Assignment of one client to 5GHz and other client to 2.4 GHz

I have been using the cAP ac (3 units) in my home since the beginning of 2019.
Now I want to add IoT and am therefore setting up a completely new setup.
I would like to put the setup together step by step. The cAP ac is only running for test purposes, and therefore everything is without passwords.

Firmware is: 6.49.12
eth1 is connected to our firewall UTM and it is used to access the Internet.

I got large parts of the setup from another thread in which @anav had given me a lot of helpful tips.

Now, for example, I want to bind the smartphones permanently to wifi2 with 5GHz, but an older tablet permanently to wifi1 with 2.4GHz.
wifi3 + wifi4 are for our children’s guests.
How do I solve this?

# jan/30/2024 17:29:34 by RouterOS 6.49.12
# software id = **ELIDED**
#
# model = RBcAPGi-5acD2nD
# serial number = ***
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] disabled=no mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
/interface list
add comment=*****UTM***** name=WAN
add comment=*****WiFi***** name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add name=profile supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=**ELIDED** master-interface=wlan2 name=\
    wlan3 security-profile=profile ssid="MikroTik's Guests"
add disabled=no mac-address= **ELIDED** master-interface=wlan1 name=\
    wlan4 security-profile=profile ssid="MikroTik's Guests"
/ip pool
add name=dhcp ranges=172.16.99.0/24
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/interface bridge filter
add action=drop chain=forward in-interface=wlan3
add action=drop chain=forward out-interface=wlan3
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan3
add bridge=bridge1 interface=wlan4
/interface list member
add comment=*****UTM***** interface=ether1 list=WAN
add comment=*****WiFi***** interface=bridge1 list=LAN
/ip address
add address=192.168.2.15/24 interface=ether1 network=192.168.2.0
add address=172.16.99.1/24 interface=bridge1 network=172.16.99.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=172.16.99.0/24 dns-server=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
    gateway=172.16.99.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="allow admin access with winbox/www" \
    in-interface-list=WAN src-address=192.168.2.50
add action=accept chain=input comment="defconf: accept DNS" dst-port=53 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=\
    "*************allow internet traffic*********" in-interface-list=LAN \
    out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=drop chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=192.168.2.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.2.0/24
set api disabled=yes
set winbox address=192.168.2.0/24
set api-ssl disabled=yes
/ip ssh
set host-key-size=4096 strong-crypto=yes
/system clock
set time-zone-name=Europe/Berlin
/system logging
add action=echo topics=dns
add action=echo topics=wireless
add action=echo topics=dhcp
add action=echo topics=bridge
add topics=hotspot
add action=echo topics=interface
add action=echo topics=firewall
add action=echo topics=dns
add action=echo topics=wireless
add action=echo topics=dhcp
add action=echo topics=bridge
add topics=hotspot
add action=echo topics=interface
add action=echo topics=firewall
/system ntp client
set enabled=yes primary-ntp=192.168.2.1
/system routerboard settings
set auto-upgrade=yes
/system scheduler
add interval=1d name="Auto-Backup per eMail" on-event="/system backup save nam\
    e=email; \r\
    \n/tool e-mail send to=\"xxx@xyz.de\" subject=([/system\
    \_identity get name] . \"-auto-backup\") file=email.backup body=\"automati\
    sch erstelltes Backup\"; \r\
    \n:log info \"Backup e-mail sent.\";" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=nov/06/2019 start-time=00:00:00
add interval=1d name="Auto Update Firmware" on-event="/system package update\r\
    \ncheck-for-updates once\r\
    \n:delay 3s;\r\
    \n:if ( [get status] = \"New version is available\") do={\r\
    \n install ;\r\
    \n/tool e-mail send to=\"xxx@xyzr.de\" subject=([/system\
    \_identity get name] . \"-neues Update installiert\") body=\"Update vorhan\
    den und installiert\"; \r\
    \n:log info \"Update verfuegbar\"\r\
    \n:delay 30s;\r\
    \n/system reboot\r\
    \n};\r\
    \n:log info \"kein Update verfuegbar\";" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=nov/06/2019 start-time=03:00:00
add interval=1d name="Auto Update Routerboard" on-event=":global Var1\r\
    \n:global Var2\r\
    \n:set Var1 \"\$[/system package get system version]\"\r\
    \n:set Var2 \"\$[/system routerboard get current-firmware]\"\r\
    \n:if (\$Var1>\$Var2) do={system routerboard upgrade;\r\
    \n/tool e-mail send to=\"xxx@xyzr.de\" subject=([/system\
    \_identity get name] . \"-neues Routerboard-Update installiert\") body=\"R\
    outerboard-Update installiert durch Reboot\";\r\
    \n:log info \"Routerboard-Update installiert\"\r\
    \n/system reboot\r\
    \n};\r\
    \n\r\
    \n" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/15/2020 start-time=03:05:00
/system watchdog
set auto-send-supout=yes send-email-to=xxx@xyz.de
/tool e-mail
set address=server.com from=yyy@xyzr.de password= **ELIDED** port=587 start-tls=yes user=xxx
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

The easiest way is to set different SSIDs to both wireless interfaces (you may keep same PSK for both, but you can set them different as well). Then configure stations to connect to whichever you want them to … and make sure they don’t “remember” the other SSID so that they don’t connect to the other one if they get disconnected from the preferred one.

If separation on the wired part of your LAN is not your goal, then you just keep the rest of the config as is now. If OTOH you’d like to separate both wireless networks and control communication of one subset of devices, then you’d have to redesign your whole LAN.

Many thx for your quick answer.


Different SSIDs are a way, but I can’t go this way because, e.g., I want to connect with my smartphone at 5GHz to one IoT device at 2.4 GHz, and this is not possible with two different SSIDs.
I think, but I don’t know. :confused:

I had read this thread in the last minutes: http://forum.mikrotik.com/t/band-steering-priority-to-5ghz/151993/1
and have learnt it’s not possible at the moment. The devices make the decision.

I’m not sure that I translated your comment correctly, sorry.
The wired devices at 192.168.2.0/24 have no “contact” with the wireless devices connected to the cAPs at 172.16.99.0/24.

What is OTOH? Maybe IoT?
If so, yes, I want to isolate all IoT in a separate subnet; that’s my next step. And only connections from my smartphone at 172.16.99.0/24 are allowed to the IoT at the new subnet.
But at the moment I don’t know how to do this.
Any hints for me please?

You can google for abbreviations you don’t know. OTOH means “on the other hand”.

If you want to connect to IoT devices using your wireless gadget, then these two don’t have to be connected to the same SSID. It’s all about network layout, and there are many ways to skin the sheep. Which way is most optimal is up to (high level) requirements, and we don’t know your requirements, so we can’t help you yet.

I want to connect to the IoT by IP in a separate subnet and not by BT, MQTT or something else.
In my configuration the guests are in the same subnet but “separated” by bridge port filtering:
/interface bridge filter
add action=drop chain=forward in-interface=wlan3
add action=drop chain=forward out-interface=wlan3
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4

I want to build a new subnet 172.16.60.0/24 now, only for a new 2.4GHz wifi interface. No WAN for this subnet, unless I allow it for a firmware update.
But I need “contact” from 172.16.99.0/24 to 172.16.60.0/24 to switch the light on/off. Not more.

Can you show me the way? Thx.

The first thing to find out is whether IoT communications can pass over a router. There are two aspects:

  1. Can you manually set the IP address of the IoT controller (or individual devices, whatever applies to your IoT swarm) in the smartphone app? Or does it insist on auto-discovery instead? Auto-discovery generally doesn’t work across a router (unless the router runs some helper application).
  2. Are the IoT devices able to use the gateway for communication outside their own subnet? Quite likely they can (at least to update their software and to connect to the producer’s cloud), but it’s not certain.

If the answer to both questions is yes, then you could set up the 2.4GHz radio as a separate subnet (with separate addressing, DHCP server, whatnot) and the 5GHz radio as a member of the usual LAN (so essentially adding the 5GHz wifi interface as a port to the LAN bridge). After that it’s up to routing/firewall to control what kind of communication can pass in each of the 6 directions (IoT->LAN, IoT->internet, LAN->IoT, LAN->internet, internet->IoT, internet->LAN).

The problem you’re facing is that you have 3 2.4GHz radios and you want to make them members of the same subnet. And that’s where VLANs come into play. Only the central router (UTM) will control traffic between the 3 networks (internet, LAN and IoT), so you’ll set up the rules centrally.

If you don’t know much about VLANs, then I suggest you search around the internet and learn about the concepts of VLANs. After you get a good idea about VLANs, go through a tutorial about VLANs in RouterOS to implement them. Beware that your LAN will almost certainly be inoperable for a while (in part or the whole of it) when you reconfigure devices into VLANs.

I can already see that my new configuration is not coherent. In my old config, I have two different address pools for two different wifi networks.
With the new one, I am unable to create a functioning second DHCP pool.

I think I have to go back to the beginning.

I would consider holding off on bridge filters as they are normally not required.
Do read the link provided for vlans above.
Create vlans for every unique subnet you wish to build.
Firewall rules will keep them isolated from each other.
If you want to access an IOT device you have two options off the bat.

  • join the same SSID with your smartphone and you are in the same subnet
  • create a firewall rule or rules such that a list of source IPs (your phone and/or PC on trusted subnets) can access a list of IOT devices.
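The layout sketched in the two replies above (a separate subnet for the 2.4 GHz radio, the 5 GHz radio left in the existing LAN, and a firewall rule letting only listed trusted addresses reach the IoT devices) can be expressed against the export posted earlier in this thread. The following is an added example written for this thread, not configuration from any poster or from MikroTik's documentation. It keeps the cAP in the routed role the export uses (the cAP NATs its wifi clients to the UTM on ether1) and adds VLAN 60 on bridge1 for the IoT subnet. 172.16.99.0/24, 172.16.60.0/24, the interface names wlan1/wlan2/bridge1/ether1, the list names WAN/LAN and the rule comments "allow port forwarding" come from the export; VLAN id 60, the names vlan60-iot, IOT, dhcp-iot, the address 172.16.99.50 and the MAC address are assumed placeholders. It targets RouterOS 6.49 syntax as on the poster's unit.

```routeros
# Added example, not from this thread. Assumes the export above is already
# loaded. VLAN id 60, vlan60-iot, IOT, dhcp-iot, 172.16.99.50 and the MAC are
# placeholders; subnets and the other names are from the poster's export.

# --- 1. Put the 2.4 GHz radio (wlan1) into its own VLAN. wlan2 (5 GHz) and the
#        guest virtual APs keep the default pvid 1 and stay in the bridge1 LAN,
#        so the existing bridge filters for wlan3/wlan4 keep working.
/interface bridge port
set [ find interface=wlan1 ] pvid=60
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=wlan1 vlan-ids=60
/interface vlan
add interface=bridge1 name=vlan60-iot vlan-id=60
# Turn filtering on only after the VLAN table above exists.
/interface bridge
set bridge1 vlan-filtering=yes

# --- 2. Addressing and DHCP for the IoT subnet. DNS points at public
#        resolvers like the LAN does, so name resolution only works while
#        internet access for the VLAN is switched on (step 4).
/interface list
add comment="IoT VLAN" name=IOT
/interface list member
add interface=vlan60-iot list=IOT
/ip address
add address=172.16.60.1/24 interface=vlan60-iot network=172.16.60.0
/ip pool
add name=dhcp-iot ranges=172.16.60.100-172.16.60.199
/ip dhcp-server
add add-arp=yes address-pool=dhcp-iot disabled=no interface=vlan60-iot name=dhcp-iot
/ip dhcp-server network
add address=172.16.60.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=172.16.60.1

# --- 3. Give the smartphone a fixed lease so a firewall rule can name it.
/ip dhcp-server lease
add address=172.16.99.50 mac-address=AA:BB:CC:DD:EE:01 server=dhcp1 \
    comment="smartphone (placeholder MAC)"

# --- 4. Firewall. vlan60-iot is not a member of the LAN list, so the export's
#        final "add action=drop chain=forward" already blocks IoT->LAN and
#        IoT->internet. Only the explicit exceptions are added, placed before
#        the disabled "allow port forwarding" rule, i.e. before that final drop.
/ip firewall address-list
add list=iot-controllers address=172.16.99.50 comment="smartphone"
add list=iot-lights address=172.16.60.0/24 \
    comment="narrow to single bulbs once their leases are static"
/ip firewall filter
add action=accept chain=forward comment="phone -> IoT lights" \
    src-address-list=iot-controllers dst-address-list=iot-lights \
    in-interface-list=LAN out-interface-list=IOT \
    place-before=[ find comment="allow port forwarding" ]
add action=accept chain=forward comment="IoT -> internet, enable only for firmware updates" \
    disabled=yes in-interface-list=IOT out-interface-list=WAN \
    place-before=[ find comment="allow port forwarding" ]
```

Replies from the lights back to the phone ride on the existing "accept established,related" forward rule, so no rule in the IoT->LAN direction is needed. Enabling the disabled rule for a firmware update is a one-line `/ip firewall filter enable [ find comment~"firmware updates" ]`, and the existing masquerade rule (out-interface-list=WAN) covers that traffic. Applying the VLAN step over wifi on wlan1 will drop your own session; do it from a wired or 5 GHz client.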

I was looking for the same solution (bind specific devices to one band) and stumbled upon this post.

Finally I solved it very easily by going to WiFi > Access List: I filled in the MAC of my device, the interface I DON’T want it to connect to, and Action: reject.

This kind of solution relies on the station (client) being willing to try to connect to another BSSID (AP, band) of the same SSID from which it was already rejected. Not all stations are equally forgiving (of rejects); some decide to ignore the whole SSID network when rejected (by one of its BSSIDs).
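The access-list approach from the previous two posts, written out for the radios in the original export (wlan1 = 2.4 GHz, wlan2 = 5 GHz), as an added example that is not from any poster in this thread. It pins the smartphone to 5 GHz and the old tablet to 2.4 GHz, which is the exact split the opening post asked for. The MAC addresses are placeholders; everything else is standard RouterOS 6 wireless access-list syntax.

```routeros
# Added example, not from this thread. wlan1 (2.4 GHz) and wlan2 (5 GHz) are
# the radios from the export; both MAC addresses are placeholders.
/interface wireless access-list
# Smartphone: refuse it on the 2.4 GHz radio, so the only BSSID of this SSID
# it can join is the 5 GHz one.
add mac-address=AA:BB:CC:DD:EE:01 interface=wlan1 action=reject \
    comment="smartphone: 5 GHz only"
# Old tablet: the mirror image, refused on 5 GHz.
add mac-address=AA:BB:CC:DD:EE:02 interface=wlan2 action=reject \
    comment="old tablet: 2.4 GHz only"

# Stations that match no access-list entry must still be allowed to
# associate; that is what default-authentication=yes on the radio does
# (the export leaves it at this default, shown here explicitly).
/interface wireless
set wlan1,wlan2 default-authentication=yes

# Verification: a rejected association is logged under the wireless topic
# (the export already logs topics=wireless), and the registration table
# shows which radio the station finally settled on.
/log print where topics~"wireless"
/interface wireless registration-table print where mac-address=AA:BB:CC:DD:EE:01
```

The caveat in the post above applies directly: if the log shows the same MAC being rejected on wlan1 over and over with no entry ever appearing in wlan2's registration table, that station has given up on the SSID after the first reject, and for it the separate-SSID approach from earlier in the thread is the only reliable fix.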