I'm trying to set up small network using two mikrotik routers.
So far I think I got the basic setup working -- machines can see each other and wifi is working.
On the first router, one port is designated as WAN (with QuickSet generated firewall), and all other ports are connected together into bridge. It's running DHCP server & DNS for the whole network.
Second router (HAP ac) has all ethernet and wifi interfaces bridged together.
It receives address & dns settings from DHCP, where I had to disable QuickSet generated interface bridge filter rule to make it work.
Are there any particularly silly things I have done so far with this setup?
In particular I'm not sure why QuickSet added DHCP filter rule that I had to disable.
Now for the next step, I want to isolate some of the ethernet ports and guest wifi into guest subnet.
If I understand it correctly, I should be able to do this using VLANs, while retaining most of my bridged setup.
What I'm not sure is how to isolate hosts on the guest VLAN from each other, so they could only access internet?
And final question, is it also possible to isolate guest VLAN (and normal wifi interfaces) from accessing mac-winbox?
I would like to keep mac-winbox enabled (as anti screw-up measure), but only accessible from ethernet.
It seems that due to bridging allowed-interface-list isn't working.