Testwiki/Advanced MikroTik Wireless networks

From MikroTik Wiki
< Testwiki
Revision as of 14:40, 20 August 2010 by Andriss (talk | contribs)
Jump to: navigation, search

Advanced MikroTik Wireless networks

In this section, we offer more advanced information that related to wireless networks. Here we will discuss how to implement security into the wireless networks (how set up authentication type, encryption protocols, pre-shared key (password) etc.), and how to restrict access others devices.

Section includes also information about wireless bridge and mesh networks as well as provides simple configuration examples.

Wireless data protection (Security Profile)

There are more steps how to implement secure wireless network:

  • Set up password for wireless administration interface Administrator password is available almost on any wireless router and is used to log into the device for monitoring and changing configuration. Most producers by default set up a weak password like “pass” “password” or “admin” on MikroTik routers there is no any password by default. Therefore is recommended to change administration password to something else if you do not use this password very often, then to write it down and keep in a safe place. If you lost your password on MikroTik devices there is no way how you can recover it, as only reset router configuration to factory default settings.
  • Use encryption to protect data sent between access point and client station The Wired Equivalent Privacy (WEP) encrypts data only between 802.11 devices, using static keys. WEP includes static key in data encryption algorithm. This is not considered a very secure wireless data encryption mechanism, though it is better than no encryption at all. If some of your wireless devices only support WEP encryption, remember that WEP is better than nothing, only choose static encryption key that’s not easy to guess and is not very short (recommended more than 8 symbols) and change it time by time if it is possible. WPA (Wi-Fi Protected Access) provides much better protection to your Wireless network. WPA is combination of 802.1X, EAP, MIC, TKIP and AES protocols. Where:
  • 802.1X is used as authentication framework – users can be authenticate individually using Radius server
  • EAP is a protocol for wireless networks that expands on authentication methods. EAP can support multiple authentication mechanisms, such as one-time passwords, certificates, smart cards and public key encryption authentication.
  • MIC (message integrity code) or cryptographic checksum, verifies that messages have not been altered in transit (check whether received message is the same as sent message).
  • And TKIP and AES are data encryption algorithms. TKIP generates keys dynamically different for each client and alters keys for each successive packet.
  • WPA support is built into Windows XP and latest versions and all others modern operating systems. Now is available improved WPA version (WPA2) that provides stronger encryption, authentication and several others new features.
  • Use MAC address filtering for access control As we know MAC addresses unique to specify each network devices, so MAC address filtering allows you to limit network access only from specific MAC addresses or restrict access form specific MAC addresses. If you implement full MAC address filtering on your network you need to know entire list of your client MAC addresses, so it can be very complicated when you have hundreds of clients or if clients often change devices or MAC addresses. Remember that MAC addresses can be “spoofed” (imitated) by knowledgeable persons, so this mechanism is not guarantee perfect security, it only makes difficult access from undesirable persons and improve network security. How to configure access filtering is discussed below in the next paragraph 14.2.

Security profile configuration example on MikroTik

Security profiles are used to create security policies for wireless interfaces and allows to define such security parameters as authentication type, encryption algorithm, pre-shared keys and more others specific parameters. Full commands reference can be found here.

Security profiles are configured under the /interface wireless security-profiles menu when we use command line interface or Wireless > Security Profiles tab from WinBox configuration tool. Security profiles are referenced by the wireless interface (/interface wireless [name of wlan interface]) as security-profile parameter it means we can create different security profiles for different wireless interfaces (each wireless card is separate interface) as well as security-profile can be specified as parameter of connect list (/interface wireless connect-list).

Basic parameters required to specify to any security profile are:

name – profile name
mode – security profile mode. There are available four modes:
  • none - encryption is not used. Encrypted frames are not accepted.
  • static-keys-required - WEP mode. Do not accept and do not send unencrypted frames. Station in static-keys-required mode will not connect to an access point in static-keys-optional mode.
  • static-keys-optional - WEP mode. Support encryption and decryption, allows also to receive and send unencrypted frames. Device will send unencrypted frames if encryption algorithm is specified as none.
    Station in static-keys-optional mode will not connect to an access point in static-keys-required mode.
  • dynamic-keys - WPA mode.

