Separate into multiple networks

Hi,

I’ve had my RouterBoard RB2011UAS-2HnD-IN for a few weeks and I love it! I’m currently just using it as a wireless station, but in the summer I will be moving into shared accommodation where I would like to use it. I just want to check that what I plan to do is possible and, if so, get some rough pointers on what I should do.

The flat will have a single 100 Mbps cable connection. What I want is to connect the modem to the RouterBoard and then “split” the connection so that each person in the flat (3 of us) has their own wireless network and pair of Ethernet ports. I would like to have it so each person has their own IP range (assigned over DHCP) and so that each person’s network can’t talk to any other person’s network (so, for example, trying to connect to a network device on one network isn’t possible from another network). I would also ideally like to be able to do all this with my single RouterBoard.

As an added bonus I would love if it were possible to set up a fourth network that could be used to connect a networked printer so that each person can print to the printer from within their own network while maintaining the inability to communicate between personal networks.

I hope this makes sense. I won’t be doing this for a while so I don’t need any concrete explanation on what to do (Although that would be great!) but it would be great to know if this is possible, get a rough idea on how to do it as well as any other hardware that I may need (Hopefully none!).

Thanks in advance,
Cameron

Virtual Access Points will let you have multiple SSIDs on the same channels and each VAP can be bridged to a different local LAN segment.

The filters in the forward chain determine which forwarding is permitted so that is where you would control access among the LAN segments.

It all sounds possible on the unit you already have.

That’s great!

So I would create a VAP for each person, then bridge each access point with each person’s Ethernet ports along with the WAN port? Then in order to prevent the bridges “talking” I would then do something under the filters tab on the “Bridges” page?

Not completely.
You bridge the designated ether ports and one VAP per person.
Bound an individual DHCP to each bridge, and an IP address inside the same network.
The WAN port should have your shared public IP.
On the IP firewall filter, allow and deny traffic as desired.
By default all traffic is routed if the destination is known. Each DHCP should serve its IP as default gateway.

Thanks, that’s brilliant, really helps me understand what to do!

I’m sure I’ll be back when the time comes to set it up!

Edit: I think I’ve sorted this stage - Needed to assign an address range to the bridge under IP → Addresses
I hope it’s okay bringing up this old thread.

I have finally got around to setting all this up, making a bit of progress but now stuck.

What I have so far:

  • 3 Virtual Access Points (Created and can connect to them)
  • 3 Bridges with one VAP each (Will add LAN ports later)

So the stage I am at now is “Bound an individual DHCP to each bridge, and an IP address inside the same network.” How do I do this? I have tried the following:

  • Go into IP → DHCP Server
  • Click DHCP Setup
  • Pick the bridge name
  • Enter an address space (e.g. 192.168.51.0/24)
  • Enter the gateway address (e.g. 192.168.51.1)
  • Press the arrow to clear DHCP Relay
  • Adjust IPs to give out so that IPs below x.x.x.100 are not given out (Reserved for static stuff)
  • Leave DNS servers as default
  • Leave Lease Time as default

Once this is done the DHCP servers all show up in the list, but when connecting to one of the virtual APs, I am not given an IP address.

Any help would be greatly appreciated!

I think you should also manually configure the gateway address as the IP address of your bridge interface.
AFAIK this is not done by the DHCP-setup process.

You would probably be better to upload the current config - output from /export compact so we can get an overview.

Sorry, forgot to follow up!

Just to let you know that everything works perfectly, went much better than expected!

If anyone does want the config out of interest, I’d be happy to share it.

I would like a copy of the config file if you don’t mind.

Dear Camerongray,

Thanks for sharing the info with us. I would like to have a copy of the script too, please.

Should I send you my email ID?

Sorry for the delay, here’s the config below!

# jan/02/1970 13:09:43 by RouterOS 6.1
# software id = ZWNL-G3EA
#
/interface bridge
add l2mtu=1598 name=bridge-cameron
add name=bridge-daniel
add name=bridge-guest
add name=bridge-jamie
add l2mtu=1598 name=bridge-shared
/interface wireless
set 4 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=\
    indoors hide-ssid=yes ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=\
    ap-bridge ssid=MikroTik_Admin
/interface ethernet
set 0 name=A_1
set 1 name=A_2
set 2 name=A_3
set 3 name=A_4
set 4 name=B_1
set 5 name=B_2
set 6 name=B_3
set 7 name=B_4
set 8 name=B_5
set 9 name=WAN
set 10 name=sfp1-gateway
/ip neighbor discovery
set WAN discover=no
set sfp1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods=\
    passthrough mode=dynamic-keys wpa-pre-shared-key=\
    "XXXXXXXXXXXX" \
    wpa2-pre-shared-key=\
    "XXXXXXXXXXXX"
add authentication-types=wpa-psk,wpa2-psk eap-methods=passthrough \
    management-protection=allowed mode=dynamic-keys name=security-cameron \
    supplicant-identity="" wpa-pre-shared-key=XXXXXXXXXXXX \
    wpa2-pre-shared-key=XXXXXXXXXXXX
add authentication-types=wpa-psk,wpa2-psk eap-methods=passthrough \
    management-protection=allowed mode=dynamic-keys name=security-daniel \
    supplicant-identity="" wpa-pre-shared-key=XXXXXXXXXXXX \
    wpa2-pre-shared-key=XXXXXXXXXXXX
add authentication-types=wpa-psk,wpa2-psk eap-methods=passthrough \
    management-protection=allowed mode=dynamic-keys name=security-jamie \
    supplicant-identity="" wpa-pre-shared-key=XXXXXXXXXXXX \
    wpa2-pre-shared-key=XXXXXXXXXXXX
add authentication-types=wpa-psk,wpa2-psk eap-methods=passthrough \
    management-protection=allowed mode=dynamic-keys name=security-guest \
    supplicant-identity="" wpa-pre-shared-key=XXXXXXXXXXXX \
    wpa2-pre-shared-key=XXXXXXXXXXXX
/interface wireless
add disabled=no l2mtu=2290 mac-address=D6:CA:6D:97:25:C8 master-interface=\
    wlan1 name=vap-cameron security-profile=security-cameron ssid=\
    MikroTik_Cameron wds-cost-range=0 wds-default-cost=0
add disabled=no l2mtu=2290 mac-address=D6:CA:6D:97:25:C9 master-interface=\
    wlan1 name=vap-daniel security-profile=security-daniel ssid=\
    MikroTik_Daniel wds-cost-range=0 wds-default-cost=0
add disabled=no l2mtu=2290 mac-address=D6:CA:6D:97:25:CB master-interface=\
    wlan1 name=vap-guest security-profile=security-guest ssid=MikroTik_Guest \
    wds-cost-range=0 wds-default-cost=0
add disabled=no l2mtu=2290 mac-address=D6:CA:6D:97:25:CA master-interface=\
    wlan1 name=vap-jamie security-profile=security-jamie ssid=MikroTik_Jamie \
    wds-cost-range=0 wds-default-cost=0
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool6 ranges=10.1.2.100-10.1.2.254
add name=dhcp_pool7 ranges=10.1.3.100-10.1.3.254
add name=dhcp_pool8 ranges=10.1.4.100-10.1.4.254
add name=dhcp_pool9 ranges=10.1.1.100-10.1.1.254
add name=dhcp_pool10 ranges=10.1.0.100-10.1.0.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no name=default
add address-pool=dhcp_pool6 disabled=no interface=bridge-daniel name=\
    dhcp-daniel
add address-pool=dhcp_pool7 disabled=no interface=bridge-jamie name=\
    dhcp-jamie
add address-pool=dhcp_pool8 disabled=no interface=bridge-guest name=\
    dhcp-guest
add address-pool=dhcp_pool9 disabled=no interface=bridge-cameron name=\
    dhcp-cameron
add address-pool=dhcp_pool10 disabled=no interface=bridge-shared name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-shared interface=A_1
add bridge=bridge-cameron interface=A_2
add bridge=bridge-cameron interface=B_2
add bridge=bridge-daniel interface=A_3
add bridge=bridge-daniel interface=B_3
add bridge=bridge-jamie interface=A_4
add bridge=bridge-jamie interface=B_4
add bridge=bridge-guest interface=B_5
add bridge=bridge-shared interface=B_1
add bridge=bridge-cameron interface=vap-cameron
add bridge=bridge-daniel interface=vap-daniel
add bridge=bridge-jamie interface=vap-jamie
add bridge=bridge-guest interface=vap-guest
/interface bridge settings
set use-ip-firewall=yes
/ip address
add address=192.168.88.1/24 comment="default configuration" network=\
    192.168.88.0
add address=10.1.0.1/24 interface=bridge-shared network=10.1.0.0
add address=10.1.1.1/24 interface=bridge-cameron network=10.1.1.0
add address=10.1.2.1/24 interface=bridge-daniel network=10.1.2.0
add address=10.1.3.1/24 interface=bridge-jamie network=10.1.3.0
add address=10.1.4.1/24 interface=bridge-guest network=10.1.4.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=sfp1-gateway
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=WAN
/ip dhcp-server network
add address=10.1.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.1.0.1
add address=10.1.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.1.1.1
add address=10.1.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.1.2.1
add address=10.1.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.1.3.1
add address=10.1.4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.1.4.1
add address=192.168.50.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.50.1
add address=192.168.51.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.51.1
add address=192.168.52.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.52.1
add address=192.168.53.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.53.1
add address=192.168.54.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.54.1
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=reject chain=forward in-interface=bridge-guest out-interface=!WAN
add chain=forward out-interface=bridge-shared
add action=reject chain=forward in-interface=bridge-cameron out-interface=\
    !WAN
add action=reject chain=forward in-interface=bridge-daniel out-interface=!WAN
add action=reject chain=forward in-interface=bridge-jamie out-interface=!WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=WAN to-addresses=0.0.0.0
/ip service
set api disabled=yes
/lcd
set backlight-timeout=never current-interface=WAN
/tool graphing interface
add interface=WAN
add interface=bridge-cameron
add interface=bridge-daniel
add interface=bridge-guest
add interface=bridge-jamie
add interface=bridge-shared
/tool graphing resource
add
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=A_1
add interface=A_2
add interface=A_3
add interface=A_4
add interface=B_1
add interface=B_2
add interface=B_3
add interface=B_4
add interface=wlan1
add
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=A_1
add interface=A_2
add interface=A_3
add interface=A_4
add interface=B_1
add interface=B_2
add interface=B_3
add interface=B_4
add interface=wlan1
add
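
Added example, not part of the original post: a small Python model of how the `/ip firewall filter` forward-chain rules in the export above are evaluated (first match wins, a packet that matches no rule is accepted), used to list which networks can exchange traffic in both directions. The rule tuples are transcribed from the export; connection state is ignored because the posted rules do not match on it, and only routed traffic between the listed interfaces is modelled.

```python
# Added example: first-match evaluation of the posted forward-chain rules.
# Constructed model, not RouterOS code; connection state is not modelled.
RULES = [  # (action, in-interface, out-interface), in the exported order
    ("reject", "bridge-guest", "!WAN"),
    ("accept", None, "bridge-shared"),  # no action= in the export means accept
    ("reject", "bridge-cameron", "!WAN"),
    ("reject", "bridge-daniel", "!WAN"),
    ("reject", "bridge-jamie", "!WAN"),
]
INTERFACES = ["bridge-cameron", "bridge-daniel", "bridge-jamie",
              "bridge-guest", "bridge-shared", "WAN"]


def matches(pattern, iface):
    """None matches any interface; a leading '!' negates the match."""
    if pattern is None:
        return True
    if pattern.startswith("!"):
        return iface != pattern[1:]
    return iface == pattern


def verdict(in_if, out_if, rules=RULES):
    """Action of the first matching rule; unmatched packets are accepted."""
    for action, rule_in, rule_out in rules:
        if matches(rule_in, in_if) and matches(rule_out, out_if):
            return action
    return "accept"


def two_way(a, b, rules=RULES):
    """True when packets are forwarded in both directions between a and b."""
    return verdict(a, b, rules) == "accept" and verdict(b, a, rules) == "accept"


def reachable_pairs(rules=RULES):
    """All interface pairs that can exchange traffic in both directions."""
    return sorted((a, b) for i, a in enumerate(INTERFACES)
                  for b in INTERFACES[i + 1:] if two_way(a, b, rules))


if __name__ == "__main__":
    for pair in reachable_pairs():
        print("two-way:", *pair)
```

In this model the guest bridge cannot reach bridge-shared because its reject rule sits above the accept rule for bridge-shared; with the accept rule placed first, that verdict becomes accept.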

It’s looking nice.
Actually I would’ve done the firewalling a little differently, but I think yours will work too.
I would also suggest removing all the unnecessary default config entries from your config, just to make it neater.