Community discussions
https://forum.mikrotik.com/
Congratulations! This information is very helpful.http://wiki.mikrotik.com/wiki/Wireless_Debug_Logs
It's a work in progress, so suggestions and corrections are welcome.
did you read the page in the original post ???is there any specific log messege to kmow the reason of disconeection like network conjstion or authenticaion failure.
please read this topic from beginning. enable debug mode, and see what log says thenI could not debug but I tried to use C9 in ap bridge mode and clients get disconnected very often. How can I use it as AP and not have problems do clients "see" if it set to "client" mode?
I'm getting this a lot too with the newer wireless-test package with nstreme and polling enabled. One one specific tower, everything is fine if the noise floor is -99 or -100, but if it gets any worse than -98, everything starts freaking out and the only way to ensure a solid connection is with a -60 or better signal. It should be much more stable at much lower signals than that.How about "disconnected - too many poll timeouts"
what is your HW. retries value? If you have a newer ROS the default value is 4. It may be too low for the good link. I have just solved disconnect problems on nstreme link (no dual nstreme) with changing Hw. retries from 4 to 10 (ROS 3.30). The link was working fine except that it tended to disconnect frequently under load. After the change links never disconnected yet.I'm getting this a lot too with the newer wireless-test package with nstreme and polling enabled. One one specific tower, everything is fine if the noise floor is -99 or -100, but if it gets any worse than -98, everything starts freaking out and the only way to ensure a solid connection is with a -60 or better signal. It should be much more stable at much lower signals than that.How about "disconnected - too many poll timeouts"
Did you change the HW retries to 10 on the AP or the AP and CPE?I have just solved disconnect problems on nstreme link (no dual nstreme) with changing Hw. retries from 4 to 10 (ROS 3.30). The link was working fine except that it tended to disconnect frequently under load. After the change links never disconnected yet.How about "disconnected - too many poll timeouts"
I changed hw. retries on both sides. But it was a PtP link - not AP with many clients.Did you change the HW retries to 10 on the AP or the AP and CPE?How about "disconnected - too many poll timeouts"
nstreme config needs checking. email support with supout.rif file@Normis
Could you please explain this message: 'lost connection, not polled for too long'.
Can't find it here http://wiki.mikrotik.com/wiki/Wireless_Debug_Logs
TIA, Grzegorz.
is there any algorythm to solve such behaviour of the wireless interfaces. once i set "dynamic size" to give best performance, another time - "best fit"... what is the secret actually?nstreme config needs checking. email support with supout.rif file@Normis
Could you please explain this message: 'lost connection, not polled for too long'.
Can't find it here http://wiki.mikrotik.com/wiki/Wireless_Debug_Logs
TIA, Grzegorz.
it is "signal to noise" not just noiseandycelo:
Your noise is to hi -64?
I'll guess progress is slow.... Its 2012 now and NV2 already in use for some years but still no update on this document in regard of message produced in NV2 networks.....http://wiki.mikrotik.com/wiki/Wireless_Debug_Logs
It's a work in progress, so suggestions and corrections are welcome.
Hello Jarda, how's you. i hope its going good there and thanks for your post reply.Other side receives the packets sporadically, may happen it considers the link to be lost and then it receives another packet. As the connection from its point of view is not established anymore it responds with deauth. Your signal strength/quality is obviously too low.
So what is the problem . It's just debug logging . Ap check for acl entry and by default client got connected .i've got same problem for years..
22:33:20 wireless,debug wlan1: 00:80:48:41:AF:2A attempts to connect
22:33:20 wireless,debug wlan1: 00:80:48:41:AF:2A not in local ACL, by default accept
22:33:20 wireless,info 00:80:48:41:AF:2A@wlan1: connected
file.png
http://wiki.mikrotik.com/wiki/Wireless_Debug_Logs
It's a work in progress, so suggestions and corrections are welcome.
I don't know about mikrotik implementation but I would say: NEVER USE TKIP. In the Standard is antihack feature and all clients get deauth'ed if that kicks in. (This is true for other manufactures following that standard and I would guess that Mikrotik is following the rfc's as well.I'm getting the MIC Failures on several of my clients. Interference isn't an issue on one of them and their signal is -50, ccq is around 99.
Client is conecting to a RB112/CM9 using a laptop. Two other customers are using Tranzeo CPE 90's.
They connect fine....then out of the blue I see those MIC failures.
Is there another explanation for the cause of these? Or is it just a compatibility issue between the cpe's and ap and using TKIP.
