Hello! – I am trying to replace two old access points on two physically separate networks with a single hAP AC unit hosting two SSIDs. One network is our internal net (I’ll call it corenet) and one is our guest network (I’ll call it guestnet). I have our corenet plugged into ether2 on the hAP AC and guestnet plugged into ether3.
I thought I could isolate the networks by removing ether3 from the default bridge, creating a new bridge (called bridge-guest) and creating a virtual WLAN interface (called wlan3) with the guest network SSID and adding both wlan3 and ether3 to bridge-guest. Clearly I’m missing something here because it doesn’t work the way I expected:
- Clients on the main network can ping the guest network, and clients on the guest network can ping the main network. The two networks are not isolated.
- DHCP clients on the main network SSID receive IP addresses, but DHCP clients on the guest network SSID do not unless I create a DHCP relay from ether3 to wlan3.
(there are two separate DHCP servers, one on corenet and one on guestnet)
So my question is probably a best-practice one: how do I host the two SSIDs for two networks wired separately on the hAP AC while keeping them isolated from each other?
Some additional notes – I do eventually intend to move to VLANs with single physical connections to the hAP AC, but for now the internal network isn’t completely set up for that, so that’s a future project. I created a ‘wlan3’ rather than dedicating one of the two radios to the guest SSID because I wanted both 2 GHz and 5 GHz available for corenet clients.
Thanks & Best Regards,
Mitch
Remove the DHCP relay, and make sure your guest DHCP server is on bridge-guest (and not on wlan3 or ether3). In case the DHCP server still does not work for your guest network, please post the output of the /ip address export and /ip dhcp-server export commands.
As to the network isolation, that has to be set up manually in the /ip firewall filter.
Thanks for your note! – the DHCP servers in both cases are further back in the network and not on the hAP AC itself. Not sure why one is able to respond to clients through ether2<->default bridge<->wlan(1,2), whereas the other is not able to respond to clients through ether3<->bridge-guest<->wlan3 without a DHCP relay being in place.
Thanks for the note on the firewall filter – that answers my question about isolating the networks!
I’ll set up the configuration with an appropriate filter and then troubleshoot the DHCP issue.
Quick follow-up question – given that the network isolation has to be done through the firewall rules, is there really any point to having separate bridges for the two networks? Clearly I am not fully understanding the purpose of a bridge!
Well, I got it working; my mistake was not making the ether3 port that was slaved to ether2 its own master. After that, the bridging through bridge-guest worked fine and properly isolated the networks. The DHCP server issue resolved itself (I guess that was user error) after I reset and reconfigured everything. No firewall rules were needed to isolate traffic.
Just make sure no IP addresses are assigned to your bridge interfaces (or at least to the guest one). Otherwise your isolation might easily be circumvented by just manually installing a static route on a client device.
I will definitely check on that, thanks!
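The configuration the thread converges on, written out as an added example (not posted by anyone in the thread): ether3 un-slaved from ether2, a virtual AP wlan3 on bridge-guest together with ether3, no DHCP relay and no IP address on the guest bridge. It assumes a RouterOS 6.x hAP AC with master-port switching (the "slaved to ether2" wording above), wlan1 as the 2.4 GHz master radio, and a placeholder guest security profile.

```routeros
# Added example, not from the thread. Assumes RouterOS 6.x with master-port
# switching on the hAP AC; interface and bridge names are the thread's.

# 1. ether3 must not be a switch slave of ether2. While it is, frames are
#    switched between the two ports below both bridges and nothing is isolated.
/interface ethernet set ether3 master-port=none

# 2. Security profile for the guest SSID (pre-shared key is a placeholder).
/interface wireless security-profiles
add name=guest-profile mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key=CHANGE-ME-PLACEHOLDER

# 3. Virtual AP wlan3 on the 2.4 GHz radio (wlan1 is assumed to be its master),
#    so both physical radios stay available for corenet.
/interface wireless
add name=wlan3 master-interface=wlan1 ssid=guestnet mode=ap-bridge \
    security-profile=guest-profile disabled=no

# 4. Guest bridge carrying only ether3 and wlan3; ether3 leaves the default bridge.
/interface bridge add name=bridge-guest
/interface bridge port
remove [find interface=ether3]
add bridge=bridge-guest interface=ether3
add bridge=bridge-guest interface=wlan3

# 5. No DHCP relay (the guest DHCP server lives upstream on guestnet) and no IP
#    address on bridge-guest, so a guest client cannot route into corenet through
#    the hAP AC by adding a static route on its own device.
/ip dhcp-relay remove [find]
/ip address remove [find interface=bridge-guest]

# Check: every port should be listed under exactly one bridge, and bridge-guest
# should not appear in /ip address print.
/interface bridge port print
/ip address print
```

Layer-2 separation here depends on ether3 and ether2 staying on different bridges with no switch grouping; re-adding ether3 to the default bridge or giving bridge-guest an address re-creates the leak the thread describes.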