Versions Compared

Old Version 36

changes.mady.by.user Toms Filatovs

Saved on

compared with

New Version 37

changes.mady.by.user Toms Filatovs

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Fixed typo, regtable definitions, updated highlighter.

The wifiwave2 package offers a new wireless driver, supporting 802.11ac Wave 2 features and an alternative configuration menu. Installing it disables other means of configuring wireless interfaces, including CAPsMAN.

It can be downloaded as part of the 'Extra Packages' archive for the latest ARM release of RouterOS 7.Note: Before trying

Warning

Installing the wifiwave2 package disables other means of configuring wireless interfaces.

Before installation, make sure to back up any wireless and CAPsMAN configuration you may want to

...

retain.


 Requirements

The wifiwave2 package is compatible with IPQ4019 and QCA9984 wireless interfaces and is only available for ARM builds of RouterOS v7. It also requires 14MB of free space and at least 256MB of RAM.

...

Note:
PropertyDescription
arp (disabled | enabled | local-proxy-arp  | proxy-arp | reply-only)Address Resolution Protocol mode:
  • disabled - the interface will not use ARP
  • enabled - the interface will use ARP (default)
  • local-proxy-arp - the router performs proxy ARP on the interface and sends replies to the same interface
  • proxy-arp - the router performs proxy ARP on the interface and sends replies to other interfaces
  • reply-only - the interface will only reply to requests originated from matching IP address/MAC address combinations which are entered as static entries in the ARP table. No dynamic entries will be automatically stored in the ARP table. Therefore for communications to be successful, a valid static entry must already exist.
arp-timeout (time interval | 'auto')Determines how long a dynamically added ARP table entry is considered valid since the last packet was received from the respective IP address.
Value auto equals to the value ofarp-timeout in/ip settings, which defaults to 30s.

channel.band (2ghz-g | 2ghz-n | 2ghz-ax | 5ghz-a | 5ghz-ac | 5ghz-an | 5ghz-ax)

Supported frequency band and wireless standard. Defaults to newest supported standard.
Note that band support is limited by radio capabilities.

channel.frequency (list of integers or integer ranges)

Anchor
frequency-syntax
frequency-syntax
For an interface in AP mode, determines frequencies (in MHz) to consider when picking control channel center frequency.

For an interface in station mode, determines frequencies on which to scan for APs.

Leave unset (default) to consider all frequencies supported by the radio and permitted by the applicable regulatory profille.

The parameter can contain 1 or more comma-separated values of integers or, optionally, ranges of integers denoted using the syntax RangeBeginning-RangeEnd:RangeStep

Examples of valid channel.frequency values:

  • 2412
  • 2412,2432,2472
  • 5180-5240:20,5500-5580:20
channel.secondary-frequency (list of integers | 'disabled') 

Frequency (in MHz) to use for the center of the secondary part of a split 80+80MHz channel.

Only official 80MHz channels (5210, 5290, 5530, 5610, 5690, 5775) are supported.

Leave unset (default) for automatic selection of secondary channel frequency.

channel.skip-dfs-channels  (10min-cac | all | disabled)

Whether to avoid using channels, on which channel availability check (listening for presence of radar signals) is required.

  • 10min-cac - interface will avoid using channels, on which 10 minute long CAC is required
  • all - interface will avoid using all channels, on which CAC is required
  • disabled (default) - interface may select any supported channel, regardless of CAC requirements

channel.width ( 20mhz | 20/40mhz | 20/40mhz-Ce | 20/40mhz-eC | 20/40/80mhz | 20/40/80+80mhz20/40/80/160mhz)

Width of radio channel. Defaults to widest channel supported by the radio hardware.

configuration.chains (list of integer 0..7 )

Radio chains to use for receiving signals. Defaults to all chains available to the corresponding radio hardware.

configuration.country (name of a country)

Determines, which regulatory domain restrictions are applied to an interface. Defaults to "United States".

Note: It is important to set this value correctly to comply with local regulations and ensure interoperability with other devices.

configuration.hide-ssid (no | yes)

  • yes - AP does not include its SSID in beacon frames, and does not reply to probe requests that have broadcast SSID.

  • no - AP includes its SSID in the beacon frames, and replies to probe requests that have broadcast SSID.

