Struggling with additional WiFi Subnets

Hey Folks,

So one thing that has perplexed me for a while now with Mikrotik is being able to easily segment the network.

All I want to achieve is to add a couple of extra SSIDs, with their own subnets and their own DHCP scopes, where I can filter traffic with the Firewall.

I have reviewed the following examples, and while they are useful, they tend to cover more than I need:

https://help.mikrotik.com/docs/display/ROS/VLANs+on+Wireless
http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

I have just a single AX3 for the entire house so I don’t really need to worry about trunking.

Ideally, I would like to add a new VLAN for the new SSID without messing with the existing config. I assume that defconf is in VLAN1, even though not explicitly stated. I know VLAN1 isn’t best practice, but this is just my house, I’m not too concerned.

I have tried using the Guest Wireless option within Quick Set, but this adds bridge filters and shares IP space, and I’d rather control this with firewall rules and have each SSID associated with its own /24 with DHCP.

Here is the key config I have now, excluding stuff like firewalls:

/interface ethernet set [ find default-name=ether1 ] comment=WAN
/interface ethernet set [ find default-name=ether2 ] comment=Switch
/interface ethernet set [ find default-name=ether3 ] comment=Base
/interface wifi set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=HOME disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface wifi set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=HOME disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/ip pool add name=dhcp ranges=192.168.1.30-192.168.1.200
/ip dhcp-server add address-pool=dhcp interface=bridge lease-time=23h59m59s name=defconf
/interface bridge port add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 path-cost=10
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add interface=pppoe-out1 list=WAN
/ip address add address=192.168.1.254/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-server network add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.2 gateway=192.168.1.254 netmask=24

What is the least disruptive way to add the extra config? The access/physical ports can stay as they are in the native VLAN. I’ve done this many times with Cisco, HP Enterprise and also Ubiquiti, but it’s a bit more of a challenge on Mikrotik... but I am determined to solve it :slight_smile: My knowledge in the area is a little rusty though, and Mikrotik isn’t so forgiving.

Losing WiFi access would be a PITA to then resolve so I will be sure to use safe mode..

Thank you!

Some advice, quickset → avoid!

I’m assuming that you have need of multiple SSID/WLANS due to different types of users.

  • secure home users
  • untrustworthy IOT devices
  • vid Cameras
  • guest users.

All which may or may not require different subnets. If they are on their own subnet then they probably should be on their own WLAN.
The easy way to do this is via VLANs. ( by the way no need for capsman here, keep life simple ).

Best thread on vlans → http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1
Hint: Treat WLAN interfaces the same as ether ports! ( wireless ports etc.)

Thanks! Yeah that is a great thread and it’s one that I’ve been referencing.

What I am trying to do though is retrospectively add a VLAN to a non-VLANned config (thinking back, I wish I’d found that thread before I rolled out my router, but the idea of starting again, even though it’s quite a simple config, is just undesirable).

So let’s consider if I just want to add 1 VLAN; in the example of a single AP in the linked thread there is the mention of Blue VLAN, Green VLAN, etc.

So given the config I supplied above, where there is no mention of VLANs, can I do something like:

Create the SSID:

/interface wifi add configuration.ssid=GUEST disabled=no  master-interface=wifi1 name=wifi3
/interface wifi add configuration.ssid=GUEST disabled=no  master-interface=wifi2 name=wifi4

Add it to the existing bridge I have with VLAN 10:

/interface bridge port add bridge=bridge interface=wifi3 pvid=10
/interface bridge port add bridge=bridge interface=wifi4 pvid=10

Interface creation, IP assignment, and DHCP service

/interface vlan add interface=bridge name=GUEST_VLAN vlan-id=10
/ip address add interface=GUEST_VLAN address=10.0.10.1/24
/ip pool add name=GUEST_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
  • Firewalling, but I am comfortable with that already.

Does the above work while letting the current config continue?

My usual line is once you go vlan, go all vlans and not have the bridge do anything but bridging (no dhcp).
The issue is the bridge is handing out traffic and a LAN and yet you have a vlan doing the same thing on ports you connected to the bridge.
Also you are missing the required /interface bridge vlan settings etc…

What I would do…
----> make all vlans and carry on as per the linked document
You can do this incrementally. First take the current LAN and simply make it a vlan.
Modify current bridge settings to vlanXX that you create. ( address, dhcp-server, the pool and dhcp-server network can remain the same )
bridge ports are all etherAB pvid=XX
etc…

Thanks, that does sound a better approach.

I have a spare device I can test with, and there is always safe mode!

Or… You can take one port of the bridge, assign it some IP address, add it to the LAN interface list and use that for configuration. That was written in a great tutorial that is currently unavailable.

That sounds like a nice solution too. Shame it’s unavailable but I’ll check back to see if it comes back.

Coming back to this (as I do from time to time) and I am still struggling since there seems to be so many different suggestions.

If there is one thing that I dearly miss about Ubiquiti, is that I can do exactly what I want here with just a couple of clicks and no risk of downtime.

It would be great to have something in the Mikrotik wiki that strips this use case to its most simple parts for a single device config (ie no trunking off to other switches etc, just a simple SoHo/single wireless router config), with step by step config on creating the VLAN, creating the DHCP scope, and a set of firewall rules, and slotting that on top of an existing config (or guiding how to change the default config to make everything VLANed, or just making the guest wifi quickset option a Layer 3 solution vs simple layer 2 filtering with isolation).

There are lots of tutorials out there but they are often really old and not for ROSv7.x, or exclusively use winbox.

BTW, is it possible to have DoH server per VLAN?

Can anyone tell me if there is any major drawback or problem with using a multi-bridge approach, with SSID/Wifi interface associated with that bridge, along with DHCP, etc?

ChatGPT gave me this:

/interface wifi add configuration.mode=ap .ssid=GUEST master-interface=wifi1 name=wifi3 security.authentication-types=wpa2-psk,wpa3-psk .passphrase=xxxxx disabled=no
/interface wifi add configuration.mode=ap .ssid=GUEST master-interface=wifi2 name=wifi4 security.authentication-types=wpa2-psk,wpa3-psk .passphrase=xxxxx disabled=no
/interface bridge add name=bridge-guest
/interface bridge port add bridge=bridge-guest interface=wifi3
/interface bridge port add bridge=bridge-guest interface=wifi4
/ip pool add name=dhcp-guest ranges=192.168.2.30-192.168.2.200
/ip dhcp-server add address-pool=dhcp-guest interface=bridge-guest lease-time=23h59m59s name=dhcp-guest
/ip dhcp-server network add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=1.1.1.1,8.8.8.8
/ip address add address=192.168.2.1/24 interface=bridge-guest network=192.168.2.0
/ip firewall filter add action=accept chain=forward in-interface=bridge-guest out-interface-list=WAN
/ip firewall filter add action=accept chain=forward in-interface-list=WAN out-interface=bridge-guest connection-state=established,related
/ip firewall filter add action=drop chain=forward in-interface=bridge-guest out-interface=bridge
/ip firewall filter add action=drop chain=forward in-interface=bridge out-interface=bridge-guest
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.2.0/24

In safe mode, the config applied just fine. It works and seems to do what I need, with appropriate firewalling preventing access to other subnets while allowing internet, and it seems I can just add more configs for more SSIDs…

The above was based on me providing my existing configuration, hence referencing the WAN list etc.

But this seems too simple - what’s the drawback? This is just home use, so I am not worried about bigger implications, I am simply looking for the most straightforward way to have other SSIDs that do not use the built in layer 2 guest option from quickset.

Thanks

I can suggest you check TheNetworkBerg videos on the topic of VLANs. He covered that area, and his explanations are great.

Don’t follow multi bridge advice, one bridge is enough.

Try with his videos and come back here then. A few pieces of advice: when messing with VLANs, create a one-off bridge port for configuration, so you don’t lock yourself out.

Use single bridge only, and if you go VLANs, you go VLANs all the way, so no default vlan 1.

Sometimes they come back:
https://web.archive.org/web/20231216022654/https://forum.mikrotik.com/viewtopic.php?t=182373

Thanks for the extra tips, I will review.

I totally get the trend of multi vlan; however I’ve yet to understand why I should not use multi bridge. It seems to work and is very simple to implement. If the function exists to do it, I assume it must be for a reason (of course my Cisco experience tells me you can also do things really wrong on that logic!) - I am just interested to understand why I cannot solve this with multi bridge and a few lines of config that ultimately gets me the same outcome, ie separate L3 subnets with firewall rules and their own SSID. Indeed, the very first paragraph of ‘bridge in a nutshell’ from the linked web archive post doesn’t suggest to me that there is anything wrong with this.

I hate to labour the point but, as I noted before, this seems far too esoteric on Mikrotik vs $anyoneelse, and one of the first comments on the linked thread was along the lines of ‘why are there so many ways to do the same thing’

Tik team - I really do think you need to make this easier

Because it’s not efficient, you lose HW offloading and you are adding complexity to your configuration. Why would you want to do that? There are probably very specific areas where multiple bridges are recommended, but I highly doubt that’s the case with you.

VLANs are easy to implement on single bridge also… Give it a try

Thanks, noted. I guess it’s easy when you know how! But trying to sift through mountains of information for all manner of use cases is tricky, especially given how much Wifi has changed on Mikrotik, even within v7 versions. A lot of the tutorials use Winbox which I don’t have easy access to, and I also need to configure everything over Wifi (safe mode is great, though). I am running 7.15.3

I set up this (for now I just want to add a VLAN, not modify the existing setup…though maybe that in itself is the problem?)

/interface wifi add configuration.mode=ap .ssid=GUEST master-interface=wifi1 name=wifi3 security.authentication-types=wpa2-psk,wpa3-psk .passphrase=12345678 disabled=no
/interface wifi add configuration.mode=ap .ssid=GUEST master-interface=wifi2 name=wifi4 security.authentication-types=wpa2-psk,wpa3-psk .passphrase=12345678 disabled=no

/interface vlan add name=GUEST vlan-id=10 interface=bridge
/interface bridge port add bridge=bridge interface=GUEST 

/ip address add address=192.168.100.1/24 interface=GUEST
/ip pool add name=DHCP-POOL-GUEST ranges=192.168.100.10-192.168.100.100
/ip dhcp-server add name=DHCP-GUEST interface=GUEST address-pool=DHCP-POOL-GUEST lease-time=10m
/ip dhcp-server network add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=1.1.1.1

/ip firewall filter
add chain=forward in-interface=GUEST action=accept
add chain=forward out-interface=GUEST action=accept
add chain=input protocol=udp port=67,68 action=accept

/interface bridge set [find name=bridge] vlan-filtering=yes

I see the GUEST SSID broadcast and I can connect, but that’s where things stop - I don’t get a DHCP lease, and no traffic passes when I set a manual IP.

I did wonder how the GUEST SSID was being associated with VLAN10. I have seen some command examples where you can specify vlan-id in the /interface wifi command but I can’t do that on my router, presumably as I am on a later version of ROS7. After some digging, I understand that you now do that via the interface bridge vlan, so then I found I should do this:

/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge

However this still doesn’t work. I am using ChatGPT to try and help, but I think it’s blending different flavours every time I ask.

I feel like I am nearly there. I literally want the most basic virtual access point configuration, and I don’t mind if I still have VLAN1!

OK so it seems I forgot to add wifi3 and wifi4 to the bridge port

When I reapply as follows, it works

/interface vlan add name=GUEST vlan-id=10 interface=bridge
/interface bridge port add bridge=bridge interface=GUEST pvid=10
/interface bridge port add bridge=bridge interface=wifi3 pvid=10
/interface bridge port add bridge=bridge interface=wifi4 pvid=10

So, now I will wait to be told why this is a bad idea :smiley:
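Added example, not from any post in this thread or from MikroTik's documentation: the same GUEST VLAN, but tied to the bridge through the bridge VLAN table rather than by adding the VLAN interface itself as a bridge port, with ingress filtering and forward-chain isolation so guests only get the internet. It assumes the names, VLAN id and subnet from the post above, that wifi3/wifi4 already exist as GUEST slaves, and that the defconf firewall filter and masquerade rules are still in place.

```routeros
# Added example, not a post from this thread or MikroTik's documentation.
# Goal: a GUEST SSID on VLAN 10 with its own /24, on the single existing bridge
# ("bridge"), next to the untouched untagged default LAN (VLAN 1, 192.168.1.0/24).
# Assumes wifi3/wifi4 exist as GUEST slaves of wifi1/wifi2 and that the defconf
# firewall filter and masquerade rules are unchanged. Run it from safe mode.

# 1. Guest SSIDs are access ports for VLAN 10. ingress-filtering plus the
#    untagged-only frame type stops a guest client from sending its own 802.1Q
#    tag to hop into VLAN 1.
/interface bridge port
add bridge=bridge interface=wifi3 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=wifi4 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

# 2. Bridge VLAN table: VLAN 10 goes to the router CPU ("bridge") tagged, so the
#    VLAN interface below receives it. The VLAN interface itself is NOT added as
#    a bridge port; this entry is what ties wifi3/wifi4 to the GUEST interface.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge untagged=wifi3,wifi4

# 3. Layer 3 for guests: VLAN interface, address, pool, DHCP. DNS is served by
#    a public resolver so guests never need to talk to the router itself.
/interface vlan add name=GUEST vlan-id=10 interface=bridge
/ip address add address=192.168.100.1/24 interface=GUEST
/ip pool add name=DHCP-POOL-GUEST ranges=192.168.100.10-192.168.100.100
/ip dhcp-server add name=DHCP-GUEST interface=GUEST address-pool=DHCP-POOL-GUEST lease-time=10m
/ip dhcp-server network add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=1.1.1.1

# 4. Put the guest interface in its own list. Do NOT add it to the LAN list:
#    the defconf input rule "drop all not coming from LAN" is what keeps guests
#    away from the router's services (DHCP still works; the DHCP server does
#    not pass through the IP filter).
/interface list add name=GUEST
/interface list member add interface=GUEST list=GUEST

# 5. Forward chain: guests reach the internet only. Appended rules land after
#    the defconf established/related accept, so return traffic is unaffected.
#    The defconf masquerade rule (out-interface-list=WAN) already NATs this /24.
/ip firewall filter
add chain=forward in-interface-list=GUEST out-interface-list=WAN connection-state=new action=accept comment="guest: internet"
add chain=forward in-interface-list=GUEST action=drop comment="guest: block LAN and other VLANs"

# 6. Enable filtering last, once every port has a pvid or VLAN-table entry.
#    Ports left at pvid=1 (ether2-5, wifi1, wifi2) keep working untagged.
/interface bridge set [find name=bridge] vlan-filtering=yes
```

To check the result, `/interface bridge vlan print` should show VLAN 10 with the bridge tagged and wifi3/wifi4 untagged, and a guest client should be able to ping the internet but not 192.168.1.254.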

Not bad but better

/interface vlan add name=GUEST vlan-id=10 interface=bridge
/interface bridge port add bridge=bridge  ingress-filtering=yes frame-types=admit-priority-and-untagged  interface=GUEST pvid=10
/interface bridge port add bridge=bridge  ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wifi3 pvid=10
/interface bridge port add bridge=bridge  ingress-filtering=yes frame-types=admit-priority-and-untagged interface=wifi4 pvid=10

Thanks for that, I had seen that as part of the VLAN doc, however I wonder if it’s down to the later version but that option for frame-types is not available:

[me@MikroTik] <SAFE> /interface bridge port add bridge=bridge  ingress-filtering=yes frame-types=admit-
admit-all     admit-only-untagged-and-priority-tagged     admit-only-vlan-tagged

In the linked VLAN doc for a single device, the suggested action which appears the equivalent is:

/interface bridge port
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether2]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether3]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether4]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=ether5]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan1]
set bridge=BR1 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged [find interface=wlan2]

I note the following adaption of your suggestion was accepted by the CLI:

/interface bridge port add bridge=bridge  ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged interface=wifi4 pvid=10

Is there anything about such a config as above that would create wireless instability on the network running on wifi1 and wifi2?

I’ve been able to repeatedly get the same result…

  • Add the config as above
  • It’s OK for a few minutes
  • Connectivity starts to stutter
  • My connection drops and safe mode backs out the changes
  • I reconnect, all is well

Yeah my wording may not be 100% accurate as I do it from the top of my head, but it’s close enough to get you there.
I don’t comment on issues unless I see the whole config

/export file=anynameyouwish (minus router serial number, any public WANIP information, keys, long lease lists etc.)

Ah, my apologies, I have been battling with subtle syntax differences between versions today :slight_smile: Thanks for your assistance.

I think the above was just coincidence, I will monitor. I seem to have boiled down the basic extra VLAN/SSID quite well now.

So, I will come back with questions because I am determined to get to the happy state you suggested; ie converting the existing base config to be VLANned.