Thanks
I haven't this message explained in your link...?.....disconnected, received deauth: 4-way handshake timeout (15)
/interface mesh
add name=Mesh-Interface
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
band=2ghz-b/g/n disabled=no frequency=2457 mode=ap-bridge \
noise-floor-threshold=-100 radio-name=RB951G_AP1 ssid=\
"xxxxxxxx" wds-default-bridge=Mesh-Interface \
wds-mode=dynamic-mesh wmm-support=enabled
/interface wireless nstreme
set wlan1 enable-polling=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=WDS_secure \
supplicant-identity="" wpa-pre-shared-key=13ctr4WDS wpa2-pre-shared-key=\
13ctr4WDS
/ip dhcp-server
add disabled=no interface=Mesh-Interface name=Relay_Server_DHCP1 relay=\
10.5.50.2
add disabled=no interface=Mesh-Interface name=Relay_Server_DHCP2 relay=\
10.5.50.3
add disabled=no interface=Mesh-Interface name=Relay_Server_DHCP3 relay=\
10.5.50.4
/ip hotspot profile
add dns-name=xxx.hotspot.fr hotspot-address=10.5.50.1 login-by=\
mac,http-chap mac-auth-mode=mac-as-username-and-password name=hsprof1
/ip pool
add name=hs-pool ranges=10.5.50.2-10.5.50.254
/ip dhcp-server
add address-pool=hs-pool disabled=no interface=Mesh-Interface lease-time=1h \
name=dhcp1
/ip hotspot
add address-pool=hs-pool addresses-per-mac=2 disabled=no interface=\
Mesh-Interface login-timeout=30m name=hotspot1 profile=hsprof1
/interface mesh port
add interface=wlan1 mesh=Mesh-Interface
/ip address
add address=10.5.50.1/24 comment="hotspot network" interface=wlan1 network=\
10.5.50.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
interface=ether1
....
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/system leds
set 0 interface=wlan1
/system logging
add topics=hotspot
add topics=dhcp
/tool romon
set enabled=yesSame problem here out of box with new HEX3 and 3 WAP AC.Hi normis,
I have upgrade from 6.34.6 to 6.37.5 my RB951G-2HnD.
I have disabled wireless-fp package before restart and upgrade RouterOS. I have one wireless package and it was already activated (I think that installation is fine!)
But When I activate wireless...few second later I got this log message for every connecting devices:I haven't this message explained in your link...?.....disconnected, received deauth: 4-way handshake timeout (15)
Here is my configuration on Access Point 1 (Roaming with Dynamic Mesh):Code: Select all/interface mesh add name=Mesh-Interface /interface wireless set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \ band=2ghz-b/g/n disabled=no frequency=2457 mode=ap-bridge \ noise-floor-threshold=-100 radio-name=RB951G_AP1 ssid=\ "xxxxxxxx" wds-default-bridge=Mesh-Interface \ wds-mode=dynamic-mesh wmm-support=enabled /interface wireless nstreme set wlan1 enable-polling=no /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik add authentication-types=wpa-psk,wpa2-psk eap-methods="" \ management-protection=allowed mode=dynamic-keys name=WDS_secure \ supplicant-identity="" wpa-pre-shared-key=13ctr4WDS wpa2-pre-shared-key=\ 13ctr4WDS /ip dhcp-server add disabled=no interface=Mesh-Interface name=Relay_Server_DHCP1 relay=\ 10.5.50.2 add disabled=no interface=Mesh-Interface name=Relay_Server_DHCP2 relay=\ 10.5.50.3 add disabled=no interface=Mesh-Interface name=Relay_Server_DHCP3 relay=\ 10.5.50.4 /ip hotspot profile add dns-name=xxx.hotspot.fr hotspot-address=10.5.50.1 login-by=\ mac,http-chap mac-auth-mode=mac-as-username-and-password name=hsprof1 /ip pool add name=hs-pool ranges=10.5.50.2-10.5.50.254 /ip dhcp-server add address-pool=hs-pool disabled=no interface=Mesh-Interface lease-time=1h \ name=dhcp1 /ip hotspot add address-pool=hs-pool addresses-per-mac=2 disabled=no interface=\ Mesh-Interface login-timeout=30m name=hotspot1 profile=hsprof1 /interface mesh port add interface=wlan1 mesh=Mesh-Interface /ip address add address=10.5.50.1/24 comment="hotspot network" interface=wlan1 network=\ 10.5.50.0 /ip dhcp-client add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \ interface=ether1 .... /ip service set telnet disabled=yes set ftp disabled=yes set ssh disabled=yes /system leds set 0 interface=wlan1 /system logging add topics=hotspot add topics=dhcp /tool romon set enabled=yes
i am having same issue on the clear line of sight, where the client is not far than 500meters, so how can you say bad signal??extensive data loss, bad signal.
I'm also seeing this one appear from time to time on v6.42.5I am also receiving "disconnected, received deauth: authentication not valid (2)" on AP side and "no beacons" on client side every few seconds while the link otherwise is able transfer data meanwhile.
