WAN and LAN on same port

The place where I currently live has multi-gigabit WAN connections in the bedrooms. I needed the router to be near our servers, which happen to be elsewhere. To help with this, I decided to get a managed switch to forward the WAN connection and other devices over a fiber patch cord. On the switch, the SFP (fiber) port and the WAN port are untagged on VLAN 1; all other switch ports are untagged members of other VLANs, and those VLANs are carried tagged on the SFP port. My router assigns untagged frames to VLAN 1 when bridge VLAN filtering is on, but I’ve read that this differs on other MikroTik devices (VLAN 0?). This setup was done using one bridge to take advantage of hardware acceleration. This is meant as a reference for anyone attempting to run strange multi-gig setups on a budget.

Here is my config:

# Single bridge "Ponte" with VLAN filtering enabled and a pinned admin MAC.
# No pvid is set on the bridge itself; per the post, untagged frames land in VLAN 1 on this router.
# NOTE(review): the export carries the device MAC and the default SSID; consider redacting both before publishing.
/interface bridge
add admin-mac=74:4D:28:C6:FE:04 auto-mac=no comment=defconf name=Ponte vlan-filtering=yes
# wifi1 runs as a 5 GHz access point.
# NOTE(review): no security.* settings are visible on this line. Exports hide passphrases by default,
# so confirm on the device that authentication is configured and the AP is not open.
/interface wifiwave2
set [ find default-name=wifi1 ] channel.band=5ghz-ac .skip-dfs-channels=10min-cac .width=20/40/80+80mhz configuration.mode=ap .ssid=MikroTik-C6FE0E
# Layer-3 interface for VLAN 10 on top of the bridge; the access ports further down use pvid=10.
/interface vlan
add interface=Ponte name=Devices vlan-id=10
# The two lists that the firewall, NAT, neighbor discovery and MAC server settings key on.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# default-dhcp is not referenced by either DHCP server below, and dhcp_pool2 overlaps its range.
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=10.0.0.10-10.0.0.254
add name=dhcp_pool2 ranges=192.168.88.2-192.168.88.254
# dhcp1 hands out 10.0.0.x on the bridge interface itself; dhcp2 serves VLAN 10 through "Devices".
# NOTE(review): a DHCP client is also configured on Ponte later in this export, and the post puts the
# WAN uplink untagged on the same VLAN 1. If so, dhcp1 answers requests on the same segment as the
# upstream network. Confirm that this is intended.
/ip dhcp-server
add address-pool=dhcp_pool1 interface=Ponte name=dhcp1
add address-pool=dhcp_pool2 interface=Devices name=dhcp2
/port
set 0 name=serial0
set 1 name=serial1
# ZeroTier instance is disabled. "disabled=yes" appears twice on this line, presumably a paste artifact.
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" disabled=yes disabled=yes name=zt1 port=9993
# Bridge port membership. ether2-ether10, wifi1 and ether1 are access ports with pvid=10.
# sfp-sfpplus1 has no pvid set, so it keeps the default (VLAN 1 per the post) for untagged frames.
# ether1 carries the comment "WAN to LAN" but is configured as an ordinary VLAN 10 access port here.
# NOTE(review): no frame-types or ingress-filtering options appear on these ports. Confirm on the
# device whether the access ports reject tagged frames, so a LAN host cannot inject frames for another VLAN.
/interface bridge port
add bridge=Ponte comment=defconf interface=ether2 pvid=10
add bridge=Ponte comment=defconf interface=ether3 pvid=10
add bridge=Ponte comment=defconf interface=ether4 pvid=10
add bridge=Ponte comment=defconf interface=ether5 pvid=10
add bridge=Ponte comment=defconf interface=ether6 pvid=10
add bridge=Ponte comment=defconf interface=ether7 pvid=10
add bridge=Ponte comment=defconf interface=ether8 pvid=10
add bridge=Ponte comment=defconf interface=ether9 pvid=10
add bridge=Ponte comment=defconf interface=ether10 pvid=10
add bridge=Ponte comment=defconf interface=sfp-sfpplus1
add bridge=Ponte comment=defconf interface=wifi1 pvid=10
add bridge=Ponte comment="WAN to LAN" interface=ether1 pvid=10
# Neighbor discovery runs on every member of the LAN list.
# NOTE(review): Ponte is a LAN list member in this export, so discovery presumably also runs on the
# untagged side that carries the uplink.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# VLAN 10 table entry: tagged on the SFP trunk and on the bridge (CPU) port, untagged on the access ports.
# No explicit entry exists for VLAN 1; it presumably relies on a dynamically created entry. Verify on the device.
/interface bridge vlan
add bridge=Ponte tagged=sfp-sfpplus1,Ponte untagged=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,wifi1 vlan-ids=10
