Bear with me, as I'm new to RouterOS/Mikrotik.

I currently serve WiFi to a block of 8 apartments. Access Point isolation is in place, so WiFi clients can't talk to each other, but I'm wondering whether I should separate this into 8 VAP's/SSID's to provide a higher level of security to each apartment block. I have two AP's, so it would mean 4 VAP's per AP. I just don't know whether this would be going overboard for security(?). We regularly have geeks staying in the apartments, so the scenario I would like to prevent is a man in the middle attack between apartments because of shared WPA2 credentials... Any thoughts?

Thanks!

I'd just use hotspot, each apartment gets its own username and password, you can allow 10 devices per user account. Mikrotik Hotspot server won't allow clients talk to each other. You may also create a VLAN and a hotspot is running on the VLAN. this way they cannot access your core network. Add IP TVs, Xbox or PC to your bypass list so they don't have to authenticate.

Hi Madumi,
You can use 8 separate SSID with 8 different subnets. So you can configure rules on firewall to block traffic across the subnets.

.....

Solar.........
Using Bridges on LANS blocks at layer 2 (via mac addresses and tables) correct?
VLANS block at layer 2/3? (by inserted headers in packet flow) correct?
FW rules block at layer 3 (IP routing) correct?

How does hotspot block???
a. devices on the same account from seeing each other?
i. wired
ii. wifi

How does hotspot block accounts from seeing each other?

Hmmm, we're in a situation where (at least currently), we need to monitor all traffic from the apartments (data caps are tight where we live), which would mean I would prefer not to give TV's Xbox's etc a free pass on to the network...

Charge tenants more for their own dedicated SSID. Profit.

2.4ghz?? then you need to set your datarates

using many ssid's is mandatory, because when you broadcast an ssid using 1mbit datarate (default setting) you loose 3% of airtime for every ssid in your case 24% only to announce the ssid´s on air, that penalizes your wireless performance

today you can disable all 802.11b data-rates without worry

that is leaving the lowest datarate to be 6mbit/s that way you reduce the airtime used to announce ssid's from 24% to 4%

As for TV, Xbox etc. you can use MAC authentication in hotspot and create user profile for those devices. more control and monitoring when you use hotspot.

what do you use as Access Point in each apartment? there might be more options .

Charge tenants more for their own dedicated SSID. Profit.

Thanks eXS, yes, that's the longer term plan... we're just not currently there yet... by "dedicated SSID" your talking one discreet SSID's for each apartment right... but do you mean all on the one mikrotik solution (I was thinking 2 AP's to take the number of SSID's per AP down to 4)?

that is leaving the lowest datarate to be 6mbit/s that way you reduce the airtime used to announce ssid's from 24% to 4%

Thanks so much chechito. Yes I read that I'd need to change the datarate (it might have been one of your other posts). So, you're agreeing that using discreet SSID's for each apartment is a reasonable idea? (I'm still brainstorming ways to do this... the main part I need to figure out is whether I'm going over the top, or whether it's reasonable for security to ensure each apartment has separate SSID's/WPA2 credentials). Any thoughts on that?

As for TV, Xbox etc. you can use MAC authentication in hotspot and create user profile for those devices. more control and monitoring when you use hotspot.
what do you use as Access Point in each apartment? there might be more options .

I'd prefer not to use MAC authentication... Tenants rotate frequently enough that collecting MAC addresses from them would be a pain.
presently we have two access points, each serving four apartments each (the two access points are placed in a way that is central to those four apartments)

that is leaving the lowest datarate to be 6mbit/s that way you reduce the airtime used to announce ssid's from 24% to 4%

Thanks so much chechito. Yes I read that I'd need to change the datarate (it might have been one of your other posts). So, you're agreeing that using discreet SSID's for each apartment is a reasonable idea? (I'm still brainstorming ways to do this... the main part I need to figure out is whether I'm going over the top, or whether it's reasonable for security to ensure each apartment has separate SSID's/WPA2 credentials). Any thoughts on that?

I think separate SSID's for each apartment its a good idea from viewpoint of practicality to make support tasks easier, for example if a customer has some issue is easier to track them to devices associated to an specific SSID, another advantage, maybe if an access-point is far from certain apartment that access-point don't need to have that apartment SSID configured in fact maybe the best way to go is that specific SSID only be configured on closest access-point to that apartment

if access from public and shared areas is needed you can create a very limited guest ssid to that task

from security viewpoint separate SSID can help to isolate devices from each apartment from sharing traffic, to avoid different apartment devices to share traffic, normally i will suggest to isolate all stations from each other, but in case of apartments today is frequent for people the need of get their own devices communicate between them

the better way to allow communication between wireless devices on same ssid will be isolate them un-cheking default forward option, let the "core" router to manage inter-station communication using local-proxy-arp, that technique has the advantage of make possible to apply traffic control and firewall rules to inter station traffic using rules on the access-point, otherwise any rule makes no effect on inter-station traffic

make sure you have a properly configured and manageable layer 2 infrastructure (wired switches, please use only wired switches to interconnect access-point to the network, anything like mesh or repeaters will get you a very BAD result from performance standpoint) to interconnect access-point to main router

with properly configured i refer to a manageable switch o switches configured with vlan, vlan filtering, dhcp security, arp, security, port isolation, to make the network stable and better in terms of security isolating effectively different SSID traffic across all network

always use only WPA 2 AES security with WPS disable, secure your main router and your accesspoint, very recommended a separate vlan to isolate and filter access to devices management

wireless can be secure, but there are many social engineering hacks to let people to reveal their passwords, so keep that in mind, and encourage your users to use secure VPN services to do sensitive tasks online when connected to the wifi

secure all the network using ACL's, firewall filter or whatever resources equipment have

Do QoS and traffic control on every point of network to manage congestion, that improves performance and service experience a LOT

brilliant, chechito! thanks so very much.

Only part I didn't quite follow was if I set up separate SSID's/WPA2 for each apartment & kept traffic from those SSID's isolated from each other, why would you suggest residents still use a VPN to do sensitive tasks? Is it just to protect them from their own IoT devices using the same SSID?

Network structure is already in place--Cat6 ethernet connecting access points etc... It's just going to be a matter of learning RouterOS. I'll read through https://wiki.mikrotik.com/wiki/Manual:TOC
Any other suggestions for me to get up to speed?

Thanks!

brilliant, chechito! thanks so very much.

Only part I didn't quite follow was if I set up separate SSID's/WPA2 for each apartment & kept traffic from those SSID's isolated from each other, why would you suggest residents still use a VPN to do sensitive tasks?

attack techniques exist to make a client connect to a rogue AP that way the attacker can perform a man in the middle and other other nasty things

attack techniques exist to make a client connect to a rogue AP

Hmmm, interesting... You mean even an access point with unfaimiliar credentials/SSID?