I have installed a Mikrotik hAP and have given guest wifi access to the internet. The network is 192.168.9.0 (different from the local LAN). It is working great. However, guests can still access local LAN resources because the MikroTik is routing traffic to them.

Is the correct way to keep these two networks from accessing each other the following Firewall rule? Set this on the WiFi AP or on the edge router?
What is the best way to do this (without uing vLAN)?

I'd say to just take an interface from the main router and remove it from your LAN bridge/switch settings (convert it to a standalone interface) and put 192.168.9.1/24 on that interface and dhcp server, etc.

Then cconvert the hap-lite to being a simple bridged AP and connect it to the new LAN2 interface you created on the main router.

Then the firewall rules you mentioned will work perfectly. (blending two IP networks on the same LAN can still let things slip through the cracks, plus it's a less standard way of doing things.

Thank you. The way I have it now, there is双natin place. Your suggestion will work.

For the sake of discussion, what if I don't want to change settings on the main (edge) router? I'm very familiar with MikroTik, so you don't need to show me commands, just give me the high level view.

Discussion:
How can I setup a Wi-Fi AP (a RB951Ui-2nD in this example) without using srcnat on it, so that it's clients can access the internet but not the LAN without double NAT? This means they all need to route traffic out to 192.168.0.1 only.

I know that by asking I'm showing my lack of knowledge. And your point about protocol leakage is a concern which may make this discussion moot. Is double nat so bad?

This is what I'm presently doing:

Summary:
I want a guest Wi-Fi AP on a separate subnet from the LAN. Each subnet needs to be routed to the internet, but not to each other. It seems I have to virtually separate each subnet by placing them on different VLAN. This requires two devices; a router/firewall that supports VLAN and an AP that supports VLAN. Since we only use MikroTik hardware - I'm good. I was trying to avoid changing routers (if working in other customer's environments). But that introduces double nat?

How do I do this?

You can not make the guest subnet reach internet without srcnat or masquerade. The setup will be like this :
1. Create two vlans on router assigned to the interface connected to ap This will be a trunk port.. For example vlan 100 will be your vlan and vlan 200 will be guest vlan.Make a dhcp server for vlan 100 with a pool-vlan100 10.10.10.0/24 for example and another server with pool-vlan200 10.10.9.0/24 for example. Add two srcnat rules one for subnet 10.10.10./24 and onother for 10.10.9.0/24
2.Then create a bridge-vlan-100 and add port to it vlan100 and a ether connected to others clients. This will be an access port. On others ethrers set master interface the access port you created.
3. On ap add vlan 100 and vlan200 to the port connected to the router.
4. Add bridge-vlan100 adding ports vlan100, wlan1 and others ethers if there are. Or add only vlan100 and ethrer2 and on others ethers set master interface ether2.
5.Add bridge-vlan200 then add Wlan2-guest and vlan200.
6. on router drop traffic comming from bridge-vlan200 to bridge-vlan100.
Hope i was not forgetting anything.

Hope i was not forgetting anything.

Kiaunel,

Thank you for the help. I'm starting to understand. I'll do some study. I get what you're saying overall. If I setup the ports (interfaces) on the edge device, then the Wifi AP can really do whatever it wants because the 802.1q trunk port is going to segmented and control what it does anyway. So, why setup VLANs on the AP? I guess if you had two networks running on the AP. In my case, it will only be used for Guests. There is another AP in the building for internal LAN Wifi, I guess that makes things simpler.

Oh, my bad. Then forget about trunk and set access port coonected to ap with vlan 200 . And on ap there is nothing to do.

Without VLAN, like this
http://weblance.com.ua/blog/226-guest-w ... teros.html

Create new bridge and put your ETH into new Bridge. Then add Rules in IP-Routers to isolate guest network.

Use Simple Queue to control max. upload/download speed.

Why not make a route to the gateway of the Edge Router. Then set up an exclude for the rest of the subnet in the firewall?

Why not make a route to the gateway of the Edge Router. Then set up an exclude for the rest of the subnet in the firewall?

As long as the gateway can also make a route to the guest AP, this will work. (the request was for no double-nat)

After reading how this thread has progressed, I still stand by my original recommendation - create a "guest network" interface on the main router - either as a vlan or as a stand-alone ethernet interface - logically this doesn't matter to IP - it only matters that the router has 3 IP interfaces: wan, lan, guest and that these are on different broadcast domains (i.e. not multi-IP in the same LAN). If simple bridge-only APs are connected, then they will broadcast the LAN if connected to a LAN interface of the router, and they will broadcast GUEST if connected to a guest interface of the router. (by this, I don't mean the SSID, but the actual network that associated stations will be connected to). It's very easy.

In a network you control, this is the best solution. The second-best is to route a guest IP range at a wireless router which will have a firewall rule blocking guest->lan IP range packets.

Using vlans instead of physical interfaces does have one advantage - a single AP could be configured with both SSIDs, using the vlan tag to keep 'em separated from each other on the wire.

Somewhere in this thread, I think I recall seeing someone mention a portable guest AP that you can just plug into anything -

If you want a portable "plug it in anywhere" guest AP, then the AP needs to operate as a NAT router with the ethernet interface as its WAN - yes this will introduce double NAT, but double nat isn't really harmful for most applications - VoIP, some gaming, and possibly FTP could be affected (usually, it's applications that require NAT helpers anyway) but the standard stuff you want to offer a guest network for (web, email) will work through double NAT without any problems at all.

The real tricky part of the "portable" guest AP is in restricting access to the immediate IP range of whatever the WAN is connected to. If the wan IP of the portable AP is dynamic, then you're either forced to use scripts to update a filter list with whatever range of IP is currently on the WAN, or just block dst-address-list=private_ip where private_ip = 192.168.0.0/16, 10.0.0.0/8, and 172.16.0.0/12. I recommend the second method because this would work for any arbitrary private IP topology upstream from the portable AP. Also, I would recommend that such an AP should use DNS proxy, with the AP itself using whatever DNS server is assigned by the host network - because you never know what policy a network will have. If you tried to just use 8.8.8.8 or some other well-known public DNS server for guest clients, this would break if connecting the portable AP to a network that blocks outbound DNS requests and requires you to use a local DNS server with a private IP....

如果你真的想要可爱的tha和保证t your LAN IP of the portable guest router AP would never conflict with any LAN you'd connect it to - then try using an obscure LAN such as the documentation prefix (i.e. 192.0.2.x/24) - which is a bit of a breach of standards, but you're going to NAT that out anyway, right? Sure, 192.168.174.x is rare, but if that's the guest AP's lan range, and you plug it into something using that subnet, it would fail - and you want mega-portability for this thing, right?

Why not make a route to the gateway of the Edge Router. Then set up an exclude for the rest of the subnet in the firewall?

You need use second DHCP Server and block unused IP on router. See my manual above.
If you use static rules, you dont have guarantee that guest IP is from DHCP. Guest can set static IP from different network and get access to LAN.

I need a block diagram at this point.