Separate guest network setup questions

Hi

I want to have a separate guest WLAN on my hAP AC Lite that shares the internet connection but has a different DHCP address range (not necessarily a different subnet). I think I have completed most of it but I am struggling with getting internet access from the guest network.

Here’s what I have so far:

  • Internet connection on eth1
  • PPTP VPN connection running
  • eth2, wlan1, wlan2 bridged on 192.168.88.0/24 with router on 192.168.88.1 and DHCP server running
  • the appropriate NAT and mangle rules
  • all traffic from the subnet routed through the VPN

The above works great. I also set up

  • wlan3, wlan4 bridged on 192.168.89.0/24 with router on 192.168.89.1 and DHCP server running
  • all traffic from the subnet should NOT be routed through the VPN

Where I am struggling now is with setting up the rules so that the second subnet can reach the Internet while still being isolated from the first. Can anyone help?

You need to add some firewall filters, because currently you allow forwarding from almost any source to any destination. There are two basic approaches:

  1. Whitelist. Add an unconditional drop or reject rule at the end of the forward chain in /ip firewall filter, so that by default no forwarding will be allowed, and put your exceptions before that. Allow traffic from the normal LAN interface to everywhere (or just to WAN, if you don’t want to access devices in the guest LAN), then traffic from the guest LAN interface to WAN. Traffic from the guest LAN to anywhere else won’t be covered by these allow rules and will be dropped or rejected by the last one.

  2. Blacklist. Add a drop or reject rule for traffic from the guest LAN to interfaces other than WAN.
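As an added illustration of the whitelist approach (not from the thread or the poster's export), here is a minimal /ip firewall filter forward chain for this setup. The interface names are assumptions: ether1 is the WAN uplink, bridge-lan carries 192.168.88.0/24 and bridge-guest carries 192.168.89.0/24; the input-chain rules at the end go one step beyond the answer above and limit what guest clients can ask of the router itself.

```routeros
# Added example, not from the thread. Assumed names: ether1 = WAN,
# bridge-lan = 192.168.88.0/24, bridge-guest = 192.168.89.0/24.
/ip firewall filter
# Replies to connections already accepted below must always pass,
# otherwise return traffic from WAN (or from LAN to guest) is dropped.
add chain=forward action=accept connection-state=established,related \
    comment="accept replies to allowed connections"
add chain=forward action=drop connection-state=invalid \
    comment="drop malformed/unknown state"
# Normal LAN may initiate to anything (WAN, and guest if ever needed).
add chain=forward action=accept in-interface=bridge-lan \
    comment="LAN may reach everywhere"
# Guest LAN may initiate only towards the WAN uplink.
add chain=forward action=accept in-interface=bridge-guest \
    out-interface=ether1 comment="guest may reach WAN only"
# Anything not explicitly allowed above (guest -> LAN, guest -> guest
# via router, LAN-side hosts reached from WAN) is dropped here.
add chain=forward action=drop comment="default deny forward"

# Optional hardening of the router itself: guest clients only need
# DHCP and DNS from 192.168.89.1, not WinBox/SSH/web.
add chain=input action=accept in-interface=bridge-guest \
    protocol=udp dst-port=67 comment="guest DHCP"
add chain=input action=accept in-interface=bridge-guest \
    protocol=udp dst-port=53 comment="guest DNS"
add chain=input action=accept in-interface=bridge-guest \
    protocol=tcp dst-port=53 comment="guest DNS (tcp)"
add chain=input action=drop in-interface=bridge-guest \
    comment="guest may not manage the router"
```

Rule order matters in RouterOS: check with /ip firewall filter print that the default-deny rule is last in the forward chain, and test from a guest client that 192.168.88.1 and 192.168.88.x hosts time out while a public address still answers.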