Wireless Interface

---

Overview

Package:wireless

RouterOS wireless complies with IEEE 802.11 standards, it provides complete support for 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac as long as additional features like WPA, WEP, AES encryption, Wireless Distribution System (WDS), Dynamic Frequency selection (DFS), Virtual Access Point, Nstreme and NV2 proprietary protocols and many more.Wireless featurescompatibility table for different wireless protocols.

Wireless can operate in several modes: client (station), access point, wireless bridge etc. Client/station also can operate in different modes, a complete list of supported modes can be foundhere.

General interface properties

Sub-menu:/interface wireless

802.11n wireless chipsets represent power per chain and the 802.11ac

wireless chipsets represent the total power, for reference see the table below:Transmit Power representation on 802.11n and 802.11ac

Basic and MCS Rate table

Used settings whenrate-set=configured

Settings independent fromrate-set:

1. allowed mcs depending on number of chains:
   • 1 chain: 0-7
   • 2 chains: 0-15
   • 3 chains: 0-23
2. if standard channel width (20Mhz) is not used, then 2ghz modes (except 2.4ghz-b) are not using b rates (1-11)

Frame protection support (RTS/CTS)

802.11 standard provides means to protect the transmission against other device transmission by using RTS/CTS protocol. Frame protection helps to fight "hidden node" problem. There are several types of protection:

• RTS/CTS based protection - device willing to send frame at first sends RequestToSend frame and waits for ClearToSend frame from intended destination. By "seeing" RTS or CTS frame 802.11 compliant devices know that somebody is about to transmit and therefore do not initiate transmission themselves
• "CTS to self" based protection - device willing to send frame sends CTS frame "to itself". As in RTS/CTS protocol every 802.11 compliant device receiving this frame know not to transmit. "CTS to self" based protection has less overhead, but it must be taken into account that this only protects against devices receiving CTS frame (e.g. if there are 2 "hidden" stations, there is no use for them to use "CTS to self" protection, because they will not be able to receive CTS sent by other station - in this case stations must use RTS/CTS so that other station knows not to transmit by seeing CTS transmitted by AP).

Protection mode is controlled byhw-protection-modesetting of wireless interface. Possible values:none- for no protection (default),rts-ctsfor RTS/CTS based protection orcts-to-selffor "CTS to self" based protection.

Frame size threshold at which protection should be used is controlled byhw-protection-thresholdsetting of wireless interface.

For example, to enable "CTS-to-self" based frame protection on AP for all frames, not depending on size, use command:

[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=cts-to-self hw-protection-threshold=0

To enable RTS/CTS based protection on client use command:

[admin@MikroTik] /interface wireless> set 0 hw-protection-mode=rts-cts hw-protection-threshold=0

Nv2

MikroTik has developed a new wireless protocol based on TDMA technology (Time Division Multiple Access) - (Nstreme version 2). See the Nv2 documentation:NV2

TDMA is a channel access method for shared medium networks. It allows several users to share the same frequency channel by dividing the signal into different time slots. The users transmit in rapid succession, one after the other, each using his own time slot. This allows multiple stations to share the same transmission medium (e.g. radio frequency channel) while using only a part of its channel capacity.

The most important benefits of Nv2 are:

• Increased speed
• More client connections in PTM environments
• 较低的拉tency
• No distance limitations
• No penalty for long distances

Nv2 protocol limit is 511 clients.

Warning:Nv2 doesn't have support for Virtual AP

Nv2 Troubleshooting

Increase throughput on long distance withtdma-period-size. In Every "period", the Access Point leaves part of the time unused for data transmission (which is equal toround trip time- the time in which the frame can be sent and received from the client), it is used to ensure that client could receive the last frame from Access Point, before sending its own packets to it. The longer the distance, the longer the period is unused.

For example, the distance between Access Point and client is 30km. Frame is sent in 100us one direction, respectively round-trip-time is ~200us.tdma-period-sizedefault value is 2ms, it means 10% of the time is unused. When tdma-period-size is increased to 4ms, only 5% of time is unused. For 60km wireless link, round-trip-time is 400ms, unused time is 20% for default tdma-period-size 2ms, and 10% for 4ms. Bigger tdma-period-size value increases latency on the link.

Access List

Sub-menu:/interface wireless access-list

Access list is used by access point to restrict allowed connections from other devices, and to control connection parameters.

