MikroTik Multiple SSID with Separate LAN and DHCP Server

One of the most amazing features of MikroTik Wireless Router is creating Multiple SSID (Virtual AP) on a physical wireless interface. So, creating a Guest WiFi AP with separate LAN block, SSID and DHCP Server is so easy using MikroTik WiFi AP Router. In the previous article, I discussed how to configure MikroTik WiFi Access Point on physical wireless interface with DHCP Server using hAP Lite (RB941-2nD) Wireless Router. In this article I will discuss how to configure a Virtual WiFi AP on the physical interface with another SSID, LAN block and DHCP Server for guest wireless devices.


Network Diagram


The following network diagram is being followed for this article configuration.


MikroTik Virtual AP Configuration

MikroTik Virtual AP Configuration

In this network diagram, hAP lite MikroTik Wireless Router is being used as a WiFi AP and LAN gateway. This wireless router has one WLAN interface and four Ethernet interfaces. WiFi AP has been created on WLAN interface so that wireless devices can be connected. We will now create another Virtual WiFi AP with separate SSID on this WLAN interface creating a virtual WLAN interface. The virtual WiFi AP will be used as Guest WiFi AP so that guest user can be connected with this different SSID and security key.


Among four Ethernet interfaces, ether1 port is being used as WAN connection with IP network 192.168.70.0/30. A bridge interface (named LAN_Bridge) has been created and a DHCP Server (with IP block 10.10.70.0/24) has also been configured on this bridge interface. The WLAN interface and ether2 to ether4 interfaces are now under this bridge and WiFi users and LAN users get IP address, default gateway and other network parameters from this DHCP Server automatically.


We will now create another bridge interface (named Guest_LAN) and add created virtual WLAN interface to this bridge. We also setup DHCP Server (with IP Block: 172.16.16.1/24) on the new bridge interface so that guest devices get IP address, default gateway and other network parameters automatically and can get internet access.


MikroTik Virtual AP Configuration with DHCP Server

We will now configure Virtual WiFi AP with separate SSID, password and LAN in MikroTik hAP light Wireless Router. Complete Virtual Wireless AP Setup can be divided into the following four steps.


Virtual WiFi AP Setup on Virtual WLAN Interface

Creating Bridge Interface and Adding Virtual WLAN Interface

Assigning Guest Block Gateway IP and NATing Configuration

DHCP Server Configuration on Guest Bridge Interface

Step 1: Virtual WiFi AP Setup on Virtual WLAN Interface

MikroTik hAP lite wireless router has a WLAN interface where WiFi AP has to be setup. MikroTik Wireless Router also supports creating virtual WLAN interface on a physical WLAN interface and Virtual WiFi can also setup on this virtual WLAN interface. Like WiFi setup on physical WLAN interface, we have to first create Security Profile and then create SSID on virtual WLAN interface to connect guest wireless devices.


Creating Security Profiles for Guest WiFi Access Point


To connect a wireless device with MikroTik Virtual WiFi AP, guest wireless devices must provide security key (password).  MikroTik wireless supports both WPA PSK and WPA2 PSK authentication type. The following steps will show how to create passkey for MikroTik Virtual WiFi AP with Security Profile.


From Winbox, click on Wireless menu item. Wireless Tables window will appear.

Click on Security Profiles tab and then click on PLUS SIGN (+). New Security Profile window will appear.

Put a meaningful profile name (Guest Profile) in Name input field.

Choose dynamic keys from Mode drop down menu.

Check WPA PSK and WPA2 PSK checkbox from Authentication Types panel.

Now provide strong password in WPA Pre-Shared Key and WPA2 Pre-Shared Key password box.

Click Apply and OK button.

Guest WiFi Security Profile

Guest WiFi Security Profile

Creating Separate SSID for MikroTik Virtual WiFi AP


After creating Security Profile for Virtual WiFi AP, we have to first create virtual WLAN Interface and then set SSID (Service Set Identifier) on virtual WLAN interface so that guest or desired wireless devices can find MikroTik Virtual Access Point with created SSID. The following steps will show how to create virtual WLAN interface and set SSID in hAP lite MikroTik Wireless Router.


Click on WiFi Interfaces tab and you will find physical WLAN interface (by default: wlan1) here.

Click on PLUS SIGN (+) dropdown and then click on Virtual option. New Interface window will appear.

From General tab you can set WiFi interface name from Name input box or you can keep it default (wlan2).

Click on Wireless tab and choose ap bridge from Mode dropdown menu.

Put SSID name (MikroTik Guest AP) in SSID input box.

Choose physical WLAN interface from Master Interface dropdown menu.

Choose created security profile (Guest Profile) from Security Profile drop down menu.

Make sure Default Authenticate and Default Forward checkbox is checked. Otherwise devices will not be connected until MAC authentication.

Click Apply and OK button.

You will find Virtual WLAN interface (wlan2) will be created under physical WLAN interface.

