- Introduction
- Firewall Configuration
- Working with Profiles
- Create a Mikrotik Site
- Assign a Profile to a Site
- Supported Mikrotik Router boards and Router OS version
- Provisioning Mikrotik Router using Encapto Install Script
Introduction
This guide covers the use of an Encapto-configured Mikrotik site to interface with Encapto Wi-Fi.
The integration will enable the use of the site to manage a Mikrotik and the application of Encapto smart hotspot features.
Note: Only Mikrotik devices that have been pre-configured by an Encapto authorised distributor, or provisioned by following Section 7, can be integrated with the Encapto platform.
The Mikrotik provides the highest degree of control over Encapto hotspot features directly from the Cloud Deck control panel. Features include the setting of Walled Garden Entries, MAC address Whitelist and Blacklists, and Content filtering. The device can also be used as an inline gateway device to any wired or wireless network. In addition to providing smart Wi-Fi hotspots, the device will also run a POS system, digital signage, or any other network application.
To enable mass configuration of sites, the Encapto Mikrotik integration utilises a unique Profile system, in which device interface and network settings are configured. Profiles can then be applied to multiple sites for rapid network deployment.
Firewall Configuration
The Mikrotik device requires internet access with outbound access to Encapto Core. If there is a firewall between Mikrotik and Encapto, specific ports will need to be configured to enable Encapto services.
Required
Service | Port Number | Inbound/ Outbound |
Portal Web Access | TCP 80 and 443 | Outbound |
Radius Authentication | UDP 1812 | Outbound |
Radius Accounting | UDP 1813 | Outbound |
VPN | TCP 1723, GRE Protocol 47 | Outbound |
DNS and Content Filtering | UDP 53, 50053 | Outbound |
NTP | UDP 123 | Outbound |
ICMP | | Outbound |
Optional
Service | Port Number | Inbound/ Outbound |
SMTP | TCP 25, 143, 587, 465, 993 | Outbound |
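The following is an added example, not part of the Encapto guide: a Python check that compares an upstream firewall's outbound allow-list against the Required table above and reports which Encapto services would still be blocked. The `proto/port` rule notation and the sample allow-list are constructed for illustration and do not correspond to any vendor's export format.

```python
# Required outbound services from the table above: (service, protocol, ports).
# GRE (IP protocol 47) and ICMP carry no port numbers, so their tuple is empty.
REQUIRED = [
    ("Portal Web Access", "tcp", (80, 443)),
    ("Radius Authentication", "udp", (1812,)),
    ("Radius Accounting", "udp", (1813,)),
    ("VPN", "tcp", (1723,)),
    ("VPN", "gre", ()),
    ("DNS and Content Filtering", "udp", (53, 50053)),
    ("NTP", "udp", (123,)),
    ("ICMP", "icmp", ()),
]

PORT_PROTOCOLS = {"tcp", "udp"}


def parse_rule(text):
    """Parse 'proto', 'proto/port' or 'proto/lo-hi' (hypothetical notation)."""
    proto, _, ports = text.strip().lower().partition("/")
    if not ports:
        return proto, 1, 65535  # whole protocol allowed
    if proto not in PORT_PROTOCOLS:
        raise ValueError(f"{proto} has no port numbers: {text!r}")
    lo, _, hi = ports.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return proto, lo, hi


def is_allowed(proto, port, rules):
    """True if any rule permits this protocol (and port, when there is one)."""
    return any(
        r_proto == proto and (port is None or lo <= port <= hi)
        for r_proto, lo, hi in rules
    )


def missing_services(allow_list):
    """Return the required protocol/port entries the allow-list does not cover."""
    rules = [parse_rule(r) for r in allow_list]
    gaps = []
    for service, proto, ports in REQUIRED:
        for port in ports or (None,):
            if not is_allowed(proto, port, rules):
                gaps.append(f"{service}: {proto}" + (f"/{port}" if port else ""))
    return gaps


# Constructed allow-list: opens TCP 1723 for the VPN but not GRE, and standard
# DNS but not the content-filtering port.
SAMPLE_ALLOW = ["tcp/80", "tcp/443", "tcp/1723", "udp/53", "udp/123",
                "udp/1812-1813", "icmp"]

if __name__ == "__main__":
    for gap in missing_services(SAMPLE_ALLOW):
        print("blocked:", gap)
```

GRE is an IP protocol rather than a TCP or UDP port, so a firewall that filters only on port numbers needs a separate protocol rule for it.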
Working with Profiles
The first step in setting up an Encapto-configured Mikrotik device on your Encapto account is the creation of a Profile. A Profile is where information about your Mikrotik site configurations is stored. A Profile can be applied to one or more Mikrotik Sites with simple steps.
Create a Profile
Log on to your Encapto Wi-Fi Cloud deck account.
- Expand the Sites by clicking +.
- Select Mikrotik from the sub menu under Sites.
- Select the Profiles tab.
- Click +NEW.
- Give the Profile a name.
- If required, search and select an existing tag or press Enter to create a new tag.
- Add notes, if required.
  Tip: tags and notes are for your administrative purposes so that you can quickly locate, identify, and apply a particular Profile to one or more sites.
- Save.
On clicking Save, the Profile’s details panel will appear, where the profile can be configured.
Add and edit Interfaces.
Interfaces are the points at which networks can be connected to your Device. Four types of interface can be configured on an Encapto profile: two physical interfaces, Ethernet and WLAN, and two Virtual interfaces, Bridge and VLAN.
Tip: not all Mikrotik devices come with onboard Wi-Fi. When a profile on which a WLAN has been configured is applied to a Device with no WLAN interface, this will have no effect.
To add or configure an interface:
- Click the Interfaces tab. This will show all interfaces that have currently been configured on the Profile, arranged under the ETHERNET, WLAN, and VIRTUAL panels. Then:
  - Click the +Add button or anywhere on an existing interface in the ETHERNET panel to configure an Ethernet Interface; or
  - Click the +Add button or anywhere on an existing interface in the WLAN panel to configure a Wireless Interface; or
  - Click the +Add button or anywhere on an existing interface in the VIRTUAL panel and make a selection to configure a VLAN or a Bridge Interface.
Add or Edit Ethernet Interfaces
Add or edit an Ethernet interface to configure physical ethernet ports on your Profile by clicking the +Add button as shown in Figure 3 a or clicking on an existing interface line item in the ETHERNET panel.
You can configure all Ethernet ports on the device or just the ports you will be using.
Usually, it is only necessary to name an Ethernet interface and leave additional settings as default values. However, settings may be configured differently in particular circumstances.
- MTU field – Maximum Transmission Unit – is set to 1500 by default but may be lowered if required.
- ARP selector – Address Resolution Protocol – set to Enabled by default but may also be set to Disabled, proxy-arp, or reply-only.
- Speed check radio – set to Auto by default but can be set to match the corresponding port's speed on the device connected to the port.
- Full Duplex checkbox – checked by default – uncheck for half-duplex communications.
Tip: Ethernet interface settings can be applied to specific device ports by entering the port number next to the line item in the Ethernet panel shown in Figure 3, above.
Add or Edit WLAN Interfaces
For Wi-Fi enabled Mikrotik Devices, adding a WLAN Interface sets the basic parameters for a Wi-Fi network. This can be either a standard Wi-Fi network or a Hotspot network. To set up or edit a WLAN Interface, click the +Add button as shown in Figure 3, b, or anywhere on an existing interface in the WLAN panel, and:
- Enter a name for the Interface (for administrative purposes).
  Tip: When entering a name for a WLAN interface, Encapto recommends using “wan1”, “wlan2” as the name.
- Enter an SSID – the network name that will display on end-user devices.
- Select the band that will be configured for this Interface (note that for dual-band and other multi-radio devices, each radio must be configured as a separate WLAN Interface).
- Select a Channel width to define how broad the frequency range used by the radio will be.
- Select a Frequency to set the device to a particular Channel or leave it at Auto to allow the interface to channel hop for the least busy channel. 20MHz is the default frequency when creating a new WLAN.
  Tip: If a channel width of 20MHz is selected and the frequency is 2452, the radio will broadcast on the following frequencies: 2442, 2447, 2452, 2457, 2462.
  If a channel width of 40MHz is selected and the frequency is 2452, the radio will broadcast on 2432, 2437, 2442, 2447, 2452, 2457, 2462, 2467, 2472.
  Note: 2467 and 2472 are not selectable as the main frequency.
- Set Encryption mode to None (for a Hotspot network) or WPA/WPA2 PSK for encrypted access (if the latter is selected, a pre-shared key must also be entered).
- Select Default Authenticate to auto-authenticate end-user devices to the SSID.
- Select Default Forward (or uncheck for isolation of client devices at the network layer).
- Select Hide SSID to create a WLAN Interface that can only be found by an end-user by searching for the SSID name.
- Save.
Tip: Channel width and frequency can only be set once for each radio. Encapto will apply these settings to all subsequent WLAN Interfaces created for that radio.
Configure Bridges
A Bridge allows administrators to group Interfaces to perform the same Interface function.
To add a Bridge to a Profile, click the +Add button as shown in Figure 3, c, and select Bridge from the dropdown. Or, to edit an existing bridge, click anywhere on the line item in the VIRTUAL panel and:
- Give the Bridge a name.
- Set the ARP (or leave as default enabled).
- Select the bridge Protocol mode (how the Bridge will communicate with other Bridges).
- Select the Interfaces to be bridged.
- Save.
Configure VLANs
VLANs can be created on any Interface that has been set up on a Profile – that is, an Ethernet port, a WLAN or a Bridge.
To add a VLAN to a Profile, click the +Add button and select VLAN from the dropdown or anywhere on an existing interface in the VIRTUAL panel (See Figure 3, 1c, above):
- Give the VLAN a name.
- Give it a VLAN ID to distinguish it from other VLANs. The VLAN ID will be a number between 1 and 4096.
- Set the ARP (or leave as default enabled).
- Assign it to an Interface.
- Save.
Define Networks
The second set of components of a Profile is the Network settings. These define the logical position of the Device within a broader network topology. Network settings include defining the Device as part of a WAN (from which internet backhaul can be provided) and a LAN, which defines the relationship between the Site and connected clients (end-user devices). To function correctly, at least one WAN and one LAN must be set up on the Site.
To add or edit a WAN or a LAN:
- Click the Network tab. This will show a list of all WANs and LANs that are currently configured on the Profile.
- Click the +Add dropdown button and select either WAN or LAN, or click anywhere on an existing WAN or LAN to configure and follow the instructions below.
- Existing Network settings can be deleted by clicking the delete symbol or edited by clicking the edit symbol.
Configure WAN settings
WAN settings define the logical position of the Device in relation to a wide area network (WAN). This may be a modem providing internet backhaul to a public Wi-Fi system, or some other corporate or municipal WAN router.
To configure a WAN:
- Give the WAN a name.
- Select the Interface that the WAN will use.
- Enter a Distance number. Where more than one WAN has been configured on a Device, WANs with lower numbers will be prioritised over WANs with higher numbers.
- Set the DHCP client mode to:
  - Yes, for the Device to be dynamically assigned network address settings when connected to a DHCP-enabled network.
    - Tick Use Peer DNS (or leave it unchecked to use Encapto’s DNS).
    - Tick Use Peer NTP (or leave it unchecked to use Encapto’s NTP).
    - Save.
  - No, if you wish to set a static IP, and
    - Enter the IP address, subnet mask and default gateway.
    - Tick Check gateway to test the connection to the Gateway IP address.
    - Select either Ping or ARP as the check gateway Method.
    - Save.
Configure a LAN
LAN settings define the logical relationship between the Site and connected devices (such as end-user clients in a Wi-Fi network). To configure a Hotspot network on the Site, you first need to configure a LAN that will host the Hotspot clients.
To configure a LAN:
- Give the LAN a name.
- Select an Interface on which the LAN will be configured.
- Set DHCP server mode to:
  - Yes, for the Device to assign IP addresses to connected clients; enter the IP address range that the Device will assign to connected clients by selecting IP Pool Start and End IP Addresses; or
  - No, if clients are required to enter a static IP to connect to the network; or
  - Relay, to allow another DHCP server to pass DHCP details to Encapto (in this case the Encapto site still acts as a DHCP server but uses externally provided IP addresses). To enable this option, a Server and Agent IP Address must be entered.
  - External, to use another DHCP server (in this case the Encapto site hands over all DHCP functionality to an external server). The device's IP address must be configured in an external DHCP server.
- Enter an IP address for the Site interface.
- Enter a subnet mask for the Site IP.
  If DHCP Server mode is set to “Yes” (shown):
- Set an IP Pool start IP address; and
- Set an IP Pool end IP address.
  If DHCP Server mode is set to Relay, enter a Server IP and Agent IP (not shown).
- Select Allow internet access (masquerade).
- Save.
Tip: For public and other guest networks, DHCP is required to automatically assign clients connecting to the Hotspot network with an IP address.
Assigning a Profile to a Site
The Profile Assignment tab enables profile assignment to one or more Mikrotik Sites. To assign the profile to a site:
- Click the +Add button next to SITES USING THIS PROFILE.
- Select the sites to which the profile will be applied using the tick box.
- Save.
Tip: A Profile can be applied to a Site from here or from the Site itself in the Sites Module.
Editing Profiles
Several edit functions can be performed on an existing Profile from the Profiles list view. To assign, rename, or duplicate a profile:
- Search Profiles by name or tag.
- Click a tag to auto-search Profiles by that tag.
- Select a Profile using the adjacent tick box and
  - Delete the Profile;
  - Edit tags (if multiple Profiles are selected, this will add tags to all selected Profiles);
  - Rename the Profile;
  - Assign the Profile to a Device; or
  - Duplicate the Profile.
- Click a link under ASSIGNED TO to assign the profile to one or more Sites (or view if a single Site has been assigned).
- To edit the details of any Profile, click on any non-linked area of the relevant line item.
Tip: Editing any Profile details will immediately affect all Sites to which the Profile is assigned.
Create a Mikrotik Site
Once a Profile has been created, it can be applied to an Encapto Configured Mikrotik Site. To create a Mikrotik Site:
- Click Sites.
- Click the + New button.
  Select Mikrotik from the Site type dropdown and click the Select button (not shown).
- Give the Site a name for your reference.
- Enter the Device Serial number.
- Save.
Assign a Profile to a Site
Note that Profiles can ONLY be applied to Encapto-configured Mikrotik sites - for information on configuring other devices, refer to the relevant integration Guide.
Profiles can either be applied to a Site from the Profile’s Assignment tab as described in Section 3.4 or from the Site’s Hardware settings tab.
Apply a Profile from the Site Hardware Settings Tab
To apply a Profile to a new Site or edit an existing Site:
- Click Sites. This will show a list view of all Sites currently configured on your account.
- Click in any non-active area of the line item for the Site created in Section 4. This will show the Site’s Details tab, where you can edit the details entered in Section 4 (not shown).
- Click the Hardware settings tab (not shown).
  By default, Encapto-configured Mikrotik Sites will have a Provisioning profile assigned.
- Click the Change button next to PROFILE.
- Select the Profile to be applied.
- Save.
Ignored settings
The Hardware Settings tab shows vital information about the profile that is currently applied to your Site. In particular, it shows the Interfaces and Network settings that the site has inherited from the profile. Encapto will only apply the settings from the Profile that are compatible with the site and ignore other Profile settings. For example, if the Profile has three ports, but the site itself only has two, an additional panel called IGNORED SETTINGS, which lists the extra port, will appear.
Your Mikrotik Site is now set up and ready to accept Hotspot Settings. For help with configuring these settings, please refer to the Configuring Hotspots User Guide.
Supported Mikrotik Router boards and Router OS version
The following Mikrotik routers, running Router OS Long-term release 6.49.10 (for V7, Stable version 7.11.2 or below) may be configured to work with Encapto:
Component | Minimum* | Recommended |
CPU | 600MHz | 650MHz and above |
RAM | 64MB | 128MB and above |
* Not recommended where more than one network (including the hotspot) is configured; due to insufficient RAM, the recommended maximum number of concurrent users is 10 or fewer.
Encapto supported and tested Mikrotik Routerboard Architectures:
- MIPSBE
- ARM 32bit
- TILE
Encapto supported and tested Mikrotik Routerboards include (as of Nov 2019):
- RB951Ui-2HnD
- RB951G-2HnD
- RB2011XXX
- RB3011XXX
- RB4011XXX
- CCR10XXX
- hAP (RB951Ui-2nD)
- hAP ac (RB962UiGS-5HacT2HnT)
- hAP ac light (RB952Ui-5ac2nD)
Please take a look at Encapto Powered NAS Gateways - Mikrotik (concurrent users per model) for more details about supported Mikrotik models and maximum concurrent users.
The following Mikrotik Routerboards are UNSUPPORTED by Encapto because they use a different architecture type (SMIPS) and their amount of RAM is lower than the minimum. These models are designed for home use.
- hAP mini (RB931-2nD)
- hAP lite (RB941-2nD)
- hAP lite TC (RB941-2nD-TC)
Provisioning Mikrotik Router using Encapto Install Script.
This section provides step-by-step instructions to configure a supported Mikrotik Routerboard as an Encapto Cloud Managed Gateway appliance and assumes the reader is familiar with the configuration of a Mikrotik Routerboard (Router OS/Winbox), which is outside the scope of this section.
To set up your Mikrotik device, you will require:
- A Windows PC directly connected to the new Mikrotik Router (connect the PC to Ethernet port 2).
- The Mikrotik Winbox application installed on the aforementioned Windows PC to perform the configuration. Winbox can be downloaded at http://www.mikrotik.com/download/winbox.
Note: Encapto recommends that you upgrade your router to Mikrotik Router OS Long-term release 6.49.10.
Resetting the Default Configuration on the Mikrotik
Regardless of whether the Mikrotik is new out-of-the-box or previously configured, a system reset MUST be performed according to the instructions below.
Warning: This will remove all configuration settings from the Mikrotik and return it to a basic configuration. You will lose any previous configuration settings.
Login to the Mikrotik Router using Winbox
Connect your Windows PC to Mikrotik router ethernet port 2 using the network cable. On your Windows PC, open the Winbox application (winbox.exe) downloaded earlier.
- Click “Neighbors” in the Winbox window to display the MAC address of the connected Mikrotik router.
- Click on the MAC address of the router.
- Log in as “admin” and leave the password section blank (for brand new Mikrotik routers).
- Click the “Connect” button.
- Current Router OS version.
Resetting the Mikrotik Router
For New Out-of-the-box Mikrotik routers
You will be shown the following dialogue box at login.
- Click on “Remove Configuration”.
After you click “Remove Configuration” you’ll be disconnected from the Mikrotik router while it resets.
Wait for around 30 seconds and then log back into the Mikrotik router as shown in the above section to continue the provisioning.
For previously configured Mikrotik routers
Navigate to the system reset tool as below:
- Click “System” in the Winbox window.
- Click “Reset Configuration” in the menu list, and the Reset dialogue will appear.
- Check the “No Default Configuration” and “Do Not Backup” checkboxes.
- Click “Reset Configuration”.
After you click “Reset Configuration” you’ll be disconnected from the Mikrotik router while it resets.
Wait for around 30 seconds and then log back into the Mikrotik router, as shown in Section 7.1.1 above, to continue the provisioning.
Note: Before proceeding to the next step, Encapto recommends that you upgrade your router to Mikrotik Router OS Long-term release 6.49.10.
Provisioning the Mikrotik router for Encapto using the Install script
Download “Install Script” from Cloud Deck and configure Mikrotik Router.
To download the Install Script, log on to your Encapto Wi-Fi Cloud deck account.
- Expand the Sites by clicking +.
- Select Mikrotik from the sub menu under Sites.
- Click the Install Script button to download the “mikrotik_install_script.rsc” file.
- Open Winbox and log back in to the Mikrotik router (as in Section 7.1.1 above). Open Windows file manager, navigate to the Downloads folder on your PC, and drag and drop the downloaded install script file “mikrotik_install_script.rsc” onto the Winbox window as shown below.
- In the Winbox window, click the Files menu and confirm the Install script has been copied to the Mikrotik successfully.
- Click on “New Terminal”, and the Mikrotik command terminal will appear.
- Type import mikrotik_install_script.rsc and hit Enter within the new terminal window as shown.
- Once the file is imported successfully, you’ll see “Script file loaded and executed successfully” in the Mikrotik Terminal.
- You have now completed the Mikrotik Router provisioning, and the Mikrotik router is ready to be added to the Cloud deck using its serial number.
Checking the Serial number and Checking Provisioning status
As a part of the install script, Mikrotik Ethernet port 1 is configured to receive an IP address and internet from a DHCP Server (Modem). Connect the Mikrotik Router Ethernet port 1 to your WAN network (modem) to receive internet.
Once the Mikrotik Router has been fully configured, as described in Section 7.2, open Winbox as described in Section 7.1.1. Use the following default username and password to connect to the configured Mikrotik and click connect.
Username: admin
Password: <leave it blank>
IMPORTANT: YOU SHOULD CHANGE YOUR DEFAULT PASSWORD TO A SECURE PASSWORD TO PREVENT UNAUTHORISED ACCESS. PLEASE REFER TO THE MIKROTIK WIKI TO FIND OUT HOW TO CHANGE THE PASSWORD.
Confirm the Mikrotik has Internet Access.
The router should now have received an IP address on Ethernet Port 1 from the DHCP server on your network.
You can Ping “google.com” to confirm the internet is working as below:
- Click “Tools”.
- Click “Ping”, and the Ping tool window will appear.
- Type “google.com” in the “Ping To” field.
- Click “Start”.
Confirm Install Script is running.
Once the Mikrotik router has an internet connection, you can confirm the script is running as below:
- Click “System”.
- Click “Scripts”, and the Script list window will appear.
- Click the “Environment” tab.
- Check the Status; it should be in the “READY” stage.
Checking the Serial number
You will need the serial number of the new Mikrotik router to add it to Cloud Deck. Once the Mikrotik Router has been fully configured, as described in Section 7.2, open Winbox as described in Section 7.1.1.
Navigate to the system Routerboard as below:
- Click “System” in the Winbox window.
- Click “Routerboard” in the menu list, and a pop-up window will appear.
- Check the Serial Number and copy it to the clipboard.
Accessing Mikrotik remotely once it’s onsite
By default, Encapto will not allow remote access to any Mikrotik routers provisioned using this guide. You can only log in to the Mikrotik router by connecting your PC directly to the Mikrotik as previously described.
Once you install the Mikrotik router on site, you cannot access it remotely for troubleshooting.
If you need remote access to Mikrotik, please copy the below command and paste it into a new terminal window in Winbox (access as described in Section 7.2).
Replace the example IP address (127.0.0.1) with the WAN (Public) IP of your office (or other location from where you will be accessing your remote Mikrotik). You can run this numerous times with the new IPs if you have multiple WAN IPs.
{
/ip firewall address-list add address=127.0.0.1 list=EN-TRUSTED
}
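The following is an added example, not part of the Encapto guide: a Python helper that builds the EN-TRUSTED command above for a list of office addresses. It refuses entries that cannot be a single public WAN IP, including the 127.0.0.1 placeholder left unreplaced. The function names, the blocked-range list, the single-host default and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import ipaddress

# Ranges that can never be "the WAN (Public) IP of your office".
NON_PUBLIC = [
    (ipaddress.ip_network(cidr), reason)
    for cidr, reason in [
        ("0.0.0.0/8", "unspecified"),
        ("10.0.0.0/8", "RFC 1918 private"),
        ("100.64.0.0/10", "carrier-grade NAT"),
        ("127.0.0.0/8", "loopback (placeholder not replaced)"),
        ("169.254.0.0/16", "link-local"),
        ("172.16.0.0/12", "RFC 1918 private"),
        ("192.168.0.0/16", "RFC 1918 private"),
        ("224.0.0.0/4", "multicast"),
        ("240.0.0.0/4", "reserved"),
    ]
]


def check(value, min_prefix=32):
    """Return (network, None) if the entry is acceptable, else (None, reason)."""
    try:
        net = ipaddress.ip_network(value.strip(), strict=True)
    except ValueError:
        return None, "not a valid IP address or prefix"
    if net.version != 4:
        return None, "not IPv4 (the command targets /ip firewall)"
    if net.prefixlen < min_prefix:
        return None, f"broader than /{min_prefix}"
    for blocked, reason in NON_PUBLIC:
        if net.overlaps(blocked):
            return None, reason
    return net, None


def trusted_commands(candidates, min_prefix=32):
    """Build one address-list command per accepted, de-duplicated entry."""
    commands, rejected, seen = [], [], set()
    for value in candidates:
        net, reason = check(value, min_prefix)
        if reason:
            rejected.append((value, reason))
            continue
        if net in seen:
            continue
        seen.add(net)
        address = str(net.network_address) if net.prefixlen == 32 else str(net)
        commands.append(
            f"/ip firewall address-list add address={address} list=EN-TRUSTED"
        )
    return commands, rejected


# Constructed sample input; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE = ["203.0.113.10", "127.0.0.1", "192.168.88.1", "203.0.113.10",
          "0.0.0.0/0", "198.51.100.7 "]

if __name__ == "__main__":
    commands, rejected = trusted_commands(SAMPLE)
    print("\n".join(commands))
    for value, reason in rejected:
        print(f"rejected {value!r}: {reason}")
```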