Mikrotik and Wireless Interference – Deploying High Density WiFi with CAPsMAN
This post is brought to you by over 100 hours of blood, sweat, and maybe a few tears, in making an optimal Mikrotik-based high density wireless system. One of the hardest projects I’ve ever done, but wow it feels good to be at the end. How to configure a wireless network using Mikrotik Access Points, and handling the wireless interference that comes from high-density deployments.
Controlled Access Point System Manager, what a mouthful. It can be your best friend in managing a very complex wireless network. When it’s set up correctly, you can just connect a WAP, it will automatically pull its settings based on it’s name, with multiple SSIDs going to separate networks (datapaths), able to cut through interference and give your clients a positive wireless experience.
When setup poorly, expect a world of pain to crash down on you, from intermittent connectivity (which plagues all wireless systems with interference), non-automatically provisioning devices, and bogged down WAPs.
The goal of this very long post is to set everything up correctly.
We will cover the following:
- Configuring CAPsMAN
- Dynamic Provisioning by Regular Expressions (RegExp)
- Local Forwarding / Client to Client Forwarding
- Security Cfg
- Access List
- Access Rates – The Answer to High Density interference
- Setting Mikrotik WAP to CAP mode by button presses
Make sure your device is updated to the newest BugFix or Current release: System > Packages > Check for Updates. Once done, you’ve got CAPsMAN v2.
- For starters, turn on CAPsMAN:
- CAPsMAN > Interfaces > CHECK: Enabled > OK
- Provisioning is the rules of assignment of settings to a WAP. Basically, if the device asking for settings (a WAP/CAP) matches these rules, it will be given these settings.
- Example: If the AP is named, “AP06”, it will be dynamically-enabled (approved/adopted), and given the master config “Private WiFi” and the slave config “Guest WiFi”.
- If you set your Radio MAC to the default of: 00:00:00:00:00:00, it will accept connections on any of the router’s interfaces.
- Action: Create Dynamic Enabled, will accept any CAP device asking for a config.
- Regular Expressions
- For this purpose, Regexp is a rule that allows you to approve devices by name.
- I have 15 APs, numbered: AP01-AP15
- I want APs 01-08 to have config1, and APs 09-15 to have config2.
- Regexp Example (Config1): AP0[1-8]
- AP0 is static, this must match the first part of the identity.
- [1-8] means the character after 0, can be different, but within the range 1-8.
- Regexp Example (Config2): AP09|AP1[0-5]
- AP09 is static, this matches the AP with the exact identity of “AP09”
- The Pipe Symbol ‘|’, above the enter key, stands for “or”.
- AP1 is static, range for the character after 1 can be 0-5, so this matches APs 10-15
- Master Configuration
- You’ll need to define your configurations later, but a config is the “profile” of everything from SSID to password to channel used to transmit power. You can stack configurations as slaves, the master defines the major settings though, like channel used to broadcast and transmit power.
- Slave Configuration: The slaves are more for data-paths (where network traffic will be routed to) and different SSIDs/Passwords. You could have one master config, and for example, 3 other SSIDs as slave configs.
- It is recommended to not use more than 4 SSIDs per WAP to reduce on beacon-time (gobbles up a good chunk of usable broadcasting frames).
- Name Format
- I recommend always using Identity. This will make it much easier to figure out which Radios belong to what device. You will need to edit the identity though of each AP, under System > Identity. (Add a password to each AP while you’re at it! System > Password).
In short, traffic connected to this SSID, will go into this network/bridge. This feature through CAPsMAN was a life saver for a multi-subnet network, because some SSIDs had to be isolated from each other, rather than having to VLAN every SSID to each WAP through switches to get to their respective networks, the Mikrotik Router/CCR simply pops the traffic into it’s respective bridge.
Local forwarding means all of the traffic from the client goes directly to the master router for well, routing.
Client-to-Client forwarding means clients connected to the same AP can talk directly to each other, no need to go all the way through the network just to talk to someone in the same room as you.
I recommend having Local Forwarding off: This means click on the arrow that unlocks the setting, and leave the box unchecked.
I recommend having Client to Client forwarding on: expand the setting, and check the box.
A configuration is a profile containing other settings, like SSID, channel, and password (Security Cfg).
