I recently started changing the configuration of my hAP ax3 router. I have two bridges set up: one standard and the other created specifically for a Guest WiFi network.
While browsing the internet, I found a post where someone mentioned that having more than one bridge on a MikroTik router is not recommended. Additionally, most guides on setting up Guest WiFi on MikroTik use VLANs rather than a separate bridge.
This made me wonder whether my configuration is optimal and whether there are any best practices regarding the preferred method for setting up a Guest WiFi network.
The usual advice to have one bridge with VLAN filtering enabled is solid, and is the preferred approach. So this is what I will suggest.
Especially for the first time, configuring VLAN filtering can be daunting, and configuring it wrong can easily lead to a loss of access to your device, so your only choice may be to reset the router’s configuration and try again, which is obviously frustrating. The usual suggestion is to select a port and leave it outside of your bridge, and then use this port for configuring your router. This way, even if you make an error, you can correct it.
As to your question: for a separate guest/IoT/etc. WiFi network, VLANs are definitely the way to go. In general you have several APs spread out, and generally they support using different VLANs to separate the traffic of their individual SSIDs. (This is true for both MikroTik and other devices, TP-Link etc.)
I gather from your question that you don’t have external APs, only the single ax3. I don’t know if I’m correct - and even if I am currently, you may plan to extend this in the future. As long as you have the single device, you will experience no downside to your multiple bridge arrangement (other than having to adapt what is written in tutorials).
VLAN-filtering one bridge can be daunting for the new user, as one is adding VLANs and eventually drops DHCP and the address from the bridge, as one should (the bridge subnet simply becomes another data VLAN, etc.).
reference to read: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
To facilitate a painless experience, I recommend taking a port off the bridge temporarily (if you have no spares) and using it to modify the config.
Remove the port from the bridge:
/interface bridge port
remove [find interface=ether5]
Define the ethernet port to be clear (let's use ether5):
/interface ethernet
set [find default-name=ether5] name=OffBridge5
Define the address:
/ip address
add address=192.168.70.1/30 interface=OffBridge5
Ensure the interface is part of the LAN interface list AND any Trusted interface list:
/interface list member
add interface=OffBridge5 list=LAN
add interface=OffBridge5 list=TRUSTED
Now all you have to do is plug your laptop into ether5, change its IPv4 settings to 192.168.70.2, and you should be able to access the config, from a SAFE spot!!!
Now, I’m wondering—since I’m only using this router as a “single unit”, don’t have any additional switches and I only want to separate all devices connected to this AP—are there any reasons to use VLANs or any other more complicated config than simple filtering?
By the way, is there any difference between making such filtering in /interface bridge filter instead of using /ip firewall filter?
Your funeral to go off on tangents, and no, bridge filters are for advanced users only; I don't touch them, being an intermediate user.
Quick Set should have been named quicksand.
MikroTik recommends that you either use Quick Set for everything and don’t touch other settings, or don’t use Quick Set at all. With regards to using bridge filters to segment off guest WiFi—yes, you can use that for your scenario. It works by dropping all forwarded Ethernet frames from/out the specified wireless interfaces. Since the WAN interface (eth1) is not a member of the bridge, WAN traffic between eth1 and wireless interfaces is not subjected to these filters.
Many consumer routers use the same approach with ebtables (L2 bridge firewall) for their guest WiFi functionality. I know some Asus routers do.
You also don’t have to use Quick Set to use these filters. Now that you know what they are, you can just manually add them to your custom configuration.
You would still want to lock down access to the router itself with IP firewall, unless you are OK with it being accessible from the guest network. The most secure approach is to allow only DHCP (UDP 67) and DNS (UDP and TCP 53) from the guest network to the router (input chain).
The IP firewall part still applies if you go with the VLAN approach. Default firewall rules don’t block any access to the router from the LAN side.
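The two layers described in the preceding posts (Layer 2 isolation of the guest wireless interface with bridge filters, plus the input-chain lockdown that allows only DHCP and DNS from the guest network to the router) written out as RouterOS CLI commands. This is an added example, not configuration from the thread or from MikroTik's Quick Set; it assumes a guest wireless interface named wifi-guest that is a bridge member, an interface list named GUEST, and a WAN port that is not part of the bridge (all assumed names, not from the thread).

```routeros
# Added example, not from the original thread. Assumed names:
#   wifi-guest  - the guest SSID interface, a member of the bridge
#   GUEST       - an interface list holding the guest interface(s)

# 1. Layer 2: drop every Ethernet frame the bridge would forward from or to
#    the guest interface. Frames addressed to the router itself go through
#    the bridge "input" chain, not "forward", so DHCP/DNS to the router still
#    arrive. The WAN port is not a bridge member, so guest <-> WAN traffic is
#    routed (Layer 3) and never passes these rules.
/interface bridge filter
add chain=forward in-interface=wifi-guest action=drop comment="guest: no L2 forwarding from guest"
add chain=forward out-interface=wifi-guest action=drop comment="guest: no L2 forwarding to guest"

# 2. Layer 3: only DHCP (UDP 67) and DNS (UDP/TCP 53) from guest clients may
#    reach the router. Everything else to the router from GUEST is dropped.
/interface list
add name=GUEST
/interface list member
add interface=wifi-guest list=GUEST

/ip firewall filter
add chain=input in-interface-list=GUEST protocol=udp dst-port=67 action=accept comment="guest: DHCP to router"
add chain=input in-interface-list=GUEST protocol=udp dst-port=53 action=accept comment="guest: DNS (UDP) to router"
add chain=input in-interface-list=GUEST protocol=tcp dst-port=53 action=accept comment="guest: DNS (TCP) to router"
add chain=input in-interface-list=GUEST action=drop comment="guest: drop everything else to router"
```

Rule order matters: the IP firewall evaluates the input chain top-down, so these four rules must sit above any rule that accepts traffic from your LAN interface list (use place-before= or move them in WinBox), and wifi-guest must not also be a member of the LAN list, otherwise the default LAN accept rule matches first and the drop never fires. The established/related accept rule of the default config can stay above them; it only lets replies to connections the router itself initiated through.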
One thing to keep in mind is that bridge filters are quite demanding on CPU. I used the same bridge filters for guest WiFi on hAP ac2 and found out it limits the maximum throughput on WiFi. See http://forum.mikrotik.com/t/vlans-with-wifi-qcom-ac/182887/17
This may not apply to you since the hAP ax3 has a bit more powerful CPU (but not by much), as seen in the official test results. This limitation may not mean anything in a practical sense if your WiFi traffic doesn’t need to exceed 400Mbps.
Thank you for your answers. I think I’ll leave it as it is for now and set up VLANs in the future.
Bridge works at OSI layer 2 (MAC addresses), IP firewall works at layers 3 and above (IP addresses, TCP/UDP ports and so on).
Yes, exactly: a bridge operates at Layer 2 of the OSI model and its filters should also work at this level. However, I asked about the difference between the filters because if a bridge, as we’ve established, operates at Layer 2 of the OSI model, then what the heck are IP-based filters doing there?
Remember, these OSI layers are like an onion peel or a Russian doll. L2 is the outermost before it gets to the physical layer, so if you have the L2 frame, you can unwrap it and look inside.
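To illustrate the "unwrap the frame" point above concretely, here is an added example (not from the thread) of two bridge filter rules: the first matches only on the outer Ethernet header, the second reaches into the IPv4 and UDP headers nested inside the frame. The interface name wifi-guest is an assumption.

```routeros
# Added example, not from the original thread. wifi-guest is an assumed name.
/interface bridge filter

# Outer envelope only: EtherType ARP from the guest interface. Nothing below
# Layer 2 is consulted here.
add chain=forward in-interface=wifi-guest mac-protocol=arp action=log log-prefix="l2-arp"

# Same Layer 2 filter, but mac-protocol=ip tells it the payload is an IPv4
# packet, and ip-protocol / dst-port are then read from the IPv4 and UDP
# headers carried inside that frame. This is how a bridge filter can
# match DHCP (UDP 67) even though it operates on frames, not packets.
add chain=forward in-interface=wifi-guest mac-protocol=ip ip-protocol=udp dst-port=67 action=log log-prefix="l2-dhcp"
```

Both rules use action=log so they change nothing while you watch the log; swap in action=drop only once the matches look right. As noted earlier in the thread, every such rule costs CPU on every forwarded frame, which is the practical reason most setups keep address and port matching in /ip firewall filter and leave the bridge filter for coarse interface-level isolation.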