I have a MikroTik router in the company. The normal DHCP pool for workers, who need access to the local LAN and the internet, is 10.0.0.1-10.0.0.250 (I assign them manually by MAC); let's say it's the workers pool.
But I also have a separate pool for guests who are not on the static DHCP list; the default pool for them is 172.16.0.0 – 172.16.0.250, the guests pool.
The guests pool has only limited access to the internet: max 10 Mbps queues, traffic through a porn-filtering DNS.
The SFP port is for internet access over PPPoE, all other ports are in a bridge, and the DHCP server is on the bridge.
The workers pool is filtered from the guests pool on the firewall, with access blocked on the forward chain.
When a new person connects, the default pool for this person is 172; if this is a worker, I go to the DHCP leases and assign him an address from the workers pool.
If this is not a new worker, he stays on the guests pool.
How can I make it more secure so that every guest is additionally in a separate VLAN space?
And if this is possible:
How can I make it so that someone who is a guest with an address in the 172 pool, when he launches Wireshark, does not see others' MACs?
How can I separate every guest on the 172 pool so that everyone with a 172. address is totally isolated, even at the sniffing (pcap) level?