 
RavenBlack
just joined
Topic Author
Posts: 20
Joined: Sat Apr 16, 2016 10:17 pm

Guest WiFi with two MikroTik Routers

Sun Apr 10, 2022 1:58 pm

I need your help setting up guest WiFi in home. Bear in mind, I'm not a network engineer, so go easy on me.
My basic network looks like this:
Image
I'm using two MikroTik routers, because one is not enough to provide WiFi coverage.
My "BorderRouter" (the one connected to ISP) is set as "Home AP Dual". The "InternalRouter" is set as "WISP AP". WiFi interfaces on each router are set up with the same SSID and same preshared password. WiFi interfaces are set separately on each router, no CAPsMAN or anything. DHCP is running on BorderRouter. Any device connected to "InternalRouter" (either WiFi or Ethernet cable) gets an IP from the DHCP. So, network works fine.
However, I want to set up an isolated guest WiFi network on both routers (to provide coverage in home). I can create virtual WiFi interface on "BorderRouter" and create a separate DHCP for those virtual WiFi interfaces and it works fine. However, if I create the same setup on "InternalRouter" - those virtual WiFi interfaces are not able to get IP addresses.
I've tried setting up CAPsMAN. Unless I'm missing something, it seems that CAPsMAN cannot manage virtual WiFi interfaces. I've tried VLANs, but it is very likely that I did something wrong, so the situation was the same - I could see the SSID, but was not able to get an IP.
I've tried many different tutorials and documentation, but all of them were aimed at setting up guest WiFi on a single device.
My device configuration is as follows
"BorderRouter":
[***@BorderRouter] > export hide-sensitive 
# apr/10/2022 12:33:47 by RouterOS 7.2
# software id = BFB9-4M0S
#
# model = RouterBOARD 962UiGS-5HacT2HnT

/interface bridge
add admin-mac=E4:8D:8C:6B:4C:45 arp=proxy-arp auto-mac=no comment=defconf \
    fast-forward=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add comment="allow Mikrotik neighbour discovery (NDP) and CISCO Discovery Protoc\
    ol (CDP) protocols on LAN only" name=localdiscover
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    TheNestWiFi supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=guest \
    supplicant-identity=""
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=*** disabled=no distance=indoors frequency=auto mode=\
    ap-bridge security-profile=TheNestWiFi ssid=2Gwifi station-roaming=\
    enabled wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40mhz-Ce \
    country=*** disabled=no distance=indoors frequency=auto mode=\
    ap-bridge security-profile=TheNestWiFi ssid=5Gwifi station-roaming=\
    enabled wireless-protocol=802.11 wps-mode=disabled
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des

/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.40
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay interface=bridge name=\
    HomeLAN
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
add comment="access to enable / disable firewall rules" name=blocker policy="rea\
    d,write,winbox,web,rest-api,!local,!telnet,!ssh,!ftp,!reboot,!policy,!test,!\
    password,!sniff,!sensitive,!api,!romon,!dude" skin=rc
/interface bridge filter
# no interface
add action=drop chain=forward in-interface=*A
# no interface
add action=drop chain=forward out-interface=*A
# no interface
add action=drop chain=forward in-interface=*B
# no interface
add action=drop chain=forward out-interface=*B
# no interface
add action=drop chain=forward in-interface=*A
# no interface
add action=drop chain=forward out-interface=*A
# no interface
add action=drop chain=forward in-interface=*B
# no interface
add action=drop chain=forward out-interface=*B
# no interface
add action=drop chain=forward in-interface=*A
# no interface
add action=drop chain=forward out-interface=*A
# no interface
add action=drop chain=forward in-interface=*B
# no interface
add action=drop chain=forward out-interface=*B
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2-master
add bridge=bridge comment=defconf hw=no ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=ether5
add interface=*E
add interface=*F
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set max-neighbor-entries=8192 rp-filter=strict
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=default max-mru=1460 max-mtu=1460 \
    use-ipsec=yes
/interface list member
add disabled=yes interface=wlan1 list=discover
add disabled=yes interface=ether2-master list=discover
add disabled=yes interface=ether3 list=discover
add disabled=yes interface=ether4 list=discover
add disabled=yes interface=ether5 list=discover
add disabled=yes interface=sfp1 list=discover
add disabled=yes interface=wlan2 list=discover
add disabled=yes interface=bridge list=discover
add disabled=yes interface=ether2-master list=mactel
add disabled=yes interface=sfp1 list=mactel
add disabled=yes interface=ether2-master list=mac-winbox
add disabled=yes interface=wlan2 list=mactel
add disabled=yes interface=sfp1 list=mac-winbox
add disabled=yes interface=wlan1 list=mactel
add disabled=yes interface=wlan2 list=mac-winbox
add disabled=yes list=mactel
add disabled=yes interface=wlan1 list=mac-winbox
add disabled=yes list=mactel
add disabled=yes list=mac-winbox
add disabled=yes list=mac-winbox
add comment="This should limit dicovery on LAN I believe" interface=bridge \
    list=localdiscover
add interface=bridge list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1-WAN use-peer-dns=no
/ip dhcp-server network
add
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set servers=8.8.4.4,8.8.8.8
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" jump-target=\
    kid-control
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment="defconf: accept establieshed,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    connection-state="" in-interface=ether1-WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1-WAN
add action=accept chain=forward
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
    ether1-WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set www-ssl address=192.168.1.0/24
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set forwarding-enabled=remote strong-crypto=yes
/ppp secret
add name=migratorybird profile=openvpn-profile
/system clock
set time-zone-name=***
/system identity
set name=BorderRouter
/system leds
set 1 interface=wlan2
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
"InternalRouter":
[***@InternalRouter] > export hide-sensitive 
# apr/10/2022 12:35:39 by RouterOS 7.2
# software id = 4CPN-5PIX
#
# model = RouterBOARD 962UiGS-5HacT2HnT

/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=*** disabled=no \
    mode=ap-bridge ssid=2Gwifi station-roaming=enabled wps-mode=disabled
set [ find default-name=wlan2 ] country=*** disabled=no mode=ap-bridge \
    ssid=5Gwifi station-roaming=enabled wireless-protocol=802.11 wps-mode=\
    disabled
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,rest-api"
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether1
add bridge=bridge1 ingress-filtering=no interface=ether2
add bridge=bridge1 ingress-filtering=no interface=ether3
add bridge=bridge1 ingress-filtering=no interface=ether4
add bridge=bridge1 ingress-filtering=no interface=ether5
add bridge=bridge1 ingress-filtering=no interface=sfp1
add bridge=bridge1 ingress-filtering=no interface=wlan2
add bridge=bridge1 ingress-filtering=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.1.2/24 interface=ether2 network=192.168.1.0
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1
/ip ssh
set forwarding-enabled=remote
/system clock
set time-zone-name=***
/system identity
set name=InternalRouter
If anyone can point me to a good tutorial for my case or explain the concept of how to set it up, I'd appreciate. Once again - I'm not a network engineer and I have only a passing familiarity with RouterOS.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest WiFi with two MikroTik Routers

Sun Apr 10, 2022 6:26 pm

Well I am no fan of capsman at all but for those keen on making their lives more complex than necessary, I at least suggest setting up the network WITHOUT capsman and then migrating to it later after tons of reading the many threads as few manage to do it without losing their hair. :-) No worries if you are jada...... (oops hope will is not around).

So the easy path, there may be others, is to create one bridge on each device.
Figure out how many subnets you want and then create that number of vlans.
vlan10-home (wired and wifi)
vlan20-guest (wifi)
vlan30-media (media devices)
vlan40-camera (door bells, cameras etc)
vlan50-iot devices (anything else "smart")

These are all created on the first edge router and all have interface bridge.
They all get IP address, dhcp server, dhcp server-network, IP pool.
All vlans belong to LAN interface.
Vlan10-home being the TRUSTED interface is the only member of an interface called Trusted.
Neighbours discovery interface should be identified to Trusted.
ip tools mac server WINMAC SERVER interface should be identified to Trusted.
All smart devices should get their IP address from the vlan10-home network.

Trunk port 5 on edge router feeds trunk port 1 on wisp AP device.
To setup up main router.
check item C here - viewtopic.php?t=182373
(this example fits for the edge router - Router-Switch-AP (all in one))

To setup wisp AP check out item D the example there is very close.......
 
RavenBlack
just joined
Topic Author
Posts: 20
Joined: Sat Apr 16, 2016 10:17 pm

Re: Guest WiFi with two MikroTik Routers

Sun Apr 10, 2022 8:57 pm

Thank you @anav,

looks like a bit of reading and quite a bit more of understanding to do. I did read some of the linked resources already but the understanding isn't there yet.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest WiFi with two MikroTik Routers

Sun Apr 10, 2022 9:25 pm

Awesome, I have all the time in the world for someone that makes a real effort on their own to go through the material first, just post your configs when ready for review.
No animals will be hurt in my analysis. :-)
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: Guest WiFi with two MikroTik Routers

Tue Apr 12, 2022 1:30 pm

Anav may have "all the time in the world"

But as he has often accused me of being overly pragmatic...

I have accepted and understood...
"It's like trying to win the Indy 500 riding a llama."
 
RavenBlack
just joined
Topic Author
Posts: 20
Joined: Sat Apr 16, 2016 10:17 pm

Re: Guest WiFi with two MikroTik Routers

Wed Apr 13, 2022 10:03 am

I think I’ve got the hang of the concept. Let me know if my thinking is correct.

What I need to do on the basic level is this:

Ether5 on BorderRouter and Ether1 on InternalRouter will be tagged ports (say I will use VLAN20 for guest Wi-Fi) creating a trunk. Both ports will be tagged with VLAN ID 20.

Then on InternalRouter I need to create virtual wlan interface and set VLAN mode to “use tag” and give it ID of 20. So this will be my access or untagged port.

In theory, packets coming into virtual wlan on InternalRouter will get tagged with VLAN ID 20 and carried over the trunk to BorderRouter and NAT rules permitting - to the Internet.

Did I get it right?
 
AllexRo
Frequent Visitor
Posts: 77
Joined: Fri Nov 22, 2019 4:24 pm
Location: Bucharest, RO

Re: Guest WiFi with two MikroTik Routers

Wed Apr 13, 2022 3:27 pm

As I'm really not that confident that I'd set up VLANs properly, I used the #3 solution from here, the one with EOIP tunnels.
 
RavenBlack
just joined
Topic Author
Posts: 20
Joined: Sat Apr 16, 2016 10:17 pm

Re: Guest WiFi with two MikroTik Routers

Wed Apr 13, 2022 3:51 pm

> As I'm really not that confident that I'd set up VLANs properly, I used the #3 solution from here, the one with EOIP tunnels.

Thank you for the link. EoIP sounds like a conceptually simpler option. But if I understand correctly, EoIP is a MikroTik proprietary protocol, so it has less value to me. I've already invested significant time in understanding how MikroTik does VLANs. I think I'll try to get VLAN set up first and then will give EoIP a try. After all, VLANs are everywhere, so, getting a better understanding of VLANs has a greater value.

I'm also a bit concerned that EoIP is going to operate on layer 3, while VLANs operate on layer 2. In theory, VLAN should be more resource efficient, right?
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest WiFi with two MikroTik Routers

Wed Apr 13, 2022 6:47 pm

Ravenblack,
The short answer is no..........

Create all the vlans on the main router. (every subnet is a vlan)
all the vlans have interface bridge

Ports connecting smart devices are trunk ports and all applicable vlans including trusted subnet (for which all smart devices get their IP from) go through the tunnel.
At the first (main) router if you have vlans going to dumb devices on its local ports...... then this is reflected on /interface bridge ports and /interface bridge vlans.
There is no assignment of vlans within wireless setting!

The tie in is what you assign at the /interface bridge port and /interface bridge vlan settings!!
Remember WLANs are bridge ports.
 
RavenBlack
just joined
Topic Author
Posts: 20
Joined: Sat Apr 16, 2016 10:17 pm

Re: Guest WiFi with two MikroTik Routers

Wed Apr 13, 2022 7:24 pm

> There is no assignment of vlans within wireless setting!

So these settings when creating virtual wlan interface do nothing?
Image

> The tie in is what you assign at the /interface bridge port and /interface bridge vlan settings!!
> Remember WLANs are bridge ports.

Yeah... I'm trying to conceptualize this in my head... ports are interfaces, VLAN is "logical" entity, but is also an interface and bridge can also be an interface too?.. and from experience I've already figured out that configuring bridges incorrectly can screw things up royally.
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Guest WiFi with two MikroTik Routers

Wed Apr 13, 2022 8:13 pm

Those settings do effectively handle vlan on wireless.
 
tangent
Forum Guru
Posts: 1351
Joined: Thu Jul 01, 2021 3:15 pm

Re: Guest WiFi with two MikroTik Routers

Wed Apr 13, 2022 8:20 pm

> EoIP is MikroTik proprietary protocol

Not entirely.

> VLANs are everywhere, so, getting a better understanding of VLANs has a greater value.

Certainly so.

> EoIP is going to operate on layer 3, while VLANs operate on layer 2. In theory, VLAN should be more resource efficient, right?

VLANs can be hardware-offloaded.

VLANs don’t swap layers in the OSI stack, potentially leading to bad outcomes due to mismatched expectations.

VLANs are standard, thus stable.

I’d want a really strong reason to choose EoIP for any case where a standard alternative exists.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest WiFi with two MikroTik Routers

Wed Apr 13, 2022 8:47 pm

Yes, those settings are one way of doing it, I don't use it and thus if you want assistance in that way, @holvoetn will take over.
I use this method. - viewtopic.php?t=143620
and if it's a requirement to use Capsman, probably why it's not in the cards for me.
I will help elsewhere. Gluck
 
holvoetn
Forum Guru
Posts: 5403
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Guest WiFi with two MikroTik Routers

Wed Apr 13, 2022 9:13 pm

It's no rocket science.
Use the vlan settings on those wireless config (I use it for a Guest network).
On router handling capsman define virtual VLAN interface connected to bridge.
Define DHCP server on that virtual interface.
Define firewall rules as needed.
Done.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest WiFi with two MikroTik Routers

Wed Apr 13, 2022 9:44 pm

Excellent, again, won't be doing that for the next million years. I stick to what I know, so Holvoet's advice is super!!!
 
RavenBlack
just joined
Topic Author
Posts: 20
Joined: Sat Apr 16, 2016 10:17 pm

Re: Guest WiFi with two MikroTik Routers

Wed Apr 13, 2022 10:25 pm

> It's no rocket science.
> Use the vlan settings on those wireless config (I use it for a Guest network).
> On router handling capsman define virtual VLAN interface connected to bridge.
> Define DHCP server on that virtual interface.
> Define firewall rules as needed.
> Done.

I think I've got it working... sort of...
Devices connected to a virtual wlan interface on an InternalRouter do get an IP address from a correct range from a DHCP running on the BorderRouter. However, traffic is not contained within a VLAN. I mean, I've connected to a virtual wlan interface, I've received an IP assigned to VLAN20 (10.10.20.2), but I can reach any resource on my LAN (192.168.1.1/24 range).
Am I missing something? Isn't traffic supposed to be "automagically" contained within a VLAN? Sure, I can set up firewall rules, but shouldn't it be all handled on layer 2?
By the way, I didn't bother with the CAPsMAN. I also didn't enable tagging on virtual wlan.
Image
Enabling tagging for some reason prevents DHCP from working.
I'm happy to post my config, If that will make things easier.
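
Why the guest client in the post above still reaches 192.168.1.0/24, as an added example that is not part of the thread or any poster's code: VLAN tagging separates the networks at layer 2, but BorderRouter routes between its subnets, and the forward chain in the first post ends in an unconditional accept. The evaluator is a simplified first-match model of RouterOS filter rules; the interface name `vlan20-guest`, the /24 prefix around 10.10.20.2, the LAN host 192.168.1.10 and the guest drop rule are assumptions.

```python
import ipaddress
import re
import shlex

# Forward-chain rules copied from the BorderRouter export in the first post.
# Simplification: the kid-control jump and the fasttrack rule are left out.
BORDER_FORWARD = r'''
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1-WAN
add action=accept chain=forward
'''

# Constructed rule (not from the thread): keep the guest subnet out of the LAN.
GUEST_DROP = r'''
/ip firewall filter
add action=drop chain=forward comment="guest: no access to home LAN" \
    dst-address=192.168.1.0/24 src-address=10.10.20.0/24
'''

# Constructed packets: new connections from the guest client 10.10.20.2.
GUEST_TO_LAN = {'connection-state': 'new', 'in-interface': 'vlan20-guest',
                'out-interface': 'bridge', 'src-address': '10.10.20.2',
                'dst-address': '192.168.1.10'}
GUEST_TO_WAN = dict(GUEST_TO_LAN, **{'out-interface': 'ether1-WAN',
                                     'dst-address': '8.8.8.8'})

NOT_MATCHERS = {'action', 'chain', 'comment', 'jump-target', 'hw-offload'}


def parse_rules(export):
    """Return enabled /ip firewall filter rules as dicts, in export order."""
    text = re.sub(r'\\\n\s*', '', export)  # undo the export's line wrapping
    rules, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith('/'):
            section = line
        elif section == '/ip firewall filter' and line.startswith('add '):
            props = dict(tok.split('=', 1) for tok in shlex.split(line[4:]))
            if props.get('disabled') != 'yes':
                rules.append(props)
    return rules


def matches(rule, pkt):
    """True when every matcher set on the rule agrees with the packet."""
    for key, want in rule.items():
        if key in NOT_MATCHERS or want == '':
            continue
        negate, want = want.startswith('!'), want.lstrip('!')
        have = pkt.get(key)
        if key in ('src-address', 'dst-address'):
            hit = ipaddress.ip_address(have) in ipaddress.ip_network(want)
        elif key == 'connection-state':
            hit = have in want.split(',')
        else:
            hit = have == want
        if hit == negate:
            return False
    return True


def forward_verdict(rules, pkt):
    """First matching forward rule decides; no match means accept."""
    for index, rule in enumerate(rules):
        if rule.get('chain') == 'forward' and matches(rule, pkt):
            return rule['action'], index
    return 'accept', None


def hardened_rules():
    """Posted rules with the guest drop placed before the final accept."""
    base = parse_rules(BORDER_FORWARD)
    return base[:-1] + parse_rules(GUEST_DROP) + base[-1:]


if __name__ == '__main__':
    print('as posted:', forward_verdict(parse_rules(BORDER_FORWARD), GUEST_TO_LAN))
    print('hardened :', forward_verdict(hardened_rules(), GUEST_TO_LAN))
    print('internet :', forward_verdict(hardened_rules(), GUEST_TO_WAN))
```

With the rules as posted the verdict comes from the final `add action=accept chain=forward`; the same check can be rerun against a fresh export after any firewall change.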
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest WiFi with two MikroTik Routers

Wed Apr 13, 2022 10:38 pm

okay, BUT you are NOT following the link I provided for an example of using ROS for Ap or switch only........
viewtopic.php?t=182276

Do not mix apples and oranges. WIFI SETTINGS ARE FOR WIFI SETTINGS.
The vlans are assigned via /interface bridge port and /interface bridge vlan settings!!!
This is where we link vlans to bridge ports and remember bridge ports are ETHERPORTS and WLANS ( Wlans include virtual WLANS)

So remove any vlan settings you may have entered into the wireless settings.........
 
RavenBlack
just joined
Topic Author
Posts: 20
Joined: Sat Apr 16, 2016 10:17 pm

Re: Guest WiFi with two MikroTik Routers

Thu Apr 14, 2022 8:14 am

@anav

I came across some article that explained at least 3 different ways to configure VLANs on MikroTik.
I think I know what you mean. There is a way to set up VLANs by creating a bridge for each VLAN and then tagging and untagging interfaces on bridge ports.
I think I'll look more into that. It seems to have more "moving" parts, but final configuration may be more elegant, since all VLANs would be managed in a single place.

I'm still a bit fuzzy on how ports are interfaces and VLANs are interfaces, but not all interfaces are created equal; and interfaces go into bridges, but bridges are also interfaces...
Anyhow - there is a bit more of reading in my immediate future :)

Thank you for your support and guidance.
 
RavenBlack
just joined
Topic Author
Posts: 20
Joined: Sat Apr 16, 2016 10:17 pm

Re: Guest WiFi with two MikroTik Routers

Sat Apr 16, 2022 5:08 pm

I'm getting a feeling that I'm doing things wrong, i.e. my current setup is not right for VLANs.
My InternalRouter is set up as a router. It has a statically applied IP address on ether1. And BorderRouter is defined as a router for InternalRouter. So I effectively have two routers on the network.
Also, if I create a bridge on InternalRouter and try to add ether1 to the new bridge (I gather I need to do that, since ether1 on InternalRouter is what connects it to BorderRouter and I have to make it a tagged interface) I'm getting an error "Couldn't add New Bridge Port - device already added as bridge port (6)". I guess that makes sense, since ether1 is part of the "default" bridge. I can remove ether1 from the "default" bridge, but since it has a statically applied IP, doing so results in me losing access to the InternalRouter as well as any other device connected to the Internal router.
I've been trying to create a VLAN for a guest Wi-Fi. I.e. create virtual wlan interfaces and add only those virtual wlan interfaces to VLAN without changing the rest of the network settings.
But the more I look into this, the more it looks that I need to reset my MikroTiks to default settings and start from scratch by "turning" my InternalRouter into a switch first. Am I right?
Also, it seems that virtual wlan is not the same as physical wlan interface. I.e. virtual wlan has different setting options to physical wlan.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest WiFi with two MikroTik Routers

Sat Apr 16, 2022 7:07 pm

Draw a network diagram to assist, much better than words often!!
 
RavenBlack
just joined
Topic Author
Posts: 20
Joined: Sat Apr 16, 2016 10:17 pm

Re: Guest WiFi with two MikroTik Routers

Sat Apr 16, 2022 8:02 pm

Of course. I've updated my initial diagram. If more details are needed, I'm happy to add them to the diagram. The config of both my routers is also posted in my original post.
Image
Here is InternalRouter Quick Set options:
Image
And InternalRouter routing table:
Image
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest WiFi with two MikroTik Routers

Sat Apr 16, 2022 9:31 pm

Yeah, so here is the scoop,
Why does your bridge have an IP address in both cases?
Remember it's far simpler to keep everything vlans so every subnet should be a vlan.
What subnet does your bridge provide........
What other vlans do you have.

vlanX=home
vlanY=Guest
what is bridge subnet used for??

or do I have this wrong and you only have one subnet for everything??
 
RavenBlack
just joined
Topic Author
Posts: 20
Joined: Sat Apr 16, 2016 10:17 pm

Re: Guest WiFi with two MikroTik Routers

Sat Apr 16, 2022 9:39 pm

It's a home network, so it's just one flat /24 network.
My bridge has an IP, because otherwise I was not able to connect to it and if I remember correctly it was not getting IPs from BorderRouter DHCP server. It was set up this way a long time ago. It was working, so it was good enough.
There are no other VLANs, no other subnets.
I want to create guest Wi-Fi at home, so that is why I embarked on this "odyssey" :)
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest WiFi with two MikroTik Routers

Sat Apr 16, 2022 10:49 pm

Well a guest wifi usually means a wifi that you want isolated from the rest of the network.
Unless your AP can create a guest wifi and further that it's isolated from:
a. wifi users on the regular WLAN (not the guest one)
b. all wired users on the same subnet.

You will need two things.
a. an access point that can handle vlans OR
b. extra access points, one for home and one for guests.

I am not familiar enough with MT wifi to know how to accomplish the isolation as required.
But adding a vlan for guests to both MT is relatively simple and will accomplish what you desire.

Which brings us back to the original conversation, how many subnets do you want.
a. one for home wired and wireless
b. one for guests wifi
c. any for video cameras
d. any for media
e. any for iot devices (thermostats etc..)
