Initial Setup of MikroTik hAP ac³ Router

This tutorial will help you install and configure the MikroTik hAP ac³ dual-band wireless router for home use. In terms of hardware, the router is an excellent device offering 5 Gigabit Ethernet ports and two high-gain wireless antennas with outstanding coverage. The operating system, RouterOS, is preinstalled with a Level 4 license which never expires and offers unlimited software upgrades. It can be configured using a GUI (web browser, WinBox), the CLI (SSH) or the RouterOS API (for example from Python). Here is my personal list of pros and cons:

Pros:
- affordable solution with a good price/performance ratio
- more features compared to other brands at the same price
- free software updates for the life of the product or a minimum of 5 years starting from date of purchase
- wide MikroTik community and support forum
- bandwidth management ability
- RouterOS built-in scripting language to automate maintenance tasks

Cons:
- the initial setup can be quite challenging if you do not have a deeper knowledge of how computer networks work

Picture 1 - MikroTik hAP ac³ Dual-band Wireless Router

Specifications:

- 5 Gigabit Ethernet ports, 1 Gigabit port with PoE-in (input voltage 18-28V, max total out 0.5A)
- CPU IPQ-4019 ARM 32bit 716MHz (4 cores)
- 256 MB RAM
- Storage size 128MB
- 2.4GHz 802.11b/g/n (max speed 300Mbps), 5GHz band 802.11a/n/ac (max speed 867Mbps)
- Antenna gain for 2.4GHz: 3dBi, 5GHz: 5.5dBi
- Wireless mode: AP, Client, WDS, Bridge, WISP, Repeater
- Tested ambient temperature: -40°C to 70°C
- IPSec hardware acceleration
- 1x USB 2.0 port
- Max power consumption: 30W, 12W without attachments
- RouterOS, license 4

1. Installation

Mount the base plate on the MikroTik depending on whether you want to place the device horizontally or vertically (Picture 2). After that, connect the provided antennas to the device and power it on.

Picture 2 - Mounting Plate for Horizontal Position

2. Connect to hAP ac³ via Default Open WiFi network

Connect to the router via the default unsecured wireless network. The ESSID is MikroTik-E316BB. Remember that information exchanged between the router and the management station is sent as plain text over an unsecured wireless network. Anyone connected to the network can read the credentials because SSL/TLS is not yet enabled on the router.

The default LAN IP address is 192.168.88.1 and the HTTP management interface is accessible at the URL http://192.168.88.1. The username is admin and no password is set. A DHCP server is enabled on the router, so the client should obtain an IP address from the router if a DHCP client is running on it.

3. Quick Setup Wizard

MikroTik hAP ac³ provides a Quick Set button that allows you to configure the device with just a few clicks. Click the Quick Set button in the right corner of the router administration page and select the preferred Quick Set mode, either Home AP Dual or WISP AP.

Home AP Dual is the default Access Point configuration page for most home users; it provides fewer options and simplified terminology. WISP AP is similar to the Home AP mode but provides more advanced options.

Since our goal is to configure the MikroTik hAP ac³ step by step using the console, we will skip the Quick Setup Wizard. Nevertheless, I strongly recommend using the wizard if you are not a network guru or just want to speed up the configuration process.

4. Changing Default Password for Admin Account

We will set a password for the admin account.

[admin@MikroTik] > user set name=admin password=here_you_type_secret_pass 0

However, we are logged in as the admin user, so we can simply enter the command:

[admin@MikroTik] > user set password=here_you_type_secret_pass 0

Note: If you want to create a new user john and restrict the IP address the user john is allowed to log in from, just type:

[admin@MikroTik] > user add name=john group=full password=secret_string address=192.168.88.251

To list all users type the command below (Picture 3).

[admin@MikroTik] > user print

Picture 3 - Checking Available Users

We have assigned user john to the default group full, which is one of the default groups read/write/full. The group full is almost identical to the group write but additionally has the ftp and policy policies (Picture 4).

[admin@MikroTik] > user group print

Picture 4 - Checking Group and Policies

5. Bridge IP Address Configuration

So far, we have a working connection from the LAN to the router IP 192.168.88.1. The IP address 192.168.88.1 is configured on the physical interface ether2 by default (Picture 5).

Picture 5 - LAN IP Address Configuration

Picture 6 depicts the bridge interface with all interfaces connected to the bridge. Only the interface ether1 (the WAN interface) is not connected to the bridge.

[admin@MikroTik] > interface bridge port print

Picture 6 - Interfaces Assigned to Bridge Interface

The correct approach is to configure IP address 192.168.88.1 on the bridge interface and remove the IP address from the interface ether2.

[admin@MikroTik] > ip address add interface=bridge address=192.168.88.1/24 broadcast=192.168.88.255 netmask=255.255.255.0 network=192.168.88.0 comment="default gw address for LAN"

Picture 7 depicts IP address configuration.

Picture 7 - IP Address Configuration for All Interfaces

Notice that the IP address 192.168.88.1/24 is now configured on both interfaces, ether2 and bridge. Remove the IP address from the interface ether2 with the command:

[admin@MikroTik] > ip address remove 0

At this point, I lost my network connection with the router. Therefore, I restarted the device, but the connection to the router still did not work. While troubleshooting, I realized that the web interface was working, so I logged in to the device using a browser and started the SSH service from the menu (IP -> Services -> ssh) by clicking the Enable button.

Picture 8 - IP Address 192.168.88.1 Configured on Bridge Interface

6. Wireless Network Configuration

The default wireless network is open and therefore insecure, so we need to set up WPA2-PSK. First we will create a new security profile named my home wifi with wpa2-psk authentication.

[admin@MikroTik] > interface wireless security-profiles add name="my home wifi" authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=veery_secret_pass

There are two wireless interfaces: wlan1 (number 0) and wlan2 (number 1). The interface wlan1 serves the band 2ghz-b/g/n and wlan2 the band 5ghz-a/n/ac. We will assign the security profile my home wifi to both interfaces with the same SSID internethome1 (Picture 9).

[admin@MikroTik] > interface wireless set 0 security-profile="my home wifi" mode=ap-bridge ssid="internethome1"
[admin@MikroTik] > interface wireless set 1 security-profile="my home wifi" mode=ap-bridge ssid="internethome1"

Picture 9 - Wireless Interfaces Configured for WPA2-PSK

Note: If both bands provide a good-quality signal, most modern devices choose 5GHz for the speed. Over some distance or through walls, the 2GHz signal copes better with obstacles, so at some point the 2GHz signal is simply stronger than 5GHz, and the device will then usually choose 2GHz because of signal strength.

7. Enable HTTPS

By default, the MikroTik web interface is only available via HTTP. To encrypt traffic between the router and the management station we need to enable TLS. To do so, we must create our own root Certificate Authority (CA) on the MikroTik, generate a server certificate and sign it with the private key of the root CA. Because the CA is our own, browsers will warn about the certificate until the LocalCA certificate is imported into their trust store.

Create own Certification Authority:

[admin@MikroTik] > certificate add common-name=LocalCA key-usage=key-cert-sign,crl-sign

Sign Newly Created CA Certificate:

[admin@MikroTik] > certificate sign LocalCA

Create a New Certificate for Webfig (non-root certificate):

[admin@MikroTik] > certificate add common-name=192.168.88.1 days-valid=3650 name=Webfig

Sign New Certificate:

[admin@MikroTik] > certificate sign Webfig ca=LocalCA

Enable www-ssl:

[admin@MikroTik] > ip service set www-ssl certificate=Webfig disabled=no

8. Disable Unused Services

The more services are enabled, the larger the attack surface of the device. For instance, due to a vulnerability in the WinBox interface, MikroTik RouterOS through 6.42 allows unauthenticated remote attackers to read arbitrary files and remote authenticated attackers to write arbitrary files (CVE-2018-14847). That is why it is definitely a good idea to disable unused services. Since www-ssl was enabled in the previous step, plain www can be disabled as well; verify that https://192.168.88.1 works first so that you do not lose management access. SSH stays enabled because the rest of this tutorial uses the console.

[admin@MikroTik] > ip service disable www
[admin@MikroTik] > ip service disable telnet
[admin@MikroTik] > ip service disable api
[admin@MikroTik] > ip service disable api-ssl
[admin@MikroTik] > ip service disable winbox
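As an added example (not part of the original tutorial), the following Python script audits a RouterOS export against the hardening steps of sections 6 to 8: a wpa2-psk security profile assigned to both wireless interfaces, www-ssl enabled with a certificate, and the services above disabled. The export text is constructed for the example (a real one comes from the export command in section 12); since export omits settings still at their factory defaults, a service that does not appear in it is treated as enabled.

```python
import shlex

# Constructed "/export" output after sections 6-8 of this page (not the author's real export; the
# key is a placeholder). /export omits settings still at factory defaults, so e.g. "www" is absent.
SAMPLE_EXPORT = """\
/interface wireless security-profiles
add authentication-types=wpa2-psk mode=dynamic-keys name="my home wifi" wpa2-pre-shared-key=veery_secret_pass
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n mode=ap-bridge security-profile="my home wifi" ssid=internethome1
set [ find default-name=wlan2 ] band=5ghz-a/n/ac mode=ap-bridge security-profile=default ssid=internethome1
/ip service
set telnet disabled=yes
set www-ssl certificate=Webfig disabled=no
set winbox disabled=yes
"""

MUST_BE_DISABLED = {"www", "telnet", "api", "api-ssl", "winbox"}  # the list from section 8

def parse_export(text):
    entries, section = [], ""                    # (menu section, item name, {key: value}) tuples
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("/"):                 # menu path, e.g. "/ip service"
            section = line
        elif not line.startswith("#"):           # skip the export's header comments
            tokens, target, args = shlex.split(line), "", {}   # shlex keeps "my home wifi" together
            for tok in tokens[1:]:               # tokens[0] is the verb (add/set)
                if "=" in tok:
                    key, value = tok.split("=", 1)
                    args[key] = value
                elif tok not in ("[", "]", "find"):
                    target = tok                 # positional item name, e.g. "www"
            entries.append((section, args.get("default-name", args.get("name", target)), args))
    return entries

def audit(text):
    findings, services = [], {}                  # empty findings list means all checks pass
    for section, name, args in parse_export(text):
        if section == "/ip service":
            services[name] = args
        elif section == "/interface wireless security-profiles" and "wpa2-psk" not in args.get("authentication-types", "").split(","):
            findings.append(f"security profile {name!r} does not use wpa2-psk")
        elif section == "/interface wireless" and args.get("security-profile", "default") == "default":
            findings.append(f"{name} still uses the open 'default' security profile")
    for svc in sorted(MUST_BE_DISABLED):         # absent from the export means still at default (enabled)
        if services.get(svc, {}).get("disabled") != "yes":
            findings.append(f"service {svc} is still enabled")
    ssl = services.get("www-ssl", {})
    if ssl.get("disabled", "yes") == "yes" or not ssl.get("certificate"):
        findings.append("www-ssl is not enabled with a certificate")
    return findings
```

Running audit(SAMPLE_EXPORT) reports wlan2 still on the default profile and www, api and api-ssl still enabled, which is exactly what the export does not mention.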

9. Connecting Router to the Internet

The interface bridge is a member of the LAN list and the interface ether1 of the WAN list (Picture 10). An interface list defines a set of interfaces for easier management in interface-based configuration sections such as neighbor discovery, firewall, bridge and Internet detect.

[admin@MikroTik] > interface list member print

Picture 10 - Interface Ether 1 Assigned To WAN List

To connect the router to the Internet using the PPPoE protocol, create a new pppoe-client interface and associate it with the WAN interface ether1:

[admin@MikroTik] > interface pppoe-client add interface=ether1 name=pppoe_int user=user_xyx@domain password=enter_pass_here use-peer-dns=yes add-default-route=yes
[admin@MikroTik] > interface pppoe-client enable pppoe_int

Check the status of the pppoe interface with the command below (Picture 11):

[admin@MikroTik] > interface pppoe-client monitor pppoe_int

Picture 11 - Checking PPPoE Interfaces Status

We also need to add a source NAT firewall rule so that local addresses are hidden behind the public IP address:

[admin@MikroTik] > ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN

At this point, we should be able to connect from the client to the Internet.

10. MikroTik hAP ac³ Firewall

The device has the firewall already enabled and fully operational. Remember, you can find out whether an interface is in the WAN or LAN interface list with the command "interface list member print". In our case, ether1 and pppoe_int are assigned to the WAN list and the bridge is in the LAN list. The most important rules are explained below.

Input chain rules:
1 - accepts established connections that were initiated from the router itself
5 - allows connections to the router from LAN only

Forward chain rules:
9 - accepts established connections only
11 - drops all new connections from WAN that are not DSTNATed

Note: if you want to edit a rule, first look up its number. For instance, rule number 3 accepts ICMP traffic:

3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""

To block ICMP traffic temporarily, edit the rule as follows:

[admin@MikroTik] > ip firewall filter set 3 action=drop

The NAT table has only a single source NAT rule, which translates inside local IP addresses (of LAN clients) to the inside global address:

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface-list=WAN

11. Update RouterOS (Packages) and Firmware (Bootloader)

Updating is very important because it fixes discovered vulnerabilities and corrects or removes bugs; it also adds new features. The MikroTik hAP ac³ is set to the long-term release channel by default.

Long-term is a mostly bug-free version; new features and bug fixes arrive there later, after they have proven themselves. When a Stable release has been out for a while and seems stable enough, it gets promoted to the Long-term channel, replacing an older release.

Stable is the current version of RouterOS that is good enough to use: new features are included and older bugs corrected, but new bugs can be introduced. It is released every few weeks and includes all tested features and fixes.

To switch from the long-term to the stable release channel:

[admin@MikroTik] > system package update set channel=stable

Check whether the packages are up to date:

[admin@MikroTik] > system package update print

Picture 12 - Checking New Updates

Note: Use the command below to check whether the packages can be updated.

[admin@MikroTik] > system package update check-for-updates

To update to the latest stable RouterOS version 6.48.3, enter the command:

[admin@MikroTik] > system package update install

After the reboot, check the version of all packages:

[admin@MikroTik] > system package print

Picture 13 - Checking Packages Version

Note: The packages are upgraded but the firmware is still at the old version. Picture 14 shows the case where RouterOS v6.49.2 is installed, but the bootloader is v6.47.8.

Picture 14 - Packages and Firmware Versions Are Different

MikroTik recommends updating the firmware after the RouterOS upgrade. To check the firmware version, enter the command:

[admin@MikroTik] > system routerboard print

To upgrade the firmware, enter the command below and reboot the device:

[admin@MikroTik] > system routerboard upgrade

12. Backup and Restore MikroTik Configuration

12.1 Backup Configuration to Remote OpenSSH Server

Finally, we back up the MikroTik configuration. The export command prints a script that can be used to restore the configuration. The export generates a file that is meant to be applied to a "fresh" installation of RouterOS.

Export configuration file:

[admin@MikroTik] > export file=configuration-file.txt

You can check if the script has been exported with the command:

[admin@MikroTik] > file print

Picture 15 - Exporting Script Configuration File

To upload the script from the MikroTik to an OpenSSH server listening on 192.168.88.253:22, enter the command below on the MikroTik:

[admin@MikroTik] > tool fetch url="sftp://192.168.88.253/home/user123/configuration-file.txt.rsc" user=user123 password=secret_pass_here upload=yes src-path=configuration-file.txt.rsc

12.2 Restore Configuration From Remote OpenSSH Server

Download configuration script from remote location. Connect to MikroTik and enter the command below:

[admin@MikroTik] > tool fetch url="sftp://192.168.88.253/home/user123/configuration-file.txt.rsc" user=user123 password=secret_pass_here upload=no dst-path=configuration-file.txt.rsc

Import configuration:

[admin@MikroTik] > import configuration-file.txt.rsc verbose=yes

Note: The export generates a file that should be applied to a "fresh" installation of RouterOS. For instance, if your config contains the line that adds the bridge interface, the system will complain that the interface already exists. Therefore, you must inspect the configuration file before import and "manually" delete the line that adds the bridge.
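As an added example (not the author's code), this Python helper performs the manual inspection described in the note above before the file is uploaded and imported: it drops the "add" line that would recreate the bridge, and any other item you list as already existing on the target router. The .rsc fragment, the MAC address and the software id are constructed placeholders.

```python
import shlex

# Constructed fragment of the exported configuration-file.txt.rsc from section 12.1 (not the
# author's real file; MAC and software id are placeholders). On a router that is not "fresh",
# the "add ... name=bridge" line fails because the default bridge already exists.
SAMPLE_RSC = """\
# jan/02/1970 00:00:00 by RouterOS 6.48.3
# software id = XXXX-XXXX
#
/interface bridge
add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
/ip address
add address=192.168.88.1/24 comment="default gw address for LAN" interface=bridge network=192.168.88.0
"""

# Items assumed to exist already on the target router: {menu section: set of item names}.
# Only the bridge from the note above is listed by default; extend it for your own device.
DEFAULT_EXISTING = {"/interface bridge": {"bridge"}}

def item_name(add_line):
    """Return the value of the name= argument of an 'add' line, or None if it has none."""
    for tok in shlex.split(add_line):          # shlex keeps quoted names such as "my home wifi" whole
        if tok.startswith("name="):
            return tok.split("=", 1)[1]
    return None

def strip_existing(rsc_text, existing=None):
    """Return (cleaned script, dropped lines). An 'add' line is dropped when its menu section is
    listed in `existing` and its name= is already present there; everything else is kept."""
    existing = DEFAULT_EXISTING if existing is None else existing
    kept, dropped, section = [], [], ""
    for line in rsc_text.splitlines():
        if line.startswith("/"):                   # menu path, e.g. "/interface bridge"
            section = line.strip()
        elif line.startswith("add ") and item_name(line) in existing.get(section, ()):
            dropped.append(line)
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", dropped
```

The bridge port and the IP address lines still reference the bridge by name, which is fine because that bridge exists on the target; only the line that would create it again is removed.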

End.

2 thoughts on “Initial Setup of MikroTik hAP ac³ Router”

  1. excellent documentation! thank you!!! This is the best RouterOS doc my CLI-centric brain has found.

    a small correction:

    user set password=here_you_type_secret_pass 0
