Community discussions

MUM Europe 2020
 
Kapetan
just joined
Topic Author
Posts: 13
Joined: Wed Dec 31, 2014 3:02 pm

VLAN setup for WiFi AP guest SSID separation - step-by-step

Sun Jan 11, 2015 2:17 pm

I have an RB201 1iL-RM switch/router. Port 1 is the WAN interface (PPPoE ADSL). Several wired devices (PC, printer, camera) are connected to various ports. To port 10 I connected a Unifi AP. It works perfectly without using any VLAN. I would like to do the following: on the Unifi AP I want to have two SSIDs. SSID1 is our home network, it should be able to see all other IP addresses on the LAN. This SSID is untagged (no VLAN). (This part already works) . For guests I would like to have a separate SSID: guest. The guest SSID will have VLAN tag 2. How to set-up the router, that this SSID (VLAN 2) have only access tot the public internet and will not seen (and will not be seen) from the LAN? Obviously, DHCP shall work on that SSID as well.

Please give me step-by-step instructions because I have no VLAN experience and a newbie to RouterOS.
 
User avatar
docmarius
Forum Guru
Forum Guru
Posts: 1220
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: VLAN setup for WiFi AP guest SSID separation - step-by-s

Sun Jan 11, 2015 6:15 pm

I use a similar setup except there's a switch in between.
So Winbox is your friend here...
- In interfaces select eth10 and add a VLAN interface on ether10, with the proper vlan id, let's say called vlan-guest
(From here on, that interface is treated like any other network interface)
- Give it an IP address outside any other subnets, e.g 172.16.0.1/24
- Create a IP pool that will be used for guest access, lets say pool_guests, holding e.g. 172.16.0.100-172.16.0.200
- Create a new DHCP server on interface vlan-guest using pool_guests
- Add a new DHCP network with address 172.16.0.0/24, gateway 172.16.0.1 and DNS 172.16.0.1

At this point, you may test the setup. The client connected to the Guest SSID should get an DHCP address from that pool, with the proper gateway and dns server.

Next you need to enable forwarding and masquerading for this subnet, while maintaining isolation.

1. Forward: Accept established+related from pppoe to vlan-guest
2. Forward: Accept everything from vlan-guest to pppoe
3. Forward: Drop everything else from and to vlan-guest
4. Input: Accept ICMP from vlan-guest (for debug purposes)
5. Input: Accept UDP port 53 (DNS) from vlan-guest
6. Input: Drop everything else from vlan-guest

Masquerading on WAN needs no change if it is already set up.

This should do it.
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
 
Rudios
Forum Veteran
Forum Veteran
Posts: 966
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: VLAN setup for WiFi AP guest SSID separation - step-by-s

Tue Jan 13, 2015 3:37 pm

I use a similar setup except there's a switch in between.
[...]

Masquerading on WAN needs no change if it is already set up.

This should do it.
If masquerading rule also has src-address specified, it needs to be changed/duplicated
Testing setup with: 2 x RB750UP | 2 x RB750GL | 1 x RB951G-2HnD | 1 x RB2011UiAS-IN
 
User avatar
docmarius
Forum Guru
Forum Guru
Posts: 1220
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: VLAN setup for WiFi AP guest SSID separation - step-by-s

Tue Jan 13, 2015 4:38 pm

Good point... Tnx.
So replace that with the statement from Rudios.
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
 
Kapetan
just joined
Topic Author
Posts: 13
Joined: Wed Dec 31, 2014 3:02 pm

Re: VLAN setup for WiFi AP guest SSID separation - step-by-s

Sun Jan 18, 2015 1:34 pm

I am trying to set-it up. So far it is not working. I have the feeling, that the clients are not getting IP addresses.

Here is what I did...
-Created a new interface (vlan-guest) on ether10-slave-local, with vlan id 2.
-Gave IP address to this interface: 192.168.2.1/24 (the IP address of the rest of the LAN 192.168.1.1/24).
- Created a DHCP server with pool 192.168.2.100-200
I did the rest of the configuration, but I would like to proceed step-by-step...
You do not have the required permissions to view the files attached to this post.
 
