Originally published in Bulgarian at ITpraktika.com
Practical IT tutorials and automation in Bulgarian
Recently, I needed to set up a separate guest network at home. Friends often ask for my WiFi password, but I didn't want to give them access to my personal devices. The solution? VLAN segmentation with MikroTik.
In this article, I'll show you how to create a completely isolated guest network. The process looks complex, but it's actually quite straightforward.
Why Separate Networks?
Imagine this scenario: A guest connects to your WiFi with malware on their phone. Without network separation, that malware can "see" all your devices.
Benefits of network separation:
- Guests can't access your files and printers
- Your smart devices remain protected
- You can limit bandwidth for guests
- Easier security management
What You'll Need
Let's first check the requirements:
- MikroTik router with VLAN support (almost all models)
- Access to the admin panel (Winbox or WebFig)
- Basic networking knowledge (I'll explain everything step-by-step)
- 30-40 minutes of free time
Basic Concepts
Before we start, let's understand what VLAN is.
VLAN (Virtual Local Area Network) is a virtual network within your physical network. Think of it as a separate room in an apartment – everyone's in the same building, but each has their own locked door.
Bridge is a virtual switch connecting different ports together. In MikroTik, everything goes through the bridge interface.
VLAN ID is simply a number marking which virtual network the traffic belongs to. For example, VLAN 10 for home network, VLAN 20 for guest network.
Step 1: Planning and Preparation
First, let's plan the network structure.
My recommended layout:
- VLAN 10: Home network (192.168.10.0/24)
- VLAN 20: Guest network (192.168.20.0/24)
- Management VLAN: Main bridge (192.168.88.0/24)
Write down these parameters. You'll need them in the following steps.
Step 2: Accessing MikroTik
Open Winbox and connect to your router. If using WebFig, navigate to your router's IP address in a browser (usually 192.168.88.1).
Enter your username (usually "admin") and password.
Note: This article shows both approaches – GUI (Winbox/WebFig) and CLI (Terminal/SSH). The CLI is faster for experienced users and facilitates automation.
Step 3: Enabling VLAN Filtering
This is a critical security step.
Via GUI:
Go to Bridge → Bridge and select your main bridge (usually "bridge").
Locate the VLAN Filtering checkbox. Attention! Don't tick it yet: first we need to configure the VLAN interfaces.
Via CLI:
# For now, just check the bridge without enabling filtering
/interface bridge print
We'll enable VLAN Filtering in Step 10, after configuring everything else.
Step 4: Creating VLAN Interfaces
Time to create the virtual networks.
Via GUI:
Go to Interface → VLAN and click + (Add New).
For home network:
- Name: vlan10-home
- VLAN ID: 10
- Interface: bridge
For guest network:
- Name: vlan20-guest
- VLAN ID: 20
- Interface: bridge
Via CLI:
# Create VLAN interface for home network
/interface vlan add name=vlan10-home vlan-id=10 interface=bridge
# Create VLAN interface for guest network
/interface vlan add name=vlan20-guest vlan-id=20 interface=bridge
# Verify created interfaces
/interface vlan print
Step 5: Configuring Bridge VLAN
Here we define which ports belong to which VLANs. In this layout both VLANs are carried tagged on the bridge interface itself (so the VLAN interfaces from Step 4 can receive them) and on ether1. Once filtering is enabled in Step 10, a VLAN is carried only on the ports listed in this table, so any other port that should carry it must be added here as well.
Via CLI:
# Add VLAN 10 to bridge
/interface bridge vlan add bridge=bridge vlan-ids=10 tagged=bridge,ether1
# Add VLAN 20 to bridge
/interface bridge vlan add bridge=bridge vlan-ids=20 tagged=bridge,ether1
# Verify configuration
/interface bridge vlan print
Step 6: IP Addressing
Now we need to assign IP addresses to the VLAN interfaces.
Via CLI:
# Add IP address for home network
/ip address add address=192.168.10.1/24 interface=vlan10-home
# Add IP address for guest network
/ip address add address=192.168.20.1/24 interface=vlan20-guest
# Verify IP addresses
/ip address print
Step 7: DHCP Server for Guest Network
Guests need to receive IP addresses automatically.
Via CLI:
# Create IP pool for guest network
/ip pool add name=dhcp_pool_guest ranges=192.168.20.100-192.168.20.200
# Create DHCP server for guest network
/ip dhcp-server add name=dhcp-guest interface=vlan20-guest address-pool=dhcp_pool_guest disabled=no
# Configure DHCP network
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=8.8.8.8,8.8.4.4
# Same for home network (VLAN 10)
/ip pool add name=dhcp_pool_home ranges=192.168.10.100-192.168.10.200
/ip dhcp-server add name=dhcp-home interface=vlan10-home address-pool=dhcp_pool_home disabled=no
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=8.8.8.8,8.8.4.4
# Verify
/ip dhcp-server print
Step 8: Firewall Rules
Now comes the most important part – network isolation.
Via CLI:
# Rule 1: Allow DNS and DHCP (must be first!)
/ip firewall filter add chain=input src-address=192.168.20.0/24 protocol=udp dst-port=53,67 action=accept comment="Allow DNS and DHCP for guests" place-before=0
# Rule 2: Block access to router
/ip firewall filter add chain=input src-address=192.168.20.0/24 protocol=tcp dst-port=21,22,23,80,443,8291 action=drop comment="Block guest access to router"
# Rule 3: Block access from guest to home network
/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.10.0/24 action=drop comment="Block guest to home network"
# NAT rule for internet access
/ip firewall nat add chain=srcnat src-address=192.168.20.0/24 out-interface=ether1 action=masquerade comment="NAT for guest network"
# Verify rules
/ip firewall filter print
/ip firewall nat print
Important: The order of firewall rules is critical. Accept rules must always come before drop rules.
Step 9: WiFi Configuration
If you're using MikroTik for WiFi:
Via CLI:
# Create security profile for guests
/interface wireless security-profiles add name=guest-profile mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key="YOUR_PASSWORD_HERE"
# Create virtual WiFi interface for guests
/interface wireless add name=wlan-guest master-interface=wlan1 ssid="Guest-WiFi" security-profile=guest-profile mode=ap-bridge disabled=no
# Configure VLAN tagging
/interface wireless set wlan-guest vlan-mode=use-tag vlan-id=20
# Verify
/interface wireless print detail
Note: Replace wlan1 with your actual WiFi interface name and YOUR_PASSWORD_HERE with the real WiFi password. With vlan-mode=use-tag, frames from guest clients enter the bridge tagged with VLAN 20, so wlan-guest must also be a bridge port and be listed as tagged for VLAN 20 in the bridge VLAN table from Step 5; otherwise that traffic never reaches vlan20-guest.
Step 10: Enabling VLAN Filtering
Time for the final step.
Via CLI:
# Enable VLAN filtering
/interface bridge set bridge vlan-filtering=yes
# Check status
/interface bridge print
Warning! If you're connected through the network you're modifying, you may lose connection. Make sure you have physical access to the router.
Step 11: Testing
Connect to the guest WiFi network with a phone or laptop.
Check:
- Are you getting an IP address from the 192.168.20.x range?
- Do you have internet access?
- Can you ping devices on the home network? (you shouldn't be able to)
- Can you access the router through a browser? (you shouldn't be able to)
If everything works as expected, the configuration is complete!
Additional Settings
Bandwidth Limiting for Guests
# Limit bandwidth for guest network
/queue simple add name=guest-bandwidth target=192.168.20.0/24 max-limit=10M/10M
# Verify
/queue simple print
Scheduling Guest WiFi
You can disable the guest network at certain hours.
# Disable guest WiFi at 11 PM daily
/system scheduler add name=guest-wifi-off start-time=23:00:00 interval=1d on-event="/interface wireless disable wlan-guest"
# Enable guest WiFi at 7 AM daily
/system scheduler add name=guest-wifi-on start-time=07:00:00 interval=1d on-event="/interface wireless enable wlan-guest"
# Verify schedulers
/system scheduler print
Common Mistakes and How to Avoid Them
Mistake 1: Enabling VLAN Filtering before configuration
This is the most common mistake. Always configure VLAN interfaces BEFORE enabling filtering.
Mistake 2: Forgetting Management VLAN
If you don't properly configure management access, you may lose connection to the router. Always leave one port or VLAN for administration.
Mistake 3: Wrong firewall rule order
Firewall rules are processed top-down. Permit rules must come before deny rules.
Mistake 4: Forgetting DNS and DHCP
Guests need access to the router's DNS and DHCP services. Don't completely block them from the input chain.
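The four mistakes above can be caught automatically from the text that /export writes (see the backup commands in the Conclusion). The following Python script is an added example, not part of the original article: it parses an export and reports any of these mistakes; the export excerpt embedded in it is constructed to match this article's configuration, and the rule-order check enforces the article's "accept before drop" convention.

```python
import shlex

GUEST, HOME = "192.168.20.0/24", "192.168.10.0/24"  # subnets from the article's layout

# Constructed sample of what '/export' prints for the article's configuration.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge vlan-filtering=yes
/ip firewall filter
add action=accept chain=input comment="Allow DNS and DHCP for guests" dst-port=53,67 protocol=udp src-address=192.168.20.0/24
add action=drop chain=input comment="Block guest access to router" dst-port=21,22,23,80,443,8291 protocol=tcp src-address=192.168.20.0/24
add action=drop chain=forward comment="Block guest to home network" dst-address=192.168.10.0/24 src-address=192.168.20.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT for guest network" out-interface=ether1 src-address=192.168.20.0/24
"""

def parse_export(text):
    """Return {section: [entry, ...]}; each entry is a dict of key=value pairs, in file order."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):                # section header, e.g. "/ip firewall filter"
            current = sections.setdefault(line, [])
        elif line.startswith("add ") and current is not None:
            # shlex keeps quoted values such as comment="..." together as one token
            current.append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return sections

def audit(text):
    """Return a list of findings; an empty list means every isolation check passed."""
    cfg, findings = parse_export(text), []
    if not any(b.get("vlan-filtering") == "yes" for b in cfg.get("/interface bridge", [])):
        findings.append("vlan-filtering is not enabled on any bridge (Mistake 1)")
    rules = cfg.get("/ip firewall filter", [])
    guest_in = [r for r in rules if r.get("chain") == "input" and r.get("src-address") == GUEST]
    accept_at = next((i for i, r in enumerate(guest_in) if r.get("action") == "accept"
                      and r.get("protocol") == "udp" and r.get("dst-port") == "53,67"), None)
    drop_at = next((i for i, r in enumerate(guest_in) if r.get("action") == "drop"), None)
    if accept_at is None:
        findings.append("no input rule accepting DNS/DHCP (udp 53,67) from guests (Mistake 4)")
    elif drop_at is not None and drop_at < accept_at:
        findings.append("a drop rule precedes the DNS/DHCP accept rule in the input chain (Mistake 3)")
    if not any(r.get("chain") == "forward" and r.get("action") == "drop"
               and r.get("src-address") == GUEST and r.get("dst-address") == HOME for r in rules):
        findings.append("no forward rule dropping guest -> home traffic (Step 8)")
    if not any(n.get("chain") == "srcnat" and n.get("action") == "masquerade"
               and n.get("src-address") == GUEST for n in cfg.get("/ip firewall nat", [])):
        findings.append("no masquerade rule for the guest subnet (guests would have no internet)")
    return findings
```

Run audit() on the contents of the file produced by /export file=vlan-config; an empty list means the configuration matches the article's isolation rules.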
Troubleshooting
Guests have no internet
Check NAT rules in IP → Firewall → NAT. Ensure there's a masquerade rule for the guest subnet.
Can't access router after changes
If you've lost access, restart the router. Hold the Reset button for 5 seconds to enter safe mode.
WiFi doesn't appear
Check if the wireless interface is active. Verify the status is "running".
Devices not receiving IP addresses
Check the DHCP server status. Make sure it's active and has available addresses.
Conclusion
Separating the guest network from the home network is an important security step. The MikroTik VLAN configuration looks complex, but once you've done it, you'll appreciate the results.
Now your guests have internet, but can't access your personal devices. You have complete control and peace of mind.
Don't forget to backup your configuration after each change.
Via CLI:
# Create backup
/system backup save name=vlan-config
# Export configuration in text format
/export file=vlan-config
Full Automation Script
For advanced users, here's a complete script that performs the entire setup with one command:
# Change these parameters according to your configuration
:local bridgeName "bridge"
:local wanInterface "ether1"
:local homeVlanID 10
:local guestVlanID 20
:local homeNetwork "192.168.10.0/24"
:local guestNetwork "192.168.20.0/24"
:local homeGateway "192.168.10.1"
:local guestGateway "192.168.20.1"
# Create VLAN interfaces
/interface vlan add name=vlan10-home vlan-id=$homeVlanID interface=$bridgeName
/interface vlan add name=vlan20-guest vlan-id=$guestVlanID interface=$bridgeName
# Bridge VLAN configuration
/interface bridge vlan add bridge=$bridgeName vlan-ids=$homeVlanID tagged=($bridgeName . "," . $wanInterface)
/interface bridge vlan add bridge=$bridgeName vlan-ids=$guestVlanID tagged=($bridgeName . "," . $wanInterface)
# IP addressing (build the address string explicitly; "$var/24" is not parsed as a string)
/ip address add address=($homeGateway . "/24") interface=vlan10-home
/ip address add address=($guestGateway . "/24") interface=vlan20-guest
# DHCP pools
/ip pool add name=dhcp_pool_home ranges=192.168.10.100-192.168.10.200
/ip pool add name=dhcp_pool_guest ranges=192.168.20.100-192.168.20.200
# DHCP servers
/ip dhcp-server add name=dhcp-home interface=vlan10-home address-pool=dhcp_pool_home disabled=no
/ip dhcp-server add name=dhcp-guest interface=vlan20-guest address-pool=dhcp_pool_guest disabled=no
# DHCP networks
/ip dhcp-server network add address=$homeNetwork gateway=$homeGateway dns-server=8.8.8.8,8.8.4.4
/ip dhcp-server network add address=$guestNetwork gateway=$guestGateway dns-server=8.8.8.8,8.8.4.4
# Firewall rules
/ip firewall filter add chain=input src-address=$guestNetwork protocol=udp dst-port=53,67 action=accept comment="Allow DNS and DHCP for guests" place-before=0
/ip firewall filter add chain=input src-address=$guestNetwork protocol=tcp dst-port=21,22,23,80,443,8291 action=drop comment="Block guest access to router"
/ip firewall filter add chain=forward src-address=$guestNetwork dst-address=$homeNetwork action=drop comment="Block guest to home network"
# NAT
/ip firewall nat add chain=srcnat src-address=$guestNetwork out-interface=$wanInterface action=masquerade comment="NAT for guest network"
# Enable VLAN filtering (warning: may disconnect!)
/interface bridge set $bridgeName vlan-filtering=yes
:put "VLAN configuration completed!"
Warning: The script automatically enables VLAN filtering at the end. Make sure you have physical access to the router!
About the Author
This article was originally written by Fedya Serafiev and published on ITpraktika.com – a platform dedicated to practical IT solutions and automation in Bulgarian.
Read the full Bulgarian version: https://itpraktika.com/kak-da-razdelim-mrezhata-za-gosti/
More resources:
- ITpraktika.com – Practical IT tutorials in Bulgarian
- Topics: Linux, Docker, DevOps, Python, Networking
If you found this article helpful, consider visiting the original source for more networking and DevOps tutorials.