Community discussions

MikroTik App
 
gfunkdave
newbie
Topic Author
Posts: 45
Joined: Tue Jan 09, 2018 12:05 am

mAP Lite as travel router?

Tue Jan 09, 2018 12:10 am

I'm thinking of getting into the Mikrotik world and thought the mAP Lite would make a nice travel router. I can't seem to find info on a couple questions I have, though.

1. Can I use the mAP Lite in WISP mode, where it pulls in a public wifi signal and NATs to a private wifi network I create for my devices?
2. After initial configuration, can I connect wirelessly to the mAP Lite to have it connect to a new public wifi network, such as when arriving at a new hotel and connecting to the hotel's network? I had previously tried a travel router using OpenWRT, and it made me plug an ethernet cable into it if it didn't have a wifi connection - annoying.
3. Can I configure the mAP Lite to route all traffic through an OpenVPN connection if I want? (I am pretty sure the answer is yes, just checking)

Thanks!
 
yottabit
Member Candidate
Member Candidate
Posts: 198
Joined: Thu Feb 21, 2013 5:56 am

Re: mAP Lite as travel router?

Tue Jan 09, 2018 4:55 pm

Yes, it's perfect for this. I use it in hotels to enable Chromecast on the hotel TV, and on airplanes to share a single Wi-Fi purchase with my family or coworkers.

Specific answers:

1. Yes, but the configuration is a bit tricky. First you need to create a Virtual AP on top of the base radio interface. Member that Virtual AP to the bridge. Setup a Wi-Fi password of your choosing for the default security profile. For my configuration, I also member the Ethernet port to the bridge as well, as the default configuration uses the Ethernet port for the WAN interface. Next you reconnect to the Virtual AP you just created. Now create another security profile with the password of the Wi-Fi network to which you want the router to connect as WAN. (You still need a security profile even if the network does not use a password. Note this is the Wi-Fi password, not any password you need to enter into a captive portal once connected.) Now on the base radio interface, set the security profile that you just created. Next perform a background scan and connect to the Wi-Fi network you want to use for your WAN. If all goes well, you will still be connected to the Virtual AP and the base radio interface will report "connected ESS." Change the frequency to Auto (important for #2 below). This will disconnect you for a minute until the Wi-Fi scans again and reconnects to the Wi-Fi. Now go to the DHCP Client and set it to the wlan1 base radio that is now operating in Station Mode. Then go to the Firewall setting and change the NAT rule to use the wlan1 base radio interface instead of ether1. Everything else should be fine with the defaults. Now with your device you will connect to example.com and sign into the captive portal as necessary. After that, all devices that connect to your Virtual AP will be on the Internet NATed through the router! I like to save the config at this point with a filename descriptive of the network for which I configured it (this is important for #2 below). Make sure when you give the backup a filename you prefix the name with "flash/" so the backup file is stored in the flash memory instead of the RAMdisk.

2. Sadly no, and this can be quite infuriating until you get the hang of the steps in #1 above. If you move to another location and the old Wi-Fi SSID is no longer available for connection (also applies if you're too far away and/or the Wi-Fi password is wrong), the base radio will keep going into normal scan mode searching for the SSID. It does not seem to operate in Background Scan Mode. The result of this is that the Virtual AP will not be available since the base radio isn't up. This is why I recommended you save the config above. The hotels and planes where I use this configuration generally have the same SSID name no matter where I am. So once I have it configured once using the steps in #1, I just hold down the reset button while applying power, and keep the reset button held down until the lights start alternate-blinking. This resets the router to default, but does *not* clear the flash containing the backup configs! Then I connect to the default open Wi-Fi, go to Files, select the configuration for the hotel or plane I need, and restore. The router reboots with the new config, the Auto frequency setting from #1 above allows it to select the best Wi-Fi network with the preconfigured SSID and Wi-Fi password, and then I'm up and running. Alternatively, you can always connect via the Ethernet port and avoid the Virtual AP being down if you need to reconfigure the base radio. I travel with a Pixel Chromebook 2 LS, which doesn't have an Ethernet port, so I'm pretty good at doing the steps in #1 within a couple minutes, but I also have a USB-Ethernet adapter I could use for configuration through ether1. Maybe that would work for you, too. I even have a USB Type-C-to-A adapter that I could conceivably use on my Google Pixel XL phone, for the same purpose, but I have never tried.

3. Of course. You can use any of the RouterOS functionality, limited only by CPU, RAM, and flash space. The popular VPN protocols are built-in to the main package, so there shouldn't be a problem setting up OpenVPN, IPSec, PPTP, whatever. I don't do this though; I just use VPN or SSH on my client device as-needed, depending what I'm trying to accomplish. Hotel and plane networks are already slow enough--I don't want to needlessly add more overhead!
Last edited by yottabit on Wed Jan 10, 2018 11:32 pm, edited 2 times in total.
 
yottabit
Member Candidate
Member Candidate
Posts: 198
Joined: Thu Feb 21, 2013 5:56 am

Re: mAP Lite as travel router?

