Enabling a secondary subnet on a simple network setup

Hello folks!

I’m pretty new to MikroTik and RouterOS. I have a very simple setup: almost the default config that comes with RouterOS 7 on a hEX Lite.

I’ve a single IP address range 10.30.0.1/24 assigned to the bridge that bridges across all the LAN interfaces (ether2-5).

/interface bridge
add auto-mac=no comment=defconf name=bridge
/ip pool
add name=dhcp-pool ranges=10.30.0.21-10.30.0.254
/ip dhcp-server
add address-pool=dhcp-pool interface=bridge name=dhcp-pool
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip address
add address=10.30.0.1/24 comment="Office Network" interface=bridge network=10.30.0.0

I have a device (an appliance, so I don’t get much control over its network settings) that doesn’t have a DHCP server, and ONLY can be assigned static IPs in the 192.168.42.0/24 range. This appliance has to be connected to the hEX Lite and other devices on the 10.30.0.0/24 network need to be able to access the appliance.

I understand these requirements are esoteric and break many best practices for setting up networks. Is it possible to configure the hEX Lite/RouterOS to enable this? I tried setting up static routes and firewall rules, but I wasn’t able to get anything to work.

There’s nothing special about it. If it’s connected directly to the RB, then remove the used port from the bridge, assign 192.168.42.1/24 to this port (assuming that the device uses 192.168.42.1 as gateway) and you’re almost there, only allow it through the firewall if it isn’t already. If it’s not connected directly and it’s behind another switch, then add 192.168.42.1/24 as a second address to the bridge. If the device doesn’t have any default gateway (which would be kind of weird), you’d need to add a srcnat rule like:

/ip firewall nat
add chain=srcnat dst-address=192.168.42.X action=masquerade
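
The directly connected case from the reply above, written out as an added example that is not part of the original thread. It assumes the appliance is plugged into ether5 and that the default (defconf) firewall is still in place; the two filter rules are an added restriction that keeps the appliance from opening connections of its own, not something the reply asked for.

```routeros
# Added example, not from the thread. Assumption: the appliance is on ether5.

# 1. Take the port out of the LAN bridge so it becomes a routed interface.
#    (Appliance behind another switch instead: skip this step and use
#    interface=bridge in step 2, as the reply describes.)
/interface bridge port
remove [find where interface=ether5]

# 2. Give the router an address in the appliance's fixed subnet.
#    192.168.42.1 is the gateway address the reply assumes the appliance uses.
#    RouterOS adds the connected route for 192.168.42.0/24 automatically.
/ip address
add address=192.168.42.1/24 interface=ether5 comment="Appliance subnet"

# 3. Allow the office network to reach the appliance, and drop anything the
#    appliance tries to start itself (this also blocks it from the WAN).
#    Replies to office-initiated connections are not in state "new", so
#    they still pass.
/ip firewall filter
add chain=forward action=accept src-address=10.30.0.0/24 \
    dst-address=192.168.42.0/24 comment="Office to appliance"
add chain=forward action=drop src-address=192.168.42.0/24 \
    connection-state=new comment="Appliance may not open new connections"

# 4. Check the result: the connected route exists and the rules are present.
/ip route print where dst-address=192.168.42.0/24
/ip firewall filter print where chain=forward
```

With the defconf firewall, ether5 is no longer covered by the LAN interface list once it leaves the bridge, so the input-chain rule that drops traffic not coming from LAN also keeps the appliance away from the router's management services.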