MikroTik Maplite Magic
Creating the perfect travel router · November 20, 2020
I've recently re-fallen in love with MikroTik equipment. This isn't the first time I've dabbled with them, back when I worked for TechKnow we used to sell MikroTik Hex Lites alongside the drive-thru timers for clients that could only give us a single static address to work with. A couple of simple tweaks and we had a little DHCP server, isolated routing between our timer, competition boards, and the POS system. Solid solution on the cheap!
So maybe I'm a little biased, MikroTik and I have a bit of history. But I've worked with enterprise Cisco switches and firewalls. I've even configured and maintained a 7Ghz PtP microwave bridge. It was fun, robust. Networking equipment is cool like that when you can dump thousands of dollars into it. And if you can afford a few grand, go out and buy a Cisco Meraki! It practically configures itself.
But MikroTik, now that's a real passion. It's extremely affordable equipment with configurability out the whazoo. It's literally like having a networking equivalent of a multitool. The documentation for the level of tooling it provides is also superb. And there's a bit of a cult following for the systems for anyone building WISP infrastructure. I could probably prattle on and on about the things I love about MikroTik, but let's focus on one piece of tech that has become a new staple in my techy EDC.
Map lite
The MikroTik Map Lite is an itty bitty version of the Map, only capable of doing 100M networking on the 2.4Ghz band, but it's no bigger than a smart watch (the LG G watch is nearly the same size). In that tiny form factor you get a mipsbe cpu, 64MB of RAM, a pwrline, fast ethernet and wireless radio, plus full blown RouterOS. That's right, it's a miniature router, entirely configurable. And only $22 USD.
How do I plan to use such a device? Well as a troubleshooting/traveling tool of course. The map lite can be configured in such a way that it will automatically seek out wireless networks it knows of and connect to them, using it as a uplink. We then simply provide a virtual AP to broadcast a network behind the firewall, complete with our VPN connections, DHCP/DNS, and whatever else. The end goal will be a little mobile LAN and a roving ethernet port for troubleshooting networks. Something that meshes extremely well with my mobile Linux setup, since the only thing my Alpine Droid lacks is an ethernet port!
Setup Overview
The MapLite has only two NICs, ether1 and wlan1. By default it's configured to pull a WAN address from ether1 and broadcast a LAN from wlan1. However I'm not always be able to physically connect to a network when on the go, other times I have to deal with physical networks, but the only system on hand is my Droid4. The easiest solution is to create a virtual AP attached to wlan1, and then to reverse the WAN/LAN configuration on the bridge.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-eC \
country="united states" disabled=no distance=indoors frequency=auto \
installation=indoor security-profile="default" ssid="Enigma Wandering" \
wireless-protocol=802.11
add disabled=no keepalive-frames=disabled mac-address=C6:AD:34:D3:47:56 \
master-interface=wlan1 multicast-buffering=disabled name=wlan2 \
security-profile=EnigmaAP ssid=EnigmaAP wds-cost-range=0 \
wds-default-cost=0 wps-mode=disabled
Creating the virtual AP essentially splits the wireless NIC, we effectively rate limit our max speed (25mbps is typical), but it allows us to attach wlan1 to a wireless network as an uplink, and broadcast a LAN network. Our bridge essentially becomes ether1 and wlan2, with an isolated wlan1. We then remove ether1 from WAN and replace it with wlan1. I like to also add it to the LAN bridge so that the MapLite can be used as a wireless -> ethernet bridge.
/interface bridge port
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=strict
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=wlan1 list=WAN
Great! But how does it connect to things? Well right now it doesn't, but if we add a dummy security profile and a legitimate profile for our LAN network we can force it to broadcast without needing an uplink.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=wandering-ap-pass \
wpa2-pre-shared-key=wandering-ap-pass
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=\
EnigmaAP supplicant-identity="" unicast-ciphers=tkip,aes-ccm \
wpa-pre-shared-key=maplite-lan-pass wpa2-pre-shared-key=maplite-lan-pass
When we feed wlan1 this dummy profile and we drop the AP into station mode, it will broadcast a network off wlan1. Since wlan1 is up, it will also bring wlan2 up. We're effectively broadcasting two networks that lead nowhere, but we've got a quarter sized LAN network. We can connect to the network named EnigmaAP and just ignore the wandering network entirely. This works perfectly for situations where we need something isolated, don't have an uplink, or need to perform maintenance. That process can be triggered with the script below.
log info "Enigma Wandering!";
/interface wireless set wlan1 mode=ap-bridge frequency=auto ssid="Enigma Wandering" security-profile="default";
error "Enigma Wandering.."
