Configuring wireless on wAP R from zero (2024)

Good question. IMO, the defaults in recent RouterOS are pretty good. And, it acts like any common home router by default. So you don't necessarily need to do very much.

Here are some general pointers & most are just considerations, rather than "you MUST do this":

0. The most important thing is NOT to use "admin" and/or even the default password. So create your own account, using a different username and complex password, and put the new user in the "full" group to use as the "admin" account. Then remove (or disable) the admin account.

1. Upgrade firmware RouterBOOT and set "auto-update=yes" for automatic updates - https://help.mikrotik.com/docs/spaces/R ... outerBOARD
- To check/update the firmware, it's in System > RouterBoard in webfig/winbox
- If you enable autoupdate it applies ONLY the firmware & means that if you upgrade RouterOS and reboot, then reboot a 2nd time, the latest firmware will be upgraded. RouterOS cannot do BOTH OS and firmware in one step... I just set the auto-update once, and "reboot twice" when upgrading RouterOS packages as routine in future.
- Especially for LTE, the firmware version matching the RouterOS version may avoid some issues.

2. Upgrade LTE modem - see https://help.mikrotik.com/docs/spaces/R ... areupgrade

3. Think about if "device-mode" changes are needed - https://help.mikrotik.com/docs/spaces/R ... evice-mode
- RouterOS has the ability to disable certain features, this reduces the attack surface.
- Specific to wAP R, I cannot imagine any changes being needed - but newer devices might want/need to enable container
- The defaults are pretty reasonable in 7.16 (but may change in future) ... but if you're really not using IPSec or PPTP, etc, you can theoretically disable them.

4. Remove unused /ip/services - https://help.mikrotik.com/docs/spaces/R ... P+Services
- disable any of the ftp, api, etc protocols (unless you're using them)
- the web/browser admin interface, webfig, needs http and/or https - but if only using winbox to manage, then even http is not needed

5. Disable /interface/detect-internet - https://help.mikrotik.com/docs/spaces/R ... t+Internet
- this may be enabled by default, and does NOT do exactly what the name implies & is mostly useless
- but... detect-internet being enabled can have nasty and potentially surprising side effects
- to disable set the "detect-interface-list" to "none" (its dialog box is under Interfaces in winbox/webfig from the button)

6. Do "something" with /ipv6/settings
- See docs https://help.mikrotik.com/docs/spaces/R ... v6Settings
- if your LTE carrier/WAN does not have an IPv6 address, or you are not using IPv6... I'd recommend disabling it using "disable-ipv6=yes"
- and if disabled in /ipv6/settings, you'd likely want to disable it in the LTE APN settings too: set the mode to ipv4 if you disable IPv6, see https://help.mikrotik.com/docs/spaces/R ... PNprofiles
- If you want to use IPv6, the defaults are okay, but IPv6 typically requires tweaking based on the ISP or cell carrier. The specifics of LTE with IPv6 depend a lot on the carrier, so it's not generally a simple "cut-and-paste" of some config since it depends on a carrier's specific IPv6 topology/schemes.

7. WireGuard - https://help.mikrotik.com/docs/spaces/R ... /WireGuard - ... or QuickSet + L2TP
- One thing to note is QuickSet does support adding "VPN" via a checkbox on the QuickSet window. This enables getting an IPSec+L2TP VPN setup pretty automatically (using vpn as user, and "password" is the PSK and password AFAIK) so that's one option, although you might go to /ip/ipsec to secure the account further
- WireGuard also works, and the docs describe the steps, and in most cases it requires limited firewall modification.
- Both WireGuard and L2TP require one end to have a public IP; since this is not common with LTE, the other end of the connection would need to have a public IP (and WG or IPSec being enabled as a "responder", see docs)

8. /tool/watchdog and /tool/netwatch
- The hardware watchdog (i.e. for kernel panics or a frozen router) is enabled by default, which reboots the router. I'd recommend making sure that's enabled. See https://help.mikrotik.com/docs/spaces/R ... 4/Watchdog
- You'd likely also want to enable the "ping watchdog" and use the same DNS server as RouterOS is using in /ip/dns. What this does is if a ping fails for the period configured (see doc links above), it will automatically reboot the router. The LTE interface might have some future problem/issue, and rebooting the entire router might potentially get LTE running again. So if remote... you'd want it to reboot if the WAN link was down, to perhaps/hopefully, get back in....
- /tool/netwatch has a lot of similar options, but it's not a checkbox... rather a somewhat more sophisticated scheme than the plain "ping watchdog" & it takes some scripting to take any action. See https://help.mikrotik.com/docs/spaces/R ... 8/Netwatch
- If using LTE, adding a netwatch that runs every 1 second can sometimes help a little with LTE speeds/latency/etc and maintaining CA - cell towers prioritize active users. So if there are periods of NO traffic on LTE, keeping a "heartbeat" going using netwatch might prevent the tower from re-allocating things on the LTE session. LTE bandwidth is somewhat a "use it or lose it" situation.

9. Limiting LAN(s) /ip/firewall/filter or /interface/bridge/filter or /routing/rules
- By default, all devices can talk to all other devices on LAN, including the routers... If this is what you want, no change to firewall should be needed.
- And all inbound ports (other than ping and IPSec) are blocked to LAN; a /ip/firewall/nat with a dst-nat (or QuickSet) is how you do "port forwarding" - but LAN is protected by the default config without changes.
- If you want to "block" some devices from communicating with other devices, the specifics matter... VLANs are a typical way to separate/control traffic since crossing VLANs causes the traffic to flow through the router where an IP firewall filter can be applied.
- But even without a VLAN, you can certainly restrict some LAN devices from reaching the internet via a /routing/rule using "src-address=192.168.88.xx action=drop" - https://help.mikrotik.com/docs/spaces/R ... cy+Routing
- Also, without a VLAN, you can restrict traffic between two [LAN] ports on the wAP R router using https://help.mikrotik.com/docs/spaces/R ... geFirewall

10. If public IP, think about enabling DDNS
- since you're using LTE, may not be possible... and really only needed if using webfig or VPN/etc services that use certificates...
- but it's likely a good idea to get a certificate for https in /ip/services since that will encrypt webfig's traffic, so you can disable http in /ip/services
- Mikrotik supports Let's Encrypt and has a built-in DDNS service - BUT it requires a public IP on WAN, which is not likely with LTE.

11. Specific to DHCP client and LTE APN, you may want to disable "Use Peer DNS" and manually set the DNS servers in /ip/dns - https://help.mikrotik.com/docs/spaces/R ... 748767/DNS
- by default the LTE or other WAN's DNS servers are used, but in nearly all cases using one of the public DNS servers will be better, to avoid having no DNS set in future - i.e. if LTE gets disabled, the DNS servers go away too. Now if LTE is the only internet, it kinda does not matter - but if you add a 2nd WAN etc, then using a fixed set of DNS servers avoids a lot of problems with multiwan routing.
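As an added example (not part of the original post), the following RouterOS v7 CLI script applies the steps above in one pass, in the order the post lists them. Everything in it is an assumption except the command paths the post names: the user name "netadmin" and its placeholder password, the public resolvers 1.1.1.1 and 9.9.9.9, the LAN host 192.168.88.50 used for the routing-rule step, and the built-in APN profile named "default". The RouterBOOT property is spelled `auto-upgrade` under /system/routerboard/settings. Steps 2, 7 and 10 (LTE modem upgrade, VPN, DDNS/certificates) are hardware- or carrier-specific and are left out.

```routeros
# Added example, not from the original post. Assumed values: user "netadmin",
# a placeholder password, resolvers 1.1.1.1 / 9.9.9.9, LAN host 192.168.88.50
# and the APN profile named "default". Some steps reboot or disconnect you.

# 0. Replace the default "admin" account with a named full-rights user.
/user add name=netadmin group=full password="CHANGE-ME-to-a-long-passphrase"
/user disable admin

# 1. RouterBOOT firmware: follow the RouterOS version automatically. The new
#    firmware is applied on the next reboot, hence "reboot twice" after a
#    RouterOS package upgrade.
/system routerboard settings set auto-upgrade=yes
/system routerboard print

# 3. Device-mode: list the allowed features. Turning one off needs a
#    confirmation (reset button or power cycle) within the time it prints,
#    so the update line is left commented for review.
/system device-mode print
# /system device-mode update pptp=no

# 4. Management services: keep ssh, winbox and www-ssl; drop the clear-text
#    and unused ones. Disable www too if winbox is the only management tool.
/ip service disable [find name~"^(telnet|ftp|api|api-ssl)$"]
/ip service print

# 5. detect-internet: "none" stops it from acting on any interface list.
/interface detect-internet set detect-interface-list=none

# 6. IPv6 off globally and on the LTE APN profile (carrier gives no IPv6).
/ipv6 settings set disable-ipv6=yes
/interface lte apn set [find name=default] ip-type=ipv4 use-peer-dns=no

# 8. Watchdog: hardware timer plus ping watchdog against the resolver set in
#    step 11; the router reboots if pings fail for ping-timeout.
/system watchdog set watchdog-timer=yes watch-address=1.1.1.1 \
    ping-timeout=60s ping-start-after-boot=5m
#    Netwatch heartbeat: a 1 s ICMP probe keeps the LTE session "active".
/tool netwatch add host=9.9.9.9 type=icmp interval=1s comment="LTE heartbeat"

# 9. Policy routing: drop routed traffic from one LAN host (same-subnet LAN
#    traffic is bridged, not routed, so this only cuts its internet access).
/routing rule add src-address=192.168.88.50/32 action=drop \
    comment="no internet for this host"

# 11. Fixed resolvers instead of whatever the WAN hands out.
/ip dhcp-client set [find] use-peer-dns=no
/ip dns set servers=1.1.1.1,9.9.9.9 allow-remote-requests=yes
/ip dns print
```

Paste it over an SSH or winbox terminal session rather than over http, since step 4 removes telnet and the API; verify with the `print` lines that each setting landed before moving on, and keep the device-mode change for last because its confirmation step interrupts the session.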

Article information

Author: Duane Harber