Article Updated: 11 Mar 2023
MikroTik company offers some very affordable and extremely powerful devices, along their main product – RouterOS (routing operating system) dedicated to networking.
MikroTik runs RouterOS operating system, an overwhelmingly complex feature-rich piece of software which you can use, control and configure both using command line terminal and graphical interfaces WinBox (on Microsoft Windows PCs) and WebFig (in web browsers like Chrome, Firefox, Opera, Edge…). Thing is, you will frequently find only the command line configuration tutorials online, but easy to follow step-by-step illustrated guides are virtually nowhere to be found.
MikroTik routers and “access points” models such as hAP and hAP lite (including their more advanced variants hAP AC² and hAP AC³) are mainly targeted at home networks and small offices (SOHO) environments, they come with RouterOS L4 license and out-of-the-box are usually configured as classic, conventional, well, routers – despite “AP” in their name.
The problem is if you don’t want a routing function, DHCP or NAT, in another words, you do not desire a network subnet change because of routing – e.g. your main router/gateway network IP is 192.168.1.1 and MikroTik router devices attached to MikroTik will have its default subnet range 192.168.88.* which is what we are trying to avoid.
What is the difference between computer networking Hub, Bridge, and Switch?
Network hubs are simplest (“dumbest”) of the bunch. Externally (physically) they look like switches but they aren’t the same thing internally. They have multiple ports and they operate on Physical Layer (L1 or Layer 1) of the OSI model, which means that they are transmitting all incoming packets to all other ports simultaneously. In another words, they are prone to packet collisions if multiple devices try to send the data at the same time — they aren’t smart and efficient (in network traffic sense) at all!
Enter more intelligent networking world: meet Bridges and Switches!
Both switches and bridges function using Data Link Layer (L2), better known as MAC addresses, to forward Ethernet frames between two devices.
For an end-user concern, both can be used to connect two different LANs, devices or networks into one (hence, the bridge name), however, switches, like network hubs, usually have many Ethernet I/O ports (3/4/5/8/24/48), which means they can split or concentrate multiple LAN segments into single one.
Bridges commonly have only 2 I/O ports, which inherently limits their functionality to, well, joining two network segments.
L3/L4 Switches – even more intelligent!
As technology matures, chip integration reaches higher processing powers, miniaturization, efficiency, performance, lower price points, so do feature sets expand, as well.
Basic idea between different layers of switching/routing comes from the fact that earlier a device learns where the traffic needs to be directed (routed or switched to), the faster and more efficient it can perform its task. This may sound trivial in home or small office environments with less than e.g. 10 devices, but enter enterprise and service providers world, where constant saturated streams of information occur, and suddenly total switching or routing capacity (throughput) becomes an important factor. Additional features like traffic shaping, prioritizing applications etc. also comes into play.
L3 switches are crossbred between advanced routers (L3) and plain switches (L2), with an ability to perform traffic routing on Network Layer (L3) using IP Addresses, group network segments / hosts into Virtual LANs (VLAN), and so on.
L4 switches support policy based switching to limit different traffic types and prioritize packets based on application importance. L4 switch is also known as a session switch.
L3/L4 switches may not yet entirely replace routers, but they can perform traffic routing based on IP addresses instead only on MACs, load balance networks between grouped ports, and so on.
What should you do to make a MikroTik router work like a classic switch?
(or wireless switch aka “access point” if you’re old enough to remember products like Cisco Linksys WAP54G)
Those devices are simple bridges between remote clients (e.g. mobile phones, tablets, laptops, Smart TVs, IoT devices) over WiFi and actual router or gateway from your ISP.
Another confusion regarding this matter is that many online resources, including MikroTik’s own support forum where various members can exchange their knowledge about RouterOS and networking, and resolve various tasks and problems, state that for common switching function you need to use WISP AP mode configured as Bridge. Well, this does not work at all in our case. The required manual configuration procedure is quite simple, actually.
How to convert MikroTik router hAP / hAP lite into ordinary Switch or Wireless Access Point Bridge (without routing function)
What is the difference between configs described in PART 1 and PART 2 ?
- AP Switch mode described in PART 1: We must connect one of the MikroTik router’s LAN ports (e.g. port #1) to ISP router/gateway using Ethernet/LAN cable. Other LAN ports (e.g. ports #2, #3, #4, …) and MikroTik’s Wi-Fi can be used to connect wired and wireless devices to Internet through classic switch/bridge without network subnet change. Please note that all LAN ports in this mode are equal – it does not matter which one you use for ISP connection, and which for other wired devices!
