Access managed switch behind MikroTik router

Hi, I have the following setup:

ISP cable – My Switch – My MikroTik router – My Lan (via wifi or via cable, etc)
My router is MikroTik: rb4011igs+5hacq2hnd-in
RouterOS v7.3.1


My issue is that: I would like to access My Switch management console (running on something like 192.168.1.3 via http) from My Lan. (This currently does not work).

I have seen some threads with similar issues like mine but I am quite new to configuring MikroTik and I couldn’t figure out what’s needed. My setup is pretty much stock without specific customizations for the ethernet.

What I’ve tried so far is:

/ip/address add address=192.168.1.4/24 comment="Switch Network" interface=ether1 network=192.168.1.0

This allowed me to ping my switch from the MikroTik console. However, I am still unable to reach it from My Lan.

Here are my /ip settings:

/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=192.168.1.4/24 comment="Switch Network" interface=ether1 network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

Would you please advise how I can resolve my issue? I am curious about various options (routing to the address, or mapping to some specific port on the MikroTik IP, or something else).

Question: why is the switch between you and the ISP modem (assuming it's a modem and the RB4000 gets a public-facing IP address)?

For your MySwitch to be accessible from MyLAN client devices, it is the same as for accessing internet from MyLan.

The RB4011 interface connected to MySwitch should be in the “WAN interface list”, so that the IP firewall NAT rule srcnat/masquerade will apply.

MySwitch should have an address in the “ISP-MyMikrotikRouter subnet”. If it is not getting a free IP address from the ISP, give the RB4011 a second IP address and subnet on that WAN-facing port, so it forms a second subnet with nodes MySwitch and MyMikrotikRouter (second address).

Yes, it’s a valid question. It is a temporary solution. The switch is just a switch (not a modem) which lets me plug the MikroTik router in at a physical place providing better wifi coverage. (If I plug the RB4000 directly into the ISP, it is too far away and wifi is weak where I need it.)
I plan further expansion with more or stronger wifi access points in future, but meanwhile I am curious to be able to tweak a bit and tighten the settings of my switch. Also to get more familiar with MikroTik configuration.

Thank you! The above sounds exactly like what I did - I have added a second static IP to ether1 (this port is the RB4011 WAN-facing connection):

/ip/address add address=192.168.1.4/24 comment="Switch Network" interface=ether1 network=192.168.1.0

The ISP does provide an IP via DHCP, but it's a separate network. The switch doesn't provide DHCP and demands an address from the 192.168.1.0/24 subnet.

Now I realize that it is accessible. Yesterday I was trying to access it with a laptop that has its own weird firewalls. Now I managed to connect via my smartphone. It all works fine. Thank you!
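
The setup this thread arrives at, written out as an added example that is not part of any post above: the second address on ether1, a check that the defconf masquerade applies to it, and an optional forward rule limiting which LAN hosts can reach the switch's HTTP console. The admin host 192.168.88.10 and the list name switch-admins are assumptions; the other addresses are the ones given in the thread.

```routeros
# Added example; 192.168.1.3 (switch) and 192.168.1.4 (router) come from the thread.
# 192.168.88.10 and the address-list name "switch-admins" are assumed for illustration.

# 1. Second address on the WAN-facing port, inside the switch's subnet
#    (skip if it was already added, as in the original post)
/ip address add address=192.168.1.4/24 interface=ether1 comment="Switch Network"

# 2. ether1 must be in the WAN interface list so that the defconf
#    srcnat/masquerade rule (out-interface-list=WAN) rewrites LAN sources
#    to 192.168.1.4; the switch has no route back to 192.168.88.0/24
/interface list member print where list=WAN
# if ether1 is not listed:
# /interface list member add list=WAN interface=ether1

# 3. Optional tightening: the defconf forward chain lets every LAN host open
#    new connections towards ether1, including the switch's plain-HTTP console.
#    Drop new LAN connections to the switch unless the source is an admin host.
#    Appended after the defconf rules, so established traffic is still accepted first.
/ip firewall address-list add list=switch-admins address=192.168.88.10
/ip firewall filter add chain=forward action=drop dst-address=192.168.1.3 \
    in-interface-list=LAN src-address-list=!switch-admins \
    comment="switch mgmt: admin hosts only"

# 4. Verify from the router, then browse to http://192.168.1.3 from the admin host
#    and watch the masquerade and drop counters move
/ping 192.168.1.3 count=3
/ip firewall nat print stats
/ip firewall filter print stats
```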