hAP^2 how extract firewall rules from an unencrypted backup?

Hello.
I’ve upgraded the firmware from 6.43 to 6.48 on my hAP^2. And my /ip firewall fliter become totally empty. Every other configuration remains on its place.
I have a backup, quite an old one, but I know it contains every firewall filter rules. I’ve tried to backup my current config with a blank firewall and then restore from an old backup in order to copy firewall config - and no luck. The router just reboots, and config remains the same.

Is is possible to extract firewall configuration from an unencrypted backup file and convert it to terminal commands?
I see some understandable ASCII-strings within the backup file, but it all surrounded by some binary data.

My workaround would be … make and save backup … downgrade ROS … restore the backup with firewall … “export” as terminal command … upgrade ROS … restore saved backup

The default firewall rules are available on the internet, but they are also in the default config of the hAP ac2 and can be extracted from that config. Or import your config on top of the default config.

I feel pretty insecure about doing these actions. It happens that we’re using this router in our remote office, and I will have really hard time if the router will brick or reset its config during some of these steps. Free flash memory is about 2 MB now (hAP^2 have only 16MB) and I’m afraid that I won’t be able to upgrade the firmware again due to such low flash memory capacity (I had to delete all my backups from the router itself in order to upgrade it to 6.48, and the new firmware consumed all the memory previously taken by backups).
I hope there’s some tool that just converts a backup to config.

The clue is … use export/import for major upgrades. With no action or backup/restore use smaller upgrade steps.

Only SMIPS devices have memory problems AFAIK. There has been a patch to mitigate that problem. http://forum.mikrotik.com/t/v6-47-10-long-term-is-released/149500/1

If it is the default set of firewall rules …

VERSION 6.44.5

]/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment=" drop all coming from WAN" in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

VERSION 6.48.3

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

You can try running x86 ROS in VM (make sure it’s same version) and restore backup to it.
Backup files are very much platform specific, but some stuff is common and you have nothing to lose (it’s just VM).
I have tried restoring backups across devices before and it somewhat worked. Common stuff (like firewall rules) was restored while platform specific settings (switch,interfaces,wifi) wasn’t. Even if you get partial or half broken ROS after restore, as long as you can access it with console to dump your precious firewall rules it’s fine…