Community discussions

 
User avatar
Madumi
newbie
Topic Author
Posts: 27
Joined: Mon Apr 23, 2018 6:07 pm

8 apartments, separate SSID's for security?

Mon Apr 23, 2018 6:26 pm

Bear with me, as I'm new to RouterOS/Mikrotik.

I currently serve WiFi to a block of 8 apartments. Access Point isolation is in place, so WiFi clients can't talk to each other, but I'm wondering whether I should separate this into 8 VAP's/SSID's to provide a higher level of security to each apartment block. I have two AP's, so it would mean 4 VAP's per AP. I just don't know whether this would be going overboard for security(?). We regularly have geeks staying in the apartments, so the scenario I would like to prevent is a man in the middle attack between apartments because of shared WPA2 credentials... Any thoughts?

Thanks!
 
solar77
Member
Member
Posts: 437
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: 8 apartments, separate SSID's for security?

Wed Apr 25, 2018 11:54 am

I'd just use hotspot, each apartment gets its own username and password, you can allow 10 devices per user account. Mikrotik Hotspot server won't allow clients talk to each other. You may also create a VLAN and a hotspot is running on the VLAN. this way they cannot access your core network. Add IP TVs, Xbox or PC to your bypass list so they don't have to authenticate.
MTCNA MTCTCE UEWA
 
gabryb85
just joined
Posts: 3
Joined: Mon Apr 23, 2018 9:54 am

Re: 8 apartments, separate SSID's for security?

Wed Apr 25, 2018 4:23 pm

Hi Madumi,
You can use 8 separate SSID with 8 different subnets. So you can configure rules on firewall to block traffic across the subnets.
 
gabryb85
just joined
Posts: 3
Joined: Mon Apr 23, 2018 9:54 am

Re: 8 apartments, separate SSID's for security?

Wed Apr 25, 2018 4:25 pm

.....
 
anavds
newbie
Posts: 38
Joined: Wed Apr 04, 2018 2:47 pm

Re: 8 apartments, separate SSID's for security?

Wed Apr 25, 2018 5:30 pm

Solar.........
Using Bridges on LANS blocks at layer 2 (via mac addresses and tables) correct?
VLANS block at layer 2/3? (by inserted headers in packet flow) correct?
FW rules block at layer 3 (IP routing) correct?

How does hotspot block???
a. devices on the same account from seeing each other?
i. wired
ii. wifi

How does hotspot block accounts from seeing each other?
 
User avatar
Madumi
newbie
Topic Author
Posts: 27
Joined: Mon Apr 23, 2018 6:07 pm

Re: 8 apartments, separate SSID's for security?

Thu Apr 26, 2018 5:06 am

Hmmm, we're in a situation where (at least currently), we need to monitor all traffic from the apartments (data caps are tight where we live), which would mean I would prefer not to give TV's Xbox's etc a free pass on to the network...
 
eXS
newbie
Posts: 43
Joined: Fri Apr 14, 2017 4:01 am

Re: 8 apartments, separate SSID's for security?

Thu Apr 26, 2018 6:50 am

Charge tenants more for their own dedicated SSID. Profit.
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1743
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: 8 apartments, separate SSID's for security?

Thu Apr 26, 2018 8:31 am

2.4ghz?? then you need to set your datarates

using many ssid's is mandatory, because when you broadcast an ssid using 1mbit datarate (default setting) you loose 3% of airtime for every ssid in your case 24% only to announce the ssid´s on air, that penalizes your wireless performance

today you can disable all 802.11b data-rates without worry

that is leaving the lowest datarate to be 6mbit/s that way you reduce the airtime used to announce ssid's from 24% to 4%
 
solar77
Member
Member
Posts: 437
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: 8 apartments, separate SSID's for security?

Thu Apr 26, 2018 12:46 pm

Solar.........
Using Bridges on LANS blocks at layer 2 (via mac addresses and tables) correct?
VLANS block at layer 2/3? (by inserted headers in packet flow) correct?
FW rules block at layer 3 (IP routing) correct?

to the best of my knowledge, L2 is blocked between bridges and same case for VLANs. FW does not block traffic between bridges / subnets unless there is a drop rule to block it in the Firewall

How does hotspot block???
a. devices on the same account from seeing each other?
i. wired
ii. wifi
Not entirely sure. However I did do an IP scan when authenticated as hotspot user, the only live IP was my own device. but we used Unifi Access Point and the WLAN has guest feature enabled so it blocks access to internal subnets. I guess if the hotspot users were wired, we cannot really block L2 broadcasting therefore MAC scanning will still work. This will have to be blocked at switch level.
if all users are connected to the Mikrotik , then you can enable IP Firewall on that bridge where hotspot is running, and create firewall rule that drops from the subnet to the same subnet, except those to the gateway.
MTCNA MTCTCE UEWA
 
solar77
Member
Member
Posts: 437
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: 8 apartments, separate SSID's for security?

Thu Apr 26, 2018 2:23 pm

As for TV, Xbox etc. you can use MAC authentication in hotspot and create user profile for those devices. more control and monitoring when you use hotspot.

what do you use as Access Point in each apartment? there might be more options .
MTCNA MTCTCE UEWA
 
User avatar
Madumi
newbie
Topic Author
Posts: 27
Joined: Mon Apr 23, 2018 6:07 pm

Re: 8 apartments, separate SSID's for security?

