Hey all, I’ve been poring through the documentation and can find steps to accomplish 1 thing but not a document that explains things well enough. I’ve reached the limit of many home routers (they lag and choke) and talked to a guy that does long wifi backhauls for our local baseball diamond (Go Flying Squirrels!) and he recommended Routerboard.
I have a 433AH with a R52nM intended to be used with 25/25 Fios and beaten to death with torrents, netflix, uploading large files as backup and eventually VPN use for me from work.
So far the steps I was able to put together are:
1 update RouterOS (currently on 4.11) UPDATED, now on 5.4
2 enable ether1 to be DHCP client to get IP and DNS from Verizon Fios. I set DHCP client on ether1
3 give gateway ip 192.168.1.1 in ip address list (in which section should I do this?)
4 bridge ether2 ether3 and wifi (is this right?)
5 enable DHCP server to give out addresses on pool 192.168.1.1/24 to bridge?
6 enable NAT with masquerading on bridge?
So what else am I missing? I figure if I can get enough detail I can piece together a good post with every step so people like me can set this thing up for basic use and only post with decent questions.
You will likely want to configure the firewall to at least protect the router; there are several user-submitted wikis on how to do this.
QoS is a nice feature, but it is a very complex one as well. It would not be very easy to cover it in a few posts. It’s better to read the documentation on it, watch videos and presentations, and once you have a basic understanding to ask questions.
As for your other questions:
3.) Assign it to the router under ip-> address. Since you want to bridge ether2 and ether3 together, then assign the IP to the bridge.
5.) Make an ip->pool with your addresses you want handed out by DHCP. Make a DHCP server on the bridge and assign it the pool. Set up DHCP Server Network as well.
6.) Set up the appropriate Firewall NAT rules for the private subnet to the public internet.
I just went through this whole exercise for my own home LAN.
Things you might consider adding:
IPv6, including an IPv6 firewall. You can get a free tunnel from several places. I use tunnelbroker.net. If you have a dynamic IP on your WAN side, there’s a script you can run on the wiki that will update the tunnel when your WAN IPv4 changes.
There’s a script that will write static DNS entries in a fake top level DNS domain for the DHCP client IDs. So you can ping local hosts by name rather than having to remember their addresses.
L2TP VPN. What wasn’t documented was what you had to configure in the firewall for it to work. I had to pass UDP ports 500, 1701, 4500 and protocol 50 (ipsec-esp) in the ‘input’ chain. Other than that, the advice in the wiki worked. Works beautifully with my Macs and iOS devices. If I had had this up a few weeks ago, I’d have been able to use Netflix instant watching while I was in Ottawa.
It was pointed out to me in a neighboring thread that the default firewall rules don’t have anything in the ‘forward’ chain. Relying on NAT alone for security is probably not for the best. You’d probably do well to copy the input chain rules present by default to the forward chain. You’d certainly need to do this for IPv6, where there is no NAT to “protect” you.
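Putting the steps from the first post, the answers to 3/5/6, and the input/forward firewall advice above into one RouterOS CLI listing, as an added example that is not from any of the posters. Assumed names: ether1 is the WAN port to the Fios ONT, ether2/ether3 are LAN, wlan1 is the R52nM card, bridge1 is the LAN bridge, and the pool range is a constructed choice inside the 192.168.1.0/24 LAN from the original post.

```routeros
# Added example (not from the thread): RouterOS CLI for the basic home setup in
# the posts above plus the firewall hardening in the last post. Assumed names:
# ether1 = WAN to the Fios ONT, ether2/ether3 = LAN, wlan1 = the R52nM card,
# bridge1 = the LAN bridge. 192.168.1.0/24 is the LAN from the original post.

# Step 2: WAN gets its address, default route and DNS from the ISP.
/ip dhcp-client add interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no

# Step 4: one bridge for the wired and wireless LAN ports.
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=wlan1

# Step 3: the router's LAN address goes on the bridge, not on a member port.
/ip address add address=192.168.1.1/24 interface=bridge1

# Step 5: pool (router's own .1 excluded), DHCP server on the bridge, and the
# DHCP "network" entry that hands clients their gateway and DNS server.
/ip pool add name=lan-pool ranges=192.168.1.10-192.168.1.254
/ip dhcp-server add name=lan-dhcp interface=bridge1 address-pool=lan-pool disabled=no
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
/ip dns set allow-remote-requests=yes

# Step 6: masquerade LAN traffic as it leaves the WAN interface.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# Firewall, input chain (protects the router itself). Rule order matters.
/ip firewall filter add chain=input connection-state=established action=accept
/ip firewall filter add chain=input connection-state=related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input protocol=icmp action=accept
# L2TP/IPsec ports from the last post (IKE, L2TP, NAT-T, ESP); only if you run the VPN.
/ip firewall filter add chain=input protocol=udp dst-port=500,1701,4500 in-interface=ether1 action=accept
/ip firewall filter add chain=input protocol=ipsec-esp in-interface=ether1 action=accept
# Everything else arriving from the WAN is dropped; LAN traffic still reaches the router.
/ip firewall filter add chain=input in-interface=ether1 action=drop

# Firewall, forward chain (the part the default rules leave empty): same shape
# as input, so NAT is not the only thing keeping unsolicited WAN traffic off the LAN.
/ip firewall filter add chain=forward connection-state=established action=accept
/ip firewall filter add chain=forward connection-state=related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop
/ip firewall filter add chain=forward in-interface=ether1 action=drop
```

Wireless settings for wlan1 (SSID, security profile) and the IPv6 tunnel and firewall mentioned above are not covered here; check the result with `/ip firewall filter print` and `/ip dhcp-server lease print` before relying on it.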