How to access a router locally from another router's VLAN switch

Hello,

I have a small home office with two routers: one is my Home Router (a Synology RT2600ac), where I have created a VLAN which connects to a small switch; the other is my Test Router (Mikrotik). Each router has its own independent internet access. So far so good.

When I want to do some configuration on my Test Router, I currently have to disconnect the ethernet cable from my Home Router and connect it to the Lab Router, which is a pain. So I would also like to access the Mikrotik Test Router locally from my desktop computer, which is connected by ethernet to the Home Router, as I can with all the devices I have already connected to this switch.

Pls let me know how I can achieve this at the Lab Router. Attached the diagram of my network and the configuration of my Mikrotik Lab Router.

# 2026-01-30 20:21:48 by RouterOS 7.20.2
# software id = X7GS-A6BH
#
# model = RB5009UG+S+
# serial number = 
# Interfaces, addressing, DHCP and DNS for the lab router.
# Several values in this post are blanked (admin-mac, listen-port, client-id,
# mac-address) and addresses written as 000.000.000.x are placeholders, so
# this export cannot be imported as-is.
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=local
/interface ethernet
set [ find default-name=ether2 ] comment=C&W_Modem-L2l_Jeseni name=\
    "ether2[WAN1]"
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port= mtu=1420 name=WG_ALL
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.11-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=local name=dhcp1
/certificate settings
set builtin-trust-anchors=not-trusted
# NOTE(review): auto-smb-sharing/auto-media-sharing presumably publish attached
# storage automatically; the input chain in this export has no default drop,
# so confirm these shares are not reachable from the WAN side.
/disk settings
set auto-media-interface=local auto-media-sharing=yes auto-smb-sharing=yes
# ether1 and ether4-ether8 are bridged into "local"; ether2 (WAN) and ether3
# stay outside the bridge as separate routed ports.
/interface bridge port
add bridge=local interface=ether1
add bridge=local comment=defconf interface=ether4
add bridge=local comment=defconf interface=ether5
add bridge=local comment=defconf interface=ether6
add bridge=local comment=defconf interface=ether7
add bridge=local comment=defconf interface=ether8
add bridge=local comment=defconf interface=sfp-sfpplus1
# Neighbor discovery is off on every interface, so this router does not
# announce itself; it has to be reached by IP address.
/ip neighbor discovery-settings
set discover-interface-list=none
# Only ether2[WAN1] (WAN) and the bridge (LAN) are list members. ether3, which
# carries the DHCP client below, is in neither list, so firewall rules that
# match in-interface-list=LAN or WAN never apply to traffic arriving on it.
/interface list member
add comment=defcon interface="ether2[WAN1]" list=WAN
add comment=defcon interface=local list=LAN
/interface ovpn-server server
add mac-address=FE:29:BF:6D:56:78 name=ovpn-server1
# No peers appear under this heading (none configured, or removed before
# posting - cannot tell from the export).
/interface wireguard peers
/ip address
add address=192.168.88.1/24 comment=LAN interface=local network=192.168.88.0
add address=000.000.000.11/29 comment=C&W_Modem-L2_StaticIP interface=\
    "ether2[WAN1]" network=000.000.000.8
add address=192.168.100.1/24 comment="Wireguard full lan access" interface=\
    WG_ALL network=000.000.100.0
add address=000.000.000.1/24 comment="Wireguard G24A1" interface=WG_ALL \
    network=000.000.000.0
add address=000.000.000.1/24 comment="Wireguard G24A02" interface=WG_ALL \
    network=000.000.000.0
# ether3 takes a lease but installs no default route and ignores the peer's
# DNS/NTP, so only the directly connected subnet is reachable through it
# unless a static route is added.
/ip dhcp-client
add add-default-route=no default-route-tables=main interface=ether3 \
    use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.88.2 address-lists=192.168.88.0/24 client-id=\
     comment="NAS OfidataLab" mac-address=\
     server=dhcp1 use-src-mac=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
# allow-remote-requests=yes makes the router a resolver for clients. The filter
# rules in this export drop port 53 only on ether2[WAN1]; queries arriving on
# any other interface (including ether3) are answered.
# NOTE(review): no use-doh-server is exported, so upstream queries presumably
# go to 8.8.8.8/8.8.4.4 unencrypted despite verify-doh-cert=yes - confirm.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4 verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com type=A
add address=104.16.249.249 name=cloudflare-dns.com type=A
add address=192.168.88.2 comment="Ofidatalab local domain" match-subdomain=\
    yes name=local.ofidatalab.com type=A
add address=192.168.88.1 comment="router MK RB5009 2025" name=\
    routerofidatalab.lan type=A
# Packet filter. Rules are evaluated top to bottom within each chain.
#
# NOTE(review): the input chain below contains only drops (port scanners,
# invalid, DNS on ether2[WAN1]) and no final drop rule. Anything else addressed
# to the router itself is therefore accepted on every interface, WAN included,
# and the /ip service address= lists are the only source restriction on
# WinBox/SSH/WebFig. A safer layout accepts established/related plus the
# management subnets explicitly and ends the input chain with a drop.
/ip firewall filter
