Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added description for configuration.client-isolation


As of the release of RouterOS 7.1, this means it is compatible with 4 devices:

  1. hAP ac³ (non-LTE)*
  2. Audience*
  3. Audience LTE6 kit*
  4. RB4011iGS+5HacQ2HnD**



  The wifiwave2 package is not compatible with CAPsMAN. And does not yet offer wireless meshing (4-address mode).



The 2.4GHz wireless interface on the RB4011iGS+5HacQ2HnD is not compatible with the wifiwave2 package. It will not be usable with the package installed.


  • WPA3 authentication and OWE (opportunistic wireless encryption)
  • 802.11w standard management frame protection
  • MU-MIMO and beamforming
  • 400Mb/s maximum data rate in the 2.4GHz band for IPQ4019 interfaces



chains (list of integer 0..7 )

Radio chains to use for receiving signals. Defaults to all chains available to the corresponding radio hardware.

client-isolation (no | yes)

  • yes - AP will not forward traffic between client devices connected to it
  • no -  AP will forward traffic between client devices connected to it

Default: no

country (name of a country)

Determines, which regulatory domain restrictions are applied to an interface. Defaults to "United States".

Note: It is important to set this value correctly to comply with local regulations and ensure interoperability with other devices.

hide-ssid (no | yes)

  • yes - AP does not include its SSID in beacon frames, and does not reply to probe requests that have broadcast SSID.

  • no - AP includes its SSID in the beacon frames, and replies to probe requests that have broadcast SSID.

Default: no

mode (ap | station)

Interface operation mode

  • ap (default) - interface operates as an access point
  • station - interface acts as a client device, scanning for access points advertising the configured SSID
ssid (string)The name of the wireless network, aka the (E)SSID. No default value.
tx-chains (list of integer 0..7)Radio chains to use for transmitting signals. Defaults to all chains available to the corresponding radio hardware.
tx-power (integer 0..40)A limit on the transmit power (in dBm) of the interface. Can not be used to set power above limits imposed by the regulatory profile. Unset by default.


Enterprise wireless security with User Manager v5

Resetting configuration


Assigning VLAN tags to wireless traffic can be achieved by following the generic bridge VLAN example here.

Resetting configuration

Wifiwave2 interface configurations can be reset by using the 'reset' command.


Access list provides multiple ways of filtering and managing wireless connections.

RouterOS will check each new connection to see if its parameters match parameters specified in any access list rule. This will happen when a connection is established and periodically after that.

The rules are checked in the order they appear in the list. Only management actions specified in the first matching rule are applied to the connectioneach connection.

Connections, which have been accepted by an access list rule, will be periodically checked, to see if they remain within the permitted time and signal-range. If they do not, they will be terminated.


Take care when writing access list rules which reject clients. After being repeatedly rejected by an AP, a client device may start avoiding it.


Filtering parameters
allow-signal-out-of-range (time period)

Modifies the signal-range parameter to still match established connections for a given length of time, even if their signal is outside the specified range.

Default: 0s.

interface (interfaceinterface (interface | interface-list | 'any')Match if connection takes place on the specified interface or interface belonging to specified list. Default: any.
mac-address (MAC address)Match if the client device has the specified MAC address. No default value.
mac-address-mask (MAC address)

Modifies the mac-address parameter to match if it is equal to the result of performing bit-wise AND operation on the client MAC address and the given address mask.

Default: FF:FF:FF:FF:FF:FF (i.e. client's MAC address must match value of mac-address exactly)

signal-range (min..max)Match if the strength of received signal from the client device is within the given range. Default: '-120..120'
ssid-regexp (regex)Match if the given regular expression matches the SSID.
time (start-end,days)Match during the specified time of day and (optionally) days of week. Default: 0s-1d


Action parameters
allow-signal-out-of-range (time period | 'always')

The length of time which a connected peer's signal strength is allowed to be outside the range required by the signal-range parameter, before it is disconnected.

If the value is set to 'always', peer signal strength is only checked during association.

Default: 0s.

action (accept | reject | query-radius)

Whether to authorize a connection

  • accept - new connections are accepted, established connections are maintainedreject - new connections are rejected, established connections are interruptedconnection is allowed
  • reject - connection is not allowed
  • query-radius - new connections are accepted   connection is allowed if MAC address authentication of the client's MAC address succeeds

Default: accept

passphrase (string)Override the default passphrase with given value. No default value.
radius-accounting (no | yes)Override the default RADIUS accounting policy with given value. No default value.

MAC address authentication

Implemented through the query-radius action, MAC address authentication is a way to implement a centralized whitelist of client MAC addresses using a RADIUS server.