Tue Jan 09, 2018 5:11 pm

Here's my config, for reference.

Note there is one other change I made that may or may not make a difference. Since I'm using the new 6.41 now, there are these address lists called LAN and WAN that have a special significance. The default srcnat masquerade firewall rule is out-interface=WAN but I changed it explicitly to out-interface=wlan1 because in a captive-portal situation, I'm not sure if RouterOS will make the right decision since I think it determines the WAN interface based on ping reachability to Google DNS. In the captive portal situation, I may not be able to reach Google DNS yet, so I thought it better to explicitly specify the WAN interface as wlan1 instead of WAN.

# jan/07/2018 14:33:56 by RouterOS 6.41
# software id = FV38-I1HS
#
# model = RouterBOARD mAP L-2nD
# serial number = 73B2068D7DF9
/interface bridge
add comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country="united states" disabled=no distance=indoors frequency=auto frequency-mode=regulatory-domain mac-address=6C:3B:6B:FE:BF:FE ssid=HotelWiFi wireless-protocol=802.11 wmm-support=enabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=TravelNet supplicant-identity=MikroTik wpa2-pre-shared-key=onTheRoadAgain
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=6E:3B:6B:FE:BF:19 master-interface=wlan1 name=wlan2 security-profile=TravelNet ssid=TravelNet wds-cost-range=0-4294967295 wds-default-bridge=bridge wds-default-cost=0 wmm-support=enabled wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=wlan1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=wlan1
/system clock
set time-zone-name=America/Los_Angeles
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
gfunkdave
newbie
Topic Author
Posts: 45
Joined: Tue Jan 09, 2018 12:05 am

Re: mAP Lite as travel router?

Tue Jan 09, 2018 5:18 pm

Thanks for all the detail! It's the needing to reset it and reload config that gets me. I'm starting to accept that it seems any OpenWRT or Mikrotik router I want to use for a travel router will have this limitation, and I don't understand why. Plenty of cheap consumer travel routers don't make you jump through those hoops.

I'll probably buy one anyway, just to learn Mikrotik.
 
Tdaddysimi
Member Candidate
Member Candidate
Posts: 108
Joined: Wed Sep 28, 2016 4:37 pm
Location: Minnesota

Re: mAP Lite as travel router?

Tue Jan 09, 2018 7:35 pm

My mAP is amazing. I set the primary wireless card and Ether1 on a bridge, and set it up as a dhcp client to pull an address from whatever it connects to.
I then created a second bridge for the virtual ap and Ether 2, and set them up with a dhcp server that nats out to the internet.
Then, I was able to add a vpn client on it, and dial out to my vpn server. I redirect all my 192.168.1.XXX traffic at the vpn, and send all 0.0.0.0/0 traffic at my bridge out to the internet.
It works flawlessly, and after you build up a nice connect list with wifi's in your tik, its seamless. I take a portable battery bank for my phone and I can power my little tik on the go from anywhere, and I always have vpn access as long as I have internet. I even set mine up to leech off my hotspot on my cell phone if needed if i ever needed vpn access that way. For the cheap price and full functionability, the little mAP is a fun tool to have out on the go.
 
User avatar
acruhl
Member
Member
Posts: 371
Joined: Fri Jul 03, 2015 7:22 pm

Re: mAP Lite as travel router?

Wed Jan 10, 2018 2:32 am

You can probably accomplish what you want to do a little bit easier if you chain the mAP-Lite with a hAP-Lite or hAP-Mini. Or regular mAP.

Just be sure to change the default 192.168.88.0/24 net to something else on one of them.

The 2nd device works great for mac-telnet in case you mess something up. Also it would be easier to log into the 2nd one and then the 1st one and set up the WiFi client.

They are all very small for what they do and are USB powered.
 
yottabit
Member Candidate
Member Candidate
Posts: 198
Joined: Thu Feb 21, 2013 5:56 am

Re: mAP Lite as travel router?

Wed Jan 10, 2018 11:23 pm

I can always use ether1 to get in if I bjork up the station Wi-Fi parameters. Slightly annoying, but really not that big of a deal, even with my Chromebook.

I think the solution to this would be if MikroTik could make the default station scan mode operate in the Background Scan mode like they allow when the interface is already up. This could, perhaps, allow the Virtual AP subinterface to remain up during the station scan.
 
micromaxi
newbie
Posts: 43
Joined: Fri Feb 06, 2015 10:32 am

Re: mAP Lite as travel router?

Sat Jan 27, 2018 11:58 am

Here's my config, for reference.

Note there is one other change I made that may or may not make a difference. Since I'm using the new 6.41 now, there are these address lists called LAN and WAN that have a special significance. The default srcnat masquerade firewall rule is out-interface=WAN but I changed it explicitly to out-interface=wlan1 because in a captive-portal situation, I'm not sure if RouterOS will make the right decision since I think it determines the WAN interface based on ping reachability to Google DNS. In the captive portal situation, I may not be able to reach Google DNS yet, so I thought it better to explicitly specify the WAN interface as wlan1 instead of WAN.


