Isolation of guests (wireless+wired) - MikroTik (2024)

Hi,

I've got the current setup being:
Internet (pppoe) -> (ETH1) Mikrotik (ETH5)-> TPlink TL-sg1016de -> Netgear Orbi (in Access Point mode: guest and normal)

The tp-link has wired clients:
- iptv settop boxes using vlan 4
- normal clients
- guest clients
The Orbi has two SSIDs:
- guest
- normal

the TPlink is on ETH5 of the Mikrotik.

My goal:
- have guests being able to join the network on the Guest SSID and on the TP-Link without accessing the Normal network.
- On the TP-link I just want to connect the Guest without thinking about what port.

I'm a little lost in what would be the best setup.

I thought about forwarding all 16 ports with separate VLAN's and let the mikrotik decide on what to do with the devices with rules. But I'm in doubt.
I also thought of buying mikrotik accesspoints to remove the Orbi...

Anyone willing to help think about a solution?
Thanks!

Dont worry about ports etc..
Thinks about it from the user perspective.
what user(s)/device(s), groups of users/devices do you have.
what traffic should they have.

Then draw a network diagram to illustrate what equipment you have ( no one here knows TP link models off the top of their head what is the device?) etc...
Assuming you are thinking vlans so put notes on the diagram as to what subnets you plan on using............

One last question, for now, when you say isolation, do you mean isolate by vlans for exaample or do you mean wifi clients and wired clients on the same subnet, think home users on pcs wired and then home users using smart phone............ no need to isolate that traffic. so what exactly are you trying to isolate..........

Thank you Anav,

I will try to think about it in another way.

The problem I see now is that I have evrything working, I just want guest wifi users isolated = not reaching my main network. And some pc’s isolated (kids game pc due to virus/hacking etc) from main network.

In the past I had guest wifi isolated and the pc’s in front of my main networks’ router (orbi at that point). Thus all guests were not on the main network.

By moving away from that setup, I now have all guests an my network!

Reason for mentioning the tp-link is that it is a (cheap) managed switch.

When looking at the future, I will buy 3x Cap Ax to replace the orbi, that setup allows at least wifi guests to be isolated (due to more control).

Then I still have the pc’s that are wired.

Is there a way to identify those, allowing me to put hem in a vlan or something else? The issue is that they go through the tplink and thus able to take a shortcut to main network machines.

Ahh cheap managed switches are our salvation. Miracles can happen.

In this case create a separate vlan for wired and wifi guests and a separate vlan for gaming/kids.

Done!

This requirement ;

- have guests being able to join the network on the Guest SSID and on the TP-Link without accessing the Normal network.
- On the TP-link I just want to connect the Guest without thinking about what port.

This cannot be done without 802.1x implementation on the switch-side. Your TP-LINK switch-model does not support this, hence you will never have the (dynamic) option to plug something "without thinking" and have it end up as "Guest" or "Normal" (V)LAN.
For the "any port any service" approach, 802.1x comes into play.

Thank you jvanhambelgium,

That clears that point. Then I'm back to creating a port-based VLAN for the kids machines on dedicated ports
Wireless should be solved by getting CAP AX Access Points, which do support VLAN for (Guest) SSID's, the Orbi really doesn't.

Will look into that