How many connections does mikrotik wap support? Setting up secure wireless networks MikroTik hAP AC

The new 2G/3G/4G device from MikroTik uses the enclosure of the wAP series and is the company’s first multi-band unit in this line; last year’s wAP LTE supported only LTE, which limited where it could be used.

This model lets us cover, with one device, both stationary scenarios - a small house outside the city, an apartment in town - and mobile ones such as Wi-Fi hotspots in minibuses, city and intercity buses and, of course, private and company cars.

For vehicle use, a power connector is integrated on the board with two positive inputs: constant plus and plus switched by the ignition. A cable with the matching connector is included in the delivery set.


By opening the lid we get access to power connectors, Ethernet, indicators, SIM card slot and reset button



Having removed the case, we see the wi-fi antenna module and two LTE antennas similar in size to the ZyXEL MAX-206M2


PoE (8-30V), DC (8-30V) and vehicle power (8-30V) are available.


miniPCIe 2G/3G/4G module R11e-LTE, 2 x U.FL (Ultra Miniature Coaxial Connector Receptacle) Male connectors located on top


Module Specification:

2G Multislot Classes for GPRS/EGPRS

Multislot Class | Downlink TS | Uplink TS | Active TS
12              | 4           | 4         | 5

3G Category 14 (21 Mbps Downlink, 5.76 Mbps Uplink)

Evolved HSDPA User Equipment (UE) categories

Category | Release | Max. HS-DSCH codes (per cell) | Modulation | MIMO, Multi-Cell | Code rate at max. data rate | Max. downlink speed (Mbit/s)
14       | 7       | 15                            | 64-QAM     | -                | 0.98                        | 21.1

LTE Category 4 (150 Mbps Downlink, 50 Mbps Uplink)

E-UTRA Band | Duplex Mode | f (MHz) | Common name            | Subset of Band | Uplink (UL): BS receive / UE transmit (MHz) | Downlink (DL): BS transmit / UE receive (MHz) | Duplex spacing (MHz) | Channel bandwidths (MHz)
1           | FDD         | 2100    | IMT                    | 65             | 1920 – 1980                                 | 2110 – 2170                                   | 190                  | 5, 10, 15, 20
2           | FDD         | 1900    | PCS blocks A-F         | 25             | 1850 – 1910                                 | 1930 – 1990                                   | 80                   | 1.4, 3, 5, 10, 15, 20
3           | FDD         | 1800    | DCS                    | -              | 1710 – 1785                                 | 1805 – 1880                                   | 95                   | 1.4, 3, 5, 10, 15, 20
7           | FDD         | 2600    | IMT-E                  | -              | 2500 – 2570                                 | 2620 – 2690                                   | 120                  | 5, 10, 15, 20
8           | FDD         | 900     | E-GSM                  | -              | 880 – 915                                   | 925 – 960                                     | 45                   | 1.4, 3, 5, 10
20          | FDD         | 800     | EU Digital Dividend    | -              | 832 – 862                                   | 791 – 821                                     | −41                  | 5, 10, 15, 20
38          | TDD         | 2600    | IMT-E (Duplex Spacing) | 41             | 2570 – 2620                                 | 2570 – 2620                                   | N/A                  | 5, 10, 15, 20
40          | TDD         | 2300    | -                      | -              | 2300 – 2400                                 | 2300 – 2400                                   | N/A                  | 5, 10, 15, 20

(TDD bands use a single range for uplink and downlink, so duplex spacing does not apply.)

The reverse side of the board contains a slot for a SIM card.





Equipment


Pros of the device

  • The most affordable 2G/3G/4G modem, connected through a miniPCIe slot and seen by the system as a USB device; switching between bands takes about 15 seconds
  • Built-in multi-band 4.5dBi MIMO antennas
  • Unlike the wAP LTE 2nD donor board, a heatsink is installed on the chipset
  • signal-level indication on the LEDs; the thresholds are set in software under System - LEDs
  • Power connector for car included
  • a security bolt for the cover and a key are included, the bolt is equipped with a spring, there is no need to catch it when unscrewing

Disadvantages of the device

  • Inconvenient SIM slot with no eject spring: the SIM card can only be removed by disassembling the device or with tweezers

UPDATES

The MikroTik product range now includes new accessories for retrofitting the wAP LTE kit with an external panel antenna:

  • ACSMAUFL cables - ACSMAUFL - pigtail U.fl-SMA - 2 pcs
  • mANT LTE 5o - MTAO-LTE-5D-SQ - 5dBi LTE antenna
  • SMASMA - cable assembly 1m SMA male - SMA male - 2 pcs

Testing the performance of different versions of ROS using the example of the Beeline operator

Factory default version ROS 6.39.2


Latest Release candidate version of ROS 6.43.14


Latest version of Bugfix only ROS 6.40.8


There is no significant difference in speeds; release candidate ROS 6.43.14 gives greater speed, but this can be attributed to measurement error

Settings

UPDATE: it is best not to touch the modem settings; in automatic mode the modem registers on the network faster. The one thing worth doing is to untick GSM (GPRS/EGPRS class 12), which we do not need: its throughput is useless by today’s standards.

In manual band selection mode the modem takes much longer to register on the operator’s network.

Changes since RouterOS 6.41:


APN profiles

The apn parameter has moved to the LTE - APN profiles tab:

/interface lte apn add name=profile1 apn=internet authentication=chap password=web user=web

Example for the Yota operator:

/interface lte apn add name=profile1 apn=yota.ru

Select a profile for the current LTE connection:

/interface lte set apn-profiles=profile1

The web interfaces of consumer USB modems pick the preset automatically by matching the profile to the operator; MikroTik does not have this functionality yet.

Passthrough

Starting with RouterOS v6.41, some LTE interfaces support LTE Passthrough: the IP configuration from the operator is applied directly to a client device instead of to the router. The modem firmware then handles the IP configuration, and the router is used only to set modem parameters (APN, network technologies and IP type); the router itself will not receive an IP configuration from the modem. A passthrough modem can pass both IPv4 and IPv6 addresses if the modem supports them. Some modems support multiple APNs, in which case traffic from each APN can be passed to a specific router interface.

Passthrough works for one host only. The router takes the MAC address from the first packet it receives on the passthrough interface and uses it for passthrough; if there are several hosts on that network, lock passthrough to a specific MAC with passthrough-mac. The host that receives the address must run a DHCP client on that interface. Note that it will then not be possible to reach the LTE router via the public IP address, nor from the passthrough host itself. For management, create an additional connection between the LTE router and the host, for example a VLAN interface on the same port.

Let's configure Passthrough on the ether1 interface:

/interface lte apn add apn=apn1 passthrough-interface=ether1
/interface lte set lte1 apn-profiles=apn1

Let's configure Passthrough on the ether1 interface for host 00:11:22:33:44:55:

/interface lte apn add apn=apn1 passthrough-interface=ether1 passthrough-mac=00:11:22:33:44:55
/interface lte set lte1 apn-profiles=apn1
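As an added example (not from the original article), here is a complete passthrough setup that keeps management access to the router: the operator-assigned public IP is handed to a single host on ether1, and a tagged VLAN on the same cable carries a private management network, as the text above suggests. ether1 is taken out of the default bridge first, because a passthrough interface must be a plain port. The VLAN id 99, the 192.168.99.0/24 subnet, the APN name internet and the host MAC 00:11:22:33:44:55 are assumptions; replace them with your own.

```routeros
# Added example, not the article's own configuration.
# Assumptions: lte1 is the LTE interface, ether1 faces the single passthrough host,
# VLAN 99 / 192.168.99.0/24 is the management network, APN "internet",
# host MAC 00:11:22:33:44:55.

# 1. ether1 must be a plain interface, not a bridge port, to act as passthrough interface
/interface bridge port remove [find interface=ether1]

# 2. Management VLAN on the same cable; the host gets a tagged VLAN 99 sub-interface
#    with 192.168.99.2/24 and reaches Winbox/SSH at 192.168.99.1
/interface vlan add name=mgmt interface=ether1 vlan-id=99
/ip address add address=192.168.99.1/24 interface=mgmt
# keep the default "drop all not coming from LAN" input rule effective: mgmt joins the LAN list
/interface list member add interface=mgmt list=LAN

# 3. APN profile that passes the operator-assigned IP straight to the host on ether1.
#    passthrough-mac pins it to one MAC; without it the first host seen on ether1 wins.
/interface lte apn add name=pt-apn apn=internet passthrough-interface=ether1 \
    passthrough-mac=00:11:22:33:44:55
/interface lte set lte1 apn-profiles=pt-apn

# 4. Check: lte1 registers, but the router itself holds no address on it any more
/interface lte info lte1 once
/ip address print where interface=lte1
```

On the host, enable the DHCP client on the untagged interface (it receives the public IP with the modem as its default gateway) and give the VLAN 99 sub-interface a static 192.168.99.2/24. The host now sits on the Internet with no NAT or router firewall in front of it, so its own host firewall must be in order before this is enabled.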

Binding R11e-LTE to the base station sector

Using the following command in terminal

/interface lte info lte1 once

We get the modem status:

> /interface lte info lte1 once
pin-status: no password required
functionality: full
manufacturer: "MikroTik"
model: "R11e-LTE"
revision: "MikroTik_CP_2.160.000_v001"
current-operator: 25099
lac: 578
current-cellid: 200005126
phy-cellid: 74
access technology: Evolved 3G (LTE)
session-uptime: 1h33m38s
imei:
earfcn: 3300 (band 7, bandwidth 10Mhz)
rsrp: -90dBm
rsrq: -10dB
sinr: 5dB
cqi: 15

Of these values we need phy-cellid: 74 and earfcn: 3300 (band 7, bandwidth 10 MHz); we will work with them below.

Using these acquired variables, you can send an AT command to the modem to block the BS sector in the following format:

AT*Cell=<mode>,<NetworkMode>,<band>,<EARFCN>,<PCI>

where:
mode: 0 – cell/frequency lock disabled, 1 – frequency lock enabled, 2 – cell lock enabled
NetworkMode: 0 – GSM, 1 – UMTS_TD, 2 – UMTS_WB, 3 – LTE
band: only needed when locking to a band; usually left empty
EARFCN: the earfcn value from lte info
PCI: the phy-cellid value from lte info

To lock the modem to LTE and to the sector it was using above, send the following AT command:

/interface lte at-chat lte1 input="AT*Cell=2,3,3300,74"

This form omits the empty band position; written with all five fields it would be AT*Cell=2,3,,3300,74. If the modem answers ERROR to one form, try the other, and confirm with /interface lte info lte1 once that phy-cellid and earfcn stay fixed afterwards.

Unfortunately, after rebooting the device or resetting the modem, all installed locks are lost.

If you wish, you can always write a script that will automatically enter the same parameters
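An added example of such a script (not part of the original article): it waits for the LTE interface to come up, sends the lock command and logs the modem’s answer. Paste it as the source of a script named lte-cell-lock under System - Scripts. The EARFCN 3300 and PCI 74 are the values from the lte info output above and must be replaced with your own; the command form follows the one used above (no explicit band field).

```routeros
# Added example, not from the original article. Re-applies the R11e-LTE cell lock
# after a reboot or modem reset, when the modem forgets it.
# Assumed values: interface lte1, EARFCN 3300, PCI 74 (taken from the lte info output above).
:local lteIf "lte1"
:local earfcn 3300
:local pci 74

# mode 2 = cell lock, network mode 3 = LTE, then EARFCN and physical cell id
:local cmd ("AT*Cell=2,3," . $earfcn . "," . $pci)

# the modem answers AT commands only once the interface is running; wait up to 5 minutes
:local tries 0
:while ((([/interface get $lteIf running]) = false) && ($tries < 30)) do={
    :delay 10s
    :set tries ($tries + 1)
}

:if (([/interface get $lteIf running]) = false) do={
    :log warning ("lte-cell-lock: " . $lteIf . " not running, lock not applied")
} else={
    # as-value returns the modem's reply as an array; "output" should contain OK
    :local reply [/interface lte at-chat $lteIf input=$cmd as-value]
    :log info ("lte-cell-lock: sent " . $cmd . ", modem replied: " . ($reply->"output"))
}
```

Then run it at every boot with a scheduler entry: /system scheduler add name=lte-cell-lock-boot start-time=startup interval=0 on-event=lte-cell-lock. Watch the log after the next reboot; if the modem replies ERROR, switch the command to the five-field form with the empty band position.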

Default configuration

It can be printed in the terminal with the following command (best done over ssh, as the output is long):

/system default-configuration print

This is a classic configuration export; note that the manufacturer uses interface lists and a static DNS entry:

#| LTE CPE Router with wireless AP:
#|  * lte interface connected to providers network (WAN por>
#|  * WAN port is protected by firewall and enabled DHCP cl>
#| wlan1 Configuration:
#|     mode:           ap-bridge;
#|     band:           2ghz-b/g/n;
#|     ht-chains:      0,1;
#|     ht-extension:   20/40mhz-Ce;
#| LAN Configuration:
#|     IP address 192.168.88.1/24 is set on bridge (LAN por>
#|     DHCP Server: enabled;
#|     DNS: enabled;
#| WAN (gateway) Configuration:
#|     gateway:  lte1 ;
#|     ip4 firewall:  enabled;
#|     NAT:   enabled;
/interface lte
set [ find ] add-default-route=yes default-route-distance=2 mac-address=00:00:00:00:00:00 name=lte1 use-peer-dns=yes
/interface bridge
add admin-mac=E4:8D:8C:3B:1C:BA auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-000000
/ip neighbor discovery
set lte1 discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

Quick Set is an automatic configuration wizard that helps you quickly, without diving into the depths of fine-tuning RoS, configure your router and start using it. Depending on your device, several templates may be available to you:

Safety

The default configuration no longer allows connections to the router from an external network, but that protection rests on the packet filter alone. Do not forget to set a password for the admin user. So, in addition to filtering and a password, I do the following:

Availability on external interfaces

I disable the services that are not needed on a home network (and on most other networks too), and restrict the remaining ones to their intended scope by specifying the addresses from which they may be reached.

The next step will be to limit the detection of the router by searching for neighbors. To do this, you must have a list of interfaces where this protocol can work, let's configure it:

/interface list add exclude=dynamic name=discover

Add to the discover list the interfaces on which the Neighbor Discovery protocol should work, then point the protocol at that list in its settings.

In a simple home configuration the same list can also hold the interfaces on which MAC-level access (MAC Telnet and MAC Winbox) is allowed, for situations where IP is not available, so configure that function in the same way.

Now, the router will become “invisible” on external interfaces, which will hide information about it (not all of it, of course) from potential scanners, and even deprive bad guys of an easy opportunity to gain control of the router.

DDoS protection

Now, let's add some simple rules to the packet filter:

/ip firewall filter
add action=jump chain=forward connection-state=new in-interface-list=ISP jump-target=anti-DDoS
add action=jump chain=input connection-state=new in-interface-list=ISP jump-target=anti-DDoS
add action=drop chain=forward connection-state=new src-address-list=BAN-DDoS
add action=drop chain=input connection-state=new src-address-list=BAN-DDoS
add action=return chain=anti-DDoS dst-limit=15,15,src-address/10s
add action=add-src-to-address-list address-list=BAN-DDoS address-list-timeout=1d chain=anti-DDoS
add action=jump chain=input connection-state=new dst-port=22,8291 in-interface-list=ISP jump-target=anti-BruteForce-3 protocol=tcp
add action=drop chain=forward connection-state=new src-address-list=BAN-BruteForce-3
add action=drop chain=input connection-state=new src-address-list=BAN-BruteForce-3
add action=return chain=anti-BruteForce-3 dst-limit=4/1m,1,src-address/1m40s
add action=add-src-to-address-list address-list=BAN-BruteForce-3 address-list-timeout=1d chain=anti-BruteForce-3

Place them after the defconf rule for the ICMP protocol. ISP is the interface list facing the provider (WAN in the default configuration; use whichever name you have). The two drop rules in the input chain for the BAN lists are added here to the original set: without them a banned address is blocked from forwarding through the router but can still reach the router’s own ssh and winbox.

The result is a one-day ban for anyone who tries to open more than 15 new connections per second. Whether 15 connections is too many or too few is a moot point; choose the number yourself. I chose 50 for corporate use, and I get 1-2 such bans per day. The second group of rules is much stricter: it watches connection attempts to ssh (22) and winbox (8291), allows about four new attempts per minute (dst-limit=4/1m), and anything beyond that earns a day of rest ;). If you need to expose a DNS server to the Internet, a similar rule can block DNS amplification attacks, but the solution is not ideal and produces many false positives.

RFC 1918

RFC 1918 describes the address ranges reserved for private networks, which are not routed on the global Internet. It therefore makes sense to block traffic from and to such networks on the interface facing the provider, unless the provider gives you a private (CGNAT) address.

/ip firewall address-list
add address=10.0.0.0/8 list="RFC 1918"
add address=172.16.0.0/12 list="RFC 1918"
add address=192.168.0.0/16 list="RFC 1918"
/ip firewall filter
add action=drop chain=input comment="Drop RFC 1918" in-interface-list=WAN src-address-list="RFC 1918"
add action=drop chain=forward comment="Drop RFC 1918" dst-address-list="RFC 1918" out-interface-list=WAN
add action=drop chain=output comment="Drop RFC 1918" dst-address-list="RFC 1918" out-interface-list=WAN

Place these rules closer to the beginning and do not forget to add to the list the WAN interface facing the provider.

UPnP

A rather controversial technology that lets applications ask the router to forward ports through NAT. The protocol works without any authorisation or control (the standard simply has none), so it is often a point of weakened security. Configure it as you see fit; on a router that does not need it, disable it.

SIP Conntrack

It is also worth disabling the SIP conntrack helper (ALG), which can cause erratic VoIP behaviour; most modern SIP clients and servers work fine without it, and with SIP over TLS it cannot see the signalling at all, so it is useless.
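The items above (services restricted to the LAN side, neighbor discovery and MAC-level access limited to the discover list, UPnP off, the SIP helper off) as one added terminal session; these are example commands, not the article’s own. It assumes the default configuration with a bridge interface on the LAN side and 192.168.88.0/24 as the management subnet, and that the discover list from the text may already exist.

```routeros
# Added example, not from the original article. Assumes the default configuration:
# LAN on "bridge", subnet 192.168.88.0/24, interface list "discover" as in the text.

# 1. Set a password for admin before anything else (replace the placeholder)
/user set [find name=admin] password="change-me-to-a-long-passphrase"

# 2. Services: disable what is not used, bind the rest to the LAN subnet
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
/ip ssh set strong-crypto=yes

# 3. Neighbor discovery (MNDP/CDP/LLDP) only on the listed interfaces
#    (skip the first line if the list was already created as shown above)
/interface list add name=discover exclude=dynamic
/interface list member add list=discover interface=bridge
/ip neighbor discovery-settings set discover-interface-list=discover

# 4. MAC Telnet / MAC Winbox only on the same interfaces, MAC ping off
/tool mac-server set allowed-interface-list=discover
/tool mac-server mac-winbox set allowed-interface-list=discover
/tool mac-server ping set enabled=no

# 5. UPnP: no unauthenticated port-forwarding requests
/ip upnp set enabled=no

# 6. SIP conntrack helper off; the bandwidth-test server is open by default, close it too
/ip firewall service-port set sip disabled=yes
/tool bandwidth-server set enabled=no

# 7. Verify
/ip service print
/ip neighbor discovery-settings print
/tool mac-server print
```

Run it from the LAN side: once winbox is bound to 192.168.88.0/24 and MAC Winbox is limited to the discover list, a session over the WAN interface will drop.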

Dynamic and nested lists of interfaces

This feature appeared only recently (in version 6.41) and is very convenient. However, there is an unpleasant bug (I reported it, but it has not been fixed yet): after a router restart, firewall rules that use such lists do not match the interfaces contained in the child lists. It is cured by re-adding the child lists, and that is easy to automate.

In the Scheduler, add a script for the startup event (the interface lists here are from a balanced, multi-ISP configuration):

/interface list
set ISP1TUN include=""
set ISP include=""
set TUN include=""
:delay 2
set ISP1TUN include=ISP1,TUN1
set ISP include=ISP1
set TUN include=TUN1

WiFi

In an urban environment, where the air is extremely noisy, it makes sense to give up 40 MHz channels: a 40 MHz channel is essentially two 20 MHz channels, so the same transmit power concentrated in 20 MHz gives a higher power density per channel and there is half as much spectrum to share with the neighbours.

Bridge & ARP

If your router distributes Internet access and hands out settings via DHCP, it makes sense to set arp=reply-only on the LAN bridge and enable add-arp=yes in the DHCP server.

With this setting a manually configured IP address will not work, since the router only talks to the MAC/IP pairs it issued itself.
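The ARP binding above as an added example (not the article’s own commands), including the caveat a practitioner runs into first: hosts that must keep a fixed address. It assumes the default bridge interface and the DHCP server named defconf from the default configuration; the MAC and address of the example host are made up.

```routeros
# Added example, not from the original article. Assumes the default "bridge" LAN
# interface and the DHCP server "defconf" from the default configuration.

# 1. The router answers and accepts ARP only for pairs it knows itself
/interface bridge set bridge arp=reply-only

# 2. ... and the DHCP server adds those ARP entries when it hands out a lease
/ip dhcp-server set defconf add-arp=yes

# 3. A host that needs a fixed address (NAS, printer) keeps using DHCP and gets a static
#    lease, so its ARP entry is still created by the server; MAC and address are made up
/ip dhcp-server lease add address=192.168.88.5 mac-address=AA:BB:CC:00:11:22 \
    server=defconf comment="nas, static lease"

# 4. A host that really cannot use DHCP needs a static ARP entry instead,
#    otherwise the router ignores it entirely
/ip arp add address=192.168.88.6 mac-address=AA:BB:CC:00:11:33 interface=bridge \
    comment="printer, manual IP"

# 5. Check what the router currently accepts on the LAN
/ip arp print where interface=bridge
```

Apply this from a host that already holds a DHCP lease; a session from a manually addressed machine stops working the moment arp=reply-only is set.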

P.S. article taken from here https://habrahabr.ru/post/353730/

The number of wireless devices is growing rapidly, continuously increasing the requirements for network bandwidth and coverage.

There are now enough solutions on the market for creating a large wireless network in both a small private house and a large country cottage, starting with Luma, Eero, and ending with.

Some solutions are easy to set up and have a high price, while others provide great capabilities but require a good base for configuration. In particular, we are talking about Mikrotik products, which are distinguished by an excellent combination of high reliability, great functionality and quite affordable cost. At the same time, Mikrotik will be difficult to understand for the vast majority of home users, which increases the level of entry and greatly limits the actual use of Mikrotik-based systems in the home.

Despite the disadvantage described above, once you set up Mikrotik, you can forget about it for months, even years. Mikrotik equipment can work for six months or even more without rebooting, saving a lot of time and nerves.

In this publication, we will show and tell you how to create and configure a reliable Mikrotik-based network with excellent wireless coverage for a large apartment, private home or small office with a minimum number of wires.

Choosing a router

A router (model RB960PGS) is well suited for creating a high-performance network. The presence of an SFP slot allows you to connect to an Internet provider using optics; in addition, the device is equipped with 5 gigabit interfaces.

If SFP is not used, Internet connection can be made using the first RJ-45 network interface, which also supports PoE In. The remaining 4 interfaces support PoE Out, which allows you to power several access points from them, but no more than 4.

In practice, a wired network is almost always used, so at least one port will need to be allocated for a wired local network, so in total we will have 3 PoE ports at our disposal, which is enough for a medium-sized private house.

For home use, any gigabit switch of any brand will do for expanding the wired network. If, however, you plan to use VLANs and other less common features, you will need a managed switch (or at least an Easy-Smart one); we recommend a managed switch.

In cases where you need to power more than 3 access points, you can purchase an additional managed switch with PoE -. Please note that purchasing an additional PoE switch will only be justified if you will power 2-4 additional access points from it. Otherwise, buying a switch to power just one point will be a waste of money.

For 100 Mbit networks, more affordable router models with PoE are suitable:

It is not at all necessary to purchase devices that support PoE, but in this case you will need to assemble a small communication box and place all the injectors and adapters in it.

Selecting access points

In the case of access points, the choice is much wider. Below we have selected the most interesting offers, and they are sorted in ascending order of price.

Note that the Groove 52 (RBGroove52HPn) will not do, since it comes with a Level 3 licence, which does not allow AP mode.

You probably have a natural question: what does hAP ac lite do in this table? It's simple. Firstly, it has PoE support, which allows you to power it remotely. Secondly, the router has the ability to be wall mounted. Thirdly, this is, of course, support for 802.11ac and the price is only 45 USD.

Thanks to the combination of these parameters, it can be used as a Dual-Band access point with the functionality of an additional switch. The only limitation is the speed of network interfaces of 100 Mbit.

Point GrooveA 52 is highlighted separately, because it is equipped with a powerful radio module and is suitable for outdoor use when it is necessary to cover a very large area. Please note that the device can only operate in one band at a time - either 2.4 GHz or 5 GHz. The range is selected manually in the control panel.

The table also does not include OmniTIK and Metal, due to the price/feature ratio. These solutions are more suitable for use in commercial networks.

The best option for building a network at home is, and. Moreover, wAP and wAP ac can be used outdoors.

The older wAP ac model is equipped with a gigabit network interface to provide high throughput; it supports simultaneous operation in two bands with channel speeds of 300 and 1300 Mbit for 2.4 and 5 GHz, respectively.

Using the wAP and wAP ac together with the hEX PoE router as the example, we will go through building a home wireless network.

Connecting and configuring the gateway

hEX PoE will act as the main router, providing clients with access to the Internet. As expected, the gateway will issue IP addresses for other devices, but the DHCP server will be disabled on the access points themselves.

We connect the device and log in to the control panel.

The setup process will be discussed using the default settings as an example, in order to simplify the process as much as possible for novice Mikrotik users.

The standard configuration is quite suitable for us, the only thing you will need to do is configure the type of connection to the provider’s network and select the ETH1 port (twisted pair) or SFP (optics)

For convenience, we change the device’s IP and LAN settings to the more familiar 192.168.0.1/24.

Please note that we intentionally raised the DHCP pool up, which is not at all necessary. Personally, it’s easier for me to use static and MAC:IP binding in the lower part, and issue IP for other clients in the “upper” part.

Be sure to change the name of the device, in our case it will be “GATEWAY” (gateway); in the future, with a large number of devices, it will be much easier for you to navigate by names than by IP.

Apply the settings. After this, Winbox will become inaccessible; on some PCs you will need to reconnect to the network by unplugging the cable so that the network receives a new IP.

It is good practice to go to IP - DHCP Server - Networks and set our router’s IP as the DNS server for clients that receive settings via DHCP. MikroTik has its own DNS functionality, so there is no point in pointing clients at the provider’s DNS.

By the way, you can also specify NTP here; you can easily raise it on Mikrotik itself. If you replace time.windows.com with the Mikrotik IP in static DNS records, machines running Windows OS will be able to take the exact time from the main gateway without additional settings. Read more in a separate publication, link above.
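The DHCP, DNS and NTP settings of the last two paragraphs as an added terminal session (example commands, not the article’s own). It assumes the gateway address 192.168.0.1/24 from this section, a DHCP network entry for 192.168.0.0/24, and that the separate ntp package is installed on RouterOS 6 (the NTP server lives there); the upstream resolvers are placeholders.

```routeros
# Added example, not from the original article. Assumes the gateway is 192.168.0.1/24
# and the separate "ntp" package is installed (RouterOS 6.x).

# 1. The router resolves for the LAN; the upstream resolvers are an assumption, use your own.
#    allow-remote-requests answers on every interface, so the default input rules that drop
#    WAN traffic must stay in place or the router becomes an open resolver.
/ip dns set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9

# 2. Hand out the router as DNS and NTP server via DHCP
/ip dhcp-server network set [find address=192.168.0.0/24] dns-server=192.168.0.1 ntp-server=192.168.0.1

# 3. The router keeps its own clock from the Internet and serves it to the LAN
/system ntp client set enabled=yes server-dns-names=pool.ntp.org
/system ntp server set enabled=yes

# 4. Windows machines sync from time.windows.com by default; point that name at the router
/ip dns static add name=time.windows.com address=192.168.0.1

# 5. Verify
/system ntp client print
/ip dns static print
```

Clients pick up the new DNS and NTP servers when they renew their lease; renew manually on a test machine and check that time.windows.com resolves to 192.168.0.1.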

Don't forget to update the gateway to the latest version of RouterOS, in our case this is an update from 6.36.1 to 6.38.1. The device will reboot to update.

The general configuration of the gateway is complete. Creating a new user, changing the password, disabling unnecessary services and other Mikrotik security settings is a topic for a separate publication, so we will not dwell on this.

At this stage, you can connect access points to the router.

Connecting access points to the router

Both access points will be powered via PoE from the main router. This lets us reboot them remotely by power-cycling the port, and also removes extra wires.

In practice it is better to connect the access points one at a time, since every wAP ships with an open wireless network and default credentials.

We will connect both points at once, because For an experienced user, the process takes only a couple of minutes.

A regular Mikrotik wAP access point received power via PoE without any problems, but for wAP ac we had to select the PoE “forced on” mode in the port settings. You can read more about priorities and setting up PoE Out in general in.

As you can see, in idle mode wAP consumes only 1.1 W, and its older brother wAP ac consumes 3.3 W.

In the IP - DHCP Server - Leases section, you can make sure that both access points have received an IP address.

Let's move on to the next setup step.

Mikrotik wAP connection

The process of setting up both wAPs is done by connecting to the access point's open wireless network. A netbook, laptop or PC with a wireless adapter is suitable for these purposes. In our case it will be a netbook.

As you can see, the netbook successfully identified all 3 networks. Why three and not two? The fact is that wAP ac has one network at 2.4 GHz, the second at 5 GHz.

MikroTik-5EDCC7 is our Mikrotik wAP, the MikroTik-7D550D and MikroTik-7D550E networks are Mikrotik wAP ac, which is easy to identify by the name of the network (the name is distinguished by the last character).

We will start setting up from the simplest point, this is faster and will allow you to understand how to set up a dual-band point.

After connecting to the MikroTik-5EDCC7 wireless network, Winbox will detect a device with standard IP 192.168.88.1

We accept the standard configuration. As you can see, the device operates in routing mode, which is why it is not possible to connect to it via cable.

Switch the point to bridge mode (Bridge = bridge); this makes the device completely transparent. Set “Address Acquisition” to “Automatic”, i.e. the device will receive its IP from the DHCP server. A static IP is possible too, but more on that a little later; we will do it slightly differently.

“Address Source” should be set to “Any”; if you choose the seemingly logical “Ethernet”, the device will end up with IP 0.0.0.0 and you simply will not be able to connect to it. If everything is done correctly, the device will receive its network settings.

As before, we change the name of the device.

Connecting Mikrotik wAP ac

We repeat all of the above steps for the new point, as well as each subsequent one that will be added to the network.

If everything is done correctly, all three devices will be visible in Winbox.

And, of course, don’t forget to update RouterOS on all network devices.

Setting up a wireless network in Mikrotik wAP

First, let's configure the wAP access point.

In the Wireless - Interfaces section, open the properties of the wireless interface.

Personally, I am a supporter of “Advanced Mode”, if the number of options scares you, you can use “Simple Mode”. Switching between modes is carried out at any time in the right side of the settings window.

In the current window we are interested in “Freq. Usage..." After clicking on this button, a new window will open in which you should click “Start”. The system will start scanning channels and you will be able to see the channel usage level in real time.

As you can see, 2442-2452 MHz is in use, so it is best to work in the 2412-2432 MHz range. Bear in mind that 2.4 GHz has only three non-overlapping 20 MHz channels (1, 6 and 11); a 40 MHz channel occupies two of them, so in a busy area a 40 MHz network cannot avoid overlapping its neighbours.

When setting up a wireless interface, I prefer to explicitly specify 2GHz-only-N, which sets the 802.11n mode. if you have old devices without support for the new standard, use mixed modes.

We set the channel width to “20/40 Ce”; you can also specify “20/40 eC”. The eC and Ce index indicate where the range needs to be expanded in relation to the main channel. eC - downward expansion, Ce - upward expansion. Thus, if you select the first channel, you can only expand it upwards; in the case of the last channel, the situation is the opposite, it can only be expanded downwards.

SSID - name of the wireless network. If you have 5GHz-capable access points, you can explicitly specify the 2G and 5G suffixes to help differentiate the bands. If this is not done, instead of two networks on the client, only one will be visible in the list, and the connection will be carried out according to the priorities of the adapter (Prefer 2G/Prefer 5G).

WPS should be disabled if not used.

“Frequency Mode” is set to “regulatory-domain”, and “Country” is set to “ukraine”. This setting will allow you not to violate regional restrictions on the use of radio frequency resources.

“WMM Support” can be selected “enabled”. This is a special QoS add-on that allows you to increase the priority of multimedia traffic.

Go to the “Advanced” tab. For the option “Hw. Protection Mode" select "rts cts". In short, this option helps to avoid conflicts when clients connected to the point do not see each other and cannot agree on the order of data transfer.

For “Adaptive Noise Immunity” we set “ap and client mode”. Again, in short, this option allows you to activate a special algorithm for filtering noise created by the point and/or client, for example, multiple signal reflections from walls. Please note that the option will only work on adapters with Atheros chips.

On the HT tab, check the “Tx/Rx Chains” parameters, which should be checked everywhere. If the checkbox is not checked on one of the channels, the adapter will not be able to use it during operation.

Since we did not change the power parameters of the radio module, the standard values ​​will apply.

In this case, we are exclusively interested in HT20-x and HT40-x. Essentially, this is a kind of power guide for a specific radio module.

HT20 and HT40 are channel widths of 20 and 40 MHz respectively. The number in the suffix is the MCS index of 802.11n: the higher the index, the higher the data rate. As you can see, the higher MCS indices are transmitted with lower power, since the denser modulations need a cleaner signal. Keep this in mind if you decide to adjust the wireless module’s power manually.

At the final stage, go to the “Security Profiles” tab. This section requires you to adjust your security profile. Select the “dynamic keys” mode, as well as the WPA2 and AES options. You can forget about WPA and TKIP forever (not to mention the outdated WEP); these security options have long been compromised and have “loopholes” that allow an experienced attacker to gain access to a wireless network protected by this method.

The network password is entered in the “WPA2 Pre-Shared Key” field. This completes the setup of the first point.
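The same wAP settings as a terminal session, added here as an example (not the article’s own commands) for readers who prefer the CLI; it also covers the second 5 GHz radio of the wAP ac described in the next section. It assumes the 2.4 GHz interface is wlan1, the channel is 2412 MHz as found by the scan above, the SSIDs are home-2G and home-5G, the security profile is named home, the wAP ac’s 5 GHz radio is wlan2, and the passphrase is a placeholder.

```routeros
# Added example, not the article's own configuration. Assumptions: wlan1 = 2.4 GHz radio,
# wlan2 = 5 GHz radio on the wAP ac, SSIDs "home-2G"/"home-5G", profile "home",
# placeholder passphrase.

# 1. Security profile: WPA2-PSK only, AES (CCMP) only; no WPA, no TKIP, no WEP
/interface wireless security-profiles add name=home mode=dynamic-keys \
    authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="replace-with-a-long-passphrase"
# newer 6.4x builds also accept disable-pmkid=yes on the profile, which keeps the PMKID
# out of the first EAPOL frame; add it if your version has the parameter

# 2. 2.4 GHz radio: 802.11n only, 20/40 MHz extending upward from channel 1 (2412 MHz),
#    both chains, WPS off, regulatory domain, WMM, RTS/CTS protection, noise immunity
/interface wireless set wlan1 mode=ap-bridge band=2ghz-onlyn channel-width=20/40mhz-Ce \
    frequency=2412 ssid=home-2G security-profile=home wps-mode=disabled \
    frequency-mode=regulatory-domain country=ukraine wmm-support=enabled \
    hw-protection-mode=rts-cts adaptive-noise-immunity=ap-and-client-mode \
    ht-txchains=0,1 ht-rxchains=0,1 distance=indoors disabled=no

# 3. 5 GHz radio on the wAP ac: 802.11ac, 80 MHz channel, primary at 5745 MHz
/interface wireless set wlan2 mode=ap-bridge band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee \
    frequency=5745 ssid=home-5G security-profile=home wps-mode=disabled \
    frequency-mode=regulatory-domain country=ukraine wmm-support=enabled \
    hw-protection-mode=rts-cts adaptive-noise-immunity=ap-and-client-mode \
    ht-txchains=0,1 ht-rxchains=0,1 distance=indoors disabled=no

# 4. Verify: chains enabled, profile applied, WPS disabled
/interface wireless print detail where name~"wlan"
/interface wireless security-profiles print where name=home
```

On the single-band wAP only step 2 applies. The SSID suffixes are a convenience for telling the bands apart, as the text notes; for roaming between access points the SSID and profile must be identical on every device.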

Setting up a wireless network in Mikrotik wAP ac

When setting up the second access point, we do everything similarly to the first access point.

Do not forget that it is necessary to scan the wireless network for each point, since air conditions may vary depending on the location. If you want to trust automation, choose the “auto” channel; Mikrotik copes with this task quite well on its own.

Do not forget to specify for the new and each subsequent point exactly the same SSID as on the first device. This is necessary for automatic roaming of clients between APs.

The operating frequency can be specified the same, but only if the access points overlap slightly. Otherwise, the points will share the airwaves among themselves, which will negatively affect the speed when working simultaneously. It is best to use the “chessboard” principle, i.e. alternate channels so that they do not intersect at all.

In the case of Dual-Band access points, there will be 2 interfaces in the Wireless Interfaces list; each is configured separately.

The principle is the same: scan the band and select the least-loaded frequency. If the 5745–5805 MHz range is free where you are, we recommend using it. In our case it is already “crowded” with local providers.

By the way, experienced administrators will find the spectral-scan and spectral-history tools interesting. Both work from the terminal.

To run them, use the following commands:

/interface wireless spectral-scan

/interface wireless spectral-history

The channels and frequencies have been decided.

For the 5 GHz network we add the “5G” suffix to the SSID; as mentioned earlier, this is optional.

The default channel width will be 20/40 MHz, but we know that 802.11ac can use 80 MHz channels and it is on them that it provides high speed.

For 80 MHz channels the channel-width setting carries a suffix such as eCee, and there are 4 variants in total, because an 80 MHz channel combines 4 20 MHz channels: the letter C marks which of the four is the control channel and e marks the extension channels. The selection logic is the same as for 2.4 GHz.

We make the settings in the same way as we did for the previous point and the 2.4 GHz range. Don't forget to check Chains and configure your security settings (profile).
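As an added example (not the article's own configuration), here is the equivalent of the Winbox steps above typed into the RouterOS terminal of a dual-band wAP ac: the security profile from the “Security Profiles” step (dynamic keys, WPA2 with AES only, no WPA/TKIP), the 2.4 GHz radio on a 20/40 MHz channel and the 5 GHz radio on an 80 MHz eCee channel in the 5745–5805 MHz block, both with the same SSID so clients can roam between points. The SSID, passphrase, channel frequencies, chain counts and the interface names wlan1/wlan2 are assumptions chosen for illustration; check with /interface wireless print which name belongs to which band on your unit and how many chains each radio has, and pick the frequencies from your own scan.

```routeros
# Added example: wAP ac dual-band access point, RouterOS v6 terminal syntax.
# All values below are placeholders; choose your own SSID, passphrase and channels.

# Security profile: dynamic keys, WPA2-PSK only, AES-CCM for unicast and group
# traffic. wpa-psk and tkip are deliberately absent, so the legacy modes can
# never be negotiated by a client.
/interface wireless security-profiles
set default mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="CHANGE-ME-long-random-passphrase"

# 2.4 GHz radio (assumed to be wlan1): 20/40 MHz channel with the control
# channel below the extension (Ce). 2437 MHz is channel 6, used here only as
# an illustration; take the least-loaded channel from the scan instead.
# tx/rx-chains enables both chains (two per band assumed; match your radio).
/interface wireless
set wlan1 disabled=no mode=ap-bridge band=2ghz-b/g/n \
    channel-width=20/40mhz-Ce frequency=2437 tx-chains=0,1 rx-chains=0,1 \
    ssid="HomeNet" security-profile=default

# 5 GHz radio (assumed to be wlan2): 802.11ac with an 80 MHz channel. With
# frequency=5765 and eCee the channel is made of the four 20 MHz channels
# centred at 5745 (e), 5765 (C), 5785 (e) and 5805 (e) MHz.
# Same SSID as on 2.4 GHz so that clients can roam between bands and points.
set wlan2 disabled=no mode=ap-bridge band=5ghz-a/n/ac \
    channel-width=20/40/80mhz-eCee frequency=5765 tx-chains=0,1 rx-chains=0,1 \
    ssid="HomeNet" security-profile=default

# Check the result: band, channel width, frequency and security profile per radio.
/interface wireless print detail
```

On every further access point repeat the same commands with the same SSID and security profile but a non-overlapping channel, following the “chessboard” pattern described above.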

The nuances of roaming on Mikrotik

In principle, this could be the end of the short instructions, but there is one more nuance.

In practice, it is quite common for wireless networks to overlap. In such cases the client may stubbornly hang on to a point with a weak signal even though a point with an excellent signal level is right next to it.

An example of such a case is in the screenshot above. On the left we see that the phone is connected to the 5 GHz network with good signal strength. After moving to another zone, the smartphone still remains stuck on the 5 GHz network, despite the fact that the link speed has dropped to 87 Mbit/s and there is a 2.4 GHz network nearby with an excellent signal.

What to do in this case? You can switch networks manually if the networks have different names, but you can also apply a somewhat hacky workaround.

First of all, you need to disable the “Default Authenticate” option on all wireless interfaces, so that the access list (ACL) decides which clients may connect.

In the Access List tab (still in the Wireless section) we create 2 rules.

First rule. Set the signal level range to -75..120 dBm and enable the Authentication and Forward options. This rule allows connections from clients whose signal level is -75 dBm or better.

Second rule. Set the range to -120..-76 dBm and disable the Authentication and Forward options. This rule disconnects clients whose signal level drops to -76 dBm or worse.

The Authentication option allows the connection; therefore, its absence denies the connection. The Forward option allows data exchange between stations/clients. Forward can be useful in a secure home network, but in a public open network, data exchange between clients must be prohibited for security reasons.

If desired, here you can also restrict rules to certain days of the week and times; the parameters for this are in the collapsible Time section below.

Once the ACL rules are created, you can see the list of authorized clients in the Registration table. Moreover, the comment of the matching ACL rule (if one is set) is shown next to each client, which is very convenient.

We check the work on the smartphone. When the signal level deteriorates to -75 dBm, the device still remains at the old point. As soon as the signal deteriorates to -76 dBm, the point automatically disconnects the client, after which the client connects to the strongest point.

However, this method is not without drawbacks. The thing is that the points forcefully disconnect the client, which causes the end client to experience a short-term loss of communication. At best it's ~2 seconds. Much depends on the client equipment.

I set the signal level to -75 dBm solely as an example; it is a commonly recommended value, not a universal “fits every case” parameter. In practice, it is sometimes necessary to use -80 dBm or lower. In any case, the value is selected exclusively by experiment on site, based on the specific coverage and the sensitivity of the client equipment.
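The two access-list rules described above, as an added example in RouterOS terminal syntax (not the article's own listing). It assumes RouterOS v6 and that the rules should apply to every wireless interface on the point; the signal thresholds are the article's -75/-76 dBm, the comments and the optional weekday/time rule are constructed for illustration.

```routeros
# Added example: signal-based access list that makes weak clients re-associate.
# Run on every access point; rules are matched top to bottom, first match wins.

# 1. Stop the interfaces from accepting clients on their own ("Default
#    Authenticate" off). From now on only a matching access-list rule with
#    authentication=yes lets a station associate.
/interface wireless set [find] default-authentication=no

/interface wireless access-list
# 2. Rule 1: signal -75 dBm or better -> allow. forwarding=yes lets stations
#    exchange traffic with each other, which is fine at home; on a public or
#    open network use forwarding=no so clients are isolated from one another.
add interface=all signal-range=-75..120 authentication=yes forwarding=yes \
    comment="good signal: allow"

# 3. Rule 2: signal -76 dBm or worse -> refuse. A station that is already
#    connected is dropped as soon as its signal falls into this range, so it
#    re-associates with a closer point (expect a gap of roughly 2 s).
add interface=all signal-range=-120..-76 authentication=no forwarding=no \
    comment="weak signal: drop"

# 4. Optional: limit a rule to days and hours with the time property
#    (constructed illustration: weekdays 08:00-18:00 only).
# add interface=all signal-range=-75..120 authentication=yes forwarding=yes \
#     time=8h-18h,mon,tue,wed,thu,fri comment="office hours only"

# 5. Check: associated stations appear here with the matching rule's comment.
/interface wireless registration-table print
```

If a home point should also serve guests, keep the isolation point in mind: the Forward flag is what allows one wireless client to reach another through the access point, so a rule for an open network should be added with forwarding=no.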

Finally

Of course, there are many options for implementing a home wireless network on Mikrotik, from manual configuration to the use of CAPsMAN and even Mesh.

We have described a completely manual configuration option so that the end user understands “how it works”; moreover, this option does not require deep knowledge. At the same time, this configuration allows you to create a reliable wireless network that can operate stably without your intervention.

Among the disadvantages, it is worth noting the need to separately configure all devices, which takes a little more time than when using CAPsMAN. When using multiple points, this option is quite suitable and provides good flexibility.

I continue the story about a wonderful series of devices from Latvia that have proven themselves functional and reliable. In this article I will take a detailed look at the basic configuration of Mikrotik routers using the example of the budget and most popular model, the RB951G-2HnD. These instructions are suitable for almost any model, since they are all based on the same operating system.

This article is part of a single series of articles about.

Introduction

Mikrotik RouterBOARD routers have been on the market for a long time but have still not gained much popularity, although they have occupied their niche. Personally, I think this is an excellent router for the home; it has no competitors in terms of reliability. This is truly a router that you can set up once and forget about. Personally, I have never come across one that had to be power-cycled to bring it back from a hang, as is often the case with other budget hardware.

Adoption among home users is limited primarily by the complexity of setup. Although a more or less advanced user may think there is nothing complicated here, in fact there is. I often received requests to set up a router at home to distribute the Internet via wifi, because users who bought it on someone’s recommendation could not fully configure the required functionality themselves, even though there are plenty of instructions on the Internet.

I want to fill this gap and write detailed step-by-step instructions for setting up Mikrotik from scratch for dummies, using the example of the most suitable model for home use, the RB951G-2HnD. I have long ago prepared a personal cheat sheet in the form of a text file. Using it, I literally set up a router in 10 minutes and give it to the user. That is, there is really nothing complicated if you know what you are doing. I will write material based on this cheat sheet.

Description of the Mikrotik RB951G-2HnD

Here it is, the hero of today’s article. Its description, reviews and price can be quickly checked on Yandex.Market. Judging by the number of reviews, we can already conclude that this router is fairly popular.

An important feature of this router, which I personally use actively, is the ability to power it through a special PoE adapter.

It is on the right in the image. You take the router's standard power supply and a PoE adapter. The power supply is connected to the adapter, and a patch cord runs from the adapter to the first port of the RouterBOARD. The router can then be hung on the wall anywhere; there is no need to be tied to an outlet. I should note right away that the router can only be powered with a Mikrotik PoE adapter. It uses a different (passive) PoE standard, and the usual 802.3af PoE switches will not work.

Click on the MAC address of the device; it should be copied into the Connect To field. The default password for logging into Mikrotik routers is empty and the user is admin. Enter the username and leave the password field blank. Click Connect. We are greeted by an information window that describes the default settings.

Here you can either leave them or delete them. I always delete it, since the standard settings most often do not suit a specific situation. Let me give you a few examples why this is so:

  1. I powered my router via the first port via a poe adapter and therefore am forced to use this port as a local one. In the default settings, this port is used as a wan port to receive Internet from the provider.
  2. The default settings are to automatically receive settings from the provider via dhcp. If you have a different type of connection, then the standard setting is not suitable for you.
  3. By default, the address space is set to 192.168.88.0/24. I personally don’t like default networks, because if you accidentally plug a new device that also has the default address configured into such a network, problems will begin. This may not be relevant at home, but in commercial organizations I have had to deal with it. That's why I always change the subnet just in case.

So we press Remove Configuration to delete the settings. After this, the router will reboot. We wait about a minute and connect to it again.

If for some reason you did not delete the presets immediately, you can reset Mikrotik to factory settings later. To do this, type system in the terminal and then reset (the full command is /system reset-configuration). You will be asked for confirmation, after which the RouterBOARD will reboot with factory settings.

Firmware update

After clearing the settings, I recommend immediately updating the firmware of the Mikrotik router. To do this, go to the Download section of the official website and download the required file. For this router the platform is mipsbe; download the Main package. Save it to your computer and connect to the router using Winbox. Select the Files section on the left. Then open two windows side by side, one with the firmware file and the other with Winbox, and drag the file from the folder into the Winbox file list with the mouse.

Wait for the upload to finish and reboot Mikrotik through the menu item System -> Reboot. The firmware is updated while the router boots; this takes about 3 minutes. After that, connect to the device again. After updating the firmware, you need to update the bootloader as well. This is done in System -> RouterBoard. Go there and compare the Current Firmware and Upgrade Firmware lines. If they differ, press the Upgrade button; if they are the same, nothing needs to be done. The change takes effect after a reboot.

You can check the installed firmware version in the section System - Packages.

In my case, the firmware version is 6.43.4. In the future, when the Internet is configured on the router, you can update automatically in this section by clicking on Check For Updates.

The firmware has been updated, you can start setting up.

Combining ports into a bridge

One of the features of Mikrotik RouterBOARD routers is the lack of preset port roles. Let me explain in plain terms what this means. When buying a regular budget router, you will see labels on the ports. One of them will definitely say WAN, the others will either say nothing or LAN. That is, one port is already configured for connecting the Internet, and the remaining ports are combined into a switch for the convenience of connecting equipment.

This is not the case with Mikrotik. There all ports are equal, and any port you like can become the WAN port. Since I use the 1st port to connect power, I will use the 5th port as the WAN. All the rest I will combine into a single network using a bridge and add the wifi interface to them. To do this, go to the Bridge section and create a new bridge1.

Leave all the settings at their defaults. We now have bridge1. Go to the Ports tab and click the plus sign. Add all ports to bridge1 except the WAN port; in my case that is port 5.

We have combined all the necessary interfaces into a bridge to organize a single space for all connected devices.

Setting up a static IP

Before this, we connected to the router using the MAC address. Now you can assign it a static local IP address, at which it will be accessible on the network. To do this, go to the section IP -> Addresses and press the plus sign.

Specify any subnet in the Address field. I chose 192.168.9.0. Accordingly, we assign Mikrotik the address 192.168.9.1/24. Select bridge1 as the interface. The Network field can be left blank; it will be filled in automatically. Now our router is accessible both via the local interfaces and via wifi (which still needs to be configured) at 192.168.9.1.

Internet setup in Mikrotik

Now is the time to connect to your provider and set up the Internet. It is difficult to cover all possible connection options. There can be many of them. I will look at the two most popular methods:

  1. You receive settings from the provider automatically via dhcp.
  2. The provider gave you ready-made settings and you enter them manually.

As I wrote earlier, we will use port 5 to connect to the provider. Connect the provider's wire.

To get settings via dhcp, go to winbox in the section IP -> DHCP Client and press the plus sign. Choose an interface ether5 and click OK.

If you did everything correctly, you will see which IP address you received. The received settings will also appear in the IP -> Addresses section.

Let's consider the option when the provider has provided all the settings and you need to set them yourself. Let's assume that our Internet settings are as follows:

First, let's specify the IP address. We do the same as in the previous paragraph when setting up a static IP, only now we select ether5 instead of bridge1 as the interface and enter the corresponding address, 192.168.1.104/24. Here we have entered both the address and the subnet mask at once.

Next we need to set the default gateway. Without this mandatory step, the Internet will not work. Go to the IP -> Routes section and click the plus sign to add a default route. Leave Dst. Address as 0.0.0.0/0, enter the provider's gateway in the Gateway field, and click OK.

The Internet should be working now, but without specifying a DNS server, you can only access direct IP addresses. For example, you can ping the IP address of Google servers. Open New Terminal and check.

Now let's set the DNS server. Go to IP -> DNS and enter the address of the provider's DNS server in the Servers field. If you have two of them, click the small downward-pointing triangle to add a second value. Be sure to tick the Allow Remote Requests box.

If you have an external IP address and have allowed remote DNS queries, be sure to set up a firewall and block all incoming connections on the external interface. If this is not done, your router can be abused as an open resolver: attackers send it DNS requests with spoofed source addresses and use it to amplify DDoS attacks against others.

That's all; the provider's Internet settings are fully configured. You can check by pinging an ordinary site name.

The router itself already has Internet access. We need to configure it for users. To do this, we continue setting up mikrotik.

Setting up a dhcp server

In order for connected devices to receive network settings automatically from the router, a DHCP server must be configured on it. This is not difficult; I will describe everything step by step. Go to IP -> DHCP Server, open the DHCP tab and click DHCP Setup. We are asked to select the interface on which the server will run. Choose bridge1.

Click next. Now you need to select the address space from which IP addresses will be issued. By default, the subnet that includes the router's IP address is specified. This is fine, leave the default value 192.168.9.0/24 .

Now you need to specify the range of addresses that will be issued to clients. If it is not important to you and you do not know why it needs to be changed, then leave it as is. All free subnet addresses will be used.

At the last stage, enter the DNS server address that will be issued to clients. This can be either Mikrotik itself or the provider’s DNS server. It does not matter much, but it is better to specify the router itself, so we enter its local address, 192.168.9.1.

Leave the next parameter as default and click Next. This completes the setup of the dhcp server for the local network.

If we now connect any client to mikrotik by wire, it will receive network settings, but will not be able to access the Internet. Another important setting is missing - NAT.

NAT setup

NAT stands for network address translation. I won’t explain what it is here; you can read about it yourself on the Internet. All modern routers have a NAT function to give subscribers access to the Internet, so we will configure NAT in Mikrotik as well.

Go to the IP -> Firewall section, open the NAT tab and click the plus sign. On the General tab set only one parameter, Out. Interface = ether5 (the interface connected to the provider); leave everything else untouched.

Go to the Action tab and select masquerade from the drop-down list. Leave the rest alone and click OK.

That's it, NAT is configured. Now if you connect a client by wire to one of the ports, it will receive network settings via DHCP and will have access to the Internet. All we have left is to configure wifi to connect wireless clients.
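The wired part of the setup described in the sections above (bridge, static LAN address, WAN via DHCP or static settings, DNS with the incoming-connection block, DHCP server and NAT), collected as an added example in RouterOS v6 terminal syntax. This is not the article's own listing; it uses the article's port roles (ether5 = WAN, ether1 stays on the LAN side because it carries PoE power) and its 192.168.9.0/24 and 192.168.1.104/24 addresses, while the provider's gateway and DNS server, which the article does not give, are marked as placeholders.

```routeros
# Added example: basic RB951G-2HnD setup, RouterOS v6 terminal syntax.
# ether5 = WAN (provider), ether1..ether4 + wlan1 = LAN bridge.

# Bridge with every port except WAN, plus the wifi interface.
/interface bridge add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=wlan1

# Static LAN address on the bridge (the network field is derived automatically).
/ip address add address=192.168.9.1/24 interface=bridge1

# WAN option 1: settings from the provider over DHCP. The client installs the
# default route and the provider's DNS servers by itself.
/ip dhcp-client add interface=ether5 disabled=no

# WAN option 2: static settings from the provider (use one option, not both).
# The gateway 192.168.1.1 and DNS 203.0.113.53 are PLACEHOLDERS.
# /ip address add address=192.168.1.104/24 interface=ether5
# /ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1
# /ip dns set servers=203.0.113.53

# Let LAN clients use the router as their DNS resolver ("Allow Remote Requests").
/ip dns set allow-remote-requests=yes

# Because the router now answers DNS queries, unsolicited traffic arriving on
# the WAN port must be dropped; otherwise the router becomes an open resolver
# that can be used for DNS amplification attacks.
/ip firewall filter
add chain=input in-interface=ether5 connection-state=established,related \
    action=accept comment="replies to connections the router opened"
add chain=input in-interface=ether5 action=drop \
    comment="drop everything else arriving from the provider side"

# DHCP server for the LAN: address pool, server on bridge1, and the options
# handed out to clients (gateway and DNS both point at the router).
/ip pool add name=dhcp_pool1 ranges=192.168.9.2-192.168.9.254
/ip dhcp-server add name=dhcp1 interface=bridge1 address-pool=dhcp_pool1 disabled=no
/ip dhcp-server network add address=192.168.9.0/24 gateway=192.168.9.1 \
    dns-server=192.168.9.1

# NAT: masquerade everything leaving through the WAN port.
/ip firewall nat add chain=srcnat out-interface=ether5 action=masquerade

# Quick checks from the terminal.
/ip address print
/ip route print
/ip firewall filter print
```

The order matters in the input chain: the accept rule for established/related traffic must sit above the drop rule, otherwise the router's own DNS lookups and update checks stop receiving replies. Verify with /ip firewall filter print that the rules are listed in that order before disconnecting from the router.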

Setting up a wifi access point in mikrotik

Our router is almost ready to go. All that remains is to set up a wi-fi access point and you can forget about it :). Setting up wifi in Mikrotik deserves a separate article. There are a lot of nuances and possibilities there. We will now make the simplest setup that will suit and fully satisfy the needs of a home wifi router. And for deeper knowledge, you can use separate material on this topic.

First of all, we activate the wireless interface. By default it is disabled. Let's go to the section Wireless, select wlan1 and click the blue checkmark.

The interface will change from gray to normal. Go to the Security Profiles tab and double-click the line with the default profile. In the Mode field choose dynamic keys. Tick the boxes WPA PSK, WPA2 PSK and aes ccm. In the WPA Pre-Shared Key and WPA2 Pre-Shared Key fields enter the password for the future wireless network. I recommend using a long password (at least 12 characters) with numbers and special characters. Yes, it’s not very convenient to enter, but after I myself brute-forced hashes of simple passwords without any problems, I was convinced that it’s better to set a complex password if you don’t want anyone to connect to your wifi.

Save the settings. Return to the Interfaces tab and double-click wlan1; the Mikrotik wifi interface settings open. Go to the Wireless tab and set the parameters as in my screenshot.

I draw your attention to the following settings:

  • SSID — the name of your wireless network. Write whatever you want.
  • Frequency — the frequency corresponding to one of 12 channels. The very first value is the first channel, and so on. It is recommended to select the channel that, in your particular case, is least occupied by other access points. If you don’t know what these channels are and how to check them, don’t worry about it; you can select any value from the list.

Save the settings by clicking OK. That's it, the wifi access point on mikrotik is configured, you can check it. Launch any device, search for your network, enter your access password and check the Internet. Everything should work.

This completes the basic setup of Mikrotik, but I recommend making a few more settings for convenience and security.

Changing the default administrator password

As I wrote earlier, the default administrator password in Mikrotik is not set; it is empty. The username is admin. Let's set our own password to keep third parties out of your settings. To do this, go to System -> Users, select the single user admin, right-click and choose the very last item, Password.

In the window that opens, enter your password 2 times and save it. Now, to connect via winbox, you will need to specify not only the admin user, but also the set password.

In light of the recent Mikrotik hacks, I strongly recommend not just setting a complex password for the administrative account, but creating a completely new one, with a username other than admin. To do this, in the list of users, press the plus sign and create a new user.

After this, the admin user can be disabled.

Setting the time

I recommend setting the correct time and enabling automatic synchronization. This is useful when you need to look at logs and compare timestamps; if the time is not set, that is hard to do. So let's set it up. Go to System -> Clock and manually set the time, date and time zone.

Now let's make sure the time is updated automatically over the Internet. Go to System -> SNTP Client, tick Enabled, and enter 193.171.23.163 and 85.114.26.194 in the server address fields. Click Apply and watch the synchronization result.

Now the router clock will always have the current time.
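The remaining steps of this basic setup, the wifi access point, the replacement administrator account and the clock/NTP settings, as an added example in RouterOS v6 terminal syntax (the article's unit runs 6.43.4). This is not the article's own listing. The security profile follows the first part of this page, which recommends WPA2 with AES only, rather than ticking WPA PSK as well; the passphrase, SSID, user name, channel and time zone are placeholders, the NTP servers are the two the article gives, and the allowed-address restriction on the new user is an extra hardening step that the article does not mention.

```routeros
# Added example: wifi, administrator and time steps for the RB951G-2HnD,
# RouterOS v6 terminal syntax. Placeholder values are marked CHANGE-ME.

# Security profile: dynamic keys, WPA2-PSK with AES-CCM. Add wpa-psk to
# authentication-types only if an old client really cannot do WPA2.
/interface wireless security-profiles
set default mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="CHANGE-ME-at-least-12-chars-with-digits-and-symbols"

# Enable wlan1 as an access point. 2437 MHz (channel 6) is only an example;
# choose the least-occupied channel from a scan of your surroundings.
/interface wireless
set wlan1 disabled=no mode=ap-bridge band=2ghz-b/g/n frequency=2437 \
    ssid="HomeNet" security-profile=default

# Administrator: create a new full-rights user under a different name.
# allowed-address limits where that user may log in from (LAN subnet only).
/user add name=netadmin group=full password="CHANGE-ME-strong-password" \
    allowed-address=192.168.9.0/24
/user print

# Open a second Winbox session and log in as netadmin BEFORE disabling admin;
# otherwise a typo in the password locks you out and only a configuration
# reset gets you back in.
/user disable admin

# Clock and NTP (System -> Clock and System -> SNTP Client in Winbox).
# The time zone is a placeholder; the two servers are those from the article.
/system clock set time-zone-name=Europe/Riga
/system ntp client set enabled=yes primary-ntp=193.171.23.163 \
    secondary-ntp=85.114.26.194

# Verify: status should show a synchronized server, and the log timestamps
# should now match real time.
/system ntp client print
/system clock print
```

Keep the second session open until the new user has logged in successfully; the built-in admin can be re-enabled from that session with /user enable admin if something went wrong.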

This completes the basic setup of the mikrotik router for home use. You can install it in place and use it.

Conclusion

I gave an example of setting up Mikrotik for a home user as a replacement for other popular budget routers. For more complex and meaningful configurations, you can use my other articles on this topic:

  • — an article about how to connect two Internet providers and automatically switch from one to the other in case of connection problems with one of them. The situation is taken from a real example of a country house with two Internet channels.
  • — popular material on organizing a single wifi network consisting of many access points to cover a large area. This may be relevant both for home users (country house) and for corporate users.
  • — a story about how to store Mikrotik logs centrally. This is completely irrelevant for the home, but it matters for the corporate sector, where it is important to keep information about who, where and why.

I'm finishing my story. I would be glad to receive any comments on this topic. Let me remind you that this article is part of a single series of articles about.
