VLAN for wireless clients to isolate virtual machines

Hello,

I have a Windows PC with some Hyper-V virtual machines configured. The PC is connected to the Mikrotik over a wireless connection.

The Hyper-V machines are connected to the wireless NIC to be able to access the internet. They are on the same subnet as the PC. I would like to isolate the virtual machines but still have access to the internet.

Hyper-V Manager can assign VLAN IDs to the clients. I can solve the issue by creating two subnets, one for the Hyper-V machines with tagged packets and the other subnet untagged. I need to have an untagged subnet for the other devices such as mobiles.

Is there a way to use one SSID with one untagged and one tagged subnet?

Standard 802.11 (a.k.a. WiFi) doesn’t foresee using VLAN tags over radio. Mikrotik does support sending those headers (with some smart configuration). It also supports delivering frames of different SSIDs (i.e. virtual WLANs) into different VLANs.

But then there's the other end: the Windows machine with its wireless drivers and the whole Hyper-V machinery. And Windows is known to make some things harder than they need to be.

You can do that with an ACL. But you have to know the MAC address of anything that you want to tag outside of the default VLAN on the SSID.

Thanks @gotsprings

The access can be limited with a Hyper-V access list, using either IPs or MAC addresses. Below is an example.

Show the configured ACL rules

# -VMName is a mandatory parameter; without it the cmdlet prompts for a VM name
Get-VMNetworkAdapterExtendedAcl -VMName "Windows"

Allow access to public IPs and block access to subnet 192.168.0.0/16.

# Higher weight is evaluated first, so the DNS allow for the router is matched before the deny.
# Traffic that matches no rule (e.g. to public IPs) is allowed by default.
Add-VMNetworkAdapterExtendedAcl -VMName "Windows" -Action Allow -Direction Outbound -RemoteIPAddress 192.168.1.1 -Protocol "UDP" -RemotePort "53" -Weight 90
Add-VMNetworkAdapterExtendedAcl -VMName "Windows" -Action Deny -Direction Outbound -RemoteIPAddress 192.168.0.0/16 -Weight 80

Remove the ACL rules

# A rule is identified by its direction and weight
Remove-VMNetworkAdapterExtendedAcl -VMName "Windows" -Direction Outbound -Weight 90
Remove-VMNetworkAdapterExtendedAcl -VMName "Windows" -Direction Outbound -Weight 80
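As an added example (not from the original post), here is the extended-ACL approach carried a bit further: it assumes the VM name "Windows" and the router address 192.168.1.1 used above, and that the Mikrotik is the VM's gateway, DNS and DHCP server. It allows DNS and DHCP exchanges with the router, denies all three RFC 1918 ranges in both directions, and then lists what the switch port enforces.

```powershell
# Added example, not code from the original post.
# Isolate one Hyper-V VM from the host's LAN with extended port ACLs while
# leaving Internet access working. Assumptions: VM "Windows", router 192.168.1.1
# acting as default gateway, DNS server and DHCP server (both from the thread).
param(
    [string]$VMName  = "Windows",
    [string]$Gateway = "192.168.1.1"
)

# Evaluation order: the rule with the HIGHER weight is checked first and the
# first match wins; a packet that matches no rule is allowed. The narrow allows
# for the router therefore sit above the broad denies for private address space.
$rules = @(
    # Name resolution: queries to the router and the replies coming back.
    @{ Direction="Outbound"; Action="Allow"; RemoteIPAddress=$Gateway; Protocol="UDP"; RemotePort="53"; Weight=100 }
    @{ Direction="Inbound";  Action="Allow"; RemoteIPAddress=$Gateway; Protocol="UDP"; RemotePort="53"; Weight=101 }
    # DHCP: the VM's discover goes to 255.255.255.255 (not matched by the denies
    # below); the offer/ack returns from the router, UDP port 67 to client port 68.
    @{ Direction="Inbound";  Action="Allow"; RemoteIPAddress=$Gateway; Protocol="UDP"; RemotePort="67"; LocalPort="68"; Weight=102 }
    # Everything else in RFC 1918 space is off limits in both directions. Internet
    # traffic is NATed by the router, so for it the VM only ever sees public addresses.
    @{ Direction="Outbound"; Action="Deny"; RemoteIPAddress="10.0.0.0/8";     Weight=80 }
    @{ Direction="Outbound"; Action="Deny"; RemoteIPAddress="172.16.0.0/12";  Weight=79 }
    @{ Direction="Outbound"; Action="Deny"; RemoteIPAddress="192.168.0.0/16"; Weight=78 }
    @{ Direction="Inbound";  Action="Deny"; RemoteIPAddress="10.0.0.0/8";     Weight=70 }
    @{ Direction="Inbound";  Action="Deny"; RemoteIPAddress="172.16.0.0/12";  Weight=69 }
    @{ Direction="Inbound";  Action="Deny"; RemoteIPAddress="192.168.0.0/16"; Weight=68 }
)

# Start from a clean slate so re-running the script does not collide on weights.
Get-VMNetworkAdapterExtendedAcl -VMName $VMName | Remove-VMNetworkAdapterExtendedAcl

foreach ($rule in $rules) {
    # Splat each hashtable onto the cmdlet's parameters
    Add-VMNetworkAdapterExtendedAcl -VMName $VMName @rule
}

# Check: show the rules in the order the switch port will evaluate them.
Get-VMNetworkAdapterExtendedAcl -VMName $VMName |
    Sort-Object Weight -Descending |
    Format-Table Direction, Action, RemoteIPAddress, Protocol, LocalPort, RemotePort, Weight -AutoSize
```

Run it in an elevated PowerShell on the Hyper-V host. Two things to keep in mind: the rules filter IP traffic at the virtual switch port, so the VM still shares the broadcast domain (ARP, broadcasts) with the PC and the rest of the SSID; this is a port filter, not the VLAN separation asked for in the original question. And if the Mikrotik hands out a different DNS server than its own address, add a matching allow pair for that address, otherwise name resolution is silently blocked by the 192.168.0.0/16 deny.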