My travel router: Mikrotik hap ac lite

While travelling, I connect my devices to the internet via a travel router. This gives me a local network for my phones, tablets and laptops, which is particularly useful for letting SyncThing sync my photos between devices. It also lets me connect VPN tunnels and prevent data leakage while on shady/untrusted WAN networks. (Updated 2018/02/21 for firmware 6.41+)


My requirements:

  1. Fast 802.11ac 5GHz wireless for my devices
  2. Ability to connect to hotel’s 2.4GHz wireless and/or 10/100 hardwire Ethernet internet connection, while also offering an internal 2.4GHz hotspot to my legacy devices
  3. Small, ideally battery powered router, with trusted NAT/Firewall implementation
  4. OpenVPN support to backhaul my devices to a trusted internet connection elsewhere, encrypting traffic from the open wireless hotel connection

Parts list:

  1. Mikrotik hap ac lite [About] [Amazon]
  2. BTECH USB Smart Charger (9-10.8V) Transformer Cable [Amazon]
  3. Your favourite portable battery charger, like an Anker PowerCore 10000 [Amazon]

My device of choice for this is the Mikrotik hap ac lite (model RB952Ui-5ac2nD). The router is not easy to configure, but once configured, it is immensely powerful. It has dual 2.4GHz and 5GHz (802.11ac) radios, along with five 10/100 Mbps Ethernet ports. I typically connect the 2.4GHz radio to the hotel wireless, then use the 5GHz radio for my devices, but I can also connect the hardwire jack in a hotel room to the WAN port. This delivers fantastic wireless performance. The router also has a USB port if you want to connect an LTE/cellular radio. The router is extremely flexible and can be powered via passive 24V PoE, or a 10V-30V external power supply.

I power the device on-the-go with a USB transformer, and a portable battery unit.


Here’s a good starter configuration script, courtesy of Jacob McDonald: Google Doc (via Mikrotik Forums)

I made some modifications to this configuration. To use my configuration:

  1. Edit the LAN 2.4GHz and 5GHz SSIDs and PSKs. In “/interface wireless security-profiles” change default to what you want your private network AP password to be.
  2. Edit the WAN 2.4GHz SSID and PSK for the hotel WiFi. It’s currently set to “HotelPublicWiFiName” with security-profile “none”. If you need a PSK, edit the “wlan-WAN” profile to set the password from “somepublickey” to whatever the WiFi uses, then switch the security-profile.
  3. Apply/import the configuration to the device.
  4. Plug in the hotel Ethernet cable to eth1 or just let it connect to the hotel WiFi.
  5. Configure OpenVPN client on the router to meet your requirements.

My configuration export:
# jan/01/2018 09:02:44 by RouterOS 6.41.1
# software id = CYFM-254Q
# model = RouterBOARD 952Ui-5ac2nD
/interface bridge
add auto-mac=yes comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-master
/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge name=wlan2-5G-LAN ssid=Ephesus2 wireless-protocol=802.11 wps-mode=disabled
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=MyWirelessPasswordGoesHere
add authentication-types=wpa2-psk eap-methods="" name=wlan-WAN supplicant-identity="" wpa2-pre-shared-key=somepublickey
add name=none supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=station-pseudobridge name=wlan1-2G-WAN security-profile=none ssid=HotelPublicWiFiName wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=E6:8D:8C:49:23:FA master-interface=wlan1-2G-WAN multicast-buffering=disabled name=wlan3-2G-LAN ssid=My24GHzNetwork wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=
add name=dhcp ranges=
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp disabled=no name=dhcp1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf hw=no interface=wlan2-5G-LAN
add bridge=bridge hw=no interface=wlan3-2G-LAN
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether3
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=wlan2-5G-LAN list=discover
add interface=bridge list=discover
add interface=wlan3-2G-LAN list=discover
add interface=bridge list=mactel
add interface=ether2-master list=mactel
add interface=ether3 list=mactel
add interface=bridge list=mac-winbox
add interface=ether4 list=mactel
add interface=ether2-master list=mac-winbox
add interface=ether5 list=mactel
add interface=ether3 list=mac-winbox
add interface=wlan2-5G-LAN list=mactel
add interface=ether4 list=mac-winbox
add interface=wlan3-2G-LAN list=mactel
add interface=ether5 list=mac-winbox
add interface=wlan2-5G-LAN list=mac-winbox
add interface=wlan3-2G-LAN list=mac-winbox
/ip address
add address= comment=defconf interface=bridge network=
add address= interface=ether2-master network=
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=wlan1-2G-WAN
add dhcp-options=hostname,clientid disabled=no interface=ether1-WAN
/ip dhcp-server network
add address= comment=defconf gateway=
/ip dns
set allow-remote-requests=yes
/ip dns static
add address= name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
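# no interface: the interface this rule matched was removed, so the export shows the placeholder *9; point in-interface at an existing interface (or delete the rule) before importing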
add action=accept chain=input dst-port=68 in-interface=*9 protocol=udp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1-WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1-WAN
add chain=input protocol=icmp
add chain=input connection-state=established
add chain=input connection-state=related
add action=drop chain=input in-interface=ether1-WAN
add action=drop chain=input in-interface=wlan1-2G-WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1-WAN
add action=masquerade chain=srcnat out-interface=ether1-WAN
add action=masquerade chain=srcnat out-interface=wlan1-2G-WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add type=internal
add interface=ether1-WAN type=external
add interface=wlan1-2G-WAN type=external
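
An added example (not part of the original post or its configuration): a small Python audit of the firewall section of an export like the one above. It assumes every masquerade out-interface is a WAN interface and reports the chains that have no drop rule matching it; the function names are hypothetical.

```python
import shlex
from collections import defaultdict

# Firewall lines excerpted from the export above (comments dropped for brevity).
EXPORT = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=ether1-WAN
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1-WAN
add action=drop chain=input in-interface=wlan1-2G-WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
add action=masquerade chain=srcnat out-interface=wlan1-2G-WAN
"""

def parse_rules(export):
    """Yield (menu, params) for each 'add' line of a RouterOS export."""
    menu = None
    for line in export.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            # shlex keeps quoted values such as comment="a b" in one token
            params = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            params.setdefault("action", "accept")  # RouterOS default action
            yield menu, params

def uncovered_wan_interfaces(export):
    """Map each WAN interface to the chains that lack a drop rule for it."""
    # Assumption: WAN = any masquerade out-interface; only exact in-interface drops count.
    wan, dropped = set(), defaultdict(set)
    for menu, p in parse_rules(export):
        if menu == "/ip firewall nat" and p["action"] == "masquerade" and "out-interface" in p:
            wan.add(p["out-interface"])
        elif menu == "/ip firewall filter" and p["action"] == "drop" and "in-interface" in p:
            dropped[p["in-interface"]].add(p.get("chain"))
    gaps = {}
    for iface in sorted(wan):
        missing = sorted({"input", "forward"} - dropped[iface])
        if missing:
            gaps[iface] = missing
    return gaps

if __name__ == "__main__":
    for iface, chains in uncovered_wan_interfaces(EXPORT).items():
        print(f"{iface}: no drop rule in chain(s) {', '.join(chains)}")
```

On the excerpt it reports that wlan1-2G-WAN has a drop rule in the input chain but none in forward, unlike ether1-WAN. The check ignores rule order and rules that match by interface list, so treat a clean result as a starting point rather than proof.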

Some WiFi Configurations:

Windows PowerShell: netsh wlan show all

| Location | SSID | Observed vendor / date |
|---|---|---|
| Aloft | Aloft Guest | Ruckus 802.11ac |
| Element | Element Guest | Ruckus 802.11ac |
| Fairmont | Fairmont | |
| Park Plaza Hotel | Park Plaza Hotels & Resorts | 2016/06/02 |
| Ritz Carlton | RitzCarlton_GUEST | 2017/07/10 |
| | #HKAirport Free WiFi | |
| | Delta Kingston Waterfront 5G | |
| | Toronto Pearson Wi-Fi | |
| | W Austin | |
| | W Austin Guest | |

Other accessories/additional reading:

  1. Cable Matters 72W 4-Port USB-C Charger with USB Power Delivery - a dedicated 60W USB-C port supporting 5V, 9V, 12V, 15V and 20V @ 3A, plus three 12W USB-A charging ports that deliver a shared 5V-2.4A across the three ports.
  2. Powering other APs with a battery pack
  3. WiFi Nigel