Wireless Client and Wireless Access Point Manual

 

General Information

Summary

The wireless interface operates using IEEE 802.11 set of standards. It uses radio waves as a physical signal carrier and is capable of wireless data transmission with speeds up to 108 Mbps (in 5GHz turbo-mode).

MikroTik RouterOS supports the Intersil Prism II PC/PCI, Atheros AR5000, AR5001X, AR5001X+, AR5002X+, and AR5004X+ chipset based wireless adapter cards for working as wireless clients (station mode), wireless bridges (bridge mode), wireless access points (ap-bridge mode), and for antenna positioning (alignment-only mode). For further information about supported wireless adapters, see Device Driver List

MikroTik RouterOS provides a complete support for IEEE 802.11a, 802.11b and 802.11g wireless networking standards. There are several features implemented for the wireless data communication in RouterOS - WEP (Wired Equivalent Privacy), AES encryption, WDS (Wireless Distribution System), DFS (Dynamic Frequency Selection), Alignment mode (for positioning antennas and monitoring wireless signal), VAP (Virtual Access Point), Fast Frames, disable packet forwarding among clients, and others. You can see the feature list which are supported by various cards.

The nstreme protocol is MikroTik proprietary (i.e., incompatible with other vendors) wireless protocol created to improve point-to-point and point-to-multipoint wireless links. Nstreme2 works with a pair of wireless cards (Atheros AR5210, AR5211, AR5212 and AR5213 MAC chips only) - one for transmitting data and one for receiving.

Benefits of nstreme protocol:

• Client polling
• Very low protocol overhead per frame allowing super-high data rates
• No protocol limits on link distance
• No protocol speed degradation for long link distances
• Dynamic protocol adjustment depending on traffic type and resource usage

Quick Setup Guide

Let's consider that you have a wireless interface, called wlan1.

• To set it as an Access Point, working in 802.11g standard in compatibility mode (i.e., both 802.11b and 802.11g clients are allowed to connect), using frequency 2442 MHz and Service Set Identifier test:

Now your router is ready to accept wireless clients.

• To make a point-to-point connection, using 802.11a standard, frequency 5805 MHz and Service Set Identifier p2p:

The remote interface should be configured to station as showed below.

• To make the wireless interface as a wireless station, working in 802.11a standard and Service Set Identifier p2p:

Specifications

Packages required: wireless
License required: Level4 (station and bridge mode) , Level5 (station, bridge and AP mode)
Submenu level: /interface wireless
Standards and Technologies: IEEE802.11a, IEEE802.11b, IEEE802.11g
Hardware usage: Not significant

Related Documents

• Package Management
• Device Driver List
• IP Addresses and ARP
• Log Management

Description

The Atheros card has been tested for distances up to 20 km providing connection speed up to 17Mbit/s. With appropriate antennas and cabling the maximum distance should be as far as 50 km. Nstreme has no distance limitations.

These values of ack-timeout were approximated from the tests done by us, as well as by some of our customers:

range	ack-timeout
	5GHz	5GHz-turbo	2.4GHz-G
0km	default	default	default
5km	52	30	62
10km	85	48	96
15km	121	67	133
20km	160	89	174
25km	203	111	219
30km	249	137	368
35km	298	168	320
40km	350	190	375
45km	405	-	-

Please note that these are not the precise values. Depending on hardware used and many other factors they may vary up to +/- 15 microseconds.

You can also use a dynamic value - the router will determine the ack-timeout setting automatically.

The nstreme protocol may be operated in three modes:

• Point-to-Point mode - controlled point-to-point mode with one radio on each side
• Dual radio Point-to-Point mode (nstreme2) - the protocol will use two radios on both sides simultaneously (one for transmitting data and one for receiving), allowing superfast point-to-point connection
• Point-to-Multipoint - controlled point-to-multipoint mode with client polling (like AP-controlled TokenRing)

Hardware Notes

The MikroTik RouterOS supports as many Atheros chipset based cards as many free adapter slots are there on your system. One license is valid for all cards on your system. Note that maximal number of PCMCIA sockets is 8.

Some chipsets are not stable with Atheros cards and cause radio to stop working. Via Epia, MikroTik RouterBoard and systems based on Intel i815 and i845 chipsets are tested and work stable with Atheros cards. There might be many other chipsets that are working stable, but it has been reported that some older chipsets, and some systems based on AMD Duron CPU are not stable.

Only AR5212 and newer Atheros MAC chips are stable with RouterBOARD200 connected via RouterBOARD14 four-port MiniPCI-to-PCI adapter. This note only applies to the RouterBOARD200 platform with multiple Atheros-based cards.

 

Wireless Interface Configuration

Submenu level: /interface wireless

Description

In this section we will discuss the most important part of the configuration.

