Best practice for using MikroTik RB5009 as core router with OPNsense at the edge?

RouterOS Beginner Basics
1

Hi everyone,

I recently added a MikroTik RB5009 to my network and would like to redesign my topology.

Currently, OPNsense is my edge router connected directly to my ISP (handling WAN, NAT, and firewall). I would like to change the architecture so that:

  • The RB5009 handles:

    • VLAN routing

    • Inter-VLAN routing

    • DHCP for all internal networks

  • OPNsense remains at the edge:

    • WAN connection

    • NAT

    • Firewall filtering

    • Possibly IDS/IPS and VPN

My goal is to have the RB5009 act as the core router while OPNsense continues to filter and NAT traffic to the internet.

My questions are:

  1. Is using a small transit network (e.g., /30) between OPNsense and the RB5009 the recommended approach?

  2. Should I disable NAT entirely on the MikroTik and let OPNsense handle all outbound NAT?

  3. Are static routes on OPNsense pointing to the RB5009 the correct way to route internal VLAN subnets?

  4. Are there any common pitfalls with this design?

I’m aiming for a clean, scalable setup without double NAT.

Thanks!

2

1- I wouldn't worry too much about double NAT
2- why not simply replace Opnsense entirely ? Why are you adding RB5009 into the mix then ?

1 Like
3

What is your topology? Do you have servers? What are these VLANs?

Double-NAT is normally no big deal despite some on the Opnsense forum seeming to have an ideological objection.

4

1).

I understand that double NAT can work in small environments, but I’d prefer to avoid it for a few reasons:

  • I want to keep a single point of NAT at the edge (OPNsense) for cleaner troubleshooting.

  • I run VPNs and may expand to site-to-site tunnels later — double NAT can complicate that.

  • Port forwarding and firewall rule management is simpler with one NAT boundary.

  • I’d like full visibility of internal subnets on OPNsense for logging and IDS/IPS.

Since the RB5009 is capable of pure L3 routing without NAT, it seems cleaner to let it route VLANs internally and let OPNsense handle WAN NAT exclusively.

Would there be any downside to keeping NAT only on the edge firewall?

2).
That’s a fair question.

My goal isn’t to replace OPNsense — I specifically want to keep it as the dedicated edge firewall because of:

  • IDS/IPS capabilities

  • Advanced firewall rule management

  • VPN support

  • Logging and traffic inspection

  • WAN failover flexibility

The RB5009 would act as a high-performance core router handling:

  • Inter-VLAN routing

  • DHCP services

  • Internal network segmentation

I see it as separating roles:

RB5009 = Core router
OPNsense = Edge security appliance

This way inter-VLAN traffic stays local at wire speed, and OPNsense focuses only on WAN-bound traffic and security enforcement.

Does that design make sense from a best-practice standpoint?

5

RB5009 has no Layer 3 hardware acceleration, inter-vlan routing will not be wire-speed. Routing has to be done in CPU.
Only switching (same VLAN/subnet) will be done at wire-speed.

For this reason, I would recommend a much simpler setup: have RB5009 as edge & core router and opnsense as firewall. OPNSense can be put into bridge/L2 firewall mode, where it doesn’t handle anymore any gateways, vlans, NAT or any L3 capability. It just filters the packets going through it according to your firewall rules. Firewall filters & IDS/IPS work just fine when in this mode. You would be using the mikrotik as a router and opnsense as a firewall, instead of having 2 routers, one of which acts as edge router and firewall as well.

My other recommendation would be to just use the RB5009, without opnsense, it can do WAN failover, advanced firewall rules, vpn and logging as well.
It doesn’t have IDS/IPS, but these days, where almost every connection uses some sort of encryption like TLS it’s not that useful anymore.