I’m wanting to use my device as a switch. I already have a router with DHCP, DNS, firewall, etc. The default configuration seems to work until I connect my router to the MT switch. It seems to note that the Internet is available there and doesn’t let it communicate with the other ports. If I instead connect my router to another switch, then connect that switch to the MT switch, it all works (slowly, as the other switch is only 1GBE).
The docs seem to assume you want to set up a WAN router, and so aren’t too useful for my configuration. Is there a way to set the MT up as 'just' a switch?
Here is the current configuration:
# 2025-11-23 22:12:52 by RouterOS 7.20.4
# software id = F9C3-JSFH
#
# model = CRS304-4XG
# serial number = xxxxxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface list
add name=WAN
add name=LAN
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/interface list member
add interface=ether5 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
/interface ovpn-server server
add mac-address=xx:xx:xx:xx:xx:xx name=ovpn-server1
/ip address
add address=10.0.0.3/24 comment=defconf interface=ether1 network=10.0.0.0
/ip dns
set servers=10.0.0.1,1.1.1.1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=Australia/Perth
/system swos
set address-acquisition-mode=static static-ip-address=10.0.0.3
The CRS line devices are meant to be just (managed) switches. The additional router features are available, but the devices are not meant for (or capable of) handling much traffic using them.
I don't know what the default configuration on them is, but you want one where:
The categorization of ports as LAN or WAN is unneeded (but it is not used by anything, so it is exactly as if it wasn't there at all).
You have all ports added to the bridge.
You miss giving an IP address to the bridge (if you want it static) or adding a DHCP client to it, as the ip address assigned to ether1 is not doing anything since ether1 has been added to bridge.
Also, that DNS setup becomes cursed the moment the LAN server has local-only static addresses. The rule is that you configure multiple DNS server addresses only when all return the same result for all queries. Depending on the client resolver implementation, that setup will either work 50/50 for local lookups or it will ping-pong between working 100% and failing 100% for same.
The proper way to handle LAN DNS failover is to stand up a slave DNS server on the LAN and point to that and the master, both of which you configure to act as recursive resolvers via 1.1.1.1, in your scheme.
Alternately, set up scripting to cut over hard from LAN-only to temporary WAN-only DNS service switching when the LAN DNS server goes MIA, then back as soon as it reappears. (This, perhaps, is what you thought your current config does, but no; resolvers aren’t psychic.)
Personally, I wouldn’t bother with any of that cleverness. If the LAN server is MIA, the same cause is likely to prevent you from talking to 1.1.1.1, too.
The "proper" way is applying your management ip address to bridge instead of ether1.
See this thread, "IP address in bridge or etherX", in which the original poster said both work. But in general you should be applying a Layer 3 ip address to an interface, and once a port has been added to the bridge, it should no longer be treated as an interface; that function has been transferred to the bridge interface.
What you have may appear to work when something is plugged into ether1, but you probably won't be able to connect to 10.0.0.3 when a device isn't connected to ether1 and its link is up. However, this is only conjecture; I haven't tried and verified this myself. It is only a guess. If someone does know, please speak up. I can find multiple posts where it is advised to apply ip address to interface and not a bridge port (and this makes the most sense to me), but I can't find a definitive case listed where applying to the bridge port will not work. My guess is that if that specific port is "down" then access to the ip address for other bridge members will be lost. But not verified...
What I don't understand is using the MT switch when there is only one subnet. Just use an unmanaged switch. Otherwise you should be using vlans. Is the router upstream capable of assigning vlans?
Can you elaborate? What does "It" in "It seems to note..." refer to? The MT switch? The "my router"?
If the MT is configured with all ports in the bridge, and no vlan-filtering configured, it should be transparent to L2. However, since the switch has no default route set, the switch itself will only be able to communicate with other devices in the same subnet (10.0.0.0/24) using ARP and mac addresses.
Also, it would be helpful if you could post a diagram of how things are configured, even a photo of a hand drawn sketch with interfaces used, ip addresses, etc. Also provide what's in this list Please follow the standard litany when giving a problem report.
Thanks everyone for the quick responses with pointers to further information. I will go through these and respond to your messages.
I should have also said that this configuration is the default configuration, with one change. I set a static IP in my subnet to ease the process of connecting with Winbox, in the quickset section. The only other changes I have made at this point are to update to the latest RouterOS, and to set a password.
Hi @gssdu, I too have this switch in switch-only mode at present. I ran your config against mine in my config comparator to find these as the only potentially relevant differences. That is, all else is the same except for things like serials, addresses, time zone, and fripperies like device name.
In my config, not in yours (ignore the line numbers, left column shows the section, right is config text)
Hi @anav,
Re: just use an unmanaged switch- if you know of any unmanaged 10GbE capable switches at the same pricepoint as the Mikrotik I'd be happy to look at them.
Re: you should be using vlans- yes, I should, and I intend to get there eventually. I'm just starting with the Mikrotik, and wanted to start with emulating an unmanaged switch as a first step. Thanks for the pointer to the VLAN article in your earlier response. I will work my way through it.
Re: Is the router upstream capable of assigning vlans?- yes, in theory. I've never tried it, as I haven't had a vlan-capable switch until now.
Hi @tangent, thanks for the sample configuration, will model mine after it.
Also thanks for the DNS pointers, of course you are correct, not sure what I was thinking there. And yes, "If the LAN server is MIA, the same cause is likely to prevent you from talking to 1.1.1.1, too."
Hi @Buckeye,
What you see in the config for the IP address is the result of using Quick Set in WinBox, which doesn't seem like it's too smart. It was enough to let me use WinBox more easily though.
I will try moving the IP address to the bridge, that does make more sense.
From the block diagram, ether5 is connected directly to the cpu.
It is really only for management.
ether5 shouldn't be in the bridge, it should be a standalone management port.
(or maybe a low speed routed port)
The cpu (not super powerful) has to process all traffic coming to/from ether5.
And when it is in the bridge, this likely includes most broadcast/multicast traffic coming from 4 * 10G interfaces.
@Buckeye , thanks for the suggestion to build a diagram. It was while going through the details of this process that the issue showed up.
The problem was that using WinBox Quick Set to set IP Address in the Internet section put the IP address on ether1, disabling that port. When I plugged the ethernet cable to my router in that port, nothing else could see the router.
So I've followed the clean-up suggestions posted by everyone, including the crucial 'move the IP to the bridge, not the port' and now everything is working.
Here is my current configuration. There do still seem to be some extraneous things (compared to @tangent's sample configuration for a switch), put there by the default configuration. I may experiment later with trimming things out, but for now, it's working well.
# 2025-11-25 17:05:18 by RouterOS 7.20.4
# software id = F9C3-JSFH
#
# model = CRS304-4XG
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface list
add name=WAN
add name=LAN
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/interface list member
add interface=ether5 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
/interface ovpn-server server
add mac-address=xx:xx:xx:xx:xx:xx name=ovpn-server1
/ip address
add address=10.0.0.3/24 comment=defconf interface=bridge network=10.0.0.0
/ip dhcp-client
add disabled=yes interface=bridge
/ip dns
set servers=10.0.0.1
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=Australia/Perth
/system swos
set address-acquisition-mode=static static-ip-address=10.0.0.3
If ether1-ether4 are already members of the bridge bridge, then don't put those interfaces in the LAN interface list. Instead, only put bridge in the LAN list.
Although currently not doing that has no effect, because nothing in the configuration uses interface list at the moment.
Yes, to be more specific, these lines:
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether5 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
do the following:
let's create two different categories, LAN and WAN
let's attribute each single interface to the one or the other category
BUT:
the ether2-ether4 do not "exist" anymore as they have been put into the bridge, so the only interfaces that can actually be "seen" are ether5 (which remains self-standing) and bridge.
no other parts of the configuration make use of this categorization
So they can all be removed OR, if you want to keep them ready for future use, they should be changed to:
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether5 list=WAN
add interface=bridge list=LAN
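A small offline check for the three configuration points raised in the replies above (IP address on a bridge port, interface-list members that are bridge ports, more than one DNS server), added here as an illustration and not posted by any participant. The function names, finding labels and the sample export are constructed for this example; it assumes one command per line, without `\` continuations.

```python
import re

# Constructed sample, modelled on the first export in this thread (trimmed).
SAMPLE = """\
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
/interface list member
add interface=ether5 list=WAN
add interface=ether1 list=LAN
/ip address
add address=10.0.0.3/24 comment=defconf interface=ether1 network=10.0.0.0
/ip dns
set servers=10.0.0.1,1.1.1.1
"""

def parse_export(text):
    """Return {menu path: [{key: value}, ...]} for the add/set lines of an export."""
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and export header comments
        if line.startswith("/"):
            path = line                   # a menu path applies to the lines after it
        elif path and line.split(" ", 1)[0] in ("add", "set"):
            props = dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))
            menus.setdefault(path, []).append(props)
    return menus

def lint(text):
    """Flag the three issues discussed in the thread; returns a list of strings."""
    m = parse_export(text)
    slaves = {p["interface"] for p in m.get("/interface bridge port", []) if "interface" in p}
    findings = []
    for a in m.get("/ip address", []):    # L3 address belongs on the bridge, not a member port
        if a.get("interface") in slaves:
            findings.append(f"ip-on-bridge-port: {a.get('address')} on {a['interface']}")
    for lm in m.get("/interface list member", []):
        if lm.get("interface") in slaves: # list the bridge itself instead of its ports
            findings.append(f"list-member-is-bridge-port: {lm['interface']} in {lm.get('list')}")
    for d in m.get("/ip dns", []):        # multiple servers must all give the same answers
        servers = [s for s in d.get("servers", "").split(",") if s]
        if len(servers) > 1:
            findings.append(f"multiple-dns-servers: {','.join(servers)}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```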
I would approach it differently, not necessarily any better, but IMHO, there is nothing WAN or LAN about a switch.
All ports except, if one wants, an OFFBRIDGE access port to manage the router, should be on the bridge.
The only requirement is that the bridge is assigned the IP address on the subnet that is being passed on from the router. In this case one flat subnet. The switch is merely an extension of the subnet.
Which means everyone and his dog technically has access to change switch settings, but we can attempt to make it more secure....
# model = CRS304-4XG
# serial number = XXXXXXXXXXX
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge5
/interface list
add name=ACCESS
/interface list member
add interface=OffBridge5 list=ACCESS
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
/ip address
add address=10.0.0.3/24 comment=defconf interface=bridge network=10.0.0.0
add address=192.168.55.1/30 interface=OffBridge5 network=192.168.55.0
/ip dhcp-client
add disabled=yes interface=bridge
/ip neighbor discovery-settings
# apply last, once access via OffBridge5 is confirmed
set discover-interface-list=ACCESS
/ip dns
set servers=10.0.0.1
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1
/ip service
# apply last, once access via OffBridge5 is confirmed
set winbox address=192.168.55.2 port=XXXXX
/system clock
set time-zone-name=Australia/Perth
/tool mac-server
# apply last, once access via OffBridge5 is confirmed
set allowed-interface-list=none
/tool mac-server mac-winbox
# apply last, once access via OffBridge5 is confirmed
set allowed-interface-list=ACCESS
Plug in laptop to ether5, change IPV4 settings to 192.168.55.2 and with username and password, you should be in.
First I would make the changes above except for the following to ensure I can access the router from ether5 as described. When good, then add these last 4 rules.
/ip service
/tool mac-server
/tool mac-server mac-winbox
/ip neighbor discovery-settings