MikroTik RB2011UiAS-2HnD - Segmented Wireless / Guest Wifi with WPA2 Personal

In other posts I have talked about setting up WPA2 Enterprise wireless networks for the regular users of my network. However, that setup is not convenient for the following use cases, either because of the extra overhead or because the devices lack WPA2 Enterprise support:

  • Guest users
  • Devices that do not support WPA2 Enterprise (PS3, Xbox 360, embedded devices and IoT devices)

If your users are only going to be surfing the Internet via a web browser, take a look at setting up a HotSpot on your MikroTik instead.

In my case I want devices to freely access the Internet, so I have set up a WPA2 Personal network with the following attributes:

  • Long but easy to remember WPA2 Personal PSK (Pre-Shared Key)
    • Avoid a short or weak WPA2 Pre-Shared Key, as it will not take long to crack
    • With so many Wifi access points in the area, hopefully the bear eats one of the other networks first
    • Rotate the PSK often
  • Restricted network access
    • Only allow the clients to access the Internet
    • Firewall rules to block access to other network segments
  • Understand the risk
    • Since access is usually granted to a few mates who want to do small tasks on the Internet, it's less of an issue if someone sniffs that traffic.
  • Future wants beyond this article
    • Limited bandwidth for the network (only allow, say, 2-5G at a certain rate)
    • Blocking specific network traffic
      • No Torrents
      • No access to Tor networks
    • Monitoring
      • Email me when someone accesses the guest network
      • Log the access to the network for review if necessary

Create a Security Profile

Create a Security Profile with the following options. This is the security configuration for your WPA2 Wifi network.

(Screenshot of the Security Profile settings)

As mentioned above, make sure the WPA2 Pre-Shared Key (PSK) is nice and long.

Create a Virtual AP

Create a Virtual AP with the following options. This creates the interface and the network SSID that clients will connect to.

(Screenshot of the Virtual AP settings)

Create DHCP Server Config

Now we are going to create the DHCP Server configuration that lets clients get an IP address from the MikroTik.

From the menu go to IP -> DHCP Server, then on the DHCP tab click DHCP Setup and use the following options:

  • DHCP Server Interface = <VirtualAP Name>
    • In my case it's GuestWPA2
  • DHCP Address Space = <192.168.89.0/24>
    • This is the next IP address space up from the MikroTik default, but you can make it whatever you need
  • Gateway for DHCP Network = <192.168.89.1>
    • This should be the first address of the range you have chosen to use
  • DHCP Relay = <192.168.89.1>
    • Just make this the same as the default gateway
  • Addresses to Give Out = <192.168.89.2-192.168.89.254>
    • This should already be populated with the address range you have chosen, minus the IP address of the default gateway
  • DNS Servers = <192.168.1.1>
    • This is pre-populated with 192.168.1.1, which in my case is the default gateway of the MikroTik and carries the DNS settings from my ISP. If that is not the case for you, use Google DNS (8.8.8.8) or look up your ISP's DNS server addresses.
  • Lease Time = <3d 00:00:00>
    • You can leave this at the default above

The DHCP Server should now be configured.

Create NAT Rules

Now we need to create NAT rules for this network to access the Internet.

  • Go to IP -> Firewall -> NAT tab and click Add New
  • Tick Enabled
  • Chain = <srcnat>
    • This tells the router to translate traffic coming out of this network
  • Src Address = <192.168.89.0/24>
    • This should be set to the address range of the network we just configured
  • Out. Interface = <ether1-gateway>
    • For me this is the interface that leads to the Internet. If that is not the case for you, change it to the interface connected to your Internet uplink.

Firewall Rules

We now need to set up some firewall rules that prevent access from the Guest WPA2 network to any of the other networks. This is enough to stop the networks reaching each other without setting up VLANs. We need to create the following firewall rules:

  • DROP packets from 192.168.89.0/24 attempting to reach 192.168.88.0/24 on the FORWARD chain
  • DROP packets from 192.168.89.0/24 attempting to reach 192.168.88.0/24 on the INPUT chain

(Screenshot of the two firewall filter rules)

While we have only a few networks, rules like this are simple and easy to manage. However, if you have more than say three, consider changing your rules to specifically allow traffic instead. For example, if I have 4 networks configured and I do not want any of them to access each other, I am maintaining 6 rules per network, which is 24 rules, and this gets out of control quickly as the number of networks increases. At that point you are better off only allowing certain types of traffic to your networks, which reduces the number of rules you have to maintain.
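The two rules above and the "allow only what is needed" layout the last paragraph recommends, as an added RouterOS CLI example (not code from the article). It assumes GuestWPA2 is an unbridged interface and that new rules land before any blanket accept in the chain; the address-list name internal-nets is an assumption.

```routeros
# Use block A or block B, not both.

# --- A. Exactly the two rules the article lists ---
/ip firewall filter
add chain=forward src-address=192.168.89.0/24 dst-address=192.168.88.0/24 \
    action=drop comment="guest -> main LAN"
add chain=input src-address=192.168.89.0/24 dst-address=192.168.88.0/24 \
    action=drop comment="guest -> router's LAN address"

# --- B. Same intent, written to scale past a handful of networks ---
# One address list holds every internal segment; a fifth network is one more
# address-list line instead of another batch of per-network drops.
/ip firewall address-list
add list=internal-nets address=192.168.88.0/24 comment="main LAN"
add list=internal-nets address=192.168.89.0/24 comment="guest WPA2"
/ip firewall filter
add chain=forward src-address-list=internal-nets \
    dst-address-list=internal-nets action=drop \
    comment="no segment-to-segment traffic"
# Router services: guests need DHCP and nothing else from the router itself,
# so accept that and drop everything else arriving on the guest interface.
add chain=input in-interface=GuestWPA2 protocol=udp dst-port=67 \
    action=accept comment="DHCP from guests"
add chain=input in-interface=GuestWPA2 action=drop \
    comment="no other guest traffic to the router"

# Rules are appended; if the chain already has a general accept rule above,
# re-add these with place-before=0 so they are evaluated first.

# Check the hit counters after a guest tries to reach 192.168.88.x.
/ip firewall filter print stats
```

Block B's input rules also cover the guest gateway address 192.168.89.1, which is the same router; the per-network input rule in block A leaves router services reachable on that address.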