MikroTik Wireless Access List

We are still on the same LAB scenario.

We can see that R2 is shown on the wireless registration table of R1:

On R1, you can put a station in an access list. An access list is a place where you define rules for a specific station. For example, you can say that a particular station gets disconnected if its signal level is below a level that you define. Or you can give it a password different from the one that you have configured in the global wireless setting. Or you can say that this station can get connected on a specific day/time.

Let’s add R2 to the access list and see what we can do there:


Now R2 is in the access list of R1.

We have the default authenticate enabled on the wireless setting. Let’s go to the access list and disable it on the entry of R2 and see if R2 can still go to the internet:

So now default authenticate is enabled on the R1 global wireless setting but disabled on the entry of R2 inside the access list. So, do you think R2 will be able to go to the internet or not? Let’s try:

Unfortunately, R2 cannot go to the internet. This means that the access list has a higher priority than the global wireless setting that is set on the WLAN1 interface. Got it?

You can also set a specific password for that station. By default, the password that we set was 123456789, but you can go inside the access list and put another password on the R2 entry. R2 then has to use the password that you have set in the access list entry, and not the one in the global wireless setting, to get connected to the wireless.

While the Authenticate is unchecked on the access entry of R2, I have decided to create a new entry in the access list saying that any MAC address station can be authenticated, then I want to see if R2 can go to the internet in this case:

So now I have these 2 rules inside the access list on R1:

The 1st rule says that R2 cannot be authenticated, and the 2nd rule says that every station can be authenticated (including R2).

Do you think that R2 will be able to go to the internet after we have added the 2nd rule? Let’s try:

Still R2 is not able to go to the internet. But why? We have a rule saying that all station MAC addresses are allowed to be authenticated.

Well, the answer is that the access list works in sequence. It checks the 1st rule, and if that rule matches, it doesn’t go on to the 2nd rule. So, when R2 is trying to get authenticated, R1 checks the 1st access list rule, sees that it matches the MAC address of R2, and doesn’t allow it to get authenticated. It never reaches the 2nd rule. Got the idea?
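The first-match behaviour described above can be modelled in a few lines. This is an added example, not part of the original lab and not MikroTik code: it is a simplified model that matches on MAC address only (interface, signal range and time are ignored), the MAC addresses are constructed placeholders, and the names `Entry`, `evaluate` and `shadowed` are made up for the illustration. It also shows what happens if the two rules are entered in the opposite order.

```python
# Simplified model of first-match evaluation in a wireless access list.
# Assumption: only the MAC address is matched; interface, signal range
# and time restrictions are left out of this model.
from dataclasses import dataclass

ANY_MAC = "00:00:00:00:00:00"  # RouterOS value meaning "match every station"

@dataclass
class Entry:
    mac: str
    authentication: bool
    comment: str = ""

    def matches(self, mac: str) -> bool:
        return self.mac == ANY_MAC or self.mac.lower() == mac.lower()

def evaluate(entries, mac, default_authenticate):
    """Return (allowed, index of the deciding entry, or None for the interface default)."""
    for i, entry in enumerate(entries):
        if entry.matches(mac):
            return entry.authentication, i  # first match wins, later entries are not read
    return default_authenticate, None       # no entry matched: global setting applies

def shadowed(entries):
    """Indexes of entries that can never decide because an earlier entry matches first."""
    dead = []
    for i, entry in enumerate(entries):
        for earlier in entries[:i]:
            if earlier.mac == ANY_MAC or earlier.mac.lower() == entry.mac.lower():
                dead.append(i)
                break
    return dead

# Constructed sample data: placeholder MACs, not the addresses used in the lab.
R2 = "AA:BB:CC:00:00:02"
OTHER = "AA:BB:CC:00:00:99"
lab_order = [Entry(R2, False, "R2 blocked"), Entry(ANY_MAC, True, "any station")]
reversed_order = list(reversed(lab_order))

if __name__ == "__main__":
    for name, acl in (("lab order", lab_order), ("reversed", reversed_order)):
        print(name, "| R2:", evaluate(acl, R2, True),
              "| other:", evaluate(acl, OTHER, True),
              "| shadowed entries:", shadowed(acl))
```

With the catch-all entry first, the R2 entry is reported as shadowed and R2 is authenticated, so a specific deny entry has to sit above any broader allow entry.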

The last 2 things that I want to show you in the access list are the bandwidth limitation and the time.

Let’s speak 1st about the bandwidth limitation.

From the access list, you can say that this station is only allowed a specific bandwidth speed, so you can limit it. I will enable the authentication on the entry of R2 in the access list, and then I will run a bandwidth test on R2 to see how much bandwidth speed it can do:

I can see that R2 can do around 50 Mbps on upload and 50 Mbps on download on the wireless link.

I want to limit that to 10 Mbps on upload and 10 Mbps on download. To do that, I need to go to R1 to the access list entry of R2 and add the limitation there. Let me show you:

Now it is set to 10 Mbps full duplex.

Let’s redo the test on R2 and see if it is limited to 10 Mbps on both upload and download:

Indeed, the limitation has worked perfectly.

One more setting that you can do on the access list is the time. You can define on which day/time a particular station can be connected.

Let me show you this:

Here I have set that R2 can get connected during working days from 8:00 to 17:00. Outside those hours, R2 will not be connected to R1 wireless.

This is all I wanted to show about the access list.

There is still 1 thing that I want to explain in the global wireless setting, which is the default forwarding that you see here:

By default, the default forward is checked and enabled. Its function is to allow any machine connected to the wireless network to communicate with another machine which is on the same wireless network.

If you do not want the users who are connected to the wireless network to see each other on that network, you can simply uncheck the default authenticate.


