MikroTik Wireless: Complete WiFi, CAPsMAN, and Access Point Configuration Guide
Learn MikroTik wireless configuration including WiFi setup, CAPsMAN centralized management, security profiles, and enterprise access point deployment strategies.

Introduction: MikroTik's Wireless Ecosystem
MikroTik offers one of the most flexible and cost-effective wireless solutions in the networking market. Whether you're deploying a simple home WiFi network or managing hundreds of enterprise access points, RouterOS provides the tools you need. This guide covers everything from basic wireless interface configuration to advanced CAPsMAN centralized management.
Wireless Package Evolution: Understanding Your Hardware
Wireless Package Types
MikroTik has evolved its wireless drivers across different RouterOS versions:
# Check installed wireless packages
/system package print
# Common wireless packages:
# - wireless (legacy, up to 802.11ac)
# - wifi-qcom (802.11ax, RouterOS v7.13+)
# - wifi-qcom-ac (optional 802.11ac drivers)
Hardware Compatibility
- Legacy Devices: Use wireless package (hAP ac, RB951Ui-2HnD)
- WiFi 6/AX Devices: Require wifi-qcom package (hAP ax, Audience)
- Mixed Environments: CAPsMAN can manage both package types
Basic Wireless Interface Configuration
Initial Wireless Setup
# Enable wireless interface
/interface wireless enable wlan1
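# Basic access point configuration
# (the built-in "default" security profile has mode=none, i.e. an open network, unless it
# has been edited; attach a WPA2/WPA3 profile before putting the AP into service)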
/interface wireless set wlan1 \
disabled=no \
mode=ap-bridge \
ssid="MyOffice-WiFi" \
band=2ghz-b/g/n \
frequency=auto \
channel-width=20/40mhz-ce \
wireless-protocol=802.11 \
security-profile=default
# Check wireless status
/interface wireless print
Security Profile Configuration
# Create WPA2 security profile
# (despite the profile name, wpa2-psk is WPA2-Personal with a pre-shared key, not 802.1X)
/interface wireless security-profiles add \
name=wpa2-enterprise \
authentication-types=wpa2-psk \
mode=dynamic-keys \
unicast-ciphers=aes-ccm \
group-ciphers=aes-ccm \
wpa2-pre-shared-key="StrongPassword123!"
# Create WPA3 security profile (for compatible devices)
# WPA3 is not offered by the legacy wireless package; on wifi-qcom / wifi-qcom-ac
# devices the profile is created under /interface wifi security
/interface wifi security add \
name=wpa3-personal \
authentication-types=wpa3-psk \
passphrase="EvenStrongerPassword456!"
Advanced Wireless Settings
Frequency and Channel Optimization
# 5GHz access point configuration
/interface wireless set wlan2 \
mode=ap-bridge \
band=5ghz-a/n/ac \
frequency=auto \
channel-width=20/40/80mhz-XXXX \
ssid="MyOffice-5GHz" \
security-profile=wpa2-enterprise
# Manual frequency selection for crowded areas
/interface wireless set wlan1 \
frequency=2412 \
channel-width=20mhz \
skip-dfs-channels=all
Advanced Radio Settings
# Optimize for high-density environments
/interface wireless set wlan1 \
adaptive-noise-immunity=ap-and-client-mode \
amsdu-limit=8192 \
ampdu-priorities=0,1,2,3,4,5,6,7 \
hide-ssid=no \
installation=indoor \
multicast-helper=full
# TX power adjustment
/interface wireless set wlan1 tx-power-mode=card-rates \
tx-power=20
CAPsMAN: Centralized Wireless Management
CAPsMAN Controller Setup
# Enable CAPsMAN (with the legacy wireless package the controller is configured under /caps-man)
# ca-certificate=none leaves CAPs unauthenticated by certificate; certificate=auto,
# ca-certificate=auto and require-peer-certificate=yes enforce certificates
/caps-man manager set enabled=yes
/caps-man manager set ca-certificate=none
# Create configuration templates
# (security= names a /caps-man security entry such as psk-security, not a local security profile)
/caps-man configuration \
add name=office-2ghz \
ssid="Office-2G" \
mode=ap \
channel.band=2ghz-b/g/n \
security=psk-security
/caps-man configuration \
add name=office-5ghz \
ssid="Office-5G" \
mode=ap \
channel.band=5ghz-a/n/ac \
security=psk-security
# Create provisioning rules
# (each slave configuration becomes a virtual AP on the same radio)
/caps-man provisioning \
add action=create-dynamic-enabled \
master-configuration=office-2ghz \
slave-configurations=office-5ghz \
hw-supported-modes=gn
/caps-man provisioning \
add action=create-dynamic-enabled \
master-configuration=office-5ghz \
slave-configurations=office-2ghz \
hw-supported-modes=ac
CAPsMAN Security Configuration
# Enterprise (802.1X) security: CAPsMAN relays EAP to the RADIUS server
/caps-man security \
add name=enterprise-security \
authentication-types=wpa2-eap \
eap-methods=passthrough \
encryption=aes-ccm \
disable-pmkid=no
# Pre-shared key security
/caps-man security \
add name=psk-security \
authentication-types=wpa2-psk \
encryption=aes-ccm \
passphrase="SecurePassphrase123"
Wireless Modes and Use Cases
Access Point Mode
# Standard AP configuration
/interface wireless set wlan1 \
mode=ap-bridge \
ssid="Office-Network" \
security-profile=default
Station Mode (Client)
# Connect as client to another AP
/interface wireless set wlan1 \
mode=station \
ssid="Upstream-AP" \
security-profile=client-profile
Bridge Modes
# Station bridge for transparent bridging
/interface wireless set wlan1 \
mode=station-bridge \
ssid="Remote-Office" \
security-profile=bridge-profile
# Station pseudobridge for specific use cases
/interface wireless set wlan1 \
mode=station-pseudobridge \
ssid="Pseudo-Bridge" \
security-profile=bridge-profile
Mesh Networking
# Mesh point configuration
/interface wireless set wlan1 \
mode=mesh \
mesh-id="Office-Mesh" \
security-profile=mesh-profile
Wireless Security Best Practices
Enterprise Security Setup
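# RADIUS integration for enterprise WiFi
# (an access point relays EAP to the RADIUS server with eap-methods=passthrough;
# the tls-* settings are only used when the router itself runs the EAP method)
/interface wireless security-profiles \
add name=enterprise-wpa2 \
mode=dynamic-keys \
authentication-types=wpa2-eap \
eap-methods=passthrough \
management-protection=allowed \
tls-mode=verify-certificate \
tls-certificate=corp-ca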
# Configure RADIUS server
/radius add service=wireless \
address=192.168.88.10 \
secret="radius-shared-secret" \
timeout=10s \
called-id="office-wifi"
MAC Authentication and Access Control
# MAC address access list
# (MAC addresses can be spoofed; use this alongside WPA2/WPA3, not in place of it)
/interface wireless access-list \
add mac-address=AA:BB:CC:DD:EE:FF \
interface=wlan1 \
authentication=yes \
comment="CEO Laptop"
/interface wireless access-list \
add mac-address=11:22:33:44:55:66 \
interface=wlan1 \
authentication=no \
comment="Blocked Device"
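An added example, not part of the original guide or MikroTik's tooling: a small Python check that reads RouterOS `/export` text and flags the weak wireless settings discussed in this guide (open security profiles, WPA1/TKIP, world-readable graphing). The export below is a constructed sample; the parser assumes the legacy `wireless` package menus and plain `set`/`add key=value` lines.

```python
import shlex
SAMPLE_EXPORT = r'''
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=wpa2-enterprise \
    wpa2-pre-shared-key="StrongPassword123!"
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=legacy \
    unicast-ciphers=tkip,aes-ccm wpa2-pre-shared-key="old printer key"
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MyOffice-WiFi
/tool graphing interface
add allow-address=0.0.0.0/0 interface=wlan1
'''  # constructed sample export, not taken from a real device

def parse_export(text):  # yields (menu, attrs) per command, joining "\" continuations
    menu, buf = "", ""
    for line in map(str.strip, text.splitlines()):
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            attrs, depth = {}, 0
            for tok in shlex.split(line)[1:]:
                depth += (tok == "[") - (tok == "]")  # skip "[ find ... ]" selectors
                if depth == 0 and "=" in tok:
                    attrs.update([tok.split("=", 1)])
            yield menu, attrs

def audit(text):
    cmds, findings, unprotected = list(parse_export(text)), [], set()
    for menu, a in cmds:
        name, mode = a.get("name", "default"), a.get("mode", "none")
        if menu == "/interface wireless security-profiles":
            if mode != "dynamic-keys":  # export omits defaults; the default is none
                unprotected.add(name)
                findings.append(f"profile {name}: mode={mode}, no WPA key management")
            if "wpa-" in a.get("authentication-types", ""):
                findings.append(f"profile {name}: WPA1 authentication enabled")
            if "tkip" in a.get("unicast-ciphers", "") + a.get("group-ciphers", ""):
                findings.append(f"profile {name}: TKIP cipher enabled")
        elif menu == "/tool graphing interface" and a.get("allow-address") == "0.0.0.0/0":
            findings.append("graphing: allow-address=0.0.0.0/0 exposes graphs to any host")
    findings += [f"SSID {a.get('ssid')}: AP uses unprotected profile" for m, a in cmds
                 if m == "/interface wireless" and a.get("mode") == "ap-bridge"
                 and a.get("security-profile", "default") in unprotected]
    return findings
```

Calling `audit()` on the text of an `/export` returns one finding per weak setting; an AP that omits `security-profile` is traced back to the `default` profile, which is how an open SSID usually slips through.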
Advanced Wireless Features
Virtual AP Configuration
# Create multiple SSIDs on single radio
# (mode=ap-bridge is set explicitly so each virtual interface acts as an access point)
/interface wireless add \
name=virtual-guest \
master-interface=wlan1 \
mode=ap-bridge \
ssid="Office-Guest" \
security-profile=guest-profile \
disabled=no
/interface wireless add \
name=virtual-iot \
master-interface=wlan1 \
mode=ap-bridge \
ssid="Office-IoT" \
security-profile=iot-profile \
disabled=no
Wireless Uplink Monitoring
# Monitor wireless connection quality
/interface wireless monitor wlan1
# Check registered clients
/interface wireless registration-table print
# Monitor wireless statistics
/interface wireless snooper snoop wlan1
Quality of Service for Wireless
Simple Queue Setup
# Limit bandwidth for wireless clients
# (target=wlan1 is a single queue shared by every client on the interface)
/queue simple add \
name="wifi-client-limit" \
target=wlan1 \
max-limit=10M/10M \
burst-limit=15M/15M \
burst-threshold=5M/5M \
burst-time=30s
PCQ for Fair Bandwidth Distribution
# Create PCQ queue type
/queue type add \
name="pcq-wifi-download" \
kind=pcq \
pcq-rate=5M \
pcq-limit=50 \
pcq-classifier=dst-address
/queue type add \
name="pcq-wifi-upload" \
kind=pcq \
pcq-rate=2M \
pcq-limit=50 \
pcq-classifier=src-address
# Apply PCQ to wireless interface
# (assumes mangle rules already set the wifi-download and wifi-upload packet marks)
/queue tree add \
name="wifi-download" \
parent=global \
packet-mark=wifi-download \
queue=pcq-wifi-download
/queue tree add \
name="wifi-upload" \
parent=global \
packet-mark=wifi-upload \
queue=pcq-wifi-upload
Troubleshooting Wireless Issues
Diagnostic Commands
# Check wireless interface status
/interface wireless print
# Monitor wireless connections
/interface wireless registration-table print
# Check wireless security profiles
/interface wireless security-profiles print
# Monitor wireless traffic
/interface wireless snooper snoop wlan1
# Check frequency usage
/interface wireless frequency-monitor wlan1
Common Issue Resolution
# Reset wireless configuration (returns every wireless interface to its defaults)
/interface wireless reset-configuration [find]
# Clear wireless statistics
/interface wireless reset-counters [find]
# Restart wireless interface
/interface wireless disable wlan1
/interface wireless enable wlan1
Enterprise Deployment Examples
Multi-AP Office Deployment
# CAPsMAN configuration for office with multiple APs
# (corp-security must exist as a /caps-man security entry)
/caps-man configuration \
add name=office-2g-config \
ssid="Corporate-WiFi" \
mode=ap \
channel.band=2ghz-b/g/n \
channel.extension-channel=Ce \
security=corp-security
/caps-man configuration \
add name=office-5g-config \
ssid="Corporate-WiFi" \
mode=ap \
channel.band=5ghz-a/n/ac \
channel.extension-channel=XXXX \
security=corp-security
# Provisioning rules for different AP models
/caps-man provisioning \
add action=create-dynamic-enabled \
master-configuration=office-2g-config \
hw-supported-modes=gn \
identity-regexp="^AP-OFFICE-.*$"
Hotel/Public WiFi Setup
# HotSpot configuration for guest WiFi
/ip hotspot profile add name=hotel-guest \
dns-name=hotel-wifi.com \
html-directory=hotspot1 \
http-cookie-lifetime=1d
/ip hotspot add name=hotel-guest \
interface=wlan1 \
profile=hotel-guest \
address-pool=hotel-guests \
disabled=no
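# Create user accounts
# (placeholder passwords; issue a unique random password per room.
# server= binds each account to the hotel-guest HotSpot server)
/ip hotspot user add name=room101 \
password=welcome101 \
server=hotel-guest
/ip hotspot user add name=room102 \
password=welcome102 \
server=hotel-guest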
Performance Optimization
Channel Planning and Optimization
# Manual channel selection for minimal interference
/interface wireless set wlan1 \
frequency=5180 \
channel-width=20mhz \
country="united states" \
antenna-gain=3
# DFS channel usage for 5GHz
/interface wireless set wlan2 \
frequency=5500 \
channel-width=20/40/80mhz-Ceee \
skip-dfs-channels=disabled
Client Management and Load Balancing
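# Connect list (applies when wlan1 runs in a station mode):
# join this AP only when its signal is -70 dBm or better
/interface wireless connect-list \
add interface=wlan1 \
mac-address=AA:BB:CC:DD:EE:FF \
connect=yes \
signal-range=-70..120
# Periodic channel re-selection on CAPsMAN-managed 5GHz radios
# (reference this channel entry from a configuration with channel=auto-5ghz)
/caps-man channel add \
name=auto-5ghz \
band=5ghz-a/n/ac \
reselect-interval=1h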
Monitoring and Maintenance
Wireless Monitoring Setup
# Enable wireless logging
/system logging add topics=wireless
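# Set up wireless graphing
# (allow-address=0.0.0.0/0 lets any host that can reach the router's web service
# view the graphs; narrow it to the management subnet)
/tool graphing interface add \
interface=wlan1 \
allow-address=0.0.0.0/0
# Monitor client connections
# (wrapped in braces so the :local variable stays in scope when pasted into a terminal)
{
:local clients [/interface wireless registration-table print count-only]
:put ("Connected clients: " . $clients)
}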
Automated Maintenance Scripts
# Script to monitor AP status
/system script add name=check-wireless \
source="/interface wireless print; \
/interface wireless registration-table print; \
/interface wireless access-list print"
# Schedule regular wireless checks
/system scheduler add name=wireless-check \
interval=1h \
on-event=check-wireless
Conclusion: Building Robust Wireless Networks
MikroTik's wireless capabilities provide enterprise-grade features at consumer-level pricing. The key to successful wireless deployments lies in:
- Proper hardware selection for your use case
- Strategic channel planning to minimize interference
- Robust security configuration including WPA3 where supported
- CAPsMAN implementation for multi-AP environments
- Continuous monitoring and performance optimization
Whether you're deploying a simple home network or managing a large enterprise wireless infrastructure, MikroTik provides the tools and flexibility needed for success.


