isolated wifi using a Mikrotik wireless router

Assuming a wireless interface is setup and working on the router, we can add a virtual interface, give it it’s own subnet, and isolate that subnet from the existing LAN.

  1. Using WinBox, login and click the wireless tab on the left.
  2. Click the Security Profiles tab, create a new profile for your virtual AP – I basically copied my existing profile. Click OK when done (as for all steps).
  3. Click the blue plus to create a virtual interface, give it a name, probably best to leave the wlan2 part at the start. Click the wireless tab and give it an SSID. Select the new security profile from the dropdown.
  4. Open the bridge tab on the left and create a new bridge. Click the ports tab, create a new port and select the newly created bridge and virtual interface from the drop down menus.
  5. Click the IP tab on the left and select addresses. Create a new address, I used 192.168.2.2/24, then select the new bridge for the interface.
  6. The AP will require DHCP. Click the IP tab and select Pool. Create a new pool, name it and give some addresses, I used 192.168.2.220-192.168.2.240.
  7. Click the IP tab and select DHCP Server. Create a new DHCP Server, name it and select the new bridge as the interface. Select the newly created Address Pool. OK.
  8. Click the Networks tab in the DHCP Server window. Create a new network, this is mine:
  9. If the router already has a masquerade rule for internet traffic, this isn’t needed. I have a second router on my LAN also running this config, in this case I just masquerade traffic from the guest wifi at that router.
    Click the IP tab and select Firewall, click the NAT tab, click the blue + for a new rule. Use srcnat then I used 192.168.2.0/24 for the Src. Address. Select the appropriate Out. Interface, I used my original LAN bridge, bridge-local.
  10. Test the wifi (Yay 🙂 ). You will still have access to the local LAN.
  11. Create a new firewall rule in the Filter Rules tab for the Firewall window. Chain: forward, Src. Address: 192.168.2.2/24, Dst. Address: Local Lan subnet. Click the Action tab and select reject.
  12. Yay, I think that’s it.

I used this config on two separate routers on my LAN, using the same config and security profile

Installing Win 7 Fresh (in 2017)

  1. Obtain win 7 installation files.
    This site is a mirror for all the win 7 ISOs (in several languages), includes links to MSDN file hashes (after downloading, I used HashTools to compare hashes). Also there is a tricky possible solution here.
  2. Format a USB as a installation disk using Rufus.
  3. Install OS as Admin user, install critical drivers from hardware vendor website, use these instructions to bring computer up to date.
  4. Install Chrome, firefox, VLC, Microsoft Security Essentials, f.lux, adobe reader, skype, libre office.
  5. My keyboard has a rotary volume encoder so I installed 3RVX from softpedia for onscreen volume display, and I installed MemInfo to show RAM usage in the taskbar
  6. Create default non-admin user for logging in. Add autologin.