Help Confiduring my Home Network

RouterOS Beginner Basics
1

Hello. My name is Vasilis, I’m from Greece and this is my first post. :slight_smile:
I would like some help with my Mikrotik devices, in order to configure them properly.

I REALLY, REALLY don’t want to eat-up your time, but I will try to be as precise as possible in describing my situation, as to avoid any confusion.
You can SKIP most of the post. My question is rounded-up in the end in RED !!

- How much do I know ? // (you can skip this)
I’ve setup very general and simple networks before for my Home or sites where I installed IP cameras, but this is my first time using Mikrotik and I’m not a network-guy. I need to state this. (newbie)

- What devices I want to connect together? // (you can skip this)

  1. I have the usual suspects (PCs, Laptops, Phones, Consoles, TVs etc)
  2. I have an unRaid server where I run many dockers for different things, my Home Assistant, and obviously my File NAS.
  3. I have quite a lot of IoT devices, at the momment 100% on WiFi. I plan on upgrading to ZigBee, but everything is still on WiFi. 90% DIY devices using ESPHome.
  4. My Home network, also extends to my Restaurant/Coffee shop using Access Points, where my customers need Wi-Fi access. (20-50 users)

- Which network Devices to I have and plan to use ?

  • My “modem” is an LHG-LTE18 which I LOVE. <3 (I use 4G LTE as my Internet connection due to ultra low DSL speeds in my area) (DSL 4Mbps, LHG achieves 450/90Mbps)
  • As a Router, I’ve JUST bought the RB5009UG+S+IN
  • And for a Switch I got the CSS326-24G-2S+
  • For Access Points I use my old UniFi AC AP LRs

- Some History ! // (you can skip this)
Up till now, I had just the LHG, connected to an old switch, and in turn, to a couple of computers and the Access Points. Everything worked great and I had no problems.
Obviously, the LHG was also on Router-Duty.
Then I also bought the CSS326 and I ran UTP cables to every device I could. Again, followed the guides online, and everything works GREAT.
Then, I cut my land-line all together, since the LHG and my 4G connection seem to be handling everything, even heavy-gaming without a sweat. In order to keep my home’s phone number, I registered with a VoIP provider. And here is the first problem.

- Some Problems !
Problem 1:
My ISP in Greece, (COSMOTE) has two different APNs I can use.

  • “internet” // Gives me full-speed, but I’m sitting behind a CG-NAT apparently.
  • “vpn-internet” // Gives my a Public IP so I can port forward to my server (and I quite need that) but limits my speed to 150/50Mbps. Which is a lot slower than the 450/90Mbps I get normally.

Other than the bandwidth limitations, when I use the “internet” APN, sitting behind the CG-NAT, my VoIP client devices work 20% of the time. :smiley: Switching to ‘vpn-internet’ solves the problem immediately.

Problem 2:
When I use the “internet” APN and I’m sitting behind a CG-NAT, I can’t access my network using normal port-forwarding. I found a work-arround using Cloudflared Tunnels, and nGinx Proxy Manager, but still, that’s not the ultimate solution I’d wish for. Outside (public) access to my Server, is almost PARAMOUNT to me, as I self-host my password managers, media managers, NVR software, cloud storage, home assistant, etc.
(Using VPN was also a solution, up to a point when I decided to share my apps (like my Media Library) with my friends. I can’t setup my VPN for everyone that wants to access my server.)
It needs to be as simple as going to www.mysite123.com. :wink:

I’ve seen a guide, on how to setup SOME devices in my network to use a different APN (simultaneously) giving me the best of both worlds.
But still, I went a step further and bought the RB5009 wishing to achieve something I don’t know how to build or IF POSSIBLE at all yet. :smiley:
The experienced guy from whom I learned the “Dual APN” trick, told me that I can’t use it if I want to use my RB5009 as a Router, and I would have to stay with the LHG only.

