It was once necessary to divide the MikroTik RB2011iLS-IN into two separate routers in order to connect two users, while the uplink was one with two different IPs.
I solved this problem by throwing two VLANs to MikroTik, in each I assigned IP and configured two masquerades, and divided the ports with two bridges.
Actually, I will show below what settings I made.
I renamed the standard bridge to bridge1 and added a second bridge:
/interface bridge add name=bridge2
I have SFP as an uplink, changed its name (the other ports were simply renamed as ether1, ether2, etc.):
/interface ethernet set [ find default-name=sfp1 ] name=sfp1-Gateway
Added VLANs:
/interface vlan add interface=sfp1-Gateway name=vlan1 vlan-id=228 add interface=sfp1-Gateway name=vlan2 vlan-id=226
Specified IP address ranges for DHCP servers:
/ip pool add name=dhcp-192-168-88-0 ranges=192.168.88.10-192.168.88.254 add name=dhcp-192-168-0-0 ranges=192.168.0.2-192.168.0.254
Configured two DHCP servers:
/ip dhcp-server add address-pool=dhcp-192-168-88-0 disabled=no interface=bridge1 name=serever-192-168-88-0 add address-pool=dhcp-192-168-0-0 disabled=no interface=bridge2 name=server-192-168-0-0
Ports 3 through 5 and 7 through 10 removed the specified master ports. Tied ports to two different bridges:
/interface bridge port add bridge=bridge1 interface=ether1 add bridge=bridge1 interface=ether2 add bridge=bridge1 interface=ether3 add bridge=bridge1 interface=ether4 add bridge=bridge1 interface=ether5 add bridge=bridge2 interface=ether6 add bridge=bridge2 interface=ether7 add bridge=bridge2 interface=ether8 add bridge=bridge2 interface=ether9 add bridge=bridge2 interface=ether10
I registered IP addresses for internal networks and the Internet (I did not use DHCP Client, especially since two IPs looking at the Internet will have the same MAC address):
/ip address add address=192.168.88.1/24 comment=RDA interface=bridge1 network=192.168.88.0 add address=192.168.0.1/24 comment=Arhitekturnoe interface=bridge2 network=192.168.0.0 add address=172.16.4.81/18 interface=vlan2 network=172.16.0.0 add address=172.18.2.134/16 interface=vlan1 network=172.18.0.0
Specified networks for DHCP:
/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.1 add address=192.168.88.0/24 comment="default configuration" gateway=192.168.88.1
Specified DNS addresses:
/ip dns set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1 /ip dns static add address=192.168.88.1 name=router add address=192.168.0.1 name=router
The firewall rules that I prescribed and standard:
/ip firewall filter add chain=input comment="default configuration" protocol=icmp add chain=input dst-port=80 protocol=tcp add chain=input comment="default configuration" connection-state=established,related add action=drop chain=input comment="default configuration" in-interface=sfp1-Gateway add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related add chain=forward comment="default configuration" connection-state=established,related add action=drop chain=forward comment="default configuration" connection-state=invalid add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=sfp1-Gateway
Rules for labeling packages:
/ip firewall mangle add action=mark-connection chain=forward in-interface=vlan1 new-connection-mark=ID4635-RDA add action=mark-connection chain=forward in-interface=vlan2 new-connection-mark=ID5357-Arhitekturnoe add action=mark-routing chain=prerouting connection-mark=ID4635-RDA new-routing-mark=ID4635-RDA-rt src-address=192.168.88.0/24 add action=mark-routing chain=prerouting connection-mark=ID5357-Arhitekturnoe new-routing-mark=ID5357-Arhitekturnoe-rt src-address=192.168.0.0/24
Two masquerades:
/ip firewall nat add action=masquerade chain=srcnat comment="default configuration" out-interface=vlan1 add action=masquerade chain=srcnat out-interface=vlan2
Routes:
/ip route add distance=1 gateway=172.18.0.1 routing-mark=ID4635-RDA-rt add distance=1 gateway=172.16.0.1 routing-mark=ID5357-Arhitekturnoe-rt /ip route rule add src-address=192.168.0.0/24 table=ID5357-Arhitekturnoe-rt add src-address=192.168.88.0/24 table=ID4635-RDA-rt
This completes the setup, the device will work as two separate routers with different IP addresses.
See also my article:
Configuring MikroTik in half as a router and a switch