From 1db1aeabae9257869a1a433dadfc077f278f124c Mon Sep 17 00:00:00 2001 From: Thomas Quinot Date: Sun, 5 Jan 2025 00:15:13 +0100 Subject: [PATCH] Router upgrade notes --- _source/_posts/2025-01-04-router-upgrade.md | 128 ++++++++++++++++++++ 1 file changed, 128 insertions(+) create mode 100644 _source/_posts/2025-01-04-router-upgrade.md diff --git a/_source/_posts/2025-01-04-router-upgrade.md b/_source/_posts/2025-01-04-router-upgrade.md new file mode 100644 index 0000000..50e8140 --- /dev/null +++ b/_source/_posts/2025-01-04-router-upgrade.md 
@@ -0,0 +1,128 @@ +--- +layout: post +title: "Home router upgrade notes" +date: 2025-01-04 16:00:00 +0200 +comments: true +categories: +--- + +# Upgrading from Mikrotik hAP ac-lite to hAP ax3. + +:warning: *Do not power on without antenna connected* + +## Initial setup + +[Setup instructions](https://help.mikrotik.com/docs/spaces/UM/pages/150601820/hAP+ax%C2%B3) + +Initial password is provided on pullout tab. + +* Power on +* Connect PC to factory wifi network +* Access webfig at 192.168.88.1 +* Log in +* Connect to LAN (Ehternet port 1) + * _At this stage, the Mikrotik does NAT for its wifi clients, so the PC can talk to the outside_ +* System > Packages > Check for updates +* _Updated to RouterOS 7.16.2_ + +## Change or not? + +*Change* + +* IP addresses on local network: .1 -> .3 +* Fixed MAC addresses + +*Keep* + +*TBD* + + +## Porting the configuration + +### Factory configuration + +`/sys export` + +``` +# 2025-01-04 15:43:22 by RouterOS 7.16.2 +# software id = 3K4M-7VES +# +# model = C53UiG+5HPaxD2HPaxD +# serial number = HG609PMT86R +/system note +set show-at-login=no +/system routerboard wps-button +set enabled=yes on-event=wps-accept +/system script +add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\ + "\r\ + \n :foreach iface in=[/interface/wifi find where (configuration.mode=\"ap\" && disabled=no)] do={\r\ + \n /interface/wifi wps-push-button \$iface;}\r\ + \n " +``` + +### MAC address + +* The configuration from the old router includes a to its MAC addresses which need to be adjusted (MAC address of the bridge). + To avoid having to change it again in the future, let's use a locally administered MAC address. + I'm already using `06:00:00:00:00:06` for the legacy firewall, let's make the new Mikrotik `06:00:00:00:00:07`. +* The virtual AP setup for the IoT wifi network also hardcodes a MAC address that needs to be adjusted. 
+ Since it's VLAN 102, I will henceforth use `06:00:00:00:00:66` + +### Wifi settings + +The configuration for wireless interfaces has changed (`/interface wireless` -> `/interface wifi`) so I'll need to do it by hand in any case. + +Some 5 GHz channels overlap with radar and are conditionally enabled after listening for conflict (DFS channels). + +However some devices (MacBook, Pixel 7) will just ignore them: if the router happens to choose one of them, the SSID will be invisible. +So, the router must align with that and avoid them altogether: `/int wifi set [...] channel.skip-dfs-channels=all` + +### Manual config steps + +* Create bridge interface trunk + `/int bridge add` +* Set up VLANs + `/int vlan add interface=trunk vlan-id=... name=...` +* _Skip:_ Interface lists WAN and LAN already exist in the default configuration (would need to reset with no-defaults) +* Wifi: use temporary SSIDs to avoid conflict with existing ones during transition + * Set SSID, mode=ap + * Pay attention to which one is 5 GHz (wifi1) and which one is 2 GHz (wifi2). It was reverse in the old router. +* IoT virtual wifi: parent must be wifi2 (2 GHz) +* Set up IP addresses on VLAN interfaces +* Create DHCP options (CIDR route destinations must match above IP addresses!) +* DHCP pools +* DHCP networks +* Set tag on inactive WiFi SSID +* Move inactive WiFi to trunk +* Add WiFi interfaces wlan* to trunk +* Add DHCP server on the VLAN interface corresponding to the default WiFi VLAN +* Switch to tagged WiFi SSID +* Wait for ARP cache expiry! 
+* Swicth other WiFi to trunk/VLAN +* Ether ports config _will break connectivity_ (bridge membership and VLAN setting -- must disable default bridge membership) +* Proxy ARP +* Firewall rule: allow management traffic from WAN side +* dst-nat on Freebox network + * authoritative nameservers to authoritative container + * recursive resolver to resolver container +* IPv6 + + +No longer needed: + +Dummy routes for proxy ARP +``` +add comment="dummy route to enable selective proxy ARP (DNS resolver)" \ + distance=1 dst-address=192.168.0.53/32 gateway=fixed-containers +add comment=\ + "dummy route to enable selective proxy ARP (authoritative name server)" \ + distance=1 dst-address=192.168.0.99/32 gateway=fixed-containers + +``` + +### Other configurations to update + +* FreeBOX: Nothing to update, IPv6 uses role address fe80::7 and IPv4 role addresses 192.168.0.53 and .99 +* DNS: Nothing to update (no AAAA record) +* melitta: Nothing to update, no reference to MAC specific addresses (uses fe80::7)
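Review bot: The "Factory configuration" section does not capture the factory configuration: `/sys export` runs `export` from the `/system` menu, so it dumps only that subtree (every line in the output starts with `/system ...`); run `/export` from the root, before any changes, so the default bridge, interface-list, firewall and wifi configuration is on record for the "Keep" column that is still marked *TBD*. Consider redacting the `# software id = ...` and `# serial number = ...` lines before publishing the export, and note that the factory config leaves `wps-button` enabled with the `wps-accept` script running under `policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon`; decide explicitly whether that stays. The step "Firewall rule: allow management traffic from WAN side" should state the source addresses and ports it is limited to, since as written it reads as a blanket allow. Smaller points in the same hunk: the front matter says `date: 2025-01-04 16:00:00 +0200` while the commit itself is timestamped +0100, which is the correct January offset for that zone; "includes a to its MAC addresses" is missing a noun (probably "reference"); "Ehternet port 1" should be "Ethernet port 1"; "It was reverse in the old router" should be "reversed"; "Swicth other WiFi" should be "Switch".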