- How I would like things to be:

  • I want to use the RB5009 as my main Router.
  • I want to use the LHG-LTE18 as a “Modem-only”. I don’t want it to do routing or DHCP or anything else.
  • If DUAL APNs isn’t possible with a seperate router, I was thinking if it’s possible using a USB 4G Modem on the RB5009, with the “vpn-internet” APN, so I can have outside access to my network using port forwarding. (I currently use Cloudflare Tunnels)
  • I also want my VoIP phone to work all the time, so I have to use that “vpn-internet” APN somehow but without sacrificing my speed. (same as above)
  • I want to buy another LHG in the possibly near-future (if the wife agrees :smiley: ) to do some load balancing or replace the USB Modem all-together. Load Balancing is something I want to dive into. :slight_smile:
  • I would like my Server to have a 2.5G (or 10G in the future) connection to my computer. But most importantly, I want to be able to access my network and especially this server from the outside.
  • If I could somehow get advantage of the high-speed “internet” APNs, and the public-ip properties of the “vpn-internet” that would be great.

So, without (sorry for the expression) busting your balls any more, is there a way to achieve “Dual APNs” on the LHG, still use the RB5009 as a router, or use a second LTE modem on USB ?
Or both ? Or what would you suggest.
And How do I setup the LHG as a modem only, using “Passthrough Mode” ? I’ve read here on the forum that I have to enable VLANS for management, but I’m really confused and don’t want to break something on my lovely devices. :frowning:

PS. If someone wants to take the time, to solve my issue, as I am aware that time isn’t free, I would be willing to buy you a coffee. <3
Thanks in advance, and I’m sorry for the long post.

PS2. I KNOW I could buy UniFi devices, or TP-Link devices, since I am quite the noob, and I would have better luck with setting up those, but I REALLY want to learn RouterOS, at least on a basic level, cause not only does it seem interesting to me, but also I’d like to use Mikrotik devices from now on, when I’m setting up NVRs and cameras, for friends. (I do this as a Hobby)
That being said, I don’t think the others have the power that RouterOS has from what I’ve seen up till now.

Please feel free to ask me anything. <3 May you have a good day !

2

Hi Vasilus

It seems that you have more network knowledge/experience than you give yourself credit for!:wink:

Without going into too much detail on how to do what on your MT devices I would like to give you some general advise based on my experience:

  • Yes, the MT routers and switches and ROS are very powerful and really the best for your money you can find!
  • You will have to go through a quite steep learning curve before you can master them beyond ‘basic’ though…
  • Your selection of router and switch is excellent! You’ll be able to configure whatever you need and it will handle it w/o any problem
  • Keep only ONE router in your solution, so put your LHG-LTE18 in modem mode! You should have your public IP on the WAN port of your MT router <= check this via IP / Adresses
  • Use your router for routing (L3) and your switch(s) for switching (L2) <= ALL your clients should be connected to your switch and only your switch to your router. If you have multiple switches, and unless you have a powerful router (which you do by the way…), select one of them as the master/core switch and connect all other switches to the master/core. Only the master/core switch is then to be connected to the router. If your router is powerful enough it can act as the master/core switch. Uplinks of your switche(s) (to the master/core switch or router) should have larger bandwidth than your client links <= e.g. when your clients are connected with 1G (or 100M <= some clients, often IoT devices are limited to 100M) the uplink of the switch should be multiple (minimal 2) 1G (via LACP <= Trunks on switches, Bonding on router) or via 10G/25G/100G ports (<= both your router and your switch have SFP+ ports with 10G bandwidth, so I would use these. Buy a 10G DAC cable to connect them iso 2 x SFP+ transceivers with FO cable!
  • Segregate your network with VLANs such that you can control which user group has access to what. E.g. a separate VLAN for IoT and management and guests (with corresponding SSIDs on your WiFi APs)
  • Use a VPN to access your server iso port forwarding and make sure it is secure <= e.g. an IKEv2 or L2TP with IPSec (do NOT use PPTP or SSTP as these are not secure enough). These work with most of the built in VPN clients (MS Windows, MacOS, Android,…). OpenVPN is a good alternative but requires dedicated client agent to be installed on endpoint.
  • You don’t need a fixed public IP to easily connect to your server (via VPN or port forwarding)! Use a DynDNS service <= there’s a built-in service on your MT router. It will provide you with a personal ‘domain name’ that you can use to always connect to your router regardless of the actual public IP address. So use the service with the highest bandwidth and useDynDNS.
  • Ubiquiti APs are easy to configure (easier than MT) but more difficult to configure on the switch when you use multiple SSIDs and VLANs as they require hybrid ports on the switch side (managment traffic needs to arrive untagged on the Ubiquiti AP)
  • Use the correct way to configure VLANs <= this is different depending on the MT device! <= I already found 3 different ways so far…
  • Use a “specify what to accept and drop everything else” iso an “specify what to drop and accept everything else” (= the default on MT!) approach on your FW! Be careful not to lock yourself out when you activate the ‘drop all’ rule (see last 2 lines!)
  • Try not to copy entire configs from others but instead work through your own config step by step
  • Use an “off bridge management port” such that you can always access your MT even if you screwed up (and you will from time to time, believe me…)
  • Make regular backups of you config during configuration and use the Safe Mode