Wired+Wireless Devices connected via MikroTik LAN Ports (#2, #3, #4, …) and Wi-Fi <<==>> MikroTik LAN Port (#1) <<==>> ISP router/gateway (wired) <<==>> INTERNET
- LAN to Wireless Bridge Wi-Fi mode described in PART 2: We must connect MikroTik router’s Wireless (Wi-Fi) interface to ISP router/gateway. Wi-Fi section is thus occupied / reserved for remote connection to Internet (ISP AP), and we can use all available LAN ports (e.g. ports #1, #2, #3, #4, …) to connect wired devices to Internet wirelessly without network subnet change.
Wired Devices connected via MikroTik LAN Ports (any) <<==>> MikroTik Wi-Fi <<==>> ISP AP Wi-Fi router/gateway <<==>> INTERNET
PART 1: MikroTik classic Access Point (AP) mode (uses ethernet LAN port for bridge internet access)
This is what we are trying to achieve:
INTERNET
|
|
ISP ROUTER / GATEWAY @ 192.168.1.1
|
|
LAN Cable (connected between ISP router/gateway client port and any MikroTik's LAN port)
|
|
MikroTik Router configured as Switch/Bridge/AP
|
|
LAN Cable(s) (-1 available port) or Wireless link (other Wi-Fi devices connected to MikroTik's Wi-Fi)
|
|
Multiple PCs/Printers/Phones/IoT Devices @ 192.168.1.* over LAN/Wi-Fi
[same network segment / no network change]
STEP 1
Reset MikroTik hAP / hAP lite to factory default
- Turn Off power cord
- Push Reset button with a pen or stick and HOLD IT
- Turn On power back while still holding Reset button above pressed until ACT LED starts flashing (after ~ 5 seconds)
- Release Reset button and wait 30-120 seconds until MikroTik device loads default Home AP mode
Connect now to your hAP MikroTik router using WinBox and LAN Port (e.g. use port #2, #3 or #4).
STEP 2
Go to Bridge > Ports tab > click on + to add ether1 to the bridge (it may already be selected under Interface dropdown selector or you will have to manually do it).
STEP 3
Go to IP > DHCP Server and delete defined one.
STEP 4
Go to IP > DHCP Client and delete defined one.
STEP 5
Go to Routing > BFD and disable defined “all” entry by double-clicking on it and pressing Disable button (cannot be deleted!).
STEP 6
Optionally remove defined pool line(s) e.g. 192.168.88.10-192.168.88.254 however it won’t affect bridge function on it’s own.
STEP 7
Reboot MikroTik device [Turn Off Power, Turn On Power sequence]
CONGRATULATIONS!
Your MikroTik hAP/hAP lite router has become Access Point / Switch.
💡 TROUBLESHOOTING TIPS / NOTES
- To access MikroTik and reconfigure it later you must use ethernet-enabled computer (laptop or desktop) and UTP / LAN cable on MikroTik (ports #2, #3, #4, etc.) with WinBox tool to access it via MAC address (it won’t work over Wi-Fi and MikroTik’s AP link now).
- This procedure in general, particularly steps 1, 2 and 7, should be enough and used with other MikroTik wireless router boards and models.
- Connect your main router/gateway from your ISP with UTP / LAN cable to one of the LAN ports on your MikroTik router. Rest of the free LAN ports can be used to connect other equipment / PCs / Printers etc.
💡 What if WinBox doesn’t detect your MikroTik router in this case?
You need to manually input MAC address e.g. 4C:5E:0C:AB:CD:EF in the Connect To: field and press Connect button. Use Neighbors tab in WinBox and Refresh button to scan available MikroTik devices and MAC addresses automatically (doesn’t always work, and it’s not 100% reliable). Note that wired ethernet interfaces (ether1, ether2, ether3 …) on LAN ports and wireless wlan interface (wlan1) all have different MAC addresses!
Also, don’t forget to disable Wi-Fi adapter connection on your PC temporarily, otherwise, Windows will auto select by preference network adapter that has internet connection present (in another words, it will ignore direct wired connection to your MikroTik router if WiFi works and is connected to another access point!).
Because of the WinBox bug and unexplained glitches you might have to press Connect / Reconnect buttons several times before successful connection is established. Don’t worry, you will successfully login into the router eventually (assuming you entered correct username and password as well).
Alternatively, perform a factory reset procedure and start over if you are stuck.
PART 2: MikroTik LAN To Wireless Wi-Fi Bridge mode (uses wireless connection for bridge internet access)
This section was not part of the original article, but we thought that this modification is quite common and could be useful. It builds up on top of the modification presented above.
