Coussa
just joined
Topic Author
Posts: 9
Joined: Wed Sep 22, 2004 3:25 pm

VLAN segmentation in hotspot

Wed Apr 13, 2005 8:37 am

Hi all, I need some urgent help and would appreciate your feedback.

We are installing Wi-Fi hotspots in a chain of restaurants and coffee shops. We are using Cisco Aironet 1200 as APs and RB230 as hotspot gateway and ACU. The scenario we want to implement is as follows:


Coffee shop backoffice (vlan2)
|
|
|
Cisco AP1200 ----------------> RB230 -----------------> Internet
(hotspot clients on vlan1)


This is how we want it to work:
Wi-Fi hotspot clients will connect to the Cisco AP and will get redirected to the RB230 for authentication. All the hotspot clients that connect through the Cisco AP will be on vlan1. The RB230 has 3 Ethernet interfaces. Eth3 connects to the coffee shop backoffice. Eth1 connects to the Internet. And Eth2 connects to the Cisco AP. What we want to do now is VLAN segmentation. We don't want the hotspot clients to be able to access the backoffice, and vice versa. We are testing this scenario in our tech office, and the hotspot gateway features work perfectly. The problem is with VLANs.

Can someone please help? Many thanks.

P.S. Sorry, the diagram is not displayed correctly. The backoffice is connected to the RB230, NOT the Cisco AP.
 
postmanerk
just joined
Posts: 22
Joined: Fri May 28, 2004 8:03 pm
Location: Indiana, USA

No VLANS Needed

Wed Apr 13, 2005 11:38 pm

Coussa,

Is there a specific reason you are wanting to use VLANs besides security? Some of the reasons you want to use VLANs and VLAN routing are to separate networks across multiple switches, or even in the same switch. It tags packets as they pass across your network as if they were one big network. That allows several switches to see the many networks that may exist, but separates them via router. You must have switches and routers that support VLANs (Mikrotik does support VLANs).

If you have another network plugged into your Mikrotik, but in a different port, I would just suggest segmenting (two networks separated by subnet mask). You then create firewall rules to block access from the wireless segment or interface. Based on your initial explanation, there is no need for this layer of complication.

Where I see VLANs coming into play would be if you were to create a second SSID on the wireless APs and allow the second VLAN across your AP as well (use different SSIDs for your internal network). In this case, create VLAN interface in the Mikrotik and then assign VLAN 1 to your ETH1 interface going to your Cisco AP. Create VLAN 2 and add to the same ETH1 interface. That puts VLAN 1 and VLAN 2 on your ETH1 port going to your AP to push both across. Add IPs to the VLAN interfaces, not ETH1. Now on the Mikrotik, all things that work with an interface (DHCP, PPPoE, etc.) must be assigned to the VLAN instead of the Interface. One thing to keep in mind, don't use VLAN 1 because that is default to most switches.

On the Cisco Device, you can create multiple SSIDs with different forms of encryption and such, along with applying the correct VLAN to the SSIDs. Pretty slick setup.

Eric
 
Coussa
just joined
Topic Author
Posts: 9
Joined: Wed Sep 22, 2004 3:25 pm

Thu Apr 14, 2005 8:33 am

Great info. Thanks buddy. Let me give it a try and I'll post if something new crops up.
 
tully
MikroTik Support
Posts: 502
Joined: Fri May 28, 2004 11:07 am

Fri Apr 15, 2005 1:09 pm

How Cisco does that is already possible in v2.8, and in 2.9
even more so because of the different MAC addresses for VAPs.

In the 2.8 version you get Cisco behaviour this way:

The hw interface SSID is what Cisco calls the "guest-mode SSID"; this is what
is broadcast in beacons. VAP interface SSIDs are additional SSIDs to
which clients connect. To do what Cisco calls "add VLAN to SSID", you
create a VLAN interface on the ether interface and bridge the VAP interface with the VLAN
interface.

Note that this still has troubles with some clients, which get confused
when one AP reports one SSID in the beacon but reports multiple SSIDs
when responding to probe requests. And there is even more trouble when
you want to have different security policies for different SSIDs; this needs
knowledge of it in the client (which is not standards based and most likely
handled properly only in Cisco clients).

In the 2.9 version the difference is that every VAP has its own MAC address and
beacon, and therefore looks like a separate AP, so there are no problems with security
settings, etc. (e.g. one VAP can be completely open, with no security, another
can be WPA, and so on). SSID to VLAN mapping should be done the same way as in 2.8.

John
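
A RouterOS configuration that puts Eric's subnet-plus-firewall segmentation and John's VAP-bridged-to-VLAN mapping together on one RB230. This is an added example, not configuration posted in the thread; the interface names, addresses, MAC address and VLAN ids are assumed, and it is written in the later `/ip firewall filter` command style (v2.9 onwards) rather than the v2.8 rule syntax.

```routeros
# Added example, not configuration posted in the thread. Assumed RB230 layout:
#   ether1 -> Internet, ether2 -> Cisco AP (802.1Q trunk), ether3 -> back office
#   wlan1  -> an optional local radio, with a virtual AP for the guest SSID
# Assumed VLAN ids: 10 = hotspot clients, 20 = back office. VLAN 1 is avoided,
# as Eric notes it is the default VLAN on most switches.

# 1. VLAN sub-interfaces on the trunk port towards the AP.
/interface vlan
add name=vlan10-guest  vlan-id=10 interface=ether2
add name=vlan20-office vlan-id=20 interface=ether2

# 2. SSID-to-VLAN mapping (John's post): the guest SSID lives on a virtual AP
#    that is bridged with the guest VLAN. Give the VAP its own MAC (cmit's
#    note for 2.9). Once the VLAN is a bridge port, the address, DHCP and
#    hotspot bind to the bridge rather than to the VLAN interface.
/interface wireless
add name=wlan-guest master-interface=wlan1 ssid=guest-wifi \
    mac-address=02:00:00:00:00:10 disabled=no
/interface bridge add name=br-guest
/interface bridge port
add bridge=br-guest interface=vlan10-guest
add bridge=br-guest interface=wlan-guest

# 3. Addresses go on the segment interfaces, never on the bare trunk port.
/ip address
add address=10.10.0.1/24 interface=br-guest
add address=10.20.0.1/24 interface=vlan20-office
add address=10.30.0.1/24 interface=ether3

# 4. Interface-bound services (DHCP, hotspot) are bound to the segment.
/ip pool add name=pool-guest ranges=10.10.0.10-10.10.0.250
/ip dhcp-server add name=dhcp-guest interface=br-guest address-pool=pool-guest disabled=no
/ip dhcp-server network add address=10.10.0.0/24 gateway=10.10.0.1
/ip hotspot add name=hs-guest interface=br-guest address-pool=pool-guest disabled=no

# 5. Segmentation: guests reach only the Internet, whichever side initiates.
#    Explicit drops precede the accepts so an ordering mistake fails closed.
/ip firewall filter
add chain=forward in-interface=br-guest out-interface=vlan20-office action=drop comment="guest -> office VLAN"
add chain=forward in-interface=br-guest out-interface=ether3 action=drop comment="guest -> office port"
add chain=forward in-interface=vlan20-office out-interface=br-guest action=drop comment="office VLAN -> guest"
add chain=forward in-interface=ether3 out-interface=br-guest action=drop comment="office port -> guest"
add chain=forward connection-state=established action=accept comment="replies to allowed flows"
add chain=forward in-interface=br-guest out-interface=ether1 action=accept comment="guest -> Internet"
add chain=forward in-interface=br-guest action=drop comment="guest -> anything else"
```

The guest segment can only ever be forwarded to ether1, so a guest who finds the back-office subnet is dropped by the router rather than by anything the AP does.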
 
stephenpatrick
Forum Veteran
Posts: 702
Joined: Fri Aug 20, 2004 12:26 pm
Location: UK

Fri Apr 15, 2005 1:38 pm

Can you run hotspot, multiple VAPs with different security settings on one radio card all on one router?
i.e. no other boxes?
If so, that's a very powerful system.
(sorry if that's a newbie question, you hotspot experts out there ...)

Regards
 
tully
MikroTik Support
Posts: 502
Joined: Fri May 28, 2004 11:07 am

Mon Apr 18, 2005 12:12 pm

Yes, but it will be best to use v2.9. v2.8 has VAP with only one MAC and Windows has problems with this.

John
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Mon Apr 18, 2005 12:47 pm

...and in 2.9 you can change the MAC address of virtual AP interfaces. As John wrote, the 2.8 virtual AP does create problems with clients (mostly, but not only, Windows), which can't see any of those SSIDs, or only some, ...
Tests with the 2.9 beta have shown that things work like I'd expect. (IF you change the MAC addresses of all virtual AP interfaces.)
 
stephenpatrick
Forum Veteran
Posts: 702
Joined: Fri Aug 20, 2004 12:26 pm
Location: UK

Mon Apr 18, 2005 4:00 pm

Fantastic, thanks for the feedback.
As soon as our customers want to test this with us, we'll report back....

Regards