Configuring WEP with (40bit) static key

Create new WEP security profile named “wep_profile”:

[admin@MikroTik] /interface wireless security-profiles> add name=wep_profile \
mode=static-keys-required static-algo-1=40bit-wep static-key-1=1234123412 static-transmit-key=key-1

Statically configured WEP keys:

Different algorithms require different length of keys:

  • 40bit-wep (static-key-1) - 10 hexadecimal digits (40 bits). If key is longer, only first 40 bits are used.
  • 104bit-wep (static-key-2) - 26 hexadecimal digits (104 bits). If key is longer, only first 104 bits are used.
  • tkip (static-key-3)- At least 64 hexadecimal digits (256 bits).
  • aes-ccm (static-key-3)- At least 32 hexadecimal digits (128 bits).

Key must contain even number of hexadecimal digits.

static-transmit-key – define which key is used. We can specify different key static-key-1 static-key-2 static-key-3 and static-key-4, this option allows to specify which of we want to use.

Assign profile to wireless interface:

[admin@MikroTik] /interface wireless> set wlan1 security-profile=wep_profile

Configuring WPA protection (authentication type – WPA-PSK, encryption protocol – AES)

Create WPA security profile named “wpa_profile”:

[admin@MikroTik] /interface wireless security-profiles> add name=wap_profile mode=dynamic-keys \
authentication-types=wpa-psk,wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
wpa-pre-shared-key=123412341234 wpa2-pre-shared-key=123412341234

Specify encryption algorithm:

unicast-ciphers (multiple choice of tkip, aes-ccm; default value is empty) : Access point advertises that it supports specified ciphers. Client attempts connection only to access points that supports at least one of the specified ciphers. Encrypt unicast frames that are sent between access point and station.

group-ciphers (multiple choice of tkip, aes-ccm; default value is empty) : Access point advertises one of these ciphers, and uses it to encrypt all broadcast and multicast frames.

wpa-pre-shared-key, wpa2-pre-shared-key: WPA and WPA2 pre-shared key mode requires all devices in a BSS to have common secret key. Value of this key can be an arbitrary text. These properties have effect only when authentication-types contains either wpa-psk or wpa2-psk

Wireless Access List

Access list is used by Access Point (AP) to deny or allow access for specific clients as well as control connection parameters.

Authentication can be rejected or allowed by MAC address, Signal strength, Time (which days and how long per day you can be connected by AP).

Available access-list matching properties:

mac-address – rule matches client with the specified MAC address. Default value 00:00:00:00:00:00 matches always.

interface (by default value: all) – rules with interface=all are used for all wireless interfaces. To make rule that applies only to one wireless interface, specify that interface as a value of this property.

Match properties that also set connection parameters.

signal-range (default range: -120..120) – rule matches if signal strength of the station is within the range. If signal strength of the station will go out of the range that is specified in the rule, access point will disconnect that station.

time – rule will match only during specified time. Time is indicated in format [start TIME – end TIME,days. For example, set time on Monday from 8:00 a.m. to 5:00 p.m. [time=28800-62100, mon]; (default value is not set) Station will be disconnected after specified time ends. Both start and end time is expressed as time since midnight, 00:00. Rule will match only during specified days of the week.

Connection properties:

authentication (can assume values: yes or no)

  • no - Client connection always will be rejected.
  • yes - Use authentication procedure that is specified in the security-profile of the interface.

forwarding (yes or no) – control frames forwarding between clients that are connected to the same access point.

  • no - Client cannot send frames to other station that are connected to same access point.
  • yes - Client can send frames to other stations on the same access point.

ap-tx-limit (default value: 0bits/s (unlimited)) : Rate limit of data transmission to this client. (download traffic limitation for client)

client-tx-limit (default value: 0bits/s (unlimited)) : Ask client to limit rate of data transmission.

This is a proprietary extension that is supported by RouterOS clients, for example, between two MikroTik routers.

