
wireless hotspot

Posted: Tue Oct 25, 2011 10:27 pm
by cytec
Hello guys,

I want to put up a MikroTik hotspot and got myself an RB750, but I have a few questions.

Is there a way to block the users so that they won't see each other once they connect to the network? I was planning to use some devices on the network that are connected to the Wi-Fi, but I don't want other computers on the same network (wired and Wi-Fi) to be able to see them. I was looking for a way to block intranet traffic but allow traffic to the Internet, and was wondering if this is possible with the hotspot.

Also, is it possible to use the RB750 to do all of this, or do I need a more powerful RouterBOARD?

Thanks

Re: wireless hotspot

Posted: Tue Oct 25, 2011 10:34 pm
by sadeghrafie
You can block users in, e.g., network A from accessing users in network B with a simple filter rule in the firewall.
How many users do you have? I think the RB750 will satisfy you.

Re: wireless hotspot

Posted: Tue Oct 25, 2011 10:45 pm
by cytec
I don't think there are that many, maybe 100 different users/devices.

But they will all be in the same network; that's why I was wondering if we could do a rule like "ignore all traffic from the intranet".

Re: wireless hotspot

Posted: Tue Oct 25, 2011 10:47 pm
by cytec
An example would be a security camera: the camera will be connected to the Wi-Fi and will connect over the Internet to the server, but I don't want other users to be able to hit the camera's web server and see the content.

Re: wireless hotspot

Posted: Tue Oct 25, 2011 10:59 pm
by sadeghrafie
Are the IP cam and those particular users on different interfaces of the MikroTik, or on the same one? If on the same one, are you using a Layer 2 switch?

Re: wireless hotspot

Posted: Tue Oct 25, 2011 11:52 pm
by cytec
They would be on the same interface; I would be using a wireless AP.

Re: wireless hotspot

Posted: Wed Oct 26, 2011 12:20 am
by JP_Wireless
Are you using Hotspot? If yes, the following is intended to do that, but I don't know how effective it is.
(attachment: hotspot.jpg)
See if this solves your problem.

Re: wireless hotspot

Posted: Wed Oct 26, 2011 11:00 am
by sadeghrafie
They are on the same interface of the router and connect via the same access point? All the configuration depends on the wireless AP, if it's manageable (I don't think so), and on the IP cam. IP cams usually have IP filtering in their own configuration; try that.
You can also create a secure connection between the IP cam and the RB with PPTP or something like that, if the IP cam supports it.

Re: wireless hotspot

Posted: Wed Oct 26, 2011 11:39 am
by hellweiss
Why not disable Default Forward on the WLAN interface?

Edit:

http://forum.mikrotik.com/viewtopic.php?f=7&t=23710

Re: wireless hotspot

Posted: Wed Oct 26, 2011 12:19 pm
by sadeghrafie
He didn't say whether he uses a MikroTik AP or not. He just said he uses an RB750. It depends on which AP he uses.

Re: wireless hotspot

Posted: Wed Oct 26, 2011 5:55 pm
by bambangs2komputer
Check DHCP Server >> Networks and set the netmask to 32. Your users' connections can reach the Internet, but your clients can't share anything. Be careful: if you have an IP camera/CCTV, you must set the destination to the IP camera/CCTV; don't set a queue (or, in mangle, mark ! ip cctvH2,64/ipcamera). Sorry for my English :-)

Re: wireless hotspot

Posted: Wed Oct 26, 2011 6:22 pm
by Feklar
That does squat to prevent clients from being able to "see" each other on the network. At best it requires an extra step on their part to get around it: by giving themselves a static IP with a large enough subnet, they can scan the network again and see the other hosts there. A host can also change its IP address to that of the gateway and mess up the entire network. What you are suggesting offers no real security at all.

If you want to isolate your security system from the guest network, it requires a bit more of a complicated setup. The best way to do this is, as was suggested, to put the security system on a different subnet and routed interface. If they all have to go into the same interface of the router, VLANs are designed specifically for that kind of situation: they let you set up logical divisions within the same hardware so they act like separate Layer 2 networks.

If you want to isolate end users from each other as well, set up client isolation on the access points and port isolation on the switch ports the access points connect to. Then no matter what settings someone puts on their machine, they will not be able to scan and find other hosts on the network or affect anyone else on it. It doesn't prevent them from sniffing wireless traffic, but it does prevent them from directly accessing other people's computers. This requires an investment in hardware that is capable of these functions (an unmanaged switch will not help you, and you need to specifically check whether your access points support client isolation), but it is well worth it for management and control.
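
The design Feklar describes (cameras on their own routed VLAN, guests on another, the router refusing to forward between them), written out as RouterOS commands. This is an added example, not configuration from the thread or from any poster. It assumes ether1 is the Internet uplink, ether2 is an 802.1Q trunk to a VLAN-capable switch or AP, VLAN 10 carries hotspot guests, VLAN 20 carries the cameras, and the 192.168.10.0/24 and 192.168.20.0/24 addressing; every interface name, VLAN ID and address is an assumption. The forward-chain rules only see traffic that is routed through the RB750: two guests on the same AP, or a guest and a camera sharing one untagged AP, are separated by the AP's client isolation, never by these rules.

```routeros
# Added example, not from the thread. Assumed layout:
#   ether1 = Internet uplink
#   ether2 = tagged trunk to a managed switch / VLAN-capable AP
#   VLAN 10 = hotspot guests, VLAN 20 = IP cameras
# All names, VLAN IDs and addresses below are assumptions.

/interface vlan
add name=vlan10-guest interface=ether2 vlan-id=10
add name=vlan20-cams  interface=ether2 vlan-id=20

/ip address
add address=192.168.10.1/24 interface=vlan10-guest
add address=192.168.20.1/24 interface=vlan20-cams

# Guests get addresses from the router; cameras use fixed addresses in /24 #20.
/ip pool
add name=pool-guest ranges=192.168.10.10-192.168.10.250
/ip dhcp-server
add name=dhcp-guest interface=vlan10-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
/ip dns
set allow-remote-requests=yes

# Captive portal on the guest VLAN only; the cameras never sit behind it.
/ip hotspot
add name=guest interface=vlan10-guest address-pool=pool-guest profile=default disabled=no

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# Everything that lives behind the router, so one drop rule covers both
# guest -> camera and camera -> guest.
/ip firewall address-list
add list=local-nets address=192.168.10.0/24
add list=local-nets address=192.168.20.0/24

/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies to connections allowed below"
add chain=forward src-address-list=local-nets dst-address-list=local-nets \
    action=drop comment="no routed traffic between guest VLAN and camera VLAN"
add chain=forward in-interface=vlan20-cams out-interface=ether1 action=accept \
    comment="cameras push to their server on the Internet"
add chain=forward in-interface=vlan10-guest out-interface=ether1 action=accept \
    comment="guests reach the Internet (hotspot login is enforced by its own dynamic rules)"
add chain=forward action=drop comment="default deny"

# Check: the drop rule's counter should climb when a guest tries the camera's
# web interface, and the camera's own counter when it uploads.
/ip firewall filter print stats where chain=forward
```

If the wired ports are bridged and cannot be split into VLANs, `/interface bridge settings set use-ip-firewall=yes` makes traffic that crosses the router's bridge pass through the same forward chain, which is the closest the RB750 alone can get; it still never sees traffic between two clients of one access point, which is the case Feklar is warning about.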

Re: wireless hotspot

Posted: Thu Oct 27, 2011 10:19 am
by bambangs2komputer
Have you tried scanning IPs with netmask 32? I'm sure all hotspot clients with DHCP Server > Networks > Netmask 32 can't scan IP/MAC addresses (with an IP scanner program or NetCut).
My MikroTik configuration:
/interface bridge add name=hotspot
/interface bridge port add bridge=hotspot interface=ether1 (and likewise ether2, ether3, ether4)
/ip address add address=57.57.57.254/24 interface=hotspot
/ip dhcp-server network add address=57.57.57.0/24 gateway=57.57.57.254 netmask=32 (DHCP server on interface hotspot)
/interface pppoe-client add name=speedy interface=ether5
/ip firewall nat add chain=srcnat src-address=57.57.57.1-57.57.57.100 out-interface=speedy action=masquerade
My access points (3 pcs) have the IPs 77.77.77.254, 77.77.77.253 and 77.77.77.252 (without any encryption or other settings, just AP mode).
I've had this setup for 1.5 years and it works fine.
If some people set a manual IP, gateway and DNS, they can't access the Internet if they don't have a username and password, but in the hotspot host list the manually set IP still shows up (it will get my IP firewall NAT configuration). If you don't believe it, just try :-)

Re: wireless hotspot

Posted: Thu Oct 27, 2011 4:22 pm
by Feklar
I agree that it makes it a bit more difficult to scan, but it is trivial to change your IP and your MAC address. At best it stops accidental or casual users, but it does nothing against people who are determined.

What if their goal isn't to get onto the Internet but to access other people's computers? Or what if their goal is to spoof the MAC address of another user and gain access that way? Your method does nothing to prevent them from scanning the network and doing so; it just puts in one extra trivial step for them to overcome. How about a man-in-the-middle attack? Once again, your method does nothing to prevent them from setting their MAC/IP, or even just the IP address of the gateway, and causing problems for the rest of the network.

These are things that no router can prevent or mitigate. The router cannot control traffic that doesn't go over it, and hosts "seeing" each other on a Layer 2 network doesn't require a router. These things need to be handled and prevented at the edge of the Layer 2 network and cannot be offloaded to the Layer 3 hop.
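
One hardening step the router itself can take against the hand-set-IP and copied-IP cases in the exchange above, as an added example that is not part of any post: make the router answer only for IP/MAC pairs it handed out or was told about, instead of learning them off the wire. It assumes bambangs2komputer's bridge name `hotspot`, a DHCP server named `dhcp-hotspot`, and an invented camera address and MAC. This protects only the router's own ARP table. A client that spoofs the gateway towards other clients on the same access point never touches the router, which is exactly Feklar's point; that still needs client isolation on the AP.

```routeros
# Added example, not from the thread. Assumes the hotspot bridge is called
# "hotspot" (as in bambangs2komputer's post) and its DHCP server "dhcp-hotspot".
# The camera's address and MAC are placeholders.

# 1. Stop the router from learning IP/MAC pairs from ARP traffic. It still
#    answers ARP requests for its own address, but it can only send packets to
#    hosts that have an entry in /ip arp, so a hand-picked address, or an
#    address copied from another user, gets no traffic back from the gateway.
/interface bridge
set hotspot arp=reply-only

# 2. Have the DHCP server install an ARP entry for each lease it grants, so
#    clients that took their address from DHCP keep working under reply-only.
/ip dhcp-server
set dhcp-hotspot add-arp=yes

# 3. Devices with fixed addresses (the camera) need a permanent entry, or they
#    also lose the gateway.
/ip arp
add address=57.57.57.20 mac-address=00:11:22:33:44:55 interface=hotspot \
    comment="ip camera, fixed address"

# Check: only DHCP-issued and static pairs are listed. A host that configured
# 57.57.57.5 by hand is absent here and cannot exchange packets with the router,
# even though it may still see other hosts on the same AP.
/ip arp print where interface=hotspot
```

Note that this deliberately breaks what bambangs2komputer relies on, the hotspot accepting hosts with hand-set addresses: under reply-only such a host has no ARP entry and simply gets nothing from the router, so decide which behaviour you want before enabling it.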

Re: wireless hotspot

Posted: Fri Oct 28, 2011 6:02 am
by bambangs2komputer
OK, back to cytec.
The wireless hotspot has many configuration options; select what you need.

And for Feklar:
1. If you have done the configuration like mine, just test it: log in with your username & password, then have your friend change their IP and MAC to the same as yours, and check IP > Hotspot >> Hosts (what happens?? :-))
2. Share a folder/file on your PC/notebook and have your friend try to take your file (what happens?? :-))

They cannot access the Internet/intranet because the main gate is closed (255.255.255.255). Don't forget to set L7 in your firewall :-)

Re: wireless hotspot

Posted: Sat Mar 17, 2012 4:13 pm
by MsLrO
Hello!

Could you share what the hotspot configuration could look like?

Regards