In your configuration, define your SSID, I also recommending setting a Max Station Count to keep your APs from getting overloaded. Use the “rule of 15”, that is, 15 clients per physical antenna max. You’ve got a 2×2 wireless access point? Great! After you have more than 30 clients connected, your WAP will be brought to its knees and all clients will be miserable with poor connectivity. Add up your antennas, and reduce by a few. For example, on a Mikrotik WAP, which is 2×2, I set my Max Station Count to 25.
- HW Retries
- In the event a wireless frame fails or is dropped, how many times the WAP will attempt to resend the frame before moving on. Default is 15, I recommend using 4 if you are in high-density.
Though you can define your frequencies explicitly, and it can help a lot with interference, it can be very challenging to manage. If you do decide to define your frequencies, only use channels 1, 6, and 11, as they offer full spatial separation from one another — less interference. If you don’t manually specific channels, the AP will do a frequency scan and look for the least-busy channel, and select that.
Always use 20MHz for 2.4GHz. This is the width of the channel a client can use to transmit speed, the larger the width, the higher the maximum speed can be. In reality, unless your clients need more than 54Mbps of traffic, there is no benefit of going 40MHz. You really start to see gains in the 5GHz spectrum, or in point-to-point links over large distances. 20MHz is an absolute must for high-density.
I recommend having a few different power levels, here is my go-to example:
- Frequency: Blank (automatic based on channel scan)
- Width: 20MHz
- Band: 2ghz-onlyn
- By not allowing a or b clients you allow for much more efficient bandwidth utilization. If you need some older equipment connected, you may need to use 2ghz-g/n.
- Extension Channel: Disabled
- Extension Channel is 20Mhz + another range. Mainly useful in very small offices or homes, effectively bumps you up to 40MHz for higher speeds.
- Tx Power: 12dB
- Depends on your device, if you’ve got your own external antennas, don’t go too high or risk burning out the amplifiers.
- Everything is the same except Tx Power is 16dB.
- Everything is the same except Tx Power is 18dB.
More power does not mean better WiFi. Just as you amplify your signal, you also amplify noise. As power goes up, sensitivity goes down, and vice versa. You will have much better coverage and usable WiFi with more WAPs running at lower power, rather than just one super-powerful WAP.
If you have overlapping APs, less is more, counter-intuitive of what you may naturally think. “Signal is bad and I’m dropping packets, boost the range, that will help!” — Wrong! Higher loads require more ability to get the signal through the noise. If you’ve got high density loads, lower power will give you FAR better results, at the expense of reduced range.
- WPA2 PSK
- Encryption: AES CCM
- Group Encryption: AES CCM
- Passphrase: YourPassword
One important note — Group Key Timeout, a critical setting for Apple devices like iPhones or MacBook Pros, can only be set via the Winbox terminal. I recommend using 1 hour as your minimum. This setting was added to CAPsMAN in 6.38.5.
Example terminal code:
/caps-man security set Security-Config group-key-update=1h To confirm: /caps-man security get Security-Config print
For “ghetto-roaming”. That is, non-zero-handoff. If you want seamless roaming, you’ll need to spend more than $40/Mikrotik WAP, and even Ubiquiti’s $200 WAPs are incredibly unreliable for zero-handoff. To get true seamless roaming you’re looking at $400/WAP minimum. However, if you are ok with a 0.5s-3s drop while switching from WAP to WAP, this has what you need:
Access List, at the top add an accept rule:
- Action: Accept
- If your signal is between -88dB and +120dB, you are allowed to connect.
- Action: Reject
- If your signal drops below -89dB, you’re kicked from this AP, go find another AP to connect to that has a stronger signal.
Your usable signal depends on the equipment you are using. With Ubiquiti, expect signal to become unusable after -75dB. For Mikrotik, I tend to get unusable signal ariybd -86dB. The reject rule goes into effect once the client signal drops below the defined strength for about 2 seconds.
From here, it’s entirely on the client to choose how aggressively (quickly) to roam to another AP. General results are between 1-3 seconds, but some very crappy old (<2004)equipment can take up to 8-10s to flip over to another available AP.
Access Rates — How to Handle Massive Interference
This is the big one, your very definition of handling high-density interference. By default, all access rates are approved, everything from 1Mbps to 54Mbps. This is the difference between standing 5 feet from the WAP, and being unable to connect or having 90% packet loss due to interference, and everything working flawlessly.
