How do I set up Wi-Fi to be the safest for RB951Ui-2HnD

I have RB951Ui-2HnD with RouterOS 7.20. I do not use a default configuration and only use Ether1 for the ISP + wlan1 on my laptop and mobile phone.

I live in a very crowded place with many random people, and some of them might want to get free Internet access through hacking.

What technologies and options do I need to use to set up more secure Wi-Fi on Mikrotik?

Deepseek gave me recommendations, but it told me that it’s not very useful because every option has its threats.
Should I use a RADIUS server, hotspot, access list, default forward, default authentication, etc.?

When using RouterOS v7, you can use wpa3-psk. By using access lists, you can do MAC filtering.

You sure?

If you need that much security...
Ignore the Wi-Fi security and only provide access to a VPN on the device via Wi-Fi.
There are various solutions; this way, they "can" still access the wireless network somehow,
but then they're faced with another, even more secure, layer of protection.

If you only use those two devices, you could run the Wi-Fi with just the two MACs of your two devices assigned statically and allowed.

The attacker would have to guess both the Wi-Fi password AND one of the two allowed MACs (and won't be able to connect anyway if both are connected, and/or would have to guess the "other" one if you are using one).

More secure...

I think you missed the fact: RB951Ui-2HnD

RB951Ui-2HnD is MIPSBE architecture. There is only the wireless package available. Legacy wireless has no WPA3 support.

Based on this quoted fact and the kind of questions you ask: please start with the default configuration. The default configuration is actually a secure starting point. You can harden your wireless afterwards by using access lists, etc.
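As an added example (not from any poster and not MikroTik's own documentation), the hardening that the posts above describe, written out for the legacy wireless package on a 7.x RB951Ui-2HnD: WPA2-PSK with AES only, default-authentication off, and the two known stations whitelisted in the access list. The SSID, passphrase and MAC addresses are placeholders to be replaced.

```routeros
# Added example, not from the thread. Assumes RouterOS 7.x with the legacy
# "wireless" package on wlan1. SSID, passphrase and MACs are placeholders.

# 1. Security profile: WPA2-PSK only (no WPA1/TKIP), AES-CCM only, and
#    802.11w protected management frames. Legacy wireless has no WPA3.
#    If a client cannot associate with "required", fall back to "allowed".
/interface wireless security-profiles
set [ find default=yes ] mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE" \
    management-protection=required

# 2. wlan1: refuse any station not listed in the access list
#    (default-authentication=no), block client-to-client forwarding
#    (default-forwarding=no) and disable WPS.
/interface wireless
set wlan1 mode=ap-bridge ssid="REPLACE-SSID" security-profile=default \
    default-authentication=no default-forwarding=no wps-mode=disabled

# 3. Access list in "white" mode: only the laptop and the phone may associate.
#    This is a nuisance for an attacker, not a security boundary: MACs are
#    transmitted in the clear and can be cloned, so the PSK above is what
#    actually protects the network.
/interface wireless access-list
add interface=wlan1 mac-address=AA:AA:AA:AA:AA:01 comment="laptop (placeholder MAC)"
add interface=wlan1 mac-address=AA:AA:AA:AA:AA:02 comment="phone (placeholder MAC)"

# 4. Check: only the two whitelisted stations should ever appear here.
/interface wireless registration-table print
```

Re-run the registration-table print after a few hours of normal use; any entry that is not one of the two listed MACs means either a misconfiguration or a cloned address.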

I also think it needs hardware support, not just software, if I'm not mistaken...

You’re right. But I worry that others are using my internet access for unintentional actions. Spam, etc.

RB951Ui-2HnD doesn’t support wpa3-psk. The device also has to support it at a hardware level. Do you mean to use MAC filtering from the access list?

If you set up a VPN, as I wrote for example, they can't do anything, not even accidentally.
Wireless becomes just a method of connecting to the RouterBOARD,
where you then have to set up a secure VPN to be able to do ANYTHING...

I looked at the default configuration (/export file=config.rsc) and found nothing that stood out. I took some firewall rules from the default configuration and adapted them for the current configuration.
Maybe there are some hidden items?

I am now using the access list (in white mode). Deepseek told me that it’s not a problem for the hacker to get my MAC addresses, because he can easily
get them on the radio channel. What do you think about that?

Ah, well, if Deepseek says so I guess It Is settled.

My cousin has used this approach successfully since the late '90s, but, to be fair, his home and workplace are not in very crowded areas.

The 1990s are a long time ago... Today, the number of threats has increased significantly. There is no reason to distrust DeepSeek. If my laptop has a Wi-Fi module that sends traffic and the handshake can be stolen, why can’t the MAC address be stolen? Moreover, the Wi-Fi driver can work in P2P mode.

It's true though. Even with the newest WPA3, both the MAC addresses and the SSID being communicated with are in cleartext over the radio, and everyone nearby can see them using normal Wi-Fi adapters. Wi-Fi access control by MAC address, as well as hiding (not broadcasting) the SSID, are both useless methods that are extremely easy to bypass.

I chose the RADIUS server and installed it entirely on MikroTik: User Manager v5 as a RADIUS server.
It wasn’t very easy, but after a few days of setup everything works fine. If evaluated according to DeepSeek’s recommendation, it will be really safe.
I created a script, and the router can be reset and set up with a new certificate within 15 minutes.
I don’t know why so little is said about it. It could easily make more people work safely on Wi-Fi (particularly over WPA2).
This is the link to start setting up your RADIUS server.

Thank you for your expertise