Community discussions

MikroTik App
  4. RouterOS
  5. General

Looking for instrction to isolate guest wifi networks

Post Reply
 
zhouck
just joined
Topic Author
Posts: 12
Joined: Wed Sep 06, 2023 2:45 pm

Looking for instrction to isolate guest wifi networks

Fri Oct 04, 2024 9:27 pm

After upgrade to 7.15 old instruction not working due to packages separation for wifi

My goal is to have guest wifi networks completely unreachable in both ways and guest wifi have internet access only. Also, prevent to set static IP on guest networks.

The best is to have some instruction for this case
Top
 
Cl3an
just joined
Posts: 19
Joined: Wed Dec 01, 2021 12:08 am

Re: Looking for instrction to isolate guest wifi networks

Fri Oct 04, 2024 10:37 pm

I’m also interested. All the guides, tutorials, and instructions are for the “old” wireless interface and not for WiFi. (wifi-qcom-ac // wifi-qcom)
Top
 
erlinden
Forum Guru
Forum Guru
Posts: 2638
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: Looking for instrction to isolate guest wifi networks

Fri Oct 04, 2024 10:43 pm

Friend @tangent wrote a complete blog post:
https://tangentsoft.com/mikrotik/wiki?n ... ns%20VLANs
Top
 
optio
Forum Veteran
Forum Veteran
Posts: 945
Joined: Mon Dec 26, 2022 2:57 pm

Re: Looking for instrction to isolate guest wifi networks

Fri Oct 04, 2024 10:50 pm

Follow this guide for setting guest VLAN for AP: viewtopic.php?t=143620#p706999.
Commands for WiFi setup shouldn't differ much from old WiFi package or use Winbox for setup it, VLAN setup is not directly related to WiFi setup except knowing which wifi intarfece needs to be part of which network.
Last edited by optio on Sat Oct 05, 2024 12:36 am, edited 1 time in total.
Top
 
Cl3an
just joined
Posts: 19
Joined: Wed Dec 01, 2021 12:08 am

Re: Looking for instrction to isolate guest wifi networks

Fri Oct 04, 2024 11:09 pm

Friend @tangent wrote a complete blog post:
https://tangentsoft.com/mikrotik/wiki?n ... ns%20VLANs
Looks promising. Thank you
Top
 
Josephny
Forum Veteran
Forum Veteran
Posts: 768
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Looking for instrction to isolate guest wifi networks

Sat Oct 05, 2024 12:08 am

While I'd love to master VLANS, it seems to be beyond me.

@tangent solution works for me (thank you @tangent!).

These are the config entries I used (I'm sure you'll want to customize to your environment):
Code: Select all
/interface wifi configuration add datapath.client-isolation=yes disabled=no name=guestcfg security.authentication-types=wpa2-psk .passphrase=blueberry ssid=GuestWifi

/interface wifi add configuration=guestcfg configuration.mode=ap disabled=no  master-interface=wifi2 name=Guest2g

/interface wifi add configuration=guestcfg configuration.mode=ap disabled=no master-interface=wifi1 name=Guest5g

/ip pool add name=pool-guest ranges=10.0.0.10-10.0.0.252

/ip address add address=10.0.0.1/24 interface=Guest2g network=10.0.0.0

/ip address add address=10.0.0.1/24 interface=Guest5g network=10.0.0.0

/ip dhcp-server add address-pool=pool-guest interface=Guest2g name=dhcp-guest2g

/ip dhcp-server add address-pool=pool-guest interface=Guest5g name=dhcp-guest5g

/ip dhcp-server network add address=10.0.0.0/24 dns-server=1.1.1.1 gateway=10.0.0.1

/ip dns static add address=10.0.0.1 comment=defconf name=router.lan

/ip firewall address-list add address=10.0.0.2-10.0.0.254 list="Guest WiFi"

/ip firewall filter add action=accept chain=input comment="allow 67 68 to 10.0.0.1" dst-address=10.0.0.1 dst-port=67,68 log=yes log-prefix="allow 67 68 to 10.0.0.1" protocol=udp

/ip firewall filter add action=drop chain=input comment="drop all to 10.0.0.1" dst-address=10.0.0.1 in-interface=!lo log=yes log-prefix="drop all to 10.0.0.1"

/ip firewall filter add action=drop chain=forward comment="drop all 10.0.0.0/24 to not-WAN" log-prefix=drop-all-10-0-0-0-24-to-not-WAN out-interface-list=!WAN src-address=10.0.0.0/24

