Home router upgrade notes
Upgrading from Mikrotik hAP ac-lite to hAP ax3.
Do not power on without antenna connected
Initial setup
Initial password is provided on pullout tab.
- Power on
- Connect PC to factory wifi network
- Access webfig at 192.168.88.1
- Log in
- Connect to LAN (Ethernet port 1)
- At this stage, the Mikrotik does NAT for its wifi clients, so the PC can talk to the outside
- System > Packages > Check for updates
- Updated to RouterOS 7.16.2
Change or not?
Change
- IP addresses on local network: .1 -> .3
- Fixed MAC addresses
Keep
TBD
Porting the configuration
Factory configuration
/sys export
# 2025-01-04 15:43:22 by RouterOS 7.16.2
# software id = 3K4M-7VES
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = HG609PMT86R
/system note
set show-at-login=no
/system routerboard wps-button
set enabled=yes on-event=wps-accept
/system script
add comment=defconf dont-require-permissions=no name=wps-accept owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
"\r\
\n :foreach iface in=[/interface/wifi find where (configuration.mode=\"ap\" && disabled=no)] do={\r\
\n /interface/wifi wps-push-button \$iface;}\r\
\n "
MAC address
- The configuration from the old router includes a reference to its own MAC addresses (the MAC address of the bridge) that needs to be adjusted. To avoid having to change it again at the next hardware swap, let's use a locally administered MAC address (first octet 06 has the locally-administered bit set). I'm already using 06:00:00:00:00:06 for the legacy firewall, so the new Mikrotik gets 06:00:00:00:00:07.
- The virtual AP setup for the IoT wifi network also hardcodes a MAC address that needs to be adjusted. Since it's VLAN 102, I will henceforth use 06:00:00:00:00:66.
Wifi settings
The configuration for wireless interfaces has changed (/interface wireless -> /interface wifi), so I'll need to redo it by hand in any case.
Some 5 GHz channels overlap with radar frequencies and are only enabled after listening for interference (DFS channels).
However some client devices (MacBook, Pixel 7) simply ignore them: if the router happens to pick one of them, the SSID is invisible to those devices.
So the router must avoid them altogether: /int wifi set [...] channel.skip-dfs-channels=all
Manual config steps
- Create bridge interface trunk
/int bridge add
- Set up VLANs
/int vlan add interface=trunk vlan-id=... name=...
- Skip: Interface lists WAN and LAN already exist in the default configuration (would need to reset with no-defaults)
- Wifi: use temporary SSIDs to avoid conflict with existing ones during transition
- Set SSID, mode=ap
- Pay attention to which one is 5 GHz (wifi1) and which one is 2.4 GHz (wifi2). It was the reverse on the old router.
- IoT virtual wifi: parent must be wifi2 (2.4 GHz)
- Set up IP addresses on VLAN interfaces
- Create DHCP options (CIDR route destinations must match above IP addresses!)
- DHCP pools
- DHCP networks
- Set tag on inactive WiFi SSID
- Move inactive WiFi to trunk
- Add WiFi interfaces wlan* to trunk
- Add DHCP server on the VLAN interface corresponding to the default WiFi VLAN
- Switch to tagged WiFi SSID
- Wait for ARP cache expiry!
- Switch other WiFi to trunk/VLAN
- Ether ports config will break connectivity (bridge membership and VLAN setting – must disable default bridge membership)
- Proxy ARP (make sure to include dummy routes to mark the target virtual addresses as reachable)
- Firewall rule: allow management traffic from WAN side
- dst-nat on Freebox network
- authoritative nameservers to authoritative container
- recursive resolver to resolver container
- IPv6
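The bridge, VLAN, DHCP and wifi steps above, written out as one RouterOS 7 configuration sequence. This is an added example, not the configuration from these notes: only VLAN 102, the locally administered MACs and the wifi1/wifi2 radio assignment come from the page; the bridge name "trunk", VLAN 101 as the home network, the 192.168.101.0/24 and 192.168.102.0/24 prefixes, the port roles (ether2 tagged trunk, ether3 untagged home port) and the temporary SSIDs are assumptions.

```routeros
# Added example (not from the original notes). Assumed: bridge "trunk", VLAN 101 = home
# on 192.168.101.0/24, VLAN 102 = IoT on 192.168.102.0/24, ether2 as tagged trunk port,
# ether3 as untagged home port, temporary SSIDs ending in -tmp.

# 1. bridge with the locally administered MAC; leave vlan-filtering off until every port
#    and VLAN entry is in place, otherwise the management session is cut off mid-way
/interface bridge add name=trunk vlan-filtering=no auto-mac=no admin-mac=06:00:00:00:00:07

# 2. VLAN interfaces on the bridge (the router's own L3 endpoints)
/interface vlan add interface=trunk vlan-id=101 name=vlan-home
/interface vlan add interface=trunk vlan-id=102 name=vlan-iot

# 3. addresses, pools, DHCP networks and servers
#    (gateway/route destinations handed out by DHCP must match these addresses)
/ip address add address=192.168.101.1/24 interface=vlan-home
/ip address add address=192.168.102.1/24 interface=vlan-iot
/ip pool add name=pool-home ranges=192.168.101.100-192.168.101.199
/ip pool add name=pool-iot ranges=192.168.102.100-192.168.102.199
/ip dhcp-server network add address=192.168.101.0/24 gateway=192.168.101.1 dns-server=192.168.101.1
/ip dhcp-server network add address=192.168.102.0/24 gateway=192.168.102.1 dns-server=192.168.102.1
/ip dhcp-server add name=dhcp-home interface=vlan-home address-pool=pool-home
/ip dhcp-server add name=dhcp-iot interface=vlan-iot address-pool=pool-iot

# 4. wifi: on the hAP ax3 wifi1 is the 5 GHz radio, wifi2 the 2.4 GHz one;
#    DFS channels skipped on 5 GHz so MacBook/Pixel clients always see the SSID
/interface wifi set wifi1 configuration.mode=ap configuration.ssid=home-5g-tmp \
    channel.skip-dfs-channels=all datapath.bridge=trunk datapath.vlan-id=101 disabled=no
/interface wifi set wifi2 configuration.mode=ap configuration.ssid=home-2g-tmp \
    datapath.bridge=trunk datapath.vlan-id=101 disabled=no
# IoT virtual AP hangs off the 2.4 GHz radio, with its own locally administered MAC
/interface wifi add master-interface=wifi2 name=wifi2-iot mac-address=06:00:00:00:00:66 \
    configuration.mode=ap configuration.ssid=iot-tmp datapath.bridge=trunk datapath.vlan-id=102 disabled=no

# 5. ethernet ports: drop the default bridge membership first, then join the trunk
/interface bridge port remove [find interface=ether2]
/interface bridge port remove [find interface=ether3]
/interface bridge port add bridge=trunk interface=ether2 frame-types=admit-only-vlan-tagged
/interface bridge port add bridge=trunk interface=ether3 pvid=101 \
    frame-types=admit-only-untagged-and-priority-tagged

# 6. bridge VLAN table: "trunk" itself is tagged so vlan-home/vlan-iot receive the traffic;
#    wifi interfaces with datapath.vlan-id are listed as tagged members (assumption)
/interface bridge vlan add bridge=trunk vlan-ids=101 tagged=trunk,ether2,wifi1,wifi2 untagged=ether3
/interface bridge vlan add bridge=trunk vlan-ids=102 tagged=trunk,ether2,wifi2-iot

# 7. last, once the above is verified from a client on the temporary SSID
/interface bridge set trunk vlan-filtering=yes
```

Apply step 7 from a wifi client on the temporary SSID rather than over the ethernet port being reconfigured, and keep /system/backup or /export of the previous state at hand; a wrong VLAN table with vlan-filtering=yes locks you out and needs the reset button.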
Other configurations to update
- FreeBOX: Nothing to update, IPv6 uses role address fe80::7 and IPv4 role addresses 192.168.0.53 and .99
- DNS: Nothing to update (no AAAA record)
- melitta: Nothing to update, no reference to MAC specific addresses (uses fe80::7)
Key learnings
DFS
DFS is a standard allowing 5 GHz WiFi to share some frequency ranges with radar. However, to use these ranges, an AP first has to listen for radar for either 1 or 10 minutes (depending on the channel). Some client devices (such as MacBook, Pixel 7) simply ignore these bands altogether, and won't see beacons from a router that happens to have selected one of them.
On the Mikrotik AP, you can:
- keep DFS enabled (i.e. don’t skip any DFS channel)
- keep DFS enabled only for those channels that only require 1 min of listening (skipping the 10 minutes ones)
- disable DFS (skipping all DFS channels).
Only the last option (skipping DFS channels altogether) ensures that your 5 GHz network is visible to devices that never look at DFS channels.
Policy routing and fasttrack
The old routing-mark system is gone, a routing mark now corresponds to a separate routing table that must be created explicitly.
The default fasttrack rule bypasses the firewall (mangle) rules for established connections, so it's not compatible with policy routing rules (for the transparent web proxy) that only set a routing mark per packet. This can be solved elegantly by:
- using a two-step mangling process:
- at connection start, mark the connection
- for relevant (egress) packets of the connection, apply the routing mark (i.e. select an alternate routing table)
- restricting the fasttrack rule to unmarked connections only
so that the bulk of connections benefit from fasttrack, while only those requiring policy routing take the slow path (running through the mangle rules for each packet).
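The two-step mangle plus restricted fasttrack, as an added RouterOS 7 example (not the rule set from these notes). Assumed: the default interface list "LAN", an address list "proxied-clients" selecting the hosts to send through the proxy, a transparent proxy reachable as next hop 192.168.200.2, and a routing table named "via-proxy"; the connection mark "to-proxy" is also an invented name.

```routeros
# Added example (not from the original notes). Assumed names: interface list LAN,
# address list proxied-clients, next hop 192.168.200.2, routing table via-proxy,
# connection mark to-proxy.

# In RouterOS 7 a routing mark is a routing table: create it explicitly, with its own FIB,
# and give it a default route towards the proxy
/routing table add name=via-proxy fib
/ip route add dst-address=0.0.0.0/0 gateway=192.168.200.2 routing-table=via-proxy

# step 1: mark the connection once, on its first packet
/ip firewall mangle add chain=prerouting connection-state=new in-interface-list=LAN \
    src-address-list=proxied-clients protocol=tcp dst-port=80,443 \
    action=mark-connection new-connection-mark=to-proxy passthrough=yes \
    comment="policy routing: select connections for the transparent proxy"

# step 2: on every LAN-originated (egress) packet of a marked connection select the table;
#         return packets arriving from the WAN are left alone, otherwise they would
#         be sent to the proxy as well
/ip firewall mangle add chain=prerouting connection-mark=to-proxy in-interface-list=LAN \
    action=mark-routing new-routing-mark=via-proxy passthrough=no

# step 3: fasttrack only connections that carry no mark; marked connections keep
#         traversing mangle for each packet, everything else is offloaded
/ip firewall filter add chain=forward action=fasttrack-connection hw-offload=yes \
    connection-state=established,related connection-mark=no-mark \
    comment="fasttrack unmarked connections only"
/ip firewall filter add chain=forward action=accept connection-state=established,related
```

The two filter rules must sit where the default "defconf: fasttrack" rule is (use place-before= when adding them, or edit the default rule in place); a fasttrack rule without the connection-mark=no-mark match placed above them silently reintroduces the problem, because once a connection is fasttracked its later packets never reach the mark-routing rule.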
Proxy ARP
To proxy ARP for a virtual address (i.e. not a separate reachable host, but an address that will be redirected by a dst-nat rule), you need to artificially mark the IP address as reachable using a dummy routing table entry:
/ip route add comment="dummy route to enable selective proxy ARP (authoritative name server)" distance=1 dst-address=192.168.0.99/32 gateway=fixed-containers
The absence of this rule will not prevent the creation of the proxy ARP entry, but the Mikrotik won’t generate the ARP answers.
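The dummy route together with the proxy ARP and dst-nat rules it serves, as an added example (not the configuration from these notes). Assumed: proxy ARP is switched on per interface with arp=proxy-arp on a Freebox-facing VLAN interface called "vlan-freebox", the container network interface "fixed-containers" is the one named on this page, and the authoritative name server container listens on 10.10.10.53 (invented address); the DNS ports are the obvious choice for an authoritative server.

```routeros
# Added example (not from the original notes). Assumed: interface vlan-freebox,
# container side interface fixed-containers (named on the page), container at 10.10.10.53.

# 1. selective proxy ARP: the router answers ARP on the Freebox LAN only for addresses
#    it has a route to via some other interface
/interface vlan set [find name=vlan-freebox] arp=proxy-arp

# 2. the virtual address is not a host, so nothing makes it "reachable" by itself;
#    without this route the ARP replies are never sent
/ip route add dst-address=192.168.0.99/32 gateway=fixed-containers distance=1 \
    comment="dummy route to enable selective proxy ARP (authoritative name server)"

# 3. redirect traffic for the virtual address to the container
/ip firewall nat add chain=dstnat dst-address=192.168.0.99 protocol=udp dst-port=53 \
    action=dst-nat to-addresses=10.10.10.53 comment="authoritative DNS"
/ip firewall nat add chain=dstnat dst-address=192.168.0.99 protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=10.10.10.53 comment="authoritative DNS"

# check that the dummy route is active (an inactive route gives no ARP replies either)
/ip route print where dst-address=192.168.0.99/32
```

The dst-nat rules deliberately match only the DNS ports; anything else sent to 192.168.0.99 is not redirected, so the virtual address does not become a side door into the container network.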
Misc
There is now a Linux version of Winbox