Mikrotik Guest Network

Last Updated or created 2022-04-01

I’ve got several access points in my network.
With a roaming setup, clients can connect to the strongest AP.

For our folk band I’ve set up the same thing,
except that those clients can only reach the Internet and not the rest of my network.

  • Virtual Access Point
  • Own subnet
  • dhcp server only for this access point
  • NAT and Firewall rules for access limitation
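# Guest network: a virtual access point on its own bridge and subnet
# (10.5.0.0/24) with a dedicated DHCP server. Firewall rules keep guest
# clients away from the router's management services and the internal networks.
/interface bridge 
add name=bridgeguest
/interface wireless security-profiles 
# "guestkey" is a placeholder. Set a long, unique passphrase and change it
# once it has been handed out widely.
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=guest supplicant-identity=MikroTikHAP wpa2-pre-shared-key=guestkey
/interface wireless
# Virtual AP on top of wlan1. MACADDRESS is a placeholder for its MAC address.
add disabled=no mac-address=MACADDRESS master-interface=wlan1 name=guest security-profile=guest ssid=guest station-roaming=enabled wds-default-bridge=bridge wps-mode=disabled
/ip pool
add name=guest ranges=10.5.0.2-10.5.0.250
/ip dhcp-server
add address-pool=guest disabled=no interface=bridgeguest name=dhcpserverguest
/interface bridge port
# The guest AP must be a port of bridgeguest, the bridge that carries
# 10.5.0.1/24 and the guest DHCP server. The original listing used
# bridge=bridgenb, which is not defined anywhere on this page. Attaching the
# guest AP to a different bridge would place guests in that bridge's layer-2
# segment, where the layer-3 rules below do not separate them from its hosts.
add bridge=bridgeguest interface=guest
/ip address
add address=10.1.0.5/24 comment=defconf interface=ether2 network=10.1.0.0
add address=10.5.0.1/24 interface=bridgeguest network=10.5.0.0
/ip dhcp-client
/ip dhcp-server network
# Guests get a public resolver, so they do not need DNS service from the router.
add address=10.5.0.0/24 dns-server=1.1.1.1 gateway=10.5.0.1
/ip dns static
add address=10.1.0.5 name=router.lan type=A
/ip firewall filter
# "add" appends to the existing rule list and rules are evaluated in order.
# Check with "/ip firewall filter print" that no earlier accept rule matches
# new connections from the guest bridge before these drops are reached.
#
# Guest traffic is matched by ingress interface rather than by source range.
# The original rules matched src-address=10.5.0.2-10.5.0.250 (the DHCP pool),
# which leaves out the rest of the /24: a client with a manually configured
# address outside the pool would not have been covered.
#
# Management ports are dropped without a dst-address so that the rule covers
# every address of the router, including the guest gateway 10.5.0.1. The
# original rule only protected 10.1.0.5.
add action=drop chain=input dst-port=22,80,443,8291,21,23 in-interface=bridgeguest protocol=tcp
# MYNETWORKSHERE/16 is a placeholder for the internal network(s). Add one
# input/forward pair per internal prefix that guests must not reach.
add action=drop chain=input dst-address=MYNETWORKSHERE/16 in-interface=bridgeguest
# The original listing contained this forward rule twice; one copy is enough.
add action=drop chain=forward dst-address=MYNETWORKSHERE/16 in-interface=bridgeguest
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# NAT rules are first-match. Guest traffic leaving through the WAN list is
# already handled by the masquerade rule above, so this accept only applies
# to guest traffic leaving through other interfaces, where it is left untranslated.
add action=accept chain=srcnat src-address=10.5.0.0/24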