The association procedure is as follows: when a new client wants to connect to the AP that is configured on interface wlanN, an entry with client's MAC address and interface wlanN is looked up in the access-list. If such entry is found, action specified in the access list is performed, else there is no impact, default-authentication and default-forwarding arguments of interface wlanN are taken.

How set up wireless access list:

To reject client with MAC address 00:11:22:33:44:55:01 to authenticate on the access point.

/interface wireless access-list> add mac-address=00:11:22:33:44:55:01 interface=all authentication=no  

To allow client with MAC address: 00:11:22:33:44:55:02 to authenticate to the access point on the wlan1 interface on working days from 8:00 a.m. to 5:00 p.m.

/interface wireless access-list> add interface=wlan1 authentication=yes \
mac-address=00:11:22:33:44:55:02 time=''28800-62100,mon,tue,wed,thu,fri''

Wireless connect list

The Connect-list is can be configured on wireless interface which works in station mode (mode=station) and determine to which AP the station should connect to. The Connect List is organized as a list of rules that can assign priority and security settings to connections with remote access points or restrict connection to specific access point.

At first, the station is searching for APs all frequencies in the respective band and makes a list of Access Points. If the SSID is set under /interface wireless, the router removes all Access Points from its AP list which do not have such SSID (SSID under /interface wireless menu must be the same on Station and Access point). After that occur rule matching that is defined under connect-list, rule list is checked sequentially until the first matching rule is found. Rule can includes two actions, connection on AP is allowed or not:

connect=yes - connect to access point that matches this rule.

connect=no - do not connect to any access point that matches this rule, we jump to the next rule.

If we have gone through all rules and haven't connected to any AP, yet. The router chooses an AP with the best signal and SSID that is set under /interface wireless.

In case when the station has not connected to any AP, this process repeats from beginning.

There are several values that can be matched into connect-list:

interfacename of wireless interface (required). Each rule in connect list applies only to one wireless interface that is specified by this setting.

area-prefix – rule matches if ‘area’ value under AP configuration begins with such value of ‘area-prefix’.

mac-addressrule matches only AP with the specified MAC address. (default value: 00:00:00:00:00:00 – MAC address of APs is not important)

SSIDrule matches access points that have this SSID. Empty value matches any SSID. This property has effect only when station mode interface SSID is empty, or when access point mode interface has ‘wds-ignore-ssid=yes’.

signal-rangematches if signal strength of the access point is within the range. (is indicated in the following format NUM..NUM - both NUM are numbers in the range -120..120). If signal strength is in this range connection will be accept, it will disconnect from that access point when signal strength goes out of the specified range.

security-profilename of security profile that is used when connecting to matching access points, If value of this property is none, then security profile specified in the interface configuration will be used. In station mode, rule will match only access points that can support specified security profile.

Configuring examples:

Allow station connect only to specific access points:

Set value of default-authentication interface property to no under /interface wireless menu.

/interface wireless set wlan1 default-authentication=no

The default-authentication interface property determines whether station will attempt to connect to any access point if there is not matched any rules. In this case interface wlan1 works in station mode.

Create rules that matches allowed access points. These rules must have connect=yes and interface equal to the name of station wireless interface. As you can see then connecting to second AP signal strength is checked too.

[admin@MikroTik]/interface wireless connect-list> add interface=wlan1 mac-address=00:11:22:33:aa:bb
[admin@MikroTik]/interface wireless connect-list> add interface=wlan1 mac-address=00:11:22:33:44:55 \

Each rule in connect-list is attached to specific wireless interface, specified in the interface''''' property of that rule (this is unlike access-list, where rules can be applied to all interfaces).


Note: {{{1}}}


Note: weerwcew qwqe qeqqqqqqqqqqqqqq

Wireless Bridge

To Bridge two networks using WDS

Remote network that is connected using wireless network can be easily bridged using WDS feature of MikroTik RouterOS. WDS works only on Prism and Atheros based cards. This example is given for the case when the networks are connected through Atheros wireless interface.

The same example can be found: http://wiki.mikrotik.com/wiki/Transparently_Bridge_two_Networks

To better understand the main purpose of this example you have to be sure that you know what is the “Bridge” and what is the major benefit of it. So, I remind simple definition of Bridge.

