Bridge Filters / Dynamic Interfaces

Hello, I’m new here and not familiar with the “style” and “rules” in this forum. So sorry if I’m asking something obvious.

Let me start with my understanding of how guest Wi-Fi works if you use Quick Set. We simply get a “drop” in bridge filters where the In/Out interface is our Guest wireless interface. Simple and easy.

My next thought was: OK, I should be able to do the same trick with CAPsMAN/CAP. I managed to configure CAPsMAN + 2 remote CAPs. The problem is that if I add a drop bridge filter based on the CAP interface, it works well (Hall is my remote CAP interface) till… the CAP interface is reinitialized for some reason (reboot/provisioning/etc). If that happens I see “unknown” in the Filters’ interfaces and “guest” wifi forwarding is no longer blocked :(

Guys, I know – there are a lot of ways to isolate ports/traffic at different levels. It’s not the problem. My question is more general:

Is it possible to add a “persistent” bridge filter with dynamic interfaces? Is it a feature or bug (I don’t think it’s a bug)?

It would be much easier to just make the guest network be a separate IP network and filter forwarding between the two using an IP firewall rule or two.

Basically, you’d make a second “LAN” bridge, called “guests” or something equally descriptive…

Make the guest APs connect back to that bridge instead of the LAN bridge.

Then use an IP firewall filter rule in the forward chain to block guest → lan access:
chain=forward in-interface=guest out-interface=!wan action=drop
(replace wan with the actual name of your wan interface)

Hello, thank you for the reply. Yes, what you suggest is perfectly fine. But… I want to say that once again:
There are a lot of ways to isolate ports/traffic at different levels. It’s not the problem. My question is not about how to make a guest network.
To cut it short – forget about wifi/guests/etc. Is it possible to add a “persistent” bridge filter with dynamic interfaces? Is it a feature or bug (I don’t think it’s a bug)?

I don’t think so. You could probably achieve similar effects with scripts that trigger on events for ppp-type interfaces which have onup/ondown script triggers. I’ve seen nothing like that for WDS interfaces, etc. Granted that’s not the same thing either, but it’s probably the closest you’ll get.

I think the easiest way Mikrotik could implement this is using interface groups. If dynamic interfaces could be added/removed automatically to those, then you could write rules that reference the groups (which are persistent).
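Added example, not part of the thread and not MikroTik code: a small Python audit for the failure described in the first post, where a drop rule keeps existing but its interface matcher no longer resolves, so isolation silently stops. The rule lines and interface names are constructed samples, and the assumption is that a vanished interface appears as "unknown" or as an internal id such as "*1A" and that names contain no spaces.

```python
import re

# Constructed sample: bridge filter rules in RouterOS key=value style.
# Assumption: a rule whose interface has vanished shows the reference as
# "unknown" (as described in the thread) or as an internal id like "*1A".
SAMPLE_RULES = """\
chain=forward in-interface=Hall action=drop
chain=forward out-interface=Hall action=drop
chain=forward in-interface=unknown action=drop
chain=forward out-interface=*1A action=drop
chain=forward in-interface=Kitchen action=drop
chain=forward in-interface=ether2 action=accept
"""

# Constructed sample: interface names that currently exist on the router.
SAMPLE_INTERFACES = {"bridge", "ether1", "ether2", "Hall"}

IFACE_KEYS = ("in-interface", "out-interface")
DANGLING = re.compile(r"^(unknown|\*[0-9A-Fa-f]+)$")


def parse_rule(line):
    """Split one 'key=value key=value' rule line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def audit(rules_text, live_interfaces):
    """Return (line_no, key, value, reason) for every drop rule whose
    interface matcher no longer points at a live interface."""
    findings = []
    for no, line in enumerate(rules_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule.get("action") != "drop":
            continue
        for key in IFACE_KEYS:
            value = rule.get(key)
            if value is None:
                continue
            name = value.lstrip("!")  # negated matcher, e.g. !wan
            if DANGLING.match(name):
                findings.append((no, key, value, "dangling reference"))
            elif name not in live_interfaces:
                findings.append((no, key, value, "interface not present"))
    return findings


if __name__ == "__main__":
    for no, key, value, reason in audit(SAMPLE_RULES, SAMPLE_INTERFACES):
        print(f"rule {no}: {key}={value} -> {reason}")
```

Run against a saved rule listing and the current interface list after each CAP reprovision or reboot; any finding means a drop rule is no longer matching the traffic it was written for.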