Goal
Provide internet access for employees' personal devices without providing access to the internal network.
Equipment
- Netgear WNDR4500v2: Wireless router intended for the guest network (has wireless isolation feature)
- MikroTik RB2011Ui AS-RM: The primary router for this network. Attached to it are a few switches that comprise the wired internal LAN. Upstream of this is a Juniper fiber device that I have no administrative access to.
Connections
Juniper -> MikroTik -> Cisco Switches -> Clients, Printers, etc.
The Netgear is currently connected to a port of the MikroTik that is a slave port to the same master port used by the Cisco Switches. Changing this might be part of the solution, but I'm not sure.
Where I'm at
I configured the Netgear to use wireless isolation and set its internal IP range to match the office network, then connected it to the MikroTik router. My intent was to have requests for office resources fail to escape the Netgear's range (e.g. a request for 192.168.1.1 would return the Netgear admin panel rather than the MikroTik), but it did some autoconfiguration when I connected it and switched to a different range, so now I can access the MikroTik and ping office devices. Not what I'm looking for.
This seemed like the hack way to do it anyway, considering the MikroTik is probably capable of something more elegant. What is the correct way to isolate my wireless router with this equipment?