Secure vlan trunk and wisp

Must first admit im totally new to MT and have looked through some documentation, but im still some confused. Have used Cisco Aironet series for bridging, AP and repeater for some years now and with the latest IOS versions many things can be done easily.

If we want to trunk some vlans its done by first creating a native vlan where the AP/Bridge management ip is set. To this vlan we create a infrastructure ssid then encryption for this ssid. After this we must create the vlans we want to bridge in the trunk. Transparent bridging is not an option (?) on Aironet.
Mostly we configure all our Cisco devices as RootBridge-with clients or NonRootBridge with clients. Then we also can broadcast a hotspot vlan with a ssid. If we create a ssid to a vlan in the trunk this will no longer use the native vlans encryption, so you must make a new proper encryption if you want.

I suppose something similar can be done with MT, but how? The term VirtualAP maybe the answer?
Our goal is to secure bridge our corporate vlans but we want to let an ISP to use our infrastructure for private customers also. They will use PPPoe and we have created a vlan for them in our network infrastructure.
We use Witelcom Dragon II (Atheros) 5ghz equipment with MT RouterOS onboard. Some of them has two radiochips with a omni hotspotantenna and flatpanel for point to point. We will also let cusomers use the trunk flatpanels if possile.

How about using EoIP- within IPSec-tunnel?

Actually EoIP was the solution suggested from one source, but do MT support all we need or will we have to have more “boxes”?. Configuration examples for trunks are welcome

I wouldn’t use VLAN-trunks, but directly terminating the IPSec/EoIP-tunnel at the customer, similar to an ATM-PVC. On the AP side it should be possible to group the virtual-AP and the EoIP-tunnel within one particular bridge.

But it depends on the real demands…

I agree that something like EoIP-over-IPsec would be the most secure setup if you really want to run corporate
and external users over one shared infrastructure and need to maintain intra-site Layer 2 connectivity.

What I understand from sorvar’s description of his network there is actually no encryption on the wired (Ethernet)
links in his current setup, just plain 802.1q VLAN trunks. Encryption only happens on the wireless parts of the
network, but the wired links connecting the wireless clouds to each other are not secure?

If you want to keep using this design, it is possible with RouterOS.
You’d have to setup virtual access points (one per SSID, with encryption as needed) and VLAN interfaces on the
ethernet (wired) links, then you can create bridges (one per VLAN/SSID) to bind the virtual accesspoints to
their corresponding ethernet VLANs.

Here are some configuration fragments for a setup using two VLANs (70 and 71).

First, the VLAN interfaces on the ethernet side.

/ interface vlan
add name="ether1-vlan70" mtu=1500 arp=disabled vlan-id=70 interface=ether1 \
    comment="" disabled=no
add name="ether1-vlan71" mtu=1500 arp=disabled vlan-id=71 interface=ether1 \
    comment="" disabled=no

(Physical interface ether1 is the 802.1q trunk).

Now the virtual access points, defined on top of the physical interface wlan1

/ interface wireless
add name="wlan1-vlan70" mtu=1500 mac-address=02:90:4B:DC:06:96 arp=disabled \
    disable-running-check=no master-interface=wlan1 ssid="wlan1-vlan70" area="" \
    max-station-count=2007 wds-mode=disabled wds-default-bridge=none \
    wds-default-cost=100 wds-cost-range=50-150 wds-ignore-ssid=no \
    default-authentication=yes default-forwarding=no default-ap-tx-limit=0 \
    default-client-tx-limit=0 hide-ssid=no security-profile=default comment="" \
    disabled=no
add name="wlan1-vlan71" mtu=1500 mac-address=02:90:4B:DC:06:97 arp=disabled \
    disable-running-check=no master-interface=wlan1 ssid="wlan1-vlan71" area="" \
    max-station-count=2007 wds-mode=disabled wds-default-bridge=none \
    wds-default-cost=100 wds-cost-range=50-150 wds-ignore-ssid=no \
    default-authentication=yes default-forwarding=no default-ap-tx-limit=0 \
    default-client-tx-limit=0 hide-ssid=no security-profile=default comment="" \
    disabled=no

