Hello forum folks,
i just ordered a Hap ax³ and i am looking for some help.
The Hap will be connected to VDSL2 modem. The ISP is 1&1 Versatel. They use ppp0e with vlan7.
So here are my questions:
1.How do i setup ppp0e with vlan7 correctly? Can i use the Quick Set?
1.1Is the default firewall set up working with this vlan7 or do i have to tweak?
1.3 I am considering using only IPv4, but maybe will need IPv6 only for Xbox.
2. I would like to use Vlans to seperate traffic for :
- Pc using ethernet
- Xbox A using ethernet
- A managment port using a Laptop with ethernet.
2.1 seperate Wifi with vlans for:
- Laptop A
-Laptop B
-Xbox B using Wifi6
- Firestick
- Pi
- Pixel phone A
-Pixel phone B
- a guestnetwork
- Iot`s ( is it a good idea to use a seperate vlan for every device?)
3. Will Nat be a problem for Xbox?
3.1 How do i tweak for low latency.
In general i would like to seperate the devices in the network as much as possible, so if you have a tip on how to do achieve this, feel free to give some tips besides the vlan.
Thank you very much for your time. Hope i can return the favour in the future.
Re: First time configuration
I tried to use the doc to solve my questions on my own, but i really struggle. I know it may be silly questions, but i would really appreciate the support.
Re: First time configuration
When you have the device, without touch anything, first upgrade to latest "stable" routeros 7.17.2, then reset to defaults on system.
Do not touch quickset.
IPv6 must supported from your ISP.
Default firewall is perfect.
NAT work perfectly with UPnP for XBOX, if hAP is the router.
VDSL2 modem must be correctly cofigured as bridge for use hAP for authentication.
If is not done correctly, you have double NAT and all other relative problems.
First make hAP working, then think about IPv6, VLANs & Co.
Paste this on terminal for start:
Do not touch quickset.
IPv6 must supported from your ISP.
Default firewall is perfect.
NAT work perfectly with UPnP for XBOX, if hAP is the router.
VDSL2 modem must be correctly cofigured as bridge for use hAP for authentication.
If is not done correctly, you have double NAT and all other relative problems.
First make hAP working, then think about IPv6, VLANs & Co.
Paste this on terminal for start:
Code: Select all
/ip dhcp-client
set [find] default-route-distance=20
/interface vlan
add interface=ether1 name=vlan-WAN vlan-id=7
/interface pppoe-client
add add-default-route=yes default-route-distance=10 disabled=no interface=vlan-WAN name=pppoe-WAN user=username
/interface list member
add interface=vlan-WAN list=WAN
add interface=pppoe-WAN list=WAN
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=pppoe-WAN type=external
add interface=bridge type=internal
Re: First time configuration
Hi Hi rextended,
first of all , thank you for your reply and your time.
I got dual stack, so IPv6 is supported. I got a dynamic puplic IPv4 address( which was a true fight to get), when i used IPv6 for testing my isp downgraded me to ds-lite instantly. So i'm not sure if i am willing to risk to activate IPv6 again. To be honest, i just have the idea that i will have less latency and more stable syncing while gaming with Xbox on IPv6. Xbox live uses Teredo, when IPv4 is used and i really don´t like the idea of tunneling thru my firewall.
Honestly, i don´t have a lot of time for gaming, so i'm not willing to deal with connection issues.I would like to game without lags and delay. But it's not a top priority. Xbox networks statistics give me 13ms ping and 0% packetloss, so it should be possible.
The modem is in bridge mode.
You recommended using upnp, i often read to avoid using upnp, because it is considered a huge security risk. If it`s neccessary, is it possible to bind it only to the xbox, maybe with vlan?
Thanks again.
first of all , thank you for your reply and your time.
I got dual stack, so IPv6 is supported. I got a dynamic puplic IPv4 address( which was a true fight to get), when i used IPv6 for testing my isp downgraded me to ds-lite instantly. So i'm not sure if i am willing to risk to activate IPv6 again. To be honest, i just have the idea that i will have less latency and more stable syncing while gaming with Xbox on IPv6. Xbox live uses Teredo, when IPv4 is used and i really don´t like the idea of tunneling thru my firewall.
Honestly, i don´t have a lot of time for gaming, so i'm not willing to deal with connection issues.I would like to game without lags and delay. But it's not a top priority. Xbox networks statistics give me 13ms ping and 0% packetloss, so it should be possible.
The modem is in bridge mode.
You recommended using upnp, i often read to avoid using upnp, because it is considered a huge security risk. If it`s neccessary, is it possible to bind it only to the xbox, maybe with vlan?
Thanks again.
Re: First time configuration
Is why I have wrote:
As for UPnP, it is used to dynamically open ports for games when they need them.
It has the same level of security as making manual rules.
First you have to run everything with the default firewall turned on, then check the rest.First make hAP working, then think about IPv6, VLANs & Co.
As for UPnP, it is used to dynamically open ports for games when they need them.
