Connect FWA modem to Mikrotik router
Due to issues outside of my control (probably the issue is Italy) I can’t get
FTTH Internet connection.
The best I can have for now is FWA (Fixed Wireless Access). 300 Mbps. Nowhere
close to fiber speed, but I’m not complaining.
For FWA plans, the ISP usually sells you (there’s no choice because fuck you) their shitty router and the “5G antenna” which is a PoE modem plus the antenna.
I’m fine with using their modem but using their WiFi router is just stupid. I want to get rid of it and connect the modem directly to my Mikrotik router.
Info gathering
In my case the router is a Zyxel device, so not the worst shit you might get
from an ISP.
It exposes a web UI that offers a decent level of customization. At least
enough for me to understand what’s going on between the two devices.
It has a bunch of interfaces already configured, most of them are useless. “FWA_data” is obviously the one I need to replicate on my Mikrotik. Let’s have a look at its details.
- “Encapsulation” is set to IPoE. So it expects common IP packets, nothing more complicated such as PPPoE with credentials. Makes sense, auth should be handled by the 5G modem, where you install the SIM card.
- “Obtain an IP Address Automatically”. OK, it clearly has a DHCP client on this interface.
- VLAN 802.1q is enabled, and it says “10”. Clearly this interface expects tagged frames with VLAN ID 10.
- “NAT” is enabled. OK, I guess we’ll add a masquerade rule.
These are the interesting parts of config I have to port to the Mikrotik.
Mikrotik setup
I have a hAP ax³. Info.
I’ll connect the modem to ether1.
Well, there is a PoE injector in the middle, but nothing to worry about. By
the way, ether1 offers PoE out, so I tried to power the modem without the
injector, but it wasn’t enough. Enough what? I don’t know, I didn’t
investigate. I guess voltage too low. The hAP didn’t even detect the modem as
a PoE device.
I’m on RouterOS 7.20.1.
First I attached a DHCP client to ether1, just to see if I get an IP.
Make sure to remove ether1 from bridges before attaching a DHCP client to it.
/ip dhcp-client
add add-default-route=no default-route-tables=main interface=ether1 use-peer-dns=no use-peer-ntp=no
And the modem really gave me an IP. I’m not sure it’s useful for anything, since the modem won’t work as gateway on this network. Maybe it’s exposing some management interface here though. But I didn’t look for it yet.
[fmac@MikroTik_hAP_ax3] > /ip/dhcp-client/print where interface=ether1
Columns: INTERFACE, USE-PEER-DNS, ADD-DEFAULT-ROUTE, STATUS, ADDRESS
# INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS
0 ether1 no no bound 192.168.252.150/24
Now I know for sure that VLAN 10 is required. So let’s create VLAN10 on ether1.
/interface vlan
add comment="windtre FWA" interface=ether1 name=VLAN10 vlan-id=10
Then another DHCP client to beg for an address on VLAN 10.
/ip dhcp-client
add add-default-route=yes allow-reconfigure=no check-gateway=none comment="windtre FWA" \
default-route-distance=1 default-route-tables=main dhcp-options=hostname,clientid disabled=no \
interface=VLAN10 use-broadcast=both use-peer-dns=no use-peer-ntp=no
Good, we got an IP.
[fmac@MikroTik_hAP_ax3] > /ip/address/print where interface=VLAN10
Flags: D - DYNAMIC
Columns: ADDRESS, NETWORK, INTERFACE
# ADDRESS NETWORK INTERFACE
10 D 100.RE.DAC.TED/29 100.RE.DAC.TED VLAN10
Finally add a NAT rule to masquerade.
In my case I have to make sure VLAN10 is in the WAN list.
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN masquerade" out-interface-list=WAN
Test
And it works!
[fmac@MikroTik_hAP_ax3] > /tool/ping address=9.9.9.9
SEQ HOST SIZE TTL TIME STATUS
0 9.9.9.9 56 53 32ms468us
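The post says VLAN10 has to be in the WAN list but does not show that step. The snippet below is an added example, not part of the original post: it adds the membership only when it is missing, then checks each piece of the setup. It assumes the interface list WAN already exists and reuses the names VLAN10 and WAN from the post; a VLAN interface is matched under its own name, so ether1 being in WAN does not cover VLAN10.

```routeros
# Added example (not from the original post).
# Assumes: interface list "WAN" exists, VLAN interface is named "VLAN10".

# Add VLAN10 to the WAN list only if it is not already a member,
# so the snippet can be pasted more than once without creating duplicates.
:if ([:len [/interface list member find where list="WAN" interface="VLAN10"]] = 0) do={
    /interface list member add list=WAN interface=VLAN10 comment="windtre FWA"
}

# VLAN10 should now appear as a member of WAN. The masquerade rule matches
# on out-interface-list=WAN, so without this entry traffic leaving through
# VLAN10 is not NATed.
/interface list member print where list="WAN"

# The DHCP client on VLAN10 should show status "bound".
/ip dhcp-client print where interface="VLAN10"

# The default route installed by that DHCP client (add-default-route=yes)
# should be present and active.
/ip route print where dst-address="0.0.0.0/0"

# Packet and byte counters on the masquerade rule should grow once
# traffic has gone out through the WAN list.
/ip firewall nat print stats
```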