So I finally set up WiFi for my home and it consist of hAP ax3 acting as an router on second floor and hAP ax2 acting as an AP/switch for downstairs wired devices.
I have multiple SSIDs and VLANs, and hAP ax3 only have one SSID, for my main network and it's combined 2.4/5 GHz ax, ax2 have 3 SSIDs, one for main network, same as ax3, so combined 2.4/5 GHz ax and same SSID for both of them. One SSID for cameras and security related devices and another SSID for IoT devices.
I noticed that my devices loves to connect to the upstairs router instead of the ax2 downstairs... Devices even rather connect to the 2.4 GHz WiFi upstairs and have terrible speeds... I scanned my area and i choose channels so APs don't overlaps. Here are configs for both devices. I don't know where the problem is...
Downstairs ax2
Code: Select all
# jan/03/1970 02:14:49 by RouterOS 7.7
# software id =
#
# model = C52iG-5HaxD2HaxD
# serial number =
/interface bridge
add ingress-filtering=no name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=TRUNK
set [ find default-name=ether2 ] comment=VLAN40_IPTV
set [ find default-name=ether3 ] comment=VLAN20_SECURITY
set [ find default-name=ether4 ] comment=VLAN20_SECURITY
set [ find default-name=ether5 ] comment=VLAN88_HOME
/interface vlan
add interface=bridge name=VLAN20_SECURITY vlan-id=20
add interface=bridge name=VLAN30_IOT vlan-id=30
add interface=bridge name=VLAN40_IPTV vlan-id=40
add interface=bridge name=VLAN88_HOME vlan-id=88
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk name=HOME
add authentication-types=wpa2-psk name=IOT
add authentication-types=wpa2-psk name=CCTV
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5180 .width=\
20/40/80mhz configuration.country=Croatia .mode=ap .ssid="Gazdin WiFi" \
disabled=no security=HOME
set [ find default-name=wifi2 ] channel.band=2ghz-ax .frequency=2462 .width=\
20mhz configuration.country=Croatia .mode=ap .ssid="Gazdin WiFi" \
disabled=no security=HOME
add channel.band=2ghz-ax .width=20mhz configuration.country=Croatia .mode=ap \
.ssid=IoT disabled=no mac-address=XX:XX:XX:XX:XX:XX master-interface=\
wifi2 name=wifi3 security=IOT
add channel.band=2ghz-ax .width=20mhz configuration.country=Croatia .mode=ap \
.ssid=WiFi_CCTV disabled=no mac-address=XX:XX:XX:XX:XX:XX \
master-interface=wifi2 name=wifi4 security=CCTV
/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether2 pvid=40
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether3 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether4 pvid=20
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether5 pvid=88
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=wifi1 pvid=88
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=wifi2 pvid=88
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=wifi3 pvid=30
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=wifi4 pvid=20
/interface bridge vlan
add bridge=bridge tagged=ether1,bridge untagged=ether3,ether4,wifi4 vlan-ids=\
20
add bridge=bridge tagged=bridge,ether1 untagged=ether5,wifi1,wifi2 vlan-ids=\
88
add bridge=bridge tagged=bridge,ether1 untagged=ether2 vlan-ids=40
add bridge=bridge tagged=bridge,ether1 untagged=wifi3 vlan-ids=30
/system identity
set name=hAP_ax2_DB
Code: Select all
feb/19/2023 10:06:52 by RouterOS 7.6
# software id =
#
# model = C53UiG+5HPaxD2HPaxD
# serial number =
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge \
vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=TRUNK
set [ find default-name=ether3 ] comment=VLAN10_TEA_RADNI_PC
set [ find default-name=ether4 ] comment=VLAN88_HOME
set [ find default-name=ether5 ] comment=VLAN88_HOME
/interface vlan
add interface=bridge name=VLAN10_TEA_PC vlan-id=10
add interface=bridge name=VLAN20_SECURITY vlan-id=20
add interface=bridge name=VLAN30_IOT vlan-id=30
add interface=bridge name=VLAN40_IPTV vlan-id=40
add interface=bridge name=VLAN88_HOME vlan-id=88
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=HOME
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk name=HOME
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ax .frequency=5500 \
.skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.country=\
Croatia .mode=ap .ssid="Gazdin WiFi" disabled=no security=HOME
set [ find default-name=wifi2 ] channel.band=2ghz-ax .frequency=2412 \
.skip-dfs-channels=10min-cac .width=20mhz configuration.country=Croatia \
.mode=ap .ssid="Gazdin WiFi" disabled=no security=HOME
/ip pool
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.5
add name=dhcp_pool2 ranges=10.10.20.2-10.10.20.150
add name=dhcp_pool3 ranges=10.10.30.2-10.10.30.254
add name=dhcp_pool4 ranges=10.10.40.2-10.10.40.50
add name=dhcp_pool5 ranges=10.10.88.2-10.10.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 interface=VLAN10_TEA_PC lease-time=1d name=\
dhcp_VLAN10
add address-pool=dhcp_pool2 interface=VLAN20_SECURITY lease-time=1d name=\
dhcp_VLAN20
add address-pool=dhcp_pool3 interface=VLAN30_IOT lease-time=1d name=\
dhcp_VLAN30
add address-pool=dhcp_pool4 interface=VLAN40_IPTV lease-time=1d name=\
dhcp_VLAN40
add address-pool=dhcp_pool5 interface=VLAN88_HOME lease-time=1d name=\
dhcp_VLAN88
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-vlan-tagged \
interface=ether2
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether4 pvid=88
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=ether5 pvid=88
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=wifi1 pvid=88
add bridge=bridge comment=defconf frame-types=\
admit-only-untagged-and-priority-tagged interface=wifi2 pvid=88
/ip neighbor discovery-settings
set discover-interface-list=HOME
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,ether2 untagged=wifi1,wifi2,ether4,ether5 \
vlan-ids=88
add bridge=bridge tagged=bridge untagged=ether3 vlan-ids=10
add bridge=bridge tagged=bridge,ether2 vlan-ids=20
add bridge=bridge tagged=bridge,ether2 vlan-ids=30
add bridge=bridge tagged=bridge,ether2 vlan-ids=40
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN10_TEA_PC list=LAN
add interface=VLAN20_SECURITY list=LAN
add interface=VLAN30_IOT list=LAN
add interface=VLAN40_IPTV list=LAN
add interface=VLAN88_HOME list=LAN
add interface=VLAN88_HOME list=HOME
/ip address
add address=10.10.10.1/24 comment="VLAN10 _TEA_PC" interface=VLAN10_TEA_PC \
network=10.10.10.0
add address=10.10.20.1/24 comment=VLAN20_SECURITY interface=VLAN20_SECURITY \
network=10.10.20.0
add address=10.10.30.1/24 comment=VLAN30_IOT interface=VLAN30_IOT network=\
10.10.30.0
add address=10.10.40.1/24 comment=VLAN40_IPTV interface=VLAN40_IPTV network=\
10.10.40.0
add address=10.10.88.1/24 comment=VLAN88_HOME interface=VLAN88_HOME network=\
10.10.88.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=10.10.20.0/24 gateway=10.10.20.1
add address=10.10.30.0/24 gateway=10.10.30.1
add address=10.10.40.0/24 gateway=10.10.40.1
add address=10.10.88.0/24 gateway=10.10.88.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Zagreb
/system identity
set name=hAP_ax3_router
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=HOME