Good luck!

Greetz,

Bruno

3

Hello there !
Thanks a lot for the info !

I will have to look for the specifics now, to set this up.

I already bought a 10G DAC Cable and connected the Router to the Switch directly.
I have every other client connected on the Switch. Nothing else on the Router.

That being said, when I tried the above, (with the RB5009) I used my mobile phone tethered to the Router as an Internet Connection.
I haven’t tried using the LHG, as I don’t know how to put it in “Modem Only Mode” or “Passthrough Mode” as people call it online, without locking myself out of management.
Also, I don’t know If I can achieve “Passthrough” with Dual APNs. That seems harder if not impossible.

So I reverted back to using the LHG as the main Router, and currently on standby with the RB5009. I don’t use it until I figure out HOW to use it. :smiley:

Using my very limited knowledge, could it be possible to have traffic of the TWO different APNs routed through 2 Different VLANS (+1 for management) so the RB5009 gets the 3 VLANS and distributes them into the corresponding clients ? That sounds reasonable to do. But I don’t know if it works, and if it does, how to set it up. :smiley:

Lastly, I know about DynDNS. I was using “DuckDNS” up till now with my slow DSL connection.
But DuckDNS just points you to your PUBLIC IP.
If you are sitting behind your ISP’s NAT, then DuckDNS or any other Dynamic DNS service, will just point you to your ISP’s Router IP. And YOUR ISP should do the port forward to your “local” IP inside their network. Which will never happen. :smiley:

This is why I use Cloudflared Tunnels, to bypass all that, but my VoIP phone, can’t use those tunnels sadly. :frowning:
And my server has a hard time with SSL Certificates anyway, so SOME services (like Home Assistant) refuse to cooperate. :frowning:

4

Sorting out the ISP situation is probably your key to success.
For optimal configuring it would be very good to have one ISP where you have access to a public IP, be it direct or at least the device in front can port forward to the RB5009.

Wireguard an easy VPn requires that minimal connectivity.
One should also consider zerotier which does not depend on having direct connectivity whatsoever ( think creating a virtual switch where all devices are connected ).
One should consider zerotrust cloudflare tunnel, perfectly designed to establish servers without exposing public IP and I believe also does not require any direct connectivity.

Caveats.
a. WG can be setup on any MT device
b. Zerotier requires an arm device
c. Zerotrust requires arm device and container functionality loaded.

Understanding the possibilities of those three capabilities will probably be best due to the complex nature of your NAS and server situation.
Otherwise, just use vlans to separate everything.

5

Hello !
And thanks for your info !

Well as I already said, the ONLY option right now, is 4G LTE.
The ONLY ISP, is the one I already use, and they provide two options in terms of APNs !

One option gives me full-speed but no Public Address, and the other option gives me the public address but a Speed Limit !!

