Добрый день, микротик работает как свитч, нужно создать wi-fi но со своим dhcp чтобы клиенты ни как не могли попасть в локалку, только интернет. не могу понять как разделить, если в любом случае приходиться делать сетевой мост. Создал перемычку с 23 на 24-мастер и с ним сделал бридж и на него дал dhcp но клиенты получают ip из локалки, наверное все проще как то. Код: # mar/24/2017 08:33:48 by RouterOS 6.38.5 # software id = 8I1S-0YZG # /interface bridge add name=bridge-wifi /interface ethernet set [ find default-name=ether1 ] name=eth1-wan set [ find default-name=ether2 ] name=eth2-master set [ find default-name=ether3 ] master-port=eth2-master name=\ ether3-slave-local set [ find default-name=ether4 ] master-port=eth2-master name=\ ether4-slave-local set [ find default-name=ether5 ] master-port=eth2-master name=\ ether5-slave-local set [ find default-name=ether6 ] master-port=eth2-master name=\ ether6-slave-local set [ find default-name=ether7 ] master-port=eth2-master name=\ ether7-slave-local set [ find default-name=ether8 ] master-port=eth2-master name=\ ether8-slave-local set [ find default-name=ether9 ] master-port=eth2-master name=\ ether9-slave-local set [ find default-name=ether10 ] master-port=eth2-master name=\ ether10-slave-local set [ find default-name=ether11 ] master-port=eth2-master name=\ ether11-slave-local set [ find default-name=ether12 ] master-port=eth2-master name=\ ether12-slave-local set [ find default-name=ether13 ] master-port=eth2-master name=\ ether13-slave-local set [ find default-name=ether14 ] master-port=eth2-master name=\ ether14-slave-local set [ find default-name=ether15 ] master-port=eth2-master name=\ ether15-slave-local set [ find default-name=ether16 ] master-port=eth2-master name=\ ether16-slave-local set [ find default-name=ether17 ] master-port=eth2-master name=\ ether17-slave-local set [ find default-name=ether18 ] master-port=eth2-master name=\ ether18-slave-local set [ find default-name=ether19 ] master-port=eth2-master name=\ ether19-slave-local set [ find default-name=ether20 ] master-port=eth2-master name=\ ether20-slave-local set [ find default-name=ether21 ] master-port=eth2-master name=\ ether21-slave-local set [ find default-name=ether22 ] master-port=eth2-master name=\ ether22-slave-local set [ find default-name=ether23 ] master-port=eth2-master name=\ ether23-slave-local set [ find default-name=ether24 ] name=ether24-master-local set [ find default-name=sfp1 ] master-port=eth2-master /ip neighbor discovery set eth1-wan discover=no set sfp1 discover=no /interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \ group-ciphers=tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \ unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=uuugggmmm \ wpa2-pre-shared-key=uuugggmmm add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\ tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=UGM \ supplicant-identity="" unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=\ uuugggmmm wpa2-pre-shared-key=uuugggmmm /interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors \ mode=ap-bridge name=wifi_port security-profile=UGM ssid=ugm-vip \ wireless-protocol=802.11 /interface wireless nstreme set wifi_port enable-polling=no /ip ipsec proposal set [ find default=yes ] enc-algorithms=3des /ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254 add name=dhcp-pc-wifi ranges=192.168.10.100-192.168.10.200 /ip dhcp-server add address-pool=dhcp-pc-wifi disabled=no interface=bridge-wifi name=server1 /interface bridge port add bridge=bridge-wifi interface=wifi_port add bridge=bridge-wifi interface=ether24-master-local /interface ethernet switch port set 0 dscp-based-qos-dscp-to-dscp-mapping=no set 1 dscp-based-qos-dscp-to-dscp-mapping=no set 2 dscp-based-qos-dscp-to-dscp-mapping=no set 3 dscp-based-qos-dscp-to-dscp-mapping=no set 4 dscp-based-qos-dscp-to-dscp-mapping=no set 5 dscp-based-qos-dscp-to-dscp-mapping=no set 6 dscp-based-qos-dscp-to-dscp-mapping=no set 7 dscp-based-qos-dscp-to-dscp-mapping=no set 8 dscp-based-qos-dscp-to-dscp-mapping=no set 9 dscp-based-qos-dscp-to-dscp-mapping=no set 10 dscp-based-qos-dscp-to-dscp-mapping=no set 11 dscp-based-qos-dscp-to-dscp-mapping=no set 12 dscp-based-qos-dscp-to-dscp-mapping=no set 13 dscp-based-qos-dscp-to-dscp-mapping=no set 14 dscp-based-qos-dscp-to-dscp-mapping=no set 15 dscp-based-qos-dscp-to-dscp-mapping=no set 16 dscp-based-qos-dscp-to-dscp-mapping=no set 17 dscp-based-qos-dscp-to-dscp-mapping=no set 18 dscp-based-qos-dscp-to-dscp-mapping=no set 19 dscp-based-qos-dscp-to-dscp-mapping=no set 20 dscp-based-qos-dscp-to-dscp-mapping=no set 21 dscp-based-qos-dscp-to-dscp-mapping=no set 22 