Access list rules are processed one by one until matching rule is found. Then the action in the matching rule is executed. If action specifies that client should be accepted, client is accepted, potentially overriding it's default connection parameters with ones specified in access list rule.

There are the following parameters for access list rules:

• client matching parameters:
  • address - MAC address of the client
  • interface - optional interface to compare with the interface to which client actually connects to
  • time - time of day and days when rule matches
  • signal-range - range in which client signal must fit for the rule to match
  • allow-signal-out-of-range - option which permits client's signal to be out of the range always or for some time interval
• connection parameters:
  • ap-tx-limit - tx speed limit in direction to client
  • client-tx-limit - tx speed limit in direction to AP (applies to RouterOS clients only)
  • private-passphrase - PSK passphrase to use for this client if some PSK authentication algorithm is used
  • vlan-mode - VLAN tagging mode specifies if traffic coming from client should get tagged (and untagged when going to client).
  • vlan-id - VLAN ID to use if doing VLAN tagging

Operation:

• Access list rules are checked sequentially.
• Disabled rules are always ignored.
• Only the first matching rule is applied.
• 如果没有匹配规则的远程康涅狄格州ection, then the default values from the wireless interface configuration are used.
• If remote device is matched by rule that hasauthentication=novalue, the connection from that remote device is rejected.

Warning:If there is no entry in ACL about client which connects to AP (wireless,debug wlan2: A0:0B:BA:D7:4D:B2 not in local ACL, by default accept), then ACL for this client is ignored during all connection time.

For example, if client's signal during connection is -41 and we have ACL rule

/interface/wireless/access-list add authentication=yes forwarding=yes interface=wlan2 signal-range=-55..0

Then the connection is matched to the ACL rule, but if signal drops below -55, client will not be disconnected.

Please note that if "default-authentication=yes" is set on the wireless interface, clients will be able to join even if there are no matching access-list entries.
To make it work correctly it is required that client is matched by any of ACL rules.

If we modify ACL rules in the previous example to:

/interface/wireless/access-list add interface=wlan2 signal-range=-55..0 add authentication=no forwarding=no interface=wlan2 signal-range=-120..-56

Then if signal drops to -56, client will be disconnected.

Properties

Align

Sub-menu:/interface wireless align

Align tool is used to help in alignment devices running this tool.

Menu Specific Commands

Connect List

Sub-menu:/interface wireless connect-list

connect-list is used to assign priority and security settings to connections with remote access points, and to restrict allowed connections. connect-list is an ordered list of rules. Each rule in connect-list is attached to specific wireless interface, specified in theinterfaceproperty of that rule (this is unlikeaccess-list, where rules can apply to all interfaces). Rule can match MAC address of remote access point, it's signal strength and many other parameters.

Operation:

• connect-list rules are always checked sequentially, starting from the first.
• disabled rules are always ignored.
• Only the first matching rule is applied.
• If SSID or exact wireless protocol is provided in the wireless interface configuration Connect List SSIDs or wireless protocols not covered by wireless interface configuration are ignored.
• If connect-list does not have any rule that matches remote access point, then the default values from the wireless interface configuration are used.
• If access point is matched by rule that hasconnect=novalue, connection with this access point will not be attempted.
• If access point is matched by rule that hasconnect=yesvalue, connection with this access point will be attempted.
  • In station mode, if several remote access points are matched by connect list rules withconnect=yesvalue, connection will be attempted with access point that is matched by rule higher in the connect-list.
  • If no remote access points are matched by connect-list rules withconnect=yesvalue, then value ofdefault-authenticationinterface property determines whether station will attempt to connect to any access point. Ifdefault-authentication=yes, station will choose access point with best signal and compatible security.
• In access point mode, connect-list is checked before establishing WDS link with remote device. If access point is not matched by any rule in the connect list, then the value ofdefault-authenticationdetermines whether WDS link will be established.

Properties

Usage

Restrict station connections only to specific access points

• Set value ofdefault-authenticationinterface property tono.

/interface wireless set station-wlan default-authentication=no

• Create rules that matches allowed access points. These rules must haveconnect=yesandinterfaceequal to the name of station wireless interface.

/interface wireless connect-list add interface=station-wlan connect=yes mac-address=00:11:22:33:00:01/interface wireless connect-list add interface=station-wlan connect=yes mac-address=00:11:22:33:00:02

Disallow connections to specific access points

• Set value ofdefault-authenticationinterface property toyes.

