Depending on the setup, there are various ways to configure a MikroTik’s WiFi for guest access. In this example, I’ll be using the MikroTik RB951G-2HnD router, which has built-in WiFi, together with MikroTik’s Virtual AP feature to create a second SSID for guest access. Guests connecting to this SSID will have internet access, but more importantly, they will be on a different subnet from devices connected to the private WiFi.
To elaborate, the environment in this example already has WiFi set up for private use. The private WiFi is on the same subnet (192.168.100.0/24) as the private network. We’ll set up internet access for guests via WiFi on a different subnet (10.10.10.0/24), while blocking access to devices on the private network.
Step 01: Create a Virtual AP
Creating a Virtual AP will essentially create the new SSID for the guest network, which will later be assigned to 10.10.10.0/24. The Virtual AP is a network interface that requires a Security Profile, a Virtual AP name, and Wireless settings (SSID, Master Interface, Security Profile assignment).
Step 02: Assign IP to Virtual AP
Step 03: Set Up DHCP for Guest Network
The DHCP setup is straightforward. A DHCP server will need to be assigned to the ap-guest interface, along with an IP scope, IP address space, gateway, IP address pool (IP addresses to give out for guests), DNS servers, and lease time. Note that the IP address pool in this example begins with 10.10.10.2 because 10.10.10.1 has already been assigned to the Virtual AP interface.
Step 04: Set Up NAT Rules
The NAT rule will be your basic masquerade rule to allow connected guests internet access. In this example, I simply used the subnet for the guest network (10.10.10.0/24). However, if you’d like, you can use an Address List to represent the subnet.
Step 05: Set Up Firewall Rules
This firewall rule will only block the guest network from accessing the private network – this is a personal preference. If you’d like, a second rule can be added to block the private network from accessing the guest network. In addition, should you decide to establish bandwidth caps (Queues) for the guest network, ensure that the firewall isn’t using FastPath/FastTrack to route network traffic for the guest network. Queues will ignore all network traffic from devices that are hitting the FastPath/FastTrack firewall/filter rules.
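The five steps above written out as RouterOS terminal commands. This is an added example, not configuration from the original post. It assumes the RouterOS v6 wireless menu and a physical radio named wlan1; apart from ap-guest and the two subnets, every name and value (profile, pool and server names, SSID, passphrase, lease time, DNS server) is a placeholder.

```routeros
# Added example: guest SSID on its own subnet, isolated from 192.168.100.0/24.
# Assumed: physical radio is wlan1; placeholder names and values are marked.

# Step 01: security profile, then the Virtual AP (second SSID on the same radio)
/interface wireless security-profiles
add name=guest-profile mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="CHANGE-ME-guest-passphrase"
/interface wireless
add name=ap-guest master-interface=wlan1 mode=ap-bridge ssid="Guest-WiFi" \
    security-profile=guest-profile disabled=no

# Step 02: the Virtual AP becomes the gateway of the guest subnet
/ip address
add address=10.10.10.1/24 interface=ap-guest

# Step 03: DHCP for guests; the pool starts at .2 because .1 is the Virtual AP
/ip pool
add name=guest-pool ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add name=guest-dhcp interface=ap-guest address-pool=guest-pool lease-time=1h \
    disabled=no
# dns-server is a placeholder: use the resolver guests should be handed
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1

# Step 04: masquerade guest traffic, matched by source subnet as in the text
/ip firewall nat
add chain=srcnat src-address=10.10.10.0/24 action=masquerade comment="guest NAT"

# Step 05: block guest -> private
/ip firewall filter
add chain=forward src-address=10.10.10.0/24 dst-address=192.168.100.0/24 \
    action=drop comment="guest to private: drop"
# Optional second rule mentioned in the text: block private -> guest
add chain=forward src-address=192.168.100.0/24 dst-address=10.10.10.0/24 \
    action=drop comment="private to guest: drop"

# Check rule order and watch the packet counters on the drop rules
/ip firewall filter print stats where chain=forward
```

Rules created with add are appended to the end of the chain, so move the drop rules above any rule that accepts forwarded traffic. They apply to the forward chain only and do not filter guest traffic addressed to the router itself.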