https://www.marthur.com/networking/mikr ... -wifi/201/

https://www.marthur.com/networking/mikr ... -wifi/201/

According to the comments this one is outdated. Also I have no option for "Master-interface: ap-private". I have only wlan1 and wlan2.

if you banned in google the best way for you is quickset which allow to setup guest wifi ap.

if you banned in google the best way for you is quickset which allow to setup guest wifi ap.

Sorry I have no idea what you're talking about. A quick setup how to for guest wifi is what I'm looking for but cannot find.

I see this option but I don't understand how to make it a guest network that can only access the internet and none of the rest of my internal network. In fact it looks like this loads my existing wifi configuration which i do not want to screw with at all.

/ip route rule
add action=drop dst-address=lan.network/mask src-address=guest.network/mask
add action=drop dst-address=guest.network/mask src-address=lan.network/mask

Is there not a simple step by step guide that contains all the steps that is also compatible with the current OS? I cannot follow this with one step here, another step there, and some steps that are not compatible with my OS.

• create a wireless security profile

• create a VAP, using security profil

• assign IP address to VAP

• create DHCP server for VAP (no bridge required. I've done this)

• create firewall filters to restrict traffic flow between local subnets

Is there not a simple step by step guide that contains all the steps that is also compatible with the current OS? I cannot follow this with one step here, another step there, and some steps that are not compatible with my OS.

Hello,

The URL and examples shown by Baragoon will work. Yes, the URL has some steps that I would not do, such as masquerading the guest network (kind of useless). Otherwise, it's good. And his firewall filters suggestions are accurate also. They will prevent both subnets from accessing each other.

That's about as step-by-step as you'll get.

Les see if this will help resume it:

• create a wireless security profile

• create a VAP, using security profil

• assign IP address to VAP

• create DHCP server for VAP (no bridge required. I've done this)

• create firewall filters to restrict traffic flow between local subnets

Cheers,

Is there not a simple step by step guide that contains all the steps that is also compatible with the current OS? I cannot follow this with one step here, another step there, and some steps that are not compatible with my OS.

Hello,

The URL and examples shown by Baragoon will work. Yes, the URL has some steps that I would not do, such as masquerading the guest network (kind of useless). Otherwise, it's good. And his firewall filters suggestions are accurate also. They will prevent both subnets from accessing each other.

That's about as step-by-step as you'll get.

Les see if this will help resume it:

• 1. create a wireless security profile

• 2. create a VAP, using security profil

• 3. assign IP address to VAP

• 4. create DHCP server for VAP (no bridge required. I've done this)

• 5. create firewall filters to restrict traffic flow between local subnets

Cheers,

Is there not a simple step by step guide that contains all the steps that is also compatible with the current OS? I cannot follow this with one step here, another step there, and some steps that are not compatible with my OS.

Hello,

The URL and examples shown by Baragoon will work. Yes, the URL has some steps that I would not do, such as masquerading the guest network (kind of useless). Otherwise, it's good. And his firewall filters suggestions are accurate also. They will prevent both subnets from accessing each other.

That's about as step-by-step as you'll get.

Les see if this will help resume it:

• 1. create a wireless security profile

• 2. create a VAP, using security profil

• 3. assign IP address to VAP

• 4. create DHCP server for VAP (no bridge required. I've done this)

• 5. create firewall filters to restrict traffic flow between local subnets

Cheers,

I believe I got down to step 4. No idea how to do step 5. Also my network doesn't work this way. when I try to connect it says "No internet connection". No clue where I screwed up, seems pretty straightforward however ever single dialog box has 1,000 options so I don't know if I missed something critical. I can connect but that's it.

By default my subnets cannot access each other and the new one cannot access anything.

"such as masquerading the guest network (kind of useless). " I have no idea which steps I can just "skip" and which ones are critical to make it work.

You have some video to get you going here:


https://www.youtube.com/watch?v=6P0MDlYWR_E
https://www.youtube.com/watch?v=lDAG_U7NwxM

As long as guest network are on its own network, then it just to set the correct firewall rules to separate network

Just to add: this only works if guest VAP is setup on the device which is also the internet router. If one wants to add guest VAP on an AP device which connects to router via ethernet cable, then there are more steps to be taken.

Go into firewall address lists.
Make a list for local devices.
Make a list for guest devices.

At the top of the forwarding chain in firewall filters...
/IP firewall filter add chain=forward src-address-list=guest dst-address-list=local action=drop

That's keeps guest from talking to devices on the local network.

If you wanna keep them out of the router...
Add a rule in the INPUT CHAIN to drop things like 21-23,80,443,8291

Go into firewall address lists.
Make a list for local devices.
Make a list for guest devices.

At the top of the forwarding chain in firewall filters...
/IP firewall filter add chain=forward src-address-list=guest dst-address-list=local action=drop

That's keeps guest from talking to devices on the local network.

If you wanna keep them out of the router...
Add a rule in the INPUT CHAIN to drop things like 21-23,80,443,8291

I was thinking of this, but there is a problem with devices with randomized MAC addresses that would not necessarily get the same IP addresses every time.

I was thinking of this, but there is a problem with devices with randomized MAC addresses that would not necessarily get the same IP addresses every time.

In my explanation it assumes 2 different IP scopes.
i.e.
Local = 192.168.88.0/24
Guest = 10.0.0.1/24