If you have a neighbor with a different internet service provider (ISP) and you want to share guest wifi networks for when those ISPs inevitably go down (hopefully at different times), you can fairly easily use a single Mikrotik device to share your internet connection with them, and bring their connection into the house.
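# Bridge with VLAN filtering. Turning vlan-filtering on before the port and
# VLAN-table entries further down exist can cut you off on a fresh device; on
# a new unit, create the bridge first and set vlan-filtering=yes as the last
# step of the script.
/interface bridge
add ingress-filtering=yes name=bridge vlan-filtering=yes
# Interface lists used by the firewall, neighbor discovery and the MAC server.
/interface list
add name=WAN
add name=LAN
# Wireless security profiles. The pre-shared keys were stripped from this
# export; give every profile a key before bringing the interfaces up.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=Neighbor-Wifi supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=My-Outside-Wifi supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=MikroTik-Mgmt supplicant-identity=MikroTik
/interface wireless
# 2G station (client of the neighbor's wifi). mode=station is spelled out here
# instead of relying on the interface default. This MUST be the primary config
# for wlan1: every virtual interface added on top of it shares its frequency.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no frequency=auto mode=station name=wlan-2g security-profile=Neighbor-Wifi ssid=Neighbor-Wifi
# 2G AP (shares my wifi with the neighbor). WPS is kept off.
add disabled=no master-interface=wlan-2g name=wlan-2g-ap security-profile=My-Outside-Wifi ssid=My-Outside-Wifi-2G wds-default-bridge=bridge wps-mode=disabled
# 5G station (client of the neighbor's wifi). Same rule as above, for wlan2:
# it MUST be the primary config, the virtual APs below inherit its frequency.
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no frequency=auto mode=station name=wlan-5g security-profile=Neighbor-Wifi ssid=Neighbor-Wifi-5G
# 5G AP (shares my wifi with the neighbor). WPS is kept off.
add disabled=no master-interface=wlan-5g name=wlan-5g-ap security-profile=My-Outside-Wifi ssid=My-Outside-Wifi-5G wds-default-bridge=bridge wps-mode=disabled
# Dedicated management AP so I can still log in if I lock myself out by other
# means. It lands on the bridge's native VLAN (see the bridge port entry below).
add disabled=no master-interface=wlan-5g name=wlan-5g-ap-mgmt security-profile=MikroTik-Mgmt ssid=MikroTik-Mgmt wds-default-bridge=bridge wps-mode=disabled
# Local network (VLAN 1 / the bridge itself).
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=lan
/interface bridge port
add bridge=bridge ingress-filtering=yes interface=ether1
# The guest APs get PVID 999 and accept only untagged / priority-tagged frames,
# so a guest client cannot pick its own VLAN by tagging. This assumes a separate
# primary router terminates VLAN 999 on its guest network (DHCP, etc.).
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-2g-ap pvid=999
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-5g-ap pvid=999
# The management AP stays on PVID 1. It gets the same frame-type restriction
# and ingress filtering as the guest ports (the original left both at their
# defaults), so the port is consistent with the others and a tagged frame from
# a management client is dropped rather than forwarded into VLAN 999.
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-5g-ap-mgmt
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Bridge VLAN table. VLAN 1 (LAN / management) is untagged on the bridge CPU
# port, ether1 and the management AP. VLAN 999 (guest) is untagged on the guest
# APs and leaves tagged on ether1; the bridge itself is not listed, so VLAN 999
# frames are not delivered to this router's own IP stack.
/interface bridge vlan
add bridge=bridge untagged=bridge,ether1,wlan-5g-ap-mgmt vlan-ids=1
add bridge=bridge tagged=ether1 untagged=wlan-2g-ap,wlan-5g-ap vlan-ids=999
/interface list member
# bridge and ether1 are the LAN side.
add interface=bridge list=LAN
add interface=ether1 list=LAN
# The stations (clients of the neighbor's wifi) are the WAN side.
add interface=wlan-2g list=WAN
add interface=wlan-5g list=WAN
# LAN IP.
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
# WAN DHCP clients. use-peer-dns=no keeps the neighbor's DNS out of our config;
# resolvers are set explicitly under /ip dns below.
/ip dhcp-client
# The 2G client gets a larger route distance so the 5G uplink is preferred.
add default-route-distance=100 disabled=no interface=wlan-2g use-peer-dns=no
add disabled=no interface=wlan-5g use-peer-dns=no
# DHCP server for the local network.
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
# DNS. allow-remote-requests=yes makes the router a resolver for the LAN; it is
# not exposed as an open resolver on the WAN side because the input chain
# below drops everything that does not arrive on a LAN-list interface.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Default RouterOS firewall. Input is LAN-only; forward allows new connections
# from the WAN side only when they were DST-NATed (none are, in this config).
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Disable services we don't use. www, www-ssl and ssh are not touched by this
# script; the input chain limits them to LAN-list interfaces. IP-based winbox
# is off, but MAC winbox stays reachable on LAN (see /tool mac-server below).
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
# System settings: time zone, long-term update channel, and automatic
# RouterBOARD firmware upgrade after package updates.
/system clock
set time-zone-name=America/New_York
/system package update
set channel=long-term
/system routerboard settings
set auto-upgrade=yes
# MAC-level access (MAC telnet / MAC winbox) only from LAN-list interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN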