Teardown: Mikrotik hAP ac & hAP mini Routerboards

After my house move earlier this year, I was in a bit of a networking dilemma. As every self-confessed nerd knows – internet access is critical. I recently upgraded to a TP-Link Archer C7 AC1750 access point at the other house because the pair of WD MyNet N750 APs were driving us nuts with random bouts of suddenly denying all wireless association requests which could only be solved with a reboot. While I didn’t have a chance to blog about that, I had to leave the Archer C7 behind when moving away.

As a result, I moved out with only a TP-Link TL-WR740N and my Apotop DW21 travel router. Both were 2.4Ghz 802.11n units which meant slower-than-optimal speeds and interference issues. After getting a taste of 802.11ac “goodness”, there was no turning back.

At the new place, the ADSL2+ connectivity is estimated to be only about 3Mbit/s down and 0.5Mbit/s up. This was so slow that it’s not even worth signing up for a line, especially when NBN HFC (eugh) is coming mid-next-year. As a result, my network hinged upon a Xiaomi Redmi Note 4X providing LTE connectivity using whoever is the cheapest carrier that month (i.e. introductory offers) through Wi-Fi tethering.

Because of the limited number of tether clients supported, I enlisted the Apotop DW21 to act as a NAT client to the tethering so as to allow for all of my Ethernet cabled devices and more wireless users to access the LTE connectivity “masquerading” as one user to the phone (i.e. the DW21 itself). Because the DW21 had a pretty crappy Wi-Fi radio, I set up the TL-WR740N as an AP on the cabled side with its superior signal strength and sensitivity.

This was a sad situation. Even operating non-overlapping channels between the DW21/Note 4X and TL-WR740N combination, I couldn’t access the internet faster than about 8Mbit/s, often just 5Mbit/s owing to a combination of 2.4Ghz interference and DW21-specific issues under heavy load. VoIP was practically impossible, as high packet rates (e.g. 100pps on VoIP with 20ms packetisation) caused the DW21 to drop packets like mad. Something had to be done.

That’s when I did a little research, initially looking for something that might be well supported under DD-WRT or OpenWRT. After looking for a while, I found that consumer grade routers seemed expensive but no model was a sure-fire bet to be compatible with aftermarket firmware due to the constant revisions. Without access to such aftermarket firmware, it’s hard to be sure that such offerings would be the future-proof, flexible and versatile router that I needed it to be.

I then looked towards more serious brands – starting with Ubiquiti, which started to get confusing with all of this “Unifi Cloud” business, needing a Cloud Key for certain equipment, having their own AirMAX-only long-range devices. For the most part, everything seemed to be geared towards commercial use. I didn’t want or need any cloud connections or licensing issues … that’s when I discovered Mikrotik – a Latvian company – and never looked back. Their hAP offerings seemed to be just what I needed – relatively inexpensive, highly featureful, sharing many commonalities with Linux iptables amongst other things but also having more convenient configuration features.

Rather than be a complete review, this article will focus mainly on unboxing and teardown images. Frankly, the Mikrotik stuff is so configurable that it’s nearly impossible to review everything, but at least the RouterOS documentation online has been decent enough for most things.

hAP ac

When I was looking online four months ago, the hAP ac was the unit of choice – offering three streams on both 2.4Ghz and 5Ghz bands, five Gigabit Ethernet ports + a Gigabit SFP port (important to keep the radios fed), passive PoE in and out support and barrel-jack power and USB support for LTE modems/storage. I managed to obtain it for about AU$160 including shipping from Latvia with a few discount codes stacked on top, which wasn’t bad given the list price for the TP-Link Archer C7 was already AU$140. The only downsides I could see was its limited single-core CPU and the all-integrated nature of the antennas which was probably not optimal for RF performance. On the upside, the unit boasts a healthy transmit power of up to 29dBm with very good sensitivity performance down to -100dBm which should help make up for it somewhat.

A brown cardboard box, a little more compact than expected, was how it arrived.

