Multiple APs and SSIDs with Mikrotik RouterOS 7
I replaced my old Mikrotik hardware recently. The oldest AP was almost fifteen years old, and Mikrotik still delivered OS upgrades for it: Fantastic. I'm a fan.
But I replaced it. My new setup involves three APs (my home has a very difficult layout) and four SSIDs. Setting it up was a little too tricky, RouterOS 7.14 is substantially different from both of the older approaches (capsman
and interface wifiwave2
). Mikrotik's documentation mostly explains it, this posting explains it differently.
Each AP is a router, and forwards incoming packets. This includes packets that arrive from a wifi station such as a laptop.
Each AP makes its own radios available as interfaces on the main AP. The main AP sends packets using these interfaces, but it does not receive.
The APs must be switched together, not routed together. Many devices assume that all APs provide access to the same DHCP leases. This effectively requires that a broadcast packet sent to any AP reaches the same DHCP server. I think most configurations will involve one VLAN per SSID, and bridge interfaces.
The only sensible way to combine VLANs and a bridge is now to set physical interfaces as ports, and then configure which VIDs can be received and sent on each physical interface. If you want to assign an IP address to a particular VID, you use interface vlan add
to create an interface with the right VID on the bridge, and assign the address to the vlan interface.
Bridges are separately configured on each AP. interface wifi
configures the wifi interfaces of satellite APs, but it does not configure bridge interfaces.
That's it. That's all you really need to understand.
In my case, the main Mikrotik AP is called chanel, and one of the others is called miu-miu. Both serve an SSID called tralala. I have a laptop called attovax that's currently connected to miu-miu.
A packet from attovax to the general internet goes from attovax to miu-miu, which sees that its wlan2 interface is connected to a bridge with VID 7. That bridge is also connected to an ethernet cable for which VID 7 is enabled, and after passing through an ethernet switch, the packet arrives at my border router. Note that this packet does not pass through chanel.
Return traffic from the internet arrives at chanel, which routes it to its corresponding bridge and assigns it VID 7. Chanel has an interface called miu-miu2, which is also connected to the same bridge and has VID 7. The packet goes out over miu-miu2, which is really a tunnel, and is physically sent by miu-miu's radio. Note that this packet does pass through chanel, but does not pass through miu-miu's bridge.
Simple? At least it's understandable, given the points above.