NAT not working...

Alfista · Tue Jan 19, 2021 10:33 am

Hi,

I have a RB750GL router with 6.47.2 which is completely set and was working in previous WAN connections.
Now I have change the connection to the PPPoE and after that the NAT will not work.

please is possible to tell me where I have the problem?

evince · Tue Jan 19, 2021 11:06 am

Hello, take a look at your masquerade rule, maybe out-interface is wrong.

Alfista · Tue Jan 19, 2021 11:33 am

Hi Evince,

I have set as I have it before and it was working:

add action=masquerade chain=srcnat src-address=10.0.10.0/24

And as I see, this NAT is working and over it are going data.

But this NATs are not working:

add action=dst-nat chain=dstnat comment=DNS dst-port=53 in-interface=\
    "Orange Optic" protocol=tcp to-addresses=10.0.10.241 to-ports=53
add action=dst-nat chain=dstnat comment=DNS dst-port=53 in-interface=\
    "Orange Optic" protocol=udp to-addresses=10.0.10.241 to-ports=53
add action=dst-nat chain=dstnat comment=HTTP dst-port=80 in-interface=\
    "Orange Optic" protocol=tcp to-addresses=10.0.10.241 to-ports=5678
add action=dst-nat chain=dstnat comment="HTTP - Synology WEB Access" \
    in-interface="Orange Optic" protocol=tcp src-port=5678 to-addresses=\
    10.0.10.241 to-ports=5678
add action=dst-nat chain=dstnat comment=HTTPS dst-port=443 in-interface=\
    "Orange Optic" protocol=tcp to-addresses=10.0.10.241 to-ports=5679
add action=dst-nat chain=dstnat comment="HTTPS - Synology Web Access" \
    dst-port=5679 in-interface="Orange Optic" protocol=tcp to-addresses=\
    10.0.10.241 to-ports=5679
add action=dst-nat chain=dstnat comment="Synology Cloud" dst-port=5000-5001 \
    in-interface="Orange Optic" protocol=tcp to-addresses=10.0.10.241 \
    to-ports=5000-5001
add action=dst-nat chain=dstnat comment="Synology Cloud" dst-port=6690 \
    in-interface="Orange Optic" protocol=tcp to-addresses=10.0.10.241 \
    to-ports=6690

and are the same settings as on working old connection.
Only difference is that the old was WAN and the new one is PPoE over the same LAN port.

Thanks.

erlinden · Tue Jan 19, 2021 12:15 pm

I was expecting an masquerade rule with an Out. Interface (List) specified. And I think the src-address can be left empty.
Are you sure you want to have your DNS server publicly available?

Alfista · Tue Jan 19, 2021 12:36 pm

Hi Erlinden,

Ok and what should I choose in the out. Interface (list)? - LAN, Wan, all, dynamic, none and static

The DNS isn't needed to be public, I thing the NAT can I deactivate, but the others are needed to work.

Thanks.

Sob · Tue Jan 19, 2021 12:42 pm

Is "Orange Optic" the old interface or the new one? If it's the old one, it would be clear why it can't work. If it's the new one, are you sure that it still has public address?

Alfista · Tue Jan 19, 2021 12:50 pm

Hi Sob,

the Orange optic is the new one and has a public IP. I use still the same LAN port for connecting to the Orange network as before. Only difference is that now is it over PPPoE and before was a standard WAN. I have asked by the provider for a static one.

Sob · Tue Jan 19, 2021 1:01 pm

Ok, so interface "Orange Optic" is PPPoE interface, that would be correct. If you're sure that you have public address (it's not to underestimate you personally, but it sometimes happens that users get this part wrong), what about counters for these rules? Is there anything or all zeroes? If there's at least something, then there are some incoming connections and problem could be in firewall filter, e.g. if they were previously allowed by original interface. If there's nothing, then are you really sure that you have public address? :)

erlinden · Tue Jan 19, 2021 1:51 pm

Ok and what should I choose in the out. Interface (list)? - LAN, Wan, all, dynamic, none and static

You can choose either the interface "Orange Optic" or the interface list WAN (assuming the interface is added tot the list as WAN).

