Most routers act as just that: routers, with each interface acting as the gateway for a distinct network or as a trunk for VLANs that represent distinct networks. But for some routers this isn't always the case, particularly in the SOHO or branch office environment at the edge of the network. On those routers, often one interface acts as the gateway, with all the others working together in a switched capacity to connect workstations, printers, APs, and other devices. This contrasts with routers in or near the core of the network that strictly handle routed traffic, or are handling MPLS traffic.
The first step to setting up one of these edge routers with a switching group of ports is to determine how many switch chips are present in this particular model of router. In the lab for this exercise I'm using an RB751U-2HnD which has one Atheros switch chip. Other models like the RB1100AH and the RB2011 have two switch chips.
To determine how many switch chips you have and what kind:
Only ports wired to the same switch chip can actually be switched together. Also, note that ether1 is conspicuously missing from switch1: it isn't wired to the switch chip. Therefore it can't be switched with ether2 - ether5 unless a bridge port is manually configured (and considering ether1 is used as the WAN gateway, that would be a terrible idea). On routers like the RB2100 that have two switch chips, with half the physical ports wired to each, the only way to switch ALL the ports together across both switch chips is to create a software bridge between two ports, one on each of the switch chips. This isn't a very efficient solution, and if more than just a few switched ports are needed it would be prudent to purchase a MikroTik CRS.
Ether1 is being used for the WAN gateway, but ether2 - ether5 in this scenario need to be switched together to create a LAN. Two computers, a printer, and a NAS all need to be part of this LAN. This configuration doesn't take VLANs into account, but if you want to learn how to use VLANs then look at the MikroTik VLAN tutorial.
The next step is determining which port out of all the switched ports will be the "Master" - I chose ether2. The rest of the ports, ether3 - ether5 will be set as slaves to ether2. Here is ether2's configuration:
As you can see, ether2 has been set as the Master port, therefore it has no Master Port configuration chosen. Ether3 - ether5 look very different though:
Ether3 has been configured with ether2 as the Master port. This tells RouterOS that these ports are running in a switched configuration. The same change needs to be made for the other switched ports:
Ether1 has no Master port because it's acting as our WAN gateway, and is a separate routed interface. Ether2 has no Master port because it is the Master port for this switch chip. Ether3 - ether5 are set with Ether2 as their Master port, which tells RouterOS to switch all those ports (ether2 - ether5) together.
The last step is to assign an IP address to ether2, which acts as the gateway address for all the hosts plugged into ether2 - ether5. If the network is utilizing DHCP then the DHCP server would be set to run on ether2, and because all the other ports (except ether1) are switched together the hosts would be able to receive dynamic addresses.
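The steps above as RouterOS CLI commands, as an added example that is not part of the original post. The 192.168.88.0/24 subnet, the pool name and the DHCP server name are assumptions, and the commands assume a RouterOS release that still has the `master-port` property (it was replaced by bridge hardware offloading in 6.41).

```routeros
# Step 1: list the switch chips present on this model
/interface ethernet switch print

# Step 2: ether2 is the Master port, so it has no master-port of its own
/interface ethernet set ether2 master-port=none

# Step 3: ether3 - ether5 are slaved to ether2 and switched with it in hardware
/interface ethernet set ether3 master-port=ether2
/interface ethernet set ether4 master-port=ether2
/interface ethernet set ether5 master-port=ether2

# Check: the WAN port must stay a separate routed interface.
# This should print "none"; anything else means ether1 has been
# pulled into the LAN switch group.
:put [/interface ethernet get ether1 master-port]

# Review the master-port assignment on every port
/interface ethernet print

# Step 4: the LAN gateway address goes on the Master port only
# (192.168.88.1/24 is an assumed example subnet)
/ip address add address=192.168.88.1/24 interface=ether2 comment="LAN gateway"

# Optional: DHCP for the switched ports, bound to the Master port
# (pool and server names are assumed for illustration)
/ip pool add name=lan-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1
/ip dhcp-server add name=lan-dhcp interface=ether2 address-pool=lan-pool disabled=no
```

Hosts plugged into ether3 - ether5 receive leases from the server bound to ether2 because those ports are switched with it; no address or DHCP server is configured on the slave ports themselves.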