User avatar
docmarius
Forum Guru
Forum Guru
Posts: 1220
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: VLAN setup for WiFi AP guest SSID separation - step-by-s

Sun Jan 18, 2015 10:54 pm

Try to set up a device with a static IP for the wifi connection, let's say 192.168.2.2 and gateway and dns 192.168.2.1.
It should be possible to connect to 'guest' and ping the router.
Do you see any traffic on the vlan interface?
Do any DHCP leases show up under IP->DHCP Server->Leases?

You could also try to put your vlan interface into a "guest" bridge and set the IP and dhcp server to that bridge (this is actually my setup, since I have also a LAN connection for guest access).
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
 
sejtam
Frequent Visitor
Frequent Visitor
Posts: 66
Joined: Sun Dec 14, 2014 4:23 pm

Re: VLAN setup for WiFi AP guest SSID separation - step-by-s

Sat Feb 07, 2015 6:32 am

I use a similar setup except there's a switch in between.

5. Input: Accept UDP port 53 (DNS) from vlan-guest
Don't you also have to allow DHCP (UDP port 67) from vlan-guest
to allow it to reachteh DHCP server?
 
User avatar
docmarius
Forum Guru
Forum Guru
Posts: 1220
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: VLAN setup for WiFi AP guest SSID separation - step-by-step

Sat Feb 07, 2015 11:24 am

That could be possible, but I think that activating a DHCP server on an interface will open that port automatically (I am guessing here...).
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
 
sejtam
Frequent Visitor
Frequent Visitor
Posts: 66
Joined: Sun Dec 14, 2014 4:23 pm

Sat Feb 07, 2015 12:42 pm

I'll have to try but it fits the OP's symptom of the clients not getting addresses
 
freemannnn
Long time Member
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

Re: VLAN setup for WiFi AP guest SSID separation - step-by-step

Fri Jan 29, 2016 3:31 pm

remove master port from ether10 interface.

check this article it is very good written and helpful.

http://www.manitonetworks.com/mikrotik- ... d-routing/
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: VLAN setup for WiFi AP guest SSID separation - step-by-step

Fri Jan 29, 2016 6:24 pm

remove master port from ether10 interface.

check this article it is very good written and helpful.

http://www.manitonetworks.com/mikrotik- ... d-routing/
This suggestion would break the main VLAN and break access to the UniFi AP.

The correct solution is to move the VLAN interface off of ether10 and onto the bridge-local interface.
This also has the advantage of allowing more UniFi APs to be connected without any further modification to the Mikrotik's configuration.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
freemannnn
Long time Member
Long time Member
Posts: 669
Joined: Sun Oct 13, 2013 7:29 pm

Re: VLAN setup for WiFi AP guest SSID separation - step-by-step

Fri Jan 29, 2016 7:19 pm

zerobyte is right. i am playing these days with vlan in my rb2011.
taken from the article i post above these are the lines you need...
my unifi ap is connected to ether10 and is working as expected.
2 SSID
ssid "private" no vlan. my devices when connect takes ip from my private pool 192.168.88.0/24
ssid "guest" vlan id 175 my devices when connect takes ip from pool 192.168.175.0/24
/interface vlan
add comment=Guests interface=bridge-local name="VLAN 175 - Guests" vlan-id=175

/ip address
add address=192.168.175.1/24 comment="Guests Gateway" interface="VLAN 175 - Guests" network=192.168.175.0

/ip pool
add name=Guests ranges=192.168.175.2-192.168.175.254

/ip dhcp-server network
add address=192.168.175.0/24 comment="Guest Network" dns-server=8.8.8.8,8.8.4.4 gateway=192.168.175.1

/ip dhcp-server
add address-pool=Guests disabled=no interface="VLAN 175 - Guests" name=Guests

Who is online

Users browsing this forum: MSN [Bot] and 27 guests