I have 10 years of experience in networking but haven’t touched MikroTik yet, so maybe my question is a joke for you guys :).
I bought a MikroTik (RB951Ui) for testing and need to set it up. We have a simple network here without VLANs, a DMZ, etc. Our gateway is a Comcast modem (10.0.0.1); everybody is directly connected to the same network and uses 10.0.0.1 as the gateway. I have a scenario in my mind but I’m not sure how I should configure the MikroTik to work that way. I want to connect the MikroTik directly to the network, add a Wi-Fi network as a bridge for our employees, and add a virtual AP as a router for our guests, but I don’t know how to add both of these, the bridge and the router, together. Also, if I add the MikroTik as a router to my network, people have a different IP mask but can still access anything on my network. Is it possible to tell the MikroTik, hey, just connect this virtual AP to that gateway and don’t let them connect to anything else in my network? I mean without tagging and VLANs.
Use firewall rules for your guest network.
Thank you pietroscherer, but would you please explain a little bit more or direct me to the right link? As I see in WinBox, the firewall has a lot of tabs, a lot of fields and options, and reading all the documentation about the firewall takes a long time.
Start with a blank config. Switch all ethernet ports (set master-port=ether1 for all except ether1). Create a bridge and add ether1 and wlan1 as its ports. Configure wlan1 as you want (set SSID, password, …). And this is all that’s needed for a transparent AP for employees.
Add an IP address for management and also for later routing use. The simplest way is to use DHCP client on bridge, or you can configure everything (address, default route and DNS) manually.
For guests, add and configure a virtual AP interface and let’s name it e.g. wlan2. Add some address to it and configure a DHCP server. Add some basic config:
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge1
Now you can connect to the guest AP, be in a different network and have access to the internet. But also to your main network.
The fix is simple. First make sure that guests can’t connect to your main network:
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward dst-address=!10.0.0.0/8 in-interface=wlan2
add action=reject chain=forward reject-with=icmp-admin-prohibited
And then also protect router itself (allow only ping and access to DNS resolver from wlan2):
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface=bridge1
add action=accept chain=input in-interface=wlan2 protocol=icmp
add action=accept chain=input in-interface=wlan2 dst-port=53 protocol=tcp
add action=accept chain=input in-interface=wlan2 dst-port=53 protocol=udp
add action=reject chain=input reject-with=icmp-admin-prohibited
Simple and complete. Thanks Sob!
Thank you so much, but as I said I’m a real novice :) I think I’m missing a part. I followed the steps but after creating the virtual AP, the DHCP server and your basic config I can ping the network but can’t ping any IP on the Internet. I have internet on wlan1, so I think I’m missing a route or NAT or something like that. Would you please explain the first part a little bit more?
I’m not sure what could be wrong. NAT is there (second rule), the default route should come from DHCP, … It’s probably something small, but rather than guessing, run this in Terminal (it’s in WinBox/WebFig) and post the output here:
/export hide-sensitive
Sorry for the delay, last week was hectic. I found some time today and tried the configuration again. By default the MikroTik chooses Ethernet2 as master when I was working with the wizards, so I tried Ethernet2 instead of Ethernet1 as the master in the config process and voilà, it’s working. I’m not sure what the difference is, but the point is it’s working now. I have another question too, guys, if you don’t mind helping me with that too. Sometimes customers want to send some print jobs to our printer; is it possible to add an IP to the firewall rules so people from wlan2 could send prints to 10.0.0.5 but still not have access to other parts of the main network?
Hello,
I think that I can help you.
Add this line on the terminal:
/ip firewall filter add action=accept chain=forward dst-address=10.0.0.5 in-interface=wlan2
Using WinBox, move this rule (using drag ’n’ drop) above the rule:
/ip firewall filter add action=accept chain=forward dst-address=!10.0.0.0/8 in-interface=wlan2
It will permit access from everything coming in on wlan2 to the host 10.0.0.5 only.
Thank you!
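To see why the position of the printer rule matters, here is an added Python model of first-match evaluation over the forward chain posted in this thread (example code, not from the original posts or from MikroTik); the packet dicts and the with_printer_rule helper are constructed for illustration. It shows that the exception for 10.0.0.5 only takes effect when it sits above the catch-all reject.

```python
import ipaddress

# Forward-chain rules as posted in the thread, in order. Each rule lists the
# match criteria it uses; a missing key means "match anything" (RouterOS-style).
FORWARD_CHAIN = [
    {"action": "accept", "connection_state": {"established", "related"}},
    {"action": "drop", "connection_state": {"invalid"}},
    {"action": "accept", "in_interface": "wlan2", "dst_address": "!10.0.0.0/8"},
    {"action": "reject"},
]
# The printer exception from the follow-up answer, inserted at a chosen position below.
PRINTER_RULE = {"action": "accept", "in_interface": "wlan2", "dst_address": "10.0.0.5"}


def _addr_matches(spec, addr):
    """Match dst-address the way RouterOS does, honouring the '!' negation prefix."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(addr) in net
    return hit != negate


def rule_matches(rule, pkt):
    """True when every criterion present in the rule matches the packet."""
    if "connection_state" in rule and pkt["connection_state"] not in rule["connection_state"]:
        return False
    if "in_interface" in rule and pkt["in_interface"] != rule["in_interface"]:
        return False
    if "dst_address" in rule and not _addr_matches(rule["dst_address"], pkt["dst_address"]):
        return False
    return True


def evaluate(chain, pkt):
    """First matching rule decides; a chain with no match falls through to accept."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["action"]
    return "accept"


def with_printer_rule(position):
    """Constructed helper: the forward chain with the printer rule inserted at `position`."""
    chain = list(FORWARD_CHAIN)
    chain.insert(position, PRINTER_RULE)
    return chain


def guest_pkt(dst, state="new"):
    # Constructed sample packet: a guest on wlan2 opening a connection to `dst`.
    return {"in_interface": "wlan2", "dst_address": dst, "connection_state": state}
```

Index 2 corresponds to dragging the rule above the `!10.0.0.0/8` accept as the answer describes; index 4 is what you get if you simply append the rule at the end, where the reject above it means it is never reached.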
Thank you guys, appreciate that.
I put this device beside the old one and gave the password to some people and it was working, or at least I thought it was working. So, I turned off the old one and everybody started using the MikroTik, but people started complaining about the speed and disconnects, so I checked the log and they were right. It continuously says wlan1: data from unknown device xxxxxxxxxxxxx: sent deauth or disconnected, extensive data loss or unicast key exchange timed out, and some other logs that don’t seem good. Any suggestion?
It sounds like they may be too far away from the AP.
No, they are pretty close, almost 3-4 meters.