I have a hAP ac router, which I currently use to connect a cable modem to a small network (via ether1), but will probably switch to gigabit fiber in a few months.
I used the Quick Set “Home Dual AP” mode with a guest network (and in general, have decided to try to keep myself from customizing more than necessary). The Quick Set created 4 WiFi interfaces (2.4/5 GHz private on wifi1/wifi2, 2.4/5 GHz guest on wifi3/wifi4 which are virtual ones) and a bridge connecting everything: ether2-master (which is the master port for ether3-5), sfp1, and the 4 wifi networks. It also created bridge filters in the forward chain dropping everything with an in-interface or out-interface of wlan3 or wlan4 to isolate the guest wlan, and the following firewall config:
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
I’m a bit surprised by this - I would have expected some sort of VLAN- or bridging-based separation of the guest network with a separate DHCP range for the latter. Is there some specific advantage of this that I’m missing? Does this expose my main network to nasty tricks the guests could play, like ARP spoofing, sending fake DHCP traffic to the router, …? I’ve also noticed that the guests can reach the router’s admin interface, which I’d like to avoid (but I have to keep DHCP and DNS available). Is there a better way than creating bridge filter rules to allow DHCP and DNS to the router and drop all other IP traffic to the router’s IP? (Aside from redoing all the config in a fundamentally different way, of course).
Also, default forwarding was enabled on both wlan3 and wlan4, allowing clients on the same WiFi interface to communicate with each other. Is disabling this (together with the bridge filters mentioned above) enough to achieve reliable guest-to-guest isolation on WiFi?
Do any of the decisions I’ve made so far come with performance penalties I may want to be aware of? Once I have Gigabit fiber, I’d love to be able to actually push 1 Gbps through it (from wired), and at that point I may also want to isolate a DMZ. Anything specific I need to be aware of?
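One way to write the bridge filter rules the post considers, letting guest ports reach only DHCP and DNS on the router; this is an added example, not the author's configuration or the Quick Set output. It assumes the guest virtual interfaces are named wlan3 and wlan4 (as in the Quick Set forward rules above) and that the router's LAN address is the 192.168.88.1 default; change both if yours differ.

```routeros
# Added example (not Quick Set output). Assumptions: guest virtual WiFi
# interfaces are wlan3/wlan4; the router's LAN address is 192.168.88.1.
/interface list
add name=guest comment="guest WiFi ports"
/interface list member
add list=guest interface=wlan3
add list=guest interface=wlan4

/interface bridge filter
# ARP must still work or guests cannot reach the gateway at all
add chain=input in-interface-list=guest mac-protocol=arp action=accept \
    comment="guest: allow ARP to router"
# DHCP client -> server is UDP/67, both broadcast DISCOVER and unicast renew
add chain=input in-interface-list=guest mac-protocol=ip ip-protocol=udp \
    dst-port=67 action=accept comment="guest: allow DHCP to router"
# DNS over UDP, plus TCP for answers that come back truncated over UDP
add chain=input in-interface-list=guest mac-protocol=ip ip-protocol=udp \
    dst-address=192.168.88.1/32 dst-port=53 action=accept \
    comment="guest: allow DNS/udp to router"
add chain=input in-interface-list=guest mac-protocol=ip ip-protocol=tcp \
    dst-address=192.168.88.1/32 dst-port=53 action=accept \
    comment="guest: allow DNS/tcp to router"
# Anything else from a guest port addressed to the router's LAN IP (WinBox,
# SSH, WebFig, API, ...) is dropped before /ip firewall input ever sees it.
# Match on the router's address, not on every IP frame: frames a guest sends
# to the Internet carry the router's MAC too and also pass this chain.
add chain=input in-interface-list=guest mac-protocol=ip \
    dst-address=192.168.88.1/32 action=drop \
    comment="guest: drop all other traffic to router"
```

The drop is keyed to the LAN address because routed guest traffic traverses the bridge input chain as well; any other local address the router answers on from the bridge side (the ether1 address, for instance, which the defconf input chain only blocks when it arrives on ether1) needs its own matching drop.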