A few days ago I have set up a hotspot on large distributed vlan with different WiFi hardware in it.
Everything is working fine, except some thing: I want to manage my hardware in that vlan.
But I can’t get to it, not from my mt router, not from remote locations.
Tried to use hs-unauth firewall chain to enable access, but with no luck. Hotspot is making ARP spoofing and replacing MAC addresses of devices located in hotspot vlan.
E.G. I have 10.10.100.0/24 for hotspot, and 10.10.200.0/24 for my devices, how can I write a firewall exception for them, so I can manage them without disabling hotspot?
Or maybe I can make an exception for subnet for hotspot to not replace MAC addresses?
I do know about this possibility, but there is no way to divide them into different vlans.
For example I have some simple home TP-Link routers connected via lan ports, some old D-Link APs, many ubnt hardware.
They all are in this vlan, and I want to manage them.
This is what I do when I have no choice (not proud of it).
So lets say my hotspot vlan ip range is 172.20.1.0/24 and my devices vlan is 192.168.1.0/24.
If i have some AP’s that are not vlan aware and they have to serve only hotspot stuff, i put them on the hotspot vlan with the IP of the the devices vlan (e.g. 192.168.1.20 ).
Then I find that IP in the hosts tab on hotspot, make it binding and make the to-address the same as the actual ip (192.168.1.20 in this case) and make binding.
Once thats done, I add a static route that says dst-address=192.168.1.20 gw=vlan-hotspot.
Thank you very much, friend, its working! I don’t think this is very bad solution.
Now I can see all my devices listed in bindings, and can add/delete from there.