nat switch dhcp-server mikrotik
Updated Fri, 30 Sep 2022 18:49:02 GMT

How to configure a MikroTik hAP ac lite router as a Layer 2 switch?

Here is an overview of the network topology:

[Image: network topology]

Both the Fritz!Box 7340 and MikroTik hAP ac lite router currently act as DHCP servers, effectively splitting the network in two LANs. The MikroTik router was also configured as a bridge for the LAN.

In order to avoid the trouble of double NAT, I would like to reconfigure the MikroTik hAP ac lite as a Layer 2 switch. There are advantages of doing so over double NATing.

All DHCP and NAT should be handled exclusively by the Fritz!Box. Furthermore, the MikroTik hAP ac lite should have a static IP address in the same local IP address range so it can still be managed over its web interface.

The Fritz!Box configuration is not an issue. However, I am an utter newbie managing MikroTik's RouterOS and I found no instructions on the web concerning this specific problem. Hence, my question:

What are the (detailed) steps to configure a MikroTik hAP ac lite as a Layer 2 switch, removing its DHCP server whilst keeping a static IP address for management?

By the way, I am on GNU/Linux, so using Winbox is not an option for me.

MikroTik support pages

On the MikroTik support pages, I came across an article about how to configure a DHCP relay. However, it is not clear to me whether a DHCP relay is the same thing as a Layer 2 switch or just a part of it?

DHCP Relay

Crosslink to the MikroTik forum


# mar/05/2017 00:49:46 by RouterOS 6.34.2
# software id = XXXX-XXXX
/interface bridge
add admin-mac=6C:3B:::: auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=WLAN1 supplicant-identity="" wpa2-pre-shared-key=\
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=WLAN2 supplicant-identity="" wpa2-pre-shared-key=\
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=belgium disabled=no distance=indoors frequency=auto mode=ap-bridge \
    security-profile=WLAN1 ssid=WLAN1 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n channel-width=20/40mhz-Ce \
    country=belgium disabled=no distance=indoors frequency=auto mode=\
    station-pseudobridge security-profile=WLAN2 ssid=WLAN2 \
/ip pool
add name=default-dhcp ranges=
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip address
add address= comment=defconf interface=bridge network=\
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
/ip dhcp-server network
add address= comment=defconf gateway=
/ip dns
set allow-remote-requests=yes
/ip dns static
add address= name=router
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept establieshed,related" \
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=\
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
add chain=forward comment="defconf: accept established,related" \
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
add action=masquerade chain=srcnat out-interface=bridge
/system clock
set time-zone-name=Europe/Brussels
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge


Just bridge every interface on hAP and it will act essentially as a switch.
That's it pretty much.

Then remove or disable any dhcp-server instances on IP > DHCP-Server.

Since you do not provide any configuration exports, it's impossible to provide you with any commands on how to do the above, since every MikroTik installation is kind of unique. You could have implemented your current setup in many different ways. We need to know your current configuration to be able to provide you with any commands.

DHCP relay has nothing to do with what you ask so don't confuse yourself with that.

Also, Winbox works fine on Linux using Wine. That's the official way of running Winbox on non-Windows machines.

Without Winbox it just makes the whole procedure that much more difficult, since you might lose access to the MikroTik in order to change its IP to the FritzBox subnet (Winbox can find and connect to a MikroTik router even if it's not accessible via IP). If you don't understand what you are doing (blindly copying/pasting commands) you may end up having to reset the whole configuration to gain access again.

IMHO you should configure the FritzBox to act as a PPPoE bridge and use the MikroTik to dial (pppoe-client) to the ISP to establish the internet connection.

This way the FritzBox will act as a modem and nothing more, and the hAP will act as a powerful router. By having the MikroTik obtain the public IP, you avoid double NATs and, most importantly, you can take advantage of all of MikroTik's features. You can create very advanced configurations that I highly doubt the FritzBox (or any other consumer DSL modem for that matter) can do.

Comments (3)

  • +1 – You can export the configuration by running /export on MikroTik's terminal. Make sure to hide any sensitive information before posting (i.e. passwords). I am not familiar with FritzBox so I don't have any advice regarding the VoIP part. — Feb 08, 2017 at 10:43  
  • +0 – Did you disable all the firewall rules? You don't need a firewall for the configuration you are trying to implement. You simply want to make the RouterBoard act as a dumb switch. Disable the firewall, DHCP and everything else and simply bridge all the ports together. Ethernet and WLAN. — Mar 05, 2017 at 14:06  
  • +0 – I updated the firmware, which resulted in a better Winbox experience. On the handy CPE menu screen, I saw the bridge had no IP address. I deleted the DHCP server and everything started to work as intended. There was no need to delete any firewall rules. — Aug 08, 2017 at 22:17
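
The steps from the answer, applied to the export in the question, as an added example that is not part of the original posts. The 192.168.178.x addresses and the `mgmt` comment are constructed sample values, because the export has its addresses removed; the item names (`defconf`, `default-dhcp`, `bridge`, `ether1`) are taken from the export.

```routeros
# Added example for RouterOS 6.x; the export above is from 6.34.2.
# Constructed sample addressing (the export has its addresses removed):
#   Fritz!Box = 192.168.178.1/24, hAP management address = 192.168.178.2
# Prefer a session that does not depend on the old IP address (the export
# enables the MAC server on the bridge): step 4 removes the old address.

# 1. Remove the DHCP server, its network entry and its pool
#    (names and comments as they appear in the export).
/ip dhcp-server remove [find name=defconf]
/ip dhcp-server network remove [find comment=defconf]
/ip pool remove [find name=default-dhcp]

# 2. Remove NAT; the Fritz!Box is the only router on the LAN.
/ip firewall nat remove [find action=masquerade]

# 3. Turn ether1 from a WAN port into an ordinary bridge port.
/ip dhcp-client remove [find interface=ether1]
/interface bridge port add bridge=bridge interface=ether1

# 4. Static management address on the bridge: add the new one first,
#    then drop the old defconf address.
/ip address add address=192.168.178.2/24 interface=bridge comment=mgmt
/ip address remove [find comment=defconf]
/ip route add gateway=192.168.178.1 comment="default via Fritz!Box"
/ip dns set servers=192.168.178.1 allow-remote-requests=no

# 5. With ether1 bridged, the defconf rules that match in-interface=ether1
#    no longer match (bridged traffic arrives on interface "bridge"),
#    so limit management access at the service level instead.
/ip service disable telnet,ftp,api,api-ssl
/ip service set www,ssh,winbox address=192.168.178.0/24

# 6. Check the result: no DHCP server, ether1 in the bridge, one address.
/ip dhcp-server print
/interface bridge port print
/ip address print
```

Clients that still hold a lease from the hAP need to renew it before they get an address from the Fritz!Box.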