After my house move earlier this year, I was in a bit of a networking dilemma. As every self-confessed nerd knows – internet access is critical. I recently upgraded to a TP-Link Archer C7 AC1750 access point at the other house because the pair of WD MyNet N750 APs were driving us nuts with random bouts of suddenly denying all wireless association requests which could only be solved with a reboot. While I didn’t have a chance to blog about that, I had to leave the Archer C7 behind when moving away.
As a result, I moved out with only a TP-Link TL-WR740N and my Apotop DW21 travel router. Both were 2.4Ghz 802.11n units which meant slower-than-optimal speeds and interference issues. After getting a taste of 802.11ac “goodness”, there was no turning back.
At the new place, the ADSL2+ connectivity is estimated to be only about 3Mbit/s down and 0.5Mbit/s up. This was so slow that it’s not even worth signing up for a line, especially when NBN HFC (eugh) is coming mid-next-year. As a result, my network hinged upon a Xiaomi Redmi Note 4X providing LTE connectivity using whoever is the cheapest carrier that month (i.e. introductory offers) through Wi-Fi tethering.
Because of the limited number of tether clients supported, I enlisted the Apotop DW21 to act as a NAT client to the tethering so as to allow for all of my Ethernet cabled devices and more wireless users to access the LTE connectivity “masquerading” as one user to the phone (i.e. the DW21 itself). Because the DW21 had a pretty crappy Wi-Fi radio, I set up the TL-WR740N as an AP on the cabled side with its superior signal strength and sensitivity.
This was a sad situation. Even operating non-overlapping channels between the DW21/Note 4X and TL-WR740N combination, I couldn’t access the internet faster than about 8Mbit/s, often just 5Mbit/s owing to a combination of 2.4Ghz interference and DW21-specific issues under heavy load. VoIP was practically impossible, as high packet rates (e.g. 100pps on VoIP with 20ms packetisation) caused the DW21 to drop packets like mad. Something had to be done.
That’s when I did a little research, initially looking for something that might be well supported under DD-WRT or OpenWRT. After looking for a while, I found that consumer grade routers seemed expensive but no model was a sure-fire bet to be compatible with aftermarket firmware due to the constant revisions. Without access to such aftermarket firmware, it’s hard to be sure that such offerings would be the future-proof, flexible and versatile router that I needed it to be.
I then looked towards more serious brands – starting with Ubiquiti, which started to get confusing with all of this “Unifi Cloud” business, needing a Cloud Key for certain equipment, having their own AirMAX-only long-range devices. For the most part, everything seemed to be geared towards commercial use. I didn’t want or need any cloud connections or licensing issues … that’s when I discovered Mikrotik – a Latvian company – and never looked back. Their hAP offerings seemed to be just what I needed – relatively inexpensive, highly featureful, sharing many commonalities with Linux iptables amongst other things but also having more convenient configuration features.
Rather than be a complete review, this article will focus mainly on unboxing and teardown images. Frankly, the Mikrotik stuff is so configurable that it’s nearly impossible to review everything, but at least the RouterOS documentation online has been decent enough for most things.
When I was looking online four months ago, the hAP ac was the unit of choice – offering three streams on both 2.4Ghz and 5Ghz bands, five Gigabit Ethernet ports + a Gigabit SFP port (important to keep the radios fed), passive PoE in and out support and barrel-jack power and USB support for LTE modems/storage. I managed to obtain it for about AU$160 including shipping from Latvia with a few discount codes stacked on top, which wasn’t bad given the list price for the TP-Link Archer C7 was already AU$140. The only downsides I could see was its limited single-core CPU and the all-integrated nature of the antennas which was probably not optimal for RF performance. On the upside, the unit boasts a healthy transmit power of up to 29dBm with very good sensitivity performance down to -100dBm which should help make up for it somewhat.
A brown cardboard box, a little more compact than expected, was how it arrived.
The box didn’t really say much, but it seems to make it sound like a simple affair to get up and running. To be fair, it’s pretty simple to get up and running … but to harness its full power takes some work.
A look inside makes the unit seem small for what it is and makes me question why the Archer C7 I had was so big. Everything is efficiently packed, which is nice.
