
hAP AC guest wireless

Posted: Sat Jan 28, 2017 7:39 pm
by CypherBit
I just purchased a pair of hAP AC and enabled a Guest WiFi network using Quick Set. As far as I can tell the Guests are not isolated using a VLAN, but I can't ping others on the "real" network when connected to the Guest. How does it all work? I assume it would still be preferred to separate the two using VLANs; how would I achieve that?

Re: hAP AC guest wireless

Posted: Sun Jan 29, 2017 12:02 am
by olkitu
Have you looked at the firewall settings? Could you print your config here?

Re: hAP AC guest wireless

Posted: Sun Jan 29, 2017 10:43 am
by CypherBit
It seems something has changed, I don't get an IP now. Could you point me in the correct direction as to how to set up a Guest WiFi on hAP?

Re: hAP AC guest wireless

Posted: Sun Jan 29, 2017 12:32 pm
by Van9018
For Guest Wifi where a client has only 1 Guest AP, I usually do the following.

1. Split out the wifi interface onto its own subnet, i.e. my staff network will be 192.168.88.0/24 and my wifi network will be 192.168.89.0/24
Bridge > Ports, remove wifi interface from bridge-local
IP > Addresses, assign 10.0.0.1/24 to wlan1
IP > Pool, create a new DHCP IP pool with range 10.0.0.0/24
IP > DHCP Server, create the DHCP Server for wlan1

2. Prevent clients from talking to each other.
Interface > wlan, set default forward to not checked.
This function only works between wifi clients on the same AP.

3. Prevent clients from assigning themselves static IPs. They must use DHCP
Interface > wlan, set ARP to read-only

4. Prevent clients from communicating to staff network via firewall.
IP > Firewall > Filters, create rule. Chain=forward, dst-address=192.168.88.0/24, in-interface=wlan1, action=drop
IP > Firewall > Filters, create rule. Chain=forward, src-address=192.168.88.0/24, in-interface=wlan1, action=drop
(The second rule is cautionary, in case someone figures out how to send a packet with a src-address of the staff network)

5. Prevent clients from accessing winbox, web admin, etc. of the router. But do allow DNS
IP > Firewall > Filters, create rule. Chain=input, in-interface=wlan1, protocol=udp, dst-port=53, action=allow
IP > Firewall > Filters, create rule. Chain=input, in-interface=wlan1, action=drop
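
The five steps above as RouterOS v6 terminal commands, as an added example that is not part of the original post. It assumes the guest radio is `wlan1`, uses the 10.0.0.0/24 guest subnet from the steps, and the names `guest-pool` and `guest-dhcp` and the pool range are made up here; in the CLI the values are spelled `arp=reply-only` and `action=accept`.

```routeros
# Added example. Assumed names: wlan1, guest-pool, guest-dhcp.
# Guest subnet 10.0.0.0/24 and staff subnet 192.168.88.0/24 are taken from the post.

# 1. Take wlan1 out of the LAN bridge and give it its own subnet with DHCP
/interface bridge port remove [find interface=wlan1]
/ip address add address=10.0.0.1/24 interface=wlan1 comment="guest gateway"
/ip pool add name=guest-pool ranges=10.0.0.10-10.0.0.254
# dns-server points at the router; assumes /ip dns allow-remote-requests=yes
/ip dhcp-server network add address=10.0.0.0/24 gateway=10.0.0.1 dns-server=10.0.0.1
# add-arp=yes makes the DHCP server create the ARP entries that
# reply-only (step 3) depends on; without it leased clients get no ARP replies
/ip dhcp-server add name=guest-dhcp interface=wlan1 address-pool=guest-pool \
    add-arp=yes disabled=no

# 2. No client-to-client forwarding between stations on this AP
/interface wireless set wlan1 default-forwarding=no

# 3. Router answers ARP only for entries in its ARP table (the DHCP leases),
#    so a self-assigned static IP gets no connectivity through the router
/interface wireless set wlan1 arp=reply-only

# 4. Guest traffic may not reach the staff LAN, nor claim a staff source address
/ip firewall filter add chain=forward in-interface=wlan1 \
    dst-address=192.168.88.0/24 action=drop comment="guest: no staff LAN"
/ip firewall filter add chain=forward in-interface=wlan1 \
    src-address=192.168.88.0/24 action=drop comment="guest: spoofed staff source"

# 5. Guests may use the router for DNS only; Winbox, WebFig, SSH etc. are dropped
/ip firewall filter add chain=input in-interface=wlan1 protocol=udp \
    dst-port=53 action=accept comment="guest: DNS to router"
/ip firewall filter add chain=input in-interface=wlan1 action=drop \
    comment="guest: no router services"

# Check the result: rule order and hit counters, then the leases handed out
/ip firewall filter print stats where in-interface=wlan1
/ip dhcp-server lease print where server=guest-dhcp
```

`add` appends each rule to the end of its chain, so if an earlier rule already accepts the same traffic, move the guest rules above it. From a guest client, a ping to a 192.168.88.0/24 host should then fail while the drop counters on the step 4 rules increase.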

Re: hAP AC guest wireless

Posted: Sun Jan 29, 2017 11:09 pm
by CypherBit
Van9018, thank you for your reply. I should have perhaps mentioned that I have two hAPs.