sk0003
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 17, 2023 6:52 pm

CAPSMAN Setup Help for better roaming

Mon Oct 28, 2024 3:17 pm

Hi,

Can anyone help me with setting up CAPSMAN for better roaming from AP to AP? I have a RB5009 router with 3 CAPS connected, 2 hAP AX2s and 1 cAP AX.

It is a large apartment with concrete walls, so I need APs to cover each area.

Under Configuration, I have the SSID and country selected and Mode: AP.
Under Security, WPA3-PSK and WPA2-PSK and CCMP and GCMP under Encryption and the Passphrase.
Under FT, I have FT enabled checked and FT over DS checked.
Under Steering, I have a neighbor group, RRM and WNM set to Yes.

I have an issue with devices roaming from room to room, with some devices still being connected to an AP with a weaker signal. I am confused about how to set the Channel settings and tune the power for 2GHz lower than 5GHz, because I would like this to stay as it is, one SSID for both frequencies.

Thanks in advance.
 
eddieb
Member
Posts: 363
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: CAPSMAN Setup Help for better roaming

Mon Oct 28, 2024 3:47 pm

Remember, roaming is a client decision!

Some clients are very stubborn in switching AP and tend to stick way too long to a weaker AP.

What you describe should be OK ... but
remove WPA3 for now ...
make sure each AP is on a different channel/frequency, it will help stubborn clients to switch AP easier
(and even that won't help for some of my IoT devices, they tend to stick to the MAC address of an AP forever)
 
erlinden
Forum Guru
Posts: 2732
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAPSMAN Setup Help for better roaming

Mon Oct 28, 2024 4:00 pm

You could play with transmission power, by default it is set to maximum. Lowering could improve roaming.
 
sk0003
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 17, 2023 6:52 pm

Re: CAPSMAN Setup Help for better roaming

Mon Oct 28, 2024 4:08 pm

Yes that is what I would like. But can you help me with how I can set the transmission power and the channels for each AP?

I would like to keep one SSID for both frequencies.
 
sk0003
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 17, 2023 6:52 pm

Re: CAPSMAN Setup Help for better roaming

Mon Oct 28, 2024 4:10 pm

Why do you say remove WPA3?

Also, how do I set the APs with each of them having a different channel/frequency? Also the transmission power? I think because of the transmission power, the APs are overlapping.
 
erlinden
Forum Guru
Posts: 2732
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAPSMAN Setup Help for better roaming

Mon Oct 28, 2024 4:45 pm

Transmission power is set on:
/interface/wifi/configuration/tx-power

Frequency is set on:
/interface/wifi/channel/frequency

Can you share your config?
/export file=anynameyoulike
I have made a config (and provision rule) per radio, so I can set everything the way I want it exactly. I.e. all channels on the 5GHz radios are manually set. They all share the same SSID (apart from the open network) and the same security (apart from the open network as well).
 
sk0003
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 17, 2023 6:52 pm

Re: CAPSMAN Setup Help for better roaming

Mon Oct 28, 2024 7:04 pm

Sorry for my delayed response, but I got wrapped up in something at work and was only just now able to get to this. I also had to take some time to redact personal things from the config, since it does not export with sensitive stuff hidden even with the command.

If you are knowledgeable on Queues also, that is one thing I have been struggling to set up as you can see. I added some stuff but all disabled for the moment and firewall rules are not really my thing either.

I can post a network diagram as well if that will help.
# 2024-10-28 17:42:50 by RouterOS 7.16.1
# software id = Redacted
#
# model = RB5009UG+S+
# serial number = (SerNum)
/interface bridge
add disabled=yes name=br-EOIP
add disabled=yes name=br-OVPN
add name=br-VPN
add name=br_PBR port-cost-mode=short
add admin-mac=(MacAddress) auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] name=ether3-WG-LAN
set [ find default-name=ether4 ] name=ether4-VOIP
set [ find default-name=ether5 ] name="ether5-IPTV STB"
set [ find default-name=ether6 ] name=ether6-IPTV2
set [ find default-name=ether8 ] comment=WAN2
/interface l2tp-client
add connect-to=(VPN IP) disabled=no name=l2tp-out1 use-ipsec=\
    yes user=l2tp
/interface eoip
add disabled=yes mac-address=(MacAddress) name=eoip-tunnel1 \
    remote-address=192.168.50.1 tunnel-id=1
/interface wireguard
add disabled=yes listen-port=13232 mtu=1420 name=Name
add listen-port=13231 mtu=1412 name=wg1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-DOMA-1f2e3a6c rrm=yes \
    wnm=yes
/interface wifi configuration
add country="North Macedonia" disabled=no mode=ap name=cfg1 \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption=ccmp,gcmp \
    .ft=yes .ft-over-ds=yes ssid=DOMA steering=steering1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.98.10-192.168.98.254
add name=dhcp_pool2 ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool2 interface=br_PBR lease-time=10m name=dhcp2
/ip smb users
set [ find default=yes ] disabled=yes
/ppp profile
add bridge=br-OVPN change-tcp-mss=yes name=OVPN use-ipv6=default
set *FFFFFFFE bridge=br-VPN use-encryption=default use-ipv6=default
/interface ovpn-client
add certificate=cert_export_client.crt_0 cipher=aes256-cbc connect-to=\
    (VpnIP) disabled=yes mac-address=(MacAddress) mode=\
    ethernet name=ovpn-out1 profile=OVPN user=ovpnclient
/queue simple
add max-limit=3M/30M name="Asus Router" target=192.168.99.155/32
/queue type
add kind=fq-codel name=fq_qodel-default
add cake-autorate-ingress=yes kind=cake name=cake
/queue tree
add bucket-size=0.01 disabled=yes max-limit=90M name=DOWN parent=br_PBR \
    queue=default
add disabled=yes name="1. VOIP" packet-mark=VOIP parent=DOWN priority=1 \
    queue=default
add disabled=yes name="2. MAXTV" packet-mark=MaxTV parent=br-VPN priority=2 \
    queue=default
add disabled=yes name="2. DNS" packet-mark=DNS parent=DOWN priority=2 queue=\
    default
add disabled=yes name="3. ACK" packet-mark=ACK parent=DOWN priority=3 queue=\
    default
add disabled=yes name="4. UDP" packet-mark=UDP parent=DOWN priority=3 queue=\
    default
add disabled=yes name="5. ICMP" packet-mark=ICMP parent=DOWN priority=4 \
    queue=default
add disabled=yes name="6. HTTP" packet-mark=HTTP parent=DOWN priority=5 \
    queue=default
add disabled=yes name="7. HTTP_BIG" packet-mark=HTTP_BIG parent=DOWN \
    priority=6 queue=default
add disabled=yes name="8. QUIC" packet-mark=QUIC parent=DOWN priority=7 \
    queue=default
add disabled=yes name="9. OTHER" packet-mark=OTHER parent=DOWN queue=default
add bucket-size=0.01 disabled=yes max-limit=15M name=UP parent=br_PBR queue=\
    default
add disabled=yes name="1. VOIP_" packet-mark=VOIP parent=UP priority=1 queue=\
    default
add disabled=yes name="2. DNS_" packet-mark=DNS parent=UP priority=2 queue=\
    default
add disabled=yes name="3. ACK_" packet-mark=ACK parent=UP priority=3 queue=\
    default
add disabled=yes name="4. UDP_" packet-mark=UDP parent=UP priority=3 queue=\
    default
add disabled=yes name="5. ICMP_" packet-mark=ICMP parent=UP priority=4 queue=\
    default
add disabled=yes name="6. HTTP_" packet-mark=HTTP parent=UP priority=5 queue=\
    default
add disabled=yes name="7. HTTP_BIG_" packet-mark=HTTP_BIG parent=UP priority=\
    6 queue=default
add disabled=yes name="8. QUIC_" packet-mark=QUIC parent=UP priority=7 queue=\
    default
add disabled=yes name="9. OTHER_" packet-mark=OTHER parent=UP queue=default
add disabled=yes max-limit=15M name=cake-queue-upload parent=wg1 queue=cake
add disabled=yes name=cake-queue-download parent=wg1 queue=cake
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/routing table
add disabled=no fib name=wg
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" \
    disabled=yes disabled=yes name=zt1 port=9993
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=yes instance=\
    zt1 name=zerotier1 network=(NetworkID)
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2-LAN \
    internal-path-cost=10 path-cost=10
add bridge=br_PBR comment=defconf ingress-filtering=no interface=\
    ether3-WG-LAN internal-path-cost=10 path-cost=10
add bridge=br_PBR comment=defconf ingress-filtering=no interface=ether4-VOIP \
    internal-path-cost=10 path-cost=10
add bridge=br-VPN comment=defconf ingress-filtering=no interface=\
    "ether5-IPTV STB" internal-path-cost=10 path-cost=10
add bridge=bridge disabled=yes ingress-filtering=no interface=ether1-WAN \
    internal-path-cost=10 path-cost=10
add bridge=br-OVPN disabled=yes interface=eoip-tunnel1
add bridge=br-VPN interface=ether6-IPTV2
add bridge=br-EOIP interface=eoip-tunnel1
/ip firewall connection tracking
set udp-timeout=1m
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=wg1 list=LAN
add comment=defconf interface=br_PBR list=LAN
add comment=defconf interface=ether8 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wifi capsman
set enabled=yes package-path=/ require-peer-certificate=no upgrade-policy=\
    none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg1
/interface wireguard peers
add allowed-address="0.0.0.0/0,192.168.50.0/24,192.168.88.0/24,AllowedAddresses" endpoint-address=\
    (VpnIP) endpoint-port=13231 interface=wg1 name=peer8 \
    persistent-keepalive=25s public-key=\
    "PublicKey"
add allowed-address=192.168.60.0/24 disabled=yes endpoint-address=\
    (RedactedIP) endpoint-port=13232 interface=Name name=peer12 \
    persistent-keepalive=1s private-key=\
    "PublicKey" public-key=\
    "PrivateKey"
/ip address
add address=192.168.98.1/24 comment=defconf interface=bridge network=\
    192.168.98.0
add address=10.0.0.2/24 disabled=yes interface=ether1-WAN network=10.0.0.0
add address=192.168.50.2/24 interface=wg1 network=192.168.50.0
add address=192.168.99.1/24 interface=br_PBR network=192.168.99.0
add address=192.168.60.2/24 interface=Name network=192.168.60.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no interface=ether1-WAN use-peer-dns=no
add add-default-route=no interface=br-VPN
add add-default-route=no interface=ether8 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.99.7 client-id=(Mac) comment=\
    "Grandstream HT801" mac-address=(Mac) server=dhcp2
add address=192.168.99.183 client-id=(Mac) comment=\
    "Alienware PC" mac-address=(Mac) server=dhcp2
add address=192.168.99.151 client-id=(Mac) mac-address=\
    (Mac) server=dhcp2
add address=192.168.99.155 client-id=(Mac) comment=\
    "ASUS Router" mac-address=(Mac) server=dhcp2
add address=192.168.99.190 client-id=(Mac) comment=\
    "AVM Fritz Powerline 1260" mac-address=(Mac) server=dhcp2
add address=192.168.99.91 client-id=(Mac) comment=PS5 \
    mac-address=(Mac) server=dhcp2
add address=192.168.99.21 client-id=1(Mac) comment=\
    MAXTV-Android-Box mac-address=(Mac) server=dhcp2
add address=192.168.99.14 client-id=(Mac) comment=SONY-TV-77 \
    mac-address=(Mac) server=dhcp2
add address=192.168.99.169 mac-address=(Mac) server=dhcp2
add address=192.168.99.35 comment="Motorola Nettvplus" mac-address=\
    (Mac) server=dhcp2
add address=192.168.99.23 client-id=(Mac) mac-address=\
    (Mac) server=dhcp2
/ip dhcp-server network
add address=192.168.98.0/24 comment=defconf dns-server=192.168.98.1 gateway=\
    192.168.98.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=192.168.50.1
/ip dns static
add address=192.168.88.1 comment=defconf disabled=yes name=router.lan type=A
add address=192.168.50.1 name=mk.wg type=A
/ip firewall address-list
add address=192.168.98.0/24 list=local
add address=192.168.50.0/24 list=Trusted
add address=(VpnIP) list=Trusted
add address=192.168.60.0/24 list=Trusted
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=drop chain=output comment="TEST WAN1 Failover to WAN2" disabled=\
    yes dst-address=8.8.8.8
add action=accept chain=forward connection-state=established,related
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=\
    tcp src-address-list=Trusted
add action=accept chain=input src-address-list=Trusted
# zerotier1 not ready
# zerotier1 not ready
add action=accept chain=forward in-interface=zerotier1
# zerotier1 not ready
# zerotier1 not ready
add action=accept chain=input in-interface=zerotier1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept IGMP" in-interface=br-VPN \
    protocol=udp
add action=accept chain=forward comment="Forward IGMP" in-interface=br-VPN \
    protocol=udp
add action=accept chain=input comment="Accept GRE" protocol=gre
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah
add action=accept chain=input dst-port=500 in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=4500 in-interface-list=WAN protocol=\
    tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1300 out-interface=\
    wg1 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=mark-routing chain=prerouting disabled=yes in-interface=br-VPN \
    log=yes new-routing-mark=wg passthrough=yes
add action=change-mss chain=forward comment="WG Required Rule (First One)" \
    disabled=yes new-mss=clamp-to-pmtu passthrough=no protocol=tcp tcp-flags=\
    syn
add action=change-mss chain=forward comment="WG Required Rule 1/2" new-mss=\
    1372 out-interface=wg1 passthrough=no protocol=tcp tcp-flags=syn tcp-mss=\
    1373-65535
add action=change-mss chain=forward comment="WG Required Rule 2/2" disabled=\
    yes new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=forward comment="Change MSS on L2TP bridge" \
    disabled=yes new-mss=clamp-to-pmtu out-interface=br-VPN passthrough=yes \
    protocol=tcp tcp-flags=syn
add action=change-mss chain=forward disabled=yes new-mss=1380 passthrough=yes \
    protocol=tcp tcp-flags=syn tcp-mss=1381-65535
add action=mark-connection chain=prerouting comment=MaxTV disabled=yes \
    in-interface=br-VPN new-connection-mark=MaxTV passthrough=yes
add action=mark-packet chain=prerouting connection-mark=MaxTV disabled=yes \
    new-packet-mark=MaxTV passthrough=no
add action=mark-connection chain=prerouting comment=DNS connection-state=new \
    disabled=yes new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=prerouting connection-mark=DNS disabled=yes \
    new-packet-mark=DNS passthrough=no
add action=mark-connection chain=postrouting connection-state=new disabled=\
    yes new-connection-mark=DNS passthrough=yes port=53 protocol=udp
add action=mark-packet chain=postrouting connection-mark=DNS disabled=yes \
    new-packet-mark=DNS passthrough=no
add action=mark-connection chain=prerouting comment=VOIP disabled=yes \
    new-connection-mark=VOIP passthrough=yes port=5060-5062,8560,10000-10050 \
    protocol=udp
add action=mark-packet chain=prerouting connection-mark=VOIP disabled=yes \
    new-packet-mark=VOIP passthrough=no
add action=mark-connection chain=prerouting comment=QUIC connection-state=new \
    disabled=yes new-connection-mark=QUIC passthrough=yes port=80,443 \
    protocol=udp
add action=mark-packet chain=prerouting connection-mark=QUIC disabled=yes \
    new-packet-mark=QUIC passthrough=no
add action=mark-connection chain=prerouting comment=UDP connection-state=new \
    disabled=yes new-connection-mark=UDP passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=UDP disabled=yes \
    new-packet-mark=UDP passthrough=no
add action=mark-connection chain=prerouting comment=ICMP connection-state=new \
    disabled=yes new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting connection-mark=ICMP disabled=yes \
    new-packet-mark=ICMP passthrough=no
add action=mark-connection chain=postrouting connection-state=new disabled=\
    yes new-connection-mark=ICMP passthrough=yes protocol=icmp
add action=mark-packet chain=postrouting connection-mark=ICMP disabled=yes \
    new-packet-mark=ICMP passthrough=no
add action=mark-packet chain=postrouting comment=ACK disabled=yes \
    new-packet-mark=ACK packet-size=0-123 passthrough=no protocol=tcp \
    tcp-flags=ack
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=ACK \
    packet-size=0-123 passthrough=no protocol=tcp tcp-flags=ack
add action=mark-connection chain=prerouting comment=HTTP connection-mark=\
    no-mark connection-state=new disabled=yes new-connection-mark=HTTP \
    passthrough=yes port=80,443 protocol=tcp
add action=mark-connection chain=prerouting connection-bytes=5000000-0 \
    connection-mark=HTTP connection-rate=2M-100M disabled=yes \
    new-connection-mark=HTTP_BIG passthrough=yes protocol=tcp
add action=mark-packet chain=prerouting connection-mark=HTTP_BIG disabled=yes \
    new-packet-mark=HTTP_BIG passthrough=no
add action=mark-packet chain=prerouting connection-mark=HTTP disabled=yes \
    new-packet-mark=HTTP passthrough=no
add action=mark-connection chain=prerouting comment=OTHER connection-state=\
    new disabled=yes new-connection-mark=POP3 passthrough=yes port=\
    995,465,587 protocol=tcp
add action=mark-packet chain=prerouting connection-mark=POP3 disabled=yes \
    new-packet-mark=OTHER passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
    yes new-connection-mark=OTHER passthrough=yes
add action=mark-packet chain=prerouting connection-mark=OTHER disabled=yes \
    new-packet-mark=OTHER passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=lo
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=br_PBR
add action=masquerade chain=srcnat disabled=yes out-interface=wg1
/ip firewall raw
add action=drop chain=output disabled=yes dst-address=8.8.4.4 src-address=\
    192.168.120.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no distance=1 dst-address=192.168.88.0/24 gateway=wg1 \
    routing-table=main scope=10 suppress-hw-offload=no
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wg1 pref-src="" \
    routing-table=wg scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.5.5.241/32 gateway=192.168.1.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=31
add disabled=no distance=1 dst-address=8.8.4.4/32 gateway=192.168.188.1 \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=31
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=\
    192.5.5.241 pref-src="" routing-table=main scope=30 suppress-hw-offload=\
    no target-scope=32
add check-gateway=ping disabled=no distance=4 dst-address=0.0.0.0/0 gateway=\
    8.8.4.4 pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=32
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip upnp
set enabled=yes
/mpls ldp
add disabled=no lsr-id=192.168.12.2 transport-addresses=192.168.12.2
/mpls ldp interface
add disabled=no interface="ether5-IPTV STB"
add disabled=no interface=lo
/ppp profile
add bridge=*E name=SITE-TO-SITE-L2VPN
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets="(RedactedIPs)" disabled=yes \
    interface=wg1 upstream=yes
add disabled=yes interface="ether5-IPTV STB"
/routing rule
add action=lookup-only-in-table disabled=yes src-address=192.168.99.101/32 \
    table=main
add action=lookup comment="Alienware PC VPN Routing (Enable to bypass WG)" \
    disabled=yes src-address=192.168.99.183/32 table=main
add action=lookup comment="ASUS Router" disabled=no src-address=\
    192.168.99.155/32 table=main
add action=lookup-only-in-table disabled=no dst-address=192.168.99.0/24 \
    src-address=192.168.99.0/24 table=main
add action=lookup-only-in-table disabled=no src-address=192.168.99.0/24 \
    table=wg
add action=lookup comment=\
    "AVM Fritz Powerline 1260 - Enable to bypass WG VPN" disabled=yes \
    src-address=192.168.99.190/32 table=main
add action=lookup comment="PS5 (Enable to bypass MK WG)" disabled=yes \
    src-address=192.168.99.91/32 table=main
add action=lookup comment="NettvPlus Motorola (Enable to bypass MK WG)" \
    disabled=yes src-address=192.168.99.35/32 table=main
add action=lookup comment="Macbook Pro" disabled=yes src-address=\
    192.168.99.23/32 table=main
/system clock
set time-zone-autodetect=no time-zone-name=Redacted
/system identity
set name=RB5009
/system note
set show-at-login=no
/system script
add dont-require-permissions=yes name=UP owner=(Name) policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
    tool fetch url=\"https://api.telegram.org/bot\text=WAN1 is UP\""
add dont-require-permissions=yes name=DOWN owner=(Name) policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
    delay 20s;\r\
    \n/tool fetch url=\"https://api.telegram.org/text=WAN1 is DOWN\""
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add disabled=no down-script="/system/script/run DOWN;" host=192.5.5.241 \
    http-codes="" interval=1m packet-count=10 packet-interval=1s start-delay=\
    3s startup-delay=2m test-script="" thr-avg=200ms timeout=3s type=icmp \
    up-s
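The hand redaction described in the post above can be scripted. This Python example is added here and is not part of the original post or of RouterOS: it joins wrapped lines, then blanks key material, passphrases, MAC addresses, public IPv4 addresses and URL paths in an export before it is shared. The list of property names and the placeholder strings are assumptions, the sample export is constructed, and IPv6 is not handled.

```python
import ipaddress
import re

# Assumed list of properties to blank wholesale (keys, passphrases, secrets);
# extend it to match your own export.
SECRET_KEYS = {"private-key", "public-key", "preshared-key", "passphrase",
               "password", "secret"}
# Addresses inside these ranges are kept so the posted topology stays readable.
KEEP_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

HEADER_RE = re.compile(r"^(# (?:software id|serial number) = ).*$", re.M)
# key=value, where value is a quoted string or a run of non-space characters
KV_RE = re.compile(r'(?P<key>[A-Za-z0-9.\-]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S+)')
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Tokens often sit in the path of a URL embedded in a script: keep only the host.
URL_RE = re.compile(r'(https?://[^/\s"\\]+)/[^\s"\\]+')

# Constructed sample; every key, address and token below is made up.
SAMPLE = r'''# 2024-01-01 00:00:00 by RouterOS 7.16.1
# software id = ABCD-1234
# serial number = HXX00XXXXXX
/interface wifi configuration
add name=cfg1 security.authentication-types=wpa2-psk,wpa3-psk \
    .passphrase="correct horse" ssid=DOMA
/interface wireguard peers
add endpoint-address=203.0.113.7 interface=wg1 public-key=\
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
/ip dhcp-server lease
add address=192.168.99.7 mac-address=02:00:5E:10:00:01 server=dhcp2
/system script
add name=UP source="/tool fetch url=\"https://api.telegram.org/botTOKEN/sendMessage\?text=up\""
'''


def _kv(match):
    # ".passphrase" and "security.passphrase" both end in "passphrase"
    if match.group("key").split(".")[-1] in SECRET_KEYS:
        return f'{match.group("key")}="(Redacted)"'
    return match.group(0)


def _ipv4(match):
    try:
        addr = ipaddress.ip_address(match.group(0))
    except ValueError:          # e.g. 999.1.1.1: not an address, leave it
        return match.group(0)
    return match.group(0) if any(addr in n for n in KEEP_NETS) else "(PublicIP)"


def redact_export(text):
    # A wrapped line ends in "\" and continues indented on the next one; join
    # first so a key split from its value (public-key=\ ...) is still matched.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    text = HEADER_RE.sub(r"\1(Redacted)", text)
    text = KV_RE.sub(_kv, text)
    text = URL_RE.sub(r"\1/(Redacted)", text)
    text = MAC_RE.sub("(MacAddress)", text)
    return IPV4_RE.sub(_ipv4, text)


if __name__ == "__main__":
    print(redact_export(SAMPLE))
```

Review the output by eye before posting: free-text fields such as comments and script bodies can still carry identifying details that no pattern will catch.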
 
sk0003
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 17, 2023 6:52 pm

Re: CAPSMAN Setup Help for better roaming

Wed Oct 30, 2024 9:57 pm

@erlinden - Have you had a chance to take a look at the config?
 
neki
Member Candidate
Posts: 250
Joined: Thu Sep 07, 2023 10:20 am

Re: CAPSMAN Setup Help for better roaming

Wed Oct 30, 2024 11:37 pm

Check that you have some meaningful identity set on all caps.

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg1

Change to:
/interface wifi provisioning
add action=create-enabled disabled=no name-format=%I-wifi master-configuration=cfg1
  • name-format with variable %I (capital i) will create a list of interfaces: IdentityOfCap-wifi1 and so on, that way you will be able to easily identify each interface
  • create-enabled instead of create-dynamic-enabled will allow you to manually set frequency of each cap (on CAPsMAN), that way you will prevent overlapping on same frequency

Remember, you want your signal to overlap but on different frequencies. Anyway, your 802.11k/r/v looks good, not much more can be done. As was already mentioned, in the end the client decides when to roam.
 
erlinden
Forum Guru
Posts: 2732
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAPSMAN Setup Help for better roaming

Thu Oct 31, 2024 9:54 am

By leaving a lot on auto, you never know what will happen. I.e. all frequencies can be equal making roaming terrible.

What I would do, is configure per radio:
/interface wifi channel
add disabled=no frequency=2412 name="CH 1 (2412)" width=20mhz
add disabled=no frequency=2437 name="CH 6 (2437)" width=20mhz
add disabled=no frequency=2462 name="CH 11(2462)" width=20mhz

add disabled=no frequency=5180 name="CH 36 (5180)" width=20/40/80mhz
add disabled=no frequency=5260 name="CH 52 (5260)" width=20/40/80mhz
add disabled=no frequency=5500 name="CH 100 (5500)" width=20/40/80mhz
add disabled=no frequency=5680 name="CH 136 (5680)" width=20/40/80mhz

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=sec1 wps=disable

/interface wifi configuration
add country="North Macedonia" disabled=no mode=ap name=AP1-2412 security=sec1 ssid=DOMA channel="CH 1 (2412)" tx-power=10
add country="North Macedonia" disabled=no mode=ap name=AP2-2437 security=sec1 ssid=DOMA channel="CH 6 (2437)" tx-power=10
add country="North Macedonia" disabled=no mode=ap name=AP3-2462 security=sec1 ssid=DOMA channel="CH 11(2462)" tx-power=10

add country="North Macedonia" disabled=no mode=ap name=AP1-5180 security=sec1 ssid=DOMA channel="CH 36 (5180)"
add country="North Macedonia" disabled=no mode=ap name=AP2-5260 security=sec1 ssid=DOMA channel="CH 52 (5260)"
add country="North Macedonia" disabled=no mode=ap name=AP3-5500 security=sec1 ssid=DOMA channel="CH 100 (5500)"

/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=AP1-2412 radio-mac=[INSERT MAC address of AP1, 2.4GHz radio]
add action=create-dynamic-enabled master-configuration=AP2-2437 radio-mac=[INSERT MAC address of AP2, 2.4GHz radio]
add action=create-dynamic-enabled master-configuration=AP3-2462 radio-mac=[INSERT MAC address of AP3, 2.4GHz radio]

add action=create-dynamic-enabled master-configuration=AP1-5180 radio-mac=[INSERT MAC address of AP1, 5GHz radio]
add action=create-dynamic-enabled master-configuration=AP2-5260 radio-mac=[INSERT MAC address of AP2, 5GHz radio]
add action=create-dynamic-enabled master-configuration=AP3-5500 radio-mac=[INSERT MAC address of AP3, 5GHz radio]
I added the option for lowering tx-power on the 2.4GHz radio. I also removed the .encryption property (which you are very welcome to use, of course).
Hope this gives insights on how you can configure more precisely.
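A per-radio layout like the one above is easy to get wrong by one name or one frequency. As an added example (not from the post or from MikroTik), this Python check reads the wifi sections of an export and reports configurations that reference an undefined channel, are left on auto, share a frequency, sit closer than 25 MHz on 2.4 GHz, or mix security profiles under one SSID. The function names, finding labels and the 25 MHz threshold are assumptions, and the sample is constructed.

```python
import re
from collections import defaultdict
from itertools import combinations

# key=value, where value is a quoted string or a run of non-space characters
KV_RE = re.compile(r'([A-Za-z0-9.\-]+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample in the style of a per-radio layout. It contains three
# deliberate mistakes: AP2-24 references a channel name that is never defined,
# AP3-5 reuses the frequency of AP1-5, and AP3-24 uses a different security
# profile than the other radios broadcasting the same SSID.
SAMPLE = r'''/interface wifi channel
add disabled=no frequency=2412 name="CH 1 (2412)" width=20mhz
add disabled=no frequency=2437 name="CH 6 (2437)" width=20mhz
add disabled=no frequency=2462 name="CH 11 (2462)" width=20mhz
add disabled=no frequency=5180 name="CH 36 (5180)" width=20/40/80mhz
add disabled=no frequency=5260 name="CH 52 (5260)" width=20/40/80mhz
add disabled=no frequency=5500 name="CH 100 (5500)" width=20/40/80mhz
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk ft=yes ft-over-ds=yes name=sec1
add authentication-types=wpa2-psk name=sec-legacy
/interface wifi configuration
add name=AP1-24 security=sec1 ssid=DOMA channel="CH 1 (2412)" tx-power=10
add name=AP2-24 security=sec1 ssid=DOMA channel="CH 2 (2437)" tx-power=10
add name=AP3-24 security=sec-legacy ssid=DOMA channel="CH 11 (2462)" \
    tx-power=10
add name=AP1-5 security=sec1 ssid=DOMA channel="CH 36 (5180)"
add name=AP2-5 security=sec1 ssid=DOMA channel="CH 52 (5260)"
add name=AP3-5 security=sec1 ssid=DOMA channel="CH 36 (5180)"
'''


def parse_sections(export_text):
    """Return {section path: [{property: value}, ...]} for every 'add' line."""
    text = re.sub(r"\\\r?\n[ \t]*", "", export_text)  # undo RouterOS line wrapping
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            sections[current].append(
                {k: v.strip('"') for k, v in KV_RE.findall(line)})
    return sections


def check_channel_plan(export_text, min_sep_24ghz=25):
    """Return a list of (finding, subject) tuples; an empty list means clean."""
    s = parse_sections(export_text)
    freq = {}
    for ch in s["/interface wifi channel"]:
        if ch.get("frequency", "").isdigit():   # single fixed frequency only
            freq[ch.get("name")] = int(ch["frequency"])
    findings, placed, security_by_ssid = [], [], defaultdict(set)
    for cfg in s["/interface wifi configuration"]:
        name = cfg.get("name", "?")
        security_by_ssid[cfg.get("ssid")].add(cfg.get("security"))
        ch = cfg.get("channel")
        if ch is None:
            findings.append(("auto-channel", name))       # frequency left on auto
        elif ch not in freq:
            findings.append(("undefined-channel", name))  # name typo or missing entry
        else:
            placed.append((name, freq[ch]))
    for (a, fa), (b, fb) in combinations(placed, 2):
        if fa == fb:
            findings.append(("co-channel", f"{a}/{b}"))
        elif fa < 3000 and fb < 3000 and abs(fa - fb) < min_sep_24ghz:
            findings.append(("overlap-2.4GHz", f"{a}/{b}"))
    for ssid, profiles in security_by_ssid.items():
        if len(profiles) > 1:                   # roaming needs identical security
            findings.append(("mixed-security", ssid))
    return findings


if __name__ == "__main__":
    for finding in check_channel_plan(SAMPLE):
        print(finding)
```

Two APs reported as co-channel may still be fine if they are far enough apart not to hear each other; the check only knows the configuration, not the floor plan.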
 
sk0003
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 17, 2023 6:52 pm

Re: CAPSMAN Setup Help for better roaming

Thu Oct 31, 2024 11:24 am

By leaving a lot on auto, you never know what will happen. I.e. all frequencies can be equal making roaming terrible.

What I would do, is configure per radio:
/interface wifi channel
add disabled=no frequency=2412 name="CH 1 (2412)" width=20mhz
add disabled=no frequency=2437 name="CH 6 (2437)" width=20mhz
add disabled=no frequency=2462 name="CH 11(2462)" width=20mhz

add disabled=no frequency=5180 name="CH 36 (5180)" width=20/40/80mhz
add disabled=no frequency=5260 name="CH 52 (5260)" width=20/40/80mhz
add disabled=no frequency=5500 name="CH 100 (5500)" width=20/40/80mhz
add disabled=no frequency=5680 name="CH 136 (5680)" width=20/40/80mhz

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes name=sec1 wps=disable

/interface wifi configuration
add country=""North Macedonia" disabled=no mode=ap name=AP1-2412 security=sec1 ssid=DOMA channel="CH 1 (2412)" tx-power=10
add country=""North Macedonia" disabled=no mode=ap name=AP2-2437 security=sec1 ssid=DOMA channel="CH 2 (2437)" tx-power=10
add country=""North Macedonia" disabled=no mode=ap name=AP3-2462 security=sec1 ssid=DOMA channel="CH 3 (2462)" tx-power=10

add country=""North Macedonia" disabled=no mode=ap name=AP1-5180 security=sec1 ssid=DOMA channel="CH 36 (5180)"
add country=""North Macedonia" disabled=no mode=ap name=AP2-5260 security=sec1 ssid=DOMA channel="CH 52 (5260)"
add country=""North Macedonia" disabled=no mode=ap name=AP3-5500 security=sec1 ssid=DOMA channel="CH 100 (5500)"

/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=AP1-2412 radio-mac=[INSERT MAC address of AP1, 2.4GHz radio]
add action=create-dynamic-enabled master-configuration=AP2-2437 radio-mac=[INSERT MAC address of AP2, 2.4GHz radio]
add action=create-dynamic-enabled master-configuration=AP3-2462 radio-mac=[INSERT MAC address of AP3, 2.4GHz radio]

add action=create-dynamic-enabled master-configuration=AP1-5180 radio-mac=[INSERT MAC address of AP1, 5GHz radio]
add action=create-dynamic-enabled master-configuration=AP2-5260 radio-mac=[INSERT MAC address of AP2, 5GHz radio]
add action=create-dynamic-enabled master-configuration=AP3-5500 radio-mac=[INSERT MAC address of AP3, 5GHz radio]
I added the option for lowering tx-power on the 2.4GHz radio. As well I removed the .encryption property (which you are very welcome to use, of course).
Hope this gives insights on how you can configure more precisely.
Perfect, thank you very much. I will do the configuration and report back.
 
sk0003
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 17, 2023 6:52 pm

Re: CAPSMAN Setup Help for better roaming

Thu Oct 31, 2024 11:33 am

Check that you have some meaningful identity set on all caps.

/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg1

Change to:
/interface wifi provisioning
add action=create-enabled disabled=no name-format=%I-wifi master-configuration=cfg1
  • name-format with variable %I (capital i) will create a list of interfaces: IdentityOfCap-wifi1 and so on; that way you will be able to easily identify each interface
  • create-enabled instead of create-dynamic-enabled will allow you to manually set the frequency of each cap (on CAPsMAN); that way you will prevent overlapping on the same frequency

Remember, you want your signal to overlap but on different frequencies. Anyway, your 802.11k/r/v looks good, not much more can be done. As was already mentioned, in the end the client decides when to roam.
Thanks for the assistance!
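
The per-radio profiles quoted earlier and the advice above about keeping each cap on its own frequency both depend on names matching exactly: a channel= or master-configuration= value that does not match a defined name leaves that radio without the intended profile. The following is an added example, not code from the thread or from MikroTik; the function names are hypothetical, the sample export is constructed, and the parser assumes one-line add entries without line continuations.

```python
import shlex
from collections import defaultdict

# Constructed sample in RouterOS export style (not the poster's actual config).
SAMPLE = '''
/interface wifi channel
add disabled=no frequency=2412 name="CH 1 (2412)" width=20mhz
add disabled=no frequency=2437 name="CH 6 (2437)" width=20mhz
/interface wifi configuration
add mode=ap name=AP1-2412 ssid=DEMO channel="CH 1 (2412)" tx-power=10
add mode=ap name=AP2-2437 ssid=DEMO channel="CH 2 (2437)" tx-power=10
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=AP1-2412 radio-mac=00:00:5E:00:53:01
add action=create-dynamic-enabled master-configuration=AP9-2462 radio-mac=00:00:5E:00:53:02
'''

def parse_export(text):
    """Group 'add key=value ...' lines by the /menu path they appear under."""
    menus, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif line.startswith("add ") and current:
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            menus[current].append(dict(pairs))
    return menus

def check_references(text):
    """Return a list of problems: dangling profile names and reused frequencies."""
    m = parse_export(text)
    channels = {c["name"]: c.get("frequency") for c in m["/interface wifi channel"]}
    configs = {c["name"]: c for c in m["/interface wifi configuration"]}
    problems, used = [], defaultdict(list)
    for name, cfg in configs.items():
        ch = cfg.get("channel")
        if ch in channels:
            used[channels[ch]].append(name)   # remember who sits on this frequency
        elif ch is not None:
            problems.append(f"configuration {name}: unknown channel {ch!r}")
    for prov in m["/interface wifi provisioning"]:
        ref = prov.get("master-configuration")
        if ref not in configs:
            problems.append(f"provisioning: unknown master-configuration {ref!r}")
    for freq, names in used.items():
        if len(names) > 1:
            problems.append(f"frequency {freq} shared by {', '.join(names)}")
    return problems
```

Running check_references on the text of an /interface wifi export from the CAPsMAN controller returns an empty list when every reference resolves and no two configurations share a frequency.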
 
erlinden
Forum Guru
Forum Guru
Posts: 2732
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAPSMAN Setup Help for better roaming

Thu Oct 31, 2024 11:33 am

Perfect, thank you very much. I will do the configuration and report back.
You are very welcome. The radio mac address can be found on the Radios tab (in Winbox).
 
sk0003
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 17, 2023 6:52 pm

Re: CAPSMAN Setup Help for better roaming

Thu Oct 31, 2024 11:58 am

Perfect, thank you very much. I will do the configuration and report back.
You are very welcome. The radio mac address can be found on the Radios tab (in Winbox).
Thanks.

By the way, any superior knowledge of firewall and queues? I tried posting in other sections of the forum but no responses.

I would like to setup my queues so that my L2TP tunnel over which I am receiving multicast IPTV to a set-top-box to take priority and after it all other video streaming followed by the rest of the stuff. Since I have the L2TP tunnel and a Wireguard tunnel for my home network, I am confused on how to set that up. I posted a diagram in a previous post with the whole config, if you'd like to take a look.
 
eddieb
Member
Member
Posts: 363
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: CAPSMAN Setup Help for better roaming

Thu Oct 31, 2024 12:02 pm

please stay on topic ...
 
erlinden
Forum Guru
Forum Guru
Posts: 2732
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAPSMAN Setup Help for better roaming

Thu Oct 31, 2024 12:05 pm

Can't help you on that. CAPsMAN is what I have most experience with (besides VLAN).
Only remark I have, I would use VLAN's instead of multiple bridges. Think it will simplify the firewall as well. (Simple) Queues with VLAN's is pretty easy (like setting minimum bandwidth), but not sure if that solves your problem.
 
sk0003
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 17, 2023 6:52 pm

Re: CAPSMAN Setup Help for better roaming

Thu Oct 31, 2024 12:06 pm

Can't help you on that. CAPsMAN is what I have most experience with (besides VLAN).
Only remark I have, I would use VLAN's instead of multiple bridges. Think it will simplify the firewall as well. (Simple) Queues with VLAN's is pretty easy (like setting minimum bandwidth), but not sure if that solves your problem.
Got it, thanks for the tips.
 
sk0003
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 17, 2023 6:52 pm

Re: CAPSMAN Setup Help for better roaming

Thu Oct 31, 2024 7:32 pm

Can't help you on that. CAPsMAN is what I have most experience with (besides VLAN).
Only remark I have, I would use VLAN's instead of multiple bridges. Think it will simplify the firewall as well. (Simple) Queues with VLAN's is pretty easy (like setting minimum bandwidth), but not sure if that solves your problem.
I made the changes and it seems to be working good so far.

I noticed for this channel below there is no configuration or provisioning. Is this by design?
add disabled=no frequency=5680 name="CH 136 (5680)" width=20/40/80mhz
 
neki
Member Candidate
Member Candidate
Posts: 250
Joined: Thu Sep 07, 2023 10:20 am

Re: CAPSMAN Setup Help for better roaming

Thu Oct 31, 2024 7:38 pm

You don't need 4 frequencies for 3 APs ?
 
sk0003
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 17, 2023 6:52 pm

Re: CAPSMAN Setup Help for better roaming

Thu Oct 31, 2024 8:56 pm

You don't need 4 frequencies for 3 APs ?
You may be right :-)
 
sk0003
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 17, 2023 6:52 pm

Re: CAPSMAN Setup Help for better roaming

Fri Nov 01, 2024 8:30 am

I implemented the config and it is working better but just wanted to confirm that I am still having the issue with my Android tablet when being in AP3’s zone of coverage, going to AP2’s zone of coverage it is still being barely connected to AP3 but this time it’s the 5ghz radio. AP1 is a bit farther so no problem there.

I am assuming this is so because the TX power is not set on the 5ghz radios. Should I tone them down a level until it is working. The maximum is 17db correct?
 
erlinden
Forum Guru
Forum Guru
Posts: 2732
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAPSMAN Setup Help for better roaming

Fri Nov 01, 2024 11:11 am

Difficult to advise, as some relevant information is missing. What is the signal and what are the tx and rx rates in that case?
Of course you can play with tx power, as well you can add access lists to block clients when a threshold is reached.
 
sk0003
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 17, 2023 6:52 pm

Re: CAPSMAN Setup Help for better roaming

Tue Nov 05, 2024 1:03 am

Sorry for my delayed response but I have not had enough time the past days to get sufficient data. I have been playing with the TX power of the 2ghz radios and lowering them, I think it’s pretty good now where going from room to room I am getting almost seamless roaming. I even tested with a live tv channel playing on the tablet and there was about a second drop off when it switched. Is that good?
 
holvoetn
Forum Guru
Forum Guru
Posts: 6869
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPSMAN Setup Help for better roaming

Tue Nov 05, 2024 8:11 am

Of course you can play with tx power, as well you can add access lists to block clients when a threshold is reached.
AFAIK it is advised not to do that since some clients may completely avoid an AP playing such tricks.
 
infabo
Forum Guru
Forum Guru
Posts: 1492
Joined: Thu Nov 12, 2020 12:07 pm

Re: CAPSMAN Setup Help for better roaming

Tue Nov 05, 2024 8:30 am

I even tested with a live tv channel playing on the tablet and there was about a second drop off when it switched. Is that good?
You may get rid of that dropoff by enabling ft and ft-over-ds.
 
erlinden
Forum Guru
Forum Guru
Posts: 2732
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAPSMAN Setup Help for better roaming

Tue Nov 05, 2024 8:38 am

I even tested with a live tv channel playing on the tablet and there was about a second drop off when it switched. Is that good?
What is the logging showing? It doesn't sound like fast transitioning.

Thanks @holvoetn, wasn't aware of that.
 
sk0003
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 17, 2023 6:52 pm

Re: CAPSMAN Setup Help for better roaming

Tue Nov 05, 2024 8:56 am

I even tested with a live tv channel playing on the tablet and there was about a second drop off when it switched. Is that good?
What is the logging showing? It doesn't sound like fast transitioning.

Thanks @holvoetn, wasn't aware of that.
I will check if I can find the log from that moment but just right now, it is not roaming again from AP3 to AP2's zone of coverage.. still connected to AP3 at a signal of -60db, tx rate of 52mbps and rx rate of 60mbps.
 
erlinden
Forum Guru
Forum Guru
Posts: 2732
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAPSMAN Setup Help for better roaming

Tue Nov 05, 2024 9:22 am

At a signal of -60dB, why would you expect it to roam?
 
sk0003
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 17, 2023 6:52 pm

Re: CAPSMAN Setup Help for better roaming

Tue Nov 05, 2024 6:45 pm

My iPhone roams but the Android tablet does not, I'm assuming it has a better antenna since it's bigger. So I can lower the TX power more?
 
neki
Member Candidate
Member Candidate
Posts: 250
Joined: Thu Sep 07, 2023 10:20 am

Re: CAPSMAN Setup Help for better roaming

Tue Nov 05, 2024 7:10 pm

What do you expect that you will gain? There is no need to lower TX power at all... It sounds like you have APs too close (closer than needed) and now you chase ghosts. Note that there are tons of guides for ROS6 and wireless package that didn't support proper roaming.
 
sk0003
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 17, 2023 6:52 pm

Re: CAPSMAN Setup Help for better roaming

Tue Nov 26, 2024 11:54 pm

What do you expect that you will gain? There is no need to lower TX power at all... It sounds like you have APs too close (closer than needed) and now you chase ghosts. Note that there are tons of guides for ROS6 and wireless package that didn't support proper roaming.
Just seeing your response that sparked some interest. On my rb5009, I have the wireless package. My APs have the wifi-qcom package. Could this have something to do with the roaming?
 
holvoetn
Forum Guru
Forum Guru
Posts: 6869
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPSMAN Setup Help for better roaming

Wed Nov 27, 2024 8:25 am

You do not need wireless (unless that RB5009 acts as capsman controller for legacy wifi APs).
If you only have AX or Qcom-AC APs, remove wireless from RB5009.

As of 7.13 support is default available in base ROS package to act as capsman controller for wave2 devices.
 
sk0003
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 62
Joined: Sun Sep 17, 2023 6:52 pm

Re: CAPSMAN Setup Help for better roaming

Wed Nov 27, 2024 6:14 pm

You do not need wireless (unless that RB5009 acts as capsman controller for legacy wifi APs).
If you only have AX or Qcom-AC APs, remove wireless from RB5009.

As of 7.13 support is default available in base ROS package to act as capsman controller for wave2 devices.
So if I remove the wireless package, my capsman config will not be affected?
 
holvoetn
Forum Guru
Forum Guru
Posts: 6869
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPSMAN Setup Help for better roaming

Wed Nov 27, 2024 7:31 pm

Correct.
 
infabo
Forum Guru
Forum Guru
Posts: 1492
Joined: Thu Nov 12, 2020 12:07 pm

Re: CAPSMAN Setup Help for better roaming

Wed Nov 27, 2024 9:59 pm

At least the wifi CAPsMAN config remains