2 VAPs with different subnets and no visibility between them

Hi everyone,

I’ve recently purchased a RB951G-2HnD as I need to create 2 different networks in my house, each of them accessible by a different SSID and with no visibility between them, although they will share the internet connection. One of the networks will also be accessible by ethernet.

I don’t know RouterOS at all and messing with WinBox I’ve managed to create 2 different Virtual APs, each of them with different subnets and 2 different DHCP servers (each with its own pool).

So far I don’t know how to make the second DHCP server work, as the first one is attached to the eth-bridge and I think it is serving all the interfaces.

How can I separate these 2 networks? Using VLANs?

I appreciate your help.
Thanks!

Hi,

firstly you must understand that each VAP (Virtual AP) is a separate interface.

So if you use a bridge and assign both VAPs to the same bridge, then you cannot have separate DHCP servers…

I would do this in the following way:

  1. Create a bridge - Bridge-Local
  2. Add ports to Bridge Local (LAN interfaces and VAP1)
  3. Create a second Virtual AP (VAP2)
  4. Create DHCP_LAN server and assign interface Bridge-local (configure it as you wish)
  5. Create second DHCP Server and assign interface wlan2 (VAP2) and configure it as you wish (different subnet)

Now you have separate networks, but because RoS is a router it will route between them, so you have to use IP - Firewall - Filter and add rules to prohibit (DROP) packets from subnet A to subnet B.
Example of Firewall Filter

/ip firewall filter
add action=drop chain=forward comment="Drop Everything from Hotspot to localnet" disabled=no dst-address=192.168.0.0/16 \
    src-address=10.5.50.0/24

Don't forget to change the above filter rule to your network, and if you don't want access from localnet to hotspot, add an additional rule.


That's it.
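The procedure above, written out as a complete RouterOS CLI configuration. This is an added example, not the poster's or MikroTik's own configuration: interface names (ether1 as WAN, ether2-ether5 as LAN, wlan1 as the master AP, wlan2 as the VAP), the 192.168.88.0/24 and 10.5.50.0/24 subnets, the SSIDs and the security-profile name are all assumptions and must be adapted to your device. The isolation rules match traffic by interface rather than by address, so they also hold when a client sets a static IP from the other subnet.

```routeros
# Added example (not from the original post). Assumed names: ether1 = WAN,
# ether2-ether5 = wired LAN, wlan1 = main AP, wlan2 = virtual AP.

# 1. Local bridge for the wired ports and the main AP (VAP1 = wlan1 here)
/interface bridge
add name=bridge-local

/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=wlan1

# 2. Second Virtual AP (VAP2) on the same radio; wlan2 stays OUT of the bridge,
#    so it is its own L3 interface with its own subnet.
#    'guest-profile' is an assumed security profile; create it under
#    /interface wireless security-profiles with your own WPA2 passphrase.
/interface wireless
add name=wlan2 master-interface=wlan1 ssid=GuestNet \
    security-profile=guest-profile disabled=no

# 3. One gateway address per network
/ip address
add address=192.168.88.1/24 interface=bridge-local
add address=10.5.50.1/24 interface=wlan2

# 4. Separate pools and DHCP servers, each bound to one interface
/ip pool
add name=pool-lan ranges=192.168.88.10-192.168.88.254
add name=pool-guest ranges=10.5.50.10-10.5.50.254

/ip dhcp-server
add name=dhcp-lan interface=bridge-local address-pool=pool-lan disabled=no
add name=dhcp-guest interface=wlan2 address-pool=pool-guest disabled=no

/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
add address=10.5.50.0/24 gateway=10.5.50.1 dns-server=10.5.50.1

# 5. Block routing between the two networks in both directions.
#    Matching on in-interface/out-interface (instead of src-/dst-address)
#    means a client that hand-configures an IP from the other subnet is
#    still dropped, because the rule keys on where the packet came in.
/ip firewall filter
add chain=forward in-interface=wlan2 out-interface=bridge-local \
    action=drop comment="Guest WLAN -> LAN: drop"
add chain=forward in-interface=bridge-local out-interface=wlan2 \
    action=drop comment="LAN -> Guest WLAN: drop"

# 6. Shared internet access: NAT both subnets out of the WAN port.
#    (The RB951G default configuration already has an equivalent rule;
#    keep only one.)
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
```

Place the two drop rules above any generic "accept established/related" or "accept forward" rules you may have, since filter rules are evaluated top to bottom and the first match wins. You can verify the separation with `/ip firewall filter print stats` while pinging from one network to the other: the drop counters should increase and the ping should fail.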

Thanks a lot! I’ll try that as soon as I get home

It works like a charm! This device is so amazing!

One more question:

I assume that if a user decides to use a static IP instead of the DHCP I provide, he will bypass this firewall rule, as he will be inside the other subnet (the forbidden one).

Can I make a subnet the only one ‘valid’ for a specific WLAN?

Thanks in advance!

I have a somewhat different issue… :) I did all this, and everything works like a charm, but I didn’t add the firewall rule. However, in spite of the missing rule, traffic doesn’t go between the Virtual AP and the main AP?