13:55:48 wireless,info <removed1>@wlan1: disconnected, unicast key exchange timeout
13:55:52 wireless,info <removed2>@wlan1: connected, signal strength -68
13:55:55 wireless,info <removed2>@wlan1: disconnected, received deauth: authentication not valid (2)
13:56:00 wireless,info <removed1>@wlan1: connected, signal strength -72
13:56:05 wireless,info <removed1>@wlan1: disconnected, unicast key exchange timeout
13:56:32 wireless,info <removed2>@wlan1: connected, signal strength -66
13:56:35 wireless,info <removed2>@wlan1: disconnected, received deauth: authentication not valid (2)
Should I raise tickets for things like this or just mention here?02:1D:CF:58:E5:BD@guest-2g disconnected, SA Query timeout, signal strength -77
Thank god it’s just not me!Debugging new wifi is hopeless. Log messages hardly contain any useful debug info.
The whole wifi section suffers a lot of info. wifi radar event log - a void of not existing info. tapping in the dark. no log about CAC, no logs on why/when/which channel was chosen. no logs when rescan interval kicks in and switches channel - and why it did choose to change. o dear, infamous SA query timeout. people freaking out because it does not tell you anything about what causing it. Yah, timeout. shit happens. I see this very rarely but some members have it flooding their logs and it is just as useful as a pipe to /dev/null.
registration table - a bare minimum implemention. does not even have a hostname column, so you need to check up DHCP lease table to get an idea about the device (unless you are super brain remembering Mac addresses). requested to have that hostname column (as legacy wireless had it); answer from support: nah, won't add it. sorry.
configuration print is okayish, but keeping the overview when working with many configurations/channels/security/etc profiles and plumbing them all together and overriding derived values down the path can be challenge. there should be a representation to better display the hierarchy.
i think i might have some of it working now but sureCan you post your configuration ?
# 2024-09-13 18:09:14 by RouterOS 7.16rc4
# software id = V3PJ-CM9W
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = Hxxxxxxxxx
/interface bridge
add name=Dockers
add admin-mac=D4:01:C3:02:0F:6A auto-mac=no comment=defconf name=bridge priority=0x7000
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-Hallway
set [ find default-name=ether3 ] name=ether3-David
set [ find default-name=ether4 ] name=ether4-Dinning
set [ find default-name=ether5 ] name=ether5-LAN
/interface veth
add address=10.0.0.2/24 gateway=10.0.0.1 gateway6="" name=veth1-Adguard
/interface wireguard
add comment=back-to-home-vpn listen-port=58411 mtu=1420 name=back-to-home-vpn
/disk
set usb1 media-interface=bridge media-sharing=yes smb-sharing=yes smb-user=guest
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add disabled=no name=ch1-5Ghz
add disabled=no name=ch2-2.4Ghz
/interface wifi datapath
add bridge=bridge disabled=no name=datapath1
/interface wifi security
add authentication-types="" disabled=no name=sec1
/interface wifi steering
add disabled=no name=steering1 neighbor-group=dynamic-MikroTik-020F6E-97a21101 rrm=yes wnm=yes
/interface wifi configuration
add channel=ch1-5Ghz channel.frequency=5470-5725 .reselect-interval=1h..2h .width=20/40/80mhz country=Australia datapath=datapath1 \
datapath.bridge=bridge disabled=no dtim-period=3 mode=ap multicast-enhance=enabled name=cfg1-5Ghz security=sec1 \
security.authentication-types=wpa2-psk .connect-priority=0/1 .disable-pmkid=yes .ft=yes .ft-over-ds=yes .group-encryption=ccmp \
.group-key-update=2h .management-protection=disabled .wps=disable ssid=Pal29_WiFi steering=steering1 steering.neighbor-group=\
dynamic-MikroTik-020F6E-97a21101 .rrm=yes .wnm=yes
add channel=ch2-2.4Ghz channel.frequency=2300-7300 .reselect-interval=1h..1h30m .width=20/40mhz country=Australia datapath=datapath1 \
datapath.bridge=bridge disabled=no mode=ap name=cfg2-2.4Ghz security=sec1 security.authentication-types=wpa2-psk .connect-priority=0/1 \
.disable-pmkid=yes .ft=yes .ft-over-ds=yes .group-encryption=ccmp .group-key-update=2h .management-protection=disabled .wps=disable ssid=\
Pal29_WiFi steering=steering1 steering.neighbor-group=dynamic-MikroTik-020F6E-97a21101 .rrm=yes .wnm=yes
/interface wifi
