Office WiFi: Guest and Internal networks
Posted: Thu Jan 23, 2014 7:04 pm
by BangBang
Hi all,
Please advise how to set up office WiFi.
I need one SSID for internal users and one SSID for guests (an isolated one).
How do I do that on rOS 6.7?
Thanks
Re: Office WiFi: Guest and Internal networks
Posted: Thu Jan 23, 2014 7:15 pm
by thegreatone
Create a Virtual AP if you have only one radio on your router.
Configure each virtual AP as you like.
Re: Office WiFi: Guest and Internal networks
Posted: Thu Jan 23, 2014 8:57 pm
by plisken
What routerboard do you use?
Create 2 bridges: one for office,
the other for guest.
On the office bridge give an IP address, for example 192.168.100.1/24, and configure a DHCP server on it.
On the guest bridge give an IP address, for example 192.168.101.1/24, and configure a DHCP server on it.
NAT masquerade between the office bridge and WAN.
NAT masquerade between the guest bridge and WAN.
Put ether1 and the AP into the office bridge; this is your office LAN.
Make a virtual access point and put it in the guest bridge, same with ether2; this is your guest LAN.
But I don't know what routerboard you use.
Re: Office WiFi: Guest and Internal networks
Posted: Thu Jan 23, 2014 9:51 pm
by BangBang
what routerboard do u use?
Hi,
Thanks for quick answer, we use
http://routerboard.com/RB2011UiAS-2HnD-IN
at our office.
I have 1 CAT5 cable on Eth1 with a 192.168. kind of network already, which provides access to the internal network and the internet. All I want is that the second-VAP users will be able to reach only the internet from my internal network, but no other hosts.
I mean that Eth1 is not WAN, but already an internal network with access to WAN (192.168.10.1) <-- WAN router address
Re: Office WiFi: Guest and Internal networks
Posted: Thu Jan 23, 2014 11:36 pm
by plisken
I hope that you understand the pictures.
I am very tired but I will help you.
I made printscreens; see this.
This website will be deleted.
Let me know if you no longer need it.
Note the IP addresses may differ from yours.
I hope I helped you.
http://www.wirelessinfo.be/index.php/mi ... pages/vap2
Re: Office WiFi: Guest and Internal networks
Posted: Fri Jan 24, 2014 11:37 am
by hansv
A quick hijack of this topic:
Thanks Plisken, I used your manual. Worked like a charm!
Re: Office WiFi: Guest and Internal networks
Posted: Fri Jan 24, 2014 2:40 pm
by plisken
You're welcome, no problem.
This is the definitive website about virtual access points.
Even clearer without a bridge.
http://www.wirelessinfo.be/index.php/mi ... pages/vap1
Re: Office WiFi: Guest and Internal networks
Posted: Fri Jan 24, 2014 4:02 pm
by BangBang
Yes, sure, this is working, but I need to isolate people who use WLAN2 from LAN1 and WLAN1.
So they will be able to use ONLY the internet, and I don't have 0.0.0.0 on Ether1; my gateway is already another device.
Re: Office WiFi: Guest and Internal networks
Posted: Fri Jan 24, 2014 11:39 pm
by plisken
This is what you need, I think; see the firewall settings below.
This will cause both IP ranges to be unable to communicate with each other.
http://www.wirelessinfo.be/index.php/mi ... pages/vap1
I hope that I helped you.
Re: Office WiFi: Guest and Internal networks
Posted: Wed Sep 03, 2014 4:17 pm
by mrQQ
Hello,
I'm trying to do this. The guest WiFi appears, I can connect to it, I get an IP address, but the internet doesn't work. On the firewall NAT tab no packets are listed on the srcnat line.
What could I have done wrong?
Re: Office WiFi: Guest and Internal networks
Posted: Thu Sep 04, 2014 6:04 pm
by plisken
Have you set up the firewall NAT rule?
Re: Office WiFi: Guest and Internal networks
Posted: Thu Sep 04, 2014 6:33 pm
by mrQQ
I did. The issue was that I specified the ether interface and not the bridge (the ether was bridged with the other wifi).
Re: Office WiFi: Guest and Internal networks
Posted: Thu Sep 04, 2014 7:23 pm
by mrQQ
Oh, by the way, the how-to link posted here also says to add DROP rules to the INPUT chain, which did NOT work for me; I had to add them to the FORWARD chain.
By the way, the DROP rules are filtered by IP addresses. Is it possible to have them more universal, so as to drop ALL traffic between the guest and private WiFi, even if they have some other IP addresses set (because this way someone might take a local private IP manually and access the network)?
Re: Office WiFi: Guest and Internal networks
Posted: Thu Sep 04, 2014 7:33 pm
by Kickoleg
Not the first time I have recommended this already ...
/ip route rule add src-address=192.168.0.0/24 dst-address=192.168.10.0/24 action=drop
Re: Office WiFi: Guest and Internal networks
Posted: Thu Sep 04, 2014 7:56 pm
by mrQQ
Yes that is how I have it now.
But what will prevent someone on the Guest network from changing their IP to 192.168.10.X and getting access to the network?
Re: Office WiFi: Guest and Internal networks
Posted: Thu Sep 04, 2014 8:39 pm
by Kickoleg
For your guest network, use bootp support = dynamic and choose arp for "Add ARP For Leases".
Re: Office WiFi: Guest and Internal networks
Posted: Thu Sep 04, 2014 10:02 pm
by mrQQ
Hi,
Could you please explain what this does?
In any case, I've simplified my example a bit. In reality we have multiple subnets which need protection, and I would like to have one single rule without needing to remember to update it if we add another subnet. Is that possible? Like dropping everything from one wlan interface to another.
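The two-bridge design plisken described (one bridge per network, an address and DHCP server on each, masquerade towards WAN) can be written as a RouterOS 6.x script. The following is an added example, not configuration from the thread or from wirelessinfo.be. It also does the two things asked about above: the isolation rules match on interfaces rather than IP ranges, so they need no update when a subnet is added, and the guest DHCP server is combined with arp=reply-only on the guest bridge (the "Add ARP For Leases" option Kickoleg refers to), so a guest who sets a private address by hand without a lease gets no ARP entry and cannot reach the router. Assumed names: ether5 is the WAN uplink, wlan1 is the physical radio carrying the office SSID, wlan2 is the virtual AP carrying the guest SSID; the pre-shared keys are placeholders.

```routeros
# Added example (not from the thread): two isolated networks on one RouterOS 6.x box.
# Assumed: ether5 = WAN uplink, wlan1 = office radio, wlan2 = virtual AP for guests.
# Addresses as in plisken's post: office 192.168.100.0/24, guest 192.168.101.0/24.

/interface wireless security-profiles
add name=office-sec mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=CHANGE-ME-OFFICE
add name=guest-sec mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=CHANGE-ME-GUEST

/interface wireless
set wlan1 mode=ap-bridge ssid=Office security-profile=office-sec disabled=no
# Virtual AP on the same radio. default-forwarding=no stops guest clients from
# reaching each other through the AP (client isolation on the guest SSID).
add name=wlan2 master-interface=wlan1 mode=ap-bridge ssid=Guest security-profile=guest-sec default-forwarding=no disabled=no

/interface bridge
add name=bridge-office
# arp=reply-only: the router only talks to hosts that already have an ARP entry.
# Entries are created by the DHCP server below (add-arp=yes), so a hand-set IP
# without a lease never gets an answer from the router.
add name=bridge-guest arp=reply-only

/interface bridge port
add bridge=bridge-office interface=ether1
add bridge=bridge-office interface=wlan1
add bridge=bridge-guest interface=ether2
add bridge=bridge-guest interface=wlan2

/ip address
add address=192.168.100.1/24 interface=bridge-office
add address=192.168.101.1/24 interface=bridge-guest

/ip pool
add name=pool-office ranges=192.168.100.10-192.168.100.254
add name=pool-guest ranges=192.168.101.10-192.168.101.254

/ip dhcp-server
add name=dhcp-office interface=bridge-office address-pool=pool-office disabled=no
# add-arp=yes inserts a static ARP entry for every lease handed out on the guest bridge.
add name=dhcp-guest interface=bridge-guest address-pool=pool-guest add-arp=yes disabled=no

/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=192.168.100.1
add address=192.168.101.0/24 gateway=192.168.101.1 dns-server=192.168.101.1

# The router answers DNS for both networks.
/ip dns set allow-remote-requests=yes

/ip firewall nat
# One masquerade rule covers both bridges because it matches on the WAN interface.
add chain=srcnat out-interface=ether5 action=masquerade comment="office and guest to WAN"

/ip firewall filter
# Isolation by interface, not by address: nothing to edit when a subnet is added,
# and a guest who changes their IP is still dropped because the match is on the bridge.
add chain=forward in-interface=bridge-guest out-interface=bridge-office action=drop comment="guest -> office"
add chain=forward in-interface=bridge-office out-interface=bridge-guest action=drop comment="office -> guest"
```

These forward rules must sit above any broad accept rule (for example an "accept all from !WAN" rule), otherwise the earlier accept wins and the drops are never reached; check the packet counters on the rules after connecting a guest client to confirm they are matching.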
Re: Office WiFi: Guest and Internal networks
Posted: Thu Feb 25, 2016 9:06 pm
by Roberts R.
Hi!
My intended WiFi setup is somewhat similar to that of BangBang:
I want to replace my single-SSID LINKSYS AP with a Mikrotik wAP and introduce a separate SSID for guests which is isolated from the LAN. I want the wlan1 interface to relay DHCP from the RB750 firewall, while the virtual interface wlan2 might serve as a DHCP server for guest clients. I could make a bridge on the wAP with ether1 and wlan1. I have no idea how to route the virtual wlan2 to the RB750 over ether1.
The http://www.wirelessinfo.be/index.php/mi ... pages/vap1 link does not really help.
Any recommendations are welcome!
Re: Office WiFi: Guest and Internal networks
Posted: Thu Feb 25, 2016 9:29 pm
by ZeroByte
I want to replace my single SSID LINKSYS AP with a Mikrotik wAP and introduce a separate SSID for guests which is isolated from LAN. I want wlan1 interface to relay DHCP from RB750 firewall, however the virtual interface wlan2 might serve a DHCP server for guest clients. I could make a bridge on wAP with ether1 and wlan1. I have no idea how to route the virtual wlan2 to RB750 over ether1.
If the wAP is already acting as a bridge-only device, then it should be easy to add the guest network to this device.
Create a vlan interface on ether1 (guest-vlan) with vlan-id = 100 or whatever number, just not 1.
Create a second bridge interface (guest-bridge)
Create a virtual access-point interface (guest-wlan) and set the SSID / security profile on it that you want to use.
Then in the bridge > ports menu, connect guest-wlan and guest-vlan to guest-bridge.
On the RB750, create a guest-vlan Interface with the same vlan-id as you used in the WAP, and on whichever interface is connected to the WAP (or if you're using hardware switching, put it on the master interface)
Then put the IP address 192.168.0.1/24 on the guest-vlan interface, and set up DHCP server.
In firewall, add a forward filter:
chain=forward
in-interface=guest-vlan
out-interface=!ether1-gateway (or whatever interface has your public IP address on it)
action=drop
If you're using multi-wan, you'll have to change the logic from being the one rule above to three rules:
allow in-interface=guest-vlan out-interface=wan1
allow in-interface=guest-vlan out-interface=wan2
drop in-interface=guest-vlan
Optionally, to protect the Mikrotik itself from the guest vlan, you can add some rules to the input filter that allow bootpc/bootps, icmp, and dns if you're using the 750G as a dns proxy, followed by a drop all in-interface=guest-vlan.
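The VLAN design in the post above, written out as RouterOS 6.x commands for both devices. This is an added example and not ZeroByte's own configuration or Roberts R.'s resulting setup. Assumed names: on the wAP, ether1 is the uplink to the RB750 and wlan1 is the physical radio (the existing private bridge holding ether1 and wlan1 is left as it is); on the RB750, ether2 is the port facing the wAP and ether1-gateway is the WAN interface, as named in the post; the guest pre-shared key is a placeholder. The guest subnet 192.168.0.0/24 and vlan-id 100 are the values from the post.

```routeros
# Added example (not from the thread): guest SSID carried as VLAN 100 from a bridge-only
# wAP to the RB750, where it is routed and filtered.

# ---------------- wAP (access point, no IP address on the guest side) ----------------
/interface vlan
add name=guest-vlan interface=ether1 vlan-id=100
/interface bridge
add name=guest-bridge
/interface wireless security-profiles
add name=guest-sec mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=CHANGE-ME
/interface wireless
add name=guest-wlan master-interface=wlan1 mode=ap-bridge ssid=Guest security-profile=guest-sec disabled=no
/interface bridge port
add bridge=guest-bridge interface=guest-wlan
add bridge=guest-bridge interface=guest-vlan
# Guest frames now leave ether1 tagged with VLAN 100; the private bridge stays untagged.

# ---------------- RB750 (router and firewall) ----------------
/interface vlan
add name=guest-vlan interface=ether2 vlan-id=100
/ip address
add address=192.168.0.1/24 interface=guest-vlan
/ip pool
add name=guest-pool ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add name=guest-dhcp interface=guest-vlan address-pool=guest-pool disabled=no
/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1 dns-server=192.168.0.1
/ip firewall nat
# Skip this if a masquerade rule for ether1-gateway already exists.
add chain=srcnat src-address=192.168.0.0/24 out-interface=ether1-gateway action=masquerade
/ip firewall filter
# The single forward rule from the post: guest traffic may only leave through WAN.
# It must be placed above any rule that accepts traffic from !WAN or accepts all ICMP.
add chain=forward in-interface=guest-vlan out-interface=!ether1-gateway action=drop comment="guest -> anything but WAN"
# Protect the RB750 itself: guests get DHCP, ping and DNS from the router, nothing else.
add chain=input in-interface=guest-vlan protocol=udp dst-port=67 action=accept comment="bootps"
add chain=input in-interface=guest-vlan protocol=icmp action=accept
add chain=input in-interface=guest-vlan protocol=udp dst-port=53 action=accept comment="dns proxy"
add chain=input in-interface=guest-vlan protocol=tcp dst-port=53 action=accept
add chain=input in-interface=guest-vlan action=drop comment="guest -> router, rest"
```

For the multi-WAN case the post describes, replace the forward drop with accept rules for each WAN interface (in-interface=guest-vlan out-interface=wan1, then wan2) followed by an unconditional drop for in-interface=guest-vlan. To verify isolation, ping a host on the private LAN (not the router's own LAN address, which is handled by the input chain) from a guest client and watch the counters on the forward drop rule.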
Re: Office WiFi: Guest and Internal networks
Posted: Thu Feb 25, 2016 11:38 pm
by Roberts R.
ZeroByte,
The setup you proposed worked for me as far as creating the VLAN on both the wAP and the RB750. I created two bridges on the wAP: one private, for ether1 and wlan1-private; another public, for wlan2-public (virtual AP) and VLAN (id=100). I set up DHCP, and I was able to connect to both APs and get onto the internet from both of them.
The difficulty sets in as I continue with the firewall rules to isolate the guest from the local network. With the current setup I can ping from the guest into the private network. It seems that the guest gets into the private addresses straight in the wAP. Is this correct or am I wrong about that? If so, I tried creating firewall rules, but RouterOS / wAP does not let me create firewall forward rules between wlan2-public and !ether1 -- both of these are slaves. It seems I can create firewall rules just between the bridge interfaces, but it does not help, as doing so blocks the entire traffic. Any ideas?
Re: Office WiFi: Guest and Internal networks
Posted: Fri Feb 26, 2016 12:08 am
by ZeroByte
The difficulty sets in as I continue with the firewall rules to isolate the guest from the local network. With the current setup I can ping from guest into the private network. It seems that the guest gets into the private addresses straight in wAP. Is this correct or am I wrong about that? If so, I tried creating firewall rules, but RouterOS / wAP does not let me create firewall forward rules between wlan2-public and !ether1 -- both of these are slaves. It seems I can create firewall rules just between the bridge interfaces, but it does not help as doing so blocks the entire traffic. Any ideas?
Firstly, no: the traffic must go to the 750G in order to get from one vlan to the other, especially if there's no IP address in the WAP on the public bridge.
When you say you can ping from guest into the private network, are you testing this by pinging the 750G's private-lan IP? If so, then this is not a valid test because traffic to the Mikrotik itself (regardless of the ingress interface) goes through the INPUT chain, not the FORWARD chain. Find a host on the private LAN that will respond to pings, and be sure that's the host you're trying to ping from the private network.
If you can ping the pingable private host from the public network, then there's a rule somewhere in the forward chain which is allowing the traffic before it gets to the filter rules you added (if you followed everything in my previous post). There could be an "allow all ICMP" rule, or else a rule that states "allow in-interface=!wan" or something similar.
Barring any server ports you've created NAT pinholes for, your firewall forward chain should resemble this logic:
1: fasttrack-connection where connection-state=established,related
2: accept where connection-state=established,related
3: accept where out-interface=wan
4: accept where connection-nat-state=dstnat
5: drop all packets
My previously-posted recommended firewall rules would work in most any firewall configuration as long as they're placed at the right spot in the chain.
This chain I just mentioned will give complete isolation regardless of IP, etc, and only allow new connections that are going out to the Internet, and will also accept any server ports you've made NAT pinholes for.
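The five-rule forward chain described above, as an added RouterOS 6.x example (not ZeroByte's own exported rules). Assumed names: ether1-gateway is the WAN interface; the dst-nat pinhole for a hypothetical web server at 192.168.1.10 is included only to show which traffic rule 4 admits. The order is the point: fasttrack and the established/related accept come first, new connections are accepted only when they leave via WAN, published servers are accepted by their NAT state, and everything else is dropped regardless of source or destination address.

```routeros
# Added example (not from the thread): forward chain in the order given in the post.
# Assumed: ether1-gateway = WAN. The server 192.168.1.10 is hypothetical.
/ip firewall filter
# 1: fasttrack established/related so bulk traffic skips the rest of the chain
add chain=forward action=fasttrack-connection connection-state=established,related comment="1: fasttrack"
# 2: replies and related packets of existing connections are always accepted
add chain=forward action=accept connection-state=established,related comment="2: established,related"
# 3: new connections are accepted only when they go out to the Internet
add chain=forward action=accept out-interface=ether1-gateway comment="3: new to WAN"
# 4: inbound connections that a dstnat rule has redirected to a published server
add chain=forward action=accept connection-nat-state=dstnat comment="4: dst-nat pinholes"
# 5: everything else, including guest <-> LAN in either direction, whatever IP the
#    client configured: the match is on interface and connection state, not on address
add chain=forward action=drop comment="5: drop the rest"

# For multi-WAN, rule 3 becomes one accept per WAN interface:
#   add chain=forward action=accept out-interface=wan1
#   add chain=forward action=accept out-interface=wan2
# followed by the same final drop.

# Pinhole that rule 4 admits (hypothetical server).
/ip firewall nat
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.1.10 to-ports=443
```

Because rule 5 drops new connections between internal interfaces, a guest that changes its address to one from the private range is dropped the same as any other guest; the isolation does not depend on maintaining a list of subnets. Any host-to-host exception has to be an explicit accept placed between rules 2 and 5.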
Re: Office WiFi: Guest and Internal networks
Posted: Sat Feb 27, 2016 1:01 am
by Roberts R.
ZeroByte,
Thank you for your detailed guidance. It did work. The initial steps were sufficient.
With your permission I shall recommend this type of setup to Mikrotik as a VirtualAP example.
Although I have used Mikrotik solutions for >10 years, the setup of virtual interfaces and bridges was not trivial or obvious without an example.
Re: Office WiFi: Guest and Internal networks
Posted: Thu Oct 20, 2016 4:28 pm
by perarg
Thank you @plisken for the link. It works like a charm. But... I want to do another thing and I have some difficulties. Here is the scenario.
I have two networks as above. The main network is wired only, with static IPs. This is 192.168.1.0/24. The second one is the WiFi network, 192.168.100.0/24. A member of the WiFi network is a SmartTV which is playing some shared videos from a PC which is a member of the wired network. How can I accomplish that?
I made two firewall rules:
1) Chain: forward, Src.Address: 192.168.1.11 (the PC), Dst.Address: 192.168.100.2 (the TV)
2) Chain: forward, Src.Address: 192.168.100.2 (the TV), Dst.Address: 192.168.1.11 (the PC)
From the TV I can ping the PC. I cannot ping from the PC back to the TV. I think that if I can ping back then there is complete communication back and forth between the PC and the SmartTV. Do you have any idea?