networking:mikrotik:wireless_vlan

Differences

This shows you the differences between two versions of the page.

Old revision: networking:mikrotik:wireless_vlan [2019/11/26 16:13] rplecko
New revision: networking:mikrotik:wireless_vlan [2020/02/27 06:49] (current) rplecko
Line 1: Line 1:
-===== Mikrotik wireless with dual band / dual SSID =====+===== Mikrotik wireless with dual band / dual SSID / multiple VLANs =====
  
-[[http://wiki.tuturutu.eu/lib/exe/detail.php?id=networking:mikrotik:wireless_vlan&media=networking:mikrotik:vlan_wlan.png|{{  :networking:mikrotik:vlan_wlan.png?1200  }}]]+[[http://wiki.tuturutu.eu/lib/exe/detail.php?id=networking:mikrotik:wireless_vlan&media=networking:mikrotik:vlan_wlan.png|{{  http://wiki.tuturutu.eu/lib/exe/fetch.php/networking/mikrotik/vlan_wlan.png?1200  }}]]
  
-The purpose of this example is to explain how to create dual SSID AP with separated traffic. How to transport the separated traffic to another device via VLAN-s and finaly how to disable trafic between VLAN-s but enable them both to access Internet. We are using two Mikrotik devices. First is "hEX S" (Router_1) which is connected to internet, and taking care of traffic separation, and second is "cAP ac" (AP_1) acting as dual band AP with separated private and public SSID.+The purpose of this example is to explain how to create dual SSID on dual band AP with separated traffic. How to transport the separated traffic to another device via VLAN-s and finaly how to disable trafic between VLAN-s but enable them both to access Internet. We are using two Mikrotik devices. First is "hEX S" (Router_1) which is connected to internet, and taking care of traffic separation, and second is "cAP ac" (AP_1) acting as dual band AP with separated private and public SSID.
  
 We will assume that you already have access to internet via ether4 on Router_1 whether using ADSL or a leased line. We will assume that you already have access to internet via ether4 on Router_1 whether using ADSL or a leased line.
  
 ==== Configuring Router_1 (hEX S) ==== ==== Configuring Router_1 (hEX S) ====
 +
 +{{:networking/mikrotik/router_1.rsc|router_1.rsc file}}
  
 1. Create neccessary bridges (**bridge_VLAN**, **bridge_priv_101** and **bridge pub_201**). 1. Create neccessary bridges (**bridge_VLAN**, **bridge_priv_101** and **bridge pub_201**).
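Review bot: The rewritten intro line still carries the typos "finaly" and "trafic", and its second sentence ("How to transport ...") is a fragment; since the line is being touched anyway, fix them here, along with "neccessary" in step 1. The image embed also changes from the internal media id `:networking:mikrotik:vlan_wlan.png` to an absolute `http://wiki.tuturutu.eu/...` URL, which ties the page to one hostname and to plain HTTP; keeping the internal media reference would avoid both.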
Line 17: Line 19:
 </code> </code>
  
-2. Add neccessary IP addressess. +2. Create VLAN interfaces on **bridge_VLAN**
- +
-<code> +
-/ip address +
-add address=10.100.101.254/24 interface=bridge_priv_101 +
-add address=10.100.201.254/24 interface=bridge_pub_201 +
-</code> +
- +
-3. Create VLAN interfaces on **bridge_VLAN**+
 <code> <code>
 /interface vlan /interface vlan
Line 32: Line 26:
 </code> </code>
  
-4. Add VLAN interfaces to corresponding bridges+3. Add VLAN interfaces to corresponding bridges
  
 <code> <code>
Line 40: Line 34:
 </code> </code>
  
-5. Add trunk port to **bridge_VLAN**+4. Add trunk port (tagged) to **bridge_VLAN**
 <code> <code>
 /interface bridge /interface bridge
Line 46: Line 40:
 </code> </code>
  
-6. Add access port to **bridge_priv_101**+5. Add access port (untagged) to **bridge_priv_101**
 <code> <code>
 /interface bridge /interface bridge
Line 52: Line 46:
 </code> </code>
  
-7. Add DHCP servers to **bridge_priv_101** and **bridge_pub_201**+6. Add neccessary IP addressess.
  
 +<code>
 +/ip address
 +add address=10.100.101.254/24 interface=bridge_priv_101
 +add address=10.100.201.254/24 interface=bridge_pub_201
 +</code>
 +
 +7. Add DHCP servers to **bridge_priv_101** and **bridge_pub_201**
 <code> <code>
 /ip pool /ip pool
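Review bot: The relocated step 6 heading keeps the misspellings "neccessary" and "addressess" and is the only step heading that ends with a period; correct it to "6. Add necessary IP addresses" while moving it. Moving the address step next to the DHCP step that depends on it reads well otherwise.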
Line 63: Line 64:
 </code> </code>
  
-8. Add firewall rule to prohibit access to private network for public users.+  You can also do it by clicking <hi #ed1c24>DHCP setup</hi> button in Winbox (for both IP subnets) 
 + 
 +8. Add firewall rule to prohibit public users to access private network. 
 + 
 +<code> 
 +/ip firewall filter 
 +add action=reject chain=forward dst-address=10.100.101.0/24 reject-with=icmp-admin-prohibited src-address=10.100.201.0/24 
 +</code>
  
 ==== Configuring AP_1 (hAP ac) ==== ==== Configuring AP_1 (hAP ac) ====
 +
 +{{:networking/mikrotik/ap_1.rsc|ap_1.rsc file}}
  
 1. Create neccessary bridges (**bridge_VLAN**, **bridge_priv_101** and **bridge pub_201**). 1. Create neccessary bridges (**bridge_VLAN**, **bridge_priv_101** and **bridge pub_201**).
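Review bot: The new rule in step 8 sits only in `chain=forward`, so it stops routed traffic from 10.100.201.0/24 to 10.100.101.0/24 but says nothing about public clients talking to Router_1 itself, which is handled by the `input` chain; either add a matching input rule that limits what the public bridge may reach on the router (DHCP and DNS as needed), or state that the page relies on an existing input policy. Matching on `in-interface=bridge_pub_201` in addition to the source address would tie the rule to the segment rather than to an address alone, and because `add` appends to the end of the filter list, the text should say that the rule has to sit above any broader accept rule in `forward`. Separately, the indented "You can also do it by clicking ..." line will render as a preformatted block in DokuWiki because of its leading spaces, and the heading here says "hAP ac" while the intro calls AP_1 a "cAP ac".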
Line 92: Line 102:
 4. Add trunk port to **bridge_VLAN** 4. Add trunk port to **bridge_VLAN**
 <code> <code>
-interface bridge port add bridge=bridge_VLAN interface=ether1+/interface bridge port 
 +add bridge=bridge_VLAN interface=ether1
 </code> </code>
  
 5. Add access port to **bridge_pub_201**. The purpose of this is to enable to connect a device (e.g. Smart TV) to the AP and restrict it to Internet only. 5. Add access port to **bridge_pub_201**. The purpose of this is to enable to connect a device (e.g. Smart TV) to the AP and restrict it to Internet only.
 <code> <code>
-interface bridge port add bridge=bridge_pub_201 interface=ether2+/interface bridge port 
 +add bridge=bridge_pub_201 interface=ether2
 </code> </code>
  
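Review bot: Steps 4 and 5 for AP_1 still read "Add trunk port" and "Add access port" without the "(tagged)" and "(untagged)" qualifiers that this same revision adds to the matching Router_1 steps; add them here too so the two sections stay parallel. The split into a `/interface bridge port` line followed by `add ...` is fine, but the Router_1 blocks open with `/interface bridge`, so pick one form for both sections.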
Line 124: Line 136:
 </code> </code>
  
-to be continued….+Now you have AP with two SSID (**Private** and **Public**) on both bands (2,4 and 5 GHz), for each of them separate security profile is created (**profile_private** and **profile_public**) where the authentication passwords are stored (//private_pass//; //public_pass//). 
 + 
 +<fc #ff0000>Do not forget to change them !!!</fc> 
 + 
 +The traffic from both of them is transported through trunk port to **Router_1** vhere the DHCP server for each subnet is running. Traffic on private wireless is bridged to the **ethernet1** to which the rest of the wired network is connected. Firewall rule prohibits users connected to **Public** SSID to access private network.
  
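Review bot: The closing paragraph confirms that the example profiles ship with the literal passwords //private_pass// and //public_pass// and relies on a red "Do not forget to change them !!!" line to get them replaced; anyone importing the attached .rsc files unchanged ends up with a known passphrase on both SSIDs. Put the warning before the step that creates the security profiles, and use an obviously invalid placeholder in the example so the import cannot be used as is. Also in this paragraph: "vhere" should be "where", "ethernet1" does not match the `ether1`/`ether2` interface names used in the steps above, and "2,4" should be "2.4". The `<fc>` tag here and the `<hi>` tag in step 7 each depend on a different DokuWiki plugin; one of the two would be enough.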
networking/mikrotik/wireless_vlan.1574784819.txt.gz · Last modified: 2019/11/26 16:13 by rplecko