Skip to content
/ mikrotik_maxslug Public

Mikrotik configuration files for a moderately complex home network with managed access points, FTTH with authentication, multiple ISPs with failover, secure DNS, and VLANs.

License

CC0-1.0 license
56 stars 17 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

maxslug/mikrotik_maxslug

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
doc
doc
 
 
router-os-6
router-os-6
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
mikro1.rsc
mikro1.rsc
 
 
sw1.rsc
sw1.rsc
 
 
sw2.rsc
sw2.rsc
 
 
wap1.rsc
wap1.rsc
 
 
wap2.rsc
wap2.rsc
 
 
wap3.rsc
wap3.rsc
 
 

Repository files navigation

maxslug's Mikrotik Networking Configuration Files

graph LR
  WAN1[Fiber ONT] ---|DHCP,EAP| Router(Router<br />RB5009UPr+S+IN)
  WAN2[WISP] ---|DHCP| Router
  Router ---|Trunk| WAP2((WAP2<br />cap ac))
  Router ---|Trunk| WAP3((WAP3<br />cap ac))
  Router ---|Trunk| SW1(SW1<br />crs109)
  Router ---|VLAN200| Server
  Router ---|VLAN400| ATA
  SW1 ---|Trunk| WAP1((WAP1<br />cap ac))
  Router ---|Trunk| SW2(SW2<br />crs109)
  SW2 ---|VLAN300| Backup{Backup<br />SSID}
  WAP1 ---|VLAN100| Admin{Admin<br />SSID}
  WAP1 ---|VLAN200| LAN{LAN<br />SSID}
  WAP1 ---|VLAN300| Guest{Guest<br />SSID}
Loading

This repo is to hold my configuration files for a complex home network based on Mikrotik networking gear. Thank you to all the mikrotik forum posters for all this knowledge and hard work, especially pcunite!

To discuss this please join us here : https://forum.mikrotik.com/viewtopic.php?f=13&t=166330

Design Goals

WAN

  • Dual ISPs with auto-failover
  • Complete removal of AT&T router ("residential gateway") from the picture

L1

  • Disaggregation of routing and wifi into separate solutions
  • Switched managed Ethernet
  • Redundancy
  • Power over Ethernet to allow centralized UPS

L2 / L3

  • VLAN separation of Guest, Primary, IOT, Neighbor, and VOIP networks

Wireless

  • Centrally managed access points
  • Roaming / Hand-off imrovements
  • Higher overlapping coverage at lower radio power rates

L4+

  • Port Forwarding over VLAN
  • Secure DNS

Nework Design

These are notes to go along with the config files

Inventory

  • 1 x Mikrotik RB5009UPr+s+IN router using RouterOS 7.15beta8
  • 2 x Mikrotik CRS109-8G-1S-2HnD Router/Switch/APs running RouterOS 7.15beta8
  • 3 x Mikrotik cAP AC (RBcAPGi-5acD2nD) using RouterOS 7.15beta8 and wifi-qcom-ac WiFi 5 Wave2 Driver

VLANs

VLAN IP Usage
100 192.168.100.0/24 Base / Management
200 192.168.120.0/24 Normal LAN / Chromecasts / Printer
300 192.168.130.0/24 Guest / IOT
400 192.168.140.0/24 VOIP
500 192.168.150.0/24 Neighbor
  • For each subnet addresses .1 through .39 are reserved for static IP assignment. .1 is the router.
  • The WAN ports are not on VLANs
  • Once configured, you will need to make a port be on VLAN 100 to use WinBox.

Printing

  • ZeroConf / mDNS / Apple Bonjour (AirPrint) cannot be forwarded across subnets / VLANs.
    • You will only get to auto-discover the printer from one VLAN, I chose guest where the school tablets will be
  • The printer ports for a Lexmark Laser printer are forwarded from the main VLAN to the guest VLAN where the printer is

Router

  • 192.168.100.1

  • The EAP Authentication protocol requires a set system clock. DHCP requires EAP. NTP requies DHCP. This means you can't set the clock over the internet because of a chicken-n-egg problem. Make sure mikro1.rsc is modified with the current time before programming it. Or, if you have a local NTP server, use that.

