Hey guys! I’m new to the MikroTik world, and would love some guidance with this.
I want to split the ethernet ports on my router into two separate networks.
e.g 2-5 as the staff network with IPs of 192.168.88.1, and 6-10 as the guest network ports with IPs of 192.168.2.1 (etc).
I’d like the staff to be able to access stuff from the Guest network, however I don’t want guests having ANY access to the staff network.
What would be the best way of doing this?
Thanks guys!
Reset routerboard without default gateway.
Go to new terminal
copy and past this script in new terminal
/interface bridge
add mtu=1500 name=bridge-guest
add admin-mac=D4:CA:6D:A1:03:24 auto-mac=no mtu=1500 name=bridge-staff
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-staff1
set [ find default-name=ether3 ] name=ether3-staff2
set [ find default-name=ether4 ] name=ether4-staff3
set [ find default-name=ether5 ] name=ether5-staff4
set [ find default-name=ether6 ] name=ether6-guest1
set [ find default-name=ether7 ] name=ether7-guest2
set [ find default-name=ether8 ] name=ether8-guest3
set [ find default-name=ether9 ] name=ether9-guest4
set [ find default-name=ether10 ] name=ether10-guest5
/ip neighbor discovery
set ether1-gateway discover=no
/ip pool
add name=dhcp-staff ranges=192.168.88.10-192.168.88.254
add name=dhcp-guest ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp-staff disabled=no interface=bridge-staff name=default
add address-pool=dhcp-guest disabled=no interface=bridge-guest lease-time=3d
name=dhcp1
/port
set 0 name=serial0
/system logging action
set 2 remember=yes
/interface bridge port
add bridge=bridge-staff interface=ether2-staff1
add bridge=bridge-staff interface=ether3-staff2
add bridge=bridge-staff interface=ether4-staff3
add bridge=bridge-staff interface=ether5-staff4
add bridge=bridge-guest interface=ether6-guest1
add bridge=bridge-guest interface=ether7-guest2
add bridge=bridge-guest interface=ether8-guest3
add bridge=bridge-guest interface=ether9-guest4
add bridge=bridge-guest interface=ether10-guest5
/ip address
add address=192.168.88.1/24 comment=range-staff interface=bridge-staff
network=192.168.88.0
add address=192.168.2.1/24 comment=range-guest interface=bridge-guest
network=192.168.2.0
/ip dhcp-client
add comment=“default configuration” dhcp-options=hostname,clientid disabled=
no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.88.1,8.8.8.8,8.8.4.4 gateway=
192.168.2.1
add address=192.168.88.0/24 comment=“default configuration” dns-server=
192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment=“default configuration” protocol=icmp
add chain=input comment=“default configuration” connection-state=established
add chain=input comment=“default configuration” connection-state=related
add action=drop chain=input comment=“default configuration” in-interface=
ether1-gateway
add chain=forward comment=“default configuration” connection-state=
established
add chain=forward comment=“default configuration” connection-state=related
add action=drop chain=forward comment=“default configuration”
connection-state=invalid
add action=drop chain=input dst-address=192.168.88.0/24 src-address=
192.168.2.0/24
add chain=input dst-address=192.168.2.0/24 src-address=192.168.88.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment=“default configuration”
out-interface=ether1-gateway
add action=masquerade chain=srcnat out-interface=ether1-gateway src-address=
192.168.2.0/24
/ip upnp
set allow-disable-external-interface=no
/snmp
set trap-community=public
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set bridge-staff disabled=yes display-time=5s
set bridge-guest disabled=yes display-time=5s
set sfp1 disabled=yes display-time=5s
set ether1-gateway disabled=yes display-time=5s
set ether2-staff1 disabled=yes display-time=5s
set ether3-staff2 disabled=yes display-time=5s
set ether4-staff3 disabled=yes display-time=5s
set ether5-staff4 disabled=yes display-time=5s
set ether6-guest1 disabled=yes display-time=5s
set ether7-guest2 disabled=yes display-time=5s
set ether8-guest3 disabled=yes display-time=5s
set ether9-guest4 disabled=yes display-time=5s
set ether10-guest5 disabled=yes display-time=5s
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-staff1
add interface=ether3-staff2
add interface=ether4-staff3
add interface=ether5-staff4
add interface=ether6-guest1
add interface=ether7-guest2
add interface=ether8-guest3
add interface=ether9-guest4
add interface=ether10-guest5
add interface=sfp1
add interface=bridge-staff
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-staff1
add interface=ether3-staff2
add interface=ether4-staff3
add interface=ether5-staff4
add interface=ether6-guest1
add interface=ether7-guest2
add interface=ether8-guest3
add interface=ether9-guest4
add interface=ether10-guest5
add interface=sfp1
add interface=bridge-staff
/tool user-manager database
set db-path=user-manager
Thank you so much!
Now if I want WiFi, and plug in a standard wifi router, how do I get all the wifi clients to be apart of the Mikrotik 192.168.2.x network and show up inside the DHCP address pool, etc?
Use a wireless accesspoint.
Configure this as wireless bridge
Not as wireless router.
I have this not tested yet but see this as accesspoint
http://routerboard.com/RBcAP2n
@SATABOT
Thanks for giving me karma my friend.
I hope everything is ok
I appresiate this.
Yes, everything works perfectly. 
You helped set me on the right path, and now I am a happy MikroTik user! Thanks so much again for your help and the script.