Property Description

802.1x-mode (PEAP-MSCHAPV2 | none; default: none) - whether to use Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 for authentication

ack-timeout (integer | dynamic | indoor) - acknowledgment code timeout (transmission acceptance timeout) in microseconds or one of these:

dynamic - ack-timeout is chosen automatically
indoor - standard constant for indoor environment

antenna-mode (ant-a | ant-b | rxa-txb | txa-rxb; default: ant-a) - which antenna to use for transmit/receive data:

ant-a - use only antenna a
ant-b - use only antenna b
rxa-txb - use antenna a for receiving packets, use antenna b for transmitting packets
txa-rxb - use antenna a for transmitting packets, antenna b for receiving packets

arp - Address Resolution Protocol setting

band - operating band

2.4ghz-b - IEEE 802.11b
2.4ghz-b/g - IEEE 802.11b and IEEE 802.11g
2.4ghz-g-turbo - IEEE 802.11g up to 108 Mbit
2.4ghz-onlyg - IEEE 802.11g
5ghz - IEEE 802.11a up to 54 Mbit
5ghz-turbo - IEEE 802.11a up to 108Mbit

basic-rates-a/g (multiple choice: 6Mbps, 9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps; default: 6Mbps) - basic rates in 802.11a or 802.11g standard (this should be the minimal speed all the wireless network nodes support). It is recommended to leave this as default

basic-rates-b (multiple choice: 1Mbps, 2Mbps, 5.5Mbps, 11Mbps; default: 1Mbps) - basic rates in 802.11b mode (this should be the minimal speed all the wireless network nodes support). It is recommended to leave this as default

burst-time (time; default: disabled) - time in microseconds which will be used to send data without stopping. Note that other wireless cards in that network will not be able to transmit data for burst-time microseconds. This setting is available only for AR5000, AR5001X, and AR5001X+ chipset based cards

default-authentication (yes | no; default: yes) - specifies the default action for clients or APs that are not in access list

yes - enables AP to register a client even if it is not in access list. In turn for client it allows to associate with AP not listed in client's access list

default-forwarding (yes | no; default: yes) - to use data forwarding by default or not. If set to 'no', the registered clients will not be able to communicate with each other

dfs-mode (none | radar-detect | no-radar-detect; default: none) - used for APs to dynamically select frequency at which this AP will operate

none - do not use DFS
no-radar-detect - AP scans channel list from scan-list and chooses the frequency which is with the lowest amount of other networks detected
radar-detect - AP scans channel list from scan-list and chooses the frequency which is with the lowest amount of other networks detected, if no radar is detected in this channel for 60 seconds, the AP starts to operate at this channel, if radar is detected while working in AP mode, the AP continues searching for the next available channel where no radar is detected

disable-running-check (yes | no; default: no) - disable running check. If value is set to 'no', the router determines whether the card is up and running - for AP one or more clients have to be registered to it, for station, it should be connected to an AP. This setting affects the records in the routing table in a way that there will be no route for the card that is not running (the same applies to dynamic routing protocols). If set to 'yes', the interface will always be shown as running

disconnect-timeout (time; default: 3s) - how long after the disconnect to keep the client in the registration table and keep trying to sending packets

fast-frames (yes | no; default: no) - whether to pack smaller packets into a larger one, which makes larger data rates possible

frequency (integer; default: 5120) - operating frequency of the card

hide-ssid (yes | no; default: no) - whether to hide ssid or not in the beacon frames:

yes - ssid is not included in the beacon frames. AP replies only to probe-requests with the given ssid
no - ssid is included in beacon frames. AP replies to probe-requests with the given ssid ant to 'broadcast ssid' (empty ssid)

interface-type (read-only: text) - adapter type and model

mac-address (read-only: MAC address) - MAC address

master-device (name) - physical wireless interface name that will be used by Virtual Access Point (VAP) interface

max-station-count (integer: 1..2007; default: 2007) - maximal number of clients allowed to connect to AP

mode (alignment-only | ap-bridge | bridge | nstreme-dual-slave | station | station-wds | wds-slave; default: station) - operating mode:

alignment-only - this mode is used for positioning antennas (to get the best direction)
ap-bridge - the interface is operating as an Access Point
bridge - the interface is operating as a bridge
nstreme-dual-slave - the interface is used for nstreme-dual mode
station - the interface is operating as a client
station-wds - the interface is working as a station, but can communicate with a WDS peer
wds-slave - the interface is working as it would work in ap-bridge mode, but it adapts to its WDS peer's frequency if it is changed

mtu (integer: 68..1600; default: 1500) - Maximum Transmission Unit

name (name; default: wlanN) - assigned interface name

noise-floor-threshold (integer | default: -128..127; default: default) - noise level threshold in dBm. Below this threshold we agree to transmit

on-failure-retry-time (time; default: 100ms) - in what interval keep trying to send packets in case of failure

prism-cardtype (30mW | 100mW | 200mW) - specify the output of the Prism chipset based card

radio-name (name) - MT proprietary extension for Atheros cards

rate-set (default | configured) - which rate set to use:

default - basic and supported-rates settings are not used, instead default values are used.
configured - basic and supported-rates settings are used as configured

scan-list (multiple choice: integer | default-ism; default: default-ism) - the list of channels to scan

default-ism - for 2.4ghz mode: 2412, 2417, 2422, 2427, 2432, 2437, 2442, 2447, 2452, 2457, 2462, 2467, 2472; for 5ghz mode: 5180, 5200, 5220, 5240, 5260, 5280, 5300, 5320, 5745, 5765, 5785, 5805; for 5ghz-turbo: 5210, 5250, 5290, 5760, 5800

server-certificate - not implemented, yet

ssid (text; default: MikroTik) - Service Set Identifier. Used to separate wireless networks

supported-rates-a/g (multiple choice: 6Mbps, 9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps) - rates to be supported in 802.11a or 802.11g standard

supported-rates-b (multiple choice: 1Mbps, 2Mbps, 5.5Mbps, 11Mbps) - rates to be supported in 802.11b standard

tx-power (integer | default; default: default) - transmit power in dBm

default - default value of the card

update-stats-interval (integer | disabled; default: disabled) - specifies how often the card will ask the remote end for information about connection quality.