  • Ethernet bridges represent the software analog to a physical Ethernet switch. The Ethernet bridge can be thought of as a kind of software switch which can be used to connect multiple Ethernet interfaces (physical or virtual) on a single router and share a single IP subnet.

The major benefit of bridge (also wireless bridge) is found in a phrase “to share a single IP subnet”. It means that local and remote networks can use IP address from the same subnet as well as obtain full connectivity between local and remote LAN. Look at figure bellow.

Simple configuring example


In this example I assume that wireless communication is implemented between both sites.

In this case IP address is already assigned, on Access Point (AP) wireless interface and on wireless station

Configuration on AP router:

Create the bridge interface on AP and add ether1 to the bridge:

[admin@AP]/interface bridge> add name=wireless_bridge protocol-mode=rstp
[admin@AP]/interface bridge port> add interface=ether1 bridge=wireless_bridge

Configure wlan1 interface (mode=bridge or mode=ap-bridge)

 [admin@AP]/interface wireless set wlan1 ssid=MikroTik frequency=5180
 mode=bridge disabled=no

Create WDS interface on AP (with setup wds-mode=dynamic, wds-default-bridge=wds-bridge):

 [admin@AP]/interface wireless> set wlan1 wds-mode=dynamic wds-default-bridge=wds-bridge

Add IP address on the bridge interface (in this case the name of bridge interface is wireless_bridge):

 [admin@AP]/ip address add address= interface=wds-bridge

Configuration on wireless station:

Create bridge and add ether1 and wlan1 interface to the bridge

[admin@Station]/interface bridge> add name=wireless_bridge protocol-mode=rstp

[admin@Station]/interface bridge> port 
[admin@Station]/interface bridge port> add interface=ether1 bridge=wireless_bridge 
[admin@Station]/interface bridge port> add interface=wlan1 bridge=wireless_bridge

Configure wlan1 interface (mode=station-wds):

 [admin@Station]/interface wireless> set wlan1 mode=station-wds ssid=MikroTik frequency=5180 disabled=no

Add IP address on the bridge interface (in this case the name of bridge interface is wireless_bridge):

 [admin@Station]/ip address add address= interface=wds-bridge

Add DHCP server on the bridge interface (optional configuration ''– this is not mandatory):

The first we need to define IP pool:

[admin@Station]/ip pool> add name=wireless_bridge ranges=

Create DHCP server:

[admin@Station]/ip dhcp-server> add interface=wireless_bridge  address-pool=wireless_bridge disabled=no
[admin@Station]/ip dhcp-server network> add address= gateway=

Check and test your configuration:

Check wds interface on AP router:

[admin@AP] /interface wireless wds> print detail 
Flags: X - disabled, R - running, D - dynamic 
 0  RD name="wds1" mtu=1500 l2mtu=2290 mac-address=00:0C:42:1F:9F:FD arp=enabled \
 master-interface=wlan1 wds-address=00:0C:42:2C:6A:04

Test the bridge by pinging from to

[admin@AP]/ip address> /ping 64 byte ping: ttl=64 time=2 ms 64 byte ping: ttl=64 time=5 ms 64 byte ping: ttl=64 time=5 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 2/4/5 ms

As well as you can ping workstations (PCs) from one LAN to remote.

To Bridge two wireless networks using EoIP

The similar configuration can be implemented using EoIP feature. EoIP functionality is discussed in section 9.2.

Set up IP address on ether1 and wlan1 (on both site)

/ip address add address= interface=ether1 disabled=no 
/ip address add address= interface=wlan1 disabled=no

Setup wlan1 interface configuration (on both site)

(mode=ap-bridge for access point, client side – set mode=station)

/ interface wireless> set wlan1 mode=station-wds ssid=MikroTik frequency=5180 disabled=no

Create EoIP interface on both endpoints (tunnel IP is the same on both ends, as remote address point out wlan1 address of remote router. (on both site)

/interface eoip> add mac-address=00:00:5E:80:00:01 remote-address=

/interface eoip> add mac-address=00:00:5E:80:00:02 remote-address= tunnel-id=1

Create Bridge interface and to bridge EoIP and ether1 interface (on both site)

/interface bridge> add name=eoip_bridge
/interface bridge> port 
/interface bridge port> add interface=eoip-tunnel1 
/interface bridge port> add interface=ether1 

This setup is based on the same principles as given section 9.2. “EoIP” there you find another example.