Alfista · Tue Jan 19, 2021 3:31 pm

Hi Sob,

the counter for NAT are all 0 only masquerade shows data change.
yes I have the public address I can ping it from outside.
And in the filters I have these:

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related disabled=yes
add action=drop chain=input disabled=yes in-interface-list=WAN

What i don't understand, is that this isn't a first change of the provider, and each time was it working after the change with minimal changes on WAN port. But this is the first time what its over PPPoE and this time it will not work :-( and all NAT and other settings are the same.

Alfista · Tue Jan 19, 2021 3:39 pm

Hi Erlinden,

I have change it to the WAN, but no change. Its the same.

erlinden · Tue Jan 19, 2021 3:44 pm

I have change it to the WAN, but no change. Its the same.

Can you please post your configuration here:
/export hide-sensitive file=anythingyoulike

Alfista · Tue Jan 19, 2021 4:00 pm

Hi Erlinden,

so small change with the masquerade on WAN will not work some services over VPN.

The Settings are added.

erlinden · Tue Jan 19, 2021 4:08 pm

Can you change

add action=masquerade chain=srcnat src-address=10.0.10.0/24
add action=masquerade chain=srcnat disabled=yes src-address=10.20.11.0/24

to:

add chain=srcnat action=masquerade out-interface-list=WAN

Sob · Tue Jan 19, 2021 6:01 pm

But in your config, interface "Orange Optic" is ethernet. PPPoE is named "PPPoE-Orange". So you need in-interface=PPPoE-Orange in dstnat rules.

Alfista · Wed Jan 20, 2021 1:29 pm

Can you change

add action=masquerade chain=srcnat src-address=10.0.10.0/24
add action=masquerade chain=srcnat disabled=yes src-address=10.20.11.0/24

to:

add chain=srcnat action=masquerade out-interface-list=WAN

OK have done it.
Will be a problem with the disabled Masquerade? Is needed to delete it or it can be disabled?

Alfista · Wed Jan 20, 2021 1:31 pm

But in your config, interface "Orange Optic" is ethernet. PPPoE is named "PPPoE-Orange". So you need in-interface=PPPoE-Orange in dstnat rules.

Hi Sob,

I was in it that when I use the Orange Optic what is a ethernet port it will be OK as when ok it is working the PPPoE connection.

erlinden · Wed Jan 20, 2021 2:06 pm

OK have done it.
Will be a problem with the disabled Masquerade? Is needed to delete it or it can be disabled?

Disabled is disabled...so it won't interfere.

Is both masquerade and port forwarding working now?

Alfista · Wed Jan 20, 2021 4:06 pm

Hi Erlinden,

yes, now its working after I also changed the NAT interfaces to PPPoE too.
But please can you tell me for what is needed the masquerade and what is the difference between my settings and yours?

Now only have problems with DNS used locally in my environment :-)

Thanks.

erlinden · Wed Jan 20, 2021 5:28 pm

Masquerade is for handling NAT.

Sob · Wed Jan 20, 2021 7:20 pm

When you use PPPoE to access internet, then PPPoE interface is the actual WAN interface. Ethernet interface is just where PPPoE packets go, but everything from/to internet is inside PPPoE.

As for outgoing NAT/masquerade (which is what hides your whole LAN behind one public address), all these variants are just different ways how to do the same thing (mostly):

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
add chain=srcnat action=masquerade out-interface=PPPoE-Orange
add chain=srcnat action=masquerade src-address=10.0.10.0/24

First two do exactly same thing, because PPPoE-Orange is member of WAN list. The difference is only when you'd change WAN interface again, with the first one it would be enough to update just WAN list (you can use the same for your dstnat rules, i.e. in-interface-list=WAN instead of in-interface=PPPoE-Orange). Last one will have same effect for connections from LAN to internet, but it also affects other connections, in your case from LAN to VPN clients, which you probably don't want.

