---
layout: post
title: "Home router upgrade notes"
date: 2025-01-04 16:00:00 +0200
comments: true
categories:
---

# Upgrading from Mikrotik hAP ac-lite to hAP ax3.

:warning: *Do not power on without the antennas connected*

## Initial setup

[Setup instructions](https://help.mikrotik.com/docs/spaces/UM/pages/150601820/hAP+ax%C2%B3)

The initial password is printed on the pull-out tab.

* Power on
* Connect the PC to the factory wifi network
* Access WebFig at 192.168.88.1
* Log in
* Connect Ethernet port 1 (the factory WAN port) to the existing LAN
  * _At this stage, the Mikrotik does NAT for its wifi clients, so the PC can talk to the outside_
* System > Packages > Check for updates
  * _Updated to RouterOS 7.16.2_

## Change or not?

*Change*

* IP addresses on the local network: .1 -> .3
* Fixed MAC addresses

*Keep*

*TBD*

## Porting the configuration

### Factory configuration

`/sys export`

```
# 2025-01-04 15:43:22 by RouterOS 7.16.2
# software id = 3K4M-7VES
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HG609PMT86R
/system note
set show-at-login=no
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "\r\
    \n :foreach iface in=[/interface/wifi find where (configuration.mode=\"ap\" && disabled=no)] do={\r\
    \n /interface/wifi wps-push-button \$iface;}\r\
    \n "
```

### MAC address

* The configuration from the old router includes a reference to its MAC address (the MAC address of the bridge), which needs to be adjusted. To avoid having to change it again in the future, let's use a locally administered MAC address (second-least-significant bit of the first octet set, as in `06:...`), which by construction cannot collide with any vendor-assigned address. I'm already using `06:00:00:00:00:06` for the legacy firewall, so let's make the new Mikrotik `06:00:00:00:00:07`.
* The virtual AP setup for the IoT wifi network also hardcodes a MAC address that needs to be adjusted.
  Since it's VLAN 102 (0x66), I will henceforth use `06:00:00:00:00:66`.

### Wifi settings

The configuration for wireless interfaces has changed (`/interface wireless` -> `/interface wifi`), so I'll need to redo it by hand in any case.

Some 5 GHz channels are shared with radar and may only be used after the AP has listened for radar activity (DFS channels). However, some client devices (MacBook, Pixel 7) simply ignore those channels: if the router happens to select one of them, the SSID becomes invisible to them. So the router has to accommodate those clients and avoid DFS channels altogether:

`/int wifi set [...] channel.skip-dfs-channels=all`

### Manual config steps

* Create the bridge interface `trunk`: `/int bridge add name=trunk`
* Set up VLANs: `/int vlan add interface=trunk vlan-id=... name=...`
* _Skip:_ the interface lists WAN and LAN already exist in the default configuration (would need a reset with no-defaults to start from scratch)
* Wifi: use temporary SSIDs to avoid conflicts with the existing ones during the transition
  * Set SSID, mode=ap
  * Pay attention to which interface is 5 GHz (wifi1) and which is 2 GHz (wifi2). It was the other way round on the old router.
  * IoT virtual wifi: the parent must be wifi2 (2 GHz)
* Set up IP addresses on the VLAN interfaces
* Create DHCP options (classless static route destinations must match the IP addresses above!)
* DHCP pools
* DHCP networks
* Set the VLAN tag on the inactive WiFi SSID
* Move the inactive WiFi to trunk
* Add the WiFi interfaces wlan* to trunk
* Add a DHCP server on the VLAN interface corresponding to the default WiFi VLAN
* Switch to the tagged WiFi SSID
* Wait for ARP cache expiry!
* Switch the other WiFi to trunk/VLAN
* Ether ports config _will break connectivity_ (bridge membership and VLAN setting -- the default bridge membership must be disabled first)
* Proxy ARP (make sure to include dummy routes to mark the target virtual addresses as reachable)
* Firewall rule: allow management traffic from the WAN side (restrict it to the specific source addresses and ports that need it rather than the whole WAN side)
* dst-nat on the Freebox network
* Authoritative nameservers to the authoritative container
* Recursive resolver to the resolver container
* IPv6

### Other configurations to update

* FreeBOX: nothing to update, IPv6 uses the role address fe80::7 and IPv4 the role addresses 192.168.0.53 and .99
* DNS: nothing to update (no AAAA record)
* melitta: nothing to update, no reference to MAC-specific addresses (uses fe80::7)

## Key learnings

### DFS

DFS (Dynamic Frequency Selection) is the mechanism that lets 5 GHz WiFi share some frequency ranges with radar. Before transmitting on such a channel, an AP must first listen for radar for 1 minute (10 minutes for the channels shared with weather radar). Some client devices (such as the MacBook and Pixel 7) simply ignore these channels altogether, and won't see beacons from a router that happens to have selected one of them.

On the Mikrotik AP, `channel.skip-dfs-channels` gives you three options:

* keep DFS enabled, i.e. don't skip any DFS channel (`disabled`)
* keep DFS enabled only for the channels that require 1 minute of listening, skipping the 10-minute ones (`10min-cac`)
* disable DFS, skipping all DFS channels (`all`)

Only the last option (no DFS channels at all) ensures that your 5 GHz network is visible to devices that don't use DFS channels.

### Policy routing and fasttrack

The old routing-mark system is gone: in RouterOS 7 a routing mark is the name of a separate _routing table_ that must be created explicitly (`/routing table add name=... fib`), and marking a packet selects that table.

The default fasttrack rule lets established connections bypass the firewall, including the mangle rules, so it is not compatible with policy routing rules (here, for the transparent web proxy) that only set a routing mark on each packet: once a connection is fasttracked, its packets never reach the mangle rule.
But this can elegantly be solved by:

* using a two-step mangling process:
  * at connection start, mark the connection
  * for the relevant (egress) packets of the connection, apply the routing mark (i.e. select the alternate routing table)
* restricting the fasttrack rule to unmarked connections only

So the bulk of connections still benefit from fasttrack, while only the connections requiring policy routing go through the slow path (running through the mangle rules for each packet).

### Proxy ARP

To proxy ARP for a _virtual_ address (i.e. not a separate reachable host, but an address that will be redirected by a dst-nat rule), you need to artificially mark the IP address as reachable using a dummy routing table entry:

```
/ip route add comment="dummy route to enable selective proxy ARP (authoritative name server)" distance=1 dst-address=192.168.0.99/32 gateway=fixed-containers
```

Without this route, the proxy ARP setting on the interface is still accepted, but the Mikrotik won't answer ARP requests for the address: it only proxies addresses it has a route to via another interface.

### Misc

There is now a Linux version of Winbox :tada:
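The two-step marking from the policy routing section, written out as RouterOS 7 commands. This is an added example, not configuration from the post: the LAN subnet `192.168.10.0/24`, the transparent proxy host `192.168.20.2`, and the mark names `proxy-conn` / `proxy` are assumed values, and only HTTP/HTTPS from the LAN is sent to the proxy.

```routeros
# Added example: policy-route LAN web traffic to a transparent proxy while
# keeping fasttrack for everything else. Addresses and mark names are
# assumptions, not the values used in the post.

# 1. A routing mark is a routing table in RouterOS 7; it has to exist first.
#    "fib" makes it a real forwarding table, not just a policy table.
/routing table
add name=proxy fib

# 2. The alternate table sends everything to the transparent proxy host.
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.20.2 routing-table=proxy \
    comment="default route of the proxy table"

# 3. Two-step mangle:
#    a) on the first packet of a connection, mark the connection
#       (passthrough=yes so the same packet also hits rule b);
#    b) on every LAN-originated packet of a marked connection, apply the
#       routing mark. Return packets from the proxy are not matched, so they
#       follow the main table.
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=proxy-conn \
    passthrough=yes connection-state=new in-interface-list=LAN \
    src-address=192.168.10.0/24 protocol=tcp dst-port=80,443 \
    comment="step a: mark new web connections from the LAN"
add chain=prerouting action=mark-routing new-routing-mark=proxy passthrough=no \
    connection-mark=proxy-conn in-interface-list=LAN \
    comment="step b: route marked connections via the proxy table"

# 4. Fasttrack only unmarked connections. Marked ones stay on the slow path,
#    so each of their packets still traverses mangle and gets the routing mark.
#    Order matters: this rule must come before the generic accept for
#    established/related traffic.
/ip firewall filter
add chain=forward action=fasttrack-connection hw-offload=yes \
    connection-state=established,related connection-mark=no-mark \
    comment="fasttrack only connections without a mark"
add chain=forward action=accept connection-state=established,related \
    comment="established/related that did not fasttrack (marked connections)"
```

To check that it behaves as intended, open a web page from a LAN client and look at `/ip firewall connection print where connection-mark=proxy-conn` (the connection should appear, and should not be flagged as fasttracked) and at the rule counters in `/ip firewall mangle print stats`. Note that a connection marked this way is blackholed if the proxy host is down, since the `proxy` table has no fallback to the main table; add `check-gateway=ping` to the route and a second, higher-distance route if that matters.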