Initial Setup of MikroTik hAP ax³ Router

The MikroTik hAP ax³ is the latest addition to MikroTik's family of dual-band wireless routers. It offers Wi-Fi 6 (802.11ax) support, a 2.5 GbE WAN port, improved hardware performance, and enhanced security features. While it shares many configuration principles with its predecessor, the hAP ac³, several new capabilities and setup steps require attention.

This tutorial focuses on configuration steps for the hAP ax³, highlighting differences from the older ac³ model. This guide builds upon our previous tutorial for the MikroTik hAP ac³ model. Whether you're upgrading from an earlier model or deploying this router for the first time, this guide will help you get it up and running securely and efficiently.

Table of Contents

  1. Connect to MikroTik hAP ax³
  2. Change the default admin password
  3. Configure bridge IP Address
  4. Configure wireless Interfaces (wifi1 and wifi2)
  5. Enable HTTPS and disable unused services
  6. Connect the router to the Internet (PPPoE)
  7. Configure Network Address Translation (NAT) and firewall 
  8. Update RouterOS and firmware
  9. Backup and restore configuration

Before we dive into the configuration, let’s look at the hardware that makes the hAP ax³ a powerhouse. It features a Quad-core ARM64 CPU running at up to 1.8GHz and 1 GB of RAM (Figure 1).

Figure 1 - Hardware Specifications of the MikroTik hAP ax³

This hardware combination provides a significant performance boost over the previous hAP ac³ model, especially in Wi-Fi throughput (Figure 2).

MikroTik hAP ax³ also supports the 802.11ax protocol on both 2.4GHz and 5GHz bands. It introduces WPA3 support for superior security and MU-MIMO for handling multiple devices simultaneously.

Figure 2 - Wireless capabilities and specifications of the MikroTik hAP ax³

Figure 3 summarizes the key differences between MikroTik hAP ac³ and ax³ routers.

Figure 3 - MikroTik hAP ac³ and ax³ Parameters

1. Connect to MikroTik hAP ax³

There are two primary ways to access your new router for the first time:

  • Ethernet: Connect your PC to any port from ether2 to ether5. Your device will receive an IP address automatically via DHCP.
  • Wi-Fi network: You can connect using the default SSID (e.g., MikroTik-1ED097). Unlike older models, the MikroTik hAP ax³ features a unique default password and Wi-Fi key printed on the sticker.

Credentials are also printed on a hidden pull-out tab on the hAP ax³ unit itself, near the antennas (Figure 4). Simply pull the tab out to reveal a small sliding plastic card. This card contains the device's Serial Number, default SSID, unique Wi-Fi password, and the admin password for the initial RouterOS login.

Figure 4 - Hidden pull-out tab on the hAP ax³

Note: Even after a factory reset, the device will revert to these specific credentials printed on the card rather than a blank password.

2. Change the Default Admin Password

Security is paramount, so the first step is changing the default admin credentials. You can do this easily via the terminal:

> user set name=admin password=here_you_type_secret_pass 0

Note: '0' refers to the first user in the list, which is 'admin' by default.

3. Configure Bridge IP Address

By default, MikroTik groups all LAN ports and Wi-Fi interfaces into a single bridge named 'bridge.' Let’s verify whether the router IP address 192.168.88.1 is configured on the bridge interface, as shown in Figure 5:

> ip address/print detail

Figure 5 - Verification of the Bridge IP Address

Figure 6 shows the bridge interface with all connected interfaces. Only the ether1 interface (WAN) is not part of the bridge. This is the WAN port - a 2.5 Gb Ethernet interface with PoE.

> interface bridge port print

Figure 6 - Interfaces Assigned to Bridge Interface

4. Configure Wireless Networking

The MikroTik hAP ax³ uses the new WifiWave2 driver (referred to simply as wifi in RouterOS v7). It is essential for supporting Wi‑Fi 6 (802.11ax) and all related enhancements (OFDMA, BSS Coloring, Target Wake Time).

In older models (like the hAP ac³), the legacy wireless driver is used, which does not support Wi‑Fi 6. Therefore, Wi‑Fi configuration on the hAP ax³ is different – all commands are related to interface wifi and not interface wireless.

4.1 Check Default Wireless Configuration

Below is the default configuration for the wireless interfaces wifi1 and wifi2, as shown in Figure 7:

wifi1:

  • Interface wifi1 is the 5 GHz radio configured in AP mode.
  • It uses WPA2-PSK and WPA3-PSK authentication, with the default Wi-Fi key for the default SSID MikroTik-1ED097.
  • Fast Transition (FT) is enabled to ensure seamless roaming between access points.
  • The channel band is set to 5ghz-ax with a maximum channel width of 80 MHz
  • The Channel Availability Check (CAC) parameter forces the router to perform a 10-minute radar detection scan before activating DFS channels

wifi2:

  • Interface wifi2 is the 2.4 GHz radio configured in AP mode.
  • It also uses WPA2-PSK and WPA3-PSK authentication with the same default Wi‑Fi key as wifi1.
  • Fast Transition (FT) is enabled for seamless roaming.
  • The channel band is set to 2ghz-ax with a maximum channel width of 40 MHz.
  • CAC is not required for the 2.4 GHz band (frequencies 2412–2472 MHz), so the radio activates immediately.

Figure 7 - Default Wireless Interface Configuration

4.2 Check Wireless Frequency, Channel Width and TX Power

Since this is the default configuration and no parameters have been set yet, the channel frequency and TX power are not displayed. To check these settings, enter the following command (Figure 8):

> interface wifi monitor

The left column shows the 5 GHz radio (wifi1), while the right column shows the 2.4 GHz radio (wifi2). Both interfaces are active, allowing clients to connect to the AP on either frequency. Both radios use the standard 802.11ax (Wi-Fi 6).

Figure 8 - WiFiWave2 Interfaces Showing Frequency, Band, and Current TX Power

Interface wifi2 - 2467/ax/eC

  • The channel width is 40 MHz, composed of two 20 MHz channels labeled C and e:
    • C (Control Channel): The primary 20 MHz channel where network management occurs (beacons, connection acknowledgments). Devices connect through this channel.
    • e (Extension Channel): The additional 20 MHz channel that extends the primary channel to increase data throughput.
  • Channel frequencies:
    • C (Control): 2467 MHz (channel 12)
    • e (Extension): 2462 MHz (channel 11)
  • TX power: 16 dB = 39.8 milliwatts

Interface wifi1 - 5680/ax/eCee/D

  • The channel width is 80 MHz, composed of four 20 MHz channels labeled eCee.
  • D (DFS): Indicates the channel requires Dynamic Frequency Selection (radar monitoring on 5 GHz).
  • I (Indoor): Channel intended for indoor use only.
  • Channel layout (5680/ax/eCee/D):
    • C (Control): 5680 MHz (Channel 136) – the main control channel where all devices primarily coordinate.
    • e (Extension 1): 5660 MHz (Channel 132) – first block to the left of the control channel.
    • e (Extension 2): 5700 MHz (Channel 140) – first block to the right of the control channel.
    • e (Extension 3): 5720 MHz (Channel 144) – second block to the right, completing the 80 MHz band.
  • TX power: 24 dB = 250 milliwatts

4.3 Explain Channel Selection

MikroTik routers can automatically scan and select the best 5 GHz and 2.4 GHz channels by detecting neighboring Wi-Fi signals to minimize interference. So why did MikroTik select these specific channels? Let’s take a look at the spectrum scan (Figure 9):

> /interface/wifi/frequency-scan wifi2

MikroTik prioritized channel 12 (Figure 9) because:

  • Low Noise Floor (NF -100 dBm): A 20 dB cleaner environment compared to surrounding channels, allowing the router to capture even weak signals from mobile devices.
  • Minimal Traffic (20% LOAD): Approximately 37% more “airtime” is available for data compared to the congested channel 1, which has a 57% load.
  • No Strong Interferers (MAX-SIGNAL -95 dBm): Unlike channel 1, which suffers from a strong interfering signal (-55 dBm), interference on channel 12 is practically negligible.

Figure 9 - Frequency Scan of the 2.4 GHz Band

4.4 Configure Wireless Interfaces

We will use separate SSIDs for the 2.4 GHz and 5 GHz bands to maintain full control over device connectivity. The 5 GHz band provides higher speed and less interference. However, using DFS channels introduces a startup delay. After a reboot, only the 2.4 GHz network is immediately available because the router must perform a Channel Availability Check (CAC) for radar.

If both radios shared the same SSID, devices would initially connect to the 2.4 GHz network. Because of “sticky client” behavior, they may stay on the slower band even after the 5 GHz network is ready. Using separate SSIDs prevents this and ensures that high-performance devices connect to the optimal band.

Commands to set SSIDs and passwords:

> /interface/wifi set wifi1 configuration.country="Slovakia" configuration.ssid="internethome1-5GHz" security.passphrase="change_me"
> /interface/wifi set wifi2 configuration.country="Slovakia" configuration.ssid="internethome1-2.4GHz" security.passphrase="change_me"

The Country parameter ensures the router complies with local regulations. It governs allowed frequencies and maximum transmit power (EIRP). This prevents illegal interference with critical systems, such as weather radars.

If the country is not set, some devices may transmit at reduced power. This is done intentionally to avoid violating regional rules, but it can limit network performance.

Figure 10 - Wireless Interface Configuration

4.5 Fixing the 5GHz-n Fallback Issue

It is important to verify that your WiFi 6 devices are actually connecting via the 802.11ax protocol. If they connect via the older 802.11n protocol despite the router being configured for AX, the most likely culprit is the frequency selection (specifically DFS channels).

> /interface/wifi/registration-table print

Figure 11 - 802.11ax devices connecting to a WiFi 6 AP using the legacy 802.11n protocol.

High-frequency channels (above 100) are shared with radar systems. If the MikroTik router detects any potential interference, it will automatically downgrade the connection to a "safe" legacy mode (802.11n). To resolve this, we should set the 5GHz frequency to a non-DFS channel (such as 36, 40, 44, or 48).

Let’s select Channel 36 (5180 MHz):

> /interface/wifi set [find name=wifi1] channel.frequency=5180

Now we can verify whether the change helped. As you can see, the first and third devices have successfully switched from 802.11n to the 802.11ax (WiFi 6) protocol. The second device is 802.11ac only.

> /interface/wifi/registration-table print

Figure 12 - Devices Successfully Utilizing the 802.11ax Protocol after a Frequency Change

If you don’t want to connect to the router and check its registration table, you can use the iw utility on the wireless client (Linux) as shown in Figure 13:

# iw dev wlp0s20f3 link

The iw link output confirms that the protocol has successfully upgraded to WiFi 6. The presence of 'HE' (High Efficiency) indicators and an RX bitrate of 960.7 MBit/s on an 80 MHz channel proves the client is now utilizing the 802.11ax standard.

Figure 13 - Checking the WiFi interface Status on Debian Linux

5. Enable HTTPS and Disable Unused Services

By default, the MikroTik web interface is accessible only via HTTP. To encrypt traffic between the router and the management station, TLS must be enabled. To do this, we need to create a root Certificate Authority (CA) on the MikroTik, generate a certificate, and sign it using the private key of the root CA.

Create your own Certificate Authority:

> certificate add common-name=LocalCA key-usage=key-cert-sign,crl-sign

Sign the newly created CA certificate (self-signed):

> certificate sign LocalCA

Create a New Certificate for Webfig (non-root certificate):

> certificate add common-name=192.168.88.1 days-valid=3650 name=Webfig

Sign the new certificate with the root CA:

> certificate sign Webfig ca=LocalCA

Enable www-ssl:

> ip service set www-ssl certificate=Webfig disabled=no

We should always harden a router by managing active services. Therefore, disable any service that you do not actively use.

> /ip/service/disable ftp,www,telnet,api,api-ssl,winbox
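The service hardening above can be checked against a saved configuration export. The following is an added example, not part of the original tutorial: it audits the `/ip service` section of a constructed sample export, and the default service states and the function names `parse_services` and `audit_services` are assumptions of the example.

```python
import shlex

# Assumption (not from the tutorial): RouterOS enables every service by
# default except www-ssl, and a compact export lists only changed values.
DEFAULT_ENABLED = {"telnet": True, "ftp": True, "www": True, "ssh": True,
                   "www-ssl": False, "api": True, "winbox": True,
                   "api-ssl": True}
# Services the tutorial disables in section 5.
SHOULD_BE_OFF = ("ftp", "www", "telnet", "api", "api-ssl", "winbox")

# Constructed sample export: www, winbox and api-ssl were forgotten.
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www-ssl certificate=Webfig disabled=no
set api disabled=yes
/ip address
add address=192.168.88.1/24 interface=bridge
"""

def parse_services(export_text):
    """Return {service: {"enabled": bool, "certificate": str or None}}."""
    services = {name: {"enabled": on, "certificate": None}
                for name, on in DEFAULT_ENABLED.items()}
    section = None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            section = line  # a menu path opens a new export section
        elif section == "/ip service" and line.startswith("set "):
            name, *pairs = shlex.split(line)[1:]
            props = dict(p.split("=", 1) for p in pairs if "=" in p)
            if name in services:
                if "disabled" in props:
                    services[name]["enabled"] = props["disabled"] == "no"
                services[name]["certificate"] = props.get("certificate")
    return services

def audit_services(export_text):
    """List deviations from the service hardening in section 5."""
    services = parse_services(export_text)
    findings = [f"{name} is still enabled"
                for name in SHOULD_BE_OFF if services[name]["enabled"]]
    web = services["www-ssl"]
    if not web["enabled"]:
        findings.append("www-ssl is disabled")
    elif web["certificate"] in (None, "none"):
        findings.append("www-ssl has no certificate assigned")
    return findings
```

An empty findings list means the export matches the service state this section configures; SSH is left enabled, as in the tutorial.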

6. Connect Router to the Internet

To connect the router to the Internet using PPPoE, first create a new pppoe-client interface. Then link it to the WAN interface ether1.

> interface pppoe-client add interface=ether1 name=pppoe_int user=user_xyx@domain password=enter_pass_here use-peer-dns=yes add-default-route=yes
> interface pppoe-client enable pppoe_int

Check the status of the PPPoE interface using the following command (Figure 15):

> interface pppoe-client monitor

Figure 15 - Checking PPPoE Interfaces Status

By default, only the ether1 interface is a member of the WAN list (Figure 16). Therefore, we need to add the pppoe_int interface to the WAN list:

> interface/list/member/add list=WAN interface=pppoe_int

Figure 16 - Interface pppoe_int added to WAN List

At this point, the router should have a working Internet connection.

7. Configure Firewall and NAT 

7.1  Configure Source NAT

The firewall and Source NAT (PAT) are already configured by default. No changes to NAT table are necessary (Figure 17). You can verify the NAT configuration using the following command:

> ip firewall/nat/print detail

Figure 17 - Default Source NAT Configuration

7.2 Configure Firewall Filter Rules

The default firewall filter configuration depicted in Figure 18 needs to be modified as follows:

Figure 18 - Default Firewall Table Filter Configuration

Remove all rules except dynamic ones (rule 0).

> /ip firewall filter remove [find where !dynamic]

Add the following firewall rules:

> /ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=fasttrack-connection chain=forward hw-offload=yes comment="fasttrack established,related" connection-state=established,related
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN

Explanation of the new rules shown in Figure 19:

  • Rule 0: Dummy passthrough for FastTrack counters; does not affect traffic.
  • Rule 1: Accepts established, related, and untracked connections to the router.
  • Rule 2: Drops invalid connections to the router.
  • Rule 3: Allows ICMP traffic (ping).
  • Rule 4: Drops traffic to the router not from LAN interfaces.
  • Rule 5: Drops invalid forwarded connections.
  • Rule 6: FastTracks established/related forwarded connections with hardware offload.
  • Rule 7: Accepts established, related, and untracked forwarded connections.
  • Rule 8: Allows forwarded traffic matching inbound IPsec policy.
  • Rule 9: Allows forwarded traffic matching outbound IPsec policy.
  • Rule 10: Drops all unsolicited traffic from WAN not destination-NATed.

Figure 19 - Firewall Configuration
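The rules are evaluated top to bottom and the first match decides, which is why adding pppoe_int to the WAN list in section 6 matters for the last forward rule. The following is an added example, not part of the original tutorial: a simplified first-match model of the rule set above, with constructed packets and interface lists, and with hypothetical helper names `matches` and `verdict`.

```python
# Added example: simplified first-match model of the filter rules above.
# Each rule is (chain, action, comment, match); order follows the tutorial.
# The non-terminating fasttrack rule is left out; the accept after it decides.
EST = {"established", "related", "untracked"}
RULES = [
    ("input", "accept", "accept established,related,untracked", {"state": EST}),
    ("input", "drop", "drop invalid", {"state": {"invalid"}}),
    ("input", "accept", "accept ICMP", {"protocol": "icmp"}),
    ("input", "drop", "drop all not coming from LAN", {"not_in_list": "LAN"}),
    ("forward", "drop", "drop invalid", {"state": {"invalid"}}),
    ("forward", "accept", "accept established,related,untracked", {"state": EST}),
    ("forward", "accept", "accept in ipsec policy", {"ipsec": "in"}),
    ("forward", "accept", "accept out ipsec policy", {"ipsec": "out"}),
    ("forward", "drop", "drop all from WAN not DSTNATed",
     {"in_list": "WAN", "dstnat": False}),
]

def matches(match, pkt, lists):
    """True when every condition of one rule holds for the packet."""
    member_of = {name for name, ifaces in lists.items() if pkt["in_if"] in ifaces}
    checks = {
        "state": lambda v: pkt.get("state") in v,
        "protocol": lambda v: pkt.get("protocol") == v,
        "ipsec": lambda v: pkt.get("ipsec") == v,
        "in_list": lambda v: v in member_of,
        "not_in_list": lambda v: v not in member_of,
        "dstnat": lambda v: pkt.get("dstnat", False) == v,
    }
    return all(checks[key](value) for key, value in match.items())

def verdict(chain, pkt, lists):
    """Return (action, comment of the deciding rule or None)."""
    for rule_chain, action, comment, match in RULES:
        if rule_chain == chain and matches(match, pkt, lists):
            return action, comment
    return "accept", None  # RouterOS accepts a packet that matches no rule

# Constructed interface lists: default WAN list vs. after section 6.
DEFAULT_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}
FIXED_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1", "pppoe_int"}}
# Constructed packet: new, unsolicited connection arriving over PPPoE.
NEW_FROM_PPPOE = {"in_if": "pppoe_int", "state": "new", "protocol": "tcp"}

if __name__ == "__main__":
    for label, lists in (("default", DEFAULT_LISTS), ("fixed", FIXED_LISTS)):
        print(label, "input:", verdict("input", NEW_FROM_PPPOE, lists))
        print(label, "forward:", verdict("forward", NEW_FROM_PPPOE, lists))
```

With the default WAN list the unsolicited forward packet matches no rule and is accepted; once pppoe_int is a WAN member, the last rule drops it. The input chain drops it in both cases because pppoe_int is not in the LAN list.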

8. Update RouterOS and Firmware

Follow this guide to update RouterOS, upgrade the firmware, and back up your router: Initial Setup of MikroTik hAP AC³ Router.

9. Backup and Restore Configuration

Backup and restore of the configuration are described in Initial Setup of MikroTik hAP AC³ Router.

Conclusion

The MikroTik hAP ax³ is a powerhouse that brings enterprise-level performance to your home. By following this guide you ensure your network is lightning-fast and secure.

Reference:
https://tangentsoft.com/mikrotik/home
