First time configuration Ax-Lite LTE with NordVPN

Dear Experts,

I am a quite experienced IT specialist. Not good at networking though and as I found out yesterday - terrible at Mikrotik !!
I bought the router Mikrotik L41G-2axD&FG621-EA and tried to set it up yesterday! And I failed on almost everything that I wanted to do!

1. First of all, the router seems to not have a WAN port. So I would have to insert a SIM card to get it to connect to the internet.
   I thought I could connect it to my other router at least for doing the initial setup. Anyway, this is not a major problem.

2. Configuring VPN client using the OpenVPN protocol. This doesn’t work at all !! First of all, I could find the corresponding option
   only with the help of ChatGPT. Then uploading the .ovpn configuration file doesn’t work at all !! I found a long guide how to do that
   on the command line. Still not completely through with this, so I am currently unable to report back whether that worked or not.

3. I am failing on extremely simple things like even changing the SSID name !! When I try to do it over the web interface, it simply
   says “Invalid value in undefined” !! Well, this is really one of the clearest error messages I’ve ever seen !!
   After some time, I found out that right above the field for the SSID name, there is a field named Configuration. It is just an empty
   combo box, without any possibility to choose something there or to make any manual entry !! When the setting is left open, the
   above mentioned error message when saving the configuration changes to “Invalid value in Configuration” !!! OK, what VALUE !!
   It doesn’t even let me enter a value !! For me, this is clearly a terrible software bug !!!
   So I went on and I tried to do that on the command line. I tried really hard, asked ChatGPT and so on. Every command I tried
   entering, using quotation marks around the names of the wifi1 interface and the desired new SSID name - everything was simply
   failing !!
   Is there any syntax help option or command autocompletion or something that might ease up this hell a little ??

4. The router supposedly supports 5 GHz. Didn’t find any setting on how to enable it, no matter how hard I tried looking for it!

5. I had turned off the device for the night. This morning I found out that it did NOT remember the wi-fi password I have set.
   Only the default password worked. Other settings seem to be persisted though.

Do you have any advice that you could give me how to solve these problems ? Unfortunately I quite lack an alternative option,
otherwise I would give this one back IMMEDIATELY !! Many many thanks for giving me a hand on that!

First things first … Mikrotik does have a quite steep learning curve.
Nobody should tell you otherwise, it is what it is.
Once you get how it works, the things you can do with it are tremendous.

I have the exact same device in my backpack and I already used it on a lot of occasions for varying setups.
Mobile hotspot, temporary switch, VPN to home, router for a shop (with mobile backup for WAN), … config changed/adjusted on the moment I need it and off we go.

As for your points:
1- remove ether1 from bridge. Add it to WAN list. Add DHCP client to ether1. That should be it.
Ether1 should be a WAN port now.

2- can’t really help with ovpn. I use Wireguard wherever I can (easier to setup and a lot faster)
Already checked this guide ?
https://help.mikrotik.com/docs/spaces/ROS/pages/2031655/OpenVPN#OpenVPN-Example

3- I assume you are working via Webfig ?
Maybe best to move to Winbox. A lot more flexibility if you goof up IP settings on your device since it can also connect via MAC address.
Go to Wifi menu, double click on the required interface (there should only be one, see further), then tab Configuration and there you can change SSID.
See also here:
https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi#WiFi-BasicConfiguration

4- AX Lite LTE does NOT have 5GHz radio.
It’s clearly indicated in the specs for that device.

5- Not sure how you changed that password and if you saved that change.
Care to try again ?

It might help to indicate what you want to do with this device and what config you already have.
And then we can work from there.

From terminal:
/export file=anynameyouwish
Move to PC, remove sensitive info (serial, passwords, …)
Then post back here between [__code] [/__code] quotes.

