I recently bought two RouterBOARD 962UiGS-5HacT2HnT. The first one is behind my ISPs modem as a firewall, the second one is connected to the first with a network cable and acts as a switch/access point. No DHCP is configured on it.
Since I wanted to have a separate WiFi network for guests I followed this guide: https://support.fieber.nl/hc/nl/article ... oTik-RB951 and I now have a second SSID in a different subnet, everything works great.
I'm now trying to configure the second AP, so it too would have the additional wifi for guests. While I was able to create a new Wifi Security Profile and the SSID is visible on my devices, I don't get a IP from the DHCP server. Additionally manually setting the IP to the 172.168.0.0./24 network doesn't help either, there's no internet.
How can I add the guest wifi to the AP, so it works in the same way as on the first Mikrotik device?
Re: Guest-wifi
can you share a bit more details? how is the 2nd AP connected?
Re: Guest-wifi
Thank you for your reply.
I just put a CAT6 cable in one of the LAN ports on the firewall and then attached that to one of the LAN ports in the AP. I did so about a month ago, but I might have forgotten some details.
Please let me know what additional information is required, perhaps in the form of commands that I need to run.
I just put a CAT6 cable in one of the LAN ports on the firewall and then attached that to one of the LAN ports in the AP. I did so about a month ago, but I might have forgotten some details.
Please let me know what additional information is required, perhaps in the form of commands that I need to run.
Re: Guest-wifi
just connecting the two boxes is not enough.
as i saw you have different subnet for the guest ssid and your local LAN, and that's ok so.
but as you interconnect the two boxes (assuming both of them are mikrotik) is not goint to provide you isolation.
i guess the other non-guest ssid is bridged together with the ports on the LAN side, so you can have access to the resources in your LAN from the non-guest SSID.
but since all your ports are in the LAN, and the guest ssid is a _separate_ network, the guest ssid in the router and the another guest ssid in the AP are not continuous.
if you want your devices to be able to "roam" between the two wireless guest networks, you need to interconnect them on ethernet level.
you can do this in at least 3 different ways:
#1 use CAPSMAN, but this might be a bit overkill for this sole purpose
#2 configure VLANs on your interconnecting port (one for the LAN, one for the guest ssid) and bridge the respective ones with each other:
router1 (just giving an example)
- ether1 : internet
- ether2-ether4: LAN (ether2 is the master port for ether3 and ether4)
- ether5: interconnect port, with two VLANs (10 for the LAN, 20 for the guest ssid)
- wlan1: main wireless interface used for LAN
- wlan2: virtual AP, used for guest SSID
- bridge-lan: connects wlan1, ether2 (and ether3 and ether4) and VLAN10
- bridge-guest: connects wlan2 and VLAN20
all your DHCP, IPaddress settings for the guest SSID must be transferred to the bridge-guest interface
ap:
- ether1-ether4: LAN (ether1 is the master port for ether2,3,4)
- ether5 : interconnected with router1, two VLANs (VLAN10 for LAN, VLAN20 for guest ssid)
- wlan1: main wireless interface used for LAN
- wlan2: virtual AP used for the guest SSID
- bridge-lan: connects wlan1, ether1 (and ether2, ether3, ether4) and VLAN10 (has ip address or dhcp-client)
- bridge-guest: connects wlan2 and VLAN20 (has no ip address)
#3 [probably the easiest] configure 1 EOIP tunnel between the router and the AP to be used for guest wlan interconnect
router1 (just giving an example)
- ether1 : internet
- ether2-ether5: LAN (ether2 is the master port for ether3,ether4,ether5)
- AP is connected to whichever ports in the LAN (ether2..ether5)
- eoip1: eoip tunnel between the router and the ip (local address: router's LAN IP, remote-address: AP's IP address)
- wlan1: main wireless interface used for LAN
- wlan2: virtual AP, used for guest SSID
- bridge-lan: connects wlan1, ether2 (and ether3 and ether4, ether5)
- bridge-guest: connects wlan2 and eoip1
AP:
- ether1..ether5: LAN, ether1 is the master port.