It has the same level of security as making manual rules.
Re: First time configuration
Ok, i will do that first. Thank you!
Re: First time configuration
Ok, i'm online.
Here is what i did:
Switched off POE on Eth1
ran terminal prompt from rextended
filled in ppp0e-wan username and pw
had to configure DNS, because of resolve error when trying to update
upgraded to 7.17.2
reseted configuration
Switched off POE on Eth1
Disabled Ipv6
Disabled IPv6 Forward
Changed User+ pw
Disabled services : -api; api-ssl;ftp;ssh,telnet,www,www-ssl
Changed Wifi name,ssid and pw
ran terminal prompt from rextended
filled in ppp0e-wan username and pw
configured DNS
Not sure if i had to disable POE but was afraid to damage the modem.
Whats next to do ?
Here is what i did:
Switched off POE on Eth1
ran terminal prompt from rextended
filled in ppp0e-wan username and pw
had to configure DNS, because of resolve error when trying to update
upgraded to 7.17.2
reseted configuration
Switched off POE on Eth1
Disabled Ipv6
Disabled IPv6 Forward
Changed User+ pw
Disabled services : -api; api-ssl;ftp;ssh,telnet,www,www-ssl
Changed Wifi name,ssid and pw
ran terminal prompt from rextended
filled in ppp0e-wan username and pw
configured DNS
Not sure if i had to disable POE but was afraid to damage the modem.
Whats next to do ?
Re: First time configuration
Three things. One will help the other with an Overall PLAN which is required.
1. Detail the requirements as you understand them
a. identify all user(s)/device(s) ( internal and external and admin)
b. identify all the traffic they need
2. You have a single WAN pppoe, so that is known................
Do you have any VPN to the Router, or doing any port forwarding?
If so ensure you detail it above in 1 a., b.
3. Draw a network diagram that shows the ports and subnets/vlans going out ports or WLANs
4. Read this article for vlans --> viewtopic.php?t=143620
5. Create and post your config once done.
/export file=anynameyouwish (minus router serial number, any public WANIP information, or user name etc. )
6. In terms of firewall rules, stick to the defaults at least in the input chain for now. Keep chains together all input and all forward, order within chains is also important.
In the forward chain take the confusing default rule and remove it and then replace with three rules for now aka ready for future vlan usage.
From: add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
TO:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable it if required or later remove }
******************* --> Place any other needed traffic rules here, like vlan to vlan, shared printer etc..... <-- ***************************
add action=drop chain=forward comment="drop all else"
7. Before you start configuring anything, suggest take one port OFF the default bridge and we will set it up so you can access the config off the bridge, from a safe location.
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/ip address
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0
/interface list member
add interface=OffBridge5 list=LAN
With this in place, now plug your laptop into ether5 on the router. Change the IPV4 settings on the laptop to 192.168.77.2 and then use winbox entering usual username and password and you shouild have access to the config but off the bridge. This faciliates adding vlans to the bridge and going away from the default 192.168.88 subnet etc........... Also helpful when changing vlan-filtering to yes on the bridge.
1. Detail the requirements as you understand them
a. identify all user(s)/device(s) ( internal and external and admin)
b. identify all the traffic they need
2. You have a single WAN pppoe, so that is known................
Do you have any VPN to the Router, or doing any port forwarding?
If so ensure you detail it above in 1 a., b.
3. Draw a network diagram that shows the ports and subnets/vlans going out ports or WLANs
4. Read this article for vlans --> viewtopic.php?t=143620
5. Create and post your config once done.
/export file=anynameyouwish (minus router serial number, any public WANIP information, or user name etc. )
6. In terms of firewall rules, stick to the defaults at least in the input chain for now. Keep chains together all input and all forward, order within chains is also important.
In the forward chain take the confusing default rule and remove it and then replace with three rules for now aka ready for future vlan usage.
From: add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
TO:
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat disabled=yes { enable it if required or later remove }
******************* --> Place any other needed traffic rules here, like vlan to vlan, shared printer etc..... <-- ***************************
add action=drop chain=forward comment="drop all else"
7. Before you start configuring anything, suggest take one port OFF the default bridge and we will set it up so you can access the config off the bridge, from a safe location.
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/ip address
add address=192.168.77.1/30 interface=OffBridge5 network=192.168.77.0
/interface list member
add interface=OffBridge5 list=LAN
With this in place, now plug your laptop into ether5 on the router. Change the IPV4 settings on the laptop to 192.168.77.2 and then use winbox entering usual username and password and you shouild have access to the config but off the bridge. This faciliates adding vlans to the bridge and going away from the default 192.168.88 subnet etc........... Also helpful when changing vlan-filtering to yes on the bridge.
Re: First time configuration
Hi Hi anav,
thank you for your time and detailed hints. I will work thru them.
Wish all of you a nice weekend.
thank you for your time and detailed hints. I will work thru them.
Wish all of you a nice weekend.