The purpose of this example is to explain how to create dual SSIDs on a dual band AP with separated traffic, how to transport the separated traffic to another device via VLANs, and finally how to disable traffic between the VLANs while allowing both of them to access the Internet. We are using two MikroTik devices. The first is a “hEX S” (Router_1), which is connected to the Internet and takes care of the traffic separation; the second is a “cAP ac” (AP_1), acting as a dual band AP with separated private and public SSIDs.
We will assume that you already have access to the Internet via ether4 on Router_1, whether using ADSL or a leased line.
Configuration of Router_1 (hEX S):
1. Create the necessary bridges (bridge_VLAN, bridge_priv_101 and bridge_pub_201).
/interface bridge
add name=bridge_VLAN
add name=bridge_priv_101
add name=bridge_pub_201
2. Create VLAN interfaces on bridge_VLAN.
/interface vlan
add interface=bridge_VLAN name=vlan_101 vlan-id=101
add interface=bridge_VLAN name=vlan_201 vlan-id=201
3. Add the VLAN interfaces to their corresponding bridges.
/interface bridge port
add bridge=bridge_priv_101 interface=vlan_101
add bridge=bridge_pub_201 interface=vlan_201
4. Add the trunk port (tagged) to bridge_VLAN.
/interface bridge port
add bridge=bridge_VLAN interface=ether2
5. Add the access port (untagged) to bridge_priv_101.
/interface bridge port
add bridge=bridge_priv_101 interface=ether1
6. Add the necessary IP addresses.
/ip address
add address=10.100.101.254/24 interface=bridge_priv_101
add address=10.100.201.254/24 interface=bridge_pub_201
7. Add DHCP servers to bridge_priv_101 and bridge_pub_201.
/ip pool
add name=dhcp_pool101 ranges=10.100.101.1-10.100.101.253
add name=dhcp_pool201 ranges=10.100.201.1-10.100.201.253
/ip dhcp-server network
add address=10.100.101.0/24 dns-server=8.8.8.8 gateway=10.100.101.254
add address=10.100.201.0/24 dns-server=8.8.8.8 gateway=10.100.201.254
# DHCP server instances that hand out each pool on its bridge (missing from the original listing)
/ip dhcp-server
add address-pool=dhcp_pool101 disabled=no interface=bridge_priv_101 name=dhcp_priv_101
add address-pool=dhcp_pool201 disabled=no interface=bridge_pub_201 name=dhcp_pub_201
You can also do this by clicking the DHCP Setup button in Winbox (once for each IP subnet).
8. Add a firewall rule that prohibits public users from accessing the private network.
/ip firewall filter
add action=reject chain=forward dst-address=10.100.101.0/24 reject-with=icmp-admin-prohibited src-address=10.100.201.0/24
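As an added sanity check that is not part of the original example, the script below parses the Router_1 commands above (re-typed here in RouterOS export layout as a constructed sample) and verifies two things a reviewer would want confirmed before trusting the setup: that an active forward-chain rule really blocks public-to-private traffic, and that each DHCP pool stays inside its declared network without overlapping the gateway address. The function names and the export-parsing approach are my own assumptions, not RouterOS tooling.

```python
import ipaddress
import shlex

# Constructed sample: the Router_1 pool, DHCP-network and firewall commands
# from this page, laid out the way "/export" prints them.
ROUTER_1_EXPORT = """
/ip pool
add name=dhcp_pool101 ranges=10.100.101.1-10.100.101.253
add name=dhcp_pool201 ranges=10.100.201.1-10.100.201.253
/ip dhcp-server network
add address=10.100.101.0/24 dns-server=8.8.8.8 gateway=10.100.101.254
add address=10.100.201.0/24 dns-server=8.8.8.8 gateway=10.100.201.254
/ip firewall filter
add action=reject chain=forward dst-address=10.100.101.0/24 reject-with=icmp-admin-prohibited src-address=10.100.201.0/24
"""

def parse_export(text):
    """Return (menu path, properties) for every 'add' line of an export."""
    path, entries = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            path = line                      # a menu line such as /ip pool
        elif line.startswith("add "):
            # shlex handles quoted values such as eap-methods=""
            props = dict(w.split("=", 1) for w in shlex.split(line)[1:] if "=" in w)
            entries.append((path, props))
    return entries

def section(entries, path):
    return [p for menu, p in entries if menu == path]

def public_to_private_blocked(entries, public_net, private_net):
    """True when an enabled forward-chain rule drops or rejects public -> private."""
    return any(r.get("chain") == "forward" and r.get("action") in ("drop", "reject")
               and r.get("disabled") != "yes" and r.get("src-address") == public_net
               and r.get("dst-address") == private_net
               for r in section(entries, "/ip firewall filter"))

def pools_outside_networks(entries):
    """Names of pools whose range leaves its DHCP network or includes the gateway."""
    nets = {ipaddress.ip_network(n["address"]): ipaddress.ip_address(n["gateway"])
            for n in section(entries, "/ip dhcp-server network")}
    def ok(ranges):
        lo, hi = (ipaddress.ip_address(x) for x in ranges.split("-"))
        return any(lo in net and hi in net and not lo <= gw <= hi for net, gw in nets.items())
    return [p["name"] for p in section(entries, "/ip pool") if not ok(p["ranges"])]
```

Note that the rule only covers the forward chain, so the check says nothing about public clients reaching the router's own addresses; that is a separate input-chain question.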
Configuration of AP_1 (cAP ac):
1. Create the necessary bridges (bridge_VLAN, bridge_priv_101 and bridge_pub_201).
/interface bridge
add name=bridge_VLAN
add name=bridge_priv_101
add name=bridge_pub_201
2. Create VLAN interfaces on bridge_VLAN.
/interface vlan
add interface=bridge_VLAN name=vlan_101 vlan-id=101
add interface=bridge_VLAN name=vlan_201 vlan-id=201
3. Add the VLAN interfaces to their corresponding bridges.
/interface bridge port
add bridge=bridge_priv_101 interface=vlan_101
add bridge=bridge_pub_201 interface=vlan_201
4. Add the trunk port to bridge_VLAN.
/interface bridge port
add bridge=bridge_VLAN interface=ether1
5. Add an access port to bridge_pub_201. This allows a wired device (e.g. a Smart TV) to be connected to the AP while being restricted to the Internet only.
/interface bridge port
add bridge=bridge_pub_201 interface=ether2
6. Create the security profiles and the virtual wireless interfaces.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# aes-ccm is the WPA2 cipher; tkip is the legacy WPA cipher and is kept here only for old clients
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys name=profile_private supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=private_pass wpa2-pre-shared-key=private_pass
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm mode=dynamic-keys name=profile_public supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=public_pass wpa2-pre-shared-key=public_pass
/interface wireless
# 2.4 GHz: physical interface carries the Private SSID, a virtual AP on top of it carries the Public SSID
set [ find default-name=wlan1 ] band=2ghz-g/n disabled=no frequency=2437 mode=ap-bridge name=wlan1_Private security-profile=profile_private ssid=Private vlan-id=101
add disabled=no keepalive-frames=disabled master-interface=wlan1_Private multicast-buffering=disabled name=wlan1_Public security-profile=profile_public ssid=Public vlan-id=201 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
# 5 GHz: the same layout on the second radio
set [ find default-name=wlan2 ] band=5ghz-a/n/ac disabled=no frequency=5280 mode=ap-bridge name=wlan2_Private security-profile=profile_private ssid=Private vlan-id=101
add disabled=no keepalive-frames=disabled master-interface=wlan2_Private multicast-buffering=disabled name=wlan2_Public security-profile=profile_public ssid=Public vlan-id=201 wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
7. Add the wireless interfaces to their corresponding bridges.
/interface bridge port
add bridge=bridge_priv_101 interface=wlan1_Private
add bridge=bridge_priv_101 interface=wlan2_Private
add bridge=bridge_pub_201 interface=wlan1_Public
add bridge=bridge_pub_201 interface=wlan2_Public
Now you have an AP with two SSIDs (Private and Public) on both bands (2.4 and 5 GHz). For each of them a separate security profile is created (profile_private and profile_public), in which the authentication passwords are stored (private_pass; public_pass).
Do not forget to change them!!!
The traffic from both of them is transported through the trunk port to Router_1, where the DHCP server for each subnet is running. Traffic on the private wireless is bridged to ether1 of Router_1, to which the rest of the wired network is connected. The firewall rule prohibits users connected to the Public SSID from accessing the private network.