set [ find default-name=wifi1 ] channel=ch2-2.4Ghz configuration=cfg2-2.4Ghz configuration.country=Australia .mode=ap .ssid=Pal29_WiFi \
datapath=datapath1 datapath.bridge=bridge disabled=no name=HapAx3_2.4Ghz security=sec1 security.authentication-types=wpa2-psk .ft=yes \
.ft-over-ds=yes steering=steering1 steering.neighbor-group=dynamic-MikroTik-020F6E-97a21101 .rrm=yes .wnm=yes
set [ find default-name=wifi2 ] channel=ch1-5Ghz channel.skip-dfs-channels=10min-cac configuration=cfg1-5Ghz configuration.country=Australia \
.mode=ap .ssid=Pal29_WiFi datapath=datapath1 datapath.bridge=bridge disabled=no name=HapAx3_5Ghz security=sec1 \
security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes steering=steering1 steering.neighbor-group=\
dynamic-MikroTik-020F6E-97a21101 .rrm=yes .wnm=yes
add channel=ch1-5Ghz channel.frequency=5670-5730 configuration=cfg1-5Ghz configuration.country=Australia .mode=ap .ssid=Pal29_WiFi datapath=\
datapath1 datapath.bridge=bridge disabled=no name=cap-wifi1-Hallway-5Ghz radio-mac=78:9A:18:59:BA:50 security=sec1 \
security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes steering=steering1 steering.neighbor-group=\
dynamic-MikroTik-020F6E-97a21101
add channel=ch2-2.4Ghz channel.frequency=2300-7300 configuration=cfg2-2.4Ghz configuration.country=Australia .mode=ap .ssid=Pal29_WiFi \
datapath=datapath1 datapath.bridge=bridge disabled=no name=cap-wifi2-Hallway-2.4Ghz radio-mac=78:9A:18:59:BA:51 security=sec1 \
security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes steering=steering1 steering.neighbor-group=\
dynamic-MikroTik-020F6E-97a21101
add channel=ch1-5Ghz channel.frequency=5670-5730 configuration=cfg1-5Ghz configuration.country=Australia .mode=ap .ssid=Pal29_WiFi datapath=\
datapath1 datapath.bridge=bridge disabled=no name=cap-wifi3-Davids-5Ghz radio-mac=78:9A:18:59:BA:A7 security=sec1 \
security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes steering=steering1 steering.neighbor-group=\
dynamic-MikroTik-020F6E-97a21101
add channel=ch2-2.4Ghz configuration=cfg2-2.4Ghz configuration.country=Australia .mode=ap .ssid=Pal29_WiFi datapath=datapath1 \
datapath.bridge=bridge disabled=no name=cap-wifi4-Davids-2.4Ghz radio-mac=78:9A:18:59:BA:A8 security=sec1 security.authentication-types=\
wpa2-psk .ft=yes .ft-over-ds=yes steering=steering1 steering.neighbor-group=dynamic-MikroTik-020F6E-97a21101
add channel=ch1-5Ghz channel.frequency=5510-5670 configuration=cfg1-5Ghz configuration.country=Australia .mode=ap .ssid=Pal29_WiFi datapath=\
datapath1 datapath.bridge=bridge disabled=no name=cap-wifi5-Dinning-5Ghz radio-mac=48:A9:8A:FD:26:89 security=sec1 \
security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes steering=steering1 steering.neighbor-group=\
dynamic-MikroTik-020F6E-97a21101
add channel=ch2-2.4Ghz configuration=cfg2-2.4Ghz configuration.country=Australia .mode=ap .ssid=Pal29_WiFi datapath=datapath1 \
datapath.bridge=bridge disabled=no name=cap-wifi6-Dinning-2.4Ghz radio-mac=48:A9:8A:FD:26:8A security=sec1 security.authentication-types=\
wpa2-psk .ft=yes .ft-over-ds=yes steering=steering1 steering.neighbor-group=dynamic-MikroTik-020F6E-97a21101
/ip pool
add name=dhcp ranges=192.168.5.100-192.168.5.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=6h name=defconf
/system logging action
set 0 memory-lines=150
set 1 disk-lines-per-file=4
/container
add interface=veth1-Adguard root-dir=usb1/adguard start-on-boot=yes workdir=/opt/adguardhome/work
/container config
set ram-high=500.0MiB registry-url=https://registry-1.docker.io tmpdir=usb1/pull
/disk settings
set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes
/dude
set enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-Hallway
add bridge=bridge comment=defconf interface=ether3-David
add bridge=bridge comment=defconf interface=ether4-Dinning
add bridge=bridge comment=defconf interface=ether5-LAN
add bridge=bridge comment=defconf interface=HapAx3_5Ghz
add bridge=bridge comment=defconf interface=HapAx3_2.4Ghz
add bridge=Dockers interface=veth1-Adguard
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set max-neighbor-entries=2048
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/interface wifi access-list
add action=accept allow-signal-out-of-range=10s disabled=no interface=any signal-range=-90..-20
/interface wifi capsman
set enabled=yes interfaces=all package-path="" require-peer-certificate=no upgrade-policy=none
