(4) True Guest WiFi with MikroTik Routers

  • From Category5 Technology TV S13E27
  • May 27, 2020

When customers, friends, or guests arrive, they often ask for the WiFi password. Thing is, by providing it to them, you make your network susceptible to ransomware attack if their device is infected, plus you grant them limitless access to your network resources, such as private shared files, printers, and IoT devices such as your smart surveillance, thermostat or even smart door locks. Let's set up a separate WiFi network--with no additional hardware--using MikroTik. It will be isolated from our main network so users who are connected to it will be unable to access anything on our private network.

This video is provided free of charge. If you enjoy what we do, please consider becoming a Patron so we can continue offering more great content.
Support This Free Content

Full series available at https://cat5.tv/mikrotik


Creating a guest WiFi SSID that does not have access to private LAN.

In the companion video tutorial, I use WebFig (MikroTik's browser-based interface) to set this up. However I have tried to make these instructions clear for both WebFig and WinBox (the downloadable MikroTik client software).

  1. Click WirelessSecurity Profiles.
  2. Click Add New (+ in WinBox) to create a security profile we will use for the Guest WiFi. This will be used to setup the WPA2 pre-shared key (WiFi password).
    1. Call the profile Guest
    2. In Authentication Types, uncheck WPA PSK so only WPA2 PSK is selected. We don't want to use WPA since it's insecure.
    3. Enter your desired WPA2 password (Pre-Shared Key).
    4. Hit Ok.
  3. In WirelessWiFi Interfaces tab, click Add New (+) and choose Virtual to add a new Virtual WiFi interface. It will use the same radio as our main WiFi, so in this example, it will be sharing the same frequency.
    1. In "General" name it guest-wifi
    2. In "Wireless" add an SSID guest (This will be the name of your WiFi for guest access. You can make it whatever you like as long as it's unique.)
    3. Change the Security Profile to the Guest profile we created previously. This ensures your new guest WiFi will use the Guest password, not your default one.
    4. Hit OK.
  4. Now we need to create a bridge, so open Bridge.
    1. On the Bridge tab, click Add New (+) to add a new bridge for the Guest WiFi.
      1. Name it bridge-guest
      2. Hit OK.
    2. Open the Ports tab and click Add New (+) to add a new wireless LAN for our guest access.
      1. Change the Interface to guest-wifi. On WebFig this is near the top. In WinBox, it's on the General tab.
      2. Change the Bridge to bridge-guest.
      3. Hit OK.
  5. Next, we need to create an IP block for the new guest WiFi bridge.
    1. Click IPAddresses.
    2. Click Add New (+).
    3. Assign the Address
    4. Change Interface to bridge-guest
    5. Hit OK.
  6. Now, we need a DHCP server on the Guest WiFi. This is how your Guest WiFi clients will receive IP addresses, DNS settings, and so-on.
    1. Open IPDHCP Server.
    2. First, open the DHCP server you already have. This is your local private network's DHCP pool, but it may be named something non-descriptive. So, simply rename it local. This is so you know in future that this network has full local access. Press Ok to save the new name.
    3. Now we'll create our new DHCP server for guest access. We'll use the DHCP Setup wizard instead of manually adding it. Click DHCP Setup to begin the wizard for a new DHCP server.
      1. Change the DHCP Server Interface to bridge-guest
      2. Press Next a bunch of times until setup is complete.
      3. Rename that DHCP server to guest just as we did above for the local DHCP server.
  7. Block the Guest WiFi from having access to the LAN resources such as network shares or printers.
    1. Go to IPFirewall Rules.
    2. Click Add New (+).
    3. Ensure "Chain" is set to Forward.
    4. Set Src Addres to your guest IP with the subnet. In our case, that's
    5. Set Dst Addres to your local IP block with the subnet. In our studio this is but yours might be, for example, or if you're using the MikroTik defaults,
    6. Under Action, select Drop.
    7. Hit Ok.


Twitter Posts

Login to Category5

Error message here!

Hide Error message here!

Forgot your password?

Register on Category5

Error message here!

Error message here!

Hide Error message here!

Lost your password? Please enter your email address. You will receive a link to create a new password.

Error message here!

Back to log-in