Mikrotik
Wuzilla, 2018-04-26 18:59:51

How to make a "Guest" port in Mikrotik?

Hello everyone. There is a Mikrotik RouterBOARD 3011UiAS-RM router: the Internet comes into it, the entire local network is tied to it, and it also distributes IP addresses and goes to the switches. I need to connect a computer through this router, but so that it is not on the local network; let's say in a "guest" network, and I want it to be on a different port. How can this be implemented?


3 answer(s)
Dmitry, 2018-04-26
@Tabletko

Put the necessary ports in a separate bridge, set up a DHCP server on it, and write a src-nat rule for Internet access.

Wuzilla, 2018-04-28
@Wuzilla

Yes, it is necessary that there be isolation between networks

Igor, 2018-06-06
@Lopar

For this task, you need to assign an IP address to the desired port (or to a bridge, if you need several ports) and let it out into the world with NAT.

/ip address
add address=10.1.2.1/24 interface=ether2 network=10.1.2.0 comment="DMZ"
/ip firewall nat
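# ether2 is the guest port itself, so match the guest subnet as the source rather than out-interface=ether2
add action=masquerade chain=srcnat src-address=10.1.2.0/24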

We configure DHCP for the case where PCs receive their settings only from the router. Even if the settings are entered manually on the PC, they will not be reflected in the ARP table, and such a device will not work.

# the pool is created first, because the DHCP server refers to it by name
/ip pool
add name=dmz ranges=10.1.2.2-10.1.2.254
/ip dhcp-server
# add-arp=yes writes each lease into the ARP table; disabled=no enables the server explicitly
add address-pool=dmz interface=ether2 name=dhcp-dmz add-arp=yes disabled=no
/ip dhcp-server network
add address=10.1.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.1.2.1 netmask=24
/interface ethernet
# reply-only: the port answers only hosts that already have an ARP table entry
set [ find default-name=ether2 ] arp=reply-only

If you need rock-solid network isolation, go to ip→routes→rules

/ip route rule
add action=unreachable dst-address=10.1.1.0/24 src-address=10.1.2.0/24
add action=unreachable dst-address=10.1.2.0/24 src-address=10.1.1.0/24

The same can be done through ip→firewall→filter, but this way is more solid, because the routes are processed earlier and guarantee that everything will be isolated, even if there is a mistake or hole in the firewall.
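
A way to check that the isolation settings from the answer above are actually present on a router, as an added example that is not part of the original answer: it reads the text of a RouterOS `/export` and reports which of the measures are missing. The function names and the sample export are constructed for illustration; the parser assumes one command per line and ignores route rule order.

```python
import ipaddress
import shlex

def parse_export(text):
    """Yield (menu, params) for each add/set line (one command per line)."""
    menu = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith(("add ", "set ")):
            yield menu, dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)

def blocks(rules, src, dst):
    """True if a drop/unreachable route rule covers all of src -> dst."""
    src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for r in rules:
        r_src = ipaddress.ip_network(r.get("src-address", "0.0.0.0/0"))
        r_dst = ipaddress.ip_network(r.get("dst-address", "0.0.0.0/0"))
        if (r.get("action") in ("drop", "unreachable")
                and src.subnet_of(r_src) and dst.subnet_of(r_dst)):
            return True
    return False

def audit(export, guest_if, guest_net, lan_net):
    """Return a list of isolation gaps found in the export text."""
    items = list(parse_export(export))
    rules = [p for m, p in items if m == "/ip route rule"]
    gaps = []
    if not blocks(rules, guest_net, lan_net):
        gaps.append("guest -> LAN not blocked by a route rule")
    if not blocks(rules, lan_net, guest_net):
        gaps.append("LAN -> guest not blocked by a route rule")
    if not any(m == "/ip dhcp-server" and p.get("interface") == guest_if
               and p.get("add-arp") == "yes" for m, p in items):
        gaps.append("DHCP server on guest port lacks add-arp=yes")
    if not any(m == "/interface ethernet" and p.get("default-name") == guest_if
               and p.get("arp") == "reply-only" for m, p in items):
        gaps.append("guest port is not arp=reply-only")
    return gaps

# Constructed sample: the answer's commands with one route rule left out.
SAMPLE = """\
/ip dhcp-server
add address-pool=dmz interface=ether2 name=dhcp-dmz add-arp=yes
/interface ethernet
set [ find default-name=ether2 ] arp=reply-only
/ip route rule
add action=unreachable dst-address=10.1.1.0/24 src-address=10.1.2.0/24
"""
```

Calling `audit(SAMPLE, "ether2", "10.1.2.0/24", "10.1.1.0/24")` reports the missing LAN-to-guest rule; an empty list means all four settings were found.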
