Community discussions

MikroTik App
 
Tadas
just joined
Topic Author
Posts: 8
Joined: Tue Jul 12, 2022 10:11 pm

hAP AC3 WPA2/WPA3 slowsdown wifi speed

Tue Jul 12, 2022 10:39 pm

For a month im using hAP AC3 and notice poor wifi speed. Made some tests and find that with wpa or non secure wifi my internet speed is 320Mb/s (ISP on cable 400Mb/s). When i check wpa2-psk, wp3-psk or both, wifi speed drops to 30Mb/s. It happens for all connected devices.
Any ideas how to solve this issue?
ROS 7.3.1 stable, wifiwave2.
Have reset router, doesn't config anything on it, but issue persist.
Thanks
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: hAP AC3 WPA2/WPA3 slowsdown wifi speed

Wed Jul 13, 2022 8:37 am

One thing to keep in mind when configuring WPA2 (on any device) is to avoid using TKIP at all costs. So security profiles should be set with encryption=ccmp group-encryption=ccmp. Other encryption algorithms are optional in WPA3 and may be poorly supported / buggy both by ROS as well as wireless clients so perhaps you should avoid using them until you reach stable operation with the required (basic) CCMP.
 
erlinden
Forum Guru
Forum Guru
Posts: 1900
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: hAP AC3 WPA2/WPA3 slowsdown wifi speed

Wed Jul 13, 2022 10:04 am

Perhaps you can share your current config:
/export hide-sensitive file=anynameyoulike (en be aware to remove any personal information)
 
Tadas
just joined
Topic Author
Posts: 8
Joined: Tue Jul 12, 2022 10:11 pm

Re: hAP AC3 WPA2/WPA3 slowsdown wifi speed

Thu Jul 14, 2022 6:47 pm

current config:
# jul/14/2022 18:23:18 by RouterOS 7.3.1
# software id = 19K0-QWE0
#
# model = RBD53iG-5HacD2HnD
# serial number = F34E0F4A8361
/interface bridge
add admin-mac=DC:2C:6E:5D:43:BB auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=2ghz-n .frequency=2461-2483 \
    .skip-dfs-channels=10min-cac .width=20mhz configuration.mode=ap .ssid=\
    D disabled=no name=2.4 security.authentication-types=wpa-psk \
    .encryption=ccmp
set [ find default-name=wifi2 ] channel.band=5ghz-ac .frequency=5180-5240 \
    .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=ap \
    .ssid=5G disabled=no name=5 security.authentication-types=wpa-psk \
    .encryption=ccmp
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk encryption=ccmp name=sec1
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=2.4
add bridge=bridge comment=defconf interface=5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Vilnius
/system scheduler
add interval=1w name="auto reboot" on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jul/10/2022 start-time=03:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: hAP AC3 WPA2/WPA3 slowsdown wifi speed

Fri Jul 15, 2022 3:57 pm

Not sure if it affects speed, but you should be using authentication-types=wpa2-psk (not wpa-psk).
 
Tadas
just joined
Topic Author
Posts: 8
Joined: Tue Jul 12, 2022 10:11 pm

Re: hAP AC3 WPA2/WPA3 slowsdown wifi speed

Fri Jul 15, 2022 9:41 pm

Not sure if it affects speed, but you should be using authentication-types=wpa2-psk (not wpa-psk).
WPA2 and WPA3 decrease wifi speed. Only WPA or non secure wifi had to use for better wifi speed...
 
holvoetn
Forum Guru
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: hAP AC3 WPA2/WPA3 slowsdown wifi speed

Fri Jul 15, 2022 9:49 pm

Not sure if it affects speed, but you should be using authentication-types=wpa2-psk (not wpa-psk).
WPA2 and WPA3 decrease wifi speed. Only WPA or non secure wifi had to use for better wifi speed...
And still, depending on which source you consult, WPA is claimed to result in connection to be slower then when using WPA2.
So go figure ...
https://www.diffen.com/difference/WPA_vs_WPA2
 
