d412s
just joined
Topic Author
Posts: 17
Joined: Fri May 08, 2020 1:32 pm
Location: Ukraine

Guest DHCP server for new leases if usage of separate wifi AP

Mon Nov 14, 2022 12:11 am

Hi!
Short explanation: I have an RB5009 and for wifi I use a Unifi access point, which is connected by cable to the router on the ether3 port.
I already have 20 devices in the leases list of the DHCP server with static IP addresses, and I know that any new device will be a guest.

Is it possible to create a guest DHCP server and assign new devices to it?
I don't want to give guests access to my LAN (I have a NAS with my private information). For example, if my guests want to connect to my wifi, I give them the password for my SSID and can be sure that they can only reach the internet, without access to my LAN.

My thoughts on how to do that: I already have the default-dhcp pool (10.10.10.10-10.10.10.30), so all new devices will not get connected to my wifi, and in the log I will see the following message:
defconf: failed to give out IP address: pool <default-dhcp> is empty
But how can I make these new devices connect to a custom Guest DHCP server with a Guest-pool of 192.168.50.2-192.168.50.10, without them being able to access my LAN devices?

Maybe I can solve it via firewall rules? Maybe it is possible to create a rule with a regex so that any IP matching the mask 10.10.10.3* will be dropped? Or is that the wrong solution?
 
anav
Forum Guru
Posts: 19102
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest DHCP server for new leases if usage of separate wifi AP

Mon Nov 14, 2022 1:45 am

One bridge,
three vlans.

a. home wifi and home wired vlan10
b. guest wifi - vlan 20
c. management vlan - 99

Each vlan is identified to the bridge.
Each vlan gets an ip pool, a dhcp-server and a dhcp-server network.

Assign etherports in /interface bridge port as part of the bridge, identified as either a trunk, access or hybrid port.
Assign vlans accordingly in /interface bridge vlan.

Since Unifi APs by default seem to want the management vlan untagged and the rest of the vlans tagged, it will require a hybrid port.

RB5009
ether1 - wan
ether2 - UNK
ether3 - hybrid port to unifi (untagged vlan 99, tagged 10,20 - assuming you want the unifi to provide two wlans)
ether3 - UNK

If any ether ports are going to a managed switch, they will be trunk ports, carrying at least vlan99 and likely vlan10.
The rest of the etherports, if used for LAN, will be access ports untagged for vlan10.

All smart devices attached to the router (APs, managed switches) get their IP address from the management vlan.

Just hand out password for guest SSID to guests.........
Via firewall rules one allows guests to only go to the internet (forward chain).

+++++++++++++++
ex.
/interface bridge port
add bridge=bridge interface=ether2 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
# hybrid port to the AP: untagged (pvid) vlan 99, tagged 10 and 20 (frame-types stays at the default admit-all)
add bridge=bridge interface=ether3 pvid=99
add bridge=bridge interface=ether4 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether5 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=ether6 pvid=99 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged

/interface bridge vlan
add bridge=bridge tagged=bridge,ether3 untagged=ether2,ether4,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,ether3 vlan-ids=20
add bridge=bridge tagged=bridge untagged=ether3,ether6 vlan-ids=99
.....

The idea here is that ether2,4-6 are access ports, which can have one untagged vlan. Ether3 is a hybrid port allowing one untagged vlan and as many tagged vlans as necessary.
I added an access port on ether6 in case you wanted a separate port on the router to log in as admin directly on the management port.
It's not really required, as you can always allow yourself, on the trusted LAN, to access the management LAN.

Instead I recommend taking an unused port like ether7 and simply assigning an IP address to it, that's all, and ensure it is NOT identified as being part of the bridge.
Like 192.68.5.1/24 and nothing else. You will be able to access the router in an emergency, or simply configure the router at all times, by plugging your laptop into this port and setting your ipv4 nic card to an IP of 192.168.5.5 for example.
viewtopic.php?t=181718

As for firewall rules something like

/ip firewall filter
# input chain
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# adminPC is a placeholder for the admin machine's IP; alternatively use src-address-list= with a list of all admin devices (desktop, laptop, ipad, smartphone, off-bridge IP)
add action=accept chain=input comment="admin access" in-interface-list=Manage src-address=adminPC
add action=accept chain=input comment="allow DNS (tcp)" dst-port=53 protocol=tcp in-interface-list=LAN
add action=accept chain=input comment="allow DNS (udp)" dst-port=53 protocol=udp in-interface-list=LAN
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
............

Where
/interface list
add name=WAN
add name=LAN
add name=Manage
/interface list member
add interface=ether1 list=WAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan99 list=LAN
add interface=vlan10 list=Manage
add interface=vlan99 list=Manage
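The answer above describes the per-vlan pieces (ip pool, dhcp-server, dhcp-server network, the vlan interfaces themselves) and the guest isolation in prose but does not show them. The following is an added example, not posted by anav or d412s, that completes the picture for the three vlans. The subnets (10.10.10.0/24 for home, 192.168.50.0/24 for guests, 192.168.99.0/24 for management, each with .1 as the router), the pool ranges (the home and guest ranges are the ones d412s mentioned), the interface names vlan10/vlan20/vlan99 and the bridge name "bridge" are assumptions chosen to match the thread. The explicit guest drop is placed before the "allow internet traffic" rule from the filter set above, and it expresses the "drop anything that is not mine" intent from the question with an address list instead of a regex on the IP.

```routeros
# Added example, not from the thread. Names, subnets and pool ranges are assumptions.

# VLAN interfaces on the single bridge
/interface vlan
add interface=bridge name=vlan10 vlan-id=10 comment="home"
add interface=bridge name=vlan20 vlan-id=20 comment="guest"
add interface=bridge name=vlan99 vlan-id=99 comment="management"

# Router address on each VLAN, plus the off-bridge emergency port
/ip address
add address=10.10.10.1/24 interface=vlan10
add address=192.168.50.1/24 interface=vlan20
add address=192.168.99.1/24 interface=vlan99
add address=192.168.5.1/24 interface=ether7 comment="off-bridge admin port"

# One pool per VLAN; the guest pool is the range from the question
/ip pool
add name=home-pool ranges=10.10.10.10-10.10.10.30
add name=guest-pool ranges=192.168.50.2-192.168.50.10
add name=mgmt-pool ranges=192.168.99.10-192.168.99.50

# One DHCP server per VLAN interface (short guest leases keep the small pool usable)
/ip dhcp-server
add name=dhcp-home interface=vlan10 address-pool=home-pool lease-time=1d
add name=dhcp-guest interface=vlan20 address-pool=guest-pool lease-time=1h
add name=dhcp-mgmt interface=vlan99 address-pool=mgmt-pool lease-time=1d

# Gateway and DNS handed out with each lease (the router resolves for all VLANs)
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1
add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=192.168.50.1
add address=192.168.99.0/24 gateway=192.168.99.1 dns-server=192.168.99.1

# Address lists make the isolation explicit and easy to audit later
/ip firewall address-list
add list=guest address=192.168.50.0/24
add list=trusted address=10.10.10.0/24
add list=trusted address=192.168.99.0/24

# Forward chain: guests reach only the internet. This rule is inserted before
# the "allow internet traffic" accept so a guest-to-LAN packet is dropped
# explicitly rather than relying solely on the final catch-all drop.
/ip firewall filter
add chain=forward action=drop src-address-list=guest dst-address-list=trusted \
    comment="guest: no access to home or management subnets" \
    place-before=[find comment="allow internet traffic"]
```

With this in place, a new device joining the guest SSID is tagged vlan 20 by the AP, lands on dhcp-guest, receives an address from guest-pool, and every packet it sends toward 10.10.10.0/24 or 192.168.99.0/24 is dropped in the forward chain; DNS still works because the input chain above accepts port 53 from the LAN list, which includes vlan20. A quick check after applying is `/ip firewall filter print stats` while a guest device tries to reach the NAS: the drop rule's counter should increase and nothing should reach the trusted subnets.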
