Page 1 of 1

Guest wireless without VLANs

Posted: Fri Oct 01, 2021 12:52 pm
by socios
Hi, I'm fairly new to mikrotik and have some concepts I still don't understand quite. I have a simple set up with one router (CCR1036) acting as a capsman and 2 APs (cap lite). I have them connected and the internal wifi network set up and I would like to add a guest network. I configured separate bridge for guest network with a separate dhcp,pool,addresses etc. Also in capsman I defined a separate datapath (with a guest bridge) and a separate provisioning. That didn't work (ssid for guest not showing) which made sense to me because I added only bridge-local to the interfaces pointing to ap-s (eth8 and eth9). I can't add those ports again in the bridge-guest because it would mean they are all in the same broadcast domain, right? After that I found some posts here on forum stating I can just make guest wifi configuration and set it as a slave configuration to my internal wifi configuration. This is what I have now:
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2442 name=channel7
add band=2ghz-onlyn control-channel-width=20mhz frequency=2452 name=channel9
/caps-man datapath
add bridge=bridge-local client-to-client-forwarding=yes local-forwarding=no name=datapath-local
add bridge=bridge-guest client-to-client-forwarding=yes local-forwarding=no name=datapath-guest
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=company passphrase=123
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=guest_security passphrase=123
/caps-man configuration
add channel=channel9 country=xy datapath=datapath-local datapath.bridge=bridge-local installation=indoor mode=ap name=office-local security=company ssid="company Internal"
add channel=channel7 country=xy datapath=datapath-guest datapath.bridge=bridge-guest installation=indoor mode=ap name=office-guest security=guest_security ssid="company Guest"
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes package-path=/pub require-peer-certificate=yes upgrade-policy=suggest-same-version
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=office-local slave-configurations=office-guest

/interface bridge
add name=bridge-guest protocol-mode=none
add fast-forward=no name=bridge-iptv protocol-mode=none
add admin-mac=B8:69:F4:03:86:63 auto-mac=no fast-forward=no name=bridge-local protocol-mode=none
/interface bridge port
add bridge=bridge-local interface=ether3-lan
add bridge=bridge-iptv interface=ether4-iptv
add bridge=bridge-iptv interface=ether5-iptv
add bridge=bridge-iptv interface=vlan-iptv
add bridge=bridge-iptv interface=ether6-iptv
add bridge=bridge-local interface=ether10-voip
add bridge=bridge-local interface=ether8-ap1
add bridge=bridge-local interface=ether9-ap2
Will this work? I'm not at the location right now and have nobody to test. I have seen solutions with creating VLANs and then just adding them both to those eth interfaces which I assume would work. But I'm more interested how this part works and are there any big differences in approaches. From security standpoint for this setup I simply have a firewall rule blocking access from IP addresses in guest network to everything except wan.

Re: Guest wireless without VLANs

Posted: Mon Oct 11, 2021 10:18 am
by Clément
To me, it will works because I am using the same setup.
To make it works, in Capsman make /provisionning as you do, with Master and slave. Dynamic enable on.
Create then two differents /configuration.
One for your main and your slave, setup only the ssid, security and datapath.
From other section in Capsman, radio, datapath,... ; leave them empty.
Dynamic assingment should do all for you.

Then when you run it, if you do not see still any ssid check your logs and look for fail certificates handshake if you are using this feature.
Without, each caps should appear in each of your bridge.
If you want to not allow them to communicate, create a new rule in your firewall filter.