You could get a Ph.D. on access rates alone, but I’ll do my best to explain what is going on.
The issue is time, you only have so long to transmit a signal between your WAP and client devices. Let’s use some fake numbers, in reality, it’s in the microsecond timescale, but let’s use a scale of 10 seconds.
Remember, there is only one “wire” — the air! So only one device can talk at a time.
- The beacon (announcement of the SSID) takes up 1 second.
- The WAP speaks, sending data to your laptop for 2 seconds, the laptop listens.
- The laptop responds for 2 seconds, the WAP listens.
- A cell-phone receives data from the WAP.
- The cell-phone responds with data to the WAP.
- The WAP announces the frame is over, we have 10 more seconds to talk.
What if we were able to let everyone speak faster. So the laptop doesn’t require 2 full seconds to speak its sentence/frame (1Mbps), it only needs 0.1s (54Mbps). Because devices are talking more quickly, we can squeeze in more conversations — more devices, more load!
This is the essence behind access rates. The faster you can talk, the more load you can handle. The downside is you must have a good signal to speak quickly and have the WAP still understand you. If you’re 200 feet away with -85dB signal, you can’t talk as quickly, maybe 6Mbps, you’re taking up more time…. load is reduced and interference goes up if there are a lot of people or cell-phones idling in pockets, transmitting at 1Mbps….
So how do we handle this? — Add more access points for the range issue, and require everyone who wants to speak/communicate to only speak quickly.
Basic means minimum. This is the minimum speed the WAP will speak with your device. If it’s your house, 1Mbps is fine. If it’s a stadium with 10,000 people, try 24Mbps or 36Mbps as the minimum. You only check a single box for basic. From there, how high do you want to go? I personally recommend for a high-density, high-interference environment, to use 36Mbps as your minimum, and 36, 48, and 54 as your supported rates.
MCS Rates: MCS is a series of overlapping rates, why have just one stream when you can layer them for more speed?
For example, MCS Index 3, is the speed 26Mbps on 802.11n. I recommend enabling all MCS Indexes which are not QPSK or BPSK. This would mean, check all boxes except for: 0,1,2,8,9,10,16,17,18,24,25,26. Enabling the MCS Indexes will massively boost your speeds for 802.11n.
VHT MCS: same as above, but it’s for 5GHz rather than 2GHz, they are restricted into the ranges of 0-7, 0-8, and 0-9. I recommend 0-9.
Many cell-phones idle at 1Mbps to stay connected to their WAP but not use much power. However, we don’t want 20 cell phones in pockets, not transmitting, to take up active slots on our WAPs. If your phone tries idling for low power, it gets kicked off because it’s access rate is low. The moment you wake up the phone, you’ll reconnect back at the full-power rates and be able to browse the internet.
Mikrotik – Enter CAP Mode
You need to upgrade your packages in order for an AP in CAP mode to be adopted by a CAPsMAN controller. If under “System > Packages”, everything shows 2015, you’re on CAPsMAN v1, your device will not be adoptable by a CAPsMAN v2 controller. Manually update the packages on the Mikrotik AP, the next time it reboots, it will provision according to your CAPsMAN provisioning rules.
This is a step that was surprisingly difficult to learn, hard to find any clear notes on it. Though there is “Quick Set: CAP” option, it never seems to work for me no matter how many devices I try. The best method I’ve found to put a WAP into CAP mode — ready to be adopted by a CAPsMAN controller, is a special set of holding the reset button at boot.
For the WAP:
- Unplug power/PoE.
- While holding down the reset button, connect power/PoE.
- All 4 lights will turn on (booting).
- The middle two lights will begin blinking
- The CAP light will turn on
- LET GO OF RESET!
- The middle two lights will flash very quickly for 1 second, and the WAP will reboot, now as DHCP Client (rather than a DHCP Server) and CAP mode enabled, ready to be adopted.
You will know if you are in CAP mode upon logging into an AP, it takes a good 30 full seconds to come back up after going into CAP mode. After it’s been reset, it will either say “ap-bridge” mode — the default for a router, or “cap mode”, ready for being adopted. Now give it a name through System > Identity, such as AP05 or CompanyAP12, whatever naming format you want. Set a password. The CAP should be auto-adopted by your CAPsMAN Controller and pull SSIDs and other settings.
That’s it for now, have fun and good luck!