MikroTik

Dear community,

I am writing because would need help for setting up a guest wifi.

Technical Setup: Currently I have one network as my private environment. Some other devices in it, i.e. smartphones, nas, printer, set top box, etc.
Above is wired environment, all connected with 1 gbit/s.

I want to give guest access to the internet via a seperate guest wifi. They must not access the private environment and must not use the running dhcp server in private environment. However, they have to use the same cable to the Speedport router. But I cannot get things working.

What I did so far:
1) created a vap on both hAP
2) created an ip adress for the vap on both hAP (192.168.150.2 and 192.168.150.3)
3) set up a dhcp server running on the vap (192.168.150.3) and a dhcp relay running on the other vap (192.168.150.2)

But what is next? If i connect to the guest wifi with my smartphone I optain an ip-adress. But only if I connect to the vap with running dhcp server. The relay on the other vap is not working, it cannot connect to the dhcp server. How to connect those and how to get it to the default gateway (192.168.15.1)

Any advice for me? I am totally lost. To be honest I am kind of a greenhorn.... I made to run my private environment smoothly, but that guest wifi thing really troubles me

This is my first post in forum, so please be patient
Hope to get some feedback from your. Thanks in advance!
empy

Technical Setup:

Code: Select all

Speedport W724V | // 192.168.15.1, internet gateway, dhcp server
                |- managed switch | // 192.168.15.8
                                  |-hAP ac           // 192.168.15.2, home wifi
                                  |-hAP ac           // 192.168.15.3, home wifi

Currently I have one network as my private environment. Some other devices in it, i.e. smartphones, nas, printer, set top box, etc.
Above is wired environment, all connected with 1 gbit/s.

I want to give guest access to the internet via a seperate guest wifi. They must not access the private environment and must not use the running dhcp server in private environment. However, they have to use the same cable to the Speedport router. But I cannot get things working.

Hi,

You need to take another interface on your speedport and configure it for 192.168.150.0/24 network routing, then create a vlan for your guest wireless and have the hAP AC's trunk both the guest wireless VLAN and your main connection back to the speedport.

However, I suspect your speedport cannot do this, if it is a standard home gateway device. Those generally only allow you to have one internal interface and one external, and would not allow VLAN trunking.

However, I suspect your speedport cannot do this, if it is a standard home gateway device. Those generally only allow you to have one internal interface and one external, and would not allow VLAN trunking.

You're right, that speedport doesn't support this. My switch does support VLAN, but I suppose I do not get it routed to my speedport. I am going to give that a try. Besides that, any other ideas?
Can you explain where my brain stops? Would things work, if I would run a dhcp server on both vaps with different networks, e.g. 192.168.150.0/24 and 192.168.250.0/24 and do some srcnat with masquerading stuff only to the gateway ip-address? Could that bring things to work? Whats your opinion?

You're right, that speedport doesn't support this. My switch does support VLAN, but I suppose I do not get it routed to my speedport. I am going to give that a try. Besides that, any other ideas?
Can you explain where my brain stops? Would things work, if I would run a dhcp server on both vaps with different networks, e.g. 192.168.150.0/24 and 192.168.250.0/24 and do some srcnat with masquerading stuff only to the gateway ip-address? Could that bring things to work? Whats your opinion?

Yes, with two different guest networks, one for each AP, you could probably do this. Then you would basically be using each AP for routing of its guest network. You could either add a static route on the speedport, or do NAT, and firewall rules to block the users from accessing all internal stuff except for the speedport's IP. It should work.

thank you a lot mducharme,

this works! issue solved therefore!
it felt very good to change thoughts with someone.

You could have one hAP ac, route, nat, firewall, DHCP on the guest vap, and the other one just have a vap.

Two vaps would then be connected to(via) their own VLAN on the managed switch, either by wireless vaps having a VLAN id, or by having them live on a same bridge as a VLAN interface.

If this is an unsecured network, consider securing the broadcast traffic to prevent DHCP spoofing etc

You could have one hAP ac, route, nat, firewall, DHCP on the guest vap, and the other one just have a vap.

Two vaps would then be connected to(via) their own VLAN on the managed switch, either by wireless vaps having a VLAN id, or by having them live on a same bridge as a VLAN interface.

If this is an unsecured network, consider securing the broadcast traffic to prevent DHCP spoofing etc

So the advantage of that is to have just one dhcp pool, isn't it? In my latest test environment I now have two ranges...
I will give that a try! Thanks a lot!

So the advantage of that is to have just one dhcp pool, isn't it? In my latest test environment I now have two ranges...
I will give that a try! Thanks a lot!

You'd have one extended vlan/dhcp pool/guest network for guest stuff, and one extended vlan/dhcp pool/private network for your stuff.

Also a good possibility! I have set this up for testing! if this is going to work for me the next week, I think that will be my productive environment! Thanks for all who helped me out!

hi risk,

very thanks for four ideas! i have testet it and it works like a charm. with that solution one hotspot also is not a problem. with the old solution clients had to login again into the hotspot once they roamed to the different up guest-wifi (and ip adress changing of course, causing some extra delay). no i have just one dhcp and one hotspot.

perfect solution for me!
Thank you a lot for helping me out!