Correct setup of the Mikrotik RB941. Mikrotik hAP ac: a router for all occasions. Mikrotik RB941 ports

The device is a compact access point that is ideal for apartments, houses and small offices. There is a WPS button on the case, which allows clients to connect wirelessly without entering a password, or switch the device to cAP mode for centralized control using the CAPsMAN controller, simply by pressing a button. The access point is equipped with a multifunctional operating system RouterOS with all its capabilities: firewall, user access control, bandwidth limiting, etc.

hAP lite TC is equipped with a powerful Atheros processor with a clock frequency of 650 MHz, 32 MB of RAM, a 2.4 GHz radio module with MIMO 2x2 support, four Fast Ethernet ports and a fourth license level of the RouterOS operating system. A USB power supply is included in the package.

Specifications

CPU: Atheros QCA9533, 650 MHz
RAM: 32 MB DDR SDRAM
ROM: 16 MB
Ethernet ports: 4x 10/100 Mbps Fast Ethernet with Auto-MDI/X
Wi-Fi module: 802.11b/g/n, MIMO 2x2
Features: Reset / WPS button
Antenna gain: 1.5 dBi
Maximum power of the radio module: up to 20 dBm for the Russian Federation (up to 22 dBm for other countries)
USB port: 1x port (for power)
Power: USB power supply 5 V, 0.7 A (included)
Maximum power consumption: 3 W @ 5 V
Dimensions: 124 x 100 x 54 mm
Operating ambient temperature: -20 .. +70 °C
Operating system: Mikrotik RouterOS Level 4


Radio module characteristics

Data rate | Power | Sensitivity
1 Mbps | 22 dBm | -96 dBm
11 Mbps | 22 dBm | -89 dBm
6 Mbps | 20 dBm | -93 dBm
54 Mbps | 18 dBm | -74 dBm
MCS0 | 20 dBm | -93 dBm
MCS7 | 16 dBm | -71 dBm

The Mikrotik hAP ac is supplied with the following package contents:

  • MikroTik hAP ac (RB962UiGS-5HacT2HnT);
  • Power supply 24V 1200mA;
  • Quick start instructions.

The appearance of the model does not particularly differ from the classic MikroTik RB951 device. On the front side there are 5 gigabit Ethernet interfaces and an SFP interface of 1.25 Gbps. There is also a connector for connecting a power supply.

hAP ac has the ability to receive power over PoE on the first port. The fifth port can act as a PoE source for MikroTik devices and other compatible devices.

At the top of the model there are indicators of activity of ports, WiFi interfaces and a power light. There are ventilation holes on the top side to dissipate heat from the device.

On the reverse side of the hAP ac there are special anti-slip feet, holes for fastening to vertical surfaces, a sticker with the serial number and MAC addresses of the interfaces.

On the side there is a USB interface for connecting peripheral devices. The RESET button is also located here. It is responsible for resetting the device to factory settings and can control the hAP ac boot mode.

Another function of this button is to activate WPS mode, which is designed to quickly set up a WiFi connection between the access point and the client.

If you look inside the router, you can see the internal structure of the device. There are 6 antennas, two of which are fixed on the device body. They can be replaced with external antennas if required.

When Mikrotik introduced the hAP lite, it gave a real impetus to wider use of the company's routers. An excellent set of features, rich functionality, flexibility, reliability and an affordable price turned it into a real bestseller, which to this day leads the sales ratings of many online stores.

Meet hAP ac²!

Many people mistakenly think that hAP ac² is a replacement for the previous flagship hAP; this is partly true, but not entirely. Let's figure it out.

The hAP ac² is delivered in the usual cardboard packaging, the only thing that has changed over the past few years is the pattern added to the box and resembling an embroidered shirt.

As before, the device comes without a patch cord and color printing. However, many would not refuse a quality patchcord.



Due to the matte soft-touch coating, hAP ac² is packed in polyethylene, which should ensure safety until the device falls into the hands of the end customer.

Of the non-standard options, the package contains only a stand-mount and a short illustrated instruction on how to use this stand itself.

The part number of the model turned out to be very intricate: RBD52G-5HacD2HnD-TC. With the hEX, users could sometimes refer to the device by its part number when talking on the forums; with this model, not everyone will manage to remember the part number the first time.


However, a lot of information can be gleaned from the part number:

    RB - RouterBOARD

    D - Dual-Chain (Full)

    52 - Dual-Band 5 + 2.4 GHz

    G - Gigabit Ethernet

    5HacD - 5GHz 802.11ac, High-Power (Type 1), Dual-Chain

    2HnD - 2.4GHz 802.11n, High-Power (Type 1), Dual-Chain

As for the transmitter power, Mikrotik has 4 gradations:

    normal power (no index), less than 23-24 dBm;

    H - increased power, 23-27 dBm;

    HP - high power, 25-29 dBm;

    SHP - very high power, more than 27-30 dBm;

Actually, "type 1" means the index "H". But the index "U" (USB) is not used in the name, although this interface is present here.

In general, the design itself is rather unusual. The company continues to experiment with the Tower-Case, with the hAP lite TC being the first "experimental" device. Then hAP ac lite TC (RB952Ui-5ac2nD-TC) and hAP mini (RB931-2nD) appeared.

Surveys show that almost 70% of respondents approve of the domesticated design of the hAP ac2.


The indicators and the interfaces themselves are located on opposite sides, which is the standard for home and SOHO solutions. The port indication is not very convenient, but it is not intrusive and will not bother you with its work at night.

All 5 interfaces are shielded, and there is no ground connection on the case.


In addition to the power indicator, hAP ac² also has an additional user indicator, which is convenient to configure, for example, according to the status of the VPN connection.

The WPS and reset buttons are combined. You no longer need to carry a paper clip with you; a pen or pencil will now do. Holding the button for a long time is still inconvenient, which protects against accidental reset.

One of the highlights in the hAP ac² design is the stand.




It's not just a stand, it's a ceiling or wall mount. We have already installed this device for one of our clients on a plasterboard ceiling. The installation process is quick and convenient, and with a placement height of 4 meters there are absolutely no problems with coverage quality.

The element is fastened with a latch to the bottom edge or to the cover. In the first case, you will receive a desktop standing version, in the second - a desktop recumbent version, or a wall (ceiling) mount. On the legs there are silicone inserts that provide anti-slip properties of the stand.

The ac2 itself is extremely compact, the size of the novelty is comparable to the usual hAP lite, and in a standing position it takes up a minimum of space.

Inside the Mikrotik hAP ac²

Many owners tried to look inside the ac², but not everyone managed to open it, and some of those who did simply broke the latches. For this reason, we urge you to refrain from opening this model.

The first thing worth paying attention to is how enclosed the internal space of the case is. There are ventilation "slots" on the front panel, but it cannot be said that they improve ventilation much. The internals of the device easily warm up to 45 degrees when idle, and under load the temperature can rise to 52 degrees.


There is no need to panic about this, the old hAP ac warmed up much more. The device that we have chosen as a server even warms up to 62-65 degrees in idle time.

Almost half of the upper part of the RBD52G-5HacD2HnD-TC board is covered with a massive needle-type heatsink.


On the same side of the board, 2 antennas, interfaces, a power subsystem and a USB port are soldered.


There are 4 mounting holes along the perimeter of the board, probably the company has previously experimented with different case options, including the classic one.

All the main components of hAP ac² are located on the back of the PCB.



The device is based on the Qualcomm IPQ-4018 chip. It is a highly integrated solution combining a 32-bit ARM processor and wireless modules.



Despite the strong resemblance to the IPQ-4019, these 2 chips are not interchangeable. The older IPQ-4019 has a larger physical size, a different design and wiring diagram.


Although in general, IPQ-4018 and IPQ-4019 differ only in the set of interfaces.

The main computing unit of the IPQ-4018 is 4 ARM Cortex A7 cores with a clock frequency of 717 MHz. The chip includes Hardware NAT and Crypto Engine blocks; as you might guess, the first is responsible for NAT offloading, the second for hardware encryption.

Both wireless modules are MIMO 2x2 (Dual-Chain) configurations, with each module having its own co-processor that provides hardware offload. They are labeled CPU # 1 and CPU # 2 in the block diagram.

At the output of each chain, one amplification unit is soldered (hidden under the screens), in total there are 4 of them.


If you look at the official hAP ac2 block diagram, it lists the AR8327 gigabit switch, and it is labeled as built directly into the IPQ-4018.

At the same time, next to the processor, the QCA8075 is soldered on the board, which implements 5 gigabit ports.

If we return to the official Qualcomm block diagram, the IPQ-4018 contains "5GE L2 / 3/4 Switch Engine", a little to the left of the diagram there is an external block "QFE8075 / 2 (5/2 ports PHY)".

Thus, in fact, the physical layer (PHY) is implemented on a separate external chip QCA8075, but the rest of the harness is located directly in the SoC. RouterOS itself identifies the switch as Atheros-8327.

As usual, there is not a lot of permanent memory - only 16 MB (Winbond 25Q128JVSM).


The situation with RAM is more interesting. Officially, hAP ac2 has 128 MB of RAM. At the same time, the first batches are equipped with 256 MB Nanya NT5CC128M16IP-DI chips.


The end user has 233 MB available. Mikrotik confirmed this fact, but they will not correct the description and characteristics for hAP ac², because there are batches with 128 MB. Someone in the logistics department really messed up.

So far, we have not come across a single device with 128 MB, all copies we tested were equipped with 256 MB of RAM.

The hAP ac2 platform will be partially used in the RB450Gx4, although it is based on the IPQ-4019 with disabled wireless interfaces. The cost of the board will be almost double that of the tested device. In return, Mikrotik offers 1 GB of RAM, 512 MB of NAND Flash, a 5th license level and microSD support.

hAP ac² performance with L2TP/MPPE

At the moment, there is a fairly wide range of possibilities for combining remote networks into a single computer network. The most popular tools are PPTP, L2TP, OpenVPN, and IPsec.

PPTP is the oldest and most insecure of these protocols. Oddly enough, the overwhelming majority of Mikrotik users still use the outdated PPTP protocol for remote connections. Because this protocol is completely outdated and even Apple devices have stopped supporting it, we will not test it.

The most optimal protocols are IPsec and OpenVPN.

IPsec is one of the most secure methods of network interconnection available today. With strong AES encryption and support for 128- and 256-bit keys, this protocol provides the highest reliability and confidentiality of transmitted data, which can be of critical importance to businesses and government agencies. Today, even using the power of supercomputers, it would take billions of years to decrypt data encrypted with AES. This method also has disadvantages: it needs external static IPs at both ends of the connection and places high demands on the hardware platform. In principle, an IPsec connection is also possible between dynamic IPs, although in this case you will have to reconfigure the parameters each time one of the addresses changes. The hardware requirement is not trivial either: entry-level budget RouterBOARDs can provide at best 10-20 Mbit with a full CPU load.

More advanced devices such as RB750Gr3, RB850Gx2 (discontinued), RB450Gx4, RB3011, RB1100AHx2, RB1100AHx4, and CCR1009 are capable of faster IPsec speeds. With the advent of hAP ac2, this list can be supplemented with one more model, but first things first.

L2TP can also be used in conjunction with IPsec. The main advantages of this combination are high security, quick and easy configuration, and good tolerance of NAT on the end client side. Its serious drawback is the very high demand on the hardware platform; L2TP/IPsec is perhaps the most demanding protocol. The cause is the double encapsulation of data and the need for encryption.

The OpenVPN protocol, which is based on the OpenSSL library and the SSL / TLS protocols, is devoid of these shortcomings. OVPN itself is extremely flexible in configuration and even allows you to mask traffic as normal HTTPS, making it possible to bypass all sorts of restrictions on the part of the provider. Generally, OVPN is faster than IPsec and still supports a variety of encryption algorithms, including AES. There are still disadvantages to this method - more complex configuration and high hardware requirements (as well as for IPsec).

For our part, to begin with, we will test L2TP with standard MPPE 128-bit encryption.

L2TP is more reliable and secure compared to the previous generation protocol - PPTP. We strongly recommend that you abandon the use of PPTP in favor of more modern protocols. If you do not have the ability and / or desire to use OVPN / IPsec / L2TP + IPsec, we recommend using L2TP / MPPE.

The main recommendation for increasing L2TP/MPPE security is to use very long passwords consisting of a set of random letters (with different layouts), numbers and special characters. The use of "dictionary" passwords is not recommended, since L2TP/MPPE has a number of drawbacks that allow dictionary methods of password guessing, which ultimately reduces the security of a 128-bit key, making it equivalent to 56-bit. In any case, it is much better than using PPTP.


As a pair for hAP ac2, we chose the proven CCR1009 platform, namely the.


It is the most affordable member of the CCR line, which has a powerful 9-core Tile Gx processor and 1 GB of RAM. This combination provides high performance and the ability to handle up to 2.5 Gbps of IPsec traffic.

During testing, we additionally checked stability and reliability under high loads. Performance data are given for user (useful) traffic, and the average over the sample is used. Peak performance values are not included in the calculation of the average if their duration is less than 30 seconds.


On both sides, PCs with iperf are used as traffic generators, which gives more reliable values and more flexibility than the built-in BTest.

    CCR1009 - WAN IP 192.168.106.20 / VPN 10.0.0.1 / LAN 192.168.1.0

    hAP ac2 - WAN IP 192.168.106.30 / VPN 10.0.0.2 / LAN 192.168.2.0

For CCR1009, a manual configuration was used, similar to defconf on low-level devices. ETH1 (not Combo) is used as WAN, standard Firewall rules, port 1701 is additionally open.

The L2TP Server configuration is based on a standard encrypted profile, MTU has not been changed, and the "Allow Fast Path" option is additionally activated.

All legacy authentication methods MSCHAP1, CHAP and PAP are disabled, only MSCHAP2 (MS-CHAPv2) is active.


In modern realities, it is best not to use compression for maximum performance.

On the client side, the settings are similar, the default profile with encryption is used, as well as the "Allow Fast Path" option.

Routing to the remote network is provided by a static route in combination with NAT masquerade, the default route is not used.

Both devices have a fasttrack connection configured in the Firewall for established and related connections.


At the output, we have a classic combination of 2 networks based on L2TP / MPPE



Depending on the direction of traffic and configuration, CCR loads 1 core, or distributes calculations between all 9 cores. For example, when sending data from CCR, 1 core is used, while when receiving data for decryption, all cores are loaded evenly.


Packet exchange of 1400 bytes, TCP mode

The first throughput test is done for 1400-byte packets.

The average performance of a 1-thread test is 112 Mbps for receiving and 128 Mbps for sending.



With an increase in the number of sessions to 10, the speed changes to 111 and 170 Mbit, as you can see, there is an increase in performance for sending with an increase in the number of sessions.


There is no particular increase for Download, regardless of the packet size. Interestingly, in all these cases the IPQ-4018 utilization averaged up to 25%. Only 1 core is loaded; only occasionally, in multi-threaded modes, does the system offload work to other cores.

The next test is carried out for Upload, with the number of sessions increased to 20 and 100; as a result, the speed increases to 201 and 235 Mbps, respectively.



For additional monitoring during the tests, the Tools - Profile tool was periodically used, with which we tracked the distribution of resources and their load.

Actually, it clearly shows that with an increase in the number of simultaneous connections, RouterOS, albeit with a bias, distributes part of the calculations to the rest of the cores. Along with the increase in performance, the load on the CPU rises to 35-45%.

The last test in this block is carried out for FDX (Full Duplex) with 10 opposite connections in each direction, for a total of 10 + 10 sessions.


As a result, the total throughput was 185 Mbps.

The resulting performance diagram for 1400-byte packets looks like this:


According to the sales statistics, this is the most popular router in our range. There are a great many reasons for this, but two of them, in our opinion, are the most significant: first, it costs only $20; second, it is a Mikrotik. Together that makes "a Mikrotik for $20", which is really impressive.

Let's give our opinion of it in advance: the router is more than worthy of attention. It works very stably, the speeds of wired and wireless connections are quite consistent with those stated, and its functionality is comparable to top-end Cisco/Juniper routers with price tags in the sky-high thousands of dollars. There are also disadvantages: it has only 4 Ethernet ports (including the WAN port), and the radio module is weak and does not support the 802.11ac standard. However, here, as in the well-known vulgar joke: "Well, what did you want for $20?"

So, let's tame the hero of our article. Our starting point is a provider that gives us a dynamic IP address. Let's get started:
1. Plug the provider's cable into the 1st port of the router.
2. Connect the cable from the computer to any remaining free port.
3. Like all Mikrotik devices, hAP Lite is assigned the IP address 192.168.88.1 by default. Let's assign our computer network settings from the same subnet, for example address 192.168.88.10, mask 255.255.255.0, gateway 192.168.88.1, DNS 192.168.88.1:

4. Let's go to the router via browser:

Here we will make a small digression: in hAP Lite Mikrotik has implemented a default configuration, which provides for a quick start. The router is already configured to receive a dynamic address on the 1st interface, a DHCP server is enabled, a bridge between ports is configured. In fact, in our topology, the router worked as expected immediately after being turned on. However, we are not here for this, so ...

5. Let's reset the router to factory settings. To do this, at the top, in the System section, click the Reset Configuration button:

6. Check the parameter No Default Configuration and press Reset Configuration:

7. We confirm our intention:

8. After about a minute, the router will reboot. There is a slight hitch here: after a reset that deletes the default configuration, the router no longer has an IP address assigned, and it cannot be reached from the browser. No problem: for this case Mikrotik has a special configuration application, WinBox. Download it from http://www.mikrotik.com/download, in the section Useful tools and utilities:

9. WinBox does not require installation. Launch it and click the Neighbors tab at the bottom. All Mikrotik devices within the broadcast domain should appear in the list below. In our case, the only one will be the hero of this article. Click on its MAC address (this is important!), then press the Connect button at the top of the screen:

10. The interface of the router appears in all its glory. Close the RouterOS Default Configuration window by pressing OK:

11. In the menu on the left, click Interfaces. Note that in an empty configuration the wireless interface is disabled on the router. It is called wlan1. Select it and click the blue checkmark at the top of the window. This will be useful to us in the near future:

12. Double-click to open the ether2 interface, change its name to ether2-master and press OK:

13. Now open the ether3 interface and change the Master Port parameter to ether2-master:

14. Repeat the same action for the ether4 interface: open it and change the Master Port parameter to ether2-master.

This paragraph should be read only by those who are strongly interested in the technical side of the issue! If you opened the article just to have a setup cheat sheet in front of your eyes, you can skip it!
And now we will explain what was done in steps 12-14. Unlike more familiar household routers, in Mikrotik routers the ports are not included in a single switching matrix by default, i.e. they are not part of a switch as such. There are 2 ways to "collect" them into a logical switch: software and hardware. The software way, a bridge, uses the central processor of the router for switching. The hardware way uses a special hardware switching chip, and the CPU is not used. Thus, for ports operating in switch mode, the use of the switching chip naturally suggests itself. Now to what we did earlier: we renamed the ether2 port to ether2-master so that we can clearly see in the configuration console which port is the master for the others, and told the router that the ether2 port is the master port for the other two. By using the master port we engaged the switching chip, and the CPU is no longer involved in switching packets between the ether2-ether4 ports. You can read more about switching chips and their capabilities here: http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features

15. Let's create a bridge for the interfaces that form the local network. In the menu on the left, click Bridge; in the first tab, Bridge, press +; in the window that opens, enter the name of the bridge (for example, LAN) and press OK:

16. Go to the Ports tab, press +, choose Interface: wlan1, Bridge: LAN, and press OK:

17. Repeat the procedure for the ether2-master interface.

18. The final list of ports in the bridge should look like this:

19. As mentioned above, in our topology the provider gives us a dynamic IP address. Turn on the DHCP client on the WAN port of the router. To do this, open IP -> DHCP Client in the menu on the left and click + in the window that appears:

20. The provider's cable is plugged into the 1st port of the router. Choose Interface: ether1, be sure to set the Add Default Route parameter to Yes, and press OK:

21. Now, in the DHCP client window, you will see on which interface the DHCP client is enabled, and what address it received:

22. Turn on NAT. To do this, open IP -> Firewall in the menu on the left, go to the NAT tab, press +, and in the window that appears set the Chain parameter to srcnat and the Out. Interface parameter to ether1:

23. Without leaving the New NAT Rule window, go to the Action tab, set the Action parameter to masquerade and then press OK:

24. Let's configure DNS. In the menu on the left, open IP -> DNS. Our provider has already given us 2 dynamic servers, but their list can be supplemented by hand (in the Servers parameter). The main thing in this window is not to forget to tick Allow Remote Requests, after which you can press OK:

25. It's time to assign the router an IP address for the local network. Go to IP -> Addresses in the menu on the left, click + in the window that opens and enter the IP address / subnet mask. In our case we will use 192.168.88.1/24. The Interface parameter should be set to LAN (this is our bridge, created in step 15; it may have a different name for you), after which you can press OK:

Now our list of IP addresses should look something like this (of course, the address on the ether1 interface will be different for you):

26. By the way, we should have access to the Internet on our computer! Let's check:

Really appeared! But we will postpone the celebration until later.

27. Now let's configure the DHCP server. Go to the menu on the left IP-> DHCP Server, in the window that opens, click DHCP Setup:

28. We select as the interface on which DHCP will work, our bridge - LAN, click Next:

29. We set the address space. We plan to issue addresses on the 192.168.88.0 network with a mask 255.255.255.0, therefore we enter 192.168.88.0/24 and press Next:

30. We indicate the gateway. We have it 192.168.88.1. Push Next:

31. Define the pool of IP addresses that will be issued to clients. Here we advise you to make your own decision based on your network topology. We will use the range 192.168.88.2-192.168.88.254, enter and click Next:

32. Enter DNS servers (you can have your own, or use public DNS from Google or Yandex), click Next:

33. Enter the lease period for IP addresses (you can leave the default unchanged), click Next:

This completes the DHCP server configuration:

34. Now let's configure WiFi. In the menu on the left, click Wireless; in the window that opens, double-click the wlan1 interface and set the parameters:
- Mode: ap bridge
- Band: 2GHz-B/G/N
- SSID: enter the name of your WiFi network
- Wireless Protocol: 802.11
- WPS Mode: disabled

After that, click OK:

35. Now let's set a password for our network. Go to the Security Profiles tab and open the default profile. Now:
- set the Mode parameter to dynamic keys
- tick WPA2 PSK in the Authentication Types parameter
- tick all the boxes in Unicast Ciphers and Group Ciphers
- in the WPA2 Pre-Shared Key field, enter the password for the WiFi network
- press OK

36. Let's connect to WiFi, check its performance. Active connections can be viewed in the Registration tab:

37. Now turn off all the interfaces for managing the router except WinBox (if necessary, keep the ones you need, although from a security point of view we do not recommend doing so without a firewall). To do this, go to IP -> Services, select the unnecessary services and click the red cross:

38. It remains to set the administrator password. Go to System-> Users, enter the user profile admin, press Password, enter the password twice in the fields New Password and Confirm Password and click OK:
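
The result of steps 34, 35 and 37, together with the L2TP settings used in the test above (only MS-CHAPv2, no PPTP), can be checked against a text export of the router configuration. The following is an added example, not part of the original article: the export fragment is constructed, and the finding codes, the list of services assumed to be enabled by default and the treatment of omitted values are assumptions.

```python
import re

# Constructed RouterOS v6-style compact export fragment (sample input, not from the article).
SAMPLE_EXPORT = r"""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge \
    ssid=home wireless-protocol=802.11 wps-mode=disabled
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys
/interface l2tp-server server
set authentication=mschap1,mschap2 enabled=yes
/interface pptp-server server
set enabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
"""

# Assumption: services that stay enabled unless the export disables them
# (a compact export lists only values that differ from the defaults).
DEFAULT_ENABLED = {"telnet", "ftp", "www", "ssh", "api", "api-ssl", "winbox"}

PARAM = re.compile(r'([\w.-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Yield (menu_path, command, positional_args, params) per config line."""
    path = None
    # A trailing backslash continues the line; the next line's indent is dropped.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            continue
        command, _, rest = line.partition(" ")
        rest = re.sub(r"\[[^\]]*\]", "", rest)  # drop "[ find ... ]" selectors
        params = {k: v.strip('"') for k, v in PARAM.findall(rest)}
        positional = PARAM.sub("", rest).split()
        yield path, command, positional, params


def audit(text, keep_services=("winbox",)):
    """Return sorted finding codes for the settings named in the article."""
    findings = set()
    enabled = set(DEFAULT_ENABLED)
    for path, command, positional, p in parse_export(text):
        if path == "/ip service" and command == "set" and positional:
            # Step 37: every management service except WinBox is switched off.
            if p.get("disabled") == "yes":
                enabled.discard(positional[0])
            elif p.get("disabled") == "no":
                enabled.add(positional[0])
        elif path == "/interface wireless" and command == "set":
            # Step 34: WPS Mode is set to disabled; an omitted value is
            # reported because it was never explicitly disabled.
            if p.get("wps-mode") != "disabled":
                findings.add("wps-not-disabled")
        elif path == "/interface wireless security-profiles":
            # Step 35: WPA2 PSK is the only authentication type ticked.
            if p.get("authentication-types") != "wpa2-psk":
                findings.add("wifi-auth-not-wpa2-only")
        elif path == "/interface l2tp-server server" and p.get("enabled") == "yes":
            # Test setup: MSCHAP1, CHAP and PAP off, only MSCHAP2 active.
            # Assumption: an omitted list means the default, which is not
            # limited to mschap2.
            methods = p.get("authentication")
            if methods is None or set(methods.split(",")) != {"mschap2"}:
                findings.add("l2tp-legacy-auth")
        elif path == "/interface pptp-server server" and p.get("enabled") == "yes":
            # The article recommends abandoning PPTP.
            findings.add("pptp-enabled")
    findings.update(f"service-enabled:{s}" for s in enabled - set(keep_services))
    return sorted(findings)


if __name__ == "__main__":
    for code in audit(SAMPLE_EXPORT):
        print(code)
```

The admin password from step 38 does not appear in an export, so it is outside what this check can see.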

So, at the moment we have a standard configuration without network separation. In order to delimit our local network, we will create a segment (part) of the network for children. To do this, select in the menu winbox → Bridge (1) → Bridge (2) → plus (3) → General (4) → and add the name bridge-child to the name (5) field. Save changes - OK.

Let's prepare the interfaces (ports) for inclusion in the bridge-child. In our configuration, a fourth ether4 port and an additional children's wifi network will be configured for the child. This means that by connecting to the fourth port with a cable and / or to the children's network via WiFi, you will have children's access to the Internet through these interfaces.

Let's set up a security profile for the children's WiFi network. WinBox → Wireless (1) → Security Profiles (2) → plus (3) → General (4) → in the Name (5) field, enter child → in the WPA (6) and WPA2 (6) fields, enter the future password for the children's WiFi network. Let's save the settings - OK.

Let's add a new wifi network. WinBox → Wireless (1) → Interfaces (2) → plus (3) → Virtual AP (4) → Wireless (5) → enter the name of the children's WiFi network in the SSID (6) field → select the security profile (7) for our network. Let's save the settings - OK.

Let's configure the ether4 interface. Winbox → Interfaces (1) → Interface (2) → double-click ether4 (3) to open the interface settings → select none in the Master Port (4) field. Apply the settings - OK.

Next, we will include our interfaces in the prepared bridge-child. Winbox → Bridge (1) → Ports (2) → plus (3) → add the ether4 (4) interface → to Bridge (5) bridge-child. We will do the same for the wlan2 (6) (7) interface. Save all changes - OK.

Let's assign an internal address to the bridge-child interface. WinBox → IP (1) → address (2) → plus (3) → fill in the fields (4), (5), (6) in accordance with the screenshot.

Now you need to assign a DHCP server to the child's network segment to automatically configure the IP parameters of network clients. To do this, go to Winbox → IP (1) → DHCP server (2) → DHCP (3) → DHCP Setup (4) → select the bridge-child interface in the DHCP Server Interface (5) field.

After that, you must click the Next button and follow the DHCP server configuration wizard without changing anything. Once you reach the Select lease time window:

Here you need to change the standard lease time to 3d 00:10:00 and finish configuring the DHCP server.

If you did everything correctly, by this point you should have two network segments:

  • Children's network: LAN-4; wifi. Addressing - 192.168.99.0/24
  • Adult network: LAN-2, LAN-3; wifi. Addressing - 192.168.88.0/24

Now these two networks have no restrictions and are completely equal. To start setting up restrictive functions for a children's network, you must complete the preliminary settings of the router, namely:

  • Set password and SSID (network name) to adult wifi network
  • Set a password for the Admin user
  • Update your router to the latest version.

If you find it difficult to do it yourself, you can find step-by-step instructions for setting these parameters in