default - each time you registration-tabe print command is issued or this information queried via SNMP, the results from last similar action will be returned

wds-default-bridge (name; default: none) - the default bridge for WDS interface. If you use dynamic WDS then it is very useful in cases when wds connection is reset - the newly created dynamic WDS interface will be put in this bridge

wds-ignore-ssid (yes | no; default: no) - if set to 'yes', the AP will create WDS links with any other AP in this frequency. If set to 'no' the ssid values must match on both APs

wds-mode (disabled | dynamic | static) - WDS mode:

disabled - WDS interfaces are disabled
dynamic - WDS interfaces are created 'on the fly'
static - WDS interfaces are created manually

Notes

It is strongly suggested to leave basic rates at the lowest setting possible.

Before it will be possible to manually control

If disable-running-check value is set to no, the router determines whether the network interface is up and running - in order to show flag R for AP, one or more clients have to be registered to it, for station, it should be connected to an AP. If the interface does not appear as running (R), its route in the routing table is shown as invalid! If set to yes, the interface will always be shown as running.

The tx-power default setting is the maximum tx-power that the card can use. If you want to use larger tx-rates, you are able to set them, but do it at your own risk! Usually, you can use this parameter to reduce the tx-power.

You should set tx-power property to an appropriate value as many cards do not have their default setting set to the maximal power it can work on. For the cards MikroTik is selling (5G/ABM), 20dBm (100mW) is the maximal power in 5GHz bands and 18dBm (65mW) is the maximal power in 2.4GHz bands.

For different versions of Atheros chipset there are different value range of ack-timeout property:

Chipset version	5GHz		5GHz-turbo		2GHz-B		2GHz-G
	default	max	default	max	default	max	default	max
5000 (5.2GHz only)	30	204	22	102	N/A	N/A	N/A	N/A
5211 (802.11a/b)	30	409	22	204	109	409	N/A	N/A
5212 (802.11a/b/g)	25	409	22	204	30	409	52	409

If wireless interfaces are put in nstreme-dual-slave mode, all configuration will take place in /interface wireless nstreme-dual submenu described further on. In that case, configuration made in this submenu will be ignored. Also WDS mode can not be used together with the Nstreme-dual

Example

Let us consider an example: a MikroTik router is connected to an AP using Atheros card and the AP is operating in IEEE 802.11b standard with ssid=hotspot.

To see current interface settings:

Set the ssid to hotspot and enable the interface. Use the monitor command to see the connection status.

Monitor from the Access Point:

 

Nstreme Settings

Submenu level: /interface wireless nstreme

Description

You can switch a wireless card to the nstreme mode. In that case the card will work only with nstreme clients.

Property Description

enable-nstreme (yes | no; default: no) - whether to switch the card into the nstreme mode

enable-polling (yes | no; default: yes) - whether to use polling for clients

framer-limit (integer; default: 3200) - maximal frame size

framer-policy (none | best-fit | exact-size | fast-frames | dynamic-size; default: none) - the method how to combine frames (like fast-frames setting in interface configuration). A number of frames may be combined into one bigger one to reduce the amout of protocol overhead (and thus increase speed). The card are not waiting for frames, but in case a number packets are queued for transmitting, they can be combined. There are several methods of framing:

none - do nothing special, do not combine packets
fast-frames - use fast-frame mode of the radio card
best-fit - put as much packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets
exact-size - put as much packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance)
dynamic-size - choose the best frame size dynamically

name (name) - reference name of the interface

Example

To enable the nstreme protocol on the wlan1 radio with exact-size framing:

 

Nstreme2 Group Settings

Submenu level: /interface wireless nstreme-dual

Description

Two radios in nstreme-dual-slave mode can be grouped together to make nstreme2 Point-to-Point connection

Property Description

arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol setting

disable-running-check (yes | no) - whether the interface should always be treated as running even if there is no connection to a remote peer

framer-limit (integer; default: 4000) - maximal frame size

framer-policy (none | best-fit | exact-size; default: none) - the method how to combine frames (like fast-frames setting in interface configuration). A number of frames may be combined into one bigger one to reduce the amout of protocol overhead (and thus increase speed). The card are not waiting for frames, but in case a number packets are queued for transmitting, they can be combined. There are several methods of framing:

none - do nothing special, do not combine packets
best-fit - put as much packets as possible in one frame, until the framer-limit limit is met, but do not fragment packets
exact-size - put as much packets as possible in one frame, until the framer-limit limit is met, even if fragmentation will be needed (best performance)

mac-address (read-only: MAC address) - MAC address of the receiving wireless card in the set

