Hi!

I have 3 mikrotik Router connected in a chain:

INET <-> MT1 <-> MT2 <-> MT3 .... WLAN-Client

MT1 is the main router
MT2 is more or less a bridge with all his ports
MT3 is a WLAN-AP for my wireless devices.

I now want to use VLANs for building a private WLAN and a separated guest WLAN, which have only access to the INET, not to the rest of my LAN. Some kind of DMZ.
I have no idea to realise this!

Any idea?

I just finished this at home after I got everything worked out with my private WLAN

I didn't feel like messing with VLANs when I did mine.

1. setup a new wireless security profile
2. create a VirtualAP and name it what you want, apply the new security profile.
3. setup firewall rule in chain forward to block where the dst address is your LAN and the in-interface is your new VirtualAP
(repeat as needed to keep traffic out).
4. add a new address/network in IP/addresses.
5. create a pool to use for DHCP in that network
6. create a DHCP server on your VirtualAP interface and use your guest DHCP pool
7. while in the DHCP server area, add a network with your address, gateway, and dns servers
8. make sure in IP/services that you only allow access to your router from what address/networks you need to.

This got my guest network up in pretty short order. But there are probably better/harder ways to do it. But I can't get to anything I don't want people to have from the guest wireless. I went a bit further and added a couple mangle rules and branches on my queue tree to give the guests a very limited fraction of my total bandwidth.

Next I'm looking into doing a script to turn off my guest WLAN when my primary and secondary internet links go down before I bring up the USB LTE modem.

I'm also using just one RB951G-2HnD at home, so I don't know how this will change when dealing with a chain of RB's

Hotspot for public wifi vlan and seperate vlan for private wifi, which is connected to existing lan bridge at MT1


Example: Vlan 8 public wifi.

MT1:
Create bridge. Add no ports to it yet. Maybe called br-publicwifi. Assign IP.
On interface connected to MT2 - add Vlan 8 and add to br-publicwifi
Create open VirtualAP called e.g. Publicwifi and add to br-publicwifi
Run hotspot setup, but use br-publicwifi as the interface in the wizard.

MT3:
Create bridge br-publicwifi. Do NOT assign IP.
On interface connected to MT2 - add vlan 8 and add to br-publicwifi.
Create virtualap publicwifi and add to br-publicwifi.

No need to configure MT2 as it is bridge.

Example Private VLAN 5;

MT1:
On interface connected to MT2 - add Vlan 5 and add to bridge of LAN.
Create wireless security profile with psk.
Create VirtualAP called e.g. Privatewifi, assign above secuirty profile and add to bridge of LAN


MT3:
Create bridge br-privatewifi. Do NOT assign IP.
On interface connected to MT2 - add vlan 5 and add to br-privatewifi.
Create same wireless security profile as on MT1.
Create virtualap privatewifi, assign above security profile and add to br-privatewifi.

No need to setup MT2 as all ports bridged.

Please let me know if it works for you!

Tony

Sent from my BlackBerry 9900 using Tapatalk

Thanks for both solutions!

I will try to configure my Mikrotiks....

Hi!

I preferred to use VLAN from the wireless entry-point through the whole network till the endpoint router to the internet.

In the main router I set up new firewall rules explicit for the new created VLAN interfaces to control the whole guest-wireless-traffic.

Thanks a lot for the ideas!

Glad you got it sorted. It might of helped if I read your original post more carefully about the only having a single wireless AP!

Sent from my BlackBerry 9900 using Tapatalk