Awesome, pcunite! When it is complete and functioning, can you post the config of both routers, please?
Here you go. While creating this example, I also noticed some areas that might be confusing in my other VLAN examples. So, I'll be updating those to better show how the
BASE_VLAN should be implemented, as I do here.
Hotspot with a separate router:
When using the Hotspot service (a captive portal), it should be noted that this feature behaves much like a rogue router would: you now have
two routers on your network to reason about, and the Hotspot service inserts its own dynamic rules into both the Firewall and NAT tables. For this reason, I prefer the
Hotspot service to be on a separate physical device and safely VLAN'd away. I hope that in the future, the network community comes up with a better way to accomplish
showing a website on demand when accessing the network for the first time.
Overview:
There are probably several ways to accomplish this. Here, I illustrate several VLANs. The BLUE vlan is your standard corporate network. The BASE vlan is what I use as a management network and also for device to device communication. The HOTSPOT vlans are what make this method unique. They allow both the Hotspot server itself and clients to be segmented and blocked off from the rest of your network. HOTSPOT_GUEST is where the actual guests live, and HOTSPOT_ROUTE is a way to get packets in and out without touching anything else. Keep the main router off HOTSPOT_GUEST at layer 3: if guests can reach any gateway on their VLAN other than the Hotspot router, a statically configured client can route around the captive portal. Of special note: don't use the
address-pool option under the
ip hotspot menu. I believe it caused me issues with iPhones.
Main Router:
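###############################################################################
# Topic: Using RouterOS to VLAN your network
# Example: Hotspot with a separate router
# Web: https://forum.mikrotik.com/viewtopic.php?t=143620
# RouterOS: 6.43.12
# Date: Mar 14, 2019
# Notes: Start with a reset (/system reset-configuration)
# Author: pcunite
###############################################################################
#######################################
# VLAN Overview
#######################################
# 10 = BLUE (CORP MAIN)
# 20 = HOTSPOT_ROUTE (transit between this router and the Hotspot router only)
# 30 = HOTSPOT_GUEST (guests; bridged through at L2 only, this router has NO IP here)
# 99 = BASE (MGMT) Layer
#######################################
# Naming
#######################################
/system identity set name=Router
#######################################
# Bridge
#######################################
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
#######################################
#
# -- Trunk Ports --
#
#######################################
# ingress behavior
/interface bridge port
# Purple Trunk. Leave pvid set to default of 1, enable port security features
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4
# egress behavior
/interface bridge vlan
# Purple Trunk. These need IP Services (L3), so add Bridge as member
add bridge=BR1 tagged=BR1,ether2,ether3,ether4 vlan-ids=10
add bridge=BR1 tagged=BR1,ether2,ether3,ether4 vlan-ids=20
add bridge=BR1 tagged=BR1,ether2,ether3,ether4 vlan-ids=99
# HOTSPOT_GUEST is switched through to the Hotspot router only. BR1 is deliberately
# NOT a member: if this router had an address on the guest VLAN, a guest with a
# static IP and gateway could route through it and bypass the captive portal.
add bridge=BR1 tagged=ether2,ether3,ether4 vlan-ids=30
#######################################
# IP Addressing & Routing
#######################################
# LAN facing router's IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.1/24 interface=BASE_VLAN
# DNS server, set to cache for LAN. The input chain below limits who may query it.
/ip dns set allow-remote-requests=yes servers="9.9.9.9"
# Yellow WAN facing port with IP Address provided by ISP
/ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0
# router's gateway provided by ISP
/ip route add distance=1 gateway=b.b.b.b
#######################################
# IP Services
#######################################
# BLUE (CORP MAIN) VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=10
/ip address add interface=BLUE_VLAN address=10.0.10.1/24
/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP disabled=no
# dns-server is this router; the "Force DNS" NAT rules below redirect to the same address
/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
# HOTSPOT_ROUTE VLAN interface creation, and IP assignment.
# The Hotspot router (10.0.20.2) uses 10.0.20.1 as its default gateway and DNS.
/interface vlan add interface=BR1 name=HOTSPOT_ROUTE_VLAN vlan-id=20
/ip address add interface=HOTSPOT_ROUTE_VLAN address=10.0.20.1/24
# HOTSPOT_GUEST: no VLAN interface and no IP address on this router (see bridge vlan
# section). Guests get DHCP, DNS and their gateway from the Hotspot router only.
# Optional
# Add a DHCP instance on BASE_VLAN if management hosts should not be addressed statically
#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################
# Use MikroTik's "list" feature for easy rule matchmaking.
/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=BASE
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=HOTSPOT_ROUTE_VLAN list=VLAN
# VLAN aware firewall. Order is important.
/ip firewall filter
##################
# INPUT CHAIN
##################
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
# Allow VLANs to access router DNS services. TCP is needed too: the "Force DNS"
# NAT rules also redirect TCP/53 here, and DNS falls back to TCP for large answers.
add action=accept chain=input comment="Allow VLAN DNS Services (UDP)" dst-port=53 in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="Allow VLAN DNS Services (TCP)" dst-port=53 in-interface-list=VLAN protocol=tcp
# Allow BASE_VLAN full access router, Winbox, etc.
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface-list=BASE
add action=drop chain=input comment=Drop
##################
# FORWARD CHAIN
##################
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
# Allow all VLANs to access the Internet only, NOT each other
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat in-interface-list=WAN comment="Allow port forwards"
add action=drop chain=forward comment=Drop
##################
# NAT
##################
/ip firewall nat
# Standard masquerade
add action=masquerade chain=srcnat out-interface-list=WAN comment=masquerade
# Force DNS for BLUE_VLAN: any DNS query from a BLUE client is redirected to this
# router's own resolver (the address BLUE_DHCP hands out). Match on BLUE_VLAN, not
# BR1: with vlan-filtering on, routed frames arrive on the VLAN interface, so a
# rule on in-interface=BR1 never matches tagged traffic.
add action=dst-nat chain=dstnat dst-port=53 in-interface=BLUE_VLAN protocol=tcp to-addresses=192.168.0.1 to-ports=53 comment="Force DNS"
add action=dst-nat chain=dstnat dst-port=53 in-interface=BLUE_VLAN protocol=udp to-addresses=192.168.0.1 to-ports=53 comment="Force DNS"
#######################################
# MAC Server settings
#######################################
# Ensure only visibility and availability from BASE_VLAN, our MGMT layer
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=none
#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes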
Hotspot Router:
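###############################################################################
# Topic: Using RouterOS to VLAN your network
# Example: Hotspot with a separate router
# Web: https://forum.mikrotik.com/viewtopic.php?t=143620
# RouterOS: 6.43.12
# Date: Apr 18, 2019
# Notes: Start with a reset (/system reset-configuration)
# Author: pcunite
###############################################################################
#######################################
# VLAN Overview
#######################################
# 10 = BLUE (CORP MAIN) - not carried on this router, see bridge vlan section
# 20 = HOTSPOT_ROUTE (transit to the main router)
# 30 = HOTSPOT_GUEST (guests; this router is their DHCP, DNS, gateway and portal)
# 99 = BASE (MGMT) Layer
#######################################
# Naming
#######################################
/system identity set name=HotspotRouter
#######################################
# Bridge
#######################################
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no
#######################################
#
# -- Trunk Ports --
#
#######################################
# ingress behavior
/interface bridge port
# Purple Trunk. Leave pvid set to default of 1, enable port security features
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
# egress behavior
/interface bridge vlan
# Purple Trunk. These need IP Services (L3), so add Bridge as member.
# BLUE (10) is intentionally absent: nothing on this router uses it, and with
# ingress-filtering=yes any tagged-10 frame reaching ether1 is dropped, so the
# Hotspot router has no foothold on the corporate VLAN.
add bridge=BR1 tagged=BR1,ether1 vlan-ids=20
add bridge=BR1 tagged=BR1,ether1 vlan-ids=30
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99
#######################################
# IP Addressing & Routing
#######################################
# LAN facing Router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.2/24 interface=BASE_VLAN
# IP address to access HOTSPOT_ROUTE VLAN
/interface vlan add interface=BR1 name=HOTSPOT_ROUTE vlan-id=20
/ip address add address=10.0.20.2/24 interface=HOTSPOT_ROUTE
# IP address for Hotspot user services, DNS, DHCP, etc.
/interface vlan add interface=BR1 name=HOTSPOT_GUEST vlan-id=30
/ip address add address=10.0.30.2/24 interface=HOTSPOT_GUEST
# Routing:
# The main Router's HOTSPOT_ROUTE address is our only gateway. We route over the HOTSPOT_ROUTE VLAN
/ip route add distance=1 gateway=10.0.20.1
#######################################
# Hotspot Router Settings
#######################################
# Use DNS supplied from HOTSPOT_ROUTE VLAN (the main router). allow-remote-requests is
# required for guests; the input chain below decides who may actually reach the resolver.
/ip dns set allow-remote-requests=yes servers=10.0.20.1
# DHCP settings for the HOTSPOT_GUEST VLAN.
/ip pool add name=Hotspot_POOL ranges=10.0.30.10-10.0.30.254
/ip dhcp-server add address-pool=Hotspot_POOL disabled=no interface=HOTSPOT_GUEST name=Hotspot_DHCP
/ip dhcp-server network add address=10.0.30.0/24 dns-server=10.0.30.2 gateway=10.0.30.2
# We share a single user to over 200. Customize as you see fit.
# A shared credential only gates access to the portal flow; it does not identify guests.
/ip hotspot user add name=userhotspot password=userhotspot
/ip hotspot user profile set [ find default=yes ] shared-users=200
# Other settings. Don't use the HotSpot 'address-pool' option. It is a NAT helper and may cause issues with iPhones.
/ip hotspot profile set [ find default=yes ] dns-name=MyHotspot.lan hotspot-address=10.0.30.2 html-directory=flash/hotspot
/ip hotspot add interface=HOTSPOT_GUEST name=Hotspot1 disabled=no
/ip hotspot service-port set ftp disabled=yes
#######################################
# Firewalling & NAT
# A Hotspot is basically a Rogue
# router. So we are careful with what
# we allow it to do.
#######################################
# Use MikroTik's "list" feature for easy rule matchmaking.
/interface list add name=BASE
/interface list member
add interface=BASE_VLAN list=BASE
# VLAN aware firewall. Order is important.
# Guest DHCP, DNS and the portal itself are admitted by the dynamic rules the HotSpot
# service inserts ahead of these (hs-input / hs-unauth); nothing below needs to allow
# HOTSPOT_GUEST explicitly, and nothing below should.
/ip firewall filter
##################
# INPUT CHAIN
##################
add action=accept chain=input connection-state=established,related comment="Allow Estab & Related"
add action=drop chain=input connection-state=invalid comment="Drop Invalid"
# Allow BASE_VLAN full access
add action=accept chain=input in-interface-list=BASE comment="Allow Base_Vlan to MikroTik"
# Optional: Winbox from the main router over HOTSPOT_ROUTE. Limited to the main router's
# address and the Winbox port; the previous wide-open accept on this interface is not needed
# because management already comes in over BASE_VLAN. Widen only if you really need to.
add action=accept chain=input in-interface=HOTSPOT_ROUTE src-address=10.0.20.1 protocol=tcp dst-port=8291 comment="Allow main router Winbox over HOTSPOT_ROUTE"
add action=drop chain=input comment=Drop
##################
# FORWARD CHAIN
##################
add action=accept chain=forward connection-state=established,related comment="Allow Estab & Related"
add action=drop chain=forward connection-state=invalid comment="Drop Invalid"
# Allow HOTSPOT_GUEST access the Internet only (via HOTSPOT_ROUTE; the main router
# in turn only forwards that VLAN to WAN)
add action=accept chain=forward connection-state=new in-interface=HOTSPOT_GUEST out-interface=HOTSPOT_ROUTE comment="Allow VLAN Internet Access"
add action=drop chain=forward comment=Drop
##################
# NAT
##################
# Masquerade guests only when they leave over HOTSPOT_ROUTE, so this rule can never
# hide guest traffic behind the BASE_VLAN address
/ip firewall nat add action=masquerade chain=srcnat src-address=10.0.30.0/24 out-interface=HOTSPOT_ROUTE comment="masquerade"
#######################################
# MAC Server settings
#######################################
# Ensure only visibility and availability from BASE_VLAN, our MGMT layer
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=none
#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes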