diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
index b8a2cf1..9afbd25 100644
--- a/ansible/ansible.cfg
+++ b/ansible/ansible.cfg
@@ -1,5 +1,6 @@
 [defaults]
 inventory = inventory/hosts.yml
+roles_path = roles
 host_key_checking = False
 retry_files_enabled = False
 result_format = yaml
diff --git a/ansible/playbooks/routeros.yml b/ansible/playbooks/routeros.yml
index 5a9075d..8d577c0 100644
--- a/ansible/playbooks/routeros.yml
+++ b/ansible/playbooks/routeros.yml
@@ -4,9 +4,6 @@
   gather_facts: false
   connection: local
 
-  vars_files:
-    - ../vars/routeros-secrets.yml
-
   pre_tasks:
     - name: Load router secrets from OpenBao
       ansible.builtin.set_fact:
@@ -63,30 +60,5 @@
       force_no_cert: true
       encoding: UTF-8
 
-  tasks:
-    - name: Preflight checks
-      ansible.builtin.import_tasks: ../tasks/preflight.yml
-
-    - name: Base network configuration
-      ansible.builtin.import_tasks: ../tasks/base.yml
-
-    - name: WAN and tunnel interfaces
-      ansible.builtin.import_tasks: ../tasks/wan.yml
-
-    - name: Hardware and platform tuning
-      ansible.builtin.import_tasks: ../tasks/hardware.yml
-
-    - name: RouterOS container configuration
-      ansible.builtin.import_tasks: ../tasks/containers.yml
-
-    - name: Addressing configuration
-      ansible.builtin.import_tasks: ../tasks/addressing.yml
-
-    - name: Firewall configuration
-      ansible.builtin.import_tasks: ../tasks/firewall.yml
-
-    - name: Routing configuration
-      ansible.builtin.import_tasks: ../tasks/routing.yml
-
-    - name: System configuration
-      ansible.builtin.import_tasks: ../tasks/system.yml
+  roles:
+    - role: routeros
diff --git a/ansible/tasks/addressing.yml b/ansible/roles/routeros/tasks/addressing.yml
similarity index 100%
rename from ansible/tasks/addressing.yml
rename to ansible/roles/routeros/tasks/addressing.yml
diff --git a/ansible/tasks/base.yml b/ansible/roles/routeros/tasks/base.yml
similarity index 97%
rename from ansible/tasks/base.yml
rename to ansible/roles/routeros/tasks/base.yml
index 7fdfa71..32013ff 100644
--- a/ansible/tasks/base.yml
+++ b/ansible/roles/routeros/tasks/base.yml
@@ -67,6 +67,9 @@
       - bridge: bridge1
         interface: ether2
         pvid: 2
+      - bridge: bridge1
+        interface: ether3
+        comment: OpenWrt AP (dlink)
       - bridge: bridge1
         interface: ether8
         pvid: 4
@@ -89,7 +92,7 @@
     path: interface bridge vlan
     data:
       - bridge: bridge1
-        tagged: sfp-sfpplus2
+        tagged: sfp-sfpplus2,ether3
         untagged: ether1,ether2,ether9
         vlan-ids: 2
       - bridge: bridge1
diff --git a/ansible/tasks/containers.yml b/ansible/roles/routeros/tasks/containers.yml
similarity index 100%
rename from ansible/tasks/containers.yml
rename to ansible/roles/routeros/tasks/containers.yml
diff --git a/ansible/tasks/firewall.yml b/ansible/roles/routeros/tasks/firewall.yml
similarity index 100%
rename from ansible/tasks/firewall.yml
rename to ansible/roles/routeros/tasks/firewall.yml
diff --git a/ansible/tasks/hardware.yml b/ansible/roles/routeros/tasks/hardware.yml
similarity index 97%
rename from ansible/tasks/hardware.yml
rename to ansible/roles/routeros/tasks/hardware.yml
index bb9f89a..788f66a 100644
--- a/ansible/tasks/hardware.yml
+++ b/ansible/roles/routeros/tasks/hardware.yml
@@ -13,6 +13,9 @@
     - default_name: ether2
       config:
         comment: Wifi środek
+    - default_name: ether3
+      config:
+        comment: OpenWrt AP (dlink)
     - default_name: ether8
       config:
         comment: Serwer
diff --git a/ansible/roles/routeros/tasks/main.yml b/ansible/roles/routeros/tasks/main.yml
new file mode 100644
index 0000000..7505254
--- /dev/null
+++ b/ansible/roles/routeros/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- name: Preflight checks
+  ansible.builtin.import_tasks: preflight.yml
+
+- name: Base network configuration
+  ansible.builtin.import_tasks: base.yml
+
+- name: WAN and tunnel interfaces
+  ansible.builtin.import_tasks: wan.yml
+
+- name: Hardware and platform tuning
+  ansible.builtin.import_tasks: hardware.yml
+
+- name: RouterOS container configuration
+  ansible.builtin.import_tasks: containers.yml
+
+- name: Addressing configuration
+  ansible.builtin.import_tasks: addressing.yml
+
+- name: Firewall configuration
+  ansible.builtin.import_tasks: firewall.yml
+
+- name: Routing configuration
+  ansible.builtin.import_tasks: routing.yml
+
+- name: System configuration
+  ansible.builtin.import_tasks: system.yml
diff --git a/ansible/tasks/preflight.yml b/ansible/roles/routeros/tasks/preflight.yml
similarity index 100%
rename from ansible/tasks/preflight.yml
rename to ansible/roles/routeros/tasks/preflight.yml
diff --git a/ansible/tasks/routing.yml b/ansible/roles/routeros/tasks/routing.yml
similarity index 100%
rename from ansible/tasks/routing.yml
rename to ansible/roles/routeros/tasks/routing.yml
diff --git a/ansible/tasks/system.yml b/ansible/roles/routeros/tasks/system.yml
similarity index 100%
rename from ansible/tasks/system.yml
rename to ansible/roles/routeros/tasks/system.yml
diff --git a/ansible/tasks/wan.yml b/ansible/roles/routeros/tasks/wan.yml
similarity index 100%
rename from ansible/tasks/wan.yml
rename to ansible/roles/routeros/tasks/wan.yml
diff --git a/ansible/vars/routeros-secrets.yml b/ansible/roles/routeros/vars/main.yml
similarity index 100%
rename from ansible/vars/routeros-secrets.yml
rename to ansible/roles/routeros/vars/main.yml