Tuesday, December 15, 2015

Manually adding a Virtual Access Point

How To Manually add a Virtual Access Point  (VirtualAP)

Often you will need to add an additional wireless Access Point to an existing device, like for a dedicated bridge, or for Guest access.  Here are the simple steps for adding one to a 951Ui or an SXT Sector AP (may work with other models):

#1. Open the Wireless tables. (click "Wireless" in the Winbox menu)


#2. Click the + (plus sign) and choose VirtualAP from the pulldown.


#3. By default the name will be the next wlan available (wlan2 if it's your first virtual).
3a. You will notice that visually it will be connected to your default wlan1 and the MAC Address will be the same.
3b. You can change the MAC Address if you like, but for most usage this is not necessary.

#4. Click the Wireless Tab:
-Enter a SSID for this Virtual AP
-Leave the Master Interface on your master interface (wlan1 by default)
-Security Profile:  if you choose default it will be the same passkey as wlan1 (see #5 to change)
-VLAN and VLAN ID: leave it unless you know why you need to change
-Default AP TxRate: this is the Max Transmit rate for this Virtual AP, and it is where you limit the available bandwidth for this Virtual AP. Note that 2mb is entered as 2048k or 2m; 0 means no limit.

#5. Need a different passkey for your new Virtual AP?  Under the Wireless Tables click the "Security Profiles" tab.
-Click the + (plus sign)
-Give the profile a name and choose the authentication type(s), Apply, OK

#6. Click on the "Interfaces" tab, Double click on your new VirtualAP (Named wlan2 in the previous steps)
- click the "Wireless" tab
- change the Security Profile to the new profile you created in step 5. Apply, OK

#7. Add your new Virtual AP to the default Bridge:
- Click "Bridge" in the left menu
- Click the "ports" tab
- click the + (plus sign)
- choose the virtual interface you just added (wlan2) and the default bridge (bridge1)  Apply, OK.


Test it!

Tuesday, November 17, 2015

Wireless Bridge - simplified, part 2. The "receiving" side of a Bridge.

Wireless Bridging continued, part 2. Receiving.

I'm using a MikroTik SXT 2nD r2 for the receiving side of my wireless bridge. This device is super cheap due to the licensing being at "level 3". Level 3 licensing basically means one connection only, which is perfect for a device that is dedicated to bridging. I paid about $40 for mine; sometimes they are even less. Note that level 3 licensing is often billed as a "CPE" device (Customer Premises Equipment). The idea is that you are an ISP and you want to set up a simple, cheap device at your customer's premises to sell them Internet service; this device fits nicely for that scenario. Note that your local Internet provider may have a problem with you "reselling" your Internet, so check your ISP agreement for details.

#1.  Use the injector and boot the device up, connect with WinBox. You will be asked to install a default configuration, Click "Remove Configuration".


#2. Click "Quickset" in the left side menu.
Choose Bridge under Mode, put in a static IP, Gateway and DNS server that work on the network you are extending.
VERY IMPORTANT: click the "Bridge All LAN Ports" checkbox. I'm not sure where this option is in the menu, but you will NOT have a good bridge without it.
Under the Wireless Section choose the Wireless network you want to extend (see second picture below)
Click "Apply"

Notes: Depending on the RouterOS version, sometimes the DNS Servers field doesn't work; you can find it under IP, DNS. For added security (recommended), put a password in the Password/Confirm Password boxes. This is the admin logon for this device.

 choosing a country, Channel Width, (20ghz for this model) and a network. The password field will display once you choose a network to join.






















#3.  After you hit Apply you will likely be kicked off the SXT 2nD r2. I always have to set a static IP on my laptop network interface to match the network on the device to get WinBox to work again. Not sure why the MAC address connection doesn't continue to work.

UPDATE. fixing the join/drop problem...
Sorry I didn't get this in the write-up sooner. I'm understanding RouterOS and these devices better and figured out something very important, a missing step!

Step #4. Lastly, you need to go to Wireless > Security Profiles > open default. Select the EXACT Authentication Types and Ciphers you set up on the Sending side. See an explanation below.

This is a good time to test some pings to the other side of your wireless bridge (10.10.6.3 in my case) and see if you can get to the gateway (10.10.6.253 in this example).  Also a good time to upgrade the device to the latest RouterOS (click Quickset, Check for updates, download and upgrade).

At this point you should have a working wireless bridge. Next we will configure an Access point at the remote location.


(update note) Mikrotik has designed their devices for point-to-point bridges to be on two dedicated devices (for example a CPE to a CPE). This is an ideal way to set up a wireless bridge and would maximize throughput, because you're just routing traffic over the devices from point to point, not competing with wireless clients. However, in my installation I have a very slow Internet connection (sub 10mbps), and maximizing throughput with dedicated equipment doesn't really make sense since everything bottlenecks at my modem (the slowest part of my network). I decided to save the dollars and use an outdoor Access Point for the "sending" side of my bridge, configured essentially as a WISP AP instead of a PTP Bridge. In PTP Bridge mode you choose a "Server side" (send side) and a "Client side" (receive side), and the Quick Set menu asks you all the appropriate encryption questions and helps you make them match. When you configure as I have (one side in AP mode (send side) and one side in CPE mode (receive side)), you must manually configure the encryption on the receive side to match, because the default for a CPE device selects both WPA & WPA2 and all the cipher types. During authentication between the two devices, the CPE device cannot upgrade from WPA to WPA2 and gets stuck in a "loop" of connecting and disconnecting. Very frustrating! If you want to simplify this configuration, just use a dedicated CPE device on both ends and use the PTP Bridge mode from the Quick Set menu.
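One way to check the Step #4 requirement before the link starts to join and drop, as an added example that is not part of the original post: this Python script compares the authentication types and ciphers in the security-profile exports of the two sides. The sample exports and key are constructed, and the script assumes a compact export omits fields left at the RouterOS defaults.

```python
import shlex

# Constructed sample exports (not from the original posts), shaped like
# `/interface wireless security-profiles export` output on RouterOS v6.
SENDING = r"""
/interface wireless security-profiles
add authentication-types=wpa2-psk mode=dynamic-keys \
    name=Wireless-Bridge-Security wpa2-pre-shared-key=CONSTRUCTED-KEY
"""
RECEIVING = r"""
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys \
    unicast-ciphers=tkip,aes-ccm wpa2-pre-shared-key=CONSTRUCTED-KEY
"""

# Assumption: a compact export omits values left at the RouterOS default,
# which is aes-ccm for both cipher fields and empty for authentication-types.
DEFAULTS = {"authentication-types": "", "unicast-ciphers": "aes-ccm",
            "group-ciphers": "aes-ccm"}


def parse_profiles(export_text):
    """Return {profile name: {field: set of values}}; a `set` line without
    a name is the built-in profile and is stored as "default"."""
    text = export_text.replace("\\\n", " ")  # join continued lines
    profiles = {}
    for line in text.splitlines():
        if not line.strip().startswith(("add ", "set ")):
            continue
        pairs = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
        profiles[pairs.get("name", "default")] = {
            field: set(filter(None, pairs.get(field, default).split(",")))
            for field, default in DEFAULTS.items()
        }
    return profiles


def mismatches(send_profile, recv_profile):
    """Return {field: (send values, receive values)} where the sides differ."""
    return {
        field: (sorted(send_profile[field]), sorted(recv_profile[field]))
        for field in DEFAULTS if send_profile[field] != recv_profile[field]
    }


def check_bridge(send_export, send_name, recv_export, recv_name="default"):
    """Compare one named profile from each side's export."""
    send = parse_profiles(send_export)[send_name]
    recv = parse_profiles(recv_export)[recv_name]
    return mismatches(send, recv)
```

An empty result from `check_bridge` means the receive-side profile selects exactly the authentication types and ciphers of the send-side profile; any entry names a field to correct under Wireless > Security Profiles.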

Monday, November 2, 2015

Wireless Bridge - simplified. Part 1. The "sending" side of a Bridge.

A simple Wireless Bridge - Sending side.

Initially I thought I had to use a WDS (Wireless Distribution System) https://en.wikipedia.org/wiki/Wireless_distribution_system to make wireless bridging work, but after some playing and reading I realized that, with the distance between access points, I don't really care about the number one WDS advantage (maintaining MAC address across access points), and it will hurt the performance of my wifi network. WDS is great (and necessary) for a college campus or a large office building where people roam around while using devices, but with 1/4 mile between buildings I wouldn't expect someone to stream a video while traveling between buildings, so the MAC address preservation will never be needed.

In the interest of simplicity this guide will show how to set up a wireless bridge between two MikroTik devices. This setup assumes you have a DEDICATED device on one end just for doing the bridging, in my case on the "receive" side. Note that I also assume you are using routerOS 6.23 or better. I'm also assuming you have set up a simple access point as detailed here. I'm using a RBSXTG-2HnD device to do my sending.

Add a VirtualAP (virtual Access Point) to the "sending" device:
#1. Use Winbox and navigate to Wireless, click the Security Profiles tab, and add a new Security Profile (click the plus button).
#2. On the general tab enter a name for the new profile (I called mine Wireless-Bridge-Security), click the box for only WPA2 PSK and enter a password in the WPA2 Pre-Shared key box (must be 8 characters or longer). I recommend copy and paste from notepad to prevent mistakes. All other settings are fine at the defaults. Click Apply and OK when done.


#3. Navigate to Wireless, Interfaces, click the + and add a VirtualAP.
On the general tab give it a name and enter a MAC Address. For the MAC Address, a good place to start is to just add one digit to your wlan1 MAC Address. You can make one up too if you wish, but that could cause problems later.

#4. Click on the Wireless tab, put in an SSID (I used the same name as the interface name), choose the Master Interface (probably wlan1), and choose the Security Profile you created in Step 2. Leave the "Hide SSID" check-box unchecked for now; we will come back later and turn that off.

Note that you can change the default AP TxRate here. This would be a good place to limit the bandwidth for just this link. For a first try I would leave it alone though.

















We are done for now on the "sending" side. Next we have to configure a dedicated "receive" device.
See the next post, Wireless Bridge - Simplified, Part 2.

Thursday, October 29, 2015

A plain old Access Point

Just a plain old Access Point.

I already have a firewall, NAT configuration, and DHCP on a Cisco ASA so I don't need any of that on a MikroTik device. Out of the box it wants to turn all that on for you. For my configuration I will strip all that and start from a truly blank router, I will build up the stuff I need and leave the rest for a more complex install.
(Note: I'm assuming you are using routerOS 6.23 or better in all the below instructions)


First Access Point:
#1. Plug it in and use Winbox to configure:  Clicking the 3 dots lets you view everything Winbox finds on the local network, no need to even be on the subnet the MikroTik device is on, you can connect via MAC Address alone.











#2. On first load Winbox will ask if you want to apply a generic config:
If you click "Remove Configuration" you will have a pretty blank router. I recommend you start here.

Notes: Need to reset the config and start over?  In Winbox, Click System, Reset Configuration, Choose any options you need and then click the Reset Configuration button.
Using the web interface? Don't do this step! See the explanation in step #3.




#3. Once you remove the configuration the router will disconnect you because the default IP will be removed. Just reconnect via the MAC Address in Winbox. (If you are using the web interface to configure, or you just switched over to the web interface at this step, you have no IP to connect to. You can Reset the device manually to try again, see MikroTik documentation for instructions on resetting your device)

#4. Basic config:  I use the QuickSet function and set Network Name (SSID), Frequency, Country, WPA Security, a WiFi Password, Set Bridge Mode, IP, Subnet, Gateway.  Also you may want to Bridge all LAN Ports (unless you need multiple Ethernet interfaces) and set a system Identity (makes life easier when you are managing 8 access points). You may also want an Admin password, that is the Password entry in the lower right corner of the QuickSet.  A Note about the DNS Servers entry: I can't make DNS stay when I enter it here, (maybe a 6.23 bug?) but you can enter it under IP, DNS.
Click Apply















#5. This is a good time to test connectivity and if you want, upgrade to the latest routerOS (QuickSet, Check for Updates, Download & Upgrade)

Now you have a basic, stand-alone Access Point configured for your subnet. This configuration will work equally well on both the RB951Ui-2HnD indoor access point and the RBSXTG-2HnD outdoor access point.

See the next post: Wireless Bridge Part 1.

Monday, October 26, 2015

Mikrotik WiFi project overview

Project Overview

I have scoured the net and found so little information on SIMPLE MikroTik / Routerboard WiFi installations that I decided to write up my configuration in detail, for others to see working examples and so I have a record of what I did.

Here are my requirements:
1.  I need WiFi in several buildings.
2.  I need WiFi in some outdoor work areas.
3.  I need to share a single Internet connection that is at the entrance to the property and at the lowest geographic location.
4.  I don't want to daisy-chain the WiFi. As much as geographically possible I will bridge back to the original installation.
5.  I need a single network so I can access equipment and provide desktop support throughout the property.

To accomplish this I am using the following MikroTik 2.4ghz WiFi models:
- RB951Ui-2HnD   - Indoor AP and router.  see specs here: http://routerboard.com/RB951Ui-2HnD
- RBSXTG-2HnD  - outdoor AP and router.  specs: http://routerboard.com/RBSXTG2HnD
- RBSXT-2nD  or  SXT Lite2 - CPE station.  specs: http://routerboard.com/RBSXT2nDr2

Mikrotik makes products that are MUCH faster and more robust than these and I recommend all their equipment; however, this installation is in a remote location with 10mb Internet and I don't need 1gb ethernet or amazing throughput, plus these models are extremely affordable. A note about the SXT Lite2: this is an SXT with a level 3 license, which means it can only have one connection. We are using these devices to create wireless bridges, so we only need one network connection. You could use the full level 4 licensed SXTs to do the same thing and they would be more versatile. I chose the Lite2 because it was $15 cheaper than the full licensed SXT.

Here is the basic installation in a picture: