Mikrotik Guest Wireless Network


If you’ve got a Mikrotik router with wireless or a Mikrotik Wireless Access Point and want to set up WiFi with a Guest Network, you’re in the right place!

This guide assumes the most common setup scenario: Guest Wireless and Private Wireless share the same internet connection but cannot talk to each other. Your guest devices only need internet access and do not need to interact with any other devices.

Note that the Mikrotik QuickSet feature now includes all of these steps in a single interface. The lower left of QuickSet has a section for “Guest Wireless Network”.

This guide explains in detail how that setup works.


Interface SSIDs

An SSID is the name of a wireless network. On Mikrotik, you can have a single SSID bound to each interface. If you only have one antenna interface, like many routers/WAPs, you will need to create a virtual AP interface and assign it an SSID as well.

Use Winbox to log in to your Mikrotik router (default IP 192.168.88.1).

In the left pane: Wireless > Double-Click Interface (wlan1 usually) > Wireless Tab.


Here you can configure your AP Bridge, which means “Access Point, bridge to wired network.” You can also change the SSID.

Security Profile (Password)

To change the password: Wireless > Security Profiles > Double-Click Entry > WPA and WPA2 Pre-Shared Key (PSK). These are usually the same password.


Adding the Guest Interface (Virtual Access Point)

Create a new Security Profile (password) for what will become our guest wireless network.

Wireless > Security Profiles Tab > Click Plus Symbol (+) > Name, WPA and WPA2 Pre-Shared Key.


Wireless > Interfaces > Blue Plus (+) Symbol > Virtual


You can name the interface however you would like, but numbering the interfaces is generally best. wlan1 means Wireless LAN 1, so to follow that naming you may use wlan2 or wlan3 for your 2nd and 3rd SSIDs.


Click the Wireless Tab to decide the SSID for this new AP Bridge, and give it a fun name. You can also select the Security Profile (password) to use for this interface.


Guest IP Addresses and DHCP Server

Let’s start by assigning your new Virtual AP Interface a static IP address. Choose a different subnet from your private network. For example, if your private network currently uses 10.10.10.1/24, you might use 10.10.100.1/24 for the guest interface.

IP > Addresses > Plus (+) > Address/Subnet > Interface (Virtual AP Interface, like wlan2)


To add a DHCP Server: IP > DHCP Server > DHCP Setup > Select Virtual AP Interface (wlan2)

Follow the prompts; the fields should auto-populate for you.


Bridging

As a switch is to ethernet cables, so a bridge is to network interfaces: it connects them together. For your physical wireless interface (antenna) to send and receive traffic through your wired interface (RJ-45 port on ETH2), the two need to know to talk to one another, and a bridge makes this happen. You do not need to also bridge your Virtual AP wireless interface (guest) because wlan1 is its master port. This entry is just in case you don’t have any bridge between wlan1 and ethernet. Don’t worry, we will isolate the guest devices from your private devices via a firewall rule. You could also isolate the wlan2 (guest) interface traffic to a separate ethernet plug (say, ether5, while ether2-4 carry private traffic and ether1-gateway is your WAN).


Allow NAT Translation (Masquerade for Internet Access)

You likely already have NAT enabled, but if you don’t, enable a masquerade rule that allows srcnat traffic to go out through your WAN interface (usually gateway or ETH1). This goes for all interfaces, including your existing local ports, existing wireless interface and new wireless virtual AP interface. You can specify a Source Address if you want to, but if you leave the field blank Mikrotik assumes all sources are valid.


Block Guest Interface From Communicating with Private with Firewall Rule

Create a firewall filter rule in the forward chain with the action set to drop. This blocks traffic from the source network (10.10.100.0/24, in this case Guest Wireless) from communicating with the destination network (10.10.10.0/24, in this case Private Wireless).
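
The steps above, from the guest security profile through the firewall rule, written as RouterOS v6 terminal commands. This is an added example, not part of the original post: the interfaces and subnets are the ones the guide uses, while the SSID, passphrase placeholder, pool range, DNS setting and the names guest-profile, guest-pool and guest-dhcp are assumptions.

```routeros
# Added example (RouterOS v6 syntax). Values marked "assumed" are not from the guide.

# 1. Security profile (password) for the guest network.
/interface wireless security-profiles
add name=guest-profile mode=dynamic-keys \
    authentication-types=wpa-psk,wpa2-psk \
    wpa-pre-shared-key="CHANGE-ME-guest-passphrase" \
    wpa2-pre-shared-key="CHANGE-ME-guest-passphrase"

# 2. Virtual AP on top of the physical radio wlan1 (its master interface).
/interface wireless
add name=wlan2 master-interface=wlan1 mode=ap-bridge \
    ssid="Guest-WiFi" security-profile=guest-profile disabled=no

# 3. Static address on the guest interface, in its own subnet.
/ip address
add address=10.10.100.1/24 interface=wlan2

# 4. DHCP for guests (what the DHCP Setup wizard creates).
#    Pool range is assumed; handing out the router as DNS is also assumed.
/ip pool
add name=guest-pool ranges=10.10.100.10-10.10.100.254
/ip dhcp-server
add name=guest-dhcp interface=wlan2 address-pool=guest-pool disabled=no
/ip dhcp-server network
add address=10.10.100.0/24 gateway=10.10.100.1 dns-server=10.10.100.1

# 5. Masquerade outbound traffic on the WAN port, if not already present.
/ip firewall nat
add chain=srcnat out-interface=ether1-gateway action=masquerade

# 6. Isolation: drop forwarded traffic from guest to private.
#    Filter rules are evaluated top to bottom, so this rule must sit above
#    any forward-chain accept rule that would match the same traffic.
/ip firewall filter
add chain=forward src-address=10.10.100.0/24 dst-address=10.10.10.0/24 \
    action=drop comment="Guest wireless may not reach private LAN"

# 7. Check the rule's position and watch its packet counters.
/ip firewall filter print stats where chain=forward
```

To confirm the isolation, join the guest SSID, ping a device on 10.10.10.0/24, and check that the drop rule's packet counter increases while internet access still works.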


I hope that helped you out a bit, enjoy!

One thought on “Mikrotik Guest Wireless Network”

  1. You may also want:

    /ip firewall filter
    add action=drop chain=input comment="Drop traffic from guest to router" src-address=10.10.100.0/24

    And if you’re really concerned (paranoid):

    /ip neighbor discovery
    set wlan2 discover=no

    And if you want to make sure your guests aren’t using up all your bandwidth:

    /queue simple
    add burst-limit=3M/7M burst-threshold=1M/3M burst-time=15s/12s max-limit=2M/5M name="Limit Guest Clients" target=10.0.0.0/24
