ckonsultor
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Nov 21, 2021 7:57 pm

How to put two Wi-Fi radios on separate subnets

Mon Nov 22, 2021 11:53 pm

Looking at the advanced configuration panels for the Wi-Fi radios in hAP ac lite I can't find a way to put each radio (2 and 5 GHz) on separate subnets. I set up separate security policies for each wlan, with different PSKs. The goal is to provide remote access to a test network using port forwarding from WAN to the 5 GHz radio, isolating it from the enet ports and 3 GHz radio, which would be bridged for all other office uses. First, I want to remove wlan2 from the bridge, but see no method. Suggestions please.
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland

Re: How to put two Wi-Fi radios on separate subnets

Tue Nov 23, 2021 9:39 am

This is normally done through VLANs and setting a different VLAN in the datapath for each radio configuration.

In your case, you'd probably want to have a Management VLAN (e.g. 99) on which the AP would have an IP and then you'd have 2 different VLANs (e.g. 100 and 200) for the two different user subnets.
wlan1 would be set up with its datapath configuration set to tag the traffic with the VLAN ID (100) for the office subnet.
wlan2 would be set up with its datapath set to tag traffic with the VLAN ID (200) of your test subnet.

It sounds more complex than it is, and allows you to firewall off access to the AP and router from the general networks too if you need to (generally a good idea).
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to put two Wi-Fi radios on separate subnets

Tue Nov 23, 2021 3:50 pm

What is your network design?
Is the device acting as a router and access point, or simply as an access point and if so what router is feeding it?

Please post your config
/export hide-sensitive file=anynameyouwish
 
McSee
Frequent Visitor
Posts: 84
Joined: Tue Feb 26, 2019 12:49 pm

Re: How to put two Wi-Fi radios on separate subnets

Wed Nov 24, 2021 3:08 pm

ckonsultor wrote:
> .... First, I want to remove wlan2 from the bridge, but see no method .....

br.png
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to put two Wi-Fi radios on separate subnets

Wed Nov 24, 2021 3:55 pm

I attempted to help by asking pertinent questions, instead, no answer but a NEW question?? use the red X.
Hopefully someone else will have more patience. Good luck.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to put two Wi-Fi radios on separate subnets

Wed Nov 24, 2021 4:35 pm

So if you're looking for validation: you should be able to remove it from the bridge, with the "-", as shown in your photo - that would be the first step. Since you're just deleting a "reference" to the port in the Bridge>Ports – the interface will still be in Interfaces/Wireless after you remove it.

Once wlan2 is removed from Bridge>Port, wlan2 is just a L3 interface. As such, it will need its own IP address... Assuming you want a NEW subnet, use IP>Address, selecting the wlan2 interface, picking what you need or something like 192.168.99.1/24. You can then add a 2nd IP>DHCP Server for the wlan2 interface; there is a "DHCP Setup" button where you can pick wlan2 that does most of the work for you.

By design, Mikrotik will route between all "connected" subnets, with a connected subnet being created by assigning an interface (here wlan2) an IP address. But, the IP>Firewall>Filter/NAT/Mangle/Raw can restrict that. Mikrotik defaults sometimes use the Interface>Address List feature to tag interfaces as "WAN" and "LAN"; those tags are used in the firewall. In theory, assuming defaults, if you DON'T add wlan2 as a LAN, the firewall will likely keep your wlan2 isolated from the LAN, but the LAN will be able to reach this one (assuming there is a default "drop !LAN" in config somewhere).

The specifics of your firewall config are obviously the key to getting this right. A separate subnet is simple: remove it from the bridge and give it an IP address; likely you'd want a DHCP server on the wlan.

If none of this makes sense, then you should for sure post the config for more help.
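
The separate-subnet steps described in the post above, written out as RouterOS commands. This is an added example, not a config posted by anyone in the thread; the pool and server names (lab-pool, lab-dhcp), the address range, and the presence of a default-style "LAN" interface list and firewall are assumptions.

```routeros
# Added example (not from the thread). Assumes wlan2 is the 5 GHz "lab" radio
# and that a default-style interface list named LAN exists.

# 1. Take wlan2 out of the bridge; the wireless interface itself is kept.
/interface bridge port remove [find interface=wlan2]

# 2. Give wlan2 its own subnet (address taken from the post above).
/ip address add address=192.168.99.1/24 interface=wlan2 comment="lab wifi"

# 3. DHCP for the lab subnet. Pool/server names and range are hypothetical.
#    Add dns-server= to the network entry for the resolver lab clients
#    should use.
/ip pool add name=lab-pool ranges=192.168.99.10-192.168.99.100
/ip dhcp-server add name=lab-dhcp interface=wlan2 address-pool=lab-pool \
    disabled=no
/ip dhcp-server network add address=192.168.99.0/24 gateway=192.168.99.1

# 4. Do not rely on implicit isolation: drop lab -> LAN forwarding explicitly.
#    Replies to connections opened from the LAN side still pass if the
#    firewall has an accept rule for established/related traffic above this.
/ip firewall filter add chain=forward in-interface=wlan2 \
    out-interface-list=LAN action=drop \
    comment="lab wifi must not reach office LAN"

# 5. Checks: wlan2 must not be listed as a bridge port, the DHCP server
#    entry must not be flagged invalid, and the drop rule must be present.
/interface bridge port print where interface=wlan2
/ip dhcp-server print
/ip firewall filter print where chain=forward
```

Rule order matters: the drop has to sit above any forward-chain rule that would accept new connections from wlan2, so check its position in the last printout.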
 
ckonsultor
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Nov 21, 2021 7:57 pm

Re: How to put two Wi-Fi radios on separate subnets

Wed Nov 24, 2021 8:00 pm

MyNetToploogyPlan.jpg
This plan is to offer a software developer remote access to the test lab via port forwarding in the WAN router and TeamViewer in the notebook on the 5 GHz Wi-Fi radio. I plan to apply security measures (up the wazoo, as we said in the old neighborhood) with ACL, MAC filtering, etc.--suggestions welcome. The Mikrotik router in the lab connects to devices under development and a VoIP installation.
 
ckonsultor
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Nov 21, 2021 7:57 pm

Re: How to put two Wi-Fi radios on separate subnets

Wed Nov 24, 2021 8:06 pm

Ping: anav
Sorry for the slow reply. Just posted the network topology.
Regards,
 
ckonsultor
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Nov 21, 2021 7:57 pm

Re: How to put two Wi-Fi radios on separate subnets

Tue Nov 30, 2021 11:05 pm

Thanks Amm0, your info moved me along considerably. Only the 2.4 GHz radio connects from the LAN bridge to the notebook. The 5 GHz radio in the MikroTik is not on the bridge but otherwise configured the same, including the "Mode" in "Advanced Mode" set to "AP bridge," with the exception of an additional (blank) field for wlan2: Secondary Channel. I hope that is not the same bridge for both radios :-0 ScreenCap attached. If this is not the configuration you asked for please advise.
The notebook either can't find the 5 GHz radio on the MikroTik or the IP configuration is not available (on separate attempts to connect).
 
ckonsultor
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Nov 21, 2021 7:57 pm

Re: How to put two Wi-Fi radios on separate subnets

Tue Nov 30, 2021 11:06 pm

And another thank you to McSee for how to remove wlan2 from bridge.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to put two Wi-Fi radios on separate subnets

Wed Dec 01, 2021 12:44 am

Basically if the 5Ghz interface is not in the list on Bridge>Ports, it is not in any bridge. That setting (Wi-Fi "Bridge Mode") affects how the wifi radio deals with the fact it may be in a bridge, but it doesn't put it in one.

On those Wi-Fi settings... We run into a lot of Apple devices, so I try to follow Apple's Wi-Fi guidelines, as best I can on a Mikrotik:
https://support.apple.com/en-us/HT202068

In your case, that means turning on "WMM Support" on both interfaces, and using g/n on the 2.4Ghz, are Apple's recommendations. I ignore Apple on using channel=auto, since it's generally better to pick one on a Mikrotik (and ideally look at the RF). I also ignore Apple on the 5Ghz using 80Mhz channels, unless you really have a clean channel that wide – most people don't. (And neither WPA3 nor Wi-Fi 6 is supported by Mikrotik, today, so ignore those too.)

BUT, I'm not the Mikrotik Wi-Fi expert, those have worked well enough for me. But the forums, and using the freq. scanner, may have better answers/clues if you need to tweak the Wi-Fi settings for devices.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to put two Wi-Fi radios on separate subnets

Wed Dec 01, 2021 12:58 am

BTW "ap bridge" is what you want in both cases.

Also:
You'd also want to confirm if the client Wi-Fi device is connected. If connected, and just not getting an IP address (e.g. or it gets 169.254.x.x), that points to a DHCP Server issue. Using winbox while on the 5ghz/"lab" interface will show the router in "neighbors", along with IP. If it shows your router but 0.0.0.0, you didn't set an IP address on wlan2.

OR, if the Wi-Fi just doesn't connect in the first place, you might try enabling that "Bridge Mode" on the 5Ghz interface; it certainly won't put it in the bridge, but the Mikrotik may need it to provide DHCP etc – not the expert on the particulars of that setting AND never changed it before (e.g. just always left it on if using "ap bridge", even when the wifi interface was NOT using the bridge interface).
 
ckonsultor
Frequent Visitor
Topic Author
Posts: 50
Joined: Sun Nov 21, 2021 7:57 pm

Re: How to put two Wi-Fi radios on separate subnets

Thu Dec 02, 2021 5:06 am

Have configured wlan2 with a separate security profile. When creating a separate DHCP server instance for wlan2 that line in the table appears in red: invalid. "RouterOS by Example" (2nd Ed., p. 25) states that an interface placed on or removed from a bridge makes the DHCP server for that interface invalid. Is the Mode selection of "AP Bridge" invalidating the DHCP server? Is the order of setting up various windows critical? Of the modes in the drop down menu in the "Interface <wlan2>" window there isn't an obvious choice for a mode to set up a wi-fi radio on its own subnet. What am I missing?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: How to put two Wi-Fi radios on separate subnets

Thu Dec 02, 2021 10:51 pm

how to setup the router is easily accomplished with VLANS as per this article which has an example for your case.
viewtopic.php?t=143620

one bridge,
ethernet ports and wlans on bridge
proper bridge vlan config.
Pretty much done!
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to put two Wi-Fi radios on separate subnets

Fri Dec 03, 2021 5:45 am

ckonsultor wrote:
> When creating a separate DHCP server instance for wlan2 that line in the table appears in red: invalid. "RouterOS by Example" (2nd Ed., p. 25) states that an interface placed on or removed from a bridge makes the DHCP server for that interface invalid. Is the Mode selection of "AP Bridge" invalidating the DHCP server? Is the order of setting up various windows critical? Of the modes in the drop down menu in the "Interface <wlan2>" window there isn't an obvious choice for a mode to set up a wi-fi radio on its own subnet. What am I missing?

I think the reason why you're having trouble with the DHCP Server is because "wlan2" is still listed in RouterOS's Bridge>bridge1>Ports — "wlan2" (assuming that's the "lab wifi") should NOT be a port in what I describe. Pretty sure you want "AP Bridge" – there, the word bridge in the name refers to the fact it handles multiple wireless clients (which is what APs do: they "bridge" all connected wireless devices, but on that interface only). "Station mode" is the reverse of "ap bridge" - that's a single connection to another Wi-Fi AP, and you'd typically have a DHCP Client on a "station" to pull an address from another network/subnet. All the other Wi-Fi modes deal with stuff in-between.

To bridge a wi-fi interface with other ethernet ports/tunnels/etc, that requires the wifi being listed as a "port member" of a RouterOS bridge. And, a wi-fi interface is a "separate subnet" automatically, unless it's in a bridge. (e.g. "/interface bridge ports print" should NOT show wlan2 here).

I'd recommend you post your config, easier for everyone to comment on your actual config. Pretty sure you're a few lines away from your diagram. "/export hide-sensitive" is the command to get a config, without passwords.

anav wrote:
> how to setup the router is easily accomplished with VLANS as per this article which has an example for your case.
> viewtopic.php?t=143620
>
> one bridge,
> ethernet ports and wlans on bridge
> proper bridge vlan config.
> Pretty much done!

To be fair, "easily accomplished with VLANS", may be over-selling ;). But @anav has a point, if you're familiar with cisco-style switch config, and want to do a deep-dive into Mikrotik's bridging @pcunite's VLAN guide is great. It's a bit complex, so not for everyone. In the cisco/@anav/@pcunite scheme, your wlan2 should be a bridge port, as should all your interfaces. Instead of assigning an IP address directly to the wlan2 interface, you'd use a new VLAN to do that, still likely need a DHCP Server too.

e.g. in the viewtopic.php?t=143620 scheme, you create a VLAN interface for the 192.168.200.0/24 network, and use say vlan-id=200 – then use Bridge>bridge1>VLANs to assign wlan2 to the VLAN 200. More complex than that, but that's the gist of the different approach. Since all interfaces use the bridge, it could be slower depending on the exact config/device since "hardware offloading"/"fast path" support varies.

To some people, this is a more natural approach & to others, it adds an unnecessary level of indirection and makes the config unnecessarily complex. My opinion is if you're familiar with VLAN, this approach makes sense & if VLANs are a mystery, there is an additional learning curve.

The nice part about Mikrotik is there are a lot of ways to do stuff & the bad part is there are a lot of ways to do stuff.
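
The VLAN variant sketched in the post above (vlan-id=200, 192.168.200.0/24, wlan2 kept as a bridge port), as RouterOS commands. This is an added example, not a config from the thread or from the linked VLAN guide; the interface, pool and server names and the "LAN" interface list are assumptions.

```routeros
# Added example (not from the thread). Assumes bridge1 already holds the
# ethernet ports and both wlans, and that wlan2 is the lab radio.

# The VLAN interface on the bridge carries the lab subnet's layer-3 config.
/interface vlan add name=vlan200-lab interface=bridge1 vlan-id=200
/ip address add address=192.168.200.1/24 interface=vlan200-lab

# wlan2 becomes an untagged (access) port of VLAN 200.
/interface bridge port set [find interface=wlan2] pvid=200 \
    frame-types=admit-only-untagged-and-priority-tagged

# bridge1 is a tagged member so the router's own vlan200-lab interface
# receives VLAN 200 frames.
/interface bridge vlan add bridge=bridge1 vlan-ids=200 tagged=bridge1 \
    untagged=wlan2

# DHCP is bound to the VLAN interface, not to wlan2 (a bridge port cannot
# host a valid DHCP server). Names and range are hypothetical.
/ip pool add name=vlan200-pool ranges=192.168.200.10-192.168.200.100
/ip dhcp-server add name=vlan200-dhcp interface=vlan200-lab \
    address-pool=vlan200-pool disabled=no
/ip dhcp-server network add address=192.168.200.0/24 gateway=192.168.200.1

# Layer-2 separation does not stop the router from routing between the
# subnets, so the lab -> office path is still dropped in the firewall.
/ip firewall filter add chain=forward in-interface=vlan200-lab \
    out-interface-list=LAN action=drop comment="lab VLAN must not reach LAN"

# Enable filtering last, once the VLAN table is complete; until this is
# set, the pvid and VLAN table entries above are not enforced.
/interface bridge set bridge1 vlan-filtering=yes
```

Run the final command from a session that will survive it (for example a wired port that stays untagged on the bridge's default VLAN), since a mistake in the VLAN table can cut off management access.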
 
spynappels
Member Candidate
Posts: 106
Joined: Mon Oct 25, 2021 12:32 pm
Location: Northern Ireland

Re: How to put two Wi-Fi radios on separate subnets

Fri Dec 03, 2021 8:42 pm

anav wrote:
> how to setup the router is easily accomplished with VLANS as per this article which has an example for your case.
> viewtopic.php?t=143620

Yep, I suggested VLANs and datapath config in the very first response :-)
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: How to put two Wi-Fi radios on separate subnets

Fri Dec 03, 2021 11:21 pm

@spynappels, sorry, didn't mean to leave you out. I kinda see creating a Layer-3 subnet on a physical interface like wi-fi as a pre-prerequisite for using vlan-filtering=yes is all. If the OP described he already had VLANs for stuff, certainly vlan-filtering=yes as a first suggestion would be a good one. While @pcunite's VLAN manifesto is great – it just doesn't start someone at the beginning of the story of IP subnetting, which should be the first course on Mikrotik ;). Also, I don't know how recent the OP's book, RouterOS by Example, is, so didn't want to vary too much from what was likely in his book...

OP's problem with DHCP Server doesn't change regardless of whether using a virtual or physical interface. We'll see what the OP comes up with. This can be pretty straightforward either way.

A config file would clarify a lot.
