Guest wireless without VLANs
Posted: Fri Oct 01, 2021 12:52 pm
Hi, I'm fairly new to MikroTik and there are some concepts I still don't quite understand. I have a simple setup with one router (CCR1036) acting as a CAPsMAN and 2 APs (cAP lite). I have them connected and the internal wifi network set up, and I would like to add a guest network. I configured a separate bridge for the guest network with a separate DHCP, pool, addresses etc. Also in CAPsMAN I defined a separate datapath (with a guest bridge) and a separate provisioning. That didn't work (SSID for guest not showing), which made sense to me because I added only bridge-local to the interfaces pointing to the APs (eth8 and eth9). I can't add those ports again in the bridge-guest because it would mean they are all in the same broadcast domain, right? After that I found some posts here on the forum stating I can just make a guest wifi configuration and set it as a slave configuration to my internal wifi configuration. This is what I have now:
Will this work? I'm not at the location right now and have nobody to test. I have seen solutions with creating VLANs and then just adding them both to those eth interfaces, which I assume would work. But I'm more interested in how this part works and whether there are any big differences between the approaches. From a security standpoint, for this setup I simply have a firewall rule blocking access from IP addresses in the guest network to everything except WAN.
Code:
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2442 name=channel7
add band=2ghz-onlyn control-channel-width=20mhz frequency=2452 name=channel9
/caps-man datapath
add bridge=bridge-local client-to-client-forwarding=yes local-forwarding=no name=datapath-local
add bridge=bridge-guest client-to-client-forwarding=yes local-forwarding=no name=datapath-guest
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=company passphrase=123
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=guest_security passphrase=123
/caps-man configuration
add channel=channel9 country=xy datapath=datapath-local datapath.bridge=bridge-local installation=indoor mode=ap name=office-local security=company ssid="company Internal"
add channel=channel7 country=xy datapath=datapath-guest datapath.bridge=bridge-guest installation=indoor mode=ap name=office-guest security=guest_security ssid="company Guest"
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/pub require-peer-certificate=yes upgrade-policy=suggest-same-version
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=office-local slave-configurations=office-guest
/interface bridge
add name=bridge-guest protocol-mode=none
add fast-forward=no name=bridge-iptv protocol-mode=none
add admin-mac=B8:69:F4:03:86:63 auto-mac=no fast-forward=no name=bridge-local protocol-mode=none
/interface bridge port
add bridge=bridge-local interface=ether3-lan
add bridge=bridge-iptv interface=ether4-iptv
add bridge=bridge-iptv interface=ether5-iptv
add bridge=bridge-iptv interface=vlan-iptv
add bridge=bridge-iptv interface=ether6-iptv
add bridge=bridge-local interface=ether10-voip
add bridge=bridge-local interface=ether8-ap1
add bridge=bridge-local interface=ether9-ap2
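Added example, not part of the original post: one way to tighten guest isolation for the configuration above. With local-forwarding=no the CAPs tunnel wireless traffic to the CAPsMAN router, which places each guest CAP interface in bridge-guest, so filtering can match that bridge instead of source addresses. The interface list WAN and the router acting as DHCP and DNS server for guests are assumptions; bridge-guest and datapath-guest are the names from the post.

```routeros
# Added example, not the poster's configuration.
# Assumed: interface list "WAN" holds the uplink port; the router serves
# DHCP and DNS to guests. bridge-guest / datapath-guest come from the post.

# As posted, clients on the same guest CAP interface can reach each other:
#   add bridge=bridge-guest client-to-client-forwarding=yes local-forwarding=no name=datapath-guest
# Keep manager forwarding, but stop forwarding between clients
# associated to the same CAP interface:
/caps-man datapath
set [find name=datapath-guest] client-to-client-forwarding=no

/ip firewall filter
# forward chain: traffic passing THROUGH the router.
# Match on the ingress bridge rather than src-address, so a guest that
# sets a static address outside the guest pool is still caught.
add chain=forward action=accept connection-state=established,related \
    comment="replies to existing connections"
add chain=forward action=drop in-interface=bridge-guest \
    out-interface-list=!WAN comment="guest: internet only"

# input chain: traffic TO the router itself (WinBox, SSH, WebFig, ...).
# A forward-chain rule does not cover this.
add chain=input action=accept connection-state=established,related
add chain=input action=accept in-interface=bridge-guest protocol=udp \
    dst-port=67 comment="guest: DHCP"
add chain=input action=accept in-interface=bridge-guest protocol=udp \
    dst-port=53 comment="guest: DNS"
add chain=input action=accept in-interface=bridge-guest protocol=tcp \
    dst-port=53 comment="guest: DNS over TCP"
add chain=input action=drop in-interface=bridge-guest \
    comment="guest: no other access to router services"

# "add" appends to the end of the chain; on a router that already has
# filter rules, move these above any broader accept rules.
```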