Mikrotik WAP AC Quick Setup Guide & Guest Network Scripts


Oh boy, look what just arrived in the mail, a brand new Mikrotik WAP AC, also known as the “RBwAPG-5HacT2HnD”!

I’ve had a blast configuring this awesome little wireless access point. Unlike exporting and importing a configuration, which can cause major issues when the export is imported on new hardware, these scripts are designed to be run on ANY factory-defaulted WAP AC. Just import the .RSC file (instructions below).

This post will provide three quick-setup scripts for the purpose of rapidly deploying multiple WAPs.

  1. Configure a 2.4GHz Wireless Access Point, connected to your private LAN
  2. Configure a 2.4GHz and 5GHz Wireless Access Point, connected to your private LAN.
  3. Configure a 2.4GHz and 5GHz Wireless Access Point connected to your private LAN, and add an isolated Guest Network that cannot reach your internal LAN: Internet only.
    1. This was a real conundrum: the majority of isolation guides require a VLAN, or bridging the wireless antennas to a separate physical port. I achieved the same goal by putting guest clients in their own subnet and using firewall rules to block traffic between the two subnets. NAT masquerade rules give both networks internet access through the primary gateway.

Overview

Incredible price, awesome range, ultra-reliable, with 2x 2.4GHz and 3x 5GHz antennas, what’s not to love?

Your average home ISP Router/WAP can only handle 5-10 clients before performance becomes terrible. A Ubiquiti UAP-Pro caps out around 25-30 clients. For the WAP AC, expect a maximum real-world healthy load of 30 clients on 2.4GHz and up to 40 clients on 5GHz per WAP. This is based on the short-and-sweet rule of 15 clients per antenna.

The interface names are… different on the WAP AC than the WAP. For example, on the WAP: ether1-gateway, is now just ether1 on the WAP AC.

If you want to see what your current settings are, use the New Terminal > “export” command.

Update your packages first! System > Packages > Check For Updates > Release Candidate > Update and Install

Customize the scripts below to your liking. You can use these scripts as-is, just change the SSIDs, Passwords, etc in the variables section to meet your needs, and import.

I had to add a “hack” (the do { … } on-error={} wrapper) to the start and end of each command line to let the script continue running if there are errors, such as a setting that is already defined. For example, a common error would be “bridge with that name already exists, stopping.”

If you ever get stuck, you can always reset the WAP by holding the Reset Button when connecting power/POE (it only checks at boot), and waiting for the 2GHz and 5GHz lights to blink once, then let go of reset.

Script 1 – 2.4GHz Private LAN

#-----------------------------------#
#Mikrotik WAP AC 2.4GHz LAN Setup Script
#Jan 5th 2017, DanKruseWork (at) gmail (dot) com

#Private WiFi, 1x SSID
#This will be used for the majority of deployments, due to 5GHz having limited range [for any WAP].

#-----------------------------------#
#DIRECTIONS TO DEPLOY
#-----------------------------------#
#After changing your variables below, name this file "config.rsc"
#Using Winbox, drag the file into the root directory of "Files" (button on the left)
#Open "New Terminal" on the left, and run the command /import config.rsc
#You're done!

#######################################
#VARIABLES - Only Change Inside Quotes#
#######################################
#-----Device Name and "admin" Password
:global APName "AP01"
:global RouterPassword "adminpassword"

#-----Private Wireless Network
:global SSID "Company Wireless"
:global Password "companypassword"

#-----Guest Wireless Network
:global GuestSSID "Guest Wireless"
:global GuestPass "guestpassword"

#-----Set Transmitter Power. 12dB is 40' radius, 16dB is 80', 21dB is 120'+.
#Don't go above 21dB to prevent amplifier burn-out.
#If you have enough WAPs to overlap (4+), use 12dB. If you've only got one WAP, go 21dB.
:global TransmitPower "21"

#-----Static IP. Uncomment and edit the line below if you want a static IP on the WAP
#:global StaticIP "192.168.1.247/24"

#-----Roaming / Min-RSSI Kickoff Rules. Uncomment if part of a mesh network (4+ WAPs, walk around and stay connected).
#do { /interface wireless access-list add signal-range=-89..120 } on-error={}
#do { /interface wireless access-list add authentication=no forwarding=no signal-range=-120..-90 } on-error={}


#-----------------------------------#
#CONFIGURATION COMMANDS
#-----------------------------------#
do { /system identity set name="$APName" } on-error={}
do { /user set [find name=admin] password=$RouterPassword } on-error={}
do { /interface bridge add name="bridge"  } on-error={}

#Ethernet Plug
do { /interface bridge port add interface=ether1 bridge=bridge } on-error={}

#2.4GHz Antenna
do { /interface bridge port add interface=wlan1 bridge=bridge } on-error={}
#Add the static IP (if the variable is set) as a new entry. Entry 0 (the factory default) is removed below,
#so setting it in place with "set numbers=0" would be lost again.
do { /ip address add address=$StaticIP interface=bridge } on-error={}

#Enable DHCP Client on Ethernet Plug
do { /ip dhcp-client add dhcp-options=hostname,clientid disabled=no interface=bridge } on-error={}
#Disable DHCP Server from breaking your existing network
do { /ip dhcp-server disable 0 } on-error={}

#Disable the default static IP of 192.168.88.1, only use DHCP or manually set static (from variables)
do { /ip address remove 0 } on-error={}

#Set Password for SSID profile
#Group-Key-Update needed for iOS compatibility, default is 5m, set higher.
do { /interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys group-key-update=60m wpa2-pre-shared-key=$Password } on-error={}

#Configure 2.4GHz
do { /interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto l2mtu=1600 mode=ap-bridge name=wlan1 rx-chains=0,1 ssid=$SSID tx-chains=0,1 tx-power=$TransmitPower tx-power-mode=all-rates-fixed wireless-protocol=802.11 } on-error={}

#Disable 5GHz
do { /interface wireless disable wlan2 } on-error={}

#Set the clock for logging
do { /system clock set time-zone-name=America/Los_Angeles } on-error={}

#-----Daily Reboot at 12:10AM
do { /system scheduler add interval=1d name="Reboot Router Daily" on-event="/system reboot" start-date=jan/01/1970 start-time=00:10:00 } on-error={}
#Configure the client to use Google for time-syncing
do { /system ntp client set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4 server-dns-names=time1.google.com,time2.google.com } on-error={}


Script 2 – 2.4GHz & 5GHz Private LAN

#-----------------------------------#
#Mikrotik WAP AC 2.4GHz and 5GHz LAN Setup Script
#Jan 5th 2017, DanKruseWork (at) gmail (dot) com

#Private WiFi, 2x SSIDs

#-----------------------------------#
#DIRECTIONS TO DEPLOY
#-----------------------------------#
#After changing your variables below, name this file "config.rsc"
#Using Winbox, drag the file into the root directory of "Files" (button on the left)
#Open "New Terminal" on the left, and run the command /import config.rsc
#You're done!

#######################################
#VARIABLES - Only Change Inside Quotes#
#######################################
#-----Device Name and "admin" Password
:global APName "AP01"
:global RouterPassword "adminpassword"

#-----Private Wireless Network
:global SSID "Company Wireless"
:global SSID5GHz "Company Wireless 5GHz"
:global Password "companypassword"

#-----Set Transmitter Power. 12dB is 40' radius, 16dB is 80', 21dB is 120'+.
#Don't go above 21dB to prevent amplifier burn-out.
#If you have enough WAPs to overlap (4+), use 12dB. If you've only got one WAP, go 21dB.
:global TransmitPower "21"

#-----Static IP. Uncomment and edit the line below if you want a static IP on the WAP
#:global StaticIP "192.168.1.247/24"

#-----Roaming / Min-RSSI Kickoff Rules. Uncomment if part of a mesh network (roaming).
#do { /interface wireless access-list add signal-range=-89..120 } on-error={}
#do { /interface wireless access-list add authentication=no forwarding=no signal-range=-120..-90 } on-error={}


#-----------------------------------#
#CONFIGURATION COMMANDS
#-----------------------------------#
do { /system identity set name="$APName" } on-error={}
do { /user set [find name=admin] password=$RouterPassword } on-error={}

do { /interface bridge add name="bridge"  } on-error={}
#Ethernet Plug
do { /interface bridge port add interface=ether1 bridge=bridge } on-error={}
#2.4GHz Antenna
do { /interface bridge port add interface=wlan1 bridge=bridge } on-error={}
#5GHz Antenna
do { /interface bridge port add interface=wlan2 bridge=bridge } on-error={}
#Assign Static IP if variable is set
#Added as a new entry: entry 0 (the factory default) is removed below, so setting it in place would be lost again.
do { /ip address add address=$StaticIP interface=bridge } on-error={}

#Enable DHCP Client on Ethernet Plug
do { /ip dhcp-client add dhcp-options=hostname,clientid disabled=no interface=bridge } on-error={}
#Disable DHCP Server from breaking your existing network
do { /ip dhcp-server disable 0 } on-error={}

#Disable the default static IP of 192.168.88.1, only use DHCP or manually set static (from variables)
do { /ip address remove 0 } on-error={}

#Min-RSSI Connect / Kickoff rules live in the variables section above; uncomment them there for roaming.
#(They are not repeated here: access-list "add" does not fail on duplicates, so a second copy would add the rules twice.)

#Set Password for SSID profile
#Group-key-update required for iOS compatibility, default is 5m, set higher.
do { /interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys group-key-update=60m wpa2-pre-shared-key=$Password } on-error={}

#Configure 2.4GHz
do { /interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto l2mtu=1600 mode=ap-bridge name=wlan1 rx-chains=0,1 ssid=$SSID tx-chains=0,1 tx-power=$TransmitPower tx-power-mode=all-rates-fixed wireless-protocol=802.11 } on-error={}

#Configure 5GHz
do { /interface wireless set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=$SSID5GHz tx-power-mode=all-rates-fixed wireless-protocol=802.11 tx-power=$TransmitPower } on-error={}

#Set the clock for logging
do { /system clock set time-zone-name=America/Los_Angeles } on-error={}

#-----Daily Reboot at 12:10AM
do { /system scheduler add interval=1d name="Reboot Router Daily" on-event="/system reboot" start-date=jan/01/1970 start-time=00:10:00 } on-error={}
#Configure the client to use Google for time-syncing
do { /system ntp client set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4 server-dns-names=time1.google.com,time2.google.com } on-error={}

Script 3 – 2.4GHz & 5GHz, Private LAN & Guest Network

#-----------------------------------#
#Mikrotik WAP AC 2.4GHz and 5GHz LAN and Guest Setup Script
#Jan 5th 2017, DanKruseWork (at) gmail (dot) com

#Private and Guest WiFi, Up to 4x SSIDs
#This script is good for a standalone WAP.

#If 4 SSIDs is too many, run this command to disable wlan2 (5GHz Antenna)
#/interface disable wlan2


#-----------------------------------#
#DIRECTIONS TO DEPLOY
#-----------------------------------#
#After changing your variables below, name this file "config.rsc"
#Using Winbox, drag the file into the root directory of "Files" (button on the left)
#Open "New Terminal" on the left, and run the command /import config.rsc
#You're done!

#######################################
#VARIABLES - Only Change Inside Quotes#
#######################################
#-----Device Name and "admin" Password
:global APName "AP01"
:global RouterPassword "adminpassword"

#-----Private Wireless Network
:global SSID "Company Wireless"
:global SSID5GHz "Company Wireless 5GHz"
:global Password "companypassword"

#-----Guest Wireless Network
:global GuestSSID "Guest Wireless"
:global GuestSSID5GHz "Guest Wireless 5GHz"
:global GuestPass "guestpassword"

########################################################################################
#Guest Isolation - Adjust the isolation firewall rules to match your internal networks.#
########################################################################################

#-----Set Transmitter Power. 12dB is 40' radius, 16dB is 80', 21dB is 120'+.
#Don't go above 21dB to prevent amplifier burn-out.
#If you have enough WAPs to overlap (4+), use 12dB. If you've only got one WAP, go 21dB.
:global TransmitPower "21"

#-----Static IP. Uncomment and edit the line below if you want a static IP on the WAP
#:global StaticIP "192.168.1.247/24"

#-----Roaming / Min-RSSI Kickoff Rules. Uncomment if part of a mesh network (roaming).
#do { /interface wireless access-list add signal-range=-89..120 } on-error={}
#do { /interface wireless access-list add authentication=no forwarding=no signal-range=-120..-90 } on-error={}


#-----------------------------------#
#CONFIGURATION COMMANDS
#-----------------------------------#
do { /system identity set name="$APName" } on-error={}
do { /user set [find name=admin] password=$RouterPassword } on-error={}

#Create Private and Guest bridges
do { /interface bridge add name="bridge"  } on-error={}
do { /interface bridge add name="guestbridge" } on-error={}

#Ethernet Plug
do { /interface bridge port add interface=ether1 bridge=bridge } on-error={}
#2.4GHz Antenna
do { /interface bridge port add interface=wlan1 bridge=bridge } on-error={}
#5GHz Antenna
do { /interface bridge port add interface=wlan2 bridge=bridge } on-error={}

#-----Assign static IP to the bridge (if uncommented above)
#Added as a new entry: entry 0 (the factory default) is removed below, so setting it in place would be lost again.
do { /ip address add address=$StaticIP interface=bridge } on-error={}

#Enable DHCP Client on Ethernet Plug
do { /ip dhcp-client add dhcp-options=hostname,clientid disabled=no interface=bridge } on-error={}
#Disable DHCP Server on ether1 from taking over your existing network
do { /ip dhcp-server disable 0 } on-error={}

#Disable the default static IP of 192.168.88.1, only use DHCP or manually set static (from variables)
do { /ip address remove 0 } on-error={}

#-----Set Passwords
#Password for SSID profile
#Group-key-update required for iOS compatibility, default is 5m, set higher to 60m.
do { /interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys group-key-update=60m wpa2-pre-shared-key=$Password } on-error={}

#Guest SSID profile
do { /interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=guest group-key-update=60m wpa2-pre-shared-key=$GuestPass } on-error={}

#-----Configure 2.4GHz
do { /interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto l2mtu=1600 mode=ap-bridge name=wlan1 rx-chains=0,1 ssid=$SSID tx-chains=0,1 tx-power=$TransmitPower tx-power-mode=all-rates-fixed wireless-protocol=802.11 } on-error={}

#Configure 2.4GHz Guest SSID
do { /interface wireless add disabled=no master-interface=wlan1 mode=ap-bridge name=wlan3 security-profile=guest ssid="$GuestSSID" } on-error={}

#Add 2.4GHz Guest to Bridge
do { /interface bridge port add interface=wlan3 bridge=guestbridge } on-error={}

#-----Configure 5GHz
do { /interface wireless set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=$SSID5GHz tx-power-mode=all-rates-fixed wireless-protocol=802.11 tx-power=$TransmitPower } on-error={}

#Configure 5GHz Guest SSID
do { /interface wireless add disabled=no master-interface=wlan2 mode=ap-bridge name=wlan4 security-profile=guest ssid="$GuestSSID5GHz" } on-error={}

#Add 5GHz Guest to Bridge
do { /interface bridge port add interface=wlan4 bridge=guestbridge } on-error={}

#-----Guest DHCP Server
do { /ip address add address=10.10.200.1/24 interface=guestbridge network=10.10.200.0 } on-error={}
do { /ip pool add name=guestdhcppool ranges=10.10.200.10-10.10.200.200 } on-error={}
do { /ip dhcp-server add address-pool=guestdhcppool disabled=no interface=guestbridge name=guestdhcp } on-error={}
do { /ip dhcp-server network add address=10.10.200.0/24 dns-server=8.8.8.8 gateway=10.10.200.1 } on-error={}

#Isolate the Private and Guest Networks from each other
do { /ip firewall filter add action=drop chain=forward dst-address=192.168.1.0/24 src-address=10.10.200.0/24 } on-error={}
do { /ip firewall filter add action=drop chain=forward dst-address=10.10.200.0/24 src-address=192.168.1.0/24 } on-error={}

#NAT the Private and Guest networks so they can reach the internet
do { /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=bridge } on-error={}
do { /ip firewall nat add action=masquerade chain=srcnat out-interface=guestbridge } on-error={}

#-----Set Clock
do { /system clock set time-zone-name=America/Los_Angeles } on-error={}

#Configure the client to use Google for time-syncing
do { /system ntp client set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4 server-dns-names=time1.google.com,time2.google.com } on-error={}

#-----Daily Reboot at 12:10AM
do { /system scheduler add interval=1d name="Reboot Router Daily" on-event="/system reboot" start-date=jan/01/1970 start-time=00:10:00 } on-error={}
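The two forward rules in Script 3 only separate guests from 192.168.1.0/24, and nothing in the input chain stops a guest client from reaching the AP's own management services (WinBox, SSH, web) on 10.10.200.1. The block below is an added example, not part of the original post; it assumes Script 3 has already run, so guestbridge, wlan3, wlan4 and the 10.10.200.0/24 guest subnet exist, and it uses the same do/on-error convention.

```routeros
#-----Added example: tighten guest isolation after Script 3 has run
#Assumes: guestbridge = 10.10.200.0/24, guest radios are wlan3 (2.4GHz) and wlan4 (5GHz)

#1. Treat every RFC1918 range as "internal", so guests cannot reach a second
#   private subnet that the single 192.168.1.0/24 rule in Script 3 would miss.
do { /ip firewall address-list add list=rfc1918 address=10.0.0.0/8 comment="guest-iso" } on-error={}
do { /ip firewall address-list add list=rfc1918 address=172.16.0.0/12 comment="guest-iso" } on-error={}
do { /ip firewall address-list add list=rfc1918 address=192.168.0.0/16 comment="guest-iso" } on-error={}

#2. Routed guest traffic to any internal range is dropped (forward chain).
#   Replies to sessions that were allowed out are accepted first.
do { /ip firewall filter add chain=forward connection-state=established,related action=accept comment="guest-iso" } on-error={}
do { /ip firewall filter add chain=forward in-interface=guestbridge dst-address-list=rfc1918 action=drop comment="guest-iso" } on-error={}

#3. Guests may talk to the AP itself only for DHCP (UDP/67). Everything else
#   aimed at the AP from guestbridge is dropped (input chain), including ping.
#   Guest DNS goes to 8.8.8.8 per Script 3, so no DNS exception is needed here.
do { /ip firewall filter add chain=input in-interface=guestbridge protocol=udp dst-port=67 action=accept comment="guest-iso" } on-error={}
do { /ip firewall filter add chain=input in-interface=guestbridge action=drop comment="guest-iso" } on-error={}

#4. Stop guest clients on the same radio from talking to each other. This is
#   layer 2 traffic on the bridge, which the IP firewall above never sees.
do { /interface wireless set wlan3 default-forwarding=no } on-error={}
do { /interface wireless set wlan4 default-forwarding=no } on-error={}

#Quick check: list the rules this block added together with their packet counters.
/ip firewall filter print stats where comment="guest-iso"
```

Run the check from a guest client after importing: a connection attempt to the private LAN or to 10.10.200.1 via WinBox should show the drop counters increasing while internet access keeps working.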

