(4) True Guest WiFi with MikroTik Routers

  • From Category5 Technology TV S13E27
  • May 27, 2020

When customers, friends, or guests arrive, they often ask for the WiFi password. Thing is, by providing it to them, you make your network susceptible to a ransomware attack if their device is infected, plus you grant them limitless access to your network resources, such as private shared files, printers, and IoT devices such as your smart surveillance, thermostat or even smart door locks. Let's set up a separate WiFi network--with no additional hardware--using MikroTik. It will be isolated from our main network, so users who are connected to it will be unable to access anything on our private network.


Full series available at https://cat5.tv/mikrotik

Documentation

Creating a guest WiFi SSID that does not have access to private LAN.

In the companion video tutorial, I use WebFig (MikroTik's browser-based interface) to set this up. However, I have tried to make these instructions clear for both WebFig and WinBox (the downloadable MikroTik client software).

  1. Click Wireless > Security Profiles.
  2. Click Add New (+ in WinBox) to create a security profile we will use for the Guest WiFi. This will be used to set up the WPA2 pre-shared key (WiFi password).
    1. Call the profile Guest
    2. In Authentication Types, uncheck WPA PSK so only WPA2 PSK is selected. We don't want to use WPA since it's insecure.
    3. Enter your desired WPA2 password (Pre-Shared Key).
    4. Hit Ok.
  3. In the Wireless > WiFi Interfaces tab, click Add New (+) and choose Virtual to add a new Virtual WiFi interface. It will use the same radio as our main WiFi, so in this example, it will be sharing the same frequency.
    1. In "General" name it guest-wifi
    2. In "Wireless" add an SSID guest (This will be the name of your WiFi for guest access. You can make it whatever you like as long as it's unique.)
    3. Change the Security Profile to the Guest profile we created previously. This ensures your new guest WiFi will use the Guest password, not your default one.
    4. Hit OK.
  4. Now we need to create a bridge, so open Bridge.
    1. On the Bridge tab, click Add New (+) to add a new bridge for the Guest WiFi.
      1. Name it bridge-guest
      2. Hit OK.
    2. Open the Ports tab and click Add New (+) to add a new wireless LAN for our guest access.
      1. Change the Interface to guest-wifi. On WebFig this is near the top. In WinBox, it's on the General tab.
      2. Change the Bridge to bridge-guest.
      3. Hit OK.
  5. Next, we need to create an IP block for the new guest WiFi bridge.
    1. Click IP > Addresses.
    2. Click Add New (+).
    3. Assign the Address 10.10.10.1/24
    4. Change Interface to bridge-guest
    5. Hit OK.
  6. Now, we need a DHCP server on the Guest WiFi. This is how your Guest WiFi clients will receive IP addresses, DNS settings, and so on.
    1. Open IP > DHCP Server.
    2. First, open the DHCP server you already have. This is your local private network's DHCP pool, but it may be named something non-descriptive. So, simply rename it local. This is so you know in future that this network has full local access. Press Ok to save the new name.
    3. Now we'll create our new DHCP server for guest access. We'll use the DHCP Setup wizard instead of manually adding it. Click DHCP Setup to begin the wizard for a new DHCP server.
      1. Change the DHCP Server Interface to bridge-guest
      2. Press Next a bunch of times until setup is complete.
      3. Rename that DHCP server to guest just as we did above for the local DHCP server.
  7. Block the Guest WiFi from having access to the LAN resources such as network shares or printers.
    1. Go to IP > Firewall Rules.
    2. Click Add New (+).
    3. Ensure "Chain" is set to Forward.
    4. Set Src. Address to your guest IP block with the subnet. In our case, that's 10.10.10.0/24
    5. Set Dst. Address to your local IP block with the subnet. In our studio this is 10.0.0.0/24 but yours might be, for example, 192.168.0.0/24 or if you're using the MikroTik defaults, 192.168.88.0/24
    6. Under Action, select Drop.
    7. Hit Ok.
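
The same seven steps as RouterOS terminal commands, for anyone who prefers the CLI or wants to review the result in one place. This is an added example, not part of the original show notes. It assumes the legacy wireless package, a main radio named wlan1, a placeholder pre-shared key, and the pool, gateway and DNS values the DHCP Setup wizard would typically offer (the pool name guest-pool is made up here).

```routeros
# Steps 1-2: WPA2-only security profile for guests (the key is a placeholder)
/interface wireless security-profiles
add name=Guest mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="CHANGE-THIS-GUEST-KEY"

# Step 3: virtual AP on the existing radio (wlan1 is an assumption)
/interface wireless
add name=guest-wifi master-interface=wlan1 ssid=guest \
    security-profile=Guest disabled=no

# Step 4: dedicated bridge holding only the guest interface
/interface bridge
add name=bridge-guest
/interface bridge port
add bridge=bridge-guest interface=guest-wifi

# Step 5: router address on the guest subnet
/ip address
add address=10.10.10.1/24 interface=bridge-guest

# Step 6: DHCP for guests (assumed equivalents of the wizard defaults)
/ip pool
add name=guest-pool ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add name=guest interface=bridge-guest address-pool=guest-pool disabled=no
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=10.10.10.1

# Step 7: drop forwarded traffic from the guest subnet to the private LAN.
# Replace 10.0.0.0/24 with your own LAN block (192.168.88.0/24 on MikroTik defaults).
# "add" appends to the end of the forward chain; rules are matched top to bottom,
# so this rule must sit above any rule that would accept the same traffic.
/ip firewall filter
add chain=forward src-address=10.10.10.0/24 dst-address=10.0.0.0/24 \
    action=drop comment="guest WiFi to private LAN"

# Review the rule order
/ip firewall filter print
```

To confirm the isolation, join the guest SSID and try to reach a LAN host: the attempt should fail while Internet access still works.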