Default: no

configuration.mode (ap | station)

Interface operation mode

  • ap (default) - interface operates as an access point
  • station - interface acts as a client device, scanning for access points advertising the configured SSID
configuration.ssid (string)The name of the wireless network, aka the (E)SSID. No default value.
configuration.tx-chains (list of integer 0..7)Radio chains to use for transmitting signals. Defaults to all chains available to the corresponding radio hardware.
configuration.tx-power (integer 0..40)A limit on the transmit power (in dBm) of the interface. Can not be used to set power above limits imposed by the regulatory profile. Unset by default.
disable-running-check (no | yes)

  • yes - interface's running property will be true whenever the interface is not disabled

  • no (default) - interface's running property will only be true when it has established a link to another device

disabled (no | yes) (X)

Hardware interfaces are disabled by default. Virtual interfaces are not.

mac-address (MAC)

MAC address (BSSID) to use for an interface.

Hardware interfaces default to the MAC address of the associated radio interface.

Default MAC addresses for virtual interfaces are generated by

  1. Taking the MAC address of the associated master interface

  2. Setting the second-least-significant bit of the first octet to 1, resulting in a locally administered MAC address

  3. If needed, incrementing the last octet of the address to ensure it doesn't overlap with the address of another interface on the device

master-interface (interface)

Multiple interface configurations can be run simultaneously on every wireless radio.

Only one of them determines the radio's state (whether it is enabled, what frequency it's using, etc). This  'master' interface, is bound  to a radio with the corresponding radio-mac.

To create additional ('virtual') interface configurations on a radio, they need to be bound to the corresponding master interface.

No default value.

name (string)

A name for the interface. Defaults to wifiN, where N is the lowest integer that has not yet been used for naming an interface.

security.authentication-types (list of wpa-psk, wpa2-psk, wpa-eap, wpa2-eap, wpa3-psk, owe, wpa3-eap, wpa3-eap-192)

Authentication types to enable on the interface.

The default value is an empty list (no authenticaion, an open network).

Configuring a passphrase, adds to the default list the wpa2-psk authentication method (if the interface is an AP) or both wpa-psk and wpa2-psk (if the interface is a station).

Configuring an eap-username and an eap-password adds to the default list wpa-eap and wpa2-eap authentication methods.

security.dh-groups (list of 19, 20, 21)

Identifiers of elliptic curve cryptography groups to use in SAE (WPA3) authentication.

security.disable-pmkid (no | yes)Whether to include PMKID into the EAPOL frame sent out by the Access Point. Disabling PMKID can cause compatibility issues with devices that use the PMKID to connect to an Access Point.
  • yes - Do not include PMKID in EAPOL frames.
  • no (default) - include PMKID in EAPOL frames.


Info

The properties related to EAP, which are listed below, are only relevant to interfaces in station mode. APs delegate EAP authentication to the RADIUS server.


security.eap-accounting (no | yes)Explicitly enable accounting packets for RADIUS EAP authentication. Default: no.
security.eap-anonymous-identity (string)Optional anonymous identity for EAP outer authentication. No default value.
security.eap-certificate-mode (dont-verify-certificate | no-certificates | verify-certificate | verify-certificate-with-crl)

Policy for handling the TLS certificate of the RADIUS server.

  • verify-certificate (default) - require server to have a valid certificate. Check that it is signed by a trusted certificate authority.
  • dont-verify-certificate - Do not perform any checks on the certificate.
  • no-certificates - Do not use certificates. TLS session is established using 2048 bit anonymous Diffie-Hellman key exchange.
  • verify-certificate-with-crl - Same as verify-certificate, but also checks if the certificate is valid by checking the Certificate Revocation List.
security.eap-methods (list of peap, tls, ttls)EAP methods to consider for authentication. Defaults to all supported methods.
security.eap-password (string)Password to use, when the chosen EAP method requires one. No default value.
security.eap-tls-certificate (certificate)Name or id of a certificate in the device's certificate store to use, when the chosen EAP authentication method requires one. No default value.
security.eap-username (string)Username to use when the chosen EAP method requires one. No default value.
security.encryption (list of  ccmp, ccmp-256, gcmp, gcmp-256, tkip)

A list of ciphers to support for encrypting unicast traffic.

Defaults to ccmp.

security.group-encryption(ccmp | ccmp-256 | gcmp | gcmp-256 | tkip)

Cipher to use for encrypting multicast traffic.

Defaults to ccmp.

security.group-key-update (time interval 30s..1h)

Interval at which the group temporal key (key for encrypting broadcast traffic) is renewed. Defaults to 5 minutes.

security.management-encryption (cmac | cmac-256 | gmac | gmac-256)

Cipher to use for encrypting protected management frames. Defaults to cmac.

security.management-protection (allowed | disabled | required)

Whether to use 802.11w management frame protection. Incompatible with management frame protection in standard wireless package.

