In modern network security, administrators often resort to various methods to protect the wireless network perimeter. One of the first steps that comes to mind when trying to restrict access to the infrastructure is hiding the network ID. SSID (Service Set Identifier) — This is the name that appears in the list of available connections on user devices. When a network is hidden, it stops broadcasting its name, making it invisible to standard Wi-Fi scanners.
However, it is worth understanding that hiding the SSID on the equipment MikroTik This isn't a full-fledged security measure. It's more of a "security through obscurity" mechanism that makes life difficult for random neighbors, but won't stop a skilled attacker with a traffic analyzer. Nevertheless, for corporate environments or private networks that require minimizing visual noise and reducing the number of connection requests from unauthorized devices, this feature remains a useful tool in a system administrator's arsenal.
The setup process is quite simple and does not require deep knowledge of the 802.11 protocol, but it has its own nuances in implementation on the operating system. RouterOSIn this article, we'll take a detailed look at how to properly disable network name broadcasting, the impact this has on the performance and compatibility of client devices, and alternative security methods.
How a hidden SSID works and its impact on the network
In standard operating mode, the access point MikroTik regularly sends out broadcast packets known as Beacon framesThese frames contain information about the network, including its name (SSID), supported encryption standards, and other parameters. These packets are what allow your smartphone or laptop to see a list of available networks within range of the antenna. When you enable the SSID hiding feature, the access point stops including the network name in these broadcast packets, replacing it with an empty string or a zero-length string.
It's important to note that the data traffic doesn't disappear and isn't encrypted in any way. The hidden network still transmits data, and anyone using specialized software like Airodump-ng, will be able to see the presence of the network, its MAC address (BSSID), and channel. Moreover, when a legitimate client attempts to connect to a hidden network, it is forced to send out Probe Request packets with the network name, effectively making the SSID visible to anyone on the air at that moment.
There's a common misconception that hiding the SSID significantly improves security. In reality, it creates additional bandwidth overhead. Client devices, which previously simply waited for beacons from the router, are now forced to constantly poll the airwaves: "Are you there?" This leads to increased service traffic and can slightly reduce overall wireless throughput, especially in areas with high client density.
⚠️ Attention: Hiding your SSID is not a substitute for using strong encryption protocols. Always use WPA2 or WPA3 With a long, complex password. A hidden network without a password is accessible to anyone who knows its name.
Preparing to set up MikroTik via WinBox
Before making any changes to the wireless interface configuration, ensure a stable connection to the control device. It is recommended to perform all configurations while connected to the router. MikroTik via an Ethernet cable. This will eliminate the risk of losing connection when you change Wi-Fi settings and your device disconnects from the network.
To work you will need a utility WinBox, which is the standard administration tool for this brand's equipment. After launching the program and connecting to the router (via MAC address or IP), go to the wireless settings menu. The interface may vary depending on the version. RouterOS (v6 or v7), but the logic remains the same.
Make sure you have administrator rights. In some enterprise scenarios, rights may be limited, and changing radio interface parameters will be unavailable. Also, check the current firmware version, as newer versions may contain some bugs. RouterOS v7 Some parameters have been moved or renamed.
Instructions: Disabling SSID broadcast in the interface
You can hide your network name in the Wireless section. Open the menu. Wireless and double-click on the name of your wireless interface (usually it is wlan1 or wifi1). The interface parameters editing window will open.
Go to the tab WirelessHere you will see many parameters, such as operating mode (AP bridge), frequency, and power. Find the field labeled Hide SSIDBy default it is set to noYou need to change it to yes.
After changing the parameter, click the button OK or ApplyThe changes will take effect immediately. Now, if you open the list of Wi-Fi networks on your smartphone, your network name will disappear from the list. To connect, users will need to manually enter the network name (note the case) and password.
☑️ Checking the hidden SSID settings
Configuration via terminal and CLI commands
For experienced administrators or when automating processes, it is more convenient to use the command line. Terminal in MikroTik Allows you to quickly change parameters without navigating through the graphical interface. This is especially useful when configuring devices using scripts.