One more thing, in the config you posted, your firewall is basically non-existent, it would be good idea to do something with that.

Alfista · Fri Jan 22, 2021 9:53 am

Hi All,

I have now find that the VPN in this new setting doesn't work correctly.
I can connect over VPN to the network but have only access to the router and devices which has also an external access.
I don't understand it :-(. When I added back the:

add chain=srcnat action=masquerade src-address=10.0.10.0/24

all is working over VPN as should.
Do you thing that I can both setting mix in one, that there is as WAN and the IP subnet too?

OK if I understand correctly all NAT-ing doesn't work when it doesn't start with the masquerade. And it must be the first one in the NAT table.

Which affects it has on the VPN clients? Its the problem that I actually have?
Also would like to know what is needed to add when I will have access from some other VLANs access to the Internet?

And what you mean that I don't have the firewall? I was in it that the NAT is a part of firewall and its running?
When not, what is needed to do or add that its present and working?

Thanks to all.

Sob · Fri Jan 22, 2021 2:54 pm

You use addresses from LAN subnet also for VPN clients. Problem is that when device sees address from same subnet as it has itself, it expects it to be directly reachable. But it's not true for VPN clients, because they are behind router. The fix for that is to enable proxy ARP on LAN interface, in your case Bridge1 (also the address 10.0.10.1/24 should be on Bridge1 and not on "Local 1").

Your original masquerade rule works around this, because it affects anything passing through router, when the source address is 10.0.10.x, so it covers both directions (LAN->VPN, VPN->LAN). If you check addresses, you'll see that in both cases the target device sees source address of router and not real source address of client.

And the firewall, you have this:

/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related disabled=yes
add action=drop chain=input disabled=yes in-interface-list=WAN

The chain=input is only for traffic to router itself, it allows icmp and established connections, and then it allows everything else, because action=accept is default when no other rule matched. So everything is wide open. You limit access to WinBox and others in IP->Services, so it's not that bad. But for example, router is open DNS resolver, which is not good. It's better to close everything that doesn't need to be open. And for traffic passing through router (chain=forward) you don't have anything at all, so everything is allowed.

The basic idea is to have something like:

/ip firewall filter
add action=accept chain=forward connection-state=established,related,untracked comment="allow established, related and untracked"
add action=drop chain=forward connection-state=invalid comment="drop invalid"
# things to allow:
add action=accept chain=forward in-interface-list=LAN comment="allow everything from LAN"
add action=accept chain=forward connection-nat-state=dstnat comment="allow forwarded ports"
...
# end of things to allow
add action=log chain=forward comment="log what will be blocked; use before enabling the last reject rule"
add action=reject chain=forward disabled=yes reject-with=icmp-admin-prohibited comment="block everything else"

So allow only known stuff that should be allowed, and block everything else. And similar for chain=input.

Alfista · Fri Jan 22, 2021 4:51 pm

Hi Sob,

VPN - OK if I understand, I need to use another IP pool range for it. This isn't a problem, I have there prepared another Pool which I can use for it. But please can you show it exactly, while I have some trouble to follow you.

Masquarede - When I look on the client I see there two IPs from the pool for VPN. By this when I give it as you tell me, will I be over VPN access the network as I were in the network directly connected?

Firewall - OK I will try to set it as you described it below (your code). Will see it will work and if I will not have any conflicts or other problems.

For understanding - I have this router longer but before it was configured by another guy, but its away so I need now to configure it and Im beginner in it and learn it.

Thanks.

Sob · Fri Jan 22, 2021 5:52 pm

VPN is already not exactly as if you'd be directly connected. And if you use different subnet (which is otherwise fine), it will be even further from that. What I meant is to find interface Bridge1 and change its ARP option from default "enabled" to "proxy-arp". Then you can keep same subnet and it will work.

Alfista · Mon Jan 25, 2021 11:05 am

VPN is already not exactly as if you'd be directly connected. And if you use different subnet (which is otherwise fine), it will be even further from that. What I meant is to find interface Bridge1 and change its ARP option from default "enabled" to "proxy-arp". Then you can keep same subnet and it will work.

