Mikrotik wireless client disconnection at specified signal levels

Allow everything on WLAN1 that has a signal above -87dBm (eg, signal between -86 and+120 dBm) , and allow even that signal to drop below -87 dBm for 30 sec.

The allow is authenticate (associate) and forwarding (connect to other clients).
The allow-signal-out-of-range is needed because devices are in their hands, so the signal fluctuates, but I prefer not to drop them immediately.

To stop the weak signal connections on WLAN1 the next line is needed. For everything with signal between -87 and -120 dBm there is no authentication allowed.

The allow-signal-out-of range is short here (1 sec) because this is used for roaming clients that are sticky to their first AP, but they may come back very soon to this AP, and I prefer not to deny them longer than needed.

/interface wireless access-list
add allow-signal-out-of-range=30s interface=wlan1 signal-range= -86..120 
add allow-signal-out-of-range=1s authentication=no forwarding=no interface=wlan1 signal-range=-120..-87

Configuration Cambium from command line

Default Cambium EMP 1000 IP:

Default user name: admin and password: admin

1. Open SSH terminal and connect to

2. Enable DHCP with command (1 – Static, 2 – DHCP):

config set networkLanIPAddressMode 2

Configure network IP, Mask and Gateway parameters:

config set networkLanIPAddr
config set networkLanNetmask
config set networkLanGatewayIP

3. Save configuration with command:

config save
config apply

4. Reboot devise for changes to take effect.


Now you can open Web-browser and go to http://IP configuration page.

Bdcom P3310 delete, block and unblock ONU

To delete OUN from OLT on EPON 2 interface go to config and use interface EPON0/2:

interface EPON0/2

To delete ONU use command (note, that adter delete ONU will register on OLT again):

no epon bind-onu mac e067.b37d.d3d3

To add ONU to Black List use command:

epon onu-blacklist mac e067.b37d.d3d3

To remove ONU from Black List use command:

no epon onu-blacklist mac e067.b37d.d3d3

Best and simplest Mikrotik Firewall rules

Don’t forget to update your Mikrotik firmware to 6.41.1 or higher! Current stable and secure firmware is 6.47.10.
Simple Mikrotik Firewall configuration:

In Mikrotik terminal go to Firewall Filter:

/ip firewall filter

For increase the speed of router fist rule should be:

add chain=forward action=fasttrack-connection connection-state=established,related

Allow Established and Related connections for forward and input chains:

add chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""
add chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""

Drop invalid connections for forward and input chains only from WAN interfaces:

add chain=forward action=drop connection-state=invalid in-interface-list=WAN log=no log-prefix=""
add chain=input action=drop connection-state=invalid in-interface-list=WAN log=no log-prefix=""

Allow ICMP ping from WAN only width 128 bits packets:

add chain=input action=accept protocol=icmp in-interface-list=WAN packet-size=0-128 log=no log-prefix=""

Allow remote control by Winbox or SSH only from IP addresses from AccessList:

add chain=input action=accept protocol=tcp src-address-list=AccessList in-interface-list=WAN dst-port=8291,22 log=no log-prefix=""

In IP -> Firewall -> Address List create new address list width name AccessList and add there all IP addresses you want to use for remote connection to your router.

Allow OpenVPN connections:

add chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=1194 log=no log-prefix=""

Allow PPTP VPN connections:

add chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=1723 log=no log-prefix=""
add chain=input action=accept protocol=gre log=no

Allow SSTP VPN connection (443 port,
change port if yout SSTP server run on other port):

add chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=443 log=no log-prefix=""

Allow L2TP IPsec VPN connection:

add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp comment="allow L2TP VPN (ipsec-esp)"
add action=accept chain=input dst-port=500,1701,4500 in-interface-list=WAN protocol=udp comment="allow L2TP VPN (500,4500,1701/udp)"

Drop all other connections to Mikrotik and to local network:

add chain=input action=drop in-interface-list=WAN log=no log-prefix=""
add chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""

In IP -> Services menu enable only SSH and Winbox services, for more security you can change default Winbox and SSH ports:

It is all you need to secure your home or office router and network.

Don’t forget to update your Mikrotik firmware to 6.41.1 or higher! Current stable and secure firmware is 6.48.6. For more stability use firmware from “long term” channel.

How to remove ONT from the BDCOM OLT configuration

Connect to OLT and go into the configuration mode:


Let’s look at the current configuration and find the MAC address of the ONT you want to delete:

show running-config

Choose the interface (port) on which ONT is registered:

interface EPON0/1

And delete ONT, for example with mac address 8014.a8b4.eb2c:

no epon bind-onu mac e067.b336.88e8


Cambium ePMP 1000 configure 30 km wireless link

To build 30 km point-to-point wireless connection on speed 100 Mbit/s we used two Cambium ePMP 1000 and two 27 dBi parabolic MIMO antennas.

To create point-to-point wireless link we need to configure first antenna as Access Point and the second antenna as Station. First of all make sure there are no interference in front of the antennas:

Let’s configure access point, to log in to the configuration panel open in your web browser address: (Access Point) or (Station). By default enter login: admin and password: admin

We will configure our link based on this schema:

On Access Point select SSID, your country code, work frequency, channel width (20 or 40 mHz) and security password:

Also to achieve the best result select TDD wireless protocol.

On the other side on Station antenna select the same parameters, but in Radio Mode select Subscriber Module.

Don’t forget to change default administrator passwords on both antennas and change your own static or dynamic IP addresses.

On page Monitor->Wireless make sure that your Station connected to Access Point:

Mikrotik – block access between two networks

We have two local networks on Mikrotik router, for example:
Network1: on ether1 interface
Network2: on ether2 interface

Let’s prevent access between devices of this two networks.

In Mikrotik terminal go to Firewall Filter:

/ip firewall filter

And create this two rules:

add chain=forward action=drop src-address= dst-address=
add chain=forward action=drop src-address= dst-address=

That’s all, now Mikrotik will block all traffic from computers in Network1 to computers in Network2 and from Network2 to Network1.

All other traffic to Internet will be working normally.

If You want to block traffic only from Network2 to Network1 – write only one rule:

add chain=forward action=drop src-address= dst-address=

Mikrotik firewall DNS attach prevent

If You have white IP on Your mikrotik You can watch high transmit traffic on the WAN interface.

To prevent this – block DNS traffic to 53 port on Your WAN interface (IP > Firewall > Filter):

On graph we can see that after blocking 53 port transmit traffic fell from 25 Mbit/s to 5 Mbit/s:

Mikrotik create SSTP server

1. Create CA certificate on Mikrotik:

On tab “Key Usage” leave only crl sign and key cert. sign

2. Create server certificate:

On tab “Key Usage” uncheck all options:

3. Open certificate CA and Sign it:

CA CRL Host – host where your certificate will be checked, write there IP address or domain name of Your Mikrotik.

Field CA need to be empty.

4. Now we signed root certificate, let’s sign Server certificate: open Server certificate, click Sign, in field CA select certificate CA.

That’s all we created our certificates, now let’s create SSTP Server on Mikrotik

5. Creating SSTP Server on Mikrotik.

And now create Your user profile: go to PPP > Secrets, click Add (+) and write user name, password, service, IP address like on screenshot:

Configure SSTP client in Windows 10

First go to the System > Certificates and Export CA certificate:

Download certificate from Mikrotik > Files to Your PC and install it:

Now create new VPN connection:

Also You can use this SSTP connection in Linux – How to install SSTP Client in Linux read in this article: Connect to SSTP server from Linux