MikroTik RB5009UPr+S+IN + CRS310-8G+2S+IN initial setup

All the equipment is in close proximity. I'm using the MikroTik XS+DA0003 to connect the NAS to the CRS310 and have an XS+DA0001 to connect the CRS310 to the RB5009.

You may want to verify that the ONT supports 2.5Gb and will correctly negotiate with the 2.5Gb RB5009 ether1 port. There have been issues in the past where that didn't work well, but hopefully recent ROS versions have that sorted.

Then you will be able to use the RB5009 ports as @jaclaz's first option described in MikroTik RB5009UPr+S+IN + CRS310-8G+2S+IN initial setup - #13 by jaclaz

That’s actually a pretty solid setup to start your MikroTik journey with. The RB5009 + CRS310 combo is very powerful once you get comfortable with bridges, VLANs, and routing basics. I’d recommend checking out MikroTik’s official YouTube channel and some beginner RouterOS guides before adding VLAN segmentation and WiFi configs.

Also, planning bandwidth and port usage beforehand really helps in setups like this.

@herrybent what type of router do you have? How did you learn?

I have both the RB5009 and CRS310 updated to 7.22.3 and default backups stored.

I finally have all my equipment and cables to tackle my setup. I've been using AI (I know, please don't stone me) as a general guide to see what it spits out which has helped me narrow down how I would like things configured. Please interject if you see something wrong with my logic.

I think 3 VLANs make sense.

  1. Data for trusted equipment (PCs and Phones)
  2. IOT equipment
  3. Guest Network (probably used very little in my situation but might as well set it up)

I'd like to use the default MikroTik IP address scheme of 192.168.88.X

ONT RJ45 to RB5009 Ether1
RB5009 sfp-sfpplus1 --> CRS310 sfp-sfpplus1
U7 Access points --> CRS310 2.5 gig RJ45

Considerations.

I'd like to reserve the CRS310 for 2.5gig devices/Unraid Server and use ether2-ether8 on the RB5009 for 1gig devices. Including the access points, I'll have 5/8 ports on the CRS310 used.

I won't insult anyone's intelligence by posting what AI wrote. Sometimes AI mentions router on a stick and sometimes not, depending on my wording. I'd like to get it direct from the experts here. Once I am up and running I'll save the configs and then I can actively deep dive into RouterOS at my leisure.

Personally I would not do this.
If, for whatever reason, some MT device in your network has to be reset to default config, guess what range it will use (and what subnet it will mess with).

Same reason why I avoid 192.168.0.x, 192.168.1.x, ...
Too commonly used by other vendors/equipment.

Gemini prompted for "router on a stick" produces a telling image:

Hahahaha, luv it!!

Best way to learn is to dive right in.
First, draw a network diagram labelling the ports and the devices connected to the ports and the VLANs that need to go to the devices, through the ports.

That way you will have a decent context start, knowing the traffic flows required.
I have given you good enough examples of the switch that it can be done first before tackling the router.
AKA, you only have to consider the trunk port from the router.

You also need to decide if you will have a dedicated management VLAN or just use the trusted vlan for that purpose. All smart devices should get their IP address from this subnet.
Also, as I have demonstrated, on all MT devices, create an off bridge port and do the config from that location.

GLuck. When you run into troubles, come back and ask for help.

Thanks anav, I'll start with what you wrote here for the CRS310.

A couple points of clarification (dumb questions) on my end.

Should that be /24 instead of /34? add address=192.168.50.2/24 interface=vlan10-mgmt network=192.168.50.0
Ether8 is an emergency access port. Should this port only be used for troubleshooting?

/ip address
add address=192.168.50.2/34 interface=vlan10-mgmt network=192.168.50.0
add address=192.168.77.1/30 interface=OffBridge8 network=192.168.77.0

Yes LOL, I am the typo king! Correct, it should be /24 :slight_smile:

Just in case:
Once and for all COMPLETE Offbridge Port setup

already included/discussed........ the other 11 rules may be useful for the router side though.

Is there any reason the Offbridge port setup is done on the switch instead of the router? In my mind, I'm least likely to fill the 1g ports on the router. Or does the offbridge port only have access to the device it is set up on (set up on router, no access to switch and vice versa)?

Yep, there should be an offbridge port on the switch and an offbridge port on the router. :astonished_face:

Or if you prefer, an offbridge port for any device that has a risk of locking you out when (if) you make a teeny-tiny mistake in your configuration (more often this happens when learning to implement and experimenting with VLANs, but also firewall filter rules and interface categorization can lead to this).

Now "real" (professional) devices usually have a "console" port, so in the worst case you only need a RS232 port on your PC (or a USB<->RS232 serial converter) and a suitable cable.

For the RB5009 and CRS310 specifically, this can be in most cases replaced by a second RS232<>USB adapter (since the USB access is post-boot it is slightly less useful than a real console port that gives connection to the bootloader also, but it can still resolve the "lockouts" from mis-configurations), so if you have this stuff (cable/adapters) available you don't really-really need an offbridge port.

Usually, however, you also don't really-really need to use all ethernet ports on these devices, and IF you actually do you can set up the offbridge port only temporarily and, once you have a working configuration, re-add it to the bridge.

It takes - what? - five minutes to set up an offbridge port and another five minutes to reset it to "normal", so it is worth it.

Yup all MT devices, an offbridge port is recommended. Less of a mystery to put on the router, now that you have the example for the switch.

The bad news is that my wife and I work from home and can't be without a working network for very long. Add to that our daughter will go through convulsions without wifi during waking hours.

The good news is that I didn't try to save a few bucks by utilizing our current ASUS routers as access points. I work in medical IT and we always have a rollback plan when things go sideways. :slight_smile: Until things are settled, all I need to do is swap a few cables around.

I got the U7 access point updating. We'll see how much I can accomplish tomorrow.

As long as your current ASUS router isn't using either of the two LAN addresses you plan to use on the RB5009, you can just treat your ASUS as the ISP connection for your RB5009. This will allow you to continue to use the ASUS as is for the family, while you are configuring the RB5009 and verifying that things work (including the firewall, which you can verify by attempting to connect from the current home LAN to both the RB5009 (which should be blocked from the "internet connection")). From the LAN on the RB5009, you should have internet access, so you can still get updates etc.

Then when you are satisfied that things are working, you can then replace the ASUS with little downtime, and the added assurance that the firewall is working.
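Added example (not part of any post in this thread): a small Python check for the two address-planning points raised above, that planned subnets should not overlap the temporary upstream LAN and should stay clear of ranges devices fall back to by default. It also catches an invalid prefix such as the /34 typo. The upstream subnet 192.168.50.0/24 and the interface name vlan20-data are constructed assumptions.

```python
import ipaddress

# Ranges the thread warns about: a device reset to defaults lands in one of these.
RISKY_DEFAULTS = {
    "MikroTik default 192.168.88.0/24": ipaddress.ip_network("192.168.88.0/24"),
    "commonly used 192.168.0.0/24": ipaddress.ip_network("192.168.0.0/24"),
    "commonly used 192.168.1.0/24": ipaddress.ip_network("192.168.1.0/24"),
}

# Constructed sample: the first two lines are quoted in the thread (typo included),
# the third is a hypothetical VLAN using the range the original poster proposed.
SAMPLE_PLAN = """\
/ip address
add address=192.168.50.2/34 interface=vlan10-mgmt network=192.168.50.0
add address=192.168.77.1/30 interface=OffBridge8 network=192.168.77.0
add address=192.168.88.1/24 interface=vlan20-data network=192.168.88.0
"""

def parse_address_lines(text):
    """Yield (interface, address) pairs from 'add address=... interface=...' lines."""
    for line in text.splitlines():
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "address" in fields:
            yield fields.get("interface", "?"), fields["address"]

def check_plan(text, upstream_lan):
    """Return (interface, problem) tuples; upstream_lan is the temporary WAN-side subnet."""
    upstream = ipaddress.ip_network(upstream_lan)
    findings, seen = [], []
    for iface, addr in parse_address_lines(text):
        try:
            net = ipaddress.ip_interface(addr).network
        except ValueError:  # e.g. a /34 prefix on an IPv4 address
            findings.append((iface, f"invalid address {addr}"))
            continue
        if net.overlaps(upstream):
            findings.append((iface, f"overlaps upstream LAN {upstream}"))
        for label, risky in RISKY_DEFAULTS.items():
            if net.overlaps(risky):
                findings.append((iface, f"overlaps {label}"))
        for other_iface, other in seen:
            if net.overlaps(other):
                findings.append((iface, f"overlaps {other_iface} ({other})"))
        seen.append((iface, net))
    return findings

if __name__ == "__main__":
    for iface, problem in check_plan(SAMPLE_PLAN, "192.168.50.0/24"):
        print(f"{iface}: {problem}")
```

Once the /34 is corrected to /24, the same check reports the management subnet as overlapping the assumed upstream LAN, which is the condition to rule out before cabling the RB5009 behind the existing router.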

Excellent idea buckeye.... treat the router as a router getting a private IP on the LAN of the asus during setup. Make the switch when everyone has gone to bed LOL.

If you want 'live help session' if you get stuck, let me know.