now we've been looking at the mikrotik brand routers and the full series is available absolutely free at cat5 dot TV slash mikrotik now that our network is up and running let's create a guest Wi-Fi SSID our guest Wi-Fi will have a throttled connection to the Internet and they will not have access to our local resources so that's network shares printers things like that I want to lock that down we're gonna create a truly isolated Wi-Fi connection to allow guests friends customers or visitors to use our internet connection without risking slowing down our connection or without risking the integrity or privacy of our data so this is going to be a complex tutorial today so what I've done is I've actually documented all of the steps that I'm going to go through at cat5 dot TV slash mikrotik so that you can follow along it just makes it a lot easier for you so let's get right into it I am actually going to be going from those notes because this is truly a sophisticated series that we're getting into right here today or at least a aspect of the series so I am going to be working on my pine book here and I want to just bring up my laptop and the screen looks fantastic this week look at that I've made some improvements here at the studio so I think you're gonna find that things are a lot easier to read now thank you for everyone for your patience through this time because it has been difficult for many broadcasters but we've made some improvements this week so thank you for your patience so the first thing I want to do in web fig here is I want to go into my wireless security profiles so understand I don't want those who are gonna be accessing my guest Wi-Fi to use the same password as I use on my main Wi-Fi that's particularly what I don't want to be giving out so let's do that right now let's set up a separate password by clicking on wireless at the left here and then I'm going to click on security profiles at the top now click on add new and you'll see default is actually my my you network so that's the password for my network the Wi-Fi that I've already set up and I'm gonna click add new and we're just going to call this one guest just like that one note is I want to turn off WPA PSK because WPA as you know is very part of me it's very easy to compromise so we don't want to use WPA we only want to use wpa2 because wpa2 is much safer as far as somebody being able to hack into your Wi-Fi network so turn off WPA PSK leave wpa2 PSK enabled and then down here because that is enabled we need to enter a pre-shared key aka the password for our network so I'm gonna use dum-dum one-two-three-four this guest Wi-Fi so this is only for the guest Wi-Fi remember that ok once I've entered my password I'm going to hit ok so I haven't actually created a network yet all I've done is I've created a security profile called guest and that security profile contains the wpa2 shared key for that guest Network and I notice that my default network is in fact using WPA pre shared key so while we're here let's open that one and let's turn off WPA PSK because I do not want someone hacking into my main network and hit OK it only took a moment's time for my pine Book Pro to disconnect from the Wi-Fi and reconnect the password hasn't changed simply the encryption algorithm has changed so now as you can see on the screen neither of my Wi-Fi security keys will allow WPA they only allow wpa2 it's as simple as that now jump into our Wi-Fi interfaces this is where you see my two gigahertz and five gigahertz networks and I want to add a new one for my guest Wi-Fi but I don't have another radio so what are we gonna do we're going to share the radio with one of my w lands so we're not going to add another radio we don't have to buy an access point or any kind of device we're just going to use the same mikrotik router so the only caveat of that is that it means that the guest Wi-Fi is going to be sharing the same channel as our Wi-Fi like our actual Wi-Fi for our network however because it's a different network and it's a different password they're not going to be able to access our things it's just going to be sharing the same the same Channel whether or not that matters I don't think it does alright let's go add new and we're gonna choose virtual because we are not creating a real one now we're creating a virtual network here on our wireless tab in Wi-Fi interfaces so let's create a virtual interface first thing I need to do is always I mean give things a name I'm going to call this one guest - Wi-Fi and you'll notice I'm using guests throughout you might use your last name or your family name or something fun for your guests Wi-Fi you can do that but for the sake of making this tutorial universally accessible and easy to follow I'm using guests because anyone can go through these steps and then retrace and rename things if you want to but you don't have to do that so on this network let's scroll down just a little ways and we're going to see something here called SSID we know that the SSID for our network is basically what you see when you bring up your phone and you access the Wi-Fi and you see a list of the different networks so right now I see cat 5 TV and cat 5 TV - 5g and about a billion other Wi-Fi networks around me but I want to give this one an SSID that designates this the guest Wi-Fi now in our case today I'm going to call this SSID simply guessed again I'm going to refer back to my comment that we're just making this universally accessible but you can call that whatever you want this could be I could call this cat 5 TV - guest which would be very appropriate because if there's some other network called guest because that's pretty generic that could cause a conflict but also it just makes it so that when people come into the studio they can say oh that's the guest Wi-Fi for cat5 TV hey what's the password dum-dum one two three nice and simple right but for today's demonstration we are just gonna go with guest and now the final thing that we need to do of course is set our security profile for the Wi-Fi connection and we're going to change that from default to guest so that's gonna set so that we're using the password dum-dum 1 2 3 as we specified with that security profile and that's literally all there is to adding the interface hit ok now because I am making changes to my Wi-Fi setup and because