add action=accept chain=forward comment=\
    "accept established,related, untracked  (MK Forum 2023-04-12 ANAV)" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Block Port Scanners" src-address-list=\
    PORT-SCANNERS
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# psd=21,3s,3,1: weight threshold 21, delay threshold 3s, low-port weight 3,
# high-port weight 1. Matching sources are listed for 3 days and then dropped
# by the PORT-SCANNERS rule above. There is no in-interface match, so hosts on
# the LAN side can be listed as well.
add action=add-src-to-address-list address-list=PORT-SCANNERS \
    address-list-timeout=3d chain=input comment="Port Scanner Detector" log=\
    yes protocol=tcp psd=21,3s,3,1
# Drops DNS queries (TCP and UDP 53) that arrive on the WAN port only.
add action=drop chain=input comment="Bloqueo consulta DNS desde afuera - TCP" \
    dst-port=53 in-interface="ether2[WAN1]" protocol=tcp
add action=drop chain=input comment=\
    "Bloqueo consultas DNS desde afuera - UDP" dst-port=53 in-interface=\
    "ether2[WAN1]" protocol=udp
add action=drop chain=forward comment=\
    "drop invalid  (MK Forum 2023-04-12 ANAV)" connection-state=invalid
# NOTE(review): established/related forward traffic is already accepted by the
# first rule of this export, so this fasttrack rule is never reached.
add action=fasttrack-connection chain=forward comment=\
    "fasttrack (MK Forum 2023-04-12 ANAV)" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "allow internet traffic  (MK Forum 2023-04-12 ANAV)" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "allow port forwarding dstnat (ANAV 2023-11-17)" connection-nat-state=\
    dstnat
# WireGuard forward rules; the 000.000.000.0/24 sources are placeholders the
# poster substituted for the real subnets.
add action=accept chain=forward comment=\
    "WG Administracion (MK Forum  2024-04-12 ANAV)" in-interface=WG_ALL \
    out-interface-list=LAN src-address=000.000.000.0/24
add action=accept chain=forward comment="WG-U24AA (MK Forum 2024-04-12 ANAV)" \
    dst-address=192.168.88.2 in-interface=WG_ALL src-address=000.000.000.0/24
add action=accept chain=forward comment="WG-U24AB (MK Forum 2024-04-12 ANAV)" \
    dst-address=192.168.88.2 in-interface=WG_ALL src-address=000.000.000.0/24
# Unconditional forward drop: new connections entering on ether3 (in no
# interface list) toward the LAN or WAN end here, so only the router itself is
# reachable from that port.
add action=drop chain=forward comment=\
    "drop all else (MK Forum 2024-11-17 ANAV)"
# Unreachable: the unconditional drop above already matches every packet that
# gets this far.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# NAT, IPsec profile and the default route.
/ip firewall nat
# Source NAT for everything leaving through a WAN-list interface.
add action=masquerade chain=srcnat comment=\
    "defconf: masquerade  (MK Forum 2023-04-12 ANAV)" ipsec-policy=out,none \
    out-interface-list=WAN
# Publishes TCP 443 on the WAN address to 192.168.88.2 (the NAS lease in this
# export). src-address-list is empty, so any source address can reach it.
add action=dst-nat chain=dstnat comment="DstNat DS723+ https" dst-address=\
    000.000.000.11 dst-address-list="" dst-address-type=local dst-port=443 \
    protocol=tcp src-address-list="" to-addresses=192.168.88.2 to-ports=443
# Redirects all TCP/UDP port-53 traffic to the router's own resolver. There is
# no in-interface or source match, so this applies to every interface; the
# input-chain drops on ether2[WAN1] are what reject WAN-side queries.
add action=redirect chain=dstnat comment=\
    "from YouTube (Mikrotik channel) Encrypt your DNS request with MikroTik " \
    dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment=\
    "from YouTube (Mikrotik channel) Encrypt your DNS request with MikroTik " \
    dst-port=53 protocol=udp
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# Only route in the export: default via the WAN gateway (placeholder address).
# Replies to any subnet that is not directly connected leave this way.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=000.000.000.9 routing-table=main \
    suppress-hw-offload=no
# Management services, time, identity and layer-2 access tools.
# ftp, telnet, api and api-ssl are disabled; www (WebFig over plain HTTP), ssh
# and winbox stay enabled. The address= values are blanked in this post.
# Because the input chain in this export has no default drop, these address=
# lists are the only thing limiting who may connect to the enabled services.
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www address=
set ssh address=
set winbox address=
    max-sessions=3
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 firewall address-list
/system clock
set time-zone-name=America/Panama
/system identity
set name=LAB_ROUTER
/system note
set note=.com show-at-cli-login=yes
/system ntp client
set enabled=yes
# NOTE(review): the NTP server is enabled and no input rule limits it, so it is
# presumably reachable on every interface including WAN - confirm and restrict
# if it is only meant for the LAN.
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
/tool bandwidth-server
set enabled=no
# MAC-telnet, MAC-WinBox and MAC ping are off on all interfaces, so the router
# can only be managed over IP.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/user settings
set minimum-password-length=

