WiFi Basic Setup
WiFi Basic Setup
Section titled âWiFi Basic SetupâTL;DR (Quick Start)
Section titled âTL;DR (Quick Start)âFor the impatient: create a basic WiFi access point.
WiFi Package (RouterOS 7.13+, Wi-Fi 6 hardware):
/interface/wifi/security add name=home-sec authentication-types=wpa2-psk passphrase="YourPassword123"/interface/wifi set wifi1 configuration.ssid=MyNetwork configuration.country=UnitedStates security=home-sec disabled=noLegacy Wireless Package:
/interface/wireless/security-profiles set default mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key="YourPassword123"/interface/wireless set wlan1 mode=ap-bridge ssid=MyNetwork country=united_states disabled=noVerify with:
/interface/wifi/registration-table/print# or for legacy:/interface/wireless/registration-table/printOverview
Section titled âOverviewâWhat this does: Configures your MikroTik router as a WiFi access point, allowing wireless devices to connect to your network.
When to use this:
- Setting up home or office wireless network
- Providing guest WiFi access
- Extending network coverage with additional APs
- Replacing existing access points
Prerequisites:
- MikroTik device with WiFi radio hardware (not CHR)
- Appropriate WiFi package installed (
wifi-qcom,wifi-qcom-ac, orwireless) - Bridge configured for LAN traffic (typical home setup)
Which Package Do I Have?
/system/package/print where name~"wifi"| Package | Hardware Support | RouterOS Version |
|---|---|---|
wifi-qcom | Wi-Fi 6 (802.11ax) | 7.13+ |
wifi-qcom-ac | Wi-Fi 5 wave2 (802.11ac) | 7.13+ |
wireless | All older wireless | 6.x and 7.x |
Configuration Steps (WiFi Package)
Section titled âConfiguration Steps (WiFi Package)âUse these steps for Wi-Fi 6 hardware (hAP ax series, Audience, etc.) on RouterOS 7.13+.
Step 1: Check Available Interfaces
Section titled âStep 1: Check Available InterfacesâView your WiFi radio interfaces.
/interface/wifi/printExpected output:
Flags: X - disabled; R - running 0 X name="wifi1" mac-address=AA:BB:CC:DD:EE:FF arp=enabled ... 1 X name="wifi2" mac-address=AA:BB:CC:DD:EE:F0 arp=enabled ...Typically wifi1 is 5 GHz and wifi2 is 2.4 GHz.
Step 2: Create Security Profile
Section titled âStep 2: Create Security ProfileâCreate a WPA2 security profile with your password.
/interface/wifi/security add name=home-security \ authentication-types=wpa2-psk \ passphrase="YourSecurePassword123" \ wps=disableFor WPA2/WPA3 mixed mode (better security, broader compatibility):
/interface/wifi/security add name=home-security \ authentication-types=wpa2-psk,wpa3-psk \ passphrase="YourSecurePassword123" \ encryption=ccmp \ wps=disableStep 3: Configure and Enable Interface
Section titled âStep 3: Configure and Enable InterfaceâApply settings and enable the WiFi interface.
/interface/wifi set wifi1 \ configuration.ssid=MyNetwork \ configuration.country=UnitedStates \ security=home-security \ disabled=noImportant: Always set the correct country code for regulatory compliance and optimal channel selection.
Step 4: Add Interface to Bridge
Section titled âStep 4: Add Interface to BridgeâEnsure WiFi clients can reach your LAN.
/interface/bridge/port add bridge=bridge interface=wifi1Step 5: Verify Configuration
Section titled âStep 5: Verify ConfigurationâCheck that the interface is running.
/interface/wifi/printExpected output:
Flags: X - disabled; R - running 0 R name="wifi1" ... configuration.ssid=MyNetwork ...The R flag indicates the interface is running.
Configuration Steps (Legacy Wireless Package)
Section titled âConfiguration Steps (Legacy Wireless Package)âUse these steps for older wireless hardware or RouterOS 6.x.
Step 1: Check Available Interfaces
Section titled âStep 1: Check Available Interfacesâ/interface/wireless/printStep 2: Configure Security Profile
Section titled âStep 2: Configure Security ProfileâModify the default security profile with WPA2.
/interface/wireless/security-profiles set default \ mode=dynamic-keys \ authentication-types=wpa2-psk \ wpa2-pre-shared-key="YourSecurePassword123"Step 3: Configure and Enable Interface
Section titled âStep 3: Configure and Enable Interfaceâ/interface/wireless set wlan1 \ mode=ap-bridge \ ssid=MyNetwork \ band=2ghz-b/g/n \ channel-width=20/40mhz-XX \ country=united_states \ security-profile=default \ disabled=noStep 4: Add Interface to Bridge
Section titled âStep 4: Add Interface to Bridgeâ/interface/bridge/port add bridge=bridge interface=wlan1Common Scenarios
Section titled âCommon ScenariosâScenario: Dual-Band Setup (5 GHz + 2.4 GHz)
Section titled âScenario: Dual-Band Setup (5 GHz + 2.4 GHz)âConfigure both radios with the same SSID for seamless roaming.