Hi Sob,

OK and should I by these settings use the Pool for VPN in another range as that I have for the whole network?

I have tried it, but when I have used the another Pool (L2TP Pool), then I wasn't able to connect to nothing in local network. Only when I use the Pool in the same subnet so I'm able to connect. Even I have set the ARP to "proxy-arp"
When I use the VPN Pool all is working, only I have problems with the printer, which I hoped it solve me.

Thanks.

Sob · Tue Jan 26, 2021 2:42 pm

If you have same subnet, you need proxy ARP. If you have different subnets, you don't need proxy ARP.

Problems with different subnets are elsewhere, they can be on both client and server side. If client doesn't use VPN as default gateway, you have to add route to remote LAN, it doesn't happen automatically. And when you're connecting to remote LAN from client, device in LAN sees packets from different, non-local subnet. And some systems (Windows for example) don't allow connections from other subnets by default. So if it should work, you'd have to allow access from VPN client's subnet on each device in LAN. Because of this, using same subnet can be easier.

Alfista · Thu Jan 28, 2021 2:47 pm

Hi Sob,

Please can you help me to set the VPN ( I use IPSEC over L2TP) that i work, while I can connect to VPN but after the last improvements you have suggest me, I can't connect to anything on the network.
And is possible to set it so that I can print over VPN to the printer in the local network?

I attach the actual config that you can see all settings.

Also would like to know if is possible to set the the Input filter which logs blocked connection can be saved to the file, while I can see now only about last 50 records over the log menu.

Thanks.

RoutreSettings2.rsc

Sob · Thu Jan 28, 2021 6:11 pm

Think about it a little bit, it's not difficult. Don't just copy and paste something you don't understand.

Rules are evaluated from top to bottom and first matching rule is used. So you have:

1) allow established, related and untracked - standard rule to allow packets for existing connections
2) drop invalid - standard rule to block packets with invalid state
-- from this point, the only connection state is "new", all others are handled by previous rules --
3) allow everything from LAN - LAN->internet, LAN->VPN, ... in short, LAN->anywhere
4) allow forwarded ports
5) log what will be blocked
6) block everything else

If you want to connect from VPN clients to LAN, and it doesn't work, it should be obvious what's missing. Yes, it's a rule that will allow it:

/ip firewall filter
add chain=forward in-interface=all-ppp out-interface-list=LAN action=accept

And it must be placed correctly. Anywhere before #6 would work, but best place is probably between #3 and #4.

Another thing, now you have firewall in forward chain, that's for packets passing through router. But still nothing for router itself. And you want that too. For example this would be a starting point:

/ip firewall filter
add action=accept chain=input comment="allow established, related and untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow everything from LAN" in-interface-list=LAN
add action=accept chain=input comment="allow IPSec (IKE)" protocol=udp dst-port=500,4500 action=accept
add action=accept chain=input comment="allow IPSec (ESP)" protocol=ipsec-esp action=accept
add action=accept chain=input comment="allow L2TP" ipsec-policy=in,ipsec protocol=udp dst-port=1701 action=accept
# ... add other allowed things here
add action=log chain=input comment="log what will be blocked; use before enabling the last reject rule"
add action=drop chain=input disabled=yes comment="block everything else"

With this it's really important to make sure that you're able to connect to router (new connection), before you enable the last rule, otherwise you can lock yourself out.

Other things:

- Yes, printing should work if correctly configured, which means that you can't use any kind of autodiscovery that works only in LAN, VPN clients need to connect directly to printer's address.
- You can save logs to disk (it's configured in System->Logging), but you probably don't want that, because you'll end up with tons of useless info. Even logging that stuff to memory is useless most of the time. It's mainly useful when you're trying to debug something and watching it.

Alfista · Fri Jan 29, 2021 10:58 am

Hi Sob,

thanks for help. You have right, I have copied it while i'm new in programming Microtik but with your help I have learned many much.