Tks in advance!

What are these networks? Are you sure that the addresses are OK?

These are REALLY strange

I suggest resetting the router to defaults, connecting it to VLAN100 on a switch, and trying to connect to it from any other VLAN100-based place in your network. If the port on the switch properly removes the VLAN100 tag on egress, then your 5009 should get an IP on that network on ETH1.
After the reset, you should connect to the 5009, enable the DHCP client on its WAN port, and enable the Winbox server and MAC server on WAN too (WAN here being the port that faces the home-network switch). I suggest enabling neighbor discovery on all ports to see what you can see on the network from the 5009's perspective, and then trying to find what is needed to see the 5009 from the network.

Hello,

In the config I sent, I replaced my real addresses with these fake 000.000.000.X addresses.

The MK 5009 lab router is working, so I just need to find out how I can set up an ethernet port on this router to be accessible by WinBox from the Home Router. At the moment, if I want to make some config change on the Lab Router, I have to disconnect the ethernet cable that connects the Home Router to my desktop computer and connect the desktop computer to the Lab Router, which is a pain to do back and forth each time.

So that is why I suggest turning on neighbor discovery + torch on the WAN interface to watch what kind of packets are visible: tagged, untagged, what IPs ... any information that could help configure the 5009 to talk via the switch. Or maybe the switch is misconfigured, and that is why you can't reach the 5009.

Did you enable access to the 5009 on its interface facing the switch? Firewall? Winbox server? Webfig?


