I need your help… with my “hAP ac” device configuration.
I have main wireless interfaces wlan1 and wlan2 (2.4G & 5G), and each of them has its own virtual interface (3, 4).
Clients of a main interface, for example wlan1, can reach each other, but clients of a virtual interface are isolated.
It is the default behaviour and it is exactly what I needed before (so I do not know how to enable it on a virtual interface, I just created it).
Now I need a more complex configuration. I need one more virtual wireless interface with its own SSID, which allows me to control the LAN resources available to clients.
So each client of that Wi-Fi network will be able to access a specific IP/port of a single machine (connected via an Ethernet port) and still not be able to connect to each other.
Just create a new virtual interface, identical to your previous virtual and isolated Wi-Fi interface.
Via the firewall you can accept and block access between your networks.
If I am not mistaken, the “defcon” firewall will not block any traffic between local networks.
So you will have to add new rules under “/ip firewall filter”.
Some WLAN interfaces with “Default forward” enabled (clients can see each other) or not
“Access list” can overrule “Default forward” set in WLAN interface
WLAN interface connected to a bridge or not.
Bridge or unconnected interface member of some interface lists. “LAN” and “WAN” are default (defcon) interface list names that are used in the default firewall rules.
Bridged interfaces' traffic does not pass the firewall, if not forced to use “Use IP firewall” in the bridge “Settings” menu.
Some WLAN interfaces with “Default forward” enabled (clients can see each other) or not
Both have “Default forward” enabled, but work differently.
“Access list” can overrule “Default forward” set in WLAN interface
Nothing is specified in lists.
Bridge or unconnected interface member of some interface lists. “LAN” and “WAN” are default (defcon) interface list names that are used in the default firewall rules.
Not sure I understand well; all ports are connected to the bridge (some of them have Role disabled, probably because they are not connected).
Bridged interfaces' traffic does not pass the firewall, if not forced to use “Use IP firewall” in the bridge “Settings” menu.
Yes, it is unchecked.
But probably I have found the reason. It has a Filters tab there.
So 4 rules for drop forward in/out… wlan3 and wlan4.
That was the reason.
I guess setting up rules there is better than in the firewall from the point of view of performance. I have found the way to enable the IP section there.
But unfortunately it does not work (MAC-Protocol-Num and port “800 (ip)”).
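An added example, not from any poster in this thread: one way to write the restriction discussed above as bridge filter rules with the IP matchers. The interface name wlan5, the server address 192.168.88.10 and TCP port 443 are constructed placeholders, and it is assumed that wlan5 is already a port of the same bridge as the Ethernet port and that clients and server share one subnet.

```routeros
# Added example; wlan5, 192.168.88.10 and tcp/443 are constructed placeholders.
# Assumes wlan5 is already a port of the same bridge as the Ethernet port.

# Keep wireless clients of this SSID from talking to each other on the AP.
/interface wireless set [find name=wlan5] default-forwarding=no

/interface bridge filter
# Clients must resolve the server's MAC, so allow ARP in both directions.
add chain=forward in-interface=wlan5 mac-protocol=arp action=accept
add chain=forward out-interface=wlan5 mac-protocol=arp action=accept
# Client -> server: only the one IP address and TCP port.
add chain=forward in-interface=wlan5 mac-protocol=ip \
    dst-address=192.168.88.10/32 ip-protocol=tcp dst-port=443 action=accept
# Server -> client: bridge filters keep no connection state, so the
# replies need their own rule.
add chain=forward out-interface=wlan5 mac-protocol=ip \
    src-address=192.168.88.10/32 ip-protocol=tcp src-port=443 action=accept
# Everything else bridged to or from this SSID is dropped.
add chain=forward in-interface=wlan5 action=drop
add chain=forward out-interface=wlan5 action=drop
```

These rules cover only the bridge forward chain, that is, frames switched between bridge ports. Traffic addressed to the router itself, such as DHCP or DNS served by the router, is handled by the input chain and is not affected by them.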