I tried setting up a guest network on my MikroTik RB2011UiAS-2HnD-IN but a simple task as it may sound, it is not. My first attempt was to make sure the guest network could not connect to my primary network using vlans but I kept failing at getting this right. Eventually I found a way to do this using bridges. Every port on the MikroTik is by default connected to bridge-local, not only the physical ports on the router but also your default wlan device (wlan1).
First off I started adding a new bridge for my guest network, aptly named “bridge-guest”;
/interface bridge add name=bridge-guest
Once your new bridge is created you have to define a new VirtualAP, create a security profile for it and attach it to your new guest bridge.
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=guest wpa2-pre-shared-key=somepassphrase /interface wireless add disabled=no l2mtu=2290 mac-address=D6:CA:6D:8E:45:18 master-interface=wlan1 name=wlan2 security-profile=guest ssid="My Guest SSID" wds-default-bridge=bridge-guest /interface bridge port add bridge=bridge-guest interface=wlan2
After that we’re going to setup another dhcp-server which will be handing out ip-addresses to devices connected to the guest bridge. As my primary network is using 10.0.0.0/24 I chose 172.16.0.0/24 for my guest network;
/ip address add address=172.16.0.1/24 interface=bridge-guest network=172.16.0.0 /ip pool add name=guest ranges=172.16.0.100-172.16.0.254 /ip dhcp-server add address-pool=guest disabled=no interface=bridge-guest name=guest /ip dhcp-server network add address=172.16.0.0/24 dns-server=172.16.0.1 gateway=172.16.0.1
Your guest network will be active now, however, devices connected to it yet can’t connect to the internet and they can still connect to devices on you other bridges. The MikroTik will simply route your traffic to the other bridge and 172.x devices can connect to 10.x devices without any problems.
First, making a nat rule for routing traffic to the internet.
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1-gateway src-address=172.16.0.0/24
Keep in mind that there is a default masquerade rule for src-address=0.0.0.0/0, I had already changed this to src-address=10.0.0.0/24. If the rule for 0.0.0.0/0 is already in place, you do not have to add this.
And last but not least make sure the guest network cannot connect to your bridge-local;
/ip firewall filter add action=drop chain=forward in-interface=bridge-guest out-interface=!ether1-gateway
What this rule essentially does is just simply drop all traffic coming from bridge-guest, NOT going to ether1-gateway.
Now, I’m not saying this is necessarily the best way to do this, it is however one that works.