NICE! Really love this. Just a quick question before i dive into it aswell. Currently i use the hap lite with you setup (with some manual tweaks) but im wondering whether this config would work for my RBmAP2nD which is slightly older. Which is way smaller and is way easier to take on my travel!
 
yottabit
Member Candidate
Member Candidate
Posts: 198
Joined: Thu Feb 21, 2013 5:56 am

Re: mAP Lite as travel router?

Sat Jan 27, 2018 4:40 pm

Yes, should work just the same. I think all Routerboards with Wi-Fi support this mode since implementation of the "repeater mode" several versions of RouterOS ago.
 
richardfranks
just joined
Posts: 2
Joined: Mon May 22, 2017 4:54 am

Re: mAP Lite as travel router?

Thu Apr 11, 2019 11:49 pm

Bumping because this is the first thing that comes up if you google "mikrotik as travel router" (for me at least)

I get around the issue of not being able to connect locally to WiFi when out of range of the last network I connected to by using a netwatch for 8.8.8.8. Command for the down script looks like:
/interface wireless set wlan1 mode=ap-bridge ssid=unconfigured security-profile=DefaultFailover

This way, when wlan loses internet connectivity for > 1 minute, it kicks wlan1 into ap-bridge mode which allows it to transmit on the virtual interface I'd normally connect to again. It will also kick it to this config if it loses power. I've used this for the past couple hotels I've been to and it's been successful.
 
adrons
just joined
Posts: 1
Joined: Sat May 25, 2019 7:55 am

Re: mAP Lite as travel router?

Sat May 25, 2019 2:51 pm

Hello. Why You don't make a USB cable for a mAP lite, with the help of which You can get a direct LAN connection to the mAP Lite on your laptop (just like you did for the PWR-Line)? I found out that the micro USB port of mAP Lite already contains an ethernet signal(2 pairs) and using a special cable (which should consist of a USB network card(on a RTL8152 chip), without a network transformer), it would be possible to connect a mAP Lite directly to a laptop via this micro USB cable. What do you think about this?
 
thousandlegs
just joined
Posts: 1
Joined: Sun Jul 21, 2019 2:36 am

Re: mAP Lite as travel router?

Sun Jul 21, 2019 2:52 am

I've been playing with these ideas on my hAP Lite. Here's a refinement that is working for me: Instead of using backups for each network, I write a per-network script, like:
:log info "script: Connecting to <SSID> as station"
/interface wireless set wlan1 mode=station frequency=auto ssid=<SSID> security-profile=<SECPROF>
I save this script with a name like connect_to_SSID. Then I can switch to it without changing any settings except the base radio's. If I use backups, then I need to make sure to update all the backups when I change firewall rules or similar.

To connect via the virtual interface when the base radio is not connected as station, as noted previously, you can put the base radio into ap-bridge mode. I do this with a script too. (I call this "lost duckling mode", and the script is "lost_duckling").

I like the netwatch idea, but was having trouble with one of my networks just taking a long time to connect. So instead, I set lost_duckling as the action for when I press the physical Mode button:
:log info "script: Going into Lost Duckling mode"
/interface wireless set wlan1 mode=ap-bridge ssid="Lost Duckling" security-profile=lost_duckling

The next step will be to use scan-to-file to automatically search for networks I already know (or maybe just try all the ones in my list of connection scripts)
 
stefan6900
just joined
Posts: 1
Joined: Thu May 28, 2020 8:25 am

Re: mAP Lite as travel router?

Thu May 28, 2020 8:38 am

I would like to have a script that - when the known SSID is not avail it tries my list of possible SSID's before it goes to 'failover' to manually edit. What I have so far is a Netwatch script:

/interface wireless set wlan1 mode=ap-bridge ssid="error lost connection" security-profile=default

Above prevents me loosing connection when SSID is no longer available.

However I would also like to do a scrip which checks for all my previous SSID before doing that. I have found the below but it does not seem to work:

# Script for verify internet status and do modifications in case of internet fail

# Creating local variables
:local currentStat 1;
:log info ("Verifying if internet is up");

# Check by ping if intenet is up
:if ([/ping 8.8.8.8 count=1] = 0) do={
:set currentStat 0;
}

#Modifier process Starts
:while ($currentStat = 0) do={
:log info ("No internet access, searching new connection");
:if ($currentStat = 0) do={
/interface wireless set wlan1 mode=station ssid="SSID1" security-profile=PROFILE1
:delay 5s
:if ([/ping 8.8.8.8 count=1] != 0) do={
/log info ("Switched to Connection SSID1");
:set currentStat 1;}}
:if ($currentStat = 0) do={
/interface wireless set wlan1 mode=ap-bridge ssid="Error - Lost connection" security-profile=default
:delay 5s
:if ([/ping 8.8.8.8 count=1] != 0) do={
:log info ("Switched to Connection Lost Mode");
:set currentStat = 1;}}
}

Who is online

Users browsing this forum: GoogleOther [Bot] and 50 guests