Adding wireless to office network

Hi,
I'm looking for config advice. I have a LAN with a main MikroTik CCR (LAN IP 10.1.0.1), one ISP and multiple switches. Now I need to add two RB2011s in two separate buildings (this is still the same LAN); on each of them I need to have two WiFi networks, one with access to the private LAN (after RADIUS/NPS authorization: only domain computers and domain login/password) and one guest WiFi with internet access only. Employees connected to the private WiFi should be accessible (RDP, VNC) from my LAN. Internet output for everyone goes through the CCR's ISP.
- Do I need VLANs and tagging between the CCR and the RB2011s, or can I simply pick IPs from my LAN, let's say 10.1.200.1 and 10.1.200.2, assign them to the RB2011s as WAN addresses and do NAT there?

  • Or maybe it is better to assign IP addresses for private WiFi users from my domain DHCP server (10.1.0.190)?

Thank you for any advice.

You need VLANs. Either configured by yourself, or you can deploy CAPsMAN on the CCR (with the 2011s as CAPs) with local forwarding disabled. If you do NAT on the 2011s, you have to be extra careful to prevent guests from connecting to your business LAN hosts.
If you go with VLANs, you'll have to assign an IP subnet for guests only, with a DHCP server. I'd go with an instance of the DHCP server on the CCR; you'll have to do some configuration on the CCR anyway: firewall filters between the business and guest LANs, perhaps some changes in the src-nat configuration (might be fine as it is though) or the introduction of simple queues (to limit the speed available to guests) ... But do also consider the switches' configuration; the introduction of VLANs might go without issues or perhaps not (it depends on how the switches treat VLAN tags when not configured accordingly).

If you go with local NAT (I advise against it ... among other things, AP roaming would not work for guests in this case), you'll have to run a DHCP server on the 2011s (both of them), deal with heavy firewall filtering so that guests cannot connect to the business LAN (much easier to do on the CCR with VLANs in place), etc.
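As an added example (not from the original thread), this is what the CCR side of the VLAN approach described in the two replies above looks like: the guest VLAN terminated on the CCR, a DHCP server for it, the firewall filters that keep guests off the business LAN and off the router itself, and a simple queue. It assumes ether1 is the ISP uplink, ether2 is the trunk towards an RB2011, VLAN 16 with 172.16.0.0/24 for guests (the numbers used later in the thread), and an address list named business for 10.1.0.0/16; all of those names are assumptions, adapt them to the real export.

```routeros
# Added example, not the thread's own config. Assumptions: ether1 = ISP uplink,
# ether2 = trunk to the RB2011, VLAN 16 / 172.16.0.0/24 = guest network.
/interface vlan
add interface=ether2 name=vlan16 vlan-id=16 comment="guest VLAN towards RB2011"

/ip address
add address=172.16.0.1/24 interface=vlan16 comment="guest gateway"

/ip pool
add name=pool_guest ranges=172.16.0.50-172.16.0.254

/ip dhcp-server
add name=dhcp_guest interface=vlan16 address-pool=pool_guest lease-time=1h disabled=no
/ip dhcp-server network
add address=172.16.0.0/24 gateway=172.16.0.1 dns-server=172.16.0.1

# Let the CCR resolve DNS for guests. The input rules below make sure only vlan16
# can reach the resolver; without them allow-remote-requests also exposes it to the ISP side.
/ip dns
set allow-remote-requests=yes

/ip firewall address-list
add list=business address=10.1.0.0/16 comment="whole office LAN, incl. both RB2011s"

/ip firewall filter
# These must sit ABOVE any generic "accept forward" rule already in the chain
# (e.g. add them with place-before=0), otherwise the generic rule matches first.
add chain=forward in-interface=vlan16 dst-address-list=business action=drop \
    comment="guests may not reach the business LAN"
add chain=forward in-interface=vlan16 out-interface=ether1 action=accept \
    comment="guests -> internet only"
add chain=forward in-interface=vlan16 action=drop comment="anything else from guests"
# The router itself: guests get DHCP and DNS, nothing else (no Winbox, SSH, www, API).
add chain=input in-interface=vlan16 protocol=udp dst-port=67 action=accept comment="DHCP"
add chain=input in-interface=vlan16 protocol=udp dst-port=53 action=accept comment="DNS"
add chain=input in-interface=vlan16 protocol=tcp dst-port=53 action=accept comment="DNS"
add chain=input in-interface=vlan16 action=drop comment="guests -> router"

# If the existing src-nat rule is "out-interface=ether1 action=masquerade" with no
# src-address restriction, it already covers 172.16.0.0/24. Otherwise add one:
/ip firewall nat
add chain=srcnat src-address=172.16.0.0/24 out-interface=ether1 action=masquerade

# Cap the guest network as a whole (upload/download). Use a pcq queue type instead
# if you want a per-client limit.
/queue simple
add name=guest_wifi target=172.16.0.0/24 max-limit=10M/20M
```

To verify: from a guest client, 10.1.0.1 and any office host must be unreachable while the internet works, and `/ip firewall filter print stats` should show the two drop counters climbing. Note that guest-to-guest traffic inside 172.16.0.0/24 never crosses the CCR, so client isolation has to be done on the AP (default-forwarding=no on the guest wlan), not here.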

My goal is: on the endpoint WiFi device (RB2011UiAS) have access to my CCR LAN 10.1.0.0/16 on the Ethernet interfaces, and one separate guest WiFi.
So using VLANs I do:
1. On the CCR LAN interface I add vlan16 172.16.0.1/24; on RB2011UiAS eth1 I add vlan16 172.16.0.2/24.
2. On RB2011UiAS create the guest WiFi with vlan16 tagging.
2. On RB2011UiAS add the created guest WiFi to a bridge and vlan16 to that bridge.
3. On RB2011UiAS create DHCP 172.16.0.50-172.16.0.254/24 for the guest WiFi.
4. On the CCR create masquerade, filtering etc. for that network.

Is it good? How do I achieve network (10.1.0.0/16) access on the RB2011UiAS Ethernet interfaces?

I have a similar setup in terms of a hEX router wired to a cAP ac.

Bridge on hEX (homebridge)
VLAN created for guest WiFi: vlanguestwifi vlan-id=33
DHCP network, server, IP pool, IP address etc. (interface bridge) for vlan33 on the hEX.
eth2 on the hEX carries the VLAN (outgoing trunk-like port).

/interface bridge vlan
add bridge=homebridge tagged=homebridge,ether2 vlan-ids=33

Bridge on cAP ac (wifibridge)
wlanhome (standard 5 GHz for home users)
vwlanguests (a 5 GHz virtual AP created for guests)
vlanguestwifi vlan-id=33
eth1 on the cAP ac (incoming trunk-like port on the cAP ac)

/interface bridge vlan
add bridge=wifibridge tagged=wifibridge,ether1,vwlanguests vlan-ids=33


Anyway, you get the idea; it's very doable and it works well.

Basically the steps are fine, but there are a few catches:

  1. If you decide to create vlan interfaces on the ether ports used for interconnection, then you will end up using two bridges on both routers. Which is fine. However, things might behave slightly funny if the same Ethernet port carries both tagged and untagged traffic. You can filter out the tagged traffic just fine by creating a vlan interface on top of the physical interface and bridging the vlan interfaces together. However, for untagged traffic you cannot create an "untagged vlan" interface, so you'd have to put the physical interface into the bridge ... which could allow tagged frames to enter the bridge as well. There are two solutions to this: 1.) tag the "untagged" traffic on both ends by creating another vlan interface on top of the physical interface (e.g. with VLAN ID 1000) and add these vlan interfaces to the "untagged" bridge (on both ends of the interconnection, i.e. on the RB2011 and on the CCR), or 2.) enable vlan-filtering on the bridge ... but in this case you don't need a separate bridge for each VLAN. Full VLAN configuration on ROS is not a trivial task, so I'd suggest you go with possibility #1 unless you feel comfortable playing with VLANs.
  2. (number 2): create bridge16 and add the guest wifi and vlan16 interfaces to it. In this case, bridge16 actually carries untagged frames and the guest wifi should have "vlan mode" set to "no tag".
  3. (number 3 ... this is an addition): add vlan1000 to the default bridge. If you want to have an office wlan as well, you can create a virtual AP (with the office SSID, without tagging as well) and add this wifi interface to the default bridge.
  4. In your original post you mentioned two RB2011s. I assume your intention is to have them configured similarly. If you don't care to separate guests on one RB2011 from guests on the other RB2011, then you can run the DHCP server (and a DNS server, in case you won't point guests to external DNS in the DHCP leases) on any of the routerboards (bound to bridge16). Personally I'd run it on the CCR (being the central point and the most powerful of the three). Having a single guest network will allow roaming between both APs for guests (I don't know how important or even feasible it is) and will slightly simplify the firewall on the CCR (you will only have to deal with a single guest network).

Be careful not to have ether1 on the RB2011 as part of any of the bridges (if it's part of one now, you have to remove it before performing the configuration).

The answer to your final question is in the text about point 2 (number 3).
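Possibility #2 from the reply above (one bridge with vlan-filtering instead of one bridge per VLAN) as an added example, not the thread's own config. It assumes RouterOS 6.41 or later on the RB2011, ether1 as the trunk to the CCR with the office LAN untagged (VLAN 1) and guests tagged as VLAN 16, 10.1.200.1/16 as the AP's own address, NPS at 10.1.0.190 as the RADIUS server for the office SSID, and placeholder secrets; the interface and profile names are assumptions.

```routeros
# Added example, not the thread's own config: single bridge with vlan-filtering.
# Assumptions: RouterOS >= 6.41, ether1 = trunk to CCR (office LAN untagged,
# guests tagged 16), ether2-ether10 = office access ports, NPS/RADIUS at 10.1.0.190.
/interface bridge
add name=bridge1 vlan-filtering=no comment="vlan-filtering is switched on as the LAST step"

/interface wireless security-profiles
# Office SSID: WPA2-Enterprise, EAP passed through to NPS (domain machine/user auth).
add name=office mode=dynamic-keys authentication-types=wpa2-eap eap-methods=passthrough \
    management-protection=allowed
add name=guest mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="CHANGE-ME-guest-psk"
/radius
add service=wireless address=10.1.0.190 secret="CHANGE-ME-radius-secret"

/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge band=2ghz-b/g/n ssid=Office \
    security-profile=office disabled=no
# Guest SSID as a virtual AP on the same radio. default-forwarding=no stops
# guest-to-guest traffic at layer 2 (client isolation), which no router firewall can do.
add name=wlan1-guest master-interface=wlan1 ssid=Guest security-profile=guest \
    default-forwarding=no disabled=no

/interface bridge port
# Trunk: untagged office LAN (pvid 1) plus tagged VLAN 16.
add bridge=bridge1 interface=ether1 pvid=1 frame-types=admit-all
# Access ports and office SSID: untagged only, ingress-filtering on. A client that
# sends its own 802.1Q tag (VLAN hopping) gets dropped instead of landing in VLAN 16.
:foreach p in={"ether2";"ether3";"ether4";"ether5";"ether6";"ether7";"ether8";"ether9";"ether10";"wlan1"} do={
    /interface bridge port add bridge=bridge1 interface=$p pvid=1 \
        frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
}
# Guest SSID: untagged on the radio, VLAN 16 inside the bridge.
add bridge=bridge1 interface=wlan1-guest pvid=16 \
    frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes

/interface bridge vlan
# VLAN 16 leaves tagged on the trunk and untagged towards the guest SSID.
# VLAN 1 membership is created dynamically from the pvids above.
add bridge=bridge1 tagged=ether1 untagged=wlan1-guest vlan-ids=16

/ip address
add address=10.1.200.1/16 interface=bridge1 comment="management, rides in the untagged office VLAN"

/interface bridge
set bridge1 vlan-filtering=yes
```

Two caveats worth knowing before choosing this over possibility #1: enabling vlan-filtering on an RB2011 in RouterOS 6 takes the bridge out of hardware offload, so everything is forwarded by the CPU (fine for a couple of SSIDs, but measure it); and if you mistype a pvid or leave frame-types at admit-all on an access port, a client can tag its own frames into the guest VLAN or the reverse, so check `/interface bridge vlan print` (dynamic entries included) after switching the filter on.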

How can I achieve my setup without bridging RB2011 eth1 with the rest (eth2-eth10), while on the RB2011 side I have only one Ethernet cable connection to my LAN available, so I need to address this eth1 as part of my main network LAN IP (10.1.200.1/16)? This LAN is untagged (native). If I want to have this LAN accessible on the RB2011 eth2-eth10 interfaces, is there any other way to do that?

I have added vlan16 on the CCR LAN interface without any bridges ----- trunk ------ RB2011 eth1 - vlan16.
On the CCR I created DHCP on the vlan16 interface and allowed that network to go out to the internet.
But WiFi clients are not getting an IP:

/interface bridge
add fast-forward=no name=bridge_guest_wlan
add fast-forward=no name=bridge_lan
/interface vlan
add interface=ether1 name=vlan_16 vlan-id=16
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=WiFI supplicant-identity="" wpa2-pre-shared-key=\
    test1234
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge \
    security-profile=WiFI ssid=WiFi vlan-id=16 vlan-mode=use-tag
/interface bridge port
add bridge=bridge_lan interface=ether1
add bridge=bridge_lan interface=ether2
add bridge=bridge_lan interface=ether3
add bridge=bridge_lan interface=ether4
add bridge=bridge_lan interface=ether5
add bridge=bridge_lan interface=ether6
add bridge=bridge_lan interface=ether7
add bridge=bridge_lan interface=ether8
add bridge=bridge_lan interface=ether9
add bridge=bridge_lan interface=ether10
add bridge=bridge_guest_wlan interface=vlan_16
add bridge=bridge_guest_wlan interface=wlan1
/ip address
add address=10.1.200.1/24 interface=ether1 network=10.1.200.0
add address=172.16.0.2/24 interface=vlan_16 network=172.16.0.0

Troubleshooting:
On the RB2011, when I add a DHCP Client on the interface "bridge_guest_wlan", it gets the 172.16.0.254 address from my CCR.
On the RB2011, pings from source interface vlan16 to 172.16.0.1 on the CCR are working; I get replies.

Strange, I removed the VLAN tagging from the wlan1 interface, so now it is:

vlan-id=1 vlan-mode=no-tag

and my guest WiFi on vlan16 is working now, I get the proper subnet from my CCR.
Why shouldn't there be VLAN tagging settings, as I use a VLAN for that wireless network?

That's fine: a vlan interface has a tagged side (it connects to the underlying interface, in your case ether1) and an untagged side (referenced by the vlan interface's name, in your case vlan16). As you bridged the untagged side with the wlan interface (using bridge_guest_wlan), the wlan interface has to be untagged as well.

The same principle would apply to the untagged office LAN as well: if you take the ether1 physical interface out of bridge_lan, create a vlan1000 interface on ether1 and add the vlan1000 interface to bridge_lan, this would take care of tagging LAN packets (otherwise untagged on the ether interfaces of the RB2011) when leaving ether1 with a VLAN tag ... and untagging them on arrival through the wire at ether1. If you configured the corresponding ether port on the CCR in the same way, then VLAN 1000 would actually bridge the untagged Ethernet segments on both routers, but tagged frames would live on the UTP cable between the two routers.

It is fine to have the DHCP server for the guest WiFi configured directly on the vlan16 interface (on top of the ether device). But if you want to add the second RB2011 into the mix, you'll end up either with two separate guest WiFi networks, or you'll create a vlan16 interface on another ether port (used to connect to the other RB2011) and bridge both vlan16 interfaces together ... and bind the DHCP server to that bridge instead. Both solutions will work, but IMHO the second solution is more sexy.
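The two replies above finished as an added example (not the thread's own config): the RB2011 from the posted export with ether1 taken out of bridge_lan and the office LAN carried as tagged VLAN 1000 over the cable, plus the "second solution" on the CCR, where the vlan16 interfaces towards both RB2011s are bridged and the DHCP server moves to that bridge. It assumes the posted RB2011 export as the starting point, an existing security profile named office for the office SSID, ether2 and ether3 on the CCR as the trunks to the two RB2011s, that the CCR's 10.1.0.0/16 LAN lives on a bridge named bridge_lan (if it sits on a plain ether port today, that port has to move into a bridge first), and a CCR DHCP server named dhcp_guest; those names are assumptions.

```routeros
# Added example, not the thread's own config. Possibility #1 completed:
# office LAN = VLAN 1000 on the wire, guests = VLAN 16, both untagged inside each router.

# ---- RB2011 (repeat on the second one with its own management address) ----
/interface bridge port
# ether1 must not be a bridge member, otherwise tagged frames leak into bridge_lan.
remove [ find interface=ether1 ]

/interface vlan
# vlan_16 on ether1 already exists in the posted export; add the office VLAN next to it.
add interface=ether1 name=vlan_1000 vlan-id=1000 comment="office LAN, tagged on the wire only"

/interface bridge port
# Untagged side of vlan_1000 joins ether2-ether10; frames leave ether1 tagged 1000.
add bridge=bridge_lan interface=vlan_1000

/interface wireless
# Guest SSID is bridged with vlan_16's untagged side, so no tag on the radio.
set [ find default-name=wlan1 ] vlan-mode=no-tag vlan-id=1
# Office SSID as a virtual AP, also untagged, into bridge_lan (profile "office" assumed).
add name=wlan1-office master-interface=wlan1 ssid=Office security-profile=office disabled=no
/interface bridge port
add bridge=bridge_lan interface=wlan1-office

/ip address
# Management moves from raw ether1 to the bridge; the 172.16.0.2 on vlan_16 is not
# needed because the CCR is the guest gateway and DHCP server (a bridge port cannot
# carry an address anyway).
remove [ find interface=ether1 ]
remove [ find interface=vlan_16 ]
add address=10.1.200.1/16 interface=bridge_lan comment="RB2011 management"

# ---- CCR ----
/interface vlan
add interface=ether2 name=vlan_1000_ap1 vlan-id=1000
add interface=ether3 name=vlan_1000_ap2 vlan-id=1000
add interface=ether2 name=vlan_16_ap1 vlan-id=16
add interface=ether3 name=vlan_16_ap2 vlan-id=16

/interface bridge
add name=bridge_guest comment="one guest L2 domain across both APs (roaming, one DHCP)"
/interface bridge port
add bridge=bridge_guest interface=vlan_16_ap1
add bridge=bridge_guest interface=vlan_16_ap2
# bridge_lan is assumed to hold the 10.1.0.0/16 office LAN on the CCR.
add bridge=bridge_lan interface=vlan_1000_ap1
add bridge=bridge_lan interface=vlan_1000_ap2

/ip address
# Guest gateway now lives on the bridge, not on a single vlan16 interface.
remove [ find address="172.16.0.1/24" ]
add address=172.16.0.1/24 interface=bridge_guest

/ip dhcp-server
set [ find name=dhcp_guest ] interface=bridge_guest
```

Firewall rules that match in-interface=vlan16 on the CCR have to be changed to in-interface=bridge_guest after this, otherwise guest traffic arriving via the bridge is no longer caught by them; `/ip firewall filter print stats` with a guest client pinging 10.1.0.1 is the quickest check.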