/interface wireless set station-wlan default-authentication=yes

• Createconnect=norules that match those access points that station should not connect to. These rules must haveconnect=noandinterfaceequal to the name of station wireless interface.

/interface wireless connect-list add interface=station-wlan connect=no mac-address=00:11:22:33:44:55

Select preferred access points

• Create rules that match preferred access points. These rules must haveconnect=yesandinterfaceequal to the name of station wireless interface.
• Put rules that match preferred access points higher in the connect-list, in the order of preference.

Restrict WDS link establishment

• Place rules that match allowed access points at the top.
• Add deny-all rule at the end of connect list.

Info

Sub-menu:/interface wireless info

Manual TX Power Table

Sub-menu:/interface wireless manual-tx-power-table

Wireless hardware table

Warning:你必须遵循监管领域的需求in your country. If you are allowed to use other frequencies, note that Antenna Gain and Transmit Power may decrease depending on board and frequency. Devices are calibrated only for regulatory frequencies, use non standard frequencies at your own risk. The list only specifies frequencies accepted by the wireless chip, these frequencies might not always work due to antenna that is built into the product, device design, filters and other factors. USE STRICTLY AT YOUR OWN RISK

It is possible to deduce supported channel width from the product page, to do so you need to check the following parameters:number of chainsand themax data rate. Once you know these parameters, you need to check the modulation and coding scheme (MCS) table, for example, here:https://mcsindex.com/.

If we take hAP ac, as an example, we can see that number of chains is 3, and the max data rate is 1300 in the MCS table. In the MCS table we need to find entry for 3 spatial streams - chains, and the respective data rate, which in this case shows us that 80MHz is the maximum supported channel width.

Integrated wireless interface frequency table

NOTES:

1. - Only in 802.11a/n standard

Overview

Advanced Channels feature provides extended opportunities in wireless interface configuration:

• scan-list that covers multiple bands and channel widths;
• non-standard channel center frequencies (specified with KHz granularity) for hardware that allows that;
• non-standard channel widths (specified with KHz granularity) for hardware that allows that.

Hardware support

Non standard center frequency and width channels can only be used with interfaces that support it.

Currentlyonly Atheros AR92xxbased chips support non-standard center frequencies and widths with the following ranges:

• center frequency range: 2200MHz-2500MHz with step 0.5MHz (500KHz), width range: 2.5MHz-30MHz width step 0.5MHz (500KHz);
• center frequency range: 4800MHz-6100MHz with step 0.5MHz (500KHz), width range: 2.5MHz-30MHz width step 0.5MHz (500KHz);

AR93xx doesn't support this feature

Configuring Advanced Channels

Advanced Channels are configured ininterface wireless channelsmenu. This menu contains ordered list of user-defined channels that can be grouped by means oflistproperty. Channels have the following properties:

• name- name by which this channel can be referred to. Ifnameis not specified when adding channel, it will be automatically generated from channel frequency and width;
• list- name of list this channel is part of. Lists can be used to group channels;
• frequency- channel center frequency in MHz, allowing to specify fractional MHz part, e.g.5181.5;
• width- channel width in MHz, allowing to specify fractional MHz part, e.g.14.5;
• band- defines default set of data rates when using this channel;
• extension-channel- specifies placement of 11n extension channel.

Using Advanced Channels

In order to use Advanced Channels in wireless interface configuration, several interface settings accept channel names or list names as arguments. It is possible to configure interface with channel that interface does not support. In this case interface will not become operational. It is sole responsibility of administrator to configure channels in proper way.

frequency

To use particular Advanced Channel for wireless interface (applies to modes that make use of interfacefrequencysetting) specify channel name in interfacefrequencysetting. For example, to configure interface to operate with center frequency 5500MHz and channel width 14MHz, use the following commands:

[admin@雷竞技网站MikroTik] /无线>频道添加界面name=MYCHAN frequency=5500 width=14 band=5ghz-onlyn list=MYLIST [admin@MikroTik] /interface wireless> set wlan1 frequency=MYCHAN

scan-list

Interfacescan-listis used in multiple modes that either gather information for list of channels (like interactivescancommand) or selects channel to work on (like any ofstationmodes or AP modes performing DFS). Interfacescan-listcan be configured with comma-separated list of the following items:

• default- default .11 channel list for given country and interface band and channel width;
• numeric frequency ranges in MHz;
• Advanced Channel, referred to by name;
• Advanced Channel list, referred to by list name.