Open the window New Terminal in WinBox or connect via SSH. To change the SSID hiding option, use the command /interface wireless setThe command syntax requires the interface name and parameter value.
/interface wireless set [find name=wlan1] hide-ssid=yes
If you have multiple virtual interfaces (APs) configured on a single physical card, you must run the command for each one separately or use a search mask. For example, to hide all interfaces, you can use a loop, but be careful with physical radio settings.
To check the current status, use the command print:
/interface wireless print
In the command output you will see a column hide-ssid, where it should be indicated true or yes for configured interfaces.
How to get everything back?
To make the network visible again, use the command: /interface wireless set [find name=wlan1] hide-ssid=no . The network will then appear in the list of available connections.
Comparison of wireless network security methods
Hiding the SSID is just one of many tools. To understand its place in an overall security strategy, it's important to compare it to other methods. Below is a table demonstrating the effectiveness of various approaches to securing Wi-Fi equipment. MikroTik.
| Method of protection | Difficulty level for hacking | Impact on convenience | Recommended use |
|---|---|---|---|
| Hiding the SSID | Short | High (you need to enter the name manually) | Reduce network visibility to neighbors |
| WPA2-PSK (complex password) | High | Low (standard input) | Basic protection for home and office |
| WPA3-Personal | Very tall | Low | Modern devices, high security |
| Access List (MAC filter) | Average | Average (MAC required) | Controlling specific devices in small networks |
As the table shows, hiding the SSID is inferior to modern encryption methods in terms of actual security, but is superior in terms of airwave hygiene. However, it cannot be relied upon solely.
⚠️ Attention: MAC address filtering is also not a reliable security method, as MAC addresses are easily spoofed. Use this only as an additional barrier, not as your primary defense.
Compatibility issues and possible complications
Not all client devices work equally well with hidden networks. Older printers, IoT devices (smart plugs, lamps), and some smartphone models may have difficulty reconnecting. They may constantly search for the network, draining the battery, or simply refuse to connect without a clear signal broadcast.
In addition, in the environment Windows When connecting to a hidden network, the system may assign it the "Public Network" profile, which will enable stricter firewall rules. This may prevent you from sharing a printer or files, even when you're on your local network.
Another issue is roaming. If you have multiple access points MikroTik With the same hidden SSID to create a single space, devices may "cling" to a distant point and not switch to a nearby one, since the fast switching mechanism (802.11r/k/v) works less predictably in hidden networks.
Alternative ways to improve security
Instead of relying on hiding the network name, cybersecurity experts recommend focusing on more effective measures. First and foremost, this is the use of a protocol WPA3, if your devices support it. It provides protection against password brute-force attacks even if an attacker intercepts the handshake.
For corporate segments, the ideal solution is to use WPA2/WPA3-Enterprise With an authorization server (RADIUS). In this case, each user logs in with their own username and password, and network access can be flexibly controlled.
Also on routers MikroTik You can set up a separate guest network with client isolation (Client-to-Client Forwarding = no). This will allow visitors to connect to the internet but prevent them from accessing your internal resources, which is much more effective than simply hiding your main network.
Frequently Asked Questions (FAQ)
Is it possible to hack a network with a hidden SSID?
Yes, it's possible. Tools like Aircrack-ng can intercept the connection of a legitimate client. At this point, the client itself transmits the network name in cleartext, after which an attacker can attempt to bruteforce the password or attack the network.
Does hiding the SSID speed up Wi-Fi?
No, quite the opposite. Devices spend more time and channel resources searching for a hidden network by sending additional probe requests, which can slightly increase latency and reduce overall broadcast efficiency.
How to connect to a hidden network on Android?
In the Wi-Fi settings, select "Add network" (or "Other network"). Enter the exact name (SSID), select the security type (usually WPA/WPA2 Personal), and enter the password. Automatic search will not work in this case.
Do Wi-Fi settings reset when updating RouterOS?
When updating firmware MikroTik Interface settings, including the hide-ssid parameter, are usually preserved. However, it is always recommended to have a current configuration backup (.backup file) in case of unexpected failures.