Mikrotik Router device switch ports

Hi Community,
there is another question coming up....you may notice i am not an expert.

My Setup: DSL-> Zyxel Modem -> Mikrotik router (pppoe) -> client

i have an config port on the zyxel which i would like to get connected through the LAN.

Like having one specific client which is able to connect to this zyxel config port.

The wiring is clear and i plan to use one port on the mikrotik and isolate this to connect to the zyxel config port. Then with firewall and routing config i allow one client from lan to connect there.

Is it possible to "unconfigure" one of the mikrotik switch ports to have it as a single port only for this purpose?


Does that mean that you'll lay down a second cable from the Zyxel to the Mikrotik and you want to create a bridge between the uplink to the Zyxel and the downlink to the PC?

Not really.
On the zyxel is an Management port from which i can reach the manegement website of the zyxel. It the only port.
And though connecting this to a free port of my mikrotik which runs openwrt. Then to reach the Management ui - just for convenience and interest if this is soemthing feasible

Yes, that is possible. I have something similar with my ZTE MF286D running in a bridge mode. I have one port/cable for data and another port/cable for management.

did you use an openwrt router? and how did you confiure

Then you only need to configure one of the Mikrotik interfaces to be in a new network which is in the same subnet as the management of Zyxel. Add it in wan zone, connect the second cable, and you are good.

oh, thx. thats it. An the router knows then if i try to connect from the lan to this ip thtat it is to find on the specific port?
There is no specific routing te setup for that?

Here is an example that is inline with what @trendy just said:

config interface 'mgmt'
        option proto 'dhcp'
        option device 'lan4'
        option defaultroute '0'
        option peerdns '0'
        option delegate '0'

The port used above was detached from the bridge:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

On top of that I have a redirect rule that allows me to access the modem ( through http://{router address/hostname}:3333

config redirect
        option dest 'wan'
        option target 'DNAT'
        list proto 'tcp'
        option src 'lan'
        option src_dport '3333'
        option dest_ip ''
        option dest_port '80'
        option name 'Modem access'
        option family 'ipv4'
1 Like

ah, yes very cool. thats easy. thx.
And i may filter the traffic from lan to that port with a firewall rule.

i try to set it up

so did the config but with static ip.
interface on the configured lan port was coming up. but from a lan client i can not reach. But i will check some things

You need to add masquerade on the new interface, the zyxel doesn't know about the lan network behind the mikrotik.

Was the port assigned to the WAN zone (where masquerading is already enabled)?

yeah thats it. i wasnt sure about this. But now it works

trying to restrict the access only to my laptop but actually it doenst work with firewall rules...maybe iĺl do it later

It can be restricted with a firewall rule. If in doubt post here the firewall config uci export firewall

This is my rule:
the 100 is the zyxel and the 1. the lan.

config rule
	option name 'ManagementZyxel'
	list proto 'tcp'
	option src 'lan'
	list src_ip ''
	option dest 'wan'
	list dest_ip ''
	option target 'ACCEPT'

there is maybe an deny missing :wink:

Delete the other rule and add this

uci add firewall rule
uci set firewall.@rule[-1].name='Zyxel Mgmt'
uci add_list firewall.@rule[-1].proto='tcp'
uci set firewall.@rule[-1].src='lan'
uci add_list firewall.@rule[-1].src_ip='!'
uci set firewall.@rule[-1].dest='wan'
uci add_list firewall.@rule[-1].dest_ip=''
uci set firewall.@rule[-1].target='DROP'
uci commit firewall
service firewall restart
1 Like

ok, thanks. :slight_smile:
i will try

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.