Setting up RB411 with vlan and DHCP

Hi.
I need some help with this setup, folks.

I’ve got an RB411, which means 1 ethernet and 1 Wireless

What I want is one WLAN for the internal LAN with DHCP from an external router in one IP subnet, and one WLAN for the public/guest LAN with DHCP from the RB411 and a different IP subnet with access only to the internet (I plan to split these subnets in a firewall).
I’ve got a switch with VLAN capabilities, but I can’t get this to work.

I’ve set this up with the wlan card as the internal wlan, and made a virtual wlan for the guest wlan.
I’ve set up a bridge, and set up ethernet, internal wlan, and guest wlan as ports.
I’ve created 2 VLANs with id 1 and 2 and assigned these to internal and guest respectively.

The trouble comes when I set up the DHCP. I want the DHCP to serve only the guest WLAN, so I assign it to the guest interface, but as long as the guest interface is a part of the bridge, I can’t get the DHCP server to run, and if I disable the guest interface port to bridge1, traffic won’t flow between the guest interface and the ethernet interface, but the DHCP works though…

What am I missing here?
Have I got it all backwards?

Appreciate your help.

AndersO

I’m guessing that the mikrotik DHCP senses the other DHCP on the Internal LAN when I enable the guest bridge port, and therefore stops serving IP-addresses.
Is there perhaps a firewall rule I could set up to prevent the guest WLAN interface from seeing the external DHCP?

Just a thought.

Anders O

A config like this should work.

/interface wireless security-profiles
add name=wpa2-aes mode=dynamic-keys authentication-type=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa-pre-shared-key="secret password"

/interface wireless
set wlan1 mode=ap-bridge ssid="Private WiFi" band=2.4ghz-b/g frequency=2412 default-authentication=yes default-forwarding=yes security-profile=wpa2-aes

add name=wlan2 master-interface=wlan1 ssid="Public WiFi" default-authentication=yes default-forwarding=no disabled=no

/interface vlan
add interface=ether1 disabled=no name=vlan2 vlan-id=2 comment="Private LAN"
add interface=ether1 disabled=no name=vlan3 vlan-id=3 comment="Public LAN"

/interface bridge
add name=bridge1 comment="Private WiFi bridge"

/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=vlan2

/ip address
add interface=wlan2 address=192.0.2.1/24 comment="Public WiFi Network"

/ip pool
add name=public-dhcp ranges=192.0.2.2-192.0.2.254

/ip dhcp-server
add name=dhcp1 interface=wlan2 address-pool=public-dhcp authoritative=yes bootp-support=none disabled=no

/ip dhcp-server network
add address=192.0.2.0/24 gateway=192.0.2.1

/ip firewall filter
add chain=forward action=accept in-interface=wlan2 out-interface=vlan3
add chain=forward action=reject in-interface=wlan2

/ip firewall nat
add chain=srcnat action=masquerade out-interface=vlan3 src-address=192.0.2.0/24

I changed the VLANs from 1 & 2 to 2 & 3 because VLAN 1 is normally used for untagged packets within a managed switch.

You weren’t quite clear as to how Internet traffic for the public WiFi segment would be routed. There are a couple of possible configs. You could use a DHCP client, and use that external IP for management purposes.

/ip dhcp-client
add interface=vlan3 add-default-route=yes use-peer-dns=yes disabled=no

Or assign a static IP (internal or external) on VLAN 3 for the WiFi traffic, and have a separate IP for management purposes.

/ip address
add interface=bridge1 address=192.168.1.2/24 comment="Management IP"
add interface=vlan3 address=12.34.56.2/30 comment="Public WiFi - External IP"

/ip route
add gateway=12.34.56.1 routing-mark=public-wifi comment="Public default route"
add gateway=192.168.1.1 comment="Private default route"

/ip route rule
add src-address=192.0.2.0/24 action=lookup table=public-wifi

You may have to add that management IP to vlan2 instead of bridge1. Not sure. I haven’t tested this to verify it works.

Good luck.

Wow, excellent reply.
I’ll sure give that a try come Monday.

I can see a few things that you have done differently, and it looks promising :)

Thx, and have a nice weekend.

Anders O

I’ve tried to adapt your config to my scenario, but I hit a snag on the routing-mark. I tried to set up a mangle rule to make a routing-mark, but I’m in way over my head here.
I was planning to run the traffic from the public wlan to a different leg on the firewall, and do the routing there.

Anders O

Will you be using private or public address space to route the traffic from the ‘Public WLAN’ to the upstream firewall?

Private address. The customer only has one public IP on the firewall, so both the guest wlan and the internal wlan will be using that.

Anders O
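Given the final plan in this thread (private addressing, the upstream firewall doing the routing on a separate guest leg), the routing-mark and route-rule parts of the earlier reply are not needed. The following is an added example, not the configuration posted by either participant, of the simpler layout: the guest WLAN and VLAN 3 are put in a second bridge so guest frames reach the firewall at layer 2, the DHCP server is bound to that bridge (RouterOS refuses to run a DHCP server on an interface that is a bridge port, which is the symptom described in the first post), and the router's own IP on the guest segment is protected in the input chain. The bridge name bridge2, the pool name, and the addresses (192.0.2.1 as the firewall's guest-leg IP, 192.0.2.2 for the RB411) are assumed placeholders; wlan2 and vlan3 are the interfaces from the earlier reply.

```routeros
# Added example, not from the thread. Assumes wlan2 (guest virtual AP) and
# vlan3 (tagged VLAN 3 on ether1) already exist as in the earlier reply.

# Second bridge: guest WLAN and VLAN 3 share one layer-2 segment, so the
# upstream firewall's guest leg is the gateway and no routing-mark is needed.
/interface bridge
add name=bridge2 comment="Guest WiFi bridge (assumed name)"

/interface bridge port
add bridge=bridge2 interface=wlan2
add bridge=bridge2 interface=vlan3

# The DHCP server needs an address on the bridge, not on a bridge port.
# 192.0.2.2 for the router and 192.0.2.1 for the firewall are assumed values.
/ip address
add interface=bridge2 address=192.0.2.2/24 comment="Guest segment (assumed)"

/ip pool
add name=guest-dhcp ranges=192.0.2.10-192.0.2.254

# Bound to bridge2 (the bridge itself), which is what makes it start.
/ip dhcp-server
add name=guest interface=bridge2 address-pool=guest-dhcp authoritative=yes disabled=no

# Gateway handed to guests is the firewall's guest-leg IP, so the RB411 never
# routes guest traffic; the firewall keeps guest and private subnets apart.
/ip dhcp-server network
add address=192.0.2.0/24 gateway=192.0.2.1 dns-server=192.0.2.1 comment="gateway = firewall guest leg (assumed)"

# Guests may reach the DHCP service on this router and nothing else on it,
# so the management interface is not exposed to the open guest WLAN.
/ip firewall filter
add chain=input in-interface=bridge2 protocol=udp dst-port=67 action=accept comment="guest DHCP"
add chain=input in-interface=bridge2 action=drop comment="no management access from guest WLAN"
```

Because the guest traffic is bridged rather than routed, forward-chain rules on the RB411 do not see it; the subnet separation lives entirely on the firewall's guest leg, which is what the thread's last exchange describes. The private WLAN on bridge1 is untouched and keeps getting DHCP from the external router over VLAN 2.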