I just ordered a hAP ax³ and I am looking for some help.
The hAP will be connected to a VDSL2 modem. The ISP is 1&1 Versatel. They use PPPoE with VLAN 7.
So here are my questions:
1. How do I set up PPPoE with VLAN 7 correctly? Can I use the Quick Set?
1.1 Is the default firewall setup working with this VLAN 7, or do I have to tweak it?
1.3 I am considering using only IPv4, but I may need IPv6 only for the Xbox.
2. I would like to use VLANs to separate traffic for:
- PC using Ethernet
- Xbox A using Ethernet
- A management port using a laptop with Ethernet
2.1 Separate Wi-Fi with VLANs for:
- Laptop A
- Laptop B
- Xbox B using Wi-Fi 6
- Firestick
- Pi
- Pixel phone A
- Pixel phone B
- a guest network
- IoTs (is it a good idea to use a separate VLAN for every device?)
3. Will NAT be a problem for the Xbox?
3.1 How do I tweak for low latency?
In general I would like to separate the devices in the network as much as possible, so if you have a tip on how to achieve this, feel free to give some tips besides the VLANs.
Thank you very much for your time. I hope I can return the favour in the future.
I tried to use the docs to solve my questions on my own, but I really struggle. I know they may be silly questions, but I would really appreciate the support.
When you have the device, without touching anything, first upgrade to the latest "stable" RouterOS 7.17.2, then reset to defaults in System.
Do not touch Quick Set.
IPv6 must be supported by your ISP.
The default firewall is perfect.
NAT works perfectly with UPnP for the Xbox, if the hAP is the router.
The VDSL2 modem must be correctly configured as a bridge to use the hAP for authentication.
If this is not done correctly, you have double NAT and all the other related problems.
First make the hAP work, then think about IPv6, VLANs & Co.
First of all, thank you for your reply and your time.
I got dual stack, so IPv6 is supported. I got a dynamic public IPv4 address (which was a true fight to get); when I used IPv6 for testing, my ISP downgraded me to DS-Lite instantly. So I'm not sure if I am willing to risk activating IPv6 again. To be honest, I just have the idea that I will have less latency and more stable syncing while gaming with the Xbox on IPv6. Xbox Live uses Teredo when IPv4 is used, and I really don't like the idea of tunneling through my firewall.
Honestly, I don't have a lot of time for gaming, so I'm not willing to deal with connection issues. I would like to game without lag and delay. But it's not a top priority. Xbox network statistics give me 13 ms ping and 0% packet loss, so it should be possible.
The modem is in bridge mode.
You recommended using UPnP; I often read to avoid using UPnP, because it is considered a huge security risk. If it's necessary, is it possible to bind it only to the Xbox, maybe with a VLAN?
Thanks again.
Here is what I did:
- Switched off PoE on ether1
- Ran the terminal prompt from rextended
- Filled in the pppoe-wan username and password
- Had to configure DNS, because of a resolve error when trying to update
- Upgraded to 7.17.2
- Reset the configuration
- Switched off PoE on ether1
- Disabled IPv6
- Disabled IPv6 forward
- Changed user + password
- Disabled services: api, api-ssl, ftp, ssh, telnet, www, www-ssl
- Changed Wi-Fi name, SSID and password
- Ran the terminal prompt from rextended
- Filled in the pppoe-wan username and password
- Configured DNS
Not sure if I had to disable PoE, but I was afraid of damaging the modem.
Three things. One will help the other, with an overall PLAN, which is required.
1. Detail the requirements as you understand them:
a. identify all user(s)/device(s) (internal and external and admin)
b. identify all the traffic they need
You have a single WAN PPPoE, so that is known...
Do you have any VPN to the router, or are you doing any port forwarding?
If so, ensure you detail it above in 1 a., b.
2. Draw a network diagram that shows the ports and subnets/VLANs going out ports or WLANs.
3. Create and post your config once done:
/export file=anynameyouwish
(minus router serial number, any public WAN IP information, or user name etc.)
In terms of firewall rules, stick to the defaults, at least in the input chain for now. Keep chains together (all input and all forward); order within chains is also important.
In the forward chain, take the confusing default rule, remove it and then replace it with three rules for now, aka ready for future VLAN usage.

From:
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

To:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes
(enable it if required, or later remove it)
******************* -> Place any other needed traffic rules here, like VLAN to VLAN, shared printer etc. <- ***************************
add action=drop chain=forward comment="drop all else"
Before you start configuring anything, I suggest you take one port OFF the default bridge and we will set it up so you can access the config off the bridge, from a safe location.
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/ip address
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0
/interface list member
add interface=OffBridge5 list=LAN
With this in place, now plug your laptop into ether5 on the router. Change the IPv4 settings on the laptop to 192.168.77.2 and then use WinBox, entering the usual username and password, and you should have access to the config but off the bridge. This facilitates adding VLANs to the bridge and going away from the default 192.168.88 subnet etc. Also helpful when changing vlan-filtering to yes on the bridge.
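As an added example (not written by anyone in this thread), here is one RouterOS 7 fragment that ties the pieces discussed above together: PPPoE over VLAN 7 on ether1, the three-rule forward chain, the off-bridge management port, and UPnP limited to the PPPoE side plus one internal interface, as the OP asked. The names vlan7-wan and pppoe-out1 and the <...> placeholders are assumptions; everything else relies on the WAN/LAN interface lists and firewall rules of the RouterOS default configuration.

```routeros
# Added example (not from the thread). Assumes the RouterOS 7 default
# configuration is present (bridge, WAN/LAN interface lists, defconf
# firewall rules). Replace the <...> placeholders with your own values.

# ether1 is the uplink to the bridged VDSL2 modem; PoE-out off so the
# modem is never powered by the router.
/interface ethernet
set [ find default-name=ether1 ] poe-out=off

# 1&1 Versatel: PPPoE rides on VLAN 7, so the client binds to a VLAN
# interface on ether1, not to ether1 itself.
/interface vlan
add interface=ether1 name=vlan7-wan vlan-id=7
/interface pppoe-client
add name=pppoe-out1 interface=vlan7-wan user=<ISP-USERNAME> \
    password=<ISP-PASSWORD> add-default-route=yes use-peer-dns=yes disabled=no

# The defconf input rules and srcnat masquerade match on the WAN list;
# the PPPoE interface must be in it or it is not treated as untrusted.
/interface list member
add interface=pppoe-out1 list=WAN

# Forward chain: replace "defconf: drop all from WAN not DSTNATed" with
# the three rules from the post; defconf fasttrack/established/invalid stay.
/ip firewall filter
remove [ find chain=forward comment="defconf: drop all from WAN not DSTNATed" ]
add action=accept chain=forward comment="internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="drop all else"

# Off-bridge management port (ether5), kept in LAN so the defconf
# input rules still admit WinBox from 192.168.77.2.
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/ip address
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0
/interface list member
add interface=OffBridge5 list=LAN

# UPnP only between the PPPoE side and the Xbox's segment. <XBOX-SEGMENT>
# is "bridge" today or the Xbox VLAN interface once VLANs exist; hosts on
# any other interface cannot open inbound ports.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=pppoe-out1 type=external
add interface=<XBOX-SEGMENT> type=internal
```

Paste it section by section from the OffBridge5 WinBox session described above, and check /ip firewall filter print afterwards to confirm the three new forward rules sit below the defconf fasttrack and established/related rules.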