Mikrotik wireless with dual band / dual SSID
The purpose of this example is to explain how to create a dual-SSID AP with separated traffic, how to transport the separated traffic to another device via VLANs, and finally how to block traffic between the VLANs while still allowing both to access the Internet. We use two MikroTik devices. The first is a “hEX S” (Router_1), which is connected to the Internet and takes care of traffic separation. The second is a “cAP ac” (AP_1), acting as a dual-band AP with separate private and public SSIDs.
We will assume that you already have access to the Internet via ether4 on Router_1, whether using ADSL or a leased line.
Configuring Router_1 (hEX S)
1. Create the necessary bridges (bridge_VLAN, bridge_priv_101 and bridge_pub_201).
/interface bridge
add name=bridge_VLAN
add name=bridge_priv_101
add name=bridge_pub_201
2. Add the necessary IP addresses.
/ip address
add address=10.100.101.254/24 interface=bridge_priv_101
add address=10.100.201.254/24 interface=bridge_pub_201
3. Create VLAN interfaces on bridge_VLAN
/interface vlan
add interface=bridge_VLAN name=vlan_101 vlan-id=101
add interface=bridge_VLAN name=vlan_201 vlan-id=201
4. Add VLAN interfaces to corresponding bridges
/interface bridge port
add bridge=bridge_priv_101 interface=vlan_101
add bridge=bridge_pub_201 interface=vlan_201
5. Add trunk port to bridge_VLAN
/interface bridge port add bridge=bridge_VLAN interface=ether2
6. Add access port to bridge_priv_101
/interface bridge port add bridge=bridge_priv_101 interface=ether1
7. Add DHCP servers to bridge_priv_101 and bridge_pub_201
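/ip pool
add name=dhcp_pool101 ranges=10.100.101.1-10.100.101.253
add name=dhcp_pool201 ranges=10.100.201.1-10.100.201.253
# DHCP server instances bound to each bridge (the names dhcp_101 and dhcp_201 are assumed)
/ip dhcp-server
add address-pool=dhcp_pool101 disabled=no interface=bridge_priv_101 name=dhcp_101
add address-pool=dhcp_pool201 disabled=no interface=bridge_pub_201 name=dhcp_201
/ip dhcp-server network
add address=10.100.101.0/24 dns-server=8.8.8.8 gateway=10.100.101.254
add address=10.100.201.0/24 dns-server=8.8.8.8 gateway=10.100.201.254
8. Add a firewall rule to prevent public users from accessing the private network.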
/ip firewall filter add action=reject chain=forward dst-address=10.100.101.0/24 reject-with=icmp-admin-prohibited src-address=10.100.201.0/24
Configuring AP_1 (hAP ac)
1. Create the necessary bridges (bridge_VLAN, bridge_priv_101 and bridge_pub_201).
/interface bridge
add name=bridge_VLAN
add name=bridge_priv_101
add name=bridge_pub_201
2. Create VLAN interfaces on bridge_VLAN
/interface vlan
add interface=bridge_VLAN name=vlan_101 vlan-id=101
add interface=bridge_VLAN name=vlan_201 vlan-id=201
3. Add VLAN interfaces to corresponding bridges
/interface bridge port
add bridge=bridge_priv_101 interface=vlan_101
add bridge=bridge_pub_201 interface=vlan_201
4. Add trunk port to bridge_VLAN
/interface bridge port add bridge=bridge_VLAN interface=ether1
5. Add an access port to bridge_pub_201. This lets you connect a wired device (e.g. a Smart TV) to the AP and restrict it to Internet access only.
/interface bridge port add bridge=bridge_pub_201 interface=ether2
6. Create virtual wireless interfaces and security profiles
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys name=profile_private \
    supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key=private_pass wpa2-pre-shared-key=private_pass
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    group-ciphers=tkip,aes-ccm mode=dynamic-keys name=profile_public \
    supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key=public_pass wpa2-pre-shared-key=public_pass
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n disabled=no frequency=2437 \
    mode=ap-bridge name=wlan1_Private security-profile=profile_private \
    ssid=Private vlan-id=101
add disabled=no keepalive-frames=disabled master-interface=wlan1_Private \
    multicast-buffering=disabled name=wlan1_Public \
    security-profile=profile_public ssid=Public vlan-id=201 \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no frequency=5280 \
    mode=ap-bridge name=wlan2_Private security-profile=profile_private \
    ssid=Private vlan-id=101
add disabled=no keepalive-frames=disabled master-interface=wlan2_Private \
    multicast-buffering=disabled name=wlan2_Public \
    security-profile=profile_public ssid=Public vlan-id=201 \
    wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
7. Add wireless interfaces to corresponding bridges
/interface bridge port
add bridge=bridge_priv_101 interface=wlan1_Private
add bridge=bridge_priv_101 interface=wlan2_Private
add bridge=bridge_pub_201 interface=wlan1_Public
add bridge=bridge_pub_201 interface=wlan2_Public
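The security profiles created in step 6 on AP_1 accept both WPA and WPA2 and allow TKIP next to AES-CCM, so a client can still negotiate the legacy modes. The following is an added example, not part of the original page, that restricts both profiles to WPA2-PSK with AES-CCM only. The profile names are those from step 6 and the passphrases are placeholders.

```routeros
# Added example, not from the original page.
# Profile names come from step 6; passphrase values are placeholders.

# Before (as configured in step 6):
#   authentication-types=wpa-psk,wpa2-psk
#   unicast-ciphers=tkip,aes-ccm
#   group-ciphers=tkip,aes-ccm
# Both WPA and TKIP remain available to any client that asks for them.

# After: WPA2-PSK only, AES-CCM only, a distinct passphrase per SSID.
/interface wireless security-profiles
set [ find name=profile_private ] authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="REPLACE_WITH_PRIVATE_PASSPHRASE"
set [ find name=profile_public ] authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="REPLACE_WITH_PUBLIC_PASSPHRASE"

# Confirm that neither profile still lists wpa-psk or tkip.
/interface wireless security-profiles print detail where name~"profile_"
```

Clients that only support WPA/TKIP will no longer associate after this change, so check the connected devices on both SSIDs before applying it.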
…to be continued….

