Hi guys i am a happy owner of a new routeros device and i must say that i am in love with it 
really big love there
i did setup the device to act as a normal router and build a basic firewall for it. The issue is that on the wifi i need to create “guest” network(192.168.10.0/24) that has ZERO connectivity with my main lan(192.168.0.0/24).
I did that by creating 2 pools and set up 2 dhcp server on each pool. Also created 2 bridges and assigned 5 ports on the switch (main lan) and created a second switch with the wlan assigned to it for the guest network and nothing else .
I also created firewall rules on the forward chain to block communications between the 2 subnets as you can see in my config dump.
The problem is that while devices canot ping themselves between subnets, i can ping 192.168.0.1 from my 192.168.10.0/24 subnet !
I need complete separation between the 2 . I need to block all router config acess from guest (for now i configured my admin account so it that connects only from my main lan)
Here is a dump of my config with personal info greyed out.
Do you guys see any problems with the security or do you have any ameliorations you can sugest me ? Thanks in advance
jun/16/2014 03:01:46 by RouterOS 6.14
/interface bridge
add comment=“MAIN BRIDGE” l2mtu=1598 name=bridge1
add comment=“GUEST BRIDGE” l2mtu=2290 name=bridge2
/interface ethernet
set [ find default-name=ether1 ] comment=“MAIN LAN Ports 1-5 are switched togheder”
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether10 ] comment=WAN
/ip neighbor discovery
set ether1 comment=“MAIN LAN Ports 1-5 are switched togheder”
set ether10 comment=WAN
set bridge1 comment=“MAIN BRIDGE”
set bridge2 comment=“GUEST BRIDGE”
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods=“” management-protection=allowed mode=dynamic-keys name=WPA2 supplicant-identity=“” wpa-pre-shared-key=
"" wpa2-pre-shared-key=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n dfs-mode=no-radar-detect disabled=no l2mtu=2290 mode=ap-bridge security-profile=WPA2 ssid=*****
wireless-protocol=802.11
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip pool
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=bridge2 name=guest_dhcp
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge2 interface=wlan1
/ip address
add address=192.168.0.1/24 comment=“LAN IP SUBNET” interface=bridge1 network=192.168.0.0
add address=192.168.10.1/24 interface=bridge2 network=192.168.10.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether10
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.0.0/24 comment=“MY LOCAL MAIN LAN” list=LOCAL_LAN
add address=192.168.10.0/24 comment=“GUEST NETWORK ON WIFI ONLY” list=GUEST_LAN
/ip firewall filter
add action=drop chain=forward comment=“Drop invalid connections” connection-state=invalid
add action=drop chain=forward comment=“drop connectivity between guest and lan” dst-address-list=LOCAL_LAN src-address-list=GUEST_LAN
add action=drop chain=forward comment=“drop connectivity between lan and guest” dst-address-list=GUEST_LAN src-address-list=LOCAL_LAN
add chain=forward comment=“All new conection from lan accepted” connection-state=new in-interface=bridge1 src-address-list=“”
add chain=forward comment=“All new conection from guest accepted” connection-state=new in-interface=bridge2 src-address-list=“”
add chain=forward comment=“Allow established connection from lan” connection-state=established
add chain=forward comment=“Allow releted connections” connection-state=related
add action=drop chain=forward comment=“Drop all other trafic trough the router”
add action=drop chain=input comment=“Drop invalid packets to the router” connection-state=invalid
add chain=input comment=“Allow acess to the router from LAN (adress list)” src-address-list=LOCAL_LAN
add chain=input comment=“Allow acess to the router from GUEST LAN (adress list)” src-address-list=GUEST_LAN
add chain=input comment=“Allow established connection to the router” connection-state=established src-address-list=“”
add chain=input comment=“Allow related connection to the router” connection-state=related src-address-list=“”
add action=drop chain=input comment=“Drop evrithing else to the router”
add action=drop chain=forward comment=“Drop invalid connections” connection-state=invalid
add action=drop chain=forward comment=“drop connectivity between guest and lan” dst-address-list=LOCAL_LAN src-address-list=GUEST_LAN
add action=drop chain=forward comment=“drop connectivity between lan and guest” dst-address-list=GUEST_LAN src-address-list=LOCAL_LAN
add chain=forward comment=“All new conection from lan accepted” connection-state=new in-interface=bridge1 src-address-list=“”
add chain=forward comment=“All new conection from guest accepted” connection-state=new in-interface=bridge2 src-address-list=“”
add chain=forward comment=“Allow established connection from lan” connection-state=established
add chain=forward comment=“Allow releted connections” connection-state=related
add action=drop chain=forward comment=“Drop all other trafic trough the router”
add action=drop chain=input comment=“Drop invalid packets to the router” connection-state=invalid
add chain=input comment=“Allow acess to the router from LAN (adress list)” src-address-list=LOCAL_LAN
add chain=input comment=“Allow acess to the router from GUEST LAN (adress list)” src-address-list=GUEST_LAN
add chain=input comment=“Allow established connection to the router” connection-state=established src-address-list=“”
add chain=input comment=“Allow related connection to the router” connection-state=related src-address-list=“”
add action=drop chain=input comment=“Drop evrithing else to the router”
add action=drop chain=forward comment=“Drop invalid connections” connection-state=invalid
add action=drop chain=forward comment=“drop connectivity between guest and lan” dst-address-list=LOCAL_LAN src-address-list=GUEST_LAN
add action=drop chain=forward comment=“drop connectivity between lan and guest” dst-address-list=GUEST_LAN src-address-list=LOCAL_LAN
add chain=forward comment=“All new conection from lan accepted” connection-state=new in-interface=bridge1 src-address-list=“”
add chain=forward comment=“All new conection from guest accepted” connection-state=new in-interface=bridge2 src-address-list=“”
add chain=forward comment=“Allow established connection from lan” connection-state=established
add chain=forward comment=“Allow releted connections” connection-state=related
add action=drop chain=forward comment=“Drop all other trafic trough the router”
add action=drop chain=input comment=“Drop invalid packets to the router” connection-state=invalid
add chain=input comment=“Allow acess to the router from LAN (adress list)” src-address-list=LOCAL_LAN
add chain=input comment=“Allow acess to the router from GUEST LAN (adress list)” src-address-list=GUEST_LAN
add chain=input comment=“Allow established connection to the router” connection-state=established src-address-list=“”
add chain=input comment=“Allow related connection to the router” connection-state=related src-address-list=“”
add action=drop chain=input comment=“Drop evrithing else to the router”
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether10
/ip upnp
set allow-disable-external-interface=no
/lcd
set backlight-timeout=never default-screen=stats
/lcd pin
set pin-number=****
/lcd interface
set sfp1 interface=sfp1
set ether1 interface=ether1
set ether2 interface=ether2
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6 interface=ether6
set ether7 interface=ether7
set ether8 interface=ether8
set ether9 interface=ether9
set ether10 interface=ether10
set wlan1 interface=wlan1
/system clock
set time-zone-name=********/*******
/system identity
set name=“*************”
/system ntp client
set enabled=yes primary-ntp=50.22.155.163 secondary-ntp=208.80.96.96
