basics: guest WiFi network / no internet access

froszu · November 24, 2022, 1:02pm

I am trying to learn both networking basics and RouterOS.
My hardware:

RB5009 as a Router
cAP XL ac as Acces Point

My current setup is simple home wifi:
Router has one bridge for all ports (except port1 WAN), one 192.168.2.0/24 network and one DHCP server. There are no custom firewall rules except of what was set by default.
Under Port 2 is connected cAP XL and it is given a static lease address 192.168.2.3.
cAP is broadcadsting two SSIDs: miranda + miranda5. All it’s interfaces (ethernet and wireless) are under one bridge, so effectively connecting to WiFi I am in 192.168.2.0 network. There is no DHCP server nor client.
This setup works OK and I assume it is generally correct.

Now my goal is to add another isolated ‘guest’ SSID. I tried following this tutorial: https://xan.manning.io/2015/12/05/creating-guest-network-mikrotik-routeros6.html
The new guest network is created and I can connect to it, however without internet access. This is short summary of extra steps for guest wifi:

add new guest_bridge
add new virtual wireless interface (and set it master) and add it to guest_bridge. Also set SSID and guest_profile
add new IP address for guest_bridge: 172.16.0.1
add DHCP server and new network 172.16.0.0/16 and guest_IP_pool
for above network, set gateway and DNS to 172.16.0.1
add Firewall NAT masquerade

I did not complete network isolation steps from tutorial, since no internet is accessible from guest wifi

Can anybody please take a look and tell me what am I missing?
I attach screenshots and configuartions of both devices.

thanks.

cAP_xl.rsc (1.87 KB)
rb5009.rsc (3.47 KB)

anav · November 24, 2022, 9:17pm

I will have a look later in the meantime..
all you should need to do is add the vlan on the main router as per any other vlan, and this new one specifically pertains to the new SSID. GUEST access etc.
Then you tag that along with other vlans on the trunk port going to the access point.

On the access point you add that vlan to ether1 as another one of the tagged vlans coming in on the trunk port coming in on the Capac.
Then you add the new WLAN as another bridge port with pvid of the new vlan and ensure you also add it to /interface bridge vlans…

https://forum.mikrotik.com/viewtopic.php?t=182276

froszu · November 26, 2022, 2:41pm

Thanks for taking time. I will go into vlans but its too soon for me. I need to do sone reading and learning (great links there).
Before i jump into vlans I’d really like to know why my setup is not working. Walking before running!

Cheers

anav · November 26, 2022, 3:20pm

Sorry as soon as you stated a guest network then you are really talking setting up vlans …

Read PARA C. https://forum.mikrotik.com/viewtopic.php?t=182373

froszu · November 29, 2022, 10:14am

Anyone else have idea what could be wrong with my setup ?

erlinden · November 29, 2022, 12:17pm

Agree with anav: read a bit more about VLAN.
Besides…you only want your router to take care of DHCP, not your accesspoint.

About your wireless settings:

don’t use auto
only choose 20MHz channelwidth on the 2.4GHz radio
don’t use XXXX as extension, choose you control channel manually (like Ceee)
don’t use b/g/n and a/n/ac (unless you really have to), instead use g/n and n/ac

froszu · November 29, 2022, 12:58pm

Got it, thanks.
Can you elaborate a bit on what you mean by "you only want your router to take care of DHCP, not your accesspoint" ? This seems as most simple/straightforward solution to me.
edit: I guess you mean DHCP server (createdon AP) for guest network.

If you know any good/recomended HowTo for this kind of setup - please share. I will do my own search of course too.
edit: will go through this now: https://forum.mikrotik.com/viewtopic.php?t=182276
thanks!

erlinden · November 29, 2022, 1:13pm

Please read this:
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

anav · November 29, 2022, 2:03pm

That is a good link but can be confusing…
Read it then apply it like so…

^^^My advice is not to config/copy pcunite’s formats verbatim from the first link above, its stilted and confusing. Instead simply using winbox, work through the Configuration Steps logically.

Add Bridge (or modify default Bridge as required)
Add VLANS with the parent interface being the Bridge
Create Subnet Structure for each VLAN (and likely modify the default subnet to be one of the VLANs)
Construct /interface bridge ports ( etherports and WLANs as applicable )
Construct /interface bridge vlans ( tagged and untagged **** Should match up with /interface bridge ports as a cross-check )
Make Changes to LAN Interface List ( remove bridge and add all vlans typically)
Add Management/Base Interface List & applicable members (Base Vlan and off bridge etherport for example)
Adjust Firewall Rules as necessary (Base List to Input Chain, LAN List to Input Chain for DNS, etc. ( required router services ))
Go to CLI and run export and see if any errors crop up.
Turn on bridge vlan filtering.