Solid network security in RouterOS

Hello,

Currently, I have two TP-Link Deco M4 routers operating in Mesh mode, but unjustified connection loss and bandwidth drops occur from time to time, so I decided to switch to a MikroTik hAP ax3 and use the above routers as APs.

It’s true that I have never used RouterOS software before, but since I decided to do so, I would like to ask for tips on how to best secure the network.

My initial assumptions.

  • Create a core network and keep the same IP addressing as currently, so that there is no need to re-pair IoT devices (2.4GHz Wi-Fi).
  • Create a guest network with a separate IP pool and a separate Wi-Fi network.

Main question - What is the best way to configure Firewall?

Thank you in advance

No need for capsman controller for wifi as your other APs are not MT.
One bridge, as many vlans as you need for isolated networks.
Best reference for vlan setup - http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Firewall advice → https://forum.mikrotik.com/viewtopic.php?t=180838
Configuring safely off bridge → https://forum.mikrotik.com/viewtopic.php?t=181718

Assuming the other APs cannot read vlans, then all you do is attach them to /interface bridge interface etherports (access port pvid=)
IF they can read vlan tags, smart APs, then attach them to /interface bridge interface etherports (trunk)
etc…
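As an added example (not from the thread above and not MikroTik's own documentation), this is the skeleton the reply describes: one VLAN-aware bridge, a dumb AP on an access port, a VLAN-capable AP on a trunk port, and a firewall that lets the guest VLANs reach only the internet. Port names, VLAN IDs 10/20/30, the 192.168.x.0/24 subnets and the assumption that ether1 is the WAN uplink, ether3 carries a Deco in AP mode and ether4 a VLAN-capable AP are all assumptions for illustration. Type it in after pressing Safe Mode (Ctrl-X) in the terminal so a mistake on the bridge does not lock you out; `vlan-filtering=yes` is deliberately the last step.

```routeros
# Added example for a hAP ax3 (RouterOS 7). Interface names, VLAN IDs and
# subnets are assumptions; adjust to your own layout.

/interface bridge
add name=bridge vlan-filtering=no comment="turn filtering on only at the end"

/interface bridge port
# access ports: the port strips/adds tag 10, so the device never sees a VLAN
add bridge=bridge interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged comment="wired PC, HOME"
add bridge=bridge interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged comment="dumb AP (Deco), HOME only"
# trunk port: untagged = HOME, tagged 20/30 = guest SSIDs on a VLAN-capable AP
add bridge=bridge interface=ether4 pvid=10 frame-types=admit-all comment="smart AP trunk"

/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether2,ether3,ether4
add bridge=bridge vlan-ids=20 tagged=bridge,ether4
add bridge=bridge vlan-ids=30 tagged=bridge,ether4

# L3 interfaces on the bridge so the router can route between/firewall the VLANs
/interface vlan
add name=HOME interface=bridge vlan-id=10
add name=GUEST24 interface=bridge vlan-id=20
add name=GUEST5 interface=bridge vlan-id=30

/ip address
add address=192.168.1.1/24 interface=HOME
add address=192.168.20.1/24 interface=GUEST24
add address=192.168.30.1/24 interface=GUEST5

/ip pool
add name=pool-home ranges=192.168.1.100-192.168.1.200
add name=pool-guest24 ranges=192.168.20.100-192.168.20.200
add name=pool-guest5 ranges=192.168.30.100-192.168.30.200

/ip dhcp-server
add name=dhcp-home interface=HOME address-pool=pool-home
add name=dhcp-guest24 interface=GUEST24 address-pool=pool-guest24
add name=dhcp-guest5 interface=GUEST5 address-pool=pool-guest5

/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1

/ip dhcp-client
add interface=ether1 disabled=no comment="WAN uplink (assumed)"
/ip dns
set allow-remote-requests=yes

# interface lists keep the firewall readable and make adding a VLAN a one-liner
/interface list
add name=WAN
add name=LAN
add name=GUEST
/interface list member
add list=WAN interface=ether1
add list=LAN interface=HOME
add list=GUEST interface=GUEST24
add list=GUEST interface=GUEST5

/ip firewall filter
# input chain: traffic TO the router
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN comment="WinBox/SSH only from HOME"
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=53 comment="guest DNS"
add chain=input action=accept in-interface-list=GUEST protocol=tcp dst-port=53
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=67 comment="guest DHCP"
add chain=input action=drop comment="everything else, incl. all of WAN and open DNS from the internet"
# forward chain: traffic THROUGH the router
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="HOME -> internet"
add chain=forward action=accept in-interface-list=GUEST out-interface-list=WAN comment="GUEST -> internet only"
add chain=forward action=drop comment="GUEST<->HOME, GUEST<->GUEST, WAN->inside all dropped"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN

# management plane: no MAC-WinBox/neighbor discovery on guest or WAN, no plaintext services
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip service disable [find name~"telnet|ftp|www|api"]

# last step: activate the VLAN table; until now the bridge behaved like a flat switch
/interface bridge set bridge vlan-filtering=yes
```

Two things worth checking afterwards: `/interface bridge vlan print` should show ether4 tagged on 20 and 30 and every port untagged on 10 only, and from a guest client `ping 192.168.1.1` must fail while `ping 192.168.20.1` and internet names resolve. The explicit final `drop` in both chains is what makes the segmentation hold; without it RouterOS accepts by default.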

Thank you for your tips.

As I understand it, a better solution would be to sell the TP-Link APs and buy, for example, MT RBCAP2ND. Would this have a noticeable impact on security and stability?

Ultimately, I want to create a network on MikroTik hAP ax3, but for the duration of testing, can I develop a ready-made configuration in MT RB941-2nD and then copy it to ax3? This difference in models will not affect the integrity of the configuration copy?

No, you cannot configure one based on the other, at least NEVER using backup; you can try to copy chunks of script across.

Nothing wrong with the TP-Links depending upon model… their business APs read vlan tags just fine. I have EAP245, EAP660HD and EAP610 myself and they all work fine with vlans.

If they are dumb APs, then yes, I suggest upgrading, but don't waste your time on those CAPs.
They are not really roaming capable and you should stick to the AX series to make the most out of your investment.

look at these instead → https://mikrotik.com/product/cap_ax

I hope MT skips any notion of 6E and goes straight to 7.
Cap BE LOL… On a few Android phones and coming to Apple phones in 2024.

And WiFi 7 is coming to Mikrotik in 2030 :laughing: :laughing:

TP Link / Zyxel etc… 2024 LOL

If I use my current TP-Link Deco M4 routers as APs for MikroTik hAP ax3, will I be able to use the “Default Authenticate” and “Default Forward” options in WLAN?

Nope! The MT has no wifi controls over non-MT wifi appliances. It can firewall, queue, etc. like any other vlan.

It’s a pity because I really wanted it. Cheaper MT APs, e.g. RBCAP2ND or RBcAPGi-5acD2nD-XL, will not provide such an option?

If I set up 3 networks in the router:

  • Home 2.4
  • Guest 2.4
  • Guest 5.0

will these TP-Link Deco M4 routers continue to duplicate all these networks?

The MT router will only provide one subnet to the APs. That subnet can be used for the main HOMELAN wifi, and the two guest WLANs will be made by the APs.

To make use of the Roaming capability of wifiwave2, you will need these APs → https://mikrotik.com/product/cap_ax
They are NOT mesh. Each needs to be connected via ethernet cable to the main router either directly or switches etc…