Community discussions

MikroTik App
 
FarmerBob
just joined
Topic Author
Posts: 5
Joined: Thu Nov 05, 2015 3:05 am

Isolating Guest WifI/wlan2 or wlan1

Thu Nov 05, 2015 6:06 am

Just got an RB2011iAS-2HnD-IN running RouterOS 6.32.3 with great hassle in shipping. UPS sent it on a detour to Puerto Rico on its way to Colorado. Anyway what I need to do is set this up so that it is a stand alone WiFi AP with a straight connection to the Internet and not able to access the Modem/Router Network or anything that is also connected to the Modem. So it can be in HomeAP mode with a Guest WiFi/wlan2 or WISP AP and use the wlan1, I just need Network Isolation. I have been searching through here all day and have found many similar situations, but no answers that will suit mine. Now I know most all the off-the-shelf consumer units that do Guest APs have a check box for Network Isolation. I realize this is a whole different ball game. I have seen many recommendations on this unit as to its great WiFi capability, which I checked out and so far it's a lot better that the billions of other units I have tried and pray it will do the trick. The Modem is a Comcast Business Grade unit that I would rather not touch. My POS, office computers, printers and Jukebox are hardwired to it. That's the reason for needing the network isolation. Although my POS has its own stand alone Redbox Firewall, this access needs to be "separate".

My set up will be:
Hardwire connection from Modem/Router > RB2011iAS-2HnD-IN > Pub Customers

Any assistance will be greatly appreciated.

Thank you.
 
troffasky
Member
Member
Posts: 431
Joined: Wed Mar 26, 2014 4:37 pm

Re: Isolating Guest WifI/wlan2 or wlan1

Thu Nov 05, 2015 11:10 pm

If I understand you right, you just want to use the RB2011 as an AP?

To isolate wireless clients from each other, untick the 'default forward' box on the wireless interface.

To prevent the wireless clients from being able to see anything on the "modem" network, you will need to create a firewall rule that blocks access to that subnet from the WLAN subnet.

The only uncertainty in your post is the comment about wlan1/wlan2. Do you want the Pub customers to be on a separate VAP?
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Isolating Guest WifI/wlan2 or wlan1

Fri Nov 06, 2015 7:40 am

the simplest way is to use a horizon on bridge
 
FarmerBob
just joined
Topic Author
Posts: 5
Joined: Thu Nov 05, 2015 3:05 am

Re: Isolating Guest WifI/wlan2 or wlan1

Sat Nov 07, 2015 10:27 am

Thanks for your replies and help!!
If I understand you right, you just want to use the RB2011 as an AP?

To isolate wireless clients from each other, untick the 'default forward' box on the wireless interface.
Did that. But it's not all that important. I doubt they'll know what to do to get to each other. I'm more worried about them connecting to the modem and what's behind it.
To prevent the wireless clients from being able to see anything on the "modem" network, you will need to create a firewall rule that blocks access to that subnet from the WLAN subnet.

The only uncertainty in your post is the comment about wlan1/wlan2. Do you want the Pub customers to be on a separate VAP?
The wlan1/wlan2 was just saying that either of those are available to work with. wlan2 will only be present when a Guest WiFi is set up. But I am seeing that is not necessary. The wlan1 alone will be just fine if I could just keep users from being able to get to the "back of the house". Although, I doubt any will be sober enough. But it still could happen though. We have a lot of young techies. No need for a VAP for this. The unit will only be used as a AP. It's the only unit that I have found that has good range and stable connectivity.
 
FarmerBob
just joined
Topic Author
Posts: 5
Joined: Thu Nov 05, 2015 3:05 am

Re: Isolating Guest WifI/wlan2 or wlan1

Sat Nov 07, 2015 10:32 am

Thanks for your reply and help!!
the simplest way is to use a horizon on bridge
I've read about this and saw that there were many ways to do this that I got lost. Matter of fact I think it was in a thread that you were a part of. I'm some what savvy, but right now I am so scattered that I am having problems wrapping my head around this. Otherwise, I'd have had this long since done. So any instructions would be greatly appreciated. I'm in down and dirty mode.
 
troffasky
Member
Member
Posts: 431
Joined: Wed Mar 26, 2014 4:37 pm

Re: Isolating Guest WifI/wlan2 or wlan1

Mon Nov 09, 2015 11:44 pm

Absent an appearance from chechito to expand on what he was saying, I'm going to carry on down the firewall rule path.

