Will try to describe my Warehouse wireless network setup based on Mikrotik solutions:

Plan

WareHouse Dimensions
height ~ 8 meters
lenght ~ 50 meters
widht ~ 30 meters

WareHouse-Photo

WareHouse-General-Plan

WareHouse-General-Scheme

General Description

1. We use USGw01(RB433UAH) for Internet access of entire office(Office Area).
2. USGw01 also used for Mesh Setup as DHCP Server and Firewall.
3. On warehouse we use Wireless Barcode Scanners - Symbol MC3090 as wireless clients.
4. They are working only with server in LAN(Office Area).
5. Scanners should have access only for DNS server(for name resolving) and for WarehouseServer.
6. All WAP have Static IP.
7. All Scanners have Dynamic IP obtained from DHCP Server(USGw01).
8. In this setup Wireless security settings are not described. And you will get network secured only by MAC. If you want to secure your WAP by authentication you should create an appropriate security profile and assign it to your WAP interface - on all WAP.
   
   
   RB433UAH

Setup mesh interface# add mesh interface
interface mesh add name=mesh-interface

assign ports to the mesh interface

interface mesh port add interface=ether2-warehouse mesh=mesh-interface

add ip to the mesh interface

ip address add address=192.168.14.1/24 interface=mesh-interfaceSetup DHCP serverip pool add name=warehouse-dhcp-ip-pool ranges=192.168.14.230-192.168.14.253
ip dhcp-server add name=warehouse-dhcp-server interface=mesh-interface lease-time=12:00:00 address-pool=warehouse-dhcp-ip-pool always-broadcast=yes disabled=no
ip dhcp-server network add address=192.168.14.0/24 gateway=192.168.14.1 netmask=24 dns-server=192.168.13.1Setup static leases for scanners# T001
ip dhcp-server lease add address=192.168.14.231 mac-address=00:00:00:00:00:01 server=warehouse-dhcp-server lease-time=0 address-list=US-WH-Scanners disabled=no comment=“Scanner T001”

T002

ip dhcp-server lease add address=192.168.14.232 mac-address=00:00:00:00:00:02 server=warehouse-dhcp-server lease-time=0 address-list=US-WH-Scanners disabled=no comment=“Scanner T002"Setup NTP Clientsystem ntp client set enabled=yes mode=unicast primary-ntp=64.73.32.134 secondary-ntp=38.229.71.1Setup NTP Serversystem ntp server set broadcast=no broadcast-addresses=”" enabled=yes manycast=no multicast=noSetup address list on firewallip firewall address-list add address=192.168.13.1 comment=“admin01” disabled=no list=Gw-admins
ip firewall address-list add address=192.168.13.2 comment=“linux for backups to SVN” disabled=no list=Gw-admins
ip firewall address-list add address=192.168.13.1 disabled=no list=US-Srv-DNS
ip firewall address-list add address=192.168.13.1 disabled=no list=US-Srv-WareHouseServer
ip firewall address-list add address=192.168.14.201 comment=WAP1 disabled=no list=US-WH-WAP
ip firewall address-list add address=192.168.14.202 comment=WAP2 disabled=no list=US-WH-WAP
ip firewall address-list add address=192.168.14.203 comment=WAP3 disabled=no list=US-WH-WAP
ip firewall address-list add address=192.168.14.204 comment=WAP4 disabled=no list=US-WH-WAP

US-WH-Scanners - dynamic via DHCPSetup firewalls rules for WAP zone# Input chain

ip firewall filter add action=accept chain=input comment=“Drop invalid connections” connection-state=invalid disabled=no
ip firewall filter add action=accept chain=input comment=“Allow Established connections to Gateway” connection-state=established disabled=no
ip firewall filter add action=accept chain=input comment=“Allow Related connections to Gateway” connection-state=related disabled=no
ip firewall filter add action=accept chain=input comment=“Allow SG Network Core: NTP on LAN” disabled=no dst-port=123 in-interface=!ether1-wan-primary protocol=udp

Forward chain

General rules

ip firewall filter add action=accept chain=forward comment=“Drop invalid connections” connection-state=invalid disabled=no
ip firewall filter add action=accept chain=forward comment=“Allow Established connections to Any” connection-state=established disabled=no
ip firewall filter add action=accept chain=forward comment=“Allow Related connections to Any” connection-state=related disabled=no

