SOLVED Restrict one VAP to internet access only

I have a MikroTik AP connected to my main internet router. The internet router is a DHCP server for my LAN. I have two VAPs (“public” and “private”). I’d like to be able to get an IP address from the DHCP on my main internet router from both VAPs, but I’d like to make it so my “public” VAP can only access the internet and not my LAN.

If I assign the “public” VAP interface its own IP address on a different subnet, I know how to restrict LAN access through firewall rules on the MikroTik, but then the “public” VAP will no longer find an IP address from my main router’s DHCP.

Is there a way I can keep ether1, VAP1 (public), VAP2 (private) all bridged so they can all get DHCP from my main router but then restrict all VAP1 traffic to internet only?

Hi

You can use either IP/Firewall for bridged interfaces, but you must enable this feature in the bridge settings.

Or.

Try to use Bridge/Filter.

Thanks for the response!

I did try both of those things already and couldn’t figure out the settings to make it work. Could you please give me a little more information on what types of rules to create?

Thank you very much!

You could use VLANs if the internet router supports them.

Create 2 VLAN interfaces on the AP and 2 bridges. Assign one VLAN & 1 VAP to each bridge. Get the router to provide DHCP service to both VLANs and use either the interface or IP range to restrict access.
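The two-bridge/two-VLAN layout sketched in this reply, written out as RouterOS terminal commands. This is an added example, not configuration posted by anyone in the thread; the interface names (ether1, publicVAP, privateVAP), VLAN IDs 10 and 20, and the VLAN-capable upstream router are all assumptions. It uses the classic per-VLAN-bridge style (one `/interface vlan` child of ether1 per bridge) rather than bridge VLAN filtering, so it works on older RouterOS versions too.

```routeros
# Added example: isolate the public VAP with 802.1Q VLANs instead of firewall rules.
# Assumed: ether1 is the trunk to the upstream router, which tags VLAN 10 (public)
# and VLAN 20 (private) and runs a separate DHCP server and firewall policy per VLAN.

# One tagged VLAN sub-interface on the trunk port per network
/interface vlan
add name=vlan10-public  interface=ether1 vlan-id=10
add name=vlan20-private interface=ether1 vlan-id=20

# One bridge per network; nothing ever bridges public to private
/interface bridge
add name=bridge-public
add name=bridge-private

# Each bridge carries exactly one VLAN sub-interface and one VAP
/interface bridge port
add bridge=bridge-public  interface=vlan10-public
add bridge=bridge-public  interface=publicVAP
add bridge=bridge-private interface=vlan20-private
add bridge=bridge-private interface=privateVAP
```

With this layout the AP itself needs no firewall rules: a public client's DHCP request and all of its traffic leave ether1 tagged with VLAN 10, and the upstream router decides (by interface or by the VLAN 10 address range) that VLAN 10 may reach the Internet but not VLAN 20. Check the trunk by sniffing ether1 (`/tool sniffer quick interface=ether1`) and confirming that public-client frames carry VLAN tag 10.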

The VLAN option is good to know for the future, but in my case, it would be much easier if I could restrict each MikroTik device using firewall or bridge filter rules on each device. Can anyone post more specific instructions on how this would work?

I was able to get this working by following up on cieplik206’s advice.

I enabled Use IP Firewall on the bridge interface.

Then, I created a firewall filter for dst. address: 192.168.1.0/24, and on advanced tab, bridge in interface: publicVAP, action: reject.

Now clients get an IP from my DHCP server on my other router if they connect to either VAP, but if they connect to the publicVAP, they can only get on the internet and not access the local network.

Thanks for your help!
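The working solution from this last post, as RouterOS terminal commands rather than WinBox clicks. This is an added example, not the original poster's exported config; it assumes a single bridge named bridge1 holding ether1, publicVAP and privateVAP, that the LAN behind the upstream router is 192.168.1.0/24, that the upstream router at 192.168.1.1 is the DHCP and DNS server, and that the AP's own management address is in that LAN. The DHCP/DNS allow rule and the input-chain rule are additions a practitioner would normally want on top of the single reject rule described above.

```routeros
# Added example: one bridge, DHCP from the upstream router for both VAPs,
# but clients on publicVAP may only reach the Internet.
# Assumed names/addresses: bridge1, publicVAP, privateVAP, LAN 192.168.1.0/24,
# upstream router (DHCP + DNS) at 192.168.1.1.

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=publicVAP
add bridge=bridge1 interface=privateVAP

# Without this, frames bridged between ports never reach /ip firewall at all.
/interface bridge settings
set use-ip-firewall=yes

/ip firewall filter
# Let public clients keep talking to the upstream router's DHCP and DNS only;
# a DHCP renewal is unicast to 192.168.1.1, so it would otherwise hit the reject rule.
add chain=forward in-bridge-port=publicVAP dst-address=192.168.1.1 \
    protocol=udp dst-port=67,53 action=accept \
    comment="publicVAP: DHCP and DNS to upstream router"
# The rule from the post: anything else from publicVAP aimed at the LAN is rejected.
add chain=forward in-bridge-port=publicVAP dst-address=192.168.1.0/24 \
    action=reject reject-with=icmp-network-unreachable \
    comment="publicVAP: no LAN access"
# Keep public clients off the AP's own management services (WinBox, SSH, web).
add chain=input in-bridge-port=publicVAP action=drop \
    comment="publicVAP: no access to this AP"
```

Internet-bound packets from publicVAP have an Internet destination address even though they are delivered to the gateway's MAC, so the reject rule does not touch them. Verify with a client on publicVAP: it should obtain a 192.168.1.x lease and resolve names, `ping 192.168.1.x` of a private host should return "destination net unreachable", and the packet counters on the two rules (`/ip firewall filter print stats`) should increase accordingly.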