mtu (integer: 0..65536; default: 1500) - Maximum Transmission Unit

name (name) - reference name of the interface

rates-a/g (multiple choice: 6Mbps, 9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps) - rates to be supported in 802.11a or 802.11g standard

rates-b (multiple choice: 1Mbps, 2Mbps, 5.5Mbps, 11Mbps) - rates to be supported in 802.11b standard

remote-mac (MAC address; default: 00:00:00:00:00:00) - which MAC address to connect to (this would be the remote receiver card's MAC address)

rx-band - operating band of the receiving radio

2.4ghz-b - IEEE 802.11b
2.4ghz-g - IEEE 802.11g
2.4ghz-g-turbo - IEEE 802.11g in Atheros proprietary turbo mode (up to 108Mbit)
5ghz - IEEE 802.11a up to 54 Mbit
5ghz-turbo - IEEE 802.11a in Atheros proprietary turbo mode (up to 108Mbit)

rx-frequency (integer; default: 5320) - Frequency to use for receiving frames

rx-radio (name) - which radio should be used for receiving frames

tx-band - operating band of the transmitting radio

2.4ghz-b - IEEE 802.11b
2.4ghz-g - IEEE 802.11g
2.4ghz-g-turbo - IEEE 802.11g in Atheros proprietary turbo mode (up to 108Mbit)
5ghz - IEEE 802.11a up to 54 Mbit
5ghz-turbo - IEEE 802.11a in Atheros proprietary turbo mode (up to 108Mbit)

tx-frequency (integer; default: 5180) - Frequency to use for transmitting frames

tx-radio (name) - which radio should be used for transmitting frames

Notes

WDS can not be used on Nstreme-dual links.

Example

To enable the nstreme2 protocol on a router:

1. Having two Atheros AR5212 based cards which are not used for anything else, to group them into a nstreme interface, switch both of them into nstreme-slave mode:

33. Then add nstreme2 interface with exact-size framing:

36. And configure which card will be receiving, and wich - transmitting

 

Registration Table

Submenu level: /interface wireless registration-table

Description

In the registration table you can see various information about currently connected clients. It is used only for Access Points.

Property Description

ack-timeout (read-only: integer) - acknowledgment code timeout (transmission acceptance timeout) in microseconds or one of these

ap (read-only: no | yes) - whether the connected node is an Access Point or not

bytes (read-only: integer, integer) - number of received and sent bytes

distance (read-only: integer) - the same as ack-timeout

framing-mode (read-only: none | best-fit | exact-size | fast-frames | dynamic-size; default: none) - the method how the frames are combined

interface (read-only: name) - interface that client is registered to

last-activity (read-only: time) - last interface data tx/rx activity

mac-address (read-only: MAC address) - MAC address of the registered client

nstreme (read-only: yes | no) - whether the client uses Nstreme protocol or not

packets (read-only: integer, integer) - number of received and sent packets

radio-name (read-only: name) - MT proprietary extension for Atheros cards

routeros-version (read-only: text) - if the client is a MikroTik router, this value shows its version

rx-ccq (read-only: integer: 0..100) - Client Connection Quality - a value in percent that shows how effective the receive bandwidth is used regarding the theoretically maximum available bandwidth

rx-rate (read-only: integer) - receive data rate

signal-strength (read-only: integer) - signal strength in dBm

tx-ccq (read-only: integer: 0..100) - Client Connection Quality - a value in percent that shows how effective the transmit bandwidth is used regarding the theoretically maximum available bandwidth

tx-rate (read-only: integer) - transmit data rate

tx-signal-strength (read-only: integer) - transmit signal level in dBm

uptime (read-only: time) - time the client is associated with the access point

wds (read-only: yes | no) - whether client uses WDS or not

Example

To see registration table showing all clients currently associated with the access point:

To get additional statistics:

 

Access List

Submenu level: /interface wireless access-list

Description

The access list is used by the Access Point to restrict associations of clients and by clients to restrict associations to a given list of APs. This list contains MAC address of client and associated action to take when client attempts to connect. Also, the forwarding of frames sent by the client is controlled.

The association procedure is as follows: when a new client wants to associate to the AP that is configured on interface wlanN, an entry with client's MAC address and interface wlanN is looked up in the access-list. If such entry is found, action specified in the access list is performed, else default-authentication and default-forwarding arguments of interface wlanN are taken.

Property Description

authentication (yes | no; default: yes) - whether to accept or to reject this client when it tries to connect

forwarding (yes | no; default: yes) - whether to forward the client's frames to other wireless clients

interface (name) - AP interface name

mac-address (MAC address) - MAC address of the client

private-algo (104bit-wep | 40bit-wep | aes-ccm | none) - which encryption algorithm to use

private-key (text; default: "") - private key of the client to use for private-algo

skip-802.1x (yes | no) - not implemented, yet

Notes

If you have default authentication action for the interface set to yes, you can disallow this node to register at the AP's interface wlanN by setting authentication=no for it. Thus, all nodes except this one will be able to register to the interface wlanN.

If you have default authentication action for the interface set to no, you can allow this node to register at the AP's interface wlanN by setting authentication=yes for it. Thus, only the specified nodes will be able to register to the interface wlanN.

