
Comparison of Mikrotik wAP and wAP ac access points. Configuring CAPsMAN on MikroTik (seamless roaming) How many connections does mikrotik wap support

We will consider the case where the wireless networks are configured on a separate router acting as an access point: only the wireless networks are configured on it, and it is connected to the main router, on which the local network is already configured and which serves as the gateway to the Internet. The console section shows the configuration from scratch. The Wi-Fi network settings match those discussed in the previous examples and are repeated here for this configuration.

Main configuration features:




Through the graphical interface

Setting up a Wi-Fi access point on the MikroTik device - Screenshot 1

Setting up a Wi-Fi access point on the MikroTik device - Screenshot 2

Setting up a Wi-Fi access point on the MikroTik device - Screenshot 3

Setting up a Wi-Fi access point on the MikroTik device - Screenshot 4

Setting up a Wi-Fi access point on the MikroTik device - Screenshot 5

Through the console

/interface bridge
add mtu=1500 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-LAN1-master
set [ find default-name=ether2 ] master-port=ether1-LAN1-master name=ether2-LAN1
set [ find default-name=ether3 ] master-port=ether1-LAN1-master name=ether3-LAN1
set [ find default-name=ether4 ] master-port=ether1-LAN1-master name=ether4-LAN1
set [ find default-name=ether5 ] master-port=ether1-LAN1-master name=ether5-LAN1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=profile_local_wi-fi supplicant-identity="" wpa2-pre-shared-key="Pass66word!"
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=profile_guest_wi-fi supplicant-identity="" wpa2-pre-shared-key="Pass55word!"
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-b/g/n channel-width=20/40mhz-Ce country=russia disabled=no distance=indoors frequency=auto frequency-mode=regulatory-domain hw-protection-mode=rts-cts mode=ap-bridge noise-floor-threshold=-100 security-profile=profile_local_wi-fi ssid=Main wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add disabled=no mac-address=00:00:00:00:00:00 master-interface=wlan1 name="Guest Wi-Fi" security-profile=profile_guest_wi-fi ssid=Guest wds-cost-range=0 wds-default-cost=0 wmm-support=enabled wps-mode=disabled
/ip pool
add name=dhcp_pool_local ranges=172.16.18.101-172.16.18.150
add name=dhcp_pool_guest ranges=10.11.12.101-10.11.12.150
/ip dhcp-server
add address-pool=dhcp_pool_guest disabled=no interface="Guest Wi-Fi" lease-time=12h name=dhcp_guest
/interface bridge port
add bridge=bridge-local interface=ether1-LAN1-master
add bridge=bridge-local interface=wlan1
/ip address
add address=172.16.18.5/24 interface=bridge-local network=172.16.18.0
add address=10.11.12.1/24 interface="Guest Wi-Fi" network=10.11.12.0
/ip dhcp-server network
add address=10.11.12.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.11.12.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter
add action=drop chain=forward comment="Deny guest requests" connection-state=new dst-address=172.16.18.0/24 src-address=10.11.12.0/24
add action=drop chain=forward comment="Deny guest requests" connection-state=new dst-address=10.11.12.0/24 src-address=172.16.18.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge-local src-address=10.11.12.0/24
/ip route
add distance=1 gateway=172.16.18.1
/system identity
set name="AIR1"

Examination

When connected to the network with SSID Main, you should have access to both the Internet and the LAN. When connected to the network with SSID Guest, you should have access to the Internet only.
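A small configuration auditor, added here as an example and not part of the original article or of RouterOS: it parses an export in the format shown above into sections and key/value pairs, then checks the wireless part against the advice given on this page (WPA2 only, no TKIP, WPS disabled, no client-to-client forwarding on the guest SSID). The export text inside it is a constructed sample modelled on the one above, with placeholder keys and a deliberately weakened guest profile so that the checks have something to report; the "guest" name heuristic is an assumption of the example.

```python
"""Added example (not from the original article): audit a RouterOS export
for the wireless weaknesses this page tells the reader to avoid."""

import re
import shlex
from collections import defaultdict

# Constructed sample modelled on the export above; keys are placeholders and
# the guest profile is deliberately weakened (WPA1 + TKIP, WPS left at default).
SAMPLE_EXPORT = """
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=profile_local_wi-fi wpa2-pre-shared-key=PLACEHOLDER_1
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile_guest_wi-fi unicast-ciphers=tkip,aes-ccm wpa2-pre-shared-key=PLACEHOLDER_2
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge security-profile=profile_local_wi-fi ssid=Main wps-mode=disabled
add master-interface=wlan1 name="Guest Wi-Fi" security-profile=profile_guest_wi-fi ssid=Guest
"""

# WPA1 authentication types; the article says to forget WPA/TKIP for good.
WEAK_AUTH = {"wpa-psk", "wpa-eap"}


def parse_export(text):
    """Return {section path: [(verb, {key: value}), ...]}.

    "[ find ... ]" selectors are dropped; shlex keeps quoted values such as
    name="Guest Wi-Fi" together as one token.
    """
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = re.sub(r"\[.*?\]", "", raw).strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            continue
        tokens = shlex.split(line)
        params = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            params[key] = value
        sections[current].append((tokens[0], params))
    return sections


def audit(sections):
    """Return a list of human-readable findings (empty list = nothing found)."""
    findings = []
    for verb, p in sections.get("/interface wireless security-profiles", []):
        name = p.get("name", "default")
        # "set" on the default profile carries no mode; check only profiles added by the user
        if verb == "add" and p.get("mode", "none") != "dynamic-keys":
            findings.append(f"profile {name}: mode is not dynamic-keys (open network)")
        auth = set(filter(None, p.get("authentication-types", "").split(",")))
        if auth & WEAK_AUTH:
            findings.append(f"profile {name}: allows WPA1 ({','.join(sorted(auth & WEAK_AUTH))})")
        for key in ("unicast-ciphers", "group-ciphers"):
            # RouterOS defaults both cipher lists to aes-ccm when the key is absent
            if "tkip" in p.get(key, "aes-ccm").split(","):
                findings.append(f"profile {name}: TKIP enabled in {key}")
    for verb, p in sections.get("/interface wireless", []):
        label = p.get("name") or p.get("ssid", "wlan")
        # wps-mode defaults to push-button, so an absent key counts as enabled
        if p.get("wps-mode", "push-button") != "disabled":
            findings.append(f"interface {label}: WPS not disabled")
        if p.get("security-profile", "default") == "default":
            findings.append(f"interface {label}: uses the default security profile")
        # heuristic (assumption of this example): an SSID or name containing "guest" is public
        is_guest = "guest" in (p.get("ssid", "") + p.get("name", "")).lower()
        if is_guest and p.get("default-forwarding", "yes") != "no":
            findings.append(f"interface {label}: guest SSID forwards client-to-client traffic (set default-forwarding=no)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

To run it against a real device, paste the output of `/export` from the terminal into a file and read that file instead of SAMPLE_EXPORT; an empty result means none of the checks fired.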

You can learn to work with MikroTik using the video course "". In addition to all the topics of the official MikroTik MTCNA program, the course contains a lot of additional material. It combines a theoretical part with practice: configuring a router according to a technical specification. The course is supported by its author Dmitry Skoromnov, an official MikroTik trainer (TR0680) and the author of this Wiki.
Useful materials on the MikroTik topic:
* : model, article number, processor information (architecture, frequency, number of cores), license level, amount of RAM and ROM, availability of Wi-Fi modules in different bands and the gain of the built-in antennas, and much more. In total there are more than 30 parameters for each of the 151 devices in the list.


The number of wireless devices is growing rapidly, constantly raising the requirements for network bandwidth and coverage.

There are now enough solutions on the market to create a large wireless network both in a small private house and in a large country cottage, starting with Luma, Eero, and ending with and.

Some solutions are distinguished by simple setup and a high price, while others offer great capabilities but require a solid background to configure. In particular, this concerns Mikrotik products, which combine high reliability, rich functionality and a quite affordable price. At the same time, Mikrotik settings are hard for the vast majority of home users to understand, which raises the barrier to entry and greatly limits the real use of Mikrotik-based systems at home.

Despite this disadvantage, once you have set up Mikrotik you can forget about it for months or even years. Mikrotik equipment can run for six months or more without a reboot, saving even more time and nerves.

As part of this publication, we will show and tell you how to create and configure a reliable network based on Mikrotik with excellent wireless coverage for a large apartment, private house or small office with a minimum amount of wires.

Router selection

To build a high-performance network, the hEX PoE router (model RB960PGS) is well suited. Its SFP slot allows connecting to an Internet provider over optics; in addition, the device has 5 gigabit interfaces.

If SFP is not used, the Internet can be connected to the first RJ-45 network interface, which also supports PoE In. The remaining 4 interfaces support PoE Out, which allows powering several access points from them, but no more than 4.

In practice a wired network is almost always present, so at least one port will have to be given to the wired LAN, leaving 3 PoE ports in total, which is enough for a medium-sized private house.

If you intend to use it at home, any gigabit switch of any brand will do to expand the wired network. If you plan to use VLANs and other exotic things, you need a managed switch, or at least an Easy-Smart one; we advise paying attention to a managed switch.

If you need to power more than 3 access points, you can buy a managed switch with PoE -. Note that an additional PoE switch is only justified if you power 2-4 additional access points from it. Otherwise, buying a switch to power a single point is a waste of money.

For 100 Mbps networks, more affordable models of PoE routers are suitable:

It is not necessary to buy devices with PoE support, but then you will have to assemble a small communication box and place all the injectors and adapters in it.

Selecting access points

In the case of access points, the choice is much wider. Below we have selected the most interesting offers, and they are sorted in ascending order of price.

Please note that the Groove 52 (RBGroove52HPn) model will not work, because it comes with a Level 3 license, which does not allow AP mode.

You are probably wondering what hAP ac lite is doing in this table. It's simple. First, it supports PoE, so it can be powered remotely. Second, the router can be wall-mounted. Third, of course, it supports 802.11ac, and the price is only 45 USD.

Thanks to this combination, it can be used as a dual-band access point with the functionality of an additional switch. The only limitation is the 100 Mbps speed of its network interfaces.

The GrooveA 52 point is highlighted separately because it has a powerful radio module and is suitable for outdoor use when a very large area needs to be covered. Please note that the device can only operate in one band at a time, either 2.4 GHz or 5 GHz. The band is selected manually in the control panel.

OmniTIK and Metal are also absent from the table because of their price/performance ratio; these solutions are better suited to commercial networks.

The best options for building a network at home are -, and. Moreover, wAP and wAP ac can be used outdoors.

The older wAP ac model has a gigabit network interface for high bandwidth and supports simultaneous dual-band operation with channel rates of 300 and 1300 Mbps in the 2.4 and 5 GHz bands, respectively.

Using wAP and wAP ac together with a hEX PoE router as the example, we will look at building a home wireless network.

Connecting and configuring the gateway

hEX PoE will act as the main router providing clients with Internet access. As usual, the gateway will issue IP addresses to the other devices, while the DHCP server on the access points themselves will be disabled.

We connect the device and log into the control panel.

The configuration process will be shown using the default settings as the starting point, to keep it as simple as possible for novice Mikrotik users.

The standard configuration suits us; the only things to configure are the type of connection to the provider's network and the choice of the ETH1 (twisted pair) or SFP (optics) port.

For convenience, we change the device IP and local network settings to the more familiar 192.168.0.1/24.

Note that we deliberately moved the DHCP pool to the upper part of the range; this is not necessary at all. Personally, I find it easier to use static addresses and MAC:IP bindings in the lower part and hand out IPs to other clients from the "upper" part.

Be sure to change the device name; in our case it will be "GATEWAY". Later, with a large number of devices, it is much easier to navigate by name than by IP.

Apply the settings. After that Winbox will lose the connection; on some PCs you will need to re-plug the cable so that the network adapter obtains a new IP.

It is good practice to go to IP - DHCP Server - Networks and manually add the IP of our router as the DNS server for clients that receive settings via DHCP. Mikrotik has its own DNS functionality, so using the provider's DNS on clients makes no sense.

By the way, you can specify an NTP server there as well; it is easy to run one on the Mikrotik itself. If time.windows.com is pointed at the MikroTik's IP in static DNS records, Windows machines will get accurate time from the main gateway without any extra settings. Read more in a separate publication (link above).

Don't forget to update the gateway to the latest RouterOS version; in our case this is an update from 6.36.1 to 6.38.1. The device will reboot to apply the update.

The general configuration of the gateway is now complete. Creating a new user, changing the password, disabling unnecessary services and other Mikrotik hardening settings are a topic for a separate publication, so we will not dwell on them here.

At this point, you can connect the access points to the router.

Connecting Access Points to a Router

Both points will be powered by PoE from the main router. This allows us to reboot the devices remotely by power-cycling the PoE port, as well as get rid of unnecessary wires.

In practice it is better to connect the points one at a time, since all wAPs come with an open wireless network and the default password.

We will connect both points at once, because for an experienced user the process takes only a couple of minutes.

The ordinary Mikrotik wAP access point received PoE power without any problems, but for the wAP ac I had to select the "forced on" PoE mode in the port settings. More about priorities and PoE Out configuration in general can be read in.

As you can see, in idle mode the wAP draws only 1.1 W, and its older brother, the wAP ac, 3.3 W.

In the IP - DHCP Server - Leases section, you can make sure that both access points have received an IP address.

We proceed to the next stage of configuration.

Mikrotik wAP connection

Both wAPs are configured by connecting to the access point's open wireless network. A netbook, laptop or PC with a wireless adapter will do for this; in our case it will be a netbook.

As you can see, the netbook has successfully detected all 3 networks. Why three and not two? Because the wAP ac has one network at 2.4 GHz and a second one at 5 GHz.

MikroTik-5EDCC7 is our Mikrotik wAP; the MikroTik-7D550D and MikroTik-7D550E networks belong to the Mikrotik wAP ac, which is easy to tell from the network names (they differ only in the last character).

We'll start with the simpler point: it is faster and will help you understand how to configure the dual-band point.

After connecting to the MikroTik-5EDCC7 wireless network, Winbox detects a device with the standard IP 192.168.88.1.

We accept the standard configuration. As you can see, the device operates in routing mode, which is why it is not possible to connect to it over the cable.

Switch the point to bridge mode (Bridge = bridge); this makes the device completely transparent. Set the "Address Acquisition" option to "Automatic", i.e. the device will obtain an IP from a DHCP server. If you wish, you can use a static IP, but more on that later; we will do it in a slightly different way.

"Address Source" should be set to "Any"; otherwise, if you choose the seemingly logical "Ethernet", the device will end up with IP 0.0.0.0 and you simply will not be able to connect to it. If everything is done correctly, the device will receive its network settings.

As before, we change the name of the device.

Mikrotik wAP ac connection

We repeat all the above steps for a new point, as well as for each subsequent point that will be added to the network.

If everything is done correctly, all three devices will be visible in Winbox.

And, of course, do not forget to update RouterOS on all devices on the network.

Configuring a wireless network in Mikrotik wAP

First, let's configure the wAP access point.

In the Wireless - Interfaces section, open the properties of the wireless interface.

Personally, I am a supporter of "Advanced Mode", if the number of options scares you - you can use "Simple Mode". Switching between modes is carried out at any time in the right part of the settings window.

In the current window we are interested in "Freq. Usage...". After clicking this button, a new window opens in which you should click "Start". The system will start scanning the channels and you can see channel usage in real time.

As you can see, 2442-2452 MHz is in use, so it is best to work in the 2412-2432 MHz range. Keep in mind that when using wide 40 MHz channels, the number of non-overlapping channels is equal to 3.

When configuring the wireless interface, I prefer to explicitly set 2GHz-only-N, which enables only the 802.11n mode. If you have old devices without support for the newer standard, use mixed modes.

Set the channel width to "20/40 Ce"; you can also specify "20/40 eC". The eC and Ce suffix indicates in which direction the channel is extended relative to the primary channel: eC extends downward, Ce upward. Thus, if you choose the first channel, it can only be extended upward; for the last channel the situation is the opposite, it can only be extended downward.
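The channel arithmetic behind the Ce/eC rule, as an added example (not from the article): channel centre frequencies, which 40 MHz extension each channel permits, and which channels stay clear of the occupied ones reported by a Freq. Usage scan. The occupied frequencies in the block are a constructed sample matching the 2442-2452 MHz scan described above; the function names are the example's own.

```python
"""Added example (not from the original article): 2.4 GHz channel planning.

In the ETSI regulatory domain (country=ukraine) channel n (1..13) is
centred on 2407 + 5*n MHz and occupies 20 MHz.  A 40 MHz channel adds a
second 20 MHz block above ("Ce") or below ("eC") the primary; that block
must still fit inside the band, which is why channel 1 can only be
extended upward and channel 13 only downward."""

ETSI_CHANNELS = list(range(1, 14))   # channels 1..13 (ETSI / Ukraine)


def center_mhz(channel):
    """Centre frequency of a 2.4 GHz channel in MHz."""
    return 2407 + 5 * channel


def channel_from_mhz(freq_mhz):
    """Inverse of center_mhz for the frequencies RouterOS shows in Freq. Usage."""
    return (freq_mhz - 2407) // 5


def extension_options(channel):
    """Possible 40 MHz extensions: the secondary channel sits 4 channels
    (20 MHz) above (Ce) or below (eC) the primary and must be in the band."""
    options = []
    if channel + 4 in ETSI_CHANNELS:
        options.append("Ce")
    if channel - 4 in ETSI_CHANNELS:
        options.append("eC")
    return options


def span_mhz(channel, extension=None):
    """(low, high) edge frequencies occupied by the channel, optionally widened."""
    c = center_mhz(channel)
    if extension is None:
        return (c - 10, c + 10)
    if extension == "Ce":
        return (c - 10, c + 30)
    if extension == "eC":
        return (c - 30, c + 10)
    raise ValueError(f"unknown extension {extension!r}")


def free_channels(busy_center_mhz, extension=None):
    """Channels whose span does not overlap any busy 20 MHz channel from the scan."""
    busy = [span_mhz(channel_from_mhz(f)) for f in busy_center_mhz]
    free = []
    for ch in ETSI_CHANNELS:
        if extension and extension not in extension_options(ch):
            continue
        lo, hi = span_mhz(ch, extension)
        if all(hi <= b_lo or lo >= b_hi for b_lo, b_hi in busy):
            free.append(ch)
    return free


# Constructed sample: the scan in the text showed 2442-2452 MHz (channels 7-9) in use.
BUSY_SCAN = [2442, 2447, 2452]

if __name__ == "__main__":
    print("20 MHz:", free_channels(BUSY_SCAN))
    print("40 MHz Ce:", free_channels(BUSY_SCAN, "Ce"))
    print("40 MHz eC:", free_channels(BUSY_SCAN, "eC"))
```

With channels 7-9 busy, only channels 1-3 and 13 are fully clear at 20 MHz, and no 40 MHz channel fits without overlapping the neighbours, which is the practical reason the text ends up at the bottom of the band.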

SSID is the name of the wireless network. If you have 5GHz APs, you can explicitly specify the 2G and 5G suffixes to help differentiate the bands. If this is not done, on the client, instead of two networks, only one will be visible in the list, and the connection will be carried out according to the priorities of the adapter (Prefer 2G / Prefer 5G).

WPS should be disabled if not in use.

Set “Frequency Mode” to “regulatory-domain”, and “Country” to “ukraine”. This setting will allow not to violate regional restrictions on the use of the radio frequency resource.

"WMM Support" can be set to "enabled". This is a QoS extension that allows prioritizing media traffic.

Go to the "Advanced" tab. For "Hw. Protection Mode" select "rts cts". In short, this option helps avoid collisions when clients connected to the point cannot hear each other and so cannot agree on the order of transmission.

For "Adaptive Noise Immunity" set "ap and client mode". Again, in a nutshell, this option activates a special algorithm for filtering noise created by the point itself and/or by the client, for example multiple reflections of the signal from walls. Please note that this option only works on adapters with Atheros chips.

On the HT tab, check the "Tx/Rx Chains" parameters; every chain should be ticked. If a chain is not ticked, the adapter will not be able to use it during operation.

Since we have not changed the power parameters of the radio module, the default values will apply.

In this case we are only interested in HT20-x and HT40-x. Basically, it is a kind of power table for the specific radio module.

HT20 and HT40 denote channel widths of 20 and 40 MHz, respectively. The number in the suffix is the MCS rate index of the 802.11n standard: the higher the number, the higher the rate. As you can see, the higher the rate, the lower the transmit power. Take this into account if you decide to set the power of the wireless module manually.

At the final stage, go to the "Security Profiles" tab. Here you need to adjust the security profile. We select the "dynamic keys" mode, as well as the WPA2 and AES options. You can forget about WPA and TKIP forever (not to mention the obsolete WEP): these security options have long been compromised and have weaknesses that let an experienced attacker gain access to a wireless network protected this way.

The network password is entered in the WPA2 Pre-Shared Key field. This completes the setting of the first point.

Configuring a wireless network in Mikrotik wAP ac

When setting up the second access point, we do everything in the same way as the first access point.

Keep in mind that it is necessary to scan the wireless network for each location, as the broadcast conditions may vary depending on the location. If you want to rely on automation, choose the "auto" channel, Mikrotik copes with this task quite well itself.

Do not forget to specify for the new and each subsequent point exactly the same SSID as on the first device. This is necessary for automatic roaming of clients between APs.

The operating frequency can be the same on several points, but only if their coverage overlaps weakly. Otherwise the points will share the airtime, which will hurt speed when they operate simultaneously. It is best to use the "checkerboard" principle, i.e. alternate channels so that they do not overlap at all.

In the case of dual-band access points there will be 2 interfaces in the Wireless Interfaces list; each is configured separately.

The principle is the same: scan the band and select the optimal frequency. If you have a clear 5745-5805 MHz range, we recommend using it. In our case it is already packed with local providers.

By the way, spectral-scan and spectral-history will be of interest to experienced administrators. Both tools work from the terminal.

They are invoked with the commands:

/interface wireless spectral-scan

/interface wireless spectral-history

We have decided on the channels and frequencies.

For the 5 GHz band we add the 5G suffix; as mentioned earlier, this is not strictly necessary.

The default channel width will be 20/40 MHz, but we know that 802.11ac can use 80 MHz channels, and it is on those that it delivers high speed.

For 80 MHz channels the eCee suffix is used in different combinations; there are 4 of them in total, since an 80 MHz channel combines four 20 MHz channels. The selection logic is the same as for 2.4 GHz.

We perform the settings in the same way as for the previous point and the 2.4 GHz band. Don't forget to check Chains and configure your security settings (profile).

Roaming nuances on Mikrotik

In principle, this brief guide could end here, but there is one more nuance.

In practice it is quite common for wireless networks to overlap. In such cases a client can stubbornly hang on to a point with a weak signal even though a point with an excellent signal is right "under its nose".

An example of such a case is shown in the screenshot above. On the left we see the phone connected to the 5 GHz network with a good signal level. After moving to another zone, the smartphone still hangs on the 5 GHz network, even though the channel rate has dropped to 87 Mbps and there is a 2.4 GHz network with an excellent signal nearby.

What to do in this case? You can switch networks manually if they have different names, or you can apply a workaround ("a file and some crutches", as admins say).

The first step is to disable the "Default Authenticate" option on all wireless interfaces. This is necessary in order to use the access list (ACL) functionality.

In the Access List tab (still in the Wireless section), create 2 rules.

First rule: set the signal range to -75..120 dBm and enable the Authentication and Forward options. This rule allows connections for clients with a signal level of -75 dBm or better.

Second rule: set the range to -120..-76 dBm and disable the Authentication and Forward options. This rule disconnects clients whose signal level has dropped to -76 dBm or below.

The Authentication option allows the connection; therefore its absence denies the connection. The Forward option allows data exchange between stations (clients). Forwarding can be useful in a protected home network, but in a public open network data exchange between clients must be prohibited for security reasons.

If desired, here you can also configure rules by day of the week and time; the necessary parameters are under the Time section.

After the ACL rules are created, the Registration table shows the list of authorized clients, and the comment of each client contains the comment from the matching ACL rule (if specified), which is very convenient.

We check the behaviour on a smartphone. When the signal level deteriorates to -75 dBm, the device still holds on to the old point. As soon as the signal degrades to -76 dBm, the point disconnects the client automatically, after which the client connects to the strongest point.

However, this method is not without flaws. The points forcibly disconnect the client, so the end client experiences a short loss of connectivity; at best this is ~2 seconds, and much depends on the client hardware.

I set the signal level to -75 dBm solely as an example; it is a reference value rather than a universal setting "for every occasion". In practice it is sometimes necessary to use -80 dBm and below. In any case, the value is chosen purely experimentally on site, based on the specific coverage and the sensitivity of the client equipment.
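The two rules above as an added worked example in Python (not part of the article or of RouterOS): a top-down access-list match, a check that the two signal ranges leave no uncovered gap, and a replay of a client walking away from one point towards another. The AP names, the 1 s sampling and the signal walk are constructed for the example; the grace period models the access-list parameter allow-signal-out-of-range and its 10 s default, and the interface-level Default Authenticate is assumed to be off as the text instructs.

```python
"""Added example (not from the original article): how the two access-list
rules from the text behave.  RouterOS checks access-list rules top-down and
applies the first one whose signal range contains the client's signal; the
AP keeps re-checking registered clients, and a client that no longer matches
an authenticating rule is dropped once it has been out of range longer than
allow-signal-out-of-range (10 s by default)."""

from dataclasses import dataclass


@dataclass
class AccessRule:
    signal_low: int        # dBm, inclusive
    signal_high: int       # dBm, inclusive
    authentication: bool
    forwarding: bool
    comment: str = ""


# The two rules from the article: allow at -75 dBm and better, deny below.
RULES = [
    AccessRule(-75, 120, True, True, "good signal"),
    AccessRule(-120, -76, False, False, "too weak, let the client roam"),
]


def match(rules, signal_dbm):
    """First rule whose range contains the signal, or None (interface defaults apply)."""
    for rule in rules:
        if rule.signal_low <= signal_dbm <= rule.signal_high:
            return rule
    return None


def admitted(rules, signal_dbm, default_authentication=False):
    rule = match(rules, signal_dbm)
    return rule.authentication if rule else default_authentication


def coverage_gaps(rules):
    """dBm values matched by no rule.  With Default Authenticate off these
    clients are silently refused, a common mistake when the two ranges do not meet."""
    gaps, start = [], None
    for s in range(-120, 121):
        if match(rules, s) is None:
            start = s if start is None else start
        elif start is not None:
            gaps.append((start, s - 1))
            start = None
    if start is not None:
        gaps.append((start, 120))
    return gaps


def simulate(samples, rules=RULES, out_of_range_s=10, default_authentication=False):
    """samples: [(t_seconds, {ap: signal_dbm}), ...] for one client.
    Returns [(t, "join" | "drop", ap), ...]."""
    events, current, bad_since = [], None, None
    for t, signals in samples:
        if current is None:
            # a disconnected client picks the strongest AP that will admit it
            choices = [(s, ap) for ap, s in signals.items()
                       if admitted(rules, s, default_authentication)]
            if choices:
                current = max(choices)[1]
                events.append((t, "join", current))
            continue
        if admitted(rules, signals[current], default_authentication):
            bad_since = None
            continue
        if bad_since is None:
            bad_since = t
        if t - bad_since >= out_of_range_s:
            events.append((t, "drop", current))
            current, bad_since = None, None
    return events


# Constructed walk: the signal from AP1 falls 1 dB per second while AP2 rises.
WALK = [(t, {"AP1": -60 - t, "AP2": -90 + t}) for t in range(30)]

if __name__ == "__main__":
    print("gaps:", coverage_gaps(RULES))
    print("default grace:", simulate(WALK))
    print("no grace:", simulate(WALK, out_of_range_s=0))
```

Passing out_of_range_s=0 reproduces the immediate disconnect at -76 dBm observed in the text; with the default grace period the drop comes ten samples later. coverage_gaps is the check to run whenever the two ranges are edited: a hole between them, combined with Default Authenticate off, refuses every client whose signal lands in that hole.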

Finally

Of course, there are many options for implementing a home wireless network on Mikrotik, starting with manual setting and ending with the use of CAPsMAN and even Mesh.

We have described a completely manual configuration option so that the end user understands "how it works", moreover, this option does not require deep knowledge. At the same time, this configuration allows you to create a reliable wireless network that can work stably without your intervention.

Among the shortcomings, it is worth noting the need to configure all devices separately, which takes a little longer than with CAPsMAN. With a handful of points this option is quite suitable and offers good flexibility.

Quick Set is an automatic configuration wizard that helps you quickly configure the router and start using it without diving into the depths of RouterOS fine-tuning. Depending on the device, several templates may be available to you:

Security

The default configuration no longer allows connecting to the router from the external network, but the protection is based only on the packet filter. Do not forget to set a password for the admin user. Therefore, in addition to filtering and the password, I do the following:

Availability on external interfaces

I disable the services that are not needed in a home network (and in many non-home networks), and restrict the remaining services by specifying the addresses from which they may be accessed.

The next step is to limit discovery of the router via neighbor discovery. To do this, you need an interface list on which this protocol is allowed to work; configure it:

/interface list add exclude=dynamic name=discover

Add to the discover list the interfaces on which we want the Neighbor Discovery protocol to work.

Now configure the protocol by specifying the discover list in its settings:

In a simple home configuration the discover list may also contain the interfaces on which access by MAC address (for situations when IP is unavailable) may work, so we configure that function as well:

Now the router becomes "invisible" on external interfaces, which hides information about it (not all of it, of course) from potential scanners and deprives the bad guys of an easy way to gain control of the router.

DDoS protection

Now, let's add some simple rules to the packet filter:

/ip firewall filter
add action=jump chain=forward connection-state=new in-interface-list=ISP jump-target=anti-DDoS
add action=jump chain=input connection-state=new in-interface-list=ISP jump-target=anti-DDoS
add action=drop chain=forward connection-state=new src-address-list=BAN-DDoS
add action=return chain=anti-DDoS dst-limit=15,15,src-address/10s
add action=add-src-to-address-list address-list=BAN-DDoS address-list-timeout=1d chain=anti-DDoS
add action=jump chain=input connection-state=new dst-port=22,8291 in-interface-list=ISP jump-target=anti-BruteForce-3 protocol=tcp
# note: the drop below sits in the forward chain only, so a listed source is still able
# to reach the router's own ssh/winbox; a matching chain=input drop closes that path
add action=drop chain=forward connection-state=new src-address-list=BAN-BruteForce-3
add action=return chain=anti-BruteForce-3 dst-limit=4/1m,1,src-address/1m40s
add action=add-src-to-address-list address-list=BAN-BruteForce-3 address-list-timeout=1d chain=anti-BruteForce-3

And place them after the default-configuration (defconf) rule for the ICMP protocol.

The result is a one-day ban for anyone trying to open more than 15 new connections per second. Whether 15 connections is many or few is debatable; choose the number yourself. I chose 50 for corporate use and get 1-2 bans per day. The second group of rules is much stricter: it blocks connection attempts to the ssh (22) and winbox (8291) ports after 3 attempts per minute, with a day of rest ;). If you need to expose a DNS server to the Internet, a similar rule can cut off DNS amplification attempts, but the solution is not ideal and produces many false positives.
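What the two chains above do, replayed in Python over constructed connection events (an added example, not code from the article): sources that exceed 15 new connections in a second, or 3 attempts on ports 22/8291 in a minute, land in the corresponding address list for a day and are dropped thereafter. The thresholds follow the description above rather than RouterOS's exact dst-limit token-bucket accounting; the addresses come from the documentation ranges (TEST-NET) and the timestamps are seconds.

```python
"""Added example (not from the original article): the ban logic of the
anti-DDoS and anti-BruteForce-3 chains, modelled with sliding windows."""

from collections import defaultdict, deque

BAN_SECONDS = 24 * 60 * 60          # address-list-timeout=1d
MGMT_PORTS = {22, 8291}             # ssh and winbox, as in the rule


class SlidingWindow:
    """Counts events per source inside a trailing time window."""

    def __init__(self, limit, window_s):
        self.limit, self.window_s = limit, window_s
        self.hits = defaultdict(deque)

    def exceeded(self, src, now):
        q = self.hits[src]
        while q and q[0] <= now - self.window_s:
            q.popleft()
        q.append(now)
        return len(q) > self.limit


def is_banned(bans, src, now):
    """True while any list holds an unexpired entry for src."""
    return any(entries.get(src, -1) > now for entries in bans.values())


def run_filter(events):
    """events: [(t, src_ip, dst_port), ...] for connection-state=new packets
    arriving on the ISP interface, in time order.
    Returns {list_name: {src: expires_at}}."""
    anti_ddos = SlidingWindow(limit=15, window_s=1)     # >15 new connections per second
    anti_brute = SlidingWindow(limit=3, window_s=60)    # >3 attempts on 22/8291 per minute
    bans = {"BAN-DDoS": {}, "BAN-BruteForce-3": {}}
    for t, src, port in events:
        if is_banned(bans, src, t):          # the drop rules for listed sources
            continue
        if anti_ddos.exceeded(src, t):
            bans["BAN-DDoS"][src] = t + BAN_SECONDS
            continue
        if port in MGMT_PORTS and anti_brute.exceeded(src, t):
            bans["BAN-BruteForce-3"][src] = t + BAN_SECONDS
    return bans


# Constructed sample traffic (TEST-NET addresses, seconds since start).
SAMPLE_EVENTS = sorted(
    [(0, "203.0.113.5", 443)] * 20                                   # 20 new connections in one second
    + [(t, "198.51.100.7", 8291) for t in (10, 20, 30, 40, 50)]       # winbox password guessing
    + [(0, "192.0.2.9", 443), (100, "192.0.2.9", 443), (200, "192.0.2.9", 22)]  # ordinary user
)

if __name__ == "__main__":
    for name, entries in run_filter(SAMPLE_EVENTS).items():
        print(name, entries)
```

The flooding source is listed on its 16th connection and the winbox guesser on its 4th attempt, while the ordinary user never trips either window; lowering the 15 or 3 here is the same knob as changing the dst-limit values in the rules, and the first number is the one the text suggests tuning per site.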

RFC 1918

RFC 1918 describes the address ranges reserved for networks that are not routed globally. It therefore makes sense to block traffic from and to such networks on the interface facing the provider, except when the provider gives you a "gray" (private) address.

/ip firewall address-list
add address=10.0.0.0/8 list="RFC 1918"
add address=172.16.0.0/12 list="RFC 1918"
add address=192.168.0.0/16 list="RFC 1918"
/ip firewall filter
add action=drop chain=input comment="Drop RFC 1918" in-interface-list=WAN src-address-list="RFC 1918"
add action=drop chain=forward comment="Drop RFC 1918" dst-address-list="RFC 1918" out-interface-list=WAN
add action=drop chain=output comment="Drop RFC 1918" dst-address-list="RFC 1918" out-interface-list=WAN

Put these rules closer to the beginning of the filter and do not forget to add the interface facing the ISP to the WAN list.

UPnP

A rather controversial technology that lets applications ask the router to forward ports through NAT. The protocol works without any authorization or control (the standard simply has none), and it is often the point at which security is compromised. Configure it to your liking:

SIP Conntrack

It is also worth disabling the SIP connection-tracking helper, which can cause erratic VoIP operation; most modern SIP clients and servers do fine without its help, and SIP over TLS makes it completely useless.

Dynamic and nested interface lists

This feature appeared quite recently (since version 6.41) and is very handy. However, there is an unpleasant bug (I reported it, but it has not been fixed yet): after the router restarts, firewall rules that use these lists do not work for the interfaces included in the child lists. The workaround is to re-add the child lists after the reboot. Automation is simple:

In the Scheduler, write a script for the startup event (the interface lists below are for a load-balanced configuration):

/interface list
set ISP1TUN include=""
set ISP include=""
set TUN include=""
:delay 2
set ISP1TUN include=ISP1,TUN1
set ISP include=ISP1
set TUN include=TUN1

WiFi

In an urban environment, where the air is extremely noisy, it makes sense to abandon 40 MHz channels; this increases the signal power per channel, since a 40 MHz channel is essentially two 20 MHz channels.

Bridge & ARP

If your router distributes the Internet and hands out settings to clients via DHCP, it makes sense to set arp=reply-only on the bridge and enable add-arp=yes in the DHCP server.

This setting prevents clients from setting an IP address manually, since the router will only work with the MAC-IP pairs that it issued itself.

P.S. The article is taken from here: https://habrahabr.ru/post/353730/

CAPsMAN from MikroTik is a good, inexpensive solution if you need a single wireless coverage area over a large space. This can be a large house with 2-3 floors, an office, a cafe, etc.

All access points managed by CAPsMAN can be combined into a single network (analogous to a Ubiquiti UniFi network) with seamless roaming. This makes using Wi-Fi more comfortable: if you move your smartphone or laptop out of the coverage area of one point controlled by CAPsMAN into the coverage area of another point controlled by the same controller, the connection will not be dropped and you will not need to reconnect.


If we talk specifically about seamless roaming, it could be configured on MikroTik even before CAPsMAN appeared, by deploying a mesh network. Therefore, the main advantage of this controller is the ability to centrally configure and manage access points from one device, which greatly simplifies the network administrator's work. Thanks to CAPsMAN, setting up a single seamless Wi-Fi coverage area has also become much easier, and therefore more affordable.


In this article, we will explain how to install and configure the MikroTik CAPsMAN controller, taking as an example and .

Preliminary information on configuring CAPsMAN

The CAPsMAN (Controlled Access Point system Manager) wireless access point controller is included in the standard installation package of the latest RouterOS versions. The latest MikroTik access point models (cAP-2nD, hAP Lite and others) fully support control by this software, and by updating RouterOS you can also use the controller on previously released devices.

CAPsMAN is installed on a router that will act as the central control device, and this can be a router without a wireless module. The router must run RouterOS version 6.11 or later. CAPsMAN v2 works since RouterOS v6.22rc7. It is best, of course, to use the second version of the controller, as it eliminates most of the shortcomings of the first.

Access points connected to the controller (CAPs, or Controlled Access Points) must have a license level of at least 4. They are connected to the router running CAPsMAN with twisted-pair cable, and can also be chained to each other in series (also with twisted pair).

RouterOS update

The first thing we need to do before configuring CAPsMAN is to update the device software.

Resetting the router settings to factory defaults:

RB2011UiAS-2HnD-IN can be reset both using the Reset button, which is located on the back of the device between the antennas (hold it until the green LED starts blinking and release), or using the jumper hole on the bottom of the router, located under the Reset button (insert a screwdriver into the hole, turn on the device, wait 10 seconds before resetting the configuration).

The MikroTik cAP-2nD is reset to factory settings using the Reset button located to the left of the Ethernet port. Hold it until the LEDs start blinking, then release.

We go to the official website and download the corresponding firmware.

As you can see, the same firmware (mipsbe) suits both of our devices, so download it. We recommend flashing the devices using the Netinstall program.

We connect RB2011UiAS-2HnD-IN to the computer for configuration.

We connected the cable to the ETH6 port, but you can connect to any port except the first. The computer's network settings must be preconfigured so that the router and the computer's network card have addresses on the same subnet.

The default IP address of MikroTik devices is 192.168.88.1, the login is admin, and the password is empty.

Launch WinBox, go to the router.

In the first window, we reset the default configuration. If we connected by IP, WinBox will be disconnected at this point, since we have reset the router's IP address as well. We connect again, this time by MAC address.

To update, go to Files menu.

Open it and drag the downloaded file with the new firmware into this window. Confirm the update.

After the download of the file with the firmware is finished, go to the System menu and click the Reboot item.

The router will reboot and update the firmware. Please note that this can be a long process - 3-5 minutes, although in our case the reboot was quick. Do not turn off the power during the update process!

Check if the bootloader has been updated correctly.

Go to the System - RouterBoard menu and check whether the versions in the Current Firmware and Upgrade Firmware fields match. If not, press the Upgrade button and reboot the router (the screenshot was taken during the cAP-2nD update; the picture is similar on the router).

Configuring a router with a CapsMan controller

We configure RB2011UiAS-2HnD-IN in the QuickSet tab, setting the Ethernet mode and selecting Bridge mode, as in the screenshot:

We combine all the device's ports and Wi-Fi interfaces into a single bridge (so that clients connected via Wi-Fi and via the wired network can see each other).

To do this, go to the Interface tab and create a new one (plus from the top left), select bridge in the drop-down menu and give it a new name. We used an existing bridge and did not create a new one, but for personal convenience and ease of managing points, we recommend creating a separate interface.

Our bridge settings ultimately look like this:

Settings on the Ports tab, all router interfaces are added here:

In the IP - Addresses menu, we register the router's address (during setup we assigned it the usual default address, 192.168.88.1).

We update the MikroTik cAP-2nD access point in the same way, also combine its ports into bridge1, and register its IP address (we assigned 192.168.88.28 to our "experimental" cAP-2nD).

In the simple case (which is how we configured it) all access points belong to the same subnet; however, CAPsMAN can also be configured when the devices are in different subnets.

CAPsMAN module activation

In the latest firmware, the module is activated by default (it is built into the wireless package), and the menu at the top left always has a CAPsMAN tab. In this case, we skip this step.

If you have old firmware, where the CAPsMAN control module is disabled by default, do the following.

Go to System - Packages, go to the package wireless-cm2 and click Enable. The package is marked as ready for activation.

To activate the package, you need to restart the router. After rebooting, we see the line wireless-cm2 active, and the wireless-fp package - on the contrary, inactive.

Please note that we are activating the wireless-cm2 package - this is the CAPsMAN v2 module. Early instructions contain instructions for activating wireless-fp - this is the first, now outdated version of the module.

Configuring the CAPsMAN module

On the device that will act as a point controller (in our case, on RB2011UiAS-2HnD), we configure the CAPsMAN control module.

We find the item of the same name in the menu. We go into it and turn on the controller (CAPsMAN - InterFace tab - Manage - checkbox in the Enable item).

We register the Wi-Fi channel settings we need on the Channel tab.

Then come the Datapath settings; here we only set the name and select our bridge (the name depends on which one you created and use).

If we check the local-forwarding checkbox, then we transfer traffic control directly to the access points. If the checkbox is unchecked, then the controller takes over traffic control.


On the remaining tabs, we simply select those Channel, Datapath and Security settings that we created earlier, thus combining them into one configuration. In principle, it was possible to create them here, but for complex cases it is still more convenient to do this separately.

Now we need the Provisioning or "Deploy" tab. Here we write the configuration deployment rule. We do not touch the first field (Radio MAC), in the Action field we indicate that dynamic interfaces enabled by default will be created.

Configuring an access point controlled by CAPsMAN on a router

Since we have a router with WiFi support, in addition to the functions of a controller of controlled wireless points, it is also such a point. We configure it in the appropriate mode, that is, we indicate that it should take the configuration from the controller.

These settings differ slightly from those of a normal access point.

Go to the Wireless menu, press the CAP button, and check the Enabled checkbox. In the CAPsMAN Addresses field, write the address of the controller; in this case, it is the address of the device itself. Then select the bridge we created from the list. We do not touch the rest of the fields.

After saving the settings, red lines appear above the interface line, indicating that the access point built into the router is controlled by CAPsMAN.

Configuring the MikroTik cAP-2nD point under the control of the controller

Now we set up a separate access point under CAPsMAN. We remind you that before configuring it, you need to do everything the same as for the router: reset to factory settings, reset the default configuration, update the firmware to the latest version, check whether the bootloader has been updated and update it, combine all ports into a bridge, and register the IP address. All this is described at the beginning of the article.

On the QuickSet tab on the controlled access points, we can only register the IP, the rest of the settings will be pulled from the CAPsMAN configuration.


Important: all CAPsMAN devices must have the same version.

If you have an old firmware, then the activated package with CAPsMAN looks like this:

Go to the Wireless menu, press the CAP button, and check the Enabled checkbox. Filling in the rest of the fields differs from the router's setup in that instead of the CAPsMAN address we specify Discovery Interfaces, that is, the interfaces through which the cAP should look for the controller; in our case, via the bridge.

We save the settings and after a few seconds two red lines should appear, one after the other, above the wireless interface. This indicates that our access point has connected to the CAPsMAN controller, loaded the configuration we wrote and is now under its control.

Returning to the router, we see that new wireless point interfaces have appeared in the CAPsMAN section:

The same interfaces can be observed in the general section:

The CAPsMAN module configuration is now complete. If you do not need special settings (DNS, DHCP server, NAT, etc.), everything is already working and you can connect clients to the access points. In our case, all settings were registered on the main router, the RB2011UiAS-2HnD, so the system started working right away.

Test of seamless roaming on CAPsMAN in real conditions

For testing, we spaced two CAPsMAN-controlled access points to different floors.

  • RB2011 acted as the controller and the first access point.
  • cAP-2nD - as a second access point.

There were approximately 30 meters between the points, a reinforced concrete floor and several walls.

As the transition proceeded, we can see in the video how the Tx data rate gradually changed from one CAP Interface to another, which means that the device was smoothly switched between access points.

In order to see all the details on the video, expand it to full screen and set the resolution to 1080.

At the same time, none of the 100 requested data packets was lost.