WiFi Package:
# Create shared security profile/interface/wifi/security add name=dual-band-sec \ authentication-types=wpa2-psk,wpa3-psk \ passphrase="SecurePassword123" \ encryption=ccmp wps=disable
# Create channel profiles/interface/wifi/channel add name=ch-5ghz \ frequency=5180,5200,5220,5240 width=20/40/80mhz band=5ghz-ax/interface/wifi/channel add name=ch-2ghz \ frequency=2412,2437,2462 width=20mhz band=2ghz-ax
# Apply to interfaces/interface/wifi set wifi1 \ configuration.ssid=HomeNetwork \ configuration.country=UnitedStates \ channel=ch-5ghz security=dual-band-sec disabled=no/interface/wifi set wifi2 \ configuration.ssid=HomeNetwork \ configuration.country=UnitedStates \ channel=ch-2ghz security=dual-band-sec disabled=no
# Add both to bridge/interface/bridge/port add bridge=bridge interface=wifi1/interface/bridge/port add bridge=bridge interface=wifi2Scenario: Guest Network with Isolation
Section titled âScenario: Guest Network with IsolationâCreate a separate guest network that isolates clients from each other and the main LAN.
WiFi Package:
# Create guest security/interface/wifi/security add name=guest-sec \ authentication-types=wpa2-psk passphrase="GuestAccess2024" wps=disable
# Create datapath with client isolation/interface/wifi/datapath add name=guest-dp client-isolation=yes
# Create virtual AP on wifi1/interface/wifi add master-interface=wifi1 name=wifi1-guest \ configuration.ssid=GuestNetwork \ security=guest-sec datapath=guest-dp disabled=noThen configure firewall rules to restrict guest network access to internet only.
Scenario: Station Mode (WiFi Client)
Section titled âScenario: Station Mode (WiFi Client)âConnect your MikroTik as a client to an existing WiFi network.
WiFi Package:
/interface/wifi/security add name=upstream-sec \ authentication-types=wpa2-psk passphrase="UpstreamPassword"
/interface/wifi set wifi1 \ mode=station \ configuration.ssid=UpstreamNetwork \ security=upstream-sec disabled=noLegacy Wireless:
/interface/wireless/security-profiles add name=upstream \ mode=dynamic-keys authentication-types=wpa2-psk \ wpa2-pre-shared-key="UpstreamPassword"
/interface/wireless set wlan1 \ mode=station \ ssid=UpstreamNetwork \ security-profile=upstream disabled=noScenario: Hidden SSID
Section titled âScenario: Hidden SSIDâHide your network name from broadcast (security through obscurity - not recommended as primary security).
WiFi Package:
/interface/wifi set wifi1 configuration.hide-ssid=yesLegacy Wireless:
/interface/wireless set wlan1 hide-ssid=yesScenario: Limit Maximum Clients
Section titled âScenario: Limit Maximum ClientsâRestrict number of connected devices.
WiFi Package:
/interface/wifi/configuration add name=limited-config \ ssid=LimitedNetwork max-clients=10 country=UnitedStates/interface/wifi set wifi1 configuration=limited-configVerification
Section titled âVerificationâConfirm your WiFi setup is working correctly.
Check 1: Verify Interface is Running
Section titled âCheck 1: Verify Interface is RunningâWiFi Package:
/interface/wifi/print where running=yesLegacy Wireless:
/interface/wireless/print where running=yesExpected: Interface shows with R flag (running).
Check 2: View Connected Clients
Section titled âCheck 2: View Connected ClientsâWiFi Package:
/interface/wifi/registration-table/printLegacy Wireless:
/interface/wireless/registration-table/printExpected: Lists MAC addresses, signal strength, and connection info for connected devices.
Check 3: Scan for Your Network
Section titled âCheck 3: Scan for Your NetworkâFrom another device, scan for WiFi networks and verify your SSID appears.
From the router (WiFi package):
/interface/wifi/scan wifi1 duration=5sCheck 4: Test Client Connectivity
Section titled âCheck 4: Test Client ConnectivityâConnect a device to the WiFi network, then verify it received an IP address and can reach the gateway.
