Depending on the setup, there are various ways to configure a MikroTik’s Wi-Fi for guest access. In this example, I will be using the MikroTik hAP ac2 router, which has built-in Wi-Fi. I will be using MikroTik’s Virtual AP feature to create a second SSID for guest access.
Guests connection to this SSID will have internet access, but more importantly, guests on the Wi-Fi network will be connected to a separate subnet that those who are connected to the private Wi-Fi.
To further elaborate, the environment in this example alreary has Wi-Fi setup for private use www.kuro-kainos.lt (2) and www.kuro-kainos.lt (5).
The private Wi-Fi is on the same subnet (192.168.88.0/24) as the private network. In additional we will set up internet access for guests via Wi-Fi on a different subnet (10.10.10.0/24), while blocking access to devices on the private network.
Step 1: Create a virtual AP
Creating a Virtual AP will essentially create the new SSID for the guest network, which will later be assigned to 10.10.10.0/24. The Virtual AP is a network interface that will require the configuration of a Security Profile, Virtual AP name, and Wireless settings (SSID, Master Interface, Security Profile assignment).
Step 2: Assign IP to virtual AP
Step 3: Setup DHCP for guest network
The DHCP setup is straightforward. A DHCP server will need to be assigned to the ap-guest interface, along with an IP scope, IP address space, gateway, IP address pool (IP addresses to give out for guests), DNS servers, and lease time. Note that the IP address pool in this example begins with 10.10.10.2, that’s because 10.10.10.1 has already been assigned to the Virtual AP interface.
Step 4: Setup NAT rules
The NAT rule will be your basic masquerade rule to allow connected guests internet access. In this example, I simply used the subnet for the guest network (10.10.10.0/24). However, if you’d like, you can use an Address List to represent the subnet.
Step 5: Setup firewall rules
This firewall rule will block the guest network from accessing the private network. Second rule will block the private network from accessing the guest network.