i want to configure a guest network. Currently i have a production network with a dns and a dhcp server. i bought 3 cAP ax and using them just fine as an AP. now i wanted to configure a guest network for people to have only an internet connection. I want both networks to be seperated from each other. i read a few possibilities how to do it but i don't know whats the safest/easyest to do. First is a network seperated with VLANs. I really don't like VLANs and i'm not using them in my production network so i think it's not the best way to do it. The other ways was with different bridges and through wireguard to the firewall. I'm new to configurating networks so i'd be happy for suggestions or even guides on how to do it the best way possible. Thanks.
Here is my config of the AP1 (i changed the passwords and names):
Code: Select all
# 2024-03-20 14:10:05 by RouterOS 7.14.1
# software id = V4QI-Z9T8
#
# model = cAPGi-5HaxD2HaxD
/interface bridge
add admin-mac=78:9A:18:F5:69:B3 auto-mac=no comment=defconf name=lan_bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi configuration
add country=Germany disabled=no mode=ap name=cfg1 \
security.authentication-types=wpa2-psk,wpa3-psk .encryption="" ssid=\
Wifiname1
/interface wifi
add configuration=cfg1 configuration.mode=ap disabled=no name=cap-wifi1 \
radio-mac=MACADDRESS
add configuration=cfg1 configuration.mode=ap disabled=no name=cap-wifi2 \
radio-mac=MACADDRESS
add configuration=cfg1 configuration.mode=ap disabled=no name=cap-wifi3 \
radio-mac=MACADDRESS
add configuration=cfg1 configuration.mode=ap disabled=no name=cap-wifi4 \
radio-mac=MACADDRESS
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
configuration=cfg1 configuration.mode=ap disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
configuration=cfg1 configuration.mode=ap disabled=no \
security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface bridge port
add bridge=lan_bridge comment=defconf interface=ether2
add bridge=lan_bridge comment=defconf interface=wifi1
add bridge=lan_bridge comment=defconf interface=wifi2
add bridge=lan_bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
all wan-interface-list=all
/interface list member
add comment=defconf interface=lan_bridge list=LAN
add interface=ether1 list=LAN
/interface wifi cap
set discovery-interfaces=all
/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=\
none
/ip dhcp-client
add comment=defconf interface=lan_bridge
/ip dns
set allow-remote-requests=yes
/ip dns static
add address= comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=E22AP1
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
