I am setting up my MikroTik cAP ac right now, but am running into trouble with setting up my guest WiFis. All guides I found are for a different setup, so I will explain mine:
I am running two separate VLANs: VLAN 10 (192.168.5.0/24) and VLAN 20 (192.168.2.0/24). Both have an internet connection and need to be separated, since we have two separate units here and they have separate internet connections as well.
I have set up VLAN interfaces (both on ether1) vlan10 and vlan20.
I have setup two bridges:
bridge-vlan10 containing interface vlan10 and a virtual wifi for regular usage WIFI1
bridge-vlan20 containing interface vlan20 and a virtual wifi for regular usage WIFI2
Now, I need to set up at least one (better two) additional WiFis for guest usage, GUEST1 (and GUEST2): one needs to be routed via 192.168.5.0/24 to gateway/router 192.168.5.1 and the other one to 192.168.2.0/24.
Of course I want to isolate them from the regular-usage WiFis.
I started with setting up the first one, and will tell you what I already tried:
I set up the WiFi GUEST1 and a separate/dedicated bridge (including DHCP server…). Of course there is no internet access, since this bridge is not aware of the router at 192.168.5.1, and even with routing it is not that easy, since this separate bridge is not in vlan10. I also played around with NAT (many different settings), but I always missed the point of how to get this separate bridge into vlan10 to be able to provide access to 192.168.5.1.
I hope I described my problem in a way you understand and maybe can help me.
Meanwhile I managed to set it up and want to share my solution here.
I set up two guest wifis.
I set up two additional bridges for the guest WiFis, then two additional VLAN interfaces for 10 and 20 - bound to the bridge device - and then added the VLAN interfaces to the new bridges. I set a fixed IP on both bridges and defined two separate DHCP servers for both bridge devices.
Then I set up two NAT rules in Firewall for the GUEST1 and GUEST2 IP ranges, chain src-nat, action masquerade.
To make sure the guest WiFis get routed through the right network, I set up in Firewall two mangles with pre-routing source address GUEST1 and GUEST2 IP range, action mark-routing, routing mark vlan10 and vlan20. In routing I defined a route to 0.0.0.0/24 for GUEST1 via 192.168.5.1 with routing mark vlan10 and a route to 0.0.0.0/24 for GUEST2 via 192.168.2.1 with routing mark vlan20.
To forbid all other access for the guest WiFis I set in Firewall chain forward, action drop, src addr 192.168.0.0/16, dst addr GUEST1 and GUEST2 IP range.
I guess that’s it. I hope it helps somebody.
/Markus
That’s not the proper way of doing it. The proper way is to use a single bridge with vlan-filtering=yes, with the appropriate pvid set for individual ports (e.g. wlan2, wlan4, …), the bridge set as a tagged member of the appropriate VLANs and /interface vlan anchored to the bridge. Then the IP stuff (address, DHCP server, …) is bound to the appropriate VLAN interface.
I am not sure how to do it with vlan-filtering, since for my “regular WiFi” on VLAN 10 I need no DHCP server at all, but I do for my “guest WiFi”, which needs to run on (or at least through) VLAN 10 as well. Maybe you can describe it in a bit more detail? Or maybe I need to describe my problem in more detail?
Your description of your requirement is also not clear to me; all I can think of that you maybe want when saying “running through VLAN 10” is possibly what is called QinQ VLANs, i.e. tunneling a VLAN inside another VLAN.
I have two existing VLANs VLAN 10 (192.168.5.0/24) and VLAN 20 (192.168.2.0/24). Both with a separate internet connection via 192.168.5.1 and 192.168.2.1
Both VLANs get tagged into the MikroTik cAP ac via ether1.
Now I want to have four WiFis:
WiFi-10 with full access to VLAN 10 and internet access routed via 192.168.5.1. A DHCP Server is running on 192.168.5.1.
WiFi-20 with full access to VLAN 20 and internet access routed via 192.168.2.1. A DHCP Server is running on 192.168.2.1.
WiFi-10-Guest with internet access routed via 192.168.5.1. DHCP Server needed!
WiFi-20-Guest with internet access routed via 192.168.2.1. DHCP Server needed!
Of course traffic between WiFi-10, WiFi-20, WiFi-10-Guest, WiFi-20-Guest and the corresponding VLANs/networks behind them should be (kept) isolated.
Can’t you just make two additional VLANs for the guest networks?
With four VLANs you will be able to separate (or share) any combination of sharing/blocking you like.
Nope, all VLANs have to be on VLAN 10, remember...
When one creates requirements based on the config and NOT on user requirements, one falls into such config traps LOL.
Of course the obvious answer is to run separate VLANs for guest WiFi...
Agree, but then I would need (in my special setup) an additional piece of hardware “combining” VLAN 10 and the guest VLAN for internet access… I tried to avoid it, and with my setup described in the second post I was able to do so.
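For reference, here is how the single-bridge, vlan-filtering layout recommended in the second reply can meet the four-WiFi requirement listed in the thread without extra hardware: the guest VLANs exist only inside the cAP and leave it through NAT onto VLAN 10 / VLAN 20, so no guest VLAN ever has to be tagged on ether1. This is an added example, not configuration posted by anyone in the thread; it assumes RouterOS v6 syntax (routing-mark, as used above), virtual APs already created under the assumed names wlan-main10/20 and wlan-guest10/20, guest VLAN ids 110/120 with subnets 192.168.110.0/24 and 192.168.120.0/24, free addresses .2 on the existing VLANs for the cAP, and a public resolver for guests (the drop rule keeps them away from 192.168.5.1 / 192.168.2.1).

```routeros
# Assumed names: wlan-main10/20 and wlan-guest10/20 are virtual APs created beforehand.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan-main10 pvid=10
add bridge=bridge1 interface=wlan-main20 pvid=20
add bridge=bridge1 interface=wlan-guest10 pvid=110
add bridge=bridge1 interface=wlan-guest20 pvid=120
# 10/20 stay tagged on the ether1 trunk; guest VLANs 110/120 are local to the cAP and never leave via ether1.
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether1 untagged=wlan-main10
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether1 untagged=wlan-main20
add bridge=bridge1 vlan-ids=110 tagged=bridge1 untagged=wlan-guest10
add bridge=bridge1 vlan-ids=120 tagged=bridge1 untagged=wlan-guest20
/interface vlan
add name=vlan10 interface=bridge1 vlan-id=10
add name=vlan20 interface=bridge1 vlan-id=20
add name=vlan110 interface=bridge1 vlan-id=110
add name=vlan120 interface=bridge1 vlan-id=120
# The cAP needs an address on 10/20 only to reach the upstream gateways (assumed: .2 is free there).
/ip address
add address=192.168.5.2/24 interface=vlan10
add address=192.168.2.2/24 interface=vlan20
add address=192.168.110.1/24 interface=vlan110
add address=192.168.120.1/24 interface=vlan120
/ip pool
add name=pool-g10 ranges=192.168.110.10-192.168.110.250
add name=pool-g20 ranges=192.168.120.10-192.168.120.250
/ip dhcp-server
add name=dhcp-g10 interface=vlan110 address-pool=pool-g10 disabled=no
add name=dhcp-g20 interface=vlan120 address-pool=pool-g20 disabled=no
/ip dhcp-server network
add address=192.168.110.0/24 gateway=192.168.110.1 dns-server=9.9.9.9
add address=192.168.120.0/24 gateway=192.168.120.1 dns-server=9.9.9.9
/ip firewall mangle
add chain=prerouting src-address=192.168.110.0/24 dst-address-type=!local action=mark-routing new-routing-mark=to-vlan10 passthrough=no
add chain=prerouting src-address=192.168.120.0/24 dst-address-type=!local action=mark-routing new-routing-mark=to-vlan20 passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.5.1 routing-mark=to-vlan10
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to-vlan20
/ip firewall nat
add chain=srcnat src-address=192.168.110.0/24 out-interface=vlan10 action=masquerade
add chain=srcnat src-address=192.168.120.0/24 out-interface=vlan20 action=masquerade
# Guests reach only the internet: anything guest-initiated towards private ranges is dropped in forward.
/ip firewall filter
add chain=forward src-address=192.168.110.0/24 dst-address=192.168.0.0/16 action=drop
add chain=forward src-address=192.168.120.0/24 dst-address=192.168.0.0/16 action=drop
# Turn filtering on last, once the VLAN table is complete, or management access over the bridge is lost.
/interface bridge set bridge1 vlan-filtering=yes
```

Because the guest rules match on the guest source subnets rather than on the regular VLANs, a client on WiFi-10 keeps using the DHCP server and gateway on 192.168.5.1 exactly as before, while a guest on WiFi-10-Guest is policy-routed through 192.168.5.1 but cannot reach anything in 192.168.0.0/16.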