As a security-minded individual I wanted to make sure my wireless network is as secure as the devices on it allow. The most important piece is of course the router. In my case, some time ago I replaced my Archer MR200 proudly running OpenWRT with the hAP ac3 LTE6 kit router, running Mikrotik 6 at the time. It was my first Mikrotik router and it had some learning curve for me. I was mostly running basic settings. It was providing quite a punch over the MR200 due to the increase in RAM and CPU resources, and also the 5GHz wireless network worked much better, as on the MR200 it was present but problematic - I usually kept it turned off and only worked on 2.4GHz. That 5GHz network was actually one of the main reasons to upgrade, as the 2.4GHz space in my area was becoming too crowded.
However, the hAP ac3 was only capable of connecting to a 4G/LTE network, and since it got discontinued in the meantime and my area got new 5G coverage, I upgraded once more to the Mikrotik Chateau 5G ax. It was a little bit pricey, but hey, it might be a bit future-proof now. Instantly, my downlink/uplink rose from around 20/20Mbps to 250/250Mbps, and that is on a SIM card. No metallic cable, no fiber, no external antenna. Pretty impressive if you ask me.
Intricacies of 802.11ax and WPA3 compatibility
The upgrade from 802.11ac a.k.a. Wi-Fi 5 to 802.11ax a.k.a. Wi-Fi 6 was also a nice thing, but it came with its own drawbacks I was not aware of at first. With my old setup using the hAP ac3, the device produced one 5GHz network in 802.11a/n/ac mode and one 2.4GHz network in 802.11b/g/n mode. Also, WPA3 probably got there only in the upgrade to RouterOS 7.1, and thus I had configured WPA2 on both networks, not even being aware that I could have used WPA3 for some time already. This way, with older Wi-Fi modes and purely on WPA2 security, every single device I own worked with it. I of course named both networks with the same SSID and same password, so usually the device just connected to the one it could work with. No problem here.
The problems started with the switch to 2.4GHz 802.11ax mode alongside WPA3 or WPA2/WPA3 Transition mode. Both ax and WPA3 appear to be problematic for some of my devices, which is very sad, as 802.11ax should be backwards compatible on both the 2.4GHz and 5GHz bands. For instance, the Original Prusa MK3.5 is broken on WPA2/WPA3 and won't connect, with no fix in sight. For the Kindle Paperwhite 2024, which is the 12th generation (6th iteration), I cannot even find the exact spec, but it is a fairly new product and it is causing problems. It can connect to both 2.4GHz and 5GHz 802.11ax, but I have not found any way to make it work with WPA3 so far, even though I am finding notes around the internet that it should support WPA3, maybe since firmware 5.15.1, and I am currently on 5.17.1.
Even worse, the Brother DCP-L2530DW printer does not support 5GHz at all, nor does it support WPA3. Transition mode does not appear to be working either. Since it has no Ethernet port, falling back on Wi-Fi is essential, not to mention how easy it is to print or scan directly from or into the phone (as opposed to a USB connection). The ReMarkable 2 is the same story. No 5GHz network and no WPA3 either.
802.11g with WPA2 to the rescue!
The only two devices that I possess that appear to work with WPA2/WPA3 Transition mode are the MacBook M3 Pro and the Motorola Moto Edge G30 Pro Android phone. And from what I have understood so far, this mode is not a proper solution and I would like to avoid it.
If I set radio 0, which is the 5GHz radio on the Chateau, to WPA3 security and no predefined channel band, it defaults to 802.11ax. My phone and laptop can connect without problems, securely and at full speed. No need to enable WPA2 transition mode here at all. But what about the rest of the devices that need an occasional connection, like printers and ebook readers?
What I found to work perfectly for me is to set up radio 1, which is 2.4GHz, to pure WPA2 and 802.11g. The reason is that setting it to ax cuts most of the devices out, and I even had problems with 802.11n for some devices, which is strange since the spec sheets for all of them say it is supported. But anyway, 802.11g is the lowest common denominator, with speed not being an important factor for these other devices anyway. This setup works without any problem, apart from the fact that Wi-Fi in the garden will be very slow, if usable at all. A problem for a future Peter.
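The two-radio split described above, written out as RouterOS 7 commands for the "wifi" package. This is an added example, not the post's own configuration: the interface names wifi1/wifi2/wifi5g, the SSIDs and the passphrases are assumptions (only wifi24 appears later in the post), and the property names are those of the RouterOS 7 wifi driver.

```routeros
# Added example, not the post's configuration. Assumed: radios are wifi1 (5 GHz)
# and wifi2 (2.4 GHz) before renaming; SSIDs and passphrases are placeholders.

# radio 0: 5 GHz, WPA3-only. channel.band is left unset on purpose, so the
# driver picks 802.11ax for clients that can do it (the post's phone and laptop).
/interface/wifi/set wifi1 \
    configuration.mode=ap .ssid="home-5g" \
    security.authentication-types=wpa3-psk .passphrase="CHANGE-ME-5GHZ" \
    name=wifi5g

# radio 1: 2.4 GHz, WPA2-only, pinned to 802.11g as the lowest common
# denominator for the printer, the e-readers and the 3D printer.
/interface/wifi/set wifi2 \
    configuration.mode=ap .ssid="home-24" \
    security.authentication-types=wpa2-psk .passphrase="CHANGE-ME-24GHZ" \
    channel.band=2ghz-g \
    name=wifi24

# checks: confirm what each radio actually ended up with,
# and which clients are currently registered on which radio
/interface/wifi/print detail where name=wifi5g
/interface/wifi/print detail where name=wifi24
/interface/wifi/registration-table/print
```

The point of keeping `security.authentication-types` to a single value on each radio is that neither network ever advertises transition mode: the 5 GHz side only ever negotiates WPA3-PSK, and the 2.4 GHz side is knowingly WPA2-only, which is what the MAC access list later in the post is there to compensate for.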
What about the overall security?
Now why run WPA3 on 5GHz if an attacker could just join the 2.4GHz network, which is running WPA2 anyway, one might ask? Great question! Note that I have already set up static leases on all of these other devices. Apart from the Kindle, the rest of the pack (both printers and the ReMarkable 2) benefit from a static IP in one way or another. I had envisioned two options to increase overall security:
- Add MAC filtering whitelist keeping DHCP active
- Disable DHCP for 2.4GHz network and rely on static leases
Both options would prevent unauthorized devices from connecting to the 802.11g network running WPA2, which is less secure than WPA3. There was a third consideration though:
- Add a MAC filtering whitelist and turn off DHCP too
I had to learn more about this option, and here are my findings about DHCP alongside MAC filtering, also called ACL or Access Control List:
Keeping DHCP active with MAC filtering
Advantages:
- I can see attempted connections in the DHCP logs, which helps identify devices trying to connect
- Easier to add new devices - I can see them appear in the lease list and convert to static lease in one click
- If I accidentally forget to whitelist a MAC address, I can still see the device attempting to connect in DHCP logs
Disadvantages:
- Unauthorized devices can still attempt DHCP requests (though they won't get network access due to MAC filtering)
- Very slight additional load on the router (negligible in practice)
- Potential for DHCP-based attacks (though MAC filtering will prevent unauthorized access)
Disabling DHCP while using MAC filtering
Advantages:
- Slightly more secure as unauthorized devices won't even get an IP assignment attempt
- Cleaner logs without failed DHCP attempts
Disadvantages:
- Harder to troubleshoot connection issues since I won't see DHCP attempts
- More manual work when adding new devices since I can't convert from DHCP lease
- Need to manually configure static IP for each new device
I decided to keep DHCP running, as the disadvantages of disabling it outweighed its advantages by a lot.
How to ACL on RouterOS7
Now that I knew what I wanted to do, I needed to find a way to do it. The problem is that in most of the sources I could find, there were references to commands like authentication and forwarding. But I could not find these anywhere. Not in the WebFig UI, not in the command line terminal.
What happened is that this setup got revamped in newer versions of RouterOS and now the access list works differently. One needs to add accept rules first and then add a global reject at the bottom of the list:
Just for the sake of completeness, here is how to poke around it in the Terminal:
/interface wifi access-list print
Results in this table:
 ;;; prusa-mk35
 0   all     08:F9:E0:**:**:**  accept  2025-02-04 12:27:38  2
 ;;; reMarkable2
 1   all     B8:2D:28:**:**:**  accept  2025-02-04 18:46:18  2
 ;;; brother-DCP-L2530DW
 2   all     A8:93:4A:**:**:**  accept                       1
 ;;; kindle-paperwhite-2024
 3   all     20:BE:B8:**:**:**  accept  2025-02-04 19:01:04  3
 ;;; android-moto-edge-G30
 4   all     BC:1D:89:**:**:**  accept  2025-02-04 11:58:22  2
 ;;; macbook-pro-M3
 5   all     80:A9:97:**:**:**  accept                       1
 ;;; reject-other
 6   wifi24                     reject                       43
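The commands that build a list like the one printed above, plus the DHCP-side checks the "keep DHCP active" decision earlier in the post relies on. This is an added example, not the post's own commands: the MAC addresses are placeholders built from the masked prefixes shown above, wifi24 is the 2.4 GHz interface name from the post, and the rule ordering follows the post's rule of accept entries first and one reject at the bottom.

```routeros
# Added example, not the post's commands. MAC addresses are placeholders;
# wifi24 is the WPA2/802.11g interface named in the post.

# 1) accept rules first, one per known device. Leaving interface= unset shows
#    as "all" in print, so the same entry also matches if the device ever
#    shows up on the 5 GHz radio.
/interface/wifi/access-list/add mac-address=08:F9:E0:00:00:01 action=accept comment="prusa-mk35"
/interface/wifi/access-list/add mac-address=B8:2D:28:00:00:02 action=accept comment="reMarkable2"
/interface/wifi/access-list/add mac-address=A8:93:4A:00:00:03 action=accept comment="brother-DCP-L2530DW"
/interface/wifi/access-list/add mac-address=20:BE:B8:00:00:04 action=accept comment="kindle-paperwhite-2024"

# 2) the global reject goes last and is limited to wifi24, so the WPA3-only
#    5 GHz radio keeps its default behaviour. Rules are matched top-down and the
#    first match wins, which is why this entry must stay at the bottom.
/interface/wifi/access-list/add interface=wifi24 action=reject comment="reject-other"

# 3) check the order; the "#" column is what move uses
/interface/wifi/access-list/print

# A device added later lands below the reject, so move it above the reject.
# Here rule 5 (the new accept) is placed before rule 4 (the reject).
/interface/wifi/access-list/add mac-address=BC:1D:89:00:00:05 action=accept comment="android-moto-edge-G30"
/interface/wifi/access-list/move 5 4

# 4) the DHCP side: with DHCP left on, a forgotten device still shows up as a
#    dynamic lease, which can then be converted to a static one in place.
/ip/dhcp-server/lease/print where dynamic=yes
/ip/dhcp-server/lease/make-static [ find mac-address=BC:1D:89:00:00:05 ]

# 5) who is actually associated right now
/interface/wifi/registration-table/print
```

The one thing worth re-checking after every change is step 3: the matches counter on the reject entry (43 in the post's output) only climbs if that rule is still the last one, so a reject that has silently moved above an accept shows up as a known device that can no longer join rather than as an error.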
This setup is, I believe, the best of both worlds with respect to the balance between security, with a fast and modern 5GHz 802.11ax network running WPA3 on one side, and simultaneously an older 2.4GHz 802.11g network running WPA2 with MAC address filtering on the other side.
The only thing I do not like about the setup is that I did not find a way to run the 2.4GHz network in 802.11g/n compatibility mode (omitting 802.11ax on 2.4GHz), as there appears to be only the option to either let the router decide what to use (and it happily decides on 802.11ax for 2.4GHz, somehow not letting my devices in) or to use strictly one of the selected modes (either g, n, or ax and nothing else). I would really prefer 2.4GHz to run at least 802.11n without issues, but so far I have not found how to do it with my current devices. Hopefully it will not be such a problem in the garden, we will see. Enjoy!