The Book

Mikrotik wireless with dual band / dual SSID / multiple VLANs

The purpose of this example is to explain how to create two SSIDs on a dual band AP with separated traffic, how to transport the separated traffic to another device via VLANs, and finally how to disable traffic between the VLANs while still allowing both of them to access the Internet. We are using two MikroTik devices. The first is a “hEX S” (Router_1), which is connected to the Internet and takes care of the traffic separation; the second is a “cAP ac” (AP_1), acting as a dual band AP with separate private and public SSIDs.

We will assume that you already have Internet access via ether4 on Router_1, whether over ADSL or a leased line.

Configuring Router_1 (hEX S)

router_1.rsc file

1. Create the necessary bridges (bridge_VLAN, bridge_priv_101 and bridge_pub_201).

/interface bridge
add name=bridge_VLAN
add name=bridge_priv_101
add name=bridge_pub_201

2. Create VLAN interfaces on bridge_VLAN

/interface vlan
add interface=bridge_VLAN name=vlan_101 vlan-id=101
add interface=bridge_VLAN name=vlan_201 vlan-id=201

3. Add VLAN interfaces to corresponding bridges

/interface bridge
port add bridge=bridge_priv_101 interface=vlan_101
port add bridge=bridge_pub_201 interface=vlan_201

4. Add trunk port (tagged) to bridge_VLAN

/interface bridge
port add bridge=bridge_VLAN interface=ether2

5. Add access port (untagged) to bridge_priv_101

/interface bridge
port add bridge=bridge_priv_101 interface=ether1

6. Add the necessary IP addresses.

/ip address
add address=10.100.101.254/24 interface=bridge_priv_101
add address=10.100.201.254/24 interface=bridge_pub_201

7. Add DHCP servers to bridge_priv_101 and bridge_pub_201

/ip pool
add name=dhcp_pool101 ranges=10.100.101.1-10.100.101.253
add name=dhcp_pool201 ranges=10.100.201.1-10.100.201.253
/ip dhcp-server network
add address=10.100.101.0/24 dns-server=8.8.8.8 gateway=10.100.101.254
add address=10.100.201.0/24 dns-server=8.8.8.8 gateway=10.100.201.254
# The DHCP server instances themselves, one per bridge; without these the pools
# and network entries above hand out nothing. Server names are assumed.
/ip dhcp-server
add address-pool=dhcp_pool101 disabled=no interface=bridge_priv_101 name=dhcp_priv_101
add address-pool=dhcp_pool201 disabled=no interface=bridge_pub_201 name=dhcp_pub_201

You can also do it by clicking the DHCP Setup button in Winbox (for both IP subnets).

8. Add firewall rule to prohibit public users to access private network.

/ip firewall filter
add action=reject chain=forward dst-address=10.100.101.0/24 reject-with=icmp-admin-prohibited src-address=10.100.201.0/24
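The rule in step 8 works in the forward chain only, so it says nothing about traffic addressed to Router_1 itself (the input chain): a client on the Public SSID can still reach whatever services the router exposes on 10.100.201.254. The following is an added example, not part of the original page, that keeps the page's bridges, subnets and reject action, adds a stateful accept so replies to allowed connections are not caught by the reject, and limits what the public VLAN may ask of the router to DHCP. The comments and the rule order are my assumptions.

```routeros
# Added example, not from the original page. Bridge and subnet names are the
# page's; comments and ordering are assumptions.
/ip firewall filter
# forward chain: let replies to already-accepted connections through, then
# block anything the public subnet starts towards the private one (step 8)
add chain=forward connection-state=established,related action=accept comment="replies to allowed connections"
add chain=forward src-address=10.100.201.0/24 dst-address=10.100.101.0/24 action=reject reject-with=icmp-admin-prohibited comment="public -> private"
# input chain: the public VLAN only needs DHCP from Router_1 (clients are
# handed 8.8.8.8 as DNS by the dhcp-server network entry), everything else
# aimed at the router from that bridge is dropped
add chain=input in-interface=bridge_pub_201 connection-state=established,related action=accept
add chain=input in-interface=bridge_pub_201 protocol=udp dst-port=67 action=accept comment="DHCP from public VLAN"
add chain=input in-interface=bridge_pub_201 action=drop comment="no router services from public VLAN"
```

Filter rules are evaluated top to bottom, so these have to sit above any broad accept rule already present on the router. To confirm the rules are doing what you expect, watch the counters with `/ip firewall filter print stats` while a client on the Public SSID tries to open a connection to 10.100.101.254 and to 10.100.201.254: the reject and drop counters should move, the private network and the router should not answer.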

Configuring AP_1 (hAP ac)

ap_1.rsc file

1. Create the necessary bridges (bridge_VLAN, bridge_priv_101 and bridge_pub_201).

/interface bridge
add name=bridge_VLAN
add name=bridge_priv_101
add name=bridge_pub_201

2. Create VLAN interfaces on bridge_VLAN

/interface vlan
add interface=bridge_VLAN name=vlan_101 vlan-id=101
add interface=bridge_VLAN name=vlan_201 vlan-id=201

3. Add VLAN interfaces to corresponding bridges

/interface bridge port
add bridge=bridge_priv_101 interface=vlan_101
add bridge=bridge_pub_201 interface=vlan_201

4. Add trunk port to bridge_VLAN

/interface bridge port
add bridge=bridge_VLAN interface=ether1

5. Add an access port to bridge_pub_201. This lets you connect a wired device (e.g. a Smart TV) to the AP and restrict it to Internet only.

/interface bridge port
add bridge=bridge_pub_201 interface=ether2

6. Create virtual wireless interfaces and security profiles

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys name=profile_private supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=private_pass wpa2-pre-shared-key=private_pass
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys name=profile_public supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=public_pass wpa2-pre-shared-key=public_pass
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n disabled=no frequency=2437 mode=ap-bridge name=wlan1_Private security-profile=profile_private ssid=Private vlan-id=101
add disabled=no keepalive-frames=disabled master-interface=wlan1_Private multicast-buffering=disabled name=wlan1_Public security-profile=profile_public ssid=Public vlan-id=201 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no frequency=5280 mode=ap-bridge name=wlan2_Private security-profile=profile_private ssid=Private vlan-id=101
add disabled=no keepalive-frames=disabled master-interface=wlan2_Private multicast-buffering=disabled name=wlan2_Public security-profile=profile_public ssid=Public vlan-id=201 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled

7. Add wireless interfaces to corresponding bridges

/interface bridge port
add bridge=bridge_priv_101 interface=wlan1_Private
add bridge=bridge_priv_101 interface=wlan2_Private
add bridge=bridge_pub_201 interface=wlan1_Public
add bridge=bridge_pub_201 interface=wlan2_Public

Now you have an AP with two SSIDs (Private and Public) on both bands (2.4 and 5 GHz). For each of them a separate security profile is created (profile_private and profile_public) in which the authentication passwords are stored (private_pass; public_pass).

Do not forget to change them!!!
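Besides the passwords, the profiles in step 6 accept wpa-psk (WPA1) and the TKIP cipher alongside WPA2/AES-CCM, and WPS is only disabled on the virtual interfaces, not on the two masters. The following is an added example, not code from the original page, that tightens the same two profiles to WPA2 with AES-CCM only, turns WPS off on every radio, and stops public clients on one radio from talking to each other. Profile and interface names are the page's; the passphrase placeholders are mine.

```routeros
# Added example, not from the original page: hardened variants of the page's
# profile_private / profile_public and a few interface settings.
/interface wireless security-profiles
# WPA2-PSK only, AES-CCM only; TKIP and WPA1 are no longer offered to clients
set profile_private authentication-types=wpa2-psk mode=dynamic-keys group-ciphers=aes-ccm unicast-ciphers=aes-ccm wpa2-pre-shared-key=CHANGE_ME_private
set profile_public authentication-types=wpa2-psk mode=dynamic-keys group-ciphers=aes-ccm unicast-ciphers=aes-ccm wpa2-pre-shared-key=CHANGE_ME_public
/interface wireless
# WPS off on the master interfaces as well (the page disables it only on the
# virtual APs)
set [ find name~"_Private" ] wps-mode=disabled
# public clients get Internet but cannot reach each other through the same radio
set [ find name~"_Public" ] default-forwarding=no
```

`default-forwarding=no` only isolates clients associated to the same radio; separating the two public radios and ether2 from each other would need bridge-level filtering, which is not covered here. After the change, `/interface wireless registration-table print` shows which SSID each client joined and `/interface bridge host print` shows on which bridge its MAC address was learned, which is a quick way to confirm that Public clients only ever appear on bridge_pub_201.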

The traffic from both of them is transported through the trunk port to Router_1, where the DHCP server for each subnet is running. Traffic on the private wireless network is bridged to ether1, to which the rest of the wired network is connected. The firewall rule prohibits users connected to the Public SSID from accessing the private network.

networking/mikrotik/wireless_vlan.txt · Last modified: 2020/02/27 06:49 by SysAdmin