Default value depends on value of selected authentication type (WPA (1) does not support MFP, while WPA3 requires it).

security.owe-transition-interface (interface)

Name or internal id of an interface whose MAC address and SSID to advertise as the matching AP when running in OWE transition mode.

Required for setting up open APs that offer OWE, but also work with older devices that don't support the standard. See configuration example below.

security.passphrase (string of up to 63 characters)

Passphrase to use for PSK authentication types. Defaults to an empty string - "".

WPA-PSK and WPA2-PSK authentication requires a minimum of 8 chars, while WPA3-PSK does not have minimum passphrase length.

security.sae-anti-clogging-threshold ('disabled' | integer)

Due to SAE (WPA3) associations being CPU resource intensive, overwhelming an AP with bogus authentication requests makes for a feasible denial-of-service attack.

This parameter provides a way to mitigate such attacks by specifying a threshold of in-progress SAE authentications, at which the AP will start requesting that client devices include a cookie bound to their MAC address in their authentication requests. It will then only process authentication requests which contain valid cookies.

Default: disabled.

security.sae-max-failure-rate ('disabled' | integer)Rate of failed SAE (WPA3) associations per minute, at which the AP will stop processing new association requests. Defaults to disabled.
security.wps (disabled | push-button)
  • push-button (default) - AP will accept WPS authentication for 2 minutes after 'wps-push-button' command is called. Physical WPS button functionality not yet implemented.
  • disabled - AP will not accept WPS authentication

...

Wifiwave2 interface configurations can be reset by using the 'reset' command.

Code Block
languagerosros1
/interface/wifiwave2 reset wifi1

...

Basic password-protected AP

Code Block
languagerosros1
/interface/wifiwave2 
set wifi1 disabled=no configuration.ssid=MikroTik \
security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=8-63_characters

...

This configuration is referred to as OWE transition mode.

Code Block
languagerosros1
/interface/wifiwave2
add master-interface=wifi1 name=wifi1_owe configuration.ssid=MikroTik_OWE \
security.authentication-types=owe security.owe-transition-interface=wifi1 \
configuration.hide-ssid=yes
set wifi1 configuration.ssid=MikroTik security.authentication-types="" security.owe-transition-interface=wifi1_owe
enable wifi1,wifi1_owe

...

ParameterDescription
duration (time interval)Length of time to perform the scan for before exiting. Useful for non-interactive use. Not set by default.
freeze-frame-interval (time interval)Time interval at which to update command output. Default: 1s.
frequency (list of frequencies/ranges)Frequencies to perform the scan on. See channel.frequency parameter syntax above for more detail. Defaults to all supported frequencies.
number numbers (string)Either the name or internal id of the interface to perform the scan with. Required. Not set by default.
rounds (integer)Number of times to go through list of scannable frequencies before exiting. Useful for non-interactive use. Not set by default.
save-file (string)Name of file to save output to. Not set by default.

...

An AP can be made to accept WPS authentication by a client device for 2 minutes by running the following command.

Code Block
languagerosros1
/interface/wifiwave2 wps-push-button wifi1

...

ParameterDescription
duration (time interval)Length of time after which the command will time out if no AP is found. Unlimited by default.
interval (time interval)Time interval at which to update command output. Default: 1s.
mac-address (MAC)Only attempt connecting to AP with the specified MAC (BSSID). Not set by default.
number numbers (string)Name or internal id of the interface with which to attempt connection. Not set by default.
ssid (string)Only attempt to connect to APs with the specified SSID. Not set by default.

...

ParameterDescription
authorized (boolean) (A)True when the peer has successfully authenticated.
bytes (list of integers)Number of bytes in packets transmitted to a peer and received from the peer and sent to it.
interface (string)Name of the interface, which was used to associate with the peer.
mac-address (MAC)The MAC address of the peer.
packets (list of integers)Number of packets transmitted to a peer and received from the peer and sent to it.
rx-rate (string)Bitrate of received transmissions from peer.
signal (integer)

Strength of signal received from the peer (in dBm).

tx-rate (string)Bitrate used for transmitting to the peer.
uptime (time interval)Time since association.

...

Wireless peers can be manually de-authenticated (forcing re-association) by removing them from the registration table.

Code Block
languagerosros1
/interface/wifiwave2/registration-table remove [find where mac-address=02:01:02:03:04:05]

...