Hi, I have the latest RouterOS 7.14 and model RB951Ui-2HnD.
My first step was to use RouterOS as:
- WiFi as client
- WiFi as repeater
- LAN connected to element.
More or less, I followed a tutorial:
- wireless in station pseudobridge
- added a virtual WiFi
- added all security config
- created a bridge, added all WiFi and LAN under the bridge.
I followed this: https://www.youtube.com/watch?v=LNiNd4-a3xs
It works.
Now I would like to do a different thing with the RB951.
I would like to:
- Router as WiFi client with DHCP client (this is the source of the internet connection)
- 3 WiFi networks:
  - 2.1) one for normal PC connections, called HOME
  - 2.2) one for mobile phones, called PHONE
  - 2.3) one for IoT, called IOT
- Keep them isolated from each other and dispatch IPs, but all need access to the Internet
- Connect the LAN mainly to HOME, but I would like to switch it if I need to without too much complication (LAN3 joined to PHONE)
- In the future, make possible traffic shaping (privilege HOME over PHONE) and firewalling (different rules for each area HOME/PHONE/IOT)
What is the best solution?
- VLAN
- NAT
- different bridges
- some tutorial or help page
I would like to move on to traffic shaping in the future:
https://mum.mikrotik.com/presentations/US19/presentation_6425_1554933623.pdf
https://mum.mikrotik.com/presentations/IT14/touw.pdf
Could you export your working config and post it here?
export file=anynameyouwish (minus sensitive information)
I have an empty config, I have an empty router.
To isolate the virtual WiFi, I think that a bridge is the right solution, or should I use 1 bridge and multiple VLANs?
VLAN would be easier for isolating the networks. I’ll post an example config and further explain the steps:
```
# DHCP client on the uplink (the dhcp-client menu is under /ip)
/ip dhcp-client add interface=wifi1
/interface list
add name=WAN
add name=VLAN
/interface bridge add name=bridge
/interface bridge port
add bridge=bridge interface=ether1 pvid=10
add bridge=bridge interface=ether2 pvid=10
add bridge=bridge interface=ether3 pvid=10
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=10
/interface vlan
add interface=bridge name=HOME vlan-id=10
add interface=bridge name=PHONE vlan-id=20
add interface=bridge name=IOT vlan-id=30
/interface list member
add list=WAN interface=wifi1
add list=VLAN interface=HOME
add list=VLAN interface=PHONE
add list=VLAN interface=IOT
# One gateway address per VLAN interface
/ip address
add address=10.10.10.1/24 network=10.10.10.0 interface=HOME
add address=10.10.20.1/24 network=10.10.20.0 interface=PHONE
add address=10.10.30.1/24 network=10.10.30.0 interface=IOT
/ip pool
add ranges=10.10.10.2-10.10.10.254 name=pool_HOME
add ranges=10.10.20.2-10.10.20.254 name=pool_PHONE
add ranges=10.10.30.2-10.10.30.254 name=pool_IOT
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8 gateway=10.10.10.1
add address=10.10.20.0/24 dns-server=8.8.8.8 gateway=10.10.20.1
add address=10.10.30.0/24 dns-server=8.8.8.8 gateway=10.10.30.1
/ip dhcp-server
add address-pool=pool_HOME interface=HOME name=dhcp_HOME
add address-pool=pool_PHONE interface=PHONE name=dhcp_PHONE
add address-pool=pool_IOT interface=IOT name=dhcp_IOT
/interface wifi
set [ find name=wifi1 ] disabled=no configuration.mode=station .ssid=WIFI_CLIENT security.authentication-types=wpa2-psk .passphrase="password"
set [ find name=wifi2 ] disabled=no configuration.mode=ap .ssid=HOME datapath.bridge=bridge .vlan-id=10 security.authentication-types=wpa2-psk,wpa3-psk .passphrase="password1"
add master-interface=wifi2 name=wifi3 configuration.mode=ap .ssid=PHONE datapath.bridge=bridge .vlan-id=20 security.authentication-types=wpa2-psk,wpa3-psk .passphrase="password2"
add master-interface=wifi2 name=wifi4 configuration.mode=ap .ssid=IOT datapath.bridge=bridge .vlan-id=30 security.authentication-types=wpa2-psk,wpa3-psk .passphrase="password3"
/interface bridge vlan
add bridge=bridge tagged=bridge,wifi2 vlan-ids=10
add bridge=bridge tagged=bridge,wifi3 vlan-ids=20
add bridge=bridge tagged=bridge,wifi4 vlan-ids=30
/ip firewall filter
# Note: in-interface=!IOT matches every other interface, including the uplink (wifi1)
add action=accept chain=input protocol=tcp dst-port=80,8291 in-interface=!IOT comment="Allow access to Winbox and WebFig except IOT"
add action=drop chain=input comment="Drop everything else"
# Replies to permitted connections must be accepted before the final drop
add action=accept chain=forward connection-state=established,related comment="Allow replies to permitted connections"
# Internet-bound traffic enters from a VLAN and leaves through the WAN
add action=accept chain=forward protocol=tcp dst-port=80,443,8080,53 in-interface-list=VLAN out-interface-list=WAN comment="Allow internet access"
add action=accept chain=forward protocol=udp dst-port=53 in-interface-list=VLAN out-interface-list=WAN comment="Allow internet access"
add action=accept chain=forward protocol=icmp in-interface-list=VLAN out-interface-list=WAN comment="Allow ping"
add action=accept chain=forward in-interface=PHONE out-interface=IOT comment="Allow access to IOT from PHONE"
add action=drop chain=forward comment="Drop everything else"
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
/interface bridge set bridge vlan-filtering=yes
```
The steps:
- Added wifi1 as DHCP client
- Created interface lists for easier management purposes
- Added a LAN bridge and assigned all ethernet ports to it while adding pvid to them for the VLAN
- Created VLAN interfaces for the L3 part of the setup
- Added the interfaces to their respective interface list
- Set up DHCP servers for the different VLANs
- Set up wifi1 as client, wifi2 as the LAN WiFi and created wifi3 and wifi4 for phones and IoT devices
- Added bridge VLAN table entries
- Created some simple firewall rules and added masquerading to the WAN
- Enabled VLAN filtering on the bridge
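
An added example, not part of the thread: a small Python check that reads an exported config and reports any DHCP server whose VLAN interface has no address covering its pool, a mistake that leaves one zone without a gateway or silently merges two zones' subnets onto one interface. It assumes the export uses a menu line followed by `add ...` lines and one range per pool; `SAMPLE`, `parse` and `audit` are illustrative names.

```python
import ipaddress
import shlex

# Constructed sample export (not from the thread): the 10.10.30.1/24 gateway
# is bound to HOME instead of IOT, so dhcp_IOT has no matching local address.
SAMPLE = """\
/ip address
add address=10.10.10.1/24 interface=HOME
add address=10.10.20.1/24 interface=PHONE
add address=10.10.30.1/24 interface=HOME
/ip pool
add name=pool_HOME ranges=10.10.10.2-10.10.10.254
add name=pool_PHONE ranges=10.10.20.2-10.10.20.254
add name=pool_IOT ranges=10.10.30.2-10.10.30.254
/ip dhcp-server
add address-pool=pool_HOME interface=HOME name=dhcp_HOME
add address-pool=pool_PHONE interface=PHONE name=dhcp_PHONE
add address-pool=pool_IOT interface=IOT name=dhcp_IOT
"""

def parse(text):
    """Group 'add key=value ...' lines by the menu path that precedes them."""
    menus, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line
        elif line.startswith("add ") and path:
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            menus.setdefault(path, []).append(dict(pairs))
    return menus

def audit(text):
    """Return one finding per DHCP server whose interface lacks a covering address."""
    m = parse(text)
    nets = {}
    for a in m.get("/ip address", []):
        nets.setdefault(a["interface"], []).append(ipaddress.ip_interface(a["address"]).network)
    pools = {p["name"]: p["ranges"] for p in m.get("/ip pool", [])}
    findings = []
    for s in m.get("/ip dhcp-server", []):
        rng = pools[s["address-pool"]]  # assumes one "first-last" range per pool
        first, last = (ipaddress.ip_address(x) for x in rng.split("-"))
        if not any(first in n and last in n for n in nets.get(s["interface"], [])):
            findings.append(f"{s['name']}: no address on {s['interface']} covers {rng}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "ok")
```
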