Mikrotik RouterBoard Configuration Optimization for Secure Hotel Network
Client Challenge: Bridging Public Access with Private Security
A small hotel client required a critical upgrade to their network infrastructure to securely integrate both guest-facing and administrative systems using a limited block of assigned public IP addresses.
The client was using a Mikrotik RouterBoard (R1) as their edge device, successfully providing general internet access via a single public WAN IP. The challenge was to assign two specific public IP addresses from their small /29 subnet (50.146.26.82 – 50.146.26.86) to key systems:
- Guest WiFi Router (R2): The third-party vendor required a dedicated public IP address on their WAN interface for remote management, bypassing the need for complex NAT/Port Forwarding.
- CCTV/NVR System: The property owner required a dedicated public IP for remote, direct monitoring.
Crucially, the solution needed to maintain strict network segregation, ensuring guest devices connected to R2 had absolutely no access to the hotel’s internal administrative computers or the CCTV system.
The dgtel Consulting Solution: Strategic IP Segmentation and Firewall Policy
Our expert consultant quickly assessed the client’s architecture and proposed an optimal solution that prioritized security, public IP conservation, and simplified remote access.
Initial Strategy: IP Segmentation (Option 2)
The initial proposal was to split the single /29 public IP block into two separate /30 subnets. This ensured distinct, dedicated network segments for the CCTV and Guest WiFi systems. While this approach is typically straightforward, it consumes more IP addresses, because each new /30 subnet loses its own first (network) and last (broadcast) address.
Refined Strategy: Maximizing IP Utilization with Bridging and Static Mapping
After further discussion, a more efficient and elegant solution was adopted to conserve the limited public IP addresses: a single Layer 2 bridge interface on R1 for the LAN, with static IP assignments for the public-facing devices.
This approach allowed the hotel’s administrative computers, printers, and other internal devices to remain on the existing Private DHCP subnet (connected via a switch on a designated port) while simultaneously enabling the public-facing devices to receive their static public addresses.
Key Implementation Steps:
- Unified LAN Bridge: All internal ports intended for the hotel’s LAN (including the switch for Admin PCs and the ports connecting to R2 and the NVR) were grouped into a single Mikrotik Bridge Interface on R1.
- Private DHCP Coexistence: The existing Private IP DHCP Server remained active on the bridge, ensuring the Admin computers and printers continued to receive their internal, private IP addresses automatically.
- Static Public IP Assignment:
- The Guest WiFi Router (R2) WAN port was manually configured with a specific, usable Public IP from the /29 block.
- The CCTV/NVR System was manually configured with its own specific, usable Public IP from the /29 block.
- Security Layer: Critical firewall rules (IP > Firewall) were implemented on R1 to enforce the security requirement. These rules specifically block all traffic originating from the Guest WiFi Router (R2) address space from reaching the IP ranges of the Admin computers and the CCTV system, achieving complete network segregation.
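The steps above, expressed as a RouterOS CLI script. This is an added example and not the client's actual configuration; every port assignment, the 192.168.10.0/24 admin subnet, the choice of 50.146.26.81 as R1's bridge address in the /29, and the .82/.83 placeholders for R2 and the NVR are assumptions. One caveat the page does not spell out: R2 and the NVR sit in the same public subnet on the same bridge, so traffic between them is switched at Layer 2 and never reaches R1's IP firewall unless bridged traffic is forced through it (the `use-ip-firewall` setting below), whereas guest traffic aimed at the private admin subnet is routed via R1 and is caught by the forward chain either way.

```routeros
# Added example (not the client's real configuration). Assumed layout:
#   ether1          = WAN uplink to the ISP
#   ether2          = switch for admin PCs and printers
#   ether3          = Guest WiFi router (R2) WAN port
#   ether4          = CCTV/NVR
#   192.168.10.0/24 = existing private admin subnet (assumed)
#   50.146.26.80/29 = public block from the case study; .81 assumed as R1's
#                     bridge address, .82 = R2 WAN, .83 = NVR (placeholders)

# 1. Unified LAN bridge: every LAN-side port joins one Layer 2 bridge
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether2 comment="admin switch"
/interface bridge port add bridge=bridge-lan interface=ether3 comment="R2 WAN"
/interface bridge port add bridge=bridge-lan interface=ether4 comment="CCTV/NVR"

# 2. Private and public addressing coexist on the same bridge
/ip address add address=192.168.10.1/24 interface=bridge-lan comment="admin LAN gateway"
/ip address add address=50.146.26.81/29 interface=bridge-lan comment="gateway for public /29 hosts"

# Existing private DHCP server keeps serving the admin devices
/ip pool add name=admin-pool ranges=192.168.10.100-192.168.10.200
/ip dhcp-server add name=admin-dhcp interface=bridge-lan address-pool=admin-pool disabled=no
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1

# 3. Static public IPs are set on R2 and the NVR themselves. R1 only NATs the
#    private subnet; hosts in the /29 leave with their own public source address.
/ip firewall nat add chain=srcnat src-address=192.168.10.0/24 out-interface=ether1 \
    action=masquerade comment="admin LAN to Internet"

# 4. Segregation. Guest clients are NATed behind R2, so on R1 their traffic
#    carries R2's WAN address (.82) as source.
/ip firewall address-list add list=protected address=192.168.10.0/24 comment="admin PCs and printers"
/ip firewall address-list add list=protected address=50.146.26.83 comment="CCTV/NVR"
/ip firewall filter add chain=forward src-address=50.146.26.82 dst-address-list=protected \
    action=drop comment="block Guest WiFi (R2) to admin LAN and CCTV"
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop

# R2 -> NVR is same-subnet traffic and would be bridged at Layer 2, bypassing the
# IP firewall. Forcing bridged frames through the IP firewall makes the drop rule
# above apply to that path as well (at the cost of CPU, since it disables
# hardware offload for the bridge).
/interface bridge settings set use-ip-firewall=yes
```

Keep the drop rule above any broad accept rule in the forward chain, since RouterOS evaluates filter rules in order. A lighter alternative to `use-ip-firewall` is to give the R2 and NVR bridge ports the same `horizon` value, which stops the bridge from forwarding frames directly between those two ports while routed traffic through R1 is still inspected by the forward chain. Verify the result from a guest client: pings and connection attempts to the admin subnet and the NVR address should fail, and the dropped packets should appear in the drop rule's counters.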
Outcome and Impact
By leveraging advanced MikroTik configuration techniques, dgtel consulting successfully delivered a network that was both functional and fundamentally secure.
| Metric | Before dgtel Consulting | After dgtel Consulting |
| --- | --- | --- |
| Guest WiFi Router (R2) Access | NAT/Port-Forwarding required; complex remote vendor access. | Direct Public IP access; simple, direct remote management. |
| CCTV/NVR Access | Private IP only; complex remote monitoring via VPN or port forward. | Direct Public IP access; owner can monitor remotely without complexity. |
| IP Address Utilization | Only one IP from the /29 block was effectively used. | Three specific IPs from the /29 block were used efficiently. |
| Network Security | Guest/Admin segmentation not enforced. | Strict Firewall Segmentation implemented, preventing Guest-to-Admin access. |
The solution provided the required remote manageability for the third-party Guest WiFi provider and the property owner, all while preserving the internal network’s security and conserving the client’s limited public IP resources.
This project exemplifies dgtel consulting’s ability to translate complex business needs into precise, robust, and elegant network architecture solutions.