All sage advice, especially on using wireguard.
As an experienced IT specialist, one should know that AI is nowhere ready to replace knowledge for equipment programming.
Further, how on earth could you know that the unit does 5ghz.???
Next time do your research and also lite maybe actually means, no frills and less than ‘normal’

The title of this thread should be: Re: “VERY Frustrated with Myself”
…

yes and yes
https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi

https://help.mikrotik.com/docs/spaces/ROS/pages/328134/Command+Line+Interface#CommandLineInterface-QuickTyping

P.s. this doesn’t mean “the device is too complicated” if you didn’t check the manual.
And quite frankly, chatgpt is TERRIBLE with configuration advice.

I use the same model for the backup connection over a year!
Currently i have set the device with the following VPNs :
Permanent - OpenVPN with server and client certificates. Additional - Wireguard/BTH/ and Zerotier!
The radio use for country Australia for best coverage!

Thank you very much, guys!

Please do not bash me for the 5 GHz. I was even assuming there are no 5 GHz. I don’t care about that, for now.
I did not only ask ChatGPT, but also Microsoft copilot. Yes, they are terrible for many things. But this is probably
good news for us.
Anyone able to tell me how to change the SSID via command line ?
I FORGOT to post - when I opened mt.com/ug I didn’t find my model there!

My use case is: Insert a SIM card. Make a wi-fi network at home. Everything that connects to that wi-fi network
should get the VPN connection.

@holvoetn - thanks a lot for your post!

1- remove ether1 from bridge. Add it to WAN list. Add DHCP client to ether1. That should be it.
Ether1 should be a WAN port now.

It would be very nice if you let me know how to do that step by step (or command by command)

Thank you, everybody! I am delighted by how quick I get support here! Cheers!

Good news indeed

Depending on if you applied the config directly on the interface:

/interface/wifi/set wifi1 configuration.ssid=blablabla

or if you’re using a configuration profile it:

/interface/wifi/configuration/set conf_1 ssid=blablabla

In sequence:
/interface bridge port remove [ find default-name=ether1 ]
/interface list member add list=WAN interface=ether1
/ip dhcp-client add interface=ether1

Maybe a general explanation is needed.
“Professional” Mikrotik devices come with no configuration at all.
“Soho” Mikrotik devices come with a default configuration (the relative settings are usually commented as “defconf”)

This default configuration is (slightly) different on each device as it usually reflects what is the “intended” use of the device.

Typically the lower numbered interface (ether1) is self-standing and it is WAN, all the other interfaces are put together in a bridge that is LAN.

In the case of your LTE devices, the LTE modem/interface is WAN and all other interfaces are put together in a bridge that is LAN.

Potentially each and every interface on Mikrotik devices can be added or removed to/from a bridge and be categorized as either WAN or LAN.

Device configuration can be managed by:

1. browser (Webfig)
2. Winbox (Mikrotik proprietary tool) that can connect BOTH to the IP of the device and through a special protocol to its MAC address (i.e. even if the device has no IP on any port)
3. SSH, telnet, etc.

The “best” tool (IMHO) is Winbox (there are two versions of it, the “old” 3.x version (that is simple and clear, but runs only on windows or under WIne) and the 4.x version, which is new, experimental, cool, dandy, has dark mode, runs on almost anything but is almost as unreadable/unusable as webfig (which can sometimes be confusing).
Besides, WInbox allows you to (size of your screen permitting) open multiple windows so that you can see the effects of a changed setting in another section of the config.

Inside both Webfig and Winbox there is the terminal, a CLI that is usually much more powerful that the GUI, but some tasks are much easier to do in the GUI.

The three commands holvoeth just posted, as an example, are only a few clicks/choices in drop down lists, but you can copy and paste them in terminal as they are, which is even more handy.

When you open terminal, if you press F1 you get the general help (and useful hotkeys), when you are typing commands, there is an extremely handy [TAB] autocompletion.