Well, it is not like it is actually sensitive data, but - in case - you could use the subnet allowed for "examples", such as:

  • Documentation and Testing (Reserved):
    • 192.0.2.0/24 (TEST-NET-1)
    • 198.51.100.0/24 (TEST-NET-2)
    • 203.0.113.0/24 (TEST-NET-3)

Hi,

Here is my updated Mikrotik Lab Router config. Please note that the -ether3- port has a DHCP client set up to receive an IP from the Home Router, which gives it 192.168.5.245, but if I put this IP into WinBox and try to access the Lab Router I receive a “Connection refused”, so I think the issue might be with the Mikrotik firewall.

# 2026-01-30 20:21:48 by RouterOS 7.20.2
# software id = X7GS-A6BH
#
# model = RB5009UG+S+
# serial number = 
# Interfaces, addressing, DHCP and DNS for the lab router (updated export).
# Some values are still blanked (admin-mac, ovpn mac-address, lease client-id
# and mac-address), so this export cannot be imported as-is.
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=local
/interface ethernet
set [ find default-name=ether2 ] comment=C&W_Modem-L2l_Jeseni name=\
    "ether2[WAN1]"
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface wireguard
add listen-port=22222 mtu=1420 name=WG_ALL
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.11-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=local name=dhcp1
/certificate settings
set builtin-trust-anchors=not-trusted
# NOTE(review): auto-smb-sharing/auto-media-sharing presumably publish attached
# storage automatically; with no default drop in the input chain of this
# export, confirm the shares are not reachable from the WAN side.
/disk settings
set auto-media-interface=local auto-media-sharing=yes auto-smb-sharing=yes
# ether1 and ether4-ether8 form the "local" bridge; ether2 (WAN) and ether3
# remain separate routed ports.
/interface bridge port
add bridge=local interface=ether1
add bridge=local comment=defconf interface=ether4
add bridge=local comment=defconf interface=ether5
add bridge=local comment=defconf interface=ether6
add bridge=local comment=defconf interface=ether7
add bridge=local comment=defconf interface=ether8
add bridge=local comment=defconf interface=sfp-sfpplus1
# Neighbor discovery stays disabled everywhere, so the router is not announced
# to the home network and must be addressed by IP.
/ip neighbor discovery-settings
set discover-interface-list=none
# ether3 (DHCP client below) belongs to neither WAN nor LAN, so list-based
# firewall rules do not match traffic entering on it.
/interface list member
add comment=defcon interface="ether2[WAN1]" list=WAN
add comment=defcon interface=local list=LAN
/interface ovpn-server server
add mac-address= name=ovpn-server1
# No peers are exported under this heading (none configured, or removed before
# posting - cannot tell from here).
/interface wireguard peers
/ip address
add address=192.168.88.1/24 comment=LAN interface=local network=192.168.88.0
add address=201.100.100.100/29 comment=C&W_Modem-L2_StaticIP interface=\
    "ether2[WAN1]" network=201.100.100.1
add address=192.168.100.1/24 comment="Wireguard full lan access" interface=\
    WG_ALL network=192.168.100.0
add address=192.168.101.1/24 comment="Wireguard G24A1" interface=WG_ALL \
    network=192.168.101.0
add address=192.168.102.1/24 comment="Wireguard G24A02" interface=WG_ALL \
    network=192.168.102.0
# The lease on ether3 adds an address but no default route (and peer DNS/NTP
# are ignored), so replies to hosts outside the leased subnet follow the
# default route out the WAN unless a static route says otherwise.
/ip dhcp-client
add add-default-route=no default-route-tables=main interface=ether3 \
    use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.88.2 address-lists=192.168.88.0/24 client-id=\
     comment="NAS OfidataLab" mac-address=\
     server=dhcp1 use-src-mac=yes
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
# The router answers DNS for clients (allow-remote-requests=yes). Port 53 is
# dropped only on ether2[WAN1] by the filter rules in this export; queries
# from ether3 are served.
# NOTE(review): no use-doh-server is exported, so upstream queries presumably
# go to 8.8.8.8/8.8.4.4 unencrypted despite verify-doh-cert=yes - confirm.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4 verify-doh-cert=yes
/ip dns static
