labnotes/_source/_posts/2025-01-04-router-upgrade.md

---
layout: post
title: Home router upgrade notes
date: 2025-01-04 16:00:00 +0200
comments: true
categories:
---

Upgrading from Mikrotik hAP ac-lite to hAP ax3.

⚠️ Do not power on without the antennas connected

Initial setup

Setup instructions

Initial password is provided on pullout tab.

  • Power on
  • Connect PC to factory wifi network
  • Access webfig at 192.168.88.1
  • Log in
  • Connect to LAN (Ethernet port 1)
    • At this stage, the Mikrotik does NAT for its wifi clients, so the PC can talk to the outside
  • System > Packages > Check for updates
  • Updated to RouterOS 7.16.2

Change or not?

Change

  • IP addresses on local network: .1 -> .3
  • Fixed MAC addresses

Keep

TBD

Porting the configuration

Factory configuration

/sys export

# 2025-01-04 15:43:22 by RouterOS 7.16.2
# software id = 3K4M-7VES
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HG609PMT86R
/system note
set show-at-login=no
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "\r\
    \n   :foreach iface in=[/interface/wifi find where (configuration.mode=\"ap\" && disabled=no)] do={\r\
    \n     /interface/wifi wps-push-button \$iface;}\r\
    \n "

MAC address

  • The configuration from the old router includes references to its MAC addresses (the bridge MAC address), which need to be adjusted. To avoid having to change it again in the future, let's use a locally administered MAC address. I'm already using 06:00:00:00:00:06 for the legacy firewall, so let's make the new Mikrotik 06:00:00:00:00:07.
  • The virtual AP setup for the IoT wifi network also hardcodes a MAC address that needs to be adjusted. Since it's on VLAN 102, I will henceforth use 06:00:00:00:00:66.

Wifi settings

The configuration for wireless interfaces has changed (/interface wireless -> /interface wifi) so I'll need to do it by hand in any case.

Some 5 GHz channels overlap with radar bands and are only enabled after the radio has listened for radar activity (DFS channels).

However, some devices (MacBook, Pixel 7) simply ignore them: if the router happens to pick one of them, the SSID becomes invisible to those clients. So the router must accommodate them and avoid DFS channels altogether: /int wifi set [...] channel.skip-dfs-channels=all

Manual config steps

  • Create bridge interface trunk /int bridge add
  • Set up VLANs /int vlan add interface=trunk vlan-id=... name=...
  • Skip: Interface lists WAN and LAN already exist in the default configuration (would need to reset with no-defaults)
  • Wifi: use temporary SSIDs to avoid conflict with existing ones during transition
    • Set SSID, mode=ap
    • Pay attention to which one is 5 GHz (wifi1) and which one is 2 GHz (wifi2). It was reversed in the old router.
  • IoT virtual wifi: parent must be wifi2 (2 GHz)
  • Set up IP addresses on VLAN interfaces
  • Create DHCP options (CIDR route destinations must match above IP addresses!)
  • DHCP pools
  • DHCP networks
  • Set tag on inactive WiFi SSID
  • Move inactive WiFi to trunk
  • Add WiFi interfaces wlan* to trunk
  • Add DHCP server on the VLAN interface corresponding to the default WiFi VLAN
  • Switch to tagged WiFi SSID
  • Wait for ARP cache expiry!
  • Switch other WiFi to trunk/VLAN
  • Configuring the ether ports will break connectivity (bridge membership and VLAN setting -- the default bridge membership must be disabled first)
  • Proxy ARP
  • Firewall rule: allow management traffic from WAN side
  • dst-nat on Freebox network
    • authoritative nameservers to authoritative container
    • recursive resolver to resolver container
  • IPv6
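As an added example (not part of the original notes), here is a RouterOS 7 fragment covering the bridge, VLAN, MAC and wifi steps above. Assumptions: ether2 as the wired trunk port, VLAN 101 as the main LAN id, and the SSIDs and passphrases are placeholders; the "set tag on the SSID" step is done here with a bridge-port pvid rather than the wifi datapath setting.

```routeros
# Added example: RouterOS 7 fragment for the bridge / VLAN / wifi steps above.
# Placeholders: SSIDs, passphrases, ether2 as the wired trunk port, VLAN 101 as the
# main LAN id. The MAC addresses and VLAN 102 are the values from the notes.

# Bridge with a fixed, locally administered MAC (0x02 bit set in the first octet),
# so nothing in the config depends on the hardware address again.
/interface bridge
add name=trunk admin-mac=06:00:00:00:00:07 auto-mac=no vlan-filtering=no

# VLAN interfaces on the trunk, for the router's own addresses and DHCP servers
/interface vlan
add name=vlan-main interface=trunk vlan-id=101
add name=vlan-iot interface=trunk vlan-id=102

# wifi1 is the 5 GHz radio on the hAP ax3, wifi2 the 2 GHz one; temporary SSIDs
# avoid clashing with the old router while both are powered.
# skip-dfs-channels=all keeps the 5 GHz SSID visible to clients that ignore DFS channels.
/interface wifi
set wifi1 configuration.mode=ap configuration.ssid="TEMP-5G" \
    security.authentication-types=wpa2-psk security.passphrase="CHANGE-ME" \
    channel.skip-dfs-channels=all disabled=no
set wifi2 configuration.mode=ap configuration.ssid="TEMP-2G" \
    security.authentication-types=wpa2-psk security.passphrase="CHANGE-ME" disabled=no
# IoT virtual AP: 2 GHz parent, fixed MAC for VLAN 102
add name=wifi-iot master-interface=wifi2 mac-address=06:00:00:00:00:66 \
    configuration.mode=ap configuration.ssid="TEMP-IOT" \
    security.authentication-types=wpa2-psk security.passphrase="CHANGE-ME" disabled=no

# Take ether2 out of the default bridge first: a port can only belong to one bridge,
# and the wired session drops at this point (do it from the wifi side, as in the notes).
/interface bridge port
remove [find interface=ether2]
add bridge=trunk interface=ether2
add bridge=trunk interface=wifi1 pvid=101
add bridge=trunk interface=wifi2 pvid=101
add bridge=trunk interface=wifi-iot pvid=102
/interface bridge vlan
add bridge=trunk vlan-ids=101 tagged=trunk,ether2 untagged=wifi1,wifi2
add bridge=trunk vlan-ids=102 tagged=trunk,ether2 untagged=wifi-iot
# Enable filtering only once the ports and the VLAN table are complete
/interface bridge
set trunk vlan-filtering=yes

# The factory export above enables the WPS push button; turn it off unless needed.
/system routerboard wps-button
set enabled=no
```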

No longer needed:

Dummy routes for proxy ARP

add comment="dummy route to enable selective proxy ARP (DNS resolver)" \
    distance=1 dst-address=192.168.0.53/32 gateway=fixed-containers
add comment=\
    "dummy route to enable selective proxy ARP (authoritative name server)" \
    distance=1 dst-address=192.168.0.99/32 gateway=fixed-containers

Other configurations to update

  • FreeBOX: Nothing to update, IPv6 uses role address fe80::7 and IPv4 role addresses 192.168.0.53 and .99
  • DNS: Nothing to update (no AAAA record)
  • melitta: Nothing to update, no reference to MAC specific addresses (uses fe80::7)