Matta
Frequent Visitor
Topic Author
Posts: 66
Joined: Sat Sep 04, 2010 3:13 pm

Help setting up my private/public network

Fri Feb 12, 2016 4:03 pm

Greetings!

Finally I decided to bring some order to my two networks and to see what I can do to make a better single network out of the current two.

Currently I have a mixture of Mikrotik and consumer-grade equipment spread over two networks (one private and one public), but I would like to migrate fully to Mikrotik and make one single network.

Below is a rough diagram of what I want my network to be:
[Image: network diagram]

What I want:
1. Single network
2. Load balancing two internet connections
3. My private computers, smartphones, devices, etc. (whatever I decide is private) to have full access (unlimited bandwidth, traffic, access to NAS, etc.), no matter where I connect (different APs, LAN, etc.)
4. Guest devices to have access to the internet only (limited bandwidth, daily traffic limit based on MAC address, etc.)
5. Use CAPsMAN to manage all access points, to use a single SSID on all APs and to successfully roam clients across APs

I know it's a lot but I'm not sure how to start.
I have a lot of questions and I would really appreciate it if you guys can help me.
Some of the questions are:
- What would be the best way to make private and public parts of the network? Do I want to use multiple SSIDs (one public, one hidden) on the APs or some other way?
- How do I limit bandwidth and daily traffic? Can I make limits based on MAC address? Example: every MAC address (except the MAC addresses of my devices, which are excluded) gets 2Mbit bandwidth and 1GB traffic in 24 hours. After 24 hours that MAC address gets a new 1GB limit.
- Are CAPsMAN and the same SSID on all APs the best solution for my property coverage and client roaming?
- Since in my area the 2.4GHz spectrum is low density, should I stick with it or do I fire up the 5GHz radios on the APs too?
- If I use both 2.4 and 5GHz radios, how do I manage it SSID-wise and CAPsMAN-wise?
- Would the RB3011 be the best-buy solution to carry my network? I expect no more than 50 guest clients connected on all APs during peak hours. Usually it's around 10-20.

Thanks in advance for any help I get. Also, if you need more details I'll be happy to provide.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help setting up my private/public network

Fri Feb 12, 2016 4:26 pm

It looks like a solid design to me.

I would definitely recommend keeping the guest network as a separate VLAN from the standard LAN. Policy is one of the main reasons to create a separate subnet. If you try to do everything in a single flat network, then you're going to have to worry a lot more about access port security. If the guests are connecting to a network that is simply blocked from reaching the corporate LAN, then it's much easier to keep the LAN safe. One firewall rule in the forward filter chain is enough to block all access.

You'd make virtual APs for the guest network and apply a vlan tag, and put the router's IP on a vlan interface in the 3011.

I think the hardest part is going to be the daily throughput limit, because this is going to require either a lot of scripting or monitoring systems that use APIs, etc - or else you'll need to use a hotspot - I'm not a fan of captive portals because they invariably lead to lots of complaints of people having to log in all the time, etc - but this might be what you need to do.

I'd say that you should get CAPSman running first, then the load balancing, then worry about the per-user data caps last.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
Matta
Frequent Visitor
Topic Author
Posts: 66
Joined: Sat Sep 04, 2010 3:13 pm

Re: Help setting up my private/public network

Fri Feb 12, 2016 5:13 pm

Thanks for the quick reply, ZeroByte!

> It looks like a solid design to me.
>
> I would definitely recommend keeping the guest network as a separate VLAN from the standard LAN. Policy is one of the main reasons to create a separate subnet. If you try to do everything in a single flat network, then you're going to have to worry a lot more about access port security. If the guests are connecting to a network that is simply blocked from reaching the corporate LAN, then it's much easier to keep the LAN safe. One firewall rule in the forward filter chain is enough to block all access.
>
> You'd make virtual APs for the guest network and apply a vlan tag, and put the router's IP on a vlan interface in the 3011.

To go into details further:
- Guests will have access to the network only via APs. Hard-wired connections are reserved for my computers only. On the other hand, I would like all my wifi-capable devices which connect to the APs to get full network access.
How do I proceed on this matter? Sorry for asking, but I have zero experience with virtual networks because, until now, I always kept two separate networks. Now I see it's a waste of spectrum to cover the same space with 2 networks.


> I think the hardest part is going to be the daily throughput limit, because this is going to require either a lot of scripting or monitoring systems that use APIs, etc - or else you'll need to use a hotspot - I'm not a fan of captive portals because they invariably lead to lots of complaints of people having to log in all the time, etc - but this might be what you need to do.
>
> I'd say that you should get CAPSman running first, then the load balancing, then worry about the per-user data caps last.
I used hotspot before and exactly because of complaints about login I shut it down and used queues instead to limit speed.
On the other hand, in hotspot (via IP binding), I excluded all my devices via MAC addresses and had full access to the network without worrying where I connected.
Queues are doing the same thing now, but it was much easier to exclude them in hotspot.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help setting up my private/public network

Fri Feb 12, 2016 5:49 pm

> To go into details further:
> - Guests will have access to the network only via APs. Hard-wired connections are reserved for my computers only. On the other hand, I would like all my wifi-capable devices which connect to the APs to get full network access.
> How do I proceed on this matter? Sorry for asking, but I have zero experience with virtual networks because, until now, I always kept two separate networks. Now I see it's a waste of spectrum to cover the same space with 2 networks.
Not at all - virtual APs use the same channel as the main interface - they just use a different SSID and they attach the clients to a different network than the main interface, so they don't chew up extra spectrum. Basically, you'd set a vlan ID on the guest interfaces (virtual APs) and then on the 3011, you'd create a vlan interface that uses the same VLAN-id tag to talk to those clients. They'll stay completely isolated (logically) from the rest of your network.
> I used hotspot before and exactly because of complaints about login I shut it down and used queues instead to limit speed.
> On the other hand, in hotspot (via IP binding), I excluded all my devices via MAC addresses and had full access to the network without worrying where I connected.
> Queues are doing the same thing now, but it was much easier to exclude them in hotspot.
The queue wouldn't be hard to do at all - I'd suggest to just put a single PCQ-type queue on the guests network and limit it to some fraction of your bandwidth that you don't mind letting the guests have, and then bam - done. PCQ makes the bandwidth "shared fairly" between the different users behind it without having to deal with a bunch of single queues. It's good because if you have a decent connection and nobody's using it, then the one who is using it right now can get speedy access, but if more people log in, it forces them to share fairly.

It's the "no more than X megabytes/gigabytes" limit that's more challenging to implement.

If this is all new gear, then you could set it up like a lab and when you see that the main LAN / guest LAN thing is working properly, go ahead and hook it up as production.
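The RB3011 side of what ZeroByte describes in his two replies above (a VLAN interface for the guests, one forward rule that keeps them off the private LAN, and a single PCQ queue sharing a capped slice of bandwidth), written out as an added RouterOS v6 example. This is not configuration from the thread; the VLAN id 10, the master port ether3-master, the guest gateway 192.168.4.1, the 1M/8M guest cap and the rule names are assumptions.

```routeros
# Added example, not from the thread. Assumptions: LAN switch group master port
# ether3-master, guest VLAN id 10, private LAN 192.168.0.0/24, guest LAN
# 192.168.4.0/24 with the router at 192.168.4.1, WAN interface ether1-VDSL.
/interface vlan
add name=guest-vlan vlan-id=10 interface=ether3-master

/ip address
add address=192.168.4.1/24 interface=guest-vlan

# Guests get addresses from the router; the APs keep their DHCP servers off.
/ip pool
add name=guest-pool ranges=192.168.4.101-192.168.4.254
/ip dhcp-server
add name=guest-dhcp interface=guest-vlan address-pool=guest-pool disabled=no
/ip dhcp-server network
add address=192.168.4.0/24 gateway=192.168.4.1 dns-server=192.168.4.1
/ip dns
set allow-remote-requests=yes

# Isolation. The default firewall has no catch-all drop for LAN-side input
# or forward traffic, so guests are restricted explicitly: DHCP and DNS to
# the router, nothing else to the router, nothing to the private LAN, and
# internet only through the VDSL. Place these after the default
# "accept established,related" rules.
/ip firewall filter
add chain=input in-interface=guest-vlan protocol=udp dst-port=53,67 \
    action=accept comment="guest: DNS and DHCP to the router"
add chain=input in-interface=guest-vlan action=drop \
    comment="guest: no other access to the router"
add chain=forward in-interface=guest-vlan dst-address=192.168.0.0/24 \
    action=drop comment="guest: no access to the private LAN"
add chain=forward in-interface=guest-vlan out-interface=!ether1-VDSL \
    action=drop comment="guest: internet via VDSL only"

# One PCQ queue for the whole guest subnet. pcq-rate=0 means no fixed
# per-client rate: a lone client may use the whole 8M/1M slice, and the
# slice is divided fairly per client address as more guests connect.
/queue type
add name=guest-pcq-down kind=pcq pcq-classifier=dst-address pcq-rate=0
add name=guest-pcq-up kind=pcq pcq-classifier=src-address pcq-rate=0
/queue simple
add name=guest-shared target=192.168.4.0/24 max-limit=1M/8M \
    queue=guest-pcq-up/guest-pcq-down \
    comment="guest: fair share of a capped slice (upload/download)"
```

The queue only takes effect for traffic that is not fasttracked; with the default fasttrack rule enabled, guest connections bypass it.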
 
Matta
Frequent Visitor
Topic Author
Posts: 66
Joined: Sat Sep 04, 2010 3:13 pm

Re: Help setting up my private/public network

Fri Feb 12, 2016 6:20 pm

Thanks m8, I'll have some more questions later on.

Now, on to the topic of 2.4/5GHz, same SSID and device roaming:

As I said, my area is not wi-fi polluted and I can use the 2.4GHz band without interference from other networks. Since I'm in the process of buying most of the APs that are in my diagram, I'm still uncertain how to proceed.

Do I go for 2.4GHz-only APs (at least to cover the area where mostly guests will connect)? I will still go for the HAP AC/AC Lite where my private network will prevail.
Or do I go for 2.4/5GHz APs, to put less stress on the 2.4GHz radio at peak times? If I go this route, how do I incorporate everything in the same network? Do I need to raise multiple SSIDs on both radios? If yes, then will both 2.4GHz and 5GHz SSIDs have the same name, and will guest devices successfully roam between APs and between different radios?

Example:
- A certain area is covered with two 2.4/5GHz APs. SSID is "123" for the public network, "456" for the private one. Do I set the same name on both 2.4GHz and 5GHz radios, and do I set the same channels on both APs? How will VLAN work concerning two different radios?
Basically, I would have 4 SSIDs with 2 names on one AP (guest 2.4GHz/guest 5GHz - first name, private 2.4GHz/private 5GHz - second name).

I hope I'm making sense. :)
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help setting up my private/public network

Fri Feb 12, 2016 6:33 pm

Yes - you want to use dual-band radios, and broadcast both the main and guest networks on both radios.

I haven't set up Capsman before, so I can't say exactly how the configuration is going to look, but based on the Aruba system we have at my company, I'd say that the 5ghz radio and the 2.4ghz radio are going to show up as if they were two separate devices, while in actuality, they're just two interfaces on the same single device.

The APs are probably going to be configured to have a bridge interface with the wlan1 and wlan2 radios and an ethernet interface connected to the bridge. The virtual APs would be "wlan3"/"wlan4" or (guest2ghz / guest5ghz - whatever names make sense) and they'll be connected to that bridge also, but they'll be configured to put a vlan tag on traffic from the clients attached to the guest aps... so guest traffic will cross the wire back to the router but have vlan tags on them so they are kept in a separate network. On the 3011, you'll put a vlan interface on the etherX-master interface (or LAN bridge if you're using a bridge there) so that the router can talk to the guests.
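The AP-side layout ZeroByte sketches above (both radios bridged with the ethernet port, a virtual AP per radio for the guests that tags their frames with the guest VLAN), as an added RouterOS v6 example for one stand-alone dual-band AP. It is not configuration from the thread; wlan1 as the 2.4GHz radio, wlan2 as 5GHz, VLAN id 10, the SSIDs "PrivateLAN" and "GuestLAN", the profile name priv-wpa2 and the management address 192.168.0.11 are assumptions.

```routeros
# Added example, not from the thread. Assumptions: wlan1 = 2.4 GHz radio,
# wlan2 = 5 GHz radio, uplink on ether1, guest VLAN id 10, management
# address 192.168.0.11/24 on the untagged (private) side.
/interface wireless security-profiles
add name=priv-wpa2 mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key=REPLACE_WITH_REAL_PSK

# Same SSID on both bands: clients treat the two radios as one network.
/interface wireless
set wlan1 mode=ap-bridge ssid=PrivateLAN security-profile=priv-wpa2 disabled=no
set wlan2 mode=ap-bridge ssid=PrivateLAN security-profile=priv-wpa2 disabled=no

# Virtual APs ride on the master radio's channel, so they cost no extra
# spectrum. vlan-mode=use-tag makes the AP tag every frame from a guest
# client with VLAN 10 before it enters the bridge; the router terminates
# VLAN 10, so guest and private traffic never meet at layer 2.
add master-interface=wlan1 name=guest2ghz ssid=GuestLAN \
    security-profile=default vlan-mode=use-tag vlan-id=10 disabled=no
add master-interface=wlan2 name=guest5ghz ssid=GuestLAN \
    security-profile=default vlan-mode=use-tag vlan-id=10 disabled=no

# One bridge carries untagged private frames and VLAN-10 guest frames
# over the single uplink to the router.
/interface bridge
add name=bridge-lan
/interface bridge port
add bridge=bridge-lan interface=ether1
add bridge=bridge-lan interface=wlan1
add bridge=bridge-lan interface=wlan2
add bridge=bridge-lan interface=guest2ghz
add bridge=bridge-lan interface=guest5ghz

# Pure AP: fixed management address, no DHCP server on the AP itself.
/ip address
add address=192.168.0.11/24 interface=bridge-lan
```

Under CAPsMAN the same tagging is expressed once in a /caps-man datapath (vlan-mode=use-tag vlan-id=10) attached to the guest configuration, and provisioning pushes it to every CAP.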
 
Matta
Frequent Visitor
Topic Author
Posts: 66
Joined: Sat Sep 04, 2010 3:13 pm

Re: Help setting up my private/public network

Fri Feb 12, 2016 8:52 pm

Just to clarify further:

- if the SSID name is, for example, "Internet access", both the 5GHz and 2.4GHz SSIDs will be called like that, correct (I won't call them "Internet access 2.4" and "Internet access 5")?
- furthermore, if the private SSID name is "Private access", both 5GHz and 2.4GHz will be called like that, correct?
- and should I use the same channel on all APs, to offer better roaming to devices (and risk interference), or should I put the APs on different channels (no interference, but what happens with device roaming)?

Thanks
 
kiaunel
Member Candidate
Posts: 211
Joined: Mon Jul 21, 2014 7:59 pm
Location: Romania

Fri Feb 12, 2016 9:55 pm

A virtual AP can have a different SSID from the main one. I don't know if roaming works between 2.4 and 5.

 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help setting up my private/public network

Fri Feb 12, 2016 10:17 pm

In my mind, one of the benefits of a controller-based wifi system is for the controller to be smart and determine the frequency usage based on what it sees in real-time. I haven't delved into capsman to learn whether it will manage the frequencies of all APs to minimize interference, etc, but I would suppose that it does this....

Anyway, all APs should give the same name for the same network they're attached to - so if you have "CorporateLAN" and "GuestLAN" on your network, then this means that you should only ever see two SSIDs when walking around your building with a device. You would not name them CorporateLAN5 and CorporateLAN2. The devices are going to know the difference between the two bands - in fact it's impossible for the device to be confused by the same SSID being on the 2.4 interface and the 5.8 interface - any more so than it is going to be confused by two different APs giving the same SSID on a single band. In fact, I think it would cause more problems if the SSID is different between the two bands. I was helping a guy once who had a Linksys router set up so that the 2ghz and 5ghz bands had different SSIDs. His users were getting "kicked off the internet" constantly. As soon as he made them use the same SSID, the problem cleared up.
 
Matta
Frequent Visitor
Topic Author
Posts: 66
Joined: Sat Sep 04, 2010 3:13 pm

Re: Help setting up my private/public network

Sat Mar 12, 2016 4:52 pm

Almost all of my new equipment has arrived and I've been fiddling with it for the past few days. I went from top (APs) to bottom (RB3011). I've managed to set up the private network and the guest network. The guest network is successfully VLAN-ed and the RB3011 is handing out addresses.

This is the story so far in short:
vDSL modem (25Mbit/2Mbit) - in router mode (because of IPTV), IP address 192.168.2.1, RB3011 IP address is put in modem's DMZ (192.168.2.2), connected to ether1 on RB3011
ADSL modem (15Mbit/768kbit) - in router mode, IP address 192.168.1.1, RB3011 IP address is put in modem's DMZ (192.168.1.2), all other services shut down, connected to ether2 on RB3011

Mikrotik RB3011:
- Ether1 is WAN port for vDSL connection (IP=192.168.2.2)
- Ether2 is WAN port for ADSL connection (IP=192.168.1.2)
- Further down the line, I plan to add an LTE USB stick on the USB port for an additional internet connection (but we will discuss that when it comes to it)
- Ether3-10 are switched (Ether 3 and Ether6 master ports)
- 192.168.0.0 is my private network (for all private SSIDs and all physical LAN connections)
- 192.168.4.0 is guest network (only for VLAN through public SSIDs)
- Fasttrack is enabled


Mikrotik WaP, HAP AC, RB2011, HaP AC Lite - multiple pieces:
- All are working as pure APs, fixed IP addresses (on both private LAN and VLAN), DHCP server off, 2.4GHz only for now, same SSID, different channels.

I don't know if you need any other info, please feel free to ask and I will provide.



1. I want the vDSL connection (ether1) (and later the USB LTE) bandwidth to be available for both the private (192.168.0.0) and public (192.168.4.0) subnets, but the ADSL connection (ether2) to be available only for my private (192.168.0.0) subnet. Is that possible, and how do I proceed? I have zero knowledge about this.

2. I want the VLAN to have a per-user bandwidth limit. When Fasttrack is disabled the simple queue is working perfectly. However, I don't know how to exclude it from Fasttrack.
Is it possible to exclude it, or do I need to disable Fasttrack for the time being in order for queues to work?


Thank you all in advance!
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help setting up my private/public network

Sun Mar 13, 2016 5:36 pm

Read some wiki articles about load balancing, and there were also two MUM USA 2012 presentations about load balancing.

I would suggest that you use the VDSL as the main routing table since you want the vlan to use it only. Then you only need to do route marking on connections that come from the main vlan and from the two WAN circuits.
 
Matta
Frequent Visitor
Topic Author
Posts: 66
Joined: Sat Sep 04, 2010 3:13 pm

Re: Help setting up my private/public network

Sun Mar 13, 2016 5:47 pm

I'm trying to get it working but something is not right. This is the firewall rules dump:

/ip firewall address-list
add address=192.168.4.101-192.168.4.254 list=forced_ether1-VDSL
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether2-ADSL
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface=ether1-VDSL
add chain=input comment="defconf: accept established,related" \
    connection-state=established
add chain=input connection-state=related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=ether2-ADSL
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes \
    in-interface=ether1-VDSL
add action=drop chain=forward in-interface=guest-vlan out-interface=\
    !ether2-ADSL
add action=drop chain=forward disabled=yes in-interface=guest-vlan \
    out-interface=!ether1-VDSL
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether2-ADSL new-connection-mark=\
    ether2-ADSL_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    connection-state=new in-interface=ether1-VDSL new-connection-mark=\
    ether1-VDSL_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=local new-connection-mark=ether1-VDSL_conn \
    src-address-list=forced_ether1-VDSL
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=local in-interface=all-ethernet new-connection-mark=\
    ether2-ADSL_conn per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=local in-interface=all-ethernet new-connection-mark=\
    ether1-VDSL_conn per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=output connection-mark=ether2-ADSL_conn \
    new-routing-mark=to_ether2-ADSL out-interface=!all-ethernet
add action=mark-routing chain=output connection-mark=ether1-VDSL_conn \
    new-routing-mark=to_ether1-VDSL out-interface=!all-ethernet
add action=mark-routing chain=prerouting connection-mark=ether2-ADSL_conn \
    in-interface=all-ethernet new-routing-mark=to_ether2-ADSL
add action=mark-routing chain=prerouting connection-mark=ether1-VDSL_conn \
    in-interface=all-ethernet new-routing-mark=to_ether1-VDSL
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether2-ADSL
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1-VDSL

And what about the traffic limit queue and fasttrack?

Thanks!
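ZeroByte's suggestion from the previous reply (VDSL as the plain default route so the guest VLAN simply falls through to it, with route marking only for the two WAN circuits and for connections coming from the private LAN), written out as an added RouterOS v6 example. It is not the poster's configuration: it differs from the dump above in that the PCC rules match only the private subnet instead of in-interface=all-ethernet, and traffic to the router itself is excluded with dst-address-type=!local. The modem gateways 192.168.2.1 and 192.168.1.1 and the interface names come from the thread; the mark and route names are assumptions.

```routeros
# Added example, not from the thread. Assumptions: VDSL modem 192.168.2.1
# behind ether1-VDSL, ADSL modem 192.168.1.1 behind ether2-ADSL, private LAN
# 192.168.0.0/24, guest VLAN 192.168.4.0/24 (left unmarked on purpose).
/ip route
# Main table: VDSL only. Unmarked traffic, i.e. everything from the guest
# VLAN, can only ever leave this way. No ADSL backup here, so guests never
# fall over to the ADSL if the VDSL is down.
add dst-address=0.0.0.0/0 gateway=192.168.2.1 comment="main: VDSL"
# Per-WAN tables selected by routing mark; check-gateway drops a dead WAN.
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_ether1-VDSL \
    check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_ether2-ADSL \
    check-gateway=ping

/ip firewall mangle
# Connections arriving on a WAN (e.g. dst-natted services) must be answered
# through the same WAN: mark them on entry, route-mark the router's replies.
add chain=prerouting in-interface=ether1-VDSL connection-state=new \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=ether1-VDSL_conn
add chain=prerouting in-interface=ether2-ADSL connection-state=new \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=ether2-ADSL_conn
add chain=output connection-mark=ether1-VDSL_conn action=mark-routing \
    new-routing-mark=to_ether1-VDSL
add chain=output connection-mark=ether2-ADSL_conn action=mark-routing \
    new-routing-mark=to_ether2-ADSL

# PCC split, restricted to the private LAN. dst-address-type=!local keeps
# traffic addressed to the router (DNS, DHCP, Winbox) out of the split;
# connection-mark=no-mark keeps WAN-originated connections on their WAN.
add chain=prerouting src-address=192.168.0.0/24 dst-address-type=!local \
    connection-mark=no-mark per-connection-classifier=both-addresses:2/0 \
    action=mark-connection new-connection-mark=ether1-VDSL_conn passthrough=yes
add chain=prerouting src-address=192.168.0.0/24 dst-address-type=!local \
    connection-mark=no-mark per-connection-classifier=both-addresses:2/1 \
    action=mark-connection new-connection-mark=ether2-ADSL_conn passthrough=yes
# Every LAN-side packet of a marked connection follows its WAN's table.
add chain=prerouting src-address=192.168.0.0/24 \
    connection-mark=ether1-VDSL_conn action=mark-routing \
    new-routing-mark=to_ether1-VDSL
add chain=prerouting src-address=192.168.0.0/24 \
    connection-mark=ether2-ADSL_conn action=mark-routing \
    new-routing-mark=to_ether2-ADSL

/ip firewall nat
add chain=srcnat out-interface=ether1-VDSL action=masquerade
add chain=srcnat out-interface=ether2-ADSL action=masquerade
```

The forward-chain drop for guest traffic leaving on anything but ether1-VDSL from the dump above still belongs in the filter as a second line of defence, so a routing mistake cannot leak guest traffic onto the ADSL.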
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Help setting up my private/public network

Sun Mar 13, 2016 5:56 pm

Fasttrack and queues are mutually exclusive features - you can have one or the other but not both - fasttrack will warp right past the queues.
Turning off fasttrack is the only way to use queues - but of course you've sacrificed performance for this. I think they're trying to allow simple queues in fastpath (which is what fasttrack uses) but I'm not sure if/when that will happen.