I live in a two-story apartment. I bought a CCR2004 to create a VLAN-based network and route between the VLANs. I do not have proper Ethernet infrastructure in my home; I use gigabit powerline adapters to connect the rooms. I wanted to create dynamic VLANs based on the MAC addresses of the devices with User Manager. I am currently distributing IP addresses and controlling the WiFi network based on the MAC addresses of the devices via User Manager. I am currently using a flat network with a class C network address. I would like to separate the network into VLANs.
I have not seen a VLAN ID attribute for wired connections in User Manager. As a matter of fact, I was not expecting a VLAN ID attribute specific to wireless clients. The CCR2004 is connected to a powerline adaptor on a wall in my study room, and so are all the other rooms. Is it possible to give a VLAN ID to wired devices that connect to a single port of the CCR2004 through the powerline adapters? I have seen only attributes for wireless clients. User Manager is on the CCR2004.
I currently have two RB962ac devices that act as WiFi access points on the two floors, and they are connected to powerline adaptors. Not all devices are connected to the RB962s. In some rooms, PCs, TVs etc. are directly connected to the powerline devices. Since I am using a powerline network, I cannot use port-based VLANs other than in my own room. I would like to use a dynamic VLAN structure for all devices, not just for wireless devices. But it seems that MikroTik can NOT do it on wired devices, or I did not see an attribute to do it.
The CCR2004 is running the DHCP server and User Manager. It has no way of differentiating wireless vs. wired clients. Can I use Mikrotik-Wireless-VLANID for wired devices as well? According to the CCR2004, all connections could be wireless. Am I thinking wrong?
ChatGPT provided the following:
Official RouterOS + CCR2004 Capabilities (802.1X / MAB)
RouterOS (which the CCR2004 runs) does support 802.1X supplicant mode
(meaning: it can authenticate itself to an upstream network like an ISP)
RouterOS does NOT support 802.1X authenticator mode for wired ports
(meaning: it cannot act like a Cisco/Aruba switch to authenticate end devices like PCs on Ethernet ports)
RouterOS can act as RADIUS client for:
Hotspot users
PPPoE users
Wi-Fi clients (CAPsMAN)
DHCP leases (with scripting tricks)
PPP, VPN users
RouterOS cannot act as full 802.1X port-based authenticator to trigger dynamic VLAN assignment for normal wired Ethernet clients.
It cannot:
Initiate EAPOL sessions (Extensible Authentication Protocol over LAN)
Request client authentication per Ethernet port
Dynamically change VLANs per client MAC / username
User Manager can be used as a RADIUS server; you can assign those attributes per User Group or per User there.
Please note that the VLAN assigned will be per port and normally applies to all devices connected to the same port.
After client is successfully authenticated, the interface will accept all received traffic on the port. If the interface is connected to a shared medium with multiple hosts, the traffic will be accepted from all hosts when at least one client is successfully authenticated. However, it is possible to configure dynamic switch rules to accept only the authenticated user source MAC address and drop all other source MAC addresses.
I may be asking some dumb questions. Please bear with me. I am not a network engineer but a guy with enthusiasm. I am not knowledgeable about these rather new protocols and enterprise setups. Is it truly necessary to activate dot1x on a bridge or on the single port that connects the CCR2004 to the rest of the network over powerline? I have two RB962s for WiFi access on the two floors and they are connected to the CCR2004 via the powerline network in their respective locations. This means even wireless connections will be affected. According to ChatGPT, I have to activate dot1x if I want to authenticate wired clients as well. Of course, I do not trust what it says; it is making things up based on the questions…
Do I really need to activate dot1x? In my current setup it affects almost all clients on the powerline network. In that case, will I be using “Tunnel-Type + Tunnel-Medium-Type + Tunnel-Private-Group-ID” uniformly for all clients (wired or wireless) in User Manager instead of the wireless-client-specific Mikrotik-Wireless-VLANID?
I will be needing both WPA2-EAP and WPA2/3-PSK authentication for wireless clients. I want to authenticate smartphones and laptops that use wireless with EAP, but some old or dumb IoT devices with WPA-PSK. I also want wired clients to be completely unaware of authentication; everything must be done based on MAC address.
If currently most of your LAN network is behind the powerline adapter connected to a single ethernet port of the CCR2004 then unfortunately you cannot activate the dot1x server on the CCR2004 on that port, because it will turn that port into an access port of a single VLAN once a device has authenticated. That ethernet port on the CCR2004 must remain a trunk or hybrid port, carrying all your VLANs as tagged.
You can configure the two hAP ac devices to act simultaneously as access point for WiFi and managed smart switch. You can then turn on dot1x on those two RB962 devices, and have per-port dynamic VLAN assignment for each of the remaining 4 ethernet ports, or skip dot1x entirely and configure VLANs statically on those ports (access ports, one VLAN per port).
But, as you wrote, you have other devices connected to the powerline adapters and not directly to either the two hAP ac devices or the CCR2004. For most of those devices you cannot expect VLANs or dot1x to work, unless you purchase additional managed switches and put them between those client devices and the powerlines adapters. The managed switches will have the trunk link to the CCR2004 (via powerline), and you then distribute the VLANs on their ports statically (access ports, one VLAN per port), or if those devices support 802.1x too, then you can have dynamic VLANs assignment too, but still with the restriction of one VLAN per port once authenticated.
Please note that if the devices are PCs, then you can have them use the VLANs without the need for additional smart switches. The port of the PC’s network adapter can be a trunk port, and inside the operating system you can select the VLAN to use. But if the devices are TV or cameras, then you’ll need the additional managed switches.
@benibilme2
What real world speed do you get from the powerline adapters?
Older generation devices with only 10/100 ports like - say - the hap lite used (or even new at 20-25 $ each) would maybe come out as fast enough.
Maybe even a hap mini would do, I have seen them from time to time on e-bay for as little as 7-8 $ each, more or less the usual cost of a USB power adapter.
I have first and second generation TP-Link TL-PA8030P KITs (AV1200/1300). I have not recently checked the speed. TP-Link has an application which shows the connections between the powerlines and, unfortunately, it works on Windows. Most PCs/laptops at home run Linux. I checked in my sister’s home, which has the same devices. The speed was generally around 150-300 Mb between rooms that are close by. I live in an apartment and there are lots of apartments close by. WiFi, whether 2.4 or 5 GHz, is all crowded. I would rather use powerline than WiFi. My internet connection is not great; mostly the network is used for internet access. So the few family users do not complain much.
I really do not understand why this dynamic VLAN assignment is possible in the wireless medium with CAPsMAN/RADIUS/User Manager while not possible in the wired medium. Is it a MikroTik hack specific to wireless? If we think about it, the wireless medium is similar to a shared wire. A device connects to an AP on a frequency, authenticates itself via RADIUS, gets its IP and VLAN ID, and still communicates through the same medium in a different IP network and VLAN ID. Why can this not be done for wired clients? I really do not understand. Is it a lack of current capability in MikroTik RouterOS or the general current level of network technology?
In my case, the CCR2004 cannot know if a client is wireless or not. Why can we NOT fake it and treat all clients as if they were wireless clients on the CCR2004? Wired or wireless clients are coming from the powerline network. The RB962s are not directly attached to the CCR2004. While wireless clients can do this, why can wired clients not do it? I may run FreeRADIUS externally if necessary, if there is a lack of capability in User Manager. I am sure that, for you, I might be asking dumb questions. Please bear with me and kindly tutor me.
Because I live in a rental home, I cannot run Ethernet cables for each machine between rooms. I do not want to put a small MikroTik device in each room just for the sake of injecting VLANs either.
Please let me know if some other device can do this… I can replace the CCR2004. I really want a unified approach for any device. Is it possible at all at the current level of networking technology? I can replace the CCR2004, even though I am accustomed to MikroTik and like MikroTik.
There is no hack. If a client device is not VLAN aware, then there must be VLAN supports at the edge of the network that device is connected to. All your access points are actually switches, just wireless switches instead of wired ethernet switches. A WiFi client connecting to a SSID is somewhat analog to a wired ethernet client connecting to an ethernet port, only that the port and the wire are invisible and replaced by waves and air. Each WiFi client obtains its own invisible port.
So, your hAP ac access points are actually smart managed switches in the wireless realm, and they can control the “invisible ports” the wifi clients connect to, they can block them (refuse connection), filter by MAC address/add/remove vlan tags, or apply 802.1x authentication (when you use WPA2 Enterprise or WPA3 enterprise).
If your devices are wired and you have capable switches, plugging the wired devices to those switches allows you to do exactly the same thing, per port basis. You can block a port, assign the port to an untagged VLAN, including dynamic VLAN assignment based on MAC address or RADIUS with 802.1x. But those ports and switches have to be at the edge of your network, as last step in front of the devices. Just like the WiFi access points are at the edge of your network, as last step in front of the WiFi client devices.
If you plug ONE device directly to a port of the CCR2004, then the CCR2004 can also do all that on that port. But you cannot expect it to work properly if instead of one device, you plug a whole tree of network devices into that port. Because dot1x will make that port become access port of only a single VLAN after authentication.
If you now buy a cheap TP-Link home access point and plug that device to your network, it would be clear that WiFi clients connected to that TP-Link access point no longer have all those VLAN-related features anymore. Because that TP-Link AP is like a dumb unmanaged switch. Similarly, if at the edge of your wired network are only dumb unmanaged wired switches (those Powerline Adapters are like unmanaged switches) then you cannot expect per port authentication and VLAN assignment with 802.1x to work.
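The following is an added configuration example, not something posted by the OP or the people replying above, that puts the three answers above (the User Manager reply quoting the dot1x documentation, the "hAP ac as managed switch" reply, and the "edge of the network" explanation) into RouterOS 7 commands. Interface names, VLAN IDs, addresses, the shared secret and the two client MAC addresses are assumptions made up for the example; the WiFi/CAPsMAN side of the RB962s is left out. The point it demonstrates: the CCR2004 port facing the powerline stays a tagged trunk with no dot1x server on it, each RB962 runs bridge VLAN filtering with the dot1x authenticator (dot1x plus mac-auth) on its four client ports, and User Manager returns the VLAN in the standard Tunnel-* attributes rather than in Mikrotik-Wireless-VLANID.

```routeros
# ===== Part 1: CCR2004 - the port toward the powerline stays a pure 802.1Q trunk =====
# (ether2, the VLAN IDs and the addresses are assumptions for this example)
/interface vlan
add interface=ether2 name=vlan10-trusted vlan-id=10
add interface=ether2 name=vlan20-iot vlan-id=20
add interface=ether2 name=vlan99-mgmt vlan-id=99
/ip address
add address=192.168.10.1/24 interface=vlan10-trusted
add address=192.168.20.1/24 interface=vlan20-iot
add address=192.168.99.1/24 interface=vlan99-mgmt
# Deliberately NO "/interface dot1x server add interface=ether2" here: after the
# first successful authentication that port would become an untagged access port
# of a single VLAN and the whole tree behind the powerline would lose its tags.

# ===== Part 2: User Manager on the CCR2004 as the RADIUS server =====
/user-manager
set enabled=yes
# each RB962 edge switch is a RADIUS client ("router"); the secret is a placeholder
/user-manager router
add name=hap-ac-floor1 address=192.168.99.2 shared-secret=CHANGE-ME
add name=hap-ac-floor2 address=192.168.99.3 shared-secret=CHANGE-ME
# The VLAN travels in the standard RFC 3580 tunnel attributes, for wired and
# wireless clients alike: Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802.
/user-manager user-group
add name=vlan10-trusted attributes=Tunnel-Type:13,Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:10
add name=vlan20-iot attributes=Tunnel-Type:13,Tunnel-Medium-Type:6,Tunnel-Private-Group-ID:20
# mac-auth sends the client MAC as both username and password, in the format set
# by radius-mac-format on the switch; the user entry must match that string exactly.
/user-manager user
add name=AA:BB:CC:DD:EE:FF password=AA:BB:CC:DD:EE:FF group=vlan20-iot comment="living-room TV (constructed MAC)"
add name=11:22:33:44:55:66 password=11:22:33:44:55:66 group=vlan10-trusted comment="study PC (constructed MAC)"

# ===== Part 3: each RB962 (hAP ac) as an 802.1X / MAC-auth edge switch =====
# ether1 = uplink into the powerline (trunk toward the CCR2004), ether2-ether5 = client ports
/interface bridge
add name=bridge1 vlan-filtering=no comment="turn vlan-filtering on only as the last step"
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=20
add bridge=bridge1 interface=ether3 pvid=20
add bridge=bridge1 interface=ether4 pvid=20
add bridge=bridge1 interface=ether5 pvid=20
# pvid=20 is only the fallback for a port whose RADIUS reply carries no
# Tunnel-Private-Group-ID; a VLAN returned by RADIUS replaces it for that session.
# Every VLAN the CCR2004 can deliver over the powerline must be allowed tagged on ether1;
# VLAN 99 is also tagged on bridge1 itself so the switch CPU can be managed over it.
/interface bridge vlan
add bridge=bridge1 tagged=ether1,bridge1 vlan-ids=99
add bridge=bridge1 tagged=ether1 vlan-ids=10
add bridge=bridge1 tagged=ether1 untagged=ether2,ether3,ether4,ether5 vlan-ids=20
/interface vlan
add interface=bridge1 name=vlan99-mgmt vlan-id=99
/ip address
add address=192.168.99.2/24 interface=vlan99-mgmt
/ip route
add gateway=192.168.99.1
# RADIUS client pointing at User Manager on the CCR2004
/radius
add service=dot1x address=192.168.99.1 secret=CHANGE-ME timeout=1s
# Authenticator per client port: dot1x for hosts with an EAP supplicant, mac-auth for
# TVs and IoT boxes that have none. Before authentication the port passes only EAPOL;
# after it, the whole port (every host behind it) sits in the returned VLAN.
/interface dot1x server
add interface=ether2 auth-types=dot1x,mac-auth radius-mac-format=XX:XX:XX:XX:XX:XX
add interface=ether3 auth-types=dot1x,mac-auth radius-mac-format=XX:XX:XX:XX:XX:XX
add interface=ether4 auth-types=dot1x,mac-auth radius-mac-format=XX:XX:XX:XX:XX:XX
add interface=ether5 auth-types=dot1x,mac-auth radius-mac-format=XX:XX:XX:XX:XX:XX
/interface bridge
set bridge1 vlan-filtering=yes
```

Two checks worth doing before trusting it: on the RB962, `/interface dot1x server active print` shows which port authenticated which MAC and `/interface bridge vlan print` shows the dynamic untagged entry that the RADIUS reply created; if a device never appears, enable `/system logging add topics=dot1x` and `/system logging add topics=radius` on the switch and compare the username in the request with the User Manager entry, since a MAC format or case mismatch is the usual cause. Note also that a device plugged straight into a powerline adapter never reaches one of these dot1x ports, which is exactly the limitation explained above.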
Thank you for the clear tutorial. I did understand. Although I really do not want to do this, what would be the cheapest and smallest low-power solution in the MikroTik product line that will do the job of injecting VLANs and basically making the powerline network a trunk? I have seen the RB260G as the cheapest solution, with SwOS. It is around 40 bucks. Even though I did not mention it, before the CCR2004 I had bought a CRS326 to do this job, ignorantly. I am not using that now. After buying the CCR2004, I did not need that many ports. I have already spent around 700-800 bucks. I guess I can spend another 200$ for safety. I also have a backup RB950G. I can use that as well.
It is a pity that I had deliberately bought powerline devices with 3 gigabit interfaces and paid more, just in case I needed more than one Ethernet port.
Yep, if you want to stay all MikroTik (through SwOS) I also think that the RB260G is the cheapest suitable device with 1 Gbit ports.
But there are cheaper alternatives of fast enough 5 port managed switches, Tp-link or Zyxel, the Zyxel GS1200-5 should be around 20-25 $/€, it is “limited” to 8 VLANs, but I don’t think you need more, and it has (as I see it) the advantage of a metal case, please read as better heat dissipation (though for the role you intend to use them I don’t think there can be heat issues with the device).
Yes, the RB260GS is the cheapest MikroTik device that allows you to have an individual VLAN per port (access port). However, it runs SwOS, which means it does not support 802.1x and you won’t be able to assign dynamic VLANs on its ports based on MAC address or username/password/certificates. If you only need static VLAN assignment then managed switches from other manufacturers would be even cheaper.
If you want 802.1x (dot1x) then the most affordable MikroTik device is the old hEX RB750Gr3. It can act as a fully L2 (with Bridge VLAN Filtering) hardware offloaded 5-port wire speed switch and is better as a switch than the hEX refresh (which has only 4 hardware offloaded ports).
Well, but for the same money the hEX refresh may be a 4-port switch instead of a 5-port one (but the extra port shouldn’t make a difference in the OP setup); it is ARM and has 128 MB storage, so it is a device that in the future can be re-used in other roles.
When I was thinking of buying a traditional Hex, more than one year ago (i.e. before the Hex refresh came out) I asked for advice and (for the use I had in mind) the Hap Ax Lite was suggested to me exactly because it was more re-usable in the future than the old Hex model. But still we are in the $/€ 60 range.
I have the CCR2004 and it will handle all the dynamic things. I am working on it. I just need a VLAN-capable mini, cheap managed switch with low power consumption, and small, that can do what is necessary as an edge switch as suggested in the comments above. Another question comes to my mind: since the powerlines essentially create a layer 2 mesh network, and for dot1x I have to define the powerline network as a trunk, the switch that I need to buy must be able to have all VLANs defined, which is more than 8, as it may receive traffic from any other powerline. I do prefer MikroTik/RouterOS. I have been using MikroTik devices for the last possibly 7-8 years and nothing else. I do love MikroTik. I have some Zyxel unmanaged switches that refuse to die, which I have been using for 14 years or so.
Before making a purchase, I want to understand this. Yes, some or most of these devices that are directly connected to the powerlines are PCs and laptops. If I can put them in their respective VLANs via their network interface card features etc., will it be possible for a machine in a different VLAN to communicate with these directly attached PCs/laptops through the CCR2004, which handles inter-VLAN routing? I am afraid that the PC will not get the frames of a different VLAN since they are still tagged. I am not sure. As you mentioned, the whole powerline network will be a trunk for dot1x to work.
The powerline network, as far as I know, is a mesh network at the link layer. They can communicate with each other if they reach each other.
Even though I do not want to do that, is it possible to install a virtual switch and do this VLAN tagging/untagging on the PCs/laptops that are directly connected to the powerlines? I know that I can do this on Linux machines, but some of them are Windows machines.
If you already have the powerline network up… RouterOS has a virtual machine “CHR” (which has a free edition) to test it before getting real hardware. I’d have to imagine powerline presents as a switch on the Ethernet side, so RouterOS and Dot1X should be able to identify a particular/unique MAC address. And, I believe, MAC-based VLAN should work with Dot1X; it’s RADIUS where the VLAN assignment is not possible. I could be wrong, which is why I suggest using CHR to test.
I do know VLANs should work over powerline - it acts like a dumb switch, so it should pass tagged/untagged packets - but the exact interaction of Dot1X and your use case, IDK. Since you cannot untag on a “remote” powerline adapter (i.e. not one connected to RouterOS), I’m not sure Dot1X helps you.
Under Windows, if you only need to access one (tagged) VLAN, most network adapter drivers have a setting to enter a single VLAN ID (see the screenshot at the top of that article). Many adapters from Realtek and the pro lines from Intel have additional tools to give access to more tagged VLANs.
Even if your network adapter doesn’t have such feature, if you have a non-Home version of Windows (Pro, Enterprise, etc) that has support for Hyper-V, there is always the ability to setup the Hyper-V virtual switch and add as many virtual adapters as you want, one for each tagged VLAN. The article above also describes how to do that (section Create Multiple VLANs with Windows Hyper-V Role). You don’t need to fully turn on Hyper-V for that, only need to enable the virtual switch.