What’s the best way to separate Access Points from Wi-Fi users? The goal is so that Wi-Fi users don’t know the IPs of Access Points, and don’t try to tinker with them…
So far the only way I figured out was to assign one more address to the Eth2 Wi-Fi interface, so I have 10.10.1.1 and 10.10.2.1 addresses. .1 is for Wi-Fi users, and the .2 is for APs.
Is this correct? The 2 IPs on a single interface won’t cause any problems for me?
Ideally you would use VLANs for this. Create a management VLAN, and a customer VLAN. Run both to the AP. Create an IP address on the management VLAN network on the AP, and bridge the customer VLAN to its radio.
Then filter via the firewall between the two networks like Tim suggested. If you just overload the two IP networks on the same physical interface malicious users can still sniff broadcast traffic and figure out the management IP space used, assign themselves a manual IP address and then talk to the AP. You have to separate the two networks on layer 2 for true separation, and for router side filtering to be effective.
I see. Yes, that’s where I’m slowly heading: VLANs. As soon as I figure out all the Queues stuff that you’ve been helping me with.
I’m not too concerned about security of APs as they have strong username/passwords, so for now I will probably assign two IPs to the same physical interface.
I was just worrying that having two IPs on a single physical interface may cause issues of some sort…
It doesn’t cause issues as such, but it doesn’t really add any security other than a tiny bit of obscurity that wouldn’t deter anyone looking even a little deeper than just the surface.
I tried following your instructions on how to separate Wi-Fi users from APs, but can’t get it to work.
I also tried following these instructions, but I have RB450G, so no Wi-Fi card inside.
Let’s say ether1 is where you will plug the AP in. Create two VLAN interfaces for VLAN ids 10 and 20, tie them to ether1. Set up the Hotspot on the VLAN 10 interface. This is for users. Set up some IP network on the VLAN 20 interface, this is for management. Add the same VLAN interfaces on the 433. Add an IP address on the same network on the VLAN 20 interface. Bridge the VLAN 10 interface with the WLAN interface. On the 750 set firewall rules that prevent the IP space on the two VLANs from talking to one another. Now it is impossible for Hotspot users to even see the AP from a management perspective. While optional that’s definitely best practice.
I got WAN on Eth1, Wi-Fi LAN on Eth2.
I set up the 2 VLANs, assign them IP addresses from 2 different subnets, then set up a DHCP server on vlan 10 (my wifi vlan), and a HotSpot on vlan 10. After that I create Bridge1 and add vlan10 and vlan20 to it (in Ports).
If I plug my laptop in Eth2, it doesn’t give out an IP address. The only way I was able to get it to give out an IP is to set up a DHCP server on Bridge1 instead of vlan10.
Please help. I think I’m either not bridging correctly (do I need to add Eth2 to it, or just 2 vlans?), or missing some other step.
If you bridge the management VLAN and the Hotspot VLAN the entire thing becomes pointless. The whole goal is to NOT have management and users on the same network. Bridging puts things on the same network.
What is your physical layout, and what are you trying to achieve with what hardware?
lol, yes duuh... I shouldn’t have bridged the wifi and mgr VLANs.
My goal is to separate Wi-Fi users from the APs.
I got an RB450G. Cable modem is on Eth1, switch with APs is on Eth2.
Wi-Fi subnet is 10.10.15.0/24
APs are set up with 10.10.16.0/24 static IPs
Also, I have a PC with Dude on it to monitor APs. That PC is plugged in to the “Internet Cafe” LAN which is on Eth3, which means that Eth3 should be able to reach APs which are on vlan20.
I got this far:
created vlan10 and vlan20 on Eth2
set up IPs for “Wi-Fi” vlan10 (10.10.15.1/24) and “MGR/AP” vlan20 (10.10.16.1/24)
set up a DHCP server on vlan10 to give out IPs from 10.10.15.0/24 to Wi-Fi users
set up Hotspot on vlan10
That’s it so far.
What else do I need to do to make this work? And what do I bridge with what? I haven’t used “bridge” before, so some steps would help a lot.
Are the APs and the switch you have VLAN capable? That’s a requirement - if you don’t have that this will not work at all and you cannot separate traffic via VLANs.
You then plug the switch into ether2 and on the switch create VLANs 10 and 20. You do the same on the switchports the AP plugs into. On the AP, you put an IP address on the management VLAN interface so you can reach it through the management VLAN. You bridge the AP radio to the user VLAN on the AP - the AP is the only place where bridging happens in order to extend the wired user VLAN to the radio on the AP.
On the router you implement firewall rules that block the user VLAN from talking to the management VLAN. You can do that by IP space or by in-interface and out-interface in the forward chain. That’s also where you ensure that whatever network the Dude server is on is permitted to talk to the management VLAN. Because the two VLANs are different networks with the layer 3 hop (the gateway) residing on the router, devices on the two VLANs have to pass traffic through the router and have it route between the networks in order to reach the other network, so blocking that traffic from being passed on the router isolates the two networks from one another.
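The VLAN design in the two posts above, written out as RouterOS commands for the RB450G layout given in this thread (ether1 = WAN, ether2 = trunk to the VLAN-capable switch, ether3 = “Internet Cafe” LAN with the Dude server). This is an added example, not configuration from any poster; the 10.10.17.0/24 subnet for ether3 and the interface, pool and server names are assumptions.

```routeros
# Added example: VLAN separation of Wi-Fi users (VLAN 10) from AP management (VLAN 20).
# Assumed: ether3 LAN is 10.10.17.0/24; all names below are chosen for this example.

# Two tagged VLANs on the trunk port; the switch and APs must carry the same tags
/interface vlan
add name=vlan10-wifi vlan-id=10 interface=ether2
add name=vlan20-mgmt vlan-id=20 interface=ether2

# One router address per VLAN; nothing on the untagged ether2 itself
/ip address
add address=10.10.15.1/24 interface=vlan10-wifi
add address=10.10.16.1/24 interface=vlan20-mgmt
add address=10.10.17.1/24 interface=ether3

# DHCP and Hotspot only on the user VLAN; the APs keep their static 10.10.16.x addresses
/ip pool
add name=wifi-pool ranges=10.10.15.100-10.10.15.254
/ip dhcp-server
add name=wifi-dhcp interface=vlan10-wifi address-pool=wifi-pool disabled=no
/ip dhcp-server network
add address=10.10.15.0/24 gateway=10.10.15.1 dns-server=10.10.15.1
/ip hotspot
add name=wifi-hotspot interface=vlan10-wifi address-pool=wifi-pool disabled=no

# Forward chain: the router is the only layer-3 hop between the two VLANs, so
# dropping inter-VLAN traffic here is what isolates them. Rules match top-down.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether3 out-interface=vlan20-mgmt action=accept \
    comment="explicit allow: Dude LAN may reach the APs"
add chain=forward in-interface=vlan10-wifi out-interface=vlan20-mgmt action=drop \
    comment="Wi-Fi users must not reach the management VLAN"
add chain=forward in-interface=vlan20-mgmt out-interface=vlan10-wifi action=drop \
    comment="and nothing on the management VLAN initiates towards users"

# Input chain: the router's own SSH and Winbox are not for hotspot users either
# (port 80 stays open on this VLAN because the hotspot login page needs it)
add chain=input in-interface=vlan10-wifi protocol=tcp dst-port=22,8291 action=drop \
    comment="no SSH/Winbox from the hotspot VLAN"
```

Verify with `/ip firewall filter print stats` while pinging 10.10.16.x from a Wi-Fi client: the drop rule's packet counter should climb and the ping should fail, while the same ping from the ether3 LAN succeeds.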
I see.
The switch I’m using is a Dell managed switch which goes to another Linksys non-managed switch. I’d rather not try to figure out how to deal with VLANs on that Dell switch… APs that I’m using are Ubiquiti Piko
The guy that set it up before me, who was better with Mikrotik, did not have any VLANs set up on the switch or APs. He set up APs on 10.10.16.0/24 and Wi-Fi users on 10.10.15.0/24, and Wi-Fi users were unable to get to 10.10.16.0 network unless they set up a static IP on their Wi-Fi NIC.
Also, he had set up Eth3, where I have the Dude computer, to be able to communicate with the AP 10.10.16.0/24 subnet (Eth2). How is this done?
Since I can’t use VLANs on the switch, or APs, what’s my next best option in making this “a little bit more” secure?
No. Maybe read something like http://www.ipprimer.com/overview.cfm to get a better understanding of how TCP/IP and routing work. They’re two networks directly connected to a router, so it’ll pass traffic between the two unless configured not to. Check firewall filters, check that the devices on the respective networks have routes (probably default gateways), that kind of stuff.
If you’re new to all this, better off keeping it as simple as possible.
Yes, have two networks on your ether2 - no problem, but I guess you just want to keep the WiFi clients from messing with the APs - just change the passwords on the APs…
Set ether2 with 10.16.0.1/24. Set all the APs to use 10.10.16.1/24 as their gateway.
Set up a HotSpot on ether2.
When you get to the DHCP part, make sure the DHCP pool is 10.16.0.100-10.16.0.254, so the WiFi clients will not get an address below 10.16.0.100.
Add the MAC addresses of the APs under HotSpot-Bindings as ‘bypassed’.
This will allow you access to the APs through the HotSpot.
WiFi Clients will hit the HotSpot and Splash Page.
(I’m assuming that the APs are in Bridge Mode and pass the WiFi client’s MAC through correctly.)
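The flat-network fallback from Adrian’s post above, as added example commands rather than his own. It assumes the thread’s 10.10.16.0/24 subnet on ether2 (Adrian’s text mixes 10.16.0.x and 10.10.16.x) and uses placeholder AP MAC addresses; note that, as fewi explained, this only fixes reachability and splash-page handling, since Wi-Fi clients still share the same layer-2 segment as the APs and only the AP credentials stand between them.

```routeros
# Added example: single subnet on ether2 with the APs bypassed in the Hotspot.
# Assumed: subnet 10.10.16.0/24; AP MACs below are placeholders, not real devices.

/ip address
add address=10.10.16.1/24 interface=ether2

# Users get .100-.254 only; the APs keep static addresses below .100
/ip pool
add name=wifi-pool ranges=10.10.16.100-10.10.16.254
/ip dhcp-server
add name=wifi-dhcp interface=ether2 address-pool=wifi-pool disabled=no
/ip dhcp-server network
add address=10.10.16.0/24 gateway=10.10.16.1 dns-server=10.10.16.1
/ip hotspot
add name=wifi-hotspot interface=ether2 address-pool=wifi-pool disabled=no

# The hotspot treats every host on ether2 as an unauthenticated client, which is
# why the Dude server's pings to the APs were being dropped. A bypassed binding
# exempts the AP MACs from the login page so ether3 can reach them.
/ip hotspot ip-binding
add mac-address=AA:BB:CC:00:00:01 type=bypassed comment="AP 1 (placeholder MAC)"
add mac-address=AA:BB:CC:00:00:02 type=bypassed comment="AP 2 (placeholder MAC)"
```

`/ip hotspot host print` afterwards should list the AP MACs as bypassed while ordinary Wi-Fi clients still appear as regular hosts until they log in.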
Adrian! Thank you so much for solving my problem! I was trying to tackle it for the past 2 days, and the HotSpot was blocking ping from my Dude to the APs!!! It’s working now.
Fewi, thank you as well for providing a detailed explanation of what I should study more and the “ideal solution”.