Configuring MikroTik in half as a router and a switch

Here is an example of setting up MikroTik as two different devices, a switch (switch) and a router (router).
Ports 1-5 and sfp1 will work as a switch, as a router there will be ports: LAN 6-9 and wlan1, WAN – 10.
The Internet will come via two cables, the first in the switch to sfp1, the second to 10 port, if the Internet cable is only one – we will connect the patch cord 10 of the router’s port to any ports of the switch.

We make two bridges:

/interface bridge
add name=bridge-router
add name=bridge-switch

Let’s configure the ports:

/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] name=ether10-Gataway
set [ find default-name=sfp1 ] name=sfp1-toNetwork1
set [ find default-name=ether1 ] master-port=ether2-master

Add ports to the bridges:

/interface bridge port
add bridge=bridge-switch interface=ether2-master
add bridge=bridge-switch interface=sfp1-toNetwork1
add bridge=bridge-router interface=wlan1
add bridge=bridge-router interface=ether6-master

Let’s configure the wireless network:

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=WiFi tx-power=30 tx-power-mode=all-rates-fixed wireless-protocol=802.11

Configure the address range for the DHCP server:

/ip pool
add name=dhcp ranges=

Let’s configure the DHCP server:

/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-router name=dhcp
/ip dhcp-server network
add address= dns-server=, gateway= netmask=24

Let’s assign an internal IP router:

/ip address
add address= interface=bridge-router network=

Enable DHCP client WAN port router:

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether10-Gataway

Let’s configure DNS:

/ip dns
set allow-remote-requests=yes
/ip dns static
add address= name=router

Enable NAT router:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether10-Gataway
We will configure the standard Firewall rules, allow ping and access to the web from outside:
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether10-Gataway
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether10-Gataway
add chain=input dst-port=80 protocol=tcp


Подписаться на IT Blog (RU) по Email
Subscribe to IT Blog (EN) by Email

Did my article help you? How about buying me a cup of coffee as an encouragement? Buy me a coffe.

Leave a Reply