Hi,
I need build a guest wifi in our company. We have one main router 951G-2HnD with DNS, DHCP server and FW. Now we bought 3x AP RBcAPGi-5acD2nD (they are connected using non manageable switches)
I created a virtual WLAN with guest configuration on each AP (on physical WLAN I have a private wifi). I can connect with laptop, but I am getting default IP from LAN subnet on guest wifi.
It's because a DHCP requests from APs are sends over LAN to main router on port 3 and there is a LAN DHCP. I tried to create a VLAN on port3, but without a success.
Is it possible to use VLAN on our three APs and a main router with ordinary network switches (no VLAN support) ?
I don't want to have a multiple DHCPs (I mean on each APs), I want to have just one centralized DHCP server on our main router.
I succesfully created a guest wifi on our main router. I created a virtual WLAN for guests and put a DHCP server with its IP pool on wlan2 interface and it's works like a charm. But the range of wifi is poor. So I need to connect another APs to extend the wifi range. But now I stock and I have no idea howto do it.
A private wifi is working as I expected. I have troubles with guest wifi only.
Thanks for any advice.
Re: Guest wifi on multiple APs
It is possible if those switches support MTU of 1508 bytes (plain ordinary ethernet is 1500 bytes).Is it possible to use VLAN on our three APs and a main router with ordinary network switches (no VLAN support) ?
I succesfully created a guest wifi on our main router. I created a virtual WLAN for guests and put a DHCP server with its IP pool on wlan2 interface and it's works like a charm. But the range of wifi is poor. So I need to connect another APs to extend the wifi range. But now I stock and I have no idea howto do it.
You'll have to configure all devices (main router as well as APs) with the VLAN of choice. I suggest you to post configuration of main router as well as of one of APs and we'll suggest necessary changes. You can get full config using command "/export hide-sensitive" ... redact public addresses and post it here inside [ code ] environment for better visibility.
Re: Guest wifi on multiple APs
Hi there I have very much the same setup in my house.
I have my main mikrotik router (previously a hex router and now the RB450Gx4).
It is connected to a managed 24 port switch from one port which connects to one capac and another managed switch in an entertainment area.
The Router is also connected on another port to a managed switch in the basement which then connects to another capAC.
Since the capAC is capable of recognizing and tagging frames, I don't think it will be an issue to have unmanaged switches between the main router and your cap acs.
The problem is that the vlans will be sent out every port on the unmanaged switch but if physical security is not a concern then there is no risk.
As per MKXs comments, there may be limitations on the unmanaged switch but that is beyond my scope of knowledge.
As for setup my capacs have three networks
a. smartdevices on 2.4ghz chain
b. private wifi on 5ghz chain
c. guest wifi virtual on 5ghz chain
I have vlan11 for private wifi
I have vlan 10 for guest wifi
I have vlan20 for smart devices
(all my traffic is on vlans).
Setting up your network and router for all vlans using bridge vlans is the easiest method to setting up your network and highly recommend using this resource as your primary go to source!! Basically any port on the router or the capac going to your unmanaged switches would be a trunk port.
viewtopic.php?f=13&t=143620
There is also a MT wiki source that is not too bad and you may find useful.
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table
Especially if you do not want to use a vlan for your main network and therefore you will have to pay close attention to diagram #4 which shows ether3 as a hybrid port (which would be required to send to your unmanaged switches).
Lastly, suggest you provide a diagram which helps clarify the intent of your network.
When you do have your router config and capac config advanced to the point of being useful for us to analyze please do so!
/export hide-sensitive file=yourconfigjun26
I have my main mikrotik router (previously a hex router and now the RB450Gx4).
It is connected to a managed 24 port switch from one port which connects to one capac and another managed switch in an entertainment area.
The Router is also connected on another port to a managed switch in the basement which then connects to another capAC.
Since the capAC is capable of recognizing and tagging frames, I don't think it will be an issue to have unmanaged switches between the main router and your cap acs.
The problem is that the vlans will be sent out every port on the unmanaged switch but if physical security is not a concern then there is no risk.
As per MKXs comments, there may be limitations on the unmanaged switch but that is beyond my scope of knowledge.
As for setup my capacs have three networks
a. smartdevices on 2.4ghz chain
b. private wifi on 5ghz chain
c. guest wifi virtual on 5ghz chain
I have vlan11 for private wifi
I have vlan 10 for guest wifi
I have vlan20 for smart devices
(all my traffic is on vlans).
Setting up your network and router for all vlans using bridge vlans is the easiest method to setting up your network and highly recommend using this resource as your primary go to source!! Basically any port on the router or the capac going to your unmanaged switches would be a trunk port.
viewtopic.php?f=13&t=143620
There is also a MT wiki source that is not too bad and you may find useful.
https://wiki.mikrotik.com/wiki/Manual:Bridge_VLAN_Table
Especially if you do not want to use a vlan for your main network and therefore you will have to pay close attention to diagram #4 which shows ether3 as a hybrid port (which would be required to send to your unmanaged switches).
