I changed the configuration to use it as a wifi hotspot for my home devices with WAN connected to my Mikrotik 52 Metal (which works as WiFi booster) and the WAN port on ether5 as opposed to the default configuration ether1 (to power 52 Metal via POE). I also set up the router to have 192.168.98.1 IP address and DHCP server on LAN and to obtain the IP address automatically from WAN. This worked well for a few years but I recently acquired Starlink, which I am able to power from the POE injector and want to use as a primary WAN source leaving Mikrotik 52 Metal extender for failover (my current WAN provider is quite flaky). I want the priority to go to Starlink which I plan to connect to ether4.
What changes do I have to make to the router configuration?
My current working configuration is below:
Code: Select all
# jun/27/2022 16:51:46 by RouterOS 6.49.6
# software id = KRZN-YWXP
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 8A7D**A72F*A
/interface bridge
add admin-mac=CC:2D:E0:E0:13:7F auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether5 ] auto-negotiation=no speed=100Mbps
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed mode=dynamic-keys name=Lastochka \
supplicant-identity="" wpa-pre-shared-key=5163613392 wpa2-pre-shared-key=\
5*************2
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto mode=ap-bridge \
security-profile=Lastochka ssid=Lastochka_2G station-roaming=enabled \
wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto mode=\
ap-bridge security-profile=Lastochka ssid=Lastochka_5G station-roaming=\
enabled wireless-protocol=802.11
/ip pool
add name=dhcp ranges=192.168.98.10-192.168.98.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether5 list=WAN
/ip address
add address=192.168.98.1/24 comment=defconf interface=bridge network=\
192.168.98.0
/ip dhcp-client
add disabled=no interface=ether5
/ip dhcp-server network
add address=192.168.98.0/24 comment=defconf gateway=192.168.98.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.98.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add check-gateway=arp distance=1 dst-address=192.168.100.1/32 gateway=ether5 \
pref-src=0.0.0.0
/system clock
set time-zone-name=America/New_York
/system identity
set name=MikroTik-Router
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN