From 524833a801581b2caf61f86e83414902ee43ec23 Mon Sep 17 00:00:00 2001 From: Thomas Quinot Date: Sun, 5 Jan 2025 19:42:18 +0100 Subject: [PATCH] Write up key learnings --- _source/_posts/2025-01-04-router-upgrade.md | 46 +++++++++++++++++++++ 1 file changed, 46 insertions(+) diff --git a/_source/_posts/2025-01-04-router-upgrade.md b/_source/_posts/2025-01-04-router-upgrade.md index 3ef135b..cfb1d61 100644 --- a/_source/_posts/2025-01-04-router-upgrade.md +++ b/_source/_posts/2025-01-04-router-upgrade.md 
@@ -113,3 +113,49 @@ So, the router must align with that and avoid them altogether: `/int wifi set [. * FreeBOX: Nothing to update, IPv6 uses role address fe80::7 and IPv4 role addresses 192.168.0.53 and .99 * DNS: Nothing to update (no AAAA record) * melitta: Nothing to update, no reference to MAC specific addresses (uses fe80::7) + +## Key learnings + +### DFS + +DFS is a standard allowing 5 GHz WiFi to share some frequency ranges with radar use cases. However, to use these ranges, an AP has to first listen +for conflicts for either 1 or 10 minutes. Some device (such as Macbook, Pixel 7) will simply ignore these bands altogether, and won't see beacons +from a router that happens to have selected them. + +On the Mikrotik AP, you can: +* keep DFS enabled (i.e. don't skip any DFS channel) +* keep DFS enabled only for those channels that only require 1 min of listening (skipping the 10 minutes ones) +* disable DFS (skipping all DFS channels). + +Only the last option (disable usage of DFS channels altogether) will ensure that your 5 GHz network is visible to devices that don't implement DFS. + +### Policy routing and fasttrack + +The old routing-mark system is gone, a routing mark now corresponds to a separate _routing table_ that must be created +explicitly. + +The default fasttrack rule bypasses the firewall (mangling) rules, so it's not compatible with policy routing rules (for the +transparent web proxy) that only set a routing mark. But this can elegantly be solved by: +* using a two step mangling process: + * at connection startup, mark the connection + * for relevant (egress) packages of the connection, apply the routing mark (i.e. select an alternate routing table) +* restricting the fasttrack rule to only unmarked connections + +So that the bulk of connections will benefit from fasttrack, while only those connections requiring policy routing will go through the slow path +(running through mangle rules for each packet). 
+ +### Proxy ARP + +To proxy ARP for a _virtual_ address (i.e. not a separate reachable host, but an address that will be redirected by a dst-nat rule), you need +to artificially mark the IP address as reachable using a dummy routing table entry: + +``` +/ip route add comment="dummy route to enable selective proxy ARP (authoritative name server)" distance=1 dst-address=192.168.0.99/32 gateway=fixed-containers +``` + +The absence of this rule will not **prevent** the creation of the proxy ARP entry, but the Mikrotik won't generate the ARP answers. + +### Misc + +There is now a Linux version of Winbox :tada: +
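Review bot: "packages" in the two-step mangling bullet should be "packets", and "Some device (such as Macbook, Pixel 7)" should be "Some devices". Beyond the typos, the "Policy routing and fasttrack" section describes the rule design only in prose, while the scheme depends entirely on rule ordering and matching (the connection-mark rule and the routing-mark rule must see the packets before fasttrack pulls the connection out of the mangle path, and the fasttrack rule must match only connections that carry no mark); consider adding the actual mangle and fasttrack rules next to the description, the way the Proxy ARP section already shows its `/ip route add ...` line, so a reader can reproduce and audit the setup. The DFS paragraph's claim that Macbook and Pixel 7 "simply ignore these bands altogether" is also stated as a general fact; a reference or a note that this is what was observed in this setup would make it easier to trust.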