The initial impression on the above (before and besides the complexities of the configuration settings) may be outputting, but after a little bit of playing with the Winbox and Terminal you will find how everything (or almost everything) is quite logically organized and the CLI is not that much different from the command line of WIndows or of Linux, each section of the configuration is essentially a path/folder/directory, i.e. a one liner like:
/interface bridge port remove [ find default-name=ether1 ]
can be executed also as:
/interface bridge port ← change to the appropriate path
remove [ find default-name=ether1 ] ← run the command there
the prompt always shows the current directory you are in.

Some (hopefully useful AND shameless plug ) references (things to do or not to do for beginners), once you have got the hang of the GUI and CLI interfaces:
http://forum.mikrotik.com/t/the-twelve-rules-of-mikrotik-club/182164/1
http://forum.mikrotik.com/t/gp-csa-for-mikrotik-devices/182176/1

Thank you very much, guys!

Yes, the command line is fine. I already have some experience from OpenWRT where I couldn’t do some things with Lucy, since I am running a bit outdated version.
But OpenWRT at least on the first glance was easier, as several things there were the same as in Linux.
Here for example I have a bit hard time with the / in front. Is it a path or a kind of command or what is the meaning behind it ?
I will try again, but I think I tried the tab key in the command line and it didn’t seem to be doing something. I guess I’m gonna try this Winbox. I count on the fact that
this is quite a powerful platform and I will manage to configure whatever I need, even though it’s not the quick way with a Web GUI, but you guys are so amazingly
helpful and you are answering so quick, it’s really pleasant to witness the vibrant community here Makes me believe I didn’t make a mistake that I bought a Mikrotik…

Sweet post jaclaz!!

Hello, this command:

/interface/wifi/set wifi1 configuration.ssid=blablabla

seems to have killed it. My laptop doesn’t connect to the router anymore. My phone does connect, but cannot open the webpage (192.168.88.1).
Going for a factory reset now…

You really should be using winbox…

Yes, I just downloaded it. I managed to change the SSID and the password !! FIRST THING WORKED !!! OK, second thing. First thing that worked was the factory reset.
I got a big scared, as 2 guys complain that they were unable to reset their devices :-/

Now I am thinking how to remove the first ethernet port from the bridge and add it to WAN. Winbox says that I cannot delete an ethernet device.
I guess I’m gonna try the commands that were advised to me earlier in this thread. I hope I won’t need to do another reset.

@holvoetn - this command killed it again:

/interface bridge port remove [ find default-name=ether1 ]

so, going for a second reset (( Obviously Winbox knows why it says that the device cannot be deleted…

No, there Is something else.
Once you will have regained access to the device via Winbox, open a new terminal, issue only:
/interface bridge port
[ENTER]
the above will only change the current path of the CLI, the prompt should now include that path.

Then issue just the command:
export
[ENTER]

Then issue just the command:
print
[ENTER]

Copy and paste the output of these commands in your next post.

One can argue that the AX Lite LTE doesn’t really need (low-range) 5GHz Wi-Fi as you’re unlikely to be getting much more than 100Mbps on LTE6 and with a Wi-Fi 6 network adapter, 2.4GHz AX can reach this speed. It did surprise me a little when researching it but having used one now in the field (literally) several times, it’s more than adequate for its target use.

Hello guys,

it seems like I am through with my setup! In the end it looks like it took less time than I was afraid!
PLEASE I have one last request:

I really need that in case the VPN connection would go down for whatever reason, all connections should go into the nirvana and no connection without VPN would be allowed.
This is a link to the guide which I followed by the letter and it worked like a charm:

https://support.nordvpn.com/hc/en-us/articles/20398642652561-MikroTik-IKEv2-setup-with-NordVPN

Does it already provide this functionality or you would advise me some additional commands ? Many thanks!
I really appreciate your help! Thank you

Follow this:
http://forum.mikrotik.com/t/forum-rules/173010/1
and post your configuration, so that It can be checked.

You will need to post also the output of:
/ip address print
and of:
/ip route print
so that also Dynamic entries (coming from the LTE DHCP) can be checked.

Up to 400Mb even. Really.
(tested with AX Lite connected as station to AX3)