Let's say your "modem" network is 192.168.1.0/24 and your "pub customers" network is 192.168.2.0/24, your RB2011 lives in each network and does NAT between them. A rule that blocks traffic from 192.168.2.0/24 to 192.168.1.0/24 will prevent your pub customers from seeing the modem network, but won't prevent them from getting to the internet.
 
deanMKD1
Member
Member
Posts: 366
Joined: Fri Dec 12, 2014 12:06 am
Location: Macedonia
Contact:

Re: Isolating Guest WifI/wlan2 or wlan1

Mon Nov 09, 2015 11:44 pm

Just got an RB2011iAS-2HnD-IN running RouterOS 6.32.3 with great hassle in shipping. UPS sent it on a detour to Puerto Rico on its way to Colorado. Anyway what I need to do is set this up so that it is a stand alone WiFi AP with a straight connection to the Internet and not able to access the Modem/Router Network or anything that is also connected to the Modem. So it can be in HomeAP mode with a Guest WiFi/wlan2 or WISP AP and use the wlan1, I just need Network Isolation. I have been searching through here all day and have found many similar situations, but no answers that will suit mine. Now I know most all the off-the-shelf consumer units that do Guest APs have a check box for Network Isolation. I realize this is a whole different ball game. I have seen many recommendations on this unit as to its great WiFi capability, which I checked out and so far it's a lot better that the billions of other units I have tried and pray it will do the trick. The Modem is a Comcast Business Grade unit that I would rather not touch. My POS, office computers, printers and Jukebox are hardwired to it. That's the reason for needing the network isolation. Although my POS has its own stand alone Redbox Firewall, this access needs to be "separate".

My set up will be:
Hardwire connection from Modem/Router > RB2011iAS-2HnD-IN > Pub Customers

Any assistance will be greatly appreciated.

Thank you.
This is exactly what you need. In this tut. i make two wireless networks (Home(wlan1) and Guest(wlan2)) and separate them to different DHCP Pool, using firewall NAT and rules.

Follow images from tutorial: http://www.mikrotikmacedonia.net/index. ... ,43.0.html
 
FarmerBob
just joined
Topic Author
Posts: 5
Joined: Thu Nov 05, 2015 3:05 am

Re: Isolating Guest WifI/wlan2 or wlan1

Tue Nov 10, 2015 12:24 am

This is exactly what you need. In this tut. i make two wireless networks (Home(wlan1) and Guest(wlan2)) and separate them to different DHCP Pool, using firewall NAT and rules.

Follow images from tutorial: http://www.mikrotikmacedonia.net/index. ... ,43.0.html
Thank you. The Macedonian translation is a trip. But now before I proceed, I am taking the unit in to see if the power of the WiFi is what it is professed to be and be of use to me. Which I should have done before posting here, but I was hoping to set the unit up before I take the thing in and be done. Although, I did know better, good things are not that easy and I knew that when I bought this.

So thank you for the suggestion. I read through it and wondered if it could be revamped to just block the main/one network from the source/modem. I really don't need two networks or access from this spot to the "back of the house"/modem.

Thanks again!
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 2990
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Isolating Guest WifI/wlan2 or wlan1

Tue Nov 10, 2015 3:13 am

using horizon you can isolate wired lan from wlan1 and from wlan2 and vice-versa sharing dhcp and lan addressing
example.jpg
the problem with horizon is wlan users get isolated from wired lan users some times you dont want that :(
You do not have the required permissions to view the files attached to this post.
 
FarmerBob
just joined
Topic Author
Posts: 5
Joined: Thu Nov 05, 2015 3:05 am

Re: Isolating Guest WifI/wlan2 or wlan1

Tue Nov 10, 2015 3:54 am

using horizon you can isolate wired lan from wlan1 and from wlan2 and vice-versa sharing dhcp and lan addressing the problem with horizon is wlan users get isolated from wired lan users some times you dont want that :(
Isolation from everything will be just fine. There will be no wired users and even if there were, isolation would be just fine and wanted. So I would do it on wlan1, since that's all there really needs to be. So how do I use/do "horizon"?

Thanks!

Who is online

Users browsing this forum: BartoszP and 47 guests