Configuring Repeater

A wireless repeater extends the coverage range of an existing wireless network by receiving signals from an upstream access point and rebroadcasting them to cover areas with weak or no connectivity. In RouterOS, this functionality is primarily achieved through station-bridge mode combined with a virtual AP configuration, allowing the repeater to simultaneously connect to the upstream network while serving local clients.

The repeater configuration in RouterOS involves two distinct wireless interfaces working in concert. The first interface operates in station-bridge mode, connecting wirelessly to the upstream access point. The second interface operates as a standard access point, providing wireless connectivity to local clients. Both interfaces are then bridged together at the Ethernet level, creating a seamless network extension where clients connect to the repeater as they would to any standard access point.

This architecture provides several advantages over single-interface repeater solutions. By maintaining separate interfaces for upstream and downstream communications, RouterOS repeaters avoid the throughput halving that occurs in true half-duplex repeaters. The station interface handles all upstream traffic while the AP interface serves local clients, allowing concurrent transmit and receive operations when the hardware supports the required radio chains.

RouterOS repeater implementations support a comprehensive feature set for professional wireless deployments. The configuration supports both 2.4 GHz and 5 GHz frequency bands, enabling operators to select optimal frequencies based on environmental factors and client device capabilities. Virtual access point functionality allows a single radio to serve multiple SSIDs, useful for separating management, guest, and employee networks at the repeater location.

The station-bridge mode implements full 802.11 functionality including roaming support, power save mechanisms, and rate adaptation. When combined with RouterOS bridging capabilities, the repeater appears as a transparent extension of the upstream network, preserving VLAN tags, multicast traffic, and Layer 2 protocols across the wireless link. This transparency is essential for deployments requiring seamless integration with existing wired network infrastructure.

Security options for repeater configurations mirror those available on standard access points. The station interface must authenticate to the upstream AP using the configured security profile, while the local AP interface provides its own security configuration for connecting clients. This dual-security architecture ensures that the wireless backhaul link maintains appropriate encryption while allowing flexible security policies for local users.

Wireless repeaters address several common deployment scenarios where running Ethernet cabling is impractical or prohibitively expensive. Residential deployments benefit from repeaters when covering large homes or properties where a single access point cannot provide adequate signal strength throughout. The repeater placement extends the effective coverage area without requiring new cable runs to each location.

Outdoor deployments present similar challenges where distance between the main router and remote areas exceeds the practical range of standard wireless equipment. Repeaters mounted on poles, towers, or building rooftops can bridge gaps of several kilometers when proper line-of-sight is maintained, provided the upstream signal reaches the repeater location with sufficient strength for reliable communication.

Temporary installations for events, construction sites, or disaster recovery situations benefit from the portability of repeater configurations. A RouterOS device can be deployed quickly to provide network connectivity in areas where infrastructure damage or absence prevents wired connections. The same device can later be reconfigured for permanent installation or returned to inventory.

Multi-story buildings often require repeaters on different floors to ensure adequate signal strength throughout the structure. Concrete floors, metal structures, and electrical interference from building systems can significantly attenuate wireless signals, making repeater deployment essential for reliable connectivity in commercial and industrial facilities.

Before configuring a repeater, verify that the RouterOS device includes appropriate wireless hardware for the intended deployment. Devices with built-in wireless radios support repeater functionality out of the box, while devices without wireless capabilities require compatible mini-PCIe or M.2 wireless cards. The wireless card must support the intended frequency bands and meet power output requirements for the deployment range.

The upstream access point must be configured to accept the repeater as a client. This typically requires enabling station mode connections in the AP configuration and ensuring the security profile matches what the repeater will use for authentication. Some deployments may require MAC address whitelisting on the upstream AP if such restrictions are enabled.

Channel selection requires careful consideration to minimize interference and maximize throughput. Ideally, the repeater should connect to the upstream AP on a clear channel with minimal competing networks. The local AP interface should select a non-overlapping channel on the same band or use a different band entirely if the hardware supports simultaneous dual-band operation.

Power availability at the repeater location affects hardware selection and installation options. PoE (Power over Ethernet) capable devices allow flexible placement near the optimal antenna location while receiving power through the Ethernet cable. This is particularly valuable for outdoor installations where electrical outlets may not be conveniently located.

The station interface connects the repeater to the upstream access point. This interface handles all communication with the main network infrastructure, receiving data to be forwarded to local clients and transmitting data from local clients to the upstream network. Proper station configuration is essential for establishing a reliable wireless backhaul link.

Begin by creating the wireless interface that will operate as the station. Navigate to the wireless interface configuration and add a new interface. Select the appropriate wireless card or built-in radio for this interface, ensuring the card supports the desired frequency band. The mode setting determines how this interface operates within the wireless network.

Set the mode parameter to station-bridge for repeater configurations. This mode enables the interface to connect to an upstream AP while participating in the wireless network as a bridge rather than a simple client. The station-bridge mode supports WDS (Wireless Distribution System) when configured on the upstream AP, enabling transparent bridging of Ethernet traffic across the wireless link.

The master-interface parameter associates this station interface with the local AP interface that will serve clients. When configured correctly, frames received on the station interface from the upstream network are forwarded to the master interface for broadcast to local clients, while frames from local clients are transmitted upstream through the station interface. This association creates the logical connection between the wireless backhaul and the local access point.

Configure the station interface to scan for and connect to the appropriate upstream access point. The ssid parameter specifies the network name of the target AP. For networks with hidden SSIDs, enable the hide-ssid option on the station interface to match the AP configuration. The station will only connect to APs matching the specified SSID and security configuration.

Select the appropriate frequency band and channel for the connection. The band parameter accepts values such as 2ghz-b/g/n for 2.4 GHz networks or 5ghz-a/n/ac for 5 GHz networks. When the AP supports multiple channels within a band, specify the exact frequency using the frequency parameter rather than relying on automatic selection. Manual frequency selection ensures the repeater connects predictably and avoids channels with interference.

The wireless-protocol parameter should typically remain on the default setting, allowing the interface to connect to either 802.11 or proprietary MikroTik protocols as available. For networks requiring specific protocol support, this parameter can restrict connections to 802.11-only or nv2-only networks as needed.

Apply the appropriate security profile to the station interface for authentication with the upstream AP. Create a new security profile or select an existing one that matches the AP’s security configuration. The profile must include the correct authentication type (WPA-PSK, WPA2-PSK, WPA3-SAE, or WPA-EAP depending on the AP configuration) and the corresponding password or certificate.

When connecting to enterprise networks using WPA-EAP authentication, additional configuration is required for the EAP method, identity, and certificate validation. The security profile for enterprise connections typically references a configured RADIUS client for certificate and user authentication. Ensure the upstream AP is configured to accept the authentication method specified in the security profile.

For WPA-PSK and WPA2-PSK connections, verify that the pre-shared key matches exactly between the station interface and the upstream AP. Mismatched keys prevent association even when all other settings are correct. Consider using WPA2-AES or WPA3-SAE encryption for improved security compared to TKIP-based options.

The access point interface provides wireless connectivity for clients connecting to the repeater. This interface broadcasts the SSID that local clients will use to connect and handles all client authentication and association traffic. The AP interface operates independently of the station interface’s upstream connection, allowing flexible configuration for local network requirements.

Create a second wireless interface on the same radio to serve as the local access point. This interface operates in ap mode, providing standard access point functionality for connecting clients. The master-interface parameter associates this AP with the station interface created earlier, creating the logical connection between local clients and the upstream network.

Configure the SSID for the local access point. This SSID identifies the wireless network that clients in the repeater’s coverage area will see and use for connection. The SSID can match the upstream network’s SSID for seamless roaming, or use a different name to distinguish the repeater’s network. Seamless roaming requires matching security configurations between the AP and repeater interfaces.

Set the appropriate frequency band for the AP interface. The band selection should consider client device capabilities, environmental factors, and regulatory limitations for the deployment location. The 2.4 GHz band offers greater range and better penetration through obstacles but has limited non-overlapping channels and higher congestion. The 5 GHz band provides more channels and reduced interference but with reduced range and penetration capability.

Configure security settings for the local AP interface to protect client connections. Create or select a security profile appropriate for the local network policy. The security profile for the AP interface governs how clients authenticate to the repeater, which may differ from the security used on the upstream link.

Most deployments use WPA2-PSK with AES encryption for client authentication, providing strong security with simple client configuration. For environments requiring enhanced security, WPA3-SAE offers improved protection against password cracking attacks. Enterprise deployments may use WPA-EAP with RADIUS authentication for centralized user management and detailed access control.

Consider whether the local AP security should match the upstream security for seamless roaming. When seamless roaming is desired, the security profile on the AP interface must match the authentication method used by the upstream AP. Mismatched security prevents clients from maintaining connections as they move between coverage areas.

Configure the beacon interval to balance network overhead with client connectivity. The default beacon interval of 100 milliseconds works well for most deployments. Reducing the beacon interval to 50 milliseconds improves roaming responsiveness but increases wireless overhead. Increasing the beacon interval reduces overhead but may slow client association and roaming.

Set the DTIM (Delivery Traffic Indication Map) interval to control how often clients in power save mode receive buffered traffic notifications. The default DTIM period of 2 or 3 works for most networks with mobile clients. Higher values reduce overhead from power save traffic but increase latency for sleeping clients receiving data.

Enable or disable specific 802.11 features based on client requirements and network policy. Features such as WMM (Wi-Fi Multimedia) should typically remain enabled for proper QoS handling of voice and video traffic. The disabled parameter completely disables the interface, which is useful during initial configuration or maintenance windows.

The repeater must bridge the station and AP interfaces to create a seamless network extension. RouterOS provides multiple bridging options depending on the network requirements, from simple hardware bridging to complex VLAN-aware configurations.

Create a bridge interface to connect the station and AP interfaces at Layer 2. Navigate to the Bridge configuration and add a new bridge. The bridge acts as a virtual switch, forwarding frames between interfaces based on MAC addresses. This configuration creates a flat network where the repeater appears as a transparent network device to connected clients.

Add both the station interface and the AP interface to the bridge ports list. The station interface receives frames from the upstream network, which are then forwarded through the bridge to the AP interface for broadcast to local clients. Conversely, frames from local clients are received on the AP interface and forwarded through the bridge to the station interface for transmission upstream.

Configure the bridge priority and forward delay parameters appropriately for the network size. The default settings work for most repeater deployments where the bridge only connects two interfaces. Larger bridged networks may require tuning these parameters to optimize spanning tree convergence and prevent temporary forwarding loops during topology changes.

For networks using VLANs to segment traffic, configure the bridge to support VLAN tagging. Enable the vlan-filtering parameter on the bridge interface to allow VLAN-aware forwarding. Configure bridge ports with appropriate VLAN configurations using the pvid parameter for untagged traffic and membership lists for tagged traffic.

The station interface typically carries all VLANs used on the network, allowing the repeater to bridge tagged traffic transparently. The AP interface may carry all VLANs if clients support tagged VLAN assignment, or may use a single native VLAN if clients expect untagged connectivity. Configure each bridge port with the appropriate VLAN settings based on the network design.

When deploying multiple repeaters on the same network, ensure consistent VLAN configuration across all devices. The upstream AP must recognize the repeater’s MAC address and appropriately handle tagged traffic from the repeater’s bridge. Test VLAN connectivity through the repeater to verify proper configuration before deploying in production.

The repeater requires IP configuration to participate in network management and, in some cases, to provide IP connectivity for clients. The IP configuration depends on whether the repeater operates as a Layer 2 bridge or requires Layer 3 functionality.

Assign a static IP address to the repeater for management access, or configure DHCP client on an Ethernet interface to receive addressing automatically. The management IP allows network administrators to access the RouterOS device for configuration and monitoring regardless of the wireless link status.

Create an IP address configuration on a bridge interface or dedicated management interface. For bridged repeaters, the bridge interface typically serves as the management interface, receiving an IP address that is accessible from both the upstream network and local clients. This accessibility assumes the upstream network permits management traffic from the repeater’s bridge.

Configure appropriate routing if the repeater requires access to networks beyond the local subnet. A default route pointing to the upstream gateway IP address provides basic connectivity to external networks. More complex routing requirements may necessitate static routes or dynamic routing protocol configuration.

When clients require DHCP addressing through the repeater, configure the DHCP relay agent if the repeater operates at Layer 3 between clients and the DHCP server. The DHCP relay forwards broadcast DHCP requests from clients to the DHCP server on a different subnet, then receives the DHCP offer and relays it back to the client.

Install the DHCP relay package if not already included in the RouterOS installation. Configure the DHCP relay to forward requests to the appropriate DHCP server IP address and specify the interface facing the DHCP server. The relay listens for DHCP requests on all bridged interfaces and forwards them appropriately.

For Layer 2 repeater configurations where the repeater simply bridges traffic, DHCP relay configuration is typically unnecessary. Broadcast DHCP traffic is bridged transparently to the upstream network where the DHCP server can receive and respond to requests. Verify that the upstream infrastructure properly handles broadcast traffic through the wireless link.

After completing the repeater configuration, verify that all interfaces are operational and traffic flows correctly between the upstream network and local clients. Systematic testing ensures the repeater functions as designed before deploying into production use.

Check the status of both wireless interfaces to confirm successful configuration. The station interface should show a connected state with signal strength, data rate, and upstream AP information. The AP interface should show an enabled state ready to accept client associations. Monitor interface statistics to verify traffic flows in both directions.

Use the /interface wireless print command to view detailed interface status. The connected station information includes signal-to-noise ratio, tx/rx rates, and the upstream AP’s MAC address. Verify these values against expected performance characteristics for the deployment location and distance.

Monitor the wireless registration table to track connected clients and their activity. The registration table shows all clients currently associated with the AP interface, including signal strength, tx/rx rates, and session duration. Verify that expected clients appear in the table and that signal strengths are adequate for reliable connectivity.

Test basic connectivity from the repeater to the upstream network and beyond. Ping the upstream gateway IP address to verify the wireless backhaul link functions correctly. Test connectivity to external hosts or the internet to verify routing and upstream network functionality.

Test client connectivity by associating a device with the repeater’s AP interface. Verify that the client receives appropriate IP addressing through DHCP or static configuration. Test connectivity from the client to the upstream network, gateway, and internet to verify end-to-end functionality.

Perform throughput testing to verify the repeater provides adequate performance for intended use. Use iperf or similar tools to measure sustainable data rates between the client and a server on the upstream network. Compare measured throughput against expected performance based on wireless link characteristics and client capabilities.

Evaluate the signal quality of the wireless backhaul link to ensure reliable operation. The signal-to-noise ratio (SNR) indicates the link quality, with higher values indicating better signal clarity. SNR values above 20-25 dB typically support reliable 802.11n/ac connections, while values below 15 dB may experience connectivity issues.

Monitor the CCQ (Client Connection Quality) percentage to assess link efficiency. CCQ values above 70-80% indicate good link quality with minimal retransmission overhead. Lower CCQ values suggest interference, distance issues, or configuration problems affecting the wireless link quality.

Consider spectrum analysis if signal quality issues persist despite adequate signal strength. The spectrum analyzer can identify sources of interference on the operating channel that may degrade performance. Relocating the repeater, changing channels, or using different frequency bands may resolve interference-related issues.

Repeater deployments occasionally experience connectivity, performance, or configuration issues that require troubleshooting. Understanding common problems and their solutions accelerates problem resolution in production environments.

When the station interface fails to associate with the upstream AP, verify several configuration elements. Confirm that the SSID matches exactly between the station and AP configurations, including case sensitivity. Verify that the security profile authentication type and password match the AP configuration.

Check that the upstream AP accepts station mode clients and is not configured for client isolation that would prevent the connection. Some AP configurations restrict connections based on MAC addresses, requiring the repeater’s MAC address to be added to an allowed list. Verify that the wireless channel selected on the repeater matches a channel active on the upstream AP.

Ensure the wireless regulatory domain is configured correctly for the deployment location. Regulatory restrictions affect available channels and maximum transmit power. Devices configured for incorrect regulatory domains may be unable to transmit on channels needed for the connection.

Low throughput on the repeater link often results from wireless signal quality issues or configuration inefficiencies. Check the CCQ percentage to assess link quality, as low CCQ indicates high retransmission rates that reduce effective throughput. Consider repositioning the repeater to improve signal strength if CCQ values are consistently poor.

Verify that the wireless channel is not congested with traffic from other networks or devices. Channel congestion forces the repeater to share airtime with competing transmissions, reducing available bandwidth. Use the frequency scan or spectrum analyzer to identify clearer channels.

Ensure that the configured data rates are appropriate for the link quality. The wireless-protocol and rate-sets parameters affect the available data rates. Using automatic rate selection typically provides the best performance across varying signal conditions, though manual rate restrictions may improve reliability in marginal conditions.

Clients unable to connect to the repeater’s AP interface typically have configuration or compatibility problems. Verify that the client’s wireless adapter supports the frequency band and security protocol configured on the AP interface. Older clients may not support WPA3 or 802.11ac features used by modern AP configurations.

Check for client isolation settings on the AP interface that may prevent clients from communicating with each other or the upstream network. Client isolation is sometimes enabled by default on AP configurations and must be explicitly disabled for normal repeater operation.

Verify that the client’s IP configuration is appropriate for the network. Clients receiving IP addresses in a different subnet than the upstream network may lack routing to reach destinations. Configure DHCP relay or ensure the DHCP server scope covers the repeater’s local network.

Repeater deployments introduce additional attack surface to the wireless network and require appropriate security measures. Both the backhaul link and the local access point require protection against unauthorized access and attacks.

Secure the wireless backhaul link between the repeater and upstream AP using strong encryption and authentication. WPA3-SAE provides the strongest protection for PSK-based networks, preventing offline dictionary attacks on captured handshake data. WPA2-AES remains suitable for deployments where WPA3 client support is limited.

Consider using certificate-based authentication for high-security environments. WPA-EAP with TLS certificates provides mutual authentication between the repeater and upstream AP, ensuring that only authorized devices can join the network. Certificate authentication eliminates password-based vulnerabilities and supports centralized credential management.

Implement MAC address filtering on the upstream AP to restrict which devices can establish backhaul connections. While not a primary security mechanism, MAC filtering adds a barrier against casual unauthorized connection attempts. Combine MAC filtering with strong encryption for defense-in-depth.

Configure appropriate security on the repeater’s AP interface to protect local clients. Use WPA2-AES or WPA3-SAE encryption with strong pre-shared keys for small deployments. Enterprise deployments should use WPA-EAP with RADIUS authentication for centralized access control and user accounting.

Enable wireless access lists on the AP interface to restrict which clients can associate. The access list can use MAC addresses, authentication status, or other criteria to control access. Combine access lists with encryption for comprehensive client authentication.

Consider deploying a separate guest network isolated from the main network. Guest networks prevent visitors from accessing internal resources while providing internet connectivity. Configure client isolation and VLAN tagging to isolate guest traffic from production networks.

Protect the repeater device from physical tampering that could compromise network security. Outdoor deployments should use tamper-resistant enclosures and secure mounting hardware. Devices in public or accessible locations should be secured to prevent unauthorized access or theft.

Disable unused services and ports on the RouterOS device to reduce attack surface. The repeater only requires wireless and bridge functionality for basic operation. Disable SSH, winbox, webfig, and other management access if not needed, or restrict access to specific IP addresses.

Keep RouterOS updated with security patches to address known vulnerabilities. Subscribe to MikroTik’s security announcements or regularly check for updates to maintain protection against emerging threats. Test updates in a staging environment before deploying to production repeaters.
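
The repeater layout and the hardening points above (station-bridge uplink, virtual AP, shared bridge, encryption, restricted management services) can be checked against a saved configuration export. The following Python audit is an added example, not part of the original page or of MikroTik's tooling; the export excerpt is constructed, its interface, bridge and profile names are made up, and it assumes the legacy `/interface wireless` menu and a compact export that omits default values.

```python
import shlex

# Constructed sample: excerpt of a compact RouterOS `/export` from a repeater.
SAMPLE_EXPORT = r'''
/interface bridge
add name=bridge-rep
/interface wireless security-profiles
add authentication-types=wpa2-psk mode=dynamic-keys name=uplink
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip mode=dynamic-keys \
    name=local unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=station-bridge \
    security-profile=uplink ssid=Upstream
add disabled=no master-interface=wlan1 mode=ap-bridge name=wlan-rep \
    security-profile=local ssid="Upstream EXT"
add disabled=no master-interface=wlan1 mode=ap-bridge name=wlan-guest ssid=Guest
/interface bridge port
add bridge=bridge-rep interface=wlan1
add bridge=bridge-rep interface=wlan-rep
/ip service
set telnet disabled=yes
set ssh address=192.0.2.0/24
set www disabled=yes
'''

MGMT_SERVICES = ("ssh", "winbox", "www")  # www is the service behind WebFig


def parse_export(text):
    """Parse export text into {menu path: [item dict, ...]}."""
    menus, menu, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # export wraps long lines with a backslash
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # menu path, e.g. /interface wireless
            menu = line
            menus.setdefault(menu, [])
            continue
        item = {}
        for tok in shlex.split(line)[1:]:  # skip the verb (add / set)
            if "=" in tok:
                key, _, val = tok.partition("=")
                item[key] = val
            elif tok not in ("[", "find", "]"):
                item["name"] = tok         # positional name, e.g. `set ssh ...`
        item.setdefault("name", item.get("default-name", ""))
        menus.setdefault(menu, []).append(item)
    return menus


def audit(text):
    """Return (finding, subject) tuples for settings the security section warns about."""
    m = parse_export(text)
    findings = []
    profiles = {p["name"]: p for p in m.get("/interface wireless security-profiles", [])}
    wlans = m.get("/interface wireless", [])
    for w in wlans:
        # Assumption: a profile that is absent from the export is the unmodified
        # default profile, which applies no encryption.
        prof = profiles.get(w.get("security-profile", "default"), {})
        if prof.get("mode", "none") != "dynamic-keys":
            findings.append(("open-wireless", w["name"]))
        ciphers = prof.get("unicast-ciphers", "") + "," + prof.get("group-ciphers", "")
        if "tkip" in ciphers.split(","):
            findings.append(("tkip-enabled", w["name"]))
    # The station (uplink) and every virtual AP on it should be ports of one bridge.
    ports = {p["interface"]: p["bridge"] for p in m.get("/interface bridge port", [])}
    for up in (w for w in wlans if w.get("mode") == "station-bridge"):
        for ap in wlans:
            if ap.get("master-interface") == up["name"] and \
                    ports.get(ap["name"]) != ports.get(up["name"], "<none>"):
                findings.append(("not-bridged-with-uplink", ap["name"]))
    # Assumption: compact exports omit defaults, so a management service with no
    # `set` line is treated as enabled and reachable from any address.
    services = {s["name"]: s for s in m.get("/ip service", [])}
    for svc in MGMT_SERVICES:
        s = services.get(svc, {})
        if s.get("disabled") != "yes" and not s.get("address"):
            findings.append(("mgmt-unrestricted", svc))
    return findings


if __name__ == "__main__":
    for finding, subject in audit(SAMPLE_EXPORT):
        print(f"{finding}: {subject}")
```

On the constructed sample it reports the TKIP-enabled local profile, the guest AP that has no security profile and is missing from the bridge, and Winbox left at its default with no address restriction.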