and finally the bridges

/ interface bridge
add name="bridge70" mtu=1500 arp=enabled stp=no priority=32768 ageing-time=5m \
    forward-delay=15s garbage-collection-interval=4s hello-time=2s \
    max-message-age=20s comment="" disabled=no
add name="bridge71" mtu=1500 arp=enabled stp=no priority=32768 ageing-time=5m \
    forward-delay=15s garbage-collection-interval=4s hello-time=2s \
    max-message-age=20s comment="" disabled=no
/ interface bridge port
add interface=ether1-vlan70 bridge=bridge70 priority=128 path-cost=10 \
    comment="" disabled=no
add interface=wlan1-vlan70 bridge=bridge70 priority=128 path-cost=10 comment="" \
    disabled=no
add interface=ether1-vlan71 bridge=bridge71 priority=128 path-cost=10 \
    comment="" disabled=no
add interface=wlan1-vlan71 bridge=bridge71 priority=128 path-cost=10 comment="" \
    disabled=no

If you need IP addresses on top of that, put them on the bridge interfaces.


–Tom

i do completely agree. very good explanation.

Our goal is to secure bridge our corporate vlans

leads me to suggesting IPSec. (and i do like tunnels

Many thankx to you guys
Ipsec and Eoip would be preferred but as you mentioned we do not currently use encryption on our wired side of the trunk.
Will try to test some configuration with virtual AP today.

Is it actually needed to create a ssid for each vlan we just want to bridge from wired to wired side? Wouldnt it be enough to have a ssid to the master interface and set encryption on this? In the configuration example i see you must do it this way by using virtual ap for each vlan. What about creating vlan wireless interfaces and bridge form eth vlans to wireless vlans (Cisco method)? The only other vlan we must have a ssid to is to the WISP customers.

Maybe a dumb question but when i create vlans how can i reach the ip on the APs? Is they by default on vlan 1? I need them on another vlan
Suppose i can create a vlan trunk on the wired side and plug my pc in there for connectivity but then i have to drive 40km to do this.. There are some routing to the first radiohop.

If you want your clients to be layer 2 members of that VLAN, then yes, you will need a seperate SSID / Virtual AP to be paired with each VLAN.
If some of the VLANs you’re transporting on the wired links have no connection whatsoever to wireless clients, then of course you do not need to setup a wireless interface / SSID / virtual AP for them. Just define them on the wired ethernet interfaces where they’re needed and that’s it.

The master interface (wlan1 in my examples) is not special in this regard. It’s just the place where you can set the physical 802.11 attributes of the link, like frequencies, power etc. Other than that, the virtual AP interfaces are basically the same.

I think there is no such thing as a “vlan wireless interface”. What would that be? I must admit that I’ve never tried something like your setup on Cisco equipment myself, but even on Cisco I don’t see what a “vlan wireless interface” should be? It might be possible that Cisco can transport an 802.1q VLAN trunk transparently over a radio interface, making it work just like a wired ethernet interface in 802.1q trunk mode - don’t know, but I think that’s not what you’re asking for and not what you’re running now.
Given the fact that a normal wireless client does not know anything about VLANs and will not be able to send/receive 802.1q tagged frames over the radio, I don’t see something like “vlan wireless interfaces” to be possible.
Therefore the SSID (mapped to virtual AP interface) is the only differentiator to separate multiple wireless networks.

See above. If you don’t need to mix wired and wireless clients within one VLAN, then you will not need any wireless setup for that VLAN.

There are no special management addresses or management VLANs on RouterOS by default. You may add as many IP addresses on whichever interfaces you like, and then you’ll be able to connect to you AP on that addresses (but use the RouterOS firewall!)

A word of caution: Always keep in mind that your RouterOS access point is a full-featured router. In a setup like the one we’re discussing, once you begin to configure more than pure layer 2 on your AP and start to add IP addresses to more than one of your interfaces (be they bridge interfaces, VLAN interfaces or wireless interfaces) you’re facing the risk to kind of “short-circuit” the VLAN separation with the routing functionality of the AP, i.e. you might create a setup where two VLANs that are supposed to be strictly seperated can talk to each other via routing!
Always be aware of that and carefully use the RouterOS firewall to prevent this if required (try using in-interface and/or out-interface in filter rules within the forward chain).

