Attempting to move to MikroTik

Good time of the day, Community.

In advance, I apologize for the eyebleed of some of my further statements. I am moving away from a “gaming” router.

I have just now ordered a hAP AX3, which I plan to install for my home use.

Although I am a software engineer for quite a few years, networking will be a new area for me (not switching to SA, but do like to understand what is going on inside my network).

I am trying to grasp everything at the same time, but understand how big the topic is, so I wish to go from something small (and reliable), and in time deep dive into separate topics.

My questions would be - is there some tutorial resource, where I could get some guidance on how to make the configuration (I did see in some yt videos that WinBox has “setup wizard” like options, but I would generally wish to avoid “premade” steps, losing the opportunity to understand “what” and “why”). And yes, I do realize that people invented Google… but it feels better to ask for some trusted resource on a specific forum like this.

And here is what I wish to achieve:

  1. PPPoE client (eth1)
    1.1. I want to make a slow shift, so at first I wish to connect the new router to my existing one, bridging the internet. I did find quite a few “how to setup PPPoE”, but have trouble formulating the right wording for just bridging the connection (guess people will say “bridge!”).
  2. Make eth 2,3,5 into vlan-1.
  3. eth4 is a working station, so I only need internet to it.
  4. Two wireless vlans - one ‘general’ for the IoT, and one ‘trusted’. I guess I can have multiple VLANs inside 2.4/5.
    4.1. Plot twist. There is one device, eth5, which I need to be visible/accessible from all VLANs (hosts a MQTT server… and basically is a small sbc, where I have non-dockerized apps, which are accessed from my arduino and other projects). Is it possible to have one device, accessible from different VLANs?
  5. Theoretically, I do feel that this should be possible, but I would like to have several DHCPs for each VLAN (I do feel like this is a “duh!” question).
  6. Firewall. Do I need to do some additional configurations (besides VLANs and “NAT → masquerade”) to have my network safe from external intrusion?

Thanks in advance.

Everything you’re saying sounds quite reasonable and can be achieved with your selected device.

I would urge you however to abandon the slow/gradual changeover part, it makes things more difficult than they need to be. I would instead attempt a full drastic change, keeping an eye on retaining the possibility to simply plug the old device back in. This way if you get stuck or simply don’t finish in the time you have allocated for this, you have a chance to resume it at your convenience.

Anyway, you’re probably in for quite a journey. Even with all the resources setting up a Mikrotik for the first time is a steep process. Maybe for your first go at the task simply try to replicate your current config without separate networks/vlans and then go from there once you’re a bit more familiar with what you’re dealing with?

Read the resources, and people here are generally happy to help. Good luck!


VLANs are the hardest to understand (at least, for me and from reading your requirements). But…it all starts here:

Make sure to understand all…then you will do just fine.

Next…as you are referring to YouTube…check all videos on the MikroTik channel. They are absolutely great!

And last (but not least), learn CLI (as far as you haven’t already). It is a great way to understand more about settings. First command:

/export (will export nearly everything)
/export file=anynameyoulike (will write the above export to file)

Not 1, please.


Better to dive in? Well, I was considering this option. But the IoT smart device and such is a hassle with going through every device and setting new IPs for MQTT (and for low level stuff, I would need to flash a new firmware with the updated ips).

From here I hoped that I would simply connect AX3 to a port, while keeping the existing router as ISP. And plug my main pc into it, so I could start configuring and still be able to use the internet.

Already good news. Hope it doesn’t take advanced knowledge to accomplish such a feat :slight_smile:

I like this idea (and the lazy person in me reaaally likes this idea). But from day one of me buying IoT and stuff, and working from home, I had quite a fear (although I consulted with admins in regard to proper firewall setup for Linux) from the fact that my smartplugs could see the network (and to top it all, I was testing out an rgb strip as an additional light source for the closet… and even that damn chinese thing wants an internet->wifi connection).

So, unless this is something complex, I would wish to configure it from the beginning.

Thanks!

In time :slight_smile:
I generally have a like for the terminal, but first I want to go through the basics (which is UI).

Thank you for the article!

Maybe I wasn’t entirely clear. My suggestion would be to replicate your current setup, with the only change being that it’s done on your Mikrotik. This would mean retaining the SSID and password, so it wouldn’t involve reflashing. It would also mean retaining the flat network layout and addressing.

Then, when you’re ready to segment the network you can decide to use the current network as the segregated one and transition the other (more easily configured) devices to the new one you add. This way no reconfig is necessary on the old devices at all.

As for vlans, the others are correct that this is usually what causes the most frustration for new users. Just a remark: as long as you don’t have a requirement to extend more than one network on a single port or on a single SSID, actually vlans are not strictly necessary. I would advise you to tackle the problem head-on anyway, but again: it’s not strictly necessary.

I like this idea. Guess it will be a good starting point just to see if anything additional goes wrong.

I understand this. And thank you for stopping me on things that may become a frustration. I am now reading up on the VLAN article shared above (I really like this topic), and my router will arrive only next week (paired with the fact that I decided to make this jump, aligning with my vacation). Although I do feel that this would be similar to my first Linux book I’ve read - “This thing? Cool! This thing? Nice!..”, going through 200 pages or something, and only after installing the VM with my first Linux, and actually experiencing what it is in practice (had to re-read those 200 pages a few times to get the real understanding).

You could always do “dry” training by using network emulators like EVE-NG or PNETLab. That way you could get familiar with the UI and try simulating different scenarios like VLANs in your case


Just a few minutes ago I started questioning the topic of “is there a demo or something” (found the http://demo2.mt.lv/ from the winbox download page, but realized it’s RO).

Thank you for this (although I really don’t like setting up a VM on my win pc… just had a fresh windows install a few weeks ago, and trying to keep things “tidy”). Will see where this leads me.

You might get value from my article on the default configuration, then.

Two wireless vlans

If it’s just those two, you don’t need VLANs at all.

One DHCP server per subnet, irrespective of VLANs, yes. “Several” servers on a single subnet, tricky but possible, yet wanting an explanation why to go to the hassle.

It’s more of an “I am interested in configuring this” versus a “I need it” :smiley:

One thing I forgot to mention (may not be related to VLAN) is that I want to configure QoS (I do game, and I do torrent… and I don’t want to shut down the second while I’m doing the first).

More of a green/blue/red scenario. I want to have my ethernet connected devices (home use ones) having IPs like 10.1-…, my working equipment - 20.1-…, my trusted wireless stuff - 30.1, my IoT and wireless stuff I’m familiar with (but only to a point, where they would connect one device from 10.X to flush data) - 40.1, and everything else… that I want to clearly see as 90.1-…

Just for the ease of readability and fewer steps in the thought process of realizing that 192.168.90.5 is something, that somehow connected to my network (call it “paranoia”), and I should assume that something isn’t right with my security… or just a new device, that I will move to a “known” vlan.


UPD. Come to think of it, I want to have an additional vlan for ‘lab’. Can be seen by other networks, but (if it’s possible) - doesn’t see other networks (basically a buffer, which holds containers and stuff - you can write to it/call services, but devices from that network will not see home, work and such).

I want to configure QoS

That’s becoming increasingly difficult in the modern HTTPS-everything Internet, where it is impractical to tag flows based on destination port, content, etc.

What does work is a basic CAKE config, because it limits itself to a much lower level goal: fair queueing.

green/blue/red scenario

Then it’s one DHCP server per subnet, and the only question is whether you do that with VLANs or — as I have tried to encourage — independently routed wireless SSIDs.

2+ DHCP servers on the same subnet fight unless you go out of your way to force them to cooperate.

call it “paranoia”

You aren’t paranoid if they really are out to get you, but looking at IPs on the LAN isn’t a good way to determine this. Malefactors can pull a valid DHCP address unless you go well out of your way to prevent it, and even then, they can fake one simply by looking at the IPs of the traffic flowing past. Once they’re on the WiFi, it’s game over. It’s a shared medium; you can’t keep a malefactor from seeing valid IPs at that point.
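The “basic CAKE config” the reply refers to, written out as an added example (not configuration from the thread or from MikroTik’s documentation). The WAN interface name pppoe-out1, the LAN bridge name bridge-lan and the bandwidth figures are assumptions; the limits are set a little below the line rate so that packets queue in the router, where CAKE can schedule them, rather than in the ISP’s equipment.

```routeros
# Added example: fair queueing with CAKE on RouterOS 7.
# Assumptions: WAN is pppoe-out1, LAN side is bridge-lan, the line is
# roughly 100M down / 20M up. cake-bandwidth sits below that so the
# bottleneck (and therefore the queue) is here, not at the ISP.
/queue type
add name=cake-down kind=cake cake-bandwidth=90M cake-diffserv=besteffort \
    cake-flowmode=dual-dsthost cake-nat=yes
add name=cake-up kind=cake cake-bandwidth=18M cake-diffserv=besteffort \
    cake-flowmode=dual-srchost cake-nat=yes cake-ack-filter=filter

# dual-srchost / dual-dsthost share the link fairly between LAN hosts first
# and between each host's flows second; cake-nat=yes makes CAKE look up the
# pre-NAT LAN address in connection tracking so "host" means the LAN device.

# A queue tree entry attached to an interface without a packet mark takes
# every packet leaving that interface:
#   upload   = everything leaving towards the ISP
#   download = everything the router hands to the LAN bridge (this also
#              catches inter-VLAN traffic routed by the router, a known
#              side effect of queueing download on the LAN side)
/queue tree
add name=wan-upload parent=pppoe-out1 queue=cake-up max-limit=18M
add name=wan-download parent=bridge-lan queue=cake-down max-limit=90M
```

After applying it, `/queue tree print stats` should show both entries accumulating bytes while something is downloading and uploading; an entry that stays at zero means its parent interface is not the one traffic actually leaves through. A game’s small, latency-sensitive packets and a torrent’s bulk flows then share the link by fair queueing rather than by anyone having to identify which is which.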

Ah, so VLAN isn’t the only tool for this? Sorry, my brain for now is hooking up new words (“I’ve heard that on TV!”) and tries to apply every problem to that specific tool.

I did get a few notes about QoS not being the only solution from a different forum I used to consult on the general “I want to move away from the whole ‘baked solutions’”. Thank you. Will see what it is (once I finish with my current MikroTik reading queue:) ).

Guess my abstract understanding of the architecture is still pretty far from being “not that bad”.

This may sound stupid. And a bit silly. But imagine exposing a wireless network in an apartment, surrounded by others.

And, as to recall one gag from the era of ISPs providing a feature of “lan across the whole town” (can’t quite recall how it was named back then… but the idea was to share games, software and stuff… without downloading it in an era, where it would take a week). A friend (school years) wrote me in QIP, saying that he found a printer without password on the network… and has been spamming it with … pictures.

And now we actually have internet (and kids have access to smartphones and pcs). I can easily imagine (why imagine… I have a few MACs blacklisted in my TV’s BT connection list…which tried pairing when I enabled pairing mode to connect a keyboard) someone deciding to try out a hacking tool to get into a neighbor’s (mine, for instance) network.

I did work with Wireshark, and Cisco Packet Tracer at some point. So, yeah, I do understand that a network packet can be reverse-engineered and tailored to mask as someone else.

You’re right. This can hardly be called a security measure. But I do like the idea of having a separate IP set for “guests”.

my abstract understanding of the architecture is still pretty far from being “not that bad”.

Beware discounting the value of another specialization. “Hey, it’s just network engineering; how hard could it be? I’m a software developer, after all! I could write your damn network if I wanted!” Any time you give a group of humans a few decades to develop a specialization, you will inevitably find that they make it complicated enough that it takes an entire career to acquire a measure of expertise.

Look around. Where else do you see professions that require only a few years to fully master? Nowhere, that’s where.

Whether it needs to be this complicated is a separate matter. What should concern you now is that network engineering can be surprisingly complicated to one whose prior experience is “plug the Eero in and walk through the 4-page setup wizard on your smartphone.”

…imagine exposing a wireless network in an apartment, surrounded by others…

All of that is why WiFi now has strong encryption. If you can’t get authenticated, you can play any amount of games with MACs and IPs, and it won’t matter.

I do like the idea of having a separate IP set for “guests”.

Study my guest WiFi configuration, even if you think you’ll go with VLANs in the end. You still need to understand subnetting and routing with VLANs, and the way I’ve designed it should be instructive regardless.


There is quite a bit of information floating around here that is very easy to misunderstand. Let me clear some things up and put them in plain terms.

First, QoS. The traditional way to do this was to attempt to identify traffic, whether it is file sharing or gaming. Due to many factors - the principal one being that everything became HTTP and in that HTTPS, so encrypted - this can’t be done really effectively. What emerged instead are schemes where different streams are divided into subqueues (e.g. one subqueue per device, sub-subqueues per connection, etc.). These are called “fair queueing” or fq methods. These ensure that low bandwidth but latency sensitive things essentially receive priority. It tends to work remarkably well, and spares the trouble of trying to identify exactly the traffic - in this becoming much easier to set up and also becoming resistant to changes in protocol and usage. This is QoS, just not the traditional kind.

About isolation. Separation of traffic is created by having multiple networks, between which traffic may only pass by being routed by the router, and is therefore subject to the firewall. These networks can be fully isolated or accessible to each other in any combination. It is also possible for one network to be able to initiate connections into another, but not the reverse.

This separation is realized by having the networks as separate L2 (ethernet) domains. This is possible by simply assigning different ports to different networks.

When WLANs broadcast more than one SSID, those are represented as different interfaces, so they can be part of different isolated networks, just as ethernet ports can be. Separate SSIDs are fully separate “ports”, that is, traffic doesn’t pass between them in some inherent way - not even when sniffing frames.

WLAN APs - even on the same SSID - negotiate different encryption keys with each client, therefore they are not able to decode each other’s traffic. (The exception being broadcast frames, which are encrypted with a “group key” that is the same for each device on the same SSID.) If a device wants to send a packet to another device on the same SSID, that is encrypted with its own key, sent to the AP, which then has to decrypt and re-encrypt it, this time with the destination device’s key. Most APs do this automatically, but there is actually an option to disable this behavior. Mikrotik exposes this setting.

You can now see that even without VLANs, separation is totally possible. Where VLANs come into play is when you want to transit more than one such network on the same (with some exceptions) wired link. In this case the VLAN tag is used to mark, for each individual packet, which network it belongs to.

From all of this it follows that the usual setup is to have several DHCP servers, one serving each network. Two DHCP servers on a single network are unusual and unnecessary in most settings.

Sorry for the wall of text, but I hope it helps a bit.

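The layout the post above describes (separate L2 domains, traffic between them passing only through the router and its firewall, one DHCP server per network) mapped onto the original question’s wish list, as an added example; this is not configuration from the thread, from the poster, or from MikroTik. Everything named is an assumption: VLAN ids 10/20/30/40 following the poster’s 10/20/30/40 addressing idea, ether2/3/5 as the home network with the MQTT box at 192.168.10.5, ether4 as the work station, and the two SSIDs already existing as interfaces called wifi-trusted and wifi-iot (on a hAP ax3 they would be created under /interface/wifi first). The forward chain also shows the “one network can initiate into another, but not the reverse” case the post mentions, which is exactly the poster’s later ‘lab’ idea.

```routeros
# Added example, not from the thread: one bridge with VLAN filtering,
# four routed networks, a DHCP server for each, and a firewall that
# decides which network may start connections into which.
# Assumptions: interface names, VLAN ids, SSID interface names and the
# MQTT box address 192.168.10.5.

/interface bridge
add name=bridge-lan

/interface bridge port
# access ports: untagged frames entering a port are placed in its pvid
add bridge=bridge-lan interface=ether2 pvid=10
add bridge=bridge-lan interface=ether3 pvid=10
add bridge=bridge-lan interface=ether5 pvid=10
add bridge=bridge-lan interface=ether4 pvid=20
add bridge=bridge-lan interface=wifi-trusted pvid=30
add bridge=bridge-lan interface=wifi-iot pvid=40

/interface bridge vlan
# the bridge itself is a tagged member of every VLAN; that is what lets the
# router own an address in each network and route between them
add bridge=bridge-lan vlan-ids=10 tagged=bridge-lan untagged=ether2,ether3,ether5
add bridge=bridge-lan vlan-ids=20 tagged=bridge-lan untagged=ether4
add bridge=bridge-lan vlan-ids=30 tagged=bridge-lan untagged=wifi-trusted
add bridge=bridge-lan vlan-ids=40 tagged=bridge-lan untagged=wifi-iot

/interface vlan
add name=vlan10-home interface=bridge-lan vlan-id=10
add name=vlan20-work interface=bridge-lan vlan-id=20
add name=vlan30-trusted interface=bridge-lan vlan-id=30
add name=vlan40-iot interface=bridge-lan vlan-id=40

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=pppoe-out1
add list=LAN interface=vlan10-home
add list=LAN interface=vlan20-work
add list=LAN interface=vlan30-trusted
add list=LAN interface=vlan40-iot

# one /24 and one DHCP server per network; the router is the gateway of each
/ip address
add address=192.168.10.1/24 interface=vlan10-home
add address=192.168.20.1/24 interface=vlan20-work
add address=192.168.30.1/24 interface=vlan30-trusted
add address=192.168.40.1/24 interface=vlan40-iot
/ip pool
add name=pool-home ranges=192.168.10.100-192.168.10.199
add name=pool-work ranges=192.168.20.100-192.168.20.199
add name=pool-trusted ranges=192.168.30.100-192.168.30.199
add name=pool-iot ranges=192.168.40.100-192.168.40.199
/ip dhcp-server
add name=dhcp-home interface=vlan10-home address-pool=pool-home
add name=dhcp-work interface=vlan20-work address-pool=pool-work
add name=dhcp-trusted interface=vlan30-trusted address-pool=pool-trusted
add name=dhcp-iot interface=vlan40-iot address-pool=pool-iot
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1
add address=192.168.40.0/24 gateway=192.168.40.1 dns-server=192.168.40.1

/ip firewall filter
# input chain: what may talk to the router itself
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface-list=LAN
add chain=input action=drop comment="everything else, including all of WAN"
# forward chain: what may pass between networks; first matching rule wins
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN
# the MQTT box is reachable from every network, but only on the broker port
add chain=forward action=accept in-interface-list=LAN dst-address=192.168.10.5 \
    protocol=tcp dst-port=1883
# trusted wifi may start connections into any network; the replies come back
# through the established rule, so no other network needs to reach into it
add chain=forward action=accept in-interface=vlan30-trusted out-interface-list=LAN
# anything else between LANs (iot -> home, work -> home, ...) is dropped
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# enable last, once the port and vlan tables are complete, so the bridge is
# not filtering while it is still being built
/interface bridge set bridge-lan vlan-filtering=yes
```

Two things to know before pasting something like this: the DHCP networks hand out the router as DNS server, which only works once `/ip dns set allow-remote-requests=yes` is set (the input rules above already keep that resolver away from the WAN side), and a second switch or AP that must carry several of these networks over one cable is the case the post describes for VLANs: its port is added as a tagged member of each VLAN in `/interface bridge vlan` instead of as an untagged access port.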

Yes, we all fix toasters and microwaves here :smiley:.

To be honest, I always tended to stay away from the folk that see themselves as “man among mice”. Have come across quite a few of those. One being a group of C++ devs in a team, where I started off as an AQA. “Remember kids, AQA are actually those folk that check your ego of a developer against a problem you fixed, or a solution you made. They can tell how much of a sh…y developer you really are”.

The second one was an architect with mathematical degree. I can literally quote the guy on statements like “If that guy doesn’t have a math degree, I do not treat him as an individual”. The fun part here being that I saw that guy’s “vision”, with a microservice architecture done so terribly wrong, it literally held operational by spit and pray.

As for me, I never counted my work more than others, with devops and network admins having their own realm of complexity, which isn’t learned by just watching a youtube video (or two…three maybe?).

Zero doubts about that. And this is why I decided to go here, and ask for advice on both how to do it, and how hard it is to implement.

About that. I did see config files attached to posts like Using RouterOS to VLAN your network - #3 by pcunite. I am getting an impression that I somehow can view it through WinBox or something. Any advice on that?

somehow can view it through WinBox

Now say “/export”.

Or, enable SSH and log in that way.

By this, you mean a full import of a configuration (I don’t know if it wipes the previous one), right? And there is no possibility just to view a config by itself (highlighting parts, which are defined in this config)

Also I need a connection to a MikroTik device in order to even try importing/exporting a config? I did see the suggestion about RouterOS on a VM, but need to figure out how to download it (without megadrive standalone app… and with speed above 100kb/s).

I see; you’re hoping to use Winbox as a “viewer” of these config files.

The primary problem with that concept is that importing some random config file found on the Internet is likely to prevent the RouterOS box from talking to your Winbox client, at which point it closes the window, and you’re done.

Instead, you are meant to read such exports as-is — in text — until you understand them, then apply their advice piecemeal, within the context of the rest of your configuration.

If you want syntax highlighting during the reading and understanding stages, several major text editors have RSC syntax sets available. Vim and VSCode, to name two.

RouterOS…VM…megadrive

Stop stop stop stop!

I don’t know how you got down that particular dark alley of the Internet, but back out slowly and resolve to never return.

Now go to the MikroTik download page, and scroll down to Cloud Hosted Router. Install it into your VMM of choice.