This is why I was wondering if it’s possible to use Dual APNs on the LHG, and instead of choosing the specific APN for a specific local IP (for my Server’s IP and my VoIP for example), if I could choose a VLAN or something.

So VLAN 1 goes out through APN1 and VLAN2 goes out through APN2.
Would something like that be possible ?

I know about VPNs, but since I am not the ONLY one who will be using my server, I don’t want my friends to setup complex apps on their devices just to have access to my media library.
They can access it using a link with my domain name !
I have this exact thing setup now, but instead of pointing my domain, to my Public IP, I point it to my Cloudflared Tunnel.

6

Hello Bonamin.

I’m sorry I won’t be able to help with your questions. I am just starting out with Mikrotik products and learning.
But I notice that you have an LHG and wanted to ask you a question about it if you don’t mind?

Did you have any troubles or specific config required to allow you to access the LHG (either winbox or webGUI or even shell) after it’s initial set up?
I am assuming that you had to connect directly to it on the factory default .188 subnet initially… but once you connected the LHG into your existing network, did you need to do anything to still be able to connect to it?

I’m having trouble opening a connection to mine and can’t figure it out.


Cheers,
RB

7

Hello there !

No, I haven’t done anything else ! Actually, even the factory “default configuration” worked fine.
I only had to put my SIM’s PIN, and everything worked.

That being said, I followed a guide online, and reset my device completely, and started from scratch, using the settings I wanted.

I’ve set my own preferred network, and I’ve set my own DHCP Pool so that I have some IPs reserved for manual assignments. And several other tiny changes that make my life easier.

But, as for management no. Nothing else. Winbox seems to always discover and connect to my device.

Even if I have my computer on a different subnet, I can STILL access my LHG using the MAC address. I don’t know how Winbox doss that, but it does ! :smiley:

I hope I helped !

8

Yes and no! lol

At least I know it should be possible somehow and for me to keep trying. :slight_smile:
I had some success yesterday and can access via IP now.

9

Hi Vasilis,

Let’s take it step by step…

If you can’t configure your LHG-LTE18 in modem/passthrough mode you should at least be able to configure port forwarding, right? If so we’ll use that to get access to certain servers behind the RB5009UG+S+IN router and to certain services (e.g. VPN server) on the RB5009UG+S+IN router. With port forwarding configured on your LHG-LTE18 it becomes “transparant” on the related ports and your router becomes accessible as if it was connected directly to the WAN. You will be stuck with double NATing but that shouldn’t be a major problem (it will just add an additional “HOP” in the routing that’s all).
If your RB5009UG+S+IN router comes pre-configured out of the box that should already be a good starting point to start with. If not (my CCR1016-12G comes completely ‘empty’ out of the box, but most smaller routers do have a default config that includes a WAN, LAN, DHCP client for WAN, DHCP server for LAN, NATing and basic Firewall rules pre-installed) you’ll have to do the basic configuring yourself. If however the router is pre-configured it should already work correctly behind your LHG-LTE18 (just make sure you use the correct WAN port!).
If not, here’s step by step how you can configure your RB5009UG+S+IN router for BARE ESSENTIALS config that gives you:

  • A WAN port with a fixed (WAN) IP address <= needs to be from the subnet on the LAN side of your LHG-LTE18!
  • A Flat LAN (w/o any VLANs or other advanced L2./L3 features) just to allow you to get the basic stuff up and and running like:
  • L2 communication between all the devices connected to the LAN ports
    • DHCP service to distribute IP addresses and DNS references for non-server clients
    • Internet access via standard NATing
  • A basic Firewal Rule Set based on the ‘Define what is allowed and drop all the rest’ approach
  • Port forwarding
  • An “Off Bridge Management Port” that allows you to connect to your router if you somehow locked yourself out after making some error in the config <= via the port’s MAC address

