Hotspot Guest Network

I just have a quick question and was wondering if someone can point me in the right direction. Here is what I have going on and here is what I want. I have 2 access points (upstairs/downstairs) and the MikroTik router with wireless enabled on the main floor. I want to use the downstairs access point (which is connected via Ethernet) as a guest network, keeping them isolated from the rest of the network. Is the best way to go about that the hotspot? If so, how do I specify that interface, etc.?

Thanks for your help.

Depends on what you want to happen. The best thing for keeping the two separate is to have two routed interfaces for the LAN running and have a different subnet on each. Then have a firewall setup to block communication between the routed interfaces. Hotspot will not gain you that, it will only require people that come in to go through a login process before accessing the internet.

Ah! I got that now, the hotspot simply creates the login page. What I want is a VLAN to separate the guests from the rest of the network. I’ve been trying my best to figure it out, but I seem to be hung up. Right now my router is set up basically in the default configuration with the “Bridge-Local”, ether2 as the master, ether1 as gateway, and the rest as slaves.

My understanding of what I need to do in theory is, for example, say ether5 leads to the AP I want to be in the guest VLAN; in addition I want a virtual AP to be included in the guest VLAN. My understanding would be I need to “unslave” ether5 and then create a bridge between the virtual AP and ether5. Once I’ve done that I need to create the VLAN, specify the interface as the guest bridge, and then add an address and a DHCP server to the VLAN. My problem is… it does not work. I must be doing something wrong, because when I plug a device into ether5 it doesn’t take an IP address.

Let me know if there is any info you need. I would really appreciate some help! Thank you!

You really don’t need VLANs for your setup. VLANs are great when used in appropriate situations, but for a small network like yours there’s no need for them, unless you wanted to have the management interface of the access points on a separate routed interface for security, and that requires your access points supporting it.

1.) Yes, remove the master-port setting from ether5 in your example, and if you wanted to have the router broadcasting a guest SSID as well as an admin one, make a virtual AP. Bridge ether5 and the virtual AP together.
2.) Set up the IP address, DHCP server, etc. on the bridge you just created, along with the NAT rules to allow it to get online.
3.) In the firewall, set up a couple of rules on the forward chain that drop traffic coming in on the new bridge and going out on the old bridge, and vice versa.

Thanks for the reply!

I followed your directions and understand all but the following:

  1. What NAT rules would be required to allow the different subnet to get out to the internet?

  2. What firewall rules do I need to keep packets from getting from one network to the other, or basically from my Guest to Admin network?

Thanks!

For example, for NAT:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

You can make more specific rules if you had multiple public IP addresses, or wanted something different.

For the firewall:

/ip firewall filter
add action=drop chain=forward in-interface=Admin out-interface=Guest
add action=drop chain=forward in-interface=Guest out-interface=Admin
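The three steps from the earlier reply, plus the NAT and forward-chain rules above, pulled together into one RouterOS configuration script. This is an added worked example, not the thread author's own configuration: it assumes RouterOS v6 before 6.41 (the master-port era the thread is written against), that the default admin bridge is named bridge-local, that ether1 is the WAN port, ether5 the port leading to the downstairs AP, and wlan1 the router's own wireless card; the guest subnet 192.168.10.0/24, the interface name bridge-guest and the key placeholder are constructed values. It also adds an input-chain section the thread does not mention: the forward chain only governs traffic passing through the router, so without it guests can still reach the router's own management services.

```routeros
# Added example (not from the thread). Assumed names: bridge-local (admin
# bridge), ether1 (WAN), ether5 (guest AP port), wlan1 (router wireless).
# 192.168.10.0/24 and bridge-guest are constructed; change to suit.

# Step 1: detach ether5 from the admin bridge's master port
/interface ethernet
set ether5 master-port=none

# Separate WPA2 profile so the guest key is not the admin key
/interface wireless security-profiles
add name=guest-profile mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key=CHANGE-ME-GUEST-KEY

# Virtual AP on wlan1 broadcasting the guest SSID
/interface wireless
add name=wlan-guest master-interface=wlan1 ssid=Guest mode=ap-bridge \
    security-profile=guest-profile disabled=no

# Guest bridge holding ether5 and the virtual AP
/interface bridge
add name=bridge-guest
/interface bridge port
add bridge=bridge-guest interface=ether5
add bridge=bridge-guest interface=wlan-guest

# Step 2: address, pool and DHCP server on the guest bridge
/ip address
add address=192.168.10.1/24 interface=bridge-guest
/ip pool
add name=guest-pool ranges=192.168.10.10-192.168.10.200
/ip dhcp-server
add name=guest-dhcp interface=bridge-guest address-pool=guest-pool disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
# Guests resolve through the router, so it must answer remote DNS queries
/ip dns
set allow-remote-requests=yes

# One masquerade rule on the WAN interface covers both LAN subnets
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

# Step 3: forward chain, block traffic crossing between the two bridges
/ip firewall filter
add chain=forward action=drop in-interface=bridge-guest out-interface=bridge-local \
    comment="guest -> admin"
add chain=forward action=drop in-interface=bridge-local out-interface=bridge-guest \
    comment="admin -> guest"

# Input chain (not covered in the thread): the forward chain does nothing for
# packets addressed to the router itself, so guests could still reach WinBox,
# SSH or the web UI on 192.168.10.1. Allow only DHCP and DNS from the guest
# bridge and drop everything else to the router from that side.
add chain=input action=accept in-interface=bridge-guest protocol=udp dst-port=67 \
    comment="guest DHCP"
add chain=input action=accept in-interface=bridge-guest protocol=udp dst-port=53 \
    comment="guest DNS"
add chain=input action=accept in-interface=bridge-guest protocol=tcp dst-port=53 \
    comment="guest DNS (TCP)"
add chain=input action=drop in-interface=bridge-guest \
    comment="no router management from guest"
```

Rule order matters: `add` appends to the end of each chain, so if the router already carries a broad `chain=input action=accept` rule for LAN traffic, the guest drop rule above will never be reached; use `move` or `place-before=` to put the guest input rules ahead of it. To confirm the isolation, plug a laptop into ether5, check it receives a 192.168.10.x lease, then verify it can reach the internet but times out against an address on the admin subnet and against the router's WinBox/SSH ports; `/ip firewall filter print stats` should show the drop counters climbing while you test.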