fl4co
just joined
Topic Author
Posts: 4
Joined: Sun Jan 22, 2023 3:04 pm

Guest network

Sat Feb 25, 2023 6:55 pm

Hello,

I'd like to know what's the best way to introduce a guest wifi network with a MikroTik device. I own a hAP ax3.

This is my current setup: I created two slave wifi interfaces, one for the 5GHz radio and one for the 2.4GHz. Then I created a bridge and added the two newly created wifi interfaces to the bridge. After that I assigned an IP address to the bridge and isolated the new network using the firewall.

Is this a best practice or are there better ways to achieve this, maybe without a bridge and involving VLANs?
 
fl4co
just joined
Topic Author
Posts: 4
Joined: Sun Jan 22, 2023 3:04 pm

Re: Guest network

Sun Mar 05, 2023 6:23 pm

Nobody has a guest or IoT separate SSID?
 
infabo
Long time Member
Posts: 621
Joined: Thu Nov 12, 2020 12:07 pm

Re: Guest network

Sun Mar 05, 2023 6:39 pm

You can look at what Quickset does. IIRC, the Quickset-configured guest wifi uses bridge filters.
 
justinmik
just joined
Posts: 11
Joined: Sat Mar 04, 2023 9:53 pm

Re: Guest network

Mon Mar 06, 2023 9:59 pm

This is my current setup...

Is this a best practice or are there better ways to achieve this, maybe without a bridge and involving VLANs?

That's very similar to my configuration on my ax2 (and ac2 before that). I have two slave guest networks (one for 2GHz and one for 5GHz) which share the same security configuration profile. They're in a single guest bridge, which has its own IP, DHCP server, and filter and NAT firewall rules. I put in some forward blocks so that packets can't be routed between it and the other bridges/networks, isolating it entirely. I haven't rigorously tested it but my friends and family are trustworthy...I think...

I have a third slave network, tied off the 2GHz master, dedicated to IoT devices. As posted on another topic, I had to disable the "256" varieties of encryption as some of the IoT devices don't play nicely with them enabled. I have similar filter/NAT rules but there are two devices that I need to access from my primary wired & wireless networks so I've poked a few holes. I'd like to lock the IoT devices down to MAC addresses but it appears the access-list isn't yet functional (or I'm using it wrong) in 7.8.

So far, I'm happy with the setup.
 
anav
Forum Guru
Posts: 19114
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest network

Mon Mar 06, 2023 10:18 pm

The easy method is one bridge for all vlans.
The vlans provide clear separation at layer 2 ---- DONE
Firewall rules provide clear separation at layer 3 ---- DONE.

No need for multiple bridges, no need for any bridge doing dhcp etc.
All vlans all the time, apples to apples, anything else is dumb unless there is a good reason.

VLAN10-HOME - home wired network and wifi on WLAN1 and WLAN2
VLAN20-GUEST used for virtual WLAN on 5ghz (one of your slaves)
VLAN30-IOT used for virtual WLAN on 2ghz (one of your slaves)
 
justinmik
just joined
Posts: 11
Joined: Sat Mar 04, 2023 9:53 pm

Re: Guest network

Mon Mar 06, 2023 11:13 pm

VLAN10-HOME - home wired network and wifi on WLAN1 and WLAN2
VLAN20-GUEST used for virtual WLAN on 5ghz (one of your slaves)
VLAN30-IOT used for virtual WLAN on 2ghz (one of your slaves)

I confess I've never personally set up any VLANs but have had to live with a lot of broken VLAN networks set up by other people. I'll consider your setup for a future implementation; thanks for taking the time to post the info!
 
holvoetn
Forum Guru
Posts: 5413
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Guest network

Mon Mar 06, 2023 11:21 pm

Don't mess around with half baked solutions.
Do it properly and use vlan.

Time to learn.
 
anav
Forum Guru
Posts: 19114
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Guest network

Tue Mar 07, 2023 12:55 am

The first step is to loosen your helmet, it's clearly on too tight!
 
justinmik
just joined
Posts: 11
Joined: Sat Mar 04, 2023 9:53 pm

Re: Guest network

Tue Mar 07, 2023 4:06 am

You guys are a lot of fun! Yes, it's so tight, you can see my face is turning grey.

On a serious note, can you tell me why using a VLAN is superior to using individual bridges? Are there efficiencies or speed differences?

Thanks!
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Guest network

Tue Mar 07, 2023 4:26 am

For a start, how many devices are we talking about? Is it a separate router and AP(s), or just a single device? If it's more than one, then VLANs allow you to have a centralized config on the router, and the AP can act as a dumb transparent device.
 
justinmik
just joined
Posts: 11
Joined: Sat Mar 04, 2023 9:53 pm

Re: Guest network

Tue Mar 07, 2023 3:39 pm

For a start, how many devices are we talking about? Is it a separate router and AP(s), or just a single device? If it's more than one, then VLANs allow you to have a centralized config on the router, and the AP can act as a dumb transparent device.

I have a relatively straightforward home office setup. I have a RB4011iGS+ (non-wireless) for my upstream provider (fiber via Xfinity), a backup provider (cellular 5G hardware gateway via Straighttalk/Verizon), NAT, and support for a few local network devices. I then run a single Ethernet cable, providing PoE, to a closet with the hAP ax2. That device is simply bridged to that local LAN (so is part of that primary NAT). The guest/IoT networks are NAT'd again with different ranges (double NAT, as I don't care about performance for those).

Now that I think of it, running VLANs so that the RB4011 is in control of everything and centralizes management is an interesting idea.
 
fl4co
just joined
Topic Author
Posts: 4
Joined: Sun Jan 22, 2023 3:04 pm

Re: Guest network

Sun Mar 12, 2023 1:22 am

I decided to take the VLAN route at last. Read the guide on this forum and used the bridge VLAN filtering method. I guess this is the preferred method and I'll be able to easily add more VLANs in the future.
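
The single-bridge layout anav lists (VLAN20-GUEST, VLAN30-IOT) combined with the bridge VLAN filtering method fl4co settled on, as an added RouterOS example that was not posted by anyone in this thread. It covers only the guest and IoT VLANs and leaves the home network on the bridge's default untagged VLAN; the interface names (`bridge`, `wifi3`, `wifi4`), the `WAN` interface list, the `RESTRICTED` list and all subnets are assumptions.

```routeros
# Added example. Assumed, not from the thread: bridge "bridge", guest slave "wifi3" (5 GHz),
# IoT slave "wifi4" (2.4 GHz), neither yet a bridge port; interface list "WAN" exists.
# Subnets are constructed examples.
/interface vlan
add interface=bridge name=vlan20-guest vlan-id=20
add interface=bridge name=vlan30-iot vlan-id=30
/interface list
add name=RESTRICTED
/interface list member
add list=RESTRICTED interface=vlan20-guest
add list=RESTRICTED interface=vlan30-iot

/ip address
add address=192.168.20.1/24 interface=vlan20-guest
add address=192.168.30.1/24 interface=vlan30-iot
/ip pool
add name=pool-guest ranges=192.168.20.10-192.168.20.254
add name=pool-iot ranges=192.168.30.10-192.168.30.254
/ip dhcp-server
add name=dhcp-guest interface=vlan20-guest address-pool=pool-guest
add name=dhcp-iot interface=vlan30-iot address-pool=pool-iot
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1 dns-server=192.168.30.1

# Layer 2: each slave SSID is an access port; pvid assigns its untagged frames to a VLAN.
/interface bridge port
add bridge=bridge interface=wifi3 pvid=20 frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=wifi4 pvid=30 frame-types=admit-only-untagged-and-priority-tagged
# The bridge is the tagged member, so the vlan interfaces above receive the traffic.
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=20
add bridge=bridge tagged=bridge vlan-ids=30

# Layer 3: guest/IoT clients may open connections toward the WAN only, and may use
# the router for DNS and DHCP only. Rule order matters: place these above any
# broader accept or drop rule already present in the same chain.
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface-list=RESTRICTED out-interface-list=WAN
add chain=forward action=drop in-interface-list=RESTRICTED
add chain=input action=accept in-interface-list=RESTRICTED protocol=udp dst-port=53,67
add chain=input action=drop in-interface-list=RESTRICTED

# Enable filtering last, from a wired home port, so a mistake above does not lock you out.
/interface bridge
set bridge vlan-filtering=yes
```

Until `vlan-filtering=yes` is set the `pvid` values are ignored and the slave SSIDs are bridged straight into the home LAN, so verify isolation from a guest client only after that last step.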
