stefanelul2000
newbie
Topic Author
Posts: 29
Joined: Fri Feb 23, 2018 6:08 pm

Strange behavior with Mikrotik CAP AX - CAPsMANv2

Sun Mar 24, 2024 1:47 pm

Hello everyone,

We have recently switched our wifi setup to all Mikrotik CAP AX.
We are using CAPsMANv2 but we are experiencing some strange behavior in the following situations:

1. FT and FT over DS disabled - Device will connect to wifi but not to the closest AP, thus low performance, and it can be observed that the device is on 2.4 rather than 5 GHz even though band steering is enabled. Roaming does work but is very slow and unreliable.
2. FT and FT over DS enabled - Device will connect to wifi, closest AP, initial performance is ok but after a couple of minutes the device begins to jump around APs even if they have worse signal / performance. We have some edge cases where the roaming happens so often that the device refuses to connect to wifi and drops out of the network.

I have tried different variations of config and the issues do not seem to be linked to one particular device vendor. We observed these issues on Android, iOS and Windows.

Attached the CAPsMAN configuration. All devices AP and CAPsMAN are on FW 7.14.1.
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name="2.4 GHz" width=20mhz
add band=5ghz-ax disabled=no name="5 GHz" skip-dfs-channels=10min-cac width=20/40/80mhz
/interface wifi datapath
add bridge=bridge-LAN client-isolation=no disabled=no name="VLAN 24" vlan-id=24
add bridge=bridge-LAN client-isolation=no disabled=no name="VLAN 26" vlan-id=26
add bridge=bridge-LAN client-isolation=no disabled=no name="VLAN 40" vlan-id=40
add bridge=bridge-LAN client-isolation=no disabled=no name="VLAN 50" vlan-id=50
add bridge=bridge-LAN client-isolation=no disabled=no name="VLAN 60" vlan-id=60
add bridge=bridge-LAN client-isolation=yes disabled=no name="VLAN 168" vlan-id=168
add bridge=bridge-LAN client-isolation=no disabled=no name="VLAN 500" vlan-id=500
/interface wifi security
add authentication-types=wpa2-psk disabled=no encryption="" name=WPA2-PSK
add authentication-types=wpa2-psk disabled=no encryption="" name="WPA2-PSK IoT"
add authentication-types=wpa3-psk disabled=no encryption="" name=WPA3-PSK
add authentication-types=wpa2-psk disabled=no name="WPA2-PSK Guest"
add authentication-types=wpa2-psk disabled=no encryption="" name="WPA2-PSK Ortoprofil"
/interface wifi configuration
add channel="2.4 GHz" country=Romania datapath="VLAN 24" disabled=no mode=ap name="VLAN 24 2.4" security=WPA2-PSK ssid="HCS WLAN"
add channel="5 GHz" country=Romania datapath="VLAN 24" disabled=no mode=ap name="VLAN 24 5" security=WPA2-PSK ssid="HCS WLAN"
add channel="2.4 GHz" country=Romania datapath="VLAN 26" disabled=no mode=ap name="VLAN 26 2.4" security=WPA2-PSK ssid="HCS Mobile"
add channel="5 GHz" country=Romania datapath="VLAN 26" disabled=no mode=ap name="VLAN 26 5" security=WPA2-PSK ssid="HCS Mobile"
add channel="2.4 GHz" country=Romania datapath="VLAN 26" disabled=no mode=ap name="VLAN 26 2.4 IoT" security="WPA2-PSK IoT" ssid="HCS IoT"
add channel="2.4 GHz" country=Romania datapath="VLAN 40" disabled=no mode=ap name="VLAN 40 2.4" security=WPA2-PSK ssid="HCS Printer"
add channel="2.4 GHz" country=Romania datapath="VLAN 50" disabled=no mode=ap name="VLAN 50 2.4" security=WPA2-PSK ssid="HCS CCTV"
add channel="2.4 GHz" country=Romania datapath="VLAN 60" disabled=no mode=ap name="VLAN 60 2.4" security=WPA2-PSK ssid="HCS VoIP"
add channel="2.4 GHz" country=Romania datapath="VLAN 168" disabled=no mode=ap name="VLAN 168 2.4" security="WPA2-PSK Guest" ssid="HCS Guest"
add channel="2.4 GHz" country=Romania datapath="VLAN 500" disabled=no mode=ap name="VLAN 500 2.4" security="WPA2-PSK Ortoprofil" ssid=Ortoprofil
add channel="5 GHz" country=Romania datapath="VLAN 40" disabled=no mode=ap name="VLAN 40 5" security=WPA2-PSK ssid="HCS Printer"
add channel="5 GHz" country=Romania datapath="VLAN 50" disabled=no mode=ap name="VLAN 50 5" security=WPA2-PSK ssid="HCS CCTV"
add channel="5 GHz" country=Romania datapath="VLAN 60" disabled=no mode=ap name="VLAN 60 5" security=WPA2-PSK ssid="HCS VoIP"
add channel="5 GHz" country=Romania datapath="VLAN 168" disabled=no mode=ap name="VLAN 168 5" security="WPA2-PSK Guest" ssid="HCS Guest"
add channel="5 GHz" country=Romania datapath="VLAN 500" disabled=no mode=ap name="VLAN 500 5" security="WPA2-PSK Ortoprofil" ssid=Ortoprofil
add channel="2.4 GHz" country=Romania datapath="VLAN 24" disabled=no mode=ap name="VLAN 24 2.4 Test" security=WPA2-PSK ssid="Test 2"
add channel="5 GHz" country=Romania datapath="VLAN 24" disabled=no mode=ap name="VLAN 24 5 Test" security=WPA2-PSK ssid="Test 5"
add channel="2.4 GHz" country=Romania datapath="VLAN 168" disabled=no mode=ap name="VLAN 168 2.4 Test" security="WPA2-PSK Guest" ssid="Guest 2"
add channel="5 GHz" country=Romania datapath="VLAN 168" disabled=no mode=ap name="VLAN 168 5 Test" security="WPA2-PSK Guest" ssid="Guest 5"
/interface wifi steering
add disabled=no name=HCS-WLAN-BS neighbor-group="dynamic-HCS WLAN-cfc186f4" rrm=yes wnm=yes
add disabled=no name=HCS-IoT-BS neighbor-group="dynamic-HCS IoT-9cdd3b02" rrm=yes wnm=yes
add disabled=no name=HCS-Mobile-BS neighbor-group="dynamic-HCS Mobile-cfc186f4" rrm=yes wnm=yes
add disabled=no name=HCS-Printer-BS neighbor-group="dynamic-HCS Printer-cfc186f4" rrm=yes wnm=yes
add disabled=no name=HCS-CCTV-BS neighbor-group="dynamic-HCS CCTV-cfc186f4" rrm=yes wnm=yes
add disabled=no name=HCS-Guest-BS neighbor-group="dynamic-HCS Guest-ba07952c" rrm=yes wnm=yes
/interface wifi capsman
set ca-certificate=WiFi-CAPsMAN-CA-C4AD3418D4F6 certificate=WiFi-CAPsMAN-C4AD3418D4F6 enabled=yes interfaces=bridge-LAN package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration="VLAN 24 2.4" name-format=%I-2G slave-configurations=\
    "VLAN 26 2.4,VLAN 26 2.4 IoT,VLAN 40 2.4,VLAN 50 2.4,VLAN 60 2.4,VLAN 168 2.4,VLAN 500 2.4,VLAN 24 2.4 Test" supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration="VLAN 24 5" name-format=%I-5G slave-configurations=\
    "VLAN 26 5,VLAN 40 5,VLAN 50 5,VLAN 60 5,VLAN 168 5,VLAN 500 5,VLAN 24 5 Test" supported-bands=5ghz-ax
Are we doing something wrong here? What else could we try to improve the situation of our wifi setup?
 
erlinden
Forum Guru
Posts: 2496
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Strange behavior with Mikrotik CAP AX - CAPsMANv2

Mon Mar 25, 2024 2:42 pm

I have configured FT and FT over DS on the security part of the config:
/interface wifi security
add authentication-types=wpa2-psk connect-priority=0/1 disabled=no ft=yes ft-over-ds=yes group-encryption=ccmp name=[whatever] wps=disable
I absolutely dislike steering; it is always up to the client to decide where to connect to.
Up to you to leave it, but it would not be my advice (haven't seen a good implementation on the brands I have worked with).

By reducing the transmission power on the 2.4GHz radio, clients will additionally be motivated to neglect the 2.4GHz radio altogether.
/interface wifi configuration
add channel=24G-20 country=Netherlands datapath=DP_AC disabled=no dtim-period=3 name=[whatever]-2.4G-AC security=[whatever] ssid=[whatever] tx-power=5
 
carcuevas
just joined
Posts: 10
Joined: Sun Jan 07, 2024 11:37 pm

Re: Strange behavior with Mikrotik CAP AX - CAPsMANv2

Mon Mar 25, 2024 7:56 pm

Hi stefanelul2000,

Sorry that I cannot help with your question, since I could not get to that point of the configuration yet, but I have one question for you. You said that you are using FW 7.14.1, and from your config I saw that you are using multiple VLANs for the CAPs; I am just a bit curious if you are using the wifi-qcom package... Did you have any trouble getting the CAPsMAN to communicate with the CAPs using VLANs? I have been trying for days and days and I am not able to; I am a bit desperate already :D. For the CAPs I am not sure if the automatic detection of VLANs is working or not, or if I have to configure it manually... (I have described my problem here: viewtopic.php?p=1065821#p1065821)

How did you config your CAPs?

Thanks a million...
 
stefanelul2000
newbie
Topic Author
Posts: 29
Joined: Fri Feb 23, 2018 6:08 pm

Re: Strange behavior with Mikrotik CAP AX - CAPsMANv2

Tue Mar 26, 2024 8:18 pm

> Hi stefanelul2000,
>
> Sorry that I cannot help with your question, since I could not get to that point of the configuration yet, but I have one question for you. You said that you are using FW 7.14.1, and from your config I saw that you are using multiple VLANs for the CAPs; I am just a bit curious if you are using the wifi-qcom package... Did you have any trouble getting the CAPsMAN to communicate with the CAPs using VLANs? I have been trying for days and days and I am not able to; I am a bit desperate already :D. For the CAPs I am not sure if the automatic detection of VLANs is working or not, or if I have to configure it manually... (I have described my problem here: viewtopic.php?p=1065821#p1065821)
>
> How did you config your CAPs?
>
> Thanks a million...

Hello,

No worries, I am using CAP AX which does not have any issues with the VLAN assignment via CAPsMAN.
I do have the following setup in another location where I have a CAP AC:
/interface bridge
add admin-mac=CC:2D:E0:1B:53:00 auto-mac=no comment=defconf name=bridgeLocal port-cost-mode=short vlan-filtering=yes
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=2.4AX skip-dfs-channels=10min-cac width=20/40mhz
add band=5ghz-ax disabled=no name=5AX skip-dfs-channels=10min-cac width=20/40/80mhz
add band=2ghz-n disabled=no frequency=2412,2437,2462 name=2.4N skip-dfs-channels=10min-cac width=20/40mhz
add band=5ghz-ac disabled=no name=5AC skip-dfs-channels=10min-cac width=20/40/80mhz
/interface wifi datapath
add disabled=no name="D&C VLAN 200 (Untagged)"
add disabled=no name="D&C VLAN 200 (Tagged)" vlan-id=200
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption="" name="WPA2/3 PSK" wps=disable
/interface wifi configuration
add channel=2.4AX country=Romania datapath="D&C VLAN 200 (Tagged)" disabled=no mode=ap name="D&C 2.4 AX" security="WPA2/3 PSK" \
    security.encryption="" .ft=yes .ft-over-ds=yes ssid="D&C"
add channel=5AX country=Romania datapath="D&C VLAN 200 (Tagged)" disabled=no mode=ap name="D&C 5 AX" security="WPA2/3 PSK" security.ft=yes \
    .ft-over-ds=yes ssid="D&C"
add channel=2.4N country=Romania datapath="D&C VLAN 200 (Untagged)" disabled=no mode=ap name="D&C 2.4 N" security="WPA2/3 PSK" security.ft=yes \
    .ft-over-ds=yes ssid="D&C"
add channel=5AC country=Romania datapath="D&C VLAN 200 (Untagged)" disabled=no mode=ap name="D&C 5 AC" security="WPA2/3 PSK" security.ft=yes \
    .ft-over-ds=yes ssid="D&C"
/interface wifi
set [ find default-name=wifi1 ] configuration="D&C 2.4 N" disabled=no
set [ find default-name=wifi2 ] configuration="D&C 5 AC" disabled=no
/interface wifi steering
add disabled=no name=BandSteering-D&C neighbor-group="dynamic-D&C-1f57e1d6" rrm=yes wnm=yes
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridgeLocal interface=wifi1 pvid=200
add bridge=bridgeLocal interface=wifi2 pvid=200
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1 untagged=wifi1,wifi2 vlan-ids=200
/interface wifi cap
set discovery-interfaces=all enabled=yes
/interface wifi capsman
set ca-certificate=WiFi-CAPsMAN-CA-CC2DE01B5300 certificate=WiFi-CAPsMAN-CC2DE01B5300 enabled=yes package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration="D&C 2.4 AX" name-format=%I-2G supported-bands=2ghz-ax
add action=create-enabled disabled=no master-configuration="D&C 2.4 N" name-format=%I-2G supported-bands=2ghz-n
add action=create-dynamic-enabled disabled=no master-configuration="D&C 5 AX" name-format=%I-5G supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration="D&C 5 AC" name-format=%I-5G supported-bands=5ghz-ac
Here one of the APs is also the controller. Unfortunately I only have 1 VLAN in this setup. But as far as I understood it will be something like this:
add action=create-enabled disabled=no master-configuration="D&C 5 AC" name-format=%I-5G supported-bands=5ghz-ac
This will create a static interface on which you can play around with the pvid.
Hope this helps.
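
Added example (not part of any post in this thread, and not MikroTik code): a small Python checker that parses an `/interface wifi` export like the ones above and resolves, per SSID, whether FT and FT over DS are effectively enabled, whether they are set on the security profile or inline as `security.ft` / `.ft-over-ds`. The sample export and its names (`roam`, `plain`, `Office`, `Lab`) are constructed, and two things are assumptions: that a leading-dot key inherits the prefix of the preceding key, and that an unset `ft` means `no`.

```python
import re
import shlex
# Constructed sample, modelled on the exports in this thread (not a real device).
SAMPLE = r'''
/interface wifi security
add authentication-types=wpa2-psk disabled=no ft=yes ft-over-ds=yes name=roam
add authentication-types=wpa2-psk disabled=no name=plain
/interface wifi configuration
add channel=5AX mode=ap name="Office 5" security=roam ssid=Office
add channel=2.4AX mode=ap name="Office 2.4" security=plain ssid=Office
add channel=5AX mode=ap name="Lab 5" security=plain security.ft=yes \
    .ft-over-ds=yes ssid=Lab
'''

def parse_export(text):
    """Return {menu: [params, ...]} for every 'add' line of an export."""
    text = re.sub(r"\\\n\s*", "", text)        # join "\" continuation lines
    menus, menu = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("/"):               # menu path, e.g. /interface wifi security
            menu = line
            continue
        verb, *tokens = shlex.split(line)      # shlex keeps "quoted values" together
        if verb != "add":
            continue
        params, prefix = {}, ""
        for tok in tokens:
            key, _, val = tok.partition("=")
            if key.startswith("."):            # assumed: ".ft" inherits "security"
                key = prefix + key
            else:
                prefix = key.split(".", 1)[0]
            params[key] = val
        menus.setdefault(menu, []).append(params)
    return menus

def effective_ft(menus):
    """Map ssid -> {config name: (ft, ft-over-ds)} after resolving overrides."""
    profiles = {p["name"]: p for p in menus.get("/interface wifi security", [])}
    result = {}
    for cfg in menus.get("/interface wifi configuration", []):
        prof = profiles.get(cfg.get("security"), {})
        # Inline security.<k> wins over the profile; unset is assumed to mean "no".
        pick = lambda k: cfg.get("security." + k, prof.get(k, "no"))
        result.setdefault(cfg["ssid"], {})[cfg["name"]] = (pick("ft"), pick("ft-over-ds"))
    return result

def inconsistent_ssids(ft_map):
    """SSIDs whose configurations do not all share the same FT settings."""
    return sorted(s for s, cfgs in ft_map.items() if len(set(cfgs.values())) > 1)
```

Running `inconsistent_ssids(effective_ft(parse_export(SAMPLE)))` on the sample flags `Office`, where the 5 GHz configuration has FT on and the 2.4 GHz one does not.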
 
carcuevas
just joined
Posts: 10
Joined: Sun Jan 07, 2024 11:37 pm

Re: Strange behavior with Mikrotik CAP AX - CAPsMANv2

Thu Mar 28, 2024 12:33 am

Hi stefanelul2000,

Thanks very much for answering :) I had figured it out somehow with the CAP-AX ... in my case, weirdly enough, in the CAPs I needed to somehow specify the datapaths... It looks like it won't be enough to configure the datapaths just in the CAPsMAN... So for the CAP I needed to do the following:
/interface wifi datapath add bridge=bridge1 disabled=no name=vlan10_employees vlan-id=10
/interface wifi datapath add bridge=bridge1 disabled=no name=vlan80_guests vlan-id=80
/interface wifi set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap datapath=vlan10_employees disabled=no
/interface wifi set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap datapath=vlan10_employees disabled=no
/interface wifi cap set caps-man-addresses=10.0.99.1 enabled=yes slaves-datapath=vlan80_guests slaves-static=no
Otherwise I could not make it work...