Lastly, suggest you provide a diagram which helps clarify the intent of your network.
When you do have your router config and capac config advanced to the point of being useful for us to analyze please do so!
/export hide-sensitive file=yourconfigjun26
Re: Guest wifi on multiple APs
I tried to make my scenario so simple as possible, without CAPSMan, VPN, FW, etc. So I started over with a plain config.
So I have main router 951G-2HnD connected to the internet (public static ip) on ether1, ether3 is connected to my LAN (192.168.10.0/24), ether5 si connected to RBcAPGi-5acD2nD, on ether5 are two VLAN (7 is guest, 10 is staff). On AP I have connection to Router on ether1 (with VLAN7 and VLAN10 on it), also I have there wlan2(GHz) and wlan5(GHz) with wlan2g(guest) and wlan5g(guest).
I created two bridges on AP: bridge-staff with ports vlan10, wlan2 and wlan5 & bridge-guest with ports vlan7, wlan2g and wlan5g.
On router I created dhcp-staff on vlan10 with pool 192.168.12.100-150 and dhcp-guest.on vlan7 with pool 192.168.7.100-150.
Everything looks good on first sight, when someone connected to guest wifi gets subnet from guest and internet works, when someone connected to wlan2 or wlan5 gets subnet from staff dhcp.
The first weird thing is: I tried to connect from guest vlan to lan or staff subnet and it WORKS. I am able to connect everywhere from guest. It is not OK.
The second weird thing is: when I tried to torch any interfaces and search for VLAN ID, I don't see any ID at all. Is it OK ?
So basicaly I am able to separate guest wifi on its own subnet and then I can drop packets from that subnets to everywhere except the internet GW. But I thought that VLAN works in better way. Maybe it did and I made some terrible misunderstanding or something else.
I made it with this howto https://www.youtube.com/watch?v=fc61fkQnoW4
configs
So I have main router 951G-2HnD connected to the internet (public static ip) on ether1, ether3 is connected to my LAN (192.168.10.0/24), ether5 si connected to RBcAPGi-5acD2nD, on ether5 are two VLAN (7 is guest, 10 is staff). On AP I have connection to Router on ether1 (with VLAN7 and VLAN10 on it), also I have there wlan2(GHz) and wlan5(GHz) with wlan2g(guest) and wlan5g(guest).
I created two bridges on AP: bridge-staff with ports vlan10, wlan2 and wlan5 & bridge-guest with ports vlan7, wlan2g and wlan5g.
On router I created dhcp-staff on vlan10 with pool 192.168.12.100-150 and dhcp-guest.on vlan7 with pool 192.168.7.100-150.
Everything looks good on first sight, when someone connected to guest wifi gets subnet from guest and internet works, when someone connected to wlan2 or wlan5 gets subnet from staff dhcp.
The first weird thing is: I tried to connect from guest vlan to lan or staff subnet and it WORKS. I am able to connect everywhere from guest. It is not OK.
The second weird thing is: when I tried to torch any interfaces and search for VLAN ID, I don't see any ID at all. Is it OK ?
So basicaly I am able to separate guest wifi on its own subnet and then I can drop packets from that subnets to everywhere except the internet GW. But I thought that VLAN works in better way. Maybe it did and I made some terrible misunderstanding or something else.
I made it with this howto https://www.youtube.com/watch?v=fc61fkQnoW4
configs
Code: Select all
Router
/interface ethernet
set [ find default-name=ether1 ] name=ether1-inet
set [ find default-name=ether3 ] name=ether3-lan
set [ find default-name=ether5 ] name=ether5-tocAP
/ip neighbor discovery
set ether1-inet discover=no
/interface vlan
add interface=ether5-tocAP name=vlan7 vlan-id=7
add interface=ether5-tocAP name=vlan10 vlan-id=10
/ip pool
add name=pool-7 ranges=192.168.7.100-192.168.7.150
add name=pool12 ranges=192.168.12.100-192.168.12.150
/ip dhcp-server
add address-pool=pool-7 disabled=no interface=vlan7 name=dhcp-guest
add address-pool=pool12 disabled=no interface=vlan10 name=dhcp-staff
/interface bridge port
add interface=ether3-lan
add interface=vlan10
/ip address
add address=X.X.X.X/29 interface=ether1-inet network=X.X.X.X
add address=192.168.10.1/24 interface=ether3-lan network=192.168.10.0
add address=192.168.7.1/24 interface=vlan7 network=192.168.7.0
add address=192.168.12.1/24 interface=vlan10 network=192.168.12.0
/ip dhcp-server network
add address=192.168.7.0/24 dns-server=192.168.7.1,1.1.1.1,8.8.8.8 gateway=192.168.7.1 netmask=24
add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8 gateway=192.168.10.1 netmask=24
add address=192.168.12.0/24 dns-server=192.168.12.1,8.8.8.8 gateway=192.168.12.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-inet
/ip route
add distance=1 gateway=X.X.X.X
/system routerboard settings
set init-delay=0s
/system identity
set name=Router
/tool romon
set enabled=yes
***********************************************
AP
/interface bridge
add name=bridge-guest
add name=bridge-staff
/interface ethernet
set [ find default-name=ether1 ] name=ether1-toRouter
set [ find default-name=ether2 ] disabled=yes
/interface vlan
add interface=ether1-toRouter name=vlan7 vlan-id=7
add interface=ether1-toRouter name=vlan10 vlan-id=10
