sopHns
just joined
Topic Author
Posts: 2
Joined: Tue May 10, 2022 3:36 pm

vlans to multiple access points

Tue May 10, 2022 4:27 pm

Hi, first of all, I'm a bit of a noob in the MikroTik world. I only started a couple of weeks ago, trying to solve this problem:
I have to set up a network at a school that would be something like this:
isp1 + isp2 > mikrotik > switch > classrooms ap (14 of them)
I managed to do the load balancing for the two services, and thought about using VLANs for the rest. The thing is that the school wants to be able to activate/deactivate and change the passwords (daily) of the access points in the classrooms from one designated PC.
Is it possible to do this? Can someone help me figure out how I should configure the VLANs?
I was thinking of a similar scenario as if I was a WISP and the classrooms were my clients, so I can shut down the service "if they don't pay" from a WISP management software, but I don't know if this kind of software allows me to change the passwords of the access points. And said software would have to be free.

TL;DR: can I do something like this: https://wiki.mikrotik.com/wiki/Manual:VLANs_on_Wireless but for 14 access points? I'm planning on using a manageable switch to receive the VLANs and use each one on different access points
- each AP should have different names, IP directions and passwords
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: vlans to multiple access points

Thu May 12, 2022 4:10 pm

Which MikroTik device?
Which make and model of APs?
Which make and model of switch?
 
sopHns
just joined
Topic Author
Posts: 2
Joined: Tue May 10, 2022 3:36 pm

Re: vlans to multiple access points

Mon May 16, 2022 4:26 pm

- MikroTik RouterBOARD hEX RB750Gr3
- Switch I don't have at the moment, I have to get one if this is possible
- the APs are tp-link TL-WR940N. They were in the school before I got this request, so I have to work with that.
 
MikeKulls
Member Candidate
Posts: 130
Joined: Thu Dec 22, 2016 4:31 am

Re: vlans to multiple access points

Mon May 16, 2022 5:10 pm

Why do you want to use VLANs? It's reasonable that you may need them but not essential. For example, you could just have the APs connected to the switch and then use 1 port on the router to the switch.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: vlans to multiple access points

Mon May 16, 2022 5:30 pm

Those APs do not have any management APIs; it would be a case of logging in to each AP and manually changing the settings. You could use WPA2-Enterprise and an external RADIUS server to manage the authentication so it is centralised. This would only work if all of the client devices support it; some may only be capable of WPA2-PSK, a.k.a. WPA2-Personal.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: vlans to multiple access points

Mon May 16, 2022 5:54 pm

Assuming these are for school classrooms and for students, the best course of action is to create a separate VLAN for each classroom so that all the classrooms are isolated from each other and assuming they only need internet access?? It appears you only will be able to have a limited number of channels as well so use the split of 1 - 6 - 12 judiciously such that you have enough separation in classrooms. A layout of the rooms may prove useful (relative to each other and where the AP is located in each room).

As for access, yes, the admin would have access one way, to all the APs (all the VLANs) in order to set up and maintain the APs.

Add bridge=bridge-school
Add vlans vlan11, 12, ..... 24 (classrooms 1-14) and VLAN 10 - admin vlan, all with master interface bridge-school

Define for each vlan
IP address
IP pool
DHCP Server
DHCP Server-Network

Add trunk port from Router to switch
/interface bridge port
add bridge=bridge-school interface=ether3 ingress-filtering=yes frame-types=admit-only-vlan-tagged comment="to switch"
add bridge=bridge-school interface=ether4 pvid=10 ingress-filtering=yes frame-types=admit-only-untagged-and-priority-tagged comment="to admin PC"
Any other ports requiring setup ????

/interface bridge vlan
# tagged= lists bridge ports (the bridge itself and the trunk ether3); the vlanNN interfaces are not bridge ports
add bridge=bridge-school tagged=bridge-school untagged=ether4 vlan-ids=10
add bridge=bridge-school tagged=bridge-school,ether3 vlan-ids=11,12,13,14,15,16,17,18,19,20,21,22,23,24

Etc.........................
Firewall rules probably basic........ With the addition of one accept forward chain rule in-interface=vlan10 out-interface-list=LAN
viewtopic.php?t=180838
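
The per-VLAN steps listed in the post above (VLAN interface, IP address, pool, DHCP server, DHCP network, then the forward rules), written out as one RouterOS script. This is an added example, not part of any poster's reply; the 10.20.N.0/24 addressing plan, the CLASSROOMS interface list and the pool/server names are assumptions, and bridge-school is assumed to exist already.

```routeros
# Added example. Assumed plan: VLAN N uses 10.20.N.0/24 with the router at .1.
# VLAN 10 is the admin VLAN; VLANs 11-24 are the classrooms and join CLASSROOMS.
# dns-server points at the router, which assumes /ip dns allow-remote-requests=yes.
/interface list add name=CLASSROOMS

:for i from=10 to=24 do={
    :local vlanName ("vlan" . $i)
    :local net ("10.20." . $i)
    /interface vlan add name=$vlanName vlan-id=$i interface=bridge-school
    /ip address add address=($net . ".1/24") interface=$vlanName
    /ip pool add name=("pool-" . $vlanName) ranges=($net . ".10-" . $net . ".254")
    /ip dhcp-server add name=("dhcp-" . $vlanName) interface=$vlanName address-pool=("pool-" . $vlanName) disabled=no
    /ip dhcp-server network add address=($net . ".0/24") gateway=($net . ".1") dns-server=($net . ".1")
    :if ($i > 10) do={
        /interface list member add list=CLASSROOMS interface=$vlanName
    }
}

/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="return traffic"
add chain=forward action=accept in-interface=vlan10 out-interface-list=CLASSROOMS comment="admin PC to the APs"
add chain=forward action=drop in-interface-list=CLASSROOMS out-interface-list=CLASSROOMS comment="no classroom-to-classroom traffic"
add chain=forward action=drop in-interface-list=CLASSROOMS out-interface=vlan10 comment="classrooms cannot open connections to admin"

# Enable last, from a port that stays reachable: VLAN tags are only enforced once this is set.
/interface bridge set bridge-school vlan-filtering=yes
```

The filter rules are appended to whatever is already in the forward chain, so they need to sit above any broader accept rule to take effect.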
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: vlans to multiple access points

Wed May 18, 2022 2:43 pm

Generally with Schools... You want CLIENT ISOLATION between all student devices.

So the Student VLAN doesn't need to be per room or anything like that.

As for load balancing... I am firmly against it. Get a service that binds your ISPs or lines. Then it takes all your traffic over both lines and presents like that to services. I get sick of load balancing timing out connections/authentication not matching.
 
anav
Forum Guru
Posts: 19106
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: vlans to multiple access points

Wed May 18, 2022 4:13 pm

Sure, it would be ideal to use the client isolation aspect of the APs if available, that goes without saying.
However, I would use a layered security approach and would highly recommend VLANs to separate each classroom.

However these are old APs, the best course of action for the OP is ONLY to provide GUEST WIFI.
Using guest WIFI there is an option to allow access to local network, the default is OFF, to not allow access to local network.
This is the closest thing it has to client isolation. I think it means simply it cannot talk to the wired side of things, which is not quite the same.