/ip address
add address=192.168.5.1/24 comment=defconf interface=bridge network=192.168.5.0
add address=10.0.0.1/24 interface=Dockers network=10.0.0.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip cloud back-to-home-users
add allow-lan=yes comment=" samsung SM-S926B" name="Pal29Tik | C53UiG+5HPaxD2HPaxD" private-key=\
"KPOcy11F8wGNGDDOvl/1eg/7iDSOQzaATqK8JfMlrHA=" public-key="snMz+366/m/pJ+Cppd2o/3uZixpSf7Dqd1MdDAkKfk0="
/ip dhcp-client
add comment=defconf interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.5.12 client-id=1:d8:bb:c1:70:59:d3 comment="My PC" mac-address=D8:BB:C1:70:59:D3 server=defconf
add address=192.168.5.45 comment="LG Washing Machine" mac-address=80:5B:65:74:7F:C1 server=defconf
add address=192.168.5.2 client-id=1:78:9a:18:59:ba:4e comment="Hallway Cap" mac-address=78:9A:18:59:BA:4E server=defconf
add address=192.168.5.46 client-id=1:60:9:c3:68:75:21 comment="Fronius Solar inverter" mac-address=60:09:C3:68:75:21 server=defconf
add address=192.168.5.3 client-id=1:78:9a:18:59:ba:a5 comment="Davids Cap" mac-address=78:9A:18:59:BA:A5 server=defconf
add address=192.168.5.4 client-id=1:48:a9:8a:fd:26:84 comment="Dinning Room" mac-address=48:A9:8A:FD:26:84 server=defconf
add address=192.168.5.43 comment="LG Dryer" mac-address=4C:BA:D7:D3:66:D1 server=defconf
add address=192.168.5.60 client-id=1:38:86:f7:b8:19:a8 comment="Google outside" mac-address=38:86:F7:B8:19:A8 server=defconf
add address=192.168.5.66 comment="Ethans Google Minii" mac-address=D4:F5:47:11:3F:83 server=defconf
add address=192.168.5.62 comment="Google Home" mac-address=48:D6:D5:64:A9:F3 server=defconf
add address=192.168.5.23 client-id=1:5c:aa:fd:5:8a:50 comment=SONOZ mac-address=5C:AA:FD:05:8A:50 server=defconf
add address=192.168.5.27 client-id=1:58:e8:76:4:17:36 comment="IVSEC Cams" mac-address=58:E8:76:04:17:36 server=defconf
add address=192.168.5.26 client-id=1:10:62:e5:5e:92:dd comment="HP Printer" mac-address=10:62:E5:5E:92:DD server=defconf
add address=192.168.5.44 client-id=1:a4:36:c7:c1:e9:62 comment="LG Dishwasher" mac-address=A4:36:C7:C1:E9:62 server=defconf
add address=192.168.5.61 client-id=1:c:dc:7e:2a:ef:24 comment="Camp Chef" mac-address=0C:DC:7E:2A:EF:24 server=defconf
add address=192.168.5.13 client-id=1:38:2c:4a:af:d4:cf comment="Khloes PC" mac-address=38:2C:4A:AF:D4:CF server=defconf
add address=192.168.5.14 client-id=1:4c:cc:6a:8d:9c:33 comment="Ethans PC" mac-address=4C:CC:6A:8D:9C:33 server=defconf
/ip dhcp-server network
add address=192.168.5.0/24 comment=defconf dns-server=10.0.0.2 gateway=192.168.5.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=10.0.0.2
/ip dns static
add address=192.168.5.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp ports=2201
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d \
tur-thu=0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip service
set telnet address=192.168.5.0/24 port=2325
set ftp address=192.168.5.0/24 port=2277
set www disabled=yes
set ssh address=192.168.5.0/24 port=2280
set api address=192.168.5.0/24
set winbox address=192.168.5.0/24
set api-ssl address=192.168.5.0/24
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1-WAN type=external
/ipv6 address
add address=::d601:c3ff:fe02:f69 eui-64=yes from-pool=Leaptel interface=ether1-WAN
add address=::d601:c3ff:fe02:f6a eui-64=yes from-pool=Leaptel interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-WAN pool-name=Leaptel request=prefix
/ipv6 dhcp-server
add address-pool=Leaptel interface=ether1-WAN name=server1
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Australia/Brisbane
/system identity
set name=Pal29Tik
/system logging
set 0 topics=info,!wireguard
add disabled=yes topics=wireless
add action=disk disabled=yes topics=disk
/system note
set show-at-login=no
/system package update
set channel=testing
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
\n :foreach iface in=[/interface/wifi find where (configuration.mode=\"ap\" && disabled=no)] do={\r\
\n /interface/wifi wps-push-button \$iface;}\r\
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user group
add name=admin policy=local,ftp,reboot,read,write,test,winbox,password,web,sniff,sensitive,romon,rest-api,!telnet,!ssh,!policy,!apiThis is what i have so far and seems to be working some what ok
Edit 2.4Ghz is roaming just seen it just slower than 5Ghz to show it
