Opifex
just joined
Topic Author
Posts: 12
Joined: Sun Aug 13, 2023 1:51 pm

Creating guest network on hAp ax² (Wifiwave2)?

Sun Aug 13, 2023 5:11 pm

Hi all,

I'm trying to create a guest network on my new hAp ax². There's plenty of tutorials and resources to be found on the internet (I will not link them, because apparently including links autodeletes posts?), but unfortunately it appears most of them are outdated or at least do not apply to this product.

For example, the first things you have to do are creating a security profile and a new interface. Both by clicking the `+` icon in WinBox and then selecting "Virtual AP". However, this option does not exist on my product. The only possible type is "Wifiwave2".

At first I thought it was a GUI-problem. But when comparing the command options with a hAp ac², I notice that the inner workings are entirely different.

This command for example:
```
/interface wireless security-profiles> add name=sec-guest mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=MyPasword group-key-update=00:05:00 management-protection=allowed
```
Exists on ac², but not on ax². I suspect it has got something to do with the wifiwave2 thingy, but I don't fully understand it enough to know what it is or how it makes a difference.

Could anyone point me in the right direction on how to properly create a guest WiFi on hAp ax²?

Thanks in advance!
 
holvoetn
Forum Guru
Posts: 6994
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Creating guest network on hAp ax² (Wifiwave2)?

Sun Aug 13, 2023 5:28 pm

Winbox / Wifiwave2
Add new interface
Set master interface to an existing radio, mode ap, that's how you create a slave interface.
Radio related settings will be exactly the same as for master.
Security etc you can make different.

It is (sort of) explained here:
https://help.mikrotik.com/docs/display/ ... properties

But I agree the explanation could be a bit more detailed.
 
Amm0
Forum Guru
Posts: 4498
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Creating guest network on hAp ax² (Wifiwave2)?  [SOLVED]

Sun Aug 13, 2023 5:44 pm

It's a bit confusing.

QuickSet also does a good job of creating (and restricting) the Guest VLAN, so if you're looking for a more basic setup, that's also an option.

If you already have a config, then the "trick" is when you add the new wifiwave2, you need to select a "parent interface" in the dialog that appears after the (+). And so you need to do it twice, one with "parent" = wifi1, and another one with parent = wifi2 (e.g. the 2.4GHz and 5GHz interfaces). Unlike V6, in the same dialog you can actually set the authentication/ssid all in one step via the tabs that appear when you add a new interface**.

Note: Any new wifiwave2 interface (w/ parent interface set) also needs to get added to the bridge as a port for it to work.

**Alternatively, you can create "profiles" for any of the configuration from the main wifiwave2 tabs in the dialog, that can be used indirectly on a new interface. And these "profiles" can be used when creating a new interface by selecting the particular profile from the drop-down on each of the tabs when creating a new interface. But if the profile is unset, it will use what configuration is set directly on the wifiwave2 guest interfaces instead. Either way works (direct on interface, or picking profiles) — just using profiles adds more config/complexity to explain here...
 
Opifex
just joined
Topic Author
Posts: 12
Joined: Sun Aug 13, 2023 1:51 pm

Re: Creating guest network on hAp ax² (Wifiwave2)?

Mon Aug 14, 2023 4:39 pm

Thanks holvoetn and Amm0!
I think I managed to create the guest network.
I created 2 interfaces, each having one of the physical interfaces as master. After that I created 2 VLANs (because apparently you can only have one interface per VLAN, but you can create multiple VLANs with the same VLAN ID?), and lastly I created a bridge to which all of these are added.

Then I created a firewall rule to drop all traffic from the guest-bridge to the regular bridge. I also added a Firewall rule to block all traffic from this guest bridge to 192.168.88.x/24, which is the network on the WAN side of this router.

As expected, hosts connected to the guest network (10.10.10.x) can't ping to a host on the private network (192.168.99.x), and neither can they ping to hosts on the surrounding network (192.168.88.x). But they can still ping hosts on WAN. So that looks good.

The only thing I'm not entirely sure of, is if they're still supposed to be able to ping the routers themselves? 192.168.88.1 and 192.168.99.1 are still accessible to them. I can find reasons why that makes sense (e.g. because traffic needs to be routed through them), but can also think of reasons why this does not make sense (guest network is a separate IP-range, so they don't need to have 192.168.99.1 as a gateway).

Could you guys shed some light on this? Am I done here? Or do I still have to do something to tie up this last loose end?

Thanks!
 
holvoetn
Forum Guru
Posts: 6994
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Creating guest network on hAp ax² (Wifiwave2)?

Mon Aug 14, 2023 4:56 pm

You can have multiple interfaces on the same VLAN. No problem there.

You need router input to provide router services (DHCP, DNS, ICMP, ...) to those Guest clients.
If it really bothers you, put some accept input rules for the mentioned services.
And then restrict firewall for input to your router coming from that guest range just below those newly created accept rules.

Make sure as well you have a 100% certain guaranteed management port to that router. It's easy to lock yourself out when not paying attention.
Safe mode is your friend here.
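
The input-chain restriction described in the post above, as an added example that is not part of the original thread: it accepts DHCP, DNS and ICMP from the guest side and drops everything else addressed to the router. The interface name `bridge-guest` and the rule comments are assumptions; substitute the name of the actual guest bridge.

```routeros
# Added example, not from the thread. Assumed name: bridge-guest (the guest bridge).
#
# A guest pinging 192.168.88.1 or 192.168.99.1 is talking to the router itself,
# so that traffic is handled by the input chain, not by the forward rules that
# already separate the guest bridge from the private and upstream networks.
# Matching on in-interface covers every address the router owns.

/ip firewall filter

# Router services the guests need
add chain=input action=accept in-interface=bridge-guest protocol=udp dst-port=67 \
    comment="guest: DHCP requests"
add chain=input action=accept in-interface=bridge-guest protocol=udp dst-port=53 \
    comment="guest: DNS over UDP"
add chain=input action=accept in-interface=bridge-guest protocol=tcp dst-port=53 \
    comment="guest: DNS over TCP"
add chain=input action=accept in-interface=bridge-guest protocol=icmp \
    comment="guest: ICMP (ping to the gateway)"

# Everything else from guests to the router (WinBox, WebFig, SSH, ...) is dropped
add chain=input action=drop in-interface=bridge-guest \
    comment="guest: drop all other input"

# Check the resulting order; rules are evaluated top to bottom
print where chain=input
```

New rules are appended to the end of the list, so if an earlier input rule already accepts traffic from the guest side, move this group above it. Entering Safe Mode before applying the rules lets the router roll them back if the management session is cut off.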
 
Opifex
just joined
Topic Author
Posts: 12
Joined: Sun Aug 13, 2023 1:51 pm

Re: Creating guest network on hAp ax² (Wifiwave2)?

Mon Aug 14, 2023 8:48 pm

> You can have multiple interfaces on the same VLAN. No problem there.

Well, it didn't let me. But I guess making two VLANs with the same VLAN ID is functionally the same.

> You need router input to provide router services (DHCP, DNS, ICMP, ...) to those Guest clients.
> If it really bothers you, put some accept input rules for the mentioned services.

It doesn't bother me. As long as everything is secure. I don't want my guests snooping around on my private network, and definitely not on the network that is behind it (.88 range)

> Make sure as well you have a 100% certain guaranteed management port to that router. It's easy to lock yourself out when not paying attention.
> Safe mode is your friend here.

Could you elaborate on this? I'm not sure I understand what you mean?
 
Amm0
Forum Guru
Posts: 4498
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Creating guest network on hAp ax² (Wifiwave2)?

Mon Aug 14, 2023 9:05 pm

> > You can have multiple interfaces on the same VLAN. No problem there.
>
> Well, it didn't let me. But I guess making two VLANs with the same VLAN ID is functionally the same.

You only need one VLAN interface. And when you add any guest or additional Wi-Fi interface to /interface/bridge/ports (Bridge>Ports in winbox), you need to make sure the pvid= is set to match the VLAN and frame-types= is set to "admit-only-untagged-and-priority-tagged". But only one /interface/vlan is needed.

If you don't already have VLANs and associated firewall rules for a guest network... you can just add additional guest wifiwave2 interface to the default bridge as port, and restrict the traffic inside the bridge (e.g. if the bridge is NOT using vlan-filtering=yes):
```
/interface bridge filter
add action=drop chain=forward in-interface=wifi3
add action=drop chain=forward out-interface=wifi3
add action=drop chain=forward in-interface=wifi4
add action=drop chain=forward out-interface=wifi4
```
The above will only allow traffic to the internet, since local traffic is covered by the "forward" rule.
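
The single-VLAN layout described in the post above, as an added example that is not part of the original thread. Assumed values: the default bridge is named `bridge`, the radios are `wifi1` and `wifi2`, VLAN ID 10, the SSID, the passphrase placeholder, the name `vlan-guest` and the address 10.10.10.1/24 (the guest range mentioned earlier in the thread); `wifi3` and `wifi4` follow the names used in the post.

```routeros
# Added example, not from the thread. Every name and value below is an
# assumption listed in the lead-in; adjust to the actual configuration.
# Enter Safe Mode first: enabling vlan-filtering is the step that locks people out.

# 1. Guest interfaces: one slave per radio, each with its own SSID and security
/interface wifiwave2
add name=wifi3 master-interface=wifi1 disabled=no \
    configuration.mode=ap configuration.ssid="Guest" \
    security.authentication-types=wpa2-psk \
    security.passphrase="REPLACE-WITH-GUEST-PASSPHRASE"
add name=wifi4 master-interface=wifi2 disabled=no \
    configuration.mode=ap configuration.ssid="Guest" \
    security.authentication-types=wpa2-psk \
    security.passphrase="REPLACE-WITH-GUEST-PASSPHRASE"

# 2. Both guest interfaces join the existing bridge as access ports of VLAN 10
/interface bridge port
add bridge=bridge interface=wifi3 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged
add bridge=bridge interface=wifi4 pvid=10 \
    frame-types=admit-only-untagged-and-priority-tagged

# 3. The bridge itself is a tagged member, so the router can reach VLAN 10.
#    The access ports become untagged members through their pvid.
/interface bridge vlan
add bridge=bridge vlan-ids=10 tagged=bridge

# 4. Exactly one VLAN interface, shared by both guest radios
/interface vlan
add name=vlan-guest interface=bridge vlan-id=10
/ip address
add address=10.10.10.1/24 interface=vlan-guest

# 5. pvid and frame-types only take effect once filtering is on; do this last
/interface bridge
set bridge vlan-filtering=yes
```

The guest DHCP server and the firewall rules then attach to `vlan-guest` instead of a separate guest bridge.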
 
holvoetn
Forum Guru
Posts: 6994
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Creating guest network on hAp ax² (Wifiwave2)?

Mon Aug 14, 2023 9:06 pm

Way too easy to lock yourself out when setting up vlans.
A separate mgmt port, not on bridge, or safe mode can be life savers.
 
holvoetn
Forum Guru
Posts: 6994
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Creating guest network on hAp ax² (Wifiwave2)?

Mon Aug 14, 2023 9:07 pm


> You only need one VLAN interface. And when you add any guest or additional Wi-Fi interface to /interface/bridge/ports (Bridge>Ports in winbox), you need to make sure the pvid= is set to match the VLAN and frame-types= is set to "admit-only-untagged-and-priority-tagged". But only one /interface/vlan is needed.

That's indeed what I wanted to say.
 
Amm0
Forum Guru
Posts: 4498
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Creating guest network on hAp ax² (Wifiwave2)?

Mon Aug 14, 2023 9:09 pm

> Way too easy to lock yourself out when setting up vlans.
> A separate mgmt port, not on bridge, or safe mode can be life savers.

VLANs and management port... @pcunite guide describes the concept: viewtopic.php?t=143620

> or safe mode can be life savers.

Safe mode: https://help.mikrotik.com/docs/display/ ... e-SafeMode
 
Opifex
just joined
Topic Author
Posts: 12
Joined: Sun Aug 13, 2023 1:51 pm

Re: Creating guest network on hAp ax² (Wifiwave2)?

Tue Aug 15, 2023 11:45 am

Useful information, thanks!

But I'm assuming a full factory reset would also get me out of a fully locked box, right?

I will also be using the Safe mode a lot more from now on. I didn't know that was what it was for. Thanks!
 
holvoetn
Forum Guru
Posts: 6994
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: Creating guest network on hAp ax² (Wifiwave2)?

Tue Aug 15, 2023 12:07 pm


> But I'm assuming a full factory reset would also get me out of a fully locked box, right?

Sure.
But then you need to redo everything unless you made sure to backup (possibly with wrong config :lol: ) or export of config so you can reapply required bits.

Safe mode is quite helpful for such mishaps.
 
windsurflgeiten
just joined
Posts: 6
Joined: Sun Mar 12, 2023 3:42 pm

Re: Creating guest network on hAp ax² (Wifiwave2)?

Thu Aug 24, 2023 8:39 pm

Hi folks!

I would like to jump on this topic as I am doing exactly the same thing and having trouble to get the guest wifi working.

My setup is a RB4011 as a central router and a hAP ax^2 as an access point.

Everything works except the guest wifi. I had the same issue some years ago and at that time I simply created the guest wifi on my RB4011 predecessor which had wifi as well but my current setup does only offer wifi on my hAP ax^2. So I need to get also the guest wifi working on it.

I am using the same configuration which did work on my setup before - the only difference is that the hAP ax^2 hasn't got its own WAN access but needs the RB4011. However, as it is working for my "normal" wifi it seems that it is rather a routing issue - but I don't know why. I am sure that my firewall settings are not blocking my guest wifi!

In a nutshell:
On my hAP ax^2 I have my RB4011 connected on Interface 2 which is bridged with all other interfaces, including wifi1+wifi2, except my wifi3.
My wifi3 is a simple virtual wifi with wifi1 as master. I am not using any VLAN in this configuration, only the virtual wifi3.
To be able to run a DHCP I created a second bridge which only covers my wifi3. Nothing else is in there, as all others are on bridge1 and I am not using any VLAN.
DHCP is setup and working. My guests get an own IP in the range I did specify and the google DNS.
So, everything looks great. But: The guest wifi can't connect to anything although the firewall is widely open for testing (and my RB4011 is the main gateway).
I simply don't know why. This configuration seems to work if the system has its own WAN port running but doesn't work if WAN comes from a different router. However, the wifi1+2 is working. DHCP in this case comes from my RB4011.

Any ideas what I am doing wrong?

Thanks!
 
ReneKuhlman
just joined
Posts: 1
Joined: Wed Dec 13, 2023 11:41 am

Re: Creating guest network on hAp ax² (Wifiwave2)?

Wed Dec 13, 2023 11:45 am

In the VAP configuration, you should have the option to assign the security profile you created earlier. This ensures that your guest network has the desired security settings.
Last edited by holvoetn on Mon Dec 18, 2023 12:02 pm, edited 4 times in total.
Reason: Spam cleanup
 
robmaltsystems
Forum Veteran
Posts: 708
Joined: Fri Jun 21, 2019 12:04 pm

Re: Creating guest network on hAp ax² (Wifiwave2)?

Fri Dec 15, 2023 12:12 am

> It's a bit confusing.

Bit of an understatement. Supporting and managing RouterOS is definitely in the expert. I class there are three types of networking equipment:
  1. Beginner: TP-Link like consumer kit that is reasonably easy to configure but if you hit the limits, it's a hard wall.
  2. Professional: UBNT like kit that requires a bit more knowledge, configuration and planning.
  3. Expert: Mikrotik and, I assume, CISCO where you have to invest in the knowledge.
If you're self-taught, then it's a steep climb but once there, the flexibility of RouterOS is wonderful. I too am switching from RouterOS 6 to 7 at the same time of using AX/Wave2. Another small hill...