From Mesh to LAN

ip firewall filter add action=accept chain=forward comment=“Allow Network Core: ICMP from Mesh” disabled=no in-interface=mesh-wap out-interface=bridge-lan protocol=icmp
ip firewall filter add action=accept chain=forward comment=“Allow Scanners to DNS - US-WH-Scanners” disabled=no dst-address-list=US-Srv-DNS dst-port=53 in-interface=mesh-wap out-interface=bridge-lan protocol=udp src-address-list=US-WH-Scanners
ip firewall filter add action=accept chain=forward comment=“Allow Scanners to WareHouseServer - US-WH-Scanners” disabled=no dst-address-list=US-Srv-WareHouseServer dst-port=80 in-interface=mesh-wap out-interface=bridge-lan protocol=tcp src-address-list=US-WH-Scanners
ip firewall filter add action=log chain=forward comment=“Log any other from scanners” disabled=yes in-interface=mesh-wap
ip firewall filter add action=drop chain=forward comment=“Drop any other from scanners” disabled=no in-interface=mesh-wap

From LAN to Mesh

ip firewall filter add action=accept chain=forward comment=“Allow SG Network Core: ICMP to WAP” disabled=no dst-address-list=US-WH-WAP in-interface=!ether1-wan-primary out-interface=mesh-wap protocol=icmp
ip firewall filter add action=accept chain=forward comment=“Allow SG Network Core: ICMP to Scanners” disabled=no dst-address-list=US-WH-Scanners in-interface=!ether1-wan-primary out-interface=mesh-wap protocol=icmp
ip firewall filter add action=accept chain=forward comment=“Allow SG Remote Access: Winbox for admins on WAP” disabled=no dst-port=8291 in-interface=!ether1-wan-primary out-interface=mesh-wap protocol=tcp src-address-list=Gw-admins
ip firewall filter add action=accept chain=forward comment=“Allow SG Remote Access: SSH for backup WAP” disabled=no dst-port=22 in-interface=!ether1-wan-primary out-interface=mesh-wap protocol=tcp src-address-list=Gw-admins
ip firewall filter add action=accept chain=forward comment=“Allow SG Monitoring: SNMP on WAP segment” disabled=no dst-port=161 in-interface=bridge-lan out-interface=mesh-wap protocol=udp
ip firewall filter add action=log chain=forward comment=“Log any other to scanners” disabled=yes out-interface=mesh-wap
ip firewall filter add action=drop chain=forward comment=“Drop any other to scanners” disabled=no out-interface=mesh-wapRB751U-2HnD

Install the following packages

# WAP1/WAP2/WAP3/WAP4
system
routerboard                          
dhcp                     
wireless                     
security
advanced-tools

Setup mesh interface# WAP1/WAP2/WAP3/WAP4
interface mesh add name=mesh-interface
interface mesh port add interface=ether1 mesh=mesh-interface
interface mesh port add interface=wlan1 mesh=mesh-interfaceSetup IP on the WAP# WAP1
ip address add address=192.168.14.201/24 interface=mesh-interface

WAP2

ip address add address=192.168.14.202/24 interface=mesh-interface

WAP3

ip address add address=192.168.14.203/24 interface=mesh-interface

WAP4

ip address add address=192.168.14.204/24 interface=mesh-interfaceSetup wireless interface# WAP1/WAP2/WAP3/WAP4
interface wireless set wlan1 disabled=no mode=ap-bridge band=2ghz-b/g/n frequency=2452 ssid=Mikrotik-Mesh default-authentication=no default-forwarding=noTuning wireless settings# WAP1/WAP2/WAP3/WAP4

ban Scanners with low signal strength

interface wireless access-list add interface=wlan1 mac-address=00:00:00:00:00:00 signal-range=-80 authentication=no forwarding=noAdd Scanner to ALC on WAP# WAP1/WAP2/WAP3/WAP4

T001

interface wireless access-list add disabled=no authentication=yes forwarding=no interface=wlan1 mac-address=00:00:00:00:00:01 comment=“Scanner T001”