Tadas
just joined
Topic Author
Posts: 8
Joined: Tue Jul 12, 2022 10:11 pm

Re: hAP AC3 WPA2/WPA3 slowsdown wifi speed

Sat Jul 16, 2022 1:20 am



WPA2 and WPA3 decrease wifi speed. Only WPA or non secure wifi had to use for better wifi speed...
And still, depending on which source you consult, WPA is claimed to result in connection to be slower then when using WPA2.
So go figure ...
https://www.diffen.com/difference/WPA_vs_WPA2
I would be happy and i want to use WPA2 or even WPA3, but my practice with this router shows different. I refuse to have internet speed with 30Mb/s and have to choose WPA with 300Mb/s. I hope this issue would be solved with ROS update or somebody shows magic how to config os.
 
holvoetn
Forum Guru
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: hAP AC3 WPA2/WPA3 slowsdown wifi speed

Sat Jul 16, 2022 6:53 am

I would be happy and i want to use WPA2 or even WPA3, but my practice with this router shows different. I refuse to have internet speed with 30Mb/s and have to choose WPA with 300Mb/s. I hope this issue would be solved with ROS update or somebody shows magic how to config os.
I use WPA3 on AC3 and get consistent >300 Mb speeds (internal iperf server).
No magic needed.
 
Tadas
just joined
Topic Author
Posts: 8
Joined: Tue Jul 12, 2022 10:11 pm

Re: hAP AC3 WPA2/WPA3 slowsdown wifi speed

Sat Jul 16, 2022 3:37 pm

I use WPA3 on AC3 and get consistent >300 Mb speeds (internal iperf server).
No magic needed.
Could you share your current config?
 
holvoetn
Forum Guru
Forum Guru
Posts: 5317
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: hAP AC3 WPA2/WPA3 slowsdown wifi speed

Sat Jul 16, 2022 3:56 pm

Could you share your current config?
Sure. Wifiwave2 related part included.
Pretty basic.

- setup channels to be used
- setup security to be used
- make configurations needed based on channels and security defined before
- create interfaces based on configurations (1x 2.4Ghz SSID plus slave IoT SSID, 1x 5GHz channel with own SSID)
Do not change settings related to security or channels when defining interfaces since you will overrule the ones you made before (as you did in your config).
If you know how to use capsman, it works conceptually exactly the same.

security.ft=no was something I tried for the new 802.11r features (which don't work cross-AP yet, so I disabled it again since my SSIDs are different across radios)
# jul/16/2022 14:47:48 by RouterOS 7.4rc2
# software id = LB29-6B5U
#
# model = RBD53iG-5HacD2HnD
# serial number = <serial>
/interface wifiwave2 channel
add band=2ghz-n frequency=2412,2437,2462 name=ch1_6_11 width=20mhz
add band=5ghz-ac frequency=5500 name=ch5500 width=20/40/80mhz
/interface wifiwave2 security
add authentication-types=wpa2-psk name=security1 passphrase=<super-secret>
add authentication-types=wpa2-psk name=IoT passphrase=<super-secret2>
/interface wifiwave2 configuration
add country=Belgium mode=ap name=name1 security=security1 ssid=SSID1
add country=Belgium mode=ap name=name2 security=security2 ssid=SSID2
add channel.frequency="" country=Belgium mode=ap name=IoT security=IoT ssid=IoT
/interface wifiwave2
set [ find default-name=wifi1 ] arp-timeout=auto channel=ch1_6_11 \
    configuration=name1 configuration.mode=ap disabled=no name=wifi1 security.ft=no
set [ find default-name=wifi2 ] arp-timeout=auto channel=ch5500 \
    configuration=name2 configuration.mode=ap disabled=no \
    name=wifi2 security.ft=no
add arp-timeout=auto configuration=IoT configuration.mode=ap disabled=no \
    master-interface=wifi1 name=wifi3 \
    security.ft=no
/interface wifiwave2 access-list
add action=accept allow-signal-out-of-range=30s disabled=no interface=dynamic \
    signal-range=-86..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=1s disabled=no interface=dynamic \
    signal-range=-120..-87 ssid-regexp=""
 
Tadas
just joined
Topic Author
Posts: 8
Joined: Tue Jul 12, 2022 10:11 pm

Re: hAP AC3 WPA2/WPA3 slowsdown wifi speed

Tue Dec 20, 2022 1:16 pm

Again im here.
Updated ROS expecting to solve my problem, but no results...
Any ideas?

