In this guide I will explain one way to set up a guest network using a bridge and VLANs on MikroTik RouterOS. I'll be using a hAP running v6.45.9.
This guide assumes you already have basic configuration knowledge, as we will not be covering topics such as NAT, DNS, Wi-Fi adapter settings, basic firewall rules or breakout interfaces. It also assumes that a basic LAN network and bridge already exist; the default out-of-the-box MikroTik config works fine for this.
After setting up a guest network on a VLAN you will be able to control all kinds of parameters very easily, such as the upload and download speed guests get, and to segregate guest devices from your main network. You will also be splitting the network into separate broadcast domains with a layer 3 boundary between them, which helps performance when many devices are present.
To start, make sure VLAN filtering is not currently enabled on your LAN bridge (the bridge is called LAN_BRIDGE throughout this guide):
interface bridge set numbers=LAN_BRIDGE vlan-filtering=no
Now that's done, let's create our guest network. First we need to create a VLAN interface with ID 20 (or whatever ID you like) as a child interface of the LAN bridge:
interface vlan add vlan-id=20 interface=LAN_BRIDGE name=GUEST_VLAN comment=VLAN_ID_20
Just like we assigned an IP range to the bridge interface for internal LAN devices, we do the same for the VLAN interface, using a different subnet (the internal LAN is 10.0.0.0/24 in this guide):
ip address add address=10.0.1.1/24 interface=GUEST_VLAN
We also need a DHCP server to hand out IPs and network info to the guest devices. The setup wizard walks through it:
ip dhcp-server setup
Select interface to run DHCP server on
dhcp server interface: GUEST_VLAN
Select network for DHCP addresses
dhcp address space: 10.0.1.0/24
Select gateway for given network
gateway for dhcp network: 10.0.1.1
Select pool of ip addresses given out by DHCP server
addresses to give out: 10.0.1.2-10.0.1.254
Select DNS servers
dns servers: 1.1.1.1
Select lease time
lease time: 10m
Depending on the type of network setup you want, you can have guests connecting via Wi-Fi or ethernet, or both. I’m going to show you the steps to do both, but feel free to skip whichever part you don’t need.
Let's start with setting up a Wi-Fi network that puts connected devices onto the guest VLAN. These settings are not universal; the type of equipment you have will dictate what to use. If you're using a hAP, or something similar with the wireless interfaces built in, follow along. If you are using a router that doesn't have any wireless interfaces built in, and are relying on wireless access points, the following settings will need to be done on them (tutorial for Unifi integration coming soon). To begin we first create a security profile, a.k.a. a Wi-Fi password for the guests. The wpa2-pre-shared-key is the password; the 12345678 below is only a placeholder, so replace it with a proper passphrase (a short numeric key like that can be brute-forced offline from a single captured WPA2 handshake):
interface wireless security-profiles add name=GUEST_PSWD mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=12345678 comment=Guest_Wifi_Password
Or if you don't want a password, you can set the mode to "none". Bear in mind that on an open network guest traffic is sent in the clear and anyone in range can join:
interface wireless security-profiles add name=GUEST_PSWD mode=none comment=Guest_Wifi_Password
Next we'll create the Wi-Fi SSID that the guests connect to. To do this we need to create a new virtual wireless interface. A virtual wireless interface has to be created as a child interface, with the parent being one of the hardware interfaces. This means that the virtual interface shares the same properties as the physical interface it is attached to, so things like channel and TX power are inherited.
Note that your wireless interface name might not be "wlan1" as in my example below, and depending on the hardware there might be more than one, especially on a dual-band device. To find out, run this in your terminal:
interface wireless print
Once you know which interface you’re creating a virtual interface from you can go ahead and create the virtual WLAN:
interface wireless add master-interface=wlan1 ssid=Guest mode=ap-bridge security-profile=GUEST_PSWD name=GUEST_WLAN wps-mode=disabled disabled=no
Place the virtual wireless interface into the LAN bridge as an access port for VLAN 20. The pvid=20 assigns untagged frames arriving from guests to VLAN 20, and ingress-filtering=yes with frame-types=admit-only-untagged-and-priority-tagged drops any frame a guest sends that already carries a VLAN tag, so a guest cannot tag its own traffic into another VLAN:
interface bridge port add interface=GUEST_WLAN bridge=LAN_BRIDGE pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
We now need to set up the bridge VLAN table on our LAN bridge so that VLAN 20 traffic gets to where it's meant to go:
interface bridge vlan add bridge=LAN_BRIDGE untagged=GUEST_WLAN tagged=LAN_BRIDGE vlan-ids=20
The VLAN table tells the bridge how to handle each VLAN. The entry above says that VLAN 20 leaves untagged on the virtual wireless interface (frames from guests enter untagged and are assigned VLAN 20 by the PVID) and tagged on the bridge interface itself. Making the bridge a tagged member is what lets VLAN 20 frames reach the GUEST_VLAN interface sitting on top of the bridge, which holds the IP address and hosts our DHCP server. Before you start testing, we need to enable VLAN filtering on the bridge; until then the bridge VLAN table is simply not used. The reason we create the static entries before enabling filtering is that, once filtering is on, traffic on a VLAN that is not in the table is dropped, so enabling it first could cut off your own access to the router. It's worth enabling it from within safe mode (Ctrl+X in the terminal) so the change is rolled back automatically if you lose your connection. Also note that on a hAP, like most non-CRS3xx devices running v6, enabling VLAN filtering disables hardware offloading on the bridge and switching is then done by the CPU.
To enable VLAN filtering:
interface bridge set numbers=LAN_BRIDGE vlan-filtering=yes
If you want to assign certain ethernet ports on your router to guests, for example so that anything plugged into ether4 goes onto the guest VLAN, it's very simple. The port just needs to be in the bridge with pvid=20 and the same ingress restrictions as the wireless port. On the default config ether2 to ether5 are already bridge ports; if ether4 is already a member, replace "add bridge=LAN_BRIDGE" with "set [find interface=ether4]" and keep the remaining parameters:
interface bridge port add bridge=LAN_BRIDGE interface=ether4 pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged hw=yes
We then add ether4 to the static entry we created on the bridge VLAN table for the virtual wireless interface. One way is to edit the existing entry in the terminal editor (number 0 here; check "interface bridge vlan print" for yours). Note that ether4 is an untagged member, so it goes in the untagged list, not the tagged one:
interface bridge vlan edit number=0 value-name=untagged
This opens an editor containing the current untagged interfaces for VLAN 20. Add a comma and the ethernet port you wish to use as a guest port.
Mine looks like this:
GUEST_WLAN,ether4
Once that's done, press Ctrl+O to save. Now anything plugged into ether4 will be on the guest VLAN. This can be done for any port.
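As an added example that is not part of the original guide, here is the whole bridge/VLAN part of the procedure above as one script you can paste into the terminal. It assumes the names used above (LAN_BRIDGE, GUEST_WLAN, ether4, VLAN 20) and that the GUEST_WLAN interface already exists. It adds three things the step-by-step walkthrough doesn't: it works whether or not the ports are already bridge members, it uses a single set command on the VLAN table entry instead of the interactive editor, and it turns off client-to-client forwarding on the guest SSID so Wi-Fi guests can't reach each other through the access point.

```routeros
# Added example (not from the original guide). Assumed names: LAN_BRIDGE,
# GUEST_WLAN, ether4, VLAN 20. Run from within safe mode (Ctrl+X) so a
# mistake that locks you out is rolled back when the session drops.

# Filtering must be off while the static entries are built.
/interface bridge set numbers=LAN_BRIDGE vlan-filtering=no

# Guest access ports: untagged frames get VLAN 20 via the PVID, and frames
# that already carry a VLAN tag are dropped, so a guest cannot hop VLANs by
# tagging its own traffic. add if the port is not yet a bridge member,
# otherwise set the existing entry (ether2-ether5 are members on the default config).
/interface bridge port
:foreach iface in={"GUEST_WLAN";"ether4"} do={
    :if ([:len [find interface=$iface]] = 0) do={
        add bridge=LAN_BRIDGE interface=$iface
    }
    set [find interface=$iface] pvid=20 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged
}

# One static VLAN table entry: the bridge itself is the tagged member (that is
# how frames reach the GUEST_VLAN L3 interface), guest ports are untagged.
/interface bridge vlan
:if ([:len [find bridge=LAN_BRIDGE vlan-ids=20]] = 0) do={
    add bridge=LAN_BRIDGE vlan-ids=20 tagged=LAN_BRIDGE untagged=GUEST_WLAN,ether4
} else={
    set [find bridge=LAN_BRIDGE vlan-ids=20] tagged=LAN_BRIDGE untagged=GUEST_WLAN,ether4
}

# Wi-Fi client isolation: guests on the SSID cannot talk to each other via the AP.
/interface wireless set GUEST_WLAN default-forwarding=no

# Only now enable filtering, so the table above is already in place.
/interface bridge set numbers=LAN_BRIDGE vlan-filtering=yes

# Verify: VLAN 20 should list LAN_BRIDGE as tagged and both guest ports as
# untagged, and the dynamic (D) entry for VLAN 1 should still carry your LAN ports.
/interface bridge vlan print
/interface bridge port print
```

The default-forwarding=no setting only covers the wireless side; a device on ether4 and a Wi-Fi guest are still in the same VLAN and can reach each other at layer 2, which is acceptable for most guest networks but worth knowing.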
We now have a fully functional guest network. If you connect to it and get a DHCP lease, you'll see that your device is on the guest IP range. However, the router is still routing freely between the two subnets, so anyone on the guest network can reach any host on the internal network. A simple firewall filter stops that:
ip firewall filter add chain=forward src-address=10.0.1.0/24 dst-address=10.0.0.0/24 action=drop place-before=0 comment=Drop_Internal_Forwards_From_Guest_Devices
This rule drops anything from 10.0.1.0/24 going to 10.0.0.0/24. place-before=0 puts it at the very top of the filter list, ahead of the established/related and fasttrack accept rules of the default config, and because it matches regardless of connection state it also breaks connections opened from the internal network to guest devices (the replies are dropped). It only covers the one internal subnet you name, so if you have several, add them all.
Next, we definitely don't want guests to be able to reach the router itself, or even attempt to, so set up this input rule. Because our DHCP server hands out 1.1.1.1 as the DNS server rather than the router, guests lose nothing; if you hand out the router as DNS you would need to accept UDP/TCP port 53 from the guest subnet before this drop:
ip firewall filter add chain=input src-address=10.0.1.0/24 action=drop place-before=1 comment=Drop_Input_From_Guest_Devices
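The two rules above are tied to the exact internal subnet. As an added example that is not part of the original guide, the rule set below matches on the guest interface instead, so it keeps working if you add internal subnets later, blocks RFC 1918 destinations even when they would be routed out the WAN, logs guests that probe internal ranges before dropping them, and explicitly permits DHCP (and optionally DNS) to the router. It assumes the GUEST_VLAN interface from above and the default config's WAN interface list (ether1 is in it out of the box); rename WAN if yours differs.

```routeros
# Added example (not from the original guide). Assumes the GUEST_VLAN
# interface and the default config's "WAN" interface list.

# Every private range: nothing a guest should ever reach through this router.
/ip firewall address-list
add list=internal address=10.0.0.0/8 comment=RFC1918
add list=internal address=172.16.0.0/12 comment=RFC1918
add list=internal address=192.168.0.0/16 comment=RFC1918

/ip firewall filter
# Log the first packet of each guest connection aimed at an internal address,
# so probing from the guest segment shows up in /log (e.g. "guest->internal").
add chain=forward in-interface=GUEST_VLAN dst-address-list=internal connection-state=new action=log log-prefix="guest->internal " place-before=0 comment=Log_Guest_Internal_Attempts
# Guests may only leave via the WAN. At the top of the list so it wins over
# the fasttrack/established accept rules the default config puts first.
add chain=forward in-interface=GUEST_VLAN out-interface-list=!WAN action=drop place-before=1 comment=Guest_only_to_WAN
# Catches private destinations that would otherwise be routed out the WAN
# (upstream LAN behind an ISP box, CGNAT ranges in 10/8 and so on).
add chain=forward in-interface=GUEST_VLAN dst-address-list=internal action=drop place-before=2 comment=Guest_no_internal_via_WAN
# Internal hosts must not open connections into the guest segment either.
# Remove this one if you want to manage guest devices from the LAN.
add chain=forward out-interface=GUEST_VLAN in-interface-list=!WAN connection-state=new action=drop place-before=3 comment=LAN_no_new_to_Guest

# Router itself: drop everything from the guest interface, then punch holes
# for DHCP (renewals are unicast to the server) and, only if the router is
# the DNS handed out by DHCP, for DNS. place-before with [find ...] keeps
# the accepts ahead of the drop regardless of numbering.
add chain=input in-interface=GUEST_VLAN action=drop place-before=0 comment=Drop_Input_From_Guest_Devices
add chain=input in-interface=GUEST_VLAN protocol=udp dst-port=67 action=accept place-before=[find comment=Drop_Input_From_Guest_Devices] comment=Guest_DHCP
add chain=input in-interface=GUEST_VLAN protocol=udp dst-port=53 action=accept place-before=[find comment=Drop_Input_From_Guest_Devices] comment=Guest_DNS_optional

# Verify order (input accepts above the input drop, forward rules at the top).
/ip firewall filter print
```

After applying, test from a guest device that the internet works, that 10.0.0.1 and the router's own address time out, and that "/log print where message~"guest->internal"" shows the blocked attempts.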
Let's also limit each device on the guest VLAN to 5 Mbps down / 5 Mbps up, without putting a limit on the subnet as a whole. The total bandwidth the guest network can use is unlimited, but no single device can download or upload faster than 5 Mbps.
First we create a queue type using PCQ for the download direction. Notice that the PCQ classifier is dst-address, so each destination (each guest device receiving data) gets its own sub-queue with its own 5 Mbps rate:
queue type add name=Guest_Download kind=pcq pcq-rate=5M pcq-classifier=dst-address
We need another queue type for the upload direction; this time the classifier is src-address, so each guest device sending data gets its own sub-queue:
queue type add name=Guest_Upload kind=pcq pcq-rate=5M pcq-classifier=src-address
Now that the queue types exist, we create a simple queue on the guest VLAN interface that uses them (the queue parameter is upload/download):
queue simple add name=Guest_Limit target=GUEST_VLAN queue=Guest_Upload/Guest_Download
As you can see, by separating the guest network from the internal network it is much easier to apply subnet-wide rules and changes. It also makes tracking network traffic easier and improves security.