Kindly note that I have configured a WiFi hotspot for my company through MikroTik RouterOS v5, license level 6.
The server has two NICs:
1 - WAN
2 - HOTSPOT
All our access points are connected through a switch, and this switch's uplink goes to the HOTSPOT NIC.
The WAN subnet is 10.51.0.0/16, which is our internal subnet.
HOTSPOT is 10.10.10.0/24, which is the hotspot subnet.
RADIUS is enabled against an IAS server, which enables users to authenticate through our domain controller.
Currently I have two types of users:
1 - Company users.
2 - Guest users.
My requirements are:
1 - Guest users need to have access to the internet only, without access to any of the network resources,
and company users (RADIUS authenticated) need to have access to 10.51.0.0/16 resources.
2 - I need the DHCP server to have two DHCP pools and to release IPs depending on criteria.
Example: I have a list of 200 laptop MAC addresses; I want them, once they connect, to get a different subnet,
and guests (unknown MACs) to connect to a different subnet.
If you want to have people separated like that, you are going to need two separate routed interfaces with two separate layer 2 networks.
This requirement here in particular requires two different subnets:
1 - Guest users need to have access to the internet only, without access to any of the network resources,
and company users (RADIUS authenticated) need to have access to 10.51.0.0/16 resources.
The hotspot functionality is designed for people without any configuration to come in and be able to get online, while requiring them to sign into the network first. It is not designed to secure a layer 2 network at that level, and it cannot do so.
Now there are a couple of ways of going about it. The most traditional and best way would be to have two SSIDs on the access points, one secured and encrypted, and each SSID would have a different VLAN to keep them logically separated. Then on the switches you would have the same two VLANs, one that will have hosts and access on the 10.51.0.0/16 subnet and another that would just have access to the LAN port of the router. The MikroTik would then have two VLAN interfaces assigned to it with different subnets, and services running like DHCP, hotspot, etc.
If your access points/switches do not support VLANs or the ability to do this, then you are kind of stuck. If you have MikroTik access points, you could potentially have two tunnels built between the access points and the head router, and bridge the two SSIDs to those. Or use a bridge firewall with an address list assigned via a RADIUS profile to filter access to certain hosts/resources.
It all comes down to this: you need to make some design decisions and see what your hardware is capable of before anyone can be of much help and give you specifics on how to do this.
You cannot do what you want to with just the hotspot functionality and one layer 2 network. TCP/IP does not work like that; no router can do what you are asking of it in your current situation. In order to control what a client can see on any layer 2 network, you need to control their connection from the edge of the network all the way to the layer 3 hop. This means switches and access points that the guests connect to must support your networking goals with things like VLANs or port/client isolation. A MikroTik, just like any other router/firewall, can only control traffic that goes over it; in a layer 2 network, hosts on the same subnet do not need to use a router to communicate with each other directly, therefore they don't.
If you wanted to do something with PPPoE instead, then you will likely be able to get closer to what you want by using one subnet, though in that case I would still recommend having your IP pool in a different subnet from your equipment and servers to make firewalling easier. But then you lose the ease of a hotspot setup and of not needing to have each client specifically configure a connection. You also have nothing to prevent a guest user from scanning the network, seeing that you have servers on a certain subnet, and changing their static settings accordingly to try to access your hardware directly.
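As an added example (not from the original reply), a RouterOS configuration sketch of the two-VLAN design described above. Assumptions: ether1 is the WAN NIC, ether2 is the HOTSPOT NIC reconfigured as an 802.1Q trunk to the switch, VLAN 10 carries the guest SSID, VLAN 51 the company SSID, and company clients get a constructed subnet 10.20.20.0/24; the guest side keeps the existing 10.10.10.0/24 hotspot subnet.

```routeros
# Added example, not from the original reply. Assumed names: ether1 = WAN NIC,
# ether2 = HOTSPOT NIC used as trunk, VLAN 10 = guest SSID, VLAN 51 = company SSID,
# 10.20.20.0/24 = constructed company subnet. Guests keep 10.10.10.0/24.

# Two VLAN interfaces on the trunk port: one layer 2 network per user class
/interface vlan
add name=vlan-guest   vlan-id=10 interface=ether2
add name=vlan-company vlan-id=51 interface=ether2

# Each VLAN gets its own routed subnet on the MikroTik
/ip address
add address=10.10.10.1/24 interface=vlan-guest
add address=10.20.20.1/24 interface=vlan-company

# One DHCP pool and server per VLAN: the VLAN, not a MAC list, decides the subnet
/ip pool
add name=pool-guest   ranges=10.10.10.10-10.10.10.250
add name=pool-company ranges=10.20.20.10-10.20.20.250
/ip dhcp-server
add name=dhcp-guest   interface=vlan-guest   address-pool=pool-guest   disabled=no
add name=dhcp-company interface=vlan-company address-pool=pool-company disabled=no
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1
add address=10.20.20.0/24 gateway=10.20.20.1 dns-server=10.20.20.1

# Captive portal (with the existing RADIUS login) only on the guest VLAN
/ip hotspot
add name=hs-guest interface=vlan-guest address-pool=pool-guest profile=default

# Forward chain: guests reach the internet only, never the 10.51.0.0/16 resources.
# The drop rule must sit above the accept rules; RouterOS evaluates top to bottom.
/ip firewall filter
add chain=forward in-interface=vlan-guest dst-address=10.51.0.0/16 action=drop \
    comment="guest VLAN: block internal resources"
add chain=forward in-interface=vlan-guest out-interface=ether1 action=accept \
    comment="guest VLAN: internet only"
add chain=forward in-interface=vlan-company action=accept \
    comment="company VLAN: internal resources and internet"
```

The filter only governs traffic that crosses the router; isolation between guest and company hosts comes from the two VLANs on the switch and access points, exactly as the reply explains.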
An additional point is that your WiFi traffic is not encrypted in this way. You can solve this with Kerberos. But when you connect with a non-Kerberos connection, your wireless traffic is easily sniffed and in the open.