/ip firewall filter add action=drop chain=forward comment="drop guest to 192.168.0.0/16" dst-address=192.168.0.0/16 dst-port=!53,68,68 log=yes log-prefix=drop-guest-to-192-168-0-0-16 protocol=udp src-ad
dress-list="Guest WiFi"


#Move firewall rules to correct position number
Top
 
Cl3an
just joined
Posts: 19
Joined: Wed Dec 01, 2021 12:08 am

Re: Looking for instrction to isolate guest wifi networks

Sat Oct 05, 2024 12:30 am

Quick Set
Code: Select all
/interface wifi add … master-interface=wifi2 name=wifi2g …
/interface bridge filter add action=drop chain=forward in-interface=wifi2g
/interface bridge filter add action=drop chain=forward out-interface=wifi2g
/interface bridge port add bridge=bridge interface=wifi2g
Can someone explain the missing part with “…” (two places)
Top
 
optio
Forum Veteran
Forum Veteran
Posts: 945
Joined: Mon Dec 26, 2022 2:57 pm

Re: Looking for instrction to isolate guest wifi networks

Sat Oct 05, 2024 12:49 am

Can someone explain the missing part with “…” (two places)
To replace it with properties related to wifi slave configuration, in that tutorial there is add configuration example /interface wifi configuration add ... same properties can be added to wifi add command. Difference is when you have separate configuration it can be reused for other wifi interfaces if needed.
Top
 
zhouck
just joined
Topic Author
Posts: 12
Joined: Wed Sep 06, 2023 2:45 pm

Re: Looking for instrction to isolate guest wifi networks

Mon Oct 07, 2024 12:08 pm

Thanks for instruction.

It almost works - however, while 2g guest network works fine (tested by IoT devices and smartphone), 5g guest network rejects WAN request, so smartphone could not connect to internet. Mikrotik hap AC^2, 7.15.3
Top
 
Josephny
Forum Veteran
Forum Veteran
Posts: 768
Joined: Tue Sep 20, 2022 12:11 am
Location: New York, USA

Re: Looking for instrction to isolate guest wifi networks

Mon Oct 07, 2024 12:24 pm

Thanks for instruction.

It almost works - however, while 2g guest network works fine (tested by IoT devices and smartphone), 5g guest network rejects WAN request, so smartphone could not connect to internet. Mikrotik hap AC^2, 7.15.3
I'm far from an expert, but I'll try to help.

First step is to post your entire sanitized export.
Top
 
User avatar
tangent
Forum Guru
Forum Guru
Posts: 1659
Joined: Thu Jul 01, 2021 3:15 pm
Contact:
Contact tangent

Re: Looking for instrction to isolate guest wifi networks

Mon Oct 07, 2024 2:45 pm

5g guest network rejects WAN request, so smartphone could not connect to internet. Mikrotik hap AC^2, 7.15.3

That’s a documented feature of my scheme: guests do not get full-service WiFi.

I have no desire to prototype an alternative that lifts that restriction for you, but it would involve creating a “wifi5g” slave parallel to the article’s existing wifi2g, then bridging them together.
Top
 
User avatar
tangent
Forum Guru
Forum Guru
Posts: 1659
Joined: Thu Jul 01, 2021 3:15 pm
Contact:
Contact tangent

Re: Looking for instrction to isolate guest wifi networks

Mon Oct 07, 2024 3:03 pm

Can someone explain the missing part with “…” (two places)
To replace it with properties related to wifi slave configuration…

Also local details like country settings, SSID, PSK… Things I don’t want to reveal about my local config and cannot predict for yours. Fill in the blanks.
Top
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 21949
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:
Contact anav

Re: Looking for instrction to isolate guest wifi networks

Mon Oct 07, 2024 8:49 pm

Prior to using capsman, it was quite easy to setup up vlan per SSID or vlan per USER group (and assign both SSIDS to same VLAN) and have them fully separated at layer2 by vlans, at layer 3 by firewall rules and then through wifi settings decide whether or not wifi users should be able to see others on the same WIFI vlan. ( with only internet access of course )

With capsman, no clue, nor interested as the config blows up with all capsman entries and 3X the level of complication for no real gain IMHO.
Top
Post Reply

Who is online

Users browsing this forum: Fogga and 31 guests
  4. RouterOS
  5. General