blougaville
newbie
Topic Author
Posts: 34
Joined: Thu Aug 18, 2011 10:39 pm

SOLVED Restrict one VAP to internet access only

Fri Jul 13, 2012 7:12 am

I have a MikroTik AP connected to my main internet router. The internet router is a DHCP server for my LAN. I have two VAPs ("public" and "private"). I'd like to be able to get an IP address from the DHCP on my main internet router from both VAPs, but I'd like to make it so my "public" VAP can only access the internet and not my LAN.

If I assign the "public" VAP interface its own IP address on a different subnet, I know how to restrict LAN access through firewall rules on the MikroTik, but then the "public" VAP will no longer find an IP address from my main router's DHCP.

Is there a way I can keep ether1, VAP1 (public), VAP2 (private) all bridged so they can all get DHCP from my main router but then restrict all VAP1 traffic to internet only?
Last edited by blougaville on Fri Jul 20, 2012 7:21 pm, edited 1 time in total.
 
cieplik206
Trainer
Posts: 290
Joined: Sun Jul 01, 2007 12:25 am

Re: Restrict one VAP to internet access only

Fri Jul 13, 2012 11:39 am

Hi

You can use either IP/Firewall for bridged interfaces, but you must enable this feature in the bridge settings.

Or.

Try to use Bridge/Filter.
 
blougaville
newbie
Topic Author
Posts: 34
Joined: Thu Aug 18, 2011 10:39 pm

Re: Restrict one VAP to internet access only

Fri Jul 13, 2012 5:02 pm

Thanks for the response!

I did try both of those things already and couldn't figure out the settings to make it work. Could you please give me a little more information on what types of rules to create?

Thank you very much!
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Restrict one VAP to internet access only

Fri Jul 13, 2012 5:31 pm

You could use VLANs if the internet router supports them.

Create 2 VLAN interfaces on the AP and 2 bridges. Assign one VLAN & 1 VAP to each bridge. Get the router to provide DHCP service to both VLANs and use either the interface or IP range to restrict access.
 
blougaville
newbie
Topic Author
Posts: 34
Joined: Thu Aug 18, 2011 10:39 pm

Re: Restrict one VAP to internet access only

Mon Jul 16, 2012 8:21 pm

The VLAN option is good to know for the future, but in my case, it would be much easier if I could restrict each MikroTik device using firewall or bridge filter rules on each device. Can anyone post more specific instructions on how this would work?
 
blougaville
newbie
Topic Author
Posts: 34
Joined: Thu Aug 18, 2011 10:39 pm

SOLVED Restrict one VAP to internet access only

Fri Jul 20, 2012 7:18 pm

I was able to get this working by following up on cieplik206's advice.

I enabled Use IP Firewall on the bridge interface.

Then, I created a firewall filter for dst. address: 192.168.1.0/24, and on advanced tab, bridge in interface: publicVAP, action: reject.

Now clients get an IP from my DHCP server on my other router if they connect to either VAP, but if they connect to the publicVAP, they can only get on the internet and not access the local network.

Thanks for your help!
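
The configuration described in the post above, written as RouterOS terminal commands. This is an added example, not something posted in the thread: the interface name `publicVAP` and the subnet come from the post, while the `forward` chain, the main router address `192.168.1.1` and the optional DNS rules are assumptions.

```routeros
# Added example, not from the thread.
# From the post: port name publicVAP, LAN subnet 192.168.1.0/24.
# Assumed: chain=forward, main router at 192.168.1.1.

# "Use IP Firewall" in the bridge settings: without this, bridged
# frames never reach the IP firewall and the rules below match nothing.
/interface bridge settings set use-ip-firewall=yes

/ip firewall filter

# Optional, and only needed if DHCP hands out the main router as the
# DNS resolver (assumed address). These must sit above the reject rule,
# because rules are evaluated top to bottom and the first match wins.
add chain=forward in-bridge-port=publicVAP dst-address=192.168.1.1 \
    protocol=udp dst-port=53 action=accept \
    comment="public VAP: DNS to main router"
add chain=forward in-bridge-port=publicVAP dst-address=192.168.1.1 \
    protocol=tcp dst-port=53 action=accept \
    comment="public VAP: DNS to main router"

# The rule from the post: anything entering the bridge through the
# public VAP with a LAN destination address is rejected.
# Internet-bound packets carry an external destination IP, so they
# still pass to the gateway. DHCP discovery is sent to the broadcast
# address 255.255.255.255, which is outside 192.168.1.0/24 and is
# therefore not matched.
add chain=forward in-bridge-port=publicVAP dst-address=192.168.1.0/24 \
    action=reject comment="public VAP: no LAN access"
```

The `forward` chain only covers traffic passing through the AP; packets addressed to the AP's own IP are handled in the `input` chain, so management access from the public VAP needs its own rule there.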