Troubleshooting
Section titled âTroubleshootingâ| Symptom | Cause | Solution |
|---|---|---|
| Interface wonât enable | Package not installed | Check /system/package/print; install appropriate wifi package |
| Interface wonât enable | Wrong package for hardware | Use wifi-qcom for Wi-Fi 6, wifi-qcom-ac for Wi-Fi 5 wave2 |
| Clients canât see network | SSID hidden or wrong country | Verify hide-ssid=no; set correct country code |
| Clients canât connect | Wrong password | Verify passphrase matches exactly (case-sensitive) |
| Clients canât connect | WPA3 incompatibility | Use WPA2-only or WPA2/WPA3 mixed mode |
| Connected but no internet | Not in bridge | Add WiFi interface to bridge port |
| Clients disconnect every 10-15 min | WPA3 SAE anti-clogging | Disable SAE anti-clogging (see Community Tips) |
| Intel laptops fail with WPA3 | Intel driver limitation | Use CCMP encryption, not GCMP |
| Poor signal/speed | Wrong channel width | Reduce width in congested environments |
| Station mode wonât connect | Security mismatch | Verify security type and password match AP |
Common Mistakes
- Donât forget the country code - Required for regulatory compliance and affects available channels/power
- Donât use GCMP encryption with Intel WiFi - Intel drivers only support CCMP for WPA3-Personal
- Donât forget to add interface to bridge - Clients wonât reach the network without bridge membership
- Donât use WPA3-only for mixed environments - Older devices wonât connect; use WPA2/WPA3 mixed mode
- Donât enable WPS in production - WPS has known security vulnerabilities
Channel Width Reference
Section titled âChannel Width Referenceâ| Environment | 2.4 GHz | 5 GHz |
|---|---|---|
| Dense urban/many neighbors | 20 MHz | 40-80 MHz |
| Suburban/moderate interference | 20 MHz | 80 MHz |
| Rural/isolated | 20/40 MHz | 80-160 MHz |
| Long distance links | 20 MHz | 20-40 MHz |
Wider channels = faster speeds but more susceptible to interference.
Security Recommendations
Section titled âSecurity Recommendationsâ| Scenario | Recommended Security |
|---|---|
| Home network | WPA2-PSK + WPA3-PSK (mixed mode) |
| Guest network | WPA2-PSK with client isolation |
| High security | WPA3-PSK only with MFP required |
| Enterprise | WPA2-EAP or WPA3-EAP with RADIUS |
| Legacy devices present | WPA2-PSK only (avoid TKIP) |
Related Topics
Section titled âRelated TopicsâPrerequisites
Section titled âPrerequisitesâ- Bridge Configuration - bridge configuration for LAN connectivity
- IP Address Configuration - addressing fundamentals
Multiple Access Points
Section titled âMultiple Access Pointsâ- CAPsMAN - centralized wireless management for 3+ access points
Network Segmentation
Section titled âNetwork Segmentationâ- VLAN Configuration - VLAN tagging for guest networks
- Firewall Basics - restrict guest network access
Related Wireless Topics
Section titled âRelated Wireless Topicsâ- WiFi Security (WPA2/WPA3) - advanced security configuration
Reference
Section titled âReferenceâ- MikroTik WiFi Documentation
- MikroTik Wireless Documentation
- Version changes:
- v7.13: Introduced wifi package for Wi-Fi 5 wave2 and Wi-Fi 6 hardware
- v7.18: Improved WPA3 SAE anti-clogging handling
Package Comparison
Section titled âPackage Comparisonâ| Feature | wifi Package | wireless Package |
|---|---|---|
| Hardware | Wi-Fi 5 wave2, Wi-Fi 6 | All older wireless |
| RouterOS Version | 7.13+ | 6.x and 7.x |
| Configuration Model | Profile-based | Direct properties |
| WPA3 Support | Yes | No |
| 802.11r/k/v Roaming | Yes | Limited |
Key Properties Reference
Section titled âKey Properties ReferenceâWiFi Package Security Properties
Section titled âWiFi Package Security Propertiesâ| Property | Type | Default | Description |
|---|---|---|---|
authentication-types | list | - | wpa2-psk, wpa3-psk, wpa2-eap, wpa3-eap |
passphrase | string | - | 8-63 characters for WPA2 |
encryption | list | ccmp | ccmp, gcmp, tkip |
management-protection | enum | allowed | disabled, allowed, required |
wps | enum | push-button | push-button, disabled |
WiFi Package Interface Properties
Section titled âWiFi Package Interface Propertiesâ| Property | Type | Default | Description |
|---|---|---|---|
mode | enum | ap | ap, station, station-bridge |
configuration.ssid | string | - | Network name |
configuration.country | string | - | Regulatory domain (required) |
configuration.hide-ssid | bool | no | Hide SSID in beacons |
channel.frequency | MHz list | - | Operating frequencies |
channel.width | enum | - | 20mhz, 20/40mhz, etc. |
security | profile | - | Security profile reference |