ezigo85
just joined
Topic Author
Posts: 3
Joined: Tue Nov 08, 2022 12:07 pm

Help with Network Setup (Cafe - Bar)

Tue Nov 08, 2022 2:34 pm

Hello everyone, first time user of these amazing devices, I am simply amazed by the capabilities!

But also a bit overwhelmed :lol:

Anyhow, I am trying to figure out the setup of my cousin's cafe/bar network and I came up with the scenario of creating 3 VLANs/Multi-SSIDs:

1) one for the staff (let's call it "Staff")
2) one for the software to receive orders via tablets (let's call it "Orders")
3) one for the customers (let's call it "Guest").

Here is the corresponding topology:

Image

Basically I want the top "hap ac Lite" to act as my main router that will create the 3 VLANs/SSIDs. I found this video explaining the whole thing: https://www.youtube.com/watch?v=i-qQo06ow7Y

The only devices that will connect to "Staff" through the main router are the printer and the laptop.

Then, I want to use an ethernet cable to connect my main router with the "hap mini" to extend "Orders". The only devices that will connect to "Orders" are the tablets that receive the orders, either through the main router or through the "hap mini" (whichever is nearer and has the better signal).

Lastly, I want to use an ethernet cable to connect my main router with the second "hap ac Lite" to extend "Guest". As with the other two cases, I want the customer to be able to connect either through the main router or through the second "hap ac Lite".

Oh, the guys from the software company (Orders) suggested that in order for their application to run smoothly, it needs 50% of the total bandwidth.

I want to ask:

1) your opinion about my scenario
2) your help for the configuration of the extensions of "Staff" and "Orders"

Thanks in advance, everyone!
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: Help with Network Setup (Cafe - Bar)

Thu Nov 10, 2022 2:01 pm

It's a lot easier to follow and will get you better results if you separate things to
Router
Switch
Wireless

Point of Sales systems often need a wired device or 2. So having dedicated switch ports becomes a necessity. Throw in door access or phone systems or cameras... AND YOU NEED A SWITCH.

I have been burned by Mikrotik wireless too many times. So I choose another vendor for that...

But a Mikrotik hAP AC2 connected to a CRS328-24P+S-RM with a CRS326-24G-S-RM has been an exceptional solution for a bunch of our bars and restaurants. Even have one of those resort type gyms running off that combo.

I would prefer a RB4011 or RB5009... But I can't even get them over here in the US.

A few VLANs and SSIDs... We have systems that "do their thing" for years at a time, with ZERO SERVICE CALLS.

We have been using Tik for the routing for over a decade. We only switched off UBNT EdgeSwitches recently because they are unavailable and Tik finally has a competitive switch. But now that Mikrotik has fixed that "ports not passing traffic" problem (at least in the 24 ports) we have been switching over to them.
 
ezigo85
just joined
Topic Author
Posts: 3
Joined: Tue Nov 08, 2022 12:07 pm

Re: Help with Network Setup (Cafe - Bar)

Thu Nov 10, 2022 6:45 pm

Noted. :)

But for now, the available equipment is the one in the topology.

I managed to configure the main router (I went with hap ac2, btw) according to the video I posted

https://www.youtube.com/watch?v=i-qQo06ow7Y

creating the 3 VLANS/SSIDs, but I'm having trouble with the rest of the configuration.

1) How do I dedicate the ports on the main router to correspond to a specific VLAN? For instance, Port 2 for "Staff", Port 3 for "Orders" and Port 4 for "Guest". Can it be done with the configuration I made following the instructions on the previous video?

2) How do I configure the other 2 devices (hap ac Lite and hap Mini) to operate as regular access points?

Edit: I made a mistake while drawing the original topology, here is the correct one:

Image

The red line indicates wired connection (ethernet cable).

Thanks in advance, everyone!
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with Network Setup (Cafe - Bar)

Thu Nov 10, 2022 11:47 pm

/export file=anynameyouwish (minus device serial numbers and any public WAN IP info),

(for all three devices)
 
ezigo85
just joined
Topic Author
Posts: 3
Joined: Tue Nov 08, 2022 12:07 pm

Re: Help with Network Setup (Cafe - Bar)

Fri Nov 11, 2022 8:52 pm

Ok, this is the export of the ac2 (main router)
/interface bridge
add admin-mac=18:FD:74:45:98:30 auto-mac=no comment=defconf name=bridge
add name=bridge_vlan20
add name=bridge_vlan30
add name=bridge_vlan40
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=wlan1_wifi \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=wlan2_wifi \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest_wifi \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=staff_wifi \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=orders_wifi \
    supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto hide-ssid=yes installation=\
    indoor mode=ap-bridge security-profile=wlan1_wifi ssid=MikroTik-459834 \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto hide-ssid=\
    yes installation=indoor mode=ap-bridge security-profile=wlan2_wifi ssid=\
    MikroTik-459835 wireless-protocol=802.11
add disabled=no mac-address=1A:FD:74:45:98:34 master-interface=wlan1 name=\
    Guest_wlan security-profile=guest_wifi ssid=Mosaic_Guest vlan-id=30 \
    vlan-mode=use-tag wds-default-bridge=bridge wps-mode=disabled
add disabled=no hide-ssid=yes mac-address=1A:FD:74:45:98:36 master-interface=\
    wlan1 name=Orders_wlan security-profile=orders_wifi ssid=Mosaic_Orders \
    vlan-id=40 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=disabled
add disabled=no hide-ssid=yes mac-address=1A:FD:74:45:98:35 master-interface=\
    wlan1 name=Staff_wlan security-profile=staff_wifi ssid=Mosaic_Staff \
    vlan-id=20 vlan-mode=use-tag wds-default-bridge=bridge wps-mode=disabled
/interface vlan
add interface=Staff_wlan name=vlan20 vlan-id=20
add interface=Guest_wlan name=vlan30 vlan-id=30
add interface=Orders_wlan name=vlan40 vlan-id=40
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.20.2-192.168.20.254
add name=dhcp_pool2 ranges=192.168.30.2-192.168.30.254
add name=dhcp_pool3 ranges=192.168.40.2-192.168.40.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=bridge_vlan20 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=bridge_vlan30 name=dhcp2
add address-pool=dhcp_pool3 disabled=no interface=bridge_vlan40 name=dhcp3
/interface bridge port
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge_vlan20 interface=Staff_wlan
add bridge=bridge_vlan20 interface=vlan20
add bridge=bridge_vlan20 interface=ether2
add bridge=bridge_vlan30 interface=Guest_wlan
add bridge=bridge_vlan30 interface=vlan30
add bridge=bridge_vlan30 interface=ether3
add bridge=bridge_vlan40 interface=Orders_wlan
add bridge=bridge_vlan40 interface=vlan40
add bridge=bridge_vlan40 interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.20.1/24 interface=bridge_vlan20 network=192.168.20.0
add address=192.168.30.1/24 interface=bridge_vlan30 network=192.168.30.0
add address=192.168.40.1/24 interface=bridge_vlan40 network=192.168.40.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.40.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

The other 2 devices don't have any configuration yet, they are still "untouched" :)
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with Network Setup (Cafe - Bar)

Fri Nov 11, 2022 10:25 pm

I would do one bridge; all vlans stem from the bridge, and the bridge does no dhcp.
vlans get their pool, dhcp-server, dhcp-server network, ip address

Assign interface bridge ports and interface bridge vlans appropriately (trunk, access or hybrid ports) be they etherports or wlans.

All smart devices get IP on the trusted subnet/vlan or you create a management one for that.

Use default rules with drop all at end of input and forward chains ensuring first, all required traffic rules are entered prior to drop rules.

No vlan settings in wifi, not required.

Question: which vlans do the two main WLANs belong to??

One cannot have vlans as interfaces, interface bridge ports are for etherports/wlans not vlans!!

You cannot have vlans as /interface bridge ports, it's for etherports or wlans !!

Okay so somewhere along the line you have a fourth subnet, arggg probably attached to a bridge, I'm feeling queasy......

We will call it vlan 11 (trusted)
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: Help with Network Setup (Cafe - Bar)

Sat Nov 12, 2022 12:34 am

ANAV

The F--ked up thing... It's pretty easy to do this in caps-man. Did a bunch of times before I came to my senses.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with Network Setup (Cafe - Bar)

Sat Nov 12, 2022 12:47 am

/interface bridge
add admin-mac=18:FD:74:45:98:30 auto-mac=no comment=defconf name=br-cafe
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Manage
add name=Internet
add name=Printer
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=wlan1_wifi \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=wlan2_wifi \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest_wifi \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=staff_wifi \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=orders_wifi \
    supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto hide-ssid=yes installation=\
    indoor mode=ap-bridge security-profile=wlan1_wifi ssid=MikroTik-459834 \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto hide-ssid=\
    yes installation=indoor mode=ap-bridge security-profile=wlan2_wifi ssid=\
    MikroTik-459835 wireless-protocol=802.11
add disabled=no mac-address=1A:FD:74:45:98:34 master-interface=wlan1 name=\
    Guest_wlan security-profile=guest_wifi ssid=Mosaic_Guest \
    wds-default-bridge=br-cafe wps-mode=disabled
add disabled=no hide-ssid=yes mac-address=1A:FD:74:45:98:36 master-interface=\
    wlan1 name=Orders_wlan security-profile=orders_wifi ssid=Mosaic_Orders \
    wds-default-bridge=br-cafe wps-mode=disabled
add disabled=no hide-ssid=yes mac-address=1A:FD:74:45:98:35 master-interface=\
    wlan1 name=Staff_wlan security-profile=staff_wifi ssid=Mosaic_Staff \
    wds-default-bridge=br-cafe wps-mode=disabled
/interface vlan
add interface=br-cafe name=vStaff20 vlan-id=20
add interface=br-cafe name=vGuests30 vlan-id=30
add interface=br-cafe name=vOrders40 vlan-id=40
add interface=br-cafe name=vTrusted11 vlan-id=11
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=trusted-dhcp ranges=192.168.88.10-192.168.88.254
add name=staff_pool1 ranges=192.168.20.2-192.168.20.254
add name=guests_pool2 ranges=192.168.30.2-192.168.30.254
add name=orders_pool3 ranges=192.168.40.2-192.168.40.254
/ip dhcp-server
add address-pool=trusted-dhcp disabled=no interface=vTrusted11 name=trusted
add address-pool=staff_pool1 disabled=no interface=vStaff20 name=staff
add address-pool=guests_pool2 disabled=no interface=vGuests30 name=guests
add address-pool=orders_pool3 disabled=no interface=vOrders40 name=orders
/interface bridge port
add bridge=br-cafe comment=defconf interface=ether5 pvid=11 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br-cafe comment=defconf interface=wlan1 pvid=11 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br-cafe comment=defconf interface=wlan2 pvid=11 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br-cafe interface=Staff_wlan pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br-cafe interface=Guest_wlan pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br-cafe interface=Orders_wlan pvid=40 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
add bridge=br-cafe interface=ether2 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="assuming wired port for staff"
add bridge=br-cafe interface=ether3 pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="assuming for guest haplite"
add bridge=br-cafe interface=ether4 pvid=40 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="assuming for orders hapmini"
/ip neighbor discovery-settings
set discover-interface-list=Manage
/interface list member
add interface=vTrusted11 list=LAN
add interface=vStaff20 list=LAN
add interface=vGuests30 list=LAN
add interface=vOrders40 list=LAN
add interface=vTrusted11 list=Manage
add comment=defconf interface=ether1 list=WAN
add interface=vTrusted11 list=Internet
add interface=vStaff20 list=Internet
add interface=vGuests30 list=Internet
add interface=vStaff20 list=Printer
add interface=vOrders40 list=Printer
/ip address
add address=192.168.88.1/24 comment=defconf interface=vTrusted11 network=\
    192.168.88.0
add address=192.168.20.1/24 interface=vStaff20 network=192.168.20.0
add address=192.168.30.1/24 interface=vGuests30 network=192.168.30.0
add address=192.168.40.1/24 interface=vOrders40 network=192.168.40.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.40.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow trusted" in-interface-list=Manage
add action=accept chain=input dst-port=53 protocol=tcp  in-interface-list=LAN
add action=accept chain=input dst-port=53 protocol=udp  in-interface-list=LAN
add action=drop chain=input comment="drop all else"
# forward chain
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward in-interface=vTrusted11 out-interface-list=LAN src-address=192.168.88.XX \
   comment="allow admin to all vlans"
add action=accept chain=forward in-interface-list=Internet out-interface-list=WAN \
   comment="allow Internet access to trusted/staff/guests"
add action=accept chain=forward in-interface-list=Printer out-interface=vTrusted11 dst-address=192.168.88.YY \
   comment="allow Staff and Orders to printer"
add action=accept chain=forward connection-nat-state=dstnat comment="allow port forwarding (disable if not required)"
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=RouterOS
/tool mac-server
# insecure, so nothing should use this
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Manage
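
The layout points raised in the two posts above (one bridge, no DHCP server on a bridge, no VLAN interfaces as bridge ports, a final drop rule on the input and forward chains) can be checked mechanically against an export. This is an added example, not part of the thread and not a MikroTik tool; the function names, finding texts and sample export are constructed for illustration, and the pvid check relies on RouterOS honouring pvid only when the bridge has vlan-filtering=yes.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed export shaped like the first ac2 export in the thread.
SAMPLE_EXPORT = r"""
/interface bridge
add name=bridge
add name=bridge_vlan20
/interface vlan
add interface=Staff_wlan name=vlan20 vlan-id=20
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
add address-pool=dhcp_pool1 disabled=no interface=bridge_vlan20 name=dhcp1
/interface bridge port
add bridge=bridge_vlan20 interface=Staff_wlan
add bridge=bridge_vlan20 interface=vlan20
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=forward connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
"""

def parse_export(text):
    """Parse a RouterOS export into {menu path: [{key: value}, ...]}."""
    text = re.sub(r"\\\n\s*", "", text)          # join "\" continuation lines
    menus, path = defaultdict(list), None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            path = line
        elif path and line.startswith(("add ", "set ")):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            menus[path].append({k: v.strip('"') for k, v in pairs})
    return menus

def audit(text):
    """Return findings for the layout problems called out in the thread."""
    m, out = parse_export(text), []
    bridges = defaultdict(dict)
    for b in m["/interface bridge"]:             # merge add/set lines per bridge
        bridges[b.get("name")].update(b)
    vlans = {v.get("name") for v in m["/interface vlan"]}
    if len(bridges) > 1:
        out.append(f"{len(bridges)} bridges defined; the advice is one bridge")
    for p in m["/interface bridge port"]:
        br = bridges.get(p.get("bridge"), {})
        if p.get("interface") in vlans:
            out.append(f"vlan interface {p.get('interface')} added as a bridge port")
        # pvid is only honoured once the bridge has vlan-filtering=yes
        if "pvid" in p and br.get("vlan-filtering") != "yes":
            out.append(f"{p.get('interface')}: pvid set but {p.get('bridge')} has no vlan-filtering")
    for d in m["/ip dhcp-server"]:
        if d.get("interface") in bridges:
            out.append(f"dhcp-server {d.get('name')} bound to bridge {d.get('interface')}")
    for chain in ("input", "forward"):
        rules = [r for r in m["/ip firewall filter"] if r.get("chain") == chain]
        last = rules[-1] if rules else {}
        # an unconditional drop carries no matcher besides action/chain/comment
        if last.get("action") != "drop" or set(last) - {"action", "chain", "comment"}:
            out.append(f"{chain} chain does not end with an unconditional drop")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)))
```

Fed the rewritten export from the post above, it reports only the pvid findings, because that export sets pvid on the ports but never turns on vlan-filtering for br-cafe.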
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with Network Setup (Cafe - Bar)

Sat Nov 12, 2022 12:48 am

> ANAV
>
> The F--ked up thing... It's pretty easy to do this in caps-man. Did a bunch of times before I came to my senses.

Disagree simple easy to do with vlans..................
I even use a port off the bridge for any configuration or emergency backup because if anything is going to burp it's the bridge.
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with Network Setup (Cafe - Bar)

Sat Nov 12, 2022 12:49 am

Post the haplite and the hapmini and will fix those to match.
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: Help with Network Setup (Cafe - Bar)

Sat Nov 12, 2022 12:59 am

> > ANAV
> >
> > The F--ked up thing... It's pretty easy to do this in caps-man. Did a bunch of times before I came to my senses.
>
> Disagree simple easy to do with vlans..................
> I even use a port off the bridge for any configuration or emergency backup because if anything is going to burp it's the bridge.

I mean the caps-man config for the VLANS on your router pushed to the caps... it's pretty straightforward.

Build your VLANs on the bridge. Set up the configs for the SSIDs with the VLANS... Press and hold reset while booting... or connect to the waps and select RESET CONFIGURATION + caps-Mode. I had some pretty decent systems online in minutes. Then I could look at the router and quickly select a radio and change channels or bandwidth or whatever.

Script up a netwatch like tool to cut off the Guest network when the bar fell back to the cellular backup.
Add per device passwords for MAC addresses. And tag the device to move to another VLAN on the same SSID.
Make Queues

IT WAS SWEET!

Until all the Point of Sales devices and credit card readers couldn't connect anymore...
 
anav
Forum Guru
Posts: 19099
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Help with Network Setup (Cafe - Bar)

Sat Nov 12, 2022 5:48 pm

:-)

Sounds like something you could easily show me with some beers and a hapax3.
Will let you know when mine arrives and perhaps we can skype or something LOL
