Differences

This shows you the differences between two versions of the page.

--- networking:mikrotik:wireless_vlan [2019/11/26 16:11] – rplecko
+++ networking:mikrotik:wireless_vlan [2020/02/27 06:49] (current) – rplecko
@@ Line 1: / Line 1: @@
-===== Mikrotik wireless with dual band / dual SSID =====
+===== Mikrotik wireless with dual band / dual SSID / multiple VLANs =====
-[[http://wiki.tuturutu.eu/lib/exe/detail.php?id=networking:mikrotik:wireless_vlan&media=networking:mikrotik:vlan_wlan.png|{{  :networking:mikrotik:vlan_wlan.png?1200  }}]]
+[[http://wiki.tuturutu.eu/lib/exe/detail.php?id=networking:mikrotik:wireless_vlan&media=networking:mikrotik:vlan_wlan.png|{{  http://wiki.tuturutu.eu/lib/exe/fetch.php/networking/mikrotik/vlan_wlan.png?1200  }}]]
-The purpose of this example is to explain how to create dual SSID AP with separated traffic. How to transport the separated traffic to another device via VLAN-s and finaly how to disable trafic between VLAN-s but enable them both to access Internet. We are using two Mikrotik devices. First is "hEX S" (Router_1) which is connected to internet, and taking care of traffic separation, and second is "cAP ac" (AP_1) acting as dual band AP with separated private and public SSID.
+The purpose of this example is to explain how to create dual SSID on dual band AP with separated traffic. How to transport the separated traffic to another device via VLAN-s and finaly how to disable trafic between VLAN-s but enable them both to access Internet. We are using two Mikrotik devices. First is "hEX S" (Router_1) which is connected to internet, and taking care of traffic separation, and second is "cAP ac" (AP_1) acting as dual band AP with separated private and public SSID.
 We will assume that you already have access to internet via ether4 on Router_1 whether using ADSL or a leased line.
 ==== Configuring Router_1 (hEX S) ====
+{{:networking/mikrotik/router_1.rsc|router_1.rsc file}}
 . Create neccessary bridges (**bridge_VLAN**, **bridge_priv_101** and **bridge pub_201**).
@@ Line 17: / Line 19: @@
 </code>
-. Add neccessary IP addressess.
+. Create VLAN interfaces on **bridge_VLAN**
-<code>
-/ip address
-add address=10.100.101.254/24 interface=bridge_priv_101
-add address=10.100.201.254/24 interface=bridge_pub_201
-</code>
-. Create VLAN interfaces on **bridge_VLAN**
 <code>
 /interface vlan
@@ Line 32: / Line 26: @@
 </code>
 . Add VLAN interfaces to corresponding bridges
 <code>
@@ Line 40: / Line 34: @@
 </code>
-. Add trunk port to **bridge_VLAN**
+. Add trunk port (tagged) to **bridge_VLAN**
 <code>
 /interface bridge
@@ Line 46: / Line 40: @@
 </code>
-. Add access port to **bridge_priv_101**
+. Add access port (untagged) to **bridge_priv_101**
 <code>
 /interface bridge
 port add bridge=bridge_priv_101 interface=ether1
+</code>
+. Add neccessary IP addressess.
+<code>
+/ip address
+add address=10.100.101.254/24 interface=bridge_priv_101
+add address=10.100.201.254/24 interface=bridge_pub_201
 </code>
 . Add DHCP servers to **bridge_priv_101** and **bridge_pub_201**
+<code>
+/ip pool
+add name=dhcp_pool101 ranges=10.100.101.1-10.100.101.253
+add name=dhcp_pool201 ranges=10.100.201.1-10.100.201.253
+/ip dhcp-server network
+add address=10.100.101.0/24 dns-server=8.8.8.8 gateway=10.100.101.254
+add address=10.100.201.0/24 dns-server=8.8.8.8 gateway=10.100.201.254
+</code>
-. Add firewall rule to prohibit access to private network for public users.
+  You can also do it by clicking <hi #ed1c24>DHCP setup</hi> button in Winbox (for both IP subnets)
+. Add firewall rule to prohibit public users to access private network.
+<code>
+/ip firewall filter
+add action=reject chain=forward dst-address=10.100.101.0/24 reject-with=icmp-admin-prohibited src-address=10.100.201.0/24
+</code>
 ==== Configuring AP_1 (hAP ac) ====
+{{:networking/mikrotik/ap_1.rsc|ap_1.rsc file}}
 . Create neccessary bridges (**bridge_VLAN**, **bridge_priv_101** and **bridge pub_201**).
@@ Line 83: / Line 102: @@
 . Add trunk port to **bridge_VLAN**
 <code>
-interface bridge port add bridge=bridge_VLAN interface=ether1
+/interface bridge port
+add bridge=bridge_VLAN interface=ether1
 </code>
 . Add access port to **bridge_pub_201**. The purpose of this is to enable to connect a device (e.g. Smart TV) to the AP and restrict it to Internet only.
 <code>
-interface bridge port add bridge=bridge_pub_201 interface=ether2
+/interface bridge port
+add bridge=bridge_pub_201 interface=ether2
 </code>
@@ Line 115: / Line 136: @@
 </code>
-…to be continued….
+Now you have AP with two SSID (**Private** and **Public**) on both bands (2,4 and 5 GHz), for each of them separate security profile is created (**profile_private** and **profile_public**) where the authentication passwords are stored (//private_pass//; //public_pass//).
+<fc #ff0000>Do not forget to change them !!!</fc>
+The traffic from both of them is transported through trunk port to **Router_1** vhere the DHCP server for each subnet is running. Traffic on private wireless is bridged to the **ethernet1** to which the rest of the wired network is connected. Firewall rule prohibits users connected to **Public** SSID to access private network.