For example, to configure interface to scan 5180MHz, 5200MHz and 5220MHz at first using channel width 20MHz and then using channel width 10MHz, the following commands can be issued:

[admin@雷竞技网站MikroTik] /无线>频道添加界面frequency=5180 width=20 band=5ghz-a list=20MHz-list [admin@MikroTik] /interface wireless> channels add frequency=5200 width=20 band=5ghz-a list=20MHz-list [admin@MikroTik] /interface wireless> channels add frequency=5220 width=20 band=5ghz-a list=20MHz-list [admin@MikroTik] /interface wireless> channels add frequency=5180 width=10 band=5ghz-a list=10MHz-list [admin@MikroTik] /interface wireless> channels add frequency=5200 width=10 band=5ghz-a list=10MHz-list [admin@MikroTik] /interface wireless> channels add frequency=5220 width=10 band=5ghz-a list=10MHz-list [admin@MikroTik] /interface wireless> set wlan1 scan-list=20MHz-list,10MHz-list

Nstreme

Sub-menu:/interface wireless nstreme

这个菜单允许切换一个无线网卡nstreme mode. In this case the card will work only with nstreme clients.

Note:这里的设置(启用nstreme除外)基于“增大化现实”技术e relevant only on Access Point, they are ignored for client devices! The client automatically adapts to the AP settings.
WDS for Nstreme protocol requires using station-wds mode on one of the peers. Configurations with WDS between AP modes (bridge and ap-bridge) will not work.

Nstreme Dual

Sub-menu:/interface wireless nstreme-dual

Two radios in nstreme-dual-slave mode can be grouped together to make nstreme2 Point-to-Point connection. To put wireless interfaces into a nstreme2 group, you should set their mode to nstreme-dual-slave. Many parameters from /interface wireless menu are ignored, using the nstreme2, except:

• frequency-mode
• country
• antenna-gain
• tx-power
• tx-power-mode
• antenna-mode

Warning:WDS cannot be used on Nstreme-dual links.

Note:The difference between tx-freq and rx-freq should be about 200MHz (more is recommended) because of the interference that may occur!

Note:You can use different bands for rx and tx links. For example, transmit in 2ghz-g and receive data, using 2ghz-b band.

Registration Table

Sub-menu:/interface wireless registration-table

In the registration table, you can see various information about currently connected clients. It is used only for Access Points.

All properties are read-only.

Security Profiles

Sub-menu:/interface wireless security-profiles

Security profiles are configured under the/interface wireless security-profilespath in the console, or in the "Security Profiles" tab of the "Wireless" window in the WinBox. Security profiles are referenced by the Wireless interfacesecurity-profileproperty andsecurity-profileproperty of Connect Lists.

Basic properties

WPA properties

These properties have effect only whenmodeis set todynamic-keys.

Note:RouterOS also allows to override pre-shared key value for specific clients, using either theprivate-pre-shared-keyproperty, or theMikrotik-Wireless-Pskattribute in the RADIUS MAC authentication response. This is an extension.

WPA EAP properties

These properties have effect only whenauthentication-typescontainswpa-eaporwpa2-eap, andmodeis set todynamic-keys.

Note:The order of allowed authentication methods ineap-methodsis important, the same order is going to be used to send authentication method offers to the Station. Example: Access Point uses security-profile whereeap-methodsis set toeap-tls,passthrough; 1) Access Point offers EAP-TLS method to the client; 2) Client refuses; 3) Access Point starts relaying EAP communication to the radius server.

Note:When the AP is used for passthrough it is not required to add certificates on the AP itself, the AP device works as a transparent bridge and forwards the EAP-TLS association data from RADIUS server to the end client.

Note:Whentls-modeis using eitherverify-certificateordont-verify-certificate, then the remote device has to support one of theRC4-MD5,RC4-SHAorDES-CBC3-SHATLS cipher suites. When usingno-certificatesmode, then the remote device must support "ADH-DES-CBC3-SHA" cipher suite.

RADIUS properties

WEP properties

These properties have effect only whenmodeis set tostatic-keys-requiredorstatic-keys-optional.

Management frame protection

Used for: Deauthentication attack prevention, MAC address cloning issue.

RouterOS implements proprietary management frame protection algorithm based on shared secret. Management frame protection means that RouterOS wireless device is able to verify source of management frame and confirm that particular frame is not malicious. This feature allows to withstand deauthentication and disassociation attacks on RouterOS based wireless devices.

