hAP AC guest wireless

I just purchased a pair of hAP AC and enabled a Guest WiFi network using Quick Set. As far as I can tell the Guests are not isolated using a VLAN, but I can’t ping others on the “real” network when connected to the Guest. How does it all work? I assume it would still be preferred to separate the two using VLANs, how would I achieve that?

Have you looked at the firewall settings? Could you print your config there?

It seems something has changed, I don’t get an IP now. Could you point me in the correct direction as to how to set up a Guest WiFi on hAP?

For Guest Wifi where a client has only 1 Guest AP, I usually do the following.

  1. Split out the wifi interface onto its own subnet. I.e., my staff network will be 192.168.88.0/24 and my wifi network will be 192.168.89.0/24
    Bridge > Ports, remove wifi interface from bridge-local
    IP > Addresses, assign 10.0.0.1/24 to wlan1
    IP > Pool, create a new DHCP IP pool with range 10.0.0.0/24
    IP > DHCP Server, create the DHCP Server for wlan1

  2. Prevent clients from talking to each other.
    Interface > wlan, set default forward to not checked.
    This function only works between wifi clients on the same AP.

  3. Prevent clients from assigning themselves static IPs. They must use DHCP
    Interface > wlan, set ARP to read-only

  4. Prevent clients from communicating to staff network via firewall.
    IP > Firewall > Filters, create rule. Chain=forward, dst-address=192.168.88.0/24, in-interface=wlan1, action=drop
    IP > Firewall > Filters, create rule. Chain=forward, src-address=192.168.88.0/24, in-interface=wlan1, action=drop
    (The second rule is cautionary, in case someone figures out how to send a packet with a src-address of the staff network)

  5. Prevent clients from accessing winbox, web admin, etc. of the router. But do allow DNS
    IP > Firewall > Filters, create rule. Chain=input, in-interface=wlan1, protocol=udp, dst-port=53, action=allow
    IP > Firewall > Filters, create rule. Chain=input, in-interface=wlan1, action=drop
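
The five steps above as RouterOS terminal commands, added here as an example and not part of the original post. It assumes the legacy `/interface wireless` menu, the 10.0.0.0/24 guest addressing used in step 1, and hypothetical names `guest-pool` and `guest-dhcp`; the CLI value names are `reply-only` for the ARP mode and `accept` for the allowing action.

```routeros
# Added example. wlan1 = guest radio, 192.168.88.0/24 = staff LAN,
# 10.0.0.0/24 = guest subnet (all taken from the steps above).
# The pool range and the names guest-pool / guest-dhcp are assumptions.

# Step 1: take wlan1 out of the bridge, give it its own subnet and DHCP server
/interface bridge port remove [find interface=wlan1]
/ip address add address=10.0.0.1/24 interface=wlan1
/ip pool add name=guest-pool ranges=10.0.0.10-10.0.0.254
# add-arp=yes makes the DHCP server create the ARP entries that
# arp=reply-only (step 3) relies on; without it, leased clients get no replies.
/ip dhcp-server add name=guest-dhcp interface=wlan1 address-pool=guest-pool add-arp=yes disabled=no
# dns-server points at the router, so /ip dns allow-remote-requests must be yes
/ip dhcp-server network add address=10.0.0.0/24 gateway=10.0.0.1 dns-server=10.0.0.1

# Steps 2 and 3: no client-to-client forwarding on this AP, DHCP-only addressing
/interface wireless set wlan1 default-forwarding=no arp=reply-only

# Step 4: block guest traffic to the staff network, plus spoofed staff sources
/ip firewall filter add chain=forward in-interface=wlan1 dst-address=192.168.88.0/24 action=drop comment="guest to staff"
/ip firewall filter add chain=forward in-interface=wlan1 src-address=192.168.88.0/24 action=drop comment="guest spoofing staff source"

# Step 5: allow DNS to the router, then drop everything else aimed at it.
# The accept must sit above the drop, so the order of these two lines matters.
/ip firewall filter add chain=input in-interface=wlan1 protocol=udp dst-port=53 action=accept comment="guest DNS"
/ip firewall filter add chain=input in-interface=wlan1 action=drop comment="guest to router"
```

`add` appends each rule to the end of its chain, so check with `/ip firewall filter print` that the guest rules sit above any existing catch-all drop in `input` and above any broad accept in `forward`.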

Van9018, thank you for your reply. I should have perhaps mentioned that I have two hAPs.