Hi everyone,

I have an incoming internet connection with 16 ip addresses I can use. Previously I had this going directly into one router, but I've decided to set up another independent LAN for several of the ips. Since I only have one incoming connection, I plan on using a portion of a CRS317 switch to break it out to 3 separate ports.
I want to use sfp ports 1-4 for breaking out the WAN connection, and ports 5-16 for the LAN side. As such I put each of those two sets of ports on their own bridge. The switches dhcp has been set to use the LAN side. Eventually the LAN side will be configured with the various needed VLANs.
My questions are as follows:
1. Is this the right approach?
2. Is it secure? What concerns me is that winbox still sees the switch even on the WAN connection, even though I have the winbox service disabled. I hope I can set this up without firewall rules.
3. Can this run at wire speed, or will setting up securely disable hardware acceleration?

Basic configuration is attached.

1. Probably not. The CRS3xx only supports hardware-offload on a single bridge, you can use a VLAN to segregate the 'WAN' ports.
2. As configured the MAC Winbox/telnet services only respond to the LAN interfaces. If the IP Winbox service is disabled it can't be accessed, if you do enable it you can use IP firewall rules to restrict access from an internal management VLAN. You can see the Mikrotik in Winbox because discovery is enabled on all interfaces, you could use the 'LAN' interface instead of the default.
3. No, see comment above.

Way, Way, Way back before I started using Mikrotik routers, I was in a similar situation. I had eight public static IPs from my ISP, and I needed those to go to different devices. I put a dumb switch between the ISP modem and several consumer grade routers. Each router used one public IP and created a totally independent LAN (what wanted / needed). In my case, speed was not an issue since my Internet service was DSL.
Simple, but it worked fine.

That was the original plan, but I’d have to pay way too much for a low quality unmanaged switch with sfp ports when I already have a fully capable switch. Going the VLAN route makes sense. I’ll have to play with it and figure things out.