Here is my network:
The ac2 switch (192.168.1.5) has the following config:
# oct/03/2020 13:58:07 by RouterOS 6.47.4
# software id = DKTC-L90I
#
# Access point in plain bridge mode: every ethernet port and both radios are
# ports of bridge1, and bridge1 gets its own address from a DHCP client.
# This export contains no /ip firewall, /interface vlan or second bridge, so
# nothing on this device separates one SSID's traffic from another's.
/interface bridge
add fast-forward=no name=bridge1
# Both radios run as ap-bridge with the same SSID; no security-profile is
# named on them in this export.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=auto \
mode=ap-bridge ssid=123456789 station-roaming=enabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX frequency=auto installation=indoor mode=ap-bridge ssid=\
123456789 station-roaming=enabled
# Default profile is WPA2-PSK only. No pre-shared key appears in this export.
# NOTE(review): presumably hidden or stripped before posting; confirm a strong
# key is actually set on the device.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# The "full" group policy includes telnet and ftp alongside ssh/winbox/api.
# NOTE(review): which management services are enabled (/ip service) is not
# part of this export; confirm the cleartext ones are disabled.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# All ports join bridge1 with no VLAN settings on any port in this export.
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
# Neighbor discovery is allowed on every interface except dynamic ones, i.e.
# it is not limited to a LAN list as on the router.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# Management address comes from DHCP on bridge1.
/ip dhcp-client
add disabled=no interface=bridge1
/system clock
set time-zone-name=HIDDENMANUALLY
/system identity
set name=MikroTik-ap
I used "wisp ap" preset for router (192.168.1.4) and added guest wifi following this guide:
https://www.marthur.com/networking/mikr ... wifi/2582/
Here is its config export:
# oct/03/2020 13:38:07 by RouterOS 6.47.4
# software id = 8HNZ-7IBV
#
# Router export: PPPoE uplink on ether1, main LAN on "bridge" (192.168.1.0/24)
# and a guest network on "bridge-vlan100" (192.168.100.0/24) served by a
# virtual AP on wlan1. Firewall is the defconf rule set plus two rules that
# drop routed traffic between the guest bridge and the main bridge.
/interface bridge
add admin-mac=48:8F:5A:89:06:FD auto-mac=no comment=defconf name=bridge
add fast-forward=no name=bridge-vlan100
# The PPPoE password does not appear in this export; the user and service
# name were replaced by the poster.
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
service-name=HIDDENMANUALLY use-peer-dns=yes user=HIDDENMANUALLY
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
disabled=no distance=indoors frequency=auto installation=indoor mode=\
ap-bridge ssid=123456789 station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
mode=ap-bridge ssid=123456789 station-roaming=enabled wireless-protocol=\
802.11
# LAN and WAN lists are referenced by the firewall, neighbor discovery and
# the MAC server settings below.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Two WPA2-PSK profiles: the default one and "guest". Neither shows a
# pre-shared key in this export.
# NOTE(review): presumably hidden or stripped before posting; confirm the
# guest key differs from the main one.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
supplicant-identity=""
# Guest virtual AP on top of wlan1 (2.4 GHz only), using the guest profile,
# tagging with VLAN 100 and with WPS disabled.
# NOTE(review): default-forwarding is not shown here; whether guest clients
# are isolated from each other depends on it. Confirm on the device.
/interface wireless
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:89:07:01 \
master-interface=wlan1 multicast-buffering=disabled name=987654321 \
security-profile=guest ssid=987654321 vlan-id=100 vlan-mode=use-tag \
wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# VLAN 100 interface stacked on the guest virtual AP.
/interface vlan
add interface=987654321 name=VLAN_987654321 vlan-id=100
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# Separate address pools for the main LAN and the guest network.
/ip pool
add name=dhcp ranges=192.168.1.150-192.168.1.254
add name=dhcp_pool1 ranges=192.168.100.150-192.168.100.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=bridge-vlan100 name=dhcp1
# The "full" group policy includes telnet and ftp alongside ssh/winbox/api.
# NOTE(review): which management services are enabled (/ip service) is not
# part of this export; confirm the cleartext ones are disabled.
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
# Main bridge: ether2-5 and both radios. Guest bridge: only the guest virtual
# AP and the VLAN interface on top of it. No ethernet port is a member of
# bridge-vlan100, so the guest network is not carried on any wired port.
# NOTE(review): adding both the virtual AP and its VLAN interface to the same
# bridge, together with vlan-mode=use-tag, looks redundant. Confirm which of
# the two actually carries guest frames.
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge-vlan100 interface=987654321
add bridge=bridge-vlan100 interface=VLAN_987654321
/ip neighbor discovery-settings
set discover-interface-list=LAN
# LAN contains only "bridge"; bridge-vlan100 is in neither list, so rules
# matching !LAN also apply to the guest network.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
# NOTE(review): 192.168.1.4/24 is assigned to ether2, which is a port of
# "bridge", while the defconf DHCP server is bound to "bridge" itself.
# Confirm the address is meant to sit on the port rather than on the bridge.
/ip address
add address=192.168.1.4/24 comment=defconf interface=ether2 network=\
192.168.1.0
add address=192.168.100.1/24 interface=bridge-vlan100 network=192.168.100.0
/ip dhcp-client
add comment=defconf interface=ether1
# Static lease that pins the AP to 192.168.1.5.
/ip dhcp-server lease
add address=192.168.1.5 client-id=1:48:8f:5a:89:8:9 mac-address=\
48:8F:5A:89:08:09 server=defconf
# Guest clients are handed public resolvers (8.8.8.8, 8.8.4.4) and the guest
# gateway; the main LAN entry sets no dns-server here.
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.4 netmask=24
add address=192.168.100.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.100.1
# allow-remote-requests=yes lets other hosts query the router's resolver.
# The only thing in this export that keeps WAN and guest hosts from reaching
# it is the input-chain rule dropping traffic not coming from LAN.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.4 comment=defconf name=router.lan
# Input chain (traffic to the router itself), evaluated in the order listed.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# bridge-vlan100 is not a member of LAN, so this rule also drops new
# connections from guest clients to the router, apart from the ICMP accepted
# above.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Forward chain (traffic routed through the router).
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Guest isolation: drop routed traffic between the guest bridge and the main
# bridge, in both directions.
# NOTE(review): these rules match the bridge interfaces only. Traffic between
# two guest clients stays inside bridge-vlan100 and presumably never reaches
# the forward chain. Confirm that client-to-client isolation is enforced on
# the wireless interface instead.
add action=drop chain=forward in-interface=bridge-vlan100 out-interface=\
bridge
add action=drop chain=forward in-interface=bridge out-interface=\
bridge-vlan100
# Source NAT for everything leaving through a WAN-list interface.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=HIDDENMANUALLY
# MAC-telnet and MAC-Winbox are limited to the LAN list, which excludes WAN
# and the guest bridge.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
What I want:
1. All PCs and laptops connected via ethernet, and all wireless clients in wireless network 123456789, should see each other and have access to the internet (this already works).
2. All clients in wireless network 987654321 should see only the internet, not the rest of the network or each other. (This also works, but only on the router; I need wireless 987654321 on 192.168.1.5 too.)
I created "guest" wireless network 987654321, but I do not know how to add same network to AP and connect it to router's DHCP.
Thanks for help