MikroTik Wireless Optimization Guide | Boost Performance & Security

Byadmin
Share
Tweet
Share
Pin
0 Shares

Let’s see how to optimize your MikroTik-based wireless network.

1. Introduction: The Wireless Battleground

High-density networks and IoT devices demand reliable wireless performance. Users expect fast, secure connectivity. MikroTik provides powerful wireless features. This power requires careful configuration. Unoptimized wireless becomes a bottleneck. It impacts user productivity and network security. This guide delivers actionable optimization strategies. You will transform your MikroTik wireless network.

2. Pre-Flight Check: Know Your Airspace

Effective optimization starts with planning. 80% of wireless issues stem from poor site surveys. Understand your RF environment before configuring devices.

2.1. Site Survey Tools

  • MikroTik Built-in Tools:
    • /interface wireless scan: Discovers nearby access points and channels.
    • /interface wireless freq-monitor: Shows real-time frequency usage.
    • /interface wireless snooper: Captures wireless packets for analysis.
    • /interface wireless spectral-history: Displays spectrum analyzer data.
  • External Tools:
    • NetSpot (Free/Paid): Heatmap generation and interference detection.
    • Wireshark: Protocol analysis and spectrum monitoring.
    • Acrylic Wi-Fi Analyzer: Real-time channel monitoring.

2.2. Key Survey Actions

  • Measure Signal-to-Noise Ratio (SNR): Target >25 dB for reliable performance.
  • Identify co-channel interference from neighboring APs.
  • Map signal propagation to locate dead zones.
  • Document existing APs, channels, and 802.11 standards (a/b/g/n/ac/ax).
  • Check for DFS events if using 5 GHz bands: /log print.

3. Core Configuration: Tuning MikroTik for Peak Performance

Apply your survey findings to the configuration. Follow these best practices.

3.1. Band & Channel Strategy

Choose bands and channels based on environment and client capabilities.

Band Characteristics Use Case
2.4 GHz Longer range, higher interference (3 non-overlapping channels). Legacy devices only. Avoid for high-performance networks.
5 GHz Higher throughput, more channels, less congestion. Primary band for modern devices (802.11ac/ax).
6 GHz (Wi-Fi 6E) Interference-free spectrum, very high throughput. Use if supported (e.g., hAP ax³).

Channel Width Guidelines

  • 20 MHz: Use as default. Minimizes interference.
  • 40/80 MHz: Use only in low-interference environments. Monitor for co-channel interference.
  • 160 MHz: Requires contiguous DFS spectrum. Use only if you control the entire spectrum.

Transmit Power Settings

  • Avoid maximum power. High power causes distortion.
  • Recommended: tx-power-mode=all-rates-fixed with tx-power=17-21 dBm.
  • Adjust based on environment: Start at 17 dBm and increase only if needed.

Example Configuration:

/interface wireless set [find name="wlan1"] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX tx-power-mode=all-rates-fixed tx-power=19
/interface wireless set [find name="wlan1"] frequency=5180

3.2. Protocol Selection: 802.11, NV2, Nstreme

Choose the correct protocol for your use case.

Protocol Best For Key Settings Avoid When
802.11 General use, multi-vendor compatibility hw-protection-mode=rts-cts High interference environments
NV2 Point-to-Multipoint, low latency nv2-cell-radius=10 (adjust for density) Mixed vendor environments
Nstreme Point-to-Point, maximum throughput nstreme=yes, framer-limit=3200 VoIP or real-time traffic

NV2 Configuration Example:

/interface wireless set [find name="wlan1"] protocol=nv2 nv2-cell-radius=10 nv2-preshared-key=YourStrongPassphrase

3.3. Security Hardening

Wireless networks are prime attack targets. Implement strong security.

Encryption Standards

  • Use WPA2-AES exclusively. TKIP is vulnerable.
  • For enterprise: Use WPA2-EAP with RADIUS.

Authentication

  • PSK (Pre-Shared Key):
    • Use strong passphrases (minimum 14 characters, mix character types).
    • Rotate passphrases quarterly.
  • EAP (Extensible Authentication Protocol):
    • Secure your RADIUS server (use IPsec or strong firewall rules).
    • Disable legacy EAP types (e.g., MD5, LEAP).

Additional Security Measures

  • Disable WPS: wps-mode=disabled.
  • Hide SSID: hide-ssid=yes (limited value but recommended).
  • Enable 802.11w (PMF): management-protection=required.
  • Use Access Lists: 
    /interface wireless access-list add interface=wlan1 mac-address=AA:BB:CC:DD:EE:FF allow-signal-out-of-range=10s

4. Scaling to the Enterprise: CAPsMAN Deep Dive

Centralized management simplifies large deployments. CAPsMAN provides centralized control.