The box didn’t really say much, but it seems to make it sound like a simple affair to get up and running. To be fair, it’s pretty simple to get up and running … but to harness its full power takes some work.

A look inside makes the unit seem small for what it is and makes me question why the Archer C7 I had was so big. Everything is efficiently packed, which is nice.

As far as the case goes, it’s a white matte finish plastic with four clear rubber feet and some wall mount cut-outs. The case is held together by clips – no screws! LED indicators are visible on the top, and there is plentiful ventilation grilles, which is nice.

The front has a barrel jack for DC power, the SFP port and five Gigabit Ethernet ports. While the printing does say “internet”, in truth, you can reconfigure it to whatever you’d like. The rear has a plastic label covering it – this is because …

… the rear of the case has cut-outs for other things to be mounted including external antennas. The quick-start pamphlet lets us know that one stream of each band can be connected to an external antenna if necessary but the antennas are not provided. Because of the similarity between RouterBoard products, it seems like the one case may be used for a number of designs.

The sides feature even more ventilation slots, along with USB and the reset button. The reset button is covered by a plastic lever, which looks quite “cheap”, but I suppose this doesn’t really matter as long as it works :).

It comes with a 24V 1.2A power supply, of the EU plug type. Unfortunately, I dislike the round pins as many adapters don’t accommodate it and those that do never really make a “secure” contact. Still, that should be more than ample power, even if you have another Mikrotik device downstream on the PoE out.

Removing the bottom, the first thing we are greeted with is a large aluminum plate covering a good portion of the rear of the PCB. That’s actually not a bad idea – probably for heatsinking, but also maybe as a ground plane.

The hAP ac seems to have a reputation for being “hot”, and that’s probably not too surprising looking at the density of the board. The solution is based on Qualcomm Atheros chipsets, which I very much like, with a number of chips covered by heatsinks to try and keep them cool. I didn’t remove the heatsinks since this was going to be my core router and I didn’t want to hurt it. There’s also a decent amount of shielding cans on the raedio front-ends as well, suggesting that some thought has been put into the design. To optimise the RF, it seems the onboard antennas are segmented by band – no more “dual band antenna” compromises. This should bode well for the 5Ghz coverage especially, as some of the consumer products boast <2.1dBi on their antennas at 5Ghz which means that a proper length wire would work better. There are the connectors for the third stream, glued to provide additional support during transit.

The third stream is mounted on the top of the lid, to provide additional separation so as to provide some orthogonality to the signals. Given the small size of the unit, external antennas might work even better, but in keeping with the looks, it’s actually not a bad compromise.

In regular use, I have absolutely no complaints. It easily blankets this house with quick dual-band coverage. Even using a single-stream 802.11ac device with the 5Ghz in “compatibility” mode (i.e. not ac-only), I can be out in the street and still have 90Mbit/s throughput. For a unit with no external antennas, that was rather impressive. Compared to the Apotop DW21, I had no signal by the time I reached the door, whereas with the TL-WR740N, I could be in the street but I’d have only 4Mbit/s on 2.4Ghz.

The unit is also mostly stable. I’ve gone over 60 days now without a reboot – the only time I reboot usually is after a software update, but occasionally because the mobile phone goes nuts about USB tethering and decides to connect/disconnect over and over. If you use a mobile phone for tethering (data only), consider setting call-forward-all to prevent data session interruptions by spam calling.

hAP mini

It’s not always a good idea to jump into something new headfirst with a large(ish) investment, so for those who just want a taste of Mikrotik RouterOS, the hAP mini makes a good starting point. I managed to get a few units at about AU$30 a piece and while they only have three Ethernet ports at 100Mbit/s and dual-stream 2.4Ghz 802.11n, they’re extremely compact and run from USB power making them great as emergency travel networking devices.

The unit comes in an unusually small cube-shaped box. Nothing flashy, which is good.

No big hassles – flip open the front and you’re in. For $30, you can’t expect too much.