Example

To allow authentication and forwarding for the client 00:01:24:70:3A:BB from the wlan1 interface using WEP 40bit algorithm with the key 1234567890:

 

Info

Submenu level: /interface wireless info

Description

This facility provides you with general wireless interface information.

Property Description

2ghz-b-channels (multiple choice, read-only: 2312, 2317, 2322, 2327, 2332, 2337, 2342, 2347, 2352, 2357, 2362, 2367, 2372, 2412, 2417, 2422, 2427, 2432, 2437, 2442, 2447, 2452, 2457, 2462, 2467, 2472, 2484, 2512, 2532, 2552, 2572, 2592, 2612, 2632, 2652, 2672, 2692, 2712, 2732) - the list of 2.4ghz IEEE 802.11b channels (frequencies are given in MHz)

2ghz-g-channels (multiple choice, read-only: 2312, 2317, 2322, 2327, 2332, 2337, 2342, 2347, 2352, 2357, 2362, 2367, 2372, 2412, 2417, 2422, 2427, 2432, 2437, 2442, 2447, 2452, 2457, 2462, 2467, 2472, 2512, 2532, 2552, 2572, 2592, 2612, 2632, 2652, 2672, 2692, 2712, 2732, 2484) - the list of 2.4ghz IEEE 802.11g channels (frequencies are given in MHz)

5ghz-channels (multiple choice, read-only: 4920, 4925, 4930, 4935, 4940, 4945, 4950, 4955, 4960, 4965, 4970, 4975, 4980, 4985, 4990, 4995, 5000, 5005, 5010, 5015, 5020, 5025, 5030, 5035, 5040, 5045, 5050, 5055, 5060, 5065, 5070, 5075, 5080, 5085, 5090, 5095, 5100, 5105, 5110, 5115, 5120, 5125, 5130, 5135, 5140, 5145, 5150, 5155, 5160, 5165, 5170, 5175, 5180, 5185, 5190, 5195, 5200, 5205, 5210, 5215, 5220, 5225, 5230, 5235, 5240, 5245, 5250, 5255, 5260, 5265, 5270, 5275, 5280, 5285, 5290, 5295, 5300, 5305, 5310, 5315, 5320, 5325, 5330, 5335, 5340, 5345, 5350, 5355, 5360, 5365, 5370, 5375, 5380, 5385, 5390, 5395, 5400, 5405, 5410, 5415, 5420, 5425, 5430, 5435, 5440, 5445, 5450, 5455, 5460, 5465, 5470, 5475, 5480, 5485, 5490, 5495, 5500, 5505, 5510, 5515, 5520, 5525, 5530, 5535, 5540, 5545, 5550, 5555, 5560, 5565, 5570, 5575, 5580, 5585, 5590, 5595, 5600, 5605, 5610, 5615, 5620, 5625, 5630, 5635, 5640, 5645, 5650, 5655, 5660, 5665, 5670, 5675, 5680, 5685, 5690, 5695, 5700, 5705, 5710, 5715, 5720, 5725, 5730, 5735, 5740, 5745, 5750, 5755, 5760, 5765, 5770, 5775, 5780, 5785, 5790, 5795, 5800, 5805, 5810, 5815, 5820, 5825, 5830, 5835, 5840, 5845, 5850, 5855, 5860, 5865, 5870, 5875, 5880, 5885, 5890, 5895, 5900, 5905, 5910, 5915, 5920, 5925, 5930, 5935, 5940, 5945, 5950, 5955, 5960, 5965, 5970, 5975, 5980, 5985, 5990, 5995, 6000, 6005, 6010, 6015, 6020, 6025, 6030, 6035, 6040, 6045, 6050, 6055, 6060, 6065, 6070, 6075, 6080, 6085, 6090, 6095, 6100) - the list of 5ghz channels (frequencies are given in MHz)

5ghz-turbo-channels (multiple choice, read-only: 4920, 4925, 4930, 4935, 4940, 4945, 4950, 4955, 4960, 4965, 4970, 4975, 4980, 4985, 4990, 4995, 5000, 5005, 5010, 5015, 5020, 5025, 5030, 5035, 5040, 5045, 5050, 5055, 5060, 5065, 5070, 5075, 5080, 5085, 5090, 5095, 5100, 5105, 5110, 5115, 5120, 5125, 5130, 5135, 5140, 5145, 5150, 5155, 5160, 5165, 5170, 5175, 5180, 5185, 5190, 5195, 5200, 5205, 5210, 5215, 5220, 5225, 5230, 5235, 5240, 5245, 5250, 5255, 5260, 5265, 5270, 5275, 5280, 5285, 5290, 5295, 5300, 5305, 5310, 5315, 5320, 5325, 5330, 5335, 5340, 5345, 5350, 5355, 5360, 5365, 5370, 5375, 5380, 5385, 5390, 5395, 5400, 5405, 5410, 5415, 5420, 5425, 5430, 5435, 5440, 5445, 5450, 5455, 5460, 5465, 5470, 5475, 5480, 5485, 5490, 5495, 5500, 5505, 5510, 5515, 5520, 5525, 5530, 5535, 5540, 5545, 5550, 5555, 5560, 5565, 5570, 5575, 5580, 5585, 5590, 5595, 5600, 5605, 5610, 5615, 5620, 5625, 5630, 5635, 5640, 5645, 5650, 5655, 5660, 5665, 5670, 5675, 5680, 5685, 5690, 5695, 5700, 5705, 5710, 5715, 5720, 5725, 5730, 5735, 5740, 5745, 5750, 5755, 5760, 5765, 5770, 5775, 5780, 5785, 5790, 5795, 5800, 5805, 5810, 5815, 5820, 5825, 5830, 5835, 5840, 5845, 5850, 5855, 5860, 5865, 5870, 5875, 5880, 5885, 5890, 5895, 5900, 5905, 5910, 5915, 5920, 5925, 5930, 5935, 5940, 5945, 5950, 5955, 5960, 5965, 5970, 5975, 5980, 5985, 5990, 5995, 6000, 6005, 6010, 6015, 6020, 6025, 6030, 6035, 6040, 6045, 6050, 6055, 6060, 6065, 6070, 6075, 6080, 6085, 6090, 6095, 6100) - the list of 5ghz-turbo channels (frequencies are given in MHz)

