hagoyi
newbie
Topic Author
Posts: 29
Joined: Wed May 17, 2023 8:36 pm

One SSID multiple LANs config (main/guest)

Wed May 17, 2023 8:45 pm

Hi all. I'm running ac3 with the widely used guest WIFI setup - 2 bridges, 2 SSIDs. Is it possible to have only one SSID for all bridges (lans), and separate users based on the password entered when connecting? It looks like a charm: only one SSID and no one knows that he is currently using the main or guest local network.
 
hagoyi
newbie
Topic Author
Posts: 29
Joined: Wed May 17, 2023 8:36 pm

Re: One SSID multiple LANs config (main/guest)

Mon Jul 03, 2023 3:57 pm

I tried to set the same SSID for the main and guest access points (total: 4 interfaces with the same name). An Android phone with the password of the main network tried for a long time to connect alternately to each of the access points (started with guest points), until it finally connected to the main one.

The Windows PC displayed a password error after a while - apparently, the Win did not have the patience to go through all the access points.

Are there better solutions to reduce the timeout or not force clients to connect directly to the correct network (for example, users of the main network are immediately directed to the correct point)?
 
holvoetn
Forum Guru
Posts: 5405
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: One SSID multiple LANs config (main/guest)

Mon Jul 03, 2023 4:34 pm

Why do you want to use the same SSID with different passwords ?
What is the underlying requirement for this ?

If users are not supposed to know what network they are connecting to, what's the point of separating them ?
Put everyone on guest then.
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: One SSID multiple LANs config (main/guest)

Mon Jul 03, 2023 4:44 pm

> It looks like a charm: only one SSID and no one knows that he is currently using the main or guest local network.

It may look like it, but doesn't work without some heavy iron features (some might call them enterprise features): RADIUS for customizable passwords and VLANs (so that RADIUS will request to put different stations into different VLANs which translate into different networks).

Or, if you are willing to share same security credentials for everybody, you can go with poor man's solution: MAC-based ACLs with VLAN IDs. This way some "well known" clients will be placed into "main" network, the rest will use guest network. This doesn't work with anonymizing MAC address BS because every time client will connect to your network, it'll have different MAC address.

The way you did it is against standards: when device sees multiple BSSIDs (wireless interface MAC addresses) serving same SSID it rightfully assumes it sees an eSSID and that it can freely roam between constituting BSSIDs (it will be able to use same PSK, it doesn't have to perform any L2/L3 handshake because it'll still be in same L3 subnet ... which means same IP setup including own IP address, gateway IP address, DNS server addresses, etc.).
 
hagoyi
newbie
Topic Author
Posts: 29
Joined: Wed May 17, 2023 8:36 pm

Re: One SSID multiple LANs config (main/guest)

Thu Jul 06, 2023 10:14 pm

> Why do you want to use the same SSID with different passwords ?

The main idea: do not allow users to ask questions "What is this second network? There is something more important in it than in the guest network?" A little trick from mom's hackers, if you will.

> It may look like it, but doesn't work without some heavy iron features (some might call them enterprise features): RADIUS for customizable passwords and VLANs (so that RADIUS will request to put different stations into different VLANs which translate into different networks).

Maybe you have a not very complicated guide on how to set the radius for my case?

> poor man's solution: MAC-based ACLs with VLAN IDs.

Yes, I could just create a few rules for known mac addresses (disable mac randomization for authorized devices) and route the rest (including random macs) to the guest network. But I don't really trust random mac addresses - what if one of them one day matches "authorized" and enters the main network? And I will have to provide a common password for all devices, including unauthorized ones.
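
The MAC-based ACL with VLAN IDs discussed in this thread, modelled as an added example (not code from any poster and not RouterOS configuration). It assumes that client-side MAC randomisation sets the locally administered bit, so an allowlist restricted to vendor-assigned addresses cannot be matched by a randomised one; the VLAN IDs, function names and MAC addresses are constructed for illustration.

```python
import re

MAIN_VLAN, GUEST_VLAN = 10, 20  # assumed VLAN IDs, not taken from the thread

def parse_mac(text):
    """Normalise aa:bb:.., AA-BB-.. or aabb.ccdd.eeff to 6 bytes."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def is_locally_administered(mac):
    # U/L bit (0x02 of the first octet): set on randomised/private MACs,
    # clear on vendor-assigned (burned-in) addresses.
    return bool(mac[0] & 0x02)

def is_multicast(mac):
    # I/G bit (0x01 of the first octet): a station address must be unicast.
    return bool(mac[0] & 0x01)

def build_allowlist(entries):
    """Return (accepted set, rejected list of (entry, reason)).
    Only vendor-assigned unicast addresses are accepted."""
    accepted, rejected = set(), []
    for entry in entries:
        try:
            mac = parse_mac(entry)
        except ValueError as exc:
            rejected.append((entry, str(exc)))
            continue
        if is_multicast(mac):
            rejected.append((entry, "multicast/group address"))
        elif is_locally_administered(mac):
            rejected.append((entry, "locally administered; randomisation still on?"))
        else:
            accepted.add(mac)
    return accepted, rejected

def vlan_for(client, allowlist):
    """VLAN for a connecting station; unknown or malformed goes to guest."""
    try:
        mac = parse_mac(client)
    except ValueError:
        return GUEST_VLAN
    return MAIN_VLAN if mac in allowlist else GUEST_VLAN

# Constructed sample entries.
ALLOWLIST, REJECTED = build_allowlist([
    "3C:22:FB:10:20:30",  # vendor-assigned, accepted
    "da-a1-19-00-11-22",  # U/L bit set, rejected at enrolment
    "3c22.fb10.2031",     # dotted notation, accepted
    "not-a-mac",          # malformed, rejected
])
```

The check rules out an accidental match only; the MAC ACL remains an identifier check, not authentication.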
