Hi, experts!
I have a task to build a hotel network in a few segments and need some help. I think that this is the right place for my questions, because the main part of the equipment is from MikroTik.
I plan to use a CCR to manage all networks and cAP ac and wAP ac to provide wireless coverage. The other equipment (switches) is manageable and is from another manufacturer.
In my opinion I need several networks for proper management:
Wired Staff network
Wireless Staff network
Wired Guest network
Wireless Guest network
CCTV network
TV network
Manage network
I have an idea how to do that, but is it the right way?
I plan to create one bridge to connect my switches to the CCR.
On this bridge I can create several VLANs (networks 1-7) which will carry my traffic for the different networks.
To unite wireless networks 2 and 4 with wired networks 1 and 3 I have to create two more bridges (I need the wired and wireless staff networks to be one network, and the same for the guest networks), into which I plan to import interfaces from CAPsMAN and VLAN 1 and VLAN 3.
Example:
Bridge staff → VLAN for wired staff network + AP wireless staff network via CAPsMAN
Bridge guest → VLAN for wired guest network + AP wireless guest network via CAPsMAN
Then I have to give addresses to the bridges for the staff and guest networks and to the CCTV, TV and management VLANs.
Create DHCP servers.
Is it right to import a VLAN into two bridges for CAPsMAN, or is there another way to unite the wired and wireless networks?
And one more question:
How should I build the WiFi SSIDs for 2.4 and 5 GHz: with one SSID, or separate per band? One SSID for the 5 GHz band and another for the 2.4 GHz band?
At a later stage I want to manage all my networks with The Dude. Does anyone have experience with non-MikroTik equipment and The Dude?
I hope that my English is understandable, because it is not my native language.
I wonder which is the better idea: the client (phone, computer, tablet) decides which band to choose, or the human.
No, it's not my first config. I have tested this configuration and it works in lab conditions, but maybe someone with more experience will find a mistake. I just want to gather more opinions.
I do not have any experience with The Dude at all. Now I am searching for and reading information about it. I have some experience with VLANs and CAPsMAN.
Since, as I understand it, this is your first big job, there is a lot of studying you should do…
The answer to your questions is simple: since you want to use VLANs, there is a need for one bridge only… You will create as many VLANs as you need for your WiFi, cameras, TVs etc. under that single bridge…
Notice that all devices under the same VLAN can talk to each other as far as Layer 2 activity is concerned (VLAN itself is a Layer 2 protocol), and in the case of Layer 3 activity, e.g. different subnets (inter-VLAN), they can still talk to each other unless blocked by the firewall… So make sure you place under the same VLAN the devices that must have Layer 2 connectivity, and then you will not have to do anything else… That's why VLANs exist in the first place: to segment your network… My advice is really careful planning and network design before you start configuring anything, otherwise you will get lost…
As for CAPsMAN and the SSIDs, I personally like to create different SSIDs for the 2.4 GHz and 5 GHz bands.
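The "one bridge, one VLAN per network" layout from the reply above, written out as a RouterOS v6 configuration. This is an added example and not configuration posted by anyone in the thread; the interface names (ether2/ether3 as switch uplinks), VLAN IDs, subnets, SSIDs and passphrases are assumptions to be replaced with site values. Wired and wireless staff share VLAN 10 and wired and wireless guests share VLAN 20, so no second or third bridge is needed; the CAPsMAN datapath tags wireless frames with the VLAN ID and drops them onto the same bridge. The per-band SSIDs follow Zacharias's preference; a single SSID per network would simply use one configuration for both provisioning rules.

```routeros
# Added example (not from the thread). Names, VLAN IDs and subnets are assumptions.
/interface bridge
add name=bridge1 comment="single bridge carrying every segment as a tagged VLAN"

# Uplinks to the third-party switches; the switch side must send VLANs 10-99
# tagged on these ports (ether2 and ether3 are assumed).
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3

# One VLAN interface per network on top of the bridge.
/interface vlan
add name=vlan10-staff interface=bridge1 vlan-id=10
add name=vlan20-guest interface=bridge1 vlan-id=20
add name=vlan30-cctv interface=bridge1 vlan-id=30
add name=vlan40-tv interface=bridge1 vlan-id=40
add name=vlan99-mgmt interface=bridge1 vlan-id=99

# Gateway addresses sit on the VLAN interfaces, never on bridge1 itself,
# so inter-VLAN traffic is routed and can be controlled in /ip firewall.
/ip address
add address=10.10.0.1/24 interface=vlan10-staff
add address=10.20.0.1/22 interface=vlan20-guest
add address=10.30.0.1/24 interface=vlan30-cctv
add address=10.40.0.1/24 interface=vlan40-tv
add address=10.99.0.1/24 interface=vlan99-mgmt

# One DHCP server per VLAN; the guest one is shown, repeat for the others.
/ip pool
add name=pool-guest ranges=10.20.0.10-10.20.3.250
/ip dhcp-server
add name=dhcp-guest interface=vlan20-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=10.20.0.0/22 gateway=10.20.0.1 dns-server=10.20.0.1

# CAPsMAN datapaths: local-forwarding=no sends all wireless frames to the CCR,
# vlan-mode=use-tag tags them with the VLAN of the matching wired network.
/caps-man datapath
add name=dp-staff bridge=bridge1 local-forwarding=no vlan-mode=use-tag vlan-id=10
add name=dp-guest bridge=bridge1 local-forwarding=no vlan-mode=use-tag vlan-id=20 client-to-client-forwarding=no

/caps-man security
add name=sec-staff authentication-types=wpa2-psk encryption=aes-ccm passphrase="change-me-staff"
add name=sec-guest authentication-types=wpa2-psk encryption=aes-ccm passphrase="change-me-guest"

# Separate SSIDs per band, as preferred in the reply above.
/caps-man configuration
add name=cfg-staff-2g ssid=HotelStaff-2G datapath=dp-staff security=sec-staff
add name=cfg-guest-2g ssid=HotelGuest-2G datapath=dp-guest security=sec-guest
add name=cfg-staff-5g ssid=HotelStaff-5G datapath=dp-staff security=sec-staff
add name=cfg-guest-5g ssid=HotelGuest-5G datapath=dp-guest security=sec-guest

# The 2.4 GHz radio (gn) and the 5 GHz radio (ac) of each cAP ac / wAP ac get
# their own master + slave configuration.
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg-staff-2g slave-configurations=cfg-guest-2g
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=cfg-staff-5g slave-configurations=cfg-guest-5g
```

After provisioning, `/caps-man interface print` should show one cap interface per radio and SSID, and `/interface bridge port print` should list those interfaces as dynamic ports of bridge1; a wireless staff client and a wired staff client should then receive addresses from the same 10.10.0.0/24 pool.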
Thank you, Zacharias!
I was using second and third bridges for the datapath in CAPsMAN, but now I have seen that I can use a VLAN for the datapath. I will read and test.
Your post was very helpful.
Thank you again.
Non-IT users want things to be simple, and most devices choose the best AP from the available ones by both the signal quality and the available bandwidth. So if you connect the 2.4 GHz and 5 GHz SSIDs for guests into the same VLAN, the vast majority of guests will have at least some connection and won't complain. Technically it would be possible to have three guest SSIDs in parallel (hotelpetkov, hotelpetkov24 and hotelpetkov5), but then the receptionists would keep answering the question "which one should I choose?". So if you would like to give the guests the possibility to choose a band manually, the names for the band-specific SSIDs should not resemble the basic one and should bear names different enough from it.
To add more to the subject raised by @Zacharias: if I were to offer the guests a wired network, my first requirement on the switches would be that they support port isolation, so that the guest-facing ports could only talk to the uplink ports but not to each other (OK, if the switch supports really fancy features and you plan more than one Ethernet socket per room, you might allow the ports serving the same room to talk to each other as well). And also where the wireless interfaces meet the wired network, port isolation needs to be done, because setting client-to-client-forwarding=no under /caps-man datapath prevents clients registered to the same AP interface from seeing each other, but not from seeing the wired clients and wireless clients registered to other APs. As you cannot set /interface bridge port horizon individually per VLAN, /interface bridge filter rules matching on vlan-id need to be used for the purpose. Basically, a single rule dropping frames tagged with the guest VLAN ID in the forward chain should be sufficient if the gateway IP address for the guest VLAN is attached to the local port of that bridge, as frames to/from the local interface of the bridge use the input and output chains. And it requires local-forwarding under /caps-man datapath to be set to no as well, so that there would be just a single bridge at which forwarding from one AP to another AP is possible.
Without client device isolation, the malware from a single guest device could easily infect all the other ones, and you never know what people bring with them. And those infected in the hotel will blame the hotel, not the other guests, let alone themselves.
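The guest-isolation arrangement described in the reply above, as an added RouterOS v6 example that is not configuration posted by anyone in the thread. It assumes a bridge named bridge1, guest VLAN ID 20 and the guest gateway address placed on an /interface vlan interface on top of bridge1 (all assumptions). Wired guest ports still need port isolation on the switches themselves; the CCR can only see frames that reach it.

```routeros
# Added example (not from the thread). bridge1 and VLAN 20 are assumptions.

# 1. Guest datapath: every wireless frame is forwarded by the CCR, not by the
#    AP (local-forwarding=no), and clients on the same AP interface cannot
#    reach each other (client-to-client-forwarding=no). On its own this does
#    not isolate clients on different APs, nor wireless from wired guests.
/caps-man datapath
add name=dp-guest bridge=bridge1 local-forwarding=no vlan-mode=use-tag vlan-id=20 client-to-client-forwarding=no

# 2. The guest gateway lives on a VLAN interface of the bridge, so traffic
#    between a guest and the router uses the bridge's input/output chains.
/interface vlan
add name=vlan20-guest interface=bridge1 vlan-id=20
/ip address
add address=10.20.0.1/22 interface=vlan20-guest

# 3. A single forward-chain rule drops every guest-tagged frame that would be
#    forwarded from one bridge port to another (AP to AP, AP to switch uplink,
#    uplink to AP). DHCP, ARP and routed traffic to the gateway are unaffected
#    because they never traverse the forward chain.
/interface bridge filter
add chain=forward mac-protocol=vlan vlan-id=20 action=drop comment="guest clients may only talk to the gateway"

# 4. Checks: pinging one guest device from another must fail while both still
#    reach 10.20.0.1; the drop counter below should grow during that test.
/interface bridge filter print stats
/caps-man datapath print detail where name=dp-guest
```

Keep the rule limited to the guest VLAN ID: the same forward chain carries the staff, CCTV and TV VLANs, and a rule without the vlan-id match would cut those segments too.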