Management protection mode is configured in security-profile withmanagement-protectionsetting. Possible values are:disabled- management protection is disabled (default),allowed- use management protection if supported by remote party (for AP - allow both, non-management protection and management protection clients, for client - connect both to APs with and without management protection),required- establish association only with remote devices that support management protection (for AP - accept only clients that support management protection, for client - connect only to APs that support management protection).

Management protection shared secret is configured with security-profilemanagement-protection-keysetting.

When interface is in AP mode, default management protection key (configured in security-profile) can be overridden by key specified in access-list or RADIUS attribute.

[admin@mikrotik] /interface wireless security-profiles> print 0 name="default" mode=none authentication-types="" unicast-ciphers="" group-ciphers="" wpa-pre-shared-key="" wpa2-pre-shared-key="" supplicant-identity="n-str-p46" eap-methods=passthrough tls-mode=no-certificates tls-certificate=none static-algo-0=none static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none static-sta-private-key="" radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no interim-update=0s radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username radius-mac-caching=disabled group-key-update=5mmanagement-protection=disabled management-protection-key=""

[admin@mikrotik] /interface wireless security-profiles> set default management-protection= allowed disabled required

Operation details

RADIUS MAC authentication

Note: RAIDUS MAC authentication is used by access point for clients that are not found in theaccess-list, similarly to thedefault-authentication无线接口的属性。它控制whether client is allowed to proceed with authentication, or is rejected immediately.

Whenradius-mac-authentication=yes, access point queries RADIUS server by sending Access-Request with the following attributes:

• User-Name - Client MAC address. This is encoded as specified by theradius-mac-formatsetting. Default encoding is "XX:XX:XX:XX:XX:XX".
• Nas-Port-Id -nameof wireless interface.
• User-Password - Whenradius-mac-mode=as-username-and-passwordthis is set to the same value as User-Name. Otherwise this attribute is empty.
• Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".
• Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (minus separated pairs of MAC address digits, followed by colon, followed by SSID value).
• Acct-Session-Id - Added whenradius-mac-accounting=yes.

When access point receives Access-Accept or Access-Reject response from the RADIUS server, it stores the response and either allows or rejects client. Access point uses following RADIUS attributes from the Access-Accept response:

• Ascend-Data-Rate
• Ascend-Xmit-Rate
• Mikrotik-Wireless-Forward - Same asaccess-listforwarding.
• Mikrotik-Wireless-Enc-Algo - Same asaccess-listprivate-algo.
• Mikrotik-Wireless-Enc-Key - Same asaccess-listprivate-key.
• Mikrotik-Wireless-Psk - Same asaccess-listprivate-pre-shared-key.
• Mikrotik-Wireless-Mpkey - Same as Management-protection-key in Access list
• Session-Timeout - Time, after which client will be disconnected.
• Acct-Interim-Interval - Overrides value ofinterim-update.
• Class - If present, value of this attribute is saved and included in Accounting-Request messages.

Caching

Caching of RADIUS MAC authentication was added to support RADIUS authentication for clients that require from the access point very quick response to the association request. Such clients time out before response from RADIUS server is received. Access point caches authentication response for some time and can immediately reply to the repeated association request from the same client.

RADIUS EAP pass-through authentication

When using WPA EAP authentication type, clients that have passed MAC authentication are required to perform EAP authentication before being authorized to pass data on wireless network. With pass-through EAP method the access point will relay authentication to RADIUS server, and use following attributes in the Access-Request RADIUS message:

• User-Name - EAP supplicant identity. This value is configured in thesupplicant-identityproperty of the client security profile.
• Nas-Port-Id -nameof wireless interface.
• Calling-Station-Id - Client MAC address, encoded as "XX-XX-XX-XX-XX-XX".
• Called-Station-Id - MAC address and SSID of the access point, encoded as "XX-XX-XX-XX-XX-XX:SSID" (pairs of MAC address digits separated by minus sign, followed by colon, followed by SSID value).
• Acct-Session-Id - Added whenradius-eap-accounting=yes.
• Acct-Multi-Session-Id - MAC address of access point and client, and unique 8 byte value, that is shared for all accounting sessions that share single EAP authentication. Encoded asAA-AA-AA-AA-AA-AA-CC-CC-CC-CC-CC-CC-XX-XX-XX-XX-XX-XX-XX-XX.Added when radius-eap-accounting=yes.

