dpsguard
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 12:50 am

Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Sun Oct 11, 2020 9:31 pm

Hello All,

Hopefully someone from Mikrotik support, or users who have done something like that already, can guide me here.

Assuming a high-capacity CCR is used, how many subinterfaces / VLANs can be added under a bridge interface and then tied to the same login page?

I am trying to put a few apartments in a building into separate VLANs so that they remain isolated from other apartments, but the requirement is to have a single wireless network / SSID (non-Mikrotik APs). We are not using 802.1x as many of the IoT devices won't support it, and we will instead add the MAC addresses of such devices against the user account in FreeRADIUS so that these devices don't see the login page but get placed into the required VLAN.

Appreciate any guidance please.

Thanks again
 
dpsguard
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 12:50 am

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Tue Oct 13, 2020 9:17 pm

Looks like this 10-year-old thread may answer my questions, but I would like to know if anyone has successfully implemented this in today's networks?

viewtopic.php?t=41263

Thanks
 
dpsguard
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 12:50 am

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Wed Oct 14, 2020 4:27 am

Requesting experts @sindy @sob and @anav for any advice here.

Can we have multiple VLANs (for isolation) on a common bridge with a large DHCP pool, supporting a single wireless SSID with backend FreeRADIUS for dynamic VLAN allocation, but still part of the same large subnet?

Thanks
 
Sob
Forum Guru
Forum Guru
Posts: 6076
Joined: Mon Apr 20, 2009 9:11 pm

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Wed Oct 14, 2020 5:23 am

I'm afraid you have too many keywords that are not at all my things (hotspot, freeradius).
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
mkx
Forum Guru
Forum Guru
Posts: 4721
Joined: Thu Mar 03, 2016 10:23 pm

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Wed Oct 14, 2020 8:21 am

If I take out of the post by @dpsguard everything I don't really understand (and some more), then what remains is:
Can we have multiple VLANs (for isolation) on a common bridge ... but still part of the same large subnet?

Then this doesn't make much sense to me.
So you're saying that you want to have separate VLANs from the rooms to the central router, where you actually join all VLANs into a single IP network on the router's bridge (which is an L2 entity)? Because that largely drops the separation VLANs are offering, and you depend on bridge filtering to offer at least some client-to-client separation (and I'd consider such a setup to be clearly outside the requirements which drove the need for separate VLANs in the first place).
BR,
Metod
 
anav
Forum Guru
Forum Guru
Posts: 5299
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Wed Oct 14, 2020 5:02 pm

Requesting experts @sindy @sob and @anav for any advice here.
I am framing this in gold on a plaque by the way! ;-)

I think it's better worded if we look at it a bit more pragmatically:
He wants to be able to use multiple VLANs to separate groups of users, but all of them have a common SSID.
Which means, I am ASSuming here, no wired connectivity.

So the question becomes: can we ensure WIRELESSLY that people with different VLANs, all using the same SSID and thus access points, CANNOT SEE EACH OTHER.
In other words, ALL VLANs are using the same WLAN, but wireless users are not allowed to see each other. I believe this was possible on Zyxel wifi routers / access points many moons ago.
Sounds slightly far-fetched though.......
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
dpsguard
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 12:50 am

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Wed Oct 14, 2020 5:27 pm

Thank you @sob, @mkx and @anav for looking into this.

This is possible if I wanted to have 60 DHCP scopes and 60 VLAN interfaces with dynamic VLAN assignment to each apartment with their unique username / password on an 802.1x SSID. And I tested it last year. But the issue is management of so many pools and the absence of a login page. That is why I was thinking of using a bridged interface with a common splash page and a single large pool.

Here, as per the post that I included, someone, or rather a couple of folks as per that post, have successfully done that. Today, with higher-capacity CCRs and hardware-offloaded bridges, I believe I should achieve this. I can order one CCR2004 (that has 4GB of RAM and fiber ports to which I can add some copper SFPs to test at my end), but before investing in it, I wanted to check if this is even possible, and then I came across this post that I shared.

And yes, I meant not client isolation, which is easily achieved with most wireless APs, but I need VLAN-based isolation (as in the case of a primary upstream VLAN hosting the bridged subnet / DHCP pool and isolated VLANs for users). So residents of the same apartment can have all their devices see each other (to be able to control, say, the TV from an app on the phone), but no one else can get to their devices.

Thanks
 
Sob
Forum Guru
Forum Guru
Posts: 6076
Joined: Mon Apr 20, 2009 9:11 pm

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Wed Oct 14, 2020 6:17 pm

It's still not completely clear to me how everything is connected. But just the part with bridged VLANs, if assigning everything from each apartment to its own VLAN is already handled, should probably work. Bridge them, set horizon on all ports, happy end (hopefully). But to be honest, I have only used horizon a few times for testing. The manual also says that "Split horizon is a software feature that disables hardware offloading", and my experience with individual device models is extremely limited, so I can't say anything about performance.
 
tdw
Long time Member
Long time Member
Posts: 510
Joined: Sat May 05, 2018 11:55 am

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Wed Oct 14, 2020 7:11 pm

CCRs don't have any hardware switching so bridge functions which disable hardware don't apply to them. Port isolation / private VLANs can be achieved with hardware switching, but I'm pretty sure there are strange interactions when also using switch chip VLAN filtering - the CRS3xx may be OK, but I haven't got one to test with.

As others have indicated, it isn't clear how you intend everything to connect together. 802.1x works, but as you say there are devices which do not support it. MAC-based systems work, but you have to maintain the MAC-to-VLAN-ID data, and it is easily spoofed.

I don't see where the hotspot with multiple VLANs comes in if you are using a common SSID / key, as unless the AP uses MAC-based VLAN selection they will all be on the same VLAN.
 
dpsguard
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 12:50 am

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Wed Oct 14, 2020 7:47 pm

Thank you guys for sharing your experience and knowledge.

If split horizon is a software feature, then it will cause lots of CPU load. So I am not sure if this is a good solution. I was hoping that the bridging section that shows hardware offloading in the RB493G that I have (though it is not supported in that hardware, but is in the latest firmware that I installed on it) will be available in the CCR2004, but I was not sure if split horizon needs to take a trip to the CPU.

I still believe that we can use the same hotspot page if I simply do something like 60 subinterfaces / VLAN interfaces on a physical interface (not a bridge interface), then create 60 subnets (each of, say, /27), and then under the hotspot section add a separate server profile for each and associate them all with the same external portal server. The only issue is that I need to find a switch that will allow creating 60 DHCP scopes. Most will only support 32 max.
 
dpsguard
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 12:50 am

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Wed Oct 14, 2020 8:31 pm

Or if I can create that many DHCP scopes on the CCR itself, that should work.

In such cases, I will also need to see if two CCRs can be clustered together or use VRRP (hopefully they will sync up DHCP lease status at least among themselves).
 
tdw
Long time Member
Long time Member
Posts: 510
Joined: Sat May 05, 2018 11:55 am

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Wed Oct 14, 2020 8:44 pm

But how do devices get assigned to all of these VLANs if you use the same SSID everywhere? Managing MAC-based VLAN assignment will be time-consuming if every single device needs adding.
 
dpsguard
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 12:50 am

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Wed Oct 14, 2020 9:28 pm

The SSID will use HTTP PAP plus MAC-based authentication at the same time. Initially the user will get a login page, and after that a MAC cookie can be set to, say, a month, and from then on the user's device won't see the login page for a month. The backend is FreeRADIUS and will do the dynamic VLAN assignment by pushing the Mikrotik (or IEEE) RADIUS attributes for VLAN assignment. Each device accordingly gets placed into its assigned VLAN, which is set up at the time of setup of the RADIUS account for the apartment.

So there are no MAC addresses to manage. For devices that won't support a browser to authenticate, users will have a portal to register their devices in, and they will get added to their RADIUS account. Those devices will thus be proxy-authenticated using their username bound to that MAC address.
 
dpsguard
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 12:50 am

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Wed Oct 14, 2020 9:32 pm

Wanted to clarify that the SSID at the AP itself can be simple WPA2-PSK, and these HTTP PAP and MAC auth settings are to be done on the CCR in the hotspot section.
 
tdw
Long time Member
Long time Member
Posts: 510
Joined: Sat May 05, 2018 11:55 am

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Wed Oct 14, 2020 10:38 pm

So a device connects to an SSID with WPA2-PSK, and the traffic to/from it will be placed in a VLAN based upon the AP configuration. When the user successfully authenticates, supplying a VLAN ID to the Mikrotik isn't going to move that traffic to another VLAN - it is fixed by the AP.
 
dpsguard
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 12:50 am

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Thu Oct 15, 2020 1:40 am

We can have the AP change the VLAN in response to the attribute received from the RADIUS (IEEE), and the Mikrotik will have all the VLANs already set up on the interface that goes to the switch towards the AP. So the port on the Mikrotik going to the switch is a trunk port (and the same for the APs). The AP simply switches or changes the VLAN for the user after it receives access-accept from RADIUS, and along with it, it also receives directions / attributes from RADIUS (and Change of Authorization, CoA / DM to disconnect and reconnect the client).

But then I run into the same issues. I cannot serve a splash page with 802.1x. Back to the drawing board. 802.1x had lots of promise way back in the early 2000s when it became popular for wired ports, but with all these IoT devices and wireless-only connectivity, with no security set up, and designed for use in your home behind your dedicated Internet service, the only thing that works today for requirements like mine will be a login splash page plus MAC authentication with a multiple-VLAN setup on the bridge, and mapping each apartment AP to their VLAN ID. Then I do run into the issue of what if your device gets connected to the neighbor? You can go to the Internet, but you will not talk to your other devices. And this device will fall into the L2 of the neighboring.

The only solution seems to be that each apartment has a separate SSID with their own PSK, and then set up 60 or 300 (whatever the requirement is) server profiles / DHCP scopes on each Mikrotik (or rather set up fewer, like 32 on each router, and use multiple routers).

And then add a common Guest SSID on all the APs, so that you can use that to roam around the building and give it out to your guests. That common SSID can be in a common VLAN with no isolation required, or rather implement client isolation on that SSID, which many APs support on a per-SSID basis.
 
dpsguard
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 12:50 am

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Sun Oct 18, 2020 5:41 am

Hello Folks,

I am trying to test setting up this scenario using my 493G router (and will then invest in a CCR).

So doing a single VLAN 120 (a subinterface attached to the bridge interface), then setting up the VLAN interface IP address (to serve as the gateway for the VLAN), and then adding the necessary DHCP scope set to use the VLAN interface, works, and I can get an IP address and then a splash page through an externally hosted page (login.html file, under the hotspot directory, directing to the external portal), and I can authenticate and all works.

So then I create another VLAN 101 (under interfaces, attached to the bridge, and did my regular tagging on the bridge and the downstream physical interface on the router going to the switch below, just like I did for the first VLAN). And this time, I did not assign this VLAN interface any IP address, since I would like to make it an isolated VLAN, to work off a DHCP scope with the interface set to the bridge. Created the required DHCP scope etc. for the bridge as the interface, but I don't get any IP address on my test laptop attached on untagged VLAN 101.

When the router was factory reset, I had all ports (other than the uplink WAN port) in the same bridge, and the DHCP scope was on the bridge, and that was working. After I now add a VLAN interface and scope, I am not able to get an IP address from VLAN 101 (even if I make one bridge port an access port, via PVID 101, and attach the test laptop to it).

I have read this excellent post / article by @pcunite, and I believe I am doing all I need to do correctly in terms of VLAN tagging, so there is no end-to-end VLAN tag missing.

viewtopic.php?f=13&t=143620

If a few folks in this old thread were able to achieve this, I am not sure what I could be doing wrong where I am not able to bind multiple VLAN interfaces to obtain IP addresses from a common pool set up on the bridge. Unless ROS firmware no longer supports this feature, I am stumped.

viewtopic.php?t=41263

Any guidance will be very much appreciated. Thanks all.
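The working VLAN 120 part of the test above, combined with the HTTP PAP plus MAC-cookie login backed by FreeRADIUS described in the earlier post, as an added RouterOS configuration example; it is not from the thread or from MikroTik. The trunk port ether2, the 10.120.0.0/24 subnet, the 30-day cookie timeout and the RADIUS address/secret are assumptions.

```routeros
# Added example (not from the thread). Assumed: ether2 is the trunk to the switch/APs,
# VLAN 120 is routed by the router, RADIUS server 192.0.2.10 is the FreeRADIUS box.
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether2
/interface bridge vlan
# VLAN 120 tagged on the trunk AND on bridge1 itself, otherwise the CPU never sees it
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=120
/interface vlan
add name=vlan120 interface=bridge1 vlan-id=120
/ip address
# gateway for the VLAN lives on the vlan interface, not on the bridge
add address=10.120.0.1/24 interface=vlan120
/ip pool
add name=pool120 ranges=10.120.0.10-10.120.0.250
/ip dhcp-server
add name=dhcp120 interface=vlan120 address-pool=pool120 disabled=no
/ip dhcp-server network
add address=10.120.0.0/24 gateway=10.120.0.1 dns-server=10.120.0.1
/radius
# secret is a placeholder; RADIUS traffic should stay on a management network
add service=hotspot address=192.0.2.10 secret=CHANGE-ME
/ip hotspot profile
# login.html in the hotspot directory redirects to the external portal;
# http-pap = browser login, mac = registered devices sent to RADIUS by MAC,
# mac-cookie = device stays logged in 30 days after the first browser login
add name=hs-common hotspot-address=10.120.0.1 html-directory=hotspot \
    login-by=http-pap,mac,mac-cookie mac-auth-mode=mac-as-username \
    mac-cookie-timeout=30d use-radius=yes
/ip hotspot
add name=hs120 interface=vlan120 address-pool=pool120 profile=hs-common disabled=no
# turn filtering on last, after the bridge vlan table is complete, or the trunk goes dark
/interface bridge
set bridge1 vlan-filtering=yes
```

With VLAN filtering on, the bridge interface itself only passes untagged frames in the bridge's own PVID (1 by default), so a DHCP server bound to bridge1 is not reachable from VLAN 101; a VLAN the router should hand addresses to needs its own vlan interface, as done here for 120. The mac and mac-cookie methods identify a device by its MAC address only, which, as tdw notes above, is easy to spoof, so they save the user a login but add no isolation.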
 
dpsguard
newbie
Topic Author
Posts: 32
Joined: Sun Apr 26, 2020 12:50 am

Re: Multiple hotspot profiles on multiple VLAN interfaces on a bridge

Sun Oct 18, 2020 6:44 am

Here is a solution by @ZiadZone that I don't fully comprehend, for sharing a single DHCP pool for multiple VLANs/APs. Requesting @ZiadZone to further clarify.

viewtopic.php?f=7&t=151631&p=823275#p823275
