I tried setting up a guest network on my MikroTik RB2011UiAS-2HnD-IN but a simple task as it may sound, it is not. My first attempt was to make sure the guest network could not connect to my primary network using vlans but I kept failing at getting this right. Eventually I found a way to do this using bridges. Every port on the MikroTik is by default connected to bridge-local, not only the physical ports on the router but also your default wlan device (wlan1).

First off I started adding a new bridge for my guest network, aptly named “bridge-guest”;

/interface bridge
add name=bridge-guest

Once your new bridge is created you have to define a new VirtualAP, create a security profile for it and attach it to your new guest bridge.

/interface wireless security-profiles
add authentication-types=wpa2-psk mode=dynamic-keys name=guest wpa2-pre-shared-key=somepassphrase

/interface wireless
add disabled=no l2mtu=2290 mac-address=D6:CA:6D:8E:45:18 master-interface=wlan1 name=wlan2 security-profile=guest ssid="My Guest SSID" wds-default-bridge=bridge-guest

/interface bridge port
add bridge=bridge-guest interface=wlan2

After that we’re going to setup another dhcp-server which will be handing out ip-addresses to devices connected to the guest bridge. As my primary network is using I chose for my guest network;

/ip address
add address= interface=bridge-guest network=
/ip pool
add name=guest ranges=
/ip dhcp-server
add address-pool=guest disabled=no interface=bridge-guest name=guest
/ip dhcp-server network
add address= dns-server= gateway=

Your guest network will be active now, however, devices connected to it yet can’t connect to the internet and they can still connect to devices on you other bridges. The MikroTik will simply route your traffic to the other bridge and 172.x devices can connect to 10.x devices without any problems.

First, making a nat rule for routing traffic to the internet.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway src-address=

Keep in mind that there is a default masquerade rule for src-address=, I had already changed this to src-address= If the rule for is already in place, you do not have to add this.

And last but not least make sure the guest network cannot connect to your bridge-local;

/ip firewall filter
add action=drop chain=forward in-interface=bridge-guest out-interface=!ether1-gateway

What this rule essentially does is just simply drop all traffic coming from bridge-guest, NOT going to ether1-gateway.

Now, I’m not saying this is necessarily the best way to do this, it is however one that works.

MikroTik wireless guest network