Access point uses following RADIUS attributes from the Access-Accept server response:

• Class - If present, value of this attribute is saved and included in Accounting-Request messages.
• Session-Timeout - Time, after which client will be disconnected. Additionally, access point will remember authentication result, and if during this time client reconnects, it will be authorized immediately, without repeating EAP authentication.
• Acct-Interim-Interval - Overrides value ofinterim-update.

Statically configured WEP keys

Different algorithms require different length of keys:

• 40bit-wep- 10 hexadecimal digits (40 bits). If key is longer, only first 40 bits are used.
• 104bit-wep- 26 hexadecimal digits (104 bits). If key is longer, only first 104 bits are used.
• tkip- At least 64 hexadecimal digits (256 bits).
• aes-ccm- At least 32 hexadecimal digits (128 bits).

Key must contain even number of hexadecimal digits.

WDS security configuration

WDS links can use all available security features. However, they require careful configuration of security parameters.

It is possible to use one security profile for all clients, and different security profiles for WDS links. Security profile for WDS link is specified inconnect-list. Access point always checks connect list before establishing WDS link with another access point, and used security settings from matching connect list entry. WDS link will work when each access point will have connect list entry that matches the other device, hasconnect=yesand specifies compatiblesecurity-profile.

WDS and WPA/WPA2

If access point uses security profile withmode=dynamic-keys, then encryption will be used for all WDS links. Since WPA authentication and key exchange is not symmetrical, one of the access points will act as a client for the purpose of establishing secure connection. This is similar to howstatic-meshanddynamic-meshWDS modes work. Some problems, like single sided WDS link between two incorrectly configured access points that use non-meshmode, is not possible if WPA encryption is enabled. However, non-meshmodes with WPA still have other issues (like constant reconnection attempts in case of configuration mismatch) that are solved by use of the-meshWDS modes.

In general, WPA properties on both access points that establish WPA protected WDS link have to match. These properties areauthentication-types,unicast-ciphers,group-ciphers. For non-meshWDS mode these properties need to have the same values on both devices. InmeshWDS mode each access point has to support the other one as a client.

Theoretically it is possible to use RADIUS MAC authentication and other RADIUS services with WDS links. However, only one access point will interact with the RADIUS server, the other access point will behave as a client.

Implementation ofeap-tlsEAP method in RouterOS is particularly well suited for WDS link encryption.tls-mode=no-certificatesrequires no additional configuration, and provides very strong encryption.

WDS and WEP

mode,static-sta-private-keyandstatic-sta-private-algoparameters in the security profile assigned to the WDS link need to have the same values on both access points that establish WDS link with WPA encryption.

Security profile and access point matching in the connect list

Client uses value ofconnect-listsecurity-profileproperty to match only those access points that support necessary security.

• mode=static-keys-requiredandmode=static-keys-optionalmatches only access points with the samemodein interfacesecurity-profile.
• Ifmode=dynamic-keys, then connect list entry matches if all of theauthentication-types,unicast-ciphersandgroup-cipherscontain at least one value that is advertised by access point.

Virtual interfaces

VirtualAP

It is possible to create virtual access points using theaddcommand in the wireless menu. You must specify themaster-interfacewhich the virtual interface will belong to. If "master-interface" mode is "station", Virtual AP will work only when "master-interface" will be active. The Virtual AP can have it's own SSID and Security Profile.

Virtual AP interface will only work if master interface is inap-bridge,bridge,stationor wds-slave mode. It works only with 802.11 protocol, Nv2 is not supported.

This feature is useful for separating access for different types of users. You can assign different bandwidth levels and passwords and instruct users to connect to the specific virtual network, it will appear to wireless clients as a different SSID or a different device. For example, when using QuickSet to configure a guest network, the VirtualAP feature is used in the background.

To create a new virtual-ap:/interface> wireless add mode=ap-bridge master-interface=wlan1 ssid=guests security-profile=guests(such security profile first needs to be created)

Note: you can create up to 127 virtual interfaces per physical interface. It is not recommended to create more 30, since the performance will start to degrade.

Virtual Clients

Note:Starting from 6.35 only in wireless-rep or wireless-cm2 package

It is also possible to create virtual clients and have both an AP and a Client on the same physical interface. This allows to make a repeater setup with only using one hardware card. The process of configuration is exacly the same as above, but use modestation:

To create a new virtual-client:/interface> wireless add mode=station master-interface=wlan1 ssid=where-to-connect security-profile=your-profile(such security profile first needs to be created)

Note:Virtual interfaces will always use the Master interface wireless frequency. If the Master interface has 'auto' frequency enabled it will use the wireless frequency that the Master interface selected.