Wireless Mesh

What is Wireless Mesh network?

Wireless Mesh network is based on mesh clients (basically wireless routers (AP) and gateways to wired network) that is organized in a mesh topology and can act as communication network.

What is mesh topology?

Decentralized network structure that can be created by independent wireless access points that installed at each network user and each of these access points can forward traffic to other wireless access point. Full wireless mesh network is network where each wireless device can communicates with each other.


If some of mesh device goes down, network topology is changed immediately and alternative routes can be found. To provide such dynamic mesh network operation is necessary protocol that provides network topology re-calculation and loops free network.

What is loop-free network?

Network, where data packets cannot get loop when are transmitted among two or more switches or routers.

Here can be layer 2 and layer 3 network loops, redundant links can be cause of the layer 2 loops, layer 3 network loop can occur by incorrect routing table. Assume that we have two different paths (redundant links) to particular destination. In such case packet (frame) from the same host can be sent through all redundant links simultaneously and destination device can receive multiple frame copies. Such process can totally confuse MAC (ARP) table of mesh node that contain information about other devices location. MAC table is constantly updated with information about what MAC addresses are reachable behind each port so if failed information can cause the layer 2 network loops.

Which protocol re-calculate mesh topology if something change happen as well as provides loop-free network?

Protocols as STP, RSTP, HWMP+ and others provide a mechanism for disabling redundant links. Disabling process is made dynamically in logical level, it means that if there are two links on the same destination one of links becomes inactive, but if primary links goes down then the second (redundant) link become active (goes up). Each node maintains topology database which is updated according to the selected protocol algorithm. Redundancy is good practice in your network to reduce congestion to provide availability and prevent complete network failure if one of links go down, but that is recommended to be configured together with some of these protocols.

HWMP+ is a MikroTik specific layer-2 routing protocol for wireless mesh networks. But instead of to ensure only loop-free network HWMP+ also provides optimal routing mechanism.

  • It is based on Hybrid Wireless Mesh Protocol (HWMP) from IEEE 802.11s draft standard.
  • It can be used instead of (Rapid) Spanning Tree protocols (RSTP) in mesh setups to ensure loop-free network and optimal routing.
  • HWMP+ works not only with WDS (Wireless Distributed Interface) interface but among wired Ethernet interfaces as well.
  • Main configuration occurs under /interface mesh menu.

The HWMP+ protocol however is not compatible with HWMP from IEEE 802.11s draft standard.

Here are two operation modes of HWMP+:

  • Reactive mode – path to destination node are discovered on demand by flooding special message in the network. This mode is recommended for mobile networks (rapidly changing networks) when communication happens between mesh node.
  • Proactive mode – in case when network includes one or more general entry/exit point (portal nodes) to mesh network, these portal nodes are chosen as roots for logical network topology creation (loop-free network).

Proactive mode is recommended when most of traffic goes between internal mesh nodes and few portal nodes.

More information about reactive and proactive modes can be found:


How the HWMP+ makes route selection?

The route with best metric is always selected after the discovery process. There is also a configuration option to periodically re-optimize already known routes.

Route metric is calculated as sum of individual link metrics.

Link metric is calculated in the same way as for (R)STP protocols:

  • For Ethernet links the metric is configured statically (like for OSPF, for example).
  • For WDS links the metric is updated dynamically depending on actual link bandwidth, which in turn is influenced by wireless signal strength, and the selected data transfer rate.

Currently the protocol does not take in account the amount of bandwidth being used on a link, but that might be also used in future.

Wireless mesh configuration example:


Mesh configuration in RouterOS allows to setup WDS interface dynamically (automatically) when we using wds-mode=dynamic-mesh under /interface wireless menu, or add WDS interface manually when wds-mode=static-mesh is used. WDS is necessary to bridge wireless interface together to mesh network can shares the same subnet.

