I have some RB411-based Hana Wireless HW5-20's (5GHz band). I am setting up a point-to-point link for an Axia Livewire system in our radio station. In essence, this link shows what I am doing. http://www.axiaaudio.com/stl/

I have the links operating, basically, but need to tighten up the security, and need some advice please. Here are some details.

2x RB411 running RouterOS v2.9.4, configured in bridge mode with WDS dynamic and 5GHz-turbo.

Axia's Livewire is an Audio-over-IP system http://www.axiaaudio.com/manuals/files/ ... ire2.1.pdf. It basically requires the link to be transparent to the data, uncompressed. Axia reports that Mikrotik-based systems are OK for up to 6 channels of broadcast quality audio - I am only using 2, plus ancillary data to/from equipment at the transmitter site, so there should be enough bandwidth.

My question is, what security method should I use for minimum impact on performance? My thoughts and questions:

Hide SSIDs
Use WPA2, preshared keys
Use a VPN?
Use MAC filtering (Access list?)
Nstreme?
EAP?

I don't seem to have NV2 on my RouterOS version.

Any advice welcome. I only have a week before I go home (I am in Mongolia now) so quick replies would be appreciated.

Thanks

On the point to point links I have, I simply use wpa2. Sometimes I also hide ssid, but any hacker worth his salt can extract a hidden ssid, so this should not be used as a primary security measure. Nstreme is a polling mechanism. It has nothing to do with security. It will usually increase your throughput though. Search the forums and you should find lots of advise on tuning your link for maximum throughput and stability. Also, thats a pretty old version of routeros. I would recommended ver3.30 running the wireless test package which seems very stable when tuned properly.

On the point to point links I have, I simply use wpa2. Sometimes I also hide ssid, but any hacker worth his salt can extract a hidden ssid, so this should not be used as a primary security measure. Nstreme is a polling mechanism. It has nothing to do with security. It will usually increase your throughput though. Search the forums and you should find lots of advise on tuning your link for maximum throughput and stability. Also, thats a pretty old version of routeros. I would recommended ver3.30 running the wireless test package which seems very stable when tuned properly.

Thanks for your quick reply. Much appreciated. That sounds easy, and I will look into the Nstreme more to see what it does.

Re the version: Yes, I know. After a lot of looking around, I found a v3.3 download on a site, and tried to do an upgrade of the RouterOS from 2.9.4 to 3.30 using winbox, with file routeros-mipsbe-3.30.npk. Despite my software saying "Upgradedable to: v3.x", the upgrade fails with the error "Could not change the key - invalid key".

I guess another is to buy an upgrade to a later version.

Thanks.

I'm not an expert on the upgrade path, but if it says its upgradable to 3.x, then it probably is. Note that 3.3 is not the same as 3.30. You will want 3.30. Also, make sure you are downloading the correct version for the hardware you have, IE. mipsbe for a mipsbe devise, powerpc for a powerpc device etc. It will show what type of hardware you have right at the top of you winbox window. Also, you may need to upgrade the firmware of the routerboard itself. Try issuing the command 'system routerboard upgrade'. Do this prior to upgrading the routeros version. If all else fails, you can buy brand new rb411's for dirt cheap.

I just recently had to go through and update a bunch of legacy devices (532's) from 2.9.4 to current. I had to upgrade via netinstall. I brought them up to 3.30 via netinstall, updated the license via winbox, then I was able to FTP upgrade to 4.17, update the license again, and finally update to 5.2.

Just make sure you upgrade the bootloader when you are done as nateful suggested (/system routerboard upgrade).

Now, as for security:
Adding a VPN is just going to introduce additional overhead and latency in a point-to-point link.
MAC filtering and SSID hiding are not security measures, since they are TRIVIAL to bypass for anyone with enough information to attack the WPA2 encryption.
While SSID hiding doesn't make your AP invisible, it does make people have to look a little harder to figure out what it is, so it's not a horrible idea for long point-to-point links, but it's more personal preference at that point.

Presently for WPA2-PSK, the only known attacks are bruteforcing the key and Denial of Service by either RF interference or de-authentication.

• Bruteforcing is easily mitigated by using long, random keys (think something like https://www.grc.com/passwords.htm).
  
  RF interference, whether intentional or accidental, is a potential problem you will have with any unlicensed band, and unfortunately there is little you can do about it short of changing frequencies and hoping it clears up.
  
  Deauthentication / Disassociation attacks abuse 802.11 management headers to disconnect the client from the AP. These attacks can be preformed regardless of the encryption used for the connection. Recent versions of RouterOS (4+ I think) offer protection against this via "Management Frame Protection" using a shared secret key.

Something else you might consider is looking into NV2. Admittedly, I don't have much experience with it, yet, but it does offer some form of symmetric key encryption, and has very little overhead in my testing. I'm not sure if it would lend itself to latency sensitive applications such as audio, but it is worth at least asking around.

I hope this gives you somewhere to get started.
@CC_DKP