I’ve been thinking I would really like to hear how people have overcome these situations which I can see occurring on my network. Also I have a few questions about progressing forward.
Current Setup:
RB800 - UM database (central database for all hotspots)
Hotspot - RB450G used with hotspot configured, HTTP PAP login used only (checked against the central database). Cisco C2950G-48-EI 2950G managed switches - VLAN 1 for clients, VLAN 2 for my APs - client isolation on the switch & on my APs
Hotspot DHCP gives out IPs in the range 10.5.50.XXX-10.5.50.XXX
My APs work on 192.168.1.XXX-192.168.1.XXX
All clients are NAT’d
All VOIP data is bypassed through the hotspot. I would like to provide public IPs in the future to all clients.
Diagram:
The idea behind the network setup:
Basically, the main aim is to get ‘easy access’ for everyone to my service - hence no wireless password or PPPoE.
What currently happens:
At the moment if client connects to;
My AP or an Ethernet cable - they get to the login page and use their account - for every device connected to that AP.
If a client plugs in their own AP (i.e. OM1P) - they get to the login page and use their account - for every device connected to that AP.
If a client plugs in their own router (i.e. D-Link DIR655) - they get to the login page and use their account - BUT because the hotspot is taking the MAC address of their router, any device behind it (since it’s running its own DHCP server) can get access for free once the first user has logged in. Problem
So the problem:
Right now, I cannot find a way of protecting what is happening if/when a user plugs in their own router. The only thing I can think of is to bind their MAC address to one machine, but that’s still not perfect as that MAC could be from their router.
The diagram shows (on the left) the typical way in which a client connects. On the right shows the problem client ‘stealing’ access by using only one login.
So does anyone have any idea how to overcome this problem?
Side issues:
I would like to add a layer of security between my RBs - and I was thinking PPPoE authorisation; but I’m not sure if it would be worth doing so and really how to go about it as I’ve never used PPPoE.
At the moment, my firewall blocks anything I don’t manually enter in the ‘trusted ip’ - is this enough?
Secondly, I would like to start providing service to households, but for this, the hotspot model doesn’t really work as it would be a post-paid method of billing rather than pre-pay.
b) If possible I would like to still use UM to manage this or would I have to switch to something like http://www.tekradius.com/?
c) Also would this be a case of using PPPoE between the client and my central database or authorise the client?
d) What would be the best way of handling these clients’ public IPs for future usage? (**See below)
e) I need to find an easy way to divert customers that don’t pay to a payment page
I believe there is no current RB product which can isolate clients like the Cisco switch, is that correct? Because I’ve heard on here that changing the horizon level of each client would have the same effect?
Bringing forward another post, Xbox Live: other than creating a bypass for it, is there any way to get around the HTTP login even using a device between it and my network?
Something that annoys me is the fact that I cannot see my APs on my RB. The RB must be giving out DHCP IPs but I cannot see them in the address pool. Is there any way to get this to report/show correctly?
I’m thinking about using a Butch Evans QoS script for each RB450G - would this be advisable? I’ve tried to configure QoS rules within the Hotspot, but I simply cannot get it to work correctly, so I’m using queues with priority. The more I think about it, the better it would be to have a PCQ type to give each user an equal share, but ideally if 20 users are connected, but 18 users have spare capacity, it shouldn’t be reserved but rather given to the users who actually need it until.
Public IPs - I’ve been thinking, to solve this issue, of using IPv6 on my network, but could someone confirm or suggest if this would work using my setup? And are there any guides for using hotspot with IPv6?
Thank you.
Here are some short answers. You are asking a LOT of questions, and exhaustive answers would take upward of two hours to type up.
NAT (well, PAT) intentionally hides anything behind it. That is how it works. The only workaround I am aware of is using the IP firewall mangle facilities to set the TTL on all packets sent into the network behind the router to 1. Any host that receives it processes the packet as usual. Any router that receives it decrements to 0 and discards the packet. Not entirely perfect as any router could be configured to just increase the TTL, but few people will figure that out (and they will have, in my opinion, earned their right to run a router). I run this on networks where we sell service that in the terms of service rules out customer routers. It works well.
Side issues:
I don’t understand what you’re trying to secure
PPPoE works well for this
b) a “grown up” RADIUS server would be a good idea. FreeRADIUS is very powerful, and free. Takes some learning but it is manageable
c) yes
d) just assign them a public IP. The router will have a dynamic connected route to the /32 they get via their PPPoE tunnel interface. Just make sure the pool that you assign the public IP from can be found by other routers on that router (OSPF?) and you’re golden
e) http://wiki.mikrotik.com/wiki/Payment_Reminders
no MT product can do this. Use a dedicated switching platform for advanced switching tasks. Mikrotik makes great routers, their switches are - sorry MT - toys.
no
don’t understand the problem, please give more details
the biggest problem with Hotspots is that they redirect all web traffic (arguably the majority of traffic the normal user consumes) to themselves, so everything is now in the output chain rather than in forward. Read my presentation from the 2010 US MUM to see workarounds. It also discusses how to use queue trees. By default Hotspots use simple queues, which are - well, simple. Queue trees are far more flexible. Do investigate Butch’s stuff, he knows a LOT about QoS. But - I may be mistaken - I don’t think his solution is for Hotspots, so be aware that it may take a bit of work to get it to fit a Hotspot model.
the hotspot fundamentally works by means of NAT. At the very least unauthorized users must be redirected to the login page, and this is - at least in MT’s model, and that is the most efficient model by far - achieved by NAT. IPv6 has no concept of NAT. MT has announced that they will come up with an IPv6 Hotspot solution, but nothing is known beyond that statement. No road map or dates. For all intents and purposes IPv6 cannot be intercepted by a Hotspot and packets will just flow. I run IPv6 on my home network where I have a guest Hotspot. IPv4 is processed as you’d expect (login page), IPv6 doesn’t get affected. If you need IPv6 and authentication use PPPoE, but of course that is not suitable for ad hoc customers.
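As an added example (not configuration from the thread or its participants), the PPPoE model from answer d) above, with a public /32 per household and the resulting connected routes advertised to the other routers via OSPF. The 203.0.113.0/24 documentation range, the customer-facing port `ether2`, and the names used are assumptions.

```routeros
# Added example, not from the thread: post-paid households authenticate with
# PPPoE and each session receives one public address from a pool.
# Assumptions: public range 203.0.113.0/24, customer port ether2, RouterOS v6 syntax.

# Pool of public addresses handed out to PPPoE sessions
/ip pool add name=pool-public ranges=203.0.113.10-203.0.113.250

# Profile: router side uses 203.0.113.1, customer side gets a pool address,
# and a given username may hold only one session at a time
/ppp profile add name=pppoe-public local-address=203.0.113.1 \
    remote-address=pool-public only-one=yes

# Per-customer credentials checked locally (move these to RADIUS later)
/ppp secret add name=house01 password=CHANGE-ME service=pppoe profile=pppoe-public

# PPPoE server on the customer-facing port; one-session-per-host refuses a
# second session from the same MAC address
/interface pppoe-server server add service-name=isp-pppoe interface=ether2 \
    default-profile=pppoe-public one-session-per-host=yes disabled=no

# Each active session creates a dynamic connected /32 route on the tunnel
# interface; redistribute connected routes so other OSPF routers learn them
/routing ospf instance set default redistribute-connected=as-type-1

# Check: while house01 is connected, a dynamic /32 route for its address exists
/ip route print where dynamic=yes dst-address~"/32"
```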
Thanks for your reply. I do understand a ‘full’ answer would take a long time. I was more so looking for an overall view on it.
Very good idea on the TTL to help remove the router issues - I’ll give that a test. But will that affect wireless users (which are on the same network)?
My idea of using PPPoE between the RBs is just to add a layer of security between them and also prevent any authorised units added to the network.
On a side note, I was thinking I could actually use this as a stepping stone to have households on the network and authorised by PPPoE.
2b) Can you recommend any mature RADIUS servers (ideally Windows/OS X based, or one which has a very good UI)?
2c) If I use PPPoE would IPv6 be suitable as it is now on ROS? This would help the NAT issues since I don’t have access to public IPs.
OK, to help explain this one (I’ll refer to the diagram in my first post). At the moment I can connect my APs (EAP9950) to either the Cisco switch or the RB450G. Each AP is configured to work on VLAN2 on the LAN port. On the wireless SSID they have been configured to VLAN1 (so the client gets an IP address from the hotspot portal).
As of now, I can see each client get an IP from the hotspot DHCP server; but I cannot see the AP on the RB despite it getting a DHCP IP assigned.
I’ll keep reading on the QoS, although I think it’s currently beyond my skill level to get it working with hotspots.
Since posting I’ve actually been running a dual-stacked network (IPv4/IPv6) so each client is getting both IPs. I guess I will have to disable it now if it can be passed through by simply disabling the IPv4 DHCP from the client’s end.
It really would be nice if MK could come out with an IPv6 hotspot - but I guess they’ve got their work cut out for now.
The TTL trick will work fine with wireless clients. It works at layer 3 and is thus independent of the transport media.
PPPoE is a client access method that provides authentication, and sometimes confidentiality. I guess it could be used to provide router to router security, but I don’t think it makes a good protocol for management links. IP firewall rules are fine. If you don’t trust the media connecting the routers use a real VPN instead.
sorry, I’m more of a CLI guy. I think there’s web interfaces to FreeRADIUS - but as with anything, the more complete and powerful a product is, the more complex the interface is going to be.
2c) it is my impression that it is. I only dabble with PPPoE, I don’t use it at all during my day time job.
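As an added example (not from the thread), the TTL mangle rule described in the first reply and confirmed for wireless clients in the last one: every packet the hotspot router sends into the client LAN leaves with TTL 1, so a host accepts it but a customer router that forwards it decrements TTL to 0 and drops it. The interface name `bridge-hotspot`, the 10.5.50.0/24 range and the gateway address 10.5.50.1 are assumptions based on the setup in the first post.

```routeros
# Added example, not from the thread: set TTL=1 on IPv4 packets leaving the
# router towards the hotspot clients. Assumptions: clients are on an interface
# named bridge-hotspot, the hotspot range is 10.5.50.0/24, gateway 10.5.50.1.

/ip firewall mangle
# postrouting rather than forward, so the rule also covers traffic the router
# itself originates (login page, DNS and DHCP replies), which sits in the
# output chain as the first reply explains.
add chain=postrouting out-interface=bridge-hotspot dst-address=10.5.50.0/24 \
    action=change-ttl new-ttl=set:1 passthrough=yes \
    comment="hotspot: TTL=1 so a NATed customer router cannot forward traffic"

# Verify the rule is matching: packet and byte counters grow while clients browse
/ip firewall mangle print stats where comment~"TTL=1"
```

From a client PC directly on the hotspot LAN, `ping 10.5.50.1` replies should now show ttl=1; a PC behind a customer router gets no reply, because the router drops the expired packet instead of forwarding it.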