no roaming from 2.4Ghz tho that i can see so far not to really conserned tho with the 2.4Ghz as i only have a few to connect to that that have to every thing els is 5Ghz
but yer let me know what you think if any thing could be made better
i have taken a few bits and pieces from everyones topics here and made this config
have tried alot of ideas and settings this is todays latest try so far so good lol
Code: Select all# 2024-09-13 18:09:14 by RouterOS 7.16rc4 # software id = V3PJ-CM9W # # model = C53UiG+5HPaxD2HPaxD # serial number = Hxxxxxxxxx /interface bridge add name=Dockers add admin-mac=D4:01:C3:02:0F:6A auto-mac=no comment=defconf name=bridge priority=0x7000 /interface ethernet set [ find default-name=ether1 ] name=ether1-WAN set [ find default-name=ether2 ] name=ether2-Hallway set [ find default-name=ether3 ] name=ether3-David set [ find default-name=ether4 ] name=ether4-Dinning set [ find default-name=ether5 ] name=ether5-LAN /interface veth add address=10.0.0.2/24 gateway=10.0.0.1 gateway6="" name=veth1-Adguard /interface wireguard add comment=back-to-home-vpn listen-port=58411 mtu=1420 name=back-to-home-vpn /disk set usb1 media-interface=bridge media-sharing=yes smb-sharing=yes smb-user=guest /interface list add comment=defconf name=WAN add comment=defconf name=LAN /interface wifi channel add disabled=no name=ch1-5Ghz add disabled=no name=ch2-2.4Ghz /interface wifi datapath add bridge=bridge disabled=no name=datapath1 /interface wifi security add authentication-types="" disabled=no name=sec1 /interface wifi steering add disabled=no name=steering1 neighbor-group=dynamic-MikroTik-020F6E-97a21101 rrm=yes wnm=yes /interface wifi configuration add channel=ch1-5Ghz channel.frequency=5470-5725 .reselect-interval=1h..2h .width=20/40/80mhz country=Australia datapath=datapath1 \ datapath.bridge=bridge disabled=no dtim-period=3 mode=ap multicast-enhance=enabled name=cfg1-5Ghz security=sec1 \ security.authentication-types=wpa2-psk .connect-priority=0/1 .disable-pmkid=yes .ft=yes .ft-over-ds=yes .group-encryption=ccmp \ .group-key-update=2h .management-protection=disabled .wps=disable ssid=Pal29_WiFi steering=steering1 steering.neighbor-group=\ dynamic-MikroTik-020F6E-97a21101 .rrm=yes .wnm=yes add channel=ch2-2.4Ghz channel.frequency=2300-7300 .reselect-interval=1h..1h30m .width=20/40mhz country=Australia datapath=datapath1 \ datapath.bridge=bridge disabled=no mode=ap name=cfg2-2.4Ghz security=sec1 security.authentication-types=wpa2-psk .connect-priority=0/1 \ .disable-pmkid=yes .ft=yes .ft-over-ds=yes .group-encryption=ccmp .group-key-update=2h .management-protection=disabled .wps=disable ssid=\ Pal29_WiFi steering=steering1 steering.neighbor-group=dynamic-MikroTik-020F6E-97a21101 .rrm=yes .wnm=yes /interface wifi set [ find default-name=wifi1 ] channel=ch2-2.4Ghz configuration=cfg2-2.4Ghz configuration.country=Australia .mode=ap .ssid=Pal29_WiFi \ datapath=datapath1 datapath.bridge=bridge disabled=no name=HapAx3_2.4Ghz security=sec1 security.authentication-types=wpa2-psk .ft=yes \ .ft-over-ds=yes steering=steering1 steering.neighbor-group=dynamic-MikroTik-020F6E-97a21101 .rrm=yes .wnm=yes set [ find default-name=wifi2 ] channel=ch1-5Ghz channel.skip-dfs-channels=10min-cac configuration=cfg1-5Ghz configuration.country=Australia \ .mode=ap .ssid=Pal29_WiFi datapath=datapath1 datapath.bridge=bridge disabled=no name=HapAx3_5Ghz security=sec1 \ security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes steering=steering1 steering.neighbor-group=\ dynamic-MikroTik-020F6E-97a21101 .rrm=yes .wnm=yes add channel=ch1-5Ghz channel.frequency=5670-5730 configuration=cfg1-5Ghz configuration.country=Australia .mode=ap .ssid=Pal29_WiFi datapath=\ datapath1 datapath.bridge=bridge disabled=no name=cap-wifi1-Hallway-5Ghz radio-mac=78:9A:18:59:BA:50 security=sec1 \ security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes steering=steering1 steering.neighbor-group=\ dynamic-MikroTik-020F6E-97a21101 add channel=ch2-2.4Ghz channel.frequency=2300-7300 configuration=cfg2-2.4Ghz configuration.country=Australia .mode=ap .ssid=Pal29_WiFi \ datapath=datapath1 datapath.bridge=bridge disabled=no name=cap-wifi2-Hallway-2.4Ghz radio-mac=78:9A:18:59:BA:51 security=sec1 \ security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes steering=steering1 steering.neighbor-group=\ dynamic-MikroTik-020F6E-97a21101 add channel=ch1-5Ghz