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=guest supplicant-identity=""
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=staff supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge name=wlan2 security-profile=staff ssid=wlan2
add disabled=no keepalive-frames=disabled mac-address=76:4D:28:86:D5:E5 master-interface=wlan2 multicast-buffering=disabled name=wlan2g security-profile=guest ssid=wlan2g wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
set [ find default-name=wlan2 ] disabled=no mode=ap-bridge name=wlan5 security-profile=staff ssid=wlan5
add disabled=no keepalive-frames=disabled mac-address=76:4D:28:86:D5:E6 master-interface=wlan5 multicast-buffering=disabled name=wlan5g security-profile=guest ssid=wlan5g wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge-guest interface=vlan7
add bridge=bridge-guest interface=wlan2g
add bridge=bridge-guest interface=wlan5g
add bridge=bridge-staff interface=wlan2
add bridge=bridge-staff interface=wlan5
add bridge=bridge-staff interface=vlan10
/system identity
set name=AP
/tool romon
set enabled=yes
Re: Guest wifi on multiple APs
If the published config for your router is complete, then your router is probably already hacked because you don't have any firewall protection. I suggest you to start from default firewall filter list, it is a decent starting point.
Anyhow, MT routers perform two (very) distinct tasks: routing and firewalling. Your router right now does the routing between all of its interfaces which have IP addresses set, VLANs included. What your device is not doing right now is firewalling - essentially that's blocking unwanted (forbidden) connections which might include all connections between e.g. VLAN 7 and VLAN 10. So you'll have to construct some appropriate chain=forward action=drop rules.
After you grt that sorted out, you can go back to configuring VLANs on your AP ... the way you have it now is overly complicated. I suggest you to study this thread, it makes a very nice tutorial.
You could convert config of router as well, but this one is not that ugly
Anyhow, MT routers perform two (very) distinct tasks: routing and firewalling. Your router right now does the routing between all of its interfaces which have IP addresses set, VLANs included. What your device is not doing right now is firewalling - essentially that's blocking unwanted (forbidden) connections which might include all connections between e.g. VLAN 7 and VLAN 10. So you'll have to construct some appropriate chain=forward action=drop rules.
After you grt that sorted out, you can go back to configuring VLANs on your AP ... the way you have it now is overly complicated. I suggest you to study this thread, it makes a very nice tutorial.
You could convert config of router as well, but this one is not that ugly
Re: Guest wifi on multiple APs
Well, my config is missing a FW rules, cos I don't have any FW issues to deal with. I am dealing with VLAN only.
As I wrote I am able to create some FW drop rules to manage "my VLANs", but I thought that VLAN is working independently to FW.
So You have absolutely right that my router right now does the routing between all of its interfaces which have IP addresses set, VLANs included and that's the core of my problem.
As I wrote I am able to create some FW drop rules to manage "my VLANs", but I thought that VLAN is working independently to FW.
So You have absolutely right that my router right now does the routing between all of its interfaces which have IP addresses set, VLANs included and that's the core of my problem.
Re: Guest wifi on multiple APs
So your router is not connected directly to a modem?
Re: Guest wifi on multiple APs
I don't have a modem, I have an ehternet cable, but it doesn't matter. On ether1 is connected internet with public static IP on it.
It is temporary connected to another internet connection for testing only, it's not a permanent solution.
I don't want to mess up with our main router, so I made a second independent network for testing VLAN for guests and staff. When all VLANs will be working I will put necessary configs to our main router.
It is temporary connected to another internet connection for testing only, it's not a permanent solution.
I don't want to mess up with our main router, so I made a second independent network for testing VLAN for guests and staff. When all VLANs will be working I will put necessary configs to our main router.
Re: Guest wifi on multiple APs
So You have absolutely right that my router right now does the routing between all of its interfaces which have IP addresses set, VLANs included and that's the core of my problem.
As I already wrote: you can't prevent router from routing between its interfaces other than by using firewall filters.
Re: Guest wifi on multiple APs
Of course you have a modem, in this case a Cable modem. A router does not work independent of a modem either by landline or wisp.
But understand your test router is really just being used for testing setup planning.
But understand your test router is really just being used for testing setup planning.
Who is online
Users browsing this forum: erlinden and 23 guests