–Tom

Hi again!

Wasnt able to test anything today since every PoE adapters were blown due the weekend An offline UPS isnt enough to protect equipment if longer high or low voltage spikes take place…

When i mention wireless vlans on Cisco bridges they are created when you assign a vlan to the bridge. Bellow is a bit from a Aironet BR1310 config:

interface Dot11Radio0
no ip address
no ip route-cache
!
ssid ap_infrastructure
vlan 999
authentication open
authentication client username wb-181 password xxx
infrastructure-ssid
!
cca 0
concatenation
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
rts threshold 4000
power local cck 20
power local ofdm 20
antenna receive right
antenna transmit right
station-role root-bridge
!
interface Dot11Radio0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
bridge-group 3 spanning-disabled
!
interface Dot11Radio0.4
encapsulation dot1Q 4
no ip route-cache
bridge-group 4
bridge-group 4 spanning-disabled
!
interface Dot11Radio0.999
encapsulation dot1Q 999 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
!
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0.3
encapsulation dot1Q 3
no ip route-cache
bridge-group 3
!
interface FastEthernet0.4
encapsulation dot1Q 4
no ip route-cache
bridge-group 4
!
interface FastEthernet0.999
encapsulation dot1Q 999 native
no ip route-cache
bridge-group 1

The 0.3,0.4 etc interfaces are VLAN interfaces. Currently we have 8 vlans bridged, but i removed them in the example above. Cisco calls this VLAN over Wireless . “This feature defines 802.1q VLANs for wireless LANs, using a VLAN identifier in the Ethernet frame. Up to 16 VLANs, one per SSID, are supported”. Actually you dont have to assign an SSID if you just want to bridge the VLAN.

Unlike Cisco, there isn’t a need (or a way) to designate a VLAN/SSID as “native”, but the rest is easy.

You need to be using Atheros cards, but that is the only “special” requirement.

Just add VLANs to your ethernet interfaces, and VirtualAPs to your wireless cards. Create a number of bridges, and place a VLAN and a VirtualAP in each. When I set stuff like this up, I avoid bridging the “parent” interfaces, since it can get tricky, and just tends to confuse matters when techs look at them.

Each VirtualAP can have it’s own SSID, MAC address, security profile, and WDS configuration. Each can also be subject to seperate firewall and queuing rules, along with all the other MT goodies.

You can setup one with WEP encryption, Radius MAC authentication, PCQ queuing, and a hidden SSID, for fixed customers.

And another with a visable SSID, no MAC authentication, no encryption, and a hotspot interface, for mobile customers.

And another with WPA2 encryption, local MAC authentication, a hidden SSID, an obfuscated MAC address, and fixed WDS, for bridging.

And so on…

–Eric

Many thanx again for many useful tips

Have now tried some configurations but i have another question. We have a topology like this:
LanSwitch - MT AP — MT Bridge - MT AP ---- MT Bridge - LanSwitch

The switches are Cisco catalyst 2950 with ports in trunk mode. In the middle are a tower with two MT APs connected. The trunk traffic passes through without problems, but i need to reach all APs for management on Vlan 40. How to do this? Have tried to create a vlan 40 interface on ethernet1, but cant connect to it. Have also tride to set an ip on this vlan interface and also to a new created bridge 40 without success. Actually i tried to create a vlan 40 interface to wlan1 also for the same bridge 40. Probably im doing something wrong, but what?

Hello Sorvar!
Have you solved this problem?
If not, send me an email to address:
periksson[at]roamingwire.com

/Paul

A mail is sent
Vlans and MT seems to be something complicated if you got special needs in a Cisco infrastructure. Sadly the Aironet 1400 series isnt available in Norway. The 1300 series fits our requiremens, but that supports only 802.11b/g and isnt usable on the distances in this case because of regulatory causes (100mW eirp). On the 5,8ghz band we are allowed to have 4Watts on PtP links.