ack-timeout-control (read-only: yes | no) - provides information whether this device supports transmission acceptance timeout control

alignment-mode (read-only: yes | no) - is the alignment-only mode supported by this interface

burst-support (yes | no) - whether the interface supports data bursts (burst-time)

firmware (read-only: text) - current firmware of the interface (used only for Prism chipset based cards)

interface-type (read-only: text) - shows the hardware interface type

noise-floor-control (read-only: yes | no) - does this interface support noise-floor-thershold detection

scan-support (yes | no) - whether the interface supports scan function ('/interface wireless scan')

supported-bands (multiple choice, read-only: 2ghz-b | 2ghz-g | 5ghz | 5ghz-turbo) - the list of supported bands

tx-power-control (read-only: yes | no) - provides information whether this device supports transmission power control

virtual-aps (read-only: yes | no) - whether this interface supports Virtual Access Points ('/interface wireless add')

Notes

There is a special argument for the print command - print count-only. It forces the print command to print only the count of information topics.

In RouterOS v2.8 and above /interface wireless info print command shows only channels supported by particular card. This behaviour differs from one in v2.7, where wireless info print command showed all channels, even those not supported by particular card.

Example

 

Virtual Access Point Interface

Submenu level: /interface wireless

Description

Virtual Access Point (VAP) interface is used to have an additional AP. You can create a new AP with different ssid. It can be compared with a VLAN where the ssid from VAP is the VLAN tag and the hardware interface is the VLAN switch.

Note that you cannot use the Virtual Access Point on Prism based cards!

Property Description

802.1x-mode (PEAP-MSCHAPV2 | none) - to use Protected Extensible Authentication Protocol Microsoft Challenge Handshake Authentication Protocol version 2 for authentication

arp (disabled | enabled | proxy-arp | reply-only) - ARP mode

default-authentication (yes | no; default: yes) - whether to accept or reject a client that wants to associate, but is not in the access-list

default-forwarding (yes | no; default: yes) - whether to forward frames to other AP clients or not

disabled (yes | no; default: yes) - whether to disable the interface or not

disable-running-check (yes | no; default: no) - disable running check. For 'broken' cards it is a good idea to set this value to 'yes'

hide-ssid (yes | no; default: no) - whether to hide ssid or not in the beacon frames:

yes - ssid is not included in the beacon frames. AP replies only to probe-requests with the given ssid
no - ssid is included in beacon frames. AP replies to probe-requests with the given ssid and to 'broadcast ssid'

mac-address (read-only: MAC address; default: 00:00:00:00:00:00) - MAC address of VAP. Is assigned automatically when the field master interface is set

master-interface (name) - hardware interface to use for VAP

max-station-count (integer; default: 2007) - number of clients that can connect to this AP simultaneously

mtu (integer: 68..1600; default: 1500) - Maximum Transmission Unit

name (name; default: wlanN) - interface name

ssid (text; default: MikroTik) - the service set identifier

Notes

You can create a VAP only in the same frequency an the same band as specified in the master-interface

Example

Add a VAP:

Now you can connect cliets to 8AP with ssid=VAP1

 

WDS Interface Configuration

Submenu level: /interface wireless wds

Description

WDS (Wireless Distribution System) allows packets to pass from one wireless AP (Access Point) to another, just as if the APs were ports on a wired Ethernet switch. APs must use the same standard (802.11a, 802.11b or 802.11g) and work on the same frequencies in order to connect to each other.

There are two possibilities to create a WDS interface:

• dynamic - is created 'on the fly' and appers under wds menu as a dynamic interface
• static - is created manually

Property Description

arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol

disabled - the interface will not use ARP
enabled - the interface will use ARP
proxy-arp - the interface will use the ARP proxy feature
reply-only - the interface will only reply to the requests originated to its own IP addresses. Neighbour MAC addresses will be resolved using /ip arp statically set table only

disable-running-check (yes | no; default: no) - disable running check. For 'broken' wireless cards it is a good idea to set this value to 'yes'

mac-address (MAC address; default: 00:00:00:00:00:00) - MAC address of the master-interface. Specifying master-interface, this value will be set automatically

master-interface (name) - wireless interface which will be used by WDS

mtu (integer: 0..65336; default: 1500) - Maximum Transmission Unit

name (name; default: wdsN) - WDS interface name

wds-address (MAC address) - MAC address of the remote WDS host

Notes

When the link between WDS devices, using wds-mode=dynamic, goes down, the dynamic WDS interfaces disappear and if there are any IP addresses set on this interface, their 'interface' setting will change to (unknown). When the link comes up again, the 'interface' value will not change - it will remain as (unknown). That's why it is not recommended to add IP addresses to dynamic WDS interfaces.

