Mikrotik RB433AH VLAN Q'

[bigdogchris]

I am a RouterBOARD noob, so I hope I explain this OK. I've been thrown into a situation where I am trying to make changes to equipment I did not setup or configure.

I have a RB433AH that I am editing via WINBOX. I believe the version is 4.10.

What I am trying to do is to create a VLAN to give users on a specific AP access to the Internet, without access to the internal network. So far I have configured the RB to have a VLAN interface, VLAN network, DHCP Pool in said network, and assign IP's via DHCP.

The VLAN id passes through my switch and through the AP. All clients are connecting to the AP and get the VLAN DHCP pool I have assigned. So that's working great. The problem is they still can access the other network. The clients are receiving the proper IP, Gateway, and DNS from DHCP.

The default network is 192.168.1.0/24 and the VLAN network is 192.168.2.0/24.

What is the next step via WINBOX to get my 192.168.2.0 network blocked from seeing my 192.168.1.0 network? I understand the routers job is to let subnets see eachother but I was hoping that it would be easier than this

Thanks!