Two different frequencies are used: one for AP interconnections, and one for client connections to APs, so the AP must have at least two wireless interfaces.

In this example show mesh configuring between RouterA and RouterB because configuration on other mesh nodes are very similar main difference is IP address.

Configuration on RouterA:

The first we are going to create mesh interface with name “mesh1” and add interfaces to mesh interface, this configuration is very similar to bridge configuring in the RouterOS.

 [admin@A] /interface mesh> add name=mesh1

 [admin@A] /interface mesh port> add interface=wlan1 mesh=mesh1
 [admin@A] /interface mesh port> add interface=wlan2 mesh=mesh1

 [admin@A] /interface mesh> print 
 Flags: X - disabled, R - running 
  0    name="mesh1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00 
       admin-mac=00:00:00:00:00:00 mesh-portal=no hwmp-default-hoplimit=32 
       hwmp-preq-waiting-time=4s hwmp-preq-retries=2 
       hwmp-preq-destination-only=yes hwmp-preq-reply-and-forward=yes 
       hwmp-prep-lifetime=5m hwmp-rann-interval=10s 
       hwmp-rann-propagation-delay=0.5 hwmp-rann-lifetime=22s 

Configuring dynamic mesh interface for AP interconnection on RouterA:

[admin@A] /interface wireless> set wlan1 mode=ap-bridge ssid=meshNetwork frequency=2452 \
band=2.4ghz-b/g wds-mode=dynamic-mesh wds-default-bridge=mesh1

[admin@A] /interface wireless> set wlan2 mode=ap-bridge ssid=meshNetwork frequency=2452 \
band=2.4ghz-b/g wds-mode=dynamic-mesh wds-default-bridge=mesh1

wds-mode''=dynamic-mesh – means that all WDS interfaces will be created automatically.

Set up IP address on mesh interface:

[admin@MikroTik_PE2] /ip address> add interface=mesh1 address=

Configuring interface for client connection on Router A:

 [admin@A] /interface wireless> set wlan3 ssid=clients disabled=no frequency=2437 band=2.4ghz-b/g \

Configuration on RouterB:

 [admin@B] /interface mesh> add name=mesh1

[admin@B] /interface mesh port> add interface=wlan1 mesh=mesh1
[admin@B] /interface mesh port> add interface=wlan2 mesh=mesh1

Configuring dynamic mesh interface for AP interconnection on RouterB:

[admin@B] /interface wireless> set wlan1 mode=ap-bridge ssid=meshNetwork frequency=2452 \
band=2.4ghz-b/g wds-mode=dynamic-mesh wds-default-bridge=mesh1

[admin@B] /interface wireless> set wlan2 mode=ap-bridge ssid=meshNetwork frequency=2452 \
band=2.4ghz-b/g wds-mode=dynamic-mesh wds-default-bridge=mesh1

Set up IP address on mesh interface:

[admin@B] /ip address> add interface=mesh1 address=

Check dynamically created WDS interface on RouterA:

[admin@A] /interface wireless wds> print detail 

Flags: X - disabled, R - running, D - dynamic 
 0 RD name="wds1" mtu=1500 l2mtu=2290 mac-address=00:0C:42:2C:6A:04 arp=enabled \
 master-interface=wlan2 wds-address=00:0C:42:1F:9F:FD

As you can see WDS interface is running and wds-address=00:0C:42:1F:9F:FD – is MAC address of remote node.

Show mesh interface ports on RouterA:

 [admin@A] /interface mesh> port print 

 Flags: X - disabled, I - inactive, D - dynamic 
  #    INTERFACE                                MESH                               
  0    wlan1                                    mesh1
  1    wlan2                                    mesh1                         
  2  D wds1                                     mesh1

Test using ping:

[admin@A] > ping 64 byte ping: ttl=64 time=10 ms 64 byte ping: ttl=64 time=5 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 5/7.5/10 ms

If you want more security in your network you have to configure wireless security profile under /interface wireless security-profile menu.