Community discussions

MikroTik App
 
msachse
just joined
Topic Author
Posts: 8
Joined: Mon Jun 26, 2023 3:46 pm

Guest network isolation

Fri Jul 28, 2023 2:25 am

Hello,
I am challenged to create a setup where I use two hAP ax3 to cover the building with wireless lan for both internal devices (intranet) as well as the occasional guest (guest) who is isolated from the intranet and other devices but has access to the internet.

In my setup, I am using a ISP provided FritzBox as router to get internet from the ISP, it also runs the DHCP Server and is where my firewall is configured.

I have two hAP ax3 simply setup as access points with a bridge and it’s static ip for management purposes (no default config). This works fine for internal devices, but I am struggling to add guest wireless to the network which is isolated.

How do I add virtual AP’s for both 2.5 and 5 gHZ frequencies on each hAP that are isolated from the network but have access to the internet? My router’s DHCP server provides IPs in the 192.168.100.x subnet. Both hAP are connected to my router using one cable only.
You do not have the required permissions to view the files attached to this post.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12908
Joined: Thu Mar 03, 2016 10:23 pm

Re: Guest network isolation

Fri Jul 28, 2023 7:29 am

True isolation is not possible without cooperation from router (Fritz). Ideally router would support VLANs and allow configuring firewall between all networks (WAN, LAN and guests).

You could try to make "almost" good solution by using one of hAPs as router between guest and LAN, running firewall which prevents communication between guests and LAN except for router. In this case you'd have to perform additional NAT on that hAP unless Fritz can be configured with static routing (route towards guests with hAP as gateway). Fritz should then configure ports, connecting both hAPs, as switched ports. You could use VLAN for guest network on hAPs and hope that Fritz (as a switch) doesn't trip over because of that.
 
msachse
just joined
Topic Author
Posts: 8
Joined: Mon Jun 26, 2023 3:46 pm

Re: Guest network isolation

Fri Jul 28, 2023 8:05 pm

Thanks for the quick response. It seems I've already asked the question last month viewtopic.php?p=1009874#p1009874 and it seems I have a path forward.

I have another setup which is similar but different I could use help with on the same topic. My other network has same hAP setup, but this time I have a Mikrotik router (RB5009) connecting to the ISP. You've indicated the use of VLAN for isolation purposes on the guest wireless (as slaves to the main). How would I set this up best (I believe there are different ways for the hAPs) to tag packets with VLAN information?
You do not have the required permissions to view the files attached to this post.
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 12908
Joined: Thu Mar 03, 2016 10:23 pm

Re: Guest network isolation

Fri Jul 28, 2023 8:45 pm

Not sure about what exactly you're asking with regard to hAPs, but I'd go with the bridge VLAN ... even though hAPs don't offload that to hardware, it probably doesn't matter much if hAPs won't be used as switches between their ethernet ports (HW offload doesn't help much with traffic via wifi as that's handled by CPU anyway).

I'm sure you already read this excelent vlan tutorial, but if you didn't, do do. It explains how it should be done.

Who is online

Users browsing this forum: rahan and 11 guests