4.1. CAPsMAN Architecture

  • CAPsMAN Router: Dedicated device (e.g., CCR2004) for management.
  • CAPs (Controlled APs): hAP ax², hAP ax³, cAP ax devices.
  • Datapaths: Isolate traffic using VLANs: 
    /interface wireless cap set caps-man-addresses=192.168.88.1
/interface wireless cap set bridge=bridge1 vlan-mode=use-tag

4.2. Critical CAPsMAN Configurations

  • Provisioning: Auto-provision CAPs using MAC or identity: 
    /caps-man provisioning add action=create-dynamic-enabled master-configuration=YourConfig
  • Channel Plans: Define per band: 
    /caps-man channel add band=5ghz-a/n/ac name="5GHz-Channels" frequency=5180,5200,5220,5240
  • Security: Push certificates for EAP: 
    /caps-man configuration add name=SecureConfig security.authentication-types=wpa2-eap security.eap-methods=passthrough

4.3. Roaming Optimization

  • Set fast handoff: reselect-interval=1s.
  • Increase hardware retries: hw-retries=7.
  • Steer clients to 5 GHz/6 GHz using Access Lists: 
    /caps-man access-list add action=accept interface=all signal-range=-70..120

CAPsMAN Redundancy (VRRP):

/interface vrrp add name=vrrp1 interface=ether1 vrid=1 priority=100
/caps-man set enabled=yes manager=vrrp1

5. QoS: Taming the Wireless Beast

Wireless is a half-duplex medium. Prioritize critical traffic.

5.1. WMM (Wi-Fi Multimedia)

  • Enable WMM: wmm-support=enabled.
  • WMM Access Categories:
    • VO (Voice): Highest priority.
    • VI (Video): Second priority.
    • BE (Best Effort): Default.
    • BK (Background): Lowest priority.

5.2. Traffic Marking and Queueing

Use Mangle to mark traffic and Queue Trees for prioritization.

Traffic Marking Examples

/ip firewall mangle add chain=prerouting protocol=udp dst-port=5060,10000-20000 dscp=46 action=mark-packet new-packet-mark=voip-up
/ip firewall mangle add chain=postrouting protocol=udp dst-port=5060,10000-20000 dscp=46 action=mark-packet new-packet-mark=voip-down

Queue Tree Configuration

/queue tree add name="voip-up" parent=global packet-mark=voip-up priority=1 max-limit=5M
/queue tree add name="voip-down" parent=global packet-mark=voip-down priority=1 max-limit=5M
/queue tree add name="default" parent=global packet-mark=no-mark priority=8 max-limit=50M

5.3. PCQ for Fair Sharing

Use PCQ when traffic types are unknown.

/queue type add name="pcq-up" kind=pcq pcq-classifier=src-address pcq-rate=1M
/queue type add name="pcq-down" kind=pcq pcq-classifier=dst-address pcq-rate=1M
/queue simple add name="LAN-Users" target=bridge1 queue=pcq-up/pcq-down max-limit=10M

6. Monitoring, Maintenance & Troubleshooting

Proactive management prevents issues.

6.1. Proactive Monitoring

Key Metrics

  • CCQ (Client Connection Quality): >90% indicates healthy link. Check with: 
    /interface wireless registration-table print stats
  • Retransmission Rate: <10%. High rates indicate interference.
  • Data Rate vs. Throughput: Throughput should be 60-70% of negotiated rate.
  • Latency/Jitter: Use ping and traceroute.

Monitoring Tools

  • The Dude: Auto-discovers devices, creates maps, sends alerts.
  • SNMP: Monitor using Zabbix or LibreNMS. Track OIDs:
    • mtxrWlRtabStrength: Signal strength.
    • mtxrWlRtabCCQ: CCQ percentage.
  • Packet Sniffer: Capture traffic to file or stream to Wireshark: 
    /tool sniffer set filter-interface=wlan1
/tool sniffer start file=wireless.pcap

6.2. Maintenance Tasks

  • Firmware Updates:
    • Test updates in a lab first.
    • Check change logs: MikroTik ChangeLogs.
    • Update process: 
      /system package update check-for-updates
/system package update install
  • Preventive Reboots: Schedule during maintenance windows: 
    /system scheduler add name="Weekly-Reboot" on-event="/system reboot" interval=7d
  • Antenna Calibration: Re-run site surveys every 6 months.

6.3. Troubleshooting Common Issues

Slow Speeds

  • Check negotiated rates: 
    /interface wireless registration-table print
  • Test throughput between devices: 
    /tool bandwidth-test address=192.168.88.2 protocol=tcp duration=10s
  • Look for DFS events in logs: 
    /log print where topics~"wireless"

Intermittent Drops

  • Increase hardware retries: 
    /interface wireless set [find] hw-retries=15
  • Verify country regulations for DFS: 
    /interface wireless info country-info us

Authentication Failures

  • Verify RADIUS server status: 
    /radius print stats
  • Check firewall rules for UDP 1812/1813.

7. Conclusion

You now have a comprehensive optimization strategy. Follow these steps:

  1. Conduct a thorough site survey.
  2. Configure bands, channels, and protocols based on your environment.
  3. Implement strong security measures.
  4. Use CAPsMAN for large-scale deployments.
  5. Apply QoS to prioritize critical traffic.
  6. Monitor, maintain, and troubleshoot proactively.

Optimization is an ongoing process. Regularly review your network performance. Adjust configurations as your environment changes. MikroTik provides enterprise features at an affordable price. Master these techniques to build a high-performance wireless network.

Check our list of MikroTik guides.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *