jdub88
Frequent Visitor
Topic Author
Posts: 55
Joined: Fri Sep 25, 2020 1:35 pm

Struggling with additional WiFi Subnets

Thu Jan 18, 2024 1:18 pm

Hey Folks,

So one thing that has perplexed me for a while now with Mikrotik is being able to easily segment the network.

All I want to achieve is to add a couple of extra SSIDs, with their own subnets and their own DHCP scopes, where I can filter traffic with the Firewall.

I have reviewed the following examples, and while they are useful, they tend to cover more than I need:

https://help.mikrotik.com/docs/display/ ... n+Wireless
viewtopic.php?f=13&t=143620&sid=4745b93 ... 51dd517cd4

I have just a single AX3 for the entire house so I don't really need to worry about trunking.

Ideally, I would like to add a new VLAN for the new SSID without messing with the existing config. I assume that defconf is in VLAN1, even though not explicitly stated. I know VLAN1 isn't best practice, but this is just my house, I'm not too concerned.

I have tried using the Guest Wireless option within Quick Set, but this adds bridge filters and shares IP space, and I'd rather control this with firewall rules and have each SSID associated with its own /24 with DHCP.

Here is the key config I have now, excluding stuff like firewalls:
/interface ethernet set [ find default-name=ether1 ] comment=WAN
/interface ethernet set [ find default-name=ether2 ] comment=Switch
/interface ethernet set [ find default-name=ether3 ] comment=Base
/interface wifi set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=HOME disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface wifi set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.mode=ap .ssid=HOME disabled=no security.authentication-types=wpa2-psk,wpa3-psk
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/ip pool add name=dhcp ranges=192.168.1.30-192.168.1.200
/ip dhcp-server add address-pool=dhcp interface=bridge lease-time=23h59m59s name=defconf
/interface bridge port add bridge=bridge comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf interface=wifi1 internal-path-cost=10 path-cost=10
/interface bridge port add bridge=bridge comment=defconf interface=wifi2 internal-path-cost=10 path-cost=10
/interface list member add comment=defconf interface=bridge list=LAN
/interface list member add comment=defconf interface=ether1 list=WAN
/interface list member add interface=pppoe-out1 list=WAN
/ip address add address=192.168.1.254/24 comment=defconf interface=bridge network=192.168.1.0
/ip dhcp-server network add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.2 gateway=192.168.1.254 netmask=24
What is the least disruptive way to add the extra config? The access/physical ports can stay as they are in the native VLAN. I've done this many times with Cisco, HP Enterprise and also Ubiquiti, but it's a bit more of a challenge on Mikrotik... but I am determined to solve it :) My knowledge in the area is a little rusty though, and Mikrotik isn't so forgiving.

Losing WiFi access would be a PITA to then resolve so I will be sure to use safe mode..

Thank you!
 
anav
Forum Guru
Posts: 19644
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Struggling with additional WiFi Subnets

Thu Jan 18, 2024 6:01 pm

Some advice, quickset --> avoid!

I'm assuming that you have need of multiple SSID/WLANS due to different types of users.
- secure home users
- untrustworthy IOT devices
- vid Cameras
- guest users.

All which may or may not require different subnets. If they are on their own subnet then they probably should be on their own WLAN.
The easy way to do this is via VLANs. ( by the way no need for capsman here, keep life simple ).

Best thread on vlans --> viewtopic.php?t=143620
Hint: Treat WLAN interfaces the same as ether ports! (wireless ports etc.)
 
jdub88
Frequent Visitor
Topic Author
Posts: 55
Joined: Fri Sep 25, 2020 1:35 pm

Re: Struggling with additional WiFi Subnets

Thu Jan 18, 2024 7:39 pm

Thanks! Yeah that is a great thread and it's one that I've been referencing.

What I am trying to do though is retrospectively add a VLAN to a non-VLANned config (thinking back, I wish I'd found that thread before I rolled out my router, but the idea of starting again, even though it's quite a simple config, is just undesirable).

So let's consider if I just want to add 1 VLAN; in the example of a single AP in the linked thread there is the mention of Blue VLAN, Green VLAN, etc.

So given the config I supplied above, where there is no mention of VLANs, can I do something like:

Create the SSID:
# note: no security.* settings are given here, so these virtual APs would come up without a passphrase unless security settings are added
/interface wifi add configuration.ssid=GUEST disabled=no master-interface=wifi1 name=wifi3
/interface wifi add configuration.ssid=GUEST disabled=no master-interface=wifi2 name=wifi4
Add it to the existing bridge I have with VLAN 10:
/interface bridge port add bridge=bridge interface=wifi3 pvid=10
/interface bridge port add bridge=bridge interface=wifi4 pvid=10
Interface creation, IP assignment, and DHCP service
/interface vlan add interface=bridge name=GUEST_VLAN vlan-id=10
/ip address add interface=GUEST_VLAN address=10.0.10.1/24
/ip pool add name=GUEST_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
+ firewalling but I am comfortable with that already

Does the above work while letting the current config continue?
 
anav
Forum Guru
Posts: 19644
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Struggling with additional WiFi Subnets

Thu Jan 18, 2024 7:52 pm

My usual line is once you go vlan, go all vlans and not have the bridge do anything but bridging (no dhcp).
The issue is the bridge is handing out traffic and a LAN and yet you have a vlan doing the same thing on ports you connected to the bridge.
Also you are missing the required /interface bridge vlan settings etc.....

What I would do.....
----> make all vlans and carry on as per the linked document
You can do this incrementally. First take the current LAN and simply make it a vlan.
Modify current bridge settings to vlanXX that you create. ( address, dhcp-server, the pool and dhcp-server network can remain the same )
bridge ports are all etherAB pvid=XX
etc...........
 
jdub88
Frequent Visitor
Topic Author
Posts: 55
Joined: Fri Sep 25, 2020 1:35 pm

Re: Struggling with additional WiFi Subnets

Thu Jan 18, 2024 8:15 pm

Thanks, that does sound a better approach.

I have a spare device I can test with, and there is always safe mode!
 
gigabyte091
Forum Guru
Posts: 1226
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: Struggling with additional WiFi Subnets

Thu Jan 18, 2024 8:18 pm

Or... you can take one port off the bridge, assign it some IP address, add it to the LAN interface list and use that for configuration. That was written in a great tutorial that is currently unavailable.
 
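Putting anav's "first make the current LAN a VLAN, then carry on" route and gigabyte091's off-bridge management port together, here is one pasteable sequence against jdub88's posted config. This is an added example, not config from the thread, the linked tutorial or MikroTik. It assumes RouterOS 7 with the wifi (wave2) package as in the posted export, VLAN 10 for the existing LAN and VLAN 20 for the guest SSID, ether5 as the rescue port on 192.168.88.0/24, 10.0.20.0/24 as the guest subnet, a placeholder guest passphrase, and an unmodified default firewall (the `place-before` lookup relies on the defconf rule comment); every ID, address and name is an assumption you should adjust.

```routeros
# --- 0. Rescue port: take ether5 off the bridge and manage the router from it ---
# Plug a laptop into ether5 with a static 192.168.88.2/24 and run the rest from there,
# because steps 1-4 leave the LAN without L3 until vlan-filtering is switched on in step 5.
# Press Ctrl-X in the terminal first (safe mode) so a lost session rolls everything back.
/interface bridge port remove [find interface=ether5]
/ip address add address=192.168.88.1/24 interface=ether5 comment="mgmt port (assumed)"
/interface list member add interface=ether5 list=LAN comment="mgmt port must be LAN for input rules"

# --- 1. Turn the existing flat LAN into VLAN 10 (address, pool and dhcp network stay as they are) ---
/interface vlan add interface=bridge name=HOME_VLAN vlan-id=10
/ip address set [find address="192.168.1.254/24"] interface=HOME_VLAN
/ip dhcp-server set [find name=defconf] interface=HOME_VLAN
# defconf firewall matches in-interface-list=LAN; routed traffic now arrives on HOME_VLAN, not bridge,
# so add it to the list or the input chain drops your own management sessions.
/interface list member add interface=HOME_VLAN list=LAN
# Every remaining bridge port (ether2-4, wifi1-2) becomes an untagged access port in VLAN 10.
# frame-types + ingress-filtering stop a client from injecting 802.1Q tags to hop into another VLAN.
:foreach p in=[/interface bridge port find] do={
    /interface bridge port set $p pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
}
/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge untagged=ether2,ether3,ether4,wifi1,wifi2

# --- 2. Guest SSID on both radios as virtual APs, access ports in VLAN 20 ---
/interface wifi add master-interface=wifi1 name=wifi3 configuration.mode=ap configuration.ssid=GUEST \
    security.authentication-types=wpa2-psk,wpa3-psk security.passphrase="CHANGE-ME-guest-psk" disabled=no
/interface wifi add master-interface=wifi2 name=wifi4 configuration.mode=ap configuration.ssid=GUEST \
    security.authentication-types=wpa2-psk,wpa3-psk security.passphrase="CHANGE-ME-guest-psk" disabled=no
/interface bridge port add bridge=bridge interface=wifi3 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge port add bridge=bridge interface=wifi4 pvid=20 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
/interface bridge vlan add bridge=bridge vlan-ids=20 tagged=bridge untagged=wifi3,wifi4

# --- 3. Guest L3: its own /24, DHCP scope and interface list ---
/interface vlan add interface=bridge name=GUEST_VLAN vlan-id=20
/ip address add address=10.0.20.1/24 interface=GUEST_VLAN
/ip pool add name=GUEST_POOL ranges=10.0.20.10-10.0.20.254
/ip dhcp-server add address-pool=GUEST_POOL interface=GUEST_VLAN name=GUEST_DHCP disabled=no
# Guests resolve through the router itself, so they never need to reach the home LAN's DNS box.
/ip dhcp-server network add address=10.0.20.0/24 gateway=10.0.20.1 dns-server=10.0.20.1
/ip dns set allow-remote-requests=yes
/interface list add name=GUEST
/interface list member add interface=GUEST_VLAN list=GUEST

# --- 4. Firewall: guests get DHCP/DNS from the router and the Internet, nothing else ---
# input: DHCP and DNS only; defconf's final "drop all not coming from LAN" rule catches everything else,
# because GUEST_VLAN is deliberately not a member of the LAN list.
/ip firewall filter add chain=input in-interface-list=GUEST protocol=udp dst-port=53,67 action=accept \
    comment="guest: dhcp+dns to router" place-before=[find comment="defconf: drop all not coming from LAN"]
# forward: no guest -> home LAN or mgmt port. The default chain has no trailing drop, so appending works;
# home-initiated connections into the guest VLAN still get their replies back as established.
/ip firewall filter add chain=forward in-interface-list=GUEST out-interface-list=LAN action=drop \
    comment="guest: no access to home LAN"

# --- 5. Last, and only once everything above is in place: switch the bridge to VLAN mode ---
/interface bridge set bridge vlan-filtering=yes
# Check: /interface bridge vlan print  and  /interface bridge port print
# then from a GUEST client: ping 192.168.1.254 must fail, DNS and Internet via 10.0.20.1 must work.
```

The order matters: with `vlan-filtering=no` the bridge ignores pvid, so moving the address and DHCP server to HOME_VLAN in step 1 silently cuts off every wifi and switch-port client until step 5 runs, which is why the whole thing is done from the rescue port in one paste. Once it works, the old `bridge` entry in the LAN list is harmless but no longer needed, and the same pattern (a vlan interface, a pvid on the access ports, one `/interface bridge vlan` row, an address, a pool and a dhcp-server) repeats for an IoT or camera VLAN.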
jdub88
Frequent Visitor
Topic Author
Posts: 55
Joined: Fri Sep 25, 2020 1:35 pm

Re: Struggling with additional WiFi Subnets

Tue Jan 23, 2024 6:43 pm

That sounds like a nice solution too. Shame it's unavailable but I'll check back to see if it comes back.
 
jdub88
Frequent Visitor
Topic Author
Posts: 55
Joined: Fri Sep 25, 2020 1:35 pm

Re: Struggling with additional WiFi Subnets

Wed Apr 10, 2024 1:23 pm

Coming back to this (as I do from time to time) and I am still struggling since there seems to be so many different suggestions.

If there is one thing I dearly miss about Ubiquiti, it is that I can do exactly what I want here with just a couple of clicks and no risk of downtime.

It would be great to have something in the Mikrotik wiki that strips this use case down to its most simple parts for a single-device config (i.e. no trunking off to other switches etc., just a simple SoHo/single wireless router config), with step-by-step config on creating the VLAN, creating the DHCP scope, and a set of firewall rules, and slotting that on top of an existing config (or guiding how to change the default config to make everything VLANed, or just making the guest wifi Quick Set option a Layer 3 solution vs. simple Layer 2 filtering with isolation).

There are lots of tutorials out there but they are often really old and not for ROSv7.x, or exclusively use winbox.

BTW, is it possible to have DoH server per VLAN?
