Channel: MikroTik

Beginner Basics • secure guest network

Hey guys,

I want to configure a guest network. Currently I have a production network with a DNS and a DHCP server. I bought 3 cAP ax and am using them just fine as APs. Now I wanted to configure a guest network for people to have only an internet connection. I want both networks to be separated from each other. I read a few possibilities for how to do it, but I don't know what's the safest/easiest to do. The first is a network separated with VLANs. I really don't like VLANs and I'm not using them in my production network, so I think it's not the best way to do it. The other ways were with different bridges and through WireGuard to the firewall. I'm new to configuring networks, so I'd be happy for suggestions or even guides on how to do it the best way possible. Thanks.

Here is my config of AP1 (I changed the passwords and names):
Code:
# 2024-03-20 14:10:05 by RouterOS 7.14.1
# software id = V4QI-Z9T8
#
# model = cAPGi-5HaxD2HaxD
/interface bridge
add admin-mac=78:9A:18:F5:69:B3 auto-mac=no comment=defconf name=lan_bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi configuration
add country=Germany disabled=no mode=ap name=cfg1 \
    security.authentication-types=wpa2-psk,wpa3-psk .encryption="" ssid=\
    Wifiname1
/interface wifi
add configuration=cfg1 configuration.mode=ap disabled=no name=cap-wifi1 \
    radio-mac=MACADDRESS
add configuration=cfg1 configuration.mode=ap disabled=no name=cap-wifi2 \
    radio-mac=MACADDRESS
add configuration=cfg1 configuration.mode=ap disabled=no name=cap-wifi3 \
    radio-mac=MACADDRESS
add configuration=cfg1 configuration.mode=ap disabled=no name=cap-wifi4 \
    radio-mac=MACADDRESS
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration=cfg1 configuration.mode=ap disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration=cfg1 configuration.mode=ap disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk .ft=yes .ft-over-ds=yes
/interface bridge port
add bridge=lan_bridge comment=defconf interface=ether2
add bridge=lan_bridge comment=defconf interface=wifi1
add bridge=lan_bridge comment=defconf interface=wifi2
add bridge=lan_bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    all wan-interface-list=all
/interface list member
add comment=defconf interface=lan_bridge list=LAN
add interface=ether1 list=LAN
/interface wifi cap
set discovery-interfaces=all
/interface wifi capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=\
    none
/ip dhcp-client
add comment=defconf interface=lan_bridge
/ip dns
set allow-remote-requests=yes
/ip dns static
add address= comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=E22AP1
/system note
set show-at-login=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Statistics: Posted by zippogo — Wed Mar 20, 2024 3:53 pm
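One way to build the separated guest network the post asks about, as an added example that is not part of the original post and not MikroTik's own documentation. It keeps the production network untagged exactly as it is today and tags only the guest SSID into VLAN 20, so the AP config above needs only additions. Everything named here is an assumption: the configuration name cfg-guest, the virtual AP names wifi1-guest/wifi2-guest, VLAN 20, the 10.20.0.0/24 range, the GUEST interface list, a router whose AP-facing port ether2 sits in a bridge called "bridge", and the default-config firewall comments that the place-before lookups rely on. It covers the two local radios (wifi1, wifi2) of a cAP ax; the CAPsMAN-managed cap-wifi1..4 radios in the posted config are not handled here.

```routeros
# --- Part 1: on each cAP ax (local radios wifi1 and wifi2) ---
# Enter safe mode (Ctrl+X in the terminal) before enabling vlan-filtering:
# if a mistake drops the management session the change is rolled back.

# Second SSID for guests. client-isolation stops guests reaching each other
# through the AP. SSID and passphrase are placeholders.
/interface wifi configuration
add name=cfg-guest mode=ap country=Germany ssid=GuestWifi disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk \
    security.passphrase=ChangeMeGuestPass datapath.client-isolation=yes

# One virtual AP per radio, bound to the guest configuration.
/interface wifi
add master-interface=wifi1 name=wifi1-guest configuration=cfg-guest disabled=no
add master-interface=wifi2 name=wifi2-guest configuration=cfg-guest disabled=no

# Guest virtual APs join the existing bridge as access ports for VLAN 20.
# The production SSIDs and ether ports keep pvid 1 (untagged), so the
# production network is unchanged; only guest frames leave ether1 tagged.
/interface bridge port
add bridge=lan_bridge interface=wifi1-guest pvid=20
add bridge=lan_bridge interface=wifi2-guest pvid=20
/interface bridge vlan
add bridge=lan_bridge vlan-ids=20 tagged=ether1 untagged=wifi1-guest,wifi2-guest
/interface bridge
set lan_bridge vlan-filtering=yes
# Do NOT add wifi1-guest/wifi2-guest to the LAN interface list: the default
# input rule "drop all not coming from LAN" then keeps guests away from the
# AP's own management plane (WinBox, SSH, MAC server).

# --- Part 2: on the router that does DHCP, DNS and NAT (assumed layout) ---
# VLAN 20 must reach the router CPU, so the bridge itself is a tagged member.
/interface bridge vlan
add bridge=bridge vlan-ids=20 tagged=bridge,ether2
/interface bridge
set bridge vlan-filtering=yes
/interface vlan
add name=vlan20-guest interface=bridge vlan-id=20
/interface list
add name=GUEST
/interface list member
add interface=vlan20-guest list=GUEST
/ip address
add address=10.20.0.1/24 interface=vlan20-guest
/ip pool
add name=guest-pool ranges=10.20.0.100-10.20.0.200
/ip dhcp-server
add name=guest-dhcp interface=vlan20-guest address-pool=guest-pool lease-time=1h
/ip dhcp-server network
add address=10.20.0.0/24 gateway=10.20.0.1 dns-server=10.20.0.1

# Firewall: guests get DHCP and DNS from the router and nothing else on it,
# and may only be forwarded towards WAN. The rules are inserted ahead of the
# default rules they must precede (the existing masquerade rule covers NAT).
/ip firewall filter
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=67 \
    comment="guest: DHCP" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept in-interface-list=GUEST protocol=udp dst-port=53 \
    comment="guest: DNS udp" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=input action=accept in-interface-list=GUEST protocol=tcp dst-port=53 \
    comment="guest: DNS tcp" \
    place-before=[find comment="defconf: drop all not coming from LAN"]
add chain=forward action=drop in-interface-list=GUEST out-interface-list=!WAN \
    comment="guest: internet only, never towards the production LAN" \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"]
```

Two checks worth running afterwards: from a guest client, `ping` and `nmap` against a production host and the AP's own address must fail while public DNS and web traffic work; and on each AP, `/interface bridge vlan print` should show VLAN 20 with ether1 tagged and the two guest interfaces untagged, and nothing else. Guest traffic is enforced only at the router, so if the router also runs IPv6 the same three input accepts and the forward drop are needed in `/ipv6 firewall filter` too; otherwise guests could reach production hosts over IPv6.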


