This is part 2 of the blog post about automating MikroTik configuration. In part 1 I wrote about:
- why I automate my router configuration;
- how to connect to the router through a terminal;
- how to set up a static IP, subnet mask, and a gateway;
- how to set up security profiles and assign them to wi-fi networks;
- how to add NAT rules pointing to a machine in the local network;
In this blog post, I’ll cover separating the networks into one for guests with access only to the Internet and another with access to the local network (TVs, phones, laptops, etc.).
I want a long, randomly generated password for my own machines and a short, easy one for guests. That part is easy, but if both networks get the same access there is little point in the strong password, since the network with the weak password has the same permissions.
That’s why I want to create a Virtual LAN (VLAN) in a separate network with its own DHCP server for guests and block its access to the rest.
First I defined a new bridge for the guest network. A bridge lets hosts from different interfaces connect as one network. In my case I want the WAN port to connect to the VLAN network.
A VLAN is a way to represent a separate network without the need for physical separation. For my configuration, I need to set the interface, name, and id. All interfaces use id 1 by default, but I always leave gaps between ids and orders in case I need to add another in between.
Since I want a separate network, I need to configure a second DHCP server. The demo uses the 192.168.2.0/24 network and assumes the main network is using 192.168.1.0/24.
DHCP configuration needs two things:
- IP pool defining the range of IPs available to be assigned to the hosts;
- DHCP Server assigned to an interface and using a defined pool;
In my case the interface is the bridge.
Now it’s time to add the WLAN interface into the guest bridge:
Since I want a virtual network, I need to assign an IP to the bridge so the bridge can act as the gateway.
The DHCP server has a pool already, but for a working network, I need to specify the bridge as a gateway:
Now the hosts connected to the main network will receive IPs from the 192.168.1.0/24 network and the hosts connected to the guest network will receive IPs from the 192.168.2.0/24 network. This is great, but the hosts in the two networks can still reach each other, and I want to stop that with a firewall rule:
The goal is achieved. The configuration is automated and router setup takes only a few seconds. I put everything in a script with placeholders in my GitHub account.
For easy execution, I wrote a simple node.js script that replaces the placeholders with values from a JSON file I keep in a private repo and clone into ~/.config/dotfiles.
The complete (at least for the router part) config.json looks like this:
Now I simply run:
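To show the two halves of the post together, here is an added example (not the author's script from GitHub) that renders the guest-network RouterOS commands from the bridge, VLAN, DHCP, address and firewall steps above out of a placeholder template and a config object like the config.json described. The `{{key}}` placeholder syntax, the config key names and the interface names (`ether1`, `wlan2`, `bridge-guest`, `vlan-guest`, `pool-guest`) are assumptions; the config is embedded inline instead of being read from `~/.config/dotfiles` so the script runs as-is. It also goes one step beyond the post by dropping forwarded traffic in both directions and by refusing to emit a script when a placeholder has no value or the guest subnet overlaps the main one.

```javascript
// Added example, not the post's own script: render a MikroTik RouterOS
// script for the guest VLAN from a JSON-style config by replacing
// {{placeholders}}, the way the post's node.js helper does. The placeholder
// syntax, the config keys and the interface names (ether1, wlan2,
// bridge-guest, vlan-guest, pool-guest) are assumptions.

// One RouterOS terminal command per line, in the order the post describes.
// Order matters: the bridge must exist before the DHCP server and the port
// entry refer to it, and the pool before the DHCP server that uses it.
const ROUTEROS_TEMPLATE = [
  '/interface bridge add name={{guestBridge}} comment="guest network"',
  '/interface vlan add name={{guestVlan}} vlan-id={{guestVlanId}} interface={{wanInterface}}',
  '/ip pool add name={{guestPool}} ranges={{guestPoolRange}}',
  '/ip dhcp-server add name=dhcp-guest interface={{guestBridge}} address-pool={{guestPool}} disabled=no',
  '/interface bridge port add bridge={{guestBridge}} interface={{guestWlan}}',
  '/ip address add address={{guestGateway}}/{{guestPrefix}} interface={{guestBridge}}',
  '/ip dhcp-server network add address={{guestNetwork}} gateway={{guestGateway}} dns-server={{guestGateway}}',
  // Drop forwarded traffic between guest and main network in both
  // directions (the post shows one rule; this is the stricter form).
  '/ip firewall filter add chain=forward src-address={{guestNetwork}} dst-address={{lanNetwork}} action=drop comment="guest -> lan"',
  '/ip firewall filter add chain=forward src-address={{lanNetwork}} dst-address={{guestNetwork}} action=drop comment="lan -> guest"',
].join('\n');

// Constructed stand-in for the values the post keeps in config.json.
const EXAMPLE_CONFIG = {
  wanInterface: 'ether1',
  guestWlan: 'wlan2',
  guestBridge: 'bridge-guest',
  guestVlan: 'vlan-guest',
  guestVlanId: 10,
  guestPool: 'pool-guest',
  guestPoolRange: '192.168.2.10-192.168.2.254',
  guestNetwork: '192.168.2.0/24',
  guestGateway: '192.168.2.1',
  guestPrefix: 24,
  lanNetwork: '192.168.1.0/24',
};

// Dotted IPv4 address -> unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True if ip lies inside the a.b.c.d/bits network.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error(`bad prefix: ${cidr}`);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Catch the config mistakes that would silently produce a broken or
// non-isolated network: gateway outside the guest subnet, or guest and
// main subnets overlapping (then the drop rules match the wrong traffic).
function validateConfig(config) {
  const problems = [];
  if (!inCidr(config.guestGateway, config.guestNetwork)) {
    problems.push(`gateway ${config.guestGateway} is outside ${config.guestNetwork}`);
  }
  const [guestNet] = config.guestNetwork.split('/');
  const [lanNet] = config.lanNetwork.split('/');
  if (inCidr(guestNet, config.lanNetwork) || inCidr(lanNet, config.guestNetwork)) {
    problems.push(`guest ${config.guestNetwork} overlaps LAN ${config.lanNetwork}`);
  }
  return problems;
}

// Substitute every {{key}}; refuse to emit a script with unresolved
// placeholders rather than pasting literal braces into the router.
function renderScript(template, config) {
  const missing = new Set();
  const out = template.replace(/\{\{(\w+)\}\}/g, (match, key) => {
    if (!Object.prototype.hasOwnProperty.call(config, key)) {
      missing.add(key);
      return match;
    }
    return String(config[key]);
  });
  if (missing.size > 0) throw new Error(`missing config keys: ${[...missing].join(', ')}`);
  return out;
}

// Validate, then render the complete guest-network script.
function buildGuestScript(config) {
  const problems = validateConfig(config);
  if (problems.length > 0) throw new Error(problems.join('; '));
  return renderScript(ROUTEROS_TEMPLATE, config);
}

console.log(buildGuestScript(EXAMPLE_CONFIG));
```

Running it with node prints the nine commands ready to paste into the RouterOS terminal. Two things to check on the router afterwards: `add` appends the firewall rules to the end of the forward chain, so if an earlier generic accept rule already matches the guest traffic the drops never fire (RouterOS accepts `place-before=` on `add` to position them), and a typo in config.json that puts the guest gateway in the wrong subnet is rejected here before anything reaches the router rather than discovered as a guest network with no working DHCP.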