So if I understand, there is very needed to follow the order, otherwise it will not work?
OK I will addf the 3 new rules at the exact place.

There isn't a problem with auto discovery I thing it will not be needed. I try to set all directly over IP's.

About the log, I understand it. Isn't there any parameter that it will ne save only to one file with limited size to prevent to fullfill the disk?

Thanks.

Sob · Fri Jan 29, 2021 3:53 pm

Order of rules is important. As I wrote, they are processed from top to bottom. For example, if you'd move the last blocking rule to top, it would block everything and no other rule would be ever used. If you'd move the first rule (accept established & etc) to bottom, but still before the blocking rule, it would work, but it wouldn't be efficient, because router would have to check every packet against all preceeding rules. And you don't want that, because it's too much unnecessary work for router. You want most used rules at the top.

Logging is configured in System->Logging. You can add new rule for "firewall" and some selected prefix, which you'd also use in logging rules. And logging to disk can be configured in Actions. But I still think that you probably don't want it. In forward there shouldn't be too many things anyway. And input would log tons on robots trying to find open ports on your router, which is useless info for you. And even if it doesn't fill the flash, it wears it out unnecessarily.

Alfista · Sat Jan 30, 2021 6:46 pm

Hi Sob,

thanks for all, with your help all is now working and I have many learned from you.
I have added the codes:

add action=accept chain=input comment="allow IPSec (IKE)" protocol=udp dst-port=500,4500 action=accept
add action=accept chain=input comment="allow IPSec (ESP)" protocol=ipsec-esp action=accept
add action=accept chain=input comment="allow L2TP" ipsec-policy=in,ipsec protocol=udp dst-port=1701 action=accept

but I have two question to it:
- Why are there two action=accept (one on beginning and one on end).
- Why the "allow IPSec (ESP)" and "allow L2TP" have the same order number 4.

Thanks.

Alfista · Mon Feb 01, 2021 1:19 pm

Hi Sob,

I have tried today connect over VPN, but it doesn't work.
When I wrote you I have tried to connect when I was in local environment and used connection over mobile internet to test it and it works, but today when I tried to connect from other place where it works before, now it doesn't work. I connect to VPn but can't access any device in the local environment except the router.

I have from ping the answer:

Request timeout for icmp_seq 42
92 bytes from 10.0.10.101: Communication prohibited by filter
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 bb06   0 0000  3f  01 973a 10.0.10.120  10.0.10.241

And also when I go to the Interfaces-L2TP interface and put the torch button then I see there that I don't have there any IP addresses (even Dst or Src) and in PC I have IP but I miss there the Mask, the Router Ip is the same as my IP and in the DNS is the first DNS Ip from the Pool range which I have set for the VPN (VPN Pool).

Please can you help me and tell me where can be the problem?
I'm very frustrated from it :-( and need it to work.

I have also attached actual settings. Hope it helps.

RoutreSettings3.rsc

Thanks.

Alfista · Sat Feb 06, 2021 4:50 pm

Hi Sob,

I have one last question to the settings.
When I have look on the router settings I found there this:

/interface ethernet
set [ find default-name=ether2 ] l2mtu=1520 mac-address=00:0C:42:BE:92:E5 \
    name="Local 1" speed=100Mbps
set [ find default-name=ether3 ] l2mtu=1520 mac-address=00:0C:42:BE:92:E6 \
    name="Local 2" speed=100Mbps
set [ find default-name=ether4 ] l2mtu=1520 mac-address=00:0C:42:BE:92:E7 \
    name="Local 3" speed=100Mbps
set [ find default-name=ether5 ] l2mtu=1520 mac-address=00:0C:42:BE:92:E8 \
    name="Local 4" speed=100Mbps
set [ find default-name=ether1 ] l2mtu=1520 mac-address=00:0C:42:BE:92:E4 \
    name="Orange Optic" speed=100Mbps

All network ports have set 100Mbps even they are 1Gbps and when I looked at the actual connecting speed which is also !gbps.

