Setting up properly separated guest and main with a mix of wifiwave2 and "legacy" access points

I just discovered that I cannot use CAPsMAN in my network, unless I add another “legacy” router just for the purpose. I need gigabit ethernet, but would still like to have good separation between guest and main networks.

So, here’s what I need:

  1. “main” network. Just for me. There’s a server and main machine on this network, but this main machine is also used by other members of the family. Here, I would almost prefer the server to be isolated from the home network, but would tolerate the main computer to also have direct access to it.
  2. “family” network. Again, the main computer, TV, printer, scanner, mobile phones and everything else needed for everyday life. Technically, the server also hosts all my ripped blu-rays (I don’t have a dedicated blue-ray player), so limited SMB availability towards internal network would also be great.
  3. “guest” network. For everyone else. A different TV + internet only access.

Here’s what I have:

  • hAP ac2 - main router. I hoped it would be the CAPsMAN, but now the smaller access points are just not compatible :frowning:
  • RB260GSP PoE switch (serves power for the two “smaller” access points)
  • mAP lite and a hAP lite - the two smaller access points for other sections of the house
  • I also have one mAP lite (RBmAPL-2nD), which was intended for something else, but might also serve a purpose?

“main” network needs to be served only on the main router, the other two on the smaller access points too.

I realise this is a fairly complex scenario. It would have been covered perfectly with the CAPsMAN, but now that’s not an option and I feel quite SOL. But I would still appreciate any advice on how to go about this. I have seen MT devices supporting VLANs and separate subnets, so I expect this is the way to go. But I’m not a networking expert, so, help appreciated, free or paid.

For all the devices listed, you can use legacy CAPsMAN on each of the listed devices (I would use the AC2).
So what’s the problem??

You are aware you are giving conflicting info in that other thread which makes it rather difficult for anyone to give you the correct response ?
Are you or are you not using AX2 in your setup ? If not, it doesn’t make sense to look at wifiwave2.

Forget CAPsMAN, it’s not worth the extra config required. Setting an MT device to be a switch/AP is dirt simple and there is no need for CAPsMAN in 99% of cases.

Requirements sound more like VLAN’ning than CAPsMAN’ning, that’s true :laughing:

https://forum.mikrotik.com/viewtopic.php?t=182276

Indeed, I have now gone the VLAN route. A lot of networking knowledge accumulated in just one week since I bought these routers :smiley:. I actually love RouterOS so much I don’t want to go back, despite some issues I know are not my fault. I’ll just wait for the patches; with the speed MT is releasing new versions, it won’t be long :slight_smile:

Anyway, I have now successfully established a “main” VLAN and a “guest” VLAN. I have also established a rule preventing guest VLAN from accessing the rest of LAN. Configuration below.

However, I’m currently perplexed how it’s possible for my phone to still ping the router itself or resolve DNS via the router given the rules I have set up. I would imagine any DNS queries to be killed by my second firewall rule. But why does it still work? I can both ping and resolve DNS queries towards 192.168.254.1 despite the second firewall rule “clearly” banning them (clearly obviously being only within my head).

Here’s my current export of the router configuration:

/interface bridge
add admin-mac=48:A9:8A:91:9E:BF auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] mac-address=88:D7:F6:6C:EF:98
/interface vlan
add interface=bridge name=guest-vlan vlan-id=10
add interface=bridge name=main-vlan vlan-id=20
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 channel
add band=5ghz-ax comment="5GHz default" disabled=no name=5GHz
add band=2ghz-ax comment="2.4GHz default" disabled=no name=2.4GHz
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk comment=guest disabled=no name=guest
add comment=main disabled=no name=main
/interface wifiwave2 configuration
add channel=5GHz comment="guest 5GHz" datapath.vlan-id=10 disabled=no mode=ap name=guest5 security=guest ssid=velis_guest
add comment="guest 2.4GHz" datapath.bridge=bridge .vlan-id=10 disabled=no mode=ap name=guest2.4 security=guest ssid=velis_guest
add channel=5GHz comment=main-5 country=Slovenia disabled=no mode=ap name=main-5 security=main ssid=velis
add channel=2.4GHz comment=main-2.4 disabled=no mode=ap name=main-2.4 security=main ssid=velis
/interface wifiwave2
set [ find default-name=wifi2 ] configuration=main-2.4 configuration.mode=ap disabled=no name=main-2.4
set [ find default-name=wifi1 ] channel=5GHz configuration=main-5 configuration.mode=ap disabled=no name=main-5 security=main
add channel=2.4GHz configuration=guest2.4 configuration.mode=ap disabled=no mac-address=4A:A9:8A:91:9E:C4 master-interface=main-2.4 name=\
    guest-2.4 security=guest
add channel=5GHz configuration=guest5 configuration.mode=ap disabled=no mac-address=4A:A9:8A:91:9E:C3 master-interface=main-5 name=guest-5 \
    security=guest
/ip pool
add name=dhcp ranges=192.168.254.50-192.168.254.199
add name=guest-pool ranges=192.168.210.50-192.168.210.199
add name=main-pool ranges=192.168.220.50-192.168.220.199
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=guest-pool interface=guest-vlan name=guest-dhcp
add address-pool=main-pool interface=main-vlan name=main-dhcp
/interface bridge filter
add action=drop chain=forward in-interface=guest-5
add action=drop chain=forward out-interface=guest-5
add action=drop chain=forward in-interface=guest-2.4
add action=drop chain=forward out-interface=guest-2.4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=main-5
add bridge=bridge comment=defconf interface=main-2.4
add bridge=bridge interface=guest-5
add bridge=bridge interface=guest-2.4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=guest-vlan list=LAN
add interface=main-vlan list=LAN
/interface wifiwave2 capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=bridge package-path="" require-peer-certificate=no upgrade-policy=\
    suggest-same-version
/interface wifiwave2 provisioning
add action=create-dynamic-enabled comment="guest 2.4" disabled=no master-configuration=guest2.4
add action=create-dynamic-enabled comment="guest 5" common-name-regexp="" disabled=no master-configuration=guest5
/ip address
add address=192.168.254.1/24 comment=defconf interface=bridge network=192.168.254.0
add address=192.168.210.1/24 interface=guest-vlan network=192.168.210.0
add address=192.168.220.1/24 interface=main-vlan network=192.168.220.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.254.2 comment="AP hodnik" mac-address=48:A9:8A:48:56:41
add address=192.168.254.3 comment="AP garaza" mac-address=48:A9:8A:5A:93:0F
add address=192.168.254.31 comment=scanner mac-address=5C:F3:70:BE:27:50
add address=192.168.254.10 comment=velis mac-address=00:D8:61:FC:1F:A9
add address=192.168.254.20 comment="backup server" mac-address=E0:D5:5E:6E:51:4D
add address=192.168.254.9 comment="PoE switch" mac-address=48:A9:8A:72:DF:5D
add address=192.168.254.40 comment="Televizija dnevna" mac-address=38:18:4C:5D:EE:CF
add address=192.168.254.32 comment=printer mac-address=F8:89:D2:FD:AA:7D
/ip dhcp-server network
add address=192.168.210.0/24 comment=guest dns-server=192.168.254.1 domain=velis.guest gateway=192.168.210.1
add address=192.168.220.0/24 comment=main dns-server=192.168.254.1 domain=velis.main gateway=192.168.220.1
add address=192.168.254.0/24 comment=defconf dns-server=192.168.254.1 domain=velis.home gateway=192.168.254.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.254.1 comment=router name=router
add address=192.168.254.20 name=nextcloud.velis.si
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="guest VLAN" out-interface-list=WAN src-address=192.168.210.0/24
add action=drop chain=forward comment="guest VLAN" dst-address=!192.168.210.0/24 src-address=192.168.210.0/24
add action=accept chain=input dst-port=80 protocol=tcp
add action=accept chain=input dst-port=22 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT hairpin" dst-address=192.168.254.0/24 log=yes src-address=192.168.254.0/24
add action=masquerade chain=srcnat comment="VLAN guest Masquerade" out-interface-list=WAN src-address=192.168.210.0/24
add action=masquerade chain=srcnat comment="VLAN main Masquerade" out-interface-list=WAN src-address=192.168.220.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="SSH server" dst-port=2022 in-interface=ether1 protocol=tcp to-addresses=192.168.254.20 to-ports=22
add action=dst-nat chain=dstnat comment=Nextcloud dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.254.20 to-ports=80
add action=dst-nat chain=dstnat comment=Nextcloud dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.254.20 to-ports=443
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Ljubljana
/system note
set show-at-login=no

One of the early things the router does on reception of a packet is to check if the destination IP address is one of its own addresses. And if it is (and is not subject to dst-nat), then the packet goes via chain=input (regardless of the destination IP address). So if you want to block communication between a LAN machine and a “non-native” router IP address, then you have to set up a few drop rules in chain=input. But this is purely cosmetic, it does nothing security-wise.
If, OTOH, the packet’s destination IP address is not one of the router’s own addresses, then the packet goes via chain=forward.

So your second firewall rule doesn’t affect packets targeting the router (regardless of the destination IP address and ingress interface).
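As an added illustration of the input/forward dispatch described in this reply (this is not code from the thread or from MikroTik), the following Python model applies that rule to the first packet of a connection and then evaluates the filter rules from the export above. It reproduces the observation from the thread: a ping or DNS query from the guest phone to 192.168.254.1 lands in chain=input, where the guest drop rule (a chain=forward rule) is never consulted, while the same phone reaching 192.168.254.20 is dropped in chain=forward. The GUEST_INPUT_RULES list and the sample packets are constructed for this example; dst-nat, connection tracking and the established/related accepts are deliberately left out, since they do not affect a first packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Addresses the router holds on bridge, guest-vlan and main-vlan (from the export above).
ROUTER_ADDRESSES = {"192.168.254.1", "192.168.210.1", "192.168.220.1"}
# Interface lists from the export: both VLAN interfaces were added to LAN.
INTERFACE_LISTS = {"LAN": {"bridge", "guest-vlan", "main-vlan"}, "WAN": {"ether1"}}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dst_port: Optional[int]
    in_iface: str
    out_iface: str = ""          # routing result; empty for packets addressed to the router


@dataclass
class Rule:
    chain: str
    action: str
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    dst_negated: bool = False            # dst-address=!x.x.x.x/yy
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    in_iface: Optional[str] = None
    in_list: Optional[str] = None
    in_list_negated: bool = False        # in-interface-list=!LAN
    out_list: Optional[str] = None


def in_net(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher set on the rule must agree with the packet."""
    if rule.src_net and not in_net(pkt.src, rule.src_net):
        return False
    if rule.dst_net and in_net(pkt.dst, rule.dst_net) == rule.dst_negated:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.in_iface and rule.in_iface != pkt.in_iface:
        return False
    if rule.in_list and (pkt.in_iface in INTERFACE_LISTS[rule.in_list]) == rule.in_list_negated:
        return False
    if rule.out_list and pkt.out_iface not in INTERFACE_LISTS[rule.out_list]:
        return False
    return True


def select_chain(pkt: Packet) -> str:
    """The dispatch step the reply describes: a packet addressed to any of the
    router's own addresses goes to chain=input, everything else to chain=forward."""
    return "input" if pkt.dst in ROUTER_ADDRESSES else "forward"


def verdict(rules, pkt: Packet):
    """First matching rule in the selected chain decides; no match means accept."""
    chain = select_chain(pkt)
    for rule in rules:
        if rule.chain == chain and matches(rule, pkt):
            return chain, rule.action
    return chain, "accept"


# New-connection rules from the export above, in export order.
POSTED_RULES = [
    Rule("forward", "accept", src_net="192.168.210.0/24", out_list="WAN"),
    Rule("forward", "drop", src_net="192.168.210.0/24", dst_net="192.168.210.0/24", dst_negated=True),
    Rule("input", "accept", proto="tcp", dst_port=80),
    Rule("input", "accept", proto="tcp", dst_port=22),
    Rule("input", "accept", proto="icmp"),
    Rule("input", "drop", in_list="LAN", in_list_negated=True),
]

# Illustrative chain=input rules (constructed, not from the thread): guests may reach
# DNS and DHCP on the router, everything else entering from guest-vlan is dropped.
# In RouterOS these belong after the established/related accept and before "accept ICMP".
GUEST_INPUT_RULES = [
    Rule("input", "accept", in_iface="guest-vlan", proto="udp", dst_port=53),
    Rule("input", "accept", in_iface="guest-vlan", proto="tcp", dst_port=53),
    Rule("input", "accept", in_iface="guest-vlan", proto="udp", dst_port=67),
    Rule("input", "drop", in_iface="guest-vlan"),
]
HARDENED_RULES = POSTED_RULES[:2] + GUEST_INPUT_RULES + POSTED_RULES[2:]

# Constructed sample packets from a guest phone at 192.168.210.60.
PING_ROUTER = Packet("192.168.210.60", "192.168.254.1", "icmp", None, "guest-vlan")
DNS_ROUTER = Packet("192.168.210.60", "192.168.254.1", "udp", 53, "guest-vlan")
SMB_SERVER = Packet("192.168.210.60", "192.168.254.20", "tcp", 445, "guest-vlan", "bridge")
HTTPS_OUT = Packet("192.168.210.60", "1.1.1.1", "tcp", 443, "guest-vlan", "ether1")

if __name__ == "__main__":
    for name, pkt in [("ping router", PING_ROUTER), ("dns router", DNS_ROUTER),
                      ("smb to server", SMB_SERVER), ("https out", HTTPS_OUT)]:
        print(f"{name:14} posted={verdict(POSTED_RULES, pkt)}  hardened={verdict(HARDENED_RULES, pkt)}")
```

With the posted rules, both "ping router" and "dns router" come back as ("input", "accept") because no input rule matches them and RouterOS falls through to accept; with the guest input rules in place the ping is dropped while DNS still works, and a ping from main-vlan is unaffected.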

Firewall info…
Most of us here, once past the defaults, move to allowing only specific traffic and blocking everything else by default.
It makes life much easier, including with VLANs.

https://forum.mikrotik.com/viewtopic.php?t=180838

I am making steady progress, so big thanks guys for pointing me to all the guides. So, now I have everything set up on the main router, and it works. Then I have also set up the first AP (mAP lite - RBmAPL-2nD).

However, I am facing two issues:

  1. I am seeing the same SSID twice (once from the main router, then again from the AP). Password re-entry is not required by my phone, but they show as two distinct SSIDs (with the same name).
  2. When connecting to the AP SSID, my phone does not get an IP assigned

AP configuration:

/interface bridge
add admin-mac=48:A9:8A:48:56:41 auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=slovenia disabled=no frequency=auto hide-ssid=yes mode=ap-bridge ssid=MikroTik5672
/interface vlan
add interface=bridgeLocal name=guest-vlan vlan-id=10
add interface=bridgeLocal name=main-vlan vlan-id=20
/interface wireless
add disabled=no mac-address=4A:A9:8A:48:56:43 master-interface=wlan1 name=guest-2.4 ssid=velis_guest vlan-id=10 vlan-mode=use-tag
add disabled=no mac-address=4A:A9:8A:48:56:44 master-interface=wlan1 name=main-2.4 ssid=velis vlan-id=20 vlan-mode=use-tag
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal interface=wlan1
/interface list member
add interface=ether1 list=WAN
add interface=wlan1 list=LAN
/interface wireless cap
set bridge=bridgeLocal discovery-interfaces=bridgeLocal interfaces=wlan1
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip dhcp-relay
add dhcp-server=192.168.210.1 disabled=no interface=guest-vlan name="guest DHCP"
add dhcp-server=192.168.220.1 disabled=no interface=main-vlan name="main DHCP"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="guest VLAN" out-interface-list=WAN src-address=192.168.210.0/24
add action=drop chain=forward comment="guest VLAN" dst-address=!192.168.210.0/24 src-address=192.168.210.0/24
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name="AP Hodnik"
/system note
set show-at-login=no

Basically I duplicated VLANs and SSIDs from the main router (to the extent possible given the radio differences between the units). I have also set up DHCP relays for my VLAN networks.

Any ideas what I’m doing wrong here?

I have gathered captures and it looks like almost nothing from the phone even gets through to the access point: I only see two packets and they are both ICMPv6. For two attempts at getting an IP address by the phone, a pretty meager result.

It’s like the wireless interface was an (almost) complete dead end.

I got it working!!! Yay!!! The guide. My current AP configuration:

/interface bridge
add admin-mac=48:A9:8A:48:56:41 auto-mac=no comment=defconf fast-forward=no name=bridgeLocal vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=slovenia disabled=no frequency=auto hide-ssid=yes mode=ap-bridge ssid=MikroTik5672 \
    vlan-mode=use-tag
/interface vlan
add interface=bridgeLocal name=guest-vlan vlan-id=10
add interface=bridgeLocal name=main-vlan vlan-id=20
/interface wireless
add disabled=no mac-address=4A:A9:8A:48:56:44 master-interface=wlan1 name=main-2.4 ssid=velis vlan-id=20 vlan-mode=use-tag
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=guest supplicant-identity=MikroTik
/interface wireless
add disabled=no mac-address=4A:A9:8A:48:56:43 master-interface=wlan1 name=guest-2.4 security-profile=guest ssid=velis_guest1 vlan-id=10 \
    vlan-mode=use-tag
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal interface=wlan1
add bridge=bridgeLocal interface=guest-2.4
add bridge=bridgeLocal interface=main-2.4
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,guest-2.4 vlan-ids=10
add bridge=bridgeLocal tagged=ether1,main-2.4 vlan-ids=20
/interface list member
add interface=ether1 list=WAN
add interface=wlan1 list=LAN
/interface wireless cap
set bridge=bridgeLocal discovery-interfaces=bridgeLocal interfaces=wlan1
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/ip dhcp-relay
add dhcp-server=192.168.210.1 disabled=no interface=guest-vlan name="guest DHCP"
add dhcp-server=192.168.220.1 disabled=no interface=main-vlan name="main DHCP"
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="guest VLAN" out-interface-list=WAN src-address=192.168.210.0/24
add action=drop chain=forward comment="guest VLAN" dst-address=!192.168.210.0/24 src-address=192.168.210.0/24
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name="AP Hodnik"
/system note
set show-at-login=no
/tool sniffer
set file-limit=10KiB file-name=traffic.pcap filter-interface=all
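Added here as a check on the two AP exports above (this is not code from the thread or from MikroTik): a small Python parser for RouterOS export syntax plus a consistency check for tagged-VLAN trunking on the legacy /interface wireless driver. It flags exactly what the first AP config was missing and the working one has: vlan-filtering=yes on the bridge, the virtual APs added as bridge ports, and /interface bridge vlan entries that tag each virtual AP and the uplink for its VLAN. The embedded samples are the relevant sections trimmed from the two exports, and ether1 is assumed to be the trunk uplink, as in those exports.

```python
import re
import shlex

# Relevant sections trimmed from the first (non-working) AP export in the thread.
BROKEN_AP = r"""
/interface bridge
add admin-mac=48:A9:8A:48:56:41 auto-mac=no comment=defconf name=bridgeLocal
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=slovenia disabled=no frequency=auto hide-ssid=yes mode=ap-bridge ssid=MikroTik5672
/interface wireless
add disabled=no mac-address=4A:A9:8A:48:56:43 master-interface=wlan1 name=guest-2.4 ssid=velis_guest vlan-id=10 vlan-mode=use-tag
add disabled=no mac-address=4A:A9:8A:48:56:44 master-interface=wlan1 name=main-2.4 ssid=velis vlan-id=20 vlan-mode=use-tag
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal interface=wlan1
"""

# Relevant sections trimmed from the working AP export in the thread.
WORKING_AP = r"""
/interface bridge
add admin-mac=48:A9:8A:48:56:41 auto-mac=no comment=defconf fast-forward=no name=bridgeLocal vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=slovenia disabled=no frequency=auto hide-ssid=yes mode=ap-bridge ssid=MikroTik5672 \
    vlan-mode=use-tag
add disabled=no mac-address=4A:A9:8A:48:56:44 master-interface=wlan1 name=main-2.4 ssid=velis vlan-id=20 vlan-mode=use-tag
add disabled=no mac-address=4A:A9:8A:48:56:43 master-interface=wlan1 name=guest-2.4 security-profile=guest ssid=velis_guest1 vlan-id=10 \
    vlan-mode=use-tag
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal interface=wlan1
add bridge=bridgeLocal interface=guest-2.4
add bridge=bridgeLocal interface=main-2.4
/interface bridge vlan
add bridge=bridgeLocal tagged=ether1,guest-2.4 vlan-ids=10
add bridge=bridgeLocal tagged=ether1,main-2.4 vlan-ids=20
"""


def parse_export(text: str) -> dict:
    """Parse a RouterOS export into {section: [entry, ...]}. Each entry maps
    key -> value; the command ('add'/'set') is kept under '_cmd' and a
    '[ find ... ]' selector under '_find'."""
    sections: dict = {}
    current = None
    text = re.sub(r"\\\n\s*", "", text)          # join backslash-continued lines
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
            continue
        cmd, _, rest = line.partition(" ")
        rest = re.sub(r"\[\s*find\s+([^\]]*)\]", lambda m: "_find=" + m.group(1).strip(), rest)
        entry = {"_cmd": cmd}
        for tok in shlex.split(rest):             # shlex handles comment="two words"
            key, sep, value = tok.partition("=")
            if sep:
                entry[key] = value
        sections[current].append(entry)
    return sections


def check_vlan_trunk(export: str, uplink: str = "ether1") -> list:
    """Return findings for every tagged wireless VLAN; an empty list means the
    bridge, its ports and its VLAN table agree with the wireless vlan-id settings."""
    s = parse_export(export)
    findings = []
    for b in s.get("/interface bridge", []):
        if b.get("vlan-filtering") != "yes":
            findings.append(f"bridge {b.get('name')} has vlan-filtering off, so bridge VLAN entries are not enforced")
    ports = {p["interface"] for p in s.get("/interface bridge port", []) if "interface" in p}
    members: dict = {}                             # vlan id -> interfaces tagged or untagged in it
    for v in s.get("/interface bridge vlan", []):
        ifaces = set(v.get("tagged", "").split(",")) | set(v.get("untagged", "").split(","))
        for vid in v.get("vlan-ids", "").split(","):
            members.setdefault(vid, set()).update(i for i in ifaces if i)
    for w in s.get("/interface wireless", []):
        if w.get("vlan-mode") != "use-tag" or "vlan-id" not in w:
            continue                               # only interfaces that tag client traffic matter
        name = w.get("name") or w.get("_find", "").split("=")[-1]
        vid = w["vlan-id"]
        if name not in ports:
            findings.append(f"{name} tags VLAN {vid} but is not a bridge port")
        if name not in members.get(vid, set()):
            findings.append(f"{name} is not a member of bridge VLAN {vid}")
        if uplink not in members.get(vid, set()):
            findings.append(f"uplink {uplink} is not tagged for VLAN {vid}")
    return findings


if __name__ == "__main__":
    for label, cfg in [("broken", BROKEN_AP), ("working", WORKING_AP)]:
        print(label, check_vlan_trunk(cfg) or "OK")
```

The check only covers the AP side: the trunk also has to be tagged for VLANs 10 and 20 on whichever main-router port faces the AP, which this thread's earlier router export does not show. The parser is deliberately minimal (one key=value list per line) and is enough for the exports posted here.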