T002

interface wireless access-list add disabled=no authentication=yes forwarding=no interface=wlan1 mac-address=00:00:00:00:00:02 comment=“Scanner T002"Setup default route# WAP1/WAP2/WAP3/WAP4
ip route add dst-address=0.0.0.0/0 gateway=192.168.14.1Setup SSH access to WAP devices# WAP1/WAP2/WAP3/WAP4
ip service set ssh port=22Setup time synchronization# WAP1/WAP2/WAP3/WAP4
system clock set time-zone-name=America/Detroit
system ntp client set enabled=yes mode=unicast primary-ntp=192.168.14.1Disable unused services# WAP1/WAP2/WAP3/WAP4
ip service disable ftp
ip service disable telnet
ip service disable www
ip service disable www-sslCreate user for monitoring purpose# WAP1/WAP2/WAP3/WAP4
/user group add name=monitoring policy=winbox,read comment=“Group for monitoring purpose”
/user add name=dude password=”********" group=monitoring address=192.168.13.1/32 comment="User for Dude monitoring"Setup backup to SVN
Backup Mikrotik config to Subversion/SVN repository via SSH


Add new scanner to WareHouse wireless network

Add new scanner to ACL on RB751U-2HnD# This must be done on all AP in Mesh

T0XY

interface wireless access-list add disabled=no authentication=yes forwarding=no interface=wlan1 mac-address=00:00:00:00:00:03 comment="Scanner T0XY"Add static lease on RB433UAH# T0XY
ip dhcp-server lease add address=192.168.14.2zz mac-address=00:00:00:00:00:03 server=warehouse-dhcp-server lease-time=0 address-list=US-WH-Scanners disabled=no comment=“Scanner T0XY”
Testing

Scan from Mikrotik

Android Wi-Fy Analyser - in center of WareHouse

Android Wi-Fy Analyser - WareHouse perimeter

Test (Android) when WAP1 goes down, device connect to WAP2

Test (PC) when WAP1 goes down, device connect to WAP2

Live

The Dude

WAP3 Registration Table

Comments

1. Clients see only one network with SSID Mikrotik-Mesh and they don’t know anything about 4 AP.
2. Now is ROS 5.18.
3. Scanners are Motorola Symbol MC3000, MC3100.
4. Traffic from scanners is very low.
5. Scanners have access only to DNS and Web servers in LAN.
6. Hopefully this will be useful for someone.

In answer to your comment.

1. Clients see only one network with SSID Mikrotik-Mesh and they don’t know anything about 4 AP.

What are you expecting? Mesh is not some magic setting that turns a cheap access point into a Ruckus supporting seamless handoff.

Firstly, you dont need mesh. Get rid of it.
Set the access points to run on non overlapping channels. 1, 6, 11, 1 and drop the power output.
Set an access rule to drop clients with -80 signal (may help)

Clients will still drop from one access point (when they decide) and connect to another, with a few seconds max disconnect.
That is normal behaviour and no settings or tweaking will fix it.

This should not cause a problem for the scanners, we have a lot in fruit picking warehouses (and fields) that work on the same basis and they work flawlessly.

TheWiFiGuy

What are you expecting? Mesh is not some magic setting that turns a cheap access point into a Ruckus supporting seamless handoff.

I want only one SSID per my Warehouse - not four

This should not cause a problem for the scanners, we have a lot in fruit picking warehouses (and fields) that work on the same basis and they work flawlessly.

I can’t see any troubles with my wireless setup.

What’s is your question?

This is for me ?

I only shared my experience.

Thank you for sharing your setup! I hope it will help somebody to build his own

are u using the same freq. to all of the AP? if so, why havent you select channels 1 6 11?

Setup wireless interface

# WAP1/WAP2/WAP3/WAP4
interface wireless set wlan1 disabled=no mode=ap-bridge band=2ghz-b/g/n frequency=2452 ssid=Mikrotik-Mesh default-authentication=no default-forwarding=no

Have you seen what Wireless scanner see in case with different channels ?

I saw that, but some people are saying that you should altering 1 6 and 11. but you only runs on one channel. howcome? what is best?

