hAPlite RB941-2nD as a switch + AP

I want to set up an hAPlite RB941-2nD as a 4 port switch with wlan1 as part of the switch.

Like this, switch includes: ether1 + ether2 + ether3 + ether4 + wlan1

I started with a blank device and did the following, /export below:

  1. Create bridge1 and add ether1, ether2, ether3, ether4, wlan1
  2. Set up wlan1 with SSID and password

It seems to work like I want, but is there anything else I need to do? Did I miss anything? Thanks


/export

jan/02/1970 00:17:38 by RouterOS 7.9.2

software id = HHEE-SI84

model = RB941-2nD

/interface bridge
add name=bridge1

/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=hapl_1

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik

/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether2

/ip neighbor discovery-settings
set discover-interface-list=!dynamic

/system note
set show-at-login=no

I wanted to add some more about my setup. I don’t think I need to give the Mikrotik device an IP address in this setup?
I’m just looking for some input on if I did anything glaringly wrong or stupid from a function and security perspective.


PFSense Firewall/Router w/ DHCP Server <------- 10.11.11.1 subnet (no VLANs) -------> Mikrotik hAPLite as switch w/ Wireless AP

You have done just fine.

MT device in your case needs IP address for three reasons (but you decide if these apply):

  1. if you want to manage device using WebFig or CLI via SSH. Without IP address you have to use winbox (or MAC telnet)
  2. if you want to set device as NTP client so that log entries contain valid timestamp
  3. if you want to use ROS built-in mechanisms to perform upgrades
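
The three points in the reply above, as an added RouterOS 7 example that is not part of the original thread. The addresses are assumptions: the thread only says "10.11.11.1 subnet", so a /24 with pfSense at 10.11.11.1 acting as gateway, DNS and NTP server is assumed, and 10.11.11.2 is a constructed address for the hAP lite.

```routeros
# Added example (RouterOS 7 syntax). All addresses below are assumptions, see lead-in.

# Management address goes on the bridge, not on a member port (ether1-4, wlan1).
/ip address add address=10.11.11.2/24 interface=bridge1 comment="mgmt (constructed address)"
/ip route add gateway=10.11.11.1
/ip dns set servers=10.11.11.1

# Reason 1: management over IP. Turn off the services that are not used and
# limit the remaining ones to the LAN subnet.
/ip service disable telnet,ftp,api,api-ssl
/ip service set ssh address=10.11.11.0/24
/ip service set winbox address=10.11.11.0/24
# WebFig runs on the plain-HTTP "www" service; disable it instead if WebFig is not used.
/ip service set www address=10.11.11.0/24

# Once the device is reachable over IP, the admin account must have a password.
# The value is a placeholder.
/user set admin password="<choose-a-strong-passphrase>"

# Reason 2: NTP client, so log entries carry a valid timestamp
# (the export above is dated jan/02/1970). Assumes pfSense answers NTP.
/system ntp client set enabled=yes
/system ntp client servers add address=10.11.11.1

# Reason 3: the built-in upgrade check needs the route and DNS set above.
/system package update check-for-updates
```

Because wlan1 and the Ethernet ports share bridge1 and one subnet, the `address=` restriction treats wireless and wired clients alike.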