Hotspot VLANs

webasdf · Wed Sep 16, 2009 4:26 am

I have a question about hotspot module and user VLANing. We want to isolate customers in hotel rooms for security purposes. The image below shows what we need to do. On the Mikrotik we need:

* One hotspot definition
* Hotspot doing DHCP with one DHCP pool
* Hotspot users to be VLANed off for security and isolation reasons
* Each hotel room to have a different VLAN tag

I know it is possible if there is one hotspot defined for each VLAN (along with a separate dhcp server for each), but with hundreds of hotel rooms this is not practical. It would be a management nightmare. I have looked at the forums for many hours and have tried many different things, but I cannot get many VLANs on a single hotspot. Is this possible? Has anybody else done this? If so, how?

fewi · Wed Sep 16, 2009 5:17 am

What Cisco switch platform? Most are able to apply access-lists to switched ports so you could just drop all inbound traffic (from the switch perspective, so everything the customer puts on the network) that goes to the local network, but isn't aimed at the gateway. Recent platforms can do both ways, which would be preferrable, but even filtering one way only will be very effective.

webasdf · Wed Sep 16, 2009 4:24 pm

We have several customers using different switching platforms. Some have Cisco switches and others don't.

Chupaka · Wed Sep 16, 2009 8:59 pm

create bridge, add all vlans to bridge, use bridge interface for hotspot, dhcp, etc., block forwarding between bridge ports in firewall filter

rainmaker · Wed Sep 16, 2009 10:15 pm

Chupaka

Can you give us an example.
l also needed a solution for mine bridge

Chupaka · Thu Sep 17, 2009 11:20 am

an example?..

/interface vlan
add arp=enabled comment="" disabled=no interface=ether1 mtu=1500 name=vlan1 use-service-tag=no vlan-id=1
add arp=enabled comment="" disabled=no interface=ether1 mtu=1500 name=vlan2 use-service-tag=no vlan-id=2

/interface bridge
add arp=enabled disabled=no

/interface bridge port
add bridge=bridge1 disabled=no interface=vlan1
add bridge=bridge1 disabled=no interface=vlan2

/interface bridge settings
set use-ip-firewall=yes

/ip firewall filter
add action=accept chain=forward disabled=no in-interface=ether1 out-interface=bridge1
add action=accept chain=forward disabled=no in-interface=bridge1 out-interface=ether1
add action=reject chain=forward disabled=no

webasdf · Thu Sep 17, 2009 7:38 pm

I attempted this and I got strange results.

My Tik setup:
ether1 = internet connection
ether2 = plugged into an 802.1q trunk port of a Cisco switch
ether3 = unused for now

On my Cisco switch:
eth1 = 802.1q configured trunk port connected to ether2 of the Tik
eth9 = vlan109
eth10 = vlan110
eth11 = vlan111
eth12 = vlan112

With the VLANs on ether2, I put in a different but similar config and added VLANs to a bridge called subscriberBridge:

/interface vlan
add arp=enabled comment="" disabled=no interface=ether2 mtu=1500 name=vlan109 use-service-tag=no vlan-id=109
add arp=enabled comment="" disabled=no interface=ether2 mtu=1500 name=vlan110 use-service-tag=no vlan-id=110
add arp=enabled comment="" disabled=no interface=ether2 mtu=1500 name=vlan111 use-service-tag=no vlan-id=111
add arp=enabled comment="" disabled=no interface=ether2 mtu=1500 name=vlan112 use-service-tag=no vlan-id=112

/interface bridge port
add bridge=subscriberBridge disabled=no interface=vlan109
add bridge=subscriberBridge disabled=no interface=vlan110
add bridge=subscriberBridge disabled=no interface=vlan111
add bridge=subscriberBridge disabled=no interface=vlan112

/interface bridge settings
set use-ip-firewall=yes

/ip firewall filter
add action=accept chain=forward disabled=no in-interface=ether2 out-interface=subscriberBridge
add action=accept chain=forward disabled=no in-interface=subscriberBridge out-interface=ether2
add action=reject chain=forward disabled=no