Indeed, all you get is the unit, a power adapter and the quick start guide. No Ethernet cable, which is a little sad, but it’s still more than I was expecting given the price. The RouterOS L4 license for a regular desktop or upgrade (US$45) for a device costs more than than the whole unit does. In fact, it’s about as cheap as most mini travel routers do – I did consider picking up a TP-Link TL-WR802N as well but this unit does everything and more including interface combinations (i.e. like a “universal range extender” being a client, NAT router and an AP using the one radio on the one channel).

For the price, the unit is surprisingly sleek and elegant with a glossy black and orange colour scheme. It’s shaped a little like a shark fin …

The front side has a vent, whereas the rear has the three Fast Ethernet ports and microUSB-B for power input. There are small holes for the Power and User LEDs and some for ventilation

The underside even has small rubber feet to keep it steady on a desk. A mode button and a reset button is provided – this can change modes which might be helpful if you can’t connect to the unit, whereas the reset can reset to factory configuration, boot from backup or netboot to restore firmware.

The whole design is screwless, so you only need to press in the side tabs and the whole board slides out. There’s not much to see, as a single Qualcomm Atheros chipset handles everything, along with the Winbond RAM and Flash memory. The antennas are printed on the board and are at right angles to optimise orthogonality. Unlike my TL-WR740N, this is a dual-stream solution, but because of the integrated antenna and slightly lower specifications on the inbuilt chipset radio, its range didn’t seem to be as good. It wasn’t as bad as the DW21 though.

Nothing is on the underside, making it a rather neat board.

As for the power supply, being USB powered, you could probably just substitute a regular locally obtained supply. I don’t like the EU plug, but as I don’t really need to have the supply in working order, I decided to give it a squeeze.

Pop … and the unit opens up.

Like many modern devices, the mains isn’t even soldered onto the board – instead it’s wedged in-between a “loop” contact.

The board looks simple and rather anonymous – a paper-type single sided PCB with very few components on the top. The output has a solid electrolytic capacitor, a decent choice.

The primary side capacitors are Aishi, which are decent in my experience with lighting products. There is an inductor for filtering.

One surprise is the MOV on the input, which suggests the unit has a limited degree of surge protection inbuilt. That’s a nice feature, although the 560V rating is a little high – I wonder if the unit can survive such a transient as most mains surge protectors tend to use 470V MOVs.

The underside has a few diodes, resistors, bridge rectifiers and an anonymous 8-leg IC with one missing leg, one unconnected and two bridged together. Hmm. It looks like a feedback-less design with pure primary side regulation. The PCB is dated Week 28 of 2017.

RouterOS

I won’t go into the main details of RouterOS, but will provide just a few screenshots from the hAP mini. Basically, RouterOS is the operating system that RouterBoards run on, based on a hardened Linux kernel with added Mikrotik “magic”. The unit can be administered through a web interface, as well as through their API, WinBox utilities, SSH or Telnet.

By default, it comes without any passwords set and you’re left at the Quick Set page. This is mainly for those who just want to get something going, but is highly limiting and isn’t something I recommend using as some people have experienced odd configuration clashes.

Instead, it’s much better to go over to the WebFig which provides access to all of the features. By default, the main page shows you the interfaces – all of the various categories are along the left side, with each category having sub-categories by tabs along the top. Accessing the unit via WinBox application provides a slightly more streamlined appearance, not limited by a web browser, but the configuration possibilities are laid out in much the same fashion.

Just with a few of the side categories expanded, you can get an idea of just how many things can be set. As RouterOS is practically unified across their devices, there are configuration options which do not apply to your particular hardware, so don’t think that your device suddenly has LTE/USB/60Ghz capability just because there’s a tab for it.

