VLAN on WiFi Only

RouterOS Beginner Basics
1

Hello,

I have a Mikrotik connected to VLAN capable AP. I enabled Wifi on both devices tand everything works as expected. The AP is connected to the of the Mikrotik’s ports. The ports on the Mikrotik are as follows:

  • WAN


  • Switch that only has internal devices connected


  • AP

I would like to be able to have two SSIDs presented. The Internal SSID would route to the Swtich and to the WAN port. The Guest SSID would only direct traffic to the WAN port

Is this possible and if yes can someone guide me to a source that will allow me to do this please?

Thanks

2

It’s possible. I do something very similar where internet of things and guest devices are separated from the local network using VLAN and only have access to WAN. You’ll need to assign VLANs to your SSIDs in the AP, create the VLANs in RouterOS and assign them to the AP’s port as tagged, and then use firewall rules to prevent guest traffic from being routed to the LAN and vice versa.

Don’t forget that everything you did to get the AP working (DHCP servers, networks, gateways, etc.) will need to be done for the VLAN interfaces. You may also need to assign any local network ports to the non-guest VLAN as untagged if you don’t have managed switches and need the non-guest traffic in the same VLAN in RouterOS.

3

Thanks for the update.

Any tutorial I could follow please?

4

I don’t know any tutorials off the top of my head, but I know they’re out there. There’s a posted guide somewhere in the forums, because I recall stumbling across it when I was trying to figure out how to set up VLANs. Example #1 in the wiki is also related in concept to what you’re trying to do. The below code is far from complete, but it should give you an idea of what’s needed to at least get the VLANs set up along with some basic firewall rules. They’re pretty crude and for example only. You’ll definitely want to put more thought into that. Remember, you’ll need to set up a DHCP server for each VLAN interface (main_vlan and guest_vlan in the example), assign gateway addresses, etc. just like you would (and probably did) if you weren’t using VLANs, and you’d probably want different subnets for each VLAN.

I suggest you use a dedicated port with its own gateway, etc. while figuring it out and make sure you know how to reset in case you screw up the VLAN setup. It’s not hard to mess up and lock yourself out in the process.

/interface ethernet
set [ find default-name=ether1 ] name=internet
set [ find default-name=ether2 ] name=local_network
set [ find default-name=ether3 ] name=access_point
/interface bridge
add name=bridge vlan-filtering=yes
/interface vlan
add interface=bridge name=local_vlan vlan-id=10
add interface=bridge name=guest_vlan vlan-id=20
/interface bridge port
add bridge=bridge interface=local_network pvid=10
add bridge=bridge interface=access_point
/interface bridge vlan
add bridge=bridge tagged=bridge,access_point untagged=local_network vlan-id=10
Add bridge=bridge tagged=bridge,access_point vlan_id=20
/ip firewall filter
add action=fasttrack-connection chain=forward comment=“Fasttrack related/tracked LAN connections” connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept in-interface=local_network out-interface=local_network
add action=accept out-interface=internet
add action=drop chain=forward