MikroTik CRS304-4XG-IN VCF 9.0 Configuration Script

Overview

This script configures a MikroTik CRS304-4XG-IN switch for VMware Cloud Foundation (VCF) 9.0 homelab deployment, based on William Lam’s proven methodology.

Prerequisites

Hardware Requirements

  • MikroTik CRS304-4XG-IN (Cloud Router Switch with 4x 10GbE ports)
  • RouterOS 7.19.6 (stable) or newer
  • SFP+ to RJ45 transceivers (3x for MS-A2 machines)
  • 10GbE capable devices (MS-A2 servers, Mac Pro, Synology NAS)

Network Setup

  • Internet connection available on ether5
  • Lab devices ready for 10GbE connections
  • Management access to MikroTik device

Device Port Mapping

Port    Device           Connection Type        Speed  VLANs
ether1  MS-A2 #1         SFP+ with transceiver  10GbE  30,40,50,60,70 (tagged)
ether2  MS-A2 #2         SFP+ with transceiver  10GbE  30,40,50,60,70 (tagged)
ether3  Mac Pro 2013     Direct 10GbE           10GbE  30,40,50,60,70 (tagged)
ether4  Synology DS918+  Direct 10GbE           10GbE  30,40,50,60,70 (tagged)
ether5  Internet Uplink  From existing router   1GbE   30 (untagged)

Network Configuration

VLAN Layout

VLAN  Purpose     Network         Gateway      DHCP Range
30    Management  172.30.0.0/24   172.30.0.1   172.30.0.100-200
40    vMotion     172.30.40.0/24  172.30.40.1  172.30.40.100-200
50    vSAN        172.30.50.0/24  172.30.50.1  172.30.50.100-200
60    TEP (NSX)   172.30.60.0/24  172.30.60.1  172.30.60.100-200
70    T0 Uplink   172.30.70.0/24  172.30.70.1  172.30.70.100-200

Key Features

  • Jumbo Frames: 9200 MTU on lab networks (ether1-4)
  • Hardware Offloading: Enabled for maximum performance
  • DHCP Servers: Configured for all VLANs
  • Internet NAT: All VLANs can access internet via ether5
  • Firewall: Basic security rules implemented

Pre-Deployment Checklist

✅ Before Running Script

  1. Backup Current Configuration (if needed)

    # In RouterOS terminal:
    /export file=backup-before-vcf
    
  2. Verify RouterOS Version

    /system resource print
    # Should show RouterOS 7.19.6 or newer
    
  3. Check Interface Status

    /interface print
    # Verify all 5 ethernet ports are present
    
  4. Plan Password Change

    • Prepare a strong admin password
    • Script includes placeholder for security

Installation Methods

  1. Connect to MikroTik

    # Via SSH (if already configured)
    ssh admin@192.168.88.1
    
    # Or use Winbox GUI
    # Download from: https://mikrotik.com/download
    
  2. Upload and Run Script

    # Copy script content and paste into terminal
    # OR upload via Files menu in Winbox
    /import file-name=mikrotik_vcf90_config_ros7_compatible.rsc
    

Method 2: Factory Reset + Script (Clean Slate)

  1. Factory Reset (optional, for clean deployment)

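    /system reset-configuration no-defaults=yes skip-backup=yes
    # no-defaults=yes: device reboots with an empty configuration (factory defaults are not loaded)
    # skip-backup=yes: no automatic backup is written before the reset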
    
  2. Connect and Run Script

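    # 192.168.88.1 exists only when the default configuration is loaded;
    # after no-defaults=yes, connect by MAC address (Winbox Neighbors tab or MAC-Telnet)
    # Run the script as above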
    

Post-Installation Configuration

1. Set Admin Password (CRITICAL)

# Change 'YourStrongPasswordHere' to your actual password
/user set admin password="YourStrongPasswordHere"

2. Verify Configuration

# Check interfaces
/interface print status

# Check bridge configuration
/interface bridge print
/interface bridge port print
/interface bridge vlan print

# Check IP addresses
/ip address print

# Check DHCP servers
/ip dhcp-server print
/ip dhcp-server lease print

# Check firewall
/ip firewall filter print
/ip firewall nat print

3. Test Connectivity

# Test VLAN gateways
/ping 172.30.0.1 count=3
/ping 172.30.40.1 count=3
/ping 172.30.50.1 count=3
/ping 172.30.60.1 count=3
/ping 172.30.70.1 count=3

# Test internet connectivity
/ping 8.8.8.8 count=3

Management Access

After successful configuration, you can access the MikroTik via:

Method         Address               Port  Notes
Web Interface  http://172.30.0.1     80    Basic web GUI
SSH            ssh admin@172.30.0.1  22    Command line access
Winbox         172.30.0.1            8291  Full GUI management

Hardware Connection Guide

SFP+ Transceivers for MS-A2 Machines

  1. Install Transceivers
    • Insert SFP+ to RJ45 transceivers into MS-A2 SFP+ ports
    • Connect Cat6A cables from transceivers to ether1/ether2
  2. Verify Link Status

    # monitor-traffic shows throughput only; ethernet monitor reports the negotiated rate
    /interface ethernet monitor ether1,ether2 once
    # Should show 10Gbps link speed
    

Direct 10GbE Connections

  1. Mac Pro 2013: Connect directly to ether3
  2. Synology DS918+: Install E10G18-T1 card, connect to ether4
  3. Internet: Connect existing router to ether5

ESXi Host Configuration

VLAN Configuration on ESXi Hosts

  1. Create vSphere Standard Switch

    # In ESXi host configuration
    # Add virtual switch with VLAN tagging enabled
    
  2. Configure Port Groups
    • Management Network: VLAN 30
    • vMotion Network: VLAN 40
    • vSAN Network: VLAN 50
    • VM Network: VLAN 70 (or as needed)
  3. VMkernel Adapters

    # Create VMkernel adapters for each service
    # Assign appropriate VLAN IDs
    # Enable services (Management, vMotion, vSAN)
    

Troubleshooting

Common Issues

# Check interface status
/interface ethernet print

# Verify SFP+ transceivers are properly seated
# Try different Cat6A cables
# Check ESXi NIC configuration

2. VLAN Not Working

# Verify bridge VLAN configuration
/interface bridge vlan print

# Check port PVID settings
/interface bridge port print detail

# Verify ESXi VLAN tagging

3. No Internet Access

# Check DHCP client on ether5
/ip dhcp-client print

# Verify NAT rule
/ip firewall nat print

# Check default route
/ip route print

4. DHCP Not Working

# Check DHCP server status
/ip dhcp-server print

# Verify DHCP networks
/ip dhcp-server network print

# Check for DHCP conflicts
/ip dhcp-server lease print

Performance Verification

Test 10GbE Performance

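# RouterOS does not run an iperf3 server, so 172.30.0.1 cannot be the target.
# Start a server on one 10GbE device: iperf3 -s
# From ESXi host or other 10GbE device (SERVER_IP is a placeholder for that server):
iperf3 -c SERVER_IP -t 30
# Should achieve 8+ Gbps with proper 10GbE setup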

Script Features

✅ Idempotent Design

  • Safe to run multiple times
  • Updates existing configuration without duplicates
  • Handles both fresh and existing deployments

✅ RouterOS 7.19.6 Compatible

  • Stable syntax only
  • CRS304-specific optimizations
  • Proven in homelab environments

✅ Security Features

  • Firewall rules for basic protection
  • Service hardening (disabled unnecessary services)
  • Management VLAN access control
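
To confirm the service hardening and management VLAN restriction listed above on a running switch, the following added example (not part of this project's script) audits the /ip service section of a /export file against the 172.30.0.0/24 management network. The sample export is constructed, and the RouterOS 7 default service states are an assumption marked in the code.

```python
import ipaddress

MGMT_NET = ipaddress.ip_network("172.30.0.0/24")  # VLAN 30 on this page
# Assumption: RouterOS 7 defaults (all on except www-ssl); /export omits defaults.
SERVICES = ("telnet", "ftp", "www", "ssh", "www-ssl", "api", "winbox", "api-ssl")
CLEARTEXT = {"telnet", "ftp", "www", "api"}

def parse_ip_service(export_text):
    """Map service name -> {'disabled': bool, 'address': [ip_network, ...]}."""
    state = {s: {"disabled": s == "www-ssl", "address": []} for s in SERVICES}
    in_section = False
    for line in map(str.strip, export_text.splitlines()):
        if line.startswith("/"):
            in_section = line == "/ip service"
        elif in_section and line.startswith("set "):
            name, *pairs = line[4:].split()
            svc = state.setdefault(name, {"disabled": False, "address": []})
            for key, _, value in (p.partition("=") for p in pairs):
                if key == "disabled":
                    svc["disabled"] = value == "yes"
                elif key == "address" and value.strip('"'):
                    svc["address"] = [ipaddress.ip_network(a, strict=False)
                                      for a in value.strip('"').split(",")]
    return state

def audit(export_text):
    """Return findings for services exposed beyond the management VLAN."""
    findings = []
    for name, svc in sorted(parse_ip_service(export_text).items()):
        if svc["disabled"]:
            continue
        if name in CLEARTEXT:
            findings.append(f"{name}: cleartext protocol enabled")
        inside = [n.version == MGMT_NET.version and n.subnet_of(MGMT_NET)
                  for n in svc["address"]]
        if not inside:  # empty address list means no source restriction
            findings.append(f"{name}: reachable from any source address")
        elif not all(inside):
            findings.append(f"{name}: allowed from outside {MGMT_NET}")
    return findings

# Constructed sample, not output of the project's script.
SAMPLE = """/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=172.30.0.0/24
set ssh address=172.30.0.0/24,192.168.1.0/24
set api disabled=yes
set api-ssl disabled=yes
"""
print("\n".join(audit(SAMPLE)))
```

Winbox has no line in the sample, which is why it is reported: an absent line means the service is still at its default.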

Advanced Configuration

Optional Customizations

Change Network Addressing

# Modify IP ranges in script before running
# Update VLAN gateway addresses
# Adjust DHCP pools as needed
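
Before importing a script with changed addressing, the edited plan can be checked for mistakes that would merge or break the VLAN segments. This is an added example, not part of the project's script; the rows are copied from the VLAN Layout table and the function name check_plan is hypothetical.

```python
import ipaddress
from itertools import combinations

# Rows copied from the VLAN Layout table:
# (VLAN ID, network, gateway, first DHCP address, last DHCP address)
PLAN = [
    (30, "172.30.0.0/24", "172.30.0.1", "172.30.0.100", "172.30.0.200"),
    (40, "172.30.40.0/24", "172.30.40.1", "172.30.40.100", "172.30.40.200"),
    (50, "172.30.50.0/24", "172.30.50.1", "172.30.50.100", "172.30.50.200"),
    (60, "172.30.60.0/24", "172.30.60.1", "172.30.60.100", "172.30.60.200"),
    (70, "172.30.70.0/24", "172.30.70.1", "172.30.70.100", "172.30.70.200"),
]

def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    errors, nets = [], {}
    for vlan, net, gw, first, last in plan:
        try:
            network = ipaddress.ip_network(net)  # rejects host bits, e.g. 172.30.0.1/24
            gw, first, last = (ipaddress.ip_address(a) for a in (gw, first, last))
        except ValueError as exc:
            errors.append(f"VLAN {vlan}: {exc}")
            continue
        if not 1 <= vlan <= 4094 or vlan in nets:
            errors.append(f"VLAN {vlan}: ID out of range or used twice")
        edges = (network.network_address, network.broadcast_address)
        usable = lambda a: a in network and a not in edges
        if not usable(gw):
            errors.append(f"VLAN {vlan}: gateway {gw} is not a host address in {network}")
        if not (usable(first) and usable(last) and first <= last):
            errors.append(f"VLAN {vlan}: DHCP range {first}-{last} does not fit {network}")
        elif usable(gw) and first <= gw <= last:
            errors.append(f"VLAN {vlan}: gateway {gw} lies inside the DHCP range")
        nets[vlan] = network
    # Overlapping subnets make routes and firewall rules for the two VLANs ambiguous.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            errors.append(f"VLAN {a} ({na}) overlaps VLAN {b} ({nb})")
    return errors

if __name__ == "__main__":
    for problem in check_plan(PLAN) or ["plan is consistent"]:
        print(problem)
```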

Add Additional VLANs

# Add new VLAN interfaces
/interface vlan add name=vlan80-custom vlan-id=80 interface=bridge-vcf

# Add to bridge VLAN table
/interface bridge vlan add bridge=bridge-vcf vlan-ids=80 tagged=ether1,ether2,ether3,ether4,bridge-vcf

# Configure IP and DHCP as needed

Hardware Monitoring

# Monitor interface statistics
/interface monitor-traffic ether1

# Check system resources
/system resource print

# Monitor temperatures (if supported)
/system health print

Changelog

Version 1.0 (RouterOS 7.19.6 Compatible)

  • Initial release based on William Lam’s methodology
  • Full VCF 9.0 VLAN configuration
  • Idempotent script design
  • CRS304-4XG-IN optimizations
  • Comprehensive documentation

Quick Start Summary

  1. Backup existing config (if needed)
  2. Connect to MikroTik via SSH/Winbox
  3. Run the script: /import file-name=mikrotik_vcf90_config_ros7_compatible.rsc
  4. Set admin password: /user set admin password="YourPassword"
  5. Connect devices to ether1-5
  6. Configure ESXi with VLAN tagging
  7. Test connectivity and performance

Management Access: http://172.30.0.1 or ssh admin@172.30.0.1

🎉 Your 10GbE VCF 9.0 lab is ready!


This project is for educational and home lab purposes.