openair030
just joined
Topic Author
Posts: 23
Joined: Thu Jul 14, 2022 3:35 pm
Location: Berlin

Conceptual question ~300 clients network, caps, limits

Wed Jul 20, 2022 4:36 pm

I've read a bunch of the documentation and made some tests in my lab. However, some things I can't test in the lab, and I feel a bit like I'm missing some conceptual insight for designing my network.

The following things are quite fixed:

We have a backbone where all APs can see each other on L2.
There are two (adsl modem) gateways also on this backbone. A third adsl could be added for load balancing on the wan side.
We do not serve anything to the wan side (no fixed ip).

There will be three vlans:
vlan101 - internal traffic, cash register, ip phones
vlan201 - employees
vlan301 - freewifi / guests

The APs are spread across the property. (some hAP mini, hAPac3 and Omni5)
I expect 30-40ish clients per AP (will do max. 50) or 300-500 simultaneous clients peak in total.
All APs have L4.

The ethernet ports on the APs will be assigned to vlans, too.
Since I have three hAPac3 (best cpu of all devices) I'd use each of them to be a dhcp server, open up the wan side of the ap for dhcp and set up relay entries on each ap for the vlans.
?-> The 200 users limit affects only the hotspot as far as I've read. Will the dhcp server on a hAPac3 serve more than 200 clients?

For static leases in the lower ip range of each dhcp server (/28) there will be static routes (printers on local ports).
?-> Is there any technology that knows/keeps track of which IP is behind which ap?
Expl.: There is one dhcp server. And I can control that devices on local eth ports of an ap get defined ip ranges so that I can place a static route to them. But I do not know on which ap a dynamic client is. This is a "the cash register iPad needs to find a printer" problem. The printers unfortunately do not necessarily have fixed ips and might be moving over the property during the day. I don't know how the cash register discovers the printer.
(I'm not that deep into L2, but could I forward arp from wan to lan, and would that solve my problem?)

Would some tunnel do a more suitable job of transparently interconnecting these three physical net parts behind an ap on the backbone?
This applies only to one vlan, since employees and guests are classic web/messenger wlan clients.

?-> Do I need to take further actions in e.g. the firewall to properly propagate broadcasts (*.255) on tcp and udp with my construction?
Expl.: I learned that if I want to have vlans on my ssids, I have to add the vlan to the bridge.
What happens on the wan side? Is the wan handled like a trunk or are the tags removed?
 
anav
Forum Guru
Posts: 19125
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Conceptual question ~300 clients network, caps, limits

Wed Jul 20, 2022 4:48 pm

What made you decide to use MT wifi (home wifi) for such numbers? High density designed APs are much better suited for such work.
 
openair030
just joined
Topic Author
Posts: 23
Joined: Thu Jul 14, 2022 3:35 pm
Location: Berlin

Re: Conceptual question ~300 clients network, caps, limits

Wed Jul 20, 2022 6:46 pm

Basically cost/use ratio.
I can guarantee(tm) that there will be max. 20-30 clients on one ap because they're set dense enough.
Our backbone is fx and traffic is moderate as of now. However, bandwidth is limited and we won't get more than 200Mbit on the wan side.
And I liked the management features compared to e.g. dd-wrt.

I'm aware of the limitations and that's why I designed the stuff to be in local forwarding. Just to get rid of that traffic on the shortest way.
We'll see how traffic increases when the guests can go online over the whole place.

For the company vlan (~25 clients at all) I'm just trying to get the best config. Now these three areas are isolated.

The network just covers a wide area.
Typically there should be ~100 clients altogether in all vlans. So semi-pro/soho stuff is fine.

We always have a peak sunday where we'd need high density aps, but we decided not to cater to this audience (in front of our door).
 
Ca6ko
Member
Posts: 499
Joined: Wed May 04, 2022 10:59 pm
Location: Kharkiv, Ukraine

Re: Conceptual question ~300 clients network, caps, limits

Thu Jul 21, 2022 10:20 am

Draw a diagram of the network so that we can understand your scheme.
1000 dhcp clients will not create a serious load on the server.
On the plan of the building, show the locations of the access points.
Regarding the wifi network, you are talking like a network engineer. And here we need to look at it from the point of view of a radio engineer. Just because you divide the network traffic to VLAN does not mean that the radio network traffic will be divided. All clients will be operating on the same radio spectrum and sharing the same frequencies.
I faced a situation where the presence of 100-150 people with phones in a room, of whom only 20-30 are connected to the wifi, dramatically reduces bandwidth and online services begin to work intermittently.
Do not use cheap SOHO devices (such as hAP mini). Use special access point devices, Wall Access Point (wAP ac) and Ceiling Access Point (cAP ac). Be sure to use dual-band devices.
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Conceptual question ~300 clients network, caps, limits

Sat Jul 23, 2022 1:33 am

Yes, the description and purpose of this setup are confusing or not complete.

And also some strange setup assumptions.

You have limited WAN connections (very common) but are handling this with 2 adsl modem gateways directly on the backbone.

Expected setup is ... choose one of the better APs (hAP ac3) to act as the WAN interconnect, doing the firewall stuff, NAT and masquerade and WAN load balancing.
Never mind the NAT of the adsl modem; it will allow you to differentiate between them and isolate the adsl modem settings from the rest of the LAN.
This hAP ac3 would also do the DHCP leases for all the VLANs. Will need a VLAN interface for each VLAN. That hAP ac3 is also the DNS and Gateway address as given per DHCP lease.
(DHCP relay in an L2 network. Don't see the need for this. ????). I would not like to depend on the adsl modem dhcp leases for my LAN !!!
You could think of a second hAP ac3 as failover. Failover is like splitting DHCP lease addresses over the 2 devices. It could also mean using VRRP. But it will complicate things !!
Certainly if you use e.g. scripts to create queues with every DHCP lease given out. (avoiding hotspot?)

APs are inter-connected over ethernet cable, I hope?
The air-time consumption is always combined air-time for all SSIDs in the same channel, as already mentioned above.
Careful planning of non-overlapping channels is needed. The air-time sharing goes over a much larger physical area than the usable range of the APs.
One VLAN (SSID name) is not limited to one channel! The number of clients is not that important. The number of actively communicating ones (typically 10%) is what consumes airtime in the channel.
For 500 clients you need as many non-interfering wifi channels as you can get here.

Avoid too much multicast/broadcast with large subnets. Client devices tend to overload the subnet with things as "Bonjour" (IOS), Windows netbios, and other mDNS and DLNA kind of things. Not to forget what Skype and Dropbox is doing, finding data and network access via other client devices.

Creating a L2 network in a tree structure (using the same bridge-port "horizon" value on the L2 leaf-branches) is what I do when there are many clients that do not need to talk to each other. (Forwarding=no is only limiting for the same WLAN.)
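As an added example (not code from the thread or from MikroTik), this is what the leaf-AP side of that tree looks like on a hAP ac3 running RouterOS 7 with the wireless package: one VLAN-aware bridge, the backbone uplink as an all-tagged trunk, one SSID per VLAN mapped with a PVID, a wired port in the internal VLAN, and the bridge-port horizon mentioned above so that guest and staff clients cannot reach each other at L2 even across different ports or radios, while the internal VLAN is left without a horizon so the cash registers can still find printers on the same AP. Interface names, the SSIDs and keys and the management address 10.10.0.10/16 are assumptions.

```routeros
# Added example, not from the thread: one leaf AP (hAP ac3, RouterOS 7, "wireless" package).
# Assumptions: ether1 is the uplink to the shared fibre backbone, ether2 is a local port for
# a cash register or printer, wlan2 is the 5 GHz radio; SSIDs, keys and the management
# address 10.10.0.10/16 are placeholders. VLAN ids follow the first post (101/201/301).

/interface bridge
add name=bridge1 vlan-filtering=no comment="enable filtering last, once the VLAN table is in"

# One SSID per VLAN on the same radio; the tag is added by the bridge (PVID), not the radio
/interface wireless security-profiles
add name=sp-internal mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=CHANGE-ME-1
add name=sp-staff mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=CHANGE-ME-2
/interface wireless
set wlan2 mode=ap-bridge ssid=internal security-profile=sp-internal disabled=no
add name=wlan2-staff master-interface=wlan2 ssid=staff security-profile=sp-staff disabled=no
add name=wlan2-guest master-interface=wlan2 ssid=guest security-profile=default disabled=no

# Bridge ports. ether1 is the trunk, everything on it stays tagged.
# horizon=1 on the staff and guest ports: ports sharing a horizon value never forward to
# each other, so those clients only reach the uplink, even across ports and radios.
# The internal VLAN gets no horizon because cash registers must still find printers here.
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=101
add bridge=bridge1 interface=wlan2 pvid=101
add bridge=bridge1 interface=wlan2-staff pvid=201 horizon=1
add bridge=bridge1 interface=wlan2-guest pvid=301 horizon=1

# VLAN table: tagged towards the backbone, untagged on the access ports of that VLAN.
# bridge1 is tagged for 101 only because the AP's own management address lives there.
/interface bridge vlan
add bridge=bridge1 vlan-ids=101 tagged=ether1,bridge1 untagged=ether2,wlan2
add bridge=bridge1 vlan-ids=201 tagged=ether1 untagged=wlan2-staff
add bridge=bridge1 vlan-ids=301 tagged=ether1 untagged=wlan2-guest

# Management: the AP is reachable in the internal VLAN only, no IP in the guest/staff VLANs
/interface vlan
add name=vlan101-mgmt interface=bridge1 vlan-id=101
/ip address
add address=10.10.0.10/16 interface=vlan101-mgmt

/interface bridge
set bridge1 vlan-filtering=yes
```

No DHCP server or relay runs on this AP: a client's DHCP broadcast is tagged by the PVID of its port, leaves over the trunk and is answered by whichever device terminates that VLAN upstream. Enabling vlan-filtering as the final step avoids locking yourself out of the management VLAN while the table is still incomplete.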
 
openair030
just joined
Topic Author
Posts: 23
Joined: Thu Jul 14, 2022 3:35 pm
Location: Berlin

Re: Conceptual question ~300 clients network, caps, limits

Fri Jul 29, 2022 7:25 pm

Thank you. An answer I understand, and I took my notes.

One followup question about the WAN side of a hapac3 / dhcp relay / wan side of the bridge.
I have three of them on my table to experiment. Sometimes it's just confusing to read the documentation but not knowing if I want/need that feature.

However, if a client connects to the public ssid on some ap, how does this new client discover that the dhcp server is somewhere behind the bridge and firewall of that cap it's trying to connect to (without a dhcp relay)? It would be new to me that broadcasts from a client looking for dhcp get routed out to wan.

That is one of my problems actually: I can get this whole ssid/vlan stuff working with one dhcp and relays on all others but the clients do not get the portal page displayed.
- The ssid/vlan gets tagged (as cap datapath) or PVID tags it.
- The client looks for dhcp and gets an address of the dhcp server which is running on a vlan interface on that device. So the tagged packet arrives and is processed by the correct dhcp server.
- I've managed only once to see the portal page (the hotspot is on the same device of course) but also on the vlan interface.

I do not find the point where to remove the vlan tag when it's "user data" that goes out over some dsl, since I also need tagged packets on the same physical interface for the dhcp and portal.

Since I'm still designing the network I also could remove the tag on the outside of a cap and give the vlan interfaces also an outside IP of the network on eth1 (e.g. eth1 192.168.99.10/24, 10.10.0.10/16, 10.11.0.10/16, 10.12.0.10/16 with/without ingress filtering). Then I could untag all packets on the outside and make some static routes.

For completeness:
I hear your advice about multicasts.
For the public ssids I can do this. Unfortunately this is something I need for the corporate ssid/lan. It's three segments (behind hapac3) and we need printer discovery, and that in an n:n relation. Wireless clients will "roam" around the caps and will need to find printers in all three segments. Fixed IPs are for other reasons the last option.

We have several adsl because of different companies sharing the airside. For me it's just a later option to have some more bandwidth available to cover load spikes.

Yes, all APs are on one backbone. We have fx L1 network and there are only the adsl modems and all APs direct connected. They can see each other. There is no dhcp server on this backbone - all devices are fixed ip.
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Conceptual question ~300 clients network, caps, limits

Sat Jul 30, 2022 12:01 am

OK, thanks for the info.

I think there is still more complexity in your network, that you are not telling us. Maybe make a little diagram.

For me, the WAN side is only at that home-gateway hAP ac3. All ADSL modems come on the WAN side of this router. There are no VLAN's on the WAN side.
This router also has the "hotspot" function, for the VLAN's where this is needed/wanted. (Some networks, like corporate, have clients with direct internet access, without need for login in to a portal.)
Opening any http://:80 link will open the hotspot page, if the hotspot is configured on that interface. HTTPS (443) may not work! To test, just browse to the hAP ac3 with http on its current VLAN IP address.

Then we have multiple LAN environments. (One per VLAN). Each LAN environment has a DHCP server (can be on the hAP ac3), DNS server and default gateway (both are usually the hAP ac3.)
The hAP ac3 terminates the VLANs, and has the LAN-WAN transition (NAT/masquerade) as per default config, for each of the VLAN.
You assign traffic to ADSL modems in the hAP ac3 as you wish. (Random, per specific VLAN, load based, per kind of traffic (dst port), load balance or fail over, etc etc .... ) The ADSL modem is not connected to the (V)LAN directly. The hAP ac3 will distribute to the correct ADSL modem, based on your rules.
Inter VLAN communication (routing) must be allowed in the hAP ac3 firewall, if needed.
Mikrotik RouterOS has no Avahi or mDNS reflector. So, yes, indeed mDNS address search, like DLNA, can be a problem.
[hAP ac3 could run a mDNS reflector in a Docker container, or another computer could deliver the function. It's only used to find the IP address.]

How does a client find the DHCP server? It will send out a broadcast for the whole L2 LAN, with a DHCP request. If the AP is in bridged mode, this request will pass the AP.
The VLANs are each one L2 LAN. Broadcasts go over the whole VLAN chain. Even if that LAN network has multiple branches/segments, it is still only one L2 network (so switches, APs in bridge mode, MT RouterOS in bridge mode, ... do not break a L2 network). It can be multiple hops away, but must be bridged and uses addresses in the same IP subnet.

Broadcasts do not pass the hAP ac3. DHCP requests are not sent to the WAN side. The hAP ac3 fulfills the DHCP server function for all (V)LANs. IP subnets in the VLANs are different from the WAN IP subnets. LAN-WAN transition (NAT/masquerade).
 
openair030
just joined
Topic Author
Posts: 23
Joined: Thu Jul 14, 2022 3:35 pm
Location: Berlin

Re: Conceptual question ~300 clients network, caps, limits

Sat Jul 30, 2022 10:09 pm

Thank you.
I've just sketched the fibers. (I'm still yEd'ing the whole plot.)
See every dot as an unmanaged L2 switch with 2 SFP / 4 or 8 ethernet ports. They're all DIN rail and PoE.
Connected (typ) to such a switch are a) wired ip phones and b) some cap (lite, hAPac3, Omni5).
The big circle just connects many fibers but is also unmanaged. It should not be considered a root or star point.

The dsl modem is a business grade modem with an internal pbx. Other people let it manage their whole business network. (DTAG/Elmeg/Zyxel)
The routing throughput can be said to be sufficient.
For me it's a dumb backbone where I can reach out from the network side to all my devices (webinterfaces). Everything has fixed ips.
Prohibiting access to these webinterfaces from vlans is firewall or switch settings.
I tend to make this also a vlan, so that if someone plugs in (dj aka script kiddies) nothing happens in the first place.
But note, since they're all on the same L2 network I can (and want to) give out the dsl as gateway in dhcp, since all caps can reach it. This is where some basic load balancing should happen, by sending the Omni5 traffic (public only) to a different gw than the rest of the shop.

For now I'll have my dhcp servers somewhere on a cap and dns depends on the vlan.
In future I'll put at least one Ubuntu Server also onto this network to serve internal web and dav to the corporate vlan and all the dhcp servers and a radius. But for now a cap will do fine.

However, what I do not understand:
Why should I put all the traffic onto one hAPac3 cap, process it there and then pump it back through the same fiber to a dsl-gateway/router? Especially if the throughput of the box is made for business.

With local forwarding, access control/filter between the vlans the user data can go out directly to the dsl.
It travels only once over the fiber, and from all routers/caps there is only one hop to the gw or to the wan side of another cap.

All networks exist happily on the lan side of a cap router/switch, and there is nothing on the wan side of any device that a normal user must access.
Only in the corporate vlan it will be necessary to reach clients in other segments (aka behind some router on that backbone).

I do not see the necessity for a centralized router on one ac3 when the same result can be achieved without.
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: Conceptual question ~300 clients network, caps, limits

Sun Jul 31, 2022 1:53 am

Thanks for all your effort to document your setup.

Not surprised, because I used to build this kind of thing in 1977.

This is a hardwired, fixed solution. OK, some virtual VLAN kind of network, but managed by external DSL operators. The DSL modem managers are in control.

How you combine those external networks in your own multi-VLAN LAN network, is your job. It can be done with Mikrotik. Used to do this with less flexible equipment, but not interested today.
Well, honestly, I do not like to see "business" in the text. Now I'm 45 years older, so not as keen for this kind of mix and match networks. After surviving multiple virus attacks, on a business that costs 280.000$/hr downtime. The ransomware attack, causing 6 weeks out, came after I left the business. Redundancy and control is a must!

You can do all this. Have your VLANs live their own internet life, based on those "business grade DSL modems" as gateways. But you have no redundancy, no failover, that is worth mentioning. If DSL1 is not giving you internet access (DSL modem is OK, but ISP has a misconfig or disconnect from its higher-tier internet provider) for the business, in how few seconds will DSL2 take over, without your intervention?

Not interested? Your fullest right to work that way. There is indeed no need then for a controlled WAN/LAN transition. Forget the centralising hAP ac3. It will work, work even well, until it fails. Maybe not important, depends on the "business" you are in.
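As an added example (not code from the thread or from MikroTik), this is a RouterOS 7 configuration for the central hAP ac3 described two posts up, extended with the failover this post asks about: the router terminates VLANs 101/201/301 on one VLAN-aware bridge, runs a DHCP server, DNS and default gateway per VLAN (so no relay is needed and a client's DHCP broadcast never leaves its VLAN), keeps the ADSL modems on its WAN side behind masquerade, restricts inter-VLAN traffic in the firewall, and uses two recursive default routes so DSL2 takes over by itself when the ISP behind DSL1 stops answering, not only when the modem itself goes down. Port roles (ether1/ether2 to the modems, ether3 to the fibre trunk), the modem addresses 192.168.1.1/192.168.2.1, the probe hosts 1.1.1.1 and 9.9.9.9 and the interface-list names are assumptions; the 10.10/10.11/10.12 /16 subnets reuse the ones the topic author floated.

```routeros
# Added example, not from the thread: central hAP ac3 as bpwl describes it (RouterOS 7).
# Assumptions: ether1/ether2 face ADSL modem 1/2 (192.168.1.1, 192.168.2.1, constructed),
# ether3 is the tagged trunk to the fibre backbone; 10.10/10.11/10.12.0.0/16 are the
# subnets the topic author mentioned. Names and addresses are placeholders, adapt them.

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=WAN interface=ether2

# One VLAN-aware bridge; only the trunk port and the bridge itself carry tags
/interface bridge
add name=bridge1 vlan-filtering=no comment="filtering is switched on at the very end"
/interface bridge port
add bridge=bridge1 interface=ether3
/interface bridge vlan
add bridge=bridge1 vlan-ids=101,201,301 tagged=bridge1,ether3

# Each VLAN is terminated as an L3 interface: gateway, DHCP and DNS live here
/interface vlan
add name=vlan101 interface=bridge1 vlan-id=101 comment="internal / cash registers"
add name=vlan201 interface=bridge1 vlan-id=201 comment="employees"
add name=vlan301 interface=bridge1 vlan-id=301 comment="guests"
/interface list member
add list=LAN interface=vlan101
add list=LAN interface=vlan201
add list=LAN interface=vlan301
/ip address
add address=10.10.0.1/16 interface=vlan101
add address=10.11.0.1/16 interface=vlan201
add address=10.12.0.1/16 interface=vlan301
add address=192.168.1.2/24 interface=ether1
add address=192.168.2.2/24 interface=ether2

# DHCP: a client's broadcast stays inside its VLAN and arrives on vlanXXX, so no relay.
# The first /24 of each subnet is left out of the pool for static leases (printers etc.).
/ip pool
add name=pool101 ranges=10.10.1.1-10.10.255.254
add name=pool201 ranges=10.11.1.1-10.11.255.254
add name=pool301 ranges=10.12.1.1-10.12.255.254
/ip dhcp-server
add name=dhcp101 interface=vlan101 address-pool=pool101 lease-time=4h disabled=no
add name=dhcp201 interface=vlan201 address-pool=pool201 lease-time=4h disabled=no
add name=dhcp301 interface=vlan301 address-pool=pool301 lease-time=1h disabled=no
/ip dhcp-server network
add address=10.10.0.0/16 gateway=10.10.0.1 dns-server=10.10.0.1
add address=10.11.0.0/16 gateway=10.11.0.1 dns-server=10.11.0.1
add address=10.12.0.0/16 gateway=10.12.0.1 dns-server=10.12.0.1
/ip dns
set allow-remote-requests=yes

# Captive portal on the guest VLAN only; the hotspot adds its own dynamic NAT/filter rules
/ip hotspot
add name=hs-guest interface=vlan301 address-pool=pool301 disabled=no

# Two ADSL uplinks with real failover: each default route stays active only while the
# probe host reached through that modem answers, so a dead ISP (modem still up) fails over
/ip route
add dst-address=1.1.1.1/32 gateway=192.168.1.1 scope=10
add dst-address=9.9.9.9/32 gateway=192.168.2.1 scope=10
add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=1 target-scope=10 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=9.9.9.9 distance=2 target-scope=10 check-gateway=ping

# LAN-WAN transition: masquerade behind whichever modem the active route uses
/ip firewall nat
add chain=srcnat out-interface-list=WAN action=masquerade

# Inter-VLAN policy: guests and staff reach the internet only; internal may reach anything
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=vlan301 out-interface-list=WAN action=accept
add chain=forward in-interface=vlan201 out-interface-list=WAN action=accept
add chain=forward in-interface=vlan101 action=accept
add chain=forward action=drop comment="everything else between VLANs and WAN"
add chain=input connection-state=established,related action=accept
add chain=input in-interface=vlan101 action=accept comment="management from internal only"
add chain=input in-interface-list=LAN protocol=udp dst-port=53,67 action=accept
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept
add chain=input action=drop

/interface bridge
set bridge1 vlan-filtering=yes
```

The forward chain is the place where the topic author's "access control/filter between the vlans" actually lives in this design: the internal VLAN may initiate towards staff, guests and the WAN, while the other two only ever reach the WAN, and the input chain exposes the router's management only to the internal VLAN. The two host routes with scope=10 are what make the default routes recursive: check-gateway=ping then tests the probe host, so the modem staying up while the ISP is broken still triggers the switch to the second route.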
 
openair030
just joined
Topic Author
Posts: 23
Joined: Thu Jul 14, 2022 3:35 pm
Location: Berlin

Re: Conceptual question ~300 clients network, caps, limits

Mon Aug 01, 2022 6:51 pm

Thanks for all your explanation.

I hear you well and it could be me.
I'm only 35 years on the road (of event technology) and meanwhile even this industry has started to use ethernet. Besides all that streaming that came up in the last two years. We wouldn't use wireless as long as we can lay a cable. We cashed up customers more money without this internet...

Anyhow, of course you're right about the sop-design with wan on one side and lan on the other side.
This is simply not possible because I'll never be able to lay that extra wan-cable (through walls and roofs). I only could plug that cable in the same unmanaged ethernet switch again.

No network pro lost a job because of this, since these guys could never pay for pro services, being more or less just a stall market.

For me it's charity. I like them and do them a favor. Since the sop-design for the network will not work, I took the challenge to build an alternative that has the most possible security. That's why I don't need to think of the sop-design as an option.

However, understanding what happens where in such an ap and how vlans are handled is new to me.
The only thing I know is: I can't reach the optimal sop-design. Let's see how close I can come.

For now I still would have the fallback to leave the wan open and let all traffic run on 4 addresses of 4 vlans with full filtering, tagged only, on the lan side of an ap.
