Hi all,
Please advise how to set up Office WiFi
I need one SSID for internal users, and one SSID for guests (isolated one)
How to do that on rOS 6.7?
Thanks
Create Virtual AP if you have only one radio on your router.
Configure each virtual ap as you like.
What RouterBoard do you use?
Create 2 bridges, one for office
Other for guest
On bridge for office, give an IP address, for example 192.168.100.1/24, and configure a DHCP server on it
On bridge for guest, give an IP address, for example 192.168.101.1/24, and configure a DHCP server on it
NAT masquerade between bridge office and WAN
NAT masquerade between bridge guest and WAN
Put ether1 and AP into bridge office; this is your office LAN
Make a virtual access point and put these in the bridge guest, same with ether2; this is your guest LAN
But I don't know what RouterBoard you use
Hi,
Thanks for quick answer, we use
http://routerboard.com/RB2011UiAS-2HnD-IN
at our office.
I have 1 CAT5 cable on Eth1 with 192.168. kind network already, which provides access to internal network and internet. All I want is that second VAP users will be able to reach only the internet from my internal network, but no other hosts.
I mean that Eth1 is not WAN, but already an internal network with access to WAN (192.168.10.1) ← WAN router address

I hope that you understand the pictures
I'm very tired but I will help you
I made printscreens, see this
This Web site will be deleted
Let me know if you no longer need it
Note the IP addresses may differ from yours
I hope I helped you
A quick hijack of this topic:
Thanks Plisken, I used your manual. Worked like a charm!
You're welcome, no problem
This is the definitive website about virtual access point.
Even clearer without bridge.
http://www.wirelessinfo.be/index.php/mikrotik/pages/vap1
Yes, sure, this is working, but I need to isolate people who use WLAN2 from LAN1 and WLAN1.
So they will be able to use ONLY internet, and I don't have 0.0.0.0 on Ether1, my gateway is already another device.
This is what you need, I think; see the firewall settings below.
This will cause that both IP ranges cannot communicate with each other
http://www.wirelessinfo.be/index.php/mikrotik/pages/vap1
I hope that I helped you
Hello,
I’m trying to do this. Guest WiFi appears, I can connect to it, I get an IP address, but internet doesn’t work. On the firewall NAT tab no packets are listed on the srcnat line.
What could I have done wrong?
Have you set up the firewall NAT rule?
I did. The issue was that I specified ether interface, and not the bridge (ether was bridged with other wifi)
Oh by the way, the how-to link posted here also says to add DROP rules to INPUT chain, which did NOT work for me, I had to add them to FORWARD chain.
By the way, the DROP rules are filtered by IP addresses. Is it possible to have them more universal, so to drop ALL traffic between guest and private WiFi, even if they have some other IP addresses set (because this way someone might take local private IP manually and access the network)?
Not the first time already recommend …
/ip route rule add src-address=192.168.0.0/24 dst-address=192.168.10.0/24 action=drop
Yes that is how I have it now.
But what will prevent someone on Guest network changing his IP to 192.168.10.X and getting access to the network?
Use for your guest network bootp support = dynamic and choose arp for Add ARP For a Leases

Hi,
Could you please explain what this does?
In any case - I’ve simplified my example a bit. In reality we have multiple subnets which need protection, and I would like to have one single rule without needing to remember to update it if we add another subnet. Is that possible? Like dropping everything from one wlan interface to another.
Hi!
My intended WiFi setup is somewhat similar to that of BangBang:

I want to replace my single SSID LINKSYS AP with a Mikrotik wAP and introduce a separate SSID for guests which is isolated from LAN. I want wlan1 interface to relay DHCP from RB750 firewall, however the virtual interface wlan2 might serve a DHCP server for guest clients. I could make a bridge on wAP with ether1 and wlan1. I have no idea how to route the virtual wlan2 to RB750 over ether1.
The http://www.wirelessinfo.be/index.php/mikrotik/pages/vap1 link does not really help.
Any recommendations are welcome!
If the wAP is already acting as a bridge-only device, then it should be easy to add the guest network to this device.
Create a vlan interface on ether1 (guest-vlan) with vlan-id = 100 or whatever number, just not 1.
Create a second bridge interface (guest-bridge)
Create a virtual access-point interface (guest-wlan) and set the SSID / security profile on it that you want to use.
Then in the bridge > ports menu, connect guest-wlan and guest-vlan to guest-bridge.
On the RB750, create a guest-vlan Interface with the same vlan-id as you used in the WAP, and on whichever interface is connected to the WAP (or if you’re using hardware switching, put it on the master interface)
Then put the IP address 192.168.0.1/24 on the guest-vlan interface, and set up DHCP server.
In firewall, add a forward filter:
chain=forward
in-interface=guest-vlan
out-interface=!ether1-gateway (or whatever interface has your public IP address on it)
action=drop
If you’re using multi-wan, you’ll have to change the logic from being the one rule above to three rules:
allow in-interface=guest-vlan out-interface=wan1
allow in-interface=guest-vlan out-interface=wan2
drop in-interface=guest-vlan
Optionally, to protect the Mikrotik itself from the guest vlan, you can add some rules to the input filter that allow bootpc/bootps, icmp, and dns if you’re using the 750G as a dns proxy, followed by a drop all in-interface=guest-vlan.
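The steps in the post above written out as RouterOS v6 commands, as an added example that is not part of the original post. Assumptions: wlan1 is the wAP's physical radio, ether2 is the RB750 port facing the wAP, and the SSID, passphrase, pool range and every object name other than guest-vlan, guest-bridge, guest-wlan and ether1-gateway are placeholders.

```routeros
# ---- On the wAP (bridge-only device) ----
# Tagged VLAN 100 on the uplink carries guest traffic to the RB750
/interface vlan add name=guest-vlan interface=ether1 vlan-id=100
/interface bridge add name=guest-bridge
# Placeholder passphrase: replace before use
/interface wireless security-profiles add name=guest-profile mode=dynamic-keys \
    authentication-types=wpa2-psk wpa2-pre-shared-key="REPLACE-WITH-GUEST-PASSPHRASE"
# Virtual AP on the physical radio (wlan1 is an assumption).
# default-forwarding=no is an addition to the post: it stops guest
# clients on this AP from talking to each other.
/interface wireless add name=guest-wlan master-interface=wlan1 mode=ap-bridge \
    ssid="Office-Guest" security-profile=guest-profile default-forwarding=no disabled=no
/interface bridge port add bridge=guest-bridge interface=guest-wlan
/interface bridge port add bridge=guest-bridge interface=guest-vlan

# ---- On the RB750 (router / firewall) ----
# Same vlan-id, on the port facing the wAP (ether2 is an assumption;
# with hardware switching use the master interface instead)
/interface vlan add name=guest-vlan interface=ether2 vlan-id=100
/ip address add address=192.168.0.1/24 interface=guest-vlan
/ip pool add name=guest-pool ranges=192.168.0.10-192.168.0.254
/ip dhcp-server add name=guest-dhcp interface=guest-vlan address-pool=guest-pool disabled=no
/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.1 dns-server=192.168.0.1

# Guests may only be forwarded out of the WAN interface
/ip firewall filter add chain=forward in-interface=guest-vlan \
    out-interface=!ether1-gateway action=drop comment="guest: internet only"

# Optional: protect the router itself from the guest VLAN
/ip firewall filter add chain=input in-interface=guest-vlan protocol=udp dst-port=67 \
    action=accept comment="guest: DHCP"
/ip firewall filter add chain=input in-interface=guest-vlan protocol=udp dst-port=53 \
    action=accept comment="guest: DNS"
/ip firewall filter add chain=input in-interface=guest-vlan protocol=tcp dst-port=53 \
    action=accept comment="guest: DNS"
/ip firewall filter add chain=input in-interface=guest-vlan protocol=icmp \
    action=accept comment="guest: ICMP"
/ip firewall filter add chain=input in-interface=guest-vlan action=drop \
    comment="guest: drop everything else to the router"
```

The forward rule matches on the ingress interface rather than on addresses, so it applies whatever source IP a guest client configures and does not need updating when private subnets are added. `add` appends to the end of the chain, so check that no earlier accept rule matches new connections from guest-vlan.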
ZeroByte,
The setup you proposed worked for me as far as I created the VLAN on both vAP and on RB750. I created two bridges on wAP, one for private for ether1 and wlan1-private, another for private for wlan2-public (virtual AP) and VLAN (id=100). I set up DHCP, and I was able to connect to both APs, and get into the internet from both of them.
The difficulty sets in as I continue with the firewall rules to isolate the guest from the local network. With the current setup I can ping from guest into the private network. It seems that the guest gets into the private addresses straight in wAP. Is this correct or am I wrong about that? If so, I tried creating firewall rules, but RouterOS / wAP does not let me create firewall forward rules between wlan2-public and !ether1 – both of these are slaves. It seems I can create firewall rules just between the bridge interfaces, but it does not help as doing so blocks the entire traffic. Any ideas?