Please can you tell why its there and if its needed to set it correctly and how.

Thanks.

mkx · Sat Feb 06, 2021 5:26 pm

Usual execution of export command only shows settings different than bare minimum default. For ethernet ports current default (export verbose) is

set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=enabled arp-timeout=auto \
    auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 \
    loop-protect=default loop-protect-disable-time=5m loop-protect-send-interval=5s mac-address=\
    B8:69:F4:20:A5:49 mtu=1500 name=ether1 orig-mac-address=B8:69:F4:20:A5:49 \
    rx-flow-control=off speed=1Gbps tx-flow-control=off

So if your port has setting speed=100Mbps (which used to be default up to ROS version around 6.42), it will be shown in usual export. However, that setting is only relevant when auto-negotiation=no ... which in your case is not or else it would be shown in export.

BTW, decreasing l2mtu from default 1598 probably doesn't make any sense, potentially can cause problems.

Alfista · Mon Feb 08, 2021 10:25 am

Hi MKX,

in the settings over the Winbox or Web I have set all up to 1000M-full, so then its OK, without any problems?
I have set the auto-negotiation=yes.
I have the version 6.47.2 but thing about to upgrade it to the latest actual version.

I doesn't change the MTU, but it may be was done by previous colleague and I learn this system only. You thing that I should change it back to default?

Thanks.

mkx · Mon Feb 08, 2021 1:54 pm

I think your settings (auto-negotiation enabled and advertised all speeds) are fine. Also l2mtu of 1520 should be just fine for now. Just keep in mind to check all ethernet settings if something breaks ...

The thing about ROS versions I mentioned: when upgrading ROS version, settings are not changed (to new defaults), only if there's some radical change in ROS architecture. So your ethernet settings (with speed=100M) is either left-over from distant past (if your current setup originates from that age) or somebody was trying to achieve something and did not revert to defaults after seeing it doesn't work. Anyway, current defaults are applied only if one performs reset with factory defaults which is not something one does just like that.

Alfista · Sat Feb 13, 2021 2:55 pm

Hi MKX,

I thing I should have somewhere a problem, while I have 1Gbps Internet connection but can get from it only 200Mbps from router when I tested the speed over the bandwidth test in router and 120Mbps when I tested it over speediest.net.

I have the RB750GL with ROS 6.47.2. Should I also upgrade to the latest one?

When I have change the l2mtu to 1598 on the network port for internet connection - Orange optic, where is the PPPoE then the PPPoE wasn't able to connect.

Please is possible to help me what I need to check and set that I can get from it 1Gbps as I should?

Thanks.

mkx · Sat Feb 13, 2021 3:39 pm

The router you have is old and slow. Check official test results ... the most real-life numbers are usually under "Routing - 25 ip filter rules - 512 byte [packet size]".

As you have 1Gbps internet connection, you'll need a newer and faster device. Search for one through product pages and verify test results. Device with pretty good price/performance ratio and can just route at 1Gbps (give or take) is hAP ac2. A bit pricier but even faster router is RB4011 (it comes in both wired and wireless versions). Another candidate would be RB450Gx4 (it's a decent router board, you need to add case), its routing speed is same as hAP ac2, but has larger storage and RAM (both come handy in certain use cases).

Alfista · Sat Feb 13, 2021 4:09 pm

Hi MKX,

Ok understand, so the speed doesn't depends on connection type or protocol, but only on the CPU, RAM and its processing capabilities.
I have seen the test results of the my and was terrible less then 200Mbps :-(.

OK then I need to look on the new one. And is possible to import there my actual settings without any problems?
Can restore from .rcs file or is possible only from the .backup file?

Can I ask you something? Is possible to look at my settings and tell me what is needed to improve or remove that I can then use it in the new one without lowering its speed?

