Overview
Standards
Wireless can operate in several modes: client (station), access point, wireless bridge, etc. A client/station can also operate in different modes; a complete list of supported modes can be found here.
General interface properties
Sub-menu: /interface wireless
Transmit Power representation on 802.11n and 802.11ac
802.11n wireless chipsets represent power per chain, while 802.11ac wireless chipsets represent the total power; for reference see the table below:
Basic and MCS Rate table
Used settings when rate-set=configured
Frame protection support (RTS/CTS)
The 802.11 standard provides a means to protect a transmission against transmissions from other devices by using the RTS/CTS protocol. Frame protection helps to fight the "hidden node" problem. There are several types of protection:
The protection mode is controlled by the hw-protection-mode setting of the wireless interface. Possible values: none for no protection (default), rts-cts for RTS/CTS based protection, or cts-to-self for "CTS to self" based protection. The frame size threshold at which protection should be used is controlled by the hw-protection-threshold setting of the wireless interface. For example, to enable "CTS-to-self" based frame protection on an AP for all frames, regardless of size, use the command:
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=cts-to-self hw-protection-threshold=0
To enable RTS/CTS based protection on a client, use the command:
[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=rts-cts hw-protection-threshold=0
Nv2
MikroTik has developed a new wireless protocol based on TDMA technology (Time Division Multiple Access): Nstreme version 2 (Nv2). See the Nv2 documentation: NV2. TDMA is a channel access method for shared-medium networks. It allows several users to share the same frequency channel by dividing the signal into different time slots. The users transmit in rapid succession, one after the other, each using its own time slot. This allows multiple stations to share the same transmission medium (e.g. a radio frequency channel) while each uses only a part of its channel capacity. The most important benefits of Nv2 are:
Starting from RouterOS v5.0beta5 you can configure Nv2 in the Wireless menu. Please take a look at the NV2 protocol implementation status. The Nv2 protocol limit is 511 clients.
Warning: Nv2 does not support Virtual AP.
Nv2 Troubleshooting
Increase throughput on long-distance links with tdma-period-size. In every "period", the Access Point leaves part of the time unused for data transmission (equal to the round-trip time: the time in which a frame can be sent to and received back from the client); it is used to ensure that the client can receive the last frame from the Access Point before sending its own packets to it. The longer the distance, the longer the unused part of the period. For example, if the distance between the Access Point and the client is 30km, a frame takes 100us one way, so the round-trip time is ~200us. The tdma-period-size default value is 2ms, which means 10% of the time is unused. When tdma-period-size is increased to 4ms, only 5% of the time is unused. For a 60km wireless link the round-trip time is 400us, so the unused time is 20% for the default tdma-period-size of 2ms, and 10% for 4ms. A bigger tdma-period-size value increases latency on the link.
Access List
Sub-menu: /interface wireless access-list
Access list rules are processed one by one until a matching rule is found. Then the action in the matching rule is executed. If the action specifies that the client should be accepted, the client is accepted, potentially overriding its default connection parameters with the ones specified in the access list rule. There are the following parameters for access list rules:
Operation:
Warning: If there is no entry in the ACL about a client that connects to the AP (wireless,debug wlan2: A0:0B:BA:D7:4D:B2 not in local ACL, by default accept), then the ACL is ignored for this client during the whole connection time. For example, if the client's signal during connection is -41 and we have the ACL rule
/interface wireless access-list add authentication=yes forwarding=yes interface=wlan2 signal-range=-55..0
then the connection is matched to the ACL rule, but if the signal later drops to -70..-80, the client will not be disconnected. Please note that if "default-authentication=yes" is set on the wireless interface, clients will be able to join even if there are no matching access-list entries. To make it work correctly, it is required that the client is matched by one of the ACL rules. If we modify the ACL rules in the previous example to:
/interface wireless access-list
add interface=wlan2 signal-range=-55..0
add authentication=no forwarding=no interface=wlan2 signal-range=-120..-56
then if the signal drops to -56, the client will be disconnected.
Properties
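The access-list evaluation described in the warning above, as an added example that is not MikroTik's code: a small model of first-match rule processing, the "not in local ACL" case where the interface default decides and the ACL is ignored for the rest of the connection, and the disconnect that only happens when a later signal reading matches a rule with authentication=no. Rule fields, the MAC address from the debug line above and the signal readings are constructed sample input; the model only covers interface, MAC and signal-range matching.

```python
# Added example (not MikroTik code): model of RouterOS wireless access-list
# evaluation as described in the manual's warning about the ACL being ignored
# when a client matches no rule at connection time.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AclRule:
    interface: str
    signal_range: Tuple[int, int]        # inclusive dBm range, e.g. (-55, 0)
    mac_address: Optional[str] = None    # None: rule applies to any client MAC
    authentication: bool = True          # RouterOS default is yes
    forwarding: bool = True


def first_match(rules: List[AclRule], interface: str, mac: str,
                signal: int) -> Optional[AclRule]:
    """Rules are processed in order; the first matching rule wins."""
    for rule in rules:
        if rule.interface != interface:
            continue
        if rule.mac_address is not None and rule.mac_address.lower() != mac.lower():
            continue
        low, high = rule.signal_range
        if low <= signal <= high:
            return rule
    return None


def simulate(rules: List[AclRule], interface: str, mac: str,
             signals: List[int], default_authentication: bool = False) -> List[str]:
    """Feed successive signal readings (the first is at association time) and
    return the client's state after each: 'connected', 'rejected' or 'disconnected'."""
    rule = first_match(rules, interface, mac, signals[0])
    if rule is None:
        # "not in local ACL": the interface default-authentication decides and
        # the ACL is ignored for the whole connection, whatever the signal does.
        if not default_authentication:
            return ["rejected"]
        return ["connected"] * len(signals)
    if not rule.authentication:
        return ["rejected"]
    states = ["connected"]
    for signal in signals[1:]:
        rule = first_match(rules, interface, mac, signal)
        if rule is not None and not rule.authentication:
            states.append("disconnected")     # matched a denying rule
            break
        states.append("connected")            # no match or accepting rule: stays
    return states


# Constructed sample data: the two rule sets from the manual text.
MAC = "A0:0B:BA:D7:4D:B2"
SINGLE_RULE = [AclRule("wlan2", (-55, 0))]
TWO_RULES = [AclRule("wlan2", (-55, 0)),
             AclRule("wlan2", (-120, -56), authentication=False, forwarding=False)]

if __name__ == "__main__":
    print(simulate(SINGLE_RULE, "wlan2", MAC, [-41, -70, -80]))   # never disconnected
    print(simulate(TWO_RULES, "wlan2", MAC, [-41, -50, -56]))     # disconnected at -56
```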
Align
Sub-menu: /interface wireless align
The align tool is used to help align devices that are running this tool.
Menu Specific Commands
Connect List
Sub-menu: /interface wireless connect-list
Operation:
Properties
Usage
Restrict station connections only to specific access points
Disallow connections to specific access points
Select preferred access points
Restrict WDS link establishment
Info
Sub-menu: /interface wireless info
Used to gather information.
Manual TX Power Table
Sub-menu: /interface wireless manual-tx-power-table
Wireless hardware table
Warning: You must follow the regulatory domain requirements in your country. If you are allowed to use other frequencies, note that Antenna Gain and Transmit Power may decrease depending on the board and frequency. Devices are calibrated only for regulatory frequencies; use non-standard frequencies at your own risk. The list only specifies frequencies accepted by the wireless chip; these frequencies might not always work due to the antenna that is built into the product, device design, filters and other factors. USE STRICTLY AT YOUR OWN RISK
NOTES:
Nstreme
Sub-menu: /interface wireless nstreme
Note: The settings here (except for enabling nstreme) are relevant only on the Access Point; they are ignored for client devices! The client automatically adapts to the AP settings.
Nstreme Dual
Sub-menu: /interface wireless nstreme-dual
Warning: WDS cannot be used on Nstreme-dual links.
Note: The difference between tx-freq and rx-freq should be about 200MHz (more is recommended) because of the interference that may occur!
Note: You can use different bands for the rx and tx links. For example, transmit in 2ghz-g and receive data using the 2ghz-b band.
Registration Table
Sub-menu: /interface wireless registration-table
All properties are read-only.
Security Profiles
Sub-menu: /interface wireless security-profiles
Basic properties
WPA properties
These properties have effect only when mode is set to dynamic-keys.
Note: RouterOS also allows overriding the pre-shared key value for specific clients, using either the private-pre-shared-key property, or the Mikrotik-Wireless-Psk attribute in the RADIUS MAC authentication response. This is an extension.
WPA EAP properties
These properties have effect only when authentication-types contains wpa-eap or wpa2-eap, and mode is set to dynamic-keys.
Note: The order of the allowed authentication methods in eap-methods is important; the same order is used to send authentication method offers to the Station. Example: the Access Point uses a security-profile where eap-methods is set to eap-tls,passthrough;
1) the Access Point offers the EAP-TLS method to the client;
2) the client refuses;
3) the Access Point starts relaying EAP communication to the RADIUS server.
Note: When the AP is used for passthrough it is not required to add certificates on the AP itself; the AP device works as a transparent bridge and forwards the EAP-TLS association data from the RADIUS server to the end client.
Note: When tls-mode uses either verify-certificate or dont-verify-certificate, the remote device has to support one of the RC4-MD5, RC4-SHA or DES-CBC3-SHA TLS cipher suites. When using no-certificates mode, the remote device must support the "ADH-DES-CBC3-SHA" cipher suite. All of these are legacy suites (RC4 and 3DES are deprecated, and ADH is anonymous Diffie-Hellman, which authenticates neither side), so this EAP-TLS path should only be relied on between peers that are identified by other means.
RADIUS properties
WEP properties
These properties have effect only when mode is set to static-keys-required or static-keys-optional.
Management frame protection
Used for: deauthentication attack prevention, MAC address cloning issues. RouterOS implements a proprietary management frame protection algorithm based on a shared secret. Management frame protection means that a RouterOS wireless device is able to verify the source of a management frame and confirm that the particular frame is not malicious. This feature allows RouterOS-based wireless devices to withstand deauthentication and disassociation attacks. The management protection mode is configured in the security-profile with the management-protection setting. Possible values are:
- disabled: management protection is disabled (default)
- allowed: use management protection if supported by the remote party (for an AP: allow both non-management-protection and management-protection clients; for a client: connect both to APs with and without management protection)
- required: establish an association only with remote devices that support management protection (for an AP: accept only clients that support management protection; for a client: connect only to APs that support management protection)
The management protection shared secret is configured with the security-profile management-protection-key setting. When the interface is in AP mode, the default management protection key (configured in the security-profile) can be overridden by a key specified in the access-list or a RADIUS attribute.
[admin@mikrotik] /interface wireless security-profiles> print
0 name="default" mode=none authentication-types="" unicast-ciphers="" group-ciphers=""
  wpa-pre-shared-key="" wpa2-pre-shared-key="" supplicant-identity="n-str-p46"
  eap-methods=passthrough tls-mode=no-certificates tls-certificate=none
  static-algo-0=none static-key-0="" static-algo-1=none static-key-1=""
  static-algo-2=none static-key-2="" static-algo-3=none static-key-3=""
  static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key=""
  radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no
  interim-update=0s radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username
  radius-mac-caching=disabled group-key-update=5m management-protection=disabled
  management-protection-key=""
[admin@mikrotik] /interface wireless security-profiles> set default management-protection=
allowed  disabled  required
Operation details
RADIUS MAC authentication
Note: RADIUS MAC authentication is used by the access point for clients that are not found in the access-list, similarly to the default-authentication property of the wireless interface. It controls whether the client is allowed to proceed with authentication, or is rejected immediately. When radius-mac-authentication=yes, the access point queries the RADIUS server by sending an Access-Request with the following attributes:
When the access point receives an Access-Accept or Access-Reject response from the RADIUS server, it stores the response and either allows or rejects the client. The access point uses the following RADIUS attributes from the Access-Accept response:
Caching
Caching of RADIUS MAC authentication was added to support RADIUS authentication for clients that require a very quick response to the association request from the access point. Such clients time out before the response from the RADIUS server is received. The access point caches the authentication response for some time and can immediately reply to a repeated association request from the same client.
RADIUS EAP pass-through authentication
When using the WPA EAP authentication type, clients that have passed MAC authentication are required to perform EAP authentication before being authorized to pass data on the wireless network. With the pass-through EAP method the access point relays authentication to the RADIUS server, and uses the following attributes in the Access-Request RADIUS message:
The access point uses the following RADIUS attributes from the Access-Accept server response:
Usage
RADIUS authentication with one server
1. Create a security-profile:
/interface wireless security-profiles add name=radius mode=dynamic-keys authentication-types=wpa2-eap supplicant-identity=RadUserIdent
2. Assign the security-profile to the WLAN interface:
/interface wireless set security-profile=radius
3. Add the RADIUS server client:
/radius add address=x.x.x.x secret=MySecret service=wireless
1. Create a security-profile:
/interface wireless security-profiles add name=radius mode=dynamic-keys authentication-types=wpa2-eap supplicant-identity=RadUserIdent radius-called-format=ssid
2. Assign the security-profile to the WLAN interface:
/interface wireless set security-profile=radius
3. Add the RADIUS server1 client:
/radius add address=x.x.x.x secret=MySecret service=wireless called-id=WLAN_SSID1
4. Add the RADIUS server2 client:
/radius add address=y.y.y.y secret=MySecret service=wireless called-id=WLAN_SSID2
Statically configured WEP keys
Different algorithms require different key lengths:
The key must contain an even number of hexadecimal digits.
WDS security configuration
WDS links can use all available security features. However, they require careful configuration of security parameters. It is possible to use one security profile for all clients, and different security profiles for WDS links. The security profile for a WDS link is specified in the connect-list. An access point always checks the connect list before establishing a WDS link with another access point, and uses the security settings from the matching connect list entry. A WDS link will work when each access point has a connect list entry that matches the other device, has connect=yes and specifies a compatible security-profile.
WDS and WPA/WPA2
If an access point uses a security profile with mode=dynamic-keys, then encryption will be used for all WDS links. Since WPA authentication and key exchange are not symmetrical, one of the access points will act as a client for the purpose of establishing the secure connection. This is similar to how the static-mesh and dynamic-mesh WDS modes work. Some problems, like a single-sided WDS link between two incorrectly configured access points that use a non-mesh mode, are not possible if WPA encryption is enabled. However, non-mesh modes with WPA still have other issues (like constant reconnection attempts in case of a configuration mismatch) that are solved by use of the -mesh WDS modes. In general, the WPA properties on both access points that establish a WPA-protected WDS link have to match. These properties are authentication-types, unicast-ciphers and group-ciphers. For non-mesh WDS modes these properties need to have the same values on both devices. In mesh WDS mode each access point has to support the other one as a client. Theoretically it is possible to use RADIUS MAC authentication and other RADIUS services with WDS links. However, only one access point will interact with the RADIUS server; the other access point will behave as a client.
The implementation of the eap-tls EAP method in RouterOS is particularly well suited for WDS link encryption. tls-mode=no-certificates requires no additional configuration, and provides very strong encryption. Note that, as the tls-mode note above states, no-certificates relies on an anonymous (ADH) cipher suite, which authenticates neither peer; the WDS peer is then identified only by the connect-list match, so keep that entry as specific as possible (the connect-list can match on the remote MAC address).
WDS and WEP
The mode, static-sta-private-key and static-sta-private-algo parameters in the security profile assigned to the WDS link need to have the same values on both access points that establish the WDS link with WPA encryption.
Security profile and access point matching in the connect list
A client uses the value of the connect-list security-profile property to match only those access points that support the necessary security.
Virtual interfaces
VirtualAP
It is possible to create virtual access points using the add command in the wireless menu. You must specify the master-interface that the virtual interface will belong to. If the master-interface mode is station, the Virtual AP will work only when the master-interface is active. The Virtual AP can have its own SSID and Security Profile. A Virtual AP interface will only work if the master interface is in ap-bridge, bridge, station or wds-slave mode. It works only with the 802.11 protocol; Nv2 is not supported. This feature is useful for separating access for different types of users. You can assign different bandwidth levels and passwords and instruct users to connect to the specific virtual network; it will appear to wireless clients as a different SSID or a different device. For example, when using QuickSet to configure a guest network, the VirtualAP feature is used in the background. To create a new virtual-ap:
/interface> wireless add mode=ap-bridge master-interface=wlan1 ssid=guests security-profile=guests
(such a security profile first needs to be created)
Note: you can create up to 127 virtual interfaces per physical interface. It is not recommended to create more than 30, since performance will start to degrade.
Virtual Clients
Note: Starting from 6.35, only in the wireless-rep or wireless-cm2 package.
It is also possible to create virtual clients and have both an AP and a Client on the same physical interface. This allows making a repeater setup using only one hardware card. The configuration process is exactly the same as above, but use mode=station. To create a new virtual-client:
/interface> wireless add mode=station master-interface=wlan1 ssid=where-to-connect security-profile=your-profile
(such a security profile first needs to be created)
Note: Virtual interfaces will always use the master interface's wireless frequency. If the master interface has 'auto' frequency enabled, they will use the wireless frequency that the master interface selected.
Sniffer
Sub-menu: /interface wireless sniffer
Note: Use the command /interface wireless info scan-list to verify the scan-list defined under /interface wireless channels when using multiple-channels=yes.
Packets
Sub-menu: /interface wireless sniffer packet
This sub-menu shows captured packets.
Scan
The scan command allows you to see the available APs in the frequency range defined in the scan-list. While the scan command runs, interface operation is disabled (the wireless link is disconnected during the scan operation). Since RouterOS v6.35 (wireless-rep) background scan is supported, which can be used during wireless interface operation without disconnecting the wireless link. Background scan is supported only with the 802.11 wireless protocol. The scan tool will continue scanning for APs until the user stops the scan process. It is possible to use the 'rounds' setting to make the scan tool go through the scan-list entries a specific number of times. This is useful when running the scan tool from scripts. Example of the scan command for one round:
/interface wireless scan wlan1 rounds=1
The 'save-file' option allows scripted/scheduled scans to save the results in a file for future analysis. Together with the rounds setting, this feature also allows getting scan results from remote wireless clients: executing the command starts the scan tool, which disconnects the wireless link, scans through the scan-list frequencies, saves the results to the file, exits the scan and reconnects the wireless link. Example:
/interface wireless scan wlan1 rounds=1 save-file=scan1
To use background wireless scan, the 'background=yes' setting should be provided. Example:
/interface wireless scan wlan1 background=yes
The background scan feature works under the following conditions:
The scan command is also supported on Virtual wireless interfaces, with the following limitations:
Snooper
This tool monitors surrounding frequency usage and displays which devices occupy each frequency. It is available both in the console and in Winbox. Snooper uses the frequencies from the scan-list.
Sub-menu: /interface wireless snooper
Settings
Spectral scan
WDS
Sub-menu: /interface wireless wds
Properties:
WPS
The wireless interface supports a WPS Server and also a WPS Client (supported by the wireless-rep package starting from RouterOS v6.35).
WPS Server
The WPS Server allows wireless clients that support WPS to connect to an AP protected with a Pre-Shared Key without specifying that key in the client's configuration. The WPS Server can be enabled by changing the WPS Mode setting of the wireless interface. Example:
/interface wireless set wlan1 wps-mode=push-button
wps-mode has 3 options:
By pushing the WPS physical/virtual button the AP enables the WPS functionality. If the WPS process is not initiated within 2 minutes, the WPS Accept function is stopped. The WPS Server is enabled by default on a few boards that have a physical WPS button marked, for example hap lite, hap, hap ac lite, hap ac, map lite. The WPS Server is active only when the wireless AP interface has Pre-Shared Key (PSK) authentication enabled. It is possible to configure this mode for Virtual AP interfaces as well.
WPS Client
The WPS Client function allows the wireless client to get the Pre-Shared Key configuration from an AP that has the WPS Server enabled. The WPS Client can be enabled with the command:
/interface wireless wps-client wlan1
The WPS Client command outputs all the information of the WPS-enabled AP on the screen. Example:
[admin@MikroTik] /interface wireless> wps-client wlan1
  status: disconnected, success
  ssid: MikroTik
  mac-address: E4:8D:8C:D6:E0:AC
  passphrase: presharedkey
  authentication: wpa2-psk
  encryption: aes-ccm
It is possible to specify additional settings for the WPS-Client command:
Repeater
The wireless repeater receives the signal from an AP and repeats it locally using the same physical interface, for connecting other clients. This extends the wireless service for wireless clients. The wireless repeater function configures the wireless interface to connect to the AP with the station-bridge or station-pseudobridge option, creates a virtual AP interface, creates a bridge interface and adds both (main and virtual) interfaces to the bridge ports. If your AP supports button-enabled WPS mode, you can use the automatic setup command:
/interface wireless setup-repeater wlan1
The setup-repeater does the following steps:
If your AP does not support WPS, it is possible to specify the settings manually, using these parameters:
Note: Configuring the address field will add a connect-list entry with the specified MAC address and set the master WLAN interface with default-authentication=no.
Station-Roaming
The Station Roaming feature is available only for the 802.11 wireless protocol and only for station modes. When a RouterOS wireless client is connected to an AP using the 802.11 wireless protocol, it periodically performs a background scan at specific time intervals. When the background scan finds an AP with a better signal, the client tries to roam to that AP. The intervals between background scans become shorter when the wireless signal gets worse, and longer when the wireless client's signal gets better.
Note: If there is only one possible AP that the station(s) connect to, it is recommended to disable the feature, as it can increase traffic latency during the background scan or in some cases even briefly disconnect the station from the AP.
VLAN tagging
Sub-menu: /interface wireless
With VLAN tagging it is possible to separate Virtual AP traffic on the Ethernet side of a "locally forwarding" AP (one on which the wireless interfaces are bridged with Ethernet). This is necessary to separate e.g. "management" and "guest" network traffic on the Ethernet side of APs. A VLAN is assigned to the wireless interface; as a result, all data coming from wireless gets tagged with this tag, and only data with this tag will be sent out over wireless. This works for all wireless protocols, except that on Nv2 there is no Virtual AP support. You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network. To use this option you will need to use RADIUS attributes.
Note: To use this option you must enable the wireless-fp or wireless-cm2 package for RouterOS versions up to 6.37. Starting from RouterOS v6.37 you can do that with the regular wireless package.
VLAN tag override
The per-interface VLAN tag can be overridden on a per-client basis by means of the access-list and RADIUS attributes (for both regular wireless and the wireless controller). This way traffic can be separated between wireless clients even on the same interface, but it must be used with care: only "interface VLAN" broadcast/multicast traffic will be sent out. If working broadcast/multicast is necessary for the other (overridden) VLANs as well, multicast-helper can be used for now (this converts every multicast packet to unicast, which is then sent only to clients with matching VLAN ids).
Winbox
Winbox is a small utility that allows administration of MikroTik RouterOS using a fast and simple GUI.
Note: Current Tx Power gives you information about the transmit power currently used at a specific data rate. Currently not supported for Atheros 802.11ac chips (e.g. QCA98xx).
Interworking Realms setting
Starting from RouterOS v6.42rc27 the following feature has been added: realms-raw, a list of strings with hex values. Each string specifies the contents of a "NAI Realm Tuple", excluding the "NAI Realm Data Field Length" field. Each hex-encoded string must consist of the following fields:
- NAI Realm Encoding (1 byte)
- NAI Realm Length (1 byte)
- NAI Realm (variable)
- EAP Method Count (1 byte)
- EAP Method Tuples (variable)
For example, the value "00045465737401020d00" decodes as:
- NAI Realm Encoding: 0 (rfc4282)
- NAI Realm Length: 4
- NAI Realm: Test
- EAP Method Count: 1
- EAP Method Length: 2
- EAP Method Tuple: TLS, no EAP method parameters
Note that setting "realms-raw=00045465737401020d00" produces the same advertisement contents as setting "realms=Test:eap-tls". Refer to 802.11-2016, section 9.4.5.10 for the full NAI Realm encoding.
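The realms-raw layout described above, as an added example that is not MikroTik's code: an encoder and a length-checked decoder for one NAI Realm tuple, which reproduces the page's "00045465737401020d00" value for realm Test with EAP-TLS and rejects truncated strings instead of reading past the end. EAP type numbers are the standard IANA assignments; the "example.com" realm and the authentication parameter used for the round-trip are constructed sample input.

```python
# Added example (not MikroTik code): build and parse the hex strings accepted by
# the realms-raw setting. Layout per the manual: Encoding(1) Length(1) Realm(n)
# Count(1) then, per method, Length(1) EAP-Type(1) ParamCount(1) Params, where
# each parameter is ID(1) Length(1) Value.
from typing import Dict, List, Tuple

EAP_METHOD_TYPES = {"eap-tls": 13, "eap-ttls": 21, "eap-peap": 25}   # IANA EAP types
EAP_METHOD_NAMES = {v: k for k, v in EAP_METHOD_TYPES.items()}
REALM_ENCODING_RFC4282 = 0

Method = Tuple[int, List[Tuple[int, bytes]]]   # (eap_type, [(param_id, value), ...])


def encode_realm(realm: str, methods: List[Method],
                 encoding: int = REALM_ENCODING_RFC4282) -> str:
    """Return the realms-raw hex string for one NAI Realm tuple."""
    realm_bytes = realm.encode("utf-8")
    if len(realm_bytes) > 255 or len(methods) > 255:
        raise ValueError("realm or method list too long for a 1-byte length field")
    out = bytes([encoding, len(realm_bytes)]) + realm_bytes + bytes([len(methods)])
    for eap_type, params in methods:
        body = bytes([eap_type, len(params)])
        for pid, value in params:
            body += bytes([pid, len(value)]) + value
        out += bytes([len(body)]) + body      # length covers type + count + params
    return out.hex()


def decode_realm(hexstr: str) -> Dict:
    """Parse a realms-raw hex string, raising ValueError on truncation or trailing data."""
    data = bytes.fromhex(hexstr)
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated NAI Realm tuple at offset %d" % pos)
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    encoding = take(1)[0]
    realm = take(take(1)[0]).decode("utf-8")
    methods: List[Method] = []
    for _ in range(take(1)[0]):
        body = take(take(1)[0])
        if len(body) < 2:
            raise ValueError("EAP method tuple shorter than type + parameter count")
        eap_type, count, p, params = body[0], body[1], 2, []
        for _ in range(count):
            if p + 2 > len(body) or p + 2 + body[p + 1] > len(body):
                raise ValueError("truncated authentication parameter")
            params.append((body[p], body[p + 2:p + 2 + body[p + 1]]))
            p += 2 + body[p + 1]
        methods.append((eap_type, params))
    if pos != len(data):
        raise ValueError("%d trailing bytes after NAI Realm tuple" % (len(data) - pos))
    return {"encoding": encoding, "realm": realm, "methods": methods}


def describe(hexstr: str) -> str:
    """Render a realms-raw value in the 'realm:method,...' form of the realms setting."""
    parsed = decode_realm(hexstr)
    names = [EAP_METHOD_NAMES.get(t, "eap-type-%d" % t) for t, _ in parsed["methods"]]
    return "%s:%s" % (parsed["realm"], ",".join(names))


if __name__ == "__main__":
    print(encode_realm("Test", [(EAP_METHOD_TYPES["eap-tls"], [])]))   # 00045465737401020d00
    print(describe("00045465737401020d00"))                             # Test:eap-tls
```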