Quick setup “Home AP Dual” question

Hi,

New RB4011 setup here. I want to allow a guest network with only internet access. Setting up both private and guest networks is fine, but I notice that the guest network has access to WebFig on the router. This seems like a security gap?

What’s the best way to eliminate this?

B

Quickset does not provide such security differentiation options. The Guest network is just another wireless name with the only difference that you don’t have to tell the guests your WiFi password. There are no other security mechanisms in place. For that you have to manually set up other settings.

Understood,

What are those steps?

Adjust firewall rules appropriately:

  • Allow only defined devices/subnets access to router services (input chain)
  • Block everything else (whitelist approach)

https://forum.mikrotik.com/viewtopic.php?t=180838

That’s a good thread, but a bit broad for this question.

Maybe somebody else can suggest another thread, but you could set up two DHCP Pools, one for the main AP, other for the Guest AP, then use firewall to separate the IP subnets like this:
https://help.mikrotik.com/docs/display/ROS/VLANs+on+Wireless

Good idea for a MikroTik Youtube channel video. Will make it.

@normis,

Thanks! If the purpose of “QuickFig” is to help out those of us not as comfortable with RouterOS config, I have a suggestion. Right now configuring a guest network with no shared key has the silent side-effect of making your private network more vulnerable. A checkbox like “Limit Guest Network to Internet” or “Allow Guest Network to Access Private Network” would make it more clear to newbs like myself that there’s a decision to be made, and could automate this process.

I’ll visit your thread and try to work through it,

Brian

One thing I did not write correctly: Guest mode right now denies communication between connected Wireless users. So there is at least that level of security.

I believe what he was saying is that Guest mode should include a rule that denies all traffic !out-interface=wan, and also in-interface=lan & out-interface=guest so that the guest network is unable to access the LAN side of the customer network.

Also something that I would appreciate seeing implemented as I recently had an issue where someone tried to enable the guest network and realized that it didn’t restrict access to the LAN.
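As an added example (not from any poster in this thread), here is one way to write the rules described above in the RouterOS CLI: a whitelist input chain so the guest subnet cannot reach WebFig/Winbox, and forward rules that let guests reach only the WAN. The interface names (bridge-lan, bridge-guest, ether1) and address ranges are assumptions; adjust them to match your own Quickset result.

```routeros
# Assumed layout: private LAN on bridge-lan (192.168.88.0/24),
# guest on bridge-guest (192.168.99.0/24), internet on ether1.
/ip firewall address-list
add list=mgmt address=192.168.88.0/24 comment="hosts allowed to manage the router"

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="keep existing sessions alive"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp comment="ping"
# guests still need DHCP and DNS from the router
add chain=input action=accept in-interface=bridge-guest protocol=udp dst-port=67 \
    comment="guest DHCP"
add chain=input action=accept in-interface=bridge-guest protocol=udp dst-port=53 \
    comment="guest DNS"
add chain=input action=accept in-interface=bridge-guest protocol=tcp dst-port=53 \
    comment="guest DNS (TCP)"
# management (WebFig 80/443, Winbox 8291, ssh) only from the private subnet
add chain=input action=accept src-address-list=mgmt \
    comment="router services from private LAN only"
add chain=input action=drop comment="whitelist: everything else, incl. guest -> WebFig"

# --- forward chain: traffic routed through the router ---
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# guest may only talk to the internet (anything not leaving via WAN is dropped)
add chain=forward action=drop in-interface=bridge-guest out-interface=!ether1 \
    comment="guest -> LAN/other guest subnets"
# private LAN may not open new connections into the guest segment either
add chain=forward action=drop in-interface=bridge-lan out-interface=bridge-guest \
    comment="LAN -> guest (new connections)"
```

After applying, verify from a guest client that http://<router-ip> times out while the private LAN can still open WebFig, and check `/ip firewall filter print stats` to see the drop counters increase.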