If you want to use dynamic WDS in a bridge, set the wds-default-bridge value to desired bridge interface name. When the link will go down and then it comes up, the dynamic WDS interface will be put in the specified bridge automatically.

As the routers which are in WDS mode have to communicate at equal frequencies, it is not recommended to use WDS and DFS simultaneously - it is most probable that these routers will not connect to each other.

WDS can not be used on Nstreme-dual links.

Example

 

Align

Submenu level: /interface wireless align

Description

This feature is created to position wireless links. The align submenu describes properties which are used if /interface wireless mode is set to alignment-only. In this mode the interface 'listens' to those packets which are sent to it from other devices working on the same channel. The interface also can send special packets which contains information about its parameters.

Property Description

active-mode (yes | no; default: yes) - whether the interface will receive and transmit 'alignment' packets or it will only receive them

audio-max (integer; default: 64) - signal-strength at which audio (beeper) frequency will be the highest

audio-min (integer; default: 0) - signal-strength at which audio (beeper) frequency will be the lowest

audio-monitor (MAC address; default: 00:00:00:00:00:00) - MAC address of the remote host which will be 'listened'

filter-mac (MAC address; default: 00:00:00:00:00:00) - in case if you want to receive packets from only one remote host, you should specify here its MAC address

frame-size (integer: 200..1500; default: 300) - size of 'alignment' packets that will be transmitted

frames-per-second (integer: 1..100; default: 25) - number of frames that will be sent per second (in active-mode)

receive-all (yes | no; default: no) - whether the interface gathers packets about other 802.11 standard packets or it will gather only 'alignment' packets

ssid-all (yes | no; default: no) - whether you want to accept packets from hosts with other ssid than yours

test-audio (integer) - test the beeper for 10 seconds

Notes

If you are using the command /interface wireless align monitor then it will automatically change the wireless interface's mode from station, bridge or ap-bridge to alignment-only.

Example

 

Align Monitor

Command name: /interface wireless align monitor

Description

This command is used to monitor current signal parameters to/from a remote host.

Property Description

address (read-only: MAC address) - MAC address of the remote host

avg-rxq (read-only: integer) - average signal strength of received packets since last display update on screen

correct (read-only: percentage) - how many undamaged packets were received

last-rx (read-only: time) - time in seconds before the last packet was received

last-tx (read-only: time) - time in seconds when the last TXQ info was received

rxq (read-only: integer) - signal strength of last received packet

ssid (read-only: text) - service set identifier

txq (read-only: integer) - the last received signal strength from our host to the remote one

Example

 

Network Scan

Description

This is a feature that allows you to scan all avaliable wireless networks. While scanning, the card unregisters itself from the access point (in station mode), or unregisters all clients (in bridge or ap-bridge mode). Thus, network connections are lost while scanning.

Property Description

(name) - interface name to use for scanning

address (read-only: MAC address) - MAC address of the AP

band (read-only: text) - in which standard does the AP operate

bss (read-only: yes | no) - basic service set

freq (read-only: integer) - the frequency of AP

privacy (read-only: yes | no) - whether all data is encrypted or not

refresh-interval (time; default: 1s) - time in seconds to refresh the displayed data

signal-strength (read-only: integer) - signal strength in dBm

ssid (read-only: text) - service set identifier of the AP

Example

 

Wireless Security

Description

This section provides the WEP (Wired Equivalent Privacy) functions to wireless interfaces.

Note that Prism card doesn't report that the use of WEP is required for all data type frames, which means that some clients will not see that access point uses encryption and will not be able to connect to such AP. This is a Prism hardware problem and can not be fixed. Use Atheros-based cards (instead of Prism) on APs if you want to provide WEP in your wireless network.

Property Description

algo-0 (40bit-wep | 104bit-wep | aes-ccm | none; default: none) - which encryption algorithm to use:

40bit-wep - use the 40bit encryption (also known as 64bit-wep) and accept only these packets
104bit-wep - use the 104bit encryption (also known as 128bit-wep) and accept only these packets
aes-ccm - use the AES (Advanced Encryption Standard) with CCM (Counter with CBC-MAC) encryption and accept only these packets
none - do not use encryption and do not accept encrypted packets

algo-1 (40bit-wep | 104bit-wep | aes-ccm | none; default: none) - which encryption algorithm to use:

40bit-wep - use the 40bit encryption (also known as 64bit-wep) and accept only these packets
104bit-wep - use the 104bit encryption (also known as 128bit-wep) and accept only these packets
aes-ccm - use the AES (Advanced Encryption Standard) with CCM (Counter with CBC-MAC) encryption and accept only these packets
none - do not use encryption and do not accept encrypted packets

algo-2 (40bit-wep | 104bit-wep | aes-ccm | none; default: none) - which encryption algorithm to use:

