vlan and guest in mode bridge ?

lebphi · May 16, 2019, 5:24pm

hi,

it is possible to create VLAN and guest wifi with separate network when the router is in bridge mode ?

anav · May 16, 2019, 6:12pm

Not sure what you mean but YES, all the settings are available. If you mean give out DHCPs, I believe it has to be in router mode.

Sob · May 16, 2019, 6:38pm

You can combine things any way you want. If you add guest vlan to bridge (see manual about the new bridge vlan filtering), it will be an independent interface, so dhcp for guests (= for this vlan only) is no problem.

lebphi · May 17, 2019, 6:42am

i ask the question because i’ve tried to follow with an hap ac2 router the guide https://www.marthur.com/networking/mikrotik-setup-guest-vlan-wifi/2582/ but it doesn’t works with bridge mode and work with router mode.

For the router mode :
home ap dual
internet = automatic address acquisition (ip = 192.168.1.165) - firewall router
local network = 192.168.88.1 - dhcp server - nat
wireless 2G and 5G
guest as virtual with lan on 2G following the guide ‘marthur’
→ all work ferfectly

for the bridge mode :
wisp ap
bridge mode - automatic address acquisition (ip = 192.168.1.165 - gateway = 192.168.1.1
wireless 2G and 5G
guest as virtual with lan on 2G following the guide ‘marthur’
→ i can connect to the guest but i don’t have access to internet

Sob · May 17, 2019, 12:59pm

I’d guess that you’re probably just missing srcnat/masquerade.

But that guide is a little strange. There’s virtual AP interface with VLAN interface on it. But then both VLAN and its parent interface are bridged together. Maybe it works, but it doesn’t make much sense.

Depending on what exactly you need your guest LAN to be:

a) If only one wireless interface is enough: Create virtual AP and the interface itself is your guest LAN.
b) If you want both 2.4 and 5 GHz wireless: Create virtual APs for each, bridge them together using new bridge and the bridge is your guest LAN.
c) If you want wireless (one or both) and wired VLAN: Create virtual AP(s) and assign VLAN tags to them. Add them to main bridge. Create VLAN interface on bridge. Configure bridge VLAN filtering. VLAN interface is your guest LAN.

Now whatever your guest LAN interface is, add DHCP server to it and configure firewall. You need srcnat and then you must either allow access from guest LAN where it should be allowed, or block it to where it should not (depends on your firewall, if you block or allow forwarding by default).

lebphi · May 17, 2019, 3:10pm

i’ve added a masquerade 10.10.10.0/24 and now it works. Thanks you.