Hi,
I managed to create multiple SSID in my house. One of the SSID is for my children and their friends (9 years old).
The idea of having multiple ssid was to be able to control the content on the kids wifi using OpenDNS.
So far, I haven’t managed to figure out how to set dns per ssid so that my main (work ssid) is not affected.
Could anyone please help me to understand how to set a secondary DNS for the kids ssid?
Thank you
Do you also have different DHCP server for each SSID?Because you can simple specify DNS server for each DHCP inside ip/dhcp/networks.
If not you may try something like this
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.1.0/24 to-addresses=8.8.8.8 to-ports=53
Where u just change src to your range and google dns to which one you want.
HI,
I haven’t got a different DHCP server for each SSID because I couldn’t create one.
Couldn't add New DHCP server - can not run on slave interface (6)
Sorry to be dum but this is my debut with routerboard OS.
I think that having a different DHCP server for each SSID is the way I’ll like to go forward.. Any chance you could help me on that error message?
I use RB2011UiAS-2HnD-IN
You are getting that error as you have added the kids SSID to your LAN bridge. You will need to create a separate bridge for the kids (or remove the wlan2 interface from your bridge1) and then give it a different IP address, DHCP, NAT masquerade rule just like you are creating a “normal” LAN.
Create new bridge and put that virtual interface into that new bridge, also assign IP to bridge and than u can use DHCP setup wizard to create pools, specify DNS etc..
U will also need to masquerade it to work
You might simply wait, to buy a router with your requested features. Time to wait depends upon your location, as I am doing a commercial product based on openwrt
implementing your request 
MT is not the best platform for such a device. Because too closed.
This is what I do, working perfectly:
/ip dhcp-server lease
add address=10.0.0.xx comment="FamilyShield" mac-address=xx:xx:xx:xx:xx:xx server="DHCP server"
/ip firewall address-list
add address=10.0.0.xx comment="FamilyShield" list=FamilyShield
/ip firewall nat
add action=dst-nat chain=dstnat comment="FamilyShield" dst-port=53 protocol=udp src-address=10.0.0.0/24 src-address-list=FamilyShield to-addresses=208.67.222.123
add action=dst-nat chain=dstnat comment="FamilyShield" dst-port=53 protocol=tcp src-address=10.0.0.0/24 src-address-list=FamilyShield to-addresses=208.67.222.123
Perfectly within the realms of a MikroTik, just not a beginner user.
Yes, you are correct, to match the basic requirements of the thread starter.
However, in case of more demanding functionality, MT not usable any more
for commercial product.
Why is the MT not usable? It will do perfectly fine. Even in more demanding applications simply buying a better model will work perfectly well.
Sorry, but publishing more details about a future commercial product goes too far.
Wait, and you’ll see.
As a good comparison, for hotspots with special requirements, MT also is not properly suited,
because closed.
No problem to install squid or nginx on openwrt, for eample, if required for special functionality.
The bright side: I get development contracts for such special developments, to make my living
You know what goes too far? Breaking in on a topic about configuring a MikroTik router with an announcement of an unrelated commercial product.
That would normally get your posting removed if not your account banned.
We all know that there already exist “clickety click” products that implement functionality like this without having to understand networking.
MikroTik is not in that market. Maybe they would like to be, but that is not for forum users to decide.
When you have your own router product, please setup a webpage and forum for it yourself and discuss it there.
The problem with this solution is the “and their friends” part of the question.
Sure it is possible to make some rules for certain devices that you have identified previously, but you would have to set static addresses for all those friends, and when new friends come in that you have not registered in your system yet, they are unprotected by default.
(unless you reverse your system and do the familyshield by default and make some exceptions for your own equipment that should go around it)
I think the solution presented by Steveocee is better. Make a separate bridge for the SSID and setup the DHCP on there with the correct nameservers.
Add it to the LAN interface list and it should work OK w.r.t. NAT routing without other changes.
You should try and make your contracts needs using MT, once you learn to use the product properly you will find there is less development and faster deployment.
For reference, I have 2 separate networks deployed on my connection each on separate VLAN and 1 utilising the OpenDNS safe DNS servers. I have even used dst-nat redirects so the DNS filtering can’t be circumnavigated. Not the most secure solution but far easier controlling my 3 kids usage then a full on hotspot.
@OP I will try and find my “old” guest network script and see how applicable it is for you, you may be able to pick through it and apply parts to achieve your goal.
Found it, it was pre 6.41 but was made so it could be “drag-drop-imported” onto an RB951Ui
It creates a guest bridge, duplicates existing SSID and appends -Guest onto the new one, creates simple queue to limit speeds, creates firewall rules to stop networks talking to one another, uses separate DNS servers (**note doesn’t have the dst-nat redirects though). If it helps you then great. Probably better than waiting for a non-existent product to emerge 
/interface bridge
add name=bridge2_GUESTS
/interface wireless
add disabled=no keepalive-frames=disabled master-interface=wlan1_LAN multicast-buffering=disabled name=wlan2_GUESTS ssid="Guest-Network" wds-cost-range=0 wds-default-cost=0
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=guests supplicant-identity="" wpa2-pre-shared-key=guestchangeme
/ip pool
add name=dhcp_pool2 ranges=192.168.254.2-192.168.254.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=bridge2_GUESTS lease-time=1d name=dhcp2
/queue simple
add max-limit=512K/5M name=guest_control target=bridge2_GUESTS
/interface bridge port
add bridge=bridge2_GUESTS interface=wlan2_GUESTS
/ip address
add address=192.168.254.1/24 interface=bridge2_GUESTS network=192.168.254.0
/ip dhcp-server network
add address=192.168.254.0/24 dns-server=208.67.222.123,208.67.220.123 gateway=192.168.254.1
/ip firewall filter
add chain=forward comment="stop lan>guests" dst-address=192.168.254.0/24 src-address=192.168.1.0/24
add chain=forward comment="stop guests>lan" dst-address=192.168.1.0/24 src-address=192.168.254.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment=Guests-NAT out-interface=pppoe-out1 src-address=192.168.254.0/24
#generate SSID based on existing ssid
{
:local original [/interface wireless get 0 ssid]
/interface wireless print
/interface wireless set ssid="$original-Guest" numbers=1
}
#Successful completion of script import
{
:log info message="Router has guest network"
:beep frequency=500 length=500ms
:delay 0.2
:beep frequency=750 length=500ms
:delay 0.2
:beep frequency=1000 length=200ms
}