channel.frequency=5670-5730 configuration=cfg1-5Ghz configuration.country=Australia .mode=ap .ssid=Pal29_WiFi datapath=\ datapath1 datapath.bridge=bridge disabled=no name=cap-wifi3-Davids-5Ghz radio-mac=78:9A:18:59:BA:A7 security=sec1 \ security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes steering=steering1 steering.neighbor-group=\ dynamic-MikroTik-020F6E-97a21101 add channel=ch2-2.4Ghz configuration=cfg2-2.4Ghz configuration.country=Australia .mode=ap .ssid=Pal29_WiFi datapath=datapath1 \ datapath.bridge=bridge disabled=no name=cap-wifi4-Davids-2.4Ghz radio-mac=78:9A:18:59:BA:A8 security=sec1 security.authentication-types=\ wpa2-psk .ft=yes .ft-over-ds=yes steering=steering1 steering.neighbor-group=dynamic-MikroTik-020F6E-97a21101 add channel=ch1-5Ghz channel.frequency=5510-5670 configuration=cfg1-5Ghz configuration.country=Australia .mode=ap .ssid=Pal29_WiFi datapath=\ datapath1 datapath.bridge=bridge disabled=no name=cap-wifi5-Dinning-5Ghz radio-mac=48:A9:8A:FD:26:89 security=sec1 \ security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes steering=steering1 steering.neighbor-group=\ dynamic-MikroTik-020F6E-97a21101 add channel=ch2-2.4Ghz configuration=cfg2-2.4Ghz configuration.country=Australia .mode=ap .ssid=Pal29_WiFi datapath=datapath1 \ datapath.bridge=bridge disabled=no name=cap-wifi6-Dinning-2.4Ghz radio-mac=48:A9:8A:FD:26:8A security=sec1 security.authentication-types=\ wpa2-psk .ft=yes .ft-over-ds=yes steering=steering1 steering.neighbor-group=dynamic-MikroTik-020F6E-97a21101 /ip pool add name=dhcp ranges=192.168.5.100-192.168.5.254 /ip dhcp-server add address-pool=dhcp interface=bridge lease-time=6h name=defconf /system logging action set 0 memory-lines=150 set 1 disk-lines-per-file=4 /container add interface=veth1-Adguard root-dir=usb1/adguard start-on-boot=yes workdir=/opt/adguardhome/work /container config set ram-high=500.0MiB registry-url=https://registry-1.docker.io tmpdir=usb1/pull /disk settings set auto-media-interface=bridge auto-media-sharing=yes auto-smb-sharing=yes /dude set enabled=yes /interface bridge port add bridge=bridge comment=defconf interface=ether2-Hallway add bridge=bridge comment=defconf interface=ether3-David add bridge=bridge comment=defconf interface=ether4-Dinning add bridge=bridge comment=defconf interface=ether5-LAN add bridge=bridge comment=defconf interface=HapAx3_5Ghz add bridge=bridge comment=defconf interface=HapAx3_2.4Ghz add bridge=Dockers interface=veth1-Adguard /ip neighbor discovery-settings set discover-interface-list=LAN /ipv6 settings set max-neighbor-entries=2048 /interface detect-internet set detect-interface-list=all /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=ether1-WAN list=WAN /interface wifi access-list add action=accept allow-signal-out-of-range=10s disabled=no interface=any signal-range=-90..-20 /interface wifi capsman set enabled=yes interfaces=all package-path="" require-peer-certificate=no upgrade-policy=none /ip address add address=192.168.5.1/24 comment=defconf interface=bridge network=192.168.5.0 add address=10.0.0.1/24 interface=Dockers network=10.0.0.0 /ip cloud set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m /ip cloud back-to-home-users add allow-lan=yes comment=" samsung SM-S926B" name="Pal29Tik | C53UiG+5HPaxD2HPaxD" private-key=\ "KPOcy11F8wGNGDDOvl/1eg/7iDSOQzaATqK8JfMlrHA=" public-key="snMz+366/m/pJ+Cppd2o/3uZixpSf7Dqd1MdDAkKfk0=" /ip dhcp-client add comment=defconf interface=ether1-WAN /ip dhcp-server lease add address=192.168.5.12 client-id=1:d8:bb:c1:70:59:d3 comment="My PC" mac-address=D8:BB:C1:70:59:D3 server=defconf add address=192.168.5.45 comment="LG Washing Machine" mac-address=80:5B:65:74:7F:C1 server=defconf add address=192.168.5.2 client-id=1:78:9a:18:59:ba:4e comment="Hallway Cap" mac-address=78:9A:18:59:BA:4E server=defconf add address=192.168.5.46 client-id=1:60:9:c3:68:75:21 comment="Fronius Solar inverter" mac-address=60:09:C3:68:75:21 server=defconf add address=192.168.5.3 client-id=1:78:9a:18:59:ba:a5 comment="Davids Cap" mac-address=78:9A:18:59:BA:A5 server=defconf add address=192.168.5.4 client-id=1:48:a9:8a:fd:26:84 comment="Dinning Room" mac-address=48:A9:8A:FD:26:84 server=defconf add address=192.168.5.43 comment="LG Dryer" mac-address=4C:BA:D7:D3:66:D1 server=defconf add address=192.168.5.60 client-id=1:38:86:f7:b8:19:a8 comment="Google