In simple, plain words: we are trying to convert MikroTik router into a Wired Ethernet LAN to Wireless Wi-Fi adapter which will allow us to connect multiple wired-only devices (e.g. only with physical Ethernet LAN ports / without built-in Wi-Fi) like older TVs, Printers, DVRs, Wired LAN IP cameras and desktop PCs to another local wireless network access point (AP) or WISP provider gateway/router network. Another very important condition is that we do not desire network subnet change, thus routing function of our MikroTik “router” must be bypassed / turned-off, and DHCP or manual IP addressing / assignment function will be obtained and performed by the upstream wireless link, ISP router or gateway device. Some manufacturers and device manuals, such as TP-LINK TL-WA801N / TP-LINK TL-WA801ND or Tenda AP4 / Tenda AP5 Desktop AP (Access Point) models, refer to this as Client Mode AP operation. Needless to say, but MikroTik is far better device for this purpose because you have a greater control, more free LAN ports (no need for separate Switch), despite required work to configure it initially.
This mode is derived from Switch / Wireless Access Point Bridge Mode configuration above. You must have a working MikroTik router configured with previous steps first (PART 1) before proceeding to the following steps (hence the continuous STEPs numbering scheme in parentheses).
This is what we are trying to achieve now:
INTERNET
|
|
ISP ROUTER / GATEWAY / Wi-Fi AP @ 192.168.1.1 acting as Internet Wi-Fi Wireless Access Point
|
|
MikroTik's Wi-Fi wireless interface link
|
|
MikroTik Router configured as Ethernet LAN to Wi-Fi Wireless Bridge
|
|
LAN Cable(s) (all available ports) but no Wi-Fi! | Wi-Fi is now reserved/used* to bridge/connect to ISP AP wirelessly
|
|
Multiple wired desktop PCs/Printers/DVRs/older Game Consoles/IoT Devices @ 192.168.1.* over LAN only
[same network segment / no network change]
* in case of multiple MIMO WLAN interfaces and bands (2.4 GHz and 5 GHz) it is theoretically possible to use other radio(s) for other connections but we haven’t tried that and can’t guarantee that it will work.
How to modify existing MikroTik AP-Switch mode into Wired Ethernet LAN to Wi-Fi Wireless Bridge mode?
Final reminder: do not immediately jump to “STEP 1” instruction below unless you followed previous tutorial’s steps above and prepared your MikroTik for the following mod!
STEP 1 (8)
Connect computer to MikroTik over Ethernet cable to e.g. LAN port #2.
STEP 2 (9)
Run WinBox app and connect to MikroTik router using MAC address (default password is blank / empty). Alternatively, switch to Neighbors tab to find your router on local network connection automatically.
STEP 3 (10)
Go To Interfaces > Interface List tab and double-click on “defconf” WAN interface. Change (drop-down select) from “Interface: ether1” to “Interface: wlan1“.
STEP 4 (11)
Go To Wireless (window is titled Wireless Tables) > Security Profiles tab. Double-click on default profile > General tab and configure security requirements of your network. For example, use WPA/WPA2 Pre-Shared Key with TKIP/AES support (we should drop TKIP for security reasons and focus on WPA3 in the future, but for now use it for maximum compatibility with various devices).
Mode: dynamic keys
Authentication Types (checkboxes): WPA PSK, WPA2 PSK
Unicast Ciphers (checkboxes): aes ccm, tkip
Group Ciphers (checkboxes): aes ccm, tkip
WPA Pre-Shared Key: [ enter your Wi-Fi ISP/AP/Router/Gateway password here ]
WPA2 Pre-Shared Key: [ enter your Wi-Fi ISP/AP/Router/Gateway password here ]
Hit Apply/OK
STEP 5 (12)
Go To Wireless (Wireless Tables alt title) > WiFi Interfaces tab. Double-click on wlan1 interface > and switch to Wireless tab. Example configuration is shown below:
Mode: station pseudobridge
Band: 2GHz-B-G-N (and / or 5 GHz if available on your MikroTik hardware)
Channel Width: 20/40MHz eC (note: default is 20MHz mode only for hAP lite router model, values depend on hardware support, band(s) and standards, set largest available values for maximum performance / speed)
SSID: [ enter your Wi-Fi ISP/AP/Router/Gateway SSID name here ]
Security Profile: default
Frequency Mode: regulatory-domain
Country: [ select your country or leave “etsi” ]
Installation: indoor
Default Authenticate: checkbox ticked
Optionally, you can use Scan… button on the right panel side, select “wlan1” from drop-down selector list, tick “Background Scan” checkbox and hit Start button. MikroTik won’t be able to connect to your WiFi network unless background scan option is ticked.
