Out of the box configuration as a router where ether1 is the uplink with DHCP address and ether2-5 & Wi-Fi ports form a switch on the bridge with a DHCP server in 192.168.81.x
Virtual guest Wi-Fi added as a slave of the master 2G Wi-Fi interface
Second guest bridge added with IP 10.10.10.1/24, guest dhcp-server added in same subnet and guest Wi-Fi port added to guest bridge
This works fine - devices connecting to the guest network are on their own network (10.10.10.x) and routing to the internet is okay.
But in this particular instance, the hAP lite is not running as a router with firewall and NAT. Instead it’s configured as an access point with switched ports. To achieve this, this is the basic config I do:
System/Reset Configuration: Reset router with no default configuration
Add new bridge and add port for each ethernet & wireless interface
Configure Wi-Fi as required
So there is no firewall or DHCP server. It’s a switch with Wi-Fi access point. DHCP is handled by an upstream server elsewhere.
If I go through the same process of adding a second bridge with virtual Wi-Fi guest network, own subnet and DHCP server as described above, devices can connect to the guest network but it reports “No internet”, i.e. it’s not able to route to the internet.
This is beyond my understanding of networking. I suspect it’s something to do with routing…
You first need to decide what should handle guest network:
a) Upstream router. In that case just set vlan-mode=use-tag vlan-id= for the virtual AP interface, add it to the common bridge, and that's all you need to do on this router. The rest will be handled by the upstream router, which will need an interface to access VLAN , add a DHCP server to it, handle routing and everything.
b) This router. If guests should have only one virtual AP, a bridge is not needed and you can work with the virtual wifi interface directly. But if you keep the bridge, it's ok too. Config seems ok, but you need correct routing. Either the upstream router must have a route to 10.10.10.0/24, where the gateway is this router (whatever IP address it gets from DHCP on ether1). Or you need to hide this subnet using srcnat/masquerade. You'll also need to configure the firewall to prevent guests from accessing the private network.
I like a), because it allows keeping the AP as a simple transparent device. But it depends on the upstream router, if it can be configured for it.
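Option b) written out as RouterOS commands, as an added example that is not Sob's or the OP's configuration: the guest subnet stays hidden behind masquerade and the forward/input rules stop guests from reaching the private LAN or managing the AP. The interface names bridge (the main bridge that gets its address from the upstream DHCP), bridge-guest and wlan-guest, and the LAN subnet 192.168.81.0/24 in the address list, are assumptions for this thread's setup.

```routeros
# Guest bridge with its own subnet and DHCP server (assumed names)
/interface bridge add name=bridge-guest
/interface bridge port add bridge=bridge-guest interface=wlan-guest
/ip address add address=10.10.10.1/24 interface=bridge-guest
/ip pool add name=pool-guest ranges=10.10.10.10-10.10.10.254
/ip dhcp-server add name=dhcp-guest interface=bridge-guest address-pool=pool-guest disabled=no
/ip dhcp-server network add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1
/ip dns set allow-remote-requests=yes

# Private LAN that guests must not reach (assumed: the upstream router's subnet)
/ip firewall address-list add list=private-lan address=192.168.81.0/24

# Hide 10.10.10.0/24 behind the address this AP got on the main bridge,
# so the upstream router never sees guest source addresses
/ip firewall nat add chain=srcnat src-address=10.10.10.0/24 out-interface=bridge action=masquerade

# Routed guest traffic: block LAN, allow everything else (internet)
/ip firewall filter add chain=forward in-interface=bridge-guest dst-address-list=private-lan action=drop comment="guest -> LAN blocked"
/ip firewall filter add chain=forward in-interface=bridge-guest action=accept comment="guest -> internet"

# Traffic to the AP itself: only DHCP and DNS from guests, no management access
/ip firewall filter add chain=input in-interface=bridge-guest protocol=udp dst-port=53,67 action=accept
/ip firewall filter add chain=input in-interface=bridge-guest protocol=tcp dst-port=53 action=accept
/ip firewall filter add chain=input in-interface=bridge-guest action=drop comment="no router management from guest"
```

Check the drop rules are actually being hit from a guest client with `/ip firewall filter print stats`; if the private LAN uses a different subnet, adjust the address-list entry rather than the rules.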
Thanks Sob - very useful. Your first comment rings true as whilst my detailed knowledge of all things routing and switching is certainly full of holes, I get the general idea and as a programmer, I can just about grasp how it all works. So yes, it dawned on me too that the upstream router has no idea what to do with the 10.10.10.x packets. At the moment, the upstream router is an ISP-supplied device which probably can't handle this requirement. However, we're about to replace it with a RouterOS device so option (a) will become available.
But (b) is also an option as there is only one AP. I knew it would be something to do with routing and yes, I get what you’re saying about srcnat/masquerade. Need routing functionality between the guest network 10.10.10.0 and the internet.
The phrase "all the gear, no idea" is very true here but I'll get there.