add address=104.16.248.249 name=cloudflare-dns.com type=A
add address=104.16.249.249 name=cloudflare-dns.com type=A
add address=192.168.88.2 comment="Ofidatalab local domain" match-subdomain=\
    yes name=local.ofidatalab.com type=A
add address=192.168.88.1 comment="router MK RB5009 2025" name=\
    routerofidatalab.lan type=A
# Packet filter (updated export). Rules run top to bottom within each chain.
#
# NOTE(review): the input chain has no accept rules and no final drop; it only
# drops listed port scanners, invalid packets and DNS on ether2[WAN1]. All
# other traffic to the router is accepted on every interface, so this firewall
# is not what produces a "Connection refused" on ether3, and it also leaves
# WinBox/SSH/WebFig protected from the WAN only by their /ip service address=
# lists. Ending the input chain with a drop, after explicit accepts for
# established/related and the management subnets, closes that gap.
/ip firewall filter
add action=accept chain=forward comment=\
    "accept established,related, untracked  (MK Forum 2023-04-12 ANAV)" \
    connection-state=established,related,untracked
add action=drop chain=input comment="Block Port Scanners" src-address-list=\
    PORT-SCANNERS
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# psd=21,3s,3,1: weight threshold 21, delay threshold 3s, low-port weight 3,
# high-port weight 1. Sources that trip it are listed for 3 days and dropped
# by the PORT-SCANNERS rule above; with no in-interface match this can also
# list a host on the LAN or home-network side.
add action=add-src-to-address-list address-list=PORT-SCANNERS \
    address-list-timeout=3d chain=input comment="Port Scanner Detector" log=\
    yes protocol=tcp psd=21,3s,3,1
# DNS (TCP and UDP 53) is refused on the WAN port only.
add action=drop chain=input comment="Bloqueo consulta DNS desde afuera - TCP" \
    dst-port=53 in-interface="ether2[WAN1]" protocol=tcp
add action=drop chain=input comment=\
    "Bloqueo consultas DNS desde afuera - UDP" dst-port=53 in-interface=\
    "ether2[WAN1]" protocol=udp
add action=drop chain=forward comment=\
    "drop invalid  (MK Forum 2023-04-12 ANAV)" connection-state=invalid
# NOTE(review): never reached - the first rule of this export already accepts
# established/related forward traffic.
add action=fasttrack-connection chain=forward comment=\
    "fasttrack (MK Forum 2023-04-12 ANAV)" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "allow internet traffic  (MK Forum 2023-04-12 ANAV)" in-interface-list=\
    LAN out-interface-list=WAN
add action=accept chain=forward comment=\
    "allow port forwarding dstnat (ANAV 2023-11-17)" connection-nat-state=\
    dstnat
# WireGuard: 192.168.100.0/24 may reach the whole LAN list; 192.168.101.0/24
# and 192.168.102.0/24 may reach only 192.168.88.2.
add action=accept chain=forward comment=\
    "WG Administracion (MK Forum  2024-04-12 ANAV)" in-interface=WG_ALL \
    out-interface-list=LAN src-address=192.168.100.0/24
add action=accept chain=forward comment="WG-U24AA (MK Forum 2024-04-12 ANAV)" \
    dst-address=192.168.88.2 in-interface=WG_ALL src-address=192.168.101.0/24
add action=accept chain=forward comment="WG-U24AB (MK Forum 2024-04-12 ANAV)" \
    dst-address=192.168.88.2 in-interface=WG_ALL src-address=192.168.102.0/24
# Unconditional forward drop: new connections from ether3 toward the lab LAN
# or the WAN stop here, so the home network can reach the router itself but
# not the hosts behind it.
add action=drop chain=forward comment=\
    "drop all else (MK Forum 2024-11-17 ANAV)"
# Unreachable: every packet that gets this far was dropped by the rule above.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# NAT, IPsec profile and the default route (updated export).
/ip firewall nat
# Source NAT for traffic leaving through a WAN-list interface.
add action=masquerade chain=srcnat comment=\
    "defconf: masquerade  (MK Forum 2023-04-12 ANAV)" ipsec-policy=out,none \
