Beginner’s Guide: Setting Up a Guest Wi-Fi Network on MikroTik


Hello again! Emmanuel Corels here from Emmanuel Corels Creatives, continuing our beginner-friendly MikroTik how-to series. This time, we’ll learn how to create a Guest Wi-Fi network that stays separate from your main LAN. This is perfect if you want to offer internet access to visitors without giving them full access to your personal devices or sensitive data.


What Is a Guest Wi-Fi Network?

A guest network is an isolated wireless (and sometimes wired) subnet that provides internet access but restricts or blocks access to your private LAN resources. Typically, you’ll:

  1. Create a separate VLAN or virtual AP interface for guests.
  2. Assign a different IP range and DHCP server for that guest network.
  3. Add firewall rules that prevent guests from reaching your main LAN.
  4. Permit traffic to the internet (NAT) for normal browsing.

Scenario Overview

  • Main LAN: Using subnet 192.168.88.0/24 (for example) with your existing SSID or wired LAN.
  • Guest Wi-Fi: A new SSID on a separate VLAN/subnet (e.g., 192.168.99.0/24).
  • MikroTik Wireless Interface: We’ll add a virtual AP or set up a second SSID on the same physical radio.
  • Isolation: Guests can get online but not see your main LAN devices.

(If your MikroTik has separate physical wireless interfaces, you could also do it that way, but a Virtual AP is the simplest approach.)


Step 1: Create a VLAN or Virtual AP

There are two common ways:

Method A: Virtual AP (Multiple SSIDs)

  1. WinBox → Wireless → WiFi Interfaces
  2. Click the “+” and select Virtual (or Virtual AP).
  3. Parent Interface: pick your main wireless interface (like wlan1).
  4. Name: guest-wlan.
  5. Mode: ap bridge.
  6. SSID: choose something like GuestNet.
  7. Security Profile: set up a separate password or even open access, depending on your preference.
  8. OK to create the virtual AP.

(This approach creates a second SSID that runs on the same channel as your main Wi-Fi. The guest SSID is effectively a separate interface you can put on its own bridge or IP subnet.)

Method B: VLAN on Bridge

If your wireless interface is bridged with LAN, you might prefer a VLAN approach. Then you’d create a VLAN interface (e.g., vlan99) on top of the wireless/bridge, and tie a virtual AP to that VLAN. For many beginners, the Virtual AP method (Method A) is simpler, so let’s focus on that.


Step 2: Create a New Bridge or Assign IP to the Virtual AP

If you’re doing Virtual AP:

  1. In WinBox → Bridge, create a new bridge (e.g., bridge-guest) or skip this step if you plan to assign an IP directly to the virtual AP interface (though bridging can help if you also want a guest Ethernet port).
  2. Bridge → Ports tab: Add guest-wlan as a port to bridge-guest.

Now, the interface bridge-guest becomes your “guest LAN.” Alternatively, you can assign the IP address directly on guest-wlan, skipping the bridge entirely. Either method works; bridging is convenient if you want to add more ports or interfaces to the guest network later.


Step 3: Assign IP and DHCP to Guest Network

  1. IP → Addresses
    • Add a new IP, for example:
      /ip address add address=192.168.99.1/24 interface=bridge-guest
      
      (or guest-wlan if not using a bridge).
  2. IP → DHCP Server → DHCP Setup
    • DHCP Setup on bridge-guest (or guest-wlan).
    • Follow the wizard: it’ll ask for network, gateway (192.168.99.1), pool range, DNS, etc.
    • Finish, and you have a DHCP server handing out, say, 192.168.99.2-192.168.99.254 addresses to guests.

Step 4: NAT for Guest Network

Guests need internet, so create (or confirm) a masquerade rule for the new subnet:

  1. WinBox → IP → Firewall → NAT.
  2. Add a new rule:
    • Chain: srcnat
    • Src. Address: 192.168.99.0/24
    • Out. Interface: ether1 (WAN) or whichever your main internet interface is.
    • Action: masquerade.

This ensures guests get NAT’ed to your WAN IP when browsing the internet.

(If you already have a single srcnat rule that masquerades everything from LAN, you might not need a new one. But it’s often good practice to specify the source subnet if you’re controlling behavior more precisely.)


Step 5: Firewall Isolation

We must block guests from accessing your main LAN (e.g., 192.168.88.0/24). The simplest approach is a forward chain rule in IP → Firewall → Filter:

  1. Add a rule:
    • Chain: forward
    • Src. Address: 192.168.99.0/24
    • Dst. Address: 192.168.88.0/24
    • Action: drop
    • Comment: “Block Guest to Main LAN”

Move this rule above any general “accept established/related” or final “drop all” rules so it specifically blocks traffic from the guest net to your LAN. If you want to allow only internet, this single rule does the trick.

(Note: If you have multiple LAN subnets, block each of them, or block guest traffic to everything except the WAN interface if you prefer. The concept stays the same: deny guests access to internal networks.)
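
Steps 1 to 5 (Method A) as RouterOS terminal commands. This is an added example, not the author's own configuration. It assumes the legacy wireless package with wlan1 as the parent radio and ether1 as WAN; the names guest-profile, guest-pool and guest-dhcp and the passphrase placeholder are made up for illustration.

```routeros
# Added example: Steps 1-5 (Method A) as terminal commands.
# Assumptions: legacy "wireless" package, parent radio wlan1, WAN on ether1.
# guest-profile, guest-pool and guest-dhcp are illustrative names.

# Step 1: WPA2 security profile and virtual AP for the guest SSID
/interface wireless security-profiles add name=guest-profile mode=dynamic-keys \
    authentication-types=wpa2-psk wpa2-pre-shared-key="CHANGE-ME-guest-passphrase"
/interface wireless add name=guest-wlan master-interface=wlan1 mode=ap-bridge \
    ssid=GuestNet security-profile=guest-profile disabled=no

# Step 2: dedicated guest bridge (never add guest-wlan to the main LAN bridge)
/interface bridge add name=bridge-guest
/interface bridge port add bridge=bridge-guest interface=guest-wlan

# Step 3: gateway address, pool and DHCP server for 192.168.99.0/24
# dns-server below assumes the router's DNS service accepts remote requests
# (/ip dns allow-remote-requests); otherwise hand out your usual resolver.
/ip address add address=192.168.99.1/24 interface=bridge-guest
/ip pool add name=guest-pool ranges=192.168.99.2-192.168.99.254
/ip dhcp-server network add address=192.168.99.0/24 gateway=192.168.99.1 \
    dns-server=192.168.99.1
/ip dhcp-server add name=guest-dhcp interface=bridge-guest \
    address-pool=guest-pool disabled=no

# Step 4: masquerade only the guest subnet out of the WAN interface
/ip firewall nat add chain=srcnat src-address=192.168.99.0/24 \
    out-interface=ether1 action=masquerade comment="Guest NAT"

# Step 5: drop guest-to-LAN forwarding
/ip firewall filter add chain=forward src-address=192.168.99.0/24 \
    dst-address=192.168.88.0/24 action=drop comment="Block Guest to Main LAN"

# New rules are appended at the end of the list. Print the forward chain and
# confirm the drop rule sits above any rule that would accept this traffic.
/ip firewall filter print where chain=forward
```

The forward-chain rule only filters traffic routed through the router to other hosts; packets addressed to the router's own IP addresses are evaluated in the input chain, so verify isolation against a LAN device as well as the router address.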


Step 6: Test the Guest SSID

  1. On your phone or laptop, look for the GuestNet SSID.
  2. Connect using the password from the security profile you set (or connect if it’s open).
  3. Check if you get a 192.168.99.x IP from DHCP.
  4. Browse to ensure you have internet.
  5. Try pinging 192.168.88.1 or a device in your main LAN to confirm it’s blocked.

Optional Tweaks

  • Bandwidth Limiting: You can set a simple queue for the guest subnet, capping them to, say, 5 Mbps total.
  • Captive Portal: Integrate with Hotspot if you want a login page for guests.
  • Separate VLAN: For advanced setups, place guest-wlan on a VLAN if bridging with external switches. That ensures consistent tagging across your network.

Common Pitfalls

  • Forgetting NAT: Without the masquerade rule, guests get local IPs but no internet.
  • Bridge Mix-Ups: If you accidentally put guest-wlan in the same bridge as your main LAN, you won’t have isolation.
  • Firewall Order: RouterOS checks filter rules from top to bottom and stops at the first match, so if your “drop guest to LAN” rule is below a broad “accept all forward” rule, it never fires for that traffic. Always check rule order.
  • Security: If you set the guest SSID to open, you might attract unwanted users. At least use WPA2 if possible.

Conclusion

Now you have a neat Guest Wi-Fi network that’s isolated from your primary LAN. This setup keeps your personal devices safe while offering your visitors internet access. If you want more advanced features like splash pages or vouchers, check out MikroTik’s Hotspot or RADIUS. But for a quick, simple guest network, a separate virtual AP and a few firewall rules do the job beautifully.

Enjoy your new secure environment, and let me know if you have any questions! MikroTik’s flexibility means you can adapt these steps to more complex networks or multiple VLANs. Until next time, keep exploring and keep your networks organized.


Authored with a smile by
Emmanuel Corels – Admin, Emmanuel Corels Creatives

