For some time now, I've been renovating my home network, and this past weekend, I decided to upgrade the quite janky WiFi infrastructure that had become very unreliable. I was using an ISP-provided router/modem/AP and a WiFi repeater, both only on 2,4 GHz.
The Access Points
For the new equipment, I decided to use two MikroTik router/APs. The main access point is the hAP ac², with dual-band 2,4 GHz and 5 GHz antennas and 5 gigabit ethernet ports. It is positioned to cover most of the house, and will probably also act as the gateway at some point in the future. The second access point I'm using is the hAP mini. It has far fewer features, as it supports only 2,4 GHz WiFi and only has three 100 Mbps ports. That does not matter, however, since it will be located where there is little wireless traffic. Both access points are connected to a switch with ethernet drops wired throughout the house.
A factory-new MikroTik device comes with a default password and configuration. To access it, install WinBox and plug your computer into the second port on the router. To log in, use the username admin and no password. Once you're logged in, head to the Reset Configuration menu in the System tab. Once there, tick No Default Configuration and Do Not Backup. The router will then reboot with no configuration.
Configuring the AP
For ease of writing, the rest of the configuration will be terminal-based. To open the terminal, just click the New Terminal tab. Everything can also be configured in the GUI just by going to the appropriate menu. The text WRITTEN_IN_BOLD should be replaced with your own config.
First, we will create a bridge interface, which puts all the interfaces in the bridge in the same broadcast domain.
/interface bridge add fast-forward=no name=BridgeLAN
Next, we'll create two security profiles. You could alternatively use just one, but I feel that making a hidden profile, which is inaccessible, is safer.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=LANSecurity supplicant-identity="" \
    wpa2-pre-shared-key=SET_PASSWORD_HERE
add authentication-types=wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=hidden supplicant-identity="" \
    wpa2-pre-shared-key=VERY_LONG_UNGUESSABLE_PASSWORD_HERE
Then, we configure the wireless interfaces.
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n channel-width=\
    20/40mhz-XX country=no_country_set default-authentication=no disabled=no \
    frequency-mode=manual-txpower hide-ssid=yes mode=ap-bridge \
    security-profile=hidden ssid=hidden station-roaming=enabled \
    wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=BA:69:F4:F6:B1:CA \
    master-interface=wlan1 multicast-buffering=disabled name=WIFI_INT_NAME \
    security-profile=LANSecurity ssid=WIFI_NAME station-roaming=enabled \
    wds-cost-range=0 wds-default-cost=0 wps-mode=push-button-virtual-only
This is a user policy that must be configured on all MikroTik devices.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp"
After configuring all the interfaces, we add them to the
/interface bridge port
add bridge=BridgeLAN interface=ether1
add bridge=BridgeLAN interface=ether2
add bridge=BridgeLAN interface=ether3
add bridge=BridgeLAN interface=WIFI_INT_NAME multicast-router=disabled
All that's left to configure are the IP settings for the AP: a default gateway, a DNS server and the IP address of the AP.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=ADDRESS/24 interface=BridgeLAN network=NETWORK
/ip dns
set servers=126.96.36.199
/ip route
add distance=1 gateway=GATEWAY
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
Optionally, you can set the name of the AP and its password.
/system identity
set name=AP_NAME
/password
And that should be about it for the most basic access point configuration.
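To review a finished configuration before putting the AP into service, the following added example (not part of the original post) parses RouterOS export-style text and flags settings from the commands above that deserve a second look: an unreplaced password placeholder, WPS left enabled, cleartext login rights in a user group policy, and allow-none-crypto=yes on SSH. The sample text is constructed from this page's settings; the function names, MIN_PSK_LEN and the choice of checks are assumptions.

```python
import re
import shlex

# Constructed sample in RouterOS export layout, built from this page's settings.
SAMPLE = r'''
/interface wireless security-profiles
add authentication-types=wpa2-psk mode=dynamic-keys name=LANSecurity \
    wpa2-pre-shared-key=SET_PASSWORD_HERE
/interface wireless
add master-interface=wlan1 name=wifi-lan security-profile=LANSecurity \
    wps-mode=push-button-virtual-only
/user group
set full policy="local,telnet,ssh,ftp,read,write,winbox,pas\
    sword,web"
/ip ssh set allow-none-crypto=yes forwarding-enabled=remote
'''
MIN_PSK_LEN = 16  # assumption: local policy threshold, not a RouterOS limit

def parse_export(text):
    """Return (menu, action, params) tuples; joins '\\' line continuations."""
    menu, cmds = "", []
    for line in re.sub(r"\\\n[ \t]*", "", text).splitlines():
        tokens = [] if line.lstrip().startswith("#") else shlex.split(line)
        if tokens and tokens[0].startswith("/"):  # menu path, maybe with inline command
            i = next((k for k, t in enumerate(tokens) if t in ("set", "add")), len(tokens))
            menu, tokens = " ".join(tokens[:i]), tokens[i:]
        if tokens:
            params = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
            cmds.append((menu, tokens[0], params))
    return cmds

def audit(text):
    """Return a list of findings for settings a reviewer would question."""
    findings = []
    for menu, _action, p in parse_export(text):
        psk = p.get("wpa2-pre-shared-key")
        if psk is not None and re.fullmatch(r"[A-Z_]+", psk):  # heuristic for placeholders
            findings.append(f"profile {p.get('name')}: placeholder PSK not replaced")
        elif psk is not None and len(psk) < MIN_PSK_LEN:
            findings.append(f"profile {p.get('name')}: PSK shorter than {MIN_PSK_LEN}")
        if menu == "/interface wireless" and p.get("wps-mode") not in (None, "disabled"):
            findings.append(f"interface {p.get('name')}: wps-mode={p['wps-mode']}")
        rights = set(p.get("policy", "").split(",")) if menu == "/user group" else set()
        if rights & {"telnet", "ftp"}:
            findings.append("user group: policy grants cleartext telnet/ftp login")
        if menu == "/ip ssh" and p.get("allow-none-crypto") == "yes":
            findings.append("ssh: allow-none-crypto=yes permits the 'none' cipher")
    return findings
```

Calling audit() on the text of your own export returns one line per finding; an empty list means none of these four checks matched.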