Local network.

Once the WAN is up and the firewall is sane, you have a LAN-shaped problem: handing out addresses, resolving names, separating traffic into domains. This hub indexes the three per-topic pages plus the cross-cutting context.

The pages

  • DHCP — DHCP server config, static leases, lease times, multi-pool setups.
  • DNS — the router as a recursive resolver, static entries, DNS-over-HTTPS (v7 only), allow-remote-requests, cache behaviour.
  • VLANs — the most common "where do my packets go" question. Substantial v6 vs v7 differences (the bridge model changed).

Common shapes

Three LAN topologies cover ~90% of MikroTik deployments. Pick the one that matches yours, then read the relevant per-topic pages:

Flat LAN

One bridge, one subnet, one DHCP server. All wired and wireless clients on the same broadcast domain. Default for Quick Set. Fine for home / small office.

  • Read DHCP to handle reservations.
  • Read DNS to point clients at the router for resolution.
  • Skip VLANs — you don't need them yet.

Bridged VLANs

One bridge, multiple VLANs riding it. Different subnets per VLAN. Typical for "trusted / IoT / guest" segmentation on a single switch. The current RouterOS bridge model (v6.41+ on v6, all of v7) supports this natively — VLAN filtering on the bridge, port-VLAN membership on each interface.

  • Read VLANs first — the model matters.
  • One DHCP server + one DNS resolver per VLAN.
  • Inter-VLAN routing happens at the router; firewall rules between vlan-trusted and vlan-iot live in the forward chain.
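The bridged-VLAN shape as a minimal configuration, added here as an illustration and not taken from the guide's per-topic pages. The bridge name bridge1, the ports ether2/ether3, VLAN IDs 10 and 20, the 192.168.10.0/24 and 192.168.20.0/24 subnets and the pool name are assumptions; vlan-trusted and vlan-iot are the names used above.

```routeros
# Assumed layout: ether2 = trusted access port (VLAN 10), ether3 = IoT access port (VLAN 20).
# Create the bridge with filtering off; it is switched on as the last step.
/interface bridge add name=bridge1 vlan-filtering=no

# Access ports: untagged frames arriving on the port are placed into its PVID.
/interface bridge port add bridge=bridge1 interface=ether2 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge port add bridge=bridge1 interface=ether3 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

# Port-VLAN membership. The bridge itself is a tagged member so the CPU
# (the router's VLAN interfaces) can take part in each VLAN.
/interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=ether2
/interface bridge vlan add bridge=bridge1 vlan-ids=20 tagged=bridge1 untagged=ether3

# Layer-3 interfaces, one subnet per VLAN.
/interface vlan add name=vlan-trusted interface=bridge1 vlan-id=10
/interface vlan add name=vlan-iot interface=bridge1 vlan-id=20
/ip address add address=192.168.10.1/24 interface=vlan-trusted
/ip address add address=192.168.20.1/24 interface=vlan-iot

# One DHCP server per VLAN (IoT shown; trusted follows the same pattern).
/ip pool add name=pool-iot ranges=192.168.20.100-192.168.20.200
/ip dhcp-server add name=dhcp-iot interface=vlan-iot address-pool=pool-iot disabled=no
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1 \
    dns-server=192.168.20.1

# Inter-VLAN policy in the forward chain. Order matters: replies to connections
# opened from the trusted side are accepted before the drop rule is reached.
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="allow replies"
/ip firewall filter add chain=forward in-interface=vlan-trusted \
    out-interface=vlan-iot action=accept comment="trusted may reach IoT"
/ip firewall filter add chain=forward in-interface=vlan-iot \
    out-interface=vlan-trusted action=drop comment="IoT may not open connections to trusted"

# Enable filtering only after membership is complete; doing it earlier can cut
# off a management session that arrives through a bridge port.
/interface bridge set bridge1 vlan-filtering=yes
```

On a router that already has firewall rules, the three forward rules are appended after them, so check their position relative to any existing accept rules in that chain.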

Routed segments

Multiple physical interfaces, each its own subnet, all NATed (or routed) through the same WAN. Less common on consumer gear, useful on CCRs and CHR-as-router setups. No bridge involved.

  • One DHCP server per interface.
  • Routing decisions are explicit — read the firewall section's forward chain page for how to control inter-segment traffic.

Why not bridge everything?

A common new-admin instinct is "bridge everything together so it works". It does, and you end up with one broadcast domain that every IoT vacuum, every guest phone, and every laptop shares. Any one compromised device can see and reach every other one. Segmenting via VLANs costs an evening of setup and pays back the first time a smart bulb gets pwned.