rafin
just joined
Topic Author
Posts: 15
Joined: Tue Aug 08, 2017 9:43 pm

One SSID and multiple VLANs with hardware acceleration

Sat Mar 20, 2021 8:02 pm

Hi Guys,

I'm trying to figure out how to configure the following; maybe somebody can help.

I need users to connect to one SSID, but I do not want to use the hotspot package.
After a user is connected I will add him to the access list manually, but until then the user cannot connect to the internet.
After the user is added to the access list I need to isolate the traffic through two different VLANs.
In addition to that I need this to be performance focused, so I need to use HW acceleration (no CPU).

Does anyone have any examples of how to correctly configure this?

Thanks,
Rafal
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: One SSID and multiple VLANs with hardware acceleration

Sat Mar 20, 2021 9:35 pm

If you want to do it in hardware, then you'll have to tell which hardware. BTW anything passing wireless can't be HW offloaded, only traffic between ethernet ports (managed by same switch chip) can be handled in hardware.
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: One SSID and multiple VLANs with hardware acceleration

Thu Mar 25, 2021 12:51 pm

You are going to add them manually?

Have a default VLAN and a Manually added VLAN.

In caps man you can add a tag to a MAC in the ACL.

This lets 2 devices on the same SSIDs be in separate networks.
 
rafin
just joined
Topic Author
Posts: 15
Joined: Tue Aug 08, 2017 9:43 pm

Re: One SSID and multiple VLANs with hardware acceleration

Tue Jan 11, 2022 2:57 pm

The whole point here is to have the following:
- One SSID name
- Multiple VLANs, each assigned to a dedicated bridge

So here is the scenario:
- Client connects to the SSID and by default it will be assigned to VLAN 1 with forwarding disabled and authentication disabled
- For now I will manually authenticate clients by their MAC under the access list
- Once a client is connected and authenticated it will have the proper VLAN assigned
- Clients from each VLAN must be fully isolated and can only access the default gateway

What would be best approach here?
Can someone share some configuration example?
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: One SSID and multiple VLANs with hardware acceleration

Tue Jan 11, 2022 4:03 pm

> The whole point here is to have the following:
> - One SSID name
> - Multiple VLANs, each assigned to a dedicated bridge
>
> So here is the scenario:
> - Client connects to the SSID and by default it will be assigned to VLAN 1 with forwarding disabled and authentication disabled
> - For now I will manually authenticate clients by their MAC under the access list
> - Once a client is connected and authenticated it will have the proper VLAN assigned
> - Clients from each VLAN must be fully isolated and can only access the default gateway
>
> What would be best approach here?
> Can someone share some configuration example?

caps-man with ACL will do that.

But you have to make sure that the client device is set to use ITS MAC ADDRESS, rather than random or private.
 
rafin
just joined
Topic Author
Posts: 15
Joined: Tue Aug 08, 2017 9:43 pm

Re: One SSID and multiple VLANs with hardware acceleration

Tue Jan 11, 2022 4:43 pm

By any chance do you have any configuration example for caps-man with ACL?
What about manual configuration without caps-man? Any examples?
Currently I'm trying to implement something like VLAN on a bridge in a bridge:
https://wiki.mikrotik.com/wiki/Manual:L ... figuration
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: One SSID and multiple VLANs with hardware acceleration

Wed Jan 12, 2022 3:22 am

 
Technie
just joined
Posts: 2
Joined: Wed Jan 12, 2022 11:20 am

Re: One SSID and multiple VLANs with hardware acceleration

Wed Jan 12, 2022 11:23 am

But what if I want to use User Manager and WifiWave2 instead of using CAPSMAN?
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: One SSID and multiple VLANs with hardware acceleration

Thu Jan 13, 2022 1:12 am

> But what if I want to use User Manager and WifiWave2 instead of using CAPSMAN?

NO SOUP FOR YOU!
 
anav
Forum Guru
Posts: 19101
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: One SSID and multiple VLANs with hardware acceleration

Thu Jan 13, 2022 1:26 am

Only complete psychopaths want to use capsman, I avoid it like covid lol.
The only time is if you have so many capacs they are untenable otherwise, but then I would have to chastise you for getting so many of what most consider a substandard wifi device.
 
bpwl
Forum Guru
Posts: 2983
Joined: Mon Apr 08, 2019 1:16 am

Re: One SSID and multiple VLANs with hardware acceleration

Thu Jan 13, 2022 11:34 am

> caps-man with ACL will do that.

Standalone will do that as well with the access-list, even if it is not DPSK (Ruckus way).
Other possibility is using EAP-Enterprise RADIUS authentication for another centralised VLAN allocation database.
RADIUS authentication can be MAC based or username (PEAP/MSCHAPv2) based, so that will work for "local administered MAC addresses" as well.
Usermanager 5 (ROS 7) does support EAP/PEAP/MSCHAPv2 for wifi authentication.
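
The standalone access-list approach discussed in this thread, as an added RouterOS example that is not from any poster here: unlisted clients fall into a default VLAN, and each manually approved MAC address gets its own VLAN tag. The interface names, SSID, MAC addresses and VLAN IDs are assumptions chosen for illustration.

```routeros
# Added example. Interface names, SSID, MAC addresses and VLAN IDs are
# constructed placeholders: VLAN 10 = default for unlisted clients,
# VLAN 20 and 30 = assigned to approved clients.

# Unlisted clients may associate, but they land in VLAN 10 and cannot
# talk to other stations on the same radio (default-forwarding=no).
/interface wireless
set [ find default-name=wlan1 ] ssid=OneSSID vlan-mode=use-tag vlan-id=10 \
    default-authentication=yes default-forwarding=no

# One entry per manually approved client. The entry overrides the
# interface VLAN for that MAC address only, so the client must present
# a stable (non-randomised) MAC address for the match to work.
/interface wireless access-list
add interface=wlan1 mac-address=00:00:5E:00:53:01 authentication=yes \
    forwarding=no vlan-mode=use-tag vlan-id=20 comment="approved, VLAN 20"
add interface=wlan1 mac-address=00:00:5E:00:53:02 authentication=yes \
    forwarding=no vlan-mode=use-tag vlan-id=30 comment="approved, VLAN 30"

# Carry the three VLANs tagged from the radio to the uplink (ether1 assumed).
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=wlan1,ether1 vlan-ids=10,20,30

# Enable filtering last, once management access does not depend on
# untagged traffic through this bridge.
/interface bridge set bridge1 vlan-filtering=yes
```

Isolation between the VLANs and the "gateway only" rule are enforced on the router that terminates the VLANs, not by the access list itself.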
 
gotsprings
Forum Guru
Posts: 2102
Joined: Mon May 14, 2012 9:30 pm

Re: One SSID and multiple VLANs with hardware acceleration

Thu Jan 13, 2022 12:50 pm

The Engenius crap I was subjected to yesterday has a myPSK option. You assign different passwords on the same SSID. Then those break out to different VLAN tags.

The service is part of their Pro license, and requires you to pay $50 per access point on your network per year.

The access points really were the brains of the system. With a pretty serious "control panel" interface. Sure had some pretty graphics and slick GUI...

The switches were the problem at yesterday's deployment. Seems Engenius absolutely lied in their marketing (no F--king surprise there), that with their pro licence... You get topology maps that INCLUDE non Engenius devices. Yeah... That didn't actually work. Support said they would need to get back to me, about why it didn't work as advertised and promised. It even shows in their online document and demonstration.

You can't even open a hosts table on the switches. Leaving you completely lost when you are trying to figure out where something is plugged into.

(And if you think I give Mikrotik S--t about the wifi drivers... Just wait and see what I am gonna do to the project manager for this crap.)

Cambium on the other hand... Using EPSK does what it promised. You can either use a password with no MAC address and define a VLAN. Or tie a MAC address to a password to pick a VLAN.

The radio performance of their WiFi 6 gear is closer to the Ruckus gear I have relied on for years.

But the outdoor wap from them, is up to my knee.