my pine Book Pro is connected to my Wi-Fi right now remember that Wi-Fi now the router is not rebooting my servers and everything my Internet's not going down however the Wi-Fi is going to hiccup there because the Wi-Fi transmitter is restarting or reloading those configuration settings on its own so now that that's finished reloading those settings you'll see now that under wireless Wi-Fi interfaces I have one called guest Wi-Fi and that is a virtual interface connecting to my Wi-Fi so the next thing we need to do is we need to start routing how the traffic is going to flow and do you get the sense here that hey if you if you follow these steps and if you understand the steps involved in setting up a mikrotik router you can do some really sophisticated stuff at the top of this demonstration I did warn that this is going to be kind of complicated not that it's hard it's not difficult it's not challenging it's just there are a lot of steps so go to cap v dot TV slash micro tech and I've listed those out in a documentation format for you and the entire series is available for you absolutely free so if you want to follow these steps and you're a little worried about maybe fumbling over something that I've said or maybe I'm moving a little bit too quickly hey head over to cap v dot TV slash mikrotik to get yourself set up with those Doc's all right so to create a bridge I'm gonna go over to the left-hand menu and click on bridge we can see there's an active bridge already running there but we want to add one for our guest Wi-Fi because we want this to be separate from our main bridge so I've clicked add new and I'm gonna give this one a name you guessed it bridge - guest let's keep everything simple I want you to follow this verbatim and that's gonna help to make sure that everything makes sense in the end and you can always go back and and rename things if you feel that you need to that's literally all we need to do in order to create a bridge hit okay so now as you can see we now have a bridge called bridge guests sitting there doing absolutely nothing so we need to actually specify how the ports are going to be assigned so click on ports and we need to actually connect that bridge to our new guest Wi-Fi so add new and then change the interface to guest Wi-Fi and the bridge we don't want that using our main bridge we want that to go to bridge - guest and now hit OK and now you can see right at the bottom there guest - Wi-Fi bridge - guest all set ready to go and waiting for us to finish configuring so the next thing that we need to do obviously we haven't told this guest Wi-Fi the bridge what IP block to use and again I'm gonna back up to when I said I want this network to be separate from my private network I do not want the guest Wi-Fi on the same IP block I do not want their IP block to be able to access mine because I have Network shares on my server and I don't want them to have access to deleting my files or worse yet here we live in a world where someone could connect to your guest Wi-Fi from their Windows laptop and they have ransomware that ransomware then goes out on the network and looks for network shares and encrypts all your files so even though you may have anti-virus or you may even have nothing but Linux on your network because they've connected to your Wi-Fi they now have access to encrypting all your files with their malware that they have on their laptop so we're creating a network that protects you entirely against that kind of infiltration as well as the malicious person who would connect to your guests Wi-Fi and try to seek out private information on your network so we're gonna protect you against that let's set up an IP block for this guest Wi-Fi and a go IP and then addresses on the left-hand side here and you can see here that my network is 10.0.0.0 dot zero dot one two three four so on and Counting so I'm gonna create a new IP block by simply clicking add new and we're gonna make this one a little different so we're gonna go with 10.10 dot dot one slash 24 and on the interface guess which interface we're gonna use here folks bridge - guest that's the comment field that I was talking about last week that we didn't really see we don't need that in this case but you can add comments to anything that you add in web thick hit ok so now we have a new network here called ten ten ten dot one and it will assign I well we will inevitably when we setup a DHCP server see there's lots of steps it will assign IP addresses on that IP block so speaking of DHCP server that's our next step so we're gonna jump over here and under IP which is already open already expanded and we're gonna click on DHCP server and here you can see my current running DHCP server but the thing with this is that it's got kind of a weird name out of the box so I first thing I want to do is I want to open that and I'm just gonna rename this one local and the reason I want to do that is I want to always remind myself that that DHCP pool is my local network it has full access to everything on my network you do not want to assign a guest to that so by calling it local it just keeps me a little bit more safe because it stands out as that is definitely my local network now let's add a new DHCP server and you can see that there's all this setup that you can go through but I want to show you a tool that's going to help make this even easier so I just brought that up but cancel and you can see there's actually DHCP setup and that's going to bring up a wizard that is going to make this a lot simpler for us and this is literally easy breezy we're gonna change the DHCP server interface to bridge - guest and then watch this we're gonna hit next next see it r2 automatically assigned it to the correct network next next DNS servers is just pulling from my router that's fine we can change we're gonna actually change those in a future episode when we set up a piehole that's not a bad word that's actually a device that's gonna act as our DNS server in-house and block advertising block pornography all that kind of stuff click Next Next Next Next Next Next just leave everything as is and we're done whoo we've got guest 1 and notice ok well why is it DHCP 1 well my bridge guest I can see that it's bridge guest but notice it I didn't hand her a name for it and so now I I can do the exact same thing