After using a RB2011 for several years I just received my new L009UiGS-2HaxD-IN (L009). I have not started it for the first time yet, but my question would be: Can I update to the latest ROS version or should I update in several steps, regarding the factory-installed version?
Second question would be: The L009 has 8 ports, the RB2011 has 10. What would be the best way to connect both routers to expand my network?
The 2011 does not really have 10 ports; it has two sets of ports, 5 Gigabit and 5 100 Mbit, check the block diagram:
So it depends on how your network is cabled: if everything is 100 Mbit any would do; if it is 1 Gbit you will need to choose which ports to use.
Then it depends on which device will act as router (the other will necessarily be set up as a switch) and which kind of internet you have.
Of the two the L009 is a bit faster as router, so it makes sense to use it as router.
If your internet is delivered through ethernet, you could consider using a DAC to connect the two devices through the SFP cages.
About updating the RouterOS, it depends on which factory version you have, if it is below 7.12.1, you need to first upgrade to 7.12.1, and then update further to the wanted release (but the update tool should tell you that automatically).
The doubt is more whether you want to update to latest/latest, currently 7.20.2, as there are reports about it still having some rough edges, very likely not affecting "normal" configurations, but in any case check the release thread before:
jaclaz - thanks a lot. That helped me out and I will try to get it all to work! I already read about different problems with the current version. It seems different users are using 7.16.
If everything goes smoothly I will give some short feedback.
Concur, the L009, although a lightweight in routing, is still better than the older 2011.
Mipsbe compared to newer ARM, and the RAM on the L009 is I believe double. Thus you have more capacity and the ability to tap into more of RoS functionality. The question becomes how to turn the RB2011 into a switch, I guess?
FWIW I'm a fan of starting with the latest stable for a new device, unless you have specific information that something is broken. The release threads are always populated with issues, so it's a bit unrepresentative of the number of successful upgrades, since it's only problems that appear in threads. Another reason is MikroTik isn't always transparent about security fixes, and those are not backported, so the only choice is to use stable. And if you do happen to run into what appears to be a bug in 7.16, the first step would be to upgrade anyway.
I forgot to say that there are whole classes of devices that don't need 1 Gbit; they will be just fine on 100 Mbit ports (printers, cameras, IoT devices). Use the faster ones for PCs, NAS, etc.
@Amm0
Yep, hence the "doubt". The matter is debatable; what you probably are not taking into consideration is that, should an update be catastrophic (and I am not saying that 7.20.2 is particularly "bad"), you would probably need to netinstall, something that you can probably do blindfolded and with one hand tied behind your back, but that an inexperienced user may find daunting.
Okay - here is what I already did: exported and imported several configurations from the RB2011 to the L009, and everything seems to be alright so far. I am not finished yet. ROS factory-installed is 7.16.1. I decided to use the RB2011 as a backup router. I am running 3 Pi's (XMPP, PiHole, Asterisk PBX), 1 Linux box and probably 1 Win10 to use my Affinity Suite. Eventually I would buy another MikroTik box to expand to a second network. I read this post: Connecting 2 separate LAN's - #11 by CGGXANNX
So I managed to set up the L009 so far, but I am in trouble setting up WiFi. The WiFi interface is part of my LAN bridge, security is set to WPA2 PSK & WPA3 PSK. Clients can't connect - after trying to connect this message comes up: "Verbindung wird aufgebaut", which would be in English: "Connection is being established". That's it, nothing happens. Might that be a DNS failure?
Amm0 - It looks like my smartphone is not able to get an IP. The message is like: retrieving an IP address. So here is the output for "interface wifi connection print":
Disable what?
The WPA3?
Sure, at least for the test.
Only for the record (and not a critique, only a note): if you have BOTH
WPA2
and
WPA3
enabled, you have no added security whatsoever when compared to having ONLY
WPA2
Clients using WPA2 will be able to connect to the network in both cases, and clients that may use WPA3 will use WPA2.
I may be wrong, but no client exists that can do only WPA3; all of them support both WPA2 and WPA3. So if ALL your clients are capable of doing WPA3, then you can use WPA3 only (and thus network access will be more protected).
You can safely update your L009 directly to the latest ROS version - no need for step-by-step upgrades unless it's running a really old factory build. I'd still recommend backing up your config before proceeding.
As for expanding your network, connecting the RB2011 as a secondary device works great if you're experimenting or need additional LAN ports. You can set it up as a switch or access point depending on how you plan to route traffic.
I've done similar setups when testing custom firmware builds and hardware integrations - works quite smoothly once you disable DHCP on the secondary router.
So after trying for hours I found out that the WiFi interface is not the problem: when a client tries to connect, there is traffic shown on the WiFi interface. I am pretty sure that the DHCP server does not assign IP addresses to new clients. How I found out: all my clients use static IP addresses. I set my Linux Lenovo box to DHCP, deleted all old entries, saved and rebooted. It did not get a new IP address.
In the DHCP setup wizard there is no option for setting up IP ranges. I would be glad if someone could find a possible solution. Please excuse my possibly dumb questions - I'm in my late 60s, those things are getting harder to solve...
Here is the output of "ip/dhcp-server/export":
You probably saw no prompt for the address pool range in the wizard because your IP subnet is specified as /32. Is that intended for the bridge br_lan?
If not, and if what you wanted was /24, then modify the /ip address entry for br_lan to have 192.168.179.3/24 as address (instead of just 192.168.179.3).
Next you can remove the existing DHCP server and DHCP server network entries and rerun the DHCP Server wizard.
If, instead, you don't want to rerun the wizard, then don't remove the items, but do the following steps:
Create a pool with the desired address range:
/ip pool
add name=dhcp_br_lan ranges=192.168.179.100-192.168.179.254
Modify the DHCP Server Network entry, so that it has address=192.168.179.0/24.
Modify the DHCP Server server1 entry, so that it uses the pool dhcp_br_lan above.
CGGXANNX - you helped me out. The DHCP server is assigning addresses, but I don't have access to the internet, probably because of a missing filter rule. For now I only assigned some basic rules for securing the router.
Here is the export:
/ip firewall filter
add action=add-dst-to-address-list address-list=PORT-SCANNER \
address-list-timeout=1d chain=input comment="PORT SCANNER DETECTOR" \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="BLOCK PORT SCANNERS" src-address-list=\
PORT-SCANNER
add action=accept chain=input comment="Allow SSH from LAN" in-interface=\
br_lan protocol=tcp src-port=22
add action=accept chain=input comment="Allow WinBox from LAN" in-interface=\
br_lan protocol=tcp src-port=8291
add action=accept chain=input comment="ACCEPT New" connection-state=new
add action=accept chain=input comment="ACCEPT Established and Related" \
connection-state=established,related
add action=accept chain=input comment="ICMP Request from LAN" icmp-options=\
8:0-255 in-interface=br_lan protocol=icmp
add action=accept chain=input comment="ACCEPT DNS -UDP" in-interface=br_lan \
protocol=udp src-port=53
add action=accept chain=input comment="ACCEPT DNS -TCP" in-interface=br_lan \
protocol=tcp src-port=53
add action=drop chain=input comment="DROP everything else"
add action=log chain=input disabled=yes
Hope you can help me out one more time. For now "thank you a lot!!"
If that's all you have under /ip firewall, which means you have nothing in the NAT table /ip firewall nat, then it's normal that you cannot access the internet (missing NAT masquerade rule).
Also, the filter table that you posted above is unfortunately insecure, due to the presence of this rule:
It pretty much doesn't protect your router from incoming connections from the internet at all. For now you should remove ALL those firewall rules above, and use the default firewall configuration from MikroTik instead.
After having removed the rules above, look at the section "MikroTik RouterOS 7.18 default firewall rules" from this post:
and apply the content from there, both for IPv4 and IPv6. Please note that there are some changes to be made to these commands:
/interface list member
add list=WAN interface=ether1 comment=defconf
add list=LAN interface=bridge comment=defconf
You need to make adjustments if ether1 is not your WAN interface. Also, your bridge is not named bridge but (as above) br_lan, so adjust interface=bridge to interface=br_lan.
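As an added example (not from the thread and not MikroTik's own tooling), the Python script below parses a RouterOS export and checks for the problems raised in the DHCP reply and the firewall reply above: a /32 (or missing) prefix on the LAN bridge address, an input-chain rule that accepts new connections without any source restriction, service rules that match src-port where dst-port was evidently meant, and a missing srcnat masquerade rule. The embedded sample reuses the /ip firewall filter rules posted in the thread; the /ip address entry and the empty /ip firewall nat section are constructed for the example, and the finding codes are the script's own names.

```python
"""Audit a RouterOS export for the problems discussed in this thread
(added example; not part of the thread or of MikroTik's tooling)."""
import shlex

# Constructed sample: the /ip firewall filter rules posted in the thread,
# plus an /ip address entry and an empty NAT section made up for the example.
SAMPLE_EXPORT = r"""
/ip address
add address=192.168.179.3/32 interface=br_lan network=192.168.179.3
/ip firewall filter
add action=add-dst-to-address-list address-list=PORT-SCANNER \
    address-list-timeout=1d chain=input comment="PORT SCANNER DETECTOR" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="BLOCK PORT SCANNERS" src-address-list=\
    PORT-SCANNER
add action=accept chain=input comment="Allow SSH from LAN" in-interface=\
    br_lan protocol=tcp src-port=22
add action=accept chain=input comment="Allow WinBox from LAN" in-interface=\
    br_lan protocol=tcp src-port=8291
add action=accept chain=input comment="ACCEPT New" connection-state=new
add action=accept chain=input comment="ACCEPT Established and Related" \
    connection-state=established,related
add action=accept chain=input comment="ICMP Request from LAN" icmp-options=\
    8:0-255 in-interface=br_lan protocol=icmp
add action=accept chain=input comment="ACCEPT DNS -UDP" in-interface=br_lan \
    protocol=udp src-port=53
add action=accept chain=input comment="ACCEPT DNS -TCP" in-interface=br_lan \
    protocol=tcp src-port=53
add action=drop chain=input comment="DROP everything else"
add action=log chain=input disabled=yes
/ip firewall nat
"""

# Properties that limit where an input rule accepts traffic from.
SOURCE_RESTRICTIONS = ("in-interface", "in-interface-list",
                       "src-address", "src-address-list")


def parse_export(text):
    """Return {section: [{property: value, ...}, ...]} from export text.
    Lines ending in a backslash are joined with the next line first."""
    lines, pending = [], ""
    for raw in text.splitlines():
        part = raw.strip() if pending else raw.rstrip()
        if part.endswith("\\"):
            pending += part[:-1]
            continue
        lines.append(pending + part)
        pending = ""
    config, section = {}, None
    for line in lines:
        if line.startswith("/"):            # section header, e.g. /ip firewall filter
            section = line
            config.setdefault(section, [])
        elif section and line.startswith("add "):
            entry = {}
            for token in shlex.split(line)[1:]:   # shlex keeps quoted values whole
                key, _, value = token.partition("=")
                entry[key] = value
            config[section].append(entry)
    return config


def audit(config):
    """Return a list of (code, detail) findings."""
    findings = []
    # A /32 (or missing) prefix on the LAN address: the DHCP wizard cannot
    # derive an address range from a single-host subnet.
    for entry in config.get("/ip address", []):
        ip, _, prefix = entry.get("address", "").partition("/")
        if prefix in ("", "32"):
            findings.append(("HOST_ONLY_PREFIX",
                             f"{entry.get('interface')} has {ip}/{prefix or '32'}; a LAN needs e.g. {ip}/24"))
    rules = [r for r in config.get("/ip firewall filter", [])
             if r.get("chain") == "input" and r.get("disabled") != "yes"]
    for idx, rule in enumerate(rules):
        if rule.get("action") != "accept":
            continue
        name = rule.get("comment", "")
        # Accepting state=new with no source restriction lets any host reach
        # the router's services; a later drop rule never sees that traffic.
        if "new" in rule.get("connection-state", "").split(",") \
                and not any(k in rule for k in SOURCE_RESTRICTIONS):
            findings.append(("OPEN_INPUT_ACCEPT",
                             f"rule {idx} '{name}' accepts new connections from any source"))
        # Clients connect from ephemeral ports, so a service rule keyed on
        # src-port never matches them; dst-port was almost certainly intended.
        if "src-port" in rule and "dst-port" not in rule \
                and rule.get("protocol") in ("tcp", "udp"):
            findings.append(("SRC_PORT_SERVICE_RULE",
                             f"rule {idx} '{name}' matches src-port={rule['src-port']}"))
    # Without a srcnat masquerade rule, LAN clients get addresses but no internet.
    if not any(r.get("chain") == "srcnat" and r.get("action") in ("masquerade", "src-nat")
               for r in config.get("/ip firewall nat", [])):
        findings.append(("NO_SRCNAT", "no srcnat masquerade/src-nat rule"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{code}: {detail}")
```

Run against the sample it reports the /32 on br_lan, the unrestricted "ACCEPT New" rule, the four src-port service rules and the missing masquerade; run against an export where br_lan has a /24, the input chain only accepts new connections with an in-interface or source-list match, and srcnat has a masquerade rule, it reports nothing. Paste a real export (from /export) in place of the constructed sample to check your own device.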
Once you have done the changes CGGXANNX suggested, please post your COMPLETE configuration (anonymized if needed) for review; going by snippets is more complicated and often unproductive.