We can then configure the reset button on the MapLite to run the script by doing the following.
/system routerboard reset-button set on-event=wandering enabled=yes
That's really helpful because we have absolutely no uplinks right now, but if the MapLite broadcasts something we can connect to it, even if we're traveling and only have access to our phone, or a netbook without a NIC. So go ahead, add a bunch of network information, any wireless network you have the credentials for and might travel to, add them as security profiles. That hotel you visited pre-covid lockdown? Add it, they typically have semi-standardized wireless networks, try and front load what you can while you can! It's the same format as the EnigmaAP and default commands from earlier, just replace the SSID and credentials.
Once you've gotten your security profiles together add this script to the MapLite, replacing the networklist array with the names of the security profiles you just added, the name should correlate with an ssid.
I know this breaks the flow a bit, but I wrote the entire script on my Motorola Droid 4, and want to specifically share the pretty scripty colors. I feel like Lucidiot will particularly enjoy this.
Anyways that script in its entirety is this:
global F 0 ;
:global attempts 0;
:global max 0;
:global google "8.8.8.8";
:global networklist {"Chenmark Guest"; "Wicked Good Wifi"; "Wizard's Tower"};
:global InternetStatus "nil";
:foreach network in=$networklist do={
:set max ($max +1);
};
:while ($InternetStatus!="True") do={
:foreach network in=$networklist do={
:set F 0;
:set attempts ($attempts +1);
:log info "Connecting to $network";
/interface wireless set wlan1 mode=station frequency=auto ssid=$network security-profile=$network;
:delay 30;
:for i from=1 to=5 do={
if ([/ping $google count=1]=0) do={:set F ($F + 1)}\
:delay 1;
};
:if ($F!=5) do={:set InternetStatus "True"; :log info "Connected to $network"; :error "I haven't a clue how to break except via error";};
:if (($attempts > $max)&&($InternetStatus!="True")) do={
:log info "Failed to connect, Wandering Station Active";
:set InternetStatus "True";
/interface wireless set wlan1 mode=ap-bridge frequency=auto ssid="Enigma Wandering" security-profile="default";
:error "Enigma Wandering!";
};
};
}"
This little script is the heart of our travel router. It takes the length of your networklist, and iterates through the networks, attempting to connect to each one and subsequently attempting to ping Google once connected. Assuming it fails it moves onto the next, if it can't ping out to any network after trying all of them, it drops into wandering mode.
This said we just need to add this script to run on startup, and voila! Your MapLite is ready for travel.
/system scheduler
add name=Setup on-event="/system script run Configure_WAN" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-time=startup
If it can't connect to a network it'll drop into our wandering station mode where we can add new networks. There are obviously additional things that should be done, such as disabling unneeded services (ftp, telnet, etc), adding firewall rules (bogon re-routing, NATing potentially). Follow the best practices and treat your little travel MapLite like what it is, a micro firewall!
Thoughts
I spent a little bit of time getting this all together because I have to travel a bit with my current job, and having a little router which I can power with a battery bank in and of itself sounds handy. But since the MapLite is running a full RouterOS instance it's feasible to add VPN connections (even wireguard!), full firewall rules, custom routing, the whole nine yards. Having a NIC means in my workflow I can physically connect a device, and then ssh into the MapLite with my droid to do complex network diagnostics. Hell it can even be configured to point to a PXE server, my droid is powerful enough to run lighttpd/tftpd, and samba/nfs, a mobile micro battery powered emergency PXE server is doable, maybe not performant, but possibilities abound.
At the end of the day, I thrive off of these boundless possibility type things. I love Linux because I can create with it. Mikrotik fits well right alongside it because it have the same energy, build with it, do what you want, the tools are there.