Looking for instruction to isolate guest wifi networks
Posted: Fri Oct 04, 2024 9:27 pm
by zhouck
After upgrading to 7.15 the old instructions are not working due to the package separation for wifi.
My goal is to have the guest wifi networks completely unreachable in both directions, with the guest wifi having internet access only. Also, prevent setting a static IP on the guest networks.
It would be best to have some instructions for this case.
Re: Looking for instruction to isolate guest wifi networks
Posted: Fri Oct 04, 2024 10:37 pm
by Cl3an
I’m also interested. All the guides, tutorials, and instructions are for the “old” wireless interface and not for WiFi. (wifi-qcom-ac // wifi-qcom)
Re: Looking for instruction to isolate guest wifi networks
Posted: Fri Oct 04, 2024 10:43 pm
by erlinden
Re: Looking for instruction to isolate guest wifi networks
Posted: Fri Oct 04, 2024 10:50 pm
by optio
Follow this guide for setting guest VLAN for AP:
viewtopic.php?t=143620#p706999.
Commands for WiFi setup shouldn't differ much from the old WiFi package, or use Winbox to set it up. VLAN setup is not directly related to WiFi setup, except for knowing which
wifi interface needs to be part of which network.
Re: Looking for instruction to isolate guest wifi networks
Posted: Fri Oct 04, 2024 11:09 pm
by Cl3an
Looks promising. Thank you
Re: Looking for instruction to isolate guest wifi networks
Posted: Sat Oct 05, 2024 12:08 am
by Josephny
While I'd love to master VLANS, it seems to be beyond me.
@tangent solution works for me (thank you @tangent!).
These are the config entries I used (I'm sure you'll want to customize to your environment):
# Shared guest profile: client isolation keeps guests from seeing each other on the same SSID
/interface wifi configuration add datapath.client-isolation=yes disabled=no name=guestcfg security.authentication-types=wpa2-psk .passphrase=blueberry ssid=GuestWifi
# One guest slave per radio (wifi2 = 2.4 GHz, wifi1 = 5 GHz on this board); not bridged, so each is its own L3 segment
/interface wifi add configuration=guestcfg configuration.mode=ap disabled=no master-interface=wifi2 name=Guest2g
/interface wifi add configuration=guestcfg configuration.mode=ap disabled=no master-interface=wifi1 name=Guest5g
# Guest addressing and DHCP; DNS points guests straight at 1.1.1.1, not at the router
/ip pool add name=pool-guest ranges=10.0.0.10-10.0.0.252
/ip address add address=10.0.0.1/24 interface=Guest2g network=10.0.0.0
/ip address add address=10.0.0.1/24 interface=Guest5g network=10.0.0.0
/ip dhcp-server add address-pool=pool-guest interface=Guest2g name=dhcp-guest2g
/ip dhcp-server add address-pool=pool-guest interface=Guest5g name=dhcp-guest5g
/ip dhcp-server network add address=10.0.0.0/24 dns-server=1.1.1.1 gateway=10.0.0.1
/ip dns static add address=10.0.0.1 comment=defconf name=router.lan
/ip firewall address-list add address=10.0.0.2-10.0.0.254 list="Guest WiFi"
# Input: guests may only talk DHCP to the router; everything else to 10.0.0.1 is dropped
/ip firewall filter add action=accept chain=input comment="allow 67 68 to 10.0.0.1" dst-address=10.0.0.1 dst-port=67,68 log=yes log-prefix="allow 67 68 to 10.0.0.1" protocol=udp
/ip firewall filter add action=drop chain=input comment="drop all to 10.0.0.1" dst-address=10.0.0.1 in-interface=!lo log=yes log-prefix="drop all to 10.0.0.1"
# Forward: guests may only leave via the WAN interface list
/ip firewall filter add action=drop chain=forward comment="drop all 10.0.0.0/24 to not-WAN" log-prefix=drop-all-10-0-0-0-24-to-not-WAN out-interface-list=!WAN src-address=10.0.0.0/24
/ip firewall filter add action=drop chain=forward comment="drop guest to 192.168.0.0/16" dst-address=192.168.0.0/16 dst-port=!53,68,68 log=yes log-prefix=drop-guest-to-192-168-0-0-16 protocol=udp src-address-list="Guest WiFi"
#Move firewall rules to correct position number
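The first post also asked to stop guests from setting their own static IP. An added example (not Josephny's export, nor anything from the thread) that does this on the routed scheme above: it assumes the interface and DHCP server names from that export, and that `arp=reply-only` is accepted on `/interface wifi` interfaces the way it is on other RouterOS interface types (an assumption to confirm with `/interface wifi print detail`).

```routeros
# Added example, not from the post above: DHCP-only clients on the guest interfaces.
# Assumes Guest2g/Guest5g and dhcp-guest2g/dhcp-guest5g from the export above.

# 1. Make the DHCP server install an ARP entry for every lease it hands out.
/ip dhcp-server set [find name=dhcp-guest2g] add-arp=yes
/ip dhcp-server set [find name=dhcp-guest5g] add-arp=yes

# 2. Stop dynamic ARP learning on the guest interfaces. With reply-only the router
#    only talks to addresses that already have an ARP entry, i.e. current leases;
#    a self-assigned 10.0.0.x address gets no entry and is never answered.
#    Assumption: arp=reply-only is supported on /interface wifi as elsewhere.
/interface wifi set [find name=Guest2g] arp=reply-only
/interface wifi set [find name=Guest5g] arp=reply-only

# 3. Check: the ARP table for each guest interface should list exactly the
#    addresses in the matching lease list and nothing else.
/ip arp print where interface=Guest2g
/ip dhcp-server lease print where server=dhcp-guest2g
```

Clients that already hold a lease get their ARP entry on the next renewal, so apply this at a quiet moment or shorten the lease time first.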
Re: Looking for instruction to isolate guest wifi networks
Posted: Sat Oct 05, 2024 12:30 am
by Cl3an
Quick Set
/interface wifi add … master-interface=wifi2 name=wifi2g …
/interface bridge filter add action=drop chain=forward in-interface=wifi2g
/interface bridge filter add action=drop chain=forward out-interface=wifi2g
/interface bridge port add bridge=bridge interface=wifi2g
Can someone explain the missing part with “…” (two places)
Re: Looking for instruction to isolate guest wifi networks
Posted: Sat Oct 05, 2024 12:49 am
by optio
Can someone explain the missing part with “…” (two places)
Replace it with properties related to the wifi slave configuration; in that tutorial there is an add configuration example:
/interface wifi configuration add ... The same properties can be added to the wifi add command. The difference is that when you have a separate configuration it can be reused for other wifi interfaces if needed.
Re: Looking for instruction to isolate guest wifi networks
Posted: Mon Oct 07, 2024 12:08 pm
by zhouck
Thanks for the instructions.
It almost works; however, while the 2g guest network works fine (tested with IoT devices and a smartphone), the 5g guest network rejects WAN requests, so the smartphone could not connect to the internet. MikroTik hAP ac^2, 7.15.3
Re: Looking for instruction to isolate guest wifi networks
Posted: Mon Oct 07, 2024 12:24 pm
by Josephny
Thanks for the instructions.
It almost works; however, while the 2g guest network works fine (tested with IoT devices and a smartphone), the 5g guest network rejects WAN requests, so the smartphone could not connect to the internet. MikroTik hAP ac^2, 7.15.3
I'm far from an expert, but I'll try to help.
First step is to post your entire sanitized export.
Re: Looking for instruction to isolate guest wifi networks
Posted: Mon Oct 07, 2024 2:45 pm
by tangent
the 5g guest network rejects WAN requests, so the smartphone could not connect to the internet. MikroTik hAP ac^2, 7.15.3
That’s a documented feature of my scheme: guests do not get full-service WiFi.
I have no desire to prototype an alternative that lifts that restriction for you, but it would involve creating a “wifi5g” slave parallel to the article’s existing wifi2g, then bridging them together.
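What the two "…" in the Quick Set snippet stand for, and the wifi5g slave described above, as an added example that is not tangent's article or any code from this thread. Placeholders are CHANGE-ME (PSK) and the guest SSID; master names wifi2 (2.4 GHz) and wifi1 (5 GHz) follow the earlier posts in this thread, and country, channel and similar local settings are left for the reader to add to guestcfg.

```routeros
# Added example, not from tangent's article: both guest slaves bridged and L2-isolated.
# Fill in your own SSID, PSK and country/channel settings on the configuration profile.
/interface wifi configuration add name=guestcfg ssid=GuestWifi \
    security.authentication-types=wpa2-psk .passphrase=CHANGE-ME \
    datapath.client-isolation=yes disabled=no

# One guest slave per radio, both using the same profile.
/interface wifi add name=wifi2g master-interface=wifi2 configuration=guestcfg \
    configuration.mode=ap disabled=no
/interface wifi add name=wifi5g master-interface=wifi1 configuration=guestcfg \
    configuration.mode=ap disabled=no

# Put both guest slaves on the LAN bridge; bridge filters only see bridged traffic.
/interface bridge port add bridge=bridge interface=wifi2g
/interface bridge port add bridge=bridge interface=wifi5g

# Drop L2 forwarding to and from each guest port. Traffic to the router itself
# (DHCP, DNS, routed internet) takes the bridge input/output path, not forward,
# so it still works; guests cannot reach other bridge ports, including each other's SSID.
/interface bridge filter add action=drop chain=forward in-interface=wifi2g
/interface bridge filter add action=drop chain=forward out-interface=wifi2g
/interface bridge filter add action=drop chain=forward in-interface=wifi5g
/interface bridge filter add action=drop chain=forward out-interface=wifi5g

# Check: the drop counters should increase when a guest tries to reach a LAN host.
/interface bridge filter print stats
```

Guests still share the LAN subnet and can reach the router's own LAN address, so the restrictions tangent describes for his scheme apply to the 5 GHz slave as well.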
Re: Looking for instruction to isolate guest wifi networks
Posted: Mon Oct 07, 2024 3:03 pm
by tangent
Can someone explain the missing part with “…” (two places)
To replace it with properties related to wifi slave configuration…
Also local details like country settings, SSID, PSK… Things I don’t want to reveal about my local config and cannot predict for yours. Fill in the blanks.
Re: Looking for instruction to isolate guest wifi networks
Posted: Mon Oct 07, 2024 8:49 pm
by anav
Prior to using capsman, it was quite easy to set up a VLAN per SSID or a VLAN per user group (and assign both SSIDs to the same VLAN) and have them fully separated at layer 2 by VLANs and at layer 3 by firewall rules, and then through the wifi settings decide whether or not wifi users should be able to see others on the same wifi VLAN (with only internet access, of course).
With capsman, no clue, nor am I interested, as the config blows up with all the capsman entries and 3X the level of complication for no real gain IMHO.