Access via Telnet or SSH is possible with a CLI that’s very powerful and easy to get along with. There’s no access to Linux – the terminal is simple – /tool for example changes into the tool category where you can type a command. If you ever need help, ? will provide a listing of valid commands. Use a proper terminal and you get colour coding to help you out. From here, you can even back-up your configuration by using export or export compact, and pasting the resulting text back into a fresh unit will apply the configuration (which is basically a list of CLI commands). For example, this is an excerpt from a fresh hAP mini that just underwent a firmware upgrade (MAC censored):

/interface bridge
add admin-mac=CC:2D:E0:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-XXXXXX wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface=ether3

Conclusion

Mikrotik is my new favourite brand of networking equipment. Price-wise, the hAP series is cheap like most commodity consumer-grade equipment, but the functionality and flexibility is unrivalled. Software updates are frequent and performance is good enough for my needs. Best of all, there no need to worry about whether you can “hack” a commercial off-the-shelf unit to unlock features as basically all features that you’d normally need are available. It’s really down to your time, skills and imagination to configure the network in a way that you desire. In some ways, the hAP series can serve as an introduction to the Mikrotik ecosystem so that you can build your own RouterBoard with the radios you need in case the regular units don’t address your needs.

On the downside, the RouterOS software isn’t exactly the most user friendly. It can easily be overwhelming to novices, especially those who don’t like command line interfaces. That being said, once you get used to it, it’s actually extremely powerful even if some of the options are not as logically placed as you might expect. That being said, some options available on other units aren’t available in RouterOS – things like beacon interval or DTIM interval, which I found rather surprising given the otherwise featureful software. Licensing isn’t a big issue either, as the hAP hardware comes with a license already up to level 4 – features in the higher levels are not likely to be necessary for most home users.

That being said, I’ve managed to use the hAP series to do a number of interesting things – now that I’ve tethered my LTE phone over USB, the (tested) throughput reaches up to 42Mbit/s and that’s likely due to a phone/carrier limitation. I’ve also managed to set up a number of “slave” Wi-Fi interfaces (three on 2.4Ghz and three on 5Ghz), with some of them being bridged to specific ports on the router, allowing for multiple physically partitioned networks to share the Wi-Fi radios. While this does share the air-channel bandwidth, it’s easier than having three dual-band APs for my own experimentation. I’ve also got it accessible with multiple addresses on these separate partitioned networks, serving a SOCKS4 proxy so I could access the router’s WAN through these networks as well. I’ve played with onboard data rate graphing and recording, rate limiting through queues (which works exceptionally well) and that’s only scratching the surface as there is support for VLANs, link bonding, EoIP/IP tunnels, SMB serving and much more.

Another hAP mini was set up to emulate a number of Wi-Fi networks so I could demo my own IoT devices when away from the home – broadcasting SSID and encryption matching my home network while also broadcasting another set for joining devices which are developed for others where I have to share the credentials. Being USB powered means I can easily just plug it into a laptop or powerbank for a demo – very useful when working with Wi-Fi based devices (e.g. ESP8266).

Finally, just last week, I managed to configure an hAP mini to take over a specialised firewalling task which I employed a Raspberry Pi over 4 years ago to do. The Pi was still working, but a more elegant solution was demanded – basically it had to operate like a bridge on layer 2, but filtered on layer 3 by source IP. Because of “external” factors, it was not allowed to operate at layer 3 (e.g. masquerade) or proxy ARP for the devices behind and it could not “appear” with its own MAC/IP in any way on the interface. After a little messing about, I was able to get the hAP mini to do just that on the Ethernet side, being configured over Wi-Fi. For security, once we were happy with the configuration, we disabled the Wi-Fi interface leaving the unit no longer accessible via any port and without any address or access via MAC Winbox. The only way out was a full reset.

As a result, I’d have to say that the Mikrotik stuff has saved my bacon quite a few times – the hAP mini is great just to have around as a spare emergency device but also as a travel router. If you’re considering the hAP ac, the downside is the cost and weak single-core CPU which does limit throughput somewhat. Triple-stream 802.11ac devices are also somewhat rare, SFP interface isn’t that useful (unless you buy an adapter). So, unless you need that or PoE output, I’d say that the hAP ac² is the one to get – it’s much beefier for CPU while offering two streams on each band at two-thirds the price. A fair deal, I’d say. Just make sure you take the time to configure it properly and keep it up to date!

