---
layout: post
title: "Home router upgrade notes"
date: 2025-01-04 16:00:00 +0200
comments: true
categories:
---

# Upgrading from Mikrotik hAP ac-lite to hAP ax3.

:warning: *Do not power on without antenna connected*

## Initial setup

[Setup instructions](https://help.mikrotik.com/docs/spaces/UM/pages/150601820/hAP+ax%C2%B3)

Initial password is provided on pullout tab.

* Power on
* Connect PC to factory wifi network
* Access webfig at 192.168.88.1
* Log in
* Connect to LAN (Ethernet port 1)
  * _At this stage, the Mikrotik does NAT for its wifi clients, so the PC can talk to the outside_
* System > Packages > Check for updates
  * _Updated to RouterOS 7.16.2_

## Change or not?

*Change*

* IP addresses on local network: .1 -> .3
* Fixed MAC addresses

*Keep*

*TBD*

## Porting the configuration

### Factory configuration

`/sys export`

```
# 2025-01-04 15:43:22 by RouterOS 7.16.2
# software id = 3K4M-7VES
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HG609PMT86R
/system note
set show-at-login=no
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"ap\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "
```

### MAC address

* The configuration from the old router includes a reference to its MAC addresses which need to be adjusted (MAC address of the bridge). To avoid having to change it again in the future, let's use a locally administered MAC address. I'm already using `06:00:00:00:00:06` for the legacy firewall, let's make the new Mikrotik `06:00:00:00:00:07`.
* The virtual AP setup for the IoT wifi network also hardcodes a MAC address that needs to be adjusted.
  Since it's VLAN 102, I will henceforth use `06:00:00:00:00:66`

### Wifi settings

The configuration for wireless interfaces has changed (`/interface wireless` -> `/interface wifi`) so I'll need to do it by hand in any case.

Some 5 GHz channels overlap with radar and are conditionally enabled after listening for conflict (DFS channels). However some devices (MacBook, Pixel 7) will just ignore them: if the router happens to choose one of them, the SSID will be invisible. So, the router must align with that and avoid them altogether:

`/int wifi set [...] channel.skip-dfs-channels=all`

### Manual config steps

* Create bridge interface trunk `/int bridge add`
* Set up VLANs `/int vlan add interface=trunk vlan-id=... name=...`
* _Skip:_ Interface lists WAN and LAN already exist in the default configuration (would need to reset with no-defaults)
* Wifi: use temporary SSIDs to avoid conflict with existing ones during transition
  * Set SSID, mode=ap
  * Pay attention to which one is 5 GHz (wifi1) and which one is 2 GHz (wifi2). It was reversed in the old router.
  * IoT virtual wifi: parent must be wifi2 (2 GHz)
* Set up IP addresses on VLAN interfaces
* Create DHCP options (CIDR route destinations must match above IP addresses!)
* DHCP pools
* DHCP networks
* Set tag on inactive WiFi SSID
* Move inactive WiFi to trunk
* Add WiFi interfaces wlan* to trunk
* Add DHCP server on the VLAN interface corresponding to the default WiFi VLAN
* Switch to tagged WiFi SSID
* Wait for ARP cache expiry!
* Switch other WiFi to trunk/VLAN
* Ether ports config _will break connectivity_ (bridge membership and VLAN setting -- must disable default bridge membership)
* Proxy ARP (make sure to include dummy routes to mark the target virtual addresses as reachable)
* Firewall rule: allow management traffic from WAN side
* dst-nat on Freebox network
  * authoritative nameservers to authoritative container
  * recursive resolver to resolver container
* IPv6

### Other configurations to update

* FreeBOX: Nothing to update, IPv6 uses role address fe80::7 and IPv4 role addresses 192.168.0.53 and .99
* DNS: Nothing to update (no AAAA record)
* melitta: Nothing to update, no reference to MAC specific addresses (uses fe80::7)
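
For the MAC address section above, an added example (not part of the original notes): a small Python check that scans a RouterOS export for hardcoded MAC addresses, flags burned-in (universally administered) ones that tie the configuration to one device, and flags locally administered ones that collide with an address already in use. The export snippets and the `48:8F:5A:...` address are constructed sample data, and the function names are hypothetical.

```python
import re

MAC_RE = re.compile(
    r"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])")

def mac_kind(mac):
    """Classify a MAC by the two low bits of its first octet."""
    first = int(mac[:2], 16)
    if first & 0x01:
        return "multicast"      # I/G bit set: not usable as an interface MAC
    return "local" if first & 0x02 else "universal"   # U/L bit

def audit_export(text, in_use=()):
    """Return (mac, issue) pairs for MACs hardcoded in a RouterOS export.

    in_use: MACs already assigned elsewhere on the LAN.
    """
    taken = {m.upper() for m in in_use}
    issues = []
    # RouterOS wraps long commands with a trailing backslash; rejoin them.
    for line in text.replace("\\\n", "").splitlines():
        if line.lstrip().startswith("#"):
            continue            # export header comments
        for mac in (m.upper() for m in MAC_RE.findall(line)):
            kind = mac_kind(mac)
            if kind == "universal":
                issues.append((mac, "burned-in address, tied to one device"))
            elif kind == "multicast":
                issues.append((mac, "multicast bit set"))
            elif mac in taken:
                issues.append((mac, "locally administered but already in use"))
            taken.add(mac)
    return issues

# Constructed sample data, not taken from the real routers.
OLD_EXPORT = """\
/interface bridge
add admin-mac=48:8F:5A:00:00:01 auto-mac=no name=bridge
"""
NEW_EXPORT = """\
/interface bridge
add admin-mac=06:00:00:00:00:07 auto-mac=no name=trunk
/interface wifi
add mac-address=06:00:00:00:00:66 master-interface=wifi2 name=wifi-iot
"""
FIREWALL_MAC = "06:00:00:00:00:06"   # already used by the legacy firewall

if __name__ == "__main__":
    for name, cfg in (("old", OLD_EXPORT), ("new", NEW_EXPORT)):
        print(name, audit_export(cfg, in_use=[FIREWALL_MAC]))
```

The check only looks at the U/L and I/G bits, so a locally administered address that was derived from a hardware address is not flagged.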