Community discussions

MikroTik App
 
msachse
just joined
Topic Author
Posts: 8
Joined: Mon Jun 26, 2023 3:46 pm

Use hAP ax3 as AP with guest isolation

Mon Jun 26, 2023 3:50 pm

I am challenged to create a setup where I use two hAP ax3 to cover the building with wireless lan for both internal devices (intranet) as well as the occasional guest (guest) who is isolated from the intranet and other devices but has access to the internet.

In my setup, I am using a ISP provided FritzBox as router to get internet from the ISP, it also runs the DHCP Server and is where my firewall is configured.

I have two hAP ax3 simply setup as access points with a bridge and it’s static ip for management purposes (no default config). This works fine for internal devices, but I am struggling to add guest wireless to the network.

How do I add virtual AP’s for both 2.5 and 5 gHZ frequencies on each hAP that are isolated from the network but have access to the internet? My router’s DHCP server provides IPs in the 192.168.100.x subnet.
You do not have the required permissions to view the files attached to this post.
 
holvoetn
Forum Guru
Forum Guru
Posts: 6139
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Use hAP ax3 as AP with guest isolation

Mon Jun 26, 2023 6:43 pm

Broad lines:
VLAN is the most suggested approach.

If Fritzbox can not handle those, foresee a separate DHCP server and pool on each of the AX devices for the guest interfaces (which will be slave to main interfaces) and use firewall rules to allow only traffic to Fritzbox gateway, nothing to local LAN.
 
go4030
Frequent Visitor
Frequent Visitor
Posts: 58
Joined: Wed Oct 28, 2020 3:56 am

Re: Use hAP ax3 as AP with guest isolation

Tue Jun 27, 2023 2:37 am

Check out this post, specifically the section about "Access Point". viewtopic.php?p=1008185#p1008185

It shows you how to setup a wireless access point with different VLANS for different WiFi SSID. Download the script "AccessPoint.rsc" and you can study that. Then open up Winbox on your ax3 and try to mimic the same things. The things from the script may not line up exactly with the settings in the ax3, particularly the wifi radio related things but they will be close. This is how I setup my hAP ac.
 
msachse
just joined
Topic Author
Posts: 8
Joined: Mon Jun 26, 2023 3:46 pm

Re: Use hAP ax3 as AP with guest isolation

Mon Jul 31, 2023 3:00 am

Here is where I am struggling. I've read through the VLAN tutorial (thanks for the reference) but the fritzbox doesn't handle them at all. So instead, I went the route with setting up a seperate DHCP server and pool on the AX devices for the guest interfaces. When I connect to them now, my client device gets a proper address assignment from the pool and the gateway as well as DNS point to the AX device as well (pool I've assigned to the bridge).

Now my problem is how to get my devices to go over the trunk port to reach the internet. In my mind, I am thinking we are missing a static route. Looking at the table, the DHCP setup created a route for all IPs in the pool with the bridge as gateway. What am I missing here?
You do not have the required permissions to view the files attached to this post.
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20946
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Use hAP ax3 as AP with guest isolation  [SOLVED]

Mon Jul 31, 2023 8:31 pm

 
msachse
just joined
Topic Author
Posts: 8
Joined: Mon Jun 26, 2023 3:46 pm

Re: Use hAP ax3 as AP with guest isolation

Mon Jul 31, 2023 11:59 pm

Now I am one step further into this whole dilemma. I've added a NAT rule to the AX devices (srcnat from https://help.mikrotik.com/docs/display/ROS/NAT to translate the source network address) which allows me to access my management LAN (I call this Intranet). I am unable to access the internet though, thought the issue is my DNS configuration in the DHCP server but even using the actual IP I am unable to access the internet. Feels like I am getting stuck at the fritzbox now, not sure why.

Any thoughts?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 20946
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Use hAP ax3 as AP with guest isolation

Tue Aug 01, 2023 12:04 am

I posted the link, this is dirt simple............

The only vlan you need to add to the device is the management VLAN.
The rest merely show up on the interface bridge ports and interface brdige vlans.

Posst your config to see what you are doing incorrectly.
 
msachse
just joined
Topic Author
Posts: 8
Joined: Mon Jun 26, 2023 3:46 pm

Re: Use hAP ax3 as AP with guest isolation

Tue Aug 01, 2023 12:11 am

Thanks for the link. This solved my problem. I needed to correct the DNS assignment I had made on the subnet to match my intranet and voila. Got internet on the guest devices and will now add a firewall rule to prevent them from accessing my intranet.

Thanks for all your help!

Who is online

Users browsing this forum: GerhardB, martinos89 and 31 guests