Is it possible in MikroTik to give WLAN clients Internet access only, while those who are in the access list also get access to the local network + DHCP from the domain controller?

Hello!

Basically, see the subject)

Can the following scheme be set up on a single WiFi network (without an additional guest network): a client that connects to it gets, by default, an address from the MikroTik DHCP and Internet access only, but if it is in the access list, it gets an address from the domain controller and access to the local network?
September 18th 19 at 23:48
3 answers
September 18th 19 at 23:50
If it doesn't need to be "foolproof", then:
1) prohibit DHCP packets between the LAN and the WLAN;
2) hang a separate DHCP server with a separate subnet on the WLAN;
3) use firewall rules to prohibit communication between the different subnets
(you can also use VLANs and subnets);
4) I don't need to add static lease in the main draw (the one that has access to a main)
A picture is already starting to emerge, I'll try it.
Thanks for the reply - Roxane_Jacobs commented on September 18th 19 at 23:53
September 18th 19 at 23:52
And what's the point?
There is a "Guest" network with a simple password for guests and employees' smartphones.
And a "Firm" network with a complex password, which no one except the admin knows, with access to the corporate network.

I have no idea how what's described in the subject is supposed to work. A client that has latched on to WiFi has, roughly speaking, plugged an Ethernet cable into a socket. The network card sent a DHCP request and got an address. That's all. Whether that address comes from the domain DHCP or from the guest one: whichever answers first gives the client its address.
Well, the point is that the site is far away; explaining to each user which networks to connect to and with which devices is not possible, but I can add them to the access list remotely, and there are not many cases where a user needs to be let into the LAN.
The area is large, and there are a lot of people wishing to obtain raw footage.
But if I do it with a guest network, then to connect a user to the local network I will have to:
first, somehow contact him and say that he should connect not to "that" network but to "this" one;
second, tell him the network password, won't I?
As for cables in the socket, that's extremely unlikely; anyway, making it so that no one can see will not succeed. - Roxane_Jacobs commented on September 18th 19 at 23:55
For example, if a user connects and is not in the access list, create a VLAN for him, and if he is in the access list, then handle him in the usual way... or something like that...
Maybe this is nonsense, but that's why I ask, I don't know - Roxane_Jacobs commented on September 18th 19 at 23:58
The wire in the socket is not a solution but an analogy. The network doesn't care whether the user connected via WiFi or plugged a cable into the outlet. After that everything happens the same way. Solve it for wired and you solve it for WiFi.
About 2 years of networking - Yes, I have to say the password of the user you MAC your device. Or what is meant by the access list? The list of MACs admitted to the corporate network. - Roxane_Jacobs commented on September 19th 19 at 00:01
Yes, the access list means the list of MACs.
Which of the MACs to add to the access list I work out from the machine name in the MikroTik DHCP server, i.e. I do not have contact with the user - Elody_Padberg76 commented on September 19th 19 at 00:04
September 18th 19 at 23:54
And what if you remove the DHCP server from the MikroTik and create a bridge between WiFi and Ethernet? In the bridge filter, ban everything except DHCP for the WiFi interface. Then add filter rules allowing specific MAC addresses to connect to the internal network.
Hmm... worth a try, I hadn't thought of that.
Thank you) - Roxane_Jacobs commented on September 18th 19 at 23:57
Although... there are a lot of access points and they are controlled via CAPsMAN... Each access point has a bridge that includes wlan1 and ether1, where ether1 is already the LAN.
Then it will be necessary to bring up VLANs on ether1 everywhere and put these VLANs in the bridge, then on the main router combine these VLANs into a bridge, put the MAC filter on that bridge, and create another DHCP server with a relay enabled or something... right? - Roxane_Jacobs commented on September 19th 19 at 00:00
It turns out you need to hook up a single common domain DHCP for everyone. And the router lets a client into the LAN or not based on its MAC. - Roxane_Jacobs commented on September 19th 19 at 00:03
Move all the CAPs into a separate VLAN (on the LAN switch) and add the CAPsMAN interface to this VLAN. Addresses for this subnet can be handed out by any single server (the domain one via a DHCP relay, or the MikroTik). And filter the traffic on the CAPsMAN. - Elody_Padberg76 commented on September 19th 19 at 00:06
But I only know about CAPsMAN in theory - Roxane_Jacobs commented on September 19th 19 at 00:09
According to file.accesspoint.hu/pdf/uldis.pdf, CAPsMAN can put clients in a specific VLAN by MAC address. You can try looking in this direction. - Roxane_Jacobs commented on September 19th 19 at 00:12
Yes, I'll dig deeper on the weekend and report back with the results - Roxane_Jacobs commented on September 19th 19 at 00:15
No. The fact of the matter is that the domain controller's DHCP needs to give addresses only to those who have access to the intranet, and whoever is not admitted gets an address from the MikroTik DHCP; it's precisely the VLANs that I'll have to tinker with here - Elody_Padberg76 commented on September 19th 19 at 00:18
I understand. I had another similar problem. I came to the conclusion that it is better to deploy 3 networks on the MikroTik: the 1st for employees' smartphones with a simple password, the 2nd for guests without a password, with access to certain sites and simple authorization added for Internet access, and the 3rd for access to the corporate network with a complex password. I have a similar setup (a simple password for guests and employees' smartphones, a complex one for the corporate network) that has been running for the second year.
You have a specific constraint: this crap is supposed to work without the administrator being personally present at the enterprise. - Melissa.O commented on September 19th 19 at 00:21
> You have a specific constraint: this crap is supposed to work without the administrator being personally present at the enterprise.

Yes, this is the main problem...
Your way is the simplest and most transparent, and I would do that in a normal situation, but in this case the situation is forcing me to find another option :-/ - Melissa.O commented on September 19th 19 at 00:24
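
The per-MAC VLAN idea from the thread above, sketched as a RouterOS configuration. This is an added example and not something posted by any participant. It assumes VLAN 10 is the LAN segment where the domain controller's DHCP answers and VLAN 20 is an Internet-only segment served by the MikroTik; all interface names, VLAN IDs, MAC addresses and subnets are constructed placeholders.

```routeros
# Added example: every name, VLAN ID, MAC and subnet below is a constructed placeholder.
# Assumes VLAN 10 = LAN (domain controller DHCP answers there),
#         VLAN 20 = Internet-only segment served by the MikroTik DHCP.

# CAPsMAN controller: rules are checked top to bottom, the first match is used.
/caps-man access-list
add mac-address=AA:BB:CC:00:00:01 action=accept vlan-mode=use-tag vlan-id=10 \
    comment="admitted device -> LAN VLAN"
add action=accept vlan-mode=use-tag vlan-id=20 \
    comment="everyone else -> Internet-only VLAN"

# Main router: VLAN interface for the Internet-only segment on the trunk port.
/interface vlan
add name=vlan20-guest interface=ether1 vlan-id=20

# MikroTik DHCP serves only the Internet-only VLAN.
/ip address
add address=192.168.20.1/24 interface=vlan20-guest
/ip pool
add name=guest-pool ranges=192.168.20.10-192.168.20.254
/ip dhcp-server
add name=guest-dhcp interface=vlan20-guest address-pool=guest-pool disabled=no
/ip dhcp-server network
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# Keep the Internet-only VLAN out of the LAN (192.168.10.0/24 is a placeholder).
/ip firewall filter
add chain=forward in-interface=vlan20-guest dst-address=192.168.10.0/24 \
    action=drop comment="guest VLAN -> LAN blocked"
```

The access-list match is on the MAC address the client presents, which is an identifier rather than a credential, so the WiFi passphrase remains the actual authentication for both VLANs.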
