How to for a guest network that can't access the internal network

I have a Mikrotik hAP ac2 running RouterOS 6.43.2. I need to create a guest network that cannot access the internal network but I haven’t been able to find any simple straightforward step by step instructions for this. Can anyone assist?

https://www.marthur.com/networking/mikrotik-setup-guest-wifi/201/

According to the comments this one is outdated. Also I have no option for "Master-interface: ap-private". I have only wlan1 and wlan2.

If you are banned from Google, the best way for you is Quick Set, which allows you to set up a guest Wi-Fi AP.

Sorry I have no idea what you're talking about. A quick setup how to for guest wifi is what I'm looking for but cannot find.

Quick Set - first upper button on left bar in Winbox.

I see this option but I don’t understand how to make it a guest network that can only access the internet and none of the rest of my internal network. In fact it looks like this loads my existing wifi configuration, which I do not want to screw with at all.

You can disable connectivity between lan and guest with route rules. For example:

/ip route rule
add action=drop dst-address=lan.network/mask src-address=guest.network/mask
add action=drop dst-address=guest.network/mask src-address=lan.network/mask

Is there not a simple step by step guide that contains all the steps that is also compatible with the current OS? I cannot follow this with one step here, another step there, and some steps that are not compatible with my OS.

Hello,

The URL and examples shown by Baragoon will work. Yes, the URL has some steps that I would not do, such as masquerading the guest network (kind of useless). Otherwise, it’s good. And his firewall filters suggestions are accurate also. They will prevent both subnets from accessing each other.

That’s about as step-by-step as you’ll get.

Let's see if this will help summarize it:

  • create a wireless security profile
  • create a VAP, using the security profile
  • assign IP address to VAP
  • create DHCP server for VAP (no bridge required. I’ve done this)
  • create firewall filters to restrict traffic flow between local subnets

Cheers,

Just to add: this only works if the guest VAP is set up on the device which is also the internet router. If one wants to add a guest VAP on an AP device which connects to the router via ethernet cable, then there are more steps to be taken.

As far as being “step by step” the guide is perfect except I get lost at step 15 - I do not have an interface option of “ap-private” for “Master interface:” I only have wlan1 and wlan2.

Ya, since the names can be changed, it can be confusing. Use wlan1 or 2.

Sent from my cell phone. Sorry for the errors.

I have the issue that some of my VAP have internet access. I defined 3 VAP on three bridges and one has internet, next to the normal Wlan1. What did I do wrong?

Post complete configuration (in terminal windows execute /export hide-sensitive and copy-paste output in [ code] … [ /code] environment).

I believe I got down to step 4. No idea how to do step 5. Also my network doesn’t work this way. When I try to connect it says “No internet connection”. No clue where I screwed up, seems pretty straightforward, however every single dialog box has 1,000 options so I don’t know if I missed something critical. I can connect but that’s it.

By default my subnets cannot access each other and the new one cannot access anything.

"such as masquerading the guest network (kind of useless). " I have no idea which steps I can just “skip” and which ones are critical to make it work.

Hello,

For step 5, something along the lines of:
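/ip firewall filter
# drop new connections from subnet A to subnet B
add chain=forward src-address=subnetA/maskA dst-address=subnetB/maskB action=drop
# and the reverse direction
add chain=forward src-address=subnetB/maskB dst-address=subnetA/maskA action=drop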

This will prevent both LANs from communicating with each other.

For the natting (Masquerade)
/ip firewall nat
add chain=srcnat action=masquerade out-interface="WAN_PORT"

There’s no need to specify a subnet as all traffic will (needs to) be masqueraded.

Hope this helps.
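
The five steps summarized earlier in the thread, together with the forward-chain drop rules from the reply above, written out as one RouterOS 6 terminal script. This is an added example, not a configuration posted by any participant; the names wlan-guest, guest-profile, guest-pool and guest-dhcp, the 192.168.99.0/24 guest subnet, the 192.168.88.0/24 LAN subnet, the passphrase placeholder and the public DNS resolver are assumptions to replace with your own values.

```routeros
# Added example. Assumed values (replace with your own):
#   LAN subnet 192.168.88.0/24, guest subnet 192.168.99.0/24,
#   physical radio wlan1 used as master interface.

# 1. Security profile for the guest SSID (placeholder passphrase)
/interface wireless security-profiles
add name=guest-profile mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="CHANGE-ME-guest-passphrase"

# 2. Virtual AP (VAP) on top of the physical radio.
#    master-interface is wlan1 or wlan2, whatever the radio is called.
/interface wireless
add name=wlan-guest master-interface=wlan1 mode=ap-bridge ssid="Guest" \
    security-profile=guest-profile disabled=no

# 3. Router address on the VAP. The VAP is NOT added to the LAN bridge,
#    so the guest subnet is routed, not switched, and can be filtered.
/ip address
add address=192.168.99.1/24 interface=wlan-guest

# 4. DHCP server for the guest subnet. The DNS server handed out is a
#    public resolver (assumed choice), so guests do not need to query
#    the router itself.
/ip pool
add name=guest-pool ranges=192.168.99.10-192.168.99.254
/ip dhcp-server
add name=guest-dhcp interface=wlan-guest address-pool=guest-pool disabled=no
/ip dhcp-server network
add address=192.168.99.0/24 gateway=192.168.99.1 dns-server=9.9.9.9

# 5. Block routing between guest and LAN in both directions.
#    Filter rules are matched top-down: these two must sit above any
#    rule that accepts new forward connections between the subnets.
/ip firewall filter
add chain=forward src-address=192.168.99.0/24 dst-address=192.168.88.0/24 \
    action=drop comment="guest -> LAN"
add chain=forward src-address=192.168.88.0/24 dst-address=192.168.99.0/24 \
    action=drop comment="LAN -> guest"
```

After applying it, `/ip firewall filter print` shows the rule order, and the packet counters on the two drop rules confirm whether guest-to-LAN attempts are actually hitting them.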

Thanks guys.

This article got an update: https://www.marthur.com/networking/mikrotik-setup-guest-vlan-wifi/2582/

This one is working perfectly for me on RouterOS 6.4.x

You have some videos to get you going here:

https://www.youtube.com/watch?v=6P0MDlYWR_E
https://www.youtube.com/watch?v=lDAG_U7NwxM

As long as the guest network is on its own network, then it is just a matter of setting the correct firewall rules to separate the networks.

Thanks.