I then plugged in a DHCP enabled device to eth9 on the cisco switch (which should show up as vlan109 in the tik.) When the device attempted DHCP, in torch I see ALL the VLANs showing up as requesting DHCP. The DHCP server doesn't seem to acknowledge that it received a request because it doesn't even show the DHCP lease was offered. Now, if I remove all the VLANs from the subscriberBridge except vlan109 the device works with vlan109. As soon as I add a new vlan interface to the subscriberBridge, vlan109 stops working and torch shows the same thing (multiple DHCP requests from ALL the VLANs.)

ScreenHunter_0036.jpg

Chupaka · Thu Sep 17, 2009 7:57 pm

on Torch, you see MikroTik Neighbour Discovery packets, not DHCP Discovery

webasdf · Thu Sep 17, 2009 9:33 pm

Oh, I see. I'm still not getting DHCP on the device though. Tried a computer and that didn't work either. I'm also not seeing DHCP requests coming across ether2 for any incoming VLANs. All I see are the Neighbour Discovery packets.

But when I take off all but one VLAN from the bridge, only the VLAN that was left on the bridge gets access to the DHCP and hotspot. I also start to see traffic from all the VLANs.

ScreenHunter_0038.jpg

ScreenHunter_0037.jpg

These screenshots show the attempts when a computer was connected to vlan110. Now I can see attempts from vlan109. But, if I add vlan109 back to the subscriberBridge, none of the vlans can DHCP.

Chupaka · Thu Sep 17, 2009 10:14 pm

have you tried disabling firewall filter rules? =) who know...

webasdf · Thu Sep 17, 2009 11:00 pm

Disabled all filter rules. Disabled hotspot. Same result.

Chupaka · Thu Sep 17, 2009 11:04 pm

if you setup client's address manually (not via DHCP), can you ping router's address?..

jherrick · Fri Sep 18, 2009 4:36 pm

Its possible, i would start from a fresh install.

Script to make vlans

:for i from 101 to 220 do={/interface vlan add interface=lan vlan-id=$i name=("vlan" . $i) disabled=no}

/interface bridge add

Script to add ports to bridge1

:for i from 101 to 220 do={/interface bridge port add bridge=bridge1 interface=("vlan" . $i) disabled=no}

I also use this rule to isolate the vlan clients from the soft-bridge. EDIT: This rule needs to be put in the bridge filter, and no filters in ip firewall at this point.

/interface bridge filter add chain=forward in-bridge=bridge1 out-bridge=bridge1 action=drop comment="" disabled=no

Configure dns address and allow remote requests:

/ip dns set primary-dns=10.166.26.1 allow-remote-requests=yes

Enable IP Firewall for bridges:

/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

And then setup

/setup

define bridge1 address of 192.168.2.1
define ether2 (wan) address of 10.166.26.50
gateway is 10.166.26.1
ether1 has no address, and is not part of the bridge.

At this point, you should be able to set up your hotspot, since you only want hotspot gateway.

good luck.

webasdf · Fri Sep 18, 2009 9:01 pm

That seems to have worked!

Now to figure out why it wasn't working before. Time to back up that configuration.

Thanks for all the input everyone!

webasdf · Fri Sep 18, 2009 10:25 pm

So after backing up the config that worked and resetting to default, I think I found the trick. I'm not sure why, but this rule is what did the trick:

/interface bridge filter add chain=forward in-bridge=subscriberBridge out-bridge=subscriberBridge action=drop disabled=no

Without this rule, I got the weird results described previously, but when adding this rule things started behaving how we envisioned.