40bit-wep - use the 40bit encryption (also known as 64bit-wep) and accept only these packets
104bit-wep - use the 104bit encryption (also known as 128bit-wep) and accept only these packets
aes-ccm - use the AES (Advanced Encryption Standard) with CCM (Counter with CBC-MAC) encryption and accept only these packets
none - do not use encryption and do not accept encrypted packets

algo-3 (40bit-wep | 104bit-wep | aes-ccm | none; default: none) - which encryption algorithm to use:

40bit-wep - use the 40bit encryption (also known as 64bit-wep) and accept only these packets
104bit-wep - use the 104bit encryption (also known as 128bit-wep) and accept only these packets
aes-ccm - use the AES (Advanced Encryption Standard) with CCM (Counter with CBC-MAC) encryption and accept only these packets
none - do not use encryption and do not accept encrypted packets

key-0 (text) - hexadecimal key which will be used to encrypt packets with the 40bit-wep, 104bit-wep or aes-ccm algorithm (algo-0)

key-1 (text) - hexadecimal key which will be used to encrypt packets with the 40bit-wep, 104bit-wep or aes-ccm algorithm (algo-0)

key-2 (text) - hexadecimal key which will be used to encrypt packets with the 40bit-wep, 104bit-wep or aes-ccm algorithm (algo-0)

key-3 (text) - hexadecimal key which will be used to encrypt packets with the 40bit-wep, 104bit-wep or aes-ccm algorithm (algo-0)

radius-mac-authentication (no | yes; default: no) - whether to use Radius server MAC authentication

security (none | optional | required; default: none) - security level:

none - do not encrypt packets and do not accept encrypted packets
optional - if there is a sta-private-key set, use it. Otherwise, if the ap-bridge mode is set - do not use encryption, if the mode is station, use encryption if the transmit-key is set
required - encrypt all packets and accept only encrypted packets

sta-private-algo (40bit-wep | 104bit-wep | aes-ccm | none) - algorithm to use if the sta-private-key is set. Used to commumicate between 2 devices

sta-private-key (text) - if this key is set in station mode, use this key for encryption. In ap-bridge mode you have to specify private keys in the access-list or use the Radius server using radius-mac-authentication. Used to commumicate between 2 devices

transmit-key (key-0 | key-1 | key-2 | key-3; default: key-0) - which key to use for broadcast packets. Used in AP mode

Notes

The keys used for encryption are in hexadecimal form. If you use 40bit-wep, the key has to be 10 characters long, if you use 104bit-wep, the key has to be 26 characters long, aes-ccm key should contain 32 hexadecimal characters.

 

Wireless Aplication Examples

AP to Client Configuration Example

You need Level5 license to enable the AP mode. To make the MikroTik router to work as an access point, the configuration of the wireless interface should be as follows:

• A unique Service Set Identifier should be chosen, say "test1"
• A frequency should be selected for the link, say 5180MHz
• The operation mode should be set to ap-bridge

The following command should be issued to change the settings for the wireless AP interface:

Then we need to configure the wireless client interface:

Now we can monitor our connection from the AP:

... and from the client:

WDS Configuration Example

WDS (Wireless Distribution System) makes it able to connect APs to each other with the same ssid and share the same network. On one physical wireless interface you can create multiple WDS interfaces which will connect to other APs.

This is just a simple example how to get a connection between APs using WDS. Afterwards you can bridge it with the wireless and/or ethernet interface.

Let us consider the following example:

Router Home

• ssid = wds-test
• IP Address = 192.168.0.2
• Network Mask = 255.255.255.0

Router Neighbour

• ssid = wds-test
• IP Address = 192.168.0.1
• Network Mask = 255.255.255.0

Router Home configuration.

At first we should configure the wireless interface for router Home:

We should add and configure a WDS interface. Note that the value of wds-address is the remote wds host's wireless interface MAC address (to which we will connect to):

Add the IP address to the WDS interface:

Router Neighbour configuration.

At first we should configure the wireless interface for router Neighbour:

Now the WDS interface configuration:

Add the IP address:

And now you can check whether the WDS link works:

Wireless Security Example

Let us consider that we want to secure all data for all wireless clients that are connecting to our AP.

At first, add addresses to the wireless interfaces.

On the AP:

And on the client:

On the AP set the security to required and choose which encryption algorithm to use:

On the client side do the same:

Finally, test the link:

 

Troubleshooting

Description

• If I use WDS and DFS, the routers do not connect to each other!

As the WDS routers must operate at the same frequency, it is very probable that DFS will not select the frequency that is used by the peer router.

• MikroTik RouterOS does not send any traffic through Cisco Wireless Access Point or Wireless Bridge

If you use CISCO/Aironet Wireless Ethernet Bridge or Access Point, you should set the Configuration/Radio/I80211/Extended (Allow proprietary extensions) to off, and the Configuration/Radio/I80211/Extended/Encapsulation (Default encapsulation method) to RFC1042. If left to the default on and 802.1H, respectively, you won't be able to pass traffic through the bridge.