 
philamonster
just joined
Topic Author
Posts: 13
Joined: Mon Apr 03, 2017 4:08 am

Bridge and virtual AP - vlan filtering or use tag & VLAN ID

Fri Oct 05, 2018 4:41 pm

Question about best practice/security recommendations:

I have recently set up my first MikroTik wAP that consists of a LAN AP bridge and a guest AP bridge (VAP) for both 2.4 and 5 GHz. All 4 interfaces are connected to a single bridge. wlan1 & 2 share the same SSID for LAN with the LAN security profile, and wlan3 & 4 (VAP) share the same SSID for guest with the guest security profile.

The wAP is connected to an HP ProCurve 1810G with (in HP language) untagged VLAN 10 and tagged VLAN 20 (LAN) and tagged VLAN 30 (guest). I have configured VLAN mode to 'use tag' and VLAN ID to 20 for the LAN interfaces, and mode to 'use tag' and VLAN ID to 30 for guest. The AP itself receives a DHCP address on VLAN 10, and connected clients receive an IP according to the SSID they connect to.

My question is, is there a difference between this config in regards to best practice/security as opposed to configuring a second bridge and assigning the VAPs to that bridge? In researching my config scenario I came across a couple of blog posts/tutorials that demonstrate using multiple bridges in conjunction with VLAN filtering. I currently employ Cisco and Meraki APs using a method similar to the one I described above, but was curious a) if that is in fact true and b) if I am at risk in any way or not, considering all aspects.

FYI, everything connects back to an RB2011 with filters in place to prevent/grant guest access to LAN services as I have designated. The rules seem to still be in effect in my limited testing this morning from the newly configured wAP, same as with the existing APs.

example:
https://www.virtualizationhowto.com/201 ... aps-vlans/

Thanks...
 
mkx
Forum Guru
Posts: 4317
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge and virtual AP - vlan filtering or use tag & VLAN ID

Fri Oct 05, 2018 6:07 pm

Configuration with multiple bridges in scenarios like yours is "old school"; it predates VLAN filtering on the (CPU-run) bridge (introduced with ROS 6.41). If you configure things right, then using a single bridge with vlan-filtering=yes is as safe as using any other VLAN-aware switch.
BR,
Metod
 
philamonster
just joined
Topic Author
Posts: 13
Joined: Mon Apr 03, 2017 4:08 am

Re: Bridge and virtual AP - vlan filtering or use tag & VLAN ID

Fri Oct 05, 2018 7:40 pm

Thank you for the reply. But just to be sure I understand, per wiki:

https://wiki.mikrotik.com/wiki/Manual:I ... _Filtering

The main VLAN setting is vlan-filtering which globally controls vlan-awareness and VLAN tag processing in the bridge. If vlan-filtering=no, bridge ignores VLAN tags, works in a shared-VLAN-learning (SVL) mode and cannot modify VLAN tags of packets. Turning on vlan-filtering enables all bridge VLAN related functionality and independent-VLAN-learning (IVL) mode. Besides joining the ports for Layer2 forwarding, bridge itself is also an interface therefore it has Port VLAN ID (pvid).

...I currently do not have vlan-filtering enabled on the bridge itself. Is using the explicit VLAN mode 'use tag' and setting the VLAN ID on the interface(s) accomplishing the same thing, or am I conflating the two? Things "are working", but I don't want to be in that hapless situation of not understanding why and how they are working.
 
mkx
Forum Guru
Posts: 4317
Joined: Thu Mar 03, 2016 10:23 pm

Re: Bridge and virtual AP - vlan filtering or use tag & VLAN ID

Fri Oct 05, 2018 10:33 pm

There are two ways of dealing with VLANs: the traditional one (still works and has some benefits over the other one), where you set VLAN stuff strictly on hardware (e.g. the /interface ethernet switch config subtree and /interface wireless), and the new one, where you set things on the bridge (with vlan-filtering=yes).
In the former scenario the bridge can be seen as a "dumb" switch and passes frames without regard to VLANs, so all member ports (ethernet, wlan and any other) have to enforce VLAN filtering on both ingress and egress to avoid leaking frames to wrong ports and/or VLANs. In the latter scenario the bridge actually acts as a VLAN-capable switch, and setting ingress/egress filtering on member ports is not necessary (if HW offload is enabled and active, filtering is actually done by hardware, else it's done by the CPU ... which is the case on the vast majority of RouterBOARDs).

Both, if set correctly, ensure proper inter-VLAN separation. If your wAP is set up in the new manner, but vlan-filtering is set to no, then nothing is enforcing proper VLAN separation. Which may not hurt you if other devices do their jobs. But if you'd connect a "malicious" device to such a wAP, it could inject frames into VLANs that are not supposed to be present on a particular ether port, or it could receive some frames (probably broadcast frames) which are not supposed to be there, etc.

If you're unsure, you can post wAP configuration so we can comment.
BR,
Metod
 
philamonster
just joined
Topic Author
Posts: 13
Joined: Mon Apr 03, 2017 4:08 am

Re: Bridge and virtual AP - vlan filtering or use tag & VLAN ID

Sat Oct 06, 2018 6:30 pm

Thanks. I will look into using vlan-filtering. I also currently have services limited based on network, but no firewall rules on the wAP itself, and can only see those services from approved networks. I'm also satisfied with the filter rules already in place on the RB2011 to prevent access from the guest network to the LAN and the AP.


# oct/06/2018 10:28:09 by RouterOS 6.42.9
# software id = Y8W1-1V2S
#
# model = RouterBOARD wAP G-5HacT2HnD
# serial number = 
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=testing!
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=wlan supplicant-identity="" wpa2-pre-shared-key=xxx
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=guest_prof supplicant-identity="" wpa2-pre-shared-key=xxx
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n basic-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b=2Mbps,5.5Mbps,11Mbps \
    channel-width=20/40mhz-Ce disable-running-check=yes disabled=no frequency=auto ht-basic-mcs=\
    mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15 mode=ap-bridge rate-set=configured security-profile=wlan ssid=wap_2.4&5g supported-rates-b=2Mbps,5.5Mbps,11Mbps vlan-id=20 vlan-mode=use-tag \
    wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac basic-rates-a/g=18Mbps channel-width=20/40/80mhz-eCee disable-running-check=yes disabled=no frequency=auto mode=ap-bridge rate-set=configured security-profile=wlan ssid=wap_2.4&5g supported-rates-a/g=\
    18Mbps,24Mbps,36Mbps,48Mbps,54Mbps vlan-id=20 vlan-mode=use-tag wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=xxx master-interface=wlan1 multicast-buffering=disabled name=wlan3 security-profile=guest_prof ssid=guest_2.4&5g vlan-id=30 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
add disabled=no keepalive-frames=disabled mac-address=xxx master-interface=wlan2 multicast-buffering=disabled name=wlan4 security-profile=guest_prof ssid=guest_2.4&5g vlan-id=30 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 \
    wps-mode=disabled
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan3
add bridge=bridge1 interface=wlan4
/interface list member
add interface=wlan2 list=WAN
add interface=ether1 list=LAN
add interface=wlan1 list=LAN
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge1
/ip service
set telnet address=10.200.64.0/23,10.200.32.13/32
set ftp disabled=yes
set www address=10.200.64.0/23,10.200.32.13/32
set ssh address=10.200.64.0/23,10.200.48.0/23,10.200.32.13/32
set winbox address=10.200.64.0/23,10.200.32.13/32
/system clock
set time-zone-name=America/New_York
/system identity
set name=wap-ac-01
/system package update
set channel=bugfix
/system routerboard settings
set silent-boot=no
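As an added example (not posted by either participant), here is the "new manner" mkx describes, applied to the wAP export above: the bridge does the tagging and enforces port membership, and the wlans stop tagging themselves. It assumes the topology stated in the thread (ether1 is a hybrid uplink, untagged VLAN 10 for the AP's own management address, tagged VLAN 20 for the LAN SSID and VLAN 30 for the guest SSID); the interface names are the ones in the export. Run it in Safe Mode (Ctrl-X in the CLI) so a mistake does not lock you out of a remotely managed AP, and leave vlan-filtering=yes for the very last step, because until then the bridge is still the "dumb switch" and nothing else below is enforced.

```routeros
# Added example, not part of the original thread.
# Assumes: ether1 = hybrid uplink (untagged 10, tagged 20+30), VLAN 20 = LAN SSID,
# VLAN 30 = guest SSID, management address on the bridge in VLAN 10.

/interface bridge
# pvid=10: untagged frames from the bridge interface itself (the CPU, i.e. the
# DHCP client and management services) belong to VLAN 10.
set bridge1 pvid=10

/interface wireless
# The bridge now adds/strips tags per port, so the wlans must stop doing it.
set wlan1 vlan-mode=no-tag
set wlan2 vlan-mode=no-tag
set wlan3 vlan-mode=no-tag
set wlan4 vlan-mode=no-tag

/interface bridge port
# Access ports: a client may only send untagged (or priority-tagged) frames,
# which are classified into the port's pvid. A client that sends its own
# 802.1Q tag is dropped instead of hopping VLANs.
set [ find interface=wlan1 ] pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [ find interface=wlan2 ] pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [ find interface=wlan3 ] pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
set [ find interface=wlan4 ] pvid=30 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# Hybrid uplink: untagged = VLAN 10, tagged 20/30 accepted. ingress-filtering=yes
# drops tagged frames for any VLAN this port is not a member of below.
set [ find interface=ether1 ] pvid=10 frame-types=admit-all ingress-filtering=yes

/interface bridge vlan
# Membership table: which VLAN may leave which port, and tagged or untagged.
add bridge=bridge1 vlan-ids=10 untagged=ether1,bridge1
add bridge=bridge1 vlan-ids=20 tagged=ether1 untagged=wlan1,wlan2
add bridge=bridge1 vlan-ids=30 tagged=ether1 untagged=wlan3,wlan4

/interface bridge
# Last: turn enforcement on. Before this line the table above is not applied.
set bridge1 vlan-filtering=yes
```

After enabling, `/interface bridge vlan print` should show the three VLANs with the expected tagged/untagged ports (plus dynamic entries for the pvids), and `/interface bridge host print` lists each learned client MAC with the VLAN it was classified into, which is the quickest way to confirm that a guest-SSID client only ever appears in VLAN 30. Because this wAP has a single ethernet port, the filtering is done by the CPU, as mkx notes, so the `/ip service` address restrictions already in the export remain the only thing protecting management on the AP itself.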
