VLANs are probably a step further than you need to go at present. There are other ways that are easier to implement on simple networks, e.g. Firewall rules, routing and subnets. Whilst you may feel you just want a simple bridged solution initially, it’s easier to expand a routed solution; bridged solutions don’t size well.
When creating vAPs I leave the wlanX top level config for each wireless card for WDS and then create a vAP under it for each wireless service I want to provide. I find it makes a more logical layout in Winbox config. If you’re not going to use WDS right now then just leave the interface without an SSID and “Default Authenticate” unchecked; if you then find you need WDS later it’s easy to implement it.
I have been creating 6 vAPs per router, giving each vAP a different SSID:-
vap1 Private Unencrypted, SSID GBB-Private
vap2 Private WEP Encrypted, SSID GBB-Private-WEP
vap3 Private WPA/WPA2 Encrypted, SSID GBB-Private-WPA
vap4 Public Unencrypted, SSID GBB-Hotspot
vap5 Public WEP Encrypted, SSID GBB-Hotspot-WEP
vap6 Public WPA/WPA2 Encrypted, SSID GBB-Hotspot-WPA
I then create two bridges vapprivate and vappublic, allocate ports vap1-3 to vapprivate and vap4-6 to vappublic, then allocate IP address ranges to the bridges. I generally use a 22-bit subnet, e.g. 10.0.0.0/22, reserving 10.0.0.1-10.0.0.254 for fixed IP addresses and create an IP pool of 10.0.1.1-10.0.3.254 for DHCP allocated addresses. The second subnet for the Public users would be 10.0.4.0/22, reserving 10.0.4.1 - 10.0.4.254 for fixed IPs and creating an IP pool of 10.0.5.1 - 10.0.7.254 for DHCP. Create DHCP servers for each bridge and create a Hotspot on the vappublic bridge.
For multiple Routers in a WDS cluster I just use higher subnet blocks, e.g. router2 would use 10.0.16.0/22 and 10.0.20.0/22. I allocate a 20-bit subnet per router to allow for expansion on other physical interfaces, e.g. a second wireless card or multiple ethernet ports.
I then use the second octet to identify separate WDS clusters linked by a backbone network, e.g. site1 is 10.0.0.0/16, site2 is 10.1.0.0/16. This makes it much easier to implement routing and when tracing IP addresses, to easily identify where they are physically located.
Here’s some pointers to your requirements in the order you list them:-
o let all the office systems connect transparently (e.g., enable MAC login for recognized MACs only);
Add the MAC addresses for all “Allowed” users to the Wireless Access List, you need an entry for each MAC address for each vAP that you want it to be able to access. Then uncheck “Default Authenticate” for each vAP you want to protect.
o let all the office systems communicate with each other;
Personally I use routing and allocate a different subnet to each vAP or bridge if you’re using the example above and then use Firewall rules to determine which subnets can talk to one another, e.g. bridge vapprivate 10.0.0.0/22, bridge vappublic 10.0.4.0/22; this would give around 1,000 IP addresses per subnet. It’s better to allocate a subnet range at least twice the size you think you need; it’s much easier to have too many addresses than having to renumber later if you run out.
o run a hotspot on the same radio;
Configure Hotspot on second virtual AP.
o block all non-office systems from seeing/accessing the office machines and each other?
To stop wireless users seeing each other, uncheck the “Default Forward” parameter in the Wireless tab of the vAP’s config.
Implement Firewall rules, this stops Public users seeing Private systems.
Regards
Chris Macneill
Glenkens Broadband Ltd. - Bringing Wireless Broadband to the Glens of South West Scotland.
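The layout described in the post above, written out as a RouterOS CLI script. This is an added example, not Chris Macneill’s own configuration and not MikroTik documentation: it builds one router (site 1, router 1) with the vAPs, the two bridges, the /22 subnets and pools, the Wireless Access List entry for one office MAC, a Hotspot on the public bridge and the firewall rules that keep the public subnet away from the private one. The pre-shared keys, the sample MAC address, the security-profile and pool names, and the RouterOS v6 command syntax are assumptions. The WEP vAPs (vap2 and vap5) are deliberately left out because WEP is cryptographically broken; the encrypted vAPs use WPA2 with AES.

```routeros
# Added example (RouterOS v6 CLI), not the original poster's config: one router of the
# layout above. PSKs, the sample MAC address and the profile/pool names are assumptions.

# Security profiles for the encrypted vAPs. WEP is deliberately left out: it is broken.
/interface wireless security-profiles
add name=private-wpa mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="ChangeMePrivate"
add name=public-wpa mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="ChangeMePublic"

# Physical card: kept for WDS, empty SSID, nobody authenticates by default.
# WDS can be enabled later with wds-mode=dynamic (or static) without touching the vAPs.
/interface wireless
set wlan1 mode=ap-bridge ssid="" wds-mode=disabled \
    default-authentication=no default-forwarding=no disabled=no

# Virtual APs. Private ones: access-list only (default-authentication=no).
# Public ones: anyone may associate; the Hotspot does the login.
# default-forwarding=no on every vAP stops clients on the same vAP seeing each other.
add name=vap1 master-interface=wlan1 ssid=GBB-Private security-profile=default \
    default-authentication=no default-forwarding=no disabled=no
add name=vap3 master-interface=wlan1 ssid=GBB-Private-WPA security-profile=private-wpa \
    default-authentication=no default-forwarding=no disabled=no
add name=vap4 master-interface=wlan1 ssid=GBB-Hotspot security-profile=default \
    default-authentication=yes default-forwarding=no disabled=no
add name=vap6 master-interface=wlan1 ssid=GBB-Hotspot-WPA security-profile=public-wpa \
    default-authentication=yes default-forwarding=no disabled=no

# One office MAC (sample address): one entry per vAP it is allowed to join.
/interface wireless access-list
add mac-address=00:0C:42:12:34:56 interface=vap1 authentication=yes forwarding=no \
    comment="office laptop"
add mac-address=00:0C:42:12:34:56 interface=vap3 authentication=yes forwarding=no \
    comment="office laptop"

# Two bridges: 10.0.0.0/22 private, 10.0.4.0/22 public (site 1, router 1).
/interface bridge
add name=vapprivate
add name=vappublic
/interface bridge port
add bridge=vapprivate interface=vap1
add bridge=vapprivate interface=vap3
add bridge=vappublic interface=vap4
add bridge=vappublic interface=vap6

/ip address
add address=10.0.0.1/22 interface=vapprivate
add address=10.0.4.1/22 interface=vappublic

# .0.1-.0.254 and .4.1-.4.254 stay free for fixed addresses; DHCP hands out the rest.
/ip pool
add name=private-pool ranges=10.0.1.1-10.0.3.254
add name=public-pool ranges=10.0.5.1-10.0.7.254
/ip dhcp-server
add name=private-dhcp interface=vapprivate address-pool=private-pool disabled=no
add name=public-dhcp interface=vappublic address-pool=public-pool disabled=no
/ip dhcp-server network
add address=10.0.0.0/22 gateway=10.0.0.1
add address=10.0.4.0/22 gateway=10.0.4.1

# Hotspot on the public bridge only.
/ip hotspot
add name=public-hotspot interface=vappublic address-pool=public-pool profile=default disabled=no

# Routed separation: private may reach public, public may never initiate to private,
# and the hotspot subnet cannot reach the router's management ports.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward src-address=10.0.4.0/22 dst-address=10.0.0.0/22 action=drop \
    comment="public -> private blocked"
add chain=input src-address=10.0.4.0/22 protocol=tcp dst-port=8291,22,23 action=drop \
    comment="no Winbox/SSH/telnet from the hotspot subnet"

# vap4 and vap6 share one bridge, so Default Forward alone does not separate them:
# a bridge filter stops public clients on different vAPs talking at layer 2.
/interface bridge filter
add chain=forward in-interface=vap4 out-interface=vap6 action=drop
add chain=forward in-interface=vap6 out-interface=vap4 action=drop
```

Two points worth checking after importing something like this. “Default Forward” only isolates clients on the same vAP; traffic between two vAPs on the same bridge is switched at layer 2 and never reaches the IP firewall’s forward chain, which is why the bridge filter rules are there. And the IP firewall only ever sees packets that are actually routed between the two /22s, so the public-to-private drop rule works precisely because the private and public services sit on different bridges with different subnets, as the post recommends, rather than on one bridged segment.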