outside" mac-address=38:86:F7:B8:19:A8 server=defconf add address=192.168.5.66 comment="Ethans Google Minii" mac-address=D4:F5:47:11:3F:83 server=defconf add address=192.168.5.62 comment="Google Home" mac-address=48:D6:D5:64:A9:F3 server=defconf add address=192.168.5.23 client-id=1:5c:aa:fd:5:8a:50 comment=SONOZ mac-address=5C:AA:FD:05:8A:50 server=defconf add address=192.168.5.27 client-id=1:58:e8:76:4:17:36 comment="IVSEC Cams" mac-address=58:E8:76:04:17:36 server=defconf add address=192.168.5.26 client-id=1:10:62:e5:5e:92:dd comment="HP Printer" mac-address=10:62:E5:5E:92:DD server=defconf add address=192.168.5.44 client-id=1:a4:36:c7:c1:e9:62 comment="LG Dishwasher" mac-address=A4:36:C7:C1:E9:62 server=defconf add address=192.168.5.61 client-id=1:c:dc:7e:2a:ef:24 comment="Camp Chef" mac-address=0C:DC:7E:2A:EF:24 server=defconf add address=192.168.5.13 client-id=1:38:2c:4a:af:d4:cf comment="Khloes PC" mac-address=38:2C:4A:AF:D4:CF server=defconf add address=192.168.5.14 client-id=1:4c:cc:6a:8d:9c:33 comment="Ethans PC" mac-address=4C:CC:6A:8D:9C:33 server=defconf /ip dhcp-server network add address=192.168.5.0/24 comment=defconf dns-server=10.0.0.2 gateway=192.168.5.1 netmask=24 /ip dns set allow-remote-requests=yes cache-size=4096KiB servers=10.0.0.2 /ip dns static add address=192.168.5.1 comment=defconf name=router.lan type=A /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \ in-interface-list=WAN /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN /ip firewall service-port set ftp ports=2201 /ip ipsec profile set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5 /ip kid-control add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d \ tur-thu=0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d /ip service set telnet address=192.168.5.0/24 port=2325 set ftp address=192.168.5.0/24 port=2277 set www disabled=yes set ssh address=192.168.5.0/24 port=2280 set api address=192.168.5.0/24 set winbox address=192.168.5.0/24 set api-ssl address=192.168.5.0/24 /ip upnp set enabled=yes /ip upnp interfaces add interface=bridge type=internal add interface=ether1-WAN type=external /ipv6 address add address=::d601:c3ff:fe02:f69 eui-64=yes from-pool=Leaptel interface=ether1-WAN add address=::d601:c3ff:fe02:f6a eui-64=yes from-pool=Leaptel interface=bridge /ipv6 dhcp-client add add-default-route=yes interface=ether1-WAN pool-name=Leaptel request=prefix /ipv6 dhcp-server add address-pool=Leaptel interface=ether1-WAN name=server1 /ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6 add address=::1/128 comment="defconf: lo" list=bad_ipv6 add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6 add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6 add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6 add address=100::/64 comment="defconf: discard only " list=bad_ipv6 add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6 add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6 add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6 /ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6 add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10 add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6 add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6 add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6 add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6 add action=accept chain=forward comment="defconf: accept HIP" protocol=139 add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN /system clock set time-zone-name=Australia/Brisbane /system identity set name=Pal29Tik /system logging set 0 topics=info,!wireguard add disabled=yes topics=wireless add action=disk disabled=yes topics=disk /system note set show-at-login=no /system package update set channel=testing /system routerboard wps-button set enabled=yes on-event=wps-accept /system script add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys policy=\ ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\ \n :foreach iface in=[/interface/wifi find where (configuration.mode=\"ap\" && disabled=no)] do={\r\ \n /interface/wifi wps-push-button \$iface;}\r\ \n " /tool mac-server set allowed-interface-list=LAN /tool mac-server mac-winbox set allowed-interface-list=LAN /user group add name=admin policy=local,ftp,reboot,read,write,test,winbox,password,web,sniff,sensitive,romon,rest-api,!telnet,!ssh,!policy,!api