I have an RB2011iL-RM switch/router. Port 1 is the WAN interface (PPPoE ADSL). Several wired devices (PC, printer, camera) are connected to various ports. To port 10 I connected a UniFi AP. It works perfectly without using any VLAN. I would like to do the following: on the UniFi AP I want to have two SSIDs. SSID1 is our home network; it should be able to see all other IP addresses on the LAN. This SSID is untagged (no VLAN). (This part already works.) For guests I would like to have a separate SSID: guest. The guest SSID will have VLAN tag 2. How do I set up the router so that this SSID (VLAN 2) has access only to the public internet and will not see (and will not be seen by) the LAN? Obviously, DHCP shall work on that SSID as well.
Please give me step-by-step instructions, because I have no VLAN experience and am a newbie to RouterOS.
I use a similar setup except there’s a switch in between.
So Winbox is your friend here…
In Interfaces, select ether10 and add a VLAN interface on ether10 with the proper VLAN ID; let's say it is called vlan-guest.
(From here on, that interface is treated like any other network interface.)
Give it an IP address outside any other subnet, e.g. 172.16.0.1/24.
Create an IP pool that will be used for guest access, let's say pool_guests, holding e.g. 172.16.0.100-172.16.0.200.
Create a new DHCP server on interface vlan-guest using pool_guests.
Add a new DHCP network with address 172.16.0.0/24, gateway 172.16.0.1 and DNS 172.16.0.1.
At this point, you may test the setup. The client connected to the guest SSID should get a DHCP address from that pool, with the proper gateway and DNS server.
Next you need to enable forwarding and masquerading for this subnet, while maintaining isolation.
Forward: Accept established+related from pppoe to vlan-guest
Forward: Accept everything from vlan-guest to pppoe
Forward: Drop everything else from and to vlan-guest
Input: Accept ICMP from vlan-guest (for debug purposes)
Input: Accept UDP port 53 (DNS) from vlan-guest
Input: Drop everything else from vlan-guest
Masquerading on WAN needs no change if it is already set up.
I am trying to set it up. So far it is not working. I have the feeling that the clients are not getting IP addresses.
Here is what I did...
- Created a new interface (vlan-guest) on ether10-slave-local, with VLAN ID 2.
- Gave an IP address to this interface: 192.168.2.1/24 (the IP address of the rest of the LAN is 192.168.1.1/24).
- Created a DHCP server with pool 192.168.2.100-200.
I did the rest of the configuration, but I would like to proceed step-by-step…
Try to set up a device with a static IP for the Wi-Fi connection, let's say 192.168.2.2, with gateway and DNS 192.168.2.1.
It should be possible to connect to 'guest' and ping the router.
Do you see any traffic on the VLAN interface?
Do any DHCP leases show up under IP->DHCP Server->Leases?
You could also try to put your VLAN interface into a "guest" bridge and set the IP and DHCP server on that bridge (this is actually my setup, since I also have a LAN connection for guest access).
This suggestion would break the main VLAN and break access to the UniFi AP.
The correct solution is to move the VLAN interface off of ether10 and onto the bridge-local interface.
This also has the advantage of allowing more UniFi APs to be connected without any further modification to the Mikrotik’s configuration.
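The whole procedure from the step-by-step answer above, written out as RouterOS CLI commands, with the VLAN interface attached to the bridge as this reply recommends rather than to the slave port. This is an added example written for this page, not a configuration that anyone posted in the thread. It assumes the bridge is named bridge-local, the PPPoE client interface is pppoe-out1, and the wired LAN is 192.168.1.0/24; VLAN ID 2 and the 192.168.2.0/24 guest subnet are the values from the original poster's own attempt.

```routeros
# Added example (not from the thread). Assumed names: bridge-local, pppoe-out1.

# 1. Guest VLAN interface on the bridge, not on ether10-slave-local. Tagged
#    VLAN 2 frames from any bridge port (any UniFi AP) then reach it.
/interface vlan
add name=vlan-guest interface=bridge-local vlan-id=2 comment="guest SSID, tagged VLAN 2"

# 2. Addressing and DHCP for the guest subnet
/ip address
add address=192.168.2.1/24 interface=vlan-guest comment="guest gateway"
/ip pool
add name=pool_guests ranges=192.168.2.100-192.168.2.200
/ip dhcp-server
add name=dhcp-guest interface=vlan-guest address-pool=pool_guests disabled=no
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1 comment="guest network"

# The router only answers DNS on 192.168.2.1 if remote requests are allowed.
# That also makes it answer on the WAN side, so block that below.
/ip dns
set allow-remote-requests=yes

# 3. Isolation. Forward chain: guests reach the Internet and nothing else,
#    and nothing on the LAN reaches guests. Input chain: the router itself
#    only offers DHCP, DNS and ping to guests.
/ip firewall filter
add chain=forward in-interface=pppoe-out1 out-interface=vlan-guest \
    connection-state=established,related action=accept comment="guest: return traffic from WAN"
add chain=forward in-interface=vlan-guest out-interface=pppoe-out1 action=accept \
    comment="guest: outbound to Internet only"
add chain=forward in-interface=vlan-guest action=drop comment="guest: no access to LAN"
add chain=forward out-interface=vlan-guest action=drop comment="guest: LAN cannot reach guest"
add chain=input in-interface=vlan-guest protocol=udp dst-port=67 action=accept comment="guest: DHCP"
add chain=input in-interface=vlan-guest protocol=udp dst-port=53 action=accept comment="guest: DNS"
add chain=input in-interface=vlan-guest protocol=icmp action=accept comment="guest: ping router (debug)"
add chain=input in-interface=vlan-guest action=drop comment="guest: nothing else to the router"
add chain=input in-interface=pppoe-out1 protocol=udp dst-port=53 action=drop comment="not an open resolver"
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=53 action=drop comment="not an open resolver"

# 4. NAT. Skip this if a masquerade rule for the WAN already exists.
/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade comment="WAN masquerade"
```

Two things to check after pasting this in. First, `add` appends to the end of each chain, so if the router already carries a broad accept rule in the forward chain (the default configuration has one), the guest drop rules will never be reached; use `/ip firewall filter print` and `move` them above it. Second, test the isolation from a client on the guest SSID, not from the LAN: it should get a 192.168.2.x lease, resolve and reach a public host, and fail to ping 192.168.1.1 or any wired device.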
zerobyte is right. I am playing these days with VLANs on my RB2011.
Taken from the article I posted above, these are the lines you need...
My UniFi AP is connected to ether10 and is working as expected.
2 SSIDs:
SSID "private", no VLAN. My devices, when connected, take an IP from my private pool 192.168.88.0/24.
SSID "guest", VLAN ID 175. My devices, when connected, take an IP from the pool 192.168.175.0/24.