Community discussions

MUM Europe 2020
 
CypherBit
just joined
Topic Author
Posts: 18
Joined: Tue Mar 06, 2012 10:06 am

Guest-wifi

Thu Aug 31, 2017 11:13 pm

I recently bought two RouterBOARD 962UiGS-5HacT2HnT. The first one is behind my ISPs modem as a firewall, the second one is connected to the first with a network cable and acts as a switch/access point. No DHCP is configured on it.

Since I wanted to have a separate WiFi network for guests I followed this guide: https://support.fieber.nl/hc/nl/article ... oTik-RB951 and I now have a second SSID in a different subnet, everything works great.

I'm now trying to configure the second AP, so it too would have the additional wifi for guests. While I was able to create a new Wifi Security Profile and the SSID is visible on my devices, I don't get a IP from the DHCP server. Additionally manually setting the IP to the 172.168.0.0./24 network doesn't help either, there's no internet. 

How can I add the guest wifi to the AP, so it works in the same way as on the first Mikrotik device?
 
User avatar
doneware
Trainer
Trainer
Posts: 540
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Guest-wifi

Fri Sep 01, 2017 12:31 am

can you share a bit more details? how is the 2nd AP connected?
#TR0359
 
CypherBit
just joined
Topic Author
Posts: 18
Joined: Tue Mar 06, 2012 10:06 am

Re: Guest-wifi

Fri Sep 01, 2017 7:50 am

Thank you for your reply.

I just put a CAT6 cable in one of the LAN ports on the firewall and then attached that to one of the LAN ports in the AP. I did so about a month ago, but I might have forgotten some details.


Please let me know what additional information is required, perhaps in the form of commands that I need to run.
 
User avatar
doneware
Trainer
Trainer
Posts: 540
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Guest-wifi

Fri Sep 01, 2017 1:46 pm

just connecting the two boxes is not enough.
as i saw you have different subnet for the guest ssid and your local LAN, and that's ok so.
but as you interconnect the two boxes (assuming both of them are mikrotik) is not goint to provide you isolation.
i guess the other non-guest ssid is bridged together with the ports on the LAN side, so you can have access to the resources in your LAN from the non-guest SSID.
but since all your ports are in the LAN, and the guest ssid is a _separate_ network, the guest ssid in the router and the another guest ssid in the AP are not continuous.
if you want your devices to be able to "roam" between the two wireless guest networks, you need to interconnect them on ethernet level.

you can do this in at least 3 different ways:
#1 use CAPSMAN, but this might be a bit overkill for this sole purpose
#2 configure VLANs on your interconnecting port (one for the LAN, one for the guest ssid) and bridge the respective ones with each other:

router1 (just giving an example)
- ether1 : internet
- ether2-ether4: LAN (ether2 is the master port for ether3 and ether4)
- ether5: interconnect port, with two VLANs (10 for the LAN, 20 for the guest ssid)
- wlan1: main wireless interface used for LAN
- wlan2: virtual AP, used for guest SSID
- bridge-lan: connects wlan1, ether2 (and ether3 and ether4) and VLAN10
- bridge-guest: connects wlan2 and VLAN20

all your DHCP, IPaddress settings for the guest SSID must be transferred to the bridge-guest interface

ap:
- ether1-ether4: LAN (ether1 is the master port for ether2,3,4)
- ether5 : interconnected with router1, two VLANs (VLAN10 for LAN, VLAN20 for guest ssid)
- wlan1: main wireless interface used for LAN
- wlan2: virtual AP used for the guest SSID
- bridge-lan: connects wlan1, ether1 (and ether2, ether3, ether4) and VLAN10 (has ip address or dhcp-client)
- bridge-guest: connects wlan2 and VLAN20 (has no ip address)

#3 [probably the easiest] configure 1 EOIP tunnel between the router and the AP to be used for guest wlan interconnect

router1 (just giving an example)
- ether1 : internet
- ether2-ether5: LAN (ether2 is the master port for ether3,ether4,ether5)
- AP is connected to whichever ports in the LAN (ether2..ether5)
- eoip1: eoip tunnel between the router and the ip (local address: router's LAN IP, remote-address: AP's IP address)
- wlan1: main wireless interface used for LAN
- wlan2: virtual AP, used for guest SSID
- bridge-lan: connects wlan1, ether2 (and ether3 and ether4, ether5)
- bridge-guest: connects wlan2 and eoip1

AP:
- ether1..ether5: LAN, ether1 is the master port.
- one of the ports is interconnected with the router
- eoip1: eoip tunnel between the router and the ip (local address: AP's LAN IP, remote-address: routers's LAN IP address)
- wlan1: main wireless interface used for LAN
- wlan2: virtual AP, used for guest SSID
- bridge-LAN: connects wlan1, ether1 (and ether2, ether3 and ether4, ether5) - this interface has IP address from the LAN subnet
- bridge-guest: connects wlan2 and eoip1
#TR0359
 
