10000M-full \
    speed=1Gbps

/interface vlan
add interface=bridge name=vlan-base vlan-id=99
add interface=bridge name=vlan-guest vlan-id=101
add interface=bridge name=vlan-iot vlan-id=107
add interface=bridge name=vlan-security vlan-id=119
add interface=bridge name=vlan-server vlan-id=200
add interface=bridge name=vlan-voip vlan-id=111

/caps-man datapath
add bridge=bridge name=datapath-base vlan-id=99 vlan-mode=use-tag
add bridge=bridge name=datapath-guest vlan-id=101 vlan-mode=use-tag
add bridge=bridge name=datapath-iot vlan-id=107 vlan-mode=use-tag
add bridge=bridge name=datapath-security vlan-id=119 vlan-mode=use-tag
add bridge=bridge name=datapath-nest vlan-id=107 vlan-mode=use-tag

/caps-man rates
add basic=6Mbps name=rate-Minimum supported=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps

/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security-base
add authentication-types=wpa2-psk encryption=aes-ccm name=security-guest
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
    security-iot
add authentication-types=wpa2-psk encryption=aes-ccm name=security-security
add authentication-types=wpa2-psk encryption=aes-ccm name=security-voip
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=\
    security-nest

/caps-man configuration
add channel=channel-2G-Ch1 country="united states3" datapath=datapath-base \
    installation=any mode=ap name=cfg-BASE-2G-Ch1-DP-base-Sec-base rates=\
    rate-Minimum security=security-base ssid=1736StrtfrdRmsCt
add channel=channel-2G-Ch11 country="united states3" datapath=datapath-base \
    installation=any mode=ap name=cfg-BASE-2G-Ch11-DP-base-Sec-base rates=\
    rate-Minimum security=security-base ssid=1736StrtfrdRmsCt
add channel=channel-2G-Ch6 country="united states3" datapath=datapath-base \
    installation=any mode=ap name=cfg-BASE-2G-Ch6-DP-base-Sec-base rates=\
    rate-Minimum security=security-base ssid=1736StrtfrdRmsCt
add datapath=datapath-guest mode=ap name=cfg-slave-GUEST-DP-guest-Sec-guest \
    rates=rate-Minimum security=security-guest ssid=1736StrtfrdRmsCt-Guest
add datapath=datapath-iot mode=ap name=cfg-slave-IOT-DP-iot-Sec-iot rates=\
    rate-Minimum security=security-iot ssid=1736StrtfrdRmsCt-IOT
add datapath=datapath-nest mode=ap name=cfg-slave-NEST-DP-nest-Sec-nest \
    rates=rate-Minimum security=security-nest ssid="Randy's Nest"
add channel.band=5ghz-n/ac country="united states3" datapath=datapath-base \
    installation=any mode=ap name=cfg-BASE-5G-DP-base-SEC-base rates=\
    rate-Minimum security=security-base ssid=1736StrtfrdRmsCt5
add datapath=datapath-guest mode=ap name=\
    cfg-slave-GUEST-5G-DP-guest-Sec-guest rates=rate-Minimum security=\
    security-guest ssid=1736StrtfrdRmsCt5-Guest

/interface list
add name=WAN
add name=VLAN
add name=BASE
add name=TRUSTED

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip pool
add name=dhcp_pool-base ranges=192.168.99.100-192.168.99.199
add name=dhcp_pool-guest ranges=192.168.101.21-192.168.101.254
add name=dhcp_pool-iot ranges=192.168.107.21-192.168.107.254
add name=dhcp_pool-security ranges=192.168.119.21-192.168.119.254
add name=dhcp_pool-voip ranges=192.168.111.21-192.168.111.254
add name=dhcp_pool-server ranges=192.168.200.200-192.168.200.249

/ip dhcp-server
add address-pool=dhcp_pool-base interface=vlan-base name=dhcp-base
add address-pool=dhcp_pool-guest interface=vlan-guest name=dhcp-guest
add address-pool=dhcp_pool-iot interface=vlan-iot name=dhcp-iot
add address-pool=dhcp_pool-security interface=vlan-security name=\
    dhcp-security
add address-pool=dhcp_pool-voip interface=vlan-voip name=dhcp-voip
add address-pool=dhcp_pool-server interface=vlan-server name=dhcp-server

/system logging action
set 3 remote=192.168.200.14

/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    identity="abcdef" name=zt1 port=9993

/zerotier interface
add instance=zt1 name=zerotier1 network=1234567890

/caps-man access-list
# Keep stupid Amazon Echo devices off other SSIDs
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
    74:E2:0C:A2:49:D5 ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
    74:E2:0C:A2:49:D5 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
    08:A6:BC:33:B0:13 ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
    08:A6:BC:33:B0:13 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
    F8:54:B8:97:35:2D ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
    F8:54:B8:97:35:2D ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
    74:A7:EA:F1:DB:E5 ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
    74:A7:EA:F1:DB:E5 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
    10:96:93:C4:0F:47 ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
    10:96:93:C4:0F:47 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
    C8:6C:3D:03:D4:E5 ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
    C8:6C:3D:03:D4:E5 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
    FC:49:2D:A7:3D:29 ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
    FC:49:2D:A7:3D:29 ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
    0C:EE:99:E6:93:BA ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
    0C:EE:99:E6:93:BA ssid-regexp=""
add action=accept allow-signal-out-of-range=10s disabled=no mac-address=\
    D8:BE:65:54:93:23 ssid-regexp=1736StrtfrdRmsCt-IOT
add action=reject allow-signal-out-of-range=10s disabled=no mac-address=\
    D8:BE:65:54:93:23 ssid-regexp=""

# Drop wifi devices that have low signal strength
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=\
    -80..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no ssid-regexp=""

/caps-man manager
set ca-certificate=CAPsMAN-CA-DC2C6E470FBF certificate=CAPsMAN-DC2C6E470FBF \
    enabled=yes require-peer-certificate=yes

/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=vlan-base

/caps-man provisioning
add action=create-dynamic-enabled comment="AP01-Office [Audience]" \
    master-configuration=cfg-BASE-2G-Ch1-DP-base-Sec-base name-format=\
    identity radio-mac=08:55:31:69:F3:31 slave-configurations="cfg-slave-GUEST\
    -DP-guest-Sec-guest,cfg-slave-IOT-DP-iot-Sec-iot,cfg-slave-NEST-DP-nest-Se\
    c-nest"
add action=create-dynamic-enabled comment="AP01-Office [Audience] (5GHz)" \
    master-configuration=cfg-BASE-5G-DP-base-SEC-base name-format=identity \
    radio-mac=08:55:31:69:F3:32 slave-configurations=\
    cfg-slave-GUEST-5G-DP-guest-Sec-guest
add action=create-dynamic-enabled comment="AP02-Patio [wAP AC]" \
    master-configuration=cfg-BASE-2G-Ch6-DP-base-Sec-base name-format=\
    identity radio-mac=08:55:31:D9:23:A4 slave-configurations="cfg-slave-GUEST\
    -DP-guest-Sec-guest,cfg-slave-IOT-DP-iot-Sec-iot,cfg-slave-NEST-DP-nest-Se\
    c-nest"
add action=create-dynamic-enabled comment="AP02-Patio [wAP AC] (5GHz)" \
    master-configuration=cfg-BASE-5G-DP-base-SEC-base name-format=identity \
    radio-mac=08:55:31:D9:23:A5 slave-configurations=\
    cfg-slave-GUEST-5G-DP-guest-Sec-guest
add action=create-dynamic-enabled comment="AP03-FamilyRoom [cAP XL AC]" \
    master-configuration=cfg-BASE-2G-Ch11-DP-base-Sec-base name-format=\
    identity radio-mac=DC:2C:6E:1E:81:FA slave-configurations="cfg-slave-GUEST\
    -DP-guest-Sec-guest,cfg-slave-IOT-DP-iot-Sec-iot,cfg-slave-NEST-DP-nest-Se\
    c-nest"
add action=create-dynamic-enabled comment=\
    "AP03-FamilyRoom [cAP XL AC] (5GHz)" master-configuration=\
    cfg-BASE-5G-DP-base-SEC-base name-format=identity radio-mac=\
    DC:2C:6E:1E:81:FB slave-configurations=\
    cfg-slave-GUEST-5G-DP-guest-Sec-guest

/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether2
add bridge=bridge frame-types=admit-only-vlan-tagged interface=sfp-sfpplus1
add bridge=bridge interface=zerotier1

/ip neighbor discovery-settings
set discover-interface-list=BASE

/interface bridge vlan
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=99
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=101
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=107
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=119
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=111
add bridge=bridge tagged=bridge,sfp-sfpplus1 vlan-ids=200

/interface list member
add interface=ether1-WAN list=WAN
add interface=vlan-guest list=VLAN
add interface=vlan-iot list=VLAN
add interface=vlan-base list=BASE
add interface=vlan-base list=VLAN
add interface=ether7-Access list=BASE
add interface=vlan-security list=VLAN
add interface=vlan-server list=VLAN
add interface=vlan-voip list=VLAN
add interface=zerotier1 list=VLAN
add interface=zerotier1 list=BASE

/interface ovpn-server server
set auth=sha1,md5

/ip address
add address=192.168.99.1/24 interface=vlan-base network=192.168.99.0
add address=192.168.101.1/24 interface=vlan-guest network=192.168.101.0
add address=192.168.107.1/24 interface=vlan-iot network=192.168.107.0
add address=192.168.9.11/24 interface=ether7-Access network=192.168.9.0
add address=192.168.119.1/24 interface=vlan-security network=192.168.119.0
add address=192.168.111.1/24 interface=vlan-voip network=192.168.111.0
add address=192.168.200.1/24 interface=vlan-server network=192.168.200.0

/ip cloud
set ddns-enabled=yes update-time=no

/ip dhcp-client
add interface=ether1-WAN use-peer-dns=no

/ip dhcp-server lease
add address=192.168.99.15 client-id=1:60:12:8b:5c:43:5b comment=\
    "Canon MB5320 Printer" mac-address=60:12:8B:5C:43:5B server=dhcp-base
add address=192.168.200.14 client-id=1:e4:5f:1:95:b2:43 mac-address=\
    E4:5F:01:95:B2:43 server=dhcp-server
add address=192.168.200.200 mac-address=36:59:4B:91:03:74 server=dhcp-server
add address=192.168.200.201 client-id=\
    ff:2f:bd:15:e7:0:1:0:1:2a:23:8d:e4:76:f:2f:bd:15:e7 mac-address=\
    76:0F:2F:BD:15:E7 server=dhcp-server
add address=192.168.99.20 client-id=1:50:eb:f6:7e:73:de mac-address=\
    50:EB:F6:7E:73:DE server=dhcp-base
add address=192.168.99.11 client-id=1:8:55:31:69:f3:2f mac-address=\
    08:55:31:69:F3:2F server=dhcp-base
add address=192.168.99.12 client-id=1:dc:2c:6e:1e:81:f8 mac-address=\
    DC:2C:6E:1E:81:F8 server=dhcp-base
add address=192.168.99.13 client-id=1:8:55:31:d9:23:a2 mac-address=\
    08:55:31:D9:23:A2 server=dhcp-base

/ip dhcp-server network
add address=192.168.99.0/24 caps-manager=192.168.99.1 dns-server=192.168.99.1 \
    gateway=192.168.99.1 ntp-server=192.168.99.1
add address=192.168.101.0/24 dns-server=192.168.99.1 gateway=192.168.101.1 \
    ntp-server=192.168.99.1
add address=192.168.107.0/24 dns-server=192.168.99.1 gateway=192.168.107.1 \
    ntp-server=192.168.99.1
add address=192.168.111.0/24 dns-server=192.168.99.1 gateway=192.168.111.1 \
    ntp-server=192.168.99.1
add address=192.168.119.0/24 dns-server=192.168.99.1 gateway=192.168.119.1 \
    ntp-server=192.168.99.1
add address=192.168.200.0/24 dns-server=192.168.99.1 gateway=192.168.200.1 \
    ntp-server=192.168.99.1

/ip dns
set allow-remote-requests=yes servers=\
    1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
    https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes

/ip dns static
add address=192.168.200.10 name=zadkiel.home.arpa
add address=192.168.99.20 name=cassiel.home.arpa
add address=192.168.200.14 name=raziel.home.arpa
add address=192.168.200.10 name=proxmox.home.arpa
add address=192.168.99.1 name=uriel.home.arpa

/ip firewall address-list
add address=ec1a0fcc6b92.sn.mynetname.net list=WAN_IP

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept DNS (udp)" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Accept DNS (tcp)" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Accept NTP" dst-port=123,12300 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="Allow BASE" in-interface-list=BASE
add action=reject chain=input comment="Reject icmp-admin-prohibited" \
    in-interface-list=VLAN reject-with=icmp-admin-prohibited
add action=drop chain=input comment="Drop everything else"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="Allow VLAN access Internet" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="Allow BASE to Server VLAN" \
    in-interface-list=BASE out-interface=vlan-server
add action=accept chain=forward comment="Allow Server VLAN to BASE" \
    in-interface=vlan-server out-interface-list=BASE
add action=accept chain=forward comment="Allow Inter-VLAN" in-interface=\
    vlan-base out-interface=vlan-security
add action=accept chain=forward comment=\
    "Allow dst-nat from both WAN and LAN (including port forwarding)" \
    connection-nat-state=dstnat
add action=reject chain=forward comment="Reject icmp-admin-prohibited" \
    reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="Drop everything else" log=yes \
    log-prefix="** DROP ALL:"

/ip firewall nat
add action=dst-nat chain=dstnat comment="Port Fwd for WWW" dst-address-list=\
    WAN_IP dst-port=80,443 in-interface-list=WAN protocol=tcp to-addresses=\
    192.168.99.20
add action=src-nat chain=srcnat comment=\
    "Translate NTP from 123 to 12300 to bypass AT&T block of port 123" \
    protocol=udp src-port=123 to-ports=12300
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.99.0/24,192.168.9.0/24,10.173.18.0/24
set api disabled=yes
set winbox address=192.168.99.0/24,192.168.9.0/24,10.173.18.0/24
set api-ssl disabled=yes

/ip smb shares
add comment="default share" directory=/pub name=pub
add comment="default share" directory=/pub name=pub

/ip smb users
add name=guest
add name=guest

/ip ssh
set strong-crypto=yes

/system clock
set time-zone-name=America/New_York

/system identity
set name=RT1-Office-NR2

/system logging
add action=remote topics=critical,warning,info,debug,error

/system ntp client
set enabled=yes

/system ntp server
set enabled=yes manycast=yes multicast=yes

/system ntp client servers
add address=0.north-america.pool.ntp.org
add address=1.north-america.pool.ntp.org
add address=2.north-america.pool.ntp.org
add address=3.north-america.pool.ntp.org

/system scheduler
add interval=25w5d name=schedule-UpdateCACerts on-event=\
    "/system/script/run script-UpdateCACerts" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/30/2021 start-time=02:30:00

/system script
add dont-require-permissions=no name=script-UpdateCACerts owner=Yosef policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="{\
    \r\
    \n  :do {\r\
    \n      /tool fetch url=https://mkcert.org/generate/ check-certificate=yes\
    \_dst-path=cacert.pem;\r\
    \n      /certificate remove [ find where authority expired ];\r\
    \n      /certificate import file-name=cacert.pem passphrase=\"\";\r\
    \n      /file remove cacert.pem;\r\
    \n      :log info (\"CACERT: Updated certificate trust store\");\r\
    \n  } on-error={\r\
    \n      :log error (\"CACERT: Failed to update certificate trust store\");\
    \r\
    \n  };\r\
    \n}"

/tool mac-server
set allowed-interface-list=BASE

/tool mac-server mac-winbox
set allowed-interface-list=BASE

/tool romon
set enabled=yes

All of my CAPs are set exactly the same:
# jun/05/2022 08:36:58 by RouterOS 7.2.3
# model = RBD25G-5HPacQD2HPnD

/interface bridge
add admin-mac=08:55:31:69:F3:2F auto-mac=no comment=defconf name=bridgeLocal

/interface wireless
# managed by CAPsMAN
# channel: 2412/20-Ce/gn(27dBm), SSID: 1736StrtfrdRmsCt, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(26dBm), SSID: 1736StrtfrdRmsCt5, CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik
set [ find default-name=wlan3 ] ssid=MikroTik

/interface list
add name=MGMT

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2

/ip neighbor discovery-settings
set discover-interface-list=MGMT

/interface list member
add interface=ether1 list=MGMT

/interface wireless cap
set bridge=bridgeLocal certificate=CAP-08553169F32F discovery-interfaces=\
    bridgeLocal enabled=yes interfaces=wlan1,wlan2

/ip dhcp-client
add comment=defconf interface=bridgeLocal

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

/ip ssh
set host-key-size=4096 strong-crypto=yes

/system clock
set time-zone-name=America/New_York

/system identity
set name=AP01-Office

/system ntp client
set enabled=yes mode=multicast

/system ntp client servers
add address=192.168.99.1

/tool mac-server
set allowed-interface-list=MGMT

/tool mac-server mac-winbox
set allowed-interface-list=MGMT
 
User avatar
Ca6ko
Long time Member
Long time Member
Posts: 500
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Degraded wifi performance

Mon Jun 06, 2022 3:24 pm

All the tools I could find for heat maps and stuff were outside of my budget for this.
https://www.wifisolutions.com.ua/
If you use Provision, then you should not set action=create-dynamic-enabled but action=create-enabled; then the automatically created CAP interface can be edited manually.
Sorry for the lack of time, I will give an analysis of your configuration later.

good teaching material "7 Ways to Fail as a Wireless Expert.." https://www.youtube.com/watch?v=ow3ANq5XKDw
 
holvoetn
Forum Guru
Forum Guru
Posts: 5478
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Degraded wifi performance

Mon Jun 06, 2022 4:45 pm

If only using a couple of caps, no need to use certificates (IMHO).
If you want to maximize network speed from cap to internet, do use local forwarding.
 
User avatar
Ca6ko
Long time Member
Long time Member
Posts: 500
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Degraded wifi performance

Wed Jun 15, 2022 12:45 am

Good afternoon, I'm back. As promised, comments on the configuration.
# jun/05/2022 08:36:58 by RouterOS 7.2.3
# model = RBD25G-5HPacQD2HPnD

# managed by CAPsMAN
# channel: 2412/20-Ce/gn(27dBm),
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(26dBm),
Look at the MikroTik website for the specifications of your device. Here is the maximum power at which the device can operate without reducing speed. By setting this much power you are forcing the access point to work at a reduced speed. This confirms what I said before about not using automatic settings.
[attachment: Screenshot_1.jpg]
Manual power adjustment is used to determine the coverage area of the access point: the signal level at the coverage boundary must be -67 dBm, and the signal from the other point must be greater by at least 2-3 dB. Then the automatic switching of the client will happen clearly.
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 3005
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Degraded wifi performance

Wed Jun 15, 2022 2:18 am

I think Wi-Fi diagnostics without a site survey and spectrum analysis is a guessing game.
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: Degraded wifi performance

Wed Jun 15, 2022 12:40 pm

Degraded wifi performance can be hard to fix.

Some basic wifi principles can help to find what is going on.
1. Wifi is in the air (ether) around, and has a major impact on the performance of all wifi devices, even if they are in different networks or use different, independent APs. Everything that uses the same channel or overlaps with the channel matters.
2. In 802.11 there is a major rule: if a device notices something is transmitting, the device will wait for a free channel. (It's like in a meeting: if you notice someone is talking, even someone not taking part in that meeting, or too weak to understand, you shut up.) It is digital, not analog. Being louder or transmitting with more power does not give priority or allow transmission. If there is some 802.11 signal detected, you WAIT. 802.11 signal is detected far beyond the usable range.
3. If the signal is weak (e.g. below -86 dBm) or disturbed, wifi will slow down until it works, even down to 1 Mbps if 802.11b is allowed. Transmitting at that low rate will take a lot of air-time for a message, and will make all the others wait that long. So a fast 144 Mbps station will only transmit a short burst, and then wait for the long 1 Mbps transmitter. Overall throughput for both is 0.95 Mbps if there is continuous need to transmit.
4. If some (client) device is detected transmitting with 802.11b, then any AP, even with 802.11g/n or 802.11-only-n, will use 802.11b's 1 Mbps for its beacons (10 times per second), and trigger 802.11b for other APs to do the same. This happens even without that client connecting, just being around searching for an AP.
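The airtime argument in points 3 and 4 is easier to see with numbers. The following is an added Python example (mine, not bpwl's post or MikroTik code): a deliberately simplified round-robin model in which every station that has data sends one frame per cycle, each frame costing its payload at the station's own PHY rate plus a constructed fixed per-frame overhead. The station names, rates and frame size are assumptions chosen to match the 144 Mbps / 1 Mbps pair in the post; real CSMA/CA behaves less regularly, but the model shows why a single 1 Mbps sender drags a fast neighbour down to about its own throughput, and what disabling the 802.11b rates (forcing the slow client up to 6 Mbps) buys back.

```python
"""Airtime model for a shared 802.11 channel.

Added example (not from the thread): a simplified round-robin model in which
every station on the channel sends one frame per cycle. Frame airtime is the
payload at the station's PHY rate plus a fixed per-frame overhead (preamble,
inter-frame spaces, ACK), all constructed values. Real CSMA/CA is messier,
but the model shows why one 1 Mbps sender pulls everyone else down to
roughly its own throughput.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Station:
    name: str
    phy_rate_mbps: float  # rate the station's frames actually go out at


def frame_airtime_us(payload_bytes: int, phy_rate_mbps: float, overhead_us: float) -> float:
    """Microseconds the channel is busy for one frame: bits / Mbps gives us."""
    return payload_bytes * 8 / phy_rate_mbps + overhead_us


def per_station_throughput_mbps(stations, payload_bytes=1500, overhead_us=0.0):
    """Throughput each station gets when all of them always have data to send.

    One cycle = every station sends one frame, so each station delivers
    payload_bytes per cycle regardless of how fast its own frames are.
    """
    cycle_us = sum(frame_airtime_us(payload_bytes, s.phy_rate_mbps, overhead_us)
                   for s in stations)
    return {s.name: payload_bytes * 8 / cycle_us for s in stations}


def airtime_share(stations, payload_bytes=1500, overhead_us=0.0):
    """Fraction of channel time each station consumes per cycle."""
    times = {s.name: frame_airtime_us(payload_bytes, s.phy_rate_mbps, overhead_us)
             for s in stations}
    total = sum(times.values())
    return {name: t / total for name, t in times.items()}


def demo():
    """Constructed scenario: one 802.11n client next to one legacy client."""
    fast = Station("n-client@144Mbps", 144.0)
    slow_b = Station("b-client@1Mbps", 1.0)
    slow_g = Station("same-client-with-b-rates-disabled@6Mbps", 6.0)
    return {
        "fast alone": per_station_throughput_mbps([fast]),
        "fast + 1 Mbps": per_station_throughput_mbps([fast, slow_b]),
        "airtime fast + 1 Mbps": airtime_share([fast, slow_b]),
        "fast + 6 Mbps": per_station_throughput_mbps([fast, slow_g]),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, {k: round(v, 3) for k, v in result.items()})
```

With no overhead the model gives each of the two stations just under 1 Mbps and the 1 Mbps client over 99% of the airtime; raising the slow client's minimum rate to 6 Mbps lifts both to about 5.8 Mbps. Adding a realistic per-frame overhead only makes the shared figure lower, which is the direction of the 0.95 Mbps quoted above.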
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: Degraded wifi performance

Wed Jun 15, 2022 12:57 pm

[attachment: Klembord-2.jpg]
These are all one and the same frequency range: channels 36 till 48 (5180 till 5240 MHz); 5220eeCe would also be the same range.
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: Degraded wifi performance

Wed Jun 15, 2022 1:02 pm

I think Wi-Fi diagnostics without a site survey and spectrum analysis is a guessing game.
Yes. "Wifi Analyzer" on a smartphone helps. inSSIDer is free on Windows, as are some others.

The MikroTik AP has many useful tools: "SCAN, Freq Usage, Snooper, Wireless Sniffer (analysed with Wireshark), Spectral Scan".
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11590
Joined: Thu Mar 03, 2016 10:23 pm

Re: Degraded wifi performance

Wed Jun 15, 2022 4:10 pm

# jun/05/2022 08:36:58 by RouterOS 7.2.3
# model = RBD25G-5HPacQD2HPnD

# managed by CAPsMAN
# channel: 2412/20-Ce/gn(27dBm),
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(26dBm),
Look at the MikroTik website for the specifications of your device. Here is the maximum power at which the device can operate without reducing speed. By setting this much power you are forcing the access point to work at a reduced speed. This confirms what I said before about not using automatic settings.

That's not quite true.

First thing: the comment in the CAP shows the power setting received from CAPsMAN, which takes into account regulatory limits and antenna gain. The figure displayed is the output power of the wifi power amplifier and will almost always be slightly lower than country regulations (by the amount of antenna gain, which for built-in antennae is often 3 dBi). The sub-item is that country regulations limit total EIRP; if multiple antennae are used this means a further reduction of Tx power per antenna/chain. Not in the output of @simsrw73, but even if country regulations were uniform for the whole 5 GHz band, Tx power on the Audience's wifi3 (high 5 GHz band, using 4 chains) would be 3 dB lower per chain than on wifi2 (lower 5 GHz band, using 2 chains) (times 2 translates to 3 dB and times 4 translates to 6 dB). I don't know if the high 5 GHz radio can boost Tx power by 3 dB if only 2 chains are used because the client is not able to utilize 4x4 MIMO, but if it can't, then the high 5 GHz wifi cell will have a slightly smaller size than the lower 5 GHz wifi cell with the same Tx power settings.
Keep in mind that antenna gain actually improves reception, but obviously only helps in one direction (reception) if EIRP is kept at the legal limit.

Second thing: the Tx maximum power per MCS illustrates the power backoff needed by the output power amplifier due to the "complex" modulation scheme. Great RF amplifiers have no power backoff while poor amplifiers have quite a large power backoff (as seen from the Tx power table). Power backoff per se doesn't mean reduced speeds; if the receiver is reasonably close to the transmitter, traffic will still flow at maximum speed. However, with increased path loss this indeed means that high-speed modes will mean lower signal strength and consequently lower SINR and decreased throughput. However, even if all Tx modes used the same Tx power (e.g. both 6 Mbit/s and MCS9) it might still not be possible to use the highest speeds to the coverage border because of reduced receive sensitivity with higher modes.

Third thing: keep in mind what I already mentioned: receiver sensitivity. Those figures are up to the receiver, which means that different wireless clients can perform quite differently even in exactly the same radio conditions of the same AP. Even if you check these figures for different MikroTik WAPs, you will see quite different stories.
If a high-gain (= directional) antenna is used, then with some luck it can also reduce interference/noise on the receiver, which improves SINR and allows for higher throughputs. Obviously that can't happen if the interference source is in the same general direction as the link partner.
 
User avatar
Ca6ko
Long time Member
Long time Member
Posts: 500
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Degraded wifi performance

Wed Jun 15, 2022 7:42 pm

That's not quite true.
I wrote about the technical characteristics of the access point. The thing is that CAPsMAN is not aware of the capabilities of the device and, if not configured for the access point, gives a power of 30 dBm. Then the access point takes away the antenna gain and accepts this value. It's kind of like super channel mode in a regular setup. The antenna gain of the Audience is stated to be 3.5 dB at 2.4 GHz and 4.5 dB at 5 GHz, so the AP applies 30-3=27 dBm at 2.4 GHz and 30-4=26 dBm at 5 GHz. That is, CAPsMAN ignores the power limit setting for the country. But the Audience CPU itself cannot stably operate at MCS7 modulation with output power above 25 dBm on the 2.4 GHz band. This is a limitation of the device; CAPsMAN knows nothing about it, so the radio engineer must manually set the power for the Audience to not more than 25 dBm, or, knowing the limitation for the country (for example EIRP 20 dBm), must set 20-3=17 dBm output power for 2.4 GHz. If the engineer sets the power to 27 dBm, he understands that the device will not be able to operate stably at MCS 6-7 and disables these modulations by setting the maximum rate to MCS5. MikroTik specifies only the transmitter power / receiver sensitivity for the slowest and the fastest modulation (MCS0 and MCS7 for the n standard) in the device specifications; other manufacturers specify these parameters for all modulations.

Correction to two sentences above ("CAPsMAN ignores the power limit setting for the country" and "It's kind of like super channel mode in a regular setup"): in this case I was wrong, CAPsMAN meets the limit for the country. The "united states3" limitation is 30 dB.
Last edited by Ca6ko on Thu Jun 16, 2022 9:19 am, edited 1 time in total.
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 2993
Joined: Mon Apr 08, 2019 1:16 am

Re: Degraded wifi performance

Wed Jun 15, 2022 9:55 pm

Maybe it’s jumping between 2.4 & 5? Not sure how to verify?
The LOG (in the AP) is your friend in this. Any migration should be clearly indicated, with timestamps.

disconnected, received disassociate: sending station leaving (3) ---> the AP pushed the station away
disconnected: received disassociate: sending station leaving (8) ---> the station notifies the AP that it is going away from this interface

The AP wireless LOG might be found in the CAPsMAN controller, when CAPsMAN is used.
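To make the log-reading step concrete, here is an added Python example (mine, not bpwl's post and not MikroTik code) that parses wireless log lines in the shape of the two quoted above and reports, per client MAC, each hop between interfaces (2.4 GHz to 5 GHz and back) together with the disassociation reason codes. The sample log is constructed: MACs, interface names, timestamps and signal values are made up, and the exact RouterOS line layout around the quoted fragments ("<MAC>@<interface>: connected, signal strength ...", "... disconnected, received disassociate: sending station leaving (N) ...") is an assumption; adjust the regular expression to whatever your own `/log print` shows.

```python
"""Parse RouterOS-style wireless log lines and flag band hopping.

Added example, not part of the thread. SAMPLE_LOG is constructed to look
like RouterOS 'wireless,info' lines; the layout is an assumption.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
jun/15 21:40:02 wireless,info AA:BB:CC:DD:EE:01@wlan-5g: connected, signal strength -58
jun/15 21:41:10 wireless,info AA:BB:CC:DD:EE:01@wlan-5g: disconnected, received disassociate: sending station leaving (8), signal strength -81
jun/15 21:41:11 wireless,info AA:BB:CC:DD:EE:01@wlan-2g: connected, signal strength -66
jun/15 21:43:30 wireless,info AA:BB:CC:DD:EE:01@wlan-2g: disconnected, received disassociate: sending station leaving (3), signal strength -60
jun/15 21:43:31 wireless,info AA:BB:CC:DD:EE:01@wlan-5g: connected, signal strength -70
jun/15 21:50:00 wireless,info AA:BB:CC:DD:EE:02@wlan-2g: connected, signal strength -52
jun/15 22:10:45 wireless,info AA:BB:CC:DD:EE:02@wlan-2g: disconnected, received disassociate: sending station leaving (8), signal strength -55
"""

# Assumed line layout: "<date> <time> wireless,info <MAC>@<iface>: <event><detail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \d\d:\d\d:\d\d) wireless,info "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})@(?P<iface>\S+): "
    r"(?P<event>connected|disconnected)(?P<detail>.*)$"
)
REASON_RE = re.compile(r"\((\d+)\)")            # 802.11 reason code in parentheses
SIGNAL_RE = re.compile(r"signal strength (-?\d+)")


def parse_line(line):
    """Return a dict for a wireless connect/disconnect line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    detail = m.group("detail")
    reason = REASON_RE.search(detail)
    signal = SIGNAL_RE.search(detail)
    return {
        "ts": m.group("ts"),
        "mac": m.group("mac").upper(),
        "iface": m.group("iface"),
        "event": m.group("event"),
        "reason": int(reason.group(1)) if reason else None,
        "signal": int(signal.group(1)) if signal else None,
    }


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def interface_moves(events):
    """Per MAC: (from_iface, to_iface, ts) for every reconnect to a different
    interface, i.e. each hop between the 2.4 GHz and 5 GHz radios."""
    last_iface = {}
    moves = defaultdict(list)
    for e in events:
        if e["event"] != "connected":
            continue
        prev = last_iface.get(e["mac"])
        if prev and prev != e["iface"]:
            moves[e["mac"]].append((prev, e["iface"], e["ts"]))
        last_iface[e["mac"]] = e["iface"]
    return dict(moves)


def disconnect_reasons(events):
    """Per MAC: count of each disassociation reason code.
    Per the post above: (3) = AP pushed the station away, (8) = station left."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["event"] == "disconnected" and e["reason"] is not None:
            counts[e["mac"]][e["reason"]] += 1
    return {mac: dict(r) for mac, r in counts.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for mac, hops in interface_moves(evs).items():
        print(mac, "hops:", hops)
    print("reasons:", disconnect_reasons(evs))
```

On a CAPsMAN setup, feed it the controller's log (topic `wireless`) rather than each CAP's; a client that shows several hops per hour, with reason (8) at a weak signal on one band and (3) on the other, is being steered or is roaming on its own, which is a different problem from a slow link on a single radio.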
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11590
Joined: Thu Mar 03, 2016 10:23 pm

Re: Degraded wifi performance

Thu Jun 16, 2022 12:31 am

That's not quite true.
I wrote about the technical characteristics of the access point. The thing is that the Capsman is not aware of the capabilities of the device and if not configured for the access point gives a power of 30 dBm.

CAPsMAN doesn't have to be aware of hardware capabilities; it simply sets maximum EIRP, which by default is according to country limits (per frequency channel). Actual Tx power is then determined by the AP as the minimum of the following items (this was explained by an MT staffer a few years ago on this forum; I'm not going to look for the reference link, so you can trust me on this or not, as you wish):
  • country limit, adjusted with antenna gain
    If country limit is e.g. 30dBm and antenna gain is 3.5dBi=>4dBi (antenna gain is integer setting and is rounded up), then the value for this item is 30dBm-4dBi=26dBm (per chain)
  • maximum power amplifier Tx power at certain Tx mode
    Let's say Tx mode is MCS7, hence the value for Audience 2.4GHz radio is 25dBm
  • manually set Tx power

Let's say administrator did not limit Tx power, so the selected Tx power will be 25dBm for MCS7 (due to wifi power amplifier power backoff). For Tx modes with lower rates (e.g. 6Mbps with max Tx power of 29dBm) selected Tx power will be 26dBm (country limit).

In case when country limit is lower (e.g. 20dBm), it's country limit that gets obeyed for all Tx modes. In this case cell coverage will still be larger than MCS7 coverage due to better receiver sensitivity for lower rates even though transmitter will use same Tx power for all Tx modes, only the size difference will be less than if Tx power used would be capped by HW capabilities. Similar thing happens when antenna gain is set high ... it effectively reduces country limitation.

If one wants to reduce coverage even further, it is possible to manually set Tx power to something low; in that case this item would have the lowest value.
The opposite (manually setting Tx power to unrealistically high numbers) doesn't yield anything; Tx power will be capped by the other two items anyway.

The Tx power calculation is then further adjusted according to the number of Tx chains actually used (for each individual wireless frame); for 2 chains, Tx power per chain is reduced by 3 dB (compared to the values mentioned above).

And again: it's not CAPsMAN calculating Tx power, it's the APs themselves. CAPsMAN only provisions CAPs (= configures them).
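The selection rule above is small enough to write down and check against the figures quoted in this thread. The following is an added Python example (mine, not MikroTik's firmware logic and not from any post) that takes the minimum of the three items (country limit minus rounded-up antenna gain, amplifier maximum for the Tx mode, optional manual cap) and then applies the 3 dB per doubling of Tx chains. The constants are the ones quoted in the thread for the Audience 2.4 GHz radio under "united states3"; only the 6 Mbps and MCS7 amplifier maxima were quoted, so the table holds just those two modes, and the `binding_item` helper (which of the three items actually capped the power) is my addition for explaining a given result.

```python
"""Per-chain Tx power selection as described in the post above.

Added example, not MikroTik code. Implements: min(country limit minus
rounded-up antenna gain, amplifier maximum for the Tx mode, manual cap),
then -3 dB per doubling of Tx chains. Constants are the thread's figures
for the Audience 2.4 GHz radio; anything else is an assumption.
"""
import math

COUNTRY_LIMIT_DBM = 30                    # "united states3" limit quoted in the thread
ANTENNA_GAIN_DBI = 3.5                    # Audience 2.4 GHz antenna, per the thread
PA_MAX_DBM = {"6Mbps": 29, "MCS7": 25}    # amplifier maxima quoted in the post


def country_item_dbm(country_limit_dbm, antenna_gain_dbi):
    """Country limit adjusted with antenna gain; the gain setting is an
    integer, so 3.5 dBi is rounded up to 4 dBi before subtracting."""
    return country_limit_dbm - math.ceil(antenna_gain_dbi)


def candidate_items(tx_mode, country_limit_dbm=COUNTRY_LIMIT_DBM,
                    antenna_gain_dbi=ANTENNA_GAIN_DBI, manual_tx_dbm=None,
                    pa_max_dbm=PA_MAX_DBM):
    """The three items the AP takes the minimum of (manual only if set)."""
    items = {
        "country": country_item_dbm(country_limit_dbm, antenna_gain_dbi),
        "amplifier": pa_max_dbm[tx_mode],
    }
    if manual_tx_dbm is not None:
        items["manual"] = manual_tx_dbm
    return items


def binding_item(tx_mode, **kw):
    """Name of the item that actually capped the power for this mode."""
    items = candidate_items(tx_mode, **kw)
    return min(items, key=items.get)


def per_chain_tx_power_dbm(tx_mode, tx_chains=1, **kw):
    """Selected per-chain Tx power for one frame sent on tx_chains chains."""
    base = min(candidate_items(tx_mode, **kw).values())
    # 3 dB per doubling of chains keeps the total radiated power constant
    return base - 3 * math.log2(tx_chains)


if __name__ == "__main__":
    for mode in PA_MAX_DBM:
        for chains in (1, 2, 4):
            print(mode, f"{chains} chain(s):",
                  per_chain_tx_power_dbm(mode, tx_chains=chains), "dBm,",
                  "capped by", binding_item(mode))
    print("country limit 20 dBm, MCS7:",
          per_chain_tx_power_dbm("MCS7", country_limit_dbm=20), "dBm")
```

Reading the result back against the thread: with the 30 dBm limit, MCS7 is capped by the amplifier at 25 dBm while 6 Mbps is capped by the country item at 26 dBm; drop the country limit to 20 dBm and both modes land on 16 dBm, so the cell-size difference between rates then comes only from receiver sensitivity. A manual setting above these values changes nothing, which is why the "27 dBm" shown on the CAP is not evidence of a misconfiguration by itself.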