dscp-based-qos-dscp-to-dscp-mapping=no set 23 dscp-based-qos-dscp-to-dscp-mapping=no set 24 dscp-based-qos-dscp-to-dscp-mapping=no set 25 dscp-based-qos-dscp-to-dscp-mapping=no /ip accounting set account-local-traffic=yes enabled=yes /ip address add address=192.168.10.1/24 comment="default configuration" interface=\ wifi_port network=192.168.10.0 add address=10.0.0.213/24 interface=eth2-master network=10.0.0.0 /ip dhcp-client add comment="default configuration" dhcp-options=hostname,clientid interface=\ eth1-wan add comment="default configuration" dhcp-options=hostname,clientid interface=\ sfp1 /ip dhcp-server network add address=10.0.0.0/24 gateway=10.0.0.215 netmask=24 add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.8.8 gateway=\ 192.168.10.1 netmask=24 /ip dns set allow-remote-requests=yes /ip dns static add address=192.168.88.1 name=router /ip firewall filter add action=drop chain=forward dst-address=192.168.10.0/24 src-address=\ 192.168.45.0/24 add action=drop chain=forward dst-address=192.168.45.0/24 src-address=\ 192.168.10.0/24 add action=accept chain=input comment="default configuration" protocol=icmp add action=accept chain=input comment="default configuration" \ connection-state=established add action=accept chain=input comment="default configuration" \ connection-state=related add action=accept chain=input comment="default configuration" in-interface=\ eth1-wan # in/out-interface matcher not possible when interface (sfp1) is slave - use master instead (eth2-master) add action=drop chain=input comment="default configuration" in-interface=sfp1 add action=accept chain=forward comment="default configuration" \ connection-state=established add action=accept chain=forward comment="default configuration" \ connection-state=related add action=drop chain=forward comment="default configuration" \ connection-state=invalid /ip firewall nat add action=masquerade chain=srcnat out-interface=eth2-master # in/out-interface matcher not possible when interface (wifi_port) is slave - use master instead (bridge-wifi) add action=masquerade chain=srcnat out-interface=wifi_port /ip firewall service-port set ftp disabled=yes set tftp disabled=yes set irc disabled=yes set h323 disabled=yes set sip disabled=yes set pptp disabled=yes set udplite disabled=yes set dccp disabled=yes set sctp disabled=yes /ip proxy set cache-path=web-proxy1 port=8080,80 /ip route add distance=1 gateway=192.168.45.1 /ip service set telnet disabled=yes set ftp disabled=yes set ssh disabled=yes set api disabled=yes set api-ssl disabled=yes /lcd set default-screen=interfaces /lcd interface pages set 0 interfaces=wifi_port /system clock set time-zone-name=Europe/Moscow /system identity set name=ugm_mikrotik /system leds set 0 interface=wifi_port /tool mac-server set [ find default=yes ] disabled=yes add interface=eth2-master add interface=ether3-slave-local add interface=ether4-slave-local add interface=ether5-slave-local add interface=ether6-slave-local add interface=ether7-slave-local add interface=ether8-slave-local add interface=ether9-slave-local add interface=ether20-slave-local add interface=ether21-slave-local add interface=ether22-slave-local add interface=ether23-slave-local add interface=ether24-master-local add interface=wifi_port add /tool mac-server mac-winbox set [ find default=yes ] disabled=yes add interface=eth2-master add interface=ether3-slave-local add interface=ether4-slave-local add interface=ether5-slave-local add interface=ether6-slave-local add interface=ether7-slave-local add interface=ether8-slave-local add interface=ether9-slave-local add interface=ether20-slave-local add interface=ether21-slave-local add interface=ether22-slave-local add interface=ether23-slave-local add interface=ether24-master-local add interface=wifi_port add /tool traffic-monitor add interface=ether18-slave-local name=tmon1 threshold=0 traffic=received
У вас две подсети. Соотвтесвенно в файрволл что-то типа /ip firewall filter add chain=forward in-interface=WiFi out-interface=LAN action=drop
Таким способом дропал 2 подсети соединенные по L3. Не мое IP - routes - rules; Нажмите "красный плюсик"; В поле Src. Address укажите офисную подсеть 192.168.88.0/24; В поле Dst. Address укажите гостевую подсеть 192.168.10.0/24; В списке Action выберите unreachable; OK. Добавляем второе правило аналогичным образом, только меняем местами подсети. Нажмите "красный плюсик"; В поле Src. Address укажите офисную подсеть 192.168.10.0/24; В поле Dst. Address укажите гостевую подсеть 192.168.88.0/24; В списке Action выберите unreachable; OK.
Так тоже можно, да. Но тут нюанс. Если вам таки надо из рабочей ходить в гостевую, то такой способ не работает.
