Assuming a wireless interface is setup and working on the router, we can add a virtual interface, give it it’s own subnet, and isolate that subnet from the existing LAN. Note: these routers don’t seem to like multi-tasking/wi-fi too much
- Using WinBox, login and click the wireless tab on the left.
- Click the Security Profiles tab, create a new profile for your virtual AP – I basically copied my existing profile. Click OK when done (as for all steps).
- Click the blue plus to create a virtual interface, give it a name, probably best to leave the wlan2 part at the start. Click the wireless tab and give it an SSID. Select the new security profile from the dropdown.
- Open the bridge tab on the left and create a new bridge. Click the ports tab, create a new port and select the newly created bridge and virtual interface from the drop down menus.
- Click the IP tab on the left and select addresses. Create a new address, I used 192.168.2.2/24, then select the new bridge for the interface.
- The AP will require DHCP. Click the IP tab and select Pool. Create a new pool, name it and give some addresses, I used 192.168.2.220-192.168.2.240.
- Click the IP tab and select DHCP Server. Create a new DHCP Server, name it and select the new bridge as the interface. Select the newly created Address Pool. OK.
- Click the Networks tab in the DHCP Server window. Create a new network, this is mine:
- If the router already has a masquerade rule for internet traffic, this isn’t needed. I have a second router on my LAN also running this config, in this case I just masquerade traffic from the guest wifi at that router.
Click the IP tab and select Firewall, click the NAT tab, click the blue + for a new rule. Use srcnat then I used 192.168.2.0/24 for the Src. Address. Select the appropriate Out. Interface, I used my original LAN bridge, bridge-local.
- Test the wifi (Yay 🙂 ). You will still have access to the local LAN.
- Create a new firewall rule in the Filter Rules tab for the Firewall window. Chain: forward, Src. Address: 192.168.2.2/24, Dst. Address: Local Lan subnet. Click the Action tab and select reject.
- Yay, I think that’s it.
I used this config on two separate routers on my LAN, using the same config and security profile