Thanks.

anav · Sat Feb 13, 2021 5:13 pm

There is no point considering the hapac2, as it has wifi of the old ilk.
Reading the tea leaves, the hapac3 however has the capacity to receive the wifi of the new ilk (catching up to the rest of the worlds old stuff).
Better specs all the way round. Most importantly it should easily handle 1gib connection.

If you solely want a wired router, this is still a decent option, turn wifi off, for $99us.
The RB450Gx4 is a board (need to buy case) that also fits the throughput requirement also at $99
The main difference besides not wireless is more CPU memory

hapac3
Ram - 256mb
Storage - 128mb

RB450g
Ram - 1gig
storage -512Mb

The step up as noted is the RB4011 which can easily handle throughput for whats after 1gig, which is in the fiber world probably 2.5 gig
However its $199US. RAM 1gig, Storage 512Mb

Personally since you like to use a router for a long time and just let it do its thing, the RB4011 would be a decent longer term investment, IMHO
If you need wifi, until mt gets its wifi act together, I use and recommend the TPlink eap245 as equivalent to the promised improvement to AC1200 wifi of the hapac3 except the tp links work now!
They have faster units which I havent tried yet but are the newer wifi6 generation eap620 and eap660.

mkx · Sat Feb 13, 2021 6:24 pm

Backups are not portable between devices. Not really between devices of same model, much less between different models. Importing exported config is more likely to succeed, but it's not recomended either. The recomended approach seems to be to export config from the old device, then open it in text editor as a reminder while (manually) setting up the new device. It is possible to copy-paste a few lines, but more likely there will be tiny details to correct.

As to suggestions for new type of hardware: you can see it's much by personal preferences. @anav likes to suggest his own setup to everybody else (which includes splitting home LAN to gazzillion of VLANs) while I try to suggest minimum changes to existing setup. As @anav noted, hAP ac2 has wireless as well, but if you have tight budget then hAP ac2 makes a decent router for its price and would well be worth every cent even if it didn't have wireless (you can disable it if it bothers you). But as you'll have to get yourself a new router, you may want to consider some other changes in your LAN setup while you're at it.

Alfista · Mon Feb 15, 2021 11:52 am

Hi All,

thanks for explanation.
I don't need the WiFi in the Mikrotik, while its only in wired part. The suggestion to the WiFi TP-link is great, I will check it. It looks great and its PoE.

So if I understand correctly I need to export the whole settings in the .rsc format, that I have the it complete and then after some correction based on the new router HW to put it back, but over command line, that I can have control over it.
Looks as more work as only restore from backup, but i thing its a good way and easier as do it from scratch.
The suggestion to the RB4011 looks also good, as it should work for a long time. This router works for many years (about 8~10) and thing its needed to replace it.

Is possible to tell me which changes do you suggest on the network by the new configuration?
I planed to do some VLANs but on the L3 switch which I have.

Thanks for help.

mkx · Mon Feb 15, 2021 12:25 pm

Is possible to tell me which changes do you suggest on the network by the new configuration?

I didn't have anything in particular on my mind. Nowdays it's common to have a few IoT gadgets in the household and generally its good practice to keep those in separate (V)LAN heavily firewalled in all directions. The other thing is WiFi guest access which should reside in separate (V)LAN as well. So while replacing router you may want to consider those things. You may want to replace APs with 5GHz ones just to increase wireless throughput. Etc. Use your imagination ;-)

Alfista · Thu Feb 18, 2021 8:57 am

Hi MKX,

I have now planed VLANs for main network, monitoring, security, but OK will add it to the guest WiFi network too :-) Its a good idea, even some WiFi routers do it self.
But would like to know if its better to do it here on touter or on a L2 switch?

If its better to do it on a router, please is possible to help me and tell me:
- how should I set here a VLAN
- how should I set routing for:
- access only to internet (as for guest WiFi)
- access to other part of the network (as for the monitoring network, or other parts)
-hot set the lan port to trunk for connecting with the L2 switch

Thanks.

anav · Thu Feb 18, 2021 2:41 pm

Read and understand this document it contains really good information.
viewtopic.php?t=143620

Who is online