kaweksl
just joined
Topic Author
Posts: 4
Joined: Mon Sep 17, 2018 11:28 pm

WLAN Client isolation in dynamic VLAN assignment

Wed Sep 19, 2018 1:26 am

Hi,

I have a test network with pfSense, a little managed switch and a wAP ac (RBwAPG-5HacT2HnD), and I want to use dynamic VLAN assignment on WLAN clients using FreeRADIUS on pfSense.

I have it almost working, but I have a problem with unwanted WLAN client isolation. Clients on the same dynamically assigned VLAN are able to get an IP from DHCP on this VLAN (pfSense), they have Internet access and they can ping the gateway, but they can't ping each other. I don't have this problem if I remove Mikrotik-Wireless-VLANID from RADIUS, so they get assigned to the default VLAN for the interface.

Any ideas?

Default VLANid for wireless interfaces is 104
VLANid assigned for testing clients is 100

I'm pretty sure that the RADIUS config is fine, but I ended up with something like this:
"testuser" Cleartext-Password := "edited"
	Mikrotik-Wireless-VLANID := 100,
	Mikrotik-Wireless-Comment = "User Test 1",
	Mikrotik-Wireless-Forward := 1,
	Mikrotik-Wireless-VLANID-type := 0
And the config export from the wAP ac:
/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys radius-eap-accounting=yes radius-mac-accounting=yes supplicant-identity=MikroTik wpa2-pre-shared-key=editededited
add authentication-types=wpa2-eap management-protection=allowed mode=dynamic-keys name=eap1 radius-eap-accounting=yes supplicant-identity="" wpa2-pre-shared-key=editededited
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n comment=2.4GHz disabled=no frequency=2437 mode=ap-bridge security-profile=eap1 ssid=kaw-slow vlan-id=104 vlan-mode=use-tag wds-ignore-ssid=yes wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-Ceee comment=5Ghz country=poland disabled=no mode=ap-bridge security-profile=eap1 ssid=kaw-5G vlan-id=104 vlan-mode=use-tag wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan1 comment=2.4GHz
set wlan2 comment=5Ghz
/interface wireless nstreme
set wlan1 comment=2.4GHz
set wlan2 comment=5Ghz
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 interface=ether1 trusted=yes
add bridge=bridge1 interface=wlan2 trusted=yes
add bridge=bridge1 interface=wlan1 trusted=yes
/interface bridge vlan
add bridge=bridge1 tagged=ether1,wlan1,wlan2 vlan-ids=100
add bridge=bridge1 tagged=ether1,wlan1,wlan2 vlan-ids=104
/ip dhcp-client
add disabled=no interface=bridge1
/radius
add address=172.16.16.1 secret=editededited service=wireless
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=AP01-wAP
/system logging
set 2 disabled=yes
add prefix=info topics=radius
add prefix=debug topics=wireless
add prefix=debug topics=interface
/system routerboard settings
set silent-boot=no
/tool sniffer
set filter-interface=all
 
kaweksl
just joined
Topic Author
Posts: 4
Joined: Mon Sep 17, 2018 11:28 pm

Re: WLAN Client isolation in dynamic VLAN assignment

Fri Sep 21, 2018 9:18 pm

Today I tried using the not recommended "separate bridges" method (https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless) and I have the same result: clients on WLAN can't ping each other.

Is there someone who uses dynamic VLAN assignment and can confirm that clients on VLANs assigned by RADIUS can ping each other?

Also, I tried using a second AP (hAP Lite) and have the same result, but also clients can't ping each other if they are connected between access points.
 
kaweksl
just joined
Topic Author
Posts: 4
Joined: Mon Sep 17, 2018 11:28 pm

Re: WLAN Client isolation in dynamic VLAN assignment

Sat Sep 22, 2018 3:51 pm

Thankfully I found a solution.

What helped is setting Multicast helper in the Wireless Interface properties to full:
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no frequency=auto mode=ap-bridge multicast-helper=full security-profile=eap1 ssid=kaw-test2 vlan-id=100 wps-mode=disabled
I have no idea what it does, but it helped and now clients can ping each other.

The problem also exists in VLANs assigned by Access List based on MAC, and multicast helper fixes that too.
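
A way to check other access points for the setting that resolved this thread, as an added example that is not part of the original posts: the script reads a RouterOS export and lists AP interfaces on a wpa2-eap security profile (where RADIUS can hand out a VLAN ID) that lack multicast-helper=full. The sample export is constructed, the function names are hypothetical, and VLANs assigned through the access list are not covered.

```python
import re
import shlex

# Constructed sample, modelled on the export posted in this thread.
SAMPLE_EXPORT = """\
/interface wireless security-profiles
add authentication-types=wpa2-eap mode=dynamic-keys name=eap1
add authentication-types=wpa2-psk mode=dynamic-keys name=psk1
/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge security-profile=eap1 \\
    ssid=kaw-slow vlan-id=104 vlan-mode=use-tag
set [ find default-name=wlan2 ] mode=ap-bridge multicast-helper=full \\
    security-profile=eap1 ssid=kaw-5G vlan-id=104 vlan-mode=use-tag
add master-interface=wlan1 mode=ap-bridge name=guest security-profile=psk1
"""


def parse_section(export_text, section):
    """Return {item name: {key: value}} for one section of a RouterOS export."""
    text = re.sub(r"\\\n\s*", "", export_text)  # join wrapped export lines
    current, items = None, {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            current = line
        elif current == section and line:
            props = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
            name = props.get("default-name") or props.get("name")
            if not name and props.get("default") == "yes":
                name = "default"  # 'set [ find default=yes ]' edits the default item
            if name:
                items[name] = props
    return items


def eap_aps_without_multicast_helper(export_text):
    """AP interfaces on a wpa2-eap profile whose multicast-helper is not 'full'."""
    profiles = parse_section(export_text, "/interface wireless security-profiles")
    flagged = []
    for name, props in parse_section(export_text, "/interface wireless").items():
        profile = profiles.get(props.get("security-profile", "default"), {})
        uses_eap = "wpa2-eap" in profile.get("authentication-types", "").split(",")
        if (props.get("mode") == "ap-bridge" and uses_eap
                and props.get("multicast-helper") != "full"):
            flagged.append(name)
    return sorted(flagged)


if __name__ == "__main__":
    print(eap_aps_without_multicast_helper(SAMPLE_EXPORT))
```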
 
PackElend
Member Candidate
Posts: 272
Joined: Tue Sep 29, 2020 6:05 pm

Re: WLAN Client isolation in dynamic VLAN assignment

Sat Jan 01, 2022 11:41 pm

/interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys radius-eap-accounting=yes radius-mac-accounting=yes supplicant-identity=MikroTik wpa2-pre-shared-key=editededited
add authentication-types=wpa2-eap management-protection=allowed mode=dynamic-keys name=eap1 radius-eap-accounting=yes supplicant-identity="" wpa2-pre-shared-key=editededited
/interface wireless
....

Hi,
do you use WPA2-PSK or WPA-EAP, as you allow both in your configuration?

I hope for the first :) as I try to set up dynamic VLAN assignments based on the used Private-PSK.
There is this RADIUS attribute
Mikrotik-Wireless-PSK
which could be used, but I cannot find any tutorial or topic using it, so I'm wondering if this is feasible?
