I have a setup like this:
2 APs with 2 wlan and one ethernet interface for clients (default forward is off on the wlan interfaces).
All these interfaces on the AP are bridged together with an EoIP tunnel which goes to my office location, where I set up a hotspot on a bridge with two EoIP tunnels coming from my APs.
On the APs I put horizon=1 on all AP interfaces and horizon=2 on the EoIP tunnel.
In the office I put horizon=1 on both EoIP tunnels.
Is this setup good, or should I add some firewall rules or something else?
The Horizon option only works locally on the router; it does not translate over to another router. On your APs you shouldn’t have to worry about placing a horizon since you have the wireless interface bridged with an EoIP tunnel; as long as the bridge itself does not have an IP assigned to it, the guest should not be able to talk to the AP. Be sure to turn off “default forwarding” as well so clients can’t talk to each other over the AP itself.
Where the EoIP tunnel terminates is where you want your horizon option for the bridge, since this is in theory where clients can talk to each other, and you said both of those interfaces had the option set to 1, so that’s all you should need to worry about.
If you wanted to, you could create a failover/load balancing setup on another router and have them both running, but since the router is capable of it, why not have both of those things running on the same router? As long as you have enough free CPU time there’s no performance hit to do so. Search the forums for PPC with Hotspot; we have a similar setup on over 50 routers running fine.
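A RouterOS configuration for the layout this answer describes (horizon applied where the EoIP tunnels terminate, default forwarding off on the APs), added here as an illustration and not taken from any post in the thread; interface names, tunnel IDs and addresses are assumptions:

```routeros
# --- On each AP (assumed names: wlan1, wlan2, ether2 for guest clients) ---
# Stop clients talking to each other through the AP radio itself
/interface wireless set wlan1 default-forwarding=no
/interface wireless set wlan2 default-forwarding=no
# Tunnel to the office; tunnel-id must match the office end (AP2 would use 11)
/interface eoip add name=eoip-office remote-address=192.0.2.1 tunnel-id=10
# Guest bridge: no IP address on it, so guests cannot reach the AP
/interface bridge add name=bridge-guest
/interface bridge port add bridge=bridge-guest interface=wlan1
/interface bridge port add bridge=bridge-guest interface=wlan2
/interface bridge port add bridge=bridge-guest interface=ether2
/interface bridge port add bridge=bridge-guest interface=eoip-office

# --- On the office hotspot router (192.0.2.1) ---
/interface eoip add name=eoip-ap1 remote-address=192.0.2.11 tunnel-id=10
/interface eoip add name=eoip-ap2 remote-address=192.0.2.12 tunnel-id=11
/interface bridge add name=bridge-hotspot
# Same horizon value on both tunnel ports: a frame received on one port is
# never forwarded to another port carrying the same horizon value.
# Horizon is local to this router; it is not carried across the tunnel.
/interface bridge port add bridge=bridge-hotspot interface=eoip-ap1 horizon=1
/interface bridge port add bridge=bridge-hotspot interface=eoip-ap2 horizon=1
# Belt and braces: also drop any frame forwarded between the two tunnels
# (the bridge filter rule the original poster found necessary)
/interface bridge filter add chain=forward in-interface=eoip-ap1 out-interface=eoip-ap2 action=drop
/interface bridge filter add chain=forward in-interface=eoip-ap2 out-interface=eoip-ap1 action=drop
# Hotspot lives on the bridge, so the bridge carries the gateway address
/ip address add address=10.5.50.1/24 interface=bridge-hotspot
/ip pool add name=hs-pool ranges=10.5.50.10-10.5.50.250
/ip dhcp-server add name=hs-dhcp interface=bridge-hotspot address-pool=hs-pool disabled=no
/ip dhcp-server network add address=10.5.50.0/24 gateway=10.5.50.1
/ip hotspot add name=guest interface=bridge-hotspot address-pool=hs-pool disabled=no
```

To confirm isolation, ping from a client behind AP1 to a client behind AP2 and check `/interface bridge filter print stats` for the drop counters rising.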
Khm, with that setup users were able to see each other; when I added a filter rule to drop traffic between the bridge, they stopped sharing and seeing each other.
Yes, I now have everything set up on one router, but what happens if this router fails? This is why I need a failover and load balancing setup, so no or minimum downtime is what users get.
Maybe I misunderstood your setup then. If you could post a diagram that would be more helpful in visualizing your setup.
For active failover, you can try out VRRP; however, I’m not sure how well it will work with hotspot. With VRRP, routers do not share state information. So if the main router fails and the other one kicks in, people are going to have to sign in again and reestablish any sessions they had open, etc. You’ll also want to make sure you have a big enough DHCP pool (address space is free, so this is no problem) because it may or may not decide to dynamically NAT them to another IP on switch over as well.