Sniffer

Sub-menu:/interface wireless sniffer

Wireless sniffer allows to capture frames including Radio header, 802.11 header and other wireless related information.

Packets

Sub-menu:/interface wireless sniffer packet

Sub-menu shows captured packets.

Scan

扫描命令允许fre看到可用的美联社quency range defined in the scan-list. Using scan command the interface operation is disabled (wireless link is disconnected during the scan operation) Since RouterOS v6.35 (wireless-rep) background scan is supported which can be used during the wireless interface operation without disconnecting the wireless link. Background scan is supported only using 802.11 wireless protocol.

Scan tool will continue scanning for AP until user stops the scan process. It is possible to use 'rounds' setting for the scan tool to do scan through the scan-list entries specific times. It is useful when running scan tool using scripts. Example of scan command for one round:

/interface wireless scan wlan1 rounds=1

'save-file' option allows to do scripted/scheduled scans and save the results in file for future analysis. Also this feature together with rounds setting allows to get scan results from the remote wireless clients - executing that command will start the scan tool which disconnect the wireless link, does the scan through the scan-list frequencies and saves the results to file, exits the scan and connects the wireless link back. Example:

/interface wireless scan wlan1 rounds=1 save-file=scan1

To use background wireless scan the 'background=yes' setting should be provided. Example:

/interface wireless scan wlan1 background=yes

Background scan feature is working in such conditions:

• Wireless interface should be enabled
• For wireless interface in AP mode - when it is operating in 802.11 protocol mode and is on fixed channel (that is - channel selection and initial radar checking is over)
• For wireless interface in Station mode - when it is connected to 802.11 protocol AP.

Scan command is supported also on the Virtual wireless interfaces with such limitations:

• It is possible when virtual interface and its master is fixed on channel (master AP is running or master station is connected to AP).
• Scan is only performed in channel master interface is on.
• It does not matter if background=yes|no - on virtual interface scan does not disconnect clients/AP, so it is always "background".

Snooper

This tool monitors surrounding frequency usage, and displays which devices occupy each frequency. It's available both in console, and also in Winbox.Snooper will use frequencies from scan-list.

Sub-menu:/interface wireless snooper

Settings

光谱l scan

• See separate documentManual:Spectral_scan

WDS

Sub-menu:/interface wireless wds

Properties:

Read-only properties:

WPS

Wireless interface supports WPS Server and also WPS Client (supported by wireless-rep package starting from RouterOS v6.35).

WPS Server

WPS Server allows to connect wireless clients that support WPS to AP protected with the Pre-Shared Key without specifying that key in the clients configuration.

WPS Server can be enabled by changing the WPS Mode setting for the wireless interface. Example:

/interface wireless set wlan1 wps-mode=push-button

Wps-mode has 3 options

• disabled
• push-button - WPS is activated by pushing physical button on the board (few boards has such button marked on the board case/label)
• push-button-virtual-only - WPS is activated by pushing "WPS Accept" button from the RouterOS wireless interface menu

通过将WPS物理/虚拟按钮美联社enables the WPS functionality. If within 2 minutes the WPS process isn't initiated the WPS Accept Function is stopped.

WPS Server is enabled by default on few boards that has physical WPS button marked. For example, hap lite, hap, hap ac lite, hap ac, map lite

WPS Server is active only when wireless AP interface has Pre-Shared Key Authentication (PSK) enabled. It is possible to configure this mode for the Virtual AP interfaces as well.

WPS Client

WPS Client function allows the wireless client to get the Pre-Shared Key configuration of the AP that has WPS Server enabled. WPS Client can be enabled by such command:

/interface wireless wps-client wlan1

WPS客户机命令输出的所有信息the WPS Enabled AP on the screen. Example:

[admin@MikroTik] /interface wireless> wps-client wlan1 status: disconnected, success ssid: MikroTik mac-address: E4:8D:8C:D6:E0:AC passphrase: presharedkey authentication: wpa2-psk encryption: aes-ccm

It is possible to specify additional settings for the WPS-Client command:

• create-profile - creates wireless security profile with the specified name, configures it with security details received from the WPS AP, specifies the wireless interface to use the new created security profile
• ssid - get WPS information only from AP with specified SSID
• mac-address - get WPS information only from AP with specified mac-address

Repeater

无线中继器将允许接收信号from the AP and repeat the signal using the same physical interface locally for connecting other clients. This will allow to extend the wireless service for the wireless clients. Wireless repeater function will configure the wireless interface to connect to the AP with station-bridge or station-pseudobridge option, create a virtual AP interface, create a bridge interface and add both (main and the virtual) interfaces to the bridge ports.

