Hi. A friend of mine (a previous Cambium employee) offered us a cnPilot e410 WAP for use at our local golf club. It is the only WAP in the entire club (it’s just a small town golf course). The WAP itself is cabled into a Mikrotik router board – specifically into ETH5. Previously, a Unifi Ubiquiti device was in use but it’s a piece of junk and actually hadn’t been working for months. Hence, our transition to this much better Cambium device.
My friend and I spent some time doing the basic setup (registration, onboarding, etc.) through cnMaestro (absolutely love it!) and got it functional.
At this time, I have created 2 WLANs on this device: xxxx_Guest and xxxx_Staff.
I have set up xxxx_Guest to be broadcast and have set the Isolation Level on that WLAN to “Network wide”. It is my understanding that this is best practice as it prevents any clients on xxxx_Guest from seeing one another or communicating with one another.
I have set up xxxx_Staff to be a hidden network (not broadcasted by the AP). It is intended to be used by the kitchen/bar staff only. It is secured with a WPA2 Pre-Shared Key and it works exactly as desired in that regard. We also intend to have a wireless printer connected to this same WLAN/SSID for the staff’s needs.
Here are my requirements:
I want to make sure that no one connected to the xxxx_Guest WLAN can see anything but the internet. They should not be able to see one another or communicate with one another or see anyone or any device on the xxxx_Staff WLAN. I’m pretty sure that having the isolation level set to “Network wide” as I do accomplishes this objective. Can someone please confirm this?
I want to make sure that anyone connected to the xxxx_Staff WLAN can also access the internet, of course, but they should also be able to access (print to) the wireless printer we will be hanging on that same WLAN. BUT, I really don’t see a need for anyone on that WLAN to be directly communicating with other users (as opposed to the printer which I’ll call a ‘device’) on that WLAN or on the xxxx_Guest WLAN, for that matter.
So, my question is this: What isolation setting should I have for the xxxx_Staff WLAN/SSID?
On the TIK… set 2 VLANs.
Of those VLANs… give them different IP scopes.
In Firewall filter… set a FORWARDING rule to DROP packets from Guest destined to Staff.
I want to thank you guys for the responses but, while your responses are interesting, neither of them addresses my question about the cnMaestro “isolation level” settings for the 2 WLANs/SSIDs. Can either of you respond to that?
And for Springs, I have these clarification questions: @Springs — thanks for that suggestion. Sorry to sound like a 6-year-old needing further guidance, but I’ll be the first to admit that I’m not super-knowledgeable on Mikrotik administration, either (I’m basically just offering my help to the folks at the golf course since I have 30+ years of IT work background… albeit, like I said, in non-network-engineering capacities).
In any case, let me see if I can recap what you’re suggesting that I do.
Using Winbox (I presume??) to administer the Mikrotik…
On ETH5 of the Mikrotik (which is where the Ethernet cable to the WAP is connected), configure 2 VLANs under it.
Give each of those VLANs a different IP scope (so the IP addresses assigned to each cannot overlap, I presume. Do you have an example to offer?)
In the Firewall Filter (also on Mikrotik??), set a FORWARDING rule to DROP any packets that originated on the “xxxx_Guest” WLAN and were destined for (trying to get to) the “xxxx_Staff” WLAN. Where would I find “forwarding rules” in Winbox?
I’m not sure where the “tag your ports and set the VLANs in the SSIDs” action is to be carried out. That sounds like a cnMaestro thing but I’m not sure.
Feel free to talk to me like a 6-year-old – I’d rather have things explained fully versus trying to muddle my way through things and possibly locking up the Mikrotik, which would be catastrophic for the golf course. THANKS.
If you have the AP connected directly to the Tik with a POE injector…
You need to add a VLAN to the BRIDGE.
Once you add that VLAN… You need to add an IP address to it (172.16.69.1/24)
Then use the DHCP server wizard to add an IP scope, dhcp server, and Pool.
Then you need to do the firewall rules I listed.
Then in cnMaestro… you need to tag the guest network SSID with the same VLAN you set in the Tik.
Then you need to set the ethernet port to pass both VLAN tags.
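As a worked illustration of the two replies above (the short "2 VLANs / 2 IP scopes / forward DROP" list and the longer bridge-VLAN procedure), here is the MikroTik RouterOS side written out as console commands. This is an added example, not part of the original thread and not Cambium or MikroTik documentation; every name and number in it is an assumption: bridge1 is the router's existing bridge, ether5 is the port to the cnPilot e410, ether1 is the WAN port, VLAN 10 carries xxxx_Guest and VLAN 20 carries xxxx_Staff, with 172.16.69.0/24 and 172.16.70.0/24 as their scopes. The cnMaestro half (tagging each SSID with its VLAN and letting the AP's Ethernet port carry both tags plus untagged management) is done in the cnMaestro GUI and is not shown.

```routeros
# Added example (not from the thread). Assumed names/numbers:
#   bridge1 = existing bridge, ether5 = port to the cnPilot e410, ether1 = WAN
#   VLAN 10 = xxxx_Guest (172.16.69.0/24), VLAN 20 = xxxx_Staff (172.16.70.0/24)
# Run this from a Winbox/console session that is NOT connected through ether5,
# and enable vlan-filtering last: that is the step that can lock you out if the
# VLAN table is wrong.

# 1. Bridge VLAN table: both VLANs tagged toward the AP (ether5) and toward the
#    router itself (bridge1). ether5 keeps its default PVID of 1, so the AP's
#    untagged management traffic keeps working exactly as it does today.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=10 comment="guest"
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=20 comment="staff"

# 2. One router-side VLAN interface per SSID.
/interface vlan
add name=vlan10-guest interface=bridge1 vlan-id=10
add name=vlan20-staff interface=bridge1 vlan-id=20

# 3. Separate, non-overlapping IP scopes.
/ip address
add address=172.16.69.1/24 interface=vlan10-guest
add address=172.16.70.1/24 interface=vlan20-staff

# 4. DHCP for each scope (this is what the Winbox "DHCP Setup" wizard produces).
/ip pool
add name=pool-guest ranges=172.16.69.10-172.16.69.250
add name=pool-staff ranges=172.16.70.10-172.16.70.250
/ip dhcp-server
add name=dhcp-guest interface=vlan10-guest address-pool=pool-guest disabled=no
add name=dhcp-staff interface=vlan20-staff address-pool=pool-staff disabled=no
/ip dhcp-server network
add address=172.16.69.0/24 gateway=172.16.69.1 dns-server=172.16.69.1
add address=172.16.70.0/24 gateway=172.16.70.1 dns-server=172.16.70.1
/ip dns set allow-remote-requests=yes

# 5. Firewall (IP > Firewall > Filter Rules in Winbox). Rules are first-match,
#    so these must sit above any catch-all "accept" already in the chain.
/ip firewall filter
# The forward DROP from the replies above, applied in both directions.
add chain=forward in-interface=vlan10-guest out-interface=vlan20-staff action=drop comment="guest -> staff"
add chain=forward in-interface=vlan20-staff out-interface=vlan10-guest action=drop comment="staff -> guest"
# Guest clients may talk to the router only for DHCP and DNS: no Winbox, no web UI.
add chain=input in-interface=vlan10-guest protocol=udp dst-port=67,53 action=accept comment="guest dhcp/dns"
add chain=input in-interface=vlan10-guest protocol=tcp dst-port=53 action=accept comment="guest dns tcp"
add chain=input in-interface=vlan10-guest action=drop comment="guest -> router"

# 6. Internet for both scopes. Skip this if the existing masquerade rule is
#    already written as out-interface=<wan> with no source restriction.
/ip firewall nat
add chain=srcnat src-address=172.16.69.0/24 out-interface=ether1 action=masquerade comment="guest nat"
add chain=srcnat src-address=172.16.70.0/24 out-interface=ether1 action=masquerade comment="staff nat"

# 7. Only now turn VLAN filtering on.
/interface bridge set bridge1 vlan-filtering=yes
```

Two points worth keeping in mind when applying this. First, once the two SSIDs sit on different VLANs the only path between a guest client and the staff subnet is through the MikroTik, so the forward-chain drop is what actually enforces the "guests see nothing but the internet" requirement regardless of how the AP's own client-isolation setting behaves between wireless clients. Second, before step 7, check the bridge VLAN table (/interface bridge vlan print) and confirm you can still reach the router from a port other than ether5; the Winbox "Safe Mode" button will roll the change back if the session drops.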