Tag Archives: wifi

Mikrotik RB4011 Vlan Guest Wifi (IOT) devices

See inline comments:

# Add vlan bridge
/interface bridge
add name=bridge_vlan5

# add security profile for wifi
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=iot supplicant-identity=""

# add virtual wifi to 2.4G and 5G APs
/interface wireless
set [ find default-name=wlan2 ] band=2ghz-g/n country=netherlands disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge security-profile=xxxxxxxxxxx ssid=MYSSID station-roaming=enabled wireless-protocol=802.11 wps-mode=\
    disabled
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40mhz-Ce country=netherlands disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge name=wlan5 security-profile=xxxxxxxxxxxxx skip-dfs-channels=all ssid=\
    MYSSID station-roaming=enabled wireless-protocol=802.11 wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:48:A4:69 master-interface=wlan2 multicast-buffering=disabled name=wlan_iot2 security-profile=iot ssid=IOT vlan-id=5 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:80:CE:1D master-interface=wlan5 multicast-buffering=disabled name=wlan_iot5 security-profile=iot ssid=IOT vlan-id=5 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled

# Add vlans to virtual Wifi
/interface vlan
add interface=wlan_iot2 name=vlan5_iot-2 vlan-id=5
add interface=wlan_iot5 name=vlan5_iot-5 vlan-id=5

# add ip range for dhcp
/ip pool
add name=dhcp_pool5_iot ranges=10.5.0.2-10.5.0.200

# add dhcp server with above range
/ip dhcp-server
add address-pool=dhcp_pool5_iot interface=bridge_vlan5 name=dhcpiot

# add vlans and interfaces to vlan  bridge
/interface bridge port
add bridge=bridge interface=wlan_iot2
add bridge=bridge interface=wlan_iot5
add bridge=bridge_vlan5 interface=vlan5_iot-5
add bridge=bridge_vlan5 interface=vlan5_iot-2

# add vlan to existing bridge (Not really needed) is for inter vlan traffic
/interface bridge vlan
add bridge=bridge_vlan5 vlan-ids=5

# add interfaces to LAN list (firewall needs this)
/interface list member
add interface=vlan5_iot-2 list=LAN
add interface=bridge_vlan5 list=LAN
add interface=vlan5_iot-5 list=LAN

# Add gateway/dhcpserver ip address
/ip address
add address=10.5.0.254/24 comment="IOT (vlan5)" interface=bridge_vlan5 network=10.5.0.0

# dhcp server network
/ip dhcp-server network
add address=10.5.0.0/24 dns-server=1.1.1.1 gateway=10.5.0.254 netmask=24

# generic NAT rule
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

Mikrotik todo

My work document for my Mikrotiks
(Also for my friend Vincent, with a similar setup.)

I’m going to collect information on this page for below changes.

WIFI

  • Access list connections only
  • Default forward – only certain clients
  • Guest network – better setup.
    I’ve got a folkband guest network right now and
    a captive portal AP on my internet router. (Outside my network)
    This is for colleagues of Coline.
  • Vlan for certain clients

Zerotier

  • Network routing
  • Security

IOT

Move all clients to own vlan
New or better VLAN setup

  • Redo Guest network
  • IOT Vlan
  • Manage Vlan better setup
  • Lab – a redo because of changes in DMZ

Info

YT : https://www.youtube.com/watch?v=Hqu8JlieSq4

Mikrotik

Switches and access-points

Today i got my RB4011 ! Wooot!

Total tally

  • MikroTik CRS305-1G-4S+IN – Lab
  • MikroTik RB2011UiAS-RM – Office
  • MikroTik hAP AC2 – Studio
  • MikroTik CRS109-8G-1S-2HnD-IN – Attic
  • MikroTik RB4011iGS+5HacQ2HnD-IN – Livingroom
  • NEW (2022-04-02) crs125-24g-1s-in (2022-04-02)

To replace .. 4 SLM2008 and a TPLink switch 🙂

How much fun is this! .. A display on a switch!

I’ll be posting something about connecting an arduino to the serial console using a tcp server later.

Mikrotiks are all you can eat .. And there is a lot of functionality. One of the main features (besides being switches and routers)

  • Openvpn server
  • DIY display connect
  • Proxy
  • Today Vincent mentioned Mqtt plugin (2022-apr-6)
  • https://help.mikrotik.com/docs/display/ROS/Packet+Sniffer sounds interesting also

Installing extra packages

  • Download correct package zip from ( https://mikrotik.com/download )
  • Extract and use file upload
  • Reboot your mikrotik

Mikrotik Guest Network

I’ve got several AccessPoints in my network.
Using a roaming setup, clients can connect to strongest AP.

For our Folkband i’ve setup same.
With the exception of those clients only being able to connect to the Internet, and not the rest of my Network

  • Virtual Access Point
  • Own subnet
  • dhcp server only for this access point
  • NAT and Firewall rules for access limitation
/interface bridge 
add name=bridgeguest
/interface wireless security-profiles 
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=guest supplicant-identity=MikroTikHAP wpa2-pre-shared-key=guestkey
/interface wireless
add disabled=no mac-address=MACADDRESS master-interface=wlan1 name=guest security-profile=guest ssid=guest station-roaming=enabled wds-default-bridge=bridge wps-mode=disabled
/ip pool
add name=guest ranges=10.5.0.2-10.5.0.250
/ip dhcp-server
add address-pool=guest disabled=no interface=bridgeguest name=dhcpserverguest
/interface bridge port
add bridge=bridgenb interface=guest
/ip address
add address=10.1.0.5/24 comment=defconf interface=ether2 network=10.1.0.0
add address=10.5.0.1/24 interface=bridgeguest network=10.5.0.0
/ip dhcp-client
/ip dhcp-server network
add address=10.5.0.0/24 dns-server=1.1.1.1 gateway=10.5.0.1
/ip dns static
add address=10.1.0.5 name=router.lan type=A
/ip firewall filter
add action=drop chain=input dst-address=10.1.0.5 dst-port=22,80,443,8291,21,23 protocol=tcp src-address=10.5.0.1-10.5.0.254
add action=drop chain=input dst-address=MYNETWORKSHERE/16 src-address=10.5.0.2-10.5.0.250
add action=drop chain=forward dst-address=MYNETWORKSHERE/16 src-address=10.5.0.2-10.5.0.250
add action=drop chain=forward dst-address=MYNETWORKSHERE/16 src-address=10.5.0.2-10.5.0.250
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat src-address=10.5.0.0/24