It was once necessary to divide the MikroTik RB2011iLS-IN into two separate routers in order to connect two users, while the uplink was one with two different IPs.
I solved this problem by throwing two VLANs to MikroTik, in each I assigned IP and configured two masquerades, and divided the ports with two bridges.
Actually, I will show below what settings I made.
I renamed the standard bridge to bridge1 and added a second bridge:
/interface bridge add name=bridge2
I have SFP as an uplink, changed its name (the other ports were simply renamed as ether1, ether2, etc.):
/interface ethernet set [ find default-name=sfp1 ] name=sfp1-Gateway
Added VLANs:
/interface vlan
add interface=sfp1-Gateway name=vlan1 vlan-id=228
add interface=sfp1-Gateway name=vlan2 vlan-id=226
Specified IP address ranges for DHCP servers:
/ip pool
add name=dhcp-192-168-88-0 ranges=192.168.88.10-192.168.88.254
add name=dhcp-192-168-0-0 ranges=192.168.0.2-192.168.0.254
Configured two DHCP servers:
/ip dhcp-server
add address-pool=dhcp-192-168-88-0 disabled=no interface=bridge1 name=serever-192-168-88-0
add address-pool=dhcp-192-168-0-0 disabled=no interface=bridge2 name=server-192-168-0-0
Ports 3 through 5 and 7 through 10 removed the specified master ports. Tied ports to two different bridges:
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge2 interface=ether6
add bridge=bridge2 interface=ether7
add bridge=bridge2 interface=ether8
add bridge=bridge2 interface=ether9
add bridge=bridge2 interface=ether10
I registered IP addresses for internal networks and the Internet (I did not use DHCP Client, especially since two IPs looking at the Internet will have the same MAC address):
/ip address
add address=192.168.88.1/24 comment=RDA interface=bridge1 network=192.168.88.0
add address=192.168.0.1/24 comment=Arhitekturnoe interface=bridge2 network=192.168.0.0
add address=172.16.4.81/18 interface=vlan2 network=172.16.0.0
add address=172.18.2.134/16 interface=vlan1 network=172.18.0.0
Specified networks for DHCP:
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1
add address=192.168.88.0/24 comment="default configuration" gateway=192.168.88.1
Specified DNS addresses:
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip dns static
add address=192.168.88.1 name=router
add address=192.168.0.1 name=router
The firewall rules that I prescribed and standard:
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input dst-port=80 protocol=tcp
add chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=sfp1-Gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=sfp1-Gateway
Rules for labeling packages:
/ip firewall mangle
add action=mark-connection chain=forward in-interface=vlan1 new-connection-mark=ID4635-RDA
add action=mark-connection chain=forward in-interface=vlan2 new-connection-mark=ID5357-Arhitekturnoe
add action=mark-routing chain=prerouting connection-mark=ID4635-RDA new-routing-mark=ID4635-RDA-rt src-address=192.168.88.0/24
add action=mark-routing chain=prerouting connection-mark=ID5357-Arhitekturnoe new-routing-mark=ID5357-Arhitekturnoe-rt src-address=192.168.0.0/24
Two masquerades:
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan1
add action=masquerade chain=srcnat out-interface=vlan2
Routes:
/ip route
add distance=1 gateway=172.18.0.1 routing-mark=ID4635-RDA-rt
add distance=1 gateway=172.16.0.1 routing-mark=ID5357-Arhitekturnoe-rt
/ip route rule
add src-address=192.168.0.0/24 table=ID5357-Arhitekturnoe-rt
add src-address=192.168.88.0/24 table=ID4635-RDA-rt
This completes the setup, the device will work as two separate routers with different IP addresses.
See also my article:
Configuring MikroTik in half as a router and a switch