11/18/2017 by h
Mikrotik + Unifi Access Point – Guest network isolation
This is just a quick guide on how to separate a network using a Mikrotik router, a Ubiquiti Unifi AP, VLANs, and Unifi Guest Policies.
What we want to accomplish:
- 2 SSID, one for corporate users and one for guests
- 1 Management network where all the WAPs will be
- Guest policies applied to guest network
- NOTE: I’m missing the firewall configuration to truly isolate the traffic; this will have to wait until I can get access to the hardware again. It shouldn’t be too hard to accomplish, just allow the Guest network to go out to the internet and nothing else (some forward and input chain rules should do it).
Part 1: Setting up Mikrotik
a. Name your interfaces:
b. Create 2 new VLAN interfaces:
In my case I have ecorp-vlan, which will be the corporate network, and ecorp-guest-vlan for guests only. We’ll point a DHCP server to each VLAN later on. These VLANs will be on port 5, which is the one the only WAP I have is connected to. This is the port I would use if I had a managed switch with a trunk port set up on it. Having a managed switch that provides PoE (802.3af, I think, is the standard) for all our WAPs would be the ideal scenario.
c. Create 2 bridges for those vlans, and 1 bridge for ether5.
Management-Bridge contains only ether5-TRUNK as its port, ecorp-Bridge contains ecorp-vlan and ether2-LAN (this is our corporate network), and ecorp-guest-bridge contains the guest VLAN and ether4-GUESTS. I think this can be done slightly differently without sacrificing ether4 just to run a DHCP server on, but I got this done and working in about 15 minutes so I’m ok with it for now…
d. Standard Network settings.
Next, you need to assign an IP address to each bridge, create a pool of addresses for each DHCP server, and create a DHCP server for each bridge. All kinds of standard settings, as you would do with a brand new Mikrotik routerboard, only this time we’ll do it 3 times.
This is the interface list I currently have:
In this test scenario, my WAP is connected to ether5 on the Mikrotik. My Unifi Controller lives outside of the network, on the 172.16.0.0/24 range (which is how I simulate a WAN connection with a second RB), and is accessible from all networks (management 10.10.10.0/24, Corporate LAN 192.168.88.0/24, and Guest Network 10.0.0.0/24). In a scenario with more planning and time I would probably allow access to the controller only from the management network; there’s no need for guests or even the local LAN to access the controller, but we can easily add rules later on if we need to.
The VLANs on the Mikrotik control the flow of traffic: anything on VLAN 100 can be seen on the corporate network, anything on VLAN 200 is guest traffic.
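The Part 1 steps above as a single RouterOS terminal script (RouterOS 6 syntax). This is an added example, not the author’s own configuration (the post uses screenshots): interface, VLAN, bridge and subnet names come from the post, while the .1 gateway addresses, the DHCP pool ranges, and the firewall rules at the end (the guest isolation the post says is still missing) are my assumptions.

```routeros
/interface ethernet
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether4 ] name=ether4-GUESTS
set [ find default-name=ether5 ] name=ether5-TRUNK
# VLAN 100 = corporate, VLAN 200 = guests, both tagged on the trunk port
/interface vlan
add name=ecorp-vlan vlan-id=100 interface=ether5-TRUNK
add name=ecorp-guest-vlan vlan-id=200 interface=ether5-TRUNK
# One bridge per network; untagged traffic on ether5 is the management network
/interface bridge
add name=Management-Bridge
add name=ecorp-Bridge
add name=ecorp-guest-bridge
/interface bridge port
add bridge=Management-Bridge interface=ether5-TRUNK
add bridge=ecorp-Bridge interface=ecorp-vlan
add bridge=ecorp-Bridge interface=ether2-LAN
add bridge=ecorp-guest-bridge interface=ecorp-guest-vlan
add bridge=ecorp-guest-bridge interface=ether4-GUESTS
# Addressing and one DHCP server per bridge (gateway .1 and pool ranges assumed)
/ip address
add address=10.10.10.1/24 interface=Management-Bridge
add address=192.168.88.1/24 interface=ecorp-Bridge
add address=10.0.0.1/24 interface=ecorp-guest-bridge
/ip pool
add name=mgmt-pool ranges=10.10.10.100-10.10.10.200
add name=ecorp-pool ranges=192.168.88.100-192.168.88.200
add name=guest-pool ranges=10.0.0.100-10.0.0.200
/ip dhcp-server
add name=mgmt-dhcp interface=Management-Bridge address-pool=mgmt-pool disabled=no
add name=ecorp-dhcp interface=ecorp-Bridge address-pool=ecorp-pool disabled=no
add name=guest-dhcp interface=ecorp-guest-bridge address-pool=guest-pool disabled=no
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
add address=10.0.0.0/24 gateway=10.0.0.1 dns-server=10.0.0.1
/ip dns set allow-remote-requests=yes
# Isolation the post defers (assumed rules): guests may reach the internet and
# the router's DHCP/DNS, nothing internal. Place these above any generic accepts.
/ip firewall address-list
add list=internal address=10.10.10.0/24
add list=internal address=192.168.88.0/24
/ip firewall filter
add chain=forward in-interface=ecorp-guest-bridge dst-address-list=internal action=drop comment="guests: no management or corporate access"
add chain=input in-interface=ecorp-guest-bridge protocol=udp dst-port=53,67 action=accept comment="guests: DHCP and DNS to the router only"
add chain=input in-interface=ecorp-guest-bridge action=drop
```

If the controller should also be unreachable from the guest network, add its subnet to the `internal` address list; in the lab above that subnet doubles as the simulated WAN, so it is left out here.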
Part 2: Configuring the WAPs
On my Unifi controller I created a new test site, added two SSIDs for corporate and guests, and set up their respective VLAN tags on them.
You can see here that each SSID is on its own VLAN, and the access point takes its initial IP address from the management DHCP server, which I guess will be considered “untagged”.
The following image is of the controller displaying the WAP on the management network:
This one shows the two clients connected to ecorp and ecorp-guest with their respective IP addresses given by the two DHCP servers:
So this is it for this quick & dirty guide on setting up a separate network for your guests using a Unifi controller and some Unifi Access Points. Is this the best way to do it? Maybe not. Does it get the job done in around 15 minutes? Yes, it does… When I have the chance to sit down, plan, and test a similar setup I will definitely document everything and update this post, but for now feel free to send any questions/comments/rants over to the contact details found here.
Thanks for checking out the blog!