If your APsupports button-enabled WPSmode, you can use the automatic setup command:

/interface wireless setup-repeater wlan1

The setup-repeater does the following steps:

• searches for WPS AP with button pushed
• acquires SSID, key, channel from AP
• resets main master interface config (same as reset-configuration)
• removes all bridge ports that were added for virtual interfaces added to this master (so there are no dangling invalid bridge ports later)
• removes all virtual interfaces added to this master
• creates security profile with name "--repeater", if such security profile already exists does not create new, just updates settings
• configures master interface, interface mode is selected like this: if AP supports bridge mode, use station-bridge, else if AP supports WDS, use station-wds, else use station-pseudobridge
• creates virtual AP interface with same SSID and security profile as master
• if master interface is not in some bridge, creates new bridge interface and adds master interface to it
• adds virtual AP interface to the same bridge master interface is in.

If your APdoes not support WPS, it is possible to specify the settings manually, using these parameters:

• address- MAC address of AP to setup repeater for (optional)
• ssid- SSID of AP to setup repeater for (optional)
• passphrase- key to use for AP - if this IS specified, command will just scan for AP and create security profile based on info in beacon and with this passphrase. If this IS NOT specified, command will do WPS to find out passphrase.

Roaming

Station Roaming

Station Roaming feature is available only for 802.11 wireless protocol and only for station modes. When RouterOS wireless client is connected to the AP using 802.11 wireless protocol it will periodically perform the background scan with specific time intervals. When the background scan will find an AP with better signal it will try to roam to that AP. The time intervals between the background scans will become shorter when the wireless signal becomes worse and the background scan interval will become longer when the wireless client signal will get better.

VLAN tagging

Sub-menu:/interface wireless

With VLAN tagging it is possible to separate Virtual AP traffic on Ethernet side of "locally forwarding" AP (the one on which wireless interfaces are bridged with Ethernet). This is necessary to separate e.g. "management" and "guest" network traffic of Ethernet side of APs.

VLAN is assigned for wireless interface and as a result all data coming from wireless gets tagged with this tag and only data with this tag will send out over wireless. This works for all wireless protocols except that on Nv2 there's no Virtual AP support.

You can configure your RADIUS authentication server to assign users or groups of users to a specific VLAN when they authenticate to the network. To use this option you will need to useRADIUS attributes.

Note:In case to use this option you must enable wireless-fp or wireless-cm2 package for RouterOS version up to 6.37. Starting from RouterOS v6.37 you can do that with regular wireless package.

Vlan tag override

Per-interface VLAN tag can be overridden on per-client basis by means of access-list and RADIUS attributes (for both - regular wireless and wireless controller).

This way traffic can be separated between wireless clients even on the same interface, but must be used with care - only "interface VLAN" broadcast/multicast traffic will be sent out. If working broadcast/multicast is necessary for other (overridden) VLANs as well, multicast-helper can be used for now (this changes every multicast packet to unicast and then it is only sent to clients with matching VLAN ids).

Winbox

Winboxis a small utility that allows the administration of Mikrotik RouterOS using a fast and simple GUI.

Note:Current Tx Power gives you information about transmit power currently used at specific data rate. Currently not supported for Atheros 802.11ac chips (e.g. QCA98xx).

Interworking Realms setting

For more information about interworking-profiles see themanual.

realms-raw- list of strings with hex values. Each string specifies contents of "NAI Realm Tuple", excluding "NAI Realm Data Field Length" field.

Each hex encoded string must consist of the following fields:

- NAI Realm Encoding (1 byte) - NAI Realm Length (1 byte) - NAI Realm (variable) - EAP Method Count (1 byte) - EAP Method Tuples (variable)

For example, value "00045465737401020d00" decodes as:

- NAI Realm Encoding: 0 (rfc4282) - NAI Realm Length: 4 - NAI Realm: Test - EAP Method Count: 1 - EAP Method Length: 2 - EAP Method Tuple: TLS, no EAP method parameters

注意,设置“realms-raw = 00045465737401020 d00" produces the same advertisement contents as setting "realms=Test:eap-tls".

Refer to 802.11-2016, section 9.4.5.10 for full NAI Realm encoding.