Hotspot with multiple "isolated" subnets

SCENARIO:
We have one physical network (simple switches without the ability to create VLANs) and two user categories:
a) students
b) (hotel) guests
The rooms are “shared”, so today a room can be occupied by a student and tomorrow the room might be occupied by a guest. Both groups should be isolated and under different sets of rules (e.g. connection speed, etc.)

Ethernet Interfaces:

     #    NAME   MTU   MAC-ADDRESS        ARP
     0 R  lan    1500  00:15:5D:60:02:07  enabled
     1 R  wan    1500  00:15:5D:60:02:06  enabled

IP Addresses:

     #   ADDRESS            NETWORK         INTERFACE
     0   192.168.69.10/24   192.168.69.0    wan
     1   192.168.100.1/24   192.168.100.0   lan
     2   192.168.101.1/24   192.168.101.0   lan
     3   192.168.102.1/24   192.168.102.0   lan

IP Pools:

     #   NAME      RANGES
     0   DHCP      192.168.100.10-192.168.100.254
     1   Student   192.168.101.10-192.168.101.254
     2   Guest     192.168.102.10-192.168.102.254

Routes:

     #       DST-ADDRESS        PREF-SRC        GATEWAY        DISTANCE
     0 A S   0.0.0.0/0                          192.168.69.1   1
     1 ADC   192.168.69.0/24    192.168.69.10   wan            0
     2 ADC   192.168.100.0/24   192.168.100.1   lan            0
     3 ADC   192.168.101.0/24   192.168.101.1   lan            0
     4 ADC   192.168.102.0/24   192.168.102.1   lan            0

Firewall:
Standard MikroTik hotspot-generated rules + srcnat masquerades on addresses 192.168.101.0/24 and 192.168.102.0/24

The DHCP server listens on the lan interface and leases addresses from the DHCP IP Pools.

There are two hotspot user profiles:

     0 * name="student" address-pool=Student idle-timeout=none keepalive-timeout=2m status-autorefresh=1m
         shared-users=1 add-mac-cookie=yes mac-cookie-timeout=52w1d address-list="" transparent-proxy=no

     1   name="hotel" address-pool=Hotel idle-timeout=none keepalive-timeout=2m status-autorefresh=1m
         shared-users=1 add-mac-cookie=yes mac-cookie-timeout=3d address-list="" transparent-proxy=yes
         open-status-page=always advertise=no

The hotspot IP address is 192.168.100.1

To this point everything works as expected: when I log in as a hotel user I get an address (one-to-one) from the Hotel pool. Same thing for student. Of course, from the DHCP point of view everybody has an IP address from the DHCP pool.

My first question is how to “isolate” users from both subnets. For instance, I don’t want a STUDENT to be able to ping a GUEST computer or share files with her.

My second question is related to the old article: https://mikrotik.com/documentation/manual_2.6/IP/Hotspot.html. Obviously the hotspot setup was a bit different back then.
The document refers to the dhcp-server hotspot parameter:

    /ip hotspot server add name=hs_dhcp dhcp-server=hs_temp address-pool=hspot netmask=255.255.255.0 gateway=10.5.50.1

If client has obtained temporary address, its lease is shown as:

    [admin@HotSpot_GW] > ip dhcp-server lease print
    Flags: X - disabled, D - dynamic, H - hotspot
      #   ADDRESS         MAC-ADDRESS        EXPIRES-A…  SERVER   STATUS
      0 D 192.168.0.254   00:40:96:13:B3:47  8s          hs_temp  bound
    [admin@HotSpot_GW] >

After successful authentication its DHCP address is changed, and it is listed under active hotspot users:

    [admin@HotSpot_GW] > ip dhcp-server lease print
    Flags: X - disabled, D - dynamic, H - hotspot
      #    ADDRESS     MAC-ADDRESS        EXPIRES-A…  SERVER   STATUS
      0 DH 10.5.50.2   00:40:96:13:B3:47  56s         hs_temp  bound
    [admin@HotSpot_GW] > ip hotspot active print
      #  USER  ADDRESS     UPTIME  SESSION-TIMEOUT  IDLE-TIMEOUT
      0  ax    10.5.50.2   2m25s
    [admin@HotSpot_GW] > /ip hotspot active print stats
      #  USER  UPTIME  BYTES-IN  BYTES-OUT  PACKETS-IN  PACKETS-OUT
      0  ax    13m26s  145268    264282     475         494
    [admin@HotSpot_GW] >

So back then it was possible to just “force” the hotspot to smoothly change the lease after login. Is it still possible?
Correct me if I’m wrong, but at first glance it looks like a better solution than NAT-to-NAT translation.