The hAP ac2 device provided by MikroTik is an all-in-one router & wireless access point that can be used on small office/home office networks. Some highlights of the device include:

  • ~$70
  • Supports 2.4GHz & 5GHz wireless
  • Gigabit
  • SIP ALG can be disabled
  • DNS servers can be changed to improve DNS resolution efficiency to prevent registration issues with Polycom devices.
  • QoS can be implemented by marking traffic and setting up queues.

Firmware

It is highly recommended to update the firmware on the device. This is mainly for security reasons. You can do this right in the web UI by navigating to WebFig > System > Auto Upgrade.

WiFi

Important: out of the box, the device has no WiFi password set. This should be set immediately after logging into the web UI of the device. This can be set on the Quick Set page under WiFi password. Simply select the arrow drop-down, set the password you would like, and then click on Apply Configuration. Additional documentation on the device's WiFi can be found here: https://wiki.mikrotik.com/wiki/Manual:Initial_Configuration#Setting_up_Wireless

Static IP

If you need to set up a static IP on the device, you can refer to the following KB article: Configuring static WAN IP on MikroTik hAP ac2

Setting up the device

  1. Out of the box DHCP is enabled and the device runs off a 192.168.88.0/24 subnet.

  2. Port 1 (ether1) is used as the WAN port, while the rest of the ports can be used as LAN/switch ports.

  3. Web UI is accessible at 192.168.88.1. Upon initially logging into the web UI of the device, you will not be prompted for a password. Be sure to set a new password. Click on password in the bottom right-hand corner.

  4. SIP ALG can be disabled by navigating to WebFig (top right-hand corner) > IP (left-hand side) > Firewall > Service ports > click on the D icon next to SIP to disable it.

  5. By default, the router will use dynamically assigned DNS servers (DNS servers handed by the ISP), and we want to disable this. The easiest way to do it is at the command line in the terminal. In the top right-hand corner of the web UI select Terminal and then issue the commands below.

    • /ip dhcp-client set use-peer-dns=no 0
    • /ip dns set servers=8.8.8.8,8.8.4.4
    • /ip dhcp-server network set dns-server=8.8.8.8,8.8.4.4 0
  6. Set DNS commands
  7. To tell the router to respond to pings from Intermedia ping servers, we’ll first create an address list and then adjust the ICMP firewall rule. Go to the terminal and put in the following commands:

    • /ip firewall address-list
    • add list="PingServers" address=<First IP goes here>
    • add list="PingServers" address=<Second IP goes here>
    • You will need to contact Intermedia support to obtain the IP addresses.
  8. Our goal in this step is to configure the router in such a way that it will respond to WAN pings, but only from Intermedia's ping servers. Navigate back to WebFig > IP > Firewall. Click on rule #3 for accepting ICMP traffic. The rule should already be set to accept ICMP traffic by default, but we need to modify the rule.

  9. Locate the Src. Address List section and click on the downward arrow. From the drop down select the PingServers address list we created earlier. Scroll back up to the top and click on Apply > OK

  10. Navigate back to Terminal and issue the following command: /ip firewall connection tracking set udp-timeout=300s
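
One way to confirm that steps 4 through 10 took effect is to review the router's exported configuration. The script below is an added example, not part of the original article or any MikroTik tooling: the sample export is constructed in the style of /export output with a placeholder address, parse_export and audit are hypothetical helper names, and it assumes one entry per line and that the timeout may appear as either 300s or 5m.

```python
import shlex

# Constructed sample in the style of RouterOS `/export` output (not from a real
# device). Assumes one entry per line; 192.0.2.10 is a documentation placeholder.
SAMPLE_EXPORT = """\
/ip dhcp-client
add interface=ether1 use-peer-dns=no
/ip firewall address-list
add address=192.0.2.10 list=PingServers
/ip firewall connection tracking
set udp-timeout=5m
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall service-port
set sip disabled=yes
"""

def parse_export(text):
    """Yield (menu, verb, bare_words, properties) for each entry."""
    menu = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        verb, *rest = shlex.split(line)  # shlex keeps quoted comments whole
        props = dict(t.split("=", 1) for t in rest if "=" in t)
        yield menu, verb, [t for t in rest if "=" not in t], props

def audit(text):
    """Return findings for the settings changed in steps 4-10 (hypothetical helper)."""
    entries = list(parse_export(text))
    rows = lambda menu: [(b, p) for m, _, b, p in entries if m == menu]
    findings = []
    if not any("sip" in b and p.get("disabled") == "yes"
               for b, p in rows("/ip firewall service-port")):
        findings.append("SIP ALG is enabled")
    if any(p.get("use-peer-dns", "yes") != "no" for _, p in rows("/ip dhcp-client")):
        findings.append("DHCP client accepts ISP DNS servers")
    lists = {p["list"] for _, p in rows("/ip firewall address-list") if "list" in p}
    for _, p in rows("/ip firewall filter"):
        if (p.get("chain"), p.get("protocol"), p.get("action")) == ("input", "icmp", "accept"):
            if p.get("src-address-list") not in lists:
                findings.append("ICMP accept rule is not limited to a defined address list")
    if not any(p.get("udp-timeout") in ("300s", "5m")
               for _, p in rows("/ip firewall connection tracking")):
        findings.append("udp-timeout is not 300s")
    return findings
```

On the constructed sample, audit(SAMPLE_EXPORT) reports the ICMP rule, because the sample deliberately leaves out the Src. Address List set in step 9.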

Implementing QoS

It's a good idea to implement QoS on the router, especially if bandwidth is limited. We want to ensure VoIP traffic has the highest priority. This can be accomplished by first marking traffic appropriately, and then setting up queues. There will be a queue for the VoIP traffic which will be given highest priority, and a queue for general traffic which will be given lower priority. To mark the traffic we will create mangle rules in the firewall. Mangle is a firewall feature that is used to mark packets. NOTE: You will need to obtain the necessary IP address blocks from Intermedia support.

  1. Navigate to WebFig > IP > Firewall > Mangle. Click on Add New to create a new rule. For the first rule, put in the following:

    • Chain: prerouting
    • Src. Address: <IP block> (for Cloud PBX 2.0) or <IP block> (for Intermedia Unite)
    • Action: mark connection
    • New Connection Mark: VoIP
    • Ensure passthrough option is checked
    • Comment: From VoIP Addr
    • Apply > OK
  2. Mangle rule screen cap 1
  3. Mangle rule screen cap 2
  4. For the second mangle rule put in the following:

    • Chain: prerouting
    • Dst. Address: <IP block> (for Cloud PBX 2.0) or <IP block> (for Intermedia Unite)
    • Action: mark connection
    • New Connection Mark: VoIP
    • Ensure passthrough option is checked
    • Comment: To VoIP Addr
    • Apply > OK
  5. 2nd Mangle rule screen cap 1
  6. 2nd Mangle rule screen cap 2
  7. Lastly, we just need to set up the queues; however, before doing so you will need to know the Internet speed/bandwidth of your connection. You can obtain this here. You will take this into consideration, along with how many VoIP devices (computers and desk phones) are in place. Being a bit on the conservative side, each VoIP call can consume roughly 100Kbps of bandwidth. Take the number of devices you have and multiply it by 100. For example, if you have 10 devices (phones and computers) that will be used for VoIP, take 10 x 100Kbps. This is then equal to 1000Kbps or 1Mbps. An even more conservative approach would be to double this value, so the max limit in our queue could be set to 2M.

  8. Click on the Queues tab on the left-hand side, and then add new. For the first queue, input the following parameters:

    • Name: VoIP traffic
    • Target: 192.168.88.0/24
    • Target upload max limit: <Value you calculated goes here>
    • Target download max limit: <Value you calculated goes here>
    • Packet marks: VoIP
    • Priority: 1 (on download and upload)
    • Leave everything else on the defaults. Apply > OK
  9. VoIP queue screen cap
  10. We have created the queue for the VoIP traffic, now we just need to create a queue for the rest of the traffic on the network. Click on the Queues tab on the left-hand side, and then add new. For this queue, input the following parameters:

    • Name: All Other Traffic
    • Target: 192.168.88.0/24
    • Target upload max limit: <Take total bandwidth and subtract max limit set in VoIP queue>
    • Target download max limit: <Take total bandwidth and subtract max limit set in VoIP queue>
    • Packet marks: no-mark
    • Priority: 8 (on download and upload)
    • Leave everything else on the defaults. Apply > OK
  11. Other traffic queue screen cap

Setting max limits in the queues

The max limit in each queue is usually set from a drop-down option, or by double-clicking in the drop-down text box and typing in the value you want. If the option you need isn't available in the drop-down and you aren't able to type it in manually, the custom value can be set at the command line by following the instructions below.

  1. In the top right-hand corner of the web UI select Terminal and then issue the commands below:

    • queue

    • simple

    • print

  2. In the screenshot below we can see that our VoIP queue has a flag of zero (the number in the leftmost column of the print output), and the other traffic queue has a flag of 1.

  3. Queue Flags

  4. As an example, if we wanted to set the VoIP queue upload max limit at 7M and the download max limit at 10M, we would issue the following command:

    • set max-limit=7M/10M 0

  5. Max Limit Screenshot 1

  6. Notice that the upload max limit comes before the download, and they are separated by a slash (/). The zero in this case is the flag associated with the VoIP queue.

  7. We can then do the same for the other traffic queue.

    • set max-limit=22M/100M 1

  8. Max Limit Screenshot 2