Sunday, August 11, 2019

Using a MikroTik cAP as a Home Wireless Access Point

My people have no tradition of proofreading.  —Ken White

Beware: if you follow these instructions and then expose your device to the Internet, it will be hacked immediately. The instructions that follow are for installing the cAP inside an already firewalled network.  You have been warned!

The MikroTik cAP

The MikroTik cAP is a very cool device.  It's about the size and shape of a smoke detector and can be easily ceiling-mounted in any location that you can reach with an Ethernet cable.  It's a PoE device, so the wall wart that powers it can be in a network closet, or, in my case, in the garage, where there's a UPS.  The trouble is, it's a router, running the full RouterOS product.  It's designed to be plugged directly into the ISP's interface device and be the only source of Internet where it's installed.  I wanted to use it as a wireless access point in a mostly-wired network, and there was the rub!

Initial Access

You will need a wireless device with a reasonable screen and keyboard, like a laptop.  Out of the box, the cAP's configurator is accessible only through the wireless interface.  That makes sense if the Ethernet interface is exposed to the wilds of the Internet, but it makes initial access hard.  The setup guide says you can associate with the cAP and it'll give you a compatible address via DHCP.  That didn't work for me.  Neither did MikroTik's Winbox software.

So, set your wireless device with a fixed address of 192.168.88.88, a gateway of 192.168.88.1, and no DNS.  Fire up the cAP and cause the laptop to associate with it.  Now you can open 192.168.88.1 with a web browser and you will get the web interface.  If you make a configuration mistake, you can get back to this state by holding the reset switch of the cAP while powering on and for five seconds afterward, until the LED starts to flash.

Gather Information

I suggest assigning a fixed internal address to the cAP, so you'll need an IPv4 address that's not in your DHCP pool. You will also need your IPv4 netmask, the address of your default gateway, and the addresses of your DNS server(s).

If, at this point, these instructions "seem complicated" you have overextended yourself.  The cAP is not really a consumer device.  Return it and get a consumer AP.

Configuration

Everything I read warned me not to mix changes to the Webfig interface with changes to the Quick Set interface.  I wasn't able to accomplish everything that way.  Here are the steps.

Set DNS: Click Webfig (top right) then, in the menu at the left, IP and then DNS.  Add the addresses of your DNS servers.  Click the down-triangle to add more addresses.  Click the "Apply" button.

Delete the firewall rules:  Still in Webfig and IP, click Firewall.  Delete all the rules except "drop invalid" and "special dummy rule to show fasttrack counters" by clicking the tiny minus-sign button before each rule.  This will allow future configuration through the Ethernet interface.  If you expose the Ethernet interface to the Internet, it will also enable hacking of your AP. 

Return to Quick Set by clicking the button at the top right.  Leave the pull-down at the top right set to "WISP AP," the default.  Set each of the following:

Network name:  This is the service set identifier (SSID) that the cAP will broadcast.

Set network security:  Check "wpa2" and "aes ccm" unless you have very old devices that need WPA or TKIP, in which case check those, too, and plan to replace the old devices!  In "WiFi password" put the preshared key.  It should be long but easy to type.  Four Diceware words will give almost 52 bits of entropy.  (Note that hacking this key requires physical proximity to the cAP.)

You can later set up a MAC access control list from the "Wireless" selection of Webfig if you like.

Set network parameters and admin password: Under "Configuration" select "bridge."

Under "Bridge" choose "Static" and fill in the IP address the router is to have, the netmask, and the default gateway.  DNS servers were set earlier.

Fill in the router administrative password twice.  (Make this a good one; an adversary who gets past the preshared key can then try to brute-force the administrative password.)  The two password fields will be replaced by a "Password" button after the password has been set and the configuration applied.

Apply the configuration: Click the "Apply configuration" button.  You will lose your connection to the router because its IPv4 address has been changed.  You can now remove the fixed address from your laptop and browse to the IP address you just set from a wired or wireless connection to your network.
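The following Python script is an added example, not part of the original post and not MikroTik's code. It does two things that the "Gather Information" and "Configuration" sections above ask of you: it checks that the fixed address you chose for the cAP is consistent with your netmask, gateway and DHCP pool (so DHCP can never hand the cAP's address to another device), and it prints the RouterOS command-line equivalent of the Quick Set steps (DNS, SSID, WPA2/AES-CCM preshared key, static address on the bridge, default route, admin password). The sample LAN values, the SSID and the passwords are constructed; the interface names `bridge` and `wlan1` are assumptions about the factory configuration, so confirm them with `/interface print` on your own cAP. The firewall-trimming step is not generated here because the identities of the default rules depend on the firmware version; do that one in Webfig as described above.

```python
import ipaddress
import string

# Constructed sample values for a home LAN (not from the original post);
# replace them with the ones you gathered for your own network.
LAN = {
    "cap_address": "192.168.1.250",                   # fixed address for the cAP
    "netmask": "255.255.255.0",
    "gateway": "192.168.1.1",
    "dns": ["192.168.1.1", "9.9.9.9"],
    "dhcp_pool": ("192.168.1.100", "192.168.1.199"),  # your router's DHCP range
}


def check_lan_parameters(p):
    """Return a list of problems with the gathered values; an empty list means they are consistent."""
    problems = []
    net = ipaddress.ip_network(f"{p['gateway']}/{p['netmask']}", strict=False)
    cap = ipaddress.ip_address(p["cap_address"])
    gw = ipaddress.ip_address(p["gateway"])
    if cap not in net:
        problems.append(f"{cap} is not inside the LAN {net}")
    elif cap in (net.network_address, net.broadcast_address):
        problems.append(f"{cap} is the network or broadcast address of {net}")
    if cap == gw:
        problems.append("cAP address collides with the default gateway")
    lo, hi = (ipaddress.ip_address(a) for a in p["dhcp_pool"])
    if lo <= cap <= hi:
        problems.append(f"{cap} lies inside the DHCP pool {lo}-{hi}; DHCP could hand it out twice")
    for server in p["dns"]:
        try:
            ipaddress.ip_address(server)
        except ValueError:
            problems.append(f"DNS server {server!r} is not an IP address")
    return problems


# Printable ASCII minus the three characters RouterOS treats specially inside
# double quotes: backslash, double quote and dollar sign.
_SAFE = set(string.ascii_letters + string.digits + " !#%&'()*+,-./:;<=>?@[]^_`{|}~")


def ros_quote(value):
    """Quote a string for a RouterOS command line, refusing characters that could
    change the meaning of the command rather than trying to escape them."""
    if not set(value) <= _SAFE:
        raise ValueError("value contains characters that are unsafe to embed in a RouterOS command")
    return f'"{value}"'


def routeros_commands(p, ssid, psk, admin_password, bridge="bridge", wlan="wlan1"):
    """Emit RouterOS CLI lines equivalent to the Quick Set steps in the post.
    'bridge' and 'wlan1' are assumed default interface names."""
    problems = check_lan_parameters(p)
    if problems:
        raise ValueError("; ".join(problems))
    net = ipaddress.ip_network(f"{p['gateway']}/{p['netmask']}", strict=False)
    return [
        # Set DNS (Webfig > IP > DNS)
        "/ip dns set servers=" + ",".join(p["dns"]),
        # Network security: WPA2-PSK with AES-CCM only, no WPA/TKIP
        "/interface wireless security-profiles set default mode=dynamic-keys "
        "authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm "
        f"wpa2-pre-shared-key={ros_quote(psk)}",
        # Network name (SSID)
        f"/interface wireless set {wlan} ssid={ros_quote(ssid)} security-profile=default",
        # Static address on the bridge and the default route via your gateway
        f"/ip address add address={p['cap_address']}/{net.prefixlen} interface={bridge}",
        f"/ip route add dst-address=0.0.0.0/0 gateway={p['gateway']}",
        # Administrative password
        f"/user set admin password={ros_quote(admin_password)}",
    ]


if __name__ == "__main__":
    # Constructed SSID and passwords; use your own Diceware passphrase.
    for line in routeros_commands(LAN, "HomeNet", "correct horse battery staple", "AdminPass-1"):
        print(line)
```

Run it with your own values before touching the cAP: if `check_lan_parameters` reports a problem, fix the plan rather than the router. The quoting helper deliberately refuses backslashes, double quotes and dollar signs instead of escaping them, because a passphrase that has to be typed anyway gains nothing from those characters and they are exactly the ones a RouterOS string would reinterpret.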

Update the RouterOS Software

Return to the router, log in, and on the Quick Set screen, press the "Check for Updates" button.   If an update is offered, apply it by clicking the "Download&Upgrade" button.

Optimize WiFi Performance

Author 'gryzli' has written a guide for optimizing RouterOS WiFi performance.  He's absolutely right about the WiFi Analyzer app for your Android phone.

It is unfortunate that RouterOS uses frequencies rather than channel assignments.  Wikipedia has a list of channels and frequencies.


Copyright © 2019 by Bob Brown.  Using a MikroTik cAP as a Home Wireless Access Point by Bob Brown is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.