hanyassar
newbie
Topic Author
Posts: 33
Joined: Wed Apr 20, 2016 12:31 pm

Different Vlans for every Access Point

Sun Sep 16, 2018 12:52 pm

Hi guys,

We are using a Mikrotik RB2011iL as a hotspot in our network. The topology is as follows:
  • ether1 is the WAN port
  • ether2 + ether3 + ether4 + ether5 are configured as a bridge
  • The hotspot is configured to distribute via the bridge
At the moment, everything is working fine, and I have more than 20 Access Points working (in the same subnet) with no problems at all.

The new thing: I'm trying to configure a different VLAN for every Access Point (for security purposes) using the following steps:
  • From the Interface menu I add a VLAN (from the VLAN tab) with different VLAN IDs (according to the IP address of the AP).
  • Then I select the ether port which the AP is physically connected to.
  • After that, I add the VLAN to the already configured bridge.
After doing that, clients take a lot of time to acquire an IP address, and sometimes they fail.

I was wondering, is the above procedure right?

Thanks for your help.
 
mkx
Forum Veteran
Posts: 854
Joined: Thu Mar 03, 2016 10:23 pm

Re: Different Vlans for every Access Point

Sun Sep 16, 2018 1:14 pm

If APs are mikrotiks, then you may want to start using CapsMan.

There are 3 steps when configuring VLANs:
  1. Create the necessary VLAN interfaces on the 2011's bridge (/interface vlan add interface=bridge vlan-id=xxx). Avoid using VLAN ID=1 at all costs.
    To these interfaces, bind the services that should be available to clients on that VLAN/AP, such as a DHCP server with an appropriate pool, DNS server, ...
    Add the VLANs to the bridge as tagged on both the bridge and the appropriate ether port(s).
  2. Enable bridge VLAN filtering (/interface bridge set vlan-filtering=yes).
    Before doing it, enter safe mode just in case the management connection fails. After you apply the change, the connection might hang for a few seconds, as the bridge reconfiguration might flush ARP caches etc. If it doesn't come back and the management connection breaks, the last setting will roll back. If everything works with VLAN filtering enabled, you can exit safe mode.
  3. Reconfigure the APs to start using VLANs. If the APs are Mikrotik, then it's easy: set the wireless interface to use VLAN tags (/interface wireless set [ find name="name of wlan interface" ] vlan-id=xxx vlan-mode=use-tag).
    Management access to the AP will remain on the untagged interface; only WiFi clients' traffic will get VLAN tagged.
    If the APs are not MTs, then follow the correct procedure for those.
BR,
Metod
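As an added example (not code from this thread or from MikroTik), here is a Python checker that parses a RouterOS `/export` and reports which of the three steps above are missing: the tagged `/interface bridge vlan` entry for each VLAN interface on a bridge, `vlan-filtering=yes` on that bridge, and a DHCP server bound to the VLAN interface rather than to the bridge. The two exports it runs against are constructed, modelled on the RB2011 dump posted further down, and the parser assumes the standard export layout (section headers starting with `/`, backslash-wrapped lines, plain comma-separated `vlan-ids` rather than ranges).

```python
import shlex
from collections import defaultdict

# Constructed export modelled on the RB2011 dump posted later in this thread:
# vlan-filtering is on and vlan80 exists, but there is no /interface bridge vlan
# table and the DHCP server is still bound to the bridge rather than to vlan80.
BROKEN_EXPORT = """\
# constructed sample, not a real device export
/interface bridge
add fast-forward=no name=LAN_Ports vlan-filtering=yes
/interface vlan
add interface=LAN_Ports name=vlan80 vlan-id=80
/interface bridge port
add bridge=LAN_Ports hw=no interface=ether2
/ip dhcp-server
add address-pool=hs-pool-11 authoritative=after-2sec-delay disabled=no \\
    interface=LAN_Ports lease-time=1h name=dhcp1
"""

# Same device after the three steps: VLAN 80 tagged on the bridge itself and on
# ether2 (the port the AP hangs off), and a DHCP server bound to vlan80.
FIXED_EXPORT = """\
/interface bridge
add fast-forward=no name=LAN_Ports vlan-filtering=yes
/interface vlan
add interface=LAN_Ports name=vlan80 vlan-id=80
/interface bridge port
add bridge=LAN_Ports hw=no interface=ether2
/interface bridge vlan
add bridge=LAN_Ports tagged=LAN_Ports,ether2 vlan-ids=80
/ip dhcp-server
add address-pool=pool-vlan80 disabled=no interface=vlan80 name=dhcp-vlan80
"""

def parse_export(text):
    """Parse a RouterOS export into {section: [entry, ...]} (entry: key -> value)."""
    lines, buf = [], ""
    for raw in text.splitlines():
        if raw.startswith("#") and not buf:
            continue  # header / comment lines
        if raw.endswith("\\"):  # wrapped line: join with the indented continuation
            buf += raw[:-1].lstrip() if buf else raw[:-1]
            continue
        lines.append(buf + raw.lstrip() if buf else raw)
        buf = ""
    sections, current = defaultdict(list), None
    for line in filter(str.strip, lines):
        if line.startswith("/"):
            current = line.strip()
            continue
        tokens = shlex.split(line)
        entry, depth = {"_cmd": tokens[0]}, 0
        for tok in tokens[1:]:
            if tok == "[":
                depth += 1  # skip the [ find ... ] selector of "set" commands
            elif tok == "]":
                depth -= 1
            elif depth == 0 and "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[current].append(entry)
    return sections

def check_vlan_setup(sections):
    """Apply the three-step checklist; return findings (empty list means OK)."""
    findings = []
    bridges = {b["name"]: b for b in sections.get("/interface bridge", [])}
    ports = sections.get("/interface bridge port", [])
    bridge_vlans = sections.get("/interface bridge vlan", [])
    dhcp_ifaces = {d.get("interface") for d in sections.get("/ip dhcp-server", [])
                   if d.get("disabled", "no") != "yes"}
    for vif in sections.get("/interface vlan", []):
        name, parent, vid = vif["name"], vif["interface"], vif["vlan-id"]
        if vid == "1":
            findings.append(f"{name}: VLAN ID 1 should be avoided")
        bridge = bridges.get(parent)
        if bridge is None:
            continue  # VLAN on a plain ethernet port, outside this checklist
        if bridge.get("vlan-filtering", "no") != "yes":  # step 2
            findings.append(f"{parent}: vlan-filtering is not enabled")
        entry = next((e for e in bridge_vlans if e.get("bridge") == parent  # step 1
                      and vid in e.get("vlan-ids", "").split(",")), None)  # no ranges
        if entry is None:
            findings.append(f"{name}: no /interface bridge vlan entry for "
                            f"vlan-ids={vid} on {parent}")
        else:
            tagged = set(entry.get("tagged", "").split(","))
            if parent not in tagged:
                findings.append(f"{name}: bridge {parent} itself is not tagged")
            members = {p["interface"] for p in ports if p.get("bridge") == parent}
            if not tagged & members:
                findings.append(f"{name}: no bridge port is tagged for VLAN {vid}")
        if name not in dhcp_ifaces:  # step 1b: services bound to the VLAN itself
            findings.append(f"{name}: no enabled DHCP server bound to it")
    return findings

if __name__ == "__main__":
    for label, export in (("broken", BROKEN_EXPORT), ("fixed", FIXED_EXPORT)):
        print(label, check_vlan_setup(parse_export(export)) or ["OK"])
```

Feed it a real `/export hide-sensitive` with the passwords already stripped; the broken sample reports exactly the two gaps (no bridge VLAN table, DHCP still on the bridge) and the fixed one reports nothing.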
 
hanyassar
newbie
Topic Author
Posts: 33
Joined: Wed Apr 20, 2016 12:31 pm

Re: Different Vlans for every Access Point

Sun Sep 16, 2018 1:33 pm

Thanks for the reply... The Access Points I'm using are TP-Links and not Mikrotik. Do you suggest I try your method? Is mine wrong?
 
mkx
Forum Veteran
Posts: 854
Joined: Thu Mar 03, 2016 10:23 pm

Re: Different Vlans for every Access Point

Sun Sep 16, 2018 1:48 pm

I'm not sure what you configured and what might still be missing. If it's not working for you, you can post here the exported configuration from the RB2011 (/export hide-sensitive) ... with any sensitive data (such as public IP addresses or any username and password) obscured, as well as the configuration of one of your TP-Links. Remember though that you have to set up VLANs on the TP-Links as well, and the setup has to match the settings on the RB.

And just a general side note: if your APs are currently using the same SSID to allow clients to roam from one AP to another, then this might not work so well after you reconfigure them to different VLANs, which means different IP addresses for clients. If you have different SSIDs, then it will be fine after splitting them into VLANs.
Last edited by mkx on Sun Sep 16, 2018 1:54 pm, edited 1 time in total.
BR,
Metod
 
hanyassar
newbie
Topic Author
Posts: 33
Joined: Wed Apr 20, 2016 12:31 pm

Re: Different Vlans for every Access Point

Sun Sep 16, 2018 1:53 pm

I will test your procedure and update you with the results.

 
hanyassar
newbie
Topic Author
Posts: 33
Joined: Wed Apr 20, 2016 12:31 pm

Re: Different Vlans for every Access Point

Sun Sep 16, 2018 2:00 pm

I have tried the suggested procedure, but it didn't work. No internet connection at all, and it took a lot of time to acquire an IP.

These are the configurations done in the mikrotik:
# sep/16/2018 13:56:49 by RouterOS 6.43
# software id = U01F-YTS8
#
# model = 2011iL
# serial number = 52A5049D7B9E
/interface bridge
add fast-forward=no name=LAN_Ports vlan-filtering=yes
add fast-forward=no name=NTP
/interface ethernet
set [ find default-name=ether1 ] comment="WAN Port" speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=\
    "NTP Interface"
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface vlan
add interface=LAN_Ports name=vlan80 vlan-id=80
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=Facebook regexp="^.+(facebook.com).*\$"
add name=Youtube regexp="^.+(youtube.com).*\$"
add name=Instagram regexp="^.+(instagram.com).*\$"
add name=Twitter regexp="^.+(twitter.com).*\$"
add name="Google Plus" regexp="^.+(plus.google.com).*\$"
add name=Whatsapp regexp="^.+(whatsapp.com).*\$"
add name="Facebook ALL" regexp="^.+(www.facebook.com|facebook.com|login.facebo\
    ok.com|www.login.facebook.com|fbcdn.net|www.fbcdn.net|fbcdn.com|www.fbcdn.\
    com|static.ak.fbcdn.net|static.ak.connect.facebook.com|connect.facebook.ne\
    t|www.connect.facebook.net|apps.facebook.com).*\$"
add name="torrent sites" regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|e\
    ntertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|\
    bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|megan\
    ova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$\r\
    \n"
add name=Freedoom regexp="^.+(your-freedom.net|63z.de|2yf.de|1yf.de|freedom.ne\
    t|YF.de|53r.de|8u6.de|f.de|cgi.your-freedom.net|2000.hu|2yf.de|4u.com|1yf.\
    de|53r.de|8u6.de|resolution.de|pgl.yoyo.org|your-freedom.net|49o.de|45q.in\
    |63z.de|xn--mgb2ddes|q1x.be|YeF.Ye|1yf.de|ems01.your-freedom.de ems02.your\
    -freedom.de ems03.your-freedom.de ems04.your-freedom.de ems05.your-freedom\
    .de ems06.your-freedom.de ems07.your-freedom.de ems08.your-freedom.de ems0\
    9.your-freedom.de ems10.your-freedom.de ems11.your-freedom.de ems12.your-f\
    reedom.de ems13.your-freedom.de ems14.your-freedom.de ems15.your-freedom.d\
    e ems16.your-freedom.de ems17.your-freedom.de ems18.your-freedom.de ems19.\
    your-freedom.de ems20.your-freedom.de ems21.your-freedom.de ems22.your-fre\
    edom.de ems23.your-freedom.de ems24.your-freedom.de ems25.your-freedom.de \
    ems26.your-freedom.de ems27.your-freedom.de ems28.your-freedom.de ems29.yo\
    ur-freedom.de ems30.your-freedom.de)\r\
    \n"
/ip hotspot profile
add dns-name=mne.it hotspot-address=10.10.10.1 http-cookie-lifetime=4w2d \
    login-by=cookie,http-pap,mac-cookie name=hsprof1
/ip pool
add name=hs-pool-11 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=hs-pool-11 authoritative=after-2sec-delay disabled=no \
    interface=LAN_Ports lease-time=1h name=dhcp1
/ip hotspot
add address-pool=hs-pool-11 addresses-per-mac=1 disabled=no interface=\
    LAN_Ports name=hotspot1 profile=hsprof1
/ip hotspot user profile
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=1M rate-limit=\
    1024K/1024K transparent-proxy=yes
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=2M rate-limit=\
    2048K/2048K transparent-proxy=yes
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=4M rate-limit=\
    4096K/4096K transparent-proxy=yes
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=8M rate-limit=\
    8192K/8192K transparent-proxy=yes
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=12M rate-limit=\
    12288K/12288K transparent-proxy=yes
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=256K rate-limit=\
    256K/256K transparent-proxy=yes
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=128K rate-limit=\
    128K/128K transparent-proxy=yes
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=28K rate-limit=\
    28K/28K transparent-proxy=yes
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=14M rate-limit=\
    14336K/14336K transparent-proxy=yes
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=16M rate-limit=\
    16384K/16384K transparent-proxy=yes
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=18M rate-limit=\
    18432K/18432K transparent-proxy=yes
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=20M rate-limit=\
    20480K/20480K transparent-proxy=yes
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=22M rate-limit=\
    22528K/22528K transparent-proxy=yes
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=24M rate-limit=\
    24576K/24576K transparent-proxy=yes
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=26M rate-limit=\
    26624K/26624K transparent-proxy=yes
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=28M rate-limit=\
    28672K/28672K transparent-proxy=yes
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=30M rate-limit=\
    30720K/30720K transparent-proxy=yes
add address-pool=hs-pool-11 mac-cookie-timeout=1w3d name=3M rate-limit=\
    3072K/3072K transparent-proxy=yes
/queue simple
add disabled=yes max-limit=2M/2M name=2M target=10.10.10.47/32
add disabled=yes max-limit=256k/256k name=256K target=10.10.10.45/32
add disabled=yes max-limit=4M/4M name=4M target=10.10.10.11/32
add max-limit=2M/20M name="All Bandwidth" target=LAN_Ports
/queue tree
add max-limit=15M name="All Bandwidth" parent=global priority=1
add max-limit=15M name=Download packet-mark=client-dw-pk parent=\
    "All Bandwidth" priority=2
add max-limit=1M name=Upload parent="All Bandwidth"
/ip hotspot user profile
add address-pool=hs-pool-11 insert-queue-before=bottom mac-cookie-timeout=\
    1w3d name=512K parent-queue="All Bandwidth" queue-type=\
    pcq-download-default rate-limit=512K/512K transparent-proxy=yes
add address-pool=hs-pool-11 insert-queue-before=bottom mac-cookie-timeout=\
    1w3d name=56K parent-queue="All Bandwidth" queue-type=\
    pcq-download-default rate-limit=56K/56K transparent-proxy=yes
add address-pool=hs-pool-11 insert-queue-before=bottom mac-cookie-timeout=\
    1w3d name=384K parent-queue="All Bandwidth" queue-type=\
    pcq-download-default rate-limit=384K/384K transparent-proxy=yes
add address-pool=hs-pool-11 insert-queue-before=bottom mac-cookie-timeout=\
    1w3d name=1.25M parent-queue="All Bandwidth" queue-type=\
    pcq-download-default rate-limit=1280K/1280K transparent-proxy=yes
add address-pool=hs-pool-11 insert-queue-before=bottom mac-cookie-timeout=\
    1w3d name=6M parent-queue="All Bandwidth" queue-type=pcq-download-default \
    rate-limit=6144K/6144K transparent-proxy=yes
add address-pool=hs-pool-11 insert-queue-before=bottom mac-cookie-timeout=\
    1w3d name=2.5M parent-queue="All Bandwidth" queue-type=\
    pcq-download-default rate-limit=2560K/2560K transparent-proxy=yes
/queue tree
add max-limit=15M name=http-dw packet-mark=http-dw-pk parent=Download \
    priority=1 queue=pcq-download-default
add max-limit=5M name=other-dw packet-mark=other-dw-pk parent=Download \
    priority=6 queue=pcq-download-default
add max-limit=1M name=http-up packet-mark=http-up-pk parent=Upload priority=1 \
    queue=pcq-upload-default
add max-limit=512k name=other-up packet-mark=other-up-pk parent=Upload \
    priority=6 queue=pcq-upload-default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 0 memory-lines=10000
add name=webproxy remote=172.23.101.12 target=remote
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge filter
add action=drop chain=forward disabled=yes dst-port=10001 ip-protocol=udp \
    mac-protocol=ip
add action=drop chain=input disabled=yes dst-port=10001 ip-protocol=udp \
    mac-protocol=ip
add action=drop chain=output disabled=yes dst-port=10001 ip-protocol=udp \
    mac-protocol=ip
add action=drop chain=forward disabled=yes in-interface=*E mac-protocol=arp
add action=drop chain=forward disabled=yes in-interface=*F mac-protocol=arp
add action=accept chain=forward disabled=yes mac-protocol=!arp out-interface=\
    *E
add action=accept chain=forward disabled=yes mac-protocol=!arp out-interface=\
    *F
/interface bridge port
add bridge=LAN_Ports hw=no interface=ether5
add bridge=LAN_Ports hw=no interface=ether4
add bridge=LAN_Ports hw=no interface=ether3
add bridge=LAN_Ports hw=no interface=ether2
add bridge=NTP hw=no interface=ether1
add bridge=NTP hw=no interface=ether7
add bridge=LAN_Ports interface=*E
add bridge=LAN_Ports disabled=yes interface=*F
/ip address
add address=10.10.10.1/24 interface=LAN_Ports network=10.10.10.0
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
add address=172.23.101.253/24 interface=ether9 network=172.23.101.0
add address=10.11.12.1/24 interface=LAN_Ports network=10.11.12.0
/ip dhcp-server alert
add disabled=no interface=ether9 valid-server=\
    00:0C:29:99:03:5D,00:0C:29:BF:8A:66
/ip dhcp-server network
add address=10.10.10.0/24 comment="hotspot network" gateway=10.10.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.10.10.0/24 list=LAN
add address=www.gmail.com list=gmail
/ip firewall filter
add action=drop chain=forward connection-state=new src-address=10.11.12.83
add action=drop chain=forward connection-state=new src-address=10.11.12.63
add action=drop chain=forward connection-state=new src-address=10.11.12.62
add action=drop chain=forward connection-state=new src-address=10.11.12.61
add action=drop chain=forward connection-state=new src-address=10.11.12.53
add action=drop chain=forward connection-state=new src-address=10.11.12.52
add action=drop chain=forward connection-state=new src-address=10.11.12.51
add action=drop chain=forward connection-state=new src-address=10.11.12.43
add action=drop chain=forward connection-state=new src-address=10.11.12.42
add action=drop chain=forward connection-state=new src-address=10.11.12.41
add action=drop chain=forward connection-state=new src-address=10.11.12.33
add action=drop chain=forward connection-state=new src-address=10.11.12.32
add action=drop chain=forward connection-state=new src-address=10.11.12.31
add action=drop chain=forward connection-state=new src-address=10.11.12.23
add action=drop chain=forward connection-state=new src-address=10.11.12.22
add action=drop chain=forward connection-state=new src-address=10.11.12.21
add action=drop chain=forward connection-state=new src-address=10.11.12.11
add action=drop chain=forward connection-state=new src-address=10.11.12.12
add action=drop chain=forward connection-state=new src-address=10.11.12.112
add action=drop chain=forward connection-state=new src-address=10.11.12.101
add action=drop chain=input comment=STOP-FREEDOM layer7-protocol=Freedoom
add action=drop chain=forward comment=STOP-FREEDOM layer7-protocol=Freedoom
add action=drop chain=pre-hs-input comment=STOP-FREEDOM layer7-protocol=\
    Freedoom
add action=add-src-to-address-list address-list=VIP address-list-timeout=\
    none-dynamic chain=forward comment="Address List Collect" \
    src-mac-address=F0:27:65:20:F8:E2
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=drop chain=pre-hs-input disabled=yes dst-address-list=facebook \
    src-address-list=whatsapp-only
add action=add-dst-to-address-list address-list=Whatsapp \
    address-list-timeout=none-dynamic chain=forward comment=\
    "Creat Address Lists" disabled=yes src-mac-address=F0:1C:13:45:14:FD
add action=add-dst-to-address-list address-list=Facebook \
    address-list-timeout=none-dynamic chain=forward comment=\
    "Create Facebook Address List" disabled=yes layer7-protocol=Facebook
add action=add-dst-to-address-list address-list=Facebook \
    address-list-timeout=none-dynamic chain=forward comment=\
    "Create Facebook Address List" disabled=yes layer7-protocol=\
    "Facebook ALL"
add action=add-dst-to-address-list address-list=Youtube address-list-timeout=\
    none-dynamic chain=forward comment="Create Youtube Address List" \
    disabled=yes layer7-protocol=Youtube
add action=add-dst-to-address-list address-list=Instagram \
    address-list-timeout=none-dynamic chain=forward comment=\
    "Create Instagram Address List" disabled=yes layer7-protocol=Instagram
add action=add-dst-to-address-list address-list=Twitter address-list-timeout=\
    none-dynamic chain=forward comment="Create Twitter Address List" \
    disabled=yes layer7-protocol=Twitter
add action=add-dst-to-address-list address-list="Google Plus" \
    address-list-timeout=none-dynamic chain=forward comment=\
    "Create Google Plus Address List" disabled=yes layer7-protocol=\
    "Google Plus"
add action=add-dst-to-address-list address-list=Whatsapp \
    address-list-timeout=none-dynamic chain=forward comment=\
    "Create Whatsapp Address List" disabled=yes layer7-protocol=Whatsapp
add action=drop chain=forward comment="Deny Youtube 101" disabled=yes \
    layer7-protocol=Youtube src-address=10.10.10.101
add action=accept chain=pre-hs-input disabled=yes dst-address-list=whatsapp \
    src-address-list=whatsapp-only
add action=drop chain=pre-hs-input disabled=yes src-address-list=\
    whatsapp-only
add action=accept chain=forward comment=Twitter disabled=yes \
    dst-address-list=Twitter src-address-list=VIP
add action=drop chain=forward comment="Deny Twitter" disabled=yes \
    dst-address-list=Twitter src-address-list=!VIP
add action=accept chain=forward comment=Instagram disabled=yes \
    dst-address-list=Instagram src-address-list=VIP
add action=drop chain=forward comment="Deny Instagram" disabled=yes \
    dst-address-list=Instagram src-address-list=!VIP
add action=accept chain=forward comment=Whatsapp disabled=yes \
    dst-address-list=whatsapp_ip src-address-list=VIP
add action=drop chain=forward comment="Deny Whatsapp" disabled=yes \
    dst-address-list=whatsapp_ip src-address-list=!VIP
add action=accept chain=forward comment=Facebook disabled=yes \
    dst-address-list=facebook_ips src-address-list=VIP
add action=drop chain=forward comment="Deny Facebook" disabled=yes \
    dst-address-list=facebook_ips src-address-list=!VIP
add action=reject chain=forward comment="Deny Facebook before 13:30" \
    disabled=yes layer7-protocol="Facebook ALL" protocol=tcp reject-with=\
    tcp-reset src-mac-address=4C:BB:58:C5:0A:5D
add action=drop chain=forward comment="Deny Facebook before 13:30" disabled=\
    yes layer7-protocol="Facebook ALL" src-mac-address=4C:BB:58:C5:0A:2E
/ip firewall mangle
add action=mark-connection chain=forward comment=client-dw-conn in-interface=\
    NTP new-connection-mark=client-dw-conn passthrough=yes
add action=mark-packet chain=forward comment=client-dw-conn connection-mark=\
    client-dw-conn new-packet-mark=client-dw-pk passthrough=yes
add action=mark-connection chain=prerouting comment=client-up-conn \
    in-interface=LAN_Ports new-connection-mark=client-up-conn passthrough=yes
add action=mark-packet chain=prerouting comment=client-up-pk connection-mark=\
    client-up-conn new-packet-mark=client-up-pk passthrough=yes
add action=mark-packet chain=forward comment=http-dw-pk new-packet-mark=\
    http-dw-pk packet-mark=client-dw-pk passthrough=no port=80,443 protocol=\
    tcp
add action=mark-packet chain=forward comment=http-up-pk new-packet-mark=\
    http-up-pk packet-mark=client-up-pk passthrough=no port=80,443 protocol=\
    tcp
add action=mark-packet chain=forward comment=other-dw-pk new-packet-mark=\
    other-dw-pk packet-mark=client-dw-pk passthrough=no
add action=mark-packet chain=forward comment=other-up-pk new-packet-mark=\
    other-up-pk packet-mark=client-up-pk passthrough=no
/ip firewall nat
add action=redirect chain=dstnat comment="redirect to 8080" disabled=yes \
    dst-port=80,8080,3128 protocol=tcp to-ports=8080
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat out-interface=LAN_Ports
add action=masquerade chain=srcnat src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.10.10.0/24
add action=redirect chain=dstnat comment=DNS disabled=yes dst-port=53 \
    protocol=tcp to-ports=53
add action=redirect chain=dstnat disabled=yes dst-port=53 protocol=udp \
    to-ports=53
/ip hotspot ip-binding
add address=10.11.12.33 comment="AP - 3rd C" mac-address=A0:F3:C1:A5:5E:D9 \
    type=bypassed
add address=10.11.12.83 comment="AP - 8th" mac-address=D4:6E:0E:22:9D:A2 \
    type=bypassed
add address=10.11.12.31 comment="AP - 3rd A" mac-address=C4:E9:84:62:D9:D9 \
    type=bypassed
add address=10.11.12.62 comment="AP - 6th B" mac-address=C4:E9:84:62:D8:40 \
    type=bypassed
add address=10.11.12.23 comment="AP - 2nd C" mac-address=C4:E9:84:62:D9:42 \
    type=bypassed
add address=10.11.12.52 comment="AP - 5th B" mac-address=C4:6E:1F:E0:33:46 \
    type=bypassed
add address=10.11.12.22 comment="AP - 2nd B" mac-address=30:B5:C2:52:E1:CC \
    type=bypassed
add address=10.11.12.21 comment="AP - 2nd A" mac-address=30:B5:C2:3B:9F:89 \
    type=bypassed
add address=10.11.12.32 comment="AP - 3rd B" mac-address=4C:4E:35:56:E6:98 \
    type=bypassed
add address=10.11.12.101 comment="AP - 10th A" mac-address=C4:E9:84:62:D9:12 \
    type=bypassed
add address=10.11.12.11 comment="AP - 1st A" mac-address=C4:E9:84:62:D2:3F \
    type=bypassed
add address=10.11.12.51 comment="AP - 5th A" mac-address=C4:E9:84:62:D9:CF \
    type=bypassed
add address=10.11.12.61 comment="AP - 6th A" mac-address=C4:E9:84:62:D8:07 \
    type=bypassed
add address=10.11.12.112 comment="AP - 11th B" mac-address=A0:F3:C1:A5:5D:66 \
    type=bypassed
add address=10.11.12.43 comment="AP - 4th C" mac-address=A0:F3:C1:A5:7B:E8 \
    type=bypassed
add address=10.11.12.12 comment="AP - 1st B" mac-address=30:B5:C2:42:7E:8C \
    type=bypassed
add address=10.11.12.63 comment="AP - 6th C" mac-address=30:B5:C2:42:65:6D \
    type=bypassed
add address=10.11.12.53 comment="AP - 5th C" mac-address=30:B5:C2:C3:28:5E \
    type=bypassed
add address=10.11.12.41 comment="AP - 4th A" mac-address=A0:F3:C1:A5:5E:B0 \
    type=bypassed
add address=10.11.12.42 comment="AP - 4th B" mac-address=C4:E9:84:83:1B:00 \
    type=bypassed
add address=10.11.12.80 mac-address=58:F3:9C:62:DC:08 type=bypassed
/ip hotspot user
add disabled=yes name=admin

/ip route
add distance=1 gateway=192.168.1.1
/radius
add address=127.0.0.1 disabled=yes service=hotspot
/radius incoming
set accept=yes
/system clock
set time-zone-autodetect=no time-zone-name=Asia/Tel_Aviv
/system clock manual
set time-zone=+02:00
/system identity
set name=Wireless_Network
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set LAN_Ports disabled=yes display-time=5s
set NTP disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether3 disabled=yes display-time=5s
set ether4 disabled=yes display-time=5s
set ether5 disabled=yes display-time=5s
set ether6 disabled=yes display-time=5s
set ether7 disabled=yes display-time=5s
set ether8 disabled=yes display-time=5s
set ether9 disabled=yes display-time=5s
set ether10 disabled=yes display-time=5s
set vlan80 disabled=yes display-time=5s
/system logging
add action=webproxy disabled=yes prefix=Proxy topics=web-proxy
/system ntp client
set enabled=yes primary-ntp=64.113.32.5 secondary-ntp=212.26.18.43
/system ntp server
set broadcast=yes enabled=yes multicast=yes
/system routerboard settings
set silent-boot=no
/system scheduler
add disabled=yes interval=1d name="Disable Users Before 13:30" on-event=\
    "/ip hotspot user disable [find comment~\"emp\"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/16/2017 start-time=08:00:00
add disabled=yes interval=1d name="Enable Users After 13:30" on-event=\
    "/ip hotspot user enable [find comment~\"emp\"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/16/2017 start-time=13:30:00
add disabled=yes interval=1d name="Disable Users Before 13:30 - 2" on-event=\
    "/ip hotspot user disable [find comment~\"emp\"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/16/2017 start-time=08:05:00
add disabled=yes interval=1d name="Disable Users Before 13:30 - 3" on-event=\
    "/ip hotspot user disable [find comment~\"emp\"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/16/2017 start-time=08:10:00
add disabled=yes interval=1d name="Disable Users Before 13:30 - 4" on-event=\
    "/ip hotspot user disable [find comment~\"emp\"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/16/2017 start-time=08:15:00
add disabled=yes interval=1d name="Disable Users Before 13:30 - 5" on-event=\
    "/ip hotspot user disable [find comment~\"emp\"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/16/2017 start-time=08:20:00
add interval=1d name="rst-hspot-cnt - 1" on-event=\
    "/ip hotspot user reset-counters" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/06/2016 start-time=08:00:00
add interval=1d name="rst-hspot-cnt - 2" on-event=\
    "/ip hotspot user reset-counters" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/06/2016 start-time=08:05:00
add interval=1d name="rst-hspot-cnt - 3" on-event=\
    "/ip hotspot user reset-counters" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/06/2016 start-time=08:10:00
add interval=1d name="rst-hspot-cnt - 4" on-event=\
    "/ip hotspot user reset-counters" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/06/2016 start-time=08:15:00
add interval=1d name="rst-hspot-cnt - 5" on-event=\
    "/ip hotspot user reset-counters" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=dec/06/2016 start-time=08:20:00
add disabled=yes interval=1d name="Deny Facebook Before 13:30 - 0" on-event="/\
    ip firewall filter enable [find comment=\"Deny Facebook before 13:30\"]" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/05/2017 start-time=08:00:00
add disabled=yes interval=1d name="Deny Facebook Before 13:30 - 1" on-event="/\
    ip firewall filter enable [find comment=\"Deny Facebook before 13:30\"]" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/05/2017 start-time=08:05:00
add disabled=yes interval=1d name="Deny Facebook Before 13:30 - 2" on-event="/\
    ip firewall filter enable [find comment=\"Deny Facebook before 13:30\"]" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/05/2017 start-time=08:10:00
add disabled=yes interval=1d name="Deny Facebook Before 13:30 - 3" on-event="/\
    ip firewall filter enable [find comment=\"Deny Facebook before 13:30\"]" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/05/2017 start-time=08:15:00
add disabled=yes interval=1d name="Deny Facebook Before 13:30 - 4" on-event="/\
    ip firewall filter enable [find comment=\"Deny Facebook before 13:30\"]" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/05/2017 start-time=08:20:00
add disabled=yes interval=1d name="Enable Facebook Before 13:30" on-event="/ip\
    \_firewall filter disable [find comment=\"Deny Facebook before 13:30\"]" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=apr/05/2017 start-time=13:30:00
add disabled=yes interval=1d name="rmatar & isaman allow after 13:00" \
    on-event="/ip hotspot user set limit-bytes-total=0 [find comment ~\"RMATAR\
    \_Mobile\"]\r\
    \n\r\
    \n/ip hotspot user set limit-bytes-total=0 [find comment ~\"ISAMAN Mobile\
    \"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/25/2018 start-time=13:00:00
add disabled=yes interval=1d name="rmatar & isaman deny before 13:00" \
    on-event="/ip hotspot user set limit-bytes-total=26214400 [find comment ~\
    \"RMATAR Mobile\"]\r\
    \n\r\
    \n/ip hotspot user set limit-bytes-total=26214400 [find comment ~\"ISAMAN \
    Mobile\"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/25/2018 start-time=08:00:00
add disabled=yes interval=1d name="rmatar & isaman deny before 13:00 - 0" \
    on-event="/ip hotspot user set limit-bytes-total=26214400 [find comment ~\
    \"RMATAR Mobile\"]\r\
    \n\r\
    \n/ip hotspot user set limit-bytes-total=26214400 [find comment ~\"ISAMAN \
    Mobile\"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/25/2018 start-time=08:05:00
add disabled=yes interval=1d name="rmatar & isaman deny before 13:00 - 1" \
    on-event="/ip hotspot user set limit-bytes-total=26214400 [find comment ~\
    \"RMATAR Mobile\"]\r\
    \n\r\
    \n/ip hotspot user set limit-bytes-total=26214400 [find comment ~\"ISAMAN \
    Mobile\"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/25/2018 start-time=08:10:00
add disabled=yes interval=1d name="rmatar & isaman deny before 13:00 - 2" \
    on-event="/ip hotspot user set limit-bytes-total=26214400 [find comment ~\
    \"RMATAR Mobile\"]\r\
    \n\r\
    \n/ip hotspot user set limit-bytes-total=26214400 [find comment ~\"ISAMAN \
    Mobile\"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/25/2018 start-time=08:15:00
add disabled=yes interval=1d name="rmatar & isaman deny before 13:00 - 3" \
    on-event="/ip hotspot user set limit-bytes-total=26214400 [find comment ~\
    \"RMATAR Mobile\"]\r\
    \n\r\
    \n/ip hotspot user set limit-bytes-total=26214400 [find comment ~\"ISAMAN \
    Mobile\"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/25/2018 start-time=08:20:00
add disabled=yes interval=1d name="rmatar & isaman deny before 13:00 - 4" \
    on-event="/ip hotspot user set limit-bytes-total=26214400 [find comment ~\
    \"RMATAR Mobile\"]\r\
    \n\r\
    \n/ip hotspot user set limit-bytes-total=26214400 [find comment ~\"ISAMAN \
    Mobile\"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/25/2018 start-time=08:25:00
add disabled=yes interval=1d name="rmatar & isaman deny before 13:00 - 5" \
    on-event="/ip hotspot user set limit-bytes-total=26214400 [find comment ~\
    \"RMATAR Mobile\"]\r\
    \n\r\
    \n/ip hotspot user set limit-bytes-total=26214400 [find comment ~\"ISAMAN \
    Mobile\"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/25/2018 start-time=08:30:00
add disabled=yes interval=1d name="rmatar & isaman allow after 13:00 - 0" \
    on-event="/ip hotspot user set limit-bytes-total=0 [find comment ~\"RMATAR\
    \_Mobile\"]\r\
    \n\r\
    \n/ip hotspot user set limit-bytes-total=0 [find comment ~\"ISAMAN Mobile\
    \"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/25/2018 start-time=13:05:00
add disabled=yes interval=1d name="rmatar & isaman allow after 13:00 - 1" \
    on-event="/ip hotspot user set limit-bytes-total=0 [find comment ~\"RMATAR\
    \_Mobile\"]\r\
    \n\r\
    \n/ip hotspot user set limit-bytes-total=0 [find comment ~\"ISAMAN Mobile\
    \"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/25/2018 start-time=13:10:00
add disabled=yes interval=1d name="rmatar & isaman allow after 13:00 - 2" \
    on-event="/ip hotspot user set limit-bytes-total=0 [find comment ~\"RMATAR\
    \_Mobile\"]\r\
    \n\r\
    \n/ip hotspot user set limit-bytes-total=0 [find comment ~\"ISAMAN Mobile\
    \"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/25/2018 start-time=13:15:00
add disabled=yes interval=1d name="rmatar & isaman allow after 13:00 - 3" \
    on-event="/ip hotspot user set limit-bytes-total=0 [find comment ~\"RMATAR\
    \_Mobile\"]\r\
    \n\r\
    \n/ip hotspot user set limit-bytes-total=0 [find comment ~\"ISAMAN Mobile\
    \"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/25/2018 start-time=13:20:00
add disabled=yes interval=1d name="rmatar & isaman allow after 13:00 - 4" \
    on-event="/ip hotspot user set limit-bytes-total=0 [find comment ~\"RMATAR\
    \_Mobile\"]\r\
    \n\r\
    \n/ip hotspot user set limit-bytes-total=0 [find comment ~\"ISAMAN Mobile\
    \"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/25/2018 start-time=13:25:00
add disabled=yes interval=1d name="rmatar & isaman allow after 13:00 - 5" \
    on-event="/ip hotspot user set limit-bytes-total=0 [find comment ~\"RMATAR\
    \_Mobile\"]\r\
    \n\r\
    \n/ip hotspot user set limit-bytes-total=0 [find comment ~\"ISAMAN Mobile\
    \"]" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jan/25/2018 start-time=13:30:00
add comment="Backup then send to e-mail" disabled=yes interval=1d name=\
    "Backup Configuration" on-event=e-mail policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/22/2018 start-time=10:00:00
add interval=1d name=autolog on-event=autolog policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/22/2018 start-time=13:20:00
add interval=1d name=backup on-event=autobackup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/27/2018 start-time=09:30:00
add interval=1d name=uploadbackup on-event=uploadbackup policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/27/2018 start-time=09:31:00
add interval=1d name=uploadscript on-event=uploadscript policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/27/2018 start-time=09:32:00
add interval=1d name=uploadlogs on-event=uploadlogs policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/22/2018 start-time=13:21:00
add interval=1d name="rst-hspot-cnt - 0" on-event=\
    "/ip hotspot user reset-counters" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add disabled=yes interval=1d name="Deny Facebook Before 13:30" on-event="/ip f\
    irewall filter enable [find comment=\"Deny Facebook before 13:30\"]" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
add disabled=yes name=limit_quota on-event=limit_quota policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jul/24/2018 start-time=14:15:00
add interval=30s name=remove_unuthorised_users on-event=remove_unauthorised \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add dont-require-permissions=no name=remove_unauthorised owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "/ip hotspot host remove [find authorized=no and bypassed=no ]"
/tool e-mail
set address=74.125.141.108 from=mne.backup18@gmail.com port=587 start-tls=yes \
    user=mne.backup18@gmail.com
/tool graphing interface
add interface=ether1
add interface=LAN_Ports
/tool user-manager database
set db-path=user-manager
/tool user-manager router
add coa-port=1700 customer=admin disabled=no ip-address=127.0.0.1 log=\
    auth-ok,auth-fail,acct-ok,acct-fail name=MNE_Wireless use-coa=no
 
Jotne
Long time Member
Posts: 558
Joined: Sat Dec 24, 2016 11:17 am

Re: Different Vlans for every Access Point

Sun Sep 16, 2018 2:50 pm

If the goal is to make sure wifi clients do not talk to each other, then I would use this:
/interface wireless set wlan1 default-forwarding=no
 
hanyassar
newbie
Topic Author
Posts: 33
Joined: Wed Apr 20, 2016 12:31 pm

Re: Different Vlans for every Access Point

Sun Sep 16, 2018 3:21 pm

The main goal is to be more secure. In other words, to prevent users with rooted mobile devices from scanning the network for MAC addresses and trying to bypass the hotspot.
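Putting the two suggestions in this thread together (one VLAN per AP port with bridge VLAN filtering, plus default-forwarding=no on the APs) as an added example; it is not part of any post here or of the original export. It assumes the bridge is named LAN_Ports (the name that appears in the export's graphing section), APs on ether2 and ether3 (ether4/ether5 repeat the pattern), VLAN IDs 10 and 11, subnets 10.10.10.0/24 and 10.10.11.0/24, the hotspot profile "default", and that the old bridge-wide address, DHCP server and hotspot entries are removed first. This confines any MAC-address scanning to the clients behind the same AP; it does not make MAC spoofing impossible.

```routeros
# Added example, not the thread author's export: one VLAN per AP port on the
# RB2011 with bridge VLAN filtering, so clients behind one AP never see the
# MAC addresses of clients behind another. Assumed names: bridge "LAN_Ports",
# APs on ether2/ether3 (ether4/ether5 repeat the pattern), VLAN IDs 10 and 11,
# subnets 10.10.10.0/24 and 10.10.11.0/24, hotspot profile "default".

# 1. AP ports are access ports: untagged frames from each AP get the port PVID.
/interface bridge port
set [find interface=ether2] pvid=10
set [find interface=ether3] pvid=11

# 2. VLAN table: the bridge itself is a tagged member so the router can
#    terminate each VLAN; only the matching ether port is untagged.
/interface bridge vlan
add bridge=LAN_Ports tagged=LAN_Ports untagged=ether2 vlan-ids=10
add bridge=LAN_Ports tagged=LAN_Ports untagged=ether3 vlan-ids=11

# 3. One L3 interface, address, pool and DHCP server per VLAN.
/interface vlan
add interface=LAN_Ports name=vlan10-ap1 vlan-id=10
add interface=LAN_Ports name=vlan11-ap2 vlan-id=11
/ip address
add address=10.10.10.1/24 interface=vlan10-ap1
add address=10.10.11.1/24 interface=vlan11-ap2
/ip pool
add name=pool-ap1 ranges=10.10.10.10-10.10.10.254
add name=pool-ap2 ranges=10.10.11.10-10.10.11.254
/ip dhcp-server
add address-pool=pool-ap1 disabled=no interface=vlan10-ap1 name=dhcp-ap1
add address-pool=pool-ap2 disabled=no interface=vlan11-ap2 name=dhcp-ap2
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1
add address=10.10.11.0/24 dns-server=10.10.11.1 gateway=10.10.11.1

# 4. Hotspot is bound to each VLAN interface instead of the whole bridge, so
#    a MAC authorised on one AP's VLAN is not a usable identity on any other.
/ip hotspot
add address-pool=pool-ap1 interface=vlan10-ap1 name=hotspot-ap1 profile=default
add address-pool=pool-ap2 interface=vlan11-ap2 name=hotspot-ap2 profile=default

# 5. Last, from safe mode (Ctrl-X in the terminal) so a mistake rolls back:
/interface bridge
set [find name=LAN_Ports] vlan-filtering=yes

# On each MikroTik AP (the RB2011iL itself has no wireless interface), stop
# clients of the same radio from being bridged to each other:
/interface wireless set wlan1 default-forwarding=no
```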
 
mkx
Forum Veteran
Posts: 854
Joined: Thu Mar 03, 2016 10:23 pm

Re: Different Vlans for every Access Point

Sun Sep 16, 2018 3:31 pm

@hanyassar: your configuration is quite complex and I don't feel comfortable dissecting it ... there are things that I don't like (such as addresses set on ether ports that are members of the bridge) and would do differently (I'm not saying they're wrong as they are now).

If I were facing the same task, I'd try to do the configuration from scratch ... especially the part with VLANs, as this is the basis for all other, higher-level config (such as firewall etc.). You can use any cheap RB device, e.g. hAP ac lite; you will be able to configure it in (almost) the same way as the RB2011. After you feel comfortable with the "laboratory setup", proceed with reconfiguring your production network.

Perhaps some more knowledgeable forum member will pass by and give some valuable input.
BR,
Metod
 
hanyassar
newbie
Topic Author
Posts: 33
Joined: Wed Apr 20, 2016 12:31 pm

Re: Different Vlans for every Access Point

Sun Sep 16, 2018 3:42 pm

It is complex. You are talking about more than 5 years of updated configurations due to several network situations. One of the required updates is the VLAN configuration.

At the moment all I did is enable AP isolation on the Access Points to make sure that clients can't connect to each other. I believe that is enough for now. It is enough, but I am not satisfied.

I hope I manage to get this VLAN thing working soon.

Many thanks for your time, sir.
 
Jotne
Long time Member
Posts: 558
Joined: Sat Dec 24, 2016 11:17 am

Re: Different Vlans for every Access Point

Sun Sep 16, 2018 5:14 pm

@hanyassar

When you reply to a post, click the Post Reply button at the bottom of the post.
No need to quote everything (only the part of the post you need to refer to in an answer).
 
hanyassar
newbie
Topic Author
Posts: 33
Joined: Wed Apr 20, 2016 12:31 pm

Re: Different Vlans for every Access Point

Sun Sep 16, 2018 6:42 pm

Oh, thanks for the notice.
