Help please with guest wlan

Hello,

I’m failing to set up a guest wlan in this scenario. I hope I can find help here.

I have a LAN, 192.168.8.0/24. I put an mAP, with everything bridged, into that LAN (eth1); this way I have a free port as before (now eth2) for a PC and a wireless AP for connecting a wireless printer at that point. The DHCP server is already present on this LAN; everything here is bridged.

I want to set up a guest (isolated) AP on this mAP and I’m having a lot of problems because I can’t run DHCP on slave interfaces, bridge filters (as in QuickSet) don’t run if the mAP is fully bridged, and my VLAN attempts don’t give me WAN access…

Can anyone give an example with ROS 7.15?

Thanks in advance.

The solution would be to create the Virtual AP as you probably did, add it to a second bridge and after that continue configuring DHCP (the bridge will be the interface on which it should be running), firewall rules, etc.

This was the solution I found. The DHCP server shows in red until some client gets an IP from it, I don’t know why, but it runs fine:

# 2024-09-23 09:56:57 by RouterOS 7.16rc4
# software id = JU87-GNM6
#
# model = RBmAP2nD
# serial number =
/interface bridge
add name=bridge1
# wlan1 is the guest SSID; it stays out of bridge1 and is used as a routed interface below
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=spain disabled=no frequency=auto mode=ap-bridge ssid=Andine-invitados wireless-protocol=802.11 wps-mode=disabled
# the pre-shared keys are not shown (the export hides sensitive values); wlan1 uses the default profile
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=privado supplicant-identity=""
# wlan2 is the private virtual AP on top of wlan1 and is bridged into the main LAN
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=D6:01:C3:42:E2:08 master-interface=wlan1 multicast-buffering=disabled name=wlan2 security-profile=privado ssid=AND_hall wps-mode=disabled
/ip pool
add name=dhcp_pool1 ranges=10.20.30.2-10.20.30.254
# the guest DHCP server runs directly on wlan1; it shows red while no client is associated
/ip dhcp-server
add address-pool=dhcp_pool1 interface=wlan1 name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan2
/ip address
add address=10.20.30.1/24 interface=wlan1 network=10.20.30.0
# the mAP itself takes its LAN address from the existing DHCP server on 192.168.8.0/24
/ip dhcp-client
add interface=bridge1
/ip dhcp-server network
add address=10.20.30.0/24 dns-server=10.20.30.1 gateway=10.20.30.1
/ip dns
set allow-remote-requests=yes
# guest traffic is NATed behind the mAP's LAN address; there are no filter rules yet, so guests can still reach the LAN
/ip firewall nat
add action=masquerade chain=srcnat src-address=10.20.30.0/24
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Recepcion
/system note
set show-at-login=no



Sure, now it’s good practice to isolate the main bridge from the guest wireless network. Can you post me some examples?

Thank you in advance.

This would be done with the help of firewall rules, of course:

/ip firewall filter
# keep replies to sessions that were already allowed in either direction
add action=accept chain=forward connection-state=established,related,untracked
# the LAN may not open connections towards the guest SSID
add action=drop chain=forward in-interface=bridge1 out-interface=wlan1
# guests may open HTTP/HTTPS towards bridge1; note that bridge1 carries the LAN hosts as well as the path to the internet, so this also lets guests reach port 80/443 on LAN machines
add action=accept chain=forward protocol=tcp dst-port=80,443 in-interface=wlan1 out-interface=bridge1
# everything else from the guest SSID is dropped
add action=drop chain=forward in-interface=wlan1 out-interface=bridge1

The second rule acts as an exception for internet access from the wlan interface.
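Added example, not from the thread: a filter set for the exact configuration the original poster exported above (guest subnet 10.20.30.0/24 routed on wlan1; LAN 192.168.8.0/24 and the path to the upstream gateway both behind bridge1). Because LAN hosts and the internet are reached through the same bridge1, interface matching alone cannot tell them apart, so the LAN is excluded by address list before traffic to bridge1 is accepted, and the input chain limits what guests may ask of the router itself. It assumes an otherwise empty filter table (as in the export) and that 192.168.8.0/24 is the only private subnet behind bridge1; the address-list name and the comments are mine.

```routeros
# Added example: guest isolation for the exported mAP config (wlan1 = guest, routed; bridge1 = LAN + uplink).
# Assumptions: the filter table is empty; 192.168.8.0/24 is the only private network reachable through bridge1.

# stop guest clients talking to each other over the air (legacy wireless driver setting)
/interface wireless
set wlan1 default-forwarding=no

/ip firewall address-list
add list=lan-nets address=192.168.8.0/24 comment="main LAN behind bridge1; add every other private subnet here"

/ip firewall filter
# forward chain: guest <-> everything else
add chain=forward action=accept connection-state=established,related,untracked comment="replies to allowed sessions"
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop in-interface=wlan1 dst-address-list=lan-nets comment="guest -> LAN: blocked by address, not only by interface"
add chain=forward action=drop in-interface=bridge1 out-interface=wlan1 comment="LAN -> guest"
add chain=forward action=accept in-interface=wlan1 out-interface=bridge1 comment="guest -> internet (LAN already excluded above)"
add chain=forward action=drop in-interface=wlan1 comment="anything else from guest"

# input chain: guests may only use the router for DHCP and DNS (no WinBox/SSH/web from the guest SSID)
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=accept in-interface=wlan1 protocol=udp dst-port=67 comment="DHCP"
add chain=input action=accept in-interface=wlan1 protocol=udp dst-port=53 comment="DNS (resolver at 10.20.30.1)"
add chain=input action=accept in-interface=wlan1 protocol=tcp dst-port=53
add chain=input action=drop in-interface=wlan1 comment="no management from guest"
```

Rule order matters: the address-list drop has to sit above the accept to bridge1, otherwise the accept matches first. Check with `/ip firewall filter print stats` from a guest client that the LAN drop counter increases when you try to reach a 192.168.8.x host while the accept counter increases for internet traffic.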

Implement separate VLANs for LAN and guest and assign a DHCP server per VLAN. Adjust the firewall accordingly. This will fix your problems, including the red DHCP server (which is red because the wlan interface is considered disabled until at least a single client is connected, and a DHCP server on a disabled interface is red indeed).

For such a simple setup VLANs would be a pushover in my opinion. Appropriate firewall rules and assigning the wlan1 interface to a bridge to be used for DHCP so that it doesn’t show red should be enough.

There’s not much configuration related to VLANs in this setup. Bridge filter, two interfaces, move the IP from the bridge to the LAN VLAN, an appropriate datapath per wlan. Then what you said: firewall and so on.

Your solution works too though, it’s fine. It’s just my opinion that it should be configured this way.

I’d like to configure it with VLANs but tried a lot with no success. Can you post a basic script for testing?

Thank you all. Love MT and the MT community.

Yes, here it is

/interface bridge
# you may not want admit-only-vlan-tagged if untagged traffic will still flow in the bridge
add frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes

/interface bridge port
add bridge=bridge interface=wifi-5ghz
/interface bridge vlan
add bridge=bridge tagged=bridge,wifi-5ghz-guest vlan-ids=10
add bridge=bridge tagged=bridge,wifi-5ghz vlan-ids=100
add bridge=bridge tagged=bridge vlan-ids=50

/interface vlan
# arp=reply-only: the interface only uses static ARP entries, which add-arp=yes below creates from DHCP leases, so hosts with a self-assigned address are ignored
add arp=reply-only interface=bridge name=guest vlan-id=10
add arp=reply-only interface=bridge name=iot vlan-id=50
add interface=bridge name=lan vlan-id=100

/ip pool
# the pools referenced by the DHCP servers were not in the post; ranges assumed from the /24 networks below
add name=lan ranges=192.168.100.2-192.168.100.254
add name=guest ranges=192.168.10.2-192.168.10.254
add name=iot ranges=192.168.50.2-192.168.50.254

/ip address
add address=192.168.100.1/24 interface=lan network=192.168.100.0
add address=192.168.10.1/24 interface=guest network=192.168.10.0
add address=192.168.50.1/24 interface=iot network=192.168.50.0

/ip dhcp-server
add add-arp=yes address-pool=lan interface=lan name=lan
add add-arp=yes address-pool=guest interface=guest name=guest
add add-arp=yes address-pool=iot interface=iot name=iot
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
add address=192.168.50.0/24 dns-server=8.8.8.8 gateway=192.168.50.1
add address=192.168.100.0/24 dns-server=192.168.100.1 gateway=192.168.100.1

/interface wifi datapath
add bridge=bridge disabled=no name=home-private-datapath vlan-id=100
add bridge=bridge disabled=no name=home-guest-datapath vlan-id=10
add bridge=bridge disabled=no name=iot-datapath vlan-id=50

You can probably skip adding the bridge port manually and setting the wireless interfaces as tagged, but you should set the bridge as tagged on the required VLANs; the datapath will do the rest for you. This config works fine on my ax3. Remember to configure the firewall so the VLANs have internet access and can’t access each other.
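Added example, not part of the thread: the same guest network done the VLAN way on the original poster's mAP. That device runs the legacy `wireless` driver (the export above uses `/interface wireless`), so the `/interface wifi datapath` commands from the ax3 config do not apply there; instead wlan1 becomes an untagged member of VLAN 10 on the single bridge and the guest IP, DHCP server and NAT sit on a VLAN interface, which is always running, so the DHCP server no longer shows red. The guest subnet 10.20.30.0/24 follows the export; VLAN ID 10 and the names `guest`, `guest-pool` and `guest-dhcp` are my choice. The filter rules from the earlier reply apply unchanged with `in-interface=guest` in place of `wlan1`.

```routeros
# Added example: VLAN-based guest network on the RBmAP2nD (legacy wireless driver), single bridge.
# Assumptions: starting from an empty config; LAN 192.168.8.0/24 stays untagged (VLAN 1) on ether1/ether2/wlan2;
# the guest SSID on wlan1 becomes VLAN 10. VLAN ID 10 and the names below are chosen here, not taken from the thread.

/interface bridge
add name=bridge1 comment="vlan-filtering is switched on last, so the device is not cut off half-way"

/interface bridge port
# LAN side: untagged, default pvid 1 (the bridge itself is a dynamic untagged member of VLAN 1 too)
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wlan2
# guest side: access port in VLAN 10; refuse tagged frames so a guest cannot tag its way into VLAN 1
add bridge=bridge1 interface=wlan1 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# the bridge is a tagged member so the router can terminate VLAN 10 on a VLAN interface
add bridge=bridge1 vlan-ids=10 tagged=bridge1 untagged=wlan1

/interface vlan
add name=guest interface=bridge1 vlan-id=10

/interface wireless
set wlan1 default-forwarding=no comment="no guest-to-guest forwarding on the AP"

/ip pool
add name=guest-pool ranges=10.20.30.2-10.20.30.254

/ip address
add address=10.20.30.1/24 interface=guest

/ip dhcp-server
add name=guest-dhcp interface=guest address-pool=guest-pool
/ip dhcp-server network
add address=10.20.30.0/24 gateway=10.20.30.1 dns-server=10.20.30.1

/ip dns
set allow-remote-requests=yes

/ip dhcp-client
add interface=bridge1 comment="router's own LAN address from the existing LAN DHCP server"

/ip firewall nat
add chain=srcnat action=masquerade src-address=10.20.30.0/24 out-interface=bridge1

# last step: enable VLAN filtering (check the table with /interface bridge vlan print first)
/interface bridge
set bridge1 vlan-filtering=yes
```

Apply it over a console or WinBox session that does not depend on the bridge, or wrap the last step in Safe Mode; once `vlan-filtering=yes` is active, `/interface bridge vlan print` should show VLAN 10 with bridge1 tagged and wlan1 untagged, plus the dynamic VLAN 1 entry for the LAN ports.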