stefanelul2000
newbie
Topic Author
Posts: 29
Joined: Fri Feb 23, 2018 6:08 pm

CAPsMAN & CAP-AX Wireless issues

Tue Sep 17, 2024 10:20 pm

Hello everyone,

So I bought quite a high number (about 50) of CAP-AX APs and to be honest I need/want to know if I am stupid / did something wrong or the APs are not quite up to the task. Unfortunately I do not have plans of the building, but it is a 3-story building and the interior walls are mostly brick. We have about 2-3 APs per floor positioned as best as possible as to not physically overlap. Signal is overall great, performance is great, stability... almost nonexistent. If we run each AP individually (meaning having an SSID per AP) then everything is great; with everything under one/multiple identical SSIDs, all hell breaks loose: roaming when there is no need to, devices dropping the connection and then reconnecting, roaming not working when it should, etc.

This is the config I am currently having:
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name="2.4 GHz" width=20mhz
add band=5ghz-ax disabled=no name="5 GHz" skip-dfs-channels=all width=20/40mhz
/interface wifi datapath
add bridge=bridge-LAN client-isolation=no disabled=no name="VLAN 24" vlan-id=24
add bridge=bridge-LAN client-isolation=no disabled=no name="VLAN 26" vlan-id=26
add bridge=bridge-LAN client-isolation=no disabled=no name="VLAN 40" vlan-id=40
add bridge=bridge-LAN client-isolation=no disabled=no name="VLAN 50" vlan-id=50
add bridge=bridge-LAN client-isolation=no disabled=no name="VLAN 60" vlan-id=60
add bridge=bridge-LAN client-isolation=yes disabled=no name="VLAN 168" vlan-id=168
add bridge=bridge-LAN client-isolation=no disabled=no name="VLAN 500" vlan-id=500
add bridge=bridge-LAN client-isolation=no disabled=no name="VLAN Trunk"
add bridge=bridge-LAN disabled=no name=1 vlan-id=1
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no encryption="" ft=yes name=WPA2-PSK
add authentication-types=wpa2-psk disabled=no encryption="" name="WPA2-PSK IoT"
add authentication-types=wpa3-psk disabled=no encryption="" name=WPA3-PSK
add authentication-types=wpa2-psk disabled=no name="WPA2-PSK Guest"
add authentication-types=wpa2-psk disabled=no encryption="" name="WPA2-PSK Ortoprofil"
add authentication-types=wpa2-eap disabled=no eap-certificate-mode=verify-certificate-with-crl encryption="" ft=yes ft-over-ds=yes name=WPA2-EAP
/interface wifi configuration
add channel="2.4 GHz" country=Romania datapath="VLAN 24" disabled=no mode=ap name="VLAN 24 2.4" security=WPA2-PSK ssid="HCS WLAN"
add channel="5 GHz" channel.skip-dfs-channels=all country=Romania datapath="VLAN 24" disabled=no mode=ap name="VLAN 24 5" security=WPA2-PSK ssid="HCS WLAN"
add channel="2.4 GHz" country=Romania datapath="VLAN 26" disabled=no mode=ap name="VLAN 26 2.4" security=WPA2-PSK ssid="HCS Mobile"
add channel="5 GHz" country=Romania datapath="VLAN 26" disabled=no mode=ap name="VLAN 26 5" security=WPA2-PSK ssid="HCS Mobile"
add channel="2.4 GHz" country=Romania datapath="VLAN 26" disabled=no mode=ap name="VLAN 26 2.4 IoT" security="WPA2-PSK IoT" ssid="HCS IoT"
add channel="2.4 GHz" country=Romania datapath="VLAN 40" disabled=no mode=ap name="VLAN 40 2.4" security=WPA2-PSK ssid="HCS Printer"
add channel="2.4 GHz" country=Romania datapath="VLAN 50" disabled=no mode=ap name="VLAN 50 2.4" security=WPA2-PSK ssid="HCS CCTV"
add channel="2.4 GHz" country=Romania datapath="VLAN 60" disabled=no mode=ap name="VLAN 60 2.4" security=WPA2-PSK ssid="HCS VoIP"
add channel="2.4 GHz" country=Romania datapath="VLAN 168" disabled=no mode=ap name="VLAN 168 2.4" security="WPA2-PSK Guest" ssid="HCS Guest"
add channel="2.4 GHz" country=Romania datapath="VLAN 500" disabled=no mode=ap name="VLAN 500 2.4" security="WPA2-PSK Ortoprofil" ssid=Ortoprofil
add channel="5 GHz" country=Romania datapath="VLAN 40" disabled=no mode=ap name="VLAN 40 5" security=WPA2-PSK ssid="HCS Printer"
add channel="5 GHz" country=Romania datapath="VLAN 50" disabled=no mode=ap name="VLAN 50 5" security=WPA2-PSK ssid="HCS CCTV"
add channel="5 GHz" country=Romania datapath="VLAN 60" disabled=no mode=ap name="VLAN 60 5" security=WPA2-PSK ssid="HCS VoIP"
add channel="5 GHz" country=Romania datapath="VLAN 168" disabled=no mode=ap name="VLAN 168 5" security="WPA2-PSK Guest" ssid="HCS Guest"
add channel="5 GHz" country=Romania datapath="VLAN 500" disabled=no mode=ap name="VLAN 500 5" security="WPA2-PSK Ortoprofil" ssid=Ortoprofil
/interface wifi steering
add disabled=no name=HCS-WLAN-BS neighbor-group="dynamic-HCS WLAN-cfc186f4" rrm=yes wnm=yes
add disabled=no name=HCS-IoT-BS neighbor-group="dynamic-HCS IoT-9cdd3b02" rrm=yes wnm=yes
add disabled=no name=HCS-Mobile-BS neighbor-group="dynamic-HCS Mobile-cfc186f4" rrm=yes wnm=yes
add disabled=no name=HCS-Printer-BS neighbor-group="dynamic-HCS Printer-cfc186f4" rrm=yes wnm=yes
add disabled=no name=HCS-CCTV-BS neighbor-group="dynamic-HCS CCTV-cfc186f4" rrm=yes wnm=yes
add disabled=no name=HCS-Guest-BS neighbor-group="dynamic-HCS Guest-ba07952c" rrm=yes wnm=yes
/interface wifi access-list
add action=accept allow-signal-out-of-range=2s disabled=no interface=any signal-range=-70..-10
add action=reject disabled=no interface=any signal-range=-120..-76
/interface wifi capsman
set ca-certificate=WiFi-CAPsMAN-CA-C4AD3418D4F6 certificate=WiFi-CAPsMAN-C4AD3418D4F6 enabled=yes interfaces=bridge-LAN package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration="VLAN 24 2.4" name-format=%I-2G slave-configurations=\
    "VLAN 26 2.4,VLAN 26 2.4 IoT,VLAN 40 2.4,VLAN 50 2.4,VLAN 60 2.4,VLAN 168 2.4,VLAN 500 2.4" supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration="VLAN 24 5" name-format=%I-5G slave-configurations=\
    "VLAN 26 5,VLAN 40 5,VLAN 50 5,VLAN 60 5,VLAN 168 5,VLAN 500 5" supported-bands=5ghz-ax
So shortly, about 8 SSIDs on 2.4 and 7 SSIDs on 5GHz.
Roaming enabled on all of them except for the IoT.

I have tried various things such as implementing the access-list, reducing the power of the APs, enabling/disabling ft and ft-over-ds, but nothing seems to solve the issue.

So back to the initial question: am I stupid / did I do something wrong, or are the APs not quite up to the task?
 
erlinden
Forum Guru
Posts: 2495
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAPsMAN & CAP-AX Wireless issues

Tue Sep 17, 2024 11:12 pm

Decrease to a max of 4 SSID's per radio.
Last edited by erlinden on Tue Sep 17, 2024 11:15 pm, edited 1 time in total.
 
spippan
Member
Posts: 449
Joined: Wed Nov 12, 2014 1:00 pm

Re: CAPsMAN & CAP-AX Wireless issues

Tue Sep 17, 2024 11:13 pm

I do not know for sure, but could this interfere somehow?
/interface wifi channel
add band=5ghz-ax disabled=no name="5 GHz" skip-dfs-channels=all width=20/40mhz

/interface wifi configuration
add channel="5 GHz" channel.skip-dfs-channels=all country=Romania datapath="VLAN 24" disabled=no mode=ap name="VLAN 24 5" security=WPA2-PSK ssid="HCS WLAN"

because of the double "skip dfs" entry?
 
neki
Member Candidate
Posts: 216
Joined: Thu Sep 07, 2023 10:20 am

Re: CAPsMAN & CAP-AX Wireless issues

Wed Sep 18, 2024 12:12 am

Looks like you configured steering profiles, but they are not linked to configuration profiles. Also do not use access-list for signal checking, it's a thing of the past. And try to define an FT domain in the security profiles, a different number (hex) for each one.

Anyway it's really a lot of SSIDs...

> We have about 2-3 APs per floor positioned as best as possible as to not physically overlap.

I don't know how this was meant, signals should overlap but on different channels.
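
An added example, not part of any post in this thread: a Python check that parses a RouterOS export and flags the two problems raised in the replies above, more than four SSIDs per radio and steering profiles that no configuration references. The sample is a shortened excerpt of the export posted in the first message; the function names are hypothetical, and the check assumes a configuration links a steering profile through a `steering=` property.

```python
import re
import shlex
from collections import defaultdict

MAX_SSIDS_PER_RADIO = 4  # ceiling suggested in the thread

# Constructed sample: a shortened excerpt of the export posted above.
SAMPLE_EXPORT = r'''
/interface wifi configuration
add channel="2.4 GHz" datapath="VLAN 24" name="VLAN 24 2.4" security=WPA2-PSK ssid="HCS WLAN"
add channel="2.4 GHz" datapath="VLAN 26" name="VLAN 26 2.4 IoT" security="WPA2-PSK IoT" ssid="HCS IoT"
/interface wifi steering
add disabled=no name=HCS-WLAN-BS neighbor-group="dynamic-HCS WLAN-cfc186f4" rrm=yes wnm=yes
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration="VLAN 24 2.4" name-format=%I-2G slave-configurations=\
    "VLAN 26 2.4,VLAN 26 2.4 IoT,VLAN 40 2.4,VLAN 50 2.4,VLAN 60 2.4,VLAN 168 2.4,VLAN 500 2.4" supported-bands=2ghz-ax
'''

def parse_export(text):
    """Return {menu path: [dict of key=value pairs per add/set line]}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join lines continued with a trailing backslash
    menus, current = defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            pairs = (tok.partition("=") for tok in shlex.split(line)[1:])
            menus[current].append({k: v for k, _, v in pairs})
    return menus

def audit(text):
    menus, findings = parse_export(text), []
    # One master plus every slave configuration becomes an SSID on that radio.
    for rule in menus["/interface wifi provisioning"]:
        slaves = [s for s in rule.get("slave-configurations", "").split(",") if s]
        count = 1 + len(slaves)
        if count > MAX_SSIDS_PER_RADIO:
            findings.append(f"{rule.get('supported-bands', '?')}: {count} SSIDs per radio")
    # Assumption: a steering profile is linked via steering=<name> on a configuration.
    linked = {c.get("steering") for c in menus["/interface wifi configuration"]}
    for prof in menus["/interface wifi steering"]:
        if prof["name"] not in linked:
            findings.append(f"steering profile {prof['name']} is not linked")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)))
```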
 
stefanelul2000
newbie
Topic Author
Posts: 29
Joined: Fri Feb 23, 2018 6:08 pm

Re: CAPsMAN & CAP-AX Wireless issues

Wed Sep 18, 2024 1:56 pm

> Looks like you configured steering profiles, but they are not linked to configuration profiles. Also do not use access-list for signal checking, it's a thing of the past. And try to define an FT domain in the security profiles, a different number (hex) for each one.
>
> Anyway it's really a lot of SSIDs...
>
> > We have about 2-3 APs per floor positioned as best as possible as to not physically overlap.
>
> I don't know how this was meant, signals should overlap but on different channels.

Well it's not 15 SSIDs in total, only 8, but yes they are too many even in my view. It wasn't really my decision to have that many configured. I'll try to lower them down to only 2-3 SSIDs.
 
stefanelul2000
newbie
Topic Author
Posts: 29
Joined: Fri Feb 23, 2018 6:08 pm

Re: CAPsMAN & CAP-AX Wireless issues

Wed Sep 18, 2024 1:59 pm

> Looks like you configured steering profiles, but they are not linked to configuration profiles. Also do not use access-list for signal checking, it's a thing of the past. And try to define an FT domain in the security profiles, a different number (hex) for each one.
>
> Anyway it's really a lot of SSIDs...
>
> > We have about 2-3 APs per floor positioned as best as possible as to not physically overlap.
>
> I don't know how this was meant, signals should overlap but on different channels.

I have unlinked them also as a test, I have tried a lot of different things.
To be honest I lost track.

Also, I have an issue with the 2.4 channels: even though I list 3 of them and expect that the APs will choose one after a scan, they all go to a single channel.
Why should I not use access-list if they are still available? Any better / alternative way to perform this implementation?
What advantages do the FT Domains bring?
 
erlinden
Forum Guru
Forum Guru
Posts: 2495
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: CAPsMAN & CAP-AX Wireless issues

Wed Sep 18, 2024 2:07 pm

Use fixed channels and lower their transmission power on the 2.4GHz radios.
Second best, add reselect-interval to let the radios periodically scan for best frequencies.
 
holvoetn
Forum Guru
Posts: 6322
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPsMAN & CAP-AX Wireless issues

Wed Sep 18, 2024 2:24 pm

My take:

1- Plan your channels, both on 2.4 and 5GHz, so they don't overlap. It helps to use drawings of the building/floor.
2- Try to avoid DFS channels _if possible_
3- Use provisioning rules so you KNOW which channels get fixed assigned to which cap. You can also use regex expressions if you name your caps in a usable way. I prefer provisioning rules based on MAC address. A bit more preparation work upfront but always right afterwards.
4- Don't squeeze the max out of those connections. Stability and reliability are more important here (which means using narrower channel width. Max 40MHz, even go as low as 20MHz on 5GHz)

If you leave it up to "luck" which channel gets assigned where, when and how, you're also left to luck as far as performance is concerned.
E.g. if you use free channel assignment in combination with DFS, you have to accept your 5GHz connections will sometimes drop for up to 10 minutes, sometimes multiple times a day.
E.g. if all CAPs are left on their own to use the same 2.4GHz channel by accident, performance will drop substantially. Air spectrum will not have a lot of room to pass any data then.
 
infabo
Forum Guru
Posts: 1356
Joined: Thu Nov 12, 2020 12:07 pm

Re: CAPsMAN & CAP-AX Wireless issues

Wed Sep 18, 2024 2:42 pm

Yes, I second that.

reselect-interval kind of helps when you have neighbor SSIDs not in your control which switch channels or something. So it is more a thing for the unexpected. Better plan your channels manually and don't rely on "auto". One case Mikrotik did not think of for a CAPsMAN setup: after provisioning or power loss all APs start a "CAC" simultaneously. That's why they often choose the same frequency. That's a really weird thing and I wonder why Mikrotik does nothing about this "dumbness". IMHO CAPsMAN must make sure that CAPs do not scan at the same time. Of course it could make sense to use the same channel on e.g. CAPs located very far apart, as they do not interfere with each other. But CAPs near each other must avoid using the same channels. Mikrotik, are you reading?

But still: better use proper provisioning rules and restrict available frequencies by CAP for reliable and non-overlapping distribution of channels.
 
stefanelul2000
newbie
Topic Author
Posts: 29
Joined: Fri Feb 23, 2018 6:08 pm

Re: CAPsMAN & CAP-AX Wireless issues

Wed Sep 18, 2024 8:27 pm

> My take:
>
> 1- Plan your channels, both on 2.4 and 5GHz, so they don't overlap. It helps to use drawings of the building/floor.
> 2- Try to avoid DFS channels _if possible_
> 3- Use provisioning rules so you KNOW which channels get fixed assigned to which cap. You can also use regex expressions if you name your caps in a usable way. I prefer provisioning rules based on MAC address. A bit more preparation work upfront but always right afterwards.
> 4- Don't squeeze the max out of those connections. Stability and reliability are more important here (which means using narrower channel width. Max 40MHz, even go as low as 20MHz on 5GHz)
>
> If you leave it up to "luck" which channel gets assigned where, when and how, you're also left to luck as far as performance is concerned.
> E.g. if you use free channel assignment in combination with DFS, you have to accept your 5GHz connections will sometimes drop for up to 10 minutes, sometimes multiple times a day.
> E.g. if all CAPs are left on their own to use the same 2.4GHz channel by accident, performance will drop substantially. Air spectrum will not have a lot of room to pass any data then.

Regarding 3, honestly I feel sad that I would have to do that. From my point of view, having to manually provision (in terms of rules) each AP defeats the purpose of having everything in a controller. I have worked with Unifi, Ruckus, Meraki and even Alcatel Lucent and I never ever had to work this much to even get an acceptable/usable wifi connection. For sure that was not the intention of Mikrotik... I hope.
 
holvoetn
Forum Guru
Posts: 6322
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: CAPsMAN & CAP-AX Wireless issues

Wed Sep 18, 2024 9:57 pm

Obviously you can leave everything to auto and use the controller to do its thing.
But it may result in a sub-optimal setup.
That's my personal view.

Mikrotik gives you the advantage to take all those things in your own hands and decide what frequency gets used where.
