Segregate guest and corporate access on separate AP hardware using VLANs

While I have dabbled in SoHo-Routing for quite some time, this is the first time I’m trying to use VLANs. Thanks for your patience if something shouldn’t be immediately clear to me. Having said that, I have done some extensive research before asking this question. I read through the various official documents in the Mikrotik Wiki, and I consulted several forum conversations on very similar topics. These conversations, however, were always cut short and no solution was presented, or at least not in any detail.

Here is how my network looks at the moment. I have one SoHo Router (Mikrotik RB4011, 10.2.0.1, dhcp router) that connects my LAN with network 10.2.0.0/23 to the internet (on ether1). One Mikrotik CSS106 Switch is connected to the router at ether9, one TP Link switch is connected to the Mikrotik Switch. Connected to the TP Link using PoE is a Mikrotik wAP in Wisp AP mode, getting IP dynamically.

All of this works perfectly fine. What I’m trying to achieve now is to offer guest wifi access through the wAP, without losing the possibility of accessing my LAN. In other words, I need two SSIDs, one routing straight and without detour to the internet, the other connecting me to my LAN.

I understand that this is possible with VLAN and I understand the general theory behind it but I’m truly lost at how to configure this. I’ll tell you what I have so far and maybe someone will be willing to show me the rest.

  1. I created a new VLAN on the local bridge interface with the name “guest-vlan” and the VLAN ID 3.
  2. I added a new IP address 192.168.6.1/24, attached to the interface “guest-vlan”.
  3. I registered a new dhcp server on interface guest-vlan, with the address pool offering IPs from the range 192.168.6.10-100.

That’s all I have on my router so far. I’m particularly not clear if and why I’d need VLAN bridge filtering. I’m also not clear if it is even possible to just add one new, special purpose VLAN without changing anything else.

Now, I understand that even if my configuration so far is correct, that’s just one side of the coin, I need to do the same on my wAP.

  1. I created a new VLAN on the local bridge (comprising eth1, wlan1, wlan2) called “guest-vlan” with VLAN ID 3.
  2. I created a new security profile for the guest WiFi, called “guestprofile”
  3. I created a new virtual AP named “guest-wlan”, in ap bridge mode, using “guestprofile”, with VLAN mode “use tag” and VLAN ID “3”

Clearly, this is not yet sufficient. I can connect to guest-wlan and my password is accepted, but I don’t have any network access.

Here is one of the (many) things I’m not clear on: Do I have to configure anything on the two switches between the wAP and the router? I would have assumed that if nothing is set, they will not discriminate whether a packet has a VLAN tag or not, and only the final recipient, i.e. the router or the wAP, will actually care about this.

Mind you, at this point of this experiment, it’s really not about additional security VLAN can give for my network in general. I understand that this is one of the main motivations for VLAN and I will do a lot more research and testing on this. At this moment, I really just wish to segregate guest users entirely.

Your help is much appreciated.

Vic

For wAP:

  1. Add “guest-wlan” as new port to existing bridge

To test connectivity between wAP and main router with minimal config and no other devices, add e.g. 192.168.6.2/24 to “guest-vlan” and try to ping 192.168.6.1 (or .2 from main router). Dumb switches should be transparent for VLAN packets. Managed ones will probably need tagged VLAN 3 on ports connected to main router and wAP and also between switches.

When it works, you can remove .2 address and whole “guest-vlan” interface from wAP.

Thank you, sob, for the very welcome nudge.

I followed your instructions and no traffic would pass between the router and the wAP. So I disconnected my wAP from the TP Link Switch and attached it to the Mikrotik switch. Now, pings would work in both directions. Clearly, the second switch was the problem.

The TP-Link SG 108PE has 4 different pages for VLAN configuration:

  • MTU VLAN (disabled by default)
  • Port based VLAN (enabled by default)
  • 802.1Q VLAN (disabled by default)
  • 802.1Q PVID Setting (empty)

It is not possible to disable everything; one setting must be enabled. In the course of my testing, I enabled 802.1Q VLAN without making any configuration changes. It seems that was enough to not let through any traffic other than VLAN ID 1. I disabled it again, thereby re-enabling the port based VLAN; now VLAN packets are switched transparently.

So, the guest-wlan works fine now. I’m noticing, however, that guests still seem to have full access to my internal network. I assume this is to be expected seeing as how the guest-vlan interface is part of the bridge. So I assume that all that’s left to do is to create a rule to drop forwarded traffic from 192.168.6.0/24 to 10.2.0.0/23.

I was expecting to get layer 2 segregation using VLANs, so I’m trying to wrap my head around this. Since I have to associate a VLAN with an existing interface on my router, isolating a VLAN does not seem possible without in effect isolating said interface, i.e. making it a designated trunk port. But unless that port is part of the local bridge, I wouldn’t be able to transparently switch local packets. By associating the VLAN with the local bridge, I can use any of the physical ports to transport packets with ID 3 but I have to add rules on layer 3 to actually segregate the networks.

Is this about the right conclusion? Or is there a smarter way of doing all of this?

A router is made to route, so if there’s a VLAN interface with one subnet and another interface with a different subnet, the router will happily route between them. If you don’t want that, you need to prevent it using a firewall filter.

You can either add blocking rule(s), or you can create the firewall in a way that everything not explicitly enabled is blocked (using an unconditional drop/reject rule at the end of the chain).
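Pulling the thread together, here is the configuration as RouterOS CLI commands. This is an added example, not posted by Vic or sob: it assumes the bridge on both devices is named `bridge`, the router's WAN is ether1, wlan1 is the master radio for the virtual AP, and the SSID and passphrase are placeholders. It goes one step beyond the thread by also limiting what guests can reach on the router itself (input chain), keeping only DHCP and DNS.

```routeros
# ---------- Router (RB4011): VLAN 3 on the bridge, addressing and DHCP ----------
/interface vlan add name=guest-vlan vlan-id=3 interface=bridge
/ip address add address=192.168.6.1/24 interface=guest-vlan
/ip pool add name=guest-pool ranges=192.168.6.10-192.168.6.100
/ip dhcp-server add name=guest-dhcp interface=guest-vlan address-pool=guest-pool disabled=no
/ip dhcp-server network add address=192.168.6.0/24 gateway=192.168.6.1 dns-server=192.168.6.1
# If the existing masquerade rule is limited by src-address, add one for 192.168.6.0/24;
# a plain "out-interface=ether1" masquerade already covers the guest subnet.

# ---------- Router: firewall, "guest may only go to the internet" ----------
# Rules are matched top-down; on an existing firewall these must sit above any
# broad accept rule in the forward chain, otherwise guests still reach 10.2.0.0/23.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies to already accepted connections"
add chain=forward in-interface=guest-vlan out-interface=ether1 action=accept \
    comment="guest -> internet only"
add chain=forward in-interface=guest-vlan action=drop \
    comment="guest -> LAN (10.2.0.0/23) or anything else: dropped"
# Guests can still talk to 192.168.6.1 itself; keep only DHCP and DNS open.
add chain=input in-interface=guest-vlan protocol=udp dst-port=53,67 action=accept \
    comment="guest: DNS and DHCP to the router"
add chain=input in-interface=guest-vlan protocol=tcp dst-port=53 action=accept
add chain=input in-interface=guest-vlan action=drop \
    comment="guest: no winbox/ssh/web on the router"

# ---------- wAP: virtual AP tagged with VLAN 3, bridged with eth1 ----------
/interface wireless security-profiles add name=guestprofile mode=dynamic-keys \
    authentication-types=wpa2-psk wpa2-pre-shared-key="CHANGE-ME-guest-passphrase"
/interface wireless add name=guest-wlan master-interface=wlan1 mode=ap-bridge \
    ssid="Guest-SSID-placeholder" security-profile=guestprofile \
    vlan-mode=use-tag vlan-id=3 disabled=no
/interface bridge port add bridge=bridge interface=guest-wlan

# ---------- wAP: temporary check of the tagged path (sob's test), remove afterwards ----------
# Managed switches in between must carry VLAN 3 tagged on the ports towards the
# router, the wAP and each other; unmanaged ones pass the tags untouched.
/interface vlan add name=guest-vlan vlan-id=3 interface=bridge
/ip address add address=192.168.6.2/24 interface=guest-vlan
/ping 192.168.6.1 count=3
```

After a guest client gets a 192.168.6.x lease, a ping from it to 10.2.0.1 should fail while a ping to an internet address succeeds; that is the check that the forward drop is above any earlier accept rule.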