WiFi Guide

MikroTik WiFi Guide

This guide covers everything you need to get MikroTik WiFi working optimally - from quick setup to advanced configurations.

Quick Start: Get WiFi Working in 5 Minutes

Option 1: Quick AP (RouterOS 7.13+ with WiFi package)

# Create security profile
/interface wifi security add name=mywifi authentication-types=wpa2-psk passphrase=YourSecurePassword

# Create channel configuration
/interface wifi channel add name=5ghz frequency=5180,5200,5220,5240 band=5ghz-ax width=20/40/80mhz

# Create configuration profile
/interface wifi configuration add name=myconfig security=mywifi channel=5ghz

# Add WiFi interface and set as AP
/interface wifi add configuration=myconfig name=wifi1 master-interface=none

# Enable the interface
/interface wifi enable wifi1

Verify the setup:

/interface wifi print
/interface wifi security print
/interface wifi channel print
/interface wifi configuration print

Option 2: Quick AP (Legacy wireless package)

/interface wireless set wlan1 mode=ap-bridge ssid=MikroTik frequency=2437 security-profile=default
/interface wireless enable wlan1

Known-Good Home WiFi Defaults

These settings work well for typical home networks. Start with these values and adjust only if you have specific requirements.

Single AP (RouterOS 7.13+ with WiFi package)

Setting	Recommended Value	Why
SSID	YourNetworkName	Use 2.4GHz for long-range, 5GHz for speed
Band	`5ghz-ac` or `2ghz-n`	5GHz is less congested; 2.4GHz has better range
Channel Width	40MHz (5GHz) / 20MHz (2.4GHz)	40MHz is max non-DFS; 20MHz avoids interference on 2.4GHz
Frequency	5180-5240 (5GHz) or 1/6/11 (2.4GHz)	Non-DFS channels avoid radar delays; 1/6/11 are non-overlapping
Security	WPA2-PSK	Best compatibility; add WPA3 if all clients support it
TX Power	17-20 dBm	Start conservative; increase only if needed
Mode	`ap-bridge`	Required for WiFi interface to act as AP

Quick apply these defaults:

# 5GHz - better performance
/interface wifi security add name=home-sec authentication-types=wpa2-psk passphrase=YourSecurePassword
/interface wifi channel add name=home-5ghz band=5ghz-ac frequency=5180,5200,5220,5240 width=20/40/80mhz
/interface wifi configuration add name=home-config security=home-sec channel=home-5ghz ssid=YourNetworkName
/interface wifi add configuration=home-config name=wifi1 master-interface=none

# 2.4GHz - better range
/interface wifi security add name=home-sec-2g authentication-types=wpa2-psk passphrase=YourSecurePassword
/interface wifi channel add name=home-2ghz band=2ghz-n frequency=2412,2437,2462 width=20/40mhz
/interface wifi configuration add name=home-config-2g security=home-sec-2g channel=home-2ghz ssid=YourNetworkName-2G
/interface wifi add configuration=home-config-2g name=wifi2 master-interface=none

Legacy Wireless Package (Older Devices)

Setting	Recommended Value	Why
Mode	`ap-bridge`	Required for AP operation
Frequency	2437 (2.4GHz) or 5180 (5GHz)	Center of non-DFS range
Band	`2ghz-n` (2.4GHz) or `5ghz-n/ac` (5GHz)	Best client compatibility
Channel Width	20MHz (2.4GHz) / 40MHz (5GHz)	Avoids overlap issues
Security Profile	`default` or custom	Use default initially
SSID	YourNetworkName	Visible network name
TX Power	17-20 dBm	Conservative starting point

Quick apply:

/interface wireless set wlan1 mode=ap-bridge ssid=YourNetworkName frequency=2437 band=2ghz-n channel-width=20/40mhz
/interface wireless enable wlan1

CAPsMAN Defaults (Multiple APs)

Setting	Recommended Value	Why
Provisioning	`create-dynamic-enabled`	Automatically provisions CAPs
Channel	40MHz (5GHz) / 20MHz (2.4GHz)	Same as single AP
Security	WPA2-PSK	Consistent across all APs
Forwarding	`local`	Better performance; CAP handles switching
Datapath	`bridge=your-bridge`	Add clients to your network bridge

Quick CAPsMAN defaults:

/caps-man channel add name=5ghz band=5ghz-n/ac frequency=5180 width=40mhz
/caps-man channel add name=2ghz band=2ghz-n frequency=2437 width=20mhz
/caps-man security add name=home authentication-types=wpa2-psk passphrase=YourPassword
/caps-man configuration add name=cfg-5ghz channel=5ghz security=home ssid=YourNetwork
/caps-man configuration add name=cfg-2ghz channel=2ghz security=home ssid=YourNetwork-2G
/caps-man provisioning add action=create-dynamic-enabled master-configuration=cfg-5ghz

Understanding RouterOS WiFi

RouterOS offers two WiFi systems:

Feature	Legacy Wireless	New WiFi (7.13+)
Package	`wireless`	`wifi` + `wifi-qcom-ac`/`wifi-qcom`
Hardware	802.11a/b/g/n/ac (MIPS/ARM)	Wi-Fi 5 wave2, Wi-Fi 6 (ARM only)
Menu path	`/interface wireless`	`/interface wifi`
Configuration	Direct interface settings	Profile-based
WPA3	No	Yes
802.11r/k/v	Limited	Full support

Which Should You Use?

Legacy wireless: Older devices (MIPS CPU), 802.11n or earlier
New WiFi (WifiWave2): ARM devices with Wi-Fi 5/6 (hAP ac², ac³, ax, Audience, etc.)