  • You will need to coax your authentication keys out of your AT&T gateway so you can run in supplicant mode.

  • DNS is setup to use DNS over HTTP (DOH) which requires some certificates and hurdles.

Switches

I was really only interested in an 8-port managed GigE switch, but for the same price these units include a 2G WiFi radio.

  • 192.168.100.2

  • 192.168.100.3 (config not included)

  • The radio in the switches are not part of CapsMAN

  • I create a "backup" SSID out of these that should work if I need to hookup the old router, or if for some other reason CapsMAN fails.

  • One of the APs is chained off of sw1 due to physical topology

Access Points

  • 192.168.100.11 wap1
  • 192.168.100.12 wap2
  • 192.168.100.13 wap3

Despite what the Mikrotik documentation says, you cannot fully remotely provision these. You will need to create a config file and add it to the AP. After that, the wireless definitions will be automatic, but not the base config and security!

  • /system reset-configuration run-after-reset=wap.rsc does not always work. I still had to manually load the file after reset
  • Resetting into CAP mode (hold reset button till it gets to it's second mode after blinking) is a better starting point
  • Certificates will be auto-provisioned by CapsMAN
  • I scripted the mode button so that it will toggle the LEDs between "always on" and "turn off after 1h"

802.11ac Band Planning

5G Bands for 802.11ac

Here is a diagram I put together to understand the 802.11ac channel assignment

  • DFS is the middle part of the spectral sandwich which requires fancy driver support and regulatory signoff. This is now supported with the wifi-qcom-ac drivers.
  • 802.11ac requires 80MHz channels, made up of 4 x 20MHz channels
  • For any given 80 MHz chunk, there are 4 possible assignments, depending on which one you make the control channel
    • This is what gives you the Ceee eCee eeCe eeeC "walking ones" pattern. I tried to depict this above
    • I only defined the channels that worked for my region
  • I use WiFi analyzer (Windows, Android) to do a survey of least-busy bands at each AP physical location

cAP AP Wireless Features

cAP (and other Mikrotik Qualcomm-based 802.11ac products) recently (as of 2024) got full support for WiFi 5 Wave 2! YOU ROCK MIKROTIK! Thanks for improving an existing product instead of just moving on. They now support software-based features like MIMO, DFS, Beam Forming, Handoff Protocols, Spectral Scan etc. However in order to use these features, and to make them compatible with 802.1ax devices, you need to run a new driver, and a new capsman. The new driver is called wifi-qcom-ac and the new capsman is in /interface wifi capsman and /interface wifi.

One hiccup I did find is that the new CapsMAN does not play nice with the older capAC devices when it comes to VLANs. You have to statically config some things, and it's all a bit kludgy. I could not get three SSIDs on three VLANs working like I had in RouterOS 6.x. So instead I removed one and settled for two with the work-arounds.

Please see router-os-6/ for scripts using the older driver.

Software

This install required 3 versions of RouterOS:

  • arm64 - RB5009 Router. No wireless driver
  • arm - capAC WAP. wifi-qcom-ac driver
  • mips - crs109. wireless driver

winbox from MacOS

I like this way of using / installing it better than the suggested:

brew tap homebrew/cask-versions
brew install --cask --no-quarantine wine-devel
killall wineserver
wine64 winbox64.exe

References

These are not in any particular order, but all my knowledge came from these, so Thank You!!

config

Security

CAPSman and wifi-qcom-ac - New (802.11ac/.ax)

CAPSman - Old

Wifi Channel Planning / 802.11ac / CapsMAN

802.11ac Channels

802.11ac Spectrum

802.11ac 20MHz different Center channels

AC1200 Definition

802.11ac Modulations

band steering

vlans

EAP auth

Bridging

failover / balancing

secure DNS

Printer sharing

port forwarding

About

Mikrotik configuration files for a moderately complex home network with managed access points, FTTH with authentication, multiple ISPs with failover, secure DNS, and VLANs.

Topics

mikrotik routeros mikrotik-routeros-script mikrotik-router routeros-scripts 80211ac

Resources

Readme

License

CC0-1.0 license
Activity

Stars

56 stars

Watchers

6 watching

Forks

17 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages