While wireless is available in the most hotels these days, the good old ethernet cable seems to be disappearing bit by bit. That means you cannot simply plug-in your own wireless and have it just work. Having a device capable of bridging two wireless networks is becoming a necessity. Why would you even bother, you wonder?
One reason is convenience - if you always connect to your own wireless access point, you have everything setup and ready to go without annoying web prompts. Particularly handy if you bring your Roku or Chromecast with you as they generally have no provisions for even entering user name/password combination.
Other reason is security. Connecting to an open network (or one with widely known key) means every single device is fully exposed to snooping gremlins hiding around. And you will be surprised how much data is actually not encrypted. Yes, having your own wireless doesn’t necessarily fix that as you still go over unprotected media but it is a necessary first step. In one of the future posts we can talk about connecting over VPN and how to skin that particular cat.
For me a favorite wireless-to-wireless bridge device was aging Asus WL-330gE. Unfortunately, the device hasn’t had any update in ages and using alternative firmware makes wireless bridging functionality much more difficult than it should be.
Lately I’ve been using two Mikrotik mAP lite devices back-to-back. One serves the function of a wireless client toward the hotel’s wireless while the other is an access point with VPN on board. As I needed one mAP for another project of mine, I started to wonder how to setup the same device to be both wireless client and an access point.
This guide is going to assume you are to enter commands into the New Terminal window from WinBox. That way I will simply repeat commands needed instead of going through the screens. Commands are actually quite descriptive and easy to “translate” into GUI actions if that is your preference.
Assuming you start with fresh mAP lite, first order of business is connecting to its default wireless network and cleaning the whole router out. This will allow connecting WinBox via the cable to the router’s MAC address as default configuration assumes that port is intended for WAN.
/system
reset-configuration no-defaults=yes skip-backup=yes
Since all is deleted, pretty much the only thing one can do is connect to ethernet port and use neighbor discovery on your Mikrotik. When device is found, just connect using the MAC address.
If we do not know exact wireless network we are interested in, we can enable wireless and perform a scan to see what is around.
/interface wireless
scan wlan1
Once we wither find network by scan or because we already new its name, it is time to set it up. Of course, security profile mode and all other parameters must match network you are connecting to.
/interface
wireless security-profiles add name=client-profile mode=^^dynamic-keys^^ authentication-types=wpa2-psk wpa2-pre-shared-key=^^hotel_wireless_password^^
wireless set wlan1 ssid=^^hotel_network_name^^ security-profile=client-profile frequency=auto disabled=no
This is actually one of rare situations where it is probably worth actually using GUI and wireless Scanner tool instead of getting all this sorted out manually. Regardless, if all went well, you should see upper case R next to the wlan1 interface.
As we destroyed the whole network configuration, we need to setup DHCP client on wlan1 interface so we can obtain IP. This is a nice second checkpoint as you should see the hotel’s IP address getting assigned to your router.
/ip
dhcp-client add interface=wlan1 disabled=no
address print
Now that we have client sorted out, we need to create the access point. That involves setting up a security profile, creating the access point interface on top of the existing wlan1, getting its DHCP server interface sorted out, NAT, and lastly the basic firewall.
/interface
wireless security-profiles add name=ap-profile mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=^^access_point_password^^
wireless add name=ap-wlan master-interface=wlan1 mode=ap-bridge ssid=^^access_point_network_name^^ security-profile=ap-profile disabled=no
/ip
address add interface=ap-wlan address=192.168.89.1/24
dhcp-server network add address=192.168.89.0/24 gateway=192.168.89.1
pool add name=ap-pool ranges=192.168.89.10-192.168.89.99
dhcp-server add name=ap-dhcp interface=ap-wlan address-pool=ap-pool disabled=no
/ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade
/ip firewall filter
add chain=forward action=accept in-interface=wlan1 connection-state=established,related disabled=no
add chain=forward action=accept out-interface=wlan1 disabled=no
add chain=forward action=drop disabled=no
/system reboot
Assuming everything went fine, after reboot, you will have your access point going through hotel’s wireless.
This setup is not necessarily the most comfortable one as every time you want to connect to new network you will have to use WinBox over the ethernet cable. And no, you cannot use access point for configuration since access point is only active if its master - hotel’s connection - is running.
Again no, you cannot do it other way round - have the access point as the main wireless interface and station as slave because you need to have station tracking for your hotel’s access point. If you setup your access point first, you will need to set its frequency to match hotel’s access point at all times. That doesn’t play well if you roam through hotel and see APs with the same name and different frequency nor it will play well if AP changes its frequency, for example, due to radar detection.
However, this setup gives you the full power of Mikrotik to use in a wireless bridge at the cost of a single device.
Me? I’ll stick to my double mAP method.
PS: Yes, you could work around the need for Ethernet cable but it gets complicated enough that it is not worth the trouble.
PPS: Yes, firewall is VERY basic.
