Router upgrade notes

Thomas Quinot 2 months ago
parent cad7e80056
commit 1db1aeabae

---
layout: post
title: "Home router upgrade notes"
date: 2025-01-04 16:00:00 +0200
comments: true
categories:
---
# Upgrading from Mikrotik hAP ac-lite to hAP ax3.
:warning: *Do not power on without antenna connected*
## Initial setup
[Setup instructions](https://help.mikrotik.com/docs/spaces/UM/pages/150601820/hAP+ax%C2%B3)
Initial password is provided on pullout tab.
* Power on
* Connect PC to factory wifi network
* Access webfig at 192.168.88.1
* Log in
* Connect Ethernet port 1 to the existing LAN
* _At this stage, the Mikrotik does NAT for its wifi clients, so the PC can talk to the outside_
* System > Packages > Check for updates
* _Updated to RouterOS 7.16.2_
## Change or not?
*Change*
* IP addresses on local network: .1 -> .3
* Fixed MAC addresses
*Keep*
*TBD*
## Porting the configuration
### Factory configuration
`/sys export`
```
# 2025-01-04 15:43:22 by RouterOS 7.16.2
# software id = 3K4M-7VES
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HG609PMT86R
/system note
set show-at-login=no
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"\r\
\n :foreach iface in=[/interface/wifi find where (configuration.mode=\"ap\" && disabled=no)] do={\r\
\n /interface/wifi wps-push-button \$iface;}\r\
\n "
```
### MAC address
* The configuration from the old router includes a reference to its MAC address (the MAC address of the bridge), which needs to be adjusted.
To avoid having to change it again in the future, let's use a locally administered MAC address.
I'm already using `06:00:00:00:00:06` for the legacy firewall, let's make the new Mikrotik `06:00:00:00:00:07`.
* The virtual AP setup for the IoT wifi network also hardcodes a MAC address that needs to be adjusted.
Since it's VLAN 102 (0x66), I will henceforth use `06:00:00:00:00:66`.
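A small helper for the MAC address choices above, added here as an example (it is not part of the original notes): it checks the two flag bits in the first octet that make an address locally administered and unicast, and derives a per-VLAN address following the scheme used above. Writing the VLAN id big-endian into the last two octets is my assumption, chosen so that VLAN 102 (0x66) still yields `06:00:00:00:00:66`; the interface names in the sample plan are constructed.

```python
import re

# Added example (not from the original notes): locally administered MAC checks.
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)


def parse_mac(mac: str) -> bytes:
    """Parse a colon-separated MAC address into 6 raw bytes."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a colon-separated MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in mac.split(":"))


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(mac: str) -> bool:
    # Bit 1 (0x02) of the first octet is the U/L bit: set = locally administered,
    # i.e. outside any vendor-assigned OUI, so it cannot collide with factory MACs.
    return bool(parse_mac(mac)[0] & 0x02)


def is_unicast(mac: str) -> bool:
    # Bit 0 (0x01) of the first octet is the I/G bit: set = group (multicast)
    # address, which must never be used as an interface address.
    return not parse_mac(mac)[0] & 0x01


def is_usable_interface_mac(mac: str) -> bool:
    """True if the address is safe to hardcode on a bridge or virtual AP."""
    return is_locally_administered(mac) and is_unicast(mac)


def vlan_mac(vlan_id: int, prefix: str = "06:00:00:00") -> str:
    """Derive the address for a VLAN-specific virtual interface.

    Assumption (not the author's stated rule): the VLAN id goes big-endian into
    the last two octets, so ids up to 4094 fit and VLAN 102 -> 06:00:00:00:00:66.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id must be in 1..4094")
    raw = parse_mac(prefix + ":00:00")[:4] + vlan_id.to_bytes(2, "big")
    mac = format_mac(raw)
    if not is_usable_interface_mac(mac):
        raise ValueError(f"prefix {prefix!r} does not give a locally administered unicast MAC")
    return mac


def find_duplicates(assignments: dict) -> list:
    """Return the MACs that are assigned to more than one interface name."""
    seen, dupes = {}, []
    for name, mac in assignments.items():
        norm = format_mac(parse_mac(mac))
        if norm in seen and norm not in dupes:
            dupes.append(norm)
        seen[norm] = name
    return dupes


if __name__ == "__main__":
    # Constructed sample reflecting the notes: legacy firewall, new router, IoT virtual AP.
    plan = {
        "legacy-firewall": "06:00:00:00:00:06",
        "bridge": "06:00:00:00:00:07",
        "wifi-iot": vlan_mac(102),
    }
    for name, mac in plan.items():
        print(f"{name:16} {mac}  ok={is_usable_interface_mac(mac)}")
    print("duplicates:", find_duplicates(plan))
```

Run it against the full list of hardcoded addresses before pasting them into the new configuration: a duplicate or a vendor-range address is easy to miss by eye and shows up on the network as intermittent ARP flapping.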
### Wifi settings
The configuration for wireless interfaces has changed (`/interface wireless` -> `/interface wifi`), so I'll need to redo it by hand in any case.
Some 5 GHz channels are shared with radar and are only enabled after listening for radar activity (DFS channels).
However, some devices (MacBook, Pixel 7) will simply ignore them: if the router happens to choose one of them, the SSID will be invisible to those clients.
So the router must align with that and avoid them altogether: `/int wifi set [...] channel.skip-dfs-channels=all`
### Manual config steps
* Create bridge interface trunk
`/int bridge add`
* Set up VLANs
`/int vlan add interface=trunk vlan-id=... name=...`
* _Skip:_ Interface lists WAN and LAN already exist in the default configuration (would need to reset with no-defaults)
* Wifi: use temporary SSIDs to avoid conflict with existing ones during transition
* Set SSID, mode=ap
* Pay attention to which one is 5 GHz (wifi1) and which one is 2.4 GHz (wifi2). It was the reverse on the old router.
* IoT virtual wifi: parent must be wifi2 (2.4 GHz)
* Set up IP addresses on VLAN interfaces
* Create DHCP options (the classless static route entries must match the VLAN interface addresses set above!)
* DHCP pools
* DHCP networks
* Set tag on inactive WiFi SSID
* Move inactive WiFi to trunk
* Add WiFi interfaces wlan* to trunk
* Add DHCP server on the VLAN interface corresponding to the default WiFi VLAN
* Switch to tagged WiFi SSID
* Wait for ARP cache expiry!
* Switch other WiFi to trunk/VLAN
* Ethernet port configuration _will break connectivity_ (bridge membership and VLAN settings; the default bridge membership must be disabled first)
* Proxy ARP
* Firewall rule: allow management traffic from WAN side (restricted to the specific source addresses and services needed, not management open to the whole WAN)
* dst-nat on Freebox network
* authoritative nameservers to authoritative container
* recursive resolver to resolver container
* IPv6
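The DHCP option step above is the one most likely to go wrong after the .1 -> .3 renumbering. Assuming the options in question are classless static routes (DHCP option 121, RFC 3442), the following added example (mine, not the notes' own code) encodes them into the wire format, prints the `0x`-prefixed hex form that `/ip dhcp-server option add code=121 value=...` accepts, decodes it back, and checks that every next hop lies inside the subnet served by the DHCP network. The VLAN subnets and destinations are constructed sample values, not the author's real addressing.

```python
import ipaddress

# Added example (not from the original notes): DHCP option 121 (RFC 3442)
# classless static routes, as pushed on the per-VLAN DHCP networks.


def encode_route(dest: str, router: str) -> bytes:
    """Encode one route: prefix length, significant destination octets, router."""
    net = ipaddress.IPv4Network(dest)          # strict: host bits must be zero
    gw = ipaddress.IPv4Address(router)
    significant = (net.prefixlen + 7) // 8      # RFC 3442: only ceil(plen/8) octets
    return bytes([net.prefixlen]) + net.network_address.packed[:significant] + gw.packed


def encode_option121(routes) -> bytes:
    """Concatenate the routes; a default route is dest 0.0.0.0/0 (no dest octets)."""
    return b"".join(encode_route(d, r) for d, r in routes)


def decode_option121(data: bytes) -> list:
    """Inverse of encode_option121; rejects truncated or out-of-range encodings."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError(f"prefix length {plen} out of range at offset {i - 1}")
        significant = (plen + 7) // 8
        if i + significant + 4 > len(data):
            raise ValueError("truncated route entry")
        dest = data[i:i + significant] + bytes(4 - significant)
        i += significant
        router = data[i:i + 4]
        i += 4
        routes.append((str(ipaddress.IPv4Network((dest, plen), strict=False)),
                       str(ipaddress.IPv4Address(router))))
    return routes


def routeros_value(data: bytes) -> str:
    """The hex form RouterOS accepts in /ip dhcp-server option ... value=0x..."""
    return "0x" + data.hex()


def routers_outside_network(routes, network: str) -> list:
    """The check from the step above: every next hop must be inside the subnet
    the DHCP network serves, otherwise clients cannot ARP for it."""
    net = ipaddress.IPv4Network(network)
    return [r for _, r in routes if ipaddress.IPv4Address(r) not in net]


if __name__ == "__main__":
    # Constructed sample, not the author's real addressing: IoT VLAN 102 gets
    # 192.168.102.0/24 with the router at .3, and is pushed a route to the main LAN.
    iot_network = "192.168.102.0/24"
    routes = [("192.168.0.0/24", "192.168.102.3"), ("0.0.0.0/0", "192.168.102.3")]
    opt = encode_option121(routes)
    print("value=" + routeros_value(opt))
    assert decode_option121(opt) == routes
    print("bad next hops:", routers_outside_network(routes, iot_network))
    # The renumbering pitfall: an option that still names a next hop from another
    # VLAN (or the old gateway address) is flagged.
    stale = [("192.168.0.0/24", "192.168.0.3")]
    print("bad next hops:", routers_outside_network(stale, iot_network))
```

Note that a client that receives option 121 ignores option 3 (router), so the default route must be included in the option explicitly, as the sample does.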
No longer needed: the dummy routes for proxy ARP
```
add comment="dummy route to enable selective proxy ARP (DNS resolver)" \
distance=1 dst-address=192.168.0.53/32 gateway=fixed-containers
add comment=\
"dummy route to enable selective proxy ARP (authoritative name server)" \
distance=1 dst-address=192.168.0.99/32 gateway=fixed-containers
```
### Other configurations to update
* FreeBOX: Nothing to update, IPv6 uses role address fe80::7 and IPv4 role addresses 192.168.0.53 and .99
* DNS: Nothing to update (no AAAA record)
* melitta: Nothing to update, no reference to MAC specific addresses (uses fe80::7)