ACTUALIZADO A 14/09/2017
Probado en un RB3011, en RB750GL y en un RB951G-2HnD de
@FerK con el que he estado haciendo las pruebas. Al final se ha resuelto creando un Bridge y separando del mismo el puerto que se va a utilizar para dar internet al Livebox (en este caso el 5).
Con esta configuración se puede poner el livebox como switch, ATA y Access Point y además permite usar la utilidad proxy sip del livebox, de forma que conectándonos a una VPN del mikrotik y usando apps como CsipSimple o Zoiper podamos usar el fijo en el móvil sin que se quede sin registro el fijo de casa.
Recordemos que el cable de la ONT va al puerto 1 del mikrotik, del puerto 5 del mikrotik sacamos un cable a la conexión WAN del livebox y posteriormente conectamos otro cable desde el mikrotik al livebox en cualquiera de los puertos libres.
En el livebox en el apartado básica--lan seleccionamos la ip desde la que vamos a acceder al livebox, en este caso como lo vamos a poner como switch y queremos que sea accesible desde cualquier equipo de mi red le damos una ip del rango 192.168.10.X (esto cada uno lo puede modificar a su gusto). Además desactivamos la opción DHCP.

Yo también he desmarcado la opción firewall y NAT. Todo eso lo va a manejar el mikrotik y así va más ligero el livebox.
Este es el código
# LAN bridge. ether5 is deliberately not added to it further down, so that it
# can feed the Livebox WAN port on its own VLAN.
# arp=proxy-arp: presumably so that VPN clients given addresses from inside the
# LAN subnet are reachable from wired hosts - confirm.
/interface bridge
add arp=proxy-arp auto-mac=no fast-forward=no \
name=bridge1
# Rename the physical ports; ether1 is the uplink that goes to the ONT.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] name=ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-slave-local
# Turn neighbour discovery off on the physical uplink.
# NOTE(review): only ether1-gateway is listed here; vlan1 (the interface the NAT
# and WAN firewall rules use) is not - confirm discovery is also off on it.
/ip neighbor discovery
set ether1-gateway discover=no
# VLAN 832 tagged on the uplink (vlan1) and again on ether5 towards the Livebox.
/interface vlan
add interface=ether1-gateway name=vlan1 vlan-id=832
add interface=ether5-slave-local name=vlan1_livebox vlan-id=832
# Default IPsec proposal (presumably the one the L2TP/IPsec server negotiates
# with - confirm).
# NOTE(review): 3des is a legacy 64-bit-block cipher, and pfs-group=none turns
# off perfect forward secrecy for the phase-2 keys. Keep either only if a client
# really cannot connect without it; otherwise offer AES only and set a PFS group.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
lifetime=0s pfs-group=none
# Address pools: LAN clients, the Livebox-facing VLAN, and VPN clients.
# The VPN pool sits inside the same 192.168.10.0/24 subnet as the LAN pool,
# directly above its range.
/ip pool
add name=dhcp ranges=192.168.10.2-192.168.10.150
add name=poolvoip ranges=192.168.2.100-192.168.2.105
add name=VPN ranges=192.168.10.151-192.168.10.200
# One DHCP server for the LAN bridge and one on the VLAN that feeds the
# Livebox WAN port. add-arp=yes adds an ARP entry for each lease.
/ip dhcp-server
add add-arp=yes address-pool=dhcp authoritative=after-2sec-delay disabled=no \
interface=bridge1 name=default
add add-arp=yes address-pool=poolvoip disabled=no interface=vlan1_livebox \
name=voip
# PPP profile used by the VPN users: both tunnel ends take addresses from the
# VPN pool and encryption is mandatory.
# NOTE(review): use-upnp=yes is set on both profiles; together with the UPnP
# service enabled later in this config, confirm VPN sessions really need it.
/ppp profile
add change-tcp-mss=yes local-address=VPN name=MisVPN remote-address=VPN \
use-encryption=required use-upnp=yes
# *FFFFFFFE is an internal id of a built-in profile (presumably
# "default-encryption" - confirm on your router before importing).
set *FFFFFFFE dns-server=192.168.10.1,62.36.225.150 local-address=dhcp \
remote-address=dhcp use-encryption=required use-upnp=yes
# LAN ports that join bridge1. ether1 (uplink) and ether5 (Livebox WAN feed)
# are intentionally not members.
/interface bridge port
add bridge=bridge1 interface=ether2-master-local
add bridge=bridge1 interface=ether3-slave-local
add bridge=bridge1 interface=ether4-slave-local
# L2TP server for remote clients, with an IPsec pre-shared key.
# Replace XXXXXXXX with a long random secret of your own.
# NOTE(review): mschap1 is obsolete; mschap2 alone should be enough for current
# clients.
# NOTE(review): with use-ipsec=yes the server may still accept L2TP sessions
# that arrive without IPsec (udp/1701 is opened on the WAN in the filter rules
# below) - TODO confirm. RouterOS has a stricter value for this option; check
# the documentation for your version.
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap1,mschap2 default-profile=MisVPN \
enabled=yes ipsec-secret=XXXXXXXX keepalive-timeout=60 max-mru=1460 \
max-mtu=1460 use-ipsec=yes
# PPTP server, reachable from the Internet on tcp/1723 (see the filter rules).
# NOTE(review): PPTP with MS-CHAP authentication is considered broken: its
# encryption keys derive from the user's password. Prefer the L2TP/IPsec server
# above and disable this one if no client depends on it. No authentication
# methods are set here, so whatever the router already has applies.
/interface pptp-server server
set default-profile=default enabled=yes keepalive-timeout=3600 max-mru=1460 \
max-mtu=1460
# Router addresses: LAN gateway on the bridge, and a private /24 on the VLAN
# that faces the Livebox WAN port.
/ip address
add address=192.168.10.1/24 comment="default configuration" interface=bridge1 \
network=192.168.10.0
add address=192.168.2.1/24 comment="IP publica Livebox" interface=\
vlan1_livebox network=192.168.2.0
# DHCP clients on the tagged WAN (vlan1) and on the untagged uplink port.
# NOTE(review): every WAN rule in the firewall matches in-interface=vlan1. If
# ether1-gateway ever obtains a lease, traffic arriving untagged on it is not
# covered by those rules - confirm this second client is needed.
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=vlan1
add dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
# Networks announced to DHCP clients on each side.
/ip dhcp-server network
add address=192.168.2.0/24 comment=VOIP gateway=192.168.2.1
add address=192.168.10.0/24 comment="default configuration" gateway=\
192.168.10.1
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# arriving on any interface the input chain lets through; only vlan1 is dropped
# there.
# NOTE(review): verify 63.37.228.20 - its first octet differs from the 62.x
# resolver next to it and may be a typo.
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-udp-packet-size=512 \
servers=62.36.225.150,63.37.228.20
/ip dns static
add address=192.168.10.1 name=router
# Filter rules are evaluated top to bottom; keep the order when editing.
# The only input drop is the one for in-interface=vlan1 near the end, so
# anything arriving on another interface reaches the router unless a rule
# above rejects it.
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default Configuration" \
connection-state=established,related
add action=fasttrack-connection chain=forward comment=Fasttrack \
connection-state=established,related
add action=accept chain=forward comment="default configuration" \
connection-state=established,related
# NOTE(review): the next two rules open the router's management to the whole
# Internet: WebFig on tcp/81 is plain HTTP (login sent in clear) and Winbox on
# tcp/8291 is a frequent scanning target. Safer: remove both and manage the
# router through the VPN, or at least restrict them with a src-address-list.
add action=accept chain=input comment=webfig dst-port=81 in-interface=vlan1 \
protocol=tcp
add action=accept chain=input comment="Winbox Remoto" dst-port=8291 \
in-interface=vlan1 protocol=tcp
# L2TP/IPsec from the WAN: IKE (udp/500), NAT-T (udp/4500), ESP and AH.
# NOTE(review): udp/1701 is accepted directly as well, so L2TP that is not
# wrapped in IPsec also reaches the server - see the l2tp-server settings.
add action=accept chain=input comment="SERVIDOR L2TP" dst-port=500 \
in-interface=vlan1 protocol=udp
add action=accept chain=input comment="SERVIDOR L2TP" dst-port=1701 \
in-interface=vlan1 protocol=udp
add action=accept chain=input comment="SERVIDOR L2TP" dst-port=4500 \
in-interface=vlan1 protocol=udp
add action=accept chain=input comment="SERVIDOR L2TP" in-interface=vlan1 \
protocol=ipsec-esp
add action=accept chain=input comment="SERVIDOR L2TP" in-interface=vlan1 \
protocol=ipsec-ah
# PPTP control channel from the WAN.
add action=accept chain=input comment=VPN dst-port=1723 in-interface=vlan1 \
protocol=tcp
# Everything else arriving on vlan1 for the router itself is dropped.
add action=drop chain=input comment="default configuration" in-interface=\
vlan1
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
# New connections from the WAN are forwarded only if a dst-nat rule matched.
add action=drop chain=forward comment="default configuration" \
connection-nat-state=!dstnat connection-state=new in-interface=vlan1
# Source NAT for everything leaving through the tagged WAN interface.
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=vlan1
# WebFig moved to tcp/81 (plain HTTP), HTTPS WebFig enabled, API disabled.
# NOTE(review): tcp/81 is opened on the WAN by the filter rules, so the admin
# login crosses the Internet unencrypted. www-ssl is enabled but no certificate
# is assigned in this export - confirm. Services not listed here keep whatever
# state they already had on the router.
/ip service
set www port=81
set www-ssl disabled=no
set api disabled=yes
# NOTE(review): UPnP lets LAN hosts open inbound ports without authentication,
# and allow-disable-external-interface=yes additionally lets a UPnP client
# switch the external interface off. Enable only if something needs it.
/ip upnp
set allow-disable-external-interface=yes enabled=yes
# ether5 (the link to the Livebox) is declared internal, so the Livebox side
# may request port mappings too.
/ip upnp interfaces
add interface=vlan1 type=external
add interface=ether1-gateway type=external
add interface=bridge1 type=internal
add interface=ether5-slave-local type=internal
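# VPN users, one per service, both on the MisVPN profile.
# Replace each XXXXXXXX with your own user name and a long, unique password;
# these accounts are reachable from the Internet.
# The forum-markup residue "[/color]" that had leaked into these two lines was
# removed: left in place it would be taken as part of the password on the first
# line and as a stray token on the second.
/ppp secret
add name=XXXXXXXX password=XXXXXXXX profile=MisVPN service=pptp
add name=XXXXXXXX password=XXXXXXXX profile=MisVPN service=l2tp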
/system clock
set time-zone-name=Europe/Madrid
# "set 3" addresses an existing logging rule by position, so which rule it
# changes depends on the router's current list - check before importing.
# info and error topics are written to disk. The four disabled entries
# below duplicate the two active ones.
# NOTE(review): anything scripts write with ":log info" ends up on disk through
# the topics=info rule, so scripts must not log secrets.
/system logging
set 3 action=memory
add action=disk topics=info
add action=disk topics=error
add action=disk disabled=yes topics=info
add action=disk disabled=yes topics=error
add action=disk disabled=yes topics=info
add action=disk disabled=yes topics=error
# NTP servers are hard-coded by IP address.
/system ntp client
set enabled=yes primary-ntp=129.6.15.28 secondary-ntp=129.6.15.29
# NOTE(review): release-candidate delivers pre-release builds. For an
# Internet-facing router a stable channel is the safer choice.
/system package update
set channel=release-candidate
# Schedulers for the two dynamic-DNS scripts: the dynDNS one is disabled, the
# no-ip one runs every minute from startup.
# NOTE(review): both carry a very broad policy set (reboot, password, sniff,
# sensitive, ftp ...). Trim it to what the scripts actually use, keeping it
# compatible with the policy of the script being run.
/system scheduler
add disabled=yes interval=1m name="dynDNS scheduler" on-event=\
"/system script run dynDNS\r\
\n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
start-date=dec/01/2012 start-time=22:56:55
add interval=1m name="no-ip scheduler" on-event="/system script run no-ip" \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
start-time=startup
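/system script
# dynDNS updater: fetches the public IP from checkip.dyndns.org, compares it
# with the last one seen (global previousIP) and, when it changed or
# dyndnsForce is true, calls the DynDNS update URL and logs the result.
# Replace the XXXXXXXX placeholders with your own account values.
# Changed from the original: the debug line that wrote the account password to
# the log was removed. This config also writes info-topic log entries to disk,
# so the password would have been stored in clear text on the router.
# NOTE(review): both fetches use mode=http, so the account user and password
# travel unencrypted; check whether your RouterOS version and the provider
# support an HTTPS update and prefer it. The IP parsed from the checkip page is
# likewise unauthenticated.
add name=dynDNS owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="# Set n\
eeded variables\r\
\n:local username \"XXXXXXXX\"\r\
\n:local password \"XXXXXXXX\"\r\
\n:local hostname \"XXXXXXXX.dyndns\"\r\
\n\r\
\n:global dyndnsForce\r\
\n:global previousIP \r\
\n\r\
\n# print some debug info\r\
\n:log info (\"UpdateDynDNS: username = \$username\")\r\
\n:log info (\"UpdateDynDNS: hostname = \$hostname\")\r\
\n:log info (\"UpdateDynDNS: previousIP = \$previousIP\")\r\
\n\r\
\n# get the current IP address from the internet (in case of double-nat)\r\
\n/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" dst-\
path=\"/dyndns.checkip.html\"\r\
\n:delay 1\r\
\n:local result [/file get dyndns.checkip.html contents]\r\
\n\r\
\n# parse the current IP result\r\
\n:local resultLen [:len \$result]\r\
\n:local startLoc [:find \$result \": \" -1]\r\
\n:set startLoc (\$startLoc + 2)\r\
\n:local endLoc [:find \$result \"</body>\" -1]\r\
\n:local currentIP [:pick \$result \$startLoc \$endLoc]\r\
\n:log info \"UpdateDynDNS: currentIP = \$currentIP\"\r\
\n\r\
\n# Remove the # on next line to force an update every single time - usefu\
l for debugging,\r\
\n# but you could end up getting blacklisted by DynDNS!\r\
\n\r\
\n#:set dyndnsForce true\r\
\n\r\
\n# Determine if dyndns update is needed\r\
\n# more dyndns updater request details http://www.dyndns.com/developers/s\
pecs/syntax.html\r\
\n\r\
\n:if ((\$currentIP != \$previousIP) || (\$dyndnsForce = true)) do={\r\
\n :set dyndnsForce false\r\
\n :set previousIP \$currentIP\r\
\n :log info \"\$currentIP or \$previousIP\"\r\
\n /tool fetch user=\$username password=\$password mode=http address=\"m\
embers.dyndns.org\" \\\r\
\n src-path=\"nic/update\?system=dyndns&hostname=\$hostname&myip=\$cu\
rrentIP&wildcard=no\" \\\r\
\n dst-path=\"/dyndns.txt\"\r\
\n :delay 1\r\
\n :local result [/file get dyndns.txt contents]\r\
\n :log info (\"UpdateDynDNS: Dyndns update needed\")\r\
\n :log info (\"UpdateDynDNS: Dyndns Update Result: \".\$result)\r\
\n :put (\"Dyndns Update Result: \".\$result)\r\
\n} else={\r\
\n :log info (\"UpdateDynDNS: No dyndns update needed\")\r\
\n}"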
# no-ip updater: reads the address on vlan1, strips the /prefix part and, when
# the hostname does not resolve to that address, calls the no-ip update URL.
# Replace the XXXXXXXX placeholders with your own account values.
# NOTE(review): the account user and password are sent with mode=http over the
# WAN, i.e. readable on the path; check whether your RouterOS version and the
# provider support an HTTPS update and prefer it.
# NOTE(review): the script carries the same broad policy set as the scheduler
# that runs it; trim both together.
add name=no-ip owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="#######\
#######Script Settings##################\r\
\n\r\
\n:local NOIPUser \"XXXXXXXX\"\r\
\n:local NOIPPass \"XXXXXXXX\"\r\
\n:local NOIPDomain \"XXXXXXXX.noip\"\r\
\n\r\
\n###############################################\r\
\n\r\
\n:local WANInter \"vlan1\"\r\
\n:local IpCurrent [/ip address get [find interface=\$WANInter] address];\
\r\
\n:for i from=( [:len \$IpCurrent] - 1) to=0 do={ \r\
\n :if ( [:pick \$IpCurrent \$i] = \"/\") do={ \r\
\n :local NewIP [:pick \$IpCurrent 0 \$i];\r\
\n :if ([:resolve \$NOIPDomain] != \$NewIP) do={\r\
\n /tool fetch mode=http user=\$NOIPUser password=\$NOIPPass url=\"ht\
tp://dynupdate.no-ip.com/nic/update\\3Fhostname=\$NOIPDomain&myip=\$NewIP\
\" keep-result=no\r\
\n :log info \"NO-IP Update: \$NOIPDomain - \$NewIP\"\r\
\n }\r\
\n } \r\
\n}"
# Graphing rules with default settings, each added twice.
# NOTE(review): no allow-address is set, so the default applies. The web
# service on tcp/81 is reachable from the WAN; confirm the graphs are not
# exposed through it.
/tool graphing interface
add
add
/tool graphing queue
add
add
/tool graphing resource
add
add
# MAC telnet: the default entry is disabled and the service is added only on
# the LAN-side ports. That list includes ether5, the link to the Livebox.
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
# MAC Winbox: the default entry is disabled and no interface is added here.
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
Varias cosas:
Van configuradas dos VPNs, una PPTP y otra L2TP, tendréis que sustituir las
XXXXXXXX por los users y passwords que consideréis oportunos.
También van configurados dos scripts para renovar las direcciones Noip y Dyndns de forma automática. También tendréis que sustituir las
XXXXXXXX por los users y passwords de vuestras propias cuentas.
Espero que os sirva