CAPsMAN: Centralized WiFi Management

CAPsMAN (Controlled Access Point Manager) lets you manage multiple APs from one router.

When to Use CAPsMAN

3+ APs needing consistent configuration
Multiple floors/buildings
Guest/VLAN segmentation
Centralized monitoring

Quick CAPsMAN Setup

# On CAPsMAN router (the controller)
/caps-man manager set enabled=yes

# Create provisioning rules
/caps-man provisioning add action=create-dynamic-enabled master-configuration=default

# Create configuration profiles
/caps-man channel add frequency=5180 name=5ghz-ch band=5ghz-n/ac width=40mhz
/caps-man security add name=mysec authentication-types=wpa2-psk passphrase=YourPassword
/caps-man configuration add name=mycfg channel=5ghz-ch security=mysec ssid=MyNetwork

# On each CAP (the APs)
/system routerboard caps-mode set enabled=yes

Verify the CAPsMAN setup:

/caps-man manager print
/caps-man provisioning print
/caps-man channel print
/caps-man security print
/caps-man configuration print

Key CAPsMAN Concepts

Configuration Profiles: Channel, Security, Datapath, Configuration
Provisioning: Automatic or manual radio assignment
Forwarding Modes: Local (CAP handles traffic) vs Manager (CAPsMAN handles traffic)
Certificates: For secure CAP-to-CAPsMAN DTLS connections

Common CAPsMAN Issues

Problem	Solution
CAP not connecting	Check discovery interface, use bridge not ethernet
SSIDs not broadcasting	Reset AP to CAP mode, check provisioning rules
Slow performance	Enable local forwarding in datapath
iPhone disconnects	Use 40MHz on 5GHz, 20MHz on 2.4GHz, fix channels not auto

Performance Optimization

Channel Selection

2.4 GHz: Use channels 1, 6, or 11 only (non-overlapping)

# Fixed channels for 2.4GHz
/interface wifi channel add band=2ghz-n frequency=2412 name=ch1
/interface wifi channel add band=2ghz-n frequency=2437 name=ch6
/interface wifi channel add band=2ghz-n frequency=2462 name=ch11

Verify channel configuration:

/interface wifi channel print

5 GHz: More options, avoid DFS if possible

# Common 5GHz channels (non-DFS)
/interface wifi channel add frequency=5180,5200,5220,5240 name=5ghz band=5ghz-n/ac

TX Power

# Set TX power (in dBm)
/interface wifi set wifi1 tx-power=20

Rule of thumb: Start low and increase only if needed. Too high = more interference, worse performance.

Throughput Tips

Use 5 GHz whenever possible - more channels, less congestion
80 MHz channels for max throughput, 20/40 MHz for reliability
Enable local forwarding in CAPsMAN datapath for better performance
Limit signal strength to reduce co-channel interference
Use iperf3 for testing, not RouterOS built-in speed test

Security: WPA2/WPA3

Security Profile Options

# WPA2-PSK (most compatible)
/interface wifi security add authentication-types=wpa2-psk passphrase=password name=wpa2

# WPA3-SAE (latest, most secure)
/interface wifi security add authentication-types=wpa3-psk passphrase=password name=wpa3

# WPA2/WPA3 mixed
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk passphrase=password name=mixed

Verify security profiles:

/interface wifi security print

Fast Roaming (802.11r)

For seamless roaming between APs:

/interface wifi security add authentication-types=wpa2-psk ft=yes ft-r0-key-lifetime=10000 \
  ft-mobility-domain=1234 passphrase=password name=fast-roam

Verify fast roaming is enabled:

/interface wifi security print

Important:

All APs must be managed by the same RouterOS instance
WPA2-only works best; WPA3 has device compatibility issues
Android devices may have problems with WPA3 roaming

See Fast Roaming (802.11r/k/v) for detailed configuration and troubleshooting.

Enterprise (RADIUS)

/interface wifi security add authentication-types=wpa2-eap eap-certificate-mode=verify-certificate \
  name=enterprise radius-called-format=mac:ssid radius-mac-format=xx:xx:xx:xx:xx:xx

Troubleshooting

Common Problems and Solutions

No WiFi interface appears

Check RouterOS version and packages (/system package print)
New WiFi requires wifi + wifi-qcom-ac or wifi-qcom packages
Legacy wireless requires wireless package

Slow speeds

Switch to 5 GHz
Reduce channel width
Lower TX power
Check for interference (/interface wifi scan)

Client disconnects

WPA2/WPA3 mixed mode issues - try WPA2-only
Check DHCP lease times
Enable 802.11w management frame protection
Update RouterOS (7.3.1 fixed many WPA issues)

CAPsMAN won’t see CAPs

Use bridge as discovery interface, not ethernet
Check firewall allows CAPsMAN ports
Verify CAP is in CAP mode

Debug Commands

# Scan for networks
/interface wifi scan wifi1

# View connected clients
/interface wifi registration-table print

# Enable wireless debug logs
/system logging add topics=wireless,debug action=memory

# Check signal levels
/interface wifi registration-table print where interface=wifi1

Summary: Getting WiFi Right

Choose the right system: Legacy wireless (MIPS) vs New WiFi (ARM with WifiWave2)
Use 5 GHz for performance, 2.4 GHz for range/compatibility
Fixed channels beat auto-select
CAPsMAN for 3+ APs
WPA2 for best compatibility, WPA3 if you need latest security
802.11r for fast roaming (WPA2-only works best)
Keep RouterOS updated - many WiFi fixes in 7.3.1+