MikroTik routers with WiFi, like hAP ax³ with wifiwave2 package, can be used to create a “guest WiFi network”.
The guest WiFi gives clients access to the Internet, but isolates them from your main network, so they can’t see and don’t have ability to access any of your devices on it.
For example, to improve the security, you can put all your IoT devices on the guest WiFi network, so if one of them is hacked, the attacker won’t be able to get access to the devices on the main network.
This post shows how to perform a quick setup of the simple guest WiFi network on MikroTik hAP ax³ with wifiwave2 package.
Cool Tip: Minimize risks by using a MikroTik’s safe mode feature! Read more →
MikroTik Guest WiFi Network on hAP ax³ (WifiWave2)
⚠️ Warning: The simple quest WiFi setup that is shown below, does not provide the maximum possible isolation of the guest WiFi network. Although its clients won’t see the devices on the main network, they will still see the MikroTik router itself and will be able to connect to it, so make sure to set a strong password.
Create virtual WiFi interfaces for the guest access:
[admin@MikroTik] > /interface wifiwave2 add configuration.ssid=WiFi-5GHz-Guest \ name=wifi3 \ master-interface=wifi1 [admin@MikroTik] > /interface wifiwave2 add configuration.ssid=WiFi-2.4GHz-Guest \ name=wifi4 \ master-interface=wifi2 [admin@MikroTik] > /interface wifiwave2 print - sample output - Flags: M - MASTER; B - BOUND; R - RUNNING Columns: NAME, MASTER-INTERFACE, CONFIGURATION.MODE, CONFIGURATION.SSID, CHANNEL.WIDTH # NAME MASTER-INTERFACE CONFIGURATION.MODE CONFIGURATION.SSID CHANNEL.WIDTH 0 MBR wifi1 ap WiFi-5GHz 20/40/80mhz 1 MBR wifi2 ap WiFi-2.4GHz 20/40mhz 2 B wifi3 wifi1 ap WiFi-5GHz-Guest 3 B wifi4 wifi2 ap WiFi-2.4GHz-Guest
Group them in the default bridge interface:
[admin@MikroTik] > /interface bridge port add bridge=bridge interface=wifi3 [admin@MikroTik] > /interface bridge port add bridge=bridge interface=wifi4 [admin@MikroTik] > /interface bridge port print - sample output - Flags: I - INACTIVE Columns: INTERFACE, BRIDGE, HW, PVID, PRIORITY, PATH-COST, INTERNAL-PATH-COST, HORIZON # INTERFACE BRIDGE HW PVID PRIORITY PATH-COST INTERNAL-PATH-COST HORIZON ;;; defconf 0 ether2 bridge yes 1 0x80 10 10 none ;;; defconf 1 I ether3 bridge yes 1 0x80 10 10 none ;;; defconf 2 I ether4 bridge yes 1 0x80 10 10 none ;;; defconf 3 I ether5 bridge yes 1 0x80 10 10 none ;;; defconf 4 wifi1 bridge 1 0x80 10 10 none ;;; defconf 5 wifi2 bridge 1 0x80 10 10 none 6 I wifi3 bridge 1 0x80 10 10 none 7 I wifi4 bridge 1 0x80 10 10 none
Block the access from the guest WiFi network to the internal network:
[admin@MikroTik] > /interface bridge filter add action=drop chain=forward in-interface=wifi3 [admin@MikroTik] > /interface bridge filter add action=drop chain=forward out-interface=wifi3 [admin@MikroTik] > /interface bridge filter add action=drop chain=forward in-interface=wifi4 [admin@MikroTik] > /interface bridge filter add action=drop chain=forward out-interface=wifi4 [admin@MikroTik] > /interface bridge filter print - sample output - Flags: X - disabled, I - invalid, D - dynamic 0 chain=forward action=drop in-interface=wifi3 1 chain=forward action=drop out-interface=wifi3 2 chain=forward action=drop in-interface=wifi4 3 chain=forward action=drop out-interface=wifi4
The guest WiFi can also be configure through the “Quick Set” configuration wizard page in WebFig/WinBox:
You have learned how to perform a quick setup of the simple guest WiFi network on MikroTik hAP ax³ with wifiwave2 package.
For the best isolation of the guest WiFi network it is required to setup VLANs, but this is another story 😅.