Looking for instructions to isolate guest wifi networks

After upgrading to 7.15, the old instructions no longer work due to the package separation for wifi.

My goal is to have the guest wifi networks completely unreachable in both directions, with guest wifi having internet access only. Also, prevent setting a static IP on the guest networks.

It would be best to have some instructions for this case.

I’m also interested. All the guides, tutorials, and instructions are for the “old” wireless interface and not for WiFi. (wifi-qcom-ac // wifi-qcom)

Friend @tangent wrote a complete blog post:
https://tangentsoft.com/mikrotik/wiki?name=Isolated%20Guest%20WiFi%20Sans%20VLANs

Follow this guide for setting up a guest VLAN for the AP: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Commands for the WiFi setup shouldn’t differ much from the old WiFi package, or use Winbox to set it up. The VLAN setup is not directly related to the WiFi setup, except for knowing which wifi interface needs to be part of which network.

Looks promising. Thank you

While I’d love to master VLANS, it seems to be beyond me.

@tangent’s solution works for me (thank you @tangent!).

These are the config entries I used (I’m sure you’ll want to customize to your environment):

/interface wifi configuration add datapath.client-isolation=yes disabled=no name=guestcfg security.authentication-types=wpa2-psk .passphrase=blueberry ssid=GuestWifi

/interface wifi add configuration=guestcfg configuration.mode=ap disabled=no master-interface=wifi2 name=Guest2g

/interface wifi add configuration=guestcfg configuration.mode=ap disabled=no master-interface=wifi1 name=Guest5g

/ip pool add name=pool-guest ranges=10.0.0.10-10.0.0.252

/ip address add address=10.0.0.1/24 interface=Guest2g network=10.0.0.0

/ip address add address=10.0.0.1/24 interface=Guest5g network=10.0.0.0

/ip dhcp-server add address-pool=pool-guest interface=Guest2g name=dhcp-guest2g

/ip dhcp-server add address-pool=pool-guest interface=Guest5g name=dhcp-guest5g

/ip dhcp-server network add address=10.0.0.0/24 dns-server=1.1.1.1 gateway=10.0.0.1

/ip dns static add address=10.0.0.1 comment=defconf name=router.lan

/ip firewall address-list add address=10.0.0.2-10.0.0.254 list="Guest WiFi"

/ip firewall filter add action=accept chain=input comment="allow 67 68 to 10.0.0.1" dst-address=10.0.0.1 dst-port=67,68 log=yes log-prefix="allow 67 68 to 10.0.0.1" protocol=udp

/ip firewall filter add action=drop chain=input comment="drop all to 10.0.0.1" dst-address=10.0.0.1 in-interface=!lo log=yes log-prefix="drop all to 10.0.0.1"

/ip firewall filter add action=drop chain=forward comment="drop all 10.0.0.0/24 to not-WAN" log-prefix=drop-all-10-0-0-0-24-to-not-WAN out-interface-list=!WAN src-address=10.0.0.0/24

/ip firewall filter add action=drop chain=forward comment="drop guest to 192.168.0.0/16" dst-address=192.168.0.0/16 dst-port=!53,68,68 log=yes log-prefix=drop-guest-to-192-168-0-0-16 protocol=udp src-address-list="Guest WiFi"


# Move the firewall rules to the correct position number
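As an added illustration (not part of the post above, and not RouterOS code), here is a small Python model of the four filter rules listed, walked in order with RouterOS’s default accept for unmatched traffic, run over constructed sample packets. The interface-list names, sample addresses and ports are assumptions; the last sample shows that none of these four rules matches traffic initiated from 192.168.0.0/16 toward the guest subnet, so that direction depends on the rest of the filter table.

```python
import ipaddress
from dataclasses import dataclass
GUEST_NET = ipaddress.ip_network("10.0.0.0/24")
LAN_NET = ipaddress.ip_network("192.168.0.0/16")
# 'Guest WiFi' address-list from the post: 10.0.0.2-10.0.0.254
GUEST_LIST = (ipaddress.ip_address("10.0.0.2"), ipaddress.ip_address("10.0.0.254"))

@dataclass
class Packet:
    chain: str              # "input" = addressed to the router, "forward" = routed through it
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    in_iface: str = "Guest2g"
    out_list: str = "LAN"   # interface list of the egress interface (forward chain only)

def in_guest_list(ip):
    return GUEST_LIST[0] <= ipaddress.ip_address(ip) <= GUEST_LIST[1]

def evaluate(p):
    """Walk the posted rules in order; first match decides, unmatched traffic is accepted."""
    if p.chain == "input":
        # allow 67 68 to 10.0.0.1: DHCP is the only thing guests may send to the router
        if p.proto == "udp" and p.dst == "10.0.0.1" and p.dport in (67, 68):
            return "accept"
        # drop all to 10.0.0.1 (in-interface=!lo)
        if p.dst == "10.0.0.1" and p.in_iface != "lo":
            return "drop"
    elif p.chain == "forward":
        # drop all 10.0.0.0/24 to not-WAN: guests may only exit through the WAN list
        if ipaddress.ip_address(p.src) in GUEST_NET and p.out_list != "WAN":
            return "drop"
        # drop guest to 192.168.0.0/16: UDP from the address-list, except ports 53/68
        if (p.proto == "udp" and ipaddress.ip_address(p.dst) in LAN_NET
                and p.dport not in (53, 68) and in_guest_list(p.src)):
            return "drop"
    return "accept"

# Constructed sample traffic (addresses, ports and interface names chosen for illustration).
SAMPLES = {
    "guest_dhcp_to_router": Packet("input", "10.0.0.20", "10.0.0.1", "udp", 67),
    "guest_winbox_to_router": Packet("input", "10.0.0.20", "10.0.0.1", "tcp", 8291),
    "guest_smb_to_lan": Packet("forward", "10.0.0.20", "192.168.88.10", "tcp", 445),
    "guest_https_to_internet": Packet("forward", "10.0.0.20", "1.1.1.1", "tcp", 443, out_list="WAN"),
    "lan_to_guest": Packet("forward", "192.168.88.10", "10.0.0.20", "tcp", 22, "ether2", "guest"),
}

def verdicts():
    return {name: evaluate(p) for name, p in SAMPLES.items()}
```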

Quick Set

/interface wifi add … master-interface=wifi2 name=wifi2g …
/interface bridge filter add action=drop chain=forward in-interface=wifi2g
/interface bridge filter add action=drop chain=forward out-interface=wifi2g
/interface bridge port add bridge=bridge interface=wifi2g

Can someone explain the missing part marked with “…” (two places)?

Replace it with the properties related to the wifi slave configuration. In that tutorial there is an example of adding a configuration (/interface wifi configuration add …); the same properties can be added to the wifi add command. The difference is that when you have a separate configuration, it can be reused for other wifi interfaces if needed.

Thanks for the instructions.

It almost works. However, while the 2g guest network works fine (tested with IoT devices and a smartphone), the 5g guest network rejects WAN requests, so the smartphone could not connect to the internet. MikroTik hAP ac², 7.15.3

I’m far from an expert, but I’ll try to help.

First step is to post your entire sanitized export.

That’s a documented feature of my scheme: guests do not get full-service WiFi.

I have no desire to prototype an alternative that lifts that restriction for you, but it would involve creating a “wifi5g” slave parallel to the article’s existing wifi2g, then bridging them together.

Also local details like country settings, SSID, PSK… Things I don’t want to reveal about my local config and cannot predict for yours. Fill in the blanks.

Prior to using capsman, it was quite easy to set up a VLAN per SSID or a VLAN per user group (and assign both SSIDs to the same VLAN) and have them fully separated at layer 2 by VLANs and at layer 3 by firewall rules, and then decide through the wifi settings whether or not wifi users should be able to see others on the same wifi VLAN (with only internet access, of course).

With capsman, no clue, nor interested as the config blows up with all capsman entries and 3X the level of complication for no real gain IMHO.