- one of the ports is interconnected with the router
- eoip1: eoip tunnel between the router and the ip (local address: AP's LAN IP, remote-address: routers's LAN IP address)
- wlan1: main wireless interface used for LAN
- wlan2: virtual AP, used for guest SSID
- bridge-LAN: connects wlan1, ether1 (and ether2, ether3 and ether4, ether5) - this interface has IP address from the LAN subnet
- bridge-guest: connects wlan2 and eoip1
as i saw you have different subnet for the guest ssid and your local LAN, and that's ok so.
but as you interconnect the two boxes (assuming both of them are mikrotik) is not goint to provide you isolation.
i guess the other non-guest ssid is bridged together with the ports on the LAN side, so you can have access to the resources in your LAN from the non-guest SSID.
but since all your ports are in the LAN, and the guest ssid is a _separate_ network, the guest ssid in the router and the another guest ssid in the AP are not continuous.
if you want your devices to be able to "roam" between the two wireless guest networks, you need to interconnect them on ethernet level.
you can do this in at least 3 different ways:
#1 use CAPSMAN, but this might be a bit overkill for this sole purpose
#2 configure VLANs on your interconnecting port (one for the LAN, one for the guest ssid) and bridge the respective ones with each other:
router1 (just giving an example)
- ether1 : internet
- ether2-ether4: LAN (ether2 is the master port for ether3 and ether4)
- ether5: interconnect port, with two VLANs (10 for the LAN, 20 for the guest ssid)
- wlan1: main wireless interface used for LAN
- wlan2: virtual AP, used for guest SSID
- bridge-lan: connects wlan1, ether2 (and ether3 and ether4) and VLAN10
- bridge-guest: connects wlan2 and VLAN20
all your DHCP, IPaddress settings for the guest SSID must be transferred to the bridge-guest interface
ap:
- ether1-ether4: LAN (ether1 is the master port for ether2,3,4)
- ether5 : interconnected with router1, two VLANs (VLAN10 for LAN, VLAN20 for guest ssid)
- wlan1: main wireless interface used for LAN
- wlan2: virtual AP used for the guest SSID
- bridge-lan: connects wlan1, ether1 (and ether2, ether3, ether4) and VLAN10 (has ip address or dhcp-client)
- bridge-guest: connects wlan2 and VLAN20 (has no ip address)
#3 [probably the easiest] configure 1 EOIP tunnel between the router and the AP to be used for guest wlan interconnect
router1 (just giving an example)
- ether1 : internet
- ether2-ether5: LAN (ether2 is the master port for ether3,ether4,ether5)
- AP is connected to whichever ports in the LAN (ether2..ether5)
- eoip1: eoip tunnel between the router and the ip (local address: router's LAN IP, remote-address: AP's IP address)
- wlan1: main wireless interface used for LAN
- wlan2: virtual AP, used for guest SSID
- bridge-lan: connects wlan1, ether2 (and ether3 and ether4, ether5)
- bridge-guest: connects wlan2 and eoip1
AP:
- ether1..ether5: LAN, ether1 is the master port.
- one of the ports is interconnected with the router
- eoip1: eoip tunnel between the router and the ip (local address: AP's LAN IP, remote-address: routers's LAN IP address)
- wlan1: main wireless interface used for LAN
- wlan2: virtual AP, used for guest SSID
- bridge-LAN: connects wlan1, ether1 (and ether2, ether3 and ether4, ether5) - this interface has IP address from the LAN subnet
- bridge-guest: connects wlan2 and eoip1
Re: Guest-wifi
i created a quick overview of options #2 and #3.
i will do a detailed guide on the capsman version, as it might seem a bit complex for the first glance, but maybe easier to control/manage.
i'll post it on my blog and drop a link here.
i will also include the configuration as well (probably for options #2 and #3 as well)
i will do a detailed guide on the capsman version, as it might seem a bit complex for the first glance, but maybe easier to control/manage.
i'll post it on my blog and drop a link here.
i will also include the configuration as well (probably for options #2 and #3 as well)
You do not have the required permissions to view the files attached to this post.