I used the following configuration on a MT CCR1036-12G-4S behind my regular MT CCR1016-12G to simulate your situation (router behind a router). The subnet behind the first router is 192.168.88.0/24 so I choose for a 10.0.1.0/24 LAN subnet behind the second router. I also choose to use a fixed IP address on the WAN port of the 2nd router, such that this one never changes, This is needed in order to allow ‘fixed’ port forwarding on the first router (=LHG-LTE18 in your case). It’s also possible to configure a DHCP client on the WAN port (of the 2nd router) and normally this should result in always receiving the same IP address, which is (theoretically) as good as a fixed IP address <= the 'dynamic IP address will be linked with the MAC address of the WAN port of the 2nd router and should remain unchanged (unless you change the LHG-LTE18 into something else, replace it with a new one, update the firmware(?)… <= so there’s always a risk that it would change). This would actually be easier to configure compared to a real fixed IP address, as the latter requires extra config on different locations: besides configuring a fixed IP address on the WAN port you also need to add DNS references on the DHCP server for the LAN and an explicit route pointing to the Default Gateway of the subnet between the two routers (= 192.168.88.1) for 0.0.0.0/0 <= all this is done automatically when using a DHCP client on the WAN port…

Step 1: Define the WAN, LAN and (Off Bridge) Management Ports. It’s good practice to change the name of the eth/sfp(+) ports such that it’s clear:

  • How the port is configured
  • What device is attached to it
  • With which port (on that device) it connects

In my example below I choose as follows:

  • sfp1 = WAN port <= I suggest you use ether8 on your RB5009UG+S+IN router
  • sfp2-4 = NOT USED <= N/A on your RB5009UG+S+IN router
  • ether1-11 = LAN ports <= I suggest you use sfp1 and ether1-6 on your RB5009UG+S+IN router
  • ether12 = Off Bridge Management Port <= I suggest you use ether7 on your RB5009UG+S+IN router


/interface ethernet
set [ find default-name=ether1 ] l2mtu=1590 name="Ether 01 - LAN Port 01 | NAS - Port 1"
set [ find default-name=ether2 ] l2mtu=1590 name="Ether 02 - LAN Port 02 | Server XYZ - LAN 2"
set [ find default-name=ether3 ] l2mtu=1590 name="Ether 03 - LAN Port 03 | My Notebook - Ethernet Port"
set [ find default-name=ether4 ] l2mtu=1590 name="Ether 04 - LAN Port 04 | WiFi Acces Point \"Living Room\" - Eth 01"
set [ find default-name=ether5 ] l2mtu=1590 name="Ether 05 - LAN Port 05 | "
set [ find default-name=ether6 ] l2mtu=1590 name="Ether 06 - LAN Port 06 | "
set [ find default-name=ether7 ] l2mtu=1590 name="Ether 07 - LAN Port 07 | "
set [ find default-name=ether8 ] l2mtu=1590 name="Ether 08 - LAN Port 08 | "
set [ find default-name=ether9 ] l2mtu=1590 name="Ether 09 - LAN Port 09 | "
set [ find default-name=ether10 ] l2mtu=1590 name="Ether 10 - LAN Port 10 | "
set [ find default-name=ether11 ] l2mtu=1590 name="Ether 11 - LAN Port 11 | "
set [ find default-name=ether12 ] l2mtu=1590 name="Ether 12 - Off Bridge Management Port 01 |  Management PC - Ethernet Port"
set [ find default-name=sfp1 ] advertise=10M-full,100M-full,1000M-full l2mtu=1590 name="SFP 01 - WAN Port 01 | LHG-LTE18 - LAN Port 1"
set [ find default-name=sfp2 ] advertise=10M-full,100M-full,1000M-full disabled=yes l2mtu=1590 name="SFP 02 - NOT USED"
set [ find default-name=sfp3 ] advertise=10M-full,100M-full,1000M-full disabled=yes l2mtu=1590 name="SFP 03 - NOT USED"
set [ find default-name=sfp4 ] advertise=10M-full,100M-full,1000M-full disabled=yes l2mtu=1590 name="SFP 04 - NOT USED"

Step 2: Create a LAN Bridge, add all the LAN ports and create a WAN and LAN Interface List (we will use them in the FW rules)

