From router + AP to switch + AP

Hello!! :smiley:
After having some problems (http://forum.mikrotik.com/t/problems-with-checkmk-and-proxmox-backup-server/177320/1) with the current configuration of my network, I have decided to change its design to another one that also works for me. I want to use the MikroTik as a switch while maintaining its functionality as a Wi-Fi access point. This is my running config:

[admin@MikroTik] > export
# 2024-07-20 15:16:17 by RouterOS 7.14.3
# software id = NG5D-KBSU
#
# model = C52iG-5HaxD2HaxD
#
/interface bridge
add comment=LAN name=LAN port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment=LAN
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN

/interface wifi
set [ find default-name=wifi1 ] channel.skip-dfs-channels=disabled configuration.country=Spain .mode=ap .ssid=Area51 disabled=no security.authentication-types=wpa2-psk .connect-priority=0/1 .disable-pmkid=yes .encryption="" \
    .management-protection=disabled .wps=disable
set [ find default-name=wifi2 ] configuration.country=Spain .mode=ap .ssid=HOME2022-24

/interface list
add name=WAN

/ip pool
add name=dhcp_pool0 ranges=192.168.3.25-192.168.3.240

/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN name=server1

/interface bridge port
add bridge=LAN interface=ether2 internal-path-cost=10 path-cost=10
add bridge=LAN interface=ether3 internal-path-cost=10 path-cost=10
add bridge=LAN interface=ether4 internal-path-cost=10 path-cost=10
add bridge=LAN interface=ether5 internal-path-cost=10 path-cost=10
add bridge=LAN interface=wifi1 internal-path-cost=10 path-cost=10
add bridge=LAN interface=wifi2 internal-path-cost=10 path-cost=10

/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN wan-interface-list=WAN

/interface list member
add interface=ether1 list=WAN
add interface=LAN list=*FFFFFFFF

/ip address
add address=192.168.3.1/24 comment=LAN interface=LAN network=192.168.3.0
add address=192.168.2.2/24 comment=WAN interface=ether1 network=192.168.2.0

/ip dhcp-client
add disabled=yes interface=ether1

/ip dhcp-server lease
add address=192.168.3.21 mac-address=D8:8C:79:6A:82:B3 server=server1

/ip dhcp-server network
add address=192.168.3.0/24 dns-server=192.168.3.3,208.67.222.222 gateway=192.168.3.1 netmask=24

/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.222.220

/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow dst-nat connections from WAN" connection-nat-state=dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="drop anything else from WAN" in-interface=ether1

/ip firewall nat
add action=masquerade chain=srcnat comment=Sortida out-interface=ether1
add action=dst-nat chain=dstnat comment=Checkmk disabled=yes dst-address=192.168.2.2 dst-port=161 in-interface=ether1 protocol=udp to-addresses=192.168.3.5 to-ports=161
add action=dst-nat chain=dstnat comment=PBS-2 disabled=yes dst-address=192.168.2.2 dst-port=8007 in-interface=ether1 protocol=tcp to-addresses=192.168.3.8 to-ports=8007
add action=dst-nat chain=dstnat comment=Checkmk_2 disabled=yes dst-address=192.168.2.2 dst-port=162 in-interface=ether1 protocol=udp to-addresses=192.168.3.5 to-ports=162

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10

I have been looking for information to carry out this procedure, and I think I have it more or less clear. These are the steps I should follow without having to do a factory reset:
1.- interface → interface list → Delete/Disable the entry with ether1 interface
2.- IP → dhcp-server: Delete/Disable the DHCP server
3.- IP → addresses: Delete/Disable the entry with 192.168.2.0/24
4.- IP → dhcp-client: Add New
5.- Bridge → ports: Add New and attach port ether1 to bridge.
6.- IP → Firewall: Delete/Disable Filter Rules and NAT.

Do you think that maybe I’m missing something? Suggestions are really welcomed and appreciated…

Kind regards!! :smiley:

Don’t forget to assign the DHCP client on the bridge and not on ether1 or better yet, assign the address that is currently on ether1 on the bridge and don’t add a DHCP client and:

  1. Delete or disable all default routes, if any exist

Hi!!
My English is not very good, so to be sure: you mean that it's better not to configure a DHCP client, and to assign an IP to the bridge for management purposes. Is this correct?

Thank you very much!!

Hola Tarragona,

To confirm, you have no guest network or IOT network or media subnet either?
Just one flat subnet for all users?

In that case it's very simple.
Let's say your subnet is 192.168.3.0/24

The device gets its address from this subnet; let's give it 192.168.3.2/24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The first thing I would do is NOT call my bridge LAN. The word LAN is an already-used entity in RoS, and
it's confusing to readers and to existing router rules to do so. Most call it Bridge or Bridge-LAN etc…

Why not call it PUENTE !!
Will assume two things
A. the connection to the main router comes in ether1
B. the address assigned to the AP/Switch is 192.168.3.2/24


/interface bridge
add comment=bridge name=PUENTE port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] comment=MainRouter
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment=LAN
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN

/interface wifi
# as required

/interface list
add name=MANAGE

/interface bridge port
add bridge=PUENTE interface=ether1 internal-path-cost=10 path-cost=10 comment="from main router"
add bridge=PUENTE interface=ether2 internal-path-cost=10 path-cost=10
add bridge=PUENTE interface=ether3 internal-path-cost=10 path-cost=10
add bridge=PUENTE interface=ether4 internal-path-cost=10 path-cost=10
add bridge=PUENTE interface=ether5 internal-path-cost=10 path-cost=10
add bridge=PUENTE interface=wifi1 internal-path-cost=10 path-cost=10
add bridge=PUENTE interface=wifi2 internal-path-cost=10 path-cost=10

/interface list member
add interface=PUENTE list=MANAGE

/ip neighbor discovery-settings
set discover-interface-list=MANAGE

/ip address
add address=192.168.3.2/24 comment=LAN interface=PUENTE network=192.168.3.0

/ip dns
set servers=192.168.3.1

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.3.1

# only if required
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.3.1

/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=MANAGE
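
A small offline check for the conversion discussed in this thread, as an added example that is not part of any of the original posts: it parses a RouterOS `/export` and lists router-mode leftovers (uplink port outside the bridge, addresses or DHCP clients on non-bridge interfaces, an enabled DHCP server or firewall rules). The function names are hypothetical, and it assumes RouterOS 7 export conventions, where an enabled entry carries no `disabled` property.

```python
import shlex

def parse_export(text):
    """Parse a RouterOS /export into (section, verb, properties) tuples."""
    items, section = [], ""
    for line in map(str.strip, text.replace("\\\n", " ").splitlines()):  # rejoin wrapped lines
        if line.startswith("/"):
            section = line
        elif line and not line.startswith("#"):
            verb, *rest = shlex.split(line)
            items.append((section, verb, dict(t.split("=", 1) for t in rest if "=" in t)))
    return items

def enabled(items, section):
    """Properties of entries added in a section and not marked disabled=yes."""
    return [p for s, v, p in items if s == section and v == "add" and p.get("disabled") != "yes"]

def audit_switch_ap(text, uplink="ether1"):
    """Hypothetical helper: list router-mode leftovers; uplink faces the main router."""
    items = parse_export(text)
    bridges = {p["name"] for p in enabled(items, "/interface bridge")}
    ports = {p["interface"] for p in enabled(items, "/interface bridge port")}
    findings = [] if uplink in ports else [f"{uplink} is not a bridge port"]
    for section, what in (("/ip address", "address"), ("/ip dhcp-client", "DHCP client")):
        for p in enabled(items, section):
            if p["interface"] not in bridges:  # L3 config belongs on the bridge itself
                findings.append(f"{what} on {p['interface']} instead of the bridge")
    for section in ("/ip dhcp-server", "/ip firewall filter", "/ip firewall nat"):
        if enabled(items, section):
            findings.append(f"enabled entries left in {section}")
    return findings

# Constructed sample, abridged from the export in the first post.
BEFORE = """\
/interface bridge
add comment=LAN name=LAN port-cost-mode=short
/interface bridge port
add bridge=LAN interface=ether2 internal-path-cost=10 path-cost=10
/ip address
add address=192.168.3.1/24 comment=LAN interface=LAN network=192.168.3.0
add address=192.168.2.2/24 comment=WAN interface=ether1 network=192.168.2.0
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN name=server1
/ip firewall nat
add action=masquerade chain=srcnat comment=Sortida out-interface=ether1
"""

if __name__ == "__main__":
    print("\n".join(audit_switch_ap(BEFORE)))
```

An empty result means none of these leftovers remain; a DHCP server left enabled matters most, because once ether1 joins the bridge it would answer clients on the main router's subnet.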

Just one question - is a default route to the gateway needed? As the AP de facto acts as a switch, shouldn’t routing be handled by the gateway?

Probably not needed but it ensures anyone local on the router such as my emergency or config access on ether5, not on any of the vlans, gets routing etc..

Hi @anav!! :grinning_face:
One million thanks for your help and suggestions, I really appreciate it!!

Yes, you’re right, there isn’t any IoT or guest network. I’ve already changed the bridge name, from LAN to CAMPUS… :wink:

I take note of your suggested config.

Again, thank you very much and best regards!! :smiley:

Which emergency access?
You just posted a configuration where ether5 is part of the Puente bridge, like ether1/2/3/4. :open_mouth:

Yes, but for example if later the OP wants to take ether5 off the bridge and give ether5 its own IP address, he can access the device by adjusting IPv4 on laptop settings etc.
In this case, he can do without that particular config line but I don't see it causing any harm LOL

Hi @anav!!
Just another question… About the DHCP, I understand that I have to disable the DHCP server, and the DHCP client is not necessary. Is this correct?

Thank you very much!! :slight_smile:

Correct

Understood!!

Thank you very much!! :smiley: