MikroTik
The Perfect Small Office Router A MikroTik RB750Gr3 Configuration Guide
Complete step-by-step configuration guide for MikroTik RB750Gr3 as a small office router. Includes VLANs, VPN, firewall, and professional network setup.
Raza RehmanNovember 22, 2025
5 min read
214 views
Introduction: Why RB750Gr3 for Small Offices?
The MikroTik RB750Gr3 offers the perfect balance of performance, features, and affordability for small to medium businesses. With five Gigabit ports, hardware acceleration, and full RouterOS capabilities, it can replace expensive enterprise routers at a fraction of the cost.
Office Network Requirements We'll Address:
- Network Segmentation: Separate departments and guest traffic
- Remote Access: Secure VPN for remote workers
- Security: Firewall and content filtering
- Reliability: Stable connectivity for business operations
- Management: Easy monitoring and maintenance
Office Network Architecture
Recommended Office Network Design
Internet → RB750Gr3 → VLANs:
→ VLAN10: Management (192.168.10.0/24)
→ VLAN20: Staff (192.168.20.0/24)
→ VLAN30: Guests (192.168.30.0/24)
→ VLAN40: Servers (192.168.40.0/24)
Port Assignment Plan
- ether1: WAN (Internet Connection)
- ether2: Trunk to Switch (All VLANs)
- ether3: Management Access (VLAN10)
- ether4: Staff WiFi (VLAN20)
- ether5: Guest WiFi (VLAN30)
Initial Router Configuration
Basic System Setup
# Set router identity
/system identity set name=Office-Router
# Set timezone and NTP
/system clock set time-zone-name=Europe/London
/system ntp client set enabled=yes primary-ntp=pool.ntp.org
# Create secure admin account
/user add name=admin group=full password="SecurePass123!"
/user remove admin
Interface Configuration
# Rename interfaces for clarity
/interface ethernet
set ether1 name=WAN comment="Internet Uplink"
set ether2 name=TRUNK comment="Switch Trunk Port"
set ether3 name=MGMT comment="Management Access"
set ether4 name=STAFF-WIFI comment="Staff Wireless"
set ether5 name=GUEST-WIFI comment="Guest Wireless"
VLAN Configuration for Office Segmentation
Create VLAN Interfaces
# Create VLANs on trunk port
/interface vlan
add name=VLAN10 vlan-id=10 interface=TRUNK comment="Management VLAN"
add name=VLAN20 vlan-id=20 interface=TRUNK comment="Staff VLAN"
add name=VLAN30 vlan-id=30 interface=TRUNK comment="Guest VLAN"
add name=VLAN40 vlan-id=40 interface=TRUNK comment="Servers VLAN"
Assign IP Addresses to VLANs
/ip address
add address=192.168.10.1/24 interface=VLAN10 comment="Management Network"
add address=192.168.20.1/24 interface=VLAN20 comment="Staff Network"
add address=192.168.30.1/24 interface=VLAN30 comment="Guest Network"
add address=192.168.40.1/24 interface=VLAN40 comment="Servers Network"
Internet Connectivity & NAT
WAN Configuration
# For static IP (common in business connections)
/ip address add address=203.0.113.100/24 interface=WAN comment="Public IP"
# For DHCP (backup connection)
/ip dhcp-client add interface=WAN disabled=no use-peer-dns=yes
# Add default route
/ip route add gateway=203.0.113.1 distance=1 comment="Primary Gateway"
NAT Configuration
/ip firewall nat
add chain=srcnat out-interface=WAN action=masquerade comment="Masquerade all outgoing traffic"
Site-to-Site VPN Setup
IPsec VPN to Branch Office
# IPsec proposal
/ip ipsec proposal set default auth-algorithms=sha256 enc-algorithms=aes-256-cbc
# IPsec policy for branch office
/ip ipsec policy add src-address=192.168.20.0/24 dst-address=192.168.50.0/24 tunnel=yes proposal=default
# IPsec peer configuration
/ip ipsec peer add address=203.0.113.200 secret=YourSharedSecret exchange-mode=main
Office Firewall Security
Basic Firewall Rules
/ip firewall filter
# Accept established connections
add chain=forward action=accept connection-state=established,related comment="Accept established"
# Block guests from internal networks
add chain=forward action=drop in-interface=VLAN30 out-interface=VLAN10,VLAN20,VLAN40 comment="Block guest from internal"
# Allow staff to servers
add chain=forward action=accept in-interface=VLAN20 out-interface=VLAN40 comment="Staff to servers"
# Allow management from staff network only
add chain=input action=accept in-interface=VLAN20 protocol=tcp dst-port=8291,22 comment="Management from staff"
add chain=input action=drop in-interface=VLAN30 protocol=tcp dst-port=8291,22 comment="Block guest management"
Advanced Threat Protection
# Block brute force attacks
/ip firewall filter
add chain=input protocol=tcp dst-port=22,8291 src-address-list=blacklist action=drop comment="Block blacklisted IPs"
add chain=input protocol=tcp dst-port=22,8291 connection-limit=3,32 action=add-src-to-address-list address-list=blacklist address-list-timeout=1h comment="Detect brute force"
DHCP Services for Office Networks
Staff Network DHCP
/ip pool add name=staff-pool ranges=192.168.20.100-192.168.20.200
/ip dhcp-server add name=staff-dhcp interface=VLAN20 address-pool=staff-pool disabled=no
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1,8.8.8.8
Guest Network DHCP
/ip pool add name=guest-pool ranges=192.168.30.100-192.168.30.200
/ip dhcp-server add name=guest-dhcp interface=VLAN30 address-pool=guest-pool disabled=no
/ip dhcp-server network add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=1.1.1.1,8.8.8.8
DNS & Content Filtering
Local DNS Configuration
/ip dns set servers=1.1.1.1,8.8.8.8 allow-remote-requests=yes cache-size=4096KiB
# Local domain records
/ip dns static add name=fileserver.local address=192.168.40.10
/ip dns static add name=printer.local address=192.168.40.20
Workplace Content Filtering
# Block social media during work hours
/ip firewall address-list add list=social-media address=facebook.com
/ip firewall address-list add list=social-media address=twitter.com
/ip firewall address-list add list=social-media address=instagram.com
/ip firewall filter add chain=forward dst-address-list=social-media time=9:00-17:00 action=drop comment="Block social media during work"
Bandwidth Management
Quality of Service (QoS)
# Prioritize business applications
/queue simple
add name=VoIP-Priority target=192.168.20.0/24 dst-port=5060,10000-20000 priority=1 max-limit=10M/10M
add name=Guest-Limit target=192.168.30.0/24 priority=8 max-limit=5M/2M
add name=Backup-Limit target=192.168.40.10 max-limit=20M/5M comment="Limit backup server"
Monitoring & Maintenance
System Monitoring
# Enable logging
/system logging add action=memory topics=firewall,info
# Resource monitoring
/system resource monitor
Automated Backups
# Weekly configuration backup
/system scheduler add name="weekly-backup" interval=7d on-event="/system backup save name=config-backup-[/system clock get date]"
Update Management
# Check for updates monthly
/system scheduler add name="update-check" interval=30d on-event="/system package update check-for-updates"
Troubleshooting Common Office Issues
Internet Connectivity Problems
- Check WAN interface status
- Verify DNS resolution
- Test gateway connectivity
- Check for ISP outages
Inter-VLAN Communication Issues
- Verify firewall rules
- Check VLAN assignments
- Test routing between subnets
- Review NAT configurations
VPN Connection Problems
- Verify peer configurations
- Check firewall rules for VPN traffic
- Confirm routing through tunnel
- Review security associations
Performance Optimization
Enable FastTrack
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related comment="FastTrack established"
Hardware Offloading
# Check if hardware offloading is available
/system resource print
# Enable if supported (varies by model)
/interface ethernet set ether2 l2mtu=1600
Follow for more business networking solutions: Connect on LinkedIn | Join our WhatsApp Channel
mikrotik rb750gr3
small office router
office network
site-to-site vpn
mikrotik configuration
