Powerlynx and Splynx on the Same MikroTik NAS

This topic is helpful for customers who use Powerlynx and Splynx at the same time and want to configure the same MikroTik NAS device to work with both platforms simultaneously.

Warning: You should ensure that your device has enough resources and can properly handle multiple types of connections before implementing this configuration.

Moreover, you must be aware that it’s easy to set up an incorrect configuration, which can cause multiple network issues for both you and your customers.

If you’re confident that this setup is feasible in your environment, here are a few practical recommendations to help you build a stable and functional system.


1. VPN Configuration

This is one of the most essential steps. A correct VPN configuration helps avoid potential issues like misrouted packets and RADIUS server communication failures.

Both Powerlynx and Splynx allow you to establish VPN connections (WireGuard or OpenVPN) with your MikroTik NAS. However, there’s a key difference:

  • Powerlynx does not allow customization of the WireGuard or OpenVPN subnets—it uses fixed internal IP ranges.
  • Splynx allows you to change the internal VPN subnets.

So, when using both services on the same router, it’s important to assign different subnets and possibly different ports for each VPN connection to avoid conflicts.

Powerlynx VPN Details

OpenVPN Configuration:

Powerlynx uses the 10.112.0.0/16 range for its OpenVPN tunnel.

Attribute | Value
--- | ---
OpenVPN Server IP | 10.112.0.1
RADIUS Server IP | 10.112.0.2
OpenVPN Endpoint | openvpn.powerlynx.app:443

WireGuard Configuration:

Powerlynx uses the 172.16.0.0/12 range for its WireGuard tunnel.

Attribute | Value
--- | ---
RADIUS Server IP | 172.16.0.1
WireGuard Endpoint | vpn.powerlynx.app:443

Splynx VPN Configuration

When setting up Splynx, make sure to choose VPN IP ranges different from those used by Powerlynx. For example, for WireGuard, do not use 172.16.0.0/12.

Additionally, Powerlynx uses port 443 for both OpenVPN and WireGuard, but in Splynx, you can configure different ports—such as the default 51820 for WireGuard.

You can configure Splynx VPN ports under:

Config > Tools > VPN > WireGuard > Configuration
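The overlap rule above can be checked before anything is typed into the router. This is an added example, not Powerlynx or Splynx code: the two Powerlynx ranges and the hotspot network come from this page, while the Splynx subnet and the candidate pool are hypothetical values chosen for illustration.

```python
import ipaddress
from itertools import combinations

# Fixed Powerlynx tunnel ranges and the hotspot network, as given on this page.
PAGE_NETWORKS = {
    "powerlynx-openvpn": "10.112.0.0/16",
    "powerlynx-wireguard": "172.16.0.0/12",
    "hotspot-vlan101": "10.36.30.0/23",
}

def _net(cidr):
    # strict=False lets interface addresses such as 172.16.17.249/12 be passed in
    return ipaddress.ip_network(cidr, strict=False)

def find_overlaps(networks):
    """Return sorted (name_a, name_b) pairs whose address ranges overlap."""
    items = sorted((name, _net(cidr)) for name, cidr in networks.items())
    return [(a, b) for (a, na), (b, nb) in combinations(items, 2) if na.overlaps(nb)]

def first_free_subnet(pool, prefixlen, used):
    """Return the first subnet of `pool` with the given prefix length that
    overlaps none of the `used` ranges, or None if the pool is exhausted."""
    taken = [_net(c) for c in used.values()]
    for candidate in _net(pool).subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(t) for t in taken):
            return candidate
    return None

if __name__ == "__main__":
    # Hypothetical Splynx choice: 172.20.0.0/24 looks unrelated to 172.16.x.x,
    # but 172.16.0.0/12 spans 172.16.0.0 through 172.31.255.255.
    plan = dict(PAGE_NETWORKS, **{"splynx-wireguard": "172.20.0.0/24"})
    for a, b in find_overlaps(plan):
        print(f"OVERLAP: {a} ({plan[a]}) <-> {b} ({plan[b]})")
    print("suggested:", first_free_subnet("10.112.0.0/15", 24, PAGE_NETWORKS))
```

Add the router's other local networks to the dictionary before choosing a Splynx range, since the same check applies to them.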

[Screenshot: Splynx WireGuard Settings]

[Screenshot: MikroTik WireGuard Endpoints]


2. RADIUS Configuration

Different VPN IPs and routing rules help avoid packet misrouting, but you also need to be very careful with the RADIUS service settings on the MikroTik NAS.

Important Note: RouterOS allows you to configure multiple RADIUS clients. However, if you assign the same service (e.g., hotspot) to multiple RADIUS servers, MikroTik will use the one with the lowest ID, while the others will be used as failovers.

This means that if both Powerlynx and Splynx are configured to handle hotspot, only one will actually receive requests—usually not the one you intended.

Best Practice

  • For Powerlynx, set the service to hotspot only.
  • For Splynx, use other available services (such as ppp, login, or dhcp) based on your actual deployment type.

This avoids traffic routing conflicts between the two RADIUS servers.
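An added example (not part of the original guide or of either product) that audits a RouterOS export for the problem described above: one service assigned to more than one RADIUS server. The export text is constructed, the 10.250.0.1 Splynx address is hypothetical, and the script assumes entries appear in the export in ID order.

```python
import re
from collections import defaultdict

# Constructed sample modelled on this page's /radius entries; the second
# server deliberately repeats "hotspot" to show the conflict.
SAMPLE_EXPORT = r'''
/radius
add address=172.16.0.1 comment="Powerlynx Radius" \
    service=hotspot src-address=172.16.17.249 timeout=6s
add address=10.250.0.1 comment="Splynx Radius" \
    service=ppp,hotspot timeout=3s
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.36.30.0/23
'''

def radius_entries(export):
    """Return the /radius 'add' entries of a RouterOS export, in order."""
    text = re.sub(r"\\\s*\n\s*", " ", export)  # join continuation lines
    section, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/radius" and line.startswith("add "):
            kv = dict(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))
            entries.append({k: v.strip('"') for k, v in kv.items()})
    return entries

def service_conflicts(entries):
    """Map each service claimed by several servers to (primary, failovers)."""
    claims = defaultdict(list)
    for e in entries:
        name = e.get("comment") or e.get("address", "?")
        for svc in e.get("service", "").split(","):
            if svc:
                claims[svc].append(name)
    return {s: (n[0], n[1:]) for s, n in claims.items() if len(n) > 1}

if __name__ == "__main__":
    found = service_conflicts(radius_entries(SAMPLE_EXPORT))
    for svc, (primary, idle) in found.items():
        print(f"{svc}: requests go to {primary!r}; {idle} only act as failover")
```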

Example: MikroTik RADIUS Configuration

If you need to use multiple RADIUS profiles with a hotspot service on the same MikroTik NAS, please refer to this guide for instructions:
Multi-Location Configuration for a Single MikroTik NAS with Powerlynx


3. Firewall Configuration

Make sure your MikroTik firewall allows traffic to and from both Powerlynx and Splynx services.

If your router has active drop rules, you need to explicitly allow:

  • VPN connections (WireGuard/OpenVPN)
  • RADIUS server IPs
  • Management IPs (if needed)

Refer to this detailed article for more help:
Recommended MikroTik Firewall Configuration


4. Separate Interfaces for Powerlynx and Splynx

To prevent conflicts, do not use the same physical or virtual (VLAN) interfaces for both Splynx and Powerlynx client connections.

For example:

  • If your hotspot users (managed by Powerlynx) are connected via bridge or VLAN1,
  • Then configure your Splynx users (IPoE, DHCP, PPPoE, etc.) on a separate interface or VLAN.

This separation helps avoid ARP issues, DHCP conflicts, or queue mismatches.

You can also separate Powerlynx clients at Layer 2 using VLANs. More on this below:

Useful References

Hybrid Network Configuration: Simultaneous Splynx PPPoE & Powerlynx Hotspot

This guide details the implementation of a network topology where a MikroTik NAS serves both standard ISP subscribers via PPPoE (managed by Splynx) and temporary/guest access via a Hotspot (managed by Powerlynx) on the same physical link.

Use Case: A CPE device normally connects via PPPoE for permanent internet access. However, specific interfaces (e.g., a Guest WiFi SSID) or the device itself during a PPPoE outage can redirect traffic to a Powerlynx Captive Portal via a dedicated VLAN.

Warning: Not all vendors support this kind of network configuration, so choose your devices carefully. We recommend discussing it with your dedicated network engineers.

Network Topology & Roles

Note: This setup acts as a baseline example. It can be improved and adapted to your specific network topology as you wish. You are encouraged to implement your own network configuration or enhance this one by adding other L2/L3 devices to the topology.

NAS Device (MikroTik AC3)

Acts as the Service Gateway.

  • Services: PPPoE Server (Splynx RADIUS), Hotspot Server (Powerlynx RADIUS), DHCP Server.

  • Uplink: WireGuard tunnels to management platforms.

  • Downlink: ether2 connects to the CPE.

CPE Device (MikroTik hAP lite)

Acts as the Client Gateway.

  • Uplink: ether1 connects to the NAS.

  • Services: PPPoE Client (for primary internet), L2 Bridge with VLAN filtering (for Hotspot redirection).

Warning: This configuration relies on Bridge VLAN Filtering. Ensure your MikroTik hardware switch chip supports this feature efficiently to avoid CPU bottlenecks.


Part 1: MikroTik NAS Configuration (AC3)

The NAS is configured to handle two distinct traffic flows on the same physical interface (ether2): untagged traffic for PPPoE discovery and tagged traffic (VLAN 101) for Hotspot access.

1. Management & Connectivity

Establish WireGuard tunnels for Splynx and Powerlynx communication.

Code example:

/interface wireguard
add listen-port=45696 mtu=1420 name=powerlynx-wg
add listen-port=14723 mtu=1420 name=wg-splynx-mikrotik_ac3

/interface wireguard peers
# Powerlynx Peer
add allowed-address=172.16.0.1/12 endpoint-address=vpn.powerlynx.app \
    endpoint-port=443 interface=powerlynx-wg name=peer2 persistent-keepalive=15s \
    public-key="POWERLYNX_PUB_KEY"
# Splynx Peer
add allowed-address=1.1.1.1/32 endpoint-address=splynx_wireguard_server \
    endpoint-port=51820 interface=wg-splynx-mikrotik_ac3 name=peer3 \
    persistent-keepalive=1m public-key="YOUR_SPLYNX_PUB_KEY"

/ip address
add address=172.16.17.249/12 interface=powerlynx-wg network=172.16.0.0
add address=YOUR_WG_IP interface=wg-splynx-mikrotik_ac3 network=YOUR_SPLYNX_WG_NETWORK

2. Splynx (PPPoE) Configuration

This configuration sets up the PPPoE server on ether2. It utilizes Splynx for AAA (Authentication, Authorization, Accounting).

Code example:


/ppp profile
add change-tcp-mss=yes local-address=10.10.10.1 name=splynx-profile use-ipv6=no

/interface pppoe-server server
add default-profile=splynx-profile disabled=no interface=ether2 service-name=splynx-server

# The RADIUS shared secret (secret=) is omitted from this example.
# require-message-auth=no: replies are accepted without a Message-Authenticator attribute.
/radius
add address=SPLYNX_WG_IP comment="Splynx Radius" require-message-auth=no \
    service=ppp src-address=YOUR_WG_IP timeout=3s

3. Powerlynx (Hotspot) Configuration

The Hotspot is isolated inside VLAN 101. The NAS listens for tagged frames on ether2.

Code example:


# VLAN Interface for Hotspot
/interface vlan
add interface=ether2 name=vlan101 vlan-id=101

# IP Addressing & DHCP
/ip address
add address=10.36.30.1/23 interface=vlan101 network=10.36.30.0
/ip pool
add name=dhcp_pool5 ranges=10.36.30.2-10.36.31.254
/ip dhcp-server
add address-pool=dhcp_pool5 interface=vlan101 name=dhcp2
/ip dhcp-server network
add address=10.36.30.0/23 dns-server=8.8.8.8,1.1.1.1 gateway=10.36.30.1

# Hotspot Setup
/ip hotspot profile
add dns-name=local.hotspot hotspot-address=10.36.30.1 login-by=mac,http-chap \
    mac-auth-mode=mac-as-username-and-password name=hsprof1 nas-port-type=ethernet \
    use-radius=yes
/ip hotspot
add address-pool=dhcp_pool5 addresses-per-mac=1 disabled=no idle-timeout=2m \
    interface=vlan101 keepalive-timeout=30m name=test_environment profile=hsprof1

# RADIUS for Powerlynx
/radius
add address=172.16.0.1 comment="Powerlynx Radius" require-message-auth=no \
    service=hotspot src-address=172.16.17.249 timeout=6s

# Walled Garden (Allow access to splash page assets)
# The wildcard admits every *.digitaloceanspaces.com host before login;
# narrow it to the exact asset host if you know it.
/ip hotspot walled-garden
add dst-host=*.digitaloceanspaces.com
add dst-host=your_powerlynx_domain

4. Firewall & NAT

Ensure RADIUS traffic is permitted and customer traffic is masqueraded.

Code example:


# UDP 3799 is the RADIUS CoA/Disconnect port (RFC 5176).
/ip firewall filter
add action=accept chain=input comment="Powerlynx RADIUS incoming accept" \
    dst-port=3799 protocol=udp src-address=Powerlynx_ADDR

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade Hotspot Network" \
    src-address=10.36.30.0/23


Part 2: MikroTik CPE Configuration (hAP lite)

The CPE uses a Bridge with VLAN Filtering.

  • PPPoE Traffic: Flows untagged from the PPPoE client interface through the physical port.

  • Hotspot Traffic: Traffic from specific local interfaces (e.g., wlan2) is tagged with VLAN 101 and sent to the NAS.

1. Bridge Configuration

Create a dedicated bridge (“Common-Bridge”) to manage the uplink traffic flow.

Code example:

/interface bridge
add name=Common-Bridge vlan-filtering=yes

# Define the VLAN
/interface vlan
add interface=Common-Bridge name=vlan.101 vlan-id=101

2. Interface Assignment (Ports)

Here we define how traffic enters and leaves the bridge.

  • ether1 (Uplink): Trunk port. Carries tagged VLAN 101 and allows untagged traffic.

  • wlan2 (Hotspot WiFi): Access port. Traffic entering here is assigned PVID 101.

Code example:


/interface bridge port
# Add the uplink (Trunk)
add bridge=Common-Bridge interface=ether1
# Add the Guest/Hotspot WiFi (Access Port)
add bridge=Common-Bridge interface=wlan2 pvid=101

3. VLAN Filtering Rules

Configure the bridge to tag traffic leaving ether1 and untag traffic leaving wlan2.

Code example:


/interface bridge vlan

add bridge=Common-Bridge tagged=Common-Bridge,ether1 untagged=wlan2 vlan-ids=101

4. PPPoE Client Setup

The PPPoE client runs on the Common-Bridge interface. Since no PVID was specified for the bridge interface itself, it operates on the default VLAN (untagged/native), allowing it to discover the Splynx PPPoE server on the NAS.

/interface pppoe-client
add add-default-route=yes disabled=no interface=Common-Bridge name=pppoe-out1 \
    user=YOUR_SPLYNX_USER password=YOUR_PASSWORD

5. LAN Side (Standard Home Network)

Standard configuration for the customer’s private devices (using bridge and wlan1).

Code example:


/interface bridge
add name=bridge

/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wlan1

/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0

/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf


Part 3: Operational Logic & Fallback Scenarios

This topology allows for dynamic service switching based on the interface the user connects to, or the state of the network.

Scenario A: Simultaneous Use

  • Private User: Connects to wlan1 (Private Bridge). Traffic is routed via pppoe-out1. Internet access is controlled by Splynx.

  • Hotspot User: Connects to wlan2. Traffic is tagged VLAN 101, sent to NAS, and intercepted by the Powerlynx Hotspot.

Scenario B: Automated Failover (Scripting)

You can implement a script (via Netwatch or Scheduler) on the CPE to automatically direct users to the Hotspot if the PPPoE subscription expires or the connection fails.

Logic:

  1. Monitor pppoe-out1 status.

  2. If PPPoE is Down: Enable wlan2 (or move wlan1 to Common-Bridge with PVID 101). The user is redirected to the Powerlynx portal (e.g., to pay a bill or log in as a guest).

  3. If PPPoE is Up: Disable wlan2 or restore wlan1 to the private bridge.

Netwatch script example:


# down (Netwatch down-script)
:local interface "pppoe-out1"
:log warning "No PPPoE-connection. $interface unavailable. Enabling Hotspot..."
:foreach port in=[/interface/bridge/port find interface=wlan2] do={
    /interface/bridge/port enable $port
}
:if ([/interface/wireless/get wlan2 disabled] = true) do={
    /interface/wireless/enable wlan2
    :log info "Hotspot (wlan2) has been enabled"
}

# up (Netwatch up-script)
:local interface "pppoe-out1"
:log warning "PPPoE-connection $interface is UP. Disabling Hotspot..."
:foreach wlan in=[/interface/bridge/port find interface=wlan2] do={
    /interface/bridge/port disable $wlan
}
/interface/wireless/disable wlan2

This ensures that even when the primary ISP connection is down, the device maintains L2 connectivity to the provider’s management network (Hotspot/VLAN 101).