
MIKROTIK: SETUP GUEST (VLAN) WIFI

Networking, Security / September 30, 2018 / By Marthur

It is a common security practice to setup a wireless guest network on a separate VLAN. This allows
for complete isolation of traffic between your private and guest networks. This guide will only be
covering how to implement this particular setup on MikroTik routers with built-in WiFi, such as the
RB951, RB962, etc. Before going forward, I’m assuming that a private wireless network already exists
and is fully functional. In addition, all screenshots and instructions in this guide are done using
MikroTik’s WinBox software.

CREATE THE SECURITY PROFILE AND VIRTUAL AP


In Winbox, select Wireless on the left-hand side and navigate to the Security Profiles tab. Click the +
(plus) button to create a new Security Profile. I’ve disabled WPA PSK, leaving only WPA2 PSK
enabled. Also, ensure that you’ve set a secure/complex password. See screenshot for details:

Afterwards, navigate to the WiFi Interfaces tab and click the + (plus) button and select “Virtual” from
the menu. Under the General tab, set the Name for the Virtual AP, something descriptive, such as
WiFi-Guest. Afterwards, navigate to the Wireless tab and set the SSID, Security Profile, VLAN Mode,
and VLAN ID. The VLAN ID will match the VLAN interface that we will be creating in the next step.
See screenshots for further details:

CREATE THE VLAN INTERFACE

In Winbox, select Interfaces on the left-hand side and navigate to the VLAN tab. Click the + (plus)
button to create a new VLAN interface. The VLAN ID is “10” and the Interface is “WiFi-Guest”,
which are values that were set in the previous step, when creating the Virtual AP. See screenshot for
details:

NOTE: The MikroTik may be using “Interface Lists” (Winbox: Interface > Interface List tab) in some
of the firewall filter rules. If this is the case, you will want to either not use Interface Lists (requires
firewall filter rule modifications) and use just interfaces, or make sure to add the new VLAN interface
for the guest network to the existing LAN Interface List (no firewall filter rule modifications needed).
If the MikroTik is using Interface Lists and you do not add the VLAN interface for the guest network
to the existing LAN interface list, then guests will be able to connect to the network, but will have no
internet access. To be specific, the default MikroTik rule that requires the VLAN for the guest network
to be added to the LAN Interface List is the following:

/ip firewall filter
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

CREATE A NEW BRIDGE

In Winbox, select Bridge on the left-hand side and navigate to the Bridge tab. Click the + (plus) button
to create a new Bridge. Set the bridge Name to “Bridge-VLAN10”. See screenshot for details:

Afterwards, navigate to the Ports tab and click the + (plus) button to add an interface to a bridge. This
step will need to be done twice, once for each interface that is added to Bridge-VLAN10. Add interfaces
“WiFi-Guest” and “VLAN10” to the “Bridge-VLAN10” bridge. See screenshots for further details:

ASSIGN A SUBNET TO THE NEW BRIDGE

In Winbox, select IP on the left-hand side and navigate to Addresses. Click the + (plus) button to create
an Address/Interface assignment. Set Address to “10.10.10.1/24” and Interface to “Bridge-VLAN10”.
See screenshot for details:

CREATE A DHCP SERVER


In Winbox, select IP on the left-hand side and navigate to DHCP Server. Under the DHCP tab, click
the “DHCP Setup” button and finish the wizard to create the DHCP server for the guest WiFi. See
screenshot for details:
CREATE AND PLACE THE FIREWALL FILTER RULES

In Winbox, select IP on the left-hand side and navigate to Firewall. Under the Filter Rules tab, click
the + (plus) button to create a new filter rule. See screenshot below, which shows how to create a
firewall filter rule to block guest VLAN traffic to the private network ONLY. After creating the new
firewall filter rule, place it accordingly in the firewall filter list – order matters. It
is your IT department/provider’s responsibility to test the security between the two separate
networks to ensure that the guest network on VLAN10 (Bridge-VLAN10 interface) cannot
communicate with devices/clients on the private network.

If needed, a second rule can be added to block traffic from the private network to the guest VLAN
network. In order to do this, simply create another rule, but swap the values for the “In. Interface” and
“Out. Interface”. It is up to your IT department/provider’s security policies on how to implement the
firewall filter rule. This example uses the network interfaces that were created on the MikroTik to
separate the two networks, but it can just as easily be done with IP addresses in slash notation (CIDR
notation) if need be. Again, it is up to your IT department/provider.

This entire guide has been GUI based, but I’ve decided to include the following commands below,
which will create both firewall filter rules to block traffic from guest to private and from private to
guest. The entire command can be pasted in the MikroTik terminal. Keep in mind that after the filter
rules are created, they still need to be placed accordingly within the firewall filter rules list.

/ip firewall filter
add action=drop chain=forward disabled=yes in-interface=Bridge out-interface=Bridge-VLAN10
add action=drop chain=forward disabled=yes in-interface=Bridge-VLAN10 out-interface=Bridge
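The whole WinBox procedure above, collected into the RouterOS terminal commands it corresponds to, as an added example that is not part of the original guide and not the author's own commands. Assumptions: the physical radio is wlan1, the private LAN bridge is named Bridge (the name used in the author's firewall rules), and the SSID, security-profile name, DHCP pool range and passphrase placeholder are constructed for this example. The interface-list line reflects the NOTE above; Bridge-VLAN10 is the member added because it is the interface that carries the guest address and DHCP server, so it is the in-interface the default input rule sees. The two drop rules are the author's, here enabled and moved to the top of the filter list rather than left disabled.

```routeros
# Added example, not the guide's own commands. RouterOS v6 syntax for an
# RB951/RB962-class router with built-in WiFi.
# Assumptions: physical radio = wlan1; private bridge = "Bridge" (from the
# page's firewall rules); SSID, profile name and pool range are constructed;
# the passphrase is a placeholder to replace before use.

# 1. Security profile: WPA2-PSK only, AES, WPA PSK left disabled as in the guide
/interface wireless security-profiles
add name=Guest-Profile mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE"

# 2. Virtual AP on the existing radio; guest frames are tagged with VLAN 10
/interface wireless
add name=WiFi-Guest master-interface=wlan1 mode=ap-bridge ssid="Guest-WiFi" \
    security-profile=Guest-Profile vlan-mode=use-tag vlan-id=10 disabled=no

# 3. VLAN interface on the virtual AP, VLAN ID matching the AP setting
/interface vlan
add name=VLAN10 vlan-id=10 interface=WiFi-Guest

# 4. Dedicated guest bridge with both interfaces as ports (done twice in WinBox)
/interface bridge
add name=Bridge-VLAN10
/interface bridge port
add bridge=Bridge-VLAN10 interface=WiFi-Guest
add bridge=Bridge-VLAN10 interface=VLAN10

# 5. Guest subnet assigned to the new bridge
/ip address
add address=10.10.10.1/24 interface=Bridge-VLAN10

# 6. What the "DHCP Setup" wizard produces for the guest bridge (pool constructed)
/ip pool
add name=Guest-Pool ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add name=Guest-DHCP interface=Bridge-VLAN10 address-pool=Guest-Pool disabled=no
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1

# NOTE from the guide: with the default "drop all not coming from LAN" input
# rule present, the guest bridge must be a LAN list member or guests associate
# but get no DHCP/DNS from the router and therefore no internet access.
/interface list member
add list=LAN interface=Bridge-VLAN10

# 7. Isolation rules between the two bridges (the guide's rules, enabled here)
/ip firewall filter
add chain=forward action=drop in-interface=Bridge-VLAN10 out-interface=Bridge \
    comment="Guest: drop guest -> private"
add chain=forward action=drop in-interface=Bridge out-interface=Bridge-VLAN10 \
    comment="Guest: drop private -> guest"
# Order matters: move both drops to the top of the forward chain so no earlier
# accept rule (established/related, fasttrack) lets the traffic through.
/ip firewall filter move [find comment~"^Guest:"] 0
```

After pasting, `/ip firewall filter print` shows the final rule order; the two "Guest:" drops should appear before any accept rule in the forward chain. A quick check from a guest client is that it obtains a 10.10.10.x lease and reaches the internet while a ping to a host on the private subnet times out; from a private client, the guest gateway 10.10.10.1 still answers (it is the router itself, input chain), but guest clients behind it do not.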
