MikroTik wAP Quick Setup Guide
Hello there, this post will provide instructions configuring a MikroTik wireless access points from start to finish with a quick script. The goal is a wireless network where you can walk around the building and have client devices jump from WAP to WAP via access rules (Min-RSSI).
These principles will work on any Mikrotik device with wireless capability since they all run the same Routerboard software.
My company deployed 12 Ubiquiti UAP Pros to a client, we experienced intermittent connectivity with Apple devices (MacBook Air, MBP, and iPhones), Ubiquiti forums were not helpful, firmware upgrades/downgrades didn’t make a difference, and devs shifted the blame to Apple. We decided to try a different vendor, MikroTik, and purchased four RBwAP2nD units (Looks like a rounded, white rectangle).
The Mikrotiks did the job beautifully after proper setup! Not only did they not have issues with Apple devices, but the quality of signal was FAR higher than with Ubiquiti. More capacity, better signal, 1/4 the cost, with granted much harder management than the beautiful UniFi Controller, but in this setting it is acceptable — one location, set it and forget it.
Rather than set up a Wireless Mesh (WDS) or use the CAPsMAN controller, I’m keeping it simple. Set each AP in each corner of the building, use Min-RSSI to kick off clients when their signal is too weak, then they join the strongest signal near them. It’s short-and-sweet roaming, not seamless, but good enough.
The wAP can be powered by PoE or power-plug, between 12v-57v. We are using our already purchased Ubiquiti Toughswitch-8-Pro to power the units, but you could use any standard 24v or 48v PoE switch.
By default the WAP runs a DHCP Server, so I made sure to not plug it directly into our existing
network. You can connect directly to the WAP through wireless with a laptop. Once connected, you’ll pull a DHCP IP, usually 192.168.88.254. You can connect to the Mikrotik wAP with Winbox, their management software — very powerful!
Click the three dots next to “Connect” and WinBox will search for any Mikrotik devices. You can connect by IP, or direct MAC address (no matching IP/subnet needed!). Default username/password is admin/<blank>.
All of these commands are menu presses. So “/system identity” means click the System button on the left, then the identity drop-down, further commands are tabs or fields. These commands can be entered DIRECTLY into the WAP applying immediately by using “New Terminal” on the left. The terminal lets you rapidly set up units after you’ve got your base commands in a text file. With these codes I’m able to crank out a matching WAP in about 4 minutes.
Name the AP
/system identity set name="NAME"
Wireless / Wired Bridge
Allow the wireless and wired connections to talk to each other. A bridge functions like a switch, it lets different interfaces talk to each other (whether that is a physical port, antenna, or VLAN, it connects them together).
/interface bridge add name="bridge1" /interface bridge port add interface=ether1-gateway bridge=bridge1 /interface bridge port add interface=wlan1 bridge=bridge1
LAN Dynamic IP
Force the wired connection to pull a dynamic IP address by turning on the DHCP-Client service.
/ip dhcp-client add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
Overwrite the existing (192.168.88.1/24) IP Address applied to the wired NIC. This will be an additional static IP to the wired NIC, the first being by DHCP Client.
Edit the IP /ip address set address=10.10.10.53/24 interface=ether1-gateway numbers=0
Disable DHCP Server
This is just an access point, no DHCP Server needed.
/ip dhcp-server disable 0
Minimum-RSSI (Kickoff when the signal is too weak)
Called Min-RSSI by Ubiquiti, Mikrotik uses an access rule to allow or deny connections. It is almost like a firewall yes/no rule, if your signal is between this range (-84dB through 120dB, written as -84..120), you are allowed to authenticate and to talk to other devices (forward). If your signal is below this range (-120 through -85dB, written as -120..-85), you will be kicked. In reality, it takes about 1-2 seconds of a device having a signal lower than -84dB before the kick happens.
The way signal measurements work, a negative number is a receive number. A positive number is a transmitted or sent number.
Here are some quick dB examples. I have found the Mikrotiks to continue running well at even -85dB because the hardware has such an extremely low/quiet noise floor: -105dB, which is insanely quiet, means you get MUCH better range for the power. 1000mW is a great marketing feature, but it doesn’t mean squat without a good noise floor to compare to. For comparison, Ubiquiti gear (which is usually quite good for the money) signal becomes unusable around -72dB.
General Client Receiving Signal Examples
- -55dB, this is a great signal quality for a client like a laptop or cell-phone
- -75dB, we are nearing the limits of usable signal, expect some packet loss or stutters in video/VOIP.
- -30dB, power is extremely high, you are probably standing within 3 feet of the antenna, or your transmit power is way too high.
## Each of these commands will restart the networking interfaces, so you'll probably be disconnected. #Configure Min-RSSI Connect /interface wireless access-list add signal-range=-84..120 #Configure Min-RSSI Kickoff /interface wireless access-list add authentication=no forwarding=no signal-range=-120..-85
Edit the Wireless Password:WPA or WPA2
####Edit the Password in two places, once for WPA and WPA2#### /interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=MyPassword wpa2-pre-shared-key=MyPassword
Edit the SSID, and set your transmit power in dB
Antenna/Station Transmitting Examples
- +12dB, low power, usable 40 foot radius with 1 piece of drywall between station and client.
- +16dB, medium power, usable 60 fo0t radius with 2 drywalls between station and client..
- +21dB, high power, range is unpredictable, could be 400 foot radius with line of sight, or 120 foot radius with interference.
High transmit power for MikroTiks is 19-21dB, be aware that though your transmitter may be loud, clients may not be loud enough to reply back. You would see this as a client having full bars of signal, but extreme packet loss or “unable to connect”. For comparison, a Ubiquiti running on High power (Auto) is +30dB.
Don’t just turn up the dB to get farther range, it’s possible to burn out amplifiers/antennas if you don’t know what you’re doing, and may make your signal-to-noise ratio worse.
/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto l2mtu=1600 mode=ap-bridge name=wlan1-local rx-chains=0,1 ssid=WirelessName tx-chains=0,1 tx-power=16 tx-power-mode=all-rates-fixed wireless-protocol=802.11
Configure Time (NTP) and Automatic Nightly Reboot
Mikrotiks do not have a battery inside, and thus the time resets whenever they reboot. Configure a NTP server to have the clock auto-update after boot.
In addition, it never hurts to reboot once per day to work out any glitches.
#Reboot router every day at 12:10AM /system scheduler add interval=1d name="Reboot Router Daily" on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=00:10:00 #Configure the client to use Google as time servers /system ntp client set enabled=yes primary-ntp=184.108.40.206 secondary-ntp=220.127.116.11 server-dns-names=time1.google.com,time2.google.com
I updated each WAP at the end, since it was easier to configure them to a usable state and avoid conflict with DHCP-Servers, so data can be pulled via the ethernet cable once they are hooked into the primary switches.
Winbox > System > Packages > Check for Updates > Download and Install
Hopefully this quick start guide was helpful in getting you going on MikroTik WAPs. I’m really amazed by what these units can do for so little money. Harder to configure than most WAPs for sure, but they are extremely reliable — I never have to reboot them, they just take a beating with capacity and handle it like a champ, and don’t even get me started on the reliability of home routers like Netgear, ASUS, or Linksys. Have fun! 😉