As far as the case goes, it’s a white matte finish plastic with four clear rubber feet and some wall mount cut-outs. The case is held together by clips – no screws! LED indicators are visible on the top, and there is plentiful ventilation grilles, which is nice.
The front has a barrel jack for DC power, the SFP port and five Gigabit Ethernet ports. While the printing does say “internet”, in truth, you can reconfigure it to whatever you’d like. The rear has a plastic label covering it – this is because …
… the rear of the case has cut-outs for other things to be mounted including external antennas. The quick-start pamphlet lets us know that one stream of each band can be connected to an external antenna if necessary but the antennas are not provided. Because of the similarity between RouterBoard products, it seems like the one case may be used for a number of designs.
The sides feature even more ventilation slots, along with USB and the reset button. The reset button is covered by a plastic lever, which looks quite “cheap”, but I suppose this doesn’t really matter as long as it works :).
It comes with a 24V 1.2A power supply, of the EU plug type. Unfortunately, I dislike the round pins as many adapters don’t accommodate it and those that do never really make a “secure” contact. Still, that should be more than ample power, even if you have another Mikrotik device downstream on the PoE out.
Removing the bottom, the first thing we are greeted with is a large aluminum plate covering a good portion of the rear of the PCB. That’s actually not a bad idea – probably for heatsinking, but also maybe as a ground plane.
The hAP ac seems to have a reputation for being “hot”, and that’s probably not too surprising looking at the density of the board. The solution is based on Qualcomm Atheros chipsets, which I very much like, with a number of chips covered by heatsinks to try and keep them cool. I didn’t remove the heatsinks since this was going to be my core router and I didn’t want to hurt it. There’s also a decent amount of shielding cans on the raedio front-ends as well, suggesting that some thought has been put into the design. To optimise the RF, it seems the onboard antennas are segmented by band – no more “dual band antenna” compromises. This should bode well for the 5Ghz coverage especially, as some of the consumer products boast <2.1dBi on their antennas at 5Ghz which means that a proper length wire would work better. There are the connectors for the third stream, glued to provide additional support during transit.
The third stream is mounted on the top of the lid, to provide additional separation so as to provide some orthogonality to the signals. Given the small size of the unit, external antennas might work even better, but in keeping with the looks, it’s actually not a bad compromise.
In regular use, I have absolutely no complaints. It easily blankets this house with quick dual-band coverage. Even using a single-stream 802.11ac device with the 5Ghz in “compatibility” mode (i.e. not ac-only), I can be out in the street and still have 90Mbit/s throughput. For a unit with no external antennas, that was rather impressive. Compared to the Apotop DW21, I had no signal by the time I reached the door, whereas with the TL-WR740N, I could be in the street but I’d have only 4Mbit/s on 2.4Ghz.
The unit is also mostly stable. I’ve gone over 60 days now without a reboot – the only time I reboot usually is after a software update, but occasionally because the mobile phone goes nuts about USB tethering and decides to connect/disconnect over and over. If you use a mobile phone for tethering (data only), consider setting call-forward-all to prevent data session interruptions by spam calling.
It’s not always a good idea to jump into something new headfirst with a large(ish) investment, so for those who just want a taste of Mikrotik RouterOS, the hAP mini makes a good starting point. I managed to get a few units at about AU$30 a piece and while they only have three Ethernet ports at 100Mbit/s and dual-stream 2.4Ghz 802.11n, they’re extremely compact and run from USB power making them great as emergency travel networking devices.
The unit comes in an unusually small cube-shaped box. Nothing flashy, which is good.
No big hassles – flip open the front and you’re in. For $30, you can’t expect too much.
Indeed, all you get is the unit, a power adapter and the quick start guide. No Ethernet cable, which is a little sad, but it’s still more than I was expecting given the price. The RouterOS L4 license for a regular desktop or upgrade (US$45) for a device costs more than than the whole unit does. In fact, it’s about as cheap as most mini travel routers do – I did consider picking up a TP-Link TL-WR802N as well but this unit does everything and more including interface combinations (i.e. like a “universal range extender” being a client, NAT router and an AP using the one radio on the one channel).
