# Configuring a Mikrotik Router

Experiments have been made on a hEX S (RB760iGS); in the final deployment a CCR2004-1G-12S+2XS will be used.

Setup is

- FTTH connection
- Several VLANs for
  - Intranet (highly protected, for laptops, mobile phones, printer, scanner, NAS, ...; access from here to more or less everywhere, no access at all into this network)
  - Guest net (just access to the Internet, no access into this network)
  - IoT network (all IoT devices are here; no access to the Internet (to avoid calling-home of devices), access from the Intranet is allowed)
  - TV network (TVs, Alexas, ...; access to the Internet)
  - Network for the Kubernetes cluster hosting several public and private services (restricted access from the Internet)
  - Network for time servers (restricted access from the Internet)

## First Challenge: Internet Connection using FTTH

I'm using a GPON module, plugged into the SFP cage.

First step, to establish an "Ethernet" connection to the provider:

```
/interface/vlan add comment="2. Layer for Telekom FTTH" interface=sfp1 name=telekom-layer2 vlan-id=7
```

Important: the serial number of the GPON module must be communicated to the provider (here: Telekom). It is used as a first authentication layer. Wrong serial number: no connection.

Second step, PPPoE:

```
/interface/pppoe-client add comment="3. Layer for Telekom FTTH" interface=telekom-layer2 name=telekom-layer3 user=XXX password=YYY
```

Here, the VLAN interface `telekom-layer2` created earlier is used. The username is the concatenation of _Anschlusskennung_, _Zugangsnummer_, _Mitbenutzernummer_ and `@t-online.de`. The password is the _Persönliches Kennwort_.

This configuration establishes the connection to the provider. You can check it in `/ip/address`; there you should see a dynamically assigned address on the interface `telekom-layer3`. However, this is just the connection; to reach the Internet via it a route, in particular a default route, is required:

```
/ip/route add dst-address=0.0.0.0/0 gateway=telekom-layer3
```

Additionally, a masquerading rule in the firewall configuration is required:

```
/ip/firewall/nat add action=masquerade chain=srcnat comment="nat on wan" log-prefix=masq out-interface=telekom-layer3
```

And finally a DNS server (I was a bit surprised that it was not configured dynamically.):

```
add dns-servers=8.8.8.8 name=default
```
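As an added example that is not part of the original page, here is a forward-chain firewall policy in RouterOS syntax that implements the per-VLAN access rules from the setup list above (default drop, with only the described flows allowed). The VLAN interface names, and the ports opened from the Internet towards the Kubernetes and time-server networks, are assumptions; `telekom-layer3` is the PPPoE interface from the page.

```routeros
# Added example, not from the original page. Assumed VLAN interface names:
# vlan-intranet, vlan-guest, vlan-iot, vlan-tv, vlan-k8s, vlan-ntp.
/interface/list
add name=WAN
add name=LAN
/interface/list/member
add interface=telekom-layer3 list=WAN
add interface=vlan-intranet list=LAN
add interface=vlan-guest list=LAN
add interface=vlan-iot list=LAN
add interface=vlan-tv list=LAN
add interface=vlan-k8s list=LAN
add interface=vlan-ntp list=LAN

/ip/firewall/filter
# Stateful baseline: replies to already accepted flows pass, invalid packets are dropped.
add chain=forward action=accept connection-state=established,related comment="allow established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Intranet may initiate to every other network and to the Internet;
# nothing below allows traffic *into* vlan-intranet, so the default drop protects it.
add chain=forward action=accept in-interface=vlan-intranet comment="intranet -> everywhere"
# Guest and TV networks only reach the Internet, never another VLAN.
add chain=forward action=accept in-interface=vlan-guest out-interface-list=WAN comment="guest -> internet"
add chain=forward action=accept in-interface=vlan-tv out-interface-list=WAN comment="tv -> internet"
# IoT devices may not initiate anywhere (no Internet, no other VLAN);
# connections opened from the Intranet still work via the established/related rule.
add chain=forward action=drop in-interface=vlan-iot comment="iot: no outbound"
# Kubernetes and time-server networks: outbound to the Internet (assumed to be needed),
# and a restricted inbound set from the Internet. Ports are assumed placeholders;
# inbound traffic must also be dst-nat'ed to the service hosts before it reaches this chain.
add chain=forward action=accept in-interface=vlan-k8s out-interface-list=WAN comment="k8s -> internet"
add chain=forward action=accept in-interface=vlan-ntp out-interface-list=WAN comment="ntp -> internet"
add chain=forward action=accept in-interface-list=WAN out-interface=vlan-k8s protocol=tcp dst-port=80,443 comment="internet -> k8s (assumed ports)"
add chain=forward action=accept in-interface-list=WAN out-interface=vlan-ntp protocol=udp dst-port=123 comment="internet -> ntp"
# Everything not explicitly allowed is dropped and logged, which makes
# a misconfigured or unexpectedly chatty device visible in /log.
add chain=forward action=drop log=yes log-prefix=fwd-drop comment="default drop"
```

After importing, `/ip/firewall/filter print stats` shows per-rule packet counters, so a device that should be isolated but is hitting the default-drop rule can be spotted quickly.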