# dec/20/2022 12:59:57 by RouterOS 7.6

# software id = 19K0-QWE0

#

# model = RBD53iG-5HacD2HnD

# serial number = F34E0F4A8361

/interface bridge

add admin-mac=DC:2C:6E:5D:43:BB auto-mac=no comment=defconf name=bridge

/interface wifiwave2

set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.country=Lithuania .mode=ap .ssid=_2G disabled=no name=2.4 security.authentication-types=wpa-psk .encryption=ccmp

set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country=Lithuania .mode=ap .ssid=_5G disabled=no name=5 security.authentication-types=wpa-psk .encryption=ccmp

/interface list

add comment=defconf name=WAN

add comment=defconf name=LAN

/interface wifiwave2 security

add authentication-types=wpa2-psk,wpa3-psk encryption=ccmp name=sec1

/ip pool

add name=dhcp ranges=192.168.88.10-192.168.88.254

/ip dhcp-server

add address-pool=dhcp interface=bridge name=defconf

/interface bridge port

add bridge=bridge comment=defconf interface=ether2

add bridge=bridge comment=defconf interface=ether3

add bridge=bridge comment=defconf interface=ether4

add bridge=bridge comment=defconf interface=ether5

add bridge=bridge comment=defconf interface=2.4

add bridge=bridge comment=defconf interface=5

/ip neighbor discovery-settings

set discover-interface-list=LAN

/interface list member

add comment=defconf interface=bridge list=LAN

add comment=defconf interface=ether1 list=WAN

/ip address

add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0

/ip dhcp-client

add comment=defconf interface=ether1

/ip dhcp-server network

add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1

/ip dns

set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1

/ip dns static

add address=192.168.88.1 comment=defconf name=router.lan

/ip firewall filter

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec

add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes

add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ip firewall nat

add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

/ipv6 firewall address-list

add address=::/128 comment="defconf: unspecified address" list=bad_ipv6

add address=::1/128 comment="defconf: lo" list=bad_ipv6

add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6

add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6

add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6

add address=100::/64 comment="defconf: discard only " list=bad_ipv6

add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6

add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6

add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6

add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp

add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10

add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp

add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah

add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp

add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec

add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6

add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6

add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6

add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6

add action=accept chain=forward comment="defconf: accept HIP" protocol=139

add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp

add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah

add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp

add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec

add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

/system clock

set time-zone-name=Europe/Vilnius

/system scheduler

add interval=1w name="auto reboot" on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jul/10/2022 start-time=03:00:00

/tool mac-server

set allowed-interface-list=LAN

/tool mac-server mac-winbox

set allowed-interface-list=LAN
 
Tadas
just joined
Topic Author
Posts: 8
Joined: Tue Jul 12, 2022 10:11 pm

Re: hAP AC3 WPA2/WPA3 slowsdown wifi speed

Wed Feb 01, 2023 9:58 am

Have googling for days and find some answers.
1. Have to setup Mikrotik device manually avoiding its quick setup. https://www.youtube.com/watch?v=Y_xIprSlp94
After manual configuration my AC3 increases internet speed and majority devices starts working with wpa2/wpa3 in full speed.
2. Atheros QCA9377 wifi adapter is buggy.
My Lenovo with MX Linux-21 ath10k_pci with firmware-5.bin and firmware-6.bin is still limiting 30mbps speed on wpa2/wpa3.
Wifes Dell with Windows10 and same wifi adapter (QCA9377) works properly and reaches top speed with same Mikrotik hAP AC3 network.

In searching for linux solution...
 
Tadas
just joined
Topic Author
Posts: 8
Joined: Tue Jul 12, 2022 10:11 pm

Re: hAP AC3 WPA2/WPA3 slowsdown wifi speed  [SOLVED]

Sun Jun 04, 2023 12:28 pm

Looks like my hAP AC3 starts working as i expected, stable and fast.
I have changed computers wifi adapter to Intel AX200 (25eur) and update ros to 7.9.1. Updating ros solves wifi droping issue.
Best device is when u forget about it. It just works.

Who is online

Users browsing this forum: shafiqmaswan and 27 guests