Community discussions

MikroTik App
 
usovalx5
just joined
Topic Author
Posts: 22
Joined: Sun Mar 15, 2020 8:06 pm

Newbie question -- setting up 2 router network with isolated guest subnet

Sun Mar 15, 2020 8:58 pm

Hello,

I'm trying to set up small network using two mikrotik routers.
So far I think I got the basic setup working -- machines can see each other and wifi is working.

On the first router, one port is designated as WAN (with QuickSet generated firewall), and all other ports are connected together into bridge. It's running DHCP server & DNS for the whole network.
Second router (HAP ac) has all ethernet and wifi interfaces bridged together.
It receives address & dns settings from DHCP, where I had to disable QuickSet generated interface bridge filter rule to make it work.

Are there any particularly silly things I have done so far with this setup?
In particular I'm not sure why QuickSet added DHCP filter rule that I had to disable.


Now for the next step, I want to isolate some of the ethernet ports and guest wifi into guest subnet.
If I understand it correctly, I should be able to do this using VLANs, while retaining most of my bridged setup.
What I'm not sure is how to isolate hosts on the guest VLAN from each other, so they could only access internet?

And final question, is it also possible to isolate guest VLAN (and normal wifi interfaces) from accessing mac-winbox?
I would like to keep mac-winbox enabled (as anti screw-up measure), but only accessible from ethernet.
It seems that due to bridging allowed-interface-list isn't working.
 
usovalx5
just joined
Topic Author
Posts: 22
Joined: Sun Mar 15, 2020 8:06 pm

Re: Newbie question -- setting up 2 router network with isolated guest subnet

Sun Mar 15, 2020 8:59 pm

Adding current setup as separate post, for some reason formatting was glitching:

Router 1 (HEX, bunch of ethernet devices + WAN uplink)
/interface bridge
add name=br1
/ip pool
add name=dhcp ranges=192.168.123.50-192.168.123.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=br1 name=dhcp1
/interface bridge port
add bridge=br1 interface=ether2-xlink
add bridge=br1 interface=ether3
add bridge=br1 interface=ether4
add bridge=br1 interface=ether5
/interface list member
add interface=br1 list=LAN
add interface=ether1-wan list=WAN
/ip address
add address=192.168.123.1/24 interface=ether2-xlink network=192.168.123.0
/ip dhcp-client
add disabled=no interface=ether1-wan
/ip dhcp-server lease
# static lease for wifi AP
add address=192.168.123.2 comment="Wifi AP" mac-address=XXXXX
/ip dhcp-server network
add address=192.168.123.0/24 gateway=192.168.123.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall filter
# default QuickSet rules
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none out-interface-list=WAN
 
usovalx5
just joined
Topic Author
Posts: 22
Joined: Sun Mar 15, 2020 8:06 pm

Re: Newbie question -- setting up 2 router network with isolated guest subnet

Sun Mar 15, 2020 9:00 pm

And second router: Router 2 (HAP wireless AP & some more ethernet devices)
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n mode=ap-bridge
set [ find default-name=wlan2 ] band=5ghz-a/n/ac mode=ap-bridge
/interface bridge
add name=br1
/interface bridge filter
add action=drop chain=input disabled=yes dst-port=68 in-interface=ether1-xlink ip-protocol=udp mac-protocol=ip
/interface bridge port
add bridge=br1 interface=ether1
add bridge=br1 interface=ether2-xlink
add bridge=br1 interface=ether3
add bridge=br1 interface=ether4
add bridge=br1 interface=ether5
add bridge=br1 interface=wlan1
add bridge=br1 interface=wlan2
/ip address
add address=192.168.123.2/24 interface=ether2 network=192.168.123.0
/ip dhcp-client
add disabled=no interface=br1
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 7419
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Newbie question -- setting up 2 router network with isolated guest subnet

Wed Mar 18, 2020 6:45 pm

Overall a diagram would help communicate requirements.
I dont see anything that indicates a separate guest subnet at the moment.

FIrst router error
/ip address
add address=192.168.123.1/24 interface=ether2-xlink network=192.168.123.0

corrected
/ip address
add address=192.168.123.1/24 interface=br1 network=192.168.123.0

Second AP/switch {router}
(1) I would use a different bridge name such as br2 or WifiBridge to differentiate them.

(2) Where did this come from and why??
/interface bridge filter
add action=drop chain=input disabled=yes dst-port=68 in-interface=ether1-xlink ip-protocol=udp mac-protocol=ip

(3) Not sure why you are identifying this here.................. DHCP is from the first router.
/ip address
add address=192.168.123.2/24 interface=ether2 network=192.168.123.0
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
usovalx5
just joined
Topic Author
Posts: 22
Joined: Sun Mar 15, 2020 8:06 pm

Re: Newbie question -- setting up 2 router network with isolated guest subnet

Thu Mar 19, 2020 1:11 pm

Thanks for your reply.

Regarding #2, this "interface bridge filter" rule was generated by one of the QuickSet script. Not sure right now which one it was though.
It was blocking second router from getting the address via DHCP, that's why it had ip address set manually on the xlink interface.

While waiting for the post to be approved, I kept reading through Mikrotik wiki & experimenting with VLAN setup.
So far decided to sent one of the routers (HEX) back to amazon, and ordered RB260GSP and wireless AP instead, but they are still few days away.

In the meantime, I was experimenting with setting up VLAN paritions using "/interface ethernet switch" way.
Got it mostly working so far, but can't figure out few more things.

So my set up so far:
Just one router, HAP ac2.
ether1 is configured as WAN (internet), other ethernet ports are split into three different VLANs.
One of the ethernet ports and wifi are not wrapped into VLAN yet, just in case I lock myself out of it again.

Here's relevant bit from the config:
/interface vlan
add interface=br1 name=v10-home vlan-id=10
add interface=br1 name=v50-guest vlan-id=50
add interface=br1 name=v90-work vlan-id=90

/interface ethernet switch port
set ether2-work default-vlan-id=90 vlan-header=always-strip vlan-mode=secure
set ether1-home default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set ether5-guest default-vlan-id=50 vlan-header=always-strip vlan-mode=secure
set switch1-cpu  vlan-mode=secure

/interface ethernet switch vlan
add independent-learning=no ports=switch1-cpu,ether2-work switch=switch1 vlan-id=90
add independent-learning=no ports=switch1-cpu,ether5-hive switch=switch1 vlan-id=50
add independent-learning=no ports=switch1-cpu,ether3-desk switch=switch1 vlan-id=10

/ip address
add address=192.168.88.1/24 interface=br1 network=192.168.88.0
add address=10.10.90.1/24 interface=v90-work network=10.10.90.0
add address=10.10.50.1/24 interface=v50-guest network=10.10.50.0
add address=10.10.10.1/24 interface=v10-home network=10.10.10.0

# firewall is stock for now, added just one rule to isolate VLANs from each other
/ip firewall filter
add action=drop chain=forward comment="no routing from vlan, it should go OUT" in-interface=all-vlan out-interface=all-vlan
One things I can't figure out so far - "forward drop" rule seems to work, I can't ping machines in other VLANs. However I can still ping other VLAN interfaces on the router.
E.g. from machine in "-home" vlan, I can ping both "10.10.10.1" and "10.10.50.1".
Is there nice(ish) way to block it in the firewall without resorting to blocking explicit IPs, etc.

Who is online

Users browsing this forum: Baidu [Spider] and 57 guests