MeltdownSpectre
just joined
Topic Author
Posts: 5
Joined: Tue Jun 10, 2025 10:09 am
Location: PK

Most effective solution for device blocking

Tue Jun 10, 2025 10:26 am

Hi,

I recently purchased a MikroTik Chateau LTE18 ax for a remote site of ours. Nobody lives at the site and I only visit 2 or 3 times a month for an overnight trip. There are 2 staff members who go home every day between 4 and 5 PM.

Other than my phone + laptop and the smartphones for both the staff members, I don't want anybody to be able to connect to our network. The WiFi password seems to have been leaked by one of the staff members and now teenagers and kids in the area often sit outside the exterior wall of the office and use free WiFi. Since the remote site doesn't have high data usage, I have a limited LTE data plan with a 100GB monthly cap. This has been exceeded twice now resulting in additional charges.

I want to create the following:

1) A WiFi network that is password protected but only whitelisted devices can connect. This way even if the password is leaked again, they won't be able to connect unless they're on the whitelist.

2) A guest WiFi network that is off by default, and I would only turn it on if there are actually visitors at the site. This would also be password protected, but this SSID would be disabled most of the time so not really a concern if the password gets leaked. No whitelist or blacklist is required for this network since it would only run for a few hours at best.

What is the most effective way to implement this? Keeping in mind I also have additional (non-MikroTik) access points at the remote site. For the main WiFi network, I'd like to have the same SSID across all APs (including the LTE18ax), so I suppose the whitelist would have to be on the DHCP server (which is my MikroTik device) and not on the wireless interface, because that would require me to maintain 3 separate whitelists across all 3 APs which seems too cumbersome.

Secondly, for the second guest network, what's the way forward there? How can I create an additional network on the MikroTik device for a guest network that is also functional on both my non-MikroTik access points? VLANs or some other method?

I'm familiar with networking in general, but new to RouterOS which seems full of functionality, but with a very steep learning curve, so I'd appreciate some advice from the RouterOS veterans here.

Thanks
 
pe1chl
Forum Guru
Posts: 10669
Joined: Mon Jun 08, 2015 12:09 pm

Re: Most effective solution for device blocking

Tue Jun 10, 2025 11:03 am

It depends on what your other APs can do.
I am using WiFi with MAC authentication using RADIUS (and user-manager running on my main router).
That allows access only for MAC addresses listed in the router (for the main SSID).
When your other APs support that (i.e. they are not toys) you can combine them in the same setup.

For your guest network you can setup a second VLAN and disable/enable that using a scheduled script.
In a MikroTik AP you can also disable/enable the virtual network interface for the guest VLAN instead.
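As an added example (not part of pe1chl's post, and not MikroTik's own configuration), this is what the guest VLAN with a scheduled on/off switch looks like on a RouterOS 7 device using the wifi package such as the Chateau LTE18 ax. Everything named here is an assumption: bridge `bridge` already has `vlan-filtering=yes` with the staff VLAN working, the other two APs hang off `ether2`/`ether3`, the main radio is `wifi1`, the WAN is `lte1`, guest VLAN id is 20 and the passphrase is a placeholder.

```routeros
# Added example, not from the thread. Assumed names: bridge "bridge"
# (vlan-filtering already on), APs on ether2/ether3, radio wifi1, WAN lte1.

# Carry guest VLAN 20 tagged to the other APs so they can offer the same guest SSID
/interface bridge vlan
add bridge=bridge vlan-ids=20 tagged=bridge,ether2,ether3

# Virtual wifi interface for the guest SSID, placed in VLAN 20 via a datapath
/interface wifi datapath
add name=dp-guest bridge=bridge vlan-id=20
/interface wifi
add name=wifi-guest master-interface=wifi1 configuration.ssid=Guest \
    datapath=dp-guest security.authentication-types=wpa2-psk,wpa3-psk \
    security.passphrase=CHANGEME-guest-passphrase disabled=yes

# Router side of the guest VLAN: gateway address and DHCP for visitors
/interface vlan
add name=vlan20-guest interface=bridge vlan-id=20 disabled=yes
/ip address
add address=192.168.20.1/24 interface=vlan20-guest
/ip pool
add name=pool-guest ranges=192.168.20.100-192.168.20.199
/ip dhcp-server
add name=dhcp-guest interface=vlan20-guest address-pool=pool-guest
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# Guests may reach the internet only, never the office LAN or the router itself
/ip firewall filter
add chain=forward in-interface=vlan20-guest out-interface=lte1 action=accept \
    comment="guest -> WAN"
add chain=forward in-interface=vlan20-guest action=drop comment="guest -> anything else"
add chain=input in-interface=vlan20-guest protocol=udp dst-port=53,67 action=accept \
    comment="guest DNS/DHCP to router"
add chain=input in-interface=vlan20-guest action=drop comment="guest -> router"

# Switching the guest network: disabling the VLAN interface kills the gateway for
# guest clients on ALL APs, disabling wifi-guest silences this AP's own guest SSID
/system script
add name=guest-on  source="/interface vlan enable vlan20-guest; /interface wifi enable wifi-guest"
add name=guest-off source="/interface vlan disable vlan20-guest; /interface wifi disable wifi-guest"

# Run guest-on by hand when visitors arrive; the scheduler turns it off every evening
/system scheduler
add name=guest-off-nightly start-time=18:00:00 interval=1d on-event=guest-off
```

Firewall rules are appended in order, so the two `drop` rules must end up before any broad "accept from LAN" rule you may already have; check with `/ip firewall filter print` and move them with `move` if needed. The guest SSID on the non-MikroTik APs has to be mapped to VLAN 20 on those devices; when the VLAN interface on the router is disabled their guests can still associate but get no address and no gateway.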
 
MeltdownSpectre
just joined
Topic Author
Posts: 5
Joined: Tue Jun 10, 2025 10:09 am
Location: PK

Re: Most effective solution for device blocking

Tue Jun 10, 2025 1:21 pm

> It depends on what your other APs can do.
> I am using WiFi with MAC authentication using RADIUS (and user-manager running on my main router).
> That allows access only for MAC addresses listed in the router (for the main SSID).
> When your other APs support that (i.e. they are not toys) you can combine them in the same setup.
>
> For your guest network you can setup a second VLAN and disable/enable that using a scheduled script.
> In a MikroTik AP you can also disable/enable the virtual network interface for the guest VLAN instead.
One is an old Linksys router running OpenWrt and the other is a TP Link EAP225 outdoor AP. Both are VLAN capable.
 
pe1chl
Forum Guru
Posts: 10669
Joined: Mon Jun 08, 2015 12:09 pm

Re: Most effective solution for device blocking

Tue Jun 10, 2025 2:46 pm

But are they MAC-authentication / RADIUS capable?
 
CGGXANNX
Long time Member
Posts: 635
Joined: Thu Dec 21, 2023 6:45 pm

Re: Most effective solution for device blocking

Tue Jun 10, 2025 3:22 pm

The EAP225 does https://support.omadanetworks.com/us/document/13321/, it also supports PPSK with RADIUS and WPA/2/3-Enterprise.

OpenWrt supports per-MAC-address PSK (https://openwrt.org/docs/guide-user/net ... a_psk_file) as well as WPA/2/3-Enterprise (https://openwrt.org/docs/guide-user/net ... cess_point).
 
anav
Forum Guru
Posts: 23825
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Most effective solution for device blocking

Tue Jun 10, 2025 5:04 pm

1. Change the WIFI password and remind staff that they will lose their jobs if they give out the wifi password.
2. Shut down WIFI by script after hours (thus ensuring you only keep wireguard or VPN access, wired after hours)

These are the easy steps.
In terms of shutting down wifi, I'll let the experts here give details.
Thoughts:
- disable ports leading to APs at 1710
- enable ports leading to APs at 10 minutes prior to work starting.

The other recommended solutions add part of the burden to the user, I try to avoid that as much as possible.
Opinions will differ!!
 
MeltdownSpectre
just joined
Topic Author
Posts: 5
Joined: Tue Jun 10, 2025 10:09 am
Location: PK

Re: Most effective solution for device blocking

Tue Jun 10, 2025 6:05 pm

> But are they MAC-authentication / RADIUS capable?
They are, but that seems too complex and time consuming to setup.

Are there any downsides to just allowing only certain MACs to be whitelisted for the DHCP server that handles the main WiFi network?
 
MeltdownSpectre
just joined
Topic Author
Posts: 5
Joined: Tue Jun 10, 2025 10:09 am
Location: PK

Re: Most effective solution for device blocking

Tue Jun 10, 2025 6:06 pm

> 1. Change the WIFI password and remind staff that they will lose their jobs if they give out the wifi password.
> 2. Shut down WIFI by script after hours (thus ensuring you only keep wireguard or VPN access, wired after hours)
>
> These are the easy steps.
> In terms of shutting down wifi, I'll let the experts here give details.
> Thoughts:
> - disable ports leading to APs at 1710
> - enable ports leading to APs at 10 minutes prior to work starting.
>
> The other recommended solutions add part of the burden to the user, I try to avoid that as much as possible.
> Opinions will differ!!
I can't shut off WiFi as there are some IoT devices that are WiFi only so I can't have them hard wired to the switch.
 
lurker888
Member
Posts: 427
Joined: Thu Mar 02, 2023 12:33 am

Re: Most effective solution for device blocking

Tue Jun 10, 2025 6:47 pm

The others have given some ideas and they're solid.

The problem you have is not unique, it's encountered all over in its various forms. There really is no silver bullet. However there are definitely things that you can do that will alleviate the problem - hopefully to a level that is to your satisfaction.
* You mention that you have IoT devices. Transfer these to their own SSID. Select a password that you don't reveal to anyone.
* Throttle WiFi users using queues, PCQ queuing with limit per source address is just what you want. If your wifi is indeed illicitly used, this will limit the amount of "damage" and make your network a less enticing target.
* Use some sort of time-based scripting to either fully turn off the employee SSID or adjust the queue limits much lower than during the day.
* I would deploy PPSK - each employee gets their own password.
* MAC-based auth: the access list can be used to allow/block devices based on their MAC

These are all imperfect - but sadly the evil bit (as per RFC3514) is not yet widely deployed.

I hope that applying some or all of these will allow you to curb the misuse to a tolerable level.
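Added example (not from lurker888's post and not MikroTik's own code) showing three of the items above on a RouterOS 7 wifi-package device: a per-client PCQ queue, a scheduled drop of the ceiling after hours, and a MAC whitelist in the access list. Assumed names: the staff network is 192.168.10.0/24, the staff SSID runs on `wifi1`, the times and rates are arbitrary, and the MAC addresses are constructed placeholders.

```routeros
# Added example, not from the thread. Assumptions: staff subnet 192.168.10.0/24,
# staff SSID on wifi1, MACs below are constructed placeholders.

# 1) Fair-share queue. PCQ gives every client its own sub-queue: upload is
#    classified by src-address and download by dst-address (as the router sees
#    the packets), so one greedy device cannot burn the whole LTE allowance.
/queue type
add name=pcq-up-2M   kind=pcq pcq-rate=2M pcq-classifier=src-address
add name=pcq-down-5M kind=pcq pcq-rate=5M pcq-classifier=dst-address
/queue simple
add name=wifi-fair target=192.168.10.0/24 queue=pcq-up-2M/pcq-down-5M \
    max-limit=8M/20M comment="daytime ceiling for the whole staff network"

# 2) Time-based scripting: much lower ceiling after hours, restored each morning.
#    Nobody legitimate is on site at night, so leftover traffic is mostly abuse.
/system script
add name=wifi-night source="/queue simple set [find name=wifi-fair] max-limit=512k/1M"
add name=wifi-day   source="/queue simple set [find name=wifi-fair] max-limit=8M/20M"
/system scheduler
add name=wifi-night-1730 start-time=17:30:00 interval=1d on-event=wifi-night
add name=wifi-day-0730   start-time=07:30:00 interval=1d on-event=wifi-day

# 3) MAC whitelist on the MikroTik radio. Entries are evaluated top-down; a
#    client that matches no entry is ACCEPTED by default, so the final
#    catch-all reject is what turns this into a whitelist.
/interface wifi access-list
add interface=wifi1 mac-address=AA:BB:CC:00:00:01 action=accept comment="staff phone 1"
add interface=wifi1 mac-address=AA:BB:CC:00:00:02 action=accept comment="staff phone 2"
add interface=wifi1 mac-address=AA:BB:CC:00:00:03 action=accept comment="owner laptop"
add interface=wifi1 action=reject comment="deny every MAC not listed above"
```

Verify the whitelist with `/interface wifi registration-table print` after connecting a device that is not listed: it should never appear there, and `/log print where topics~"wireless"` shows the rejection. The queue only applies to traffic that passes through the router, so the per-client limit covers the non-MikroTik APs as well as long as their clients sit in the same subnet.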
 
pe1chl
Forum Guru
Posts: 10669
Joined: Mon Jun 08, 2015 12:09 pm

Re: Most effective solution for device blocking

Tue Jun 10, 2025 10:37 pm

> But are they MAC-authentication / RADIUS capable?
> They are, but that seems too complex and time consuming to setup.
>
> Are there any downsides to just allowing only certain MACs to be whitelisted for the DHCP server that handles the main WiFi network?
Setting up a user-manager service in RouterOS is a piece of cake. And the admin of it is just as inconvenient as having a whitelist in the DHCP server.
When you want to do that, set up DHCP (on that VLAN) without any pool and make only static reservations.
You can have a pool with a couple of addresses near the end of (or beginning of) the network, have a new device obtain a lease from that, then use "make static" and change the IP to outside that pool area, and when you are done you disable the pool.
But similar is possible using user-manager: copy the MAC of the refused device from the log to a new entry in user-manager.

WPA/2/3-Enterprise is a valid solution as well (combined with user-manager), you can assign the username/password beforehand, but unfortunately IoT devices usually do not support it.
 
k6ccc
Forum Guru
Posts: 1619
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Most effective solution for device blocking

Tue Jun 10, 2025 11:25 pm

> You can have a pool with a couple of addresses near the end of (or beginning of) the network, have a new device obtain a lease from that, then use "make static" and change the IP to outside that pool area, and when you are done you disable the pool.
Make sure your legit users understand that they need to set the network on their phone to NOT randomize the MAC. How they need to do that depends on the phone, but any of the phones that can randomize the MAC have the ability to disable that on a given network.
 
CGGXANNX
Long time Member
Posts: 635
Joined: Thu Dec 21, 2023 6:45 pm

Re: Most effective solution for device blocking

Wed Jun 11, 2025 2:38 am

> When you want to do that, setup DHCP (on that VLAN) without any pool and make only static reservations.
> You can have a pool with a couple of addresses near the end of (or beginning of) the network, have a new device obtain a lease from that, then use "make static" and change the IP to outside that pool area, and when you are done you disable the pool.

And after this configuration is done, Add ARP For Leases should be turned on for the DHCP server and the ARP mode of the interface (bridge or VLAN) should be changed to reply-only.

> Make sure your legit users understand that they need to set the network on their phone to NOT randomize the MAC. How they need to do that depends on the phone, but any of the phones that can randomize the MAC have the ability to disable that on a given network.

This is a reason why for my WiFi networks phones/tablets/laptops are put on SSIDs (only one needed per site) with WPA2-Enterprise/WPA3-Enterprise with their individual login accounts. The MAC address is no longer important, as restrictions are per account, including placing the device with the account in specific VLAN and any limitation is configured on that VLAN. This works for both IPv4 and IPv6 (Android is only capable of SLAAC, limitation per individual IPv6 address is useless), and is great when all your kids already know how to turn on MAC randomization on their devices.

Other devices only capable of PSK (which include most IoT devices) can also share another single SSID with PPSK and can be assigned to different VLANs too. But this restricts the security to WPA2. You'll need multiple SSIDs if WPA3 is a requirement.
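Added example (not from any post in this thread and not MikroTik's own code) putting pe1chl's static-reservation DHCP procedure and CGGXANNX's "Add ARP For Leases" plus `reply-only` hardening together in one RouterOS 7 configuration. The ARP step is what makes the DHCP whitelist bite: without it a device that simply types in a static IP bypasses DHCP entirely, whereas with `arp=reply-only` the router answers ARP only for addresses it has leases for. Assumptions: the staff VLAN interface is `vlan10-staff` on 192.168.10.0/24, the MACs are constructed placeholders, and "disable the pool" from pe1chl's post is implemented by switching the server back to `address-pool=static-only` (a pool itself cannot be disabled). k6ccc's caveat applies: phones must have MAC randomization turned off for this SSID, or their MAC will not match the reservation.

```routeros
# Added example, not from the thread. Assumptions: staff VLAN interface
# vlan10-staff, subnet 192.168.10.0/24, MACs are constructed placeholders.

/ip address
add address=192.168.10.1/24 interface=vlan10-staff

# Tiny onboarding pool at the top of the subnet; only used while adding a device
/ip pool
add name=pool-onboard ranges=192.168.10.250-192.168.10.253

# Normal state: static-only, i.e. no lease unless a reservation exists.
# add-arp=yes makes the server create an ARP entry for every lease it hands out.
/ip dhcp-server
add name=dhcp-staff interface=vlan10-staff address-pool=static-only add-arp=yes \
    lease-time=1d
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1

# The whitelist: one reservation per known device, addresses outside the onboarding range
/ip dhcp-server lease
add server=dhcp-staff mac-address=AA:BB:CC:00:00:01 address=192.168.10.11 comment="owner phone"
add server=dhcp-staff mac-address=AA:BB:CC:00:00:02 address=192.168.10.12 comment="owner laptop"
add server=dhcp-staff mac-address=AA:BB:CC:00:00:03 address=192.168.10.13 comment="staff phone 1"

# reply-only: the interface stops learning ARP from the wire and answers only for
# entries it already has (the ones add-arp created). A self-assigned static IP
# therefore gets no ARP reply from the gateway and cannot talk past the router.
/interface vlan
set [find name=vlan10-staff] arp=reply-only

# Onboarding a new device (typed by hand, in this order, then reverted):
#   /ip dhcp-server set [find name=dhcp-staff] address-pool=pool-onboard
#   ... let the device join; it receives a .250-.253 lease ...
#   /ip dhcp-server lease make-static [find mac-address=AA:BB:CC:00:00:04]
#   /ip dhcp-server lease set [find mac-address=AA:BB:CC:00:00:04] address=192.168.10.14
#   /ip dhcp-server set [find name=dhcp-staff] address-pool=static-only
```

To confirm the hardening, `/ip arp print where interface=vlan10-staff` should list exactly the reserved addresses with their MACs and nothing learned dynamically; a device that sets 192.168.10.200 by hand will show up in `/ip dhcp-server alert` only if you enable it, but it will not get a ping reply from the gateway. Remember to set the same `arp=reply-only` on whichever interface actually carries the staff subnet if it is the bridge rather than a VLAN interface.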
 
MeltdownSpectre
just joined
Topic Author
Posts: 5
Joined: Tue Jun 10, 2025 10:09 am
Location: PK

Re: Most effective solution for device blocking

Wed Jun 11, 2025 10:52 am

Is there any way I can practice configuring this stuff in ROS without actually making changes on the only MikroTik device that I have?

Not sure how much is configurable through ROS's atrocious and extremely unintuitive GUI or if I'll have to use CLI which will take additional time to figure out.
 
pe1chl
Forum Guru
Posts: 10669
Joined: Mon Jun 08, 2015 12:09 pm

Re: Most effective solution for device blocking

Wed Jun 11, 2025 11:52 am

When you want to practice RouterOS configuration you can download a CHR version of RouterOS and run it in a virtualization program.
 
jaclaz
Forum Guru
Posts: 3105
Joined: Tue Oct 03, 2023 4:21 pm

Re: Most effective solution for device blocking

Wed Jun 11, 2025 2:25 pm

> When you want to practice RouterOS configuration you can download a CHR version of RouterOS and run it in a virtualization program.
But CHR does not have *anything* wireless AFAIK, so while testing in, say, GNS3[1] is extremely useful for routing, firewall, etc., it is not for anything wireless related.

[1] IF you can manage to have it installed and working without losing or prematurely whitening your hair. Given the kind of PITA it may be, if you get a used little device on e-bay, like an Ax Lite, you will be short some 50 bucks or so but you won't risk your sanity.