Guest network

Hello,

I’d like to know what’s the best way to introduce a guest wifi network with a Mikrotik device. I own a hAP ax3.

This is my current setup: I created two slave wifi interfaces, one for the 5GHz radio and one for the 2.4GHz. Then I created a bridge and added the two newly created wifi interfaces to the bridge. After that I assigned an IP address to the bridge and isolated the new network using the firewall.

Is this a best practice or are there better ways to achieve this, maybe without a bridge and involving VLANs?

Nobody has a guest or IoT separate SSID?

You can look at what QuickSet does. IIRC, QuickSet-configured guest wifi uses bridge filters.

That’s very similar to my configuration on my ax2 (and ac2 before that). I have two slave guest networks (one for 2GHz and one for 5GHz) which share the same security configuration profile. They’re in a single guest bridge, which has its own IP, DHCP server, and filter and NAT firewall rules. I put in some forward blocks so that packets can’t be routed between it and the other bridges/networks, isolating it entirely. I haven’t rigorously tested it but my friends and family are trustworthy…I think…

I have a third slave network, tied off the 2GHz master, dedicated to IoT devices. As posted on another topic, I had to disable the “256” varieties of encryption as some of the IoT devices don’t play nicely with them enabled. I have similar filter/NAT rules but there are two devices that I need to access from my primary wired & wireless networks so I’ve poked a few holes. I’d like to lock the IoT devices down to MAC addresses but it appears the access-list isn’t yet functional (or I’m using it wrong) in 7.8.

So far, I’m happy with the setup.

The easy method is one bridge for all vlans.
The vlans provide clear separation at layer 2 ---- DONE
Firewall rules provide clear separation at layer 3 ---- DONE.

No need for multiple bridges, no need for any bridge doing dhcp etc.
All vlans all the time, apples to apples, anything else is dumb unless there is a good reason.

VLAN10-HOME - home wired network and wifi on WLAN1 and WLAN2
VLAN20-GUEST used for virtual WLAN on 5ghz (one of your slaves)
VLAN30-IOT used for virtual WLAN on 2ghz (one of your slaves)
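A RouterOS configuration for the one-bridge VLAN layout described in this post, added here as an example and not part of the original thread. Port names, the wifi slave interface names, VLAN IDs and subnets are assumptions chosen to match the VLAN10/20/30 scheme above.

```routeros
# Added example (not from the thread): one bridge with VLAN filtering on a hAP ax3.
# Assumptions: ether1 is WAN, ether2 is a home wired port, and the wifi slave
# interfaces wifi1-guest (5GHz) and wifi2-iot (2.4GHz) already exist; VLAN IDs,
# names and subnets follow the VLAN10/20/30 scheme in the post above.
/interface bridge
add name=bridge vlan-filtering=no
# Access ports: pvid tags each port's untagged ingress frames with its VLAN.
/interface bridge port
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=wifi1-guest pvid=20
add bridge=bridge interface=wifi2-iot pvid=30
# The bridge is a tagged member of every VLAN so the router can hold an IP
# and run DHCP in each one.
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=10
add bridge=bridge tagged=bridge vlan-ids=20
add bridge=bridge tagged=bridge vlan-ids=30
/interface vlan
add interface=bridge name=vlan10-home vlan-id=10
add interface=bridge name=vlan20-guest vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
/ip address
add address=192.168.10.1/24 interface=vlan10-home
add address=192.168.20.1/24 interface=vlan20-guest
add address=192.168.30.1/24 interface=vlan30-iot
# One DHCP server per VLAN; only the guest one is shown.
/ip pool
add name=pool-guest ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
add address-pool=pool-guest interface=vlan20-guest name=dhcp-guest
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
# Layer-3 separation: guest and IoT reach the internet but not the home VLAN,
# not each other, and only DHCP/DNS on the router itself.
/interface list
add name=UNTRUSTED
/interface list member
add interface=vlan20-guest list=UNTRUSTED
add interface=vlan30-iot list=UNTRUSTED
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop in-interface-list=UNTRUSTED out-interface=vlan10-home
add chain=forward action=drop in-interface=vlan20-guest out-interface=vlan30-iot
add chain=forward action=drop in-interface=vlan30-iot out-interface=vlan20-guest
add chain=input action=accept in-interface-list=UNTRUSTED protocol=udp dst-port=53,67
add chain=input action=accept in-interface-list=UNTRUSTED protocol=tcp dst-port=53
add chain=input action=drop in-interface-list=UNTRUSTED
# Turn filtering on last, from a session on a home VLAN port, so a mistake
# above cannot lock you out of the router.
/interface bridge set bridge vlan-filtering=yes
```

The established,related accept comes first so that connections the home VLAN opens towards IoT devices (the "poked holes" mentioned later in the thread) still get their replies back; everything the untrusted VLANs initiate towards home is dropped.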

I confess I’ve never personally set up any VLANs but have had to live with a lot of broken VLAN networks set up by other people. I’ll consider your setup for a future implementation; thanks for taking the time to post the info!

Don’t mess around with half baked solutions.
Do it properly and use vlan.

Time to learn.

The first step is to loosen your helmet, it's clearly on too tight!

You guys are a lot of fun! Yes, it’s so tight, you can see my face is turning grey.

On a serious note, can you tell me why using a VLAN is superior to using individual bridges? Are there efficiencies or speed differences?

Thanks!

For a start, how many devices are we talking about? Is it a separate router and AP(s), or just a single device? If it’s more than one, then VLANs allow you to have a centralized config on the router, and the AP can act as a dumb transparent device.

I have a relatively straightforward home office setup. I have a RB4011iGS+ (non-wireless) for my upstream provider (fiber via Xfinity), a backup provider (cellular 5G hardware gateway via Straighttalk/Verizon), NAT, and support for a few local network devices. I then run a single Ethernet cable, providing PoE, to a closet with the hAP ax2. That device is simply bridged to that local LAN (so is part of that primary NAT). The guest/IoT networks are NAT’d again with different ranges (double NAT, as I don’t care about performance for those).

Now that I think of it, running VLANs so that the RB4011 is in control of everything and centralizes management is an interesting idea.

I decided to take the VLAN route at last. I read the guide on this forum and used the bridge VLAN filtering method. I guess this is the preferred method, and I’ll be able to easily add more VLANs in the future.