For the price, the unit is surprisingly sleek and elegant with a glossy black and orange colour scheme. It’s shaped a little like a shark fin …
The front side has a vent, whereas the rear has the three Fast Ethernet ports and microUSB-B for power input. There are small holes for the Power and User LEDs and some for ventilation
The underside even has small rubber feet to keep it steady on a desk. A mode button and a reset button is provided – this can change modes which might be helpful if you can’t connect to the unit, whereas the reset can reset to factory configuration, boot from backup or netboot to restore firmware.
The whole design is screwless, so you only need to press in the side tabs and the whole board slides out. There’s not much to see, as a single Qualcomm Atheros chipset handles everything, along with the Winbond RAM and Flash memory. The antennas are printed on the board and are at right angles to optimise orthogonality. Unlike my TL-WR740N, this is a dual-stream solution, but because of the integrated antenna and slightly lower specifications on the inbuilt chipset radio, its range didn’t seem to be as good. It wasn’t as bad as the DW21 though.
Nothing is on the underside, making it a rather neat board.
As for the power supply, being USB powered, you could probably just substitute a regular locally obtained supply. I don’t like the EU plug, but as I don’t really need to have the supply in working order, I decided to give it a squeeze.
Pop … and the unit opens up.
Like many modern devices, the mains isn’t even soldered onto the board – instead it’s wedged in-between a “loop” contact.
The board looks simple and rather anonymous – a paper-type single sided PCB with very few components on the top. The output has a solid electrolytic capacitor, a decent choice.
The primary side capacitors are Aishi, which are decent in my experience with lighting products. There is an inductor for filtering.
One surprise is the MOV on the input, which suggests the unit has a limited degree of surge protection inbuilt. That’s a nice feature, although the 560V rating is a little high – I wonder if the unit can survive such a transient as most mains surge protectors tend to use 470V MOVs.
The underside has a few diodes, resistors, bridge rectifiers and an anonymous 8-leg IC with one missing leg, one unconnected and two bridged together. Hmm. It looks like a feedback-less design with pure primary side regulation. The PCB is dated Week 28 of 2017.
I won’t go into the main details of RouterOS, but will provide just a few screenshots from the hAP mini. Basically, RouterOS is the operating system that RouterBoards run on, based on a hardened Linux kernel with added Mikrotik “magic”. The unit can be administered through a web interface, as well as through their API, WinBox utilities, SSH or Telnet.
By default, it comes without any passwords set and you’re left at the Quick Set page. This is mainly for those who just want to get something going, but is highly limiting and isn’t something I recommend using as some people have experienced odd configuration clashes.
Instead, it’s much better to go over to the WebFig which provides access to all of the features. By default, the main page shows you the interfaces – all of the various categories are along the left side, with each category having sub-categories by tabs along the top. Accessing the unit via WinBox application provides a slightly more streamlined appearance, not limited by a web browser, but the configuration possibilities are laid out in much the same fashion.
Just with a few of the side categories expanded, you can get an idea of just how many things can be set. As RouterOS is practically unified across their devices, there are configuration options which do not apply to your particular hardware, so don’t think that your device suddenly has LTE/USB/60Ghz capability just because there’s a tab for it.
