isolated wifi using a Mikrotik wireless router

Assuming a wireless interface is set up and working on the router, we can add a virtual interface, give it its own subnet, and isolate that subnet from the existing LAN. Note: these routers don’t seem to like multi-tasking/wi-fi too much.

  1. Using WinBox, log in and click the wireless tab on the left.
  2. Click the Security Profiles tab, create a new profile for your virtual AP – I basically copied my existing profile. Click OK when done (as for all steps).
  3. Click the blue plus to create a virtual interface, give it a name, probably best to leave the wlan2 part at the start. Click the wireless tab and give it an SSID. Select the new security profile from the dropdown.
  4. Open the bridge tab on the left and create a new bridge. Click the ports tab, create a new port and select the newly created bridge and virtual interface from the drop down menus.
  5. Click the IP tab on the left and select addresses. Create a new address, I used, then select the new bridge for the interface.
  6. The AP will require DHCP. Click the IP tab and select Pool. Create a new pool, name it and give some addresses, I used
  7. Click the IP tab and select DHCP Server. Create a new DHCP Server, name it and select the new bridge as the interface. Select the newly created Address Pool. OK.
  8. Click the Networks tab in the DHCP Server window. Create a new network, this is mine:
  9. If the router already has a masquerade rule for internet traffic, this isn’t needed. I have a second router on my LAN also running this config, in this case I just masquerade traffic from the guest wifi at that router.
    Click the IP tab and select Firewall, click the NAT tab, click the blue + for a new rule. Use srcnat then I used for the Src. Address. Select the appropriate Out. Interface, I used my original LAN bridge, bridge-local.
  10. Test the wifi (Yay 🙂 ). At this point, clients on the new wifi will still have access to the local LAN; the next step blocks that.
  11. Create a new firewall rule in the Filter Rules tab for the Firewall window. Chain: forward, Src. Address:, Dst. Address: Local Lan subnet. Click the Action tab and select reject.
  12. Yay, I think that’s it.

I used this config on two separate routers on my LAN, using the same config and security profile
