Reconfigure / Netinstall RB4011 w/ WiFi

I’m trying to re‑configure my RB4011iGS+5HacQ2HnD‑IN. It was running RouterOS 6.4x, then powered off for 4–5 years, and I recently upgraded it to the latest 6.x LTS. The old config (below) is several years old and probably messy.

I’d appreciate help understanding what the old config actually did, and how to rebuild it properly—ideally on RouterOS v7—with a secure, locked‑down setup.

Questions

1. Should I upgrade to RouterOS v7?
I mainly need stable, secure Wi‑Fi (2.4 GHz + 5 GHz). I’ve read about the new wireless packages and want reliability over features.

2. If upgrading to v7:

  • 2.1 Should I use the latest stable release or the LTS branch?

  • 2.2 Is a simple netinstall of the default v7 package enough, or do I need additional packages during installation?

Old configuration

3.1 What exactly did my old config do?
I remember having:

  • Two radios

  • Three networks (including a virtual WLAN for home‑office traffic routed through Pi‑hole)

  • WAN‑side packets were dropped

  • Pi-hole instance filtering the non‑virtual WLAN SSID traffic

  • Local services (SSH, etc.) restricted to W/LAN only

I want to recreate this securely, albeit locked down more (e.g. services, SSH etc. only via physical Ethernet).

4. Can someone help rebuild/clean this config for RouterOS v7 with:

  • No inbound WAN access

  • All services restricted to physical LAN ports

  • Same WLAN setup:

    • One SSID #1 on both 2.4 GHz + 5 GHz

    • One virtual WLAN with SSID #2 (preferably on both radios, or at least 5 GHz)

    • A Pi-hole instance for filtering the SSID #1 traffic

Old config is below.

# jun/14/2022 05:49:29 by RouterOS 6.47.9
# software id = -removed-
#
# model = RB4011iGS+5HacQ2HnD
# serial number = -removed-
/interface bridge
add admin-mac=mac_removed auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=country_removed disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge secondary-channel=auto ssid=WLAN_SSID_1 wireless-protocol=802.11 wmm-support=enabled
set [ find default-name=wlan2 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=germany disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=WLAN_SSID_1 wireless-protocol=802.11
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=-removed- wpa2-pre-shared-key=-removed-
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=VWLAN_SSID_2 supplicant-identity=MikroTik wpa2-pre-shared-key=-removed-
/interface wireless
add disabled=no mac-address=mac_removed_2 master-interface=wlan1 name=VWLAN_SSID_2 security-profile=VWLAN_SSID_2 ssid=VWLAN_SSID_2 wps-mode=disabled
/ip dhcp-server option
add code=6 name=option1_dns_external value="'8.8.8.8'"
/ip pool
add name=dhcp ranges=192.168.86.10-192.168.86.254
add name=pool-VWLAN_SSID_2 ranges=10.46.2.64-10.46.2.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=pool-VWLAN_SSID_2 disabled=no interface=VWLAN_SSID_2 name=server-VWLAN_SSID_2
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.86.1/24 comment=defconf interface=ether2 network=192.168.86.0
add address=10.46.2.1/24 interface=VWLAN_SSID_2 network=10.46.2.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server lease
add address=192.168.86.186 client-id=1:mac_removed_3 dhcp-option=option1_dns_external mac-address=mac_removed_3 server=defconf
add address=192.168.86.86 client-id=1:mac_removed_4 dhcp-option=option1_dns_external mac-address=mac_removed_4 server=defconf
add address=192.168.86.96 client-id=1:mac_removed_5 dhcp-option=option1_dns_external mac-address=mac_removed_5 server=defconf
/ip dhcp-server network
add address=10.46.2.0/24 dns-server=192.168.86.86 gateway=10.46.2.1 netmask=24
add address=192.168.86.0/24 comment=defconf dns-server=192.168.86.86 gateway=192.168.86.1 netmask=24
/ip dns
set servers=192.168.86.1
/ip dns static
add address=192.168.86.1 name=router.lan
/ip firewall address-list
add address=10.46.2.0/24 list=VWLAN_SSID_2
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.86.96 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface-list=WAN log=yes protocol=tcp to-addresses=192.168.86.96 to-ports=80
add action=masquerade chain=srcnat out-interface=VWLAN_SSID_2 out-interface-list=WAN src-address-list=VWLAN_SSID_2
/system clock
set time-zone-name=timezone_removed
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

TIA!
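One way to meet the "no inbound WAN access" and "services only on physical LAN ports" requirements on RouterOS v7, as an added example that is not from this thread or from MikroTik's defconf: the list name MGMT, the choice of ether2–ether5 as management ports and the reuse of the old 192.168.86.0/24 subnet are assumptions; adapt them to the rebuilt config.

```routeros
# Added example (not from the thread): RouterOS v7 excerpt that keeps the
# defconf WAN protection and limits router services to physical Ethernet
# ports. "MGMT", ether2-ether5 and 192.168.86.0/24 are assumptions.

# 1. Physical LAN ports that may reach router services (WLANs are not in it).
/interface list add name=MGMT comment="physical LAN ports only"
/interface list member
add interface=ether2 list=MGMT
add interface=ether3 list=MGMT
add interface=ether4 list=MGMT
add interface=ether5 list=MGMT

# 2. Let the IP firewall see which bridge port a packet arrived on.
#    Caveat: with use-ip-firewall=yes, bridged LAN-to-LAN traffic also
#    traverses the IP firewall, which costs CPU on the RB4011.
/interface bridge settings set use-ip-firewall=yes

# 3. Input chain: defconf ordering first, then SSH/WinBox only from MGMT
#    bridge ports and the LAN subnet; everything else to the router itself
#    (WAN, wlan1, wlan2 and the virtual WLAN included) is dropped.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp in-interface-list=LAN comment="ICMP from LAN only"
add chain=input action=accept protocol=tcp dst-port=22,8291 in-bridge-port-list=MGMT src-address=192.168.86.0/24 comment="SSH/WinBox from physical LAN ports only"
add chain=input action=drop comment="drop everything else to the router"

# 4. Forward chain, unchanged from defconf: no new connections from WAN
#    unless a dst-nat rule explicitly created them.
/ip firewall filter
add chain=forward action=drop connection-nat-state=!dstnat connection-state=new in-interface-list=WAN comment="drop all from WAN not DSTNATed"

# 5. Disable unused services and bind the remaining ones to the LAN subnet.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.168.86.0/24
set winbox address=192.168.86.0/24

# 6. MAC-level access and neighbor discovery only on the physical ports.
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/ip neighbor discovery-settings set discover-interface-list=MGMT
```

Apply it from a physical port on the MGMT list, since the final input drop will also cut off a session coming in over Wi‑Fi.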

The 4011 is a peculiar device, see:

You need to use the "old" wireless driver to have both radios (2.4 GHz and 5 GHz) working; the "new" wifi driver (wifi-qcom-ac) will only work with the 5 GHz radio.

If you remain with the same "old" wireless driver you don't need to change anything when you upgrade to 7.x; the upgrade process will normally keep your current configuration working as before.

If I were you I would do this in two steps.
First update to latest v6 version.
See that everything works as you wish (or post if you have issues).
Then think a bit about what advantages (if any) v7 might bring to your setup.
If none, you can stay on v6 for the moment.

Thanks for the reply!

Yes, I am aware of the packages and have already upgraded to 6.49.19 LTS, as I mentioned in my post.

But I suppose the RouterOS v7 lineup patched a lot more CVEs than v6.x, at least judging from the changelogs?

In all respects, letting the RB4011 float on v6 LTS a bit longer is also an option instead of outright moving over to RouterOS v7.

Would appreciate help regarding the routeros configuration though.

From 6.49.19 to v7.x the configuration (or at least most configurations) would be upgraded automatically, but of course it depends on whether you have a fairly "normal" configuration or one of those crazy ones with everything and the contrary of it (and the kitchen sink) that are sometimes posted on the forum.

The above does not cover an eventual change from /wireless to /wifi, but it shouldn't be that much of an issue to convert the settings manually, and this can, if wanted, be done later.

If you have scripts, they very likely need to be adapted, if not rewritten, as quite a few things have changed (BTW some changes are also between different v7 versions).

The real (good?) question is WHICH RouterOS version you want/need.

Latest-latest are a no-no as they are not (yet) fully-fully stable (IMHO).

You could want to go for LT, which right now is 7.21.4, but (personally) I would instead go for one that, while recent enough, has been reported as giving no particular issues (7.19.6 or LT 7.20.8).

There are not, AFAICR, particularly relevant fixes in more recent versions (while they do have added functionality for some non-common, AFAICT, parts, and it has to be seen whether these are compatible with the RB4011, i.e. ARM 32-bit, as many are more aimed at the ARM64 architecture).

Btw, why not 7.21.4 LTS though?

It is just too new for my personal tastes.

And it has been reported as having a few quirks (maybe they won't affect your setup, maybe they will); you need to judge for yourself:
V7.21.4 [long-term] is released!