I have not tested my wireless scanners with AP on different channels.
I want an easy setup of scanners with one SSID.
I don’t know that will be with 4 AP on different channel and same SSID and I think this depends of MU device.
I works without issue. Now this is a production and I don’t want to touch it.

Multi AP Same SSID
Wireless client roaming
WLAN coverage for large area. Whats the best practice?
Try to force roaming. How to force roaming.
Smoth hopping on roaming mobile client, is this possible?
WIFI Roaming within different l2 domains?
Mesh setup
Are there any large WLAN clouds made with mikrotik
Mikrotik Roaming Ready?
Fast Roaming support - 802.11r
Mesh WDS headaches… HWMPplus mixed wired wireless help
ROAMING
Roaming
Best way to achieve Fast Roaming?
Seemless Roaming?
Anyone running mesh networks
Wireless for a school
IEEE 802.11r or IEEE 802.11F
wireless client roaming
Mikrotik + (centralized) wireless controller?
Capacity Planning for 25,000 user venue
Problems trying to set up WDS network
WDS vs Mesh vs MME
how do you setup seamless roaming with WDS?
Mikrotik roaming solution
Roaming Plan
wireless automatic connection
5 Mikrotiks and one ssid how?
MME and Dynamic WDS Mesh?
Symbol scan gun issues

Most of these topics say that we should setup 4 AP on different channels and same SSID.

The “whole” point of MESH is in this case is to be able to use 1 channel/ssid and have (as far as the clients is concerned) one big roaming network with good coverage all over.

The kind of setup above that refer to different separate channels 1, 6, 11 would only be relevant if (as far as the clients is concerned) u wish to make several standalone APs with same SSIDs , so clients can semi-roam between them whenever they come within reach of the client.

These are two totally different topologies that work approximatly the same, but has different pros and cons. (MESH: Example: cons: reduced/half speed over wireless. Pro: Needs only 1 channel to operate all APs. / Ordinary several APs with same SSID and different channels: Example: cons: Must have different channels for each AP. Pro:Full speed for wireless links.)

If u scan for wireless networks from the Client if u have a MESH network as described, the Client will only see 1(One) network present with good signal even though there are 4 APs present.
In other setup the same scan will probably show 4 different APs/networks with same SSID, but different signalstrenghts depending on your distance to the different APs.

I hope this was a short and understandable explanation on the difference.

Feel free to correct me if I am unclear!

Why ? This is not WDS.

Sorry, didn’t read it well enough, and made assumptions.
Disregard my comments.

So you can run all APs on the same channel whitout running WDS?

For example in my site where I have a rb1100 whit ports 1 - 10 bridge and connected to 10 AP via cable. The AP have the eth and the wlan interface bridged. Now I’am running channel 1, 6 and 11.

If I put them all on the same channel I will get faster roaming ?

Ty for sharing

Enviado desde mi GT-I9100 usando Tapatalk 2

That is incorrect.

Mesh setting does not change how the wireless works, its a protocol that deals with how the links are managed. Running multiple access points on the same SSID, same frequency will still produce multiple SSIDS in a scan, as the beacons are will show the MAC. Setting it on non overlapping channels will work better if they are wired. Of course, if they are wireless you need to stick to one channel for the WDS links to work (and yes, Mesh uses WDS links)

so is this a true mesh network setup? I’ve seen conflicting stories everywhere of using WDS and whether not it is meant for a true mesh network setup? I have followed these instructions from what Slesh posted. I want to make sure that the RB751U is setup as a fail over in the event one gets unplugged. Any suggestions or am I on the right track?

I want to make sure that the RB751U is setup as a fail over in the event one gets unplugged

You can see on my tests that MU device is reconnected to another AP when first is Down.

Slech - I’m running into an issue where I need to have multiple of these RB751’s wired and the rest setup in Mesh. So how would that work? I tried making the ones wired setup as the Mesh portal but still isn’t working properly. I do have them all setup and most of it’s working but I can’t figure out how to get this to work. Any ideas or do you know what I am doing wrong? I also followed this tutorial as well http://wiki.mikrotik.com/wiki/Wireless_WDS_Mesh.

Are the running a truck whit the scanner or do they walk?