User avatar
doneware
Trainer
Trainer
Posts: 540
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Guest-wifi

Fri Sep 01, 2017 2:04 pm

i created a quick overview of options #2 and #3.
i will do a detailed guide on the capsman version, as it might seem a bit complex for the first glance, but maybe easier to control/manage.
i'll post it on my blog and drop a link here.
i will also include the configuration as well (probably for options #2 and #3 as well)
You do not have the required permissions to view the files attached to this post.
#TR0359
 
CypherBit
just joined
Topic Author
Posts: 18
Joined: Tue Mar 06, 2012 10:06 am

Re: Guest-wifi

Sat Sep 02, 2017 12:48 pm

Wow, thank you so much for spending that much time on this, I really appreciate it. I tried to follow the 3rd option as much as I could, but the clients are still not getting an IP from the DHCP server (on router1).

I'm providing screenshots of the entire configuration, if that might help in assisting me (I think we're quite close):

- router1:
01_router_interfaces.png
02_router_bridge.png
03_router_ports.png
04_router_sec_profiles.png
05_router_pool.png
06_router_DHCP_server.png
07_router_networks.png

- AP
08_AP_interfaces.png
09_AP_bridge.png
10_AP_ports.png
11_AP_sec_profiles.png
There are no DHCP settings on the AP, and there's only the 192.168.1.0/24 network.

Please let me know if anything else might be required?
You do not have the required permissions to view the files attached to this post.
 
User avatar
acruhl
Member
Member
Posts: 359
Joined: Fri Jul 03, 2015 7:22 pm

Re: Guest-wifi

Mon Sep 04, 2017 7:56 pm

i created a quick overview of options #2 and #3.
i will do a detailed guide on the capsman version, as it might seem a bit complex for the first glance, but maybe easier to control/manage.
i'll post it on my blog and drop a link here.
i will also include the configuration as well (probably for options #2 and #3 as well)
What tool are you using to draw diagrams? This is nice.
Stuff.
 
User avatar
pcunite
Forum Veteran
Forum Veteran
Posts: 945
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Guest-wifi

Thu Sep 07, 2017 5:26 am

I've created a quick overview of options #2.
Excellent diagram! Very helpful.

Using option #2 (VLAN) as a guide, I put together the following example. It seems to work well for me. Do you think it is a good implementation? Any gotchas?

Some things left out for brevity (like firewall setup, nat, etc.)

First configure router:
# RouterOS 6.38.7
#
# Configure the Router hardware
#

# Create two bridges. One for LAN. One for Guests
/interface bridge
add name=bridge-LAN  protocol-mode=none
add name=bridge-VLAN protocol-mode=none

# Ensure you have a port set aside for Trunk duties. We'll use ether5
/interface ethernet
set [ find default-name=ether1 ] name=ether-WAN
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port="none"

# Create the VLAN on ether5
/interface vlan
add interface=ether5 name=vLAN10 vlan-id=10

# Make each bridge aware of the other by adding ports between them
/interface bridge port
add bridge=bridge-LAN  interface=ether2
add bridge=bridge-LAN  interface=vLAN10
add bridge=bridge-VLAN interface=ether5

# Assign IP Address to the bridges
/ip address
add interface=bridge-LAN  address=192.168.0.1/24
add interface=bridge-VLAN address=192.168.10.1/24

# Setup a seperate DHCP server for Guest VLAN
/ip pool
add name=dhcp_guest ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_guest interface=bridge-VLAN name=dhcp-vlan10
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 domain=guest.local gateway=192.168.10.1
Next configure the Wifi AP:
# RouterOS 6.38.7
#
# Configure the WiFi AP hardware
#

# Create two bridges. One for LAN. One for Guests
/interface bridge
add name=bridge-LAN  protocol-mode=none
add name=bridge-VLAN protocol-mode=none

# Ensure you have a port set aside for Trunk duties. We'll use ether1 for an AP
/interface ethernet
set [ find default-name=ether1 ] master-port="none"
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2

# Create the VLAN on ether1 using the same ID as the router's Trunk port
/interface vlan
add interface=ether1 name=vLAN10 vlan-id=10

# Make each bridge aware of the other by adding ports between them
/interface bridge port
add bridge=bridge-LAN interface=ether2
add bridge=bridge-LAN interface=vLAN10
add bridge=bridge-VLAN interface=ether1

# Also add the WiFi interface to VLAN bridge. An extra step
add bridge=bridge-VLAN interface=wlan1

# Assign IP Address to the bridges
/ip address
add interface=bridge-LAN  address=192.168.0.2/24
add interface=bridge-VLAN address=192.168.10.2/24
 
hero1900
just joined
Posts: 15
Joined: Mon Mar 26, 2018 8:50 pm

Re: Guest-wifi

Thu Apr 19, 2018 3:57 pm

thx for the info really beneficial

Who is online

Users browsing this forum: No registered users and 33 guests