Hi

I have now a network, with 1 central point and 5 remote AP's connected by wifi to central point. All the equipment and the DHCP server are in the same subnet (10.1.1.0/24). There is a hotspot in the central point, and all work OK, except that there is a lot of windows stupid broadcast stuff flying from ap to ap by central point.

Now I'm updating the network with more AP's, and a dedicated new transport backbone to join all the AP's with central point. Also buy a new RB2011iL to traslade the hotspot to it, instead of the RB wifi central point.

In my new setup I want that each remote AP have it's own DHCP server, with different IP nets, routing to central point, go to RB2011iL, pass the hotspot, and then go to internet.

The setup is this:

(Internet)<-wan/eth1->RB2011iL<-Eth2--Eth1->RB433AH<-Wifi->Remote_AP1<->Clients

In this case, the RB2011iL with hotspot will have eth2 IP (ex, 192.168.10.1/24), but the remote clients will arrive with IP's like (10.1.1.x for AP1, 10.1.2.x for AP2, and so on).

After a lot of reading, my conclusions are:
- The hotspot will only see 1 MAC for all the remote ip's (the mac from the RB433AH or the other wifi ap), then need to use the setting "Addresses per MAC", but it's limited to 254 (for the beging can be sufficient).
- Need to use the 1-to-1 NAT from hotspot feature (Address Pool setting), with a range 10.1.0.0/16
- Need to configure static routing for each remote network throught the apropiate gateway.


Questions:
- Can this setup work?
- The 1-to-1 NAT it's really necesary? Or maybe must be setup with 192.168.10.1/24 instead 10.1.0.0/16?
- There is some way to pass the limit of 254 ip's on the same MAC to control the access to hotspot? Maybe access control than mac? (I think that in 6.x ROS there is no limit)


Thanks in advance!!

Anyone?

If each AP has its own DHCP server with masquerade, each AP will act as a client for the hotspot. So your hotspot will "see" as many MAC addresses as APs, and two Wifi clients connected to the same AP will be treated as the same MAC address and IP.
Maybe you can switch hotspot authentification to "cookie" only, and not MAC address, not sure if ot works, try it.

If you just want to get rid of windows broadcast traffic, you can keep your existing bridged network and add some firewall rules on the AP to block all traffic except the ports you really want: TCP 80, 443 etc. To be tested also..

In this case the remote AP's will have DHCP but will not do NAT, just routing to the central point. The central point will see the real client IP (but comming from the same MAC, that it's the gateway to the central point).