/interface bridge
add name="Bridge 01 - LAN"
/interface bridge port
add bridge="Bridge 01 - LAN" hw=no interface="Ether 01 - LAN Port 01 | NAS - Port 1"
add bridge="Bridge 01 - LAN" hw=no interface="Ether 02 - LAN Port 02 | Server XYZ - LAN 2"
add bridge="Bridge 01 - LAN" hw=no interface="Ether 03 - LAN Port 03 | My Notebook - Ethernet Port"
add bridge="Bridge 01 - LAN" hw=no interface="Ether 04 - LAN Port 04 | WiFi Acces Point \"Living Room\" - Eth 01"
add bridge="Bridge 01 - LAN" hw=no interface="Ether 05 - LAN Port 05 | "
add bridge="Bridge 01 - LAN" hw=no interface="Ether 06 - LAN Port 06 | "
add bridge="Bridge 01 - LAN" hw=no interface="Ether 07 - LAN Port 07 | "
add bridge="Bridge 01 - LAN" hw=no interface="Ether 08 - LAN Port 08 | "
add bridge="Bridge 01 - LAN" hw=no interface="Ether 09 - LAN Port 09 | "
add bridge="Bridge 01 - LAN" hw=no interface="Ether 10 - LAN Port 10 | "
add bridge="Bridge 01 - LAN" hw=no interface="Ether 11 - LAN Port 11 | "
add bridge=*12 interface="Ether 12 - Off Bridge Management Port 01 |  Management PC - Ethernet Port"
/interface list
add name=WAN
add name=LAN
/interface list member
add interface="Bridge 01 - LAN" list=LAN
add interface="SFP 01 - WAN Port 01 | LHG-LTE18 - LAN Port 1" list=WAN

Step 3: Add IP addresses on the bridge (= LAN Default Gateway address) and the WAN Port:

  • LAN Default Gateway address = 10.0.1.1 <= choose according to your preference, but keep it different from the LAN subnet of your LHG-LTE18!
  • WAN Port address = 192.168.88.50 <= needs to be from the LAN subnet of your LHG-LTE18! <= change accordingly!


/ip address
add address=10.0.1.1/24 comment=LAN interface="Bridge 01 - LAN" network=10.0.1.0
add address=192.168.88.50/24 comment=WAN interface="SFP 01 - WAN Port 01 | LHG-LTE18 - LAN Port 1" network=192.168.88.0

Step 4: Add DHCP for LAN (<= change according to your preference for LAN subnet AND the actual DNS servers from your provider!)
I specified following DNS server addresses:

  • 10.0.1.1 <= the Default Gateway of the LAN subnet
  • 192.168.88.1 <= The Default Gateway for the WAN subnet (= the Default Gateway for the LAN of the LHG-LTE18)
  • 195.130.130.4 <= DNS Server #1 of my Internet Provider <= change according to yours!
  • 195.130.131.4 <= DNS Server #2 of my Internet Provider <= change according to yours!


/ip pool
add name="DHCP Pool 01 - LAN" ranges=10.0.1.64/27
/ip dhcp-server
add address-pool="DHCP Pool 01 - LAN" interface="Bridge 01 - LAN" lease-time=1d name="DHCP Server 01 - LAN"
/ip dhcp-server network
add address=10.0.1.0/24 comment=LAN dns-server=10.0.1.1,192.168.88.1,195.130.130.4,195.130.131.4 gateway=10.0.1.1 netmask=24

Step 5: Configure Firewall according to the ‘Define what is allowed and drop all the rest’ approach

