networking:mikrotik:wireless_vlan

networking:mikrotik:wireless_vlan [2019/11/26 10:21] rplecko
networking:mikrotik:wireless_vlan [2020/02/27 06:49] (current) rplecko
Line 1: Line 1:
-===== Mikrotik wireless with dual band / dual SSID =====+===== Mikrotik wireless with dual band / dual SSID / multiple VLANs =====
  
-{{ :networking:mikrotik:vlan_wlan.png?1200 |}}+[[http://wiki.tuturutu.eu/lib/exe/detail.php?id=networking:mikrotik:wireless_vlan&media=networking:mikrotik:vlan_wlan.png|{{  http://wiki.tuturutu.eu/lib/exe/fetch.php/networking/mikrotik/vlan_wlan.png?1200  }}]]
  
-The purpose of this example is to explain how to create dual SSID AP with separated traffic. How to transport the separated traffic to another device via VLAN-s and finaly how to disable trafic between VLAN-s but enable them both to access Internet. +The purpose of this example is to explain how to create dual SSID on dual band AP with separated traffic. How to transport the separated traffic to another device via VLAN-s and finaly how to disable trafic between VLAN-s but enable them both to access Internet. We are using two Mikrotik devices. First is "hEX S" (Router_1) which is connected to internet, and taking care of traffic separation, and second is "cAP ac" (AP_1) acting as dual band AP with separated private and public SSID.
-We are using two Mikrotik devices. First is "hEX S" (Router_1) which is connected to internet, and taking care of traffic separation, and second is "cAP ac" (AP_1) acting as dual band AP with separated private and public SSID.+
  
 We will assume that you already have access to internet via ether4 on Router_1 whether using ADSL or a leased line. We will assume that you already have access to internet via ether4 on Router_1 whether using ADSL or a leased line.
  
-==== Configuring Router_1 (hEX S)====+==== Configuring Router_1 (hEX S) ====
  
 +{{:networking/mikrotik/router_1.rsc|router_1.rsc file}}
  
 1. Create neccessary bridges (**bridge_VLAN**, **bridge_priv_101** and **bridge pub_201**). 1. Create neccessary bridges (**bridge_VLAN**, **bridge_priv_101** and **bridge pub_201**).
 +<code>
 +/interface bridge
 +add name=bridge_VLAN
 +add name=bridge_priv_101
 +add name=bridge_pub_201
 +</code>
  
-  /interface bridge  +2. Create VLAN interfaces on **bridge_VLAN** 
-  add name=bridge_VLAN +<code> 
-  add name=bridge_priv_101 +/interface vlan 
-  add name=bridge_pub_201+add interface=bridge_VLAN name=vlan_101 vlan-id=101 
 +add interface=bridge_VLAN name=vlan_201 vlan-id=201 
 +</code>
  
-2. Add neccessary IP addressess.+3. Add VLAN interfaces to corresponding bridges
  
-  ip address add address=10.100.101.254/24 interface=bridge_priv_101 +<code> 
-  ip address add address=10.100.201.254/24 interface=bridge_pub_201+/interface bridge 
 +port add bridge=bridge_priv_101 interface=vlan_101 
 +port add bridge=bridge_pub_201 interface=vlan_201 
 +</code>
  
-3Create VLAN interfaces on **bridge_VLAN**+4Add trunk port (tagged) to **bridge_VLAN** 
 +<code> 
 +/interface bridge 
 +port add bridge=bridge_VLAN interface=ether2 
 +</code>
  
-  /interface vlan   +5. Add access port (untagged) to **bridge_priv_101** 
-  add interface=bridge_VLAN name=vlan_101 vlan-id=101 +<code> 
-  add interface=bridge_VLAN name=vlan_201 vlan-id=201+/interface bridge 
 +port add bridge=bridge_priv_101 interface=ether1 
 +</code>
  
-4. Add VLAN interfaces to corresponding bridges+6. Add neccessary IP addressess.
  
-  /interface bridge  +<code> 
-  port add bridge=bridge_priv_101 interface=vlan_101 +/ip address 
-  port add bridge=bridge_pub_201 interface=vlan_201 +add address=10.100.101.254/24 interface=bridge_priv_101 
-   +add address=10.100.201.254/24 interface=bridge_pub_201 
-5. Add trunk port to **bridge_VLAN**+</code>
  
-  /interface bridge  +7. Add DHCP servers to **bridge_priv_101** and **bridge_pub_201** 
-  port add bridge=bridge_VLAN interface=ether2+<code> 
 +/ip pool 
 +add name=dhcp_pool101 ranges=10.100.101.1-10.100.101.253 
 +add name=dhcp_pool201 ranges=10.100.201.1-10.100.201.253 
 +/ip dhcp-server network 
 +add address=10.100.101.0/24 dns-server=8.8.8.8 gateway=10.100.101.254 
 +add address=10.100.201.0/24 dns-server=8.8.8.8 gateway=10.100.201.254 
 +</code>
  
-6. Add access port to **bridge_priv_101**+  You can also do it by clicking <hi #ed1c24>DHCP setup</hi> button in Winbox (for both IP subnets)
  
-  /interface bridge  +8. Add firewall rule to prohibit public users to access private network.
-  port add bridge=bridge_priv_101 interface=ether1+
  
-7. Add DHCP servers to **bridge_priv_101** and **bridge_pub_201** +<code> 
- +/ip firewall filter 
-8Add firewall rule to prohibit access to private network for public users.+add action=reject chain=forward dst-address=10.100.101.0/24 reject-with=icmp-admin-prohibited src-address=10.100.201.0/24 
 +</code>
  
 +==== Configuring AP_1 (hAP ac) ====
  
-==== Configuring AP_1 (hAP ac)====+{{:networking/mikrotik/ap_1.rsc|ap_1.rsc file}}
  
 1. Create neccessary bridges (**bridge_VLAN**, **bridge_priv_101** and **bridge pub_201**). 1. Create neccessary bridges (**bridge_VLAN**, **bridge_priv_101** and **bridge pub_201**).
- +<code> 
-  /interface bridge  +/interface bridge 
-  add name=bridge_VLAN +add name=bridge_VLAN 
-  add name=bridge_priv_101 +add name=bridge_priv_101 
-  add name=bridge_pub_201+add name=bridge_pub_201 
 +</code>
  
 2. Create VLAN interfaces on **bridge_VLAN** 2. Create VLAN interfaces on **bridge_VLAN**
- +<code> 
-  /interface vlan   +/interface vlan 
-  add interface=bridge_VLAN name=vlan_101 vlan-id=101 +add interface=bridge_VLAN name=vlan_101 vlan-id=101 
-  add interface=bridge_VLAN name=vlan_201 vlan-id=201+add interface=bridge_VLAN name=vlan_201 vlan-id=201 
 +</code>
  
 3. Add VLAN interfaces to corresponding bridges 3. Add VLAN interfaces to corresponding bridges
  
-  /interface bridge port  +<code> 
-  add bridge=bridge_priv_101 interface=vlan_101 +/interface bridge port 
-  add bridge=bridge_pub_201 interface=vlan_201 +add bridge=bridge_priv_101 interface=vlan_101 
-  +add bridge=bridge_pub_201 interface=vlan_201 
 +</code> 
 4. Add trunk port to **bridge_VLAN** 4. Add trunk port to **bridge_VLAN**
 +<code>
 +/interface bridge port
 +add bridge=bridge_VLAN interface=ether1
 +</code>
  
-  interface bridge port add bridge=bridge_VLAN interface=ether1+5. Add access port to **bridge_pub_201**. The purpose of this is to enable to connect a device (e.g. Smart TV) to the AP and restrict it to Internet only. 
 +<code> 
 +/interface bridge port 
 +add bridge=bridge_pub_201 interface=ether2 
 +</code>
  
-5. Add access port to **bridge_pub_201**. The purpose of this is to enable to connect a device (e.g. Smart TV) to the AP and restrict it to Internet only.  
- 
-  interface bridge port add bridge=bridge_pub_201 interface=ether2 
-   
 6. Create and virtual wireless interfaces and security profiles 6. Create and virtual wireless interfaces and security profiles
  
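Review bot: the step 8 rule (`add action=reject chain=forward dst-address=10.100.101.0/24 reject-with=icmp-admin-prohibited src-address=10.100.201.0/24`) is appended with a plain `add`, so it lands after whatever forward-chain rules Router_1 already has; if an earlier rule accepts LAN traffic in general, public clients still reach 10.100.101.0/24, so add `place-before=` (or check the order with `/ip firewall filter print`) so that it sits directly after the established/related accept. It also covers only the forward chain: hosts on bridge_pub_201 can still open connections to Router_1's own services on 10.100.201.254 and 10.100.101.254 (input chain), which nothing in the step mentions; an input-chain drop for `in-interface=bridge_pub_201`, placed after the established/related accept and allowing only what the public subnet legitimately needs from the router, closes that gap. Separately, step 7 defines the pools and the `/ip dhcp-server network` entries but no server instances (`/ip dhcp-server add name=dhcp_priv interface=bridge_priv_101 address-pool=dhcp_pool101 disabled=no`, and the same for bridge_pub_201 with dhcp_pool201); without them no leases are handed out, and the Winbox "DHCP setup" hint under the block is the only thing that would create them, so either add those lines to the block or say that router_1.rsc is the authoritative source.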
Line 85: Line 118:
 set [ find default=yes ] supplicant-identity=MikroTik set [ find default=yes ] supplicant-identity=MikroTik
 add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys name=profile_private supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=private_pass wpa2-pre-shared-key=private_pass add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys name=profile_private supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=private_pass wpa2-pre-shared-key=private_pass
-add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys name=profile_public supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=public_pass wpa2-pre-shared-key=public_pass +add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys name=profile_public supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=public_pass wpa2-pre-shared-key=public_pass
 /interface wireless /interface wireless
 set [ find default-name=wlan1 ] band=2ghz-g/n disabled=no frequency=2437 mode=ap-bridge name=wlan1_Private security-profile=profile_private ssid=Private vlan-id=101 set [ find default-name=wlan1 ] band=2ghz-g/n disabled=no frequency=2437 mode=ap-bridge name=wlan1_Private security-profile=profile_private ssid=Private vlan-id=101
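Review bot: both security profiles keep `authentication-types=wpa-psk,wpa2-psk` with `unicast-ciphers=tkip,aes-ccm` and `group-ciphers=tkip,aes-ccm`, so WPA1 with TKIP stays negotiable on the Private SSID as well as the Public one; unless a legacy client actually needs it, set `authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm` on profile_private at least, since TKIP as a permitted group cipher can weaken broadcast/multicast protection for every associated client, not just the TKIP ones. The PSKs `private_pass` and `public_pass` are placeholders committed verbatim into both lines; the page does say to change them further down, but that warning belongs beside the block where they are set, and the linked ap_1.rsc presumably carries the same placeholders.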
Line 91: Line 124:
 set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no frequency=5280 mode=ap-bridge name=wlan2_Private security-profile=profile_private ssid=Private vlan-id=101 set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no frequency=5280 mode=ap-bridge name=wlan2_Private security-profile=profile_private ssid=Private vlan-id=101
 add disabled=no keepalive-frames=disabled master-interface=wlan2_Private multicast-buffering=disabled name=wlan2_Public security-profile=profile_public ssid=Public vlan-id=201 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled add disabled=no keepalive-frames=disabled master-interface=wlan2_Private multicast-buffering=disabled name=wlan2_Public security-profile=profile_public ssid=Public vlan-id=201 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
- 
 </code> </code>
  
 7. Add wireless interfaces to corresponding bridges 7. Add wireless interfaces to corresponding bridges
  
-  /interface bridge port  +<code> 
-  add bridge=bridge_priv_101 interface=wlan1_Private +/interface bridge port 
-  add bridge=bridge_priv_101 interface=wlan2_Private +add bridge=bridge_priv_101 interface=wlan1_Private 
-  add bridge=bridge_pub_201 interface=wlan1_Public +add bridge=bridge_priv_101 interface=wlan2_Private 
-  add bridge=bridge_pub_201 interface=wlan2_Public+add bridge=bridge_pub_201 interface=wlan1_Public 
 +add bridge=bridge_pub_201 interface=wlan2_Public 
 +</code> 
 + 
 +Now you have AP with two SSID (**Private** and **Public**) on both bands (2,4 and 5 GHz), for each of them separate security profile is created (**profile_private** and **profile_public**) where the authentication passwords are stored (//private_pass//; //public_pass//). 
 + 
 +<fc #ff0000>Do not forget to change them !!!</fc>
  
 +The traffic from both of them is transported through trunk port to **Router_1** vhere the DHCP server for each subnet is running. Traffic on private wireless is bridged to the **ethernet1** to which the rest of the wired network is connected. Firewall rule prohibits users connected to **Public** SSID to access private network.
  
-...to be continued.... 
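Review bot: step 6 sets `wps-mode=disabled` only on the virtual AP `wlan2_Public`, while the master interfaces `wlan1_Private` and `wlan2_Private` (and, by the same pattern, wlan1_Public outside the shown lines) are left at the default; add `wps-mode=disabled` to the `set [ find default-name=wlan1 ]` and `set [ find default-name=wlan2 ]` lines as well so the setting is consistent across all four SSIDs. The closing paragraph says the firewall rule keeps Public users out of the private network, but that rule lives on Router_1 only: on AP_1 the separation rests on the wireless interfaces and ether2 sitting in different bridges (bridge_priv_101 vs. bridge_pub_201), which is worth stating explicitly. The `vlan-id=101` / `vlan-id=201` on the wireless interfaces has no effect unless `vlan-mode=use-tag` is also set, so either drop those parameters or explain them, since the tagging here is done by vlan_101/vlan_201 on bridge_VLAN. Minor: "vhere" should read "where", and "2,4 and 5 GHz" should read "2.4 and 5 GHz".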
networking/mikrotik/wireless_vlan.1574763661.txt.gz · Last modified: 2019/11/26 10:21 by rplecko