WIRELESS NETWORKING
Connect MikroTik to an open WiFi network and provide Internet over LAN and WLAN
We’ll show you how to set up a network, where you can assign and manage your local IP addresses and connect it to a public WiFi for internet access.

During our recent hackathon (Diffusion 2019 in Berlin), we’ve built a project that heavily relied on all devices being in one physical network where we could assign and manage their IPs. The hackathon’s venue had excellent WiFi coverage but — for obvious reasons — we were unable to access the network’s management interface. So we decided to set up our own private LAN/WLAN using a MikroTik Router. Our goal was to go from this:

to this:

Our router of choice was MikroTik’s RB952Ui-5ac2nD (or hAP ac lite for short). It has five Ethernet ports and two WLAN antennas — one working in the 2.4GHz and the other working in the 5GHz range. When MikroTik is in its default configuration, ether1 is an Internet port and ether2-ether5 & both WLAN interfaces are bridged. An internal DHCP Server handles IP assignment to the bridged devices.
The idea was simple. Why not take one of the wireless interfaces and use it to connect to the on-premise WiFi network? All that we had to do was:
- De-assign ether1 as WAN interface and assign it to the bridge
- Turn one of the wireless interfaces into a WAN interface and connect it to an existing wireless network.
Luckily the routers from this Latvian company are configurable beyond everything a mere mortal might need. MikroTik’s devices run a Linux-based operating system called RouterOS. It exposes a configuration interface through a web application, CLI and through a proprietary application called WinBox (which sadly is a Windows-only application but it will run under Wine).
In this walkthrough, we’ll demonstrate how to set up your hAP ac lite using the command line — because the command line is just awesome.
1. Resetting MikroTik router
ATTENTION: Make sure to perform all modifications using a wired network connection with your laptop connected to port LAN2, LAN3, LAN4 or LAN5. Wireless connection will most likely drop during this process and the Internet port is a designated WAN port hence there will be no access to the router when MikroTik is in its default configuration.
Before we start, you’ll need to reset the router configuration to factory settings:

All you need to do is simply SSH into your MikroTik and execute the following command:
/system reset-configuration
Once you confirm, the router will be rebooted. At this point, you might have to remove the router’s previous entry from the ~/.ssh/known_hosts file on your computer or else the following message will appear after the first post-reset SSH connection attempt:

Once you successfully SSH into the router, confirm that you’d like to retain the default settings. They will serve as a starting template for all of our changes. The entire reset-configuration process should not take longer than a minute or so.
2. Configuring the wireless security profile
First, we’ll need to configure the wireless security profiles. RouterOS uses the security profiles for:
- securing its own wireless network
- connecting to any guest wireless network.
In our case, we’ll require two profiles. The first one will be used to authenticate users wanting to connect to the WiFi network provided by the MikroTik router. SSH into your device and execute the following set of commands (don’t forget to select your own WiFi passphrase and replace MySecretPassword below):
/interface wireless security-profiles
set [ find default=yes ] \
authentication-types=wpa-psk,wpa2-psk \
mode=dynamic-keys \
supplicant-identity=MikroTik \
wpa-pre-shared-key=MySecretPassword \
wpa2-pre-shared-key=MySecretPassword
The second profile will be used to connect to the on-premise wireless network. It should contain the authentication-types and credentials of the network we will be trying to establish a connection with:
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk \
management-protection=allowed \
mode=dynamic-keys name=dac_office \
supplicant-identity=MikroTik \
wpa-pre-shared-key=MySecretPassword \
wpa2-pre-shared-key=MySecretPassword
3. Configuring the wireless interfaces
Now that we have prepared the profiles, let’s configure the wireless interfaces. As we’ve mentioned before, the hAP ac lite has two: wlan1 working in the 2.4GHz range and wlan2 working in the 5GHz range. We will use the 5GHz one to connect to an existing access point to provide better internet speed. First, we must investigate the on-premise wireless network we’ll be trying to establish a connection with:
/interface wireless scan wlan2
The output will look more or less like the one below:

What you’re looking for is the number value in the CHANNEL section of the output:

Here we’re connecting to the WiFi network called DAC. Since we’re scanning it with a wlan2 interface, only the 5GHz range networks are displayed. In our example, the DAC network is running on channel 40 (center frequency is 5200).
With that information, we can proceed and set up the interfaces. First, the wlan1 interface. We will configure it to serve as MikroTik’s Access Point (the one our computers will be connecting to). It will use the default security profile and expose a WLAN with SSID DAC_PrivateNetwork:
/interface wireless
set [ find default-name=wlan1 ] \
band=2ghz-b/g/n \
disabled=no frequency=2412 \
mode=ap-bridge \
ssid=DAC_PrivateNetwork \
wireless-protocol=802.11
The second one will be used to connect to an existing on-premise network. Pay attention to the security-profile parameter! Its value should correspond to the security profile we have created with the credentials of the guest wireless network we will be connecting with:
/interface wireless
set [ find default-name=wlan2 ] \
band=5ghz-a/n/ac \
channel-width=20/40mhz-Ce \
disabled=no \
distance=indoors \
frequency=5200 \
mode=station-bridge \
security-profile=dac_office \
ssid=DAC \
wireless-protocol=802.11
4. Configure the interface lists members
Looking good so far. Now we must configure the interface lists. MikroTik comes with two predefined ones: LAN and WAN. Both come with a set of pre-configured parameters for LAN and WAN connectivity respectively. By default, the ether1 is assigned to WAN list and ether2-ether5, wlan1 and wlan2 are bridged and assigned to the LAN list. Let’s identify the interface number associated with the WAN:
/interface list member print
In our case it was the number 1; we can remove ether1 from the WAN list with a simple command:
/interface list member remove numbers=1
Now we can assign the wlan2 interface to the WAN list:
/interface list member
add comment=defconf interface=wlan2 list=WAN
5. Configuring the bridge
We’re almost there. As we’ve mentioned before, ether2-ether5 as well as wlan1 and wlan2 interfaces are bridged in the default configuration. We need to change that. The wlan2 interface must be removed from the bridge and the ether1 port must be added to it. First, let’s identify the number of the wlan2 port in the bridge configuration:
/interface bridge port print
In our case, it is the number 5. We can now easily drop it from the bridge:
/interface bridge port remove numbers=5
Now let’s add the ether1 interface to the bridge and conclude the bridge setup:
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
6. Wrapping up — configuring the DHCP client
Great! One final thing to do. We need to configure the DHCP-client to be associated with the wlan2 interface. Our working assumption is that the wireless network we are connecting to has a DHCP server that will assign an IP address to our router (just as it would assign it to your laptop, should you connect to it directly):
/ip dhcp-client
add comment=defconf \
dhcp-options=hostname,clientid \
disabled=no \
interface=wlan2
You’re all set! Once the final command is executed, within seconds you should be online.
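
The interface-list and bridge changes from steps 4 and 5, together with a WPA2-only variant of the step 2 profile, as an added example that is not part of the original walkthrough. It selects entries with find instead of the item numbers shown by print, and assumes the factory default configuration (a bridge named bridge, lists LAN and WAN) and the interface names used above; MySecretPassword is a placeholder.

```routeros
# Added example, not the authors' commands. Assumes the factory default
# configuration and the interface names used in the steps above.

# Step 2, hardened: WPA2-PSK with AES-CCM only for the router's own network.
# Clients that only support WPA/TKIP will no longer be able to join.
# MySecretPassword is a placeholder; choose your own passphrase.
/interface wireless security-profiles
set [ find default=yes ] \
    mode=dynamic-keys \
    authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm \
    group-ciphers=aes-ccm \
    wpa2-pre-shared-key=MySecretPassword

# Step 4 without item numbers: select list members by interface name, so the
# result does not depend on the order in which "print" numbers the entries.
/interface list member remove [ find list=WAN interface=ether1 ]
:if ([:len [/interface list member find list=WAN interface=wlan2]] = 0) do={
    /interface list member add list=WAN interface=wlan2 comment="uplink over guest WiFi"
}

# Step 5 without item numbers: wlan2 leaves the bridge, ether1 joins it.
/interface bridge port remove [ find interface=wlan2 ]
:if ([:len [/interface bridge port find interface=ether1]] = 0) do={
    /interface bridge port add bridge=bridge interface=ether1
}

# Checks: in the default configuration the firewall and NAT rules match on
# the LAN and WAN lists, so the guest WiFi side must be a WAN member and must
# not be a bridge port, or it is treated like the trusted LAN.
:if ([:len [/interface list member find list=WAN interface=wlan2]] = 0) do={
    :put "WARNING: wlan2 is not in the WAN list"
}
:if ([:len [/interface bridge port find interface=wlan2]] > 0) do={
    :put "WARNING: wlan2 is still a bridge port"
}

# Review the input-chain rules that protect the router itself.
/ip firewall filter print where chain=input
```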
7. Closing remarks
Bear in mind that this is not the most optimal network configuration. You are behind a double NAT (MikroTik’s and the one in the on-premise network), but you have the ability to assign static IP addresses within your own private network. If you’re looking for a permanent solution, you should definitely do your research, but for our short-term use case, it was more than enough.
Have fun!