Thu Apr 26, 2018 5:40 pm

Charge tenants more for their own dedicated SSID. Profit.
Thanks eXS, yes, that's the longer term plan... we're just not currently there yet... by "dedicated SSID" your talking one discreet SSID's for each apartment right... but do you mean all on the one mikrotik solution (I was thinking 2 AP's to take the number of SSID's per AP down to 4)?

that is leaving the lowest datarate to be 6mbit/s that way you reduce the airtime used to announce ssid's from 24% to 4%
Thanks so much chechito. Yes I read that I'd need to change the datarate (it might have been one of your other posts). So, you're agreeing that using discreet SSID's for each apartment is a reasonable idea? (I'm still brainstorming ways to do this... the main part I need to figure out is whether I'm going over the top, or whether it's reasonable for security to ensure each apartment has separate SSID's/WPA2 credentials). Any thoughts on that?

As for TV, Xbox etc. you can use MAC authentication in hotspot and create user profile for those devices. more control and monitoring when you use hotspot.
what do you use as Access Point in each apartment? there might be more options .
I'd prefer not to use MAC authentication... Tenants rotate frequently enough that collecting MAC addresses from them would be a pain.
presently we have two access points, each serving four apartments each (the two access points are placed in a way that is central to those four apartments)
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1743
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: 8 apartments, separate SSID's for security?

Thu Apr 26, 2018 8:33 pm

that is leaving the lowest datarate to be 6mbit/s that way you reduce the airtime used to announce ssid's from 24% to 4%
Thanks so much chechito. Yes I read that I'd need to change the datarate (it might have been one of your other posts). So, you're agreeing that using discreet SSID's for each apartment is a reasonable idea? (I'm still brainstorming ways to do this... the main part I need to figure out is whether I'm going over the top, or whether it's reasonable for security to ensure each apartment has separate SSID's/WPA2 credentials). Any thoughts on that?


I think separate SSID's for each apartment its a good idea from viewpoint of practicality to make support tasks easier, for example if a customer has some issue is easier to track them to devices associated to an specific SSID, another advantage, maybe if an access-point is far from certain apartment that access-point don't need to have that apartment SSID configured in fact maybe the best way to go is that specific SSID only be configured on closest access-point to that apartment

if access from public and shared areas is needed you can create a very limited guest ssid to that task

from security viewpoint separate SSID can help to isolate devices from each apartment from sharing traffic, to avoid different apartment devices to share traffic, normally i will suggest to isolate all stations from each other, but in case of apartments today is frequent for people the need of get their own devices communicate between them

the better way to allow communication between wireless devices on same ssid will be isolate them un-cheking default forward option, let the "core" router to manage inter-station communication using local-proxy-arp, that technique has the advantage of make possible to apply traffic control and firewall rules to inter station traffic using rules on the access-point, otherwise any rule makes no effect on inter-station traffic

make sure you have a properly configured and manageable layer 2 infrastructure (wired switches, please use only wired switches to interconnect access-point to the network, anything like mesh or repeaters will get you a very BAD result from performance standpoint) to interconnect access-point to main router

with properly configured i refer to a manageable switch o switches configured with vlan, vlan filtering, dhcp security, arp, security, port isolation, to make the network stable and better in terms of security isolating effectively different SSID traffic across all network

always use only WPA 2 AES security with WPS disable, secure your main router and your accesspoint, very recommended a separate vlan to isolate and filter access to devices management

wireless can be secure, but there are many social engineering hacks to let people to reveal their passwords, so keep that in mind, and encourage your users to use secure VPN services to do sensitive tasks online when connected to the wifi

secure all the network using ACL's, firewall filter or whatever resources equipment have

Do QoS and traffic control on every point of network to manage congestion, that improves performance and service experience a LOT
 
User avatar
Madumi
newbie
Topic Author
Posts: 27
Joined: Mon Apr 23, 2018 6:07 pm

Re: 8 apartments, separate SSID's for security?

Thu Apr 26, 2018 9:15 pm

brilliant, chechito! thanks so very much.

Only part I didn't quite follow was if I set up separate SSID's/WPA2 for each apartment & kept traffic from those SSID's isolated from each other, why would you suggest residents still use a VPN to do sensitive tasks? Is it just to protect them from their own IoT devices using the same SSID?

Network structure is already in place--Cat6 ethernet connecting access points etc... It's just going to be a matter of learning RouterOS. I'll read through https://wiki.mikrotik.com/wiki/Manual:TOC
Any other suggestions for me to get up to speed?

Thanks!
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1743
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: 8 apartments, separate SSID's for security?

Thu Apr 26, 2018 10:09 pm

brilliant, chechito! thanks so very much.

Only part I didn't quite follow was if I set up separate SSID's/WPA2 for each apartment & kept traffic from those SSID's isolated from each other, why would you suggest residents still use a VPN to do sensitive tasks?


attack techniques exist to make a client connect to a rogue AP that way the attacker can perform a man in the middle and other other nasty things
 
User avatar
Madumi
newbie
Topic Author
Posts: 27
Joined: Mon Apr 23, 2018 6:07 pm

Re: 8 apartments, separate SSID's for security?

Fri Apr 27, 2018 12:09 am

attack techniques exist to make a client connect to a rogue AP
Hmmm, interesting... You mean even an access point with unfaimiliar credentials/SSID?

Who is online

Users browsing this forum: No registered users and 39 guests