So, for the record I did:
Start w/ an empty bridge

/interface bridge add name=subscriberBridge

Configure bridge to firewall bridgeports and VLANs

/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

Create VLAN(s)

/interface vlan add interface=ether2 vlan-id=101 name="rm201" disabled=no
/interface vlan add interface=ether2 vlan-id=102 name="rm202" disabled=no
/interface vlan add interface=ether2 vlan-id=103 name="rm203" disabled=no
/interface vlan add interface=ether2 vlan-id=104 name="rm204" disabled=no
/interface vlan add interface=ether2 vlan-id=105 name="rm205" disabled=no

Add ports to subscriberBridge

/interface bridge port add bridge=subscriberBridge interface="rm201" disabled=no
/interface bridge port add bridge=subscriberBridge interface="rm202" disabled=no
/interface bridge port add bridge=subscriberBridge interface="rm203" disabled=no
/interface bridge port add bridge=subscriberBridge interface="rm204" disabled=no
/interface bridge port add bridge=subscriberBridge interface="rm205" disabled=no

Set up magic bridge filter rule

/interface bridge filter add chain=forward in-bridge=subscriberBridge out-bridge=subscriberBridge action=drop disabled=no

Then, I set up IP address, firewall NAT, DHCP, hotspot, etc on subscriberBridge.

jherrick · Sat Sep 19, 2009 7:52 am

yes magic bridge filter is the vital piece to this setup. its very busy as you will see.

ether3al · Thu Jun 10, 2010 7:37 am

/interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-vlan=yes

This is slightly off your topic, but you are one of very few using the ip-firewall-for-vlan=yes command.

i would like to use the above to mark packets per vlan for QoS, can some one go into some detail as to the exact operation of this feature? Does this simply enable me to perform firewall operations on bridged vlan interfaces once enabled or wheth this will implicitly peek inside vlan tagged traffic on a bridged physical interface and perform firewall operations without explicitly having to name each vlan?

emsi · Thu Jan 06, 2011 4:29 pm

Hallo,

we run the same setup in our lab in the context of ipv6 preparation. works without problems. We run multiple DOCSIS 1.1 Setups which do not support IPv6 natively in a routing environment. There is a feature called "transparent lan services" on cisco ubr, which basically maps a docsis modem to a tagged vlan and would make it possible to support "ipv6 nd" over docsis 1.1 (l2-vpn).

Has there someone experiences about the scalability and performance of this solution in an isp environment? We run clusters from 100 to 1300 cablemodems, ergo 100 up to 1300 tagged vlan's + bridge ports. I cannot test such a huge setup in a lab realistically and would have to do some tests out in the field. Perhaps there is someone out there sharing his experience before annoying some customers?

thanks
Oliver

emsi · Thu Jan 13, 2011 12:05 pm

Ok Guys,

first problem with this setup in a real environment with 100 tagged vlans. I just emailed this to support:

[...]

Now we discovered a weird problem. Some clients (especially Vista) send DHCP-Discovers with Broadcast-Flag set. The dhcp-server on the bridge interface answers them with an offer to 255.255.255.255 (ff:ff:ff:ff:ff:ff) which is the intended behaviour. But this offer is not spread over all of the vlans on the bridge interface which it should be as a broadcast domain. I put a sniffer on the outgoing ethernet interface and I have seen that it starts sending the offer on vlan 100 goes down each vlan but suddenly stops on vlan 20. It does not send the offer on vlan 20 down to vlan 2, which makes it not possible for dhcp clients on those vlans to receive the offer. These clients stuck in dhcp state "offered".

When I limit the vlan interfaces attached to a bridge interface < 50 everything is fine. I consider this as a bug?! It's probably a timing problem, cause frames to "255.255.255.255" have to be cloned to all vlan interfaces. Or it is just software limited to some value.

thanks!
Oliver

rainmaker · Fri Oct 21, 2011 12:18 am

which ver are u using. had the similar issues on 4.17 and 5.7 with about 120 vlans.
the dhcp and hotspot server stop working with some of the vlans.

blahblah927 · Wed Feb 29, 2012 10:16 am

I run into the same problem with DHCP offering in my setup too. with ROS 5.13
some client just doesn't work...I see the request from client, and DHCP Server offered a lease, but never reached client end.

reverged · Mon Mar 12, 2012 4:13 am

Anyone found a solution to the Vista dhcp problem?

