Guest wireless without VLANs
Posted: Fri Oct 01, 2021 12:52 pm
Hi, I'm fairly new to MikroTik and there are some concepts I still don't quite understand. I have a simple setup with one router (CCR1036) acting as a CAPsMAN and 2 APs (cAP lite). I have them connected and the internal wifi network set up, and I would like to add a guest network. I configured a separate bridge for the guest network with a separate DHCP, pool, addresses etc. Also, in CAPsMAN I defined a separate datapath (with a guest bridge) and a separate provisioning. That didn't work (the SSID for guest was not showing), which made sense to me because I added only bridge-local to the interfaces pointing to the APs (eth8 and eth9). I can't add those ports again in bridge-guest because it would mean they are all in the same broadcast domain, right?
After that I found some posts here on the forum stating I can just make a guest wifi configuration and set it as a slave configuration to my internal wifi configuration. This is what I have now:
Will this work? I'm not at the location right now and have nobody to test. I have seen solutions with creating VLANs and then just adding them both to those eth interfaces, which I assume would work. But I'm more interested in how this part works and whether there are any big differences between the approaches. From a security standpoint, for this setup I simply have a firewall rule blocking access from IP addresses in the guest network to everything except WAN.
Code:
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2442 name=channel7
add band=2ghz-onlyn control-channel-width=20mhz frequency=2452 name=channel9
/caps-man datapath
add bridge=bridge-local client-to-client-forwarding=yes local-forwarding=no name=datapath-local
add bridge=bridge-guest client-to-client-forwarding=yes local-forwarding=no name=datapath-guest
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=company passphrase=123
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=guest_security passphrase=123
/caps-man configuration
add channel=channel9 country=xy datapath=datapath-local datapath.bridge=bridge-local installation=indoor mode=ap name=office-local security=company ssid="company Internal"
add channel=channel7 country=xy datapath=datapath-guest datapath.bridge=bridge-guest installation=indoor mode=ap name=office-guest security=guest_security ssid="company Guest"
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/pub require-peer-certificate=yes upgrade-policy=suggest-same-version
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=office-local slave-configurations=office-guest
/interface bridge
add name=bridge-guest protocol-mode=none
add fast-forward=no name=bridge-iptv protocol-mode=none
add admin-mac=B8:69:F4:03:86:63 auto-mac=no fast-forward=no name=bridge-local protocol-mode=none
/interface bridge port
add bridge=bridge-local interface=ether3-lan
add bridge=bridge-iptv interface=ether4-iptv
add bridge=bridge-iptv interface=ether5-iptv
add bridge=bridge-iptv interface=vlan-iptv
add bridge=bridge-iptv interface=ether6-iptv
add bridge=bridge-local interface=ether10-voip
add bridge=bridge-local interface=ether8-ap1
add bridge=bridge-local interface=ether9-ap2
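Added example, not part of the original post: one way to express the guest isolation the post describes, matching on the ingress bridge instead of guest source addresses so that a client with a manually set address is still caught. It assumes an interface list named WAN that contains the uplink, that the router itself serves DHCP and DNS to guests, and that these rules sit above any broader accept rules in each chain; only bridge-guest and datapath-guest come from the posted configuration.

```routeros
# Added example (RouterOS v6 syntax). "WAN" is an assumed interface list;
# bridge-guest and datapath-guest are the names used in the post.

/ip firewall filter
# Return traffic for connections the guests opened towards the Internet.
add chain=forward action=accept connection-state=established,related \
    comment="guest example: allow return traffic"
# Guests may go out through the uplink only.
add chain=forward action=accept in-interface=bridge-guest \
    out-interface-list=WAN comment="guest example: guest to WAN"
# Everything else arriving from the guest bridge is dropped, whatever
# source address the client claims to have.
add chain=forward action=drop in-interface=bridge-guest \
    comment="guest example: guest to anything else"

# The forward chain does not cover traffic addressed to the router itself
# (WinBox, SSH, WebFig, CAPsMAN), so the input chain needs its own rules.
add chain=input action=accept in-interface=bridge-guest protocol=udp \
    dst-port=67 comment="guest example: DHCP"
add chain=input action=accept in-interface=bridge-guest protocol=udp \
    dst-port=53 comment="guest example: DNS over UDP"
add chain=input action=accept in-interface=bridge-guest protocol=tcp \
    dst-port=53 comment="guest example: DNS over TCP"
add chain=input action=drop in-interface=bridge-guest \
    comment="guest example: no other guest access to the router"

# Stop stations on the same guest CAP interface from reaching each other
# directly. The posted datapath-guest has this set to yes.
/caps-man datapath
set [find name=datapath-guest] client-to-client-forwarding=no
```

With local-forwarding=no the CAPs tunnel guest frames to the manager, which places them on the datapath bridge, so bridge-guest is the interface these rules see even though no Ethernet port is a member of it.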