Add IP and MAC of AP in IP Bindings and ARP list. Correct?

hi all,

I added the IP and MAC of the AP devices in IP Bindings (type bypassed) and in the ARP list as static. Is that correct, or does it cause problems?

Can anyone help me?

I used to use a second IP range for APs and just created a bypass binding for the entire range,
e.g. 192.168.100.x/24 = APs. I’d add a bypassed binding for 192.168.100.0/24.
Of course a user could probably learn of this and static-assign a 100.x address to their device, but if you also set ARP = reply-only, and static build the APs into the ARP table as you’re doing, this will prevent this behavior.

Another option would be to just let APs be DHCP clients too, and do bypass bindings via their MAC addresses.

The best solution would be to put the management IPs of the APs into one VLAN, and the clients into another VLAN, so that the APs don’t even live behind the hotspot at all.

Yes, I put the IP & MAC of the APs in the binding list as bypassed type, and I made the IP & MAC of the APs in the ARP list static.

But

I have two switches.

The first switch connects to the ether6 port, and there are 5 VLANs under ether6, for 5 APs (1 2 3 4 5).
The second switch connects to the ether7 port, and there are 5 VLANs under ether7, for 6 APs (6 7 8 9 10 11); there is one AP without a VLAN. (Is it okay to have one without a VLAN, or do I have to put it on ether8 alone and create a VLAN for it??)


In the DHCP server, I enabled (add ARP for leases).

In Interfaces, I set just ether6 and ether7 as reply-only, but not the VLANs. All VLANs have ARP enabled.


So, is all that right or wrong?

And thank you very much for all the help.

It sounds like you’re doing client isolation with switches that don’t have port isolation functionality…

There’s nothing wrong with what you’ve done - if all of the vlan interfaces are hotspot interfaces, it could be a bit annoying to manage that many different networks. You could bridge all of the vlan interfaces into a “hotspot bridge” and set horizon=1 on all vlan interfaces - which would let you use a single hotspot network, but a different VLAN for each AP… just something to think about.

Again - the best strategy would be to make the AP put the WLAN on a VLAN, but put its management IP on the un-tagged vlan, so that you can have one network for management of devices that isn’t part of the hotspot.
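For reference, here is how the design described in this reply (one hotspot bridge over per-AP VLANs with horizon isolation, AP management kept off the hotspot, and the MAC-based bypass plus static ARP fallback) looks as RouterOS CLI commands. This is an added example, not the poster's own configuration; all interface names, VLAN IDs, addresses and MACs are assumptions.

```routeros
# Added example, not the poster's config: per-AP client VLANs bridged into one
# hotspot network with horizon isolation, AP management kept off the hotspot.
# All interface names, VLAN IDs, addresses and MACs below are assumptions.

# One VLAN per AP on the two switch uplinks (only three shown)
/interface vlan
add name=vlan-ap1 vlan-id=101 interface=ether6
add name=vlan-ap2 vlan-id=102 interface=ether6
add name=vlan-ap6 vlan-id=106 interface=ether7

# Single hotspot bridge; horizon=1 on every port blocks AP-to-AP forwarding,
# giving client isolation even when the switches cannot isolate ports.
# arp=reply-only means only entries the router itself holds are answered.
/interface bridge
add name=br-hotspot arp=reply-only
/interface bridge port
add bridge=br-hotspot interface=vlan-ap1 horizon=1
add bridge=br-hotspot interface=vlan-ap2 horizon=1
add bridge=br-hotspot interface=vlan-ap6 horizon=1

# One hotspot and one DHCP server on the bridge; add-arp=yes is what populates
# the ARP table for clients once the bridge is reply-only
/ip address
add address=192.168.10.1/24 interface=br-hotspot
/ip pool
add name=hs-pool ranges=192.168.10.10-192.168.10.250
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dhcp-server
add name=dhcp-hs interface=br-hotspot address-pool=hs-pool add-arp=yes disabled=no
/ip hotspot
add name=hs interface=br-hotspot address-pool=hs-pool disabled=no

# Preferred: AP management IPs live untagged on the uplink, a network that is
# not a hotspot interface at all, so no bypass bindings are needed
# (ether7 would get its own management subnet the same way)
/ip address
add address=192.168.100.1/24 interface=ether6

# Fallback if an AP's management IP must sit behind the hotspot: bypass it by
# MAC and pin its ARP entry so a client cannot claim the AP's address
/ip hotspot ip-binding
add mac-address=AA:BB:CC:00:00:01 type=bypassed comment="AP1 management"
/ip arp
add address=192.168.10.11 mac-address=AA:BB:CC:00:00:01 interface=br-hotspot comment=AP1
```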

Really, thanks. There is one point, if you don’t mind: I noticed that in Interface Queue, all VLANs have no queue type (no-queue), unlike the other interfaces, which are (only-hardware-queue). Should I make the type of the VLANs (only-hardware-queue)? And what about the bridge interface, which also has no queue?

And deep thanks to you for all the help.

Like this:
[attached screenshot]

This is correct for hardware queueing - the vlan interface is just a virtual thing - it’s not a real interface. The physical interface is the one which needs to have a functioning output queue. The same goes for the bridge interface - whichever physical interface actually transmits a frame is going to be the one where the packet gets queued.