|
|
|
@ -113,3 +113,49 @@ So, the router must align with that and avoid them altogether: `/int wifi set [.
|
|
|
|
* FreeBOX: Nothing to update, IPv6 uses role address fe80::7 and IPv4 role addresses 192.168.0.53 and .99
|
|
|
|
* FreeBOX: Nothing to update, IPv6 uses role address fe80::7 and IPv4 role addresses 192.168.0.53 and .99
|
|
|
|
* DNS: Nothing to update (no AAAA record)
|
|
|
|
* DNS: Nothing to update (no AAAA record)
|
|
|
|
* melitta: Nothing to update, no reference to MAC specific addresses (uses fe80::7)
|
|
|
|
* melitta: Nothing to update, no reference to MAC specific addresses (uses fe80::7)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
## Key learnings
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### DFS
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
DFS is a standard allowing 5 GHz WiFi to share some frequency ranges with radar use cases. However, to use these ranges, an AP has to first listen
|
|
|
|
|
|
|
|
for conflicts for either 1 or 10 minutes. Some device (such as Macbook, Pixel 7) will simply ignore these bands altogether, and won't see beacons
|
|
|
|
|
|
|
|
from a router that happens to have selected them.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
On the Mikrotik AP, you can:
|
|
|
|
|
|
|
|
* keep DFS enabled (i.e. don't skip any DFS channel)
|
|
|
|
|
|
|
|
* keep DFS enabled only for those channels that only require 1 min of listening (skipping the 10 minutes ones)
|
|
|
|
|
|
|
|
* disable DFS (skipping all DFS channels).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Only the last option (disable usage of DFS channels altogether) will ensure that your 5 GHz network is visible to devices that don't implement DFS.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Policy routing and fasttrack
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The old routing-mark system is gone, a routing mark now corresponds to a separate _routing table_ that must be created
|
|
|
|
|
|
|
|
explicitly.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The default fasttrack rule bypasses the firewall (mangling) rules, so it's not compatible with policy routing rules (for the
|
|
|
|
|
|
|
|
transparent web proxy) that only set a routing mark. But this can elegantly be solved by:
|
|
|
|
|
|
|
|
* using a two step mangling process:
|
|
|
|
|
|
|
|
* at connection startup, mark the connection
|
|
|
|
|
|
|
|
* for relevant (egress) packages of the connection, apply the routing mark (i.e. select an alternate routing table)
|
|
|
|
|
|
|
|
* restricting the fasttrack rule to only unmarked connections
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
So that the bulk of connections will benefit from fasttrack, while only those connections requiring policy routing will go through the slow path
|
|
|
|
|
|
|
|
(running through mangle rules for each packet).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Proxy ARP
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
To proxy ARP for a _virtual_ address (i.e. not a separate reachable host, but an address that will be redirected by a dst-nat rule), you need
|
|
|
|
|
|
|
|
to artificially mark the IP address as reachable using a dummy routing table entry:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
/ip route add comment="dummy route to enable selective proxy ARP (authoritative name server)" distance=1 dst-address=192.168.0.99/32 gateway=fixed-containers
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The absence of this rule will not **prevent** the creation of the proxy ARP entry, but the Mikrotik won't generate the ARP answers.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
### Misc
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
There is now a Linux version of Winbox :tada:
|
|
|
|
|
|
|
|
|
|
|
|
|
Thomas Quinot
2 months ago