Click on SSID or Signal columns to sort scanned networks by name or signal strength, select your wireless network from the available list > right click > Connect
Close this window, you should still see Interface <wlan1> window opened, and at the bottom status bar:
enabled | running | slave | connected to ess
STEP 6 (13)
You can now safely disconnect Ethernet LAN cable between ISP router/gateway and MikroTik’s LAN port from PART 1 in case you have it connected. It is no longer required, because now we have internet connection established over wireless interface.
CONGRATULATIONS!
Your MikroTik hAP/hAP lite router has become a Wireless Bridge (switch).
MikroTik router is now configured as a basic Ethernet LAN 2 Wireless Bridge / Switch (LAN 2 Wi-Fi adapter), allowing you to connect multiple wired LAN devices to Internet over Wi-Fi wireless network bridge to your main ISP router/gateway or another router in another room or department using the same network segment (no subnet change). Remember, your ISP router/gateway is still doing all the smart routing and DHCP stuff!
💡 TROUBLESHOOTING TIPS / NOTES
- Avoid using Ethernet port #1 during troubleshooting / frequent factory reset cycles and config changes!
Why? LAN port #1 is reserved / mapped as Internet/WAN port in factory configuration, so WinBox can’t really connect to MikroTik on this port! (think of WAN as “output”, not “input”). You will have a big headache and also back and fort switching different ports during Wi-Fi bridge configuration fiddling.
- WinBox won’t be able to connect to MikroTik configured this way via MAC address until MikroTik’s wlan1 interface becomes connected to the upstream AP (ISP), so make sure you have properly configured Wi-Fi AP parameters. Also, if AP loses connectivity, MikroTik will become unconnectable and it will require manual reboot (power ON/OFF cycle) to become connected again, which will affect devices connected to MikroTik router via LAN.
- Remember, each factory reset operation requires another power ON/OFF cycle to actually load default configuration! At least, this is true for hAP Lite 2nd, possibly the same with other models.
- When performing factory reset operation, make sure to use original or adequate replacement power supply (avoid USB power banks), and make sure to disconnect all LAN cables before that procedure.
- Remember, hAP Lite 2nd requires 40-45 seconds to actually boot, so be patient and don’t expect to become instantly connectible after power ON/OFF cycle!
- If WinBox still can’t connect to MikroTik router AFTER factory reset procedure, try enabling Tools > Legacy mode.
- If WinBox still can’t connect to MikroTik router AFTER factory reset procedure, if you use a laptop try disabling Wi-Fi LAN adapter on Windows PC (just in case to avoid confusion), and manually configure wired Ethernet adapter under TCP/IP v4 settings with the following parameters:
IP address: 192.168.88.3
Subnet mask: 255.255.255.0
Default gateway: 192.168.88.1
Preferred DNS server: 192.168.88.1Follow-up tip #1: Perform another power ON/OFF cycle in case if it doesn’t work right away!
Follow-up tip #2: Don’t forget to switch back your PC to default DHCP mode as soon as you configure MikroTik router or restore .backup configuration, otherwise your PC/WinBox will be still without connection!
- If you plan to change Wi-Fi network, password (passphrase or security mode) or WISP provider that MikroTik wlan1 interface connects to, you will either (1) need connection to the original network first while you define new security profile and connect to the new network / parameters during switchover procedure described further below, or (2) you will have to perform a factory reset and re-configure it from scratch (PARTS 1+2 of this tutorial)!
The proper procedure for changing Wi-Fi network parameters is as following:
- Connect to the MikroTik router via LAN cable and appropriate MAC port address using WinBox while still connected to the old (original) Wi-Fi network.
- Under Wireless > Security Profiles click on + to create a new one (do not modify existing default profile we use in STEP 4 (11) above!), set proper TKIP/AES checkboxes and password.
- Now go to Wireless > WiFi Interfaces tab > Double-click on wlan1 interface and under Security profile select newly created one in previous step. Then switch to Wireless tab > click Scan… button (background scan checkbox should be left unticked) and select new wireless network SSID. Wait until new connection is established, and reconnect in WinBox.
Beware, if you make a mistake and Wi-Fi connection is not successful you will lose the ability to access router via WinBox later! In another words, you’ll have to factory reset it and start over again. This is why it’s a good idea to create backups of working configurations before risky changes or use Safe Mode instead, so that changes you make aren’t permanent (they will be reverted after reboot / power ON/OFF cycle).