Code:
Access List
Sub-menu: /interface wireless access-list
Access list is used by access point to restrict allowed connections from other devices, and to control connection parameters.
Access list rules are processed one by one until matching rule is found. Then the action in the matching rule is executed. If action specifies that client should be accepted, client is accepted, potentially overriding its default connection parameters with ones specified in access list rule.
There are the following parameters for access list rules:
client matching parameters:
address - MAC address of the client
interface - optional interface to compare with the interface to which client actually connects
time - time of day and days when rule matches
signal-range - range in which client signal must fit for the rule to match
allow-signal-out-of-range - option which permits client's signal to be out of the range always or for some time interval
connection parameters:
ap-tx-limit - tx speed limit in direction to client
client-tx-limit - tx speed limit in direction to AP (applies to RouterOS clients only)
private-passphrase - PSK passphrase to use for this client if some PSK authentication algorithm is used
vlan-mode - VLAN tagging mode specifies if traffic coming from client should get tagged (and untagged when going to client).
vlan-id - VLAN ID to use if doing VLAN tagging
I am using this with the classic wireless driver (not wifiwave2) and RouterOS v7.9.
Wireless interface is configured with "vlan-mode: use tag" and "vlan-id: dummy value".
Observation: client that is matched in the access list and gets a valid VLAN assigned, indeed gets connected to that VLAN for directed traffic and broadcast (ARP, DHCP).
But it does NOT receive the multicast traffic on that VLAN, e.g. Chromecast or IPv6 SLAAC.
When I set the vlan-id of the wireless interface to some valid VLAN, all clients connected and matched receive the multicast traffic from THAT VLAN instead of their own.
(resulting in invalid IPv6 address being assigned)
Does anyone else have experience with dynamic VLAN assignment for wireless? I have it in place to reduce the number of WiFi SSIDs / virtual interfaces.
In fact I am not using access-list but instead use MAC authentication via RADIUS and user-manager, with settings like this in a user-manager group:
Code:
# user-manager group whose RADIUS reply attributes assign matched clients VLAN ID 10
/user-manager user group
add attributes="Mikrotik-Wireless-Forward:1,Mikrotik-Wireless-VLANIDtype:0,Mikrotik-Wireless-VLANID:10" name=WiFi-Public outer-auths=pap
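A way to confirm the multicast leak described in this post from a capture taken on an affected client, as an added example that is not part of the original post: it parses an IPv6 Router Advertisement and reports any advertised prefix that does not belong to the VLAN the client was assigned. The VLAN-to-prefix plan, the function names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Hypothetical addressing plan: VLAN ID -> IPv6 prefix advertised on that VLAN
# (documentation range, not taken from the post).
VLAN_PREFIXES = {
    10: ipaddress.ip_network("2001:db8:10::/64"),
    20: ipaddress.ip_network("2001:db8:20::/64"),
}

def ra_prefixes(icmpv6: bytes):
    """Return the prefixes carried in Prefix Information options of a Router Advertisement."""
    if len(icmpv6) < 16 or icmpv6[0] != 134:      # ICMPv6 type 134 = Router Advertisement
        raise ValueError("not a Router Advertisement")
    prefixes, off = [], 16                        # options follow the 16-byte RA header
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmpv6):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:       # Prefix Information option
            plen = icmpv6[off + 2]
            raw = icmpv6[off + 16:off + 32]       # 128-bit prefix field
            prefixes.append(ipaddress.ip_network((raw, plen), strict=False))
        off += opt_len
    return prefixes

def foreign_prefixes(icmpv6: bytes, assigned_vlan: int):
    """Prefixes in the RA that do not belong to the VLAN the client was assigned."""
    expected = VLAN_PREFIXES[assigned_vlan]
    return [p for p in ra_prefixes(icmpv6) if p != expected]

def build_ra(prefix: str) -> bytes:
    """Construct a minimal RA (checksum left at zero) used as sample input."""
    net = ipaddress.ip_network(prefix)
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    option = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return header + option + net.network_address.packed

if __name__ == "__main__":
    # Constructed samples: a client assigned to VLAN 10 hears its own RA, then VLAN 20's.
    for sample in ("2001:db8:10::/64", "2001:db8:20::/64"):
        print(sample, "->", foreign_prefixes(build_ra(sample), assigned_vlan=10))
```

A non-empty result for a client means it is receiving Router Advertisements from a VLAN other than the one RADIUS assigned, which is the segmentation failure the post reports.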