I am challenged to create a setup where I use two hAP ax3 to cover the building with wireless lan for both internal devices (intranet) as well as the occasional guest (guest) who is isolated from the intranet and other devices but has access to the internet.
In my setup, I am using an ISP-provided FritzBox as router to get internet from the ISP; it also runs the DHCP server and is where my firewall is configured.
I have two hAP ax3 simply set up as access points with a bridge and its static IP for management purposes (no default config). This works fine for internal devices, but I am struggling to add guest wireless to the network.
How do I add virtual APs for both 2.5 and 5 GHz frequencies on each hAP that are isolated from the network but have access to the internet? My router’s DHCP server provides IPs in the 192.168.100.x subnet.
If the Fritzbox cannot handle those, foresee a separate DHCP server and pool on each of the AX devices for the guest interfaces (which will be slaves to the main interfaces) and use firewall rules to allow only traffic to the Fritzbox gateway, nothing to the local LAN.
It shows you how to set up a wireless access point with different VLANs for different WiFi SSIDs. Download the script “AccessPoint.rsc” and you can study that. Then open up Winbox on your ax3 and try to mimic the same things. The things from the script may not line up exactly with the settings in the ax3, particularly the wifi radio related things, but they will be close. This is how I set up my hAP ac.
Here is where I am struggling. I’ve read through the VLAN tutorial (thanks for the reference) but the fritzbox doesn’t handle them at all. So instead, I went the route of setting up a separate DHCP server and pool on the AX devices for the guest interfaces. When I connect to them now, my client device gets a proper address assignment from the pool, and the gateway as well as DNS point to the AX device as well (pool I’ve assigned to the bridge).
Now my problem is how to get my devices to go over the trunk port to reach the internet. In my mind, I am thinking we are missing a static route. Looking at the table, the DHCP setup created a route for all IPs in the pool with the bridge as gateway. What am I missing here?
Now I am one step further into this whole dilemma. I’ve added a NAT rule to the AX devices (srcnat from https://help.mikrotik.com/docs/display/ROS/NAT to translate the source network address) which allows me to access my management LAN (I call this Intranet). I am unable to access the internet though; I thought the issue was my DNS configuration in the DHCP server, but even using the actual IP I am unable to access the internet. Feels like I am getting stuck at the fritzbox now, not sure why.
Thanks for the link. This solved my problem. I needed to correct the DNS assignment I had made on the subnet to match my intranet and voila. Got internet on the guest devices and will now add a firewall rule to prevent them from accessing my intranet.
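For readers following the same path (separate guest pool on the AP, srcnat towards the FritzBox, then a filter that keeps guests off the intranet), here is an added RouterOS 7 configuration example pulling the pieces of this thread together; it is not the poster's config and not from the MikroTik docs. It assumes the AP's existing management bridge is named `bridge`, the radios are `wifi1`/`wifi2` (wifi package), the FritzBox is 192.168.100.1 and 192.168.200.0/24 is a free subnet for guests.

```routeros
# Added example (not from the thread): guest SSIDs on a hAP ax3 with a
# separate guest bridge/subnet, NAT towards the management LAN and a
# filter that blocks guest -> intranet traffic. Assumed names/addresses:
# bridge, wifi1, wifi2, 192.168.100.1 (FritzBox), 192.168.200.0/24 (guest)

# 1. Virtual APs, one per radio, slaved to the existing master interfaces
/interface/wifi
add master-interface=wifi1 name=wifi1-guest configuration.ssid="Guest" \
    security.authentication-types=wpa2-psk \
    security.passphrase="CHANGE-ME-guest-passphrase" \
    datapath.client-isolation=yes disabled=no
add master-interface=wifi2 name=wifi2-guest configuration.ssid="Guest" \
    security.authentication-types=wpa2-psk \
    security.passphrase="CHANGE-ME-guest-passphrase" \
    datapath.client-isolation=yes disabled=no

# 2. Guest bridge holding only the guest virtual APs (no ethernet ports)
/interface/bridge add name=bridge-guest
/interface/bridge/port
add bridge=bridge-guest interface=wifi1-guest
add bridge=bridge-guest interface=wifi2-guest

# 3. Guest subnet: the AP is the gateway, DNS is handed out as the FritzBox
/ip/address add address=192.168.200.1/24 interface=bridge-guest
/ip/pool add name=pool-guest ranges=192.168.200.10-192.168.200.250
/ip/dhcp-server add name=dhcp-guest interface=bridge-guest \
    address-pool=pool-guest disabled=no
/ip/dhcp-server/network add address=192.168.200.0/24 \
    gateway=192.168.200.1 dns-server=192.168.100.1

# 4. Hide the guest subnet behind the AP's management address, so the
#    FritzBox needs no route back to 192.168.200.0/24
/ip/firewall/nat add chain=srcnat src-address=192.168.200.0/24 \
    out-interface=bridge action=masquerade comment="guest -> internet"

# 5. Isolation: guests reach the AP only for DHCP and the intranet only
#    for DNS on the FritzBox; everything else towards the LAN is dropped
/ip/firewall/filter
add chain=input in-interface=bridge-guest protocol=udp dst-port=67 \
    action=accept comment="guest DHCP"
add chain=input in-interface=bridge-guest action=drop \
    comment="no guest access to the AP itself"
add chain=forward in-interface=bridge-guest dst-address=192.168.100.1 \
    protocol=udp dst-port=53 action=accept comment="guest DNS via FritzBox"
add chain=forward in-interface=bridge-guest \
    dst-address=192.168.100.0/24 action=drop \
    comment="no guest access to the intranet"
```

With no default configuration there are no pre-existing filter rules, so the order above is the order the rules are evaluated in; the DNS accept has to sit before the intranet drop or guests lose name resolution.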