About lui_gough

I'm a bit of a nut for electronics, computing, photography, radio, satellite and other technical hobbies. Click for more about me!
This entry was posted in Computing, Telecommunications and tagged , , , . Bookmark the permalink.

5 Responses to Teardown: Mikrotik hAP ac & hAP mini Routerboards

  1. Kerry says:

    Thanks for an interesting article, tho I can’t claim to be more than a duffer when it comes to networking. I had an unpleasant surprise awhile back with a Netgear security issue and found they are annoyingly casual about fixing security holes. So I got a Pepwave Surf SOHO MK3 and am so far pleased with it. WRT seemed to demand too much of a learning curve & was not very stable, to boot.

  2. Jefff D says:

    Similar good experience with MikroTik’s CRS106-1C-5S, which shares the same form factor as the Hap AC – but five SFP ports and one combo ethernet/SFP port (no WiFi). It’s worked perfectly for a project where we needed something to connect multiple buildings via fiber. It’s inexpensive for such a capable little device, but the flexibility, including switching, routing, filtering, monitoring, etc., surprised me. It does run hot, but that doesn’t seem to have affected it. The UI would be overwhelming to someone used to a home router, but if you’ve had even a small bit of experience with business-focused equipment, you’ll be comfortable here. I almost feel bad that we only need it as a layer 2 switch!

    • lui_gough says:

      If it’s cheaper, meets the brief and does the job … it’s a winner. Always good to hear a happy story – the heat seems to be a common thing due to the size of the unit and the power dissipation of the chips inside, but as long as you’re not putting it in a tree behind a set of solar panels with no ventilation in a weatherproof box, it seems to run stable. It’s winter here, so ambient temperature now is about 16C, my hAP ac with all ports occupied passing moderate traffic and both radios working decently hard is at 42C (dT of +26C) so that’s not bad. In summer, it might be about 15C higher, but even that’s not too bad. Half the time, we don’t actually know how hot consumer grade routers are – I suspect it’s quite similar.

      I’ve managed to employ another hAP mini to just split a VLAN trunk into port-based VLANs for some consumer-grade gear that doesn’t understand VLAN tagging. Internet port connects to the VLAN trunk from my hAP ac (going through a number of switches), the hAP mini’s port 2 and 3 are untagged interfaces for the “dumb” gear. That way, I can “share” the one 30m cable that runs through the house – the headaches saved from not needing to run more cables is worth it on its own. The hAP mini might only be 100Mbit/s but that’s plenty for what I need for these experimental VLANs… cheaper than the cheapest smart-switch on the market and no need for any of the smarts or even Wi-Fi radio. The semi-smart TP-Link TL-SG105E switches which can do VLAN tagging/untagging at a reasonable price might become a part of the network in the future.

      Might actually write up something about my VLAN-at-home operating experience, mixing in lots of non-VLAN aware gear, but in all I count it as another success.

      – Gough

  3. Jason says:

    Hi Gough, Duxtel in Geelong have been selling Mikrotik approved for Australia and with Aussie plugpacks for years! https://shop.duxtel.com.au I don’t work there, just buy a lot of Mikrotik from them.

    • lui_gough says:

      Hi Jason,

      Indeed, I am aware they are the local distributor, although given my thrifty nature and their limited range and stock levels at times, I buy mine from the likes of EuroDK (https://www.eurodk.com/) / UBNTSHOP (https://www.ebay.com/str/UBNTSHOP/) which tend to offer even better prices even shipping half-way around the world. The best thing was prior to the GST change, when we could beat GST and stack eBay 10% off coupon codes – the difference was getting my hAP ac for AU$160 posted, compared to Duxtel’s AU$203.62 using the lowest cost postage – a 21% saving. The power adapter is a bit of an annoyance being of the EU type, but as Mikrotik only make two versions of a product (i.e. US or International), the units are still very much identical and should be compliant for Australia. If I recall correctly, I did see at least one of my boxes have an Australian RCM on the packaging.

      – Gough

Error: Comment is Missing!