Hardening Wireless Networks Guide
RouterOS wireless security: WPA3-SAE, management frame protection, access list filtering.
Prerequisite: Ensure you have completed Firewall Best Practices before applying wireless-specific rules.
Prerequisites
- RouterOS: v7 or later (WPA3-SAE requires v7+).
- Hardware: Supported RouterOS-based device with wireless interface (wlan, cap).
- Access: WinBox, SSH, or serial console.
Configuration Flow
WPA3-SAE Authentication
Use WPA3-SAE (Simultaneous Authentication of Equals) wherever clients support it, fall back to WPA2-PSK only for legacy clients, and disable WPA and WEP. Note that in RouterOS v7 the wpa3-psk authentication type is provided by the wifi package (/interface wifi security); the legacy /interface wireless security profile accepts only the WPA and WPA2 types, so use the command tree that matches the driver your device runs.
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa3-psk,wpa2-psk mode=dynamic-keys
/interface wireless security-profiles set [ find default=yes ] passphrase="<strong-passphrase>"
Management Frame Protection
Enable management frame protection (MFP) to mitigate deauthentication attacks. It requires client support, so set it to required only once every client supports it.
/interface wireless security-profiles set [ find default=yes ] management-protection=required
Access List Filter
Restrict association by MAC address, either with a static list or with dynamic allow/deny entries. Whitelist mode requires an explicit permit entry for each client; any client without a matching entry is refused.
/interface wireless access-list add interface=wlan1 mac-address=AA:BB:CC:DD:EE:FF authentication=yes
/interface wireless set wlan1 default-authentication=no
Related
Firewall Best Practices — Input and Forward chain rules for wireless bridge or routed traffic.
Common Pitfalls
- Legacy client incompatibility: WPA3-only or MFP required excludes older devices. Use authentication-types=wpa3-psk,wpa2-psk or management-protection=allowed for mixed environments.
- MAC address spoofing: An access list keyed on MAC addresses is not a security boundary, since a client can spoof a permitted MAC. Use WPA3-SAE and certificate-based authentication where possible.
- Hidden SSID issues: Hiding the SSID increases probe traffic and does not improve security. Clients broadcast the SSID when reconnecting. Prefer strong authentication over hidden SSID.
- Firewall rule order: Wireless traffic enters via the wlan interface. Ensure the Input and Forward chains allow established/related and wireless bridge traffic before any drop rule. Verify the order with /ip firewall filter print.
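As an added check that is not part of this guide and not a MikroTik tool, the following Python script audits a RouterOS /export fragment for the settings covered above: legacy WPA authentication types, management-protection left below required, short passphrases, and interfaces still at default-authentication=yes, so that the access list is not acting as a whitelist. The export text, interface names and passphrases are constructed samples, and the 12-character passphrase threshold is an assumed local policy.

```python
import re
# Constructed sample of a RouterOS '/export' fragment, not taken from any real device.
SAMPLE_EXPORT = """\
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys \\
    management-protection=disabled passphrase="changeme"
add name=guest authentication-types=wpa2-psk mode=dynamic-keys \\
    management-protection=required passphrase="long random secret 42"
/interface wireless
set wlan1 default-authentication=yes security-profile=default
set wlan2 default-authentication=no security-profile=guest
"""
ACCEPTED_AUTH = {"wpa2-psk", "wpa3-psk", "wpa2-eap", "wpa3-eap"}  # anything else is legacy
MIN_PASSPHRASE = 12  # assumed local policy, not a RouterOS default

def parse_export(text):
    """Return (section, target, {key: value}) for each set/add line of an export."""
    text = re.sub(r"\\\n\s*", " ", text)  # join RouterOS line continuations
    section, records = None, []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if line.startswith("/"):  # menu path such as '/interface wireless'
            section = line
            continue
        kv = {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line)}
        m = re.match(r"set\s+(\[.*?\]|\S+)", line)
        # 'add name=x' names a new entry; 'set [ find default=yes ]' addresses the default profile
        target = kv.get("name") or (m and m.group(1)) or "?"
        records.append((section, "default" if target.startswith("[") else target, kv))
    return records

def audit(text):
    """Return (target, finding) pairs for settings weaker than this guide recommends."""
    findings = []
    for section, target, kv in parse_export(text):
        if section == "/interface wireless security-profiles":
            legacy = set(kv.get("authentication-types", "").split(",")) - {""} - ACCEPTED_AUTH
            if legacy:
                findings.append((target, "legacy authentication types: " + ",".join(sorted(legacy))))
            if kv.get("management-protection", "disabled") != "required":
                findings.append((target, "management-protection is not 'required'"))
            if len(kv.get("passphrase", "")) < MIN_PASSPHRASE:
                findings.append((target, f"passphrase shorter than {MIN_PASSPHRASE} characters"))
        elif section == "/interface wireless" and kv.get("default-authentication", "yes") == "yes":
            findings.append((target, "default-authentication=yes, so the access list is not a whitelist"))
    return findings

if __name__ == "__main__":
    for target, finding in audit(SAMPLE_EXPORT):
        print(f"{target}: {finding}")
```

Run it against the output of /export from a real device to get the same four classes of finding for every security profile and wireless interface.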