Hi, I am rather new here, so apologies if I post in the wrong category.
I have a RB4011, and need to set up a guest network to work with my UniFi access point.
(I heard that these 2 rules will prevent the 2 seeing each other, but that was without VLANs)
drop forward src:172.16.10.0/24 dst:172.16.180.0/24
drop forward src:172.16.180.0/24 dst:172.16.10.0/24
INTERFACE:
ether1 (fibre) connected to tp link router for internet
ether2 (LAN) rest of my lan devices, computers, laptops etc
On ether2 we also have a UniFi AP managed by a UniFi controller
vlan180 - ideally all guests should use this network or VLAN
I managed to get my UniFi access point guests to work and get DHCP addresses on the 172.16.180.0/24 network.
I added 8.8.8.8 and 1.1.1.1 as DNS servers in the DHCP somewhere, but no DNS queries on the guest network are working…
Somewhere I have to allow DNS queries from vlan180, or remove vlan180 completely, and somehow separate these 2 networks using the MikroTik.
I have a basic TP-Link Archer 6 router where my internet is connected to - 172.16.10.1; it has some VLAN features, but I think it's a little primitive for the MikroTik.
Could someone please help me through this setup? I mostly use WinBox for configuration at this point.
Not at all my field of (little) experience, but if I were you I would start with a default Mikrotik set of firewall settings (and build if needed upon it) as per Rule #8:
optionally adding at the end of the forward chain the allowed things and closing it with a “drop all else” rule.
If you look around on the board you will find many examples of this latter modification, default firewall (for SoHo devices) is here:
In any case it is good practice (for readability, for the helping forum members, but also for you in the future) to group firewall filter rules by chain. Rules are applied in top-to-bottom order within the same chain, so grouping won't change anything in the functions performed, but it is much more readable if you have first all input rules, then all forward rules, etc.
I am 100% sure that is where I started.
Reset the device a few times, removed all default everything, started from scratch.
I am still battling to remember the difference between input, forward and output; logically to me it does not make sense.
Did not know you can group filter rules in the MikroTik, and it does not affect the function or application order, as if I understand you correctly, it solely applies filter rules from top to bottom.
For now I am just trying to get things working, and then afterwards I can sit and neaten it up and group things nicely.
The possible issue when - without enough experience/knowledge - a new user fiddles with firewall rules is that he can (accidentally) leave some big holes in it, hence the suggestion to start from a solid base instead from nothing.
This should help:
and it should also make you understand why rules are processed in the order they appear on each chain separately (the grouping is only advised for readability; it doesn't change anything in how the rules are applied).
Thank you for all your suggestions, but I honestly do not have the time or effort to learn the flow chart, or study 1000 things. All I wanted was to get the guest network working, separated from my normal LAN.
I'll find another router where the learning curve (requirement) is not so immense.
Honestly, if I came here asking for advice on how to secure my MikroTik router I would understand, but that is not my question or reason for asking anything on the forum.
I am still in need of some help here to get the guest network DNS access, or allow DNS queries over my default router at 172.16.10.1.
The details/specifics and added security, and best practices I'll worry about later; for now I just need to get it working so that I can understand things.
Right, so I managed to get it working, no thanks to anyone on this forum…
For the other people like me that don't know, here is my working config.
Created a VLAN, added the VLAN to the LAN bridge, added DHCP to the VLAN, added some firewall rules to ensure the guest network can't access the normal LAN and vice versa.
Still need to connect a laptop to see if I can bypass any measures in place though, but very happy that it works 100%.
# 2025-08-04 08:24:55 by RouterOS 7.19.3
# software id = 8TNG-A64A
#
# model = RB4011iGS+
# serial number = ######
/interface bridge
add name=LAN-BRIDGE
add name=containers
/interface ethernet
set [ find default-name=ether1 ] loop-protect=on name="ether1 (FIBRE)" \
rx-flow-control=on tx-flow-control=on
set [ find default-name=ether2 ] loop-protect=on name="ether2 (LAN)" \
rx-flow-control=on tx-flow-control=on
set [ find default-name=ether3 ] name="ether3(WIFI_TRUNK)"
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes loop-protect=on name=\
"ether10 " poe-out=off rx-flow-control=on tx-flow-control=on
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes interface="ether1 (FIBRE)" name="AXXESS 50/50" \
use-peer-dns=yes user=######
/interface veth
add address=172.17.0.20/24 gateway=172.17.0.1 gateway6="" name=veth1-adguard
/interface wireguard
add listen-port=13233 mtu=1420 name="######"
/interface vlan
add interface=LAN-BRIDGE loop-protect=on name=vlan180_guest vlan-id=180
/ip pool
add name=LAN ranges=172.16.10.101-172.16.10.240
add name=DHCP_GUEST ranges=172.16.180.80-172.16.180.254
/ip dhcp-server
add add-arp=yes address-pool=DHCP_GUEST interface=vlan180_guest lease-time=\
17h30m name=Guest_DHCP
/port
set 0 name=serial0
set 1 name=serial1
/certificate settings
set builtin-trust-anchors=not-trusted
/container
add envlist=base_envs interface=veth1-adguard logging=yes name=\
e996620b-c1d9-4ec7-89dd-02a06f24601a root-dir=\
e996620b-c1d9-4ec7-89dd-02a06f24601a start-on-boot=yes workdir=\
/opt/adguardhome/work
/container config
set registry-url=https://registry-1.docker.io
/container envs
add key=TZ name=base_envs value=Africa/Johannesburg
/interface bridge port
add bridge=containers interface=veth1-adguard
add bridge=LAN-BRIDGE interface="ether3(WIFI_TRUNK)" trusted=yes
add bridge=LAN-BRIDGE interface="ether2 (LAN)" trusted=yes
add bridge=LAN-BRIDGE interface=ether4 trusted=yes
/interface wireguard peers
add allowed-address=######,###### endpoint-address=\
###### endpoint-port=13233 interface="######" \
name="######" public-key=\
"########################"
/ip address
add address=172.16.10.2/24 interface="ether2 (LAN)" network=172.16.10.0
add address=172.17.0.1/24 interface=containers network=172.17.0.0
add address=###### interface="######" network=\
######
add address=172.16.180.1/24 interface=vlan180_guest network=172.16.180.0
/ip dhcp-server network
add address=172.16.180.0/24 gateway=172.16.180.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=fasttrack-connection chain=forward hw-offload=yes
add action=accept chain=input comment="Allow DHCP for Guest VLAN" dst-port=\
67,68 in-interface=vlan180_guest protocol=udp
add action=accept chain=input comment="Allow WireGuard" dst-port=13233 log=\
yes log-prefix=WG-Input protocol=udp
add action=accept chain=forward dst-port=53 protocol=udp
add action=accept chain=input in-interface="######" protocol=\
icmp
add action=accept chain=forward comment=\
"Accept FORWARDED established and related packets" connection-state=\
established,related
add action=accept chain=forward comment="Allow Guest to UniFi Controller" \
dst-address-list=###### dst-port=8443 protocol=tcp src-address=\
172.16.180.0/24
add action=accept chain=forward comment="Allow Guest DNS UDP" dst-port=53 \
protocol=udp src-address=172.16.180.0/24
add action=accept chain=forward comment="Allow Guest DNS TCP" dst-port=53 \
protocol=tcp src-address=172.16.180.0/24
add action=accept chain=forward comment="Allow Guest HTTP/S for portal" \
dst-port=80,443 protocol=tcp src-address=172.16.180.0/24
add action=accept chain=forward comment="Allow Guest Internet Access" \
src-address=172.16.180.0/24
add action=drop chain=forward comment="Block Guest to Main LAN" dst-address=\
172.16.10.0/24 src-address=172.16.180.0/24
add action=drop chain=forward comment="Block Main LAN to Guest" dst-address=\
172.16.180.0/24 src-address=172.16.10.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="General Internet NAT via TP-Link" \
out-interface=LAN-BRIDGE src-address=172.16.0.0/16
add action=masquerade chain=srcnat src-address=172.17.0.0/24
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.16.10.1 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=###### gateway=###### \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set winbox address=######,######,######
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=######
/system routerboard settings
set enter-setup-on=delete-key
/tool sniffer
set filter-interface=vlan180_guest filter-port=bootps
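An added example, not from the thread or from the poster's config: it replays the forward chain of the export above through a minimal first-match simulator, so the order question raised earlier in the thread can be checked against constructed packets. The established/related, fasttrack and redacted address-list rules are left out because they do not decide a brand-new guest-to-LAN connection.

```python
import ipaddress

# Forward-chain rules in the order the export above lists them, reduced to the
# fields this simulator understands. Comments are the export's own.
POSTED_ORDER = [
    {"action": "accept", "proto": "udp", "dport": {53}, "comment": "accept dst-port=53 (any source)"},
    {"action": "accept", "src": "172.16.180.0/24", "proto": "tcp", "dport": {53}, "comment": "Allow Guest DNS TCP"},
    {"action": "accept", "src": "172.16.180.0/24", "proto": "tcp", "dport": {80, 443}, "comment": "Allow Guest HTTP/S for portal"},
    {"action": "accept", "src": "172.16.180.0/24", "comment": "Allow Guest Internet Access"},
    {"action": "drop", "src": "172.16.180.0/24", "dst": "172.16.10.0/24", "comment": "Block Guest to Main LAN"},
    {"action": "drop", "src": "172.16.10.0/24", "dst": "172.16.180.0/24", "comment": "Block Main LAN to Guest"},
]
# The same rules with the two inter-VLAN drops moved ahead of every accept.
FIXED_ORDER = [r for r in POSTED_ORDER if r["action"] == "drop"] + \
              [r for r in POSTED_ORDER if r["action"] == "accept"]

def matches(rule, pkt):
    """A rule matches when every field it specifies agrees with the packet."""
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
            return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and pkt["dport"] not in rule["dport"]:
        return False
    return True

def verdict(chain, pkt):
    """First matching rule wins; a RouterOS chain with no match ends in accept."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "implicit accept at end of chain"

# Constructed test packets (not real captures from the poster's network).
GUEST_TO_LAN = {"src": "172.16.180.90", "dst": "172.16.10.50", "proto": "tcp", "dport": 445}
GUEST_DNS = {"src": "172.16.180.90", "dst": "8.8.8.8", "proto": "udp", "dport": 53}
LAN_TO_GUEST = {"src": "172.16.10.50", "dst": "172.16.180.90", "proto": "tcp", "dport": 22}

if __name__ == "__main__":
    for name, pkt in [("guest->LAN", GUEST_TO_LAN), ("guest DNS", GUEST_DNS), ("LAN->guest", LAN_TO_GUEST)]:
        print(f"{name:11} posted: {verdict(POSTED_ORDER, pkt)}  fixed: {verdict(FIXED_ORDER, pkt)}")
```

With the posted order, a new guest-to-LAN connection is accepted by "Allow Guest Internet Access" before the drop rule is ever consulted; moving the drops above the broad accept closes that gap while guest DNS still passes.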
Please remember that it's a MT users' forum where people like you and us try to share their problems/solutions and help each other if only we can. We do not have the same configurations, equipment or possibilities to test MT against TP-Link, D-Link, CISCO, Unifi etc. brands and their caveats/tricks. You should remember that it's our time we share for free … why? It's a good question.