
MikroTik Router Configuration From Scratch

By Victor Da Luz
Tags: MikroTik, RouterOS, VLAN, DHCP, Firewall, QoS, CAKE, WireGuard, WAN failover

I rebuilt my router from a clean slate. The goal was simple: make the config easy to reason about, lock down what should be private, and keep latency low. Here is what each part does and why it matters. The reason I got a MikroTik router in the first place was to learn, so this was a good learning experience.

Initial hardening

Start safe so you do not fight ghosts later.

  • Set a clear device name to make logs, alerts, and backups easy to identify
  • Create your own admin user and disable the default one to remove a common brute‑force target
  • Turn off unused services like telnet and ftp to shrink the attack surface and keep access encrypted
  • Limit MAC-based tools to a dedicated management port so layer‑2 management never appears on user ports
  • Enable NTP so logs and certificates use correct time for audits and TLS
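The five hardening steps above as RouterOS v7 commands. This is an added example, not the author's exported config; the identity, the netadmin user, the MGMT interface list, ether5 as the management port, the 10.0.10.0/24 management subnet, the time zone and the NTP servers are all assumed values, and the password is a placeholder to replace.

```routeros
# Added example (constructed values), RouterOS v7 syntax.
# Run from a console session on the management port, not over the WAN.

# 1. Clear device name so logs, alerts and backups are identifiable
/system identity set name=edge-rtr-01

# 2. Own admin account first, then disable the default "admin" target
/user add name=netadmin group=full password="REPLACE-WITH-LONG-PASSPHRASE"
/user disable admin

# 3. Drop cleartext and unused services; keep ssh and winbox, but bind them
#    to the management subnet (assumed 10.0.10.0/24) so nothing else can reach them
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=10.0.10.0/24
/ip service set winbox address=10.0.10.0/24

# 4. Layer-2 management (MAC-telnet, MAC-WinBox, neighbor discovery) only on a
#    dedicated interface list; ether5 is the assumed break-glass port
/interface list add name=MGMT
/interface list member add interface=ether5 list=MGMT
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server ping set enabled=no
/ip neighbor discovery-settings set discover-interface-list=MGMT

# 5. Correct time for log correlation and TLS certificate validation
/system clock set time-zone-name=UTC
/system ntp client set enabled=yes servers=time.cloudflare.com,time.google.com

# Check: only the intended services remain enabled
/ip service print where disabled=no
```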

Interfaces and bridge

Put all LAN switching on a single bridge and define intent up front.

  • Create interface lists for WAN and LAN so firewall and NAT target roles instead of specific ports
  • Put the primary uplink in the WAN list so NAT and default routes apply to the right interface
  • Create one bridge for all internal switching to keep hardware offload simple and consistent
  • Add the trunk uplink to the core switch into the bridge to carry all tagged VLANs end to end
  • Keep a dedicated management access port in the bridge to preserve a break‑glass path during changes

VLANs on the bridge

Define the segments you actually use.

  • Create one VLAN interface per segment on the bridge to provide the layer‑3 gateway for each network
  • Give each a gateway and subnet size that fits the role to keep capacity planning clear
  • In the bridge VLAN table, tag trunks and leave access ports untagged for their VLAN to avoid mis‑tagging
  • Set PVID on access ports to match their untagged VLAN so untagged ingress lands correctly
  • Keep a management port untagged on the management VLAN to preserve access if tagging breaks

DHCP servers and leases

Automate addressing and keep critical gear fixed.

  • Create a DHCP pool and server per VLAN so scopes never overlap across segments
  • Hand out the right DNS for each VLAN so clients get internal or public resolvers based on role
  • Add static leases for core gear like the switch, servers, and controllers so firewall rules and monitoring stay stable

DNS and NAT

Keep name resolution simple and NAT broad.

  • Point the router at trusted recursive resolvers for faster, consistent lookups and cleaner logs
  • Use one masquerade rule for internet-bound traffic, which is simple and correct for most homes

Firewall model

Keep it readable and layered.

  • Use address lists for each VLAN and special device groups so rules target groups instead of individual addresses
  • Accept established and related first, drop invalid to save CPU and block garbage early
  • FastTrack LAN-to-LAN traffic only so QoS can still shape WAN traffic while internal transfers stay fast
  • Add specific allows for real needs like clients to servers and monitoring to infrastructure to maintain least privilege
  • Isolate IoT (no internet, no initiating to internal) and keep Guest/Work internet only to reduce risk from untrusted devices
  • End with a final drop so the default is deny and intent stays explicit

Final activation of VLAN filtering

Enable VLAN filtering on the bridge only after all ports, VLANs, and DHCP are in place to avoid lockouts.
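The bridge, VLAN, DHCP and activation steps from the four sections above, carried through in order as RouterOS v7 commands, with VLAN filtering switched on as the very last line. This is an added example, not the author's config; the port roles (ether1 WAN, ether2 trunk, ether5 management), the VLAN IDs, the 10.0.x.x addressing, the internal resolver at 10.0.10.53 and the static-lease MAC are all constructed.

```routeros
# Added example (constructed addressing), RouterOS v7 syntax. Assumed ports:
# ether1 = WAN uplink, ether2 = trunk to the core switch, ether5 = untagged
# management access port. VLAN 10 = management, 20 = clients, 30 = IoT.

# Interface lists so firewall and NAT address roles, not ports
/interface list add name=WAN
/interface list add name=LAN
/interface list member add interface=ether1 list=WAN

# One bridge for all internal switching; VLAN filtering stays off until the end
/interface bridge add name=bridge1 vlan-filtering=no
/interface bridge port add bridge=bridge1 interface=ether2 comment="trunk to core switch"
/interface bridge port add bridge=bridge1 interface=ether5 pvid=10 comment="mgmt access port"

# Bridge VLAN table: trunk and the bridge itself tagged, access port untagged
/interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether2 untagged=ether5
/interface bridge vlan add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether2
/interface bridge vlan add bridge=bridge1 vlan-ids=30 tagged=bridge1,ether2

# One layer-3 VLAN interface per segment, subnet sized to the role
/interface vlan add name=vlan10-mgmt interface=bridge1 vlan-id=10
/interface vlan add name=vlan20-lan interface=bridge1 vlan-id=20
/interface vlan add name=vlan30-iot interface=bridge1 vlan-id=30
/interface list member add interface=vlan10-mgmt list=LAN
/interface list member add interface=vlan20-lan list=LAN
/interface list member add interface=vlan30-iot list=LAN
/ip address add address=10.0.10.1/24 interface=vlan10-mgmt
/ip address add address=10.0.20.1/23 interface=vlan20-lan
/ip address add address=10.0.30.1/24 interface=vlan30-iot

# DHCP: one pool and server per VLAN, scopes never overlap, DNS chosen per role
/ip pool add name=pool-lan ranges=10.0.20.100-10.0.21.250
/ip pool add name=pool-iot ranges=10.0.30.100-10.0.30.250
/ip dhcp-server add name=dhcp-lan interface=vlan20-lan address-pool=pool-lan lease-time=1d
/ip dhcp-server add name=dhcp-iot interface=vlan30-iot address-pool=pool-iot lease-time=1d
/ip dhcp-server network add address=10.0.20.0/23 gateway=10.0.20.1 dns-server=10.0.10.53 comment="internal resolver (assumed)"
/ip dhcp-server network add address=10.0.30.0/24 gateway=10.0.30.1 dns-server=10.0.30.1 comment="IoT resolves via the router only"
# Static lease outside the pool so firewall rules and monitoring can rely on it
/ip dhcp-server lease add server=dhcp-lan address=10.0.20.10 mac-address=02:00:00:00:00:10 comment="file server (constructed MAC)"

# Last step: only after every port, VLAN and DHCP scope above exists
/interface bridge set bridge1 vlan-filtering=yes
/interface bridge vlan print
```

If the session drops right after the last command, the untagged management port (ether5, pvid 10) is the way back in.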

Selective VPN routing

Route only one service through a VPN without moving the whole network.

  • Create a separate routing table for that service to keep policy scoped and readable
  • Add a WireGuard interface and peer from your provider for a secure, low‑overhead tunnel
  • Add narrow routes for the service endpoints into that table so only that app uses the tunnel
  • Mark packets for that table with a simple mangle rule to steer only what you intend
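The four steps above as RouterOS v7 commands. This is an added example, not the author's config: the table name, the interface name wg-vpn, the client subnet 10.0.20.0/23, the tunnel address 10.64.0.2 and the service range 203.0.113.0/24 (a documentation prefix) are constructed, and the keys and endpoint are placeholders for whatever the provider issues.

```routeros
# Added example (constructed values), RouterOS v7 syntax. Assumes the client
# VLAN is 10.0.20.0/23, the service lives in 203.0.113.0/24, a WAN interface
# list with a masquerade rule already exists, and the provider supplied the keys.

# 1. Dedicated routing table; "fib" makes it a real forwarding table
/routing table add name=vpn fib

# 2. WireGuard interface plus the provider's peer; allowed-address=0.0.0.0/0 lets
#    the peer carry any destination, the routes below decide what actually goes in
/interface wireguard add name=wg-vpn listen-port=13231 private-key="<PRIVATE-KEY-FROM-PROVIDER>"
/interface wireguard peers add interface=wg-vpn public-key="<PROVIDER-PUBLIC-KEY>" endpoint-address=vpn.example.net endpoint-port=51820 allowed-address=0.0.0.0/0 persistent-keepalive=25s
/ip address add address=10.64.0.2/32 interface=wg-vpn comment="tunnel address from provider"
# the tunnel is an uplink: WAN membership makes the single masquerade rule cover it
/interface list member add interface=wg-vpn list=WAN

# 3. Narrow routes for the service endpoints only, inside the vpn table;
#    no default route here, so nothing outside the list can ever use the tunnel
/ip firewall address-list add list=vpn-service address=203.0.113.0/24 comment="service endpoints (constructed)"
/ip route add dst-address=203.0.113.0/24 gateway=wg-vpn routing-table=vpn

# 4. Mark only that traffic for the vpn table; passthrough=no stops later
#    mangle rules from re-marking it
/ip firewall mangle add chain=prerouting src-address=10.0.20.0/23 dst-address-list=vpn-service action=mark-routing new-routing-mark=vpn passthrough=no comment="steer one service through the tunnel"

# verify: handshake state on the peer, and that the vpn table holds only the narrow route
/interface wireguard peers print
/ip route print where routing-table=vpn
```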

Monitoring and SNMP

Turn on SNMP if you plan to monitor the router.

  • Allow SNMP only from the servers VLAN to keep management traffic private
  • Keep the SNMP port closed to the internet and other VLANs to avoid exposing inventory and metrics

Verification habits

Check the basics after each change.

  • Export the running config for a snapshot to make rollback and audits easy
  • Print the bridge, bridge VLANs, and VLAN interfaces to confirm tags and membership
  • Verify IP addresses, routes, and DHCP status to catch addressing or route drift fast
  • Check firewall counters to see which rules hit and validate policy with data
  • Ping a public resolver and a known hostname for a quick end‑to‑end reachability test

MikroTik rule ordering gotcha

If you grew up on Cisco-style ACLs, MikroTik can feel inverted.

  • Filters are default allow until you add the final drop
  • Rules are first match, so specific allows must sit above isolation drops
  • Use input for traffic to the router and forward for traffic through the router to avoid mixing management with transit
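The firewall model section and the ordering gotcha above, written out as one RouterOS v7 filter set (with the SNMP restriction from the monitoring section folded into the input chain). This is an added example, not the author's rule set; the VLAN IDs and 10.0.x.x address lists, the MQTT broker at 10.0.10.20:8883 and the community name are constructed. Note that the FastTrack rule is placed above the generic established/related accept: in a first-match chain it would never be reached below it.

```routeros
# Added example (constructed addressing), RouterOS v7 syntax. Assumed VLANs:
# 10 = management/servers, 20 = clients, 30 = IoT, 40 = guest; WAN and LAN
# interface lists exist; an MQTT broker listens on 10.0.10.20:8883.
/ip firewall address-list
add list=vlan-mgmt address=10.0.10.0/24
add list=vlan-lan address=10.0.20.0/23
add list=vlan-iot address=10.0.30.0/24
add list=vlan-guest address=10.0.40.0/24

# input = traffic TO the router; management stays out of the transit chain
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept src-address-list=vlan-mgmt comment="ssh, winbox, snmp from management only"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="router as resolver for the VLANs"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53
add chain=input action=accept in-interface-list=LAN protocol=icmp
add chain=input action=drop comment="input default deny: snmp, dns, ssh closed toward WAN and other VLANs"

# forward = traffic THROUGH the router; first match wins, so order is the policy
# FastTrack must sit ABOVE the generic accept or it never matches; LAN<->LAN
# only, so WAN traffic still reaches the queue tree for shaping
add chain=forward action=fasttrack-connection connection-state=established,related in-interface-list=LAN out-interface-list=LAN
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# specific allows sit above the isolation drops they carve exceptions from
add chain=forward action=accept src-address-list=vlan-mgmt comment="management and monitoring reach everything"
add chain=forward action=accept src-address-list=vlan-lan dst-address-list=vlan-mgmt comment="clients to servers"
add chain=forward action=accept src-address-list=vlan-lan dst-address-list=vlan-iot comment="clients may initiate to IoT; replies return as established"
add chain=forward action=accept src-address-list=vlan-iot dst-address=10.0.10.20 protocol=tcp dst-port=8883 comment="IoT to MQTT broker: dead if moved below the next rule"
add chain=forward action=drop src-address-list=vlan-iot comment="IoT: no internet, no initiating inward"
add chain=forward action=accept src-address-list=vlan-guest out-interface-list=WAN comment="guest: internet only"
add chain=forward action=accept src-address-list=vlan-lan out-interface-list=WAN comment="clients: internet"
add chain=forward action=drop comment="forward default deny"

# SNMP itself: rename the default community and bind it to the servers VLAN
/snmp community set [ find default=yes ] name=ro-metrics addresses=10.0.10.0/24
/snmp set enabled=yes

# check which rules actually hit
/ip firewall filter print stats
```

Paste the forward rules in the order shown; moving the MQTT allow below the IoT drop silently breaks the broker connection while every counter still looks busy.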

That is the shape I run today. It stays readable and it behaves under load without constant tweaks.