I have been using vlan's with hotspot for some time and never had a problem until recently.
I assign equal horizon to each bridge port to isolate traffic.

The same problem is occurring, Vista clients request a lease with the Broadcast flag set and never get a lease.

The request reaches MT and a response is sent back using the broadcast address (255.255.255.255) and appears to go to all vlans (using Torch), but a packet capture at the client end shows the response packet never arrives.

This is happening with both a wired client and wireless client.

It has become a bothersome problem.
The number of Vista clients seems to come in groups, like when 20 people from the same company check into a hotel and they all have the issue.

rapnics21 · Tue Aug 11, 2015 7:35 pm

on the vlan setup above, do i add DHCP servers to vlans or only to the bridge? or also on ether2 ? thanks

ultimus247 · Fri Apr 21, 2017 12:29 am

I have my Hotspot setup exactly the same as Webasdf found with the magic bridge filter rule. What Im having issues with is that the Vlans can talk to one another. I cannot seem to find a bridge filter or firewall filter rule to prevent these vlans from talking to one another. Any tips on this?

I am using a CRS to tag devices that stay in the guest rooms with a Vlan by mac address, in order to overcome hotspot I am using ip bindings to passthrough the in room devices. This part is working I can verify the vlans are taking just fine as I can go to
/interface bridge host print
and I can see the vlan has taken effect. Turn the mac vlan rule off and it goes to the default vlan. I can also access the devices, my problem is I can access the in room devices from any vlan on the bridge, not just the one its assigned to.
My bridge is on a CCR1009 with 6.38.5 on it.

My requirement involves all guests in a room, including our in room devices to be in one vlan and able to talk to one another but nothing outside their room.

Thank you for any help you might be able to give me.

asadullah1145 · Wed Aug 16, 2017 11:00 pm

i want to run hotspot over vlan and routing switch lan
Can I do this?

Chupaka · Thu Aug 17, 2017 2:36 pm

Sure you can. Just add Hotspots to those interfaces.

asadullah1145 · Thu Aug 17, 2017 4:36 pm

What are your interfaces?
I have set up on Vlan5 and users are able to see the login screen, but after logging in, they go back to the 192.168.5.253 network. Why? What ip should I specify when I configure it?
How can I set up this item?
Can you configure the configuration?

Chupaka · Thu Aug 17, 2017 5:10 pm

but after logging in, they go back to the 192.168.5.253 network.

what does it mean? what does http://google.com says after login?

asadullah1145 · Thu Aug 17, 2017 9:49 pm

I mean the Hot Spot login, and it does not open the Google site and is not connected to the Internet. I want to be different without having to configure this topology.
I will install the same topology on the vlan2 router and put hotspot on vlan2. This client connects to the internet and it's not a problem, but since I have 70 vlans I want to run the hotspot for all of them.
Thanks .

Chupaka · Fri Aug 18, 2017 4:03 pm

You need 1 hotspot per 1 interface. If you have 70 vlans - you either create 70 Hotspots or put Hotspot router behind the router that aggregates those 70 VLANs and routes them up to the Hotspot via single interface

asadullah1145 · Sun Jun 10, 2018 7:59 am

I have a lot of traffic on my LAN for users like accessing cameras, accessing large files in server storage, and I will put this traffic on a mikrotik router if I bridge the interfaces and gateway ip the user into a mikrotik router. And since my users are high and I can not write a specific route manual for each pc or user route that they route over from the core router cisco , is there a better solution to this?

My users are now in separate networks and their gateway is core cisco switch, and HotSpot is not roaming, which means when the user enters another network from another network, he has to log in again. And Session on the other online network.

asadullah1145 · Sun Nov 18, 2018 2:47 pm

an example?..

/interface vlan
add arp=enabled comment="" disabled=no interface=ether1 mtu=1500 name=vlan1 use-service-tag=no vlan-id=1
add arp=enabled comment="" disabled=no interface=ether1 mtu=1500 name=vlan2 use-service-tag=no vlan-id=2

/interface bridge
add arp=enabled disabled=no

/interface bridge port
add bridge=bridge1 disabled=no interface=vlan1
add bridge=bridge1 disabled=no interface=vlan2

/interface bridge settings
set use-ip-firewall=yes

/ip firewall filter
add action=accept chain=forward disabled=no in-interface=ether1 out-interface=bridge1
add action=accept chain=forward disabled=no in-interface=bridge1 out-interface=ether1
add action=reject chain=forward disabled=no

I put this code line in the firewall rules.
add action=reject chain=forward disabled=no
The HotSpot screen brings up the login page, but the internet does not connect. Every time I disable this rules, the problem is fixed. How should I prevent the connection between vlan ?

Chupaka · Sun Nov 18, 2018 3:00 pm

/interface list add name=vlans
/interface list member
add list=vlans interface=vlan1
...
add list=vlans interface=vlanN
/ip firewall filter add chain=forward in-interface-list=vlans out-interface-list=vlans action=reject

asadullah1145 · Mon Nov 19, 2018 4:53 pm

/interface list add name=vlans
/interface list member
add list=vlans interface=vlan1
...
add list=vlans interface=vlanN
/ip firewall filter add chain=forward in-interface-list=vlans out-interface-list=vlans action=reject

When I enable this firewall rule
/ip firewall filter add chain=forward in-interface-list=vlans out-interface-list=vlans action=reject
and my vlans are enable, the Cisco switch to the mikrotik trunk device the following error and blocks the port and this roll does not work What do you think of it ?
Description: Blocking GigabitEthernet1/0/38 on VLAN0086. Inconsistent peer vlan.
Description: Blocking GigabitEthernet1/0/38 on VLAN0087. Inconsistent local vlan.

asadullah1145 · Mon Nov 19, 2018 5:07 pm

Code: Select all
/interface list add name=vlans
/interface list member
add list=vlans interface=vlan1
...
add list=vlans interface=vlanN
/ip firewall filter add chain=forward in-interface-list=vlans out-interface-list=vlans action=reject
When I enable this firewall rule
/ip firewall filter add chain=forward in-interface-list=vlans out-interface-list=vlans action=reject
and my vlans are enable, the Cisco switch to the mikrotik trunk device the following error and blocks the port and this roll does not work What do you think of it ?
Description: Blocking GigabitEthernet1/0/38 on VLAN0086. Inconsistent peer vlan.
Description: Blocking GigabitEthernet1/0/38 on VLAN0087. Inconsistent local vlan.

my config

********************************************************************
/interface bridge
add fast-forward=no name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=combo1 ] name=combo1-WAN
set [ find default-name=ether1 ] name=ether1-Trunk
/interface vlan
add interface=ether1-Trunk name=vlan-Radius-100 vlan-id=100
add interface=ether1-Trunk loop-protect=off name=vlan86 vlan-id=86
add interface=ether1-Trunk loop-protect=off name=vlan87 vlan-id=87
/interface list
add name=vlans
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add dns-name=net.net hotspot-address=172.16.87.254 login-by=\
http-chap,https name=hsprof-Hotspot radius-interim-update=1m \
ssl-certificate=private.key_0 use-radius=yes
/ip pool
add name=hs-pool-Hotspot ranges=172.16.80.2-172.16.87.253
/ip hotspot
add address-pool=hs-pool-Hotspot disabled=no interface=bridge1 name=hotspot1 \
profile=hsprof-Hotspot
/ip hotspot user profile
set [ find default=yes ] add-mac-cookie=no address-pool=hs-pool-Hotspot \
idle-timeout=25m name=User-Profile-Hotspot shared-users=10 \
status-autorefresh=5m
/interface bridge port
add bridge=bridge1 interface=vlan86
add bridge=bridge1 interface=vlan87 pvid=87
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface list member
add interface=vlan86 list=vlans
add interface=vlan87 list=vlans
/ip address
add address=1.1.1.15/24 interface=combo1-WAN network=1.1.1.0
add address=172.16.87.254/21 interface=bridge1 network=172.16.80.0
add address=192.168.100.6/24 interface=vlan-Radius-100 network=192.168.100.0
/ip dns
set servers=1.1.1.220,8.8.8.8
/ip dns static
add address=172.16.87.254 name=net.net ttl=5m
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
disabled=yes
add action=reject chain=forward in-interface-list=vlans out-interface-list=\
vlans reject-with=icmp-network-unreachable
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
disabled=yes