# Interface list membership. Ponte is placed in BOTH the LAN and the WAN list.
# NOTE(review): the firewall rules in this export separate trusted from untrusted traffic only by
# these lists. With Ponte in LAN, rules matching in-interface-list=!LAN never match traffic that
# arrives on Ponte, which includes whatever reaches the router from the uplink on the untagged VLAN.
# A dedicated interface for the uplink, listed only in WAN, would let the rules tell the sides apart.
# NOTE(review): "Servers" is not created anywhere in the visible config, and the VLAN interface
# "Devices" is in neither list. This may be a leftover from a rename; confirm against the device.
/interface list member
add comment=defconf interface=Ponte list=LAN
add comment=defconf interface=Ponte list=WAN
add interface=Servers list=LAN
# Router addresses: 192.168.88.1/24 on VLAN 10 (Devices) and 10.0.0.1/24 on the bridge itself.
/ip address
add address=192.168.88.1/24 comment=defconf interface=Devices network=192.168.88.0
add address=10.0.0.1/24 interface=Ponte network=10.0.0.0
# The upstream (WAN) address is requested on the bridge interface, alongside the static 10.0.0.1/24 above.
/ip dhcp-client
add comment=defconf interface=Ponte
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
# The router answers DNS queries from other hosts.
# NOTE(review): which hosts can reach the resolver is decided by the input chain alone. Because
# Ponte counts as LAN there, queries arriving from the uplink side are presumably not dropped.
# Restrict DNS (UDP/TCP 53) to the internal interfaces to avoid running an open resolver.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# IPv4 filter rules (default configuration). Rule order matters: the first matching rule wins.
# Input chain: accept established/related/untracked, drop invalid, accept ICMP and loopback,
# then drop everything that did not arrive on a LAN list member.
# NOTE(review): the interface list membership in this export puts the bridge Ponte in both LAN and
# WAN. The final input drop therefore does not apply to anything arriving on Ponte, so router
# services are not shielded from the uplink side by this chain. Confirm on the device, and
# consider a separate uplink interface that is a member of WAN only.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Forward chain: IPsec policy traffic, fasttrack for established flows, then state-based accept and drop.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Drops new, non-port-forwarded connections entering through a WAN list member (here: Ponte).
# The forward chain has no other final drop, so traffic entering through any other interface is forwarded.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Source NAT for traffic leaving through a WAN list member; IPsec-protected traffic is excluded.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Management services: telnet, ftp, www, ssh, api and api-ssl are all disabled.
# The ssh port is changed to 88, but the service stays disabled, so the port has no effect.
# NOTE(review): winbox is not listed, so it is presumably at its default state. If it is enabled,
# it is the remaining IP management path; limit it with the service's address= option or an
# input rule, since the input chain treats the bridge as LAN.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=88
set api disabled=yes
set api-ssl disabled=yes
# Address list of IPv6 ranges that should never appear as source or destination of forwarded traffic.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
# IPv6 filter rules (default configuration). Both chains end with a drop keyed on in-interface-list=!LAN.
# NOTE(review): the bridge Ponte is a LAN list member in this export, so neither final drop matches
# traffic arriving on it. In the forward chain, new inbound connections from the uplink side would
# then not be filtered. No IPv6 addressing is visible here, so this matters only if IPv6 is in use.
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
# The traceroute, DHCPv6-client and IKE/IPsec accepts below are not restricted by interface.
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# Forward chain: state checks first, then the bad_ipv6 source/destination drops, then the protocol accepts.
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=America/Los_Angeles
# RouterBOARD settings: firmware auto-upgrade is on, and the Delete key enters boot setup.
/system routerboard settings
set auto-upgrade=yes enter-setup-on=delete-key
# Layer-2 management (MAC telnet and MAC WinBox) is allowed on every member of the LAN list.
# NOTE(review): the bridge Ponte is a LAN list member in this export, so these MAC-level services
# are presumably reachable from the untagged segment shared with the uplink. They are not subject
# to the IP firewall; limit them to a list that holds only internal interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN