Setting up a MikroTik AP

For some time now, I've been renovating my home network, and this past weekend, I decided to upgrade the quite janky WiFi infrastructure that had become very unreliable. I was using an ISP-provided router/modem/AP and a WiFi repeater, both only on 2.4 GHz.

The Access Points

For the new equipment, I decided to use two MikroTik router/APs. The main access point is the hAP ac², with dual-band 2.4 GHz and 5 GHz antennas and five Gigabit Ethernet ports. It is positioned to cover most of the house, and will probably also act as the gateway at some point in the future. The second access point I'm using is the hAP mini. It has far fewer features, as it supports only 2.4 GHz WiFi and only has three 100 Mbps ports. That does not matter, however, since it will be located where there is little wireless traffic. Both access points are connected to a switch with Ethernet drops wired throughout the house.

Initial setup

A factory-new MikroTik device comes with a default password and configuration. To access it, install WinBox and plug your computer into the second port on the router. To log in, use the username admin and no password. Once you're logged in, head to the Reset Configuration menu in the System tab. Once there, tick No Default Configuration and Do Not Backup. The router will then reboot with no configuration.

Configuring the AP

For ease of writing, the rest of the configuration will be terminal-based. To open the terminal, just click the New Terminal tab. Everything can also be configured in the GUI by going to the appropriate menu. Placeholder text in capitals, such as SET_PASSWORD_HERE, should be replaced with your own values.

First, we will create a bridge interface, which puts all the interfaces in the bridge in the same broadcast domain.

/interface bridge
add fast-forward=no name=BridgeLAN

Next, we'll create two security profiles. You could alternatively use just one, but I feel that making a hidden profile, which is inaccessible, is safer.

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=LANSecurity supplicant-identity="" \
    wpa2-pre-shared-key=SET_PASSWORD_HERE
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=hidden supplicant-identity="" \
    wpa2-pre-shared-key=VERY_LONG_UNGUESSABLE_PASSWORD_HERE

Then, we configure the wireless interfaces.

/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n channel-width=\
    20/40mhz-XX country=no_country_set default-authentication=no disabled=no \
    frequency-mode=manual-txpower hide-ssid=yes mode=ap-bridge \
    security-profile=hidden ssid=hidden station-roaming=enabled \
    wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=BA:69:F4:F6:B1:CA \
    master-interface=wlan1 multicast-buffering=disabled name=WIFI_INT_NAME \
    security-profile=LANSecurity ssid=WIFI_NAME station-roaming=enabled \
    wds-cost-range=0 wds-default-cost=0 wps-mode=push-button-virtual-only

This is a user policy that must be configured on all MikroTik devices.

/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"

After configuring all the interfaces, we add them to the BridgeLAN bridge.

/interface bridge port
add bridge=BridgeLAN interface=ether1
add bridge=BridgeLAN interface=ether2
add bridge=BridgeLAN interface=ether3
add bridge=BridgeLAN interface=WIFI_INT_NAME multicast-router=disabled

All that's left to configure is the IP settings for the AP: its IP address, a default gateway and a DNS server.

/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=ADDRESS/24 interface=BridgeLAN network=NETWORK
/ip dns
set servers=1.1.1.1
/ip route
add distance=1 gateway=GATEWAY
/ip ssh
# allow-none-crypto=no: refuse SSH sessions negotiated without encryption
set allow-none-crypto=no forwarding-enabled=remote

Optionally, you can set the name of the AP and its password.

/system identity
set name=AP_NAME
/password

And that should be about it for the most basic access point configuration.
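
Before putting the AP into service, it is worth reviewing an export of the finished configuration. The Python script below is an added example, not part of the original post: it parses text in the RouterOS export format used above (including the `\` line wraps) and flags a few settings to review. The sample export, the interface name wlan-lan, the SSID HomeLAN and the 16-character PSK threshold are constructed for illustration.

```python
import re

# Constructed sample in RouterOS export style (not the author's real config).
# Note the mid-word "\" wrap, which exports use for long lines.
SAMPLE_EXPORT = r"""
/interface wireless security-profiles
add authentication-types=wpa2-psk mode=dynamic-keys name=LANSecurity \
    wpa2-pre-shared-key=SET_PASSWORD_HERE
/interface wireless
set [ find default-name=wlan1 ] hide-ssid=yes security-profile=hidden \
    ssid=hidden wps-mode=disabled
add master-interface=wlan1 name=wlan-lan ssid=HomeLAN wps-mode=push-butt\
    on-virtual-only
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
"""

def parse_export(text):
    """Yield (menu, settings) per command, joining '\\' line continuations."""
    menu = None
    for line in re.sub(r"\\\r?\n[ \t]*", "", text).splitlines():
        line = re.sub(r"\[.*?\]", "", line).strip()  # drop [ find ... ] selectors
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line  # a bare menu path applies to the commands after it
            continue
        pairs = re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)
        yield menu, {k: v.strip('"') for k, v in pairs}

def audit(text, min_psk_len=16):
    """Return findings; min_psk_len is this example's own threshold."""
    findings = []
    for menu, kv in parse_export(text):
        # Only keys present are judged: exports omit settings left at default.
        if menu == "/ip ssh" and kv.get("allow-none-crypto") == "yes":
            findings.append("ssh: allow-none-crypto=yes accepts the 'none' cipher")
        wps = kv.get("wps-mode")
        if menu == "/interface wireless" and wps not in (None, "disabled"):
            findings.append(f"wireless {kv.get('name', '?')}: WPS on ({wps})")
        psk = kv.get("wpa2-pre-shared-key")
        if menu == "/interface wireless security-profiles" and psk is not None:
            if len(psk) < min_psk_len or psk.endswith("_HERE"):
                findings.append(f"profile {kv.get('name', '?')}: short or placeholder PSK")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("FINDING:", finding)
```

Run it against the text saved from an export of your own device; keep that file private, since an export can contain the pre-shared keys.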