Virtual WLAN Interface in MikroTik Wireless Router

Virtual WLAN Interface in MikroTik Wireless Router

    Now created SSID will be found in wireless devices and wireless device can be connected providing password.  MikroTik ap bridge mode allows 2007 wireless device connections. Theoretically you can create 2007 Virtual WiFi AP also. But in real network it is not good to create more than 25-30 Virtual APs. If you create more virtual AP, Wireless performance will be degraded.

You will find connected devices in Registration tab. But connection is not enough to get internet. IP address, default gateway and other network parameters have to provide to get internet to the connected devices. So, we will now assign separate LAN gateway creating new bridge interface. We will also configure another DHCP Server on bridge interface from where assign IP address, default gateway and other network parameters will be assigned automatically to guest wireless devices.


Step 2: Creating New Bridge Interface and Adding Virtual WLAN Interface

We will now create a new bridge interface and add virtual WLAN interface to this bridge. The following steps will show how to create bridge interface and add virtual WLAN interface to it.


Click on Bridge menu item. Bridge window will appear.

Click on Bridge tab and then click on PLUS SIGN (+). New Interface window will appear.

Put bridge interface name (Guest_LAN) in Name input field.

Click Apply and OK button.

Now click on Ports tab and click on PLUS SIGN (+). New Bridge Port window will appear.

Choose wlan2 interface from Interface dropdown menu.

Choose created bridge interface (Guest_LAN) from Bridge dropdown menu.

Click Apply and OK button.

New bridge interface has been created and virtual WLAN interface is also added to this bridge. So, any configuration will be done on bridge interface will be applied to Virtual WLAN interface and Virtual WiFi AP.


Step 3: Assigning Guest Block Gateway IP and NATing Configuration 

We will now assign guest block Gateway IP on new bridge interface and configure NATing. The following steps will show how to assign LAN gateway IP and do NATing in MikroTik Wireless Router.


Go to IP > Address menu item. Address List window will appear.

Click on PLUS SIGN (+) and put guest block LAN Gateway IP (172.16.16.1/24) in Address input field and choose new bridge interface (Guest_LAN) from Interface dropdown menu and click Apply and OK button.

Go to IP > Firewall menu item. Firewall window will appear. Click on NAT tab and then click on PLUS SIGN (+). New NAT Rule window will appear. From General tab choose srcnat from Chain drop down menu and put guest LAN Block (172.16.16.0/24) in Src. Address input field. Click on Action tab and choose masquerade from Action drop down menu and then click Apply and OK button.

Assigning LAN gateway IP and NATing configuration has been completed. We will now setup another DHCP Server on new bridge interface so that connected guest wireless devices can get IP address, default gateway and other network parameters automatically from this new DHCP Server.


Step 4: DHCP Server Configuration on New Bridge Interface

We will now setup another DHCP Server on new bridge interface so that Guest WiFi users can get IP address, default gateway and other network parameters automatically. The following steps will show how to setup DHCP Server on new bridge interface in MikroTik Wireless RouterOS.


Go to IP > DHCP Server menu item. DHCP Server window will appear.

Click on DHCP Setup button. DHCP Setup window will appear.

Choose new bridge interface (Guest_LAN) from DHCP Server Interface drop down menu and then click Next button.

LAN Block (172.16.16.0/24) will be automatically assigned in DHCP Address Space input field. So, nothing to do. Just click Next button.

LAN Gateway IP (172.16.16.1) will automatically be assigned in Gateway for DHCP Network input field. So, just click Next button.

IP Pool from where IP address will be assigned to Guest Wireless devices will be automatically assigned from Guest LAN Block (172.16.16.2-172.16.16.254) in Addresses to Give Out input field. So, just click Next button.

Your assigned DNS Server IP will automatically be assigned in DNS Server input filed. So, click Next button.

Default DHCP lease time is 10 minute. So, 10 minute will keep assigned in Lease Time input filed. If you want, you can increase lease time for guest users as much you want. Click Next button.

Now you will find DHCP Setup successful message window. Just click OK button.

Separate DHCP Server with Separate LAN

Separate DHCP Server with Separate LAN

MikroTik Guest WiFi AP with DHCP Server is now ready. Now connect any guest or any wireless device. The device will get IP address, default gateway and other network parameters automatically and be able to get internet access.



With this MikroTik WiFi AP configuration any wireless user who knows WiFi password can connect with SSID and can able to get access to DHCP Server and DHCP Server will be happy to provide him/her IP address, default gateway and other network parameters because there is no filter rule to block unauthorized access. MikroTik Wireless or WiFi AP is smart enough granting access based on MAC address. But must configure MAC address filtering WiFi AP which will be discussed in my next article.


If you face any confusion to follow the above steps properly, watch the following video about MikroTik Virtual AP Configuration with separate LAN and DHCP Server. I hope it will reduce your any confusion.