Access via Telnet or SSH is possible with a CLI that’s very powerful and easy to get along with. There’s no access to Linux – the terminal is simple – /tool for example changes into the tool category where you can type a command. If you ever need help, ? will provide a listing of valid commands. Use a proper terminal and you get colour coding to help you out. From here, you can even back-up your configuration by using export or export compact, and pasting the resulting text back into a fresh unit will apply the configuration (which is basically a list of CLI commands). For example, this is an excerpt from a fresh hAP mini that just underwent a firmware upgrade (MAC censored):
/interface bridge add admin-mac=CC:2D:E0:XX:XX:XX auto-mac=no comment=defconf name=bridge /interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \ disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\ MikroTik-XXXXXX wireless-protocol=802.11 /interface ethernet set [ find default-name=ether2 ] name=ether2-master /interface list add comment=defconf name=WAN add comment=defconf name=LAN add exclude=dynamic name=discover add name=mactel add name=mac-winbox /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik /ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254 /ip dhcp-server add address-pool=default-dhcp disabled=no interface=bridge name=defconf /interface bridge port add bridge=bridge comment=defconf interface=ether2-master add bridge=bridge comment=defconf interface=wlan1 add bridge=bridge interface=ether3
Mikrotik is my new favourite brand of networking equipment. Price-wise, the hAP series is cheap like most commodity consumer-grade equipment, but the functionality and flexibility is unrivalled. Software updates are frequent and performance is good enough for my needs. Best of all, there no need to worry about whether you can “hack” a commercial off-the-shelf unit to unlock features as basically all features that you’d normally need are available. It’s really down to your time, skills and imagination to configure the network in a way that you desire. In some ways, the hAP series can serve as an introduction to the Mikrotik ecosystem so that you can build your own RouterBoard with the radios you need in case the regular units don’t address your needs.
On the downside, the RouterOS software isn’t exactly the most user friendly. It can easily be overwhelming to novices, especially those who don’t like command line interfaces. That being said, once you get used to it, it’s actually extremely powerful even if some of the options are not as logically placed as you might expect. That being said, some options available on other units aren’t available in RouterOS – things like beacon interval or DTIM interval, which I found rather surprising given the otherwise featureful software. Licensing isn’t a big issue either, as the hAP hardware comes with a license already up to level 4 – features in the higher levels are not likely to be necessary for most home users.
That being said, I’ve managed to use the hAP series to do a number of interesting things – now that I’ve tethered my LTE phone over USB, the (tested) throughput reaches up to 42Mbit/s and that’s likely due to a phone/carrier limitation. I’ve also managed to set up a number of “slave” Wi-Fi interfaces (three on 2.4Ghz and three on 5Ghz), with some of them being bridged to specific ports on the router, allowing for multiple physically partitioned networks to share the Wi-Fi radios. While this does share the air-channel bandwidth, it’s easier than having three dual-band APs for my own experimentation. I’ve also got it accessible with multiple addresses on these separate partitioned networks, serving a SOCKS4 proxy so I could access the router’s WAN through these networks as well. I’ve played with onboard data rate graphing and recording, rate limiting through queues (which works exceptionally well) and that’s only scratching the surface as there is support for VLANs, link bonding, EoIP/IP tunnels, SMB serving and much more.
Another hAP mini was set up to emulate a number of Wi-Fi networks so I could demo my own IoT devices when away from the home – broadcasting SSID and encryption matching my home network while also broadcasting another set for joining devices which are developed for others where I have to share the credentials. Being USB powered means I can easily just plug it into a laptop or powerbank for a demo – very useful when working with Wi-Fi based devices (e.g. ESP8266).
Finally, just last week, I managed to configure an hAP mini to take over a specialised firewalling task which I employed a Raspberry Pi over 4 years ago to do. The Pi was still working, but a more elegant solution was demanded – basically it had to operate like a bridge on layer 2, but filtered on layer 3 by source IP. Because of “external” factors, it was not allowed to operate at layer 3 (e.g. masquerade) or proxy ARP for the devices behind and it could not “appear” with its own MAC/IP in any way on the interface. After a little messing about, I was able to get the hAP mini to do just that on the Ethernet side, being configured over Wi-Fi. For security, once we were happy with the configuration, we disabled the Wi-Fi interface leaving the unit no longer accessible via any port and without any address or access via MAC Winbox. The only way out was a full reset.
As a result, I’d have to say that the Mikrotik stuff has saved my bacon quite a few times – the hAP mini is great just to have around as a spare emergency device but also as a travel router. If you’re considering the hAP ac, the downside is the cost and weak single-core CPU which does limit throughput somewhat. Triple-stream 802.11ac devices are also somewhat rare, SFP interface isn’t that useful (unless you buy an adapter). So, unless you need that or PoE output, I’d say that the hAP ac² is the one to get – it’s much beefier for CPU while offering two streams on each band at two-thirds the price. A fair deal, I’d say. Just make sure you take the time to configure it properly and keep it up to date!