WLAN Client isolation in dynamic VLAN assignment
Posted: Wed Sep 19, 2018 1:26 am
Hi,
I have testing network with pfSense, little managed switch and wAP ac (RBwAPG-5HacT2HnD) and i want to use dynamic VLAN assignment on WLAN clients using FreeRADIUS on pfSense.
I have it almost working, but I have a problem with unwanted WLAN client isolation. Clients on the same dynamically assigned VLAN are able to get an IP address from DHCP on this VLAN (pfSense), they have Internet access and they can ping the gateway, but they can't ping each other. I don't have this problem if I remove Mikrotik-Wireless-VLANID from RADIUS, so that they get assigned to the default VLAN for the interface.
Any ideas ?
Default VLANid for wireless interfaces is 104
VLANid assigned for testing clients is 100
I'm pretty sure that the RADIUS config is fine, but I ended up with something like the users entry shown below, followed by the config export from the wAP ac.
I have testing network with pfSense, little managed switch and wAP ac (RBwAPG-5HacT2HnD) and i want to use dynamic VLAN assignment on WLAN clients using FreeRADIUS on pfSense.
I have it almost working, but I have a problem with unwanted WLAN client isolation. Clients on the same dynamically assigned VLAN are able to get an IP address from DHCP on this VLAN (pfSense), they have Internet access and they can ping the gateway, but they can't ping each other. I don't have this problem if I remove Mikrotik-Wireless-VLANID from RADIUS, so that they get assigned to the default VLAN for the interface.
Any ideas ?
Default VLANid for wireless interfaces is 104
VLANid assigned for testing clients is 100
I'm pretty sure that the RADIUS config is fine, but I ended up with something like this:
"testuser" Cleartext-Password := "edited"
Mikrotik-Wireless-VLANID := 100,
Mikrotik-Wireless-Comment = "User Test 1",
Mikrotik-Wireless-Forward := 1,
Mikrotik-Wireless-VLANID-type := 0
and the config export from the wAP ac:
# RouterOS configuration export of the access point (identity AP01-wAP).
# Secrets in this export (PSK, RADIUS secret) were replaced by the poster
# before sharing; a raw export contains them in clear text.
#
# Bridge with VLAN filtering enabled: the "/interface bridge vlan" table
# further down decides which ports carry which VLAN.
# NOTE(review): exports normally write this path as "/interface bridge"; the
# leading slash appears to have been lost in the paste.
interface bridge
add fast-forward=no name=bridge1 vlan-filtering=yes
/interface wireless security-profiles
# Default profile accepts both WPA2-PSK and WPA2-EAP. Neither wlan1 nor wlan2
# references it below (both use eap1), so it is not what clients authenticate
# against in this setup.
set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys radius-eap-accounting=yes radius-mac-accounting=yes supplicant-identity=MikroTik wpa2-pre-shared-key=editededited
# eap1: WPA2-EAP only, so authentication is delegated to the RADIUS server.
# management-protection=allowed makes protected management frames optional
# rather than required. The pre-shared key is presumably unused here because
# wpa2-psk is not in authentication-types -- confirm.
add authentication-types=wpa2-eap management-protection=allowed mode=dynamic-keys name=eap1 radius-eap-accounting=yes supplicant-identity="" wpa2-pre-shared-key=editededited
/interface wireless
# Both radios tag client traffic (vlan-mode=use-tag) with VLAN 104 unless
# RADIUS returns a different VLAN ID for the client. WPS is disabled.
# NOTE(review): nothing in this export turns client-to-client forwarding off
# (no default-forwarding=no, no access-list entries are shown), so the
# isolation reported for VLAN 100 clients is not explained by a visible
# setting -- confirm against the running configuration.
set [ find default-name=wlan1 ] band=2ghz-g/n comment=2.4GHz disabled=no frequency=2437 mode=ap-bridge security-profile=eap1 ssid=kaw-slow vlan-id=104 vlan-mode=use-tag wds-ignore-ssid=yes wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-Ceee comment=5Ghz country=poland disabled=no mode=ap-bridge security-profile=eap1 ssid=kaw-5G vlan-id=104 vlan-mode=use-tag wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan1 comment=2.4GHz
set wlan2 comment=5Ghz
/interface wireless nstreme
set wlan1 comment=2.4GHz
set wlan2 comment=5Ghz
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
# All three ports are marked trusted=yes. The trusted flag belongs to DHCP
# snooping, which is not enabled on bridge1 in this export, so it presumably
# has no effect as configured. NOTE(review): if DHCP snooping is enabled
# later, only the uplink toward the DHCP server (ether1) should stay trusted;
# trusted wireless ports would let DHCP server replies from WLAN clients pass.
add bridge=bridge1 interface=ether1 trusted=yes
add bridge=bridge1 interface=wlan2 trusted=yes
add bridge=bridge1 interface=wlan1 trusted=yes
/interface bridge vlan
# VLAN 100 (RADIUS-assigned) and VLAN 104 (interface default) are carried
# tagged on the uplink and on both radios. bridge1 itself is not a member of
# either VLAN, so the AP's own traffic is not on these client VLANs.
add bridge=bridge1 tagged=ether1,wlan1,wlan2 vlan-ids=100
add bridge=bridge1 tagged=ether1,wlan1,wlan2 vlan-ids=104
/ip dhcp-client
# The AP gets its own address on bridge1, presumably over untagged traffic
# on the uplink -- TODO confirm which VLAN carries management.
add disabled=no interface=bridge1
/radius
# RADIUS server used for wireless authentication. The shared secret protects
# the exchange that carries the per-client VLAN assignment.
add address=172.16.16.1 secret=editededited service=wireless
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=AP01-wAP
/system logging
# Extra logging rules for the radius, wireless and interface topics, added
# for troubleshooting. "set 2" changes the rule at position 2; which rule that
# is cannot be seen from this export. These rules are worth removing once the
# problem is solved, since verbose wireless/RADIUS logs may expose client
# identities.
set 2 disabled=yes
add prefix=info topics=radius
add prefix=debug topics=wireless
add prefix=debug topics=interface
/system routerboard settings
set silent-boot=no
/tool sniffer
# Packet sniffer filter is set to capture on all interfaces.
set filter-interface=all