    out-interface-list=WAN
# Forwards TCP 443 on 201.100.100.100 to 192.168.88.2 (the NAS lease in this
# export). src-address-list is empty, so the port is open to any source.
add action=dst-nat chain=dstnat comment="DstNat DS723+ https" dst-address=\
    201.100.100.100 dst-address-list="" dst-address-type=local dst-port=443 \
    protocol=tcp src-address-list="" to-addresses=192.168.88.2 to-ports=443
# Redirects every TCP/UDP port-53 packet to the router's resolver regardless
# of ingress interface; WAN-side queries are then rejected by the input-chain
# drops on ether2[WAN1].
add action=redirect chain=dstnat comment=\
    "from YouTube (Mikrotik channel) Encrypt your DNS request with MikroTik " \
    dst-port=53 protocol=tcp
add action=redirect chain=dstnat comment=\
    "from YouTube (Mikrotik channel) Encrypt your DNS request with MikroTik " \
    dst-port=53 protocol=udp
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
# The only route exported: default via 201.100.100.1 on the WAN side. Replies
# to a home-network subnet that is not directly connected on ether3 therefore
# leave through the WAN instead of going back through ether3.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=201.100.100.1 routing-table=main \
    suppress-hw-offload=no
# Management services, time, identity and layer-2 access tools (updated).
# ftp, telnet, api and api-ssl are off. www (WebFig over plain HTTP) and
# winbox accept 192.168.88.0/24, 192.168.100.0/24 and 192.168.5.0/24; ssh
# accepts only the first two. A client whose source address is outside a
# service's list is turned away by the service itself.
# NOTE(review): the input chain in this export has no default drop, so these
# address= lists are the only restriction on who can reach the services; keep
# them as narrow as the management hosts allow.
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www address=192.168.88.0/24,192.168.100.0/24,192.168.5.0/24 port=
set ssh address=192.168.88.0/24,192.168.100.0/24 port=
set winbox address=192.168.88.0/24,192.168.100.0/24,192.168.5.0/24 \
    max-sessions=3
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
# No IPv6 address lists or filter rules are exported; whether IPv6 is enabled
# on this router cannot be seen from this export.
/ipv6 firewall address-list
/ipv6 firewall filter
/system clock
set time-zone-name=America/Panama
/system identity
set name=LAB_ROUTER
/system note
set note=enricosm@jeseni.com show-at-cli-login=yes
/system ntp client
set enabled=yes
# NOTE(review): the NTP server is enabled and no input rule limits it, so it is
# presumably reachable on every interface including WAN - confirm and restrict
# if it is only meant for the LAN.
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
/tool bandwidth-server
set enabled=no
# MAC-telnet, MAC-WinBox and MAC ping are disabled on all interfaces, so
# management is possible over IP only.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/user settings
set minimum-password-length=12

Hello everybody,

Well, I found the solution myself, and now I’m able to connect to my TEST Router from my Desktop PC (connected to the Home Router - see network topology above).

I just have to add to the TEST Router configuration included above this:

# Entered under /ip route. As pasted, the command is wrapped after
# "routing-table="; the value "main" on the next line belongs to it.
# Static route: traffic for 192.168.1.0/24 is sent to 192.168.5.1 instead of
# following the default route out the WAN link.
# NOTE(review): presumably 192.168.1.0/24 is the desktop's subnet and
# 192.168.5.1 is the Home Router on the VLAN that ether3 joins - confirm.
# NOTE(review): with the return path in place, that whole subnet can reach any
# service the router accepts it for; keep the /ip service address= lists
# limited to the hosts that actually need WinBox.
add disabled=no dst-address=192.168.1.0/24 gateway=192.168.5.1 routing-table=
main suppress-hw-offload=no

Now I can access using WinBox on my Desktop PC the TEST Router.

Anyway any comment will be gladly received.