Thu Apr 15, 2021 8:57 am
The default configuration depends on the MikroTik device type, and so do the steps that need to be taken.
Most SOHO-type devices come with a default config which uses ether1 as the WAN interface; the other wired and wireless interfaces are made part of a bridge (all ports are bridged/switched), which is then used for LAN. If you want to use ports as interfaces for different subnets (either LAN or WAN), then you have to remove the needed interfaces from the bridge. That can be done under bridge -> ports. After an interface is "freed" from the bridge, one can proceed by configuring L3 on it (IP address, DHCP server, ...).
The default firewall on these devices comes with an "abstraction layer" ... meaning that certain filter rules target interface lists ... hence if you're using multiple LAN subnets, then the only necessary change is to add the appropriate interface to the LAN interface list (interfaces -> interface list). E.g. if you'd like to use two WAN links (for failover, load sharing, whatever), configured on ether1 (default) and ether4 (your addition), add ether4 to the WAN interface list (after you've set WAN interface details such as running a DHCP client or whatever applies) and SRC NAT etc. is already configured for you.
If you want to block traffic between different LAN subnets, then you'll have to add appropriate firewall filter rules.
Beware that default firewall rules allow management access to router from interface list LAN. If you're constructing "untrusted" LAN subnets, don't add those interfaces to LAN interface list.
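
The steps described in the post above, written out as RouterOS CLI commands. This is an added example, not part of the original post; it assumes the unmodified default configuration, and ether5, the GUEST list name, the 192.168.99.0/24 addressing, the route distance and the DNS resolver are assumptions chosen for illustration (ether4 as second WAN is from the post).

```routeros
# Added example, assumes the unmodified SOHO default configuration.
# ether5, GUEST, 192.168.99.0/24, distance 2 and the resolver are assumptions.

# --- Second WAN link on ether4 ---
# Free the port from the bridge, then configure L3 on it.
/interface bridge port remove [find interface=ether4]
# Higher route distance keeps ether1 as primary; ether4 takes over on failure.
/ip dhcp-client add interface=ether4 default-route-distance=2 disabled=no
# Membership in the WAN list is what applies the default NAT and
# filter rules to the new link; no rule needs to be edited.
/interface list member add list=WAN interface=ether4

# --- Untrusted subnet on ether5 ---
/interface bridge port remove [find interface=ether5]
/ip address add address=192.168.99.1/24 interface=ether5
/ip pool add name=guest-pool ranges=192.168.99.10-192.168.99.200
/ip dhcp-server add name=guest-dhcp interface=ether5 \
    address-pool=guest-pool disabled=no
# Clients get an external resolver: the router's own DNS is not reachable
# from here, because the default input chain drops what is not from LAN.
/ip dhcp-server network add address=192.168.99.0/24 \
    gateway=192.168.99.1 dns-server=9.9.9.9

# Separate interface list, deliberately NOT the LAN list, so the default
# rules that allow management access from LAN never match this port.
/interface list add name=GUEST
/interface list member add list=GUEST interface=ether5

# Block new connections from the untrusted subnet into the trusted LAN.
# Replies to LAN-initiated connections still pass via the default
# established/related accept rule earlier in the forward chain.
/ip firewall filter add chain=forward action=drop \
    in-interface-list=GUEST out-interface-list=LAN \
    comment="drop GUEST to LAN"

# --- Checks ---
# ether5 must not appear in the output of the first command.
/interface list member print where list=LAN
/ip firewall filter print where chain=input
```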