internet LTE backup

RouterOS Beginner Basics
1

Hi,

I currently have a network with a RB1100AHx4 router and CRS328 switch.
Router has a WAN connection on eth3 to the internet.
Switch is connected to the router with a trunk port with multiple vlans.

Since my internet has been going down regularly I am looking to add a backup LTE internet connection.

I am looking for advice on how to best configure this.
The LTE kit would be connected to the switch to use PoE.

Option 1:
Use LTE kit as a router and configure RB1100AHx4 eth1 with DHCP client.

Downside I see here is that I would like the RB1100AHx4 to do all the firewall rules.
In this setup the LTE kit would be responsible to mascarade the trafiic.

Option 2:
Use LTE kit in passthrough mode (if the kit supports it)
https://help.mikrotik.com/docs/spaces/ROS/pages/30146563/LTE#LTE-PassthroughExample
I am looking for help how I could configure this.
Is it just as easy as configuring a new vlan on CRS328 eth1, eth2 + RB1100AHx4 eth1?

Can anyone point me in the direction of some documentation (of other forum post) on how to achieve this?

Thanks in advance!
lte.png

2

The Wap LTE kit is discontinued:
https://mikrotik.com/product/wap_lte_kit

The successor is the 2024 version:
https://mikrotik.com/product/wap_lte_kit_2024
which however still has 16 Mb of storage (that has been found as “tight” for Ros 7.x)

For the same money, and depending on what other features you need, the Ax Lite Lte6 is a better bang for the buck:
https://mikrotik.com/product/hap_ax_lite_lte6
since it has 128 Mb (it is also faster on the LTE side and is wi-fi 6, even if only 2.4 GHz)

Personally (but this is not necessarily good advice) I would setup it in such a way that for all that matters it is a self-standing router, i.e. a sort of black box that you configure once and then just leave alone, as if it was a media converter, all you need to know once this is done is its IP address and set that as gateway on the “main” router as failover, your RB1100AHx4.
I wouldn’t even complicate the setup with a DHCP server and client on the RB1100AHx4, just set a couple of static /30 addresses and be done with it.
About firewall, I would keep on the LTE device the standard input chain (to make life more difficult for attackers looking for the Mikrotik LTE device), remove the forward ones and let the RB1100AHx4 deal with those, as if it was a third party router/adapter.
It is true that with such a setup you will have double NAT, but (in my perverted mind) this is not a real issue.

3

Hey

Option two is definitely an option. I’m doing it myself…

Not that hard either:

  • configure vlan on LTE kit
  • configure LTE with passthrough
#for v6:
/interface vlan
add interface=ether1 name=vXXX vlan-id=XXX
/interface lte apn
set [ find default=yes ] apn=<apn> authentication=pap passthrough-interface=vXXX passthrough-mac=auto password=<pass> user=<user>
  • on CRS switch you propagte that vlan to firewall
  • on firewall you create a vlan interface with dhcp client on it
  • firewall / routing / …
4

IMO both routing (option 1) and passthrough (option 2) are valid. Now speeds should be similar regardless, since LTE6 theoretical max speed is well within the routing limits of even 16MB wAP or hAP. The benefit of option 1 (routing) is the LTE backup can actually function independently via it’s Wi-Fi if needed or be a VRRP backup router for VLANs, which in some cases is handy. But option 2 (passthrough) is in many ways simpler and centralizes firewall in one place.