Separating an AP from the LAN

Hi,

I’m new to Mikrotik and I’d like to ask for some help. My setup: Mikrotik HAPac2 router with ether1 as WAN and a wireless AP (Ubiquiti) with a wired connection on ether2 through DHCP. The whole network is running fine; however, I would like to isolate the AP from the rest of the network. Since there is nothing else on ether2 but the AP itself, it made sense to me to set the firewall rules for the ether2 interface itself in order to drop everything on the LAN but allow WAN (web) access. Unfortunately, I’m receiving an error message saying that ether2 is a ‘slave’, so setting the firewall rules is not possible. I understand that it is related to the bridge (bridge setup attached); however, I’m fully lost, as honestly this whole bridge concept is something I don’t really understand. Could someone please explain how I should make the LAN isolation happen and let the AP clients reach only the internet? Thanks :)
mikrotik.jpg

Please
/export hide-sensitive file=anynameyouwish

to see what is going on.

A bridge is effectively a network switch, and in its basic form traffic can pass between all ports/interfaces.

There are various ways of separating the traffic - separate networks / VLANs, port isolation, bridge filtering. If you have a single LAN, the simplest way with UniFi APs to prevent access to the LAN is to tick the Guest Policy box when editing the network under Settings > Wireless Networks; even with no guest portal configured, the setting prevents wireless clients from communicating with devices on the LAN. If you configured the AP with the UniFi app rather than through a UniFi controller, I don’t know if this option is available.
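
The bridge-filtering option mentioned in the reply above, sketched as an added example that is not part of any post in this thread. It assumes the AP is the only device on ether2 and that ether2 is a port of the router's existing LAN bridge; the actual configuration was never posted, so check it against your own export first.

```routeros
# Added example. Assumption: ether2 (the AP) is a port of the LAN bridge.

# 1. Bridge filter rules only see frames that pass through the CPU, so turn
#    off hardware offloading on the AP's port. Without this the switch chip
#    can forward frames between ports and the rules below never match.
/interface bridge port set [find interface=ether2] hw=no

# 2. Drop every frame that would be bridged between ether2 and any other
#    bridge port, in both directions. Frames addressed to the router itself
#    (DHCP, DNS, the default gateway) go through the bridge "input" chain,
#    not "forward", so clients behind the AP still get an address and are
#    still routed out through ether1.
/interface bridge filter
add chain=forward in-interface=ether2 action=drop comment="AP clients -> other LAN ports"
add chain=forward out-interface=ether2 action=drop comment="other LAN ports -> AP clients"

# 3. Review the result: ether2 should no longer show the H (hw-offload)
#    flag, and both drop rules should be listed.
/interface bridge port print
/interface bridge filter print
```

These rules also cut the AP's own management address off from LAN hosts, so a UniFi controller running on another bridge port would lose contact with it. The router itself stays reachable from the AP's clients, because traffic to the router is not handled by the forward chain.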