massinia
Member Candidate
Topic Author
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

VLAN or firewall rules for guest WiFi network

Sat Jan 14, 2023 8:37 pm

Sorry for the banal question, I'm not an expert... :D

I have seen many guides that explain how to create a wireless network for guests, but it is not clear to me what the best solution is.

Some use a VLAN for the guest bridge; others instead create a rule in the firewall to isolate the main bridge from the one used for the guest network.

In your opinion, what is the best solution, and which one uses less CPU?

VLAN or a firewall rule?
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN or firewall rules for guest WiFi network

Sat Jan 14, 2023 9:03 pm

Depends,
Provide your network diagram and config.
Is your router an MT router with wifi, or are you talking about an AP or a router being used as a switch and AP?

Personally vlans and multiple wlans go well together.
 
massinia
Member Candidate
Topic Author
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: VLAN or firewall rules for guest WiFi network

Sun Jan 15, 2023 1:23 pm

Thanks for the reply :D

I have only one hAP ac 2.

I've used a VLAN and everything works; I was just wondering if it was better to do everything with a simple rule in the firewall.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: VLAN or firewall rules for guest WiFi network

Sun Jan 15, 2023 1:54 pm

Actually you need both VLAN and firewall rules. V in VLAN stands for "virtual", meaning it's a separate LAN but sharing physical infrastructure with other VLANs. But when it comes to routing, the router (by this I mean the routing function of the device) treats all networks equally ... it doesn't know that 192.168.1.0/24 is any different from x.y.z.w/16. And by default the router gladly forwards packets received through one interface to another interface, depending on routing tables. And to a router, VLANs are just more interfaces. The router only cares about IP addresses; it doesn't care about protocols etc.
So using VLANs indeed separates devices on the same LAN infrastructure (AP, switch, ...), but when those packets arrive at the router, VLANs stop being relevant.

Luckily ROS offers another function (apart from routing) on all devices: firewalling, which sits between the ingress interface and the routing engine. So the firewall can inspect a packet (in more detail than the router does: it also cares about protocols and ports, etc.) and discard it if some rule requests so.
If you want to block traffic between the guest LAN and the "owner's" LAN, you have to add a rule in the firewall which will block such traffic.

You can block traffic between certain IP subnets using routing filters. These are much more resource friendly than the firewall. However, they generally lack the flexibility which only a stateful firewall can provide.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VLAN or firewall rules for guest WiFi network

Sun Jan 15, 2023 3:17 pm

Or simply (on a router):
VLANs separate users at layer 2, MAC address
firewall rules separate users at layer 3, IP addresses (needed because a router knowing all local interfaces will route requests between subnets or VLANs if not told otherwise)
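
The point made in the two replies above (a guest VLAN is still routed to the main LAN until a firewall rule says otherwise), shown as an added RouterOS example that is not part of the original thread. The names `bridge` (main LAN), `vlan-guest` (VLAN ID 20) and `ether1` (WAN) and both subnets are assumptions, and the layer-2 side (guest virtual AP tagged into the VLAN) is assumed to be working already.

```routeros
# Added example, not from the thread. Assumed names: bridge = main LAN
# (192.168.88.0/24), vlan-guest = guest VLAN ID 20 (192.168.20.0/24),
# ether1 = WAN. All addresses are constructed sample values.

# To the router the guest VLAN is just one more interface with its own subnet.
/interface vlan
add name=vlan-guest vlan-id=20 interface=bridge
/ip address
add address=192.168.20.1/24 interface=vlan-guest

# With only the lines above, 192.168.20.0/24 and 192.168.88.0/24 are both
# connected routes, so the router forwards between them. The filter rules
# below are what actually isolates the guests at layer 3.
/ip firewall filter
# Stateful part: replies to already permitted connections keep working,
# e.g. the main LAN can still open connections to a guest device.
add chain=forward action=accept connection-state=established,related comment="allow replies"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
# Guests may be routed to the internet only.
add chain=forward action=accept in-interface=vlan-guest out-interface=ether1 comment="guest -> WAN"
# Any other routed traffic from guests is dropped, including guest -> main LAN.
add chain=forward action=drop in-interface=vlan-guest comment="guest -> any other network"

# The forward chain does not cover traffic addressed to the router itself
# (management services). Permit only DNS and DHCP from guests, drop the rest.
add chain=input action=accept in-interface=vlan-guest protocol=udp dst-port=53,67 comment="guest DNS/DHCP"
add chain=input action=accept in-interface=vlan-guest protocol=tcp dst-port=53 comment="guest DNS over TCP"
add chain=input action=drop in-interface=vlan-guest comment="guest -> router"
```

Filter rules are evaluated top to bottom and `add` appends to the end of the chain, so on a router that already has rules, check with `/ip firewall filter print` that these sit above any broader accept rule.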
 
massinia
Member Candidate
Topic Author
Posts: 159
Joined: Thu Jun 09, 2022 7:20 pm

Re: VLAN or firewall rules for guest WiFi network

Mon Jan 16, 2023 9:24 am

Thanks everyone :wink:
