Best control over CPE devices

Hi all, I have some questions about monitoring and controlling CPE devices.
My network is routed with OSPF and I have lots of EoIP tunnels coming from my AP’s to my central location. On every AP, EoIP is in bridge with wireless interface.
CPE devices are in “station-bridge” mode with wlan and ethernet interface in bridge.
I’m using hotspot (on bridge with all EoIP tunnels bridged) in central location.
Now I don’t have access, except MAC-telnet, to my CPE devices. I want to reconfigure my network so I can access, benchmark and control my CPE’s (so that I have full speed access and users just speed I gave to them) but to keep them simple with as low as possible config on them.
Any suggestions?

Is this a routed network or a bridged network?

Routed. Because of that I use EoIP tunnels.

You must assign an IP to each CPE.
Use a DHCP server on every AP (linked to the wlan) and pass to the CPE the IP and the default gateway (the AP itself).

I’m not sure how this would help me, because all my interfaces are in a bridge. Or are you suggesting removing the bridges?
I need to “preserve current setup” in the way it is working now (all shaping must be on the central router, where I decide how many concurrent users I’ll give to each client, speed limits, etc.)

wlan1 could belong to bridge and be reachable directly if it has an ip



This is my original post.

So, after some testing, I get this as conclusion. DHCP is not an option because users also can get IP address from IP (is there a way to block this, so only CPE could get IP?). When I use non-standard ranges, like 192.168.77.128/25, then I can ping CPEs all the time. But when I use a range like 192.168.1.0/24, which some users have on their wireless routers at home, then I can be sure which one I ping, CPE or user router.
Are there any suggestions?

Anyone?

Do your customers connect using PPPoE?

No, my customers use hotspot access. But I want my users to go directly to the central server location, not to go through my routed network. Because of that I use tunneling.

How do you setup your network? How do you use CPE devices? Do you use tunneling? I’m talking about routed network via private address space.
Thx

my network is routed.
cpe connecting to access point receive in the vlan an ip from the AP pool
the ap bridge the wlan and an eoip tunnel.
the eoip tunnel is terminated to a concentrator with a pppoe server (not an hotspot)
the cpe receive a public ip via the pppoe client then give to the customer internet access via masquerade.
the customer receive a dynamic ip from the ethernet of the cpe
the access point share routing informations of the wlan pool sending connected routes via ospf
i have no problems to reach the private ip of the wlan of the cpe from anywhere of my network.

in some cases the customer have a router with pppoe client (a voip router). in this case I bridge the wlan and the ether1 of the cpe and the wlan mode is set as station-bridge.
also in this configuration i have no problems to reach the private ip of the wlan of the cpe from anywhere of my network.

Yes. I have a similar setup. If I had the same setup as you have, I would have to install hotspot on every CPE, which is not the right way to go… In my opinion.
As you mentioned, you have an IP address on every wlan interface. But how to give an IP to wlan on the CPE and prevent the user from getting an IP address from the same DHCP pool on the AP instead of the hotspot DHCP from the central location? Wlan is in bridge with ethernet on the CPE, so the user can be assigned an IP address from the AP.

P.S. How is your MTU set up on PPPoE? Did you try VPLS? Thx

i do not have an hotspot in each cpe
my cpe are routed: wlan in station, and nat-masquerade.
in this mode users cannot access to the dhcp server of the ap

my mtu is 1472

yes, i plan to use vpls in a few weeks

Thx for response. Yes, I understand the way your network is designed. I must get rid of hotspot and all of my problems would be solved. Just please send info about vpls when you implement it. I’m curious how it works. Thx

Is there any reason why your CPEs are set to bridge besides “simplicity” of doing so? It horrifies me when I imagine that you connected all clients’ ethernets to your concentrator.

My suggestion would be removing the bridge on CPEs and putting them in NAT mode, with a DHCP server on ethernet and a DHCP/PPPoE client on WAN, depending on what you send from your concentrator to APs. This is a somewhat standard configuration, and it is very simple to set up (you can make a generic backup file with the mentioned configuration and load it easily into new devices). You would gain control over the CPE and distinguish the customer’s network from yours.

Hi and thx for comment.
Yes, I have a reason for this setup. I give my clients one simultaneous user account. If they want more devices to be connected at the same time, then I create a new hotspot profile for them and all simultaneous users share one speed via address list, mangle and queue (this is billed separately). Because of that I bridge ether and wlan on the CPE. If I go with NAT on the CPE then I can’t limit the number of clients accessing the network. Maybe you have an idea how to do this on the CPE without creating a hotspot on each of them? I hope that you understand how my hotspot is set up :)
Thx

Ok, if you want to keep exactly the same billing system you would have to isolate CPE monitoring IPs and the client bridge. First thing that comes to mind is creating separate VLANs or EoIP tunnels. I’m guessing VLANs would be the easier solution, since you wouldn’t have to add IP addresses for EoIP termination on every client device and think about tunnel IDs etc.

So basically you need only 2 VLANs on both AP and client wireless interfaces, where one is dedicated only to monitoring CPE addresses and another one to bridging the client traffic. Let’s say vlan11 is for monitoring and vlan12 is for clients to utilize in the way you are doing it now with physical interfaces. The only thing you would need to do is change bridge ports:

  • on AP instead of EoIP+WLAN it should be EoIP+vlan12
  • on all CPEs instead of WLAN+ether it should be vlan12+ether

With vlan11 you can do whatever you want - for example create a separate DHCP that has no internet access but you have access to it from your NOC.

I would like to add disclaimer that I don’t have same setup in my networks. Hope this idea helps.
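
The vlan11/vlan12 split suggested above, written out as a RouterOS configuration sketch. This is an added example, not part of the original thread and not tested on the posters' networks. The interface and bridge names (wlan1, ether1, eoip-ap1, bridge-eoip, bridge-client), the management subnet 10.11.0.0/24 and the NOC subnet 10.0.0.0/24 are assumptions, as is a wireless link that passes VLAN-tagged frames between AP and CPE.

```routeros
# ---------- AP (constructed names and subnets) ----------
/interface vlan
add name=vlan11 interface=wlan1 vlan-id=11 comment="CPE management"
add name=vlan12 interface=wlan1 vlan-id=12 comment="customer traffic"

# Customer traffic: bridge EoIP + vlan12 (wlan1 itself is removed from the bridge)
/interface bridge port
add bridge=bridge-eoip interface=eoip-ap1
add bridge=bridge-eoip interface=vlan12

# Management DHCP lives only on vlan11, so devices behind a CPE never see it
/ip address
add address=10.11.0.1/24 interface=vlan11
/ip pool
add name=pool-cpe-mgmt ranges=10.11.0.10-10.11.0.254
/ip dhcp-server
add name=dhcp-cpe-mgmt interface=vlan11 address-pool=pool-cpe-mgmt disabled=no
/ip dhcp-server network
add address=10.11.0.0/24 gateway=10.11.0.1

# Management VLAN talks to the NOC only, no internet access
# (10.11.0.0/24 still has to be routable from the NOC, e.g. as a connected route)
/ip firewall filter
add chain=forward in-interface=vlan11 dst-address=!10.0.0.0/24 action=drop
add chain=forward out-interface=vlan11 src-address=!10.0.0.0/24 action=drop

# ---------- CPE (station-bridge, constructed names) ----------
/interface vlan
add name=vlan11 interface=wlan1 vlan-id=11 comment="CPE management"
add name=vlan12 interface=wlan1 vlan-id=12 comment="customer traffic"

# Customer side: vlan12 + ether1, no IP address on this bridge
/interface bridge
add name=bridge-client
/interface bridge port
add bridge=bridge-client interface=vlan12
add bridge=bridge-client interface=ether1

# Management address comes from the AP's vlan11 DHCP server
/ip dhcp-client
add interface=vlan11 disabled=no

# Accept management only from the NOC subnet on vlan11
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input in-interface=vlan11 protocol=udp src-port=67 dst-port=68 action=accept
add chain=input in-interface=vlan11 src-address=10.0.0.0/24 action=accept
add chain=input in-interface=vlan11 action=drop
```

Because the customer bridge carries only vlan12 and the management DHCP server answers only on vlan11, a home router plugged into ether1 cannot lease a management address, and overlapping customer ranges such as 192.168.1.0/24 no longer collide with the CPE addresses.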

Thx for the idea. I’ll try that and inform you about results.

I tried this setup, but no success. I must use WDS, but I’m not sure that this is a good choice and the way to go either…