Common MikroTik WiFi mistakes and how to avoid them

Captions
Right, right. Good morning everybody, and thank you very much for improving the 60 gig wireless kit, improving the range. We had a customer contact us about a week or so ago and he was saying, "I put a pair of Wireless Wire dishes up and I'm now worried about them working or not at 900 metres." These are the dishes that are already quoted at 1.5 kilometres, and he's worried about 900 metres, and now we're looking at about 4 km, so that's cool, he doesn't need to worry, which is what I told him.

So who am I? I started off being trained in the 1970s dealing with very, very high powered radios for the Merchant Navy at a training college down in Kent at a village called Greenhithe. It's now gone, but it was a big training college down there, and I learned everything about electronics and RF and did my HND down there and was ready to go to sea, except this was the late 1970s, there was a massive worldwide oil crisis going on at the time and I couldn't get a ship for love nor money. Nobody wanted me, and they basically said, "Well, there's a queue of about 100 officers; once we've worked through the other 99 that are in front of you then you can have a ship and you can get on board and you can start your career in the Navy." That never happened. I actually ended up working for the UK government for the majority of my lifetime, where I played with a large amount of devices on RF, and very, very small devices on RF, building them, because we worked in a department where we couldn't buy off-the-shelf commercially available equipment. Everything had to be constructed in-house, so it's designing, building printed circuit boards, building the equipment, making them as small as possible so that we could hide them and then hopefully at some later date retrieve them again, if we could find where we'd hidden them. The other reason for building it all in-house was it meant that nobody knew what we were doing, because if you go to a manufacturer and say "we'd like to have 100 of device X", they now know: "Ah, I see, oh, that's interesting, wonder why they want one of those." So no, we don't tell anybody anything, we built them all in-house. It was a cool job, and I ended up doing about 30 years working with RF from DC to light, which is why I tend to specialise in wireless. But then they made me redundant because central government needed to downsize, and it meant that I ended up, if I can start back again, I ended up going into private industry as a consultant, IT support, networking support, and needed to do a wireless hotspot somewhere with a captive portal. Did some googling, found MikroTik, and it's been a journey that's now lasted since around 2000, so I've been doing this nearly 20 years now, doing the networking side of the business. In the last few years of my life in government I worked in Ofcom, or as it was before then the Radiocommunications Agency, troubleshooting other people's interference problems, licensing, doing enforcement work, shutting pirate radio stations down, liaison with the local police, raiding flats, raiding all kinds of things. Great, exciting job, but then, as I say, I got made redundant and don't do that anymore. But basically my entire life has been dealing with RF, and now mostly with MikroTik. I became a consultant in 2008, became a trainer in 2009 and then joined LinITX, and we are now the UK's largest MikroTik master distributor and a value-added distributor. We've got about seven employees with various numbers of MikroTik certifications, which I have trained in-house, why not, it's free, so we've got quite a few consultants that are in the company as well. MikroTik lists the distributors on their website in order of sale volume, so we're at number one. But we're not just a master distributor, we're actually also a training centre. We have a dedicated training room, and there may be some of you in there, yeah, I think I'm in there, I know all of you, all of you. We've got two certified trainers in-house; we do train in other manufacturers' equipment as well, but mostly MikroTik. We're not just a box shifter, we do training as well as distributing a product. We're also a founding member of the week-long MikroTik training boot camp at MikroTik's own in-house RouterOS training centre, a dedicated building renovated and constructed to be designed as a training centre for MikroTik themselves, for their own staff, for in-house training, but they hire it out to muggins like me. I keep going over to Riga; I love the place, it's a fantastic city, it's really cheap to get there if you go with the likes of Ryanair or easyJet, it's very, very low cost to get there. The hotel is a four-star hotel just round the corner from the training centre. You can see there the amount of cost that you're looking at for a week's training, because you're going to be doing a hundred percent training, there's no fun involved, OK, hard work. You're gonna say to your managers and your bosses, "I'm gonna knuckle down and do your training courses in Riga," but it actually works out roughly the same cost as going to the other end of the country and staying in a hotel at the other end of the UK, and the railway, anyone who's bought a railway ticket in the last couple of years knows exactly how expensive it is to go somewhere by rail. So for the same sort of price you can actually enjoy, I'm sorry, not enjoy, I mean work really hard at the MikroTik training centre in Riga, Latvia. We do two a year, one in the summer, one in the winter. Yes, it does get cold in the winter, wrap up warm, but it's still fun, lots of snow. This is the last photograph that we did of our summer one earlier this year; we had a lot of fun, I mean we all work very, very hard. But we're not just a box shifter, we don't just do training; we're hoping to hear the news that we will have the first UK Academy for MikroTik. You may hear some more about what the Academy is all about from MikroTik themselves later on today, but the idea is this is a technical university over at Norwich, and we're very, very proud to be involved in helping them to train their students in MikroTik RouterOS up to MTCNA level. So this is teenagers now being able to go out into the world and actually have some real good core networking skills and understand about routing, firewalling, security, and that's gonna give them a good step up in their future careers.

So we get a lot of phone calls from our customers saying, "This doesn't work, why? I think it's a bug, I think I found a feature, it's undocumented, it doesn't work, what is wrong with it, do I need to email MikroTik?" And we have a look at it and it's just because of mistakes and assumptions that they have made as to the reasons for why it doesn't work, because it's not actually MikroTik's fault, it's a lack of knowledge, it's a lack of understanding on how they've configured it that's caused the problem. So bear with me, we can have a bit of fun, we're gonna explain some of the common mistakes that we are getting all the time on the phones.

So I'm missing a guy, where's he gone? There we go, Dave. For those who went to the Berlin MUM, remember Mike and Dave? He ended up with a hAP ac² and he got it all configured; he'd watched some guy at the MikroTik MUM, from MikroTik, who pointed out the problems with his slow path and fast path configuration errors, and he's now got a really fast router. He's happy with what he's got. However, he then spotted that it's got wireless built into it, and he could do with replacing and renewing the wireless in his office, so let's use it for wireless. He's just recently done his MTCNA so he knows how to configure wireless, he's now got his knowledge, he knows how to do that, he's even ended up with a free t-shirt from us as well. The other cool thing he noticed is it's dual band, so he's got 2.4 and also 5 gigs on board; just in one small plastic box he's actually able to do both bands, which he wasn't able to have before because he was just running 2.4
in the office previously. It was just a really, really old 802.11b/g, maybe he had some Netgear or something, or D-Links or something, and it's about time they got put in the skip and upgraded with this new AC thing, or as it's now called, Wi-Fi 5. But the thing is, he doesn't really know how far this hAP ac² is going to go, how many of these things he's going to need in his office. So he does some googling; he can't find anything on MikroTik's website that says what the range of an access point actually is. That's funny, because when he goes on to other manufacturers' websites he finds it straight away. So he's found a manufacturer that says you can get 600 feet out of an access point, 183 metres range from one single tiny little plastic box. Fantastic! In which case I only need the one, which is brilliant, I love this MikroTik stuff. Wait till he sees the four kilometre range on that 60 gig stuff.

So it's in the data cabinet. Well, that's cool, that's fine, because you notice it's in the data cabinet and it's right in the middle of his office, so his circle, his radius of coverage, is perfect, so he doesn't even need to move it; it's fine where it is in the rack in the data cabinet, the steel data cabinet in the canteen, and you see what's coming next: just above the microwave. Oh, you've done it yourself, you've seen it, ominous. OK, we've seen it and we've heard about it a lot: every time they're having their lunch break, dinner break, coffee break, the wireless stops working. Why? Well, I wonder why. OK, but he's so excited, so excited about how quick it was to get it enabled, 'cause he's just logged in, enabled the 2.4, enabled the 5, put an SSID on, put a security profile in with a password on it, and he's up and running. Two minutes, amazing, two minutes, he's now got working Wi-Fi in the office. He tweeted, he was so excited he tweeted, can't hold this man back. Then he walks around the office using his phone, doesn't matter whether it's an iPhone or an Android, but he walks around the office with his phone and thinks, that's a bit funny, not quite getting the sort of signal strength I was hoping for, and it doesn't change very much as I walk around, and at the extremities of the office it's really, really weak and sometimes even drops out completely. That's not good, because the competitor said you could do 183 metres, 600 foot. These things are rubbish, what's the matter with these rubbish things from MikroTik? He doesn't understand. So he phones Dave, and Dave points out a few of the mistakes that he's made.

So what did he do? Well, one of the things he did was he believed the sales and marketing material, because that assumes a perfect world, doesn't it? It assumes you're on an airfield, on a runway, with the access point on a six foot pole, and then you go off and drive away from it as far as you can until eventually the Wi-Fi drops out, and that was 600 feet. You've seen the adverts from BT with the helicopter revving, yeah, 600 feet it was, yeah, right. So there's a slight difference between when you talk to a technical engineer and sales and marketing, OK. The other thing, of course, he put it into a Faraday cage. The steel cabinet may have had a glass door in the front, but certainly on all the other sides it's metal, so that was shielding it from going off into all those directions. And not only that, he put it on top of the microwave: nearly a kilowatt of 2.4 gigs within about two feet of it. The other thing is the 5 gig radio is also going to be very, very significantly shielded, so even though it's not going to get interference from the microwave oven, it's certainly gonna get shielded by the metalwork in the cabinet. The other thing that he made an assumption about was the amount of signal strength you receive on your phone indicator. It's just garbage, you may as well just ignore it; it is not gonna give you an accurate description of the real, genuine performance of a wireless network. It is not all about signal strength at all. The other thing is, since antenna-gate, the infamous little problem that they had with the antennas on the iPhones, they slowed the response time down so that when you put your hands on to short out the antennas on the iPhone it still gave you five bars, and so members of the public who are unknowledgeable about this thought, oh, they fixed it. If you held your hands shorting out the antenna for a good ten minutes or so then you'd see a donk donk dun dun dropout, but most people had got bored by then and wouldn't look at it anymore. So don't use your phone, don't use a tablet for telling you how strong or good the Wi-Fi is; it's meaningless, completely meaningless. The other problem is the newest update from Google with Pie: they have now crippled the Wi-Fi scanning speed. They've now not permitted Wi-Fi analyser apps to scan at the speed at which they previously did on older versions of Android, so if you download an app onto your Android tablet or onto your Android phone, yes, that will give you a faster update refresh time, unlike Apple does, but unfortunately if you've updated it to Pie it won't anymore; it'll be something like five scans a minute or something, it's really, really slowed it down. Apparently the reasoning is to do with battery saving or something, it's to try and improve the battery time, but it didn't go down very well with developers.

So he goes back to doing some googling and he's found a website that talks about the fact that there is more than one channel on 2.4 and on 5, and there's a very strong possibility that you're sharing the same channel as someone else next door to you. That must be it, I'm on the wrong channel. There are 13 channels, he's read, in Europe on 2.4, and there's about 19 of them, depends on exactly which country you're in in Europe, on 5 gigs. "I'm going to put the access point onto every single channel and I'm going to test with my phone again." You can feel the swirling hole he's drowning himself in. The trouble is, when he goes into the MikroTik scan list, he thinks, well, that's funny, I haven't got 13 channels on 2.4, I've only got 7, that's weird, must be a bug, can't be me, it must be a bug. So he chooses each of the seven channels in turn, walks around the site, does some speed testing, and it doesn't make any difference, it's still rubbish. "Wish I'd never bought MikroTik now." He's starting to think. Unless he's actually standing right outside the data cabinet, and then it's not so bad; he's actually starting to get some reasonable speeds if he's within a few metres of it.

And here's his config: it's the standard out-of-the-box default MikroTik configuration, and you want to spot the mistake on 2.4: 40 MHz, see? But we'll talk about that in a second. And then the 5 gig one, again a very, very basic setup indeed. What bandwidth is it using on 5 gigs? 80, in an office environment, see? So what's he gone and done wrong? Well, he's basically trusted that MikroTik can read your mind. He's trusted in the fact that MikroTik's default configuration works in every single situation, in every single setup, everywhere in the world, except it doesn't, does it? So therefore don't use the default config; you're going to have to do each one by hand for your particular setup. The one thing that it defaults to is the United States FCC channels; it assumes that when you buy a MikroTik you're going to use it and deploy it in the United States. If you use the default configuration of 40 megahertz then there are only seven 40 MHz channels. I'm not saying that they're any good, but you can select from seven different 40 meg channels, and that's the reason why you can only find seven in the drop-down list of what frequencies to choose from. The other thing is that it contains all of the channels that are available for you to select from, even if they're stupid, because they're going to end up overlapping with each other. If you're not already aware, there may well be 7, 13, 19 or however many channels there may be in the scan list, but they'll all be five megahertz apart. The Wi-Fi standard is that the channel bandwidth is in increments of 20, not 5, and so therefore the scan list being in five megahertz increments means they are not individually able to be used; you can only use every fourth, because then they're going to be 20 megahertz apart and won't overlap. The other thing that he has not realised as well is that he has not reduced the transmitter power. It is running to the American standard; they're allowed something like about 2 watts on 2.4 gigs. You'll never get a client to talk back to the AP at those kind of powers, but it means that the MikroTik out of the box with the factory default settings will run at full power. That actually causes some of the higher MCS data rates to start to get distorted and not to perform as well as if you were to reduce the transmitter power; even if you drop the wireless card settings by about 2 dB, things subtly improve dramatically. And it's not just MikroTik that does that; there's loads of different vendors who have the same, I wouldn't call it an issue, but lack of understanding that you don't run it at full power. The other thing is, out of the box it's running B. We don't like B anymore. Except they make honey, but we don't like B, 802.11b. If you are really saying that in your office someone's going to walk into the premises with a device that only, and only, supports 802.11b, be afraid, be very afraid, OK? We don't need to support it. If you're running a warehouse and you've got barcode scanners from the 1980s and they are B-only chipsets, then fine, OK, in which case you need to deploy access points supporting B, but if you're trying to support office workers with iPhones, tablets, laptops, no, no, no, no, no, not running B, not on 2.4. So that's what happens when you make assumptions; you assume that the default configuration is fine for you. It won't be.

So on 2.4 gigs, when you change it to 20 megahertz channel spacing, not 40, it will now open up the full set of channels; you won't just get 7, but you can't choose them all, you can only have 1, 6 or 11, because those are the only ones that don't overlap, because they are 4 sets of 5 megahertz apart, 1, 6 and 11. The other thing he needs to do is he needs to go into Advanced Mode, because it's hidden until you press Advanced Mode. Once you click on Advanced Mode you will then see that you can change the country that you're in; you can set it to a regulatory domain setting and input whichever country you're physically in, the United Kingdom, France, Holland, or rather actually Netherlands, because Holland is part of the Netherlands, Holland is not the Netherlands. The other thing is the antenna gain; it doesn't get inserted by default. So if you've bought a hAP ac, I think all you guys have got hAP ac lites, when you set it to regulatory domain and country being, say, United Kingdom, it doesn't magically know what type of antenna is fitted; RouterOS doesn't know it, it's not going to extract the information from some hardware device on the board. You need to manually put it in, and if you look it up on MikroTik's website it will tell you the antenna gain. The Wi-Fi card has usually got around 2 dBi antenna gain, so type that in and that will then ensure that you're compliant, and it will stop Ofcom banging on your door, because they do, and they have, they've got sharp teeth. And let's remove 802.11b. So those were his mistakes: he didn't set it to the right country, he didn't get rid of the 40 MHz, he didn't put the antenna gain in, he didn't remove 802.11b.

So he's done some more googling. He may have bought them from us, but he didn't bother phoning us, he was too embarrassed. So he's done some more googling and he actually found that just one single access point is going to end up being blocked by the walls of the office, and that explains why the signal's so rubbish, right? The walls are blocking it. In which case he decides, having read a blog about how to deploy access points successfully,
it said you need one access point for every single room in the building, preferably mounted in the middle. Very nice for us: he puts in an order for a dozen access points and deploys them, one in every single room. He then tries to put each one of those onto non-overlapping channels and finds, of course, that when you go round the building with just 1, 6, 11, 1, 6, 11 going around the rooms, you're still going to have some of them see each other. But he doesn't realise that really fully, because he's thinking all the walls will shield it, it'll be fine. Funny thing is though, because he forgot to do the 40 to 20 meg setting change, he's now gone from seven channels to nine. He's learning very slowly, isn't he? The other thing that he's noticed is that he's now finally got a tablet that does 5 gigs as well as 2.4, and he walks around and he finds that when he sits underneath an AP he doesn't even see it at all. He logs into the RouterOS settings and it's definitely operating, but there's nobody registered to it, there's nothing in the registration table, and the mobile device will not connect to it when he's in the room with the AP set to that 5 gigahertz channel, which has been set to either one he's put in manually or set to automatic. It won't connect; it's weird, we've got black holes of coverage. We'll soon find out he's made an assumption.

So what is the problem with running with 40 megs on 2.4? For a start off, there aren't that many clients that will support it out of the box; you have to go out of your way to force it quite often. And the other clever trick with running 40 megahertz on 2.4 gigs is that the standard, the 802.11n standard that gave us 40 megahertz channel spacing and channel bonding on 2.4 gigs, the standard says that there is this scanning capability built into the Wi-Fi device that says if you see anybody out there that is using a 20 megahertz channel, back off, drop down to 20 megs so as not to cause them interference. So you may have an access point which is running 40 megahertz, but if it sees a client walk into the building on the same channel, it doesn't need to be connected, it just needs to see its beacons or its probes, just needs to see transmissions coming from that device, and if it sees that the settings on that device is a 20 megahertz only channel that it's transmitting with, the 40 megs drops down to 20 automatically. It's called an intolerant bit, or 40 megahertz intolerant bit. So what's the point? Because if any access point in the building hears anyone using 20 megs it's gonna drop and fall back to 20 anyway.

So we've got the black holes problem still. What's he gonna do about his black holes? Who's he gonna call? Hopefully us, eventually, 'cause it's gonna save him an enormous amount of time. But he talks to Dave, Mike gets advice from Dave, and he says all your problems are solved if you put in the country, put in regulatory domain, put in that you don't want B, so you just select G, then only put in the antenna gain, put in just the three frequencies that are available on 2.4. You may as well enable WMM quality of service support, and turn off that vulnerability with WPS as well while you're at it. Very, very similar setup on 5 gigs as well: antenna gain of two, just leave the frequency on automatic, there's loads of channels on 5 gigs, just let it select any one that it wants. Now, this is the reason why we have a black hole, this is the reason why we have lack of coverage on 5 gigs: it's because of that setting there. Not every client has been certified to operate on all of the 5 gigahertz radio channels. There are a large number of Google devices, or, you know, Android devices, that do not support what is called in the UK band B. They support band A and band C because they're the American Wi-Fi channels, but they don't support the radar DFS channels on band B, and if they don't support them they won't listen for them, they won't connect to them, they won't see them. And that's why when he walked into a room with his mobile device and that AP had been set to automatic, it had decided that there was a nice, clear, unused, vacant channel on, say, 5600, which is a DFS channel, and he walked in there with a device that can't even see it. Black hole. So if you are going to use Wi-Fi on DFS radio channels, because there's loads of them available and it's not a bad idea to do that, it's fine for indoor Wi-Fi, however bear in mind that if you've got people walking into your premises with devices, what they call bring your own device, and you have no control over them as to what they're going to bring into your property, like hotels, cafes, whatever, make sure that the 5 gigahertz channels in the building have sufficient coverage on the first four channels as well to overlap the DFS channels. It sounds wasteful, but if you don't, you're going to have clients drop off your network because they walk into a black hole, whereas if in that location you have enough crossover from another AP, perhaps in the room next door, that is on, say, 5180, which is one of the first four channels on 5 gigs, they'll stay connected to the AP next door. It will never even see the AP in this room, say, but at least you've still got connectivity because you've thought ahead that you need to provide coverage for those devices that don't support the DFS channels.

Dave gives up at this point and says you need to speak to a consultant, so he talks to us; apparently I know one or two things about Wi-Fi, and I basically tell him he's got a hell of a lot of spare access points that he can put on the shelf. Now, we do not have a very high failure rate with MikroTik devices; I think we find that they're one of the lowest in the industry. The actual quantity of RMAs that we get due to dead-on-arrival products, products that have actually been plugged in and failed to function because of an electronics fault, is near zero. We do however find a very high failure rate due to configuration errors; we find that when we reset the device and put just a simple config on them they work absolutely fine, so it's a configuration issue. So I sit him down and basically say, you've got a lot of access points you can now put on the shelf, and they'll be spares for you for one day in the future whenever you need to replace any, because you don't need them all, you've got too many. Only use channels 1, 6 and 11, only use 20 MHz, and the other trick I told him is reduce the transmitter power on 2.4 gigs by at least 7 dB. Why is this magical number? Well, 7 is a lucky number, so if you remember that 7 is a lucky number as an aide-mémoire, oh look, I can talk French, that 7 dB is the approximate difference in loss of a Wi-Fi signal on 2.4 versus 5. So 5 gigs will have 7 dB more loss over X number of metres compared to 2.4, so 2.4 will always be better than 5. The danger of 2.4 being transmitted with the same power as 5 is that it means the client will receive a 2.4 signal from the same AP, with the same antenna type, from the same distance away, and he will receive 2.4 stronger than 5. I can hear alarm bells ringing, and it's not the fire alarm this time, right, not yet. So 2.4 gigs is going to come through the majority of the time stronger than 5 gigs, so what's your client device going to do? It's going to go, oh, I'll have that, I'll connect to the 2.4. No, what we actually want to do is we want to push the clients on to 5, because there's less interference and there's going to be a better, higher throughput as a result, so we actually need to discourage the client from connecting to 2.4 by dropping the power on 2.4, to in turn then make the client, if you chose exactly 7, see it at roughly the same level, so you need to be a little bit more than that if you want to really, really discourage a client from connecting to 2.4. The other thing is, yeah, sort of saying on 2.4 turn 802.11b off, we don't need that anymore.

So why has 5 gigs got 40 or 80 megahertz? Well, by default MikroTik puts it on 80 for use in the home. If you're going to use a MikroTik router in the home, 5 gig Wi-Fi at 80 megahertz, fine, I won't have any complaints about that. However, if you've got 80 megahertz you are going to have 4 times the channels operating compared to 20 megahertz; in a 20, 40, 80 you've now got much more spectrum being consumed. If you do that in the enterprise, office and business sector, you're going to run out of radio channels very, very fast; you're going to come back to what it's like on 2.4 where you've only got 3 channels. So you started off with 19, and if you deploy your office network with 80 megahertz you're only gonna have about 3 or 4 channels available that you can deploy in the building. Also if you are using 80 megahertz you're gonna pick up more interference, you're gonna pick up more noise, you're opening the door wider, you're gonna get more stuff coming in, and that means more collisions, that means more dropping of the data rate, slowing down to make the link still connect, because Wi-Fi is designed to go as slow as possible to make it work. It goes as slow as possible to make it work; it will only go faster if conditions are really great, and in an office enterprise environment 80 megs will never be great, so don't do it. So you could possibly get away with 40, I'll let you get away with 40 sometimes, but that is still causing throughput issues. You can even find you'll get more throughput by reducing the bandwidth because of the problems of noise and interference. You think, oh, if I double the bandwidth from 20 to 40 to 80 I'm gonna get higher and higher and higher data rates, I'm gonna get higher and higher throughput; in actual fact the opposite can happen, you can actually end up with slower and slower throughput. Make sure you provide coverage from Ofcom band A, or UNII-1, channels so as to overlap those areas where you're using the UNII-2 or UNII-3 space.

The other problem is, if you're going to be using the DFS channels, what's going to happen when an access point picks up a radar pulse? It goes off the air, which now means you've lost the AP in that room. We have a black hole, but this time the black hole is not because of the client not seeing the AP, it's because the AP has gone off the air because it believes it's picked up a radar transmission and has dropped itself off the spectrum. So that's another reason why you need to make sure you provide coverage from some of the other access points nearby on the first four channels in UNII-1, or Ofcom band A. The other problem is, Ofcom, with a fanfare, and I'm not knocking Ofcom in any way at all, in fact as an ex-employee I have a contract which still exists which says I'm not allowed to, but Ofcom announced with a big fanfare that they'd expanded the amount of frequencies available for Wi-Fi up into the 5.7, 5.8 gigahertz, what was called band C, block of spectrum. Fantastic, great, so now you've got even more channels to choose from to build your office enterprise Wi-Fi system. However, I haven't found any clients that reliably support it, so I know you have to build it and we wait for them to come, but if you end up deploying APs on these new frequencies on the 5.7, 5.8 gig part of the band, you're not going to get many people connecting to those APs. So feel free to build it and wait for them to come, but you may be waiting a long time. Or, if you are going to deploy stuff in band C, make sure you've got some other APs nearby on band A to cover them for when no one connects to them.

So I've told him to turn off all of the other APs. He's only got a limited number of APs running on 2.4; I've told him to turn the 2.4 gigs off completely on half of them. I'm using channels 1, 6 and 11, which is 2412, 2437 and 2462, 20 megahertz channels, and forget the one in the canteen, completely pointless, just let that one be a router and leave it as a router and don't have any Wi-Fi on it at all. 5 gigs, yes, OK, you can have it in every single room if you want, but you can keep the power down now because you don't need to cover more than one room; you can turn the 5 gig power down so that the devices roam a little bit better and don't end up becoming sticky clients. Go to this expression of sticky client: a client stays connected to an access point, and it is up to the client to decide when to roam. There is very little that you can do to make a client roam. You can kick them off the access point, but they could very, very easily reconnect back from whence you've just kicked them. It is down to the client, and it's up to the client to decide where it will connect to. So one of the other vendors, for example, do what they call a soft kick, which is that when you have said you want to enforce a limited number of clients to be connected to a particular AP, to do a bit of load balancing on it, they'll kick the client once, but if the client comes back they let it reconnect. So even though you may have set a hard limit that says 10 clients maximum, you may find you've got 12 or 13 clients allowed. So how to stop a client from being sticky is very, very difficult, but the one thing you can do, because it's down to the client's software to decide when to go, when to scan, when to move to somewhere else, is reduce the signal strength on every AP. Still make sure that every AP has enough RF signal strength in each area to do the coverage in that room or in that location, but when the client moves away from the AP the signal drops off very quickly. So you use the room, the walls, the building to your advantage; use the attenuating properties of the building to enforce your rules of when they need to drop off the AP. So when they walk out of the room and go out the door and go around the corner and go into another room somewhere else, you're hoping that the signal that they are currently connected to weakens very quickly, forcing the client to rescan and find a brand new AP to connect to which is strong enough for it to work with. And one of the ways you can do that is also by lowering, sorry, not by lowering, by raising the basic rate by
default the basic rate is 6 megabits per second on say 5 gigs and 6 megabits if you lift it to 12 megabits or even 24 what happens is that the client will get kicked much sooner or will kick itself off your network much sooner do this carefully test it if you're going to be running more than two access points I would recommend it to the guy that what he should do is just run caps man because by using caps man you then have one single system one single setup and if you make a change in that one single location on caps man it will propagate to all of the access points on the network and within seconds you've got the whole lot all configured the same significantly reduces the amount of time it takes you to configure the network it's very very simple to set up caps man even if I did design a one day training course for it the other thing to bear in mind is if you are deploying caps man is that you can press the button on a cap to put it into caps mode so that it will auto join your caps man really easily but you haven't actually done anything about the security of the wireless access point if you don't want people to gain access to the wireless access points you need to put some security on it don't you because otherwise someone could log into it with same Mac telnet or Mac wind box and it's hacker day time so don't do it don't forget to go back once you've got it configured put security on it so I'm going to very very quickly go through this download the slides they'll be available off the mikrotik youtube video channel it'll be underneath the video or have a link to my PDF and in which case you can read through this at leisure but very very quickly this is the config that I recommended to him so that's a typical channel configuration so I've reduced the power you notice there's about a 10 DB difference between the two and 5 gig radio channels 20 Meg's I have disabled the extension channel because there's an interesting feature on CAPS man that if you select that the 
channel width is 20 megahertz what you're saying is is that each individual Channel to be bonded is 20 megahertz now let's have a look to see how many channels are bonded none so if you just set that to a width of 20 you'll get 40 because you haven't configured in caps man what kind of bonding you want to perform and in this case I don't want any okay but if you leave it at blank or default it will end up doing 40 mix or even 80 if you're unlucky create a data rate profile which does not have B in it so I've removed all the B data rates so an example 42.4 which only supports the G and n data rates we don't need to provide any support for WPA tkip or any of the other older encryption types we only need to support wpa2 AES so there's no need to do WPA and wpa2 just do two with AES disable this latest pmk ID caching feature this hackable parameter of Wi-Fi that allows you to get your foot in the door or you can disable that which is just recent new vulnerability that's been published turn that off the other thing is is that group key update it doesn't have a value by default it is the group key there are two encryption keys for every connection so when your laptop your phone whatever it is connected with wpa2 encryption there are actually two encryption keys configured you may only put the one password in in this case today mikrotik but actually on initial connection for the first time with the access point negotiates two unique encryption keys with you you get an encryption key for your data for your user data for you going on to the web getting your emails but then there is another encryption key which is used for broadcast and multicast traffic because that is an encryption key that's needed to be for shared by everybody because if it's a broadcast packet that is not sent to each individual client device it's a broadcast packet and so the AP transmits that broadcast packet with a commonly known shared everyone has the same one encryption key we need to change that 
frequently because that's another vulnerability that someone could monitor those broadcast packets transmitted with that single key that never changes so let's change it a bit more often so I set it to one hour hopefully there won't be many broadcast packets there won't be too many for you to be at a store but even if you stored one hours worth there should not be enough to be able to decode what the key is we set up say a data path setting put it onto a bridge on the caps man controller that brings all of the connections back to the caps man router through its own tunnel but bear in mind that the users traffic itself is not encrypted in that tunnel it's a layer 2 tunneling back to Capps man so if your caps man is in the in the cloud if your catchment controller is a public IP address then bear in mind that all of your customers Wi-Fi traffic is all going over the Internet unencrypted put it up a tunnel or something we set up the country for the configuration we refer to the data path I've I've configured before we choose the data rates that I've defined which only does the G and n data rates really simple similar thing for five gigs as two point four very similar config because we don't need to disable the B rates on five gigs we have a provisioning rule which means that if the radio supports G mode I know that's got to be a radio interface that is 2.4 so therefore apply the 2.4 gig configuration profile if it supports a C then it's got to be a new 5 gig card so in which case apply the 5 gig profile so you can have to provisioning rules one beneath each other and you'll then be able to provision automatically your caps interfaces in Katzman so all the 2.4 s will have no B modes and all of the five gift cards will all have the full rates and then all you then have to do is enable caps man manager server mode switch that on and tell it to listen to one of the interfaces of where all your caps come back to you are running on a cap span based system here today we had 
a slight problem first thing in the morning first of all there was a problem with the hotel internet connection that we got given an IP address by the hotel Rooter but we couldn't get any internet activity out through their Rooter that took a while to fix that and then I made the biggest mistake that I must be in I need 10 years I have been training students consistently do not upgrade to the latest beta it's my own fault so you guys are all now running on the latest beta after I've now fixed a feature of upgrading to the latest beta which went a bit unnoticed that because it accidentally switched a few of the bridge ports around which meant that I'm running to SS IDs and some of the access points had accidentally messed up which SSID was connected to which of the two internal networks so but in here the 2.4 should be lower power than 5 and I'm still going to go around and fix some of the frequencies to remove them away from the hotel system so it will improve when I get back to my desk but at the moment it's all on automatic with the frequency selection so there may well be poor Wi-Fi coverage in some areas but give me about an hour and I'll have it all sorted miss I did a site survey last night to check what Wi-Fi was in use already so I know where the holes are I know where I can plant the channels that I want to put on the other thing that you can never beat is having good back all you can design the Wi-Fi as well as you like but if you don't have a high enough backhaul speed connection into your Wi-Fi network it will be the pits so if you find that the Wi-Fi works today come up to the Lin I TX stand at next door and congratulate me make me feel good if on the other hand it does not work very well make me feel bad and tell me about it I've got thick skin we've got a TV set up there with the dude and that is then showing the actual caps Man Network and the wireless native that we've got in here today so thank you very much [Applause] so you just to reduce the 
power of access point in its room and just to get just to give enough coverage for the devices there how do have you define enough coverage or good coverage in terms of signal like - 75 DBM or youdo throughput test okay this is a piece of string it's elasticated and now I'm asking you how long is it it varies okay it depends it depends on what type of service you're actually trying to provide to the end customer are you just trying to provide background Internet general surfing I don't care it's just garbage I don't I'm not bothered then the levels for that will be significantly lower that their signal strength can go to before they can drop off the network but if you're trying to provide a voice network and you've got cordless VoIP phones please don't do that okay if you ever get a customer tell you they want to put VoIP on to your Wi-Fi network try and dissuade them to go over to DECT instead okay nine times out of ten decks will be far superior for voice over IP phones over a wireless network which is on dedicated spectrum using fast roaming protocols and it works really really well it's a really old system now but it's a fantastic protocol that works really effectively well so use decks but the levels would depend upon the clients requirements next 70 isn't a bad signal level to go for for the client and to say anything but anything that's below next 70 that our client is connecting to anything less than that needs to be considered to be beyond the range of the AP and therefore that client wherever they're standing there needs to be some provision for them with another AP in their vicinity if you can go down to sort of negate a or negate you v you know if you want to do in the home and you don't care about your kids laptop in the bedroom having a really rubbish Wi-Fi signal so it's a bit depending whether you're in a hospital educational office home what signal levels you go for doesn't really fully answer your question but I think you get the idea that it's 
about Nick's seventy five ish in that area because it depends on the client the one problem that we have is the client device is the weakest link in our system you can design the most wonderful Y site Wi-Fi system in the world and the mistake that you can make is walking around to do a survey afterwards with your laptop are they going to use your laptop no they're going to use their laptop which their IT department may have purchased which may not have the right drivers they may be broken configuration on the mobile devices there may be really old software might be very very sticky and and refused to disconnect from an AP even though they've gone long long way down the corridor and should really be connecting somewhere else you have no control over the mobile devices you don't really have much control over the signal levels either it's only in a very very tightly controlled environment life or deploying Wi-Fi into a hospital where you are now going to say not only will we be supplying the APS but we're going to be talking to you and using your devices to do the survey with and we've now proven with your devices that the Wi-Fi works really well with your devices you can then walk off the site happy but the minute someone brings a new device in of a new model new type a new software version your config is could easy be broken again no other Wi-Fi could not be functioning as well again you'll learn to hate Wi-Fi as much as I do anyone with another question which case I'll go back to my table and fix the Wi-Fi thank you really thank you thank you thank you your honor [Applause]
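The CAPsMAN configuration the talk walks through (20 MHz channels with bonding disabled, no 802.11b rates, raised basic rate, WPA2-AES only, PMKID off, hourly group key rotation, a bridge datapath, and two provisioning rules keyed on G and AC support), written out as an added example in RouterOS v6 syntax. This is not the speaker's slide config or MikroTik's own; the SSID, passphrase placeholder, country, bridge name, tx-power values and name prefixes are assumptions.

```routeros
# Added example (not from the talk's slides). Assumed: SSID, passphrase, country,
# bridge name "bridge", tx-power figures. Adjust to your own site survey.

# Channels: 20 MHz with the extension channel disabled, otherwise CAPsMAN may still
# bond to 40/80 MHz. 2.4 GHz limited to 1/6/11 and ~10 dB below the 5 GHz radio.
/caps-man channel
add name=ch-2ghz band=2ghz-g/n frequency=2412,2437,2462 control-channel-width=20mhz \
    extension-channel=disabled tx-power=10
add name=ch-5ghz band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=disabled \
    tx-power=20

# Rates: no B rates at all; basic rate lifted from 6 to 12 Mbps so weak/sticky clients
# drop sooner. Test before going higher (the talk suggests 24 Mbps as the upper end).
/caps-man rates
add name=rates-gn basic=12Mbps supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps

# Security: WPA2-PSK + AES only (no WPA, no TKIP), PMKID disabled, GTK rotated hourly.
/caps-man security
add name=sec-wpa2 authentication-types=wpa2-psk encryption=aes-ccm \
    group-encryption=aes-ccm group-key-update=1h disable-pmkid=yes \
    passphrase="CHANGE-ME-placeholder"

# Datapath: client traffic tunnelled back to the controller's bridge. The CAPsMAN
# tunnel is not encrypted, so a controller reached across the Internet needs a VPN.
/caps-man datapath
add name=dp-bridge bridge=bridge local-forwarding=no

# One configuration per band; 5 GHz keeps its full default rate set.
/caps-man configuration
add name=cfg-2ghz ssid="example-wifi" country="united kingdom" channel=ch-2ghz \
    rates=rates-gn security=sec-wpa2 datapath=dp-bridge
add name=cfg-5ghz ssid="example-wifi" country="united kingdom" channel=ch-5ghz \
    security=sec-wpa2 datapath=dp-bridge

# Provisioning: a radio reporting G support is 2.4 GHz, one reporting AC is 5 GHz.
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=g master-configuration=cfg-2ghz \
    name-format=prefix-identity name-prefix=2g
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=cfg-5ghz \
    name-format=prefix-identity name-prefix=5g

# Switch the manager on and tell it which interface the CAPs reach it through.
/caps-man manager
set enabled=yes
/caps-man manager interface
add interface=bridge disabled=no

# On each CAP (not the controller): close the MAC Telnet / MAC WinBox door the talk
# warns about once the CAP has joined, then set proper users and passwords.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
```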
Info
Channel: MikroTik
Views: 74,394
Rating: 4.9348269 out of 5
Keywords: mikrotik, routerboard, routeros, latvia
Id: JRbAqie1_AM
Length: 58min 29sec (3509 seconds)
Published: Thu Oct 11 2018