Dear Mikrotik forum users, I would like to kindly ask you for help. I am relatively new to Mikrotik. So far, I use it for common tasks and I love it. What I am trying to achieve now is to implement guest WIFI and I want to do it properly, therefore, using VLANs as I understood from other topics here. I understand the basic concept - trunk port, tagged and untagged ports.
However, when I consider the picture below, I am totally confused and lost, I have no idea how to implement it:
The "therefore" is IMHO a bit too definitive; Guest Wifi can also be done without VLANs (unless you have other requirements that actually need VLANs), JFYI:
@holvoetn thank you very much for sharing the tutorial, it's a shame that I did not find it. I am still digesting it, and digesting is the correct word:-)) So far, I will treat the hAP in my diagram as a switch, because it will act as a switch, all interfaces, including virtual ones for guest wifi, will be part of the bridge, no routing. Therefore, example one from the tutorial is applicable to me. I will come back with the configuration of both devices soon. Thank you again, I really appreciate it. Petr
Hello there, let me please share the configuration of the hAP I have so far:
# 10 = BLUE - LAN
# 20 = GREEN - GUEST WIFI
/interface wifi
set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=ap .ssid=AKS disabled=no security.authentication-types=wpa2-psk,wpa3-psk .passphrase=changeme
set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=ap .ssid=AKS disabled=no security.authentication-types=wpa2-psk,wpa3-psk .passphrase=changeme
add configuration.mode=ap .ssid=AKS-guest disabled=no mac-address=4A:A9:8A:DA:B4:51 master-interface=wifi1 name=wifi3 security.authentication-types=wpa2-psk,wpa3-psk .passphrase=changemeaswell
add configuration.mode=ap .ssid=AKS-guest disabled=no mac-address=4A:A9:8A:DA:B4:52 master-interface=wifi2 name=wifi4 security.authentication-types=wpa2-psk,wpa3-psk .passphrase=changemeaswell
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
# ingress behavior
/interface bridge port
# Blue VLAN
add bridge=BR1 interface=ether1 pvid=10
add bridge=BR1 interface=ether2 pvid=10
add bridge=BR1 interface=ether3 pvid=10
add bridge=BR1 interface=ether4 pvid=10
add bridge=BR1 interface=wifi1 pvid=10
add bridge=BR1 interface=wifi2 pvid=10
# Green VLAN
add bridge=BR1 interface=wifi3 pvid=20
add bridge=BR1 interface=wifi4 pvid=20
# Trunk port, leave pvid set to default of 1
add bridge=BR1 interface=ether5
# egress behavior
/interface bridge vlan
add bridge=BR1 tagged=ether5 vlan-ids=10
add bridge=BR1 tagged=ether5 vlan-ids=20
# Only allow ingress packets without tags on Access Ports
/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wifi1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wifi2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wifi3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wifi4]
# Only allow ingress packets WITH tags on Trunk Ports
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-vlan-tagged [find interface=ether5]
/interface bridge set BR1 vlan-filtering=yes
What is unfortunately not clear to me is how to add an IP to the switch. In the example from the link above, you added a BASE_VLAN interface with a unique VLAN ID and assigned 192.168.0.2/24 to it.
What if I do not want to? What if I want to manage the device simply from the LAN? If I put a DHCP client on top of the bridge, how do I tell it that I want to use a LAN address and not the Guest network?
Thank you, Petr
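One standard RouterOS way to give the hAP a management address inside VLAN 10 with the configuration above, added here as an example and not taken from the thread or the linked tutorial; it assumes the BR1 / ether5 / VLAN 10 names from the posted config and the interface name VLAN10-LAN, and should be applied before vlan-filtering=yes is switched on (or inside Safe Mode), because a bridge that is not a member of the VLAN cannot be reached by its own CPU once filtering is active:

```routeros
# Added example (not from the thread): management address for the hAP in VLAN 10.
# Assumes BR1, ether5 and VLAN 10 as in the configuration posted above.

# 1. Make the bridge itself a tagged member of VLAN 10, next to the trunk.
#    The bridge interface is how the router CPU joins a VLAN; without it,
#    nothing sent to BR1 ever leaves in VLAN 10.
/interface bridge vlan
set [ find bridge=BR1 vlan-ids=10 ] tagged=ether5,BR1

# 2. Create an L3 interface on top of the bridge that carries VLAN 10 only.
#    (VLAN10-LAN is an assumed name.)
/interface vlan
add interface=BR1 name=VLAN10-LAN vlan-id=10

# 3. Put the DHCP client on that VLAN interface, not on BR1.
#    A client on BR1 itself would send untagged frames, i.e. the bridge's
#    own pvid (1), which has no members here and never reaches the LAN.
#    Guest VLAN 20 gets no L3 interface on this device at all, so guest
#    clients cannot reach the hAP's management plane over IP.
/ip dhcp-client
add interface=VLAN10-LAN disabled=no
```

Check the result with /ip dhcp-client print and /interface bridge vlan print: the lease must show on VLAN10-LAN, and the VLAN 10 entry must list BR1 under "tagged" before vlan-filtering is enabled.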
I would suggest you try this out first, to become familiar with creating slave wireless interfaces, implementing the DHCP, routing and firewalling required for a guest network. It works well, does not use vLANs and is done properly, except for one point of criticism. The criticism is that it creates a software bridge for the slave [guest] wireless interfaces rather than using a vLAN as a means to isolate the wireless interfaces together with a DHCP server.
The problem of the software bridge is that it reduces overall performance and it is better to use a vLAN. Don’t let that put you off. I did my first Guest network [on a hap AC lite] using that video and never thought it was sluggish. What I did next, after about a year, was I stripped out the software bridge and replaced it with a vLAN, entirely contained within the access point.
My network is on a slightly bigger scale than yours, but not by much and I have seen the vLAN document posted here many times. It is, as far as I can tell, an excellent document and when people link to it, they mean well. But it is substantially unhelpful for a guest network on the scale which you or I require. The document relates more to Enterprise scale LANs.
I proposed a new forum rule elsewhere today: if you can’t see a need for a Single Broadcast Domain, a vLAN is not going to help you. This is actually the essence of vLANs and key to a Guest Network. The Guest network requires a Single Broadcast Domain to contain Guest user devices and a DHCP server to give them addresses on their own sub net, even though they are using the same ethernet wires as regular users and the non guest DHCP.
So there we have it, the key insight. CAT5 TV in their example achieve the Single Broadcast Domain by creating a software bridge in the access point. I did the same with a vLAN within a single router, and the vLAN allows the Single Broadcast Domain to include Guest Wireless interfaces across many Access points in a CAPsMAN installation.
So looking at your network, you have a need for a Single Broadcast Domain for IP addressing on Guest Wireless Interfaces. But you have no other need. Unless you can positively identify another need for a Single Broadcast Domain, don’t do it, because it will cause more problems [ie 1] than it solves [ie 0]. You and I only have a functional requirement for the one vLAN to achieve segregated addressing for a Guest network.
I have gone through this learning curve and last week completed a CAPsMAN network with a controller and a Guest network across a router and 2 Access points. It differs from the Mikrotik example, because it only uses the 1 vLAN. I can’t think of a need for another vLAN on my system, so I have not got one. That, to me, is doing it properly.
I have notes on my vLAN on a single router example and a 13 page pdf of my CAPsMAN system. I would be happy to share either or both if they would help and if you can think of how to share them.
Hello, thank you very much for posting the reply, but.... I still feel lost:-( Let me explain.
The video from CAT5 (and similar others) I already saw even before posting my original post above. And if I could, I would implement the guest wifi that way (without vLANs) because if it works, it works.
However, I do not have one device - one router connected to the internet with ethernet and wifi interfaces. Unfortunately, I have to have two devices as described in the picture. The reason is how the place is constructed etc... However, in any case, I have to have two devices and that is why my understanding is that vLANs are the only option for me.
Without vLANs, I could imagine that:
put all physical interfaces (including wifi) in the hAP into one bridge
put 2 virtual wifi interfaces for guest network in the hAP into second bridge
I can assign the IP addresses to the bridges or use DHCP
But what next? Then I need to connect the hAP by one ethernet cable to the main router and I need to handle two broadcast domains. In this case, the ether2 in the hEX would need to have 2 IPs which is, as far as I understand, definitely not a correct/standard configuration. That is why we have trunk ports, right?
Thank you, Petr
OK, if you have seen the CAT5 video, it is absolutely the best for your situation. Your setup is exactly like mine was until last week, with the main internet connection on one device and the wireless on another. And I used the CAT5 setup for at least a year, before I stripped out the Guest network bridge and put in a vLAN entirely within the router.
Correct. It is the master wifi interfaces which go on the main bridge on the hAP. The virtual or slave wifi interfaces go on the second bridge. You then either assign IP addresses or use a single DHCP Server on the hEX bridge for your main LAN. If you connect this to the hAP by ethernet without a vLAN, the Single Broadcast Domain extends to everything on the single bridge of the hEX and the main bridge of the hAP.
You then have a second Single Broadcast Domain on the new bridge of the hAP and on the slave wireless interfaces. The CAT 5 video shows you how to set up a DHCP server on that new bridge. It must have an entirely different subnet from the first subnet on the hEX. I like to use a /24 subnet of 10.0.0.0/8 for the main Single Broadcast Domain and a /24 subnet of 172.16.0.0/16 for the guest network. It makes it easier to tell what belongs where. If all your addresses begin 192.168~ on both networks it just adds to the confusion.
So we will say your guest network is on IP 172.~/24 and your main network is on 10.~/24 going forward.
You are right about the cable, but wrong about the IP address. The hEX is a router. Any traffic coming its way on ether2 from the guest network will come from 172.~. Not a problem. The hEX is a router, so it looks where traffic is going NOT where it has come from. It can route traffic from 10.~ down the WAN port using the route it knows for 0.0.0.0/0. The same rule is adequate for traffic from 172.~, because the rule applies according to where the traffic is going, not where it has come from.
So now we come to the firewall. The hEX will naturally want to route anything from 172.~ with a destination of 10.~ on to the hEX main bridge, so it will already know the route to 10.~ is to put the traffic on its bridge. This is undesirable behaviour because it allows anything on the Guest network to interact with devices on your main network. So you need a firewall rule, which can go first in the Forward Chain:
Comment = Drop all from GN for 10.0.0.0/8
Chain = Forward
Source = 172.16.0.0/16
Destination = 10.0.0.0/8
Action = Drop
On outward traffic, the hAP will already know to forward anything to anywhere other than 10.~ to ether1 using the route for 0.0.0.0/0. Routers always move that traffic closer to the door, which is the WAN. But you will need to implement the same firewall rule for the same reason.
Now we come to inbound traffic for the Guest network. It arrives at the WAN port of the hEX and NAT will resolve its destination address as 172.~. This is where you need to add a route on the hEX for destination 172.~ which will be ether2.
And that is it. This is routing. It is basic networking and you should understand this before you ever think about vLANs. RouterOS is actually quite good at recognising what routes it can generate automatically and if everything is working right, I think the only manual route you need to add is on the hEX for destination 172.~
Please forget about vLANs for the time being and get this working the old fashioned way! Particularly because the CAT5 video is the clearest explanation out there, but it just isn’t compatible with vLANs.
Once you have done that and understood it, get yourself a cheap hAP off ebay, plug it into ether3 on the hEX and try doing a Guest network as a vLAN through to the hEX. And remember that you only need the vLAN for the Guest network, it solves nothing for the main network and just adds more problems. Or to put it another way, your Main network is already vLAN1, so if you do anything other than give another vLAN id to the whole main network, you are just breaking something which already works.
Hello:-) thank you for providing such a rigorous description.
Let me rephrase it to have a kind of cookbook.
hEX:
ether1 is PPPoE connected to the ISP
ether2 - ether5 are bridged
the main LAN bridge has a static IP 10.0.0.1/24 assigned
there is main LAN DHCP server which provides IPs from pool 10.~/24 as suggested
we need FW rule to prevent guest address space accessing the main LAN space
finally, a route is needed for the guest network
hAP:
all physical ports (ether and wifi) are bridged together
IP of the main bridge is obtained from the main LAN DHCP server (sitting in the hEX)
there are 2 virtual wifi interfaces bridged to the new "guest bridge"
the guest bridge has an IP 172.16.0.1/24 statically assigned
there is new "guest DHCP server" for "guest bridge", the pool is 172.~/24 as suggested
the same FW rule in the forward chain
If this is correct I am perfectly fine with that.
However, let me repeat the sentence you stated: " The hEX is a router, so it looks where traffic is going NOT where it has come from."
This is exactly where my confusion comes from. I was somehow convinced that I need to configure the hEX "to be aware" of the guest network subnet. Something like I put an IP on the bridge as the default gateway for the devices in the subnet. As I said, the configuration above is ok for me, but I need to understand much better how the routing really works.
Thank you, Petr
Yes, I think you have it there. The place to look in WebFig is [IP → Routes] on both routers and mentally trace a packet coming off the Guest network for the Internet and similarly trace one coming back to the Guest network. [Pretend that NAT is not happening] - the internet sends back a packet to 172.~. I think you will find that most of the paths are already defined and the hAP will already know to send stuff for the internet to the hEX and it is only the path from the hEX to 172.~ you need to add manually.
Just looked back at what I wrote and the Firewall rule Action is Drop, of course. I’ll edit that
Hello @DuctView , it works! Hallelujah!
In order to make it actually work, I adjusted the static route for guest network, the Gateway is the IP of LAN bridge in the hAP (next hop).
Therefore, I also made the following changes in the configuration of the hAP:
Removed the DHCP client and created a static IP for the LAN bridge (used in the hEX in the static route definition)
Created static route for 0.0.0.0/0, the Gateway is the IP of the bridge in the hEX (again, next hop)
I am not done with the FW yet, but that should be ok. So far, I am switching between the main and the guest wifi and cannot believe that I am still connected:-)
Thank you very much for guiding me to this point!
Regards, Petr
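The cookbook from the previous posts, together with the two adjustments Petr describes (static hAP LAN address, explicit routes on both sides), written out as RouterOS commands. This is an added example, not configuration posted in the thread; the addresses 10.0.0.1 (hEX LAN bridge), 10.0.0.2 (hAP LAN bridge), 172.16.0.1 (hAP guest bridge), the DHCP pool range and the interface and bridge names are assumptions, and the hEX's existing main-LAN bridge and DHCP server are taken as already present.

```routeros
# Added example, not from the thread. Assumed addresses: hEX LAN bridge 10.0.0.1/24,
# hAP LAN bridge 10.0.0.2/24 (static), hAP guest bridge 172.16.0.1/24.

# ===== hEX: only the two additions to the existing main-LAN setup =====
# The guest subnet must never be forwarded into the main LAN. Keep this rule
# ahead of any accept/fasttrack rule in the forward chain (move it up if needed).
/ip firewall filter
add chain=forward src-address=172.16.0.0/16 dst-address=10.0.0.0/8 \
    action=drop comment="Drop all from GN for 10.0.0.0/8"
# Return path for replies to guests: the next hop is the hAP's LAN-bridge address,
# which is why that address must be static rather than a DHCP lease.
/ip route
add dst-address=172.16.0.0/24 gateway=10.0.0.2

# ===== hAP: LAN bridge plus a separate guest bridge =====
/interface bridge
add name=bridge-lan
add name=bridge-guest
/interface bridge port
add bridge=bridge-lan interface=ether1      # uplink to hEX ether2
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=wifi1       # master SSIDs (main LAN)
add bridge=bridge-lan interface=wifi2
add bridge=bridge-guest interface=wifi3     # virtual (slave) guest SSIDs
add bridge=bridge-guest interface=wifi4
/ip address
add address=10.0.0.2/24 interface=bridge-lan      # static; referenced by the hEX route
add address=172.16.0.1/24 interface=bridge-guest  # guests' default gateway
/ip pool
add name=pool-guest ranges=172.16.0.100-172.16.0.199
/ip dhcp-server
add name=dhcp-guest interface=bridge-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=172.16.0.0/24 gateway=172.16.0.1 dns-server=172.16.0.1
# The hAP resolves for guests itself and forwards upstream (hEX resolver assumed),
# so guest DNS does not need to cross into 10.0.0.0/8 and hit the drop rule.
/ip dns
set allow-remote-requests=yes servers=10.0.0.1
# Everything that is not local goes to the hEX (next hop, as Petr set it).
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.1
# The same isolation rule on the hAP: guest -> main LAN is dropped at the router
# that first sees it, before it ever reaches the hEX.
/ip firewall filter
add chain=forward src-address=172.16.0.0/16 dst-address=10.0.0.0/8 \
    action=drop comment="Drop all from GN for 10.0.0.0/8"
```

To verify the isolation from a guest client, a ping to 10.0.0.1 should time out while a ping to an internet address succeeds; /ip route print on the hEX should show the 172.16.0.0/24 entry as active with gateway 10.0.0.2 reachable via the LAN bridge.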
Now if you want to do it by vLAN, I have had a think and you don’t need to get another hAP. You just put another slave interface on the main wireless interface and set up a vlan. This leaves you with a working installation while you play with vLANs. Just make sure the ports between the hAP and the hEX are PVid=1 and tagged to the new vLAN to allow your main and guest network traffic to pass as well as the vLAN.
This will be another Single Broadcast Domain, so you need another subnet and DHCP. You just connect the new slaves to the new vLAN and do the ‘plumbing’ to get the vLAN to the hEX. Doing it this way, you can put the new DHCP server on the hEX, but working on the vLAN and you can see all the DHCP leases across your network in [IP → DHCP Server → Leases] on the hEX. If you put an IP address on the vLAN on the hEX, the hEX should work out for itself the return route to the hAP.
Or perhaps you are just satisfied to reach the point where you are now? I am fairly new to vLANs and I can see some advantages, but I wouldn’t want to go there without being confident about routing.
Hi @DuctView , yes, exactly, now I am satisfied at this point, because it is a working solution. I will finish VPN, FW and hardening. However, the vLAN topic is unfinished and in general, I hate unfinished topics in my life. I will digest what I have just learned and come back to the topic again. And of course, the goal is to build a solution as good as possible. But it is also fair to say that I am not skilled enough to do it right now.
Thank you for supporting me! Petr