Community discussions
L
R
hAP AC guest wireless
I just purchased a pair of hAP AC and enabled a Guest WiFi network using Quick Set. As far as I can tell the Guests are not isolated using a VLAN, but I can't ping others on the "real" network when connected to the Guest. How does it all work? I assume it would still be prefered to separate the two using VLANs, how would I achieve that?
Re: hAP AC guest wireless
You have looked firewall settings? Could you print there your config?
Network Specialist
Need know where is cellular tower? Try CellMapper to get know where is cellular tower:
https://www.cellmapper.net/map
Need know where is cellular tower? Try CellMapper to get know where is cellular tower:
https://www.cellmapper.net/map
Re: hAP AC guest wireless
It seems something has changed, I don't get an IP now. Could you point me in the correct direction as to how to setup a Guest WiFi on hAP?
Re: hAP AC guest wireless
For Guest Wifi where a client has only 1 Guest AP, I usually do the following.
1. Split out the wifi interface onto it's own subnet. IE: my staff network will be 192.168.88.0/24 and my wifi network will be 192.168.89.0/24
Bridge > Ports, remove wifi interface from bridge-local
IP > Addresses, assign 10.0.0.1/24 to wlan1
IP > Pool, create a new DHCP IP pool with range 10.0.0.0/24
IP > DHCP Server, create the DHCP Server for wlan1
2. Prevent clients from talking to each other.
Interface > wlan, set default forward to not checked.
This function only works between wifi clients on the same AP.
3. Prevent clients from assigning themselves static IPs. They must use DHCP
Interface > wlan, set ARP to read-only
4. Prevent clients from communicating to staff network via firewall.
IP > Firewall > Filters, create rule. Chain=forward, dst-address=192.168.88.0/24, in-interface=wlan1, action=drop
IP > Firewall > Filters, create rule. Chain=forward, src-address=192.168.88.0/24, in-interface=wlan1, action=drop
(The second rule is cautionary, in case someone figures out out to send a packet with a src-address of the staff network)
5. Prevent clients from accessing winbox, web admin, etc. of the router. But do allow DNS
IP > Firewall > Filters, create rule. Chain=input, in-interface=wlan1, protocol=udp, dst-port=53, action=allow
IP > Firewall > Filters, create rule. Chain=input, in-interface=wlan1, action=drop
1. Split out the wifi interface onto it's own subnet. IE: my staff network will be 192.168.88.0/24 and my wifi network will be 192.168.89.0/24
Bridge > Ports, remove wifi interface from bridge-local
IP > Addresses, assign 10.0.0.1/24 to wlan1
IP > Pool, create a new DHCP IP pool with range 10.0.0.0/24
IP > DHCP Server, create the DHCP Server for wlan1
2. Prevent clients from talking to each other.
Interface > wlan, set default forward to not checked.
This function only works between wifi clients on the same AP.
3. Prevent clients from assigning themselves static IPs. They must use DHCP
Interface > wlan, set ARP to read-only
4. Prevent clients from communicating to staff network via firewall.
IP > Firewall > Filters, create rule. Chain=forward, dst-address=192.168.88.0/24, in-interface=wlan1, action=drop
IP > Firewall > Filters, create rule. Chain=forward, src-address=192.168.88.0/24, in-interface=wlan1, action=drop
(The second rule is cautionary, in case someone figures out out to send a packet with a src-address of the staff network)
5. Prevent clients from accessing winbox, web admin, etc. of the router. But do allow DNS
IP > Firewall > Filters, create rule. Chain=input, in-interface=wlan1, protocol=udp, dst-port=53, action=allow
IP > Firewall > Filters, create rule. Chain=input, in-interface=wlan1, action=drop
Re: hAP AC guest wireless
Van9018, thank you for your reply. I should have perhaps mentioned that I have two hAP's.
Who is online
Users browsing this forum: No registered users and 40 guests