Re: Guest-wifi
Wow, thank you so much for spending that much time on this, I really appreciate it. I tried to follow the 3rd option as much as I could, but the clients are still not getting an IP from the DHCP server (on router1).
I'm providing screenshots of the entire configuration, if that might help in assisting me (I think we're quite close):
- router1:
- AP There are no DHCP settings on the AP, and there's only the 192.168.1.0/24 network.
Please let me know if anything else might be required?
I'm providing screenshots of the entire configuration, if that might help in assisting me (I think we're quite close):
- router1:
- AP There are no DHCP settings on the AP, and there's only the 192.168.1.0/24 network.
Please let me know if anything else might be required?
You do not have the required permissions to view the files attached to this post.
Re: Guest-wifi
What tool are you using to draw diagrams? This is nice.i created a quick overview of options #2 and #3.
i will do a detailed guide on the capsman version, as it might seem a bit complex for the first glance, but maybe easier to control/manage.
i'll post it on my blog and drop a link here.
i will also include the configuration as well (probably for options #2 and #3 as well)
Re: Guest-wifi
Excellent diagram! Very helpful.I've created a quick overview of options #2.
Using option #2 (VLAN) as a guide, I put together the following example. It seems to work well for me. Do you think it is a good implementation? Any gotchas?
Some things left out for brevity (like firewall setup, nat, etc.)
First configure router:
Code: Select all
# RouterOS 6.38.7
#
# Configure the Router hardware
#
# Create two bridges. One for LAN. One for Guests
/interface bridge
add name=bridge-LAN protocol-mode=none
add name=bridge-VLAN protocol-mode=none
# Ensure you have a port set aside for Trunk duties. We'll use ether5
/interface ethernet
set [ find default-name=ether1 ] name=ether-WAN
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port="none"
# Create the VLAN on ether5
/interface vlan
add interface=ether5 name=vLAN10 vlan-id=10
# Make each bridge aware of the other by adding ports between them
/interface bridge port
add bridge=bridge-LAN interface=ether2
add bridge=bridge-LAN interface=vLAN10
add bridge=bridge-VLAN interface=ether5
# Assign IP Address to the bridges
/ip address
add interface=bridge-LAN address=192.168.0.1/24
add interface=bridge-VLAN address=192.168.10.1/24
# Setup a seperate DHCP server for Guest VLAN
/ip pool
add name=dhcp_guest ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_guest interface=bridge-VLAN name=dhcp-vlan10
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8 domain=guest.local gateway=192.168.10.1
Code: Select all
# RouterOS 6.38.7
#
# Configure the WiFi AP hardware
#
# Create two bridges. One for LAN. One for Guests
/interface bridge
add name=bridge-LAN protocol-mode=none
add name=bridge-VLAN protocol-mode=none
# Ensure you have a port set aside for Trunk duties. We'll use ether1 for an AP
/interface ethernet
set [ find default-name=ether1 ] master-port="none"
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2
# Create the VLAN on ether1 using the same ID as the router's Trunk port
/interface vlan
add interface=ether1 name=vLAN10 vlan-id=10
# Make each bridge aware of the other by adding ports between them
/interface bridge port
add bridge=bridge-LAN interface=ether2
add bridge=bridge-LAN interface=vLAN10
add bridge=bridge-VLAN interface=ether1
# Also add the WiFi interface to VLAN bridge. An extra step
add bridge=bridge-VLAN interface=wlan1
# Assign IP Address to the bridges
/ip address
add interface=bridge-LAN address=192.168.0.2/24
add interface=bridge-VLAN address=192.168.10.2/24