5 Port Router?

Since a Mikrotik (example being a 750GL) is a true 5 port router and not just a consumer-grade router (which is actually a router with 4 port switch), you can set them up to run multiple networks, use multiple ISPs for WAN failover, and more.  Why you would want to do any of these things is beyond the scope of this post, but this will show you how to do it.

Let’s take an RB750GL and have it run 4 internal networks instead of one.  Like this:

showing subnets

Master Port

Out of the box, the 750 is set up for ether1 to be the WAN port and ether2, ether3, ether4, and ether5 to be your LAN ports. The reason these 4 ports all work together is that ether2 has all of the LAN settings and the DHCP server, and ether3, 4, and 5 are all “slaves” of ether2. In Mikrotik terms, ether3, 4, and 5 have their Master Port set to ether2. The ports are even named as such, and there is an “S” in the left column showing which ports are “slaves”:

interface list

If we want ether3-5 to run separate networks, we need to set them to have NO Master Port. It’s important to note that the “Name” of the interface will not change based on your settings. If you change ether3 from a Slave to a Master, the name will not update on its own. It’s just a name. You could call it “Port 3” or “Fred” or “I have my NAS plugged in here.” It doesn’t really matter to the functionality of the router… Don’t get confused by the port names when you start making changes.

Change the Master Port on ether3, 4, and 5 like this (and change the interface’s name if you like):

ether2_master_port

When you’ve set up ether3-5 to have no Master Port, none of the ports should show an “S” in the left column.

all_ports_master

Now, for a port to run its own network, it needs a few things:

  • IP Address
  • DHCP Server
  • Route

IP Addresses

To give each port its own IP address, go into IP, then Addresses.  Click the +, type in the Address you want to give the port, type in the Network you want to assign to the port, and select the port from the Interface drop-down menu. To set up the 192.168.3.xyz subnet on ether3, it would look like this:

ether3_192.168.3.1-2

When all 4 subnets are set up, your Address List screen should look similar to this (ether3, 4, and 5 are in italics because there is nothing plugged into them):

all_address_list_2

DHCP Servers & IP Pools

Next is to set up a DHCP server for each port. It’s the same concept as changing the default DHCP range, but you’re just adding additional DHCP servers and IP Pools for your network to use.

First set up the additional IP Pools you’re going to use for each server. You’ll want to do this first so that when you’re setting up the new DHCP Server you can just select the new IP Pool from the drop-down instead of having to close it, go back and create the new Pool, then go back to creating the new DHCP server.

Go to IP / Pool and click the +. Name the Pool whatever you want (like pool1 for the .1 subnet, pool2 for the .2 subnet, or whatever you find easy to remember). Then enter the Addresses as the DHCP range you want to use for that port – so for the .3 subnet you may want something like 192.168.3.50-192.168.3.100.

ip_pool3

Do this for each port and your Pool screen should look something like this (I have a VPN pool set up as well, and my default-dhcp was already set up and I didn’t want to change it just for these screenshots):

all_IP_pools

At this point those IP Pools aren’t being used by anything. You have to set up new DHCP Servers to use them.

Go to IP / DHCP Server / DHCP and click the +. Name the new server whatever you like, set the Interface to the port you want to have use this server, and set the Address Pool you want this Server to draw from. In other words…

dhcp_server3-4

Do this for each port and your DHCP Server screen should look something like this:

all_DHCP_servers-2

Next you have to set up your DHCP Networks, so that each DHCP Client will receive the correct DHCP information like what its Gateway and DNS servers are. For example:

ether5_dhcp_network

After you do this for all 3 new DHCP servers (not counting the one that was already set up on ether2), your DHCP Server / Networks screen should look like this:

all_DHCP_server_Networks

At this point, if you plug your laptop into ether3, it will grab an IP address in the 192.168.3.xyz range. If you unplug it and plug it into ether5, it will grab an IP address in the 192.168.5.xyz range.
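The same setup can be entered in the router's terminal, which also gives you a text record of the change to review later. This is an added example, not part of the original post; the port names, the 192.168.x.1 router addresses, the .4 and .5 pool ranges and the DNS value are assumptions.

```routeros
# Added example (not from the original post): terminal equivalent of the
# Winbox steps above, for RouterOS versions that have the Master Port setting.
# Assumptions: the ports are named ether3, ether4 and ether5 (the default
# configuration may use names such as ether3-slave-local), each port gets
# 192.168.x.1/24, and the router itself is handed out as gateway and DNS.
# Only the 192.168.3.50-192.168.3.100 range comes from the post; the ranges
# for the .4 and .5 subnets mirror it.

# 1. Detach the ports from ether2 so each one is routed on its own
/interface ethernet
set ether3 master-port=none
set ether4 master-port=none
set ether5 master-port=none

# 2. One address per port; the connected route appears dynamically
/ip address
add address=192.168.3.1/24 interface=ether3
add address=192.168.4.1/24 interface=ether4
add address=192.168.5.1/24 interface=ether5

# 3. Pools first, so the DHCP servers can reference them
/ip pool
add name=pool3 ranges=192.168.3.50-192.168.3.100
add name=pool4 ranges=192.168.4.50-192.168.4.100
add name=pool5 ranges=192.168.5.50-192.168.5.100

# 4. One DHCP server per port, each drawing from its own pool
/ip dhcp-server
add name=dhcp3 interface=ether3 address-pool=pool3 disabled=no
add name=dhcp4 interface=ether4 address-pool=pool4 disabled=no
add name=dhcp5 interface=ether5 address-pool=pool5 disabled=no

# 5. DHCP networks: what each client is told about gateway and DNS
#    (dns-server pointing at the router assumes it answers DNS for clients)
/ip dhcp-server network
add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1
add address=192.168.4.0/24 gateway=192.168.4.1 dns-server=192.168.4.1
add address=192.168.5.0/24 gateway=192.168.5.1 dns-server=192.168.5.1

# 6. Verify: no "S" flag on the ports, one dynamic route per subnet
/interface ethernet print
/ip route print
```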

Routes

The last step, which isn’t really a ‘step’ but something you need to know about, is which Routes exist for the new networks you’ve set up. Look at this screenshot.

Route_List

I did NOT enter any of these myself. The “D” in the left column means that each Route was added Dynamically. When you set the IP Addresses for each port, as soon as you added a new Address, the router added a dynamically created Route for that network for you. In this simple scenario you just need to be aware of this; you don’t need to do anything with it. Note – the screenshot shows “unreachable” on the ports that don’t have anything plugged into them.

You now have 4 LAN networks running on your Mikrotik. Since they are all on different subnets, you will not get any “broadcast” traffic between them. You can, however, reach from one subnet to another by going to a specific IP. For example, with Control4, when you open their programming software it picks up a broadcast that the Control4 processor sends out. If you are on a different subnet you will not see it and the processor will never populate in the software. But, you can manually add the IP address of the processor and it will work fine, even if it’s on a different subnet. (this isn’t a suggestion of how to do it, just an example). Same goes for things like Airplay and other streaming protocols. Many of them rely on broadcasting to tell ‘everyone’ that they are there and waiting for you to send them a music stream. This can get rather complicated when you start trying to segment off different parts of your networks.
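Because the router forwards between these subnets by default, this layout separates broadcast domains but does not stop a host on one subnet from reaching a host on another. The forward-chain rules below are an added example, not from the original post; the ether2 subnet (192.168.2.0/24), the list name lan-subnets and the single one-way exception are assumptions for illustration.

```routeros
# Added example (not from the original post). Assumes ether1 is the WAN and
# the four LAN subnets are 192.168.2.0/24 through 192.168.5.0/24; the .2
# subnet on ether2 is an assumed value, adjust it to your own.

# Name the internal subnets once so the block rule stays a single line
/ip firewall address-list
add list=lan-subnets address=192.168.2.0/24
add list=lan-subnets address=192.168.3.0/24
add list=lan-subnets address=192.168.4.0/24
add list=lan-subnets address=192.168.5.0/24

# Rules are evaluated top to bottom, so the order below matters.
/ip firewall filter

# Replies belonging to a connection that was already permitted pass first.
# Without these two rules a one-way exception cannot work, because the
# answer packets would hit the drop rule at the bottom.
add chain=forward connection-state=established action=accept \
    comment="replies to allowed connections"
add chain=forward connection-state=related action=accept \
    comment="related traffic for allowed connections"
add chain=forward connection-state=invalid action=drop \
    comment="drop packets that match no known connection"

# One-way exception: hosts on .2 may open connections to .3.
# Hosts on .3 can answer, but cannot start a connection towards .2.
add chain=forward src-address=192.168.2.0/24 dst-address=192.168.3.0/24 \
    action=accept comment="allow .2 to reach .3"

# Everything else between internal subnets is dropped. Traffic towards
# the internet has a destination outside the list and is not affected.
add chain=forward src-address-list=lan-subnets \
    dst-address-list=lan-subnets action=drop \
    comment="block subnet-to-subnet traffic"

# Check the order and watch the packet counters while testing
/ip firewall filter print stats
```

Traffic addressed to the router itself (DHCP, DNS, Winbox) goes through the input chain, so these forward rules do not change it.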

This post isn’t about WHY you would segment everything, just how you could do it.  :)

network devices

Last updated: August 27, 2013 at 18:01 pm

  • HZ

    Hi, I just did it exactly as you presented here. DHCP is OK, I get the IP, but there is no internet connection on the networks.
    Where did I mess up?

    • Andrew

      I’m having the same issue. Not sure what I’ve done wrong!

      My config:
      ether1 = gateway
      ether2 = lan
      ether3 = wifi

      ether 2 gets net just fine, ether 3 gets no net but dhcp is running right etc.

      Not sure if this is a routing issue?
      NAT issue?

      Please help :(

      • admin

        First, check in IP / Routes and make sure there is a route showing for each network you have set up. There should be one for 0.0.0.0, one for the subnet you have on ether2, and one for the subnet on ether3.

        • Andrew

          Thanks for the response.

          All the routes seem to exist. I’ve attempted to recreate the DHCP server on ether 3 etc just to make sure I feel as though I am understanding everything correctly.

          It seems that there is intermittent traffic through my WIFI AP connected on ether 3. I’m not sure why that is happening. It seems like net access is there, then it isn’t, then there, then not etc. It seems as well that there is constant Rx on the interface but no Tx…

          Could you help me out further? Appreciate it!

          • David

            Please the NAT under firewall. That’s what he forgot to include. Otherwise the rest is OK.

  • Jason

    Is there really a difference between this and a basic VLAN? Does this route offer traffic segmentation so a network doesn’t get bogged down but still allow communication between them?

  • Greg

    So If I wanted to set up a Static IP for ONE particular computer that may move from ONE network to another, all I would do is set a Lease for EACH subnet — I’d pick the IP that I would like for THAT machine on each subnet, and instead of selecting “ALL” for the server when setting up the lease, I’d select the DHCP Server (that has been assigned to that port ) and is handling that internal network .

    Is that correct?

    Also, if I wanted to make sure that traffic could NOT travel from one internal network to another, how would one set up the firewall rule?

    Lastly, I’d love to see how you’d set up bandwidth tracking/throttling on a per IP or MAC basis — and if possible how you’d use it with THIS configuration.

    These articles are the best explanation of how to use the MikroTik routers and Winbox I have come across. I find the MikroTik site to be utterly useless when it comes to using Winbox as they do everything in Terminal. They really need to get a grip on that!

    • admin

      Well… you can click the little triangle next to “Server:” in the DHCP Lease window and it will assign your IP based on one of those servers…so… if you had a different DHCP server assigned to different ports, then I would think it would see that MAC address show up on port X so it would pull an IP from DHCP server X. Might work. I might have to test that out, but I can’t really see how I would use it in the real world.

      To block traffic in the firewall, you would want to set up a ‘drop’ rule. For example you can say “for any traffic coming from 192.168.123.0 that is destined for 192.168.234.0, DROP it.” You can also do it by address lists, depending on your situation.

      Bandwidth throttling/queues are on the list for some future posts……..

  • http://www.ronek.com Eric

    Nice article. How different is it to program 2 different WAN ports – not for load balancing but for specific applications? WAN 1 = general Internet use, WAN 2 = VoIP only. When I do it, the 2nd WAN port does not work.
    Thanks

    • admin

      Unfortunately I haven’t had any first hand experience with dual WAN setup, and nowhere to test it out… I do know dual WAN with failover can work well on Mikrotik, so I would assume there would be a way to do what you are looking for…

  • bbbbb

    So with a firewall rule someone can isolate the traffic? If I connect to port 1 (the WAN) a cable from my modem router, is it going to work? Or is it double NAT?

    • Radek

      If you have only cable modem, modem probably does not NAT. If your modem is also router and router is switched on, you have double NAT.

  • Talha Ahmad

    Hi,

    I am facing a problem with my RB 750 GL. I am using 3 connections with my router. Two connections are PTCL and one connection is Worldcall. Due to power failure, the Worldcall goes down after every hour. When Worldcall is down, my RB 750 does not work properly. I get nothing from the RB 750 for five or ten minutes. After ten minutes my RB starts working properly. Can you please guide me in this matter?

  • Rio

    I’ve used the same RB 750 GL, and 3 different networks.
    WAN
    |
    eth0 — eth1 — eth2 — eth3 — eth4
    LAN| SlaveLAN |Hotspot AP

    eth1 & eth2 >> poolA 192.168.10.25-254, eth2: static linux/server 192.168.10.111
    eth4 >> poolB 192.168.20.25-254

    both pool, had been successfully setup as hotspot.

    But, the problem is, how can I make a client on poolA IP (Access Point) can discover another client computer’s (shared folder on network) resources on poolB (local) and vice versa. and also note, that icmp service either direct network explore “\\ip_address” between them is work fine.
    thx for your help..

    • admin

      Having them on different subnets means that the broadcasts aren’t going to travel between them… you can access the other machines, but the broadcasts aren’t transmitted.

      You may want to try just giving the poolB a range in the same subnet (192.168.10.xxx) if you can.

  • Andy

    Hi,

    I have a little problem.

    I tried doing that on my router.

    Configuration is simple, DHCP on eth2 subnet 192.168.141.0/24 with address 192.168.141.254 and gateway 192.168.141.254 and DHCP on eth3 subnet 192.168.142.0/24 with address 192.168.142.254 and gateway 192.168.142.254

    Starting from here, everything is working “fine”, i get one dhcp on one interface, and the other dhcp on the other interface.

    My problem? If I’m on a computer on the 141 network, I can’t ping one that is on the 142.

    I’ve got no firewall rules set… so if I’m right, it’s full accept by default?

    Anyone could help me with that please? :)

    Thanks a lot!

    • admin

      I’ve had a couple issues with this as well but have been busy and haven’t tracked down what’s going on. On others it’s fine. It’s on routers that are already set up and don’t “need” the 2nd subnet, it’s usually just me testing something and I just do without. I need to take a ‘stock’ 750GL and retry everything one step at a time…

    • Radek

      Andy, what is your main requirement – connect networks 141.x to 142.x or divide them?

  • Dave

    All worked well but can’t for the life of me find “Routes List” on the RB750.

    Am now looking at trying to bridge two of the LANs.

  • Dave

    Found Routes List under IP

    Still working on joining two lans, ports 3&4.

  • DAMIEN

    I have a mikrotik V5.12, how is the configuration to get the internet comes from the modem iDirect onto the switch

    • admin

      The default configuration works out of the box for internet access without doing any manual setup. What model routerboard is it?

  • Gendra

    I have exact same network scenario. so, how can I configure the port forwarding for my DVR in exact same network scenario?

  • http://www.technicalsupport.co.nz diako

    If you want to connect to the internet then you need to set up NAT, so all your private IP addresses are translated to 1 public IP address.

    • admin

      Good point, I need to revisit that.

  • Eric

    Hi,

    Thank you for this smart manual. I want to discover and ping from subnet A to subnet B, but from subnet B to subnet A not. Is this possible? If yes, how? Thanks

    • admin

      You should be able to do this in firewall rules, might have to get creative though. You can tell it to not allow traffic from subnet a to subnet b, for example, but you may find some issues with replies from one subnet to the other.

  • Eric

    Hi,
    I have RB751 and I want to make ether1 to ether5 and wlan1 in Bridge mode and wlan2 in Router mode (another subnet). Ether1 is connected to previous router where is working DHCP server for this ether1 to ether5 and wlan1. Any idea? Thanks

  • ocular

    Mikrotik gurus seem to say that setting up subnets as above should allow pings between machines on different subnets. My practical testing on a RB750GL 5.24 to allow access between subnets says this is not so, you need to proceed as above (either from default configuration or no configuration + wan/ether1 setup either with pppoe or dhcp client) and then after adding pools, addresses, dhcp servers to interfaces add
    /ip firewall nat
    add action=masquerade chain=srcnat disabled=no out-interface=!ether2 src-address=192.168.0.0/24
    add action=masquerade chain=srcnat disabled=no out-interface=!ether3 src-address=192.168.3.0/24
    add action=masquerade chain=srcnat disabled=no out-interface=!ether4 src-address=192.168.4.0/24
    add action=masquerade chain=srcnat disabled=no out-interface=!ether5 src-address=192.168.5.0/24

    and then one more nat rule to allow access to internet
    /ip firewall nat
    add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1 (-or pppoe-out)

    At last can ping between subnets (no broadcasts). Firewall rules then will need to be set for security

  • Hamish Lockhart

    Really nice article. I was confused that I couldn’t ping a machine on a different network. Turns out I didn’t have the default gateway setup on the receiving machine.

  • Beastly Bee

    Nice article, I’ve been researching the last part, which is to make the different networks talk, but no luck. I’m testing two networks; they can ping each interface IP but not the computers connected to those interfaces. Any suggestions?

    • Russell Bach

      The article suggests from the picture of the winbox interface list that the default RB750GL configuration has been loaded. If you then make changes as suggested from the out of the box default configuration the subnets will not see each other(as you seemed to have experienced). You need to do a reset configuration and tick no-default and reboot and then rebuild with winbox as per above.

      Otherwise if you have made changes from the out of the box default configuration you will need to add to ip firewall nat

      add action=masquerade chain=srcnat comment="to allow ping to subnet" out-interface=!ether2-master-local src-address=192.168.2.0/24
      add action=masquerade chain=srcnat comment="to allow ping to subnet" out-interface=!ether3-slave-local src-address=192.168.3.0/24
      and so on for each ether port and subnet
      and then should be able to ping each subnet. I did document this previously but the other 33 posts to this thread have vanished.

      • Sean Scarfo

        Russel,

        Why does one have to reset the configuration? What setting is causing the routes not to communicate across one another?

        I just became MTCNA certified and you might imagine, the instructors didn’t go over multiple networks on a single router like this. (They did go over static routes for multiple routers)

        Any suggestions?

  • Alvin Yort

    How to set up speed internet for each LAN?

  • Jay

    Thanks, you’re the best, it works perfect!!!

  • Håkan Söderbom

    Many thanks for the article! I’ve just taken the plunge and ordered a RB951G hoping to achieve something similar as you describe above. My main question is still how the router “behaves” together with the modem. In a common consumer setup there is one modem and one router, but you say early on this technique can be used for WAN failover, implying multiple routers can be connected to the router. Correct? Can it also be used to completely isolate the networks from each other, while they still have internet access through one modem? I am trying to isolate my home automation and IP camera network from the main house network… Appreciate any thoughts and guidance!

    • JMJr49

      Maybe I can help…
      You asked: “how the router “behaves” together with the modem?.”
      The configuration used in this article was just like a common consumer setup with port1 connected to the internet modem, and the other 4 ports connected to the LAN. The only difference was that you will have 4 different separate LANs instead of just one.

      You asked: …” for WAN failover, implying multiple routers can be connected to the router. Correct?”…
      When the author mentioned WAN failover, he just gave an example of which possibilities this nice device offers. If you want to have a WAN failover, you could connect WAN1 to port1 and WAN2 to port2 for example, and set the proper configuration for that. Then there would be only 3 ports remaining for you to build up to 3 LAN subnets. Then you’d have 2 modems, but still just one router device. For each of the 3 subnets you can add cheaper switches or access points. You will not necessarily need routers for that.

      You asked: …” Can it also be used to completely isolate the networks from each other, while they still have internet access through one modem?”
      Yes, the intention here was exactly this.

  • JMJr49

    Nice article! My question is: No changes are needed in the Firewall? Are all 4 subnets still protected?