FinlayDaG33k · FinlayDaG33k · Oct 17, 2025 · Oct 17, 2025 · Oct 17, 2025 · Oct 17, 2025
diff --git a/User Manager, WiFi and VLANs/README.md b/User Manager, WiFi and VLANs/README.md
@@ -0,0 +1,162 @@
+# User Manager, WiFi and VLANs
+
+Setup WiFi access using User Manager and implement VLAN separation.  
+Useful if you want to have specific users' their WiFi going to specific VLANs.
+
+Reasons to use this setup:
+
+- You want to isolate certain users without making 1337666 separate SSIDs.
+- You want to easily see which devices belongs to which person.
+
+Reasons to not use this setup:
+
+- You are the only one using your network.
+- You only want to isolate IoT or guest devices.
+- You run silly consumer electronics that do not support WPA(2)-EAP (eg. a Nintendo Switch or a printer).
+
+**NOTE**: This setup only handles setting up User Manager, your WiFi and assigning VLANs to users.  
+It does not handle setting up WiFi, CAPsMAN or VLANs on routers and switches.
+
+## Installing User Manager
+
+First, we'll need to install the required package for User Manager.  
+At the time of writing, this package is sub-500KiB, so it should fit on nearly all devices.  
+
+Let's update the package cache first:
+```
+/system package update check-for-updates without-paging
+```
+
+It may show the following output:
+``` 
+channel: stable                       
+installed-version: 7.19                         
+status: finding out latest version...
+
+channel: stable                  
+installed-version: 7.19                    
+latest-version: 7.20.2                  
+status: New version is available
+```
+
+I'll be skipping updating the RouterOS version for now, but you can do so yourself if you want to.  
+
+Next, check that the User Manager package gets listed:
+
+``` 
+/system package print
+```
+
+Which should show something like the following output:
+
+``` 
+Flags: X - DISABLED; A - AVAILABLE
+Columns: NAME, VERSION, BUILD-TIME, SIZE
+#    NAME            VERSION  BUILD-TIME           SIZE     
+0    routeros        7.19     2025-05-22 07:53:44  12.4MiB
+1 XA user-manager                                  336.1KiB
+```
+
+If so, we can enable it:
+
+```
+/system package enable user-manager
+```
+
+Then reboot the device and make sure User Manager is installed after it has come back online.  
+
+``` 
+/system reboot
+/system package print
+```
+
+It should now show the following:
+
+``` 
+Flags: X - DISABLED; A - AVAILABLE
+Columns: NAME, VERSION, BUILD-TIME, SIZE
+ #    NAME            VERSION  BUILD-TIME           SIZE     
+ 0    routeros        7.19     2025-05-22 07:53:44  12.4MiB
+ 1    user-manager    7.19     2025-05-22 07:53:44  336.1KiB
+```
+
+If this is the case, then User Manager is installed!
+
+## (Optionally) Move the database to a USB disk
+
+If your RouterOS device has a USB port, you can opt to move the User Manager database there.  
+Doing so saves NAND cycles and while some will argue that it isn't that bad or that they will still last for ages, I personally prefer just using a USB drive (which is why I run my User Manager on an RB5009 instead of my CRS317).  
+This of course also helps if you either re-purpose an older device with limited storage (like a hAP AC) as the database can get to 4MB reasonably fast, which on 16MB of NAND, is a lot!  
+I assume you have already mounted your storage, if not, you'll need to figure that out first.
+
+After that, you can tell User Manager to use a different path for its database.  
+I'll be putting it on `usb1` in a directory `user-manager`.  
+You an put it in the root if you want, I prefer this style of organization as it makes migrations and backups a lot easier.
+
+```
+/user-manager database
+  db-path=usb1/user-manager5
+```
+
+## Adding a User
+
+For this user, we'll assume you're gonna use `VLAN 1000`.  
+If you want to use a different VLAN, change the `Mikrotik-Wireless-VLANID` attribute accordingly.  
+
+```
+/user-manager user
+  add attributes=Mikrotik-Wireless-VLANID:1000 name=someuser shared-users=unlimited
+```
+
+## Updating your WiFi's security settings
+
+First, we need to allow your router to access User Manager.
+```
+/user-manager router
+  add address=127.0.0.1 name="localhost" shared-secret=lamesecret
+```
+
+And then we need to tell our device to use the RADIUS server..
+``` 
+/radius
+  add address=127.0.0.1 require-message-auth=no service=wireless secret=lamesecret
+```
+
+**NOTE**: If you run User Manager on a different device than what handles WiFi authentication, change the addresses accordingly.  
+
+**NOTE**: The secrets must be the same on the User Manager as well as the RADIUS config.  
+You can leave this empty but it's not recommended.
+
+## (Optionally) Remove User Manager Sessions
+
+After a while, old User Manager sessions can start to accumulate.  
+As such, you can add a scheduler that will clean out the old sessions every week.  
+You can do it more often, or less often if you desire by changing the `interval`.
+
+``` 
+/system scheduler
+  add interval=1w name="Userman Session Clean" on-event="/user-manager/session remove [find where active=no]" policy=read,write start-date=1970-01-01 start-time=00:00:0
+```
+
+## (Optionally) Set Auth methods
+
+To make things easier for myself when setting up a new device, you can setup different auth methods.  
+By default, MikroTik has set all `Outer Auths` and all `Inner Auths` to be enabled.  
+This means that, when asked for your credentials, you have to manually select the correct ones, which is annoying and increases chance of mistakes.
+
+However, since we do not use certificate-based authentication, we only really need `EAP TTLS` for the `Outer Auth` and `TTLS PAP` for the `Inner Auth` to be enabled.  
+What this means is that first, the client will create TLS tunnel (but unlike `EAP TLS`, doesn't require a client-side certificate) to the UserManager and then use `PAP` to actually authenticate with the RADIUS server.  
+This _does_ create more steps in authentication but makes it plenty secure for home use.
+
+To do this, we need to update the default profile (you can also create a new one if you prefer that):
+
+```
+/user-manager user group
+  set [ find default-name=default ] inner-auths=ttls-pap outer-auths=eap-ttls
+```
+
+After this, clients will automatically be presented with the right options.
+
+**NOTE**: `EAP TTLS` with `TTLS PAP` should *not* be used in a business or enterprise environment as it sacrifices some security for convenience.
+I only use them here because it does not require a PKI (making it easier to deploy on devices I do not control).  
+Use `EAP TLS` if you can use certificate-based authentication.