I can open that up and call this guest easy peasy right ok so now I'm at the point where I should be able to see the guest Wi-Fi network on my phone so let's do a quick refresh of Wi-Fi here and sure enough there's cat 5 TV 5 gigahertz cat 5 TV and one called guest so let's click it actually before I do that I'm gonna bring up a local network resource unconnected to cat 5 TV I want you to see that I am in fact able to access local resources so let's just bring up my VirtualBox login there it is so once I switch over to the guest Wi-Fi I'm gonna use that as a demonstration to show whether or not we're able to access those resources so back in my Wi-Fi let's connect to guest enter my password from the security profile dum-dum 1 2 3 connect obtaining IP address and we're in what options do we have here let's look at the IP address 10 see the Gateway 10 10 10 one all right so let's let's look at our browser again now that I'm connected to that Network and let's try to access PHP VirtualBox and you'll notice yes I am indeed still able to access PHP VirtualBox I've clicked on the address bar and I've clicked on the link and it is loading and that is simply because I have yet to create a firewall rule to basically and it trap that Wi-Fi the guest access and make it so that it's not allowed to communicate back with my local area network or my Wi-Fi devices on my actual Wi-Fi so the way that we're gonna do that is back on our mikrotik web the Figg I'm going to click I've opened IP and then we're gonna go to firewall we've already seen this on previous episodes of cat5 TV slash mikrotik you can see I've added a couple of new things since the last time we were here but what I want to do this time is I want to create a rule to be able to make it so that the Wi-Fi for the guest network is not able to get access to ten dot 0 dot 0 dot on add new to create a new firewall rule and you're gonna laugh at how easy this is you'll notice the chain is defaulting to forward that is what we want so leave that as is and we're gonna set the source address so this is if the IP address is coming from this then do this so watch what I'm gonna do here 10.10 dot dot 0 slash 24 so anyone who is on the guest Wi-Fi IP block is going to fall into this the source address destination address this is my network 10.0.0.0 slash 24 if anyone from this network attempts to access this network what do you want to do scroll down action drop so what we're saying is any source from the guest Wi-Fi IP block trying to access my actual LAN we are going to drop those packets I want to point out that this is unidirectional so there may be cases where you want devices to access your your wireless network but not have access to your internal resources however you do want your internal resources to be able to access them think about perhaps an IP camera that uses Wi-Fi to connect well you want it to be able to connect to the internet you want it to be able to access the network and you from your computer on your land want to be able to access that camera but you don't want that camera to have the rights to access your things on your network it's just an example but I mean you can probably think of devices that you'd want to have kind of separate from your network so that if somebody grabs it if somebody steals that let's say you've got a Raspberry Pi sitting in the roof somewhere connected to your Wi-Fi well if someone steals that you don't want them having access to your network so putting it on a separate network but allowing you to be able to connect to it so we understand that we're doing this unidirectional e this is only going to affect the guest Wi-Fi this is not reducing it's not eliminating my ability to connect to the devices on the guest Wi-Fi let's hit OK and now we have that route set up however you've noticed it has placed it at the bottom and we've already talked about this we want to make sure that our forward rules happen before some of the mikrotik stuff and I certainly want to make sure that this happens before the rules that I've created if they involve internal infrastructure I want this one to happen after this no I don't I want it to happen before this because if they're going to access ten dot 0 dot 0 dot through the internet through the port that we've allowed so if this was below it they would actually have access to 10.0.0.0 category 5 TV so I'm gonna drop as the first thing so now without having to restart without having to do anything else I'm gonna bring back up my phone here which is connected to the guest Wi-Fi and let's jump back to my browser and let's click on PHP VirtualBox which you see that progress indicator up at the top it's hung up now I mean I know that I can still see PHP VirtualBox because I've previously loaded it let's go home and let's go there again so 10.0 PHP VirtualBox watch this I've clicked on it where is it it's not working because I am connected to the guest Wi-Fi this site can't be reached however is the internet working let's just go category 5 TV yeah the internet works a treat let's try to go back to wrong IP 10.00 10 which is my VirtualBox server and let's because we know that's going to timeout I'm going to change to my cat 5 TV 5 gigahertz Wi-Fi there we go connected and bring it up and boom I'm instantly in so as you can see we have successfully created a guest Wi-Fi that is separate from our network they cannot access resources on 10.0.0.0 they can't gain access to that from our guest Wi-Fi we're also going to learn in coming weeks how we can throttle that I mentioned that that we're going to be looking at throttling but we're out of time for this week segment so I will move that into a future episode as well so make sure you watch for that we're gonna learn how to throttle the connection for our guest Wi-Fi to make sure that even you know if I give the kids access to it on their tablets are their friends and then the friends are down the road downloading videos through my Wi-Fi I don't want them milking all my bandwidth so we're gonna cover that on a coming show as well cap five dot TV slash mikrotik is where you want to go to get the entire series absolutely free please post your comments and make sure you subscribe to us at Linux tech show calm which is where I'm posting all these as well which reroutes to our youtube channel called the next tech show