/ip firewall address-list
add address=10.0.1.0/24 list=LAN
/ip firewall filter
add action=accept chain=input comment="MikroTik Default Firewall Configuration - Allow Input for \"established\", \"related\" and \"untracked\" traffic" connection-state=established,related,untracked
add action=drop chain=input comment="MikroTik Default Firewall Configuration - Drop Input for \"invalid\" traffic" connection-state=invalid
add action=accept chain=input comment="MikroTik Default Firewall Configuration - Accept ICMP (Ping)" protocol=icmp
add action=accept chain=input comment="Allow access to any services from router like DNS and NTP" in-interface-list=LAN
add action=drop chain=input comment="Drop anything else..." log-prefix=DROP_INPUT
add action=fasttrack-connection chain=forward comment="MikroTik Default Firewall Configuration - Fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="MikroTik Default Firewall Configuration - Allow Forward for \"established\", \"related\" and \"untracked\" traffic" connection-state=established,related,untracked
add action=drop chain=forward comment="MikroTik Default Firewall Configuration - Drop Forward for \"invalid\" traffic" connection-state=invalid
add action=accept chain=forward comment="Allow Internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="Drop anything else..." log-prefix=DROP_FORWARD

Step 6: add NAT and an example for port forwarding <= change according to your needs

/ip firewall nat
add action=masquerade chain=srcnat comment="MikroTik Default Firewall Configuration - Masquerade" out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Example of Port Forwarding for FTP Server on IP Address 10.0.1.100" dst-port=989 in-interface="Ether 12 - Off Bridge Management Port 01 |  Management PC - Ethernet Port" protocol=tcp to-addresses=10.0.1.100 to-ports=989

Step 7: add a default route that points to the Default Gateway of the LHG-LTE18 LAN subnet! <= modify accordingly!

/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.88.1 routing-table=main suppress-hw-offload=no

Here’s a copy of such a basic router config on my CCR1016. You can use it as a reference to create yours.
Basic Router - Bare Essentials.rsc (6.9 KB)
Do not connect the switch yet, just connect some clients to the bridged Ethernet ports on the router (<= we will configure the switch in the next steps)
Once you have Internet working behind your router on a normal PC that gets its IP and DNS addresses via DHCP from the router let me know and we’ll go to the next steps.

Please also configure some port forwarding on BOTH your LHG-LTE18 AND your RB5009UG+S+IN router and check if you can reach your server (behind the RB5009UG+S+IN router) <= that should theoretically work w/o any problem. In the final solution I propose to use a VPN that terminates on the RB5009UG+S+IN router via port forwarding on the LHG-LTE18 <= this will require some other ports to be forwarded, but the principle remains the same. <= this will allow you to use DynDNS and connect a ‘management VPN’ from your remote location, “through” the port forwarded LHG-LTE18, AND terminates on your RB5009UG+S+IN router. From there you will be able to access any VLAN that is configured on the router (via FW rule that allows access to ALL VLAN). You can then configure a different VPN for your friends that puts them in a different VLAN compared to your ‘management VPN’ for which you can limit access to only certain VLANs (and corresponding devices) and even certain destination ports…

I checked out what possibilities there are on the LHG-LTE18 and according to https://help.mikrotik.com/docs/display/ROS/LTE#LTE-PassthroughExample it should be possible to configure it in Passthrough on ether1 and use ether2 to retain access via a second link to your router. The connecting port on your B5009UG+S+IN router for the passthrough should then be configured as DHCP client and will receive the actual public IP on it, resulting in the ideal config! I would think it should also be possible to inject the passthrough on a VLAN interface (on ether1). It shouldthen be possible to add additionnal VLANs for a second passtrough from a second APN and a Management link. As I don’t have an LHG-LTE18 I can’t configure / test it though…

Here is a YouTube video https://www.youtube.com/watch?v=cij5d42232w&ab_channel=MikrotikIndonesia-Citraweb where they explain how you can re-gain access to your LHG-LTE18 (for management/configuration) from WinBox AFTER you have enabled/configured passthrough on the LHG-LTE18. There are actually 3 posibilities:

  • Connect to the LHG-LTE18 via the 2nd ether2 port <= this is unpractical as it will require a second ethernet cable/port on your B5009UG+S+IN or access to your LHG-LTE18 if you connect directly with your PC…
  • Using the RoMON tool (you need to activate it on both the LHG-LTE18 AND the B5009UG+S+IN router <= works good, but requires some extra steps to connect
  • Using a dedicated (Management) VLAN <= looks like the best option!

Good luck!

Bruno