add action=masquerade chain=srcnat comment="masquerade hotspot network-VLAN-86" \
out-interface=combo1-WAN src-address=172.16.80.0/21
/ip hotspot user
add name=admin password=aaaaaa
/ip route
add distance=1 gateway=1.1.1.1

**************************************************************************

Chupaka · Mon Nov 19, 2018 9:55 pm

Do not add those vlans to the bridge. Why have you done that?

asadullah1145 · Mon Nov 19, 2018 10:01 pm

Do not add those vlans to the bridge. Why have you done that?

To enable Hotspot on vlans

Chupaka · Mon Nov 19, 2018 11:45 pm

So make one big vlan

Why do you need many of them if you bridge them anyway?

Or create one Hotspot per VLAN.

Well, as a "workaround", you may set the same Horizon value while adding VLANs as Bridge ports...

anav · Tue Nov 20, 2018 12:58 am

I would not use the magical firewall rule here because I dont know what it does or how it works LOL.
I would simply, in my forward chain drop all else. Then all VLANS are separated automatically
I would associate vlans with the bridge.

It would look like
Start w/ an empty bridge
/interface bridge add name=subscriberBridge

Create VLAN(s)
/interface vlan add=subscriberBridge vlan-id=101 name="rm201" disabled=no
/interface vlan add=subscriberBridge vlan-id=102 name="rm202" disabled=no
/interface vlan add=subscriberBridge vlan-id=103 name="rm203" disabled=no
/interface vlan add=subscriberBridge vlan-id=104 name="rm204" disabled=no
/interface vlan add=subscriberBridge vlan-id=105 name="rm205" disabled=no

Add ports to subscriberBridge
/interface bridge port eth2 add bridge=subscriberBridge

I think I can figure out how to add DHCP info to the bridge but
a. how does one add hotspot to the bridge
b. how does one tie the hotspot to the vlans?

/interface bridge vlans
bridge=subscriberbridge, tagged=subscriberbridge, eth2, Vlan-ids=101,103,105 etc............
(where is hotspot, how does it fit??)

asadullah1145 · Tue Nov 20, 2018 1:04 am

So make one big vlan Why do you need many of them if you bridge them anyway?

Or create one Hotspot per VLAN.

Well, as a "workaround", you may set the same Horizon value while adding VLANs as Bridge ports...

My network has matured over 100 vlan For wlan lan
I want to have a separate network
I want to have a stable connection. When they go from one network to another, I want to create them as a hotspot.
Is this possible?

Chupaka · Tue Nov 20, 2018 5:56 pm

Try Horizon

m4t7e0 · Tue Nov 20, 2018 6:28 pm

I think is better to add a new hotspot for each vlans... of trunk port to cisco switch!

Chupaka · Tue Nov 20, 2018 6:44 pm

Why better? Could you explain?

m4t7e0 · Tue Nov 20, 2018 7:23 pm

Why better? Could you explain?

vlan is a way for isolate different networks, bridge is the opposit situation, why you would to brigdge if your scope is isolate every network?

Chupaka · Wed Nov 21, 2018 9:02 am

Why did you skip my comment about Horizon?

nieltechsolution · Sun Jul 16, 2023 10:58 am

This might be too late but, my knowledge of Mikrotik is very limited. my problem was this, the hotspot is working with all VLANