ETHER2=HOTSPOT - ETHER3 FOR SEPARATE NETWORK - NOOB

Howsit

It's my first time on here, my first Mikrotik Router (though I have played with one before), my first post. Please bear with me, I’m a noob.
(I suppose this is where most okes leave :laughing: )

I’ll keep it simple and short.

I want to connect WAN (ether1) to a radio which receives my 5GHz signal. I have gathered that I should just configure this port for automatic IP acquisition, so that one is cool. And my radio does dish out IPs via DHCP, so sorted.

Here’s what I am having a little bit of trouble with:

I want to configure ether2 as a hotspot, which I can do successfully with the normal pitfalls of no login page on https, etc. Not too difficult.
Ether3 I want to configure as a completely separate and firewalled network. I have a client who is using the same 5GHz radio for service for himself, so I don’t want my hotspot clients to be able to reach him at all.
Lastly, I want to limit the speed on ether2 or its IP range to a certain speed so as not to take anything away from the speed allocated to ether3.
Both the hotspot and client on ether3 should get internet access from the radio receiving signal.

I have been going over quite some forum posts, read quite a few guides, so I’ve had to put together a process for myself. I’m rather hoping there is someone out there with a complete understanding of how to do this properly, as opposed to me fiddling and hitting a wall until I finally THINK I have it right and hope for the best.

What you want to do is very basic and simple to accomplish. The first thing to remember is that each port on a Mikrotik can be its own routed port, with whatever services you want running on top of it. So here are some basic steps to take.

1.) Disable the master port or bridge settings, if any, on the router. This will make sure each port is an independent routed port.
2.) Set up the hotspot on Ether2 as desired.
3.) Set up the IP range, DHCP server, etc. on Ether3.
4.) Set up a stateful firewall on the forward chain. Something like this.

/ip firewall filter
add chain=forward action=accept connection-state=established comment="Accept established"
add chain=forward action=accept connection-state=related comment="Accept related"
add chain=forward action=drop connection-state=invalid comment="Drop invalid"
add chain=forward action=accept in-interface=ether2 out-interface=ether1 comment="Accept LAN to WAN communication"
add chain=forward action=accept in-interface=ether3 out-interface=ether1 comment="Accept LAN to WAN communication"
add chain=forward action=drop comment="drop everything else"

All communication from the LAN ports to the WAN port will be accepted. Everything else will be dropped.
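
Added example, not part of the original posts: a small Python model of the forward-chain rules above, evaluated first-match, to check that ether2 and ether3 cannot reach each other while both still reach ether1 and receive replies. The packet samples and the names `RULES`, `evaluate` and `check_isolation` are constructed for illustration; only interface and connection state are modelled.

```python
# Added illustration: first-match evaluation of the forward-chain rules
# posted above. Packets are constructed samples, not captured traffic.

RULES = [  # (action, match conditions), in the order the rules were posted
    ("accept", {"state": "established"}),
    ("accept", {"state": "related"}),
    ("drop",   {"state": "invalid"}),
    ("accept", {"in": "ether2", "out": "ether1"}),
    ("accept", {"in": "ether3", "out": "ether1"}),
    ("drop",   {}),  # no conditions: matches everything that got this far
]

def evaluate(packet):
    """Return (action, rule_number) for the first rule whose conditions all match."""
    for number, (action, cond) in enumerate(RULES, start=1):
        if all(packet.get(key) == value for key, value in cond.items()):
            return action, number
    # Unreachable with the catch-all rule present; RouterOS accepts by
    # default when no rule in the chain matches.
    return "accept", None

# Constructed sample packets covering the cases the question cares about.
SAMPLES = {
    "hotspot -> internet (new)":   {"in": "ether2", "out": "ether1", "state": "new"},
    "client -> internet (new)":    {"in": "ether3", "out": "ether1", "state": "new"},
    "hotspot -> client (new)":     {"in": "ether2", "out": "ether3", "state": "new"},
    "client -> hotspot (new)":     {"in": "ether3", "out": "ether2", "state": "new"},
    "internet reply -> hotspot":   {"in": "ether1", "out": "ether2", "state": "established"},
    "internet -> client (new)":    {"in": "ether1", "out": "ether3", "state": "new"},
    "hotspot -> internet (invalid)": {"in": "ether2", "out": "ether1", "state": "invalid"},
}

def check_isolation():
    """Map each sample name to the (action, rule_number) that decided it."""
    return {name: evaluate(packet) for name, packet in SAMPLES.items()}

if __name__ == "__main__":
    for name, (action, number) in check_isolation().items():
        print(f"{name:32s} {action:6s} (rule {number})")
```

Rule order matters in this model as it does on the router: the invalid-state drop sits above the LAN-to-WAN accepts, so an invalid packet from ether2 is dropped even though its interfaces match rule 4.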