
Mikrotik hAP AC - A router for all occasions.

Strengths and weaknesses of MikroTik hAP lite RB941. Power Mikrotik hAP lite
06.05.2020
MikroTik hAP Lite is one of the most affordable and well-known routers on the market for similar equipment. Since 2016,
the router has been very popular and is not inferior to more expensive and recommended models.
Based on the technical characteristics of the router and on user reviews, we will determine what advantage the
MikroTik hAP Lite has over other routers and why the model holds a leading position.

Set
For an overview of the Mikrotik Hap Light router, see the following video:
 
The product is delivered in a cardboard box containing:

- instructions;
- power supply unit for 5V and 0.7A;
- RouterBOARD hAP Lite (RB 941 2nD TC) is the official model name.

Design
The appearance of the router is shown in the picture:
The MikroTik hAP Lite has a plastic case consisting of white and blue parts. The front side of the case has
ventilation holes. On the back side there are activity LEDs for the four network ports,
two diodes, a multifunctional button and a Micro USB port (for power). The bottom of the router has
vents to dissipate heat away from the center chip area.

The case with connectors is shown in the picture:


The shape of the model's case allows the product to be used only in an upright position.

Software and functionality


The functionality of MikroTik hAP Lite RB941 2nD matches the high performance of the Qualcomm Atheros
QCA9533 processor. The processor frequency is 650 MHz. The port transfer rate is 100 Megabytes. RAM - 32
MB (16 MB permanent).

The gain of the two antennas of the router is 1.5 dB, which allows you to maintain speeds up to 300 Mbps. The
Wi-Fi power of the hAP Lite router is up to 158 mW (22 dB).

The MikroTik hAP Lite Wi-Fi router operates under a specialized operating system, RouterOS.

MikroTik hAP Lite specifications (RB 941 2nD TC)

Type: Wireless router
Standard: Wi-Fi 802.11 b/g/n
Maximum connection speed, Mbps: 150
Multiple SSID support: +
Connection interface (LAN port): 3x10/100 Ethernet
Input (WAN port): 1x10/100 Ethernet
Firewall: +
NAT: +
VPN (virtual networks) support: +
DHCP server: +
Antenna type (internal / external): internal
Number of antennas: 2
MU-MIMO / MIMO support: -/+
Web interface: +
Telnet: +
SNMP support: +
Dimensions, mm: 124x100x54
Power supply (PoE / adapter): -/+
Bridge mode: +

Qualcomm Atheros QCA9531 processor (650MHz), 32MB DDR RAM, RouterOS Level4 License

Customization
For a video instruction on setting up a router, see the following video:
 
The RouterOS system is presented in English, and therefore many users experience certain difficulties when
setting up the MikroTik hAP Lite router. Below we will consider how to configure the router and set the required
parameters.
At the first stage, you must perform the following actions:

1. Connect the router to a PC (tablet, laptop, smartphone). Turn on the power.
2. Connect the Internet to the router. The connection can be activated over Wi-Fi. If that is not possible,
connect the LAN port of the router and the port of the PC network card with a LAN cable.
3. Connect to the “MikroTik” Wi-Fi network.

With a valid network password - reset the settings.

Regardless of whether there is a network connection, you can proceed to the next step. To open the router
settings, go to the page at 192.168.88.1. This gives access to the RouterOS control panel. At this
stage, you need to make sure that the device is in "Home AP" mode.
The picture shows how to find out which mode the router is operating in:
The list of parameters is divided into three blocks and looks like this:

- connection to the network (Internet);
- Wi-Fi network (Wireless);
- password to protect the system interface (System).
Dynamic IP Settings
Provided that the Internet is already working through MikroTik hAP Lite, there is no need for additional settings.
Thanks to automatic connection, you can immediately set the parameters of the Wi-Fi network.
If the connection type is not dynamic IP, check it with your Internet service provider. You should also clarify
whether the Internet provider uses binding by MAC address.

With a dynamic IP and no binding by MAC address, the router is fully operational at this
stage.

If you need to bind by MAC address, specify the MAC address of the network equipment (either with your
Internet service provider or in the "MAC address" field in the router parameters). The equipment address is
shown in the MAC Address field.

Entering parameters when connecting PPPoE


How to connect can be seen in the picture:
This type of connection is not very popular. Here you should select the "PPPoE" connection type and indicate the
username and password. Then activate the "Reconnect" button and go to the Wi-Fi network settings. The data
containing the username and password is provided by the Internet service provider.

Setting up a password and Wi-Fi network


Let's turn to the "Wireless" section (located on the left side of the page). It is suggested to change the name of
the Wi-Fi network in the “Network Name” field. Further, in the opened menu "Country" we designate the
password ("WiFi Password").

This is the window where you can change the network name and update the password:
The password to access the Internet must contain at least eight characters. It is also recommended to specify
the region where the user is located.

Here you can also specify the list of clients connected to the router, and set the parameters of the guest Wi-Fi
network. Before exiting the section, save the settings using the “Apply Configuration” button.

Password for the web interface


To protect the RouterOS interface from unauthorized access, it is recommended to set a password. To
do this, go to the "System" section (in the lower sector on the right). Then specify the password in the
"Password" and "Confirm Password" fields. To save the parameters, use the “Apply
Configuration” button.

The page for entering a new password looks like this:


At this stage, the user will be logged out of the system. To log back in and regain access to the interface, you will need
to enter the password you have just set. In addition to the password, you must enter the username (admin).

The login page looks like this:

Router in operation
Numerous positive reviews from owners of MikroTik hAP Lite routers testify to the simplicity and, at the same time,
the reliability of this router model. The indisputable advantages of the RB941 2nD TC router are:
- the ability to simultaneously connect an unlimited number of gadgets (the number of connected devices does not
adversely affect the operation of the router);
- price - the cost of the device does not exceed 1,500 rubles;
- compactness;
- functional operating system;
- support - regular updates;
- quality of performance;
- wireless signal strength;
- convenience and simplicity of the interface;
- micro USB power supply;
- design.
Taking into account the functionality of the MikroTik hAP Lite router and the feedback on its work, we can confidently
conclude that this model is still the best in its price segment.
Today I will present you with a small overview of the router, which I have been waiting for a long time (it was
announced back in 2015) and finally waited. In short, I can say that for most users its rich capabilities will be
superfluous, however, for those who want to get flexible home network settings, there are practically no
alternatives (for comparative money). If interested, welcome to cat.

To begin with, I will outline the background of the purchase, what prompted me to take Mikrotik

For a long time, the time-tested old Asus RT-16N worked for me as a home router. In general, it was a very good
router that fully satisfied my home internet needs and also provided fairly good Wi-Fi coverage. It was installed
with firmware from Oleg, and then from his followers, which significantly improved its work and added a
number of additional functions to the router. In general, for (approximately) 5 years, this long-liver met
my requirements in full. However, relatively recently, for work needs, I needed to raise a VLAN on the WAN port to
provide access to the work network from home and to home from work. And here certain difficulties arose: Oleg's
firmware does not provide such an option in the web interface, and having rummaged through ssh I also failed
to do this. After reading the forums and asking the great Google, I quickly came to the only solution on the
RT-16N: install the OpenWRT firmware, which I duly did. We managed to enter all the settings without any
problem and everything worked, but two VERY unpleasant snags quickly emerged. The Asus company does not
provide enthusiasts with access to managing their hardware (which is understandable in principle), and therefore
all alternative firmware either uses the base system core from Asus with minor functional changes (DD-WRT,
firmware from Oleg, etc.) or writes its own (OpenWRT), but due to the lack of documentation and
manufacturer support does not implement its commands in an optimal way. In my case, this resulted in:
1. Big dances with a tambourine around WiFi, since for a long time he agreed to rise only in the bg range at a
speed of 54 M / bit and N did not start with any forces.
2. Much more sad: with the network load on the jump at a rate of 100 megabits, the router ran up against the
maximum ceiling of 55-60 megabits with a processor load of 100%.

If we managed to cope with the first trouble more or less by talking on the VRT-shnikov forums and downloading
third-party “drivers” for Wi-Fi and seemingly reviving the N range (although it works strangely: when the router
reboots, it drops the breeches and the Wi-Fi has to be raised manually + disappeared the ability to form access
lists by MAC addresses). but in general, the wi-fi is more or less moving.

The second problem could not be solved in any way, although the multiple firewall rules were reduced to the
required minimum, but it did not help: the speed of the download from the Internet did not rise above 60 (the
speed inside the home network did not drop, but this is understandable - there is essentially no load there
everything goes directly).

In general, taking into account all of the above, I gradually began to come to the conclusion that it was time to
change the router, but after studying the market I realized that not everything is so simple. I wanted modern iron,
which will be relevant + N years, will provide good speed Internet in the future, even more than 100 M / bit (such
tariffs have already begun to appear, which means that in 2-3 years it will be commonplace with an affordable
price), and of course I wanted a dual-band router with support for WiFi AC networks for the future.
I set about choosing and realized that the choice with such requirements is small. Stock firmwares of common
brands do not provide the flexible settings that I need (in most routers, even expensive ones, everything is limited to VLAN
settings for IPTV multicast, which I do not need). So I will have to flash again and again (possibly) have dances
with a tambourine in the future. take TPLink Archer 7, but I read in time that the AC mode is not yet available on
OpenWrt, and whether it will be available in the future - who knows.
In general, I wanted something that would allow me to get everything I needed on the base firmware and without
hemorrhoids. And then I came across a mention on the network about the imminent (yeah, soon :) release of the
subject. I got acquainted with the characteristics and realized - this is THE router of my dreams. It knows how
to do everything that is needed from its RouterOS, according to the settings it will satisfy any needs of network
management and is very promising for hardware (I hope its capabilities will be enough for me for the coming
years).
Let's take a closer look at the capabilities of this miracle box:
As you can see, the hardware is very decent, and it will cover all the requests of most users. You can take a look
at the guts of the router (I will honestly say that I did not disassemble my router, the photos were found on the
Internet)

In the figure: numbers 1, 2 denote built-in 2.4 GHz antennas, numbers 3, 4 - 5 GHz antennas. Under the epoxy
are the UFL connectors to which antennas 5 and 6 (2.4 GHz and 5 GHz) are connected.
Router block diagram:

CAPsMAN - Another opportunity from Mikrotik for country houses / offices

Starting with version 6.11, RouterOS has the CAPsMAN functionality - the ability to centrally manage access
nodes.
That is, instead of configuring each such node separately, it is enough to configure one controller and then
connect the managed nodes to it. In this way, rather than with WiFi repeaters, which only repeat an
already received signal, with its errors and with increased latency, over a wider coverage area, you can quickly and
easily organize a seamless single network that can cover an object of almost any area.

It is clear that the quality of such coverage will directly depend on the hardware capabilities of the central
controller. When using three or four MikroTik hAP ac, for example, it will not be difficult to create a network that
does not require re-logging in the entire volume of a three-story country house (with a basement, attic and
outbuildings) or a whole vast floor of a business center.

At the same time, due to the ability to receive and send further along the chain the supply voltage via the
Ethernet line (Poe In / PoE Out), such devices will make it possible to do without excess wires and additional
load on electrical outlets.

For reliable WiFi coverage of extended (one, two or three dimensions) objects, two alternative methods are used:

1. You can install a really powerful universal router with several external antennas in the center of such an
object, with the ability to simultaneously create two or more non-intersecting communication channels in the 5-
GHz range, and hope that this monster will confidently "finish off ". And if not, then try to increase its power with
additional antennas, but a simple increase in the number of antennas will not lead to an increase in the total
power: the developer can either make individual antennas more powerful, or increase their number, but not both
together. Accordingly, a WiFi repeater can be installed at a great distance, but such a solution is fraught with
inevitable deterioration in the quality of communication.

2. Another approach, MikroTik with RouterOS CAPsMAN, is directly opposite to the first. It provides for the
organization of a two-tier network of one control router and several controlled access points. Each of these
devices will be cheaper than a monstrous, ultra-powerful Internet center. Their combined, reasonably
distributed effort means that over the entire covered length, area or
volume the Wi-Fi signal level will remain approximately the same, and the switching of mobile devices roaming
between access points will be seamless and invisible to both the user and the applications.
The presence of an SFP port for installing a fiber-optic communication module further expands the range of
hAP ac applicability. Running an optical data delivery line to each of the access nodes allows you to
expand the Wi-Fi coverage area of a single network configuration almost indefinitely, as long as the central router
has enough computing resources to process all requests in a timely manner.
Well, now, briefly about my own impressions:
This small box fully justified my hopes, the speed is strictly according to the tariff, nothing is cut or lost. I tested
the 5 GHz network, the wifi speed within the network exceeded 100 megabits (115-120). Unfortunately, I don't
have a single AC device at hand, so I'll have to wait for the future to look into my house :) However, there is
no urgent need for AC right now - all the same (my) Internet tariffs will not stretch it, so this technology is for
the future ...
As for the settings, you can really collapse your head by studying the tabs :) The tool is really flexible and allows
any network perversions.

For example, this is how you can configure the guest grid:
And this is how you can deploy HotSpot:

I decided not to drag it here under a spoiler; in the end it makes no sense to pull half the Internet here,
sometimes links are enough. I am sure that if someone is interested, he will find any additional information.

Mikrotik has got a very interesting home router. The company has made a world name for itself in network
solutions for corporate needs, and now its time has apparently come to master the home segment of the market,
I am sure that they have prospects in this direction. In general, I am personally absolutely satisfied, the new
router began to work on the home network, I hope it will serve me no less than the Asus. With that I take my leave; if you have
any questions - write.

Down there in the comments, I was rightly noticed about the lack of purchase photos and was suspected of
being an advertising agent :) Fair remark. I did not take a photo of the parcel and unpacking, but I did not want a
working device, since I had not yet had time to lay the wires beautifully - they stick out in different directions. The
router was received just yesterday.

However, I understand that it looks like a custom, so here are the pictures of the purchase, don't look at the wires
- I'll think about how to carefully throw everything.
Well, in a couple of days I tidied up a little, and combed the wires:
Every day I find something interesting and NECESSARY in the settings of the router ... In general, now I'm
delving into the manuals - I really don't regret the purchase for a second. Good luck friends!



All these smartphones, tablets, computers, and recently also refrigerators, kettles, light and temperature sensors ... Soon
we will connect tables and chairs to the network to find out how much our weight has changed since yesterday's hearty
dinner.
Nowadays, even the absence of water or light is often perceived as simpler than the absence or poor
performance of the Internet. Well, of course, light is needed, but there are also LTE and 3G connections :)
For me, July was a real nightmare, my old DLink DIR620 router was slowly but surely going crazy, at the same
time driving me crazy. Constant loss of ping both to the external network and to the router itself, the inability to
connect to the administration interface, and the need to change the router more and more often in order to bring
it to life for a while. All this finally got me and a decision was made - we need a new source of knowledge for cats
in the apartment.

Lately I have had DLink and Zyxel at home. Although at work I also came across Ubiquiti, TP-Link and Asus.
DLink was reluctant to take for certain reasons, including a developed hatred of my old man. I sat with the rest
and thought about who to replace. Confused by the eternal perversions with the router administration system,
then the firmware will cease to be released, then something with glitches, then with performance, some
compromise options. A 100% workhorse will cost 5-7 thousand. For an unemployed person, at the moment, this
is somehow a bit much for me.

Communicating with a friend, I found out that his friend was distributing the Internet to his neighbors through a
MikroTik router, plus it seems like this friend himself worked for a local small provider and would hardly have put
it anyway. Skeptically reacting to a new name for myself, I went to look for information.

It turned out that MikroTik is a new name just for me. This small Latvian company (only 100+ people) was
founded back in 1995. MikroTik produces a fairly large range of network equipment, wired and wireless (routers,
switches, access points), as well as its RouterOS, which is installed ON ALL Karl! company products.
I looked at routers for 20,000+, licked at the possibilities of configuring this RouterOS and decided that I would
probably have to take something from the planned budget. I was glad when I discovered that the MikroTik
product line has devices at a very affordable price that are suitable for home.

So I found out about ...

MikroTik hAP lite


WiFi router for a home or a small office (soho) costing about 1400 rubles (at the time of this writing, I would like to look at
the price at the old rate).
Contents of delivery
The router is delivered in a box made of fashionable craft cardboard, with the Routerboard logo and a monochrome image
of the router. No ads, no description of the delights of the content, just a sticker with the hAP lite model, board ID and MAC
address. It's even better, MikroTik didn't spend on packaging, and we don't pay for printing services.
The box contains a brief instruction on how to connect to the router:

1. Connect to WIFI or directly by cable
2. Go to the browser at 192.168.88.1
3. Admin user without password
Also, the manufacturer offers to immediately update RouterOS "for best product experience". The update procedure is
quite simple, go to the MikroTik website, download the smips version of the firmware (especially for hAP lite), upload it to
the router (Files section), and then reboot. In the same section there is a file with add-ons, it is up to the user to install
them or not.
Inside the box is a power supply unit with a microUSB connector (a standard 5V-2A will do), a small instruction
and that's it.

Small LifeHack: MikroTik hAP lite, as you can see, the device is small in size, moreover, it can be powered from a laptop.
This I mean that in life there may be situations when a router that distributes WiFi locally is a handy thing. It would have
come in handy for me a year ago, when I was on the mobile Internet via a 4G whistle, and WiFi from the computer was
constantly cutting off my mobile phone, tablet and another laptop.
The usual patch cord is missing, but when you turn on the router, WiFi starts and it can be configured without a
wired connection. For me, the absence of "ruches" is only a plus, we all understand that the color box, manual,
discs, patch cord is worth our money. In my opinion, let them not be better.

Appearance
The dimensions of the router itself pleased me 90x115x30 mm, at first I was embarrassed by the absence of the usual in
this case external antennas, but, looking ahead, I will say that I did not find any problems when working with WiFi (unless
the presence of a large number of wifi networks in 2.4Ghz nearby will somehow affect in the future)
In general, the appearance of the device, like the packaging, is minimalistic. The power connector, Ethernet connectors,
power and activity indicators, as well as the reset button are placed on one side of the device; all the other sides
contain nothing, apart from the plug for the USB port that is missing in the lite version.
A little more variety awaits us from the bottom of the case. Feet, ventilation holes, sticker with the same
information as on the box: MAC, serial, model name. In addition, on the bottom of the hAP lite there are 2 cross
brackets for wall mounting. It's great that you can hang the router both vertically and horizontally.

I don't see the point of climbing into the insides; if you wish, you can find what you need on the Internet,
so I will take the specifications from available sources for general information.
Specifications
Processor: QCA9531-BL3A-R at 650 Mhz
RAM: 32 MB
LAN ports: 4
Radio module: 2.4Ghz, 802.11b / g / n, 2 internal antennas with 1.5dbi gain
RouterOS license level: 4
In general, the hAP lite hardware is nothing out of the ordinary; WiFi power is enough for an average
apartment or small office, exactly as stated - SOHO. The most interesting thing in this case is the software
part.

RouterOS
I suspect that many have wondered what is the 4th license level of the MikroTik hAP lite router. Let's first figure out what
this RouterOS is all about. It's simple. ALL MikroTik devices run on a fancy router OS, with all modern capabilities: routing,
filtering, channel management, access point organization, VPN server and much more. This is the kind of functionality that
awaits you in all MikroTik devices. Including in our hAP lite for 1400 rubles.
RouterOS is MikroTik's first product released in 1997. Yes, at first there was software, then (after 5 years) they
also made hardware for it.

RouterOS is based on Linux kernel v3.3.5 (at the time of this writing), providing a fast and convenient interface
for managing all functions. By the way, you can try RouterOS absolutely for this, just download the image from
the official website http://www.mikrotik.com and install it on any PC.

RouterOS supports multi-core and multi-processor configurations of computers and installs on IDE, SATA and USB
drives. Installation requires at least 64 MB of free space. Numerous network interfaces are naturally supported,
including the latest 10 gigabit cards, 802.11a / b / g / n wireless devices, SFP modules, and 3G / LTE modems.
Again, this fancy router operating system will be in your hAP lite, ready for anything.
RouterOS configuration options:

- Graphical interface - Winbox (application for Windows), Web interface
- Command interface - Telnet, ssh, local console, serial console
- API - allows you to build your own application
Having entered through the web interface, the first thing the user sees after entering the login and password (if one
has been set) is the Quick Set section.
Here are the main basic settings of the router:
WiFi network name, access key, monitoring of connected wireless devices. Here you can also configure access to
the provider, in my case it is a static connection: we specify the IP and mask, and you can substitute the desired MAC
address if the provider restricts access by it. Your local network settings are also available in this section.
Press Apply Configuration and internet access is configured.
These are basic settings, something like the regular pages in the routers familiar to everyone. Details await the user in
additional sections.

There, by default, non-secure WPA is enabled (in the picture it is already disabled)
It is very amusing when, having entered the WiFi settings interface and looked at 4 pages of settings, you find the Advanced
Settings button. “Ah, so it was Easy mode,” I thought with surprise. However, all these difficulties are needed only when
you have a specific task in front of you and most likely you already know what exactly needs to be done.

The Interfaces section holds the settings of all ports of the router. By the way, you can configure any number of LAN ports as WAN.
Suppose you have the desire and ability to connect to 4 providers at once - hAP lite will allow you to do that too. The main
thing is not to get confused :) Perhaps that is what the Comment field was invented for: in many settings of the router you can
leave a note for yourself, in case a year from now you try to remember what was done in the settings and when.
You should also pay attention to the IP -> Services section. I like to keep everything unnecessary off, out
of harm's way, so I turned off everything for myself except ssh and the web interface.
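An added example (not code from the original review): a small Python audit of `/ip service print` output against the choice described above, everything off except ssh and the web interface. The sample output is constructed, the 192.168.88.0/24 LAN prefix is an assumption derived from the router address 192.168.88.1, and limiting the remaining services to that prefix goes one step beyond what the text does.

```python
import re

# Constructed sample of `/ip service print` output (RouterOS v6 column layout).
SAMPLE = """\
Flags: X - disabled, I - invalid
 #   NAME      PORT ADDRESS                CERTIFICATE
 0   telnet      23
 1   ftp         21
 2   www         80
 3   ssh         22 192.168.88.0/24
 4 XI www-ssl   443                        none
 5   api       8728
 6   winbox    8291
 7   api-ssl   8729                        none
"""

# Row layout: index, optional flags (X/I), lowercase service name, port, rest.
ROW = re.compile(r"^\s*(\d+)\s+([XI]*)\s*([a-z][a-z-]*)\s+(\d+)(.*)$")
# An address column holds IPv4/IPv6 prefixes, possibly comma-separated.
ADDR = re.compile(r"^[0-9A-Fa-f:.,/]+$")
# Values that mean "reachable from anywhere".
UNRESTRICTED = ("", "0.0.0.0/0", "::/0")


def parse_services(text):
    """Return one dict per service row; legend and header lines are skipped."""
    services = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _, flags, name, port, rest = m.groups()
        tokens = rest.split()
        # ADDRESS is optional: a first token such as "none" is the certificate.
        is_addr = bool(tokens) and ADDR.match(tokens[0]) and re.search(r"[.:]", tokens[0])
        services.append({
            "name": name,
            "port": int(port),
            "enabled": "X" not in flags,
            "address": tokens[0] if is_addr else "",
        })
    return services


def audit(services, allowed=("ssh", "www")):
    """Flag enabled services outside the allowlist and allowed ones open to any source."""
    findings = []
    for s in services:
        if not s["enabled"]:
            continue
        if s["name"] not in allowed:
            findings.append(("disable", s["name"]))
        elif s["address"] in UNRESTRICTED:
            findings.append(("restrict", s["name"]))
    return findings


def remediation(findings, lan="192.168.88.0/24"):
    """Turn findings into RouterOS commands; `lan` is an assumed management subnet."""
    cmds = []
    to_disable = [name for kind, name in findings if kind == "disable"]
    if to_disable:
        cmds.append("/ip service disable " + ",".join(to_disable))
    for kind, name in findings:
        if kind == "restrict":
            cmds.append(f"/ip service set {name} address={lan}")
    return cmds


if __name__ == "__main__":
    for command in remediation(audit(parse_services(SAMPLE))):
        print(command)
```

Running the audit again after applying the printed commands should return no findings; note that `www` is plain HTTP, so the address restriction matters most for that service.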
I will briefly go through the main features. RouterOS is very rich in settings, so I don't see the point of showing all
the described items with screenshots; there would be a lot of pictures that do not say anything. If you are interested
in the system itself, install it on a virtual machine and play around. That will make more sense.
Opportunities
Complete Firewall

Packet filtering, access control, NAT, UPnP, filtering by IP addresses, ports, IP protocols. Supports IPv6. The router can
search the contents of packets using regular expressions.
CAPsMAN

Controlled Access Points system Manager


Allows a RouterOS device to be a WiFi hotspot controller. This, in turn, makes it possible to collect a configuration from
many access points and one SSID for all. You can move around in a large office building or hotel and not lose access to
WiFi for a minute. This technology also allows you to organize WiFi access for a large number of people in one place, but
usually this requires an expensive external controller, and here this role is taken over by one of the network devices.
Ubiquiti UniFi, for example, requires a separate computer for this.
Routing

For IPv4: RIP v1 and v2, OSPF v2, BGP v4


For IPv6: RIPng, OSPFv3, and BGP
And also: VRF, routes by interface, by security policies and ECMP
But that's not all (c)
Redirecting

WDS, (R)STP, HWMP+, OpenFlow


MPLS (MultiProtocol Label Switching)

Packet management can be based not only on the IP headers or routing table, but also on the labels that the Firewall
hung on the packet.
VPN

Ipsec - tunnel / transport, certificate or PSK


P2P - OpenVPN, PPTP, PPPoE, L2TP
Advanced PPP - MLPPP, BCP
Tunnels - IPIP, EoIP
6to4 tunnel - IPv6 over IPv4
VLAN - IEEE802.1q, Q-in-Q
MPLS VPN
Wireless

IEEE802.11a / b / g / n
Proprietary Nstreme and Nv2 TDMA protocols
Client polling
RTS / CTS
Wireless Distribution System (WDS)
Virtual hotspot
WEP, WPA, WPA2 encryption
ACL access
Seamless roaming of wireless clients
WMM
etc.
Hotspot
Allows you to organize public access to your Internet. The user will be shown a login screen when opening the browser for
the first time, after entering the login and password, access to the Internet is provided.
Ideal for hotels, airports, shops and any other public places. The user management interface allows you to control the
connection time, speed and amount of transmitted data.
RADIUS is supported as well as a built-in administration utility.
There is a time limit mode and a way to show your ads.
Quality of Service (QoS)

Limit speed for specific IPs, subnets, protocols, ports or other parameters
Limit P2P traffic
Prioritize specific packets
Distribute the channel between users
etc.
Proxy server

You can set up a caching proxy server to speed up or limit the internet. It is possible to cache to an external drive (in the
case of hardware solutions with the ability to connect a drive via USB)
Utilities

Ping, traceroute
Channel speed testing, ping flood
Packet sniffer
Telnet, SSH
Utilities for sending / receiving E-mail and SMS
The ability to run scripts
Data Mirroring CALEA (Communications Assistance for Law Enforcement Act)
Active connections table
NTP client and server, RADIUS
TFTP server
SNMP for statistics and graphs
and much more
The Dude

MikroTik network utility to manage your network utensils. Automatically scans devices, draws a network map, monitors
services and warns if something went wrong. You can monitor not only devices based on RouterOS. Any device
accessible via ping or sending SNMP data is supported.
But of course, The Dude shows ALL his skills with RouterOS: it works as a Syslog server for RouterOS devices, manages
configurations and allows updates.
Licenses

Let me remind you that our hAP lite has a 4th level of licenses.
The differences in license levels are small:
The ability to upgrade to ROS 7.0 in our case, 5 and 6 levels assume an upgrade to ROS 8.0 version.
PPPoE, PPTP, L2TP, OVPN tunnels, as well as HotSpot users for hAP lite 200. The fifth and sixth levels are 500 and
unlimited, respectively (we only rest on the hardware).
Active sessions managed users: 4 -> 20, 5 -> 50, 6 -> unlimited
That's all. For the rest, your piece of hardware and the one that costs 20,000 rubles coincide in capabilities. Of
course, you need to understand that with a complex configuration, you will run into hardware performance, but
this will not be so easy at home, and you can buy a piece of hardware more expensive for the office.

For example, I was impressed by RB 2011UiAS-2HnD-IN. Smartly. Fashionable :)

I must note that not all the capabilities of RouterOS are immediately clear to me, due to my lack of experience in
managing complex networks, so sorry if I did not describe something or described it wrong. I think those who know all this
can figure out the details better than I can. It is impossible to consider everything within the framework of one review
article in any case. And the article is not about RouterOS, but about a small device, priced like an entry-level solution
from the usual home-internet vendors, with the capabilities of a small provider and some obvious limitations.
Testing
Before us is a router for the home. I do not have enough to arrange a stress test of its technical capabilities, and it
makes little sense at home. Let's try to load it with the usual household chores.
Test conditions
Congested 2.4 GHz WiFi (46 networks seen, according to NetSpot)
4 devices: 2 phones, tablet, laptop
Phones and a tablet are watching videos from Youtube, a laptop is torrenting a couple of Ubuntu distributions while
pinging a router and Yandex in parallel (sorry guys). All over WiFi.
The router was great, the video did not slow down on any device. The torrents were downloaded at an
acceptable speed. As soon as the video was turned off, the download speed increased.

I didn't bother much with SpeedTest:

WiFi @ MacBook Pro (early 2011)

LAN in the same place

WiFi @ iPad
In general, it was a great surprise for me to learn about the existence of this small company, and now I know that
they produce a large number of interesting hardware solutions and participate in building national networks in some
countries. Training centers have been created around the world, including in St. Petersburg and Moscow, where
you can get training, become a certified MikroTik specialist and use these interesting and functional devices in
your own way.
In a nutshell, what are we talking about here?
MikroTik hAP lite - WiFi router for mere pennies with professional RouterOS on board, excellent performance and truly
enormous possibilities. Configures quickly, works confidently.
The device is well suited for sysadmins: junior - as a tool for advanced training, through independent study "on
cats", and more experienced - to connect the "feng shui" all at home, set up communication with the office, and
you never know what else.
Absolutely inexperienced people, without a desire to minimally understand RouterOS, should not put such a
device at home. How will the provider's technical support engineers help you over the phone?
Those who are able to set up an ordinary home router themselves will be able to deal with this baby.
Pros:
The cost
Opportunities
Diminutiveness
Performance
Minuses:
There is no model with 5Ghz WiFi (in general, MikroTik has 5Ghz devices, but they are in the more expensive
segment)
There is no way to write your own module
I honestly admit that until recently I was not familiar with MikroTik routers at all. I heard something, read
something, and all the time thought that it was some network devices for professionals. Complicated setup, many
functions and all that. But I recently saw several MikroTik models on sale. I decided to buy MikroTik hAP Lite TC
to see it myself, configure it, and tell you about it.
In this tutorial, I will show you how to set up MikroTik hAP Lite TC. Using this guide, you will be able to configure
almost any MikroTik RouterBOARD. RouterOS itself, on which the devices of this manufacturer work, is very
complex at first glance. In fact, it is complicated not only at first glance 🙂 There are many real sections, settings,
etc. On my router, the RouterOS system itself is in English. As I understand it, there is no way to change the
settings language to Russian. But, if you look at it, you understand that for the usual setup of MikroTik you don't
need to climb through some sections there, look for something, etc. There, all the most necessary and important
settings are on one page. Which opens immediately after entering the control panel. Now we will consider all this
in more detail.

I also want to say a few words about the MikroTik hAP Lite TC router itself. I liked the device. The case is made
of high quality plastic, although it stinks a little. Inexpensive, cool, apparently powerful and very functional. But all
this functionality is not needed by most users. It's funny that the power is from microUSB. You can even power it
from a USB port of a computer, or a power bank. Or find another power adapter without any problems if the
native one breaks down. I didn't like the very boring packaging, completely incomprehensible setup
instructions (in English), and most importantly - the lack of a network cable included. Such are they, MikroTik
RouterBOARD routers. At least the hAP Lite TC model.
Judging by the instructions that come with the kit, this guide should be useful to many. As for MikroTik, here I am
a complete beginner. So the instructions, as you know, are for beginners like me 🙂

Connecting a MikroTik router and preparing for configuration


To set all the necessary parameters, we first need to connect to the router and connect the Internet to it. Since
there is no network cable included, you will most likely connect to it via a Wi-Fi network. You can configure it not
only from a laptop or PC. You can use a tablet, phone, or other device.

First, connect the power adapter and plug it into a power outlet. You can also immediately connect the Internet to
MikroTik (network cable from the provider, or a modem): plug it into the Internet port.
If you have a network cable, and there is no way to connect via Wi-Fi, then simply connect one end of the cable
to the LAN port of the router, and the other to the port of the network card of your computer.

If in your case the network is closed with a password, or a password request appears when entering the router
settings, then most likely someone has already configured it. Reset the settings according to the instructions.

It looks like this:


Internet access may not be available immediately. We have not yet configured the connection of the router to the
ISP. This is normal. Let's move on to setting up.

Setting up MikroTik using the hAP Lite TC model as an example


To enter the router settings, go to the address 192.168.88.1 in any browser. I wrote more about
this in a separate article. The RouterOS control panel should open immediately (in my case version v6.34.2). Check
that the router is in "Home AP" mode.

As I wrote above, all basic settings can be set directly on the "Quick Set" home page. It is divided into blocks. We
need to configure the following:
1. Internet connection (Internet).
2. Wi-Fi network (Wireless).
3. Set a password to protect the control panel (System).

These settings are sufficient in most cases.


Setting up the Internet on MikroTik (Dynamic IP, PPPoE)
An important point! If the Internet is already working through a router, then most likely your ISP uses the
Dynamic IP connection type, and additional configuration is not needed. Since the connection type "Automatic" is
the default. You can immediately set up a Wi-Fi network.

You should have information about the type of connection your ISP is using, as well as all the necessary data to
connect to the Internet (if you do NOT have a dynamic IP). It is also advisable to immediately find out whether
the provider binds the connection to a MAC address.
So, if you have a "Dynamic IP" connection type, without binding by MAC address, then everything should work
right away. If there is a binding by MAC address, then you need to either register the MAC address of the router
with the provider (it is specified in the MAC Address field), or find out the MAC address to which the Internet is
tied and enter it in the "MAC-address" field in the router settings.
PPPoE setup
Select the PPPoE connection type, set the username and password (they are issued by the provider) and click
on the "Reconnect" button. The router should be connected to the internet. If all is well, then proceed to setting
up the Wi-Fi network. More on this below in the article.

L2TP / PPTP configuration


First, in the "PPP" section, add "PPTP Client".
Next, set the server address (Connect To), username (User) and password (Password). This data is provided by
the provider. Check the box next to "Add Default Route". Then we save the profile by clicking on the "Apply" and
"Ok" buttons.
Friends, I'm not sure if the PPTP setup instructions are correct. Unfortunately, there is no way to check this. If I
wrote something wrong, please correct me in the comments.

Setting up a Wi-Fi network and password on MikroTik hAP Lite TC


On the same page we are interested in the "Wireless" section. It's on the left.

In the "Network Name" field, change the name of the Wi-Fi network. In the "Country" drop-down menu it is
desirable to specify your region, and in the "WiFi Password" field set the password (minimum 8 characters) to be
used when connecting to the Wi-Fi network.
Below, you can set up a guest Wi-Fi network and see a list of clients connected via Wi-Fi.
Remember or write down your Wi-Fi password. You can save the settings with the "Apply Configuration" button,
or set a password to protect the settings right away.

Password for the RouterOS web interface


When we went to the address 192.168.88.1, the control panel opened immediately. Anyone who is connected to
the router via a Wi-Fi network, or by cable will be able to enter it. To protect it, you need to set a password.
On the main page, in the lower right corner, in the "System" section, in the "Password" and "Confirm Password"
fields, create and enter a password. Save the settings by clicking on "Apply Configuration".

You will be kicked out of the system. And in order to enter the settings again, you need to specify the password
that you have set. The username is admin. Now you will need to log in every time you log into RouterOS.
Try not to forget the password, otherwise you will have to reset the settings of your MikroTik router and configure
everything again.

Afterword
I apologize in advance if I made a mistake somewhere in the instructions. There is no way to check everything
for myself. For example, connecting via PPPoE, or PPTP. You need a provider that uses a specific protocol.
The setup itself seemed to me even easier than that of popular manufacturers with a more user-friendly
interface. I agree that setting up, for example, filtering by MAC addresses, blocking sites, speed limiting and
other functions will be difficult there. You need to figure it out.

For a long time I could not understand how the RouterOS system itself works. And I got it. It works well. Yes,
there are many settings. But everything is quickly opened, saved, deleted, etc. Nothing hangs, and does not
reboot several times.

Leave comments, share helpful tips, and ask questions!

When Mikrotik presented hAP lite at one time, it became a real impetus for wider use of the company's routers.
An excellent set of features, rich functionality, flexibility, reliability and an affordable price turned into a real
bestseller, which to this day leads the sales ratings of many online stores.

Meet hAP ac²!


Many people mistakenly consider hAP ac² to be a replacement for the previous flagship hAP. This is partly true,
but not entirely. Let's figure it out.

The hAP ac² is delivered in the usual cardboard packaging, the only thing that has changed over the past few
years is the pattern added to the box and resembles an embroidered shirt.

As before, the device comes without a patch cord and color printing. However, many people would probably not
have given up on a high-quality patchcord.
Due to the matte soft-touch coating, hAP ac² is packed in polyethylene, which should ensure safety
until the device falls into the hands of the end customer.
Of the non-standard options, the package contains only a stand-mount and a short illustrated instruction on how
to use this stand itself.

The part number of the model turned out to be quite intricate: RBD52G-5HacD2HnD-TC. While for the hEX users
could sometimes use the part number when communicating on the forums, in the case of this model not
everyone will succeed in remembering it the first time.

However, a lot of information can be gleaned from the part number:

RB - RouterBOARD

D - Dual-Chain (Full)
52 - Dual-Band 5 + 2.4 GHz

G - Gigabit Ethernet

5HacD - 5GHz 802.11ac, High-Power (Type 1), Dual-Chain

2HnD - 2.4GHz 802.11n, High-Power (Type 1), Dual-Chain


As for the transmitter power, Mikrotik has 4 gradations:

normal power (no index), less than 23-24 dBm;

H - increased power, 23-27 dBm;

HP - high power, 25-29 dBm;

SHP - very high power, more than 27-30 dBm;

Actually, "type 1" means the index "H". But the index "U" (USB) is not used in the name, although this interface is
present here.

In general, the design itself is rather unusual. The company continues to experiment with the Tower-Case, with
the hAP lite TC being the first "experimental" device. Then hAP ac lite TC (RB952Ui-5ac2nD-TC) and hAP mini
(RB931-2nD) appeared.

Surveys show that nearly 70% of respondents approve of the domesticated design of the hAP ac2.
The indicators and the interfaces themselves are located on opposite sides, which is the standard for home and
SOHO solutions. The port indication is not very convenient, but it is not intrusive and will not bother you with its
work at night.

All 5 interfaces are shielded, and there is no ground connection on the case.
In addition to the power indicator, hAP ac² also has an additional user indicator, which is
convenient to configure, for example, according to the status of the VPN connection.

The WPS and reset buttons are combined, you no longer need to carry a paper clip with you, now a pen or pencil
will do - holding the button for a long time is still inconvenient, which will protect against accidental reset.

One of the highlights in the hAP ac² design is the stand.


It's not just a stand, it's a ceiling or wall mount. We have already installed this device for one of our clients on a
plasterboard ceiling. The installation process is quick and convenient, and with a placement height of 4 meters there
are absolutely no problems with the quality of the coverage.
The element is fastened with a latch to the bottom edge or to the cover. In the first case, you will receive a
desktop standing version, in the second - a desktop recumbent version, or a wall (ceiling) mount. On the legs
there are silicone inserts that provide anti-slip properties of the stand.
The ac2 itself is extremely compact, the size of the novelty is comparable to the usual hAP lite, and in a standing
position it takes up a minimum of space.

Inside the Mikrotik hAP ac²


Many owners tried to look inside the ac², but not everyone managed to open it, and some of those who did
simply broke the latches. For this reason, we urge you to refrain from opening this model.

The first thing worth paying attention to is the closedness of the internal space of the case. That is, there are
ventilation "slots" on the front panel, but it cannot be said that they especially improve ventilation. The
internals of the device easily warm up to 45 degrees when idle, and under load the temperature can rise to 52 degrees.
There is no need to panic about this, the old hAP ac warmed up much more. The device that we have chosen as
a server even warms up to 62-65 degrees in idle time.

Almost half of the upper part of the RBD52G-5HacD2HnD-TC board is covered with a massive needle-type
heatsink.
On the same side of the board, 2 antennas, interfaces, a power subsystem and a USB port are soldered.
There are 4 mounting holes along the perimeter of the board, probably the company has previously
experimented with different variants of the case, including the classic one.

All the main components of hAP ac² are located on the back of the PCB.
The device is based on the Qualcomm IPQ-4018 chip. It is a highly integrated solution combining a 32-bit ARM
processor and wireless modules.
Despite the strong resemblance to the IPQ-4019, these 2 chips are not interchangeable. The older IPQ-4019 has
a larger physical size, a different design and wiring diagram.
Although in general, IPQ-4018 and IPQ-4019 differ only in the set of interfaces.

The main computing unit of the IPQ-4018 is 4 ARM Cortex A7 cores with clock frequency 717 MHz. The chip
includes a Hardware NAT and Crypto Engine block, as you might guess, the first block is responsible for NAT
unloading, the second for hardware encryption.
Both wireless modules have a MIMO 2x2 (Dual-Chain) configuration, with each of the modules having its own
co-processor that provides hardware offload. They are labeled CPU # 1 and CPU # 2 in the block diagram.
At the output of each chain, one amplification unit is soldered (hidden under the screens), in total there are 4 of
them.
If you look at the official hAP ac2 block diagram, it lists the AR8327 gigabit switch, and it is labeled as built
directly into the IPQ-4018.

At the same time, next to the processor, the QCA8075 is soldered on the board, which implements 5 gigabit
ports.

If we return to the official Qualcomm block diagram, the IPQ-4018 contains "5GE L2 / 3/4 Switch Engine", a little
to the left of the diagram there is an external block "QFE8075 / 2 (5/2 ports PHY)".

Thus, in fact, physical layer (PHY) is implemented on a separate external chip QCA8075, but the rest of the
harness is located directly in the SoC. RouterOS itself identifies the switch as Atheros-8327.
As usual, there is not a lot of permanent memory - only 16 MB (Winbond 25Q128JVSM).

The situation with RAM is more interesting. Officially, hAP ac² has 128 MB of RAM. At the same
time, the first batches are equipped with 256 MB Nanya NT5CC128M16IP-DI chips.
The end user has 233 MB available. Mikrotik confirmed this fact, but they will not correct the description and
characteristics for hAP ac², because there are batches with 128 MB. Someone from the logistics department
messed up a lot.

So far, we have not come across a single device with 128 MB, all copies we tested were equipped with 256 MB
of RAM.
The hAP ac2 platform will be partially used in the RB450Gx4, although it is based on the IPQ-4019 with disabled
wireless interfaces. The cost of the board will be almost double that of the tested device. In return, Mikrotik offers
1 GB of RAM, 512 MB of NAND Flash, a 5th license level and microSD support.

hAP ac² performance with L2TP / MPPE


At the moment, there is a fairly wide range of possibilities for combining remote networks into a single computer
network. The most popular tools are PPTP, L2TP, OpenVPN, and IPsec.

PPTP is the oldest and most unsafe protocol, at the same time, oddly enough, the overwhelming majority of
Mikrotik users use the outdated pptp protocol for remote connections. Due to the fact that this protocol is
completely outdated and even Apple devices have stopped supporting it, we will not test this protocol.

The most optimal protocols are IPsec and OpenVPN.

IPsec is one of the most secure methods of network interconnection available today. Thanks to reliable AES
encryption with support for 128- and 256-bit keys, this protocol provides the highest reliability and confidentiality
of transmitted data, which can be of critical importance for business and government agencies. Today, even
using the power of supercomputers, it will take billions of years to decrypt data encrypted with AES. This
method also has drawbacks: the need for an external static IP at both ends of the connection and high requirements
for the hardware platform. In principle, an IPsec connection is also possible between dynamic IPs, although in
this case you will have to reconfigure the parameters each time one of the addresses changes. The hardware
platform is also not so simple: entry-level budget RouterBOARDs can provide at best 10-20 Mbit with a full CPU
load.
More advanced devices such as RB750Gr3, RB850Gx2 (discontinued), RB450Gx4, RB3011, RB1100AHx2,
RB1100AHx4, and CCR1009 are capable of faster IPsec speeds. With the advent of hAP ac2, this list can be
supplemented with one more model, but first things first.
There is also the possibility of using L2TP in conjunction with IPsec. The main advantages of this combination are
high security, quick and easy configuration, and good tolerance of NAT on the end client side. Of the serious
drawbacks of this option, very high requirements for the hardware platform should be noted; perhaps L2TP /
IPsec is the most demanding protocol. The double encapsulation of data and the need for encryption are to
blame.

The OpenVPN protocol, which is based on the OpenSSL library and the SSL / TLS protocols, is devoid of these
shortcomings. OVPN itself is extremely flexible in configuration and even allows you to mask traffic as normal
HTTPS, making it possible to bypass all sorts of restrictions on the part of the provider. Generally, OVPN is faster
than IPsec and still supports a variety of encryption algorithms, including AES. This method still has
disadvantages - more complex configuration and high hardware requirements (as well as for IPsec).

For our part, to begin with, we will test L2TP with standard MPPE 128-bit encryption.

L2TP is more reliable and secure compared to the previous generation protocol - PPTP. We strongly recommend
that you abandon the use of PPTP in favor of more modern protocols. If you do not have the ability and / or
desire to use OVPN / IPsec / L2TP + IPsec, we recommend using L2TP / MPPE.

The main recommendation for increasing L2TP / MPPE security is to use very long passwords consisting of a set
of random letters (with different layouts), numbers and special characters. The use of "dictionary" passwords is
not recommended, since L2TP / MPPE has a number of shortcomings that allow dictionary methods of
password guessing, which ultimately reduces the security of a 128-bit key, making it equivalent to
56-bit. In any case, this is much better than using PPTP.
As a pair for hAP ac2, we chose the proven CCR1009 platform, namely the.
It is the most affordable member of the CCR line, which has a powerful 9-core Tile Gx processor and 1 GB of
RAM. This combination provides high performance and the ability to handle up to 2.5 Gbps of IPsec traffic.

During testing, stability and reliability were additionally checked under high loads. Performance data are indicated
for user traffic (useful traffic), and the average sample is taken into account. Peak performance values
are not included in the calculation of the average indicator if their duration is less than 30 seconds.
On both sides, PCs with iperf are used as traffic generators, which gives more reliable values and
flexibility than the built-in BTest.

CCR1009 - WAN IP 192.168.106.20 / VPN 10.0.0.1 / LAN 192.168.1.0

hAP ac2 - WAN IP 192.168.106.30 / VPN 10.0.0.2 / LAN 192.168.2.0

For CCR1009, a manual configuration was used, similar to defconf on low-level devices. ETH1 (not Combo) is
used as WAN, standard Firewall rules, port 1701 is additionally open.
The L2TP Server configuration is based on a standard encrypted profile, MTU has not been changed, and the
"Allow Fast Path" option is additionally activated.

All legacy authentication methods MSCHAP1, CHAP and PAP are disabled, only MSCHAP2 (MS-CHAPv2) is
active.
In modern realities, it is best not to use compression for maximum performance.

On the client side, the settings are similar, the default profile with encryption is used, as well as the "Allow Fast
Path" option.
Routing to the remote network is provided by a static route in combination with NAT masquerade, the default
route is not used.
Both devices have a fasttrack connection configured in the Firewall for established and related connections.
At the output, we have a classic combination of 2 networks based on L2TP / MPPE.
Depending on the direction of traffic and configuration, CCR loads 1 core, or distributes calculations between all
9 cores. For example, when sending data from CCR, 1 core is used, while when receiving data for decryption, all
cores are loaded evenly.
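
The L2TP server and client settings described above (MS-CHAPv2 only, the encrypted profile, no PPTP) can be checked against a configuration export. The following Python script is an added example, not code from the article or from MikroTik; the export text, the interface name l2tp-out1 and the user name are constructed samples, and the finding identifiers are this example's own.

```python
import shlex

LEGACY_AUTH = {"pap", "chap", "mschap1"}  # methods the test setup above disables

# Constructed sample in the style of RouterOS "/export" output (not from the article).
SAMPLE_EXPORT = """\
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap1,mschap2 \\
    default-profile=default-encryption enabled=yes
/interface pptp-server server
set enabled=yes
/interface l2tp-client
add allow=mschap2 connect-to=192.168.106.20 disabled=no name=l2tp-out1 \\
    profile=default-encryption user=branch
"""


def parse_export(text):
    """Yield (menu, command, properties) for each command line of an export."""
    menu, pending = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):  # the export wraps long lines with a backslash
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):  # a menu path applies to the commands below it
            menu = line
            continue
        tokens = shlex.split(line)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        yield menu, tokens[0], props


def legacy_methods(value):
    """Return the legacy authentication methods present in a comma list."""
    return sorted(LEGACY_AUTH & {m.strip() for m in value.split(",")})


def audit(text):
    """Return (check_id, detail) findings for the PPP settings discussed above."""
    findings = []
    for menu, cmd, props in parse_export(text):
        if menu == "/interface pptp-server server" and props.get("enabled") == "yes":
            findings.append(("pptp-enabled", "PPTP server is enabled"))
        elif menu == "/interface l2tp-server server" and props.get("enabled") == "yes":
            auth = props.get("authentication")
            if auth is None:
                # Do not guess the device default; ask for a check instead.
                findings.append(("l2tp-server-auth-unknown",
                                 "authentication not in export; check on the device"))
            elif legacy_methods(auth):
                findings.append(("l2tp-server-legacy-auth",
                                 ",".join(legacy_methods(auth))))
            if props.get("default-profile") != "default-encryption":
                findings.append(("l2tp-server-profile",
                                 "confirm the profile in use requires encryption"))
        elif menu == "/interface l2tp-client" and cmd == "add":
            allow = props.get("allow")
            if allow is None:
                findings.append(("l2tp-client-auth-unknown", props.get("name", "?")))
            elif legacy_methods(allow):
                findings.append(("l2tp-client-legacy-auth",
                                 ",".join(legacy_methods(allow))))
    return findings


if __name__ == "__main__":
    for check_id, detail in audit(SAMPLE_EXPORT):
        print(f"{check_id}: {detail}")
```

A setting that is absent from the export is reported as unknown rather than assumed safe, because an export may omit values that are still at their defaults.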
Packet exchange of 1400 bytes, TCP mode
The first throughput test is done for 1400-byte packets.

The average performance of a 1-thread test is 112 Mbps for receiving and 128 Mbps for sending.
With an increase in the number of sessions to 10, the speed changes to 111 and 170 Mbit, as you can see, there
is an increase in performance for sending with an increase in the number of sessions.
There is no special increase for Download, regardless of the size of the packages. Interestingly, in all these
cases, the IPQ-4018 utilization averaged up to 25%. Only 1 core is loaded, only occasionally the system
performs unloading on other cores - in multi-threaded modes.

We carry out a further test for Upload and increase the number of sessions to 20 and 100, as a result, the speed
increases to 201 and 235 Mbps, respectively.
For additional monitoring during the tests, the Tools - Profile tool was periodically used, with which we tracked
the distribution of resources and their load.

Actually, it clearly shows that with an increase in the number of simultaneous connections, RouterOS, albeit with
a bias, distributes part of the calculations to the rest of the cores. Along with the increase in performance, the
load on the CPU rises to 35-45%.

The last test in this block is carried out for FDX (Full Duplex) with 10 opposite connections in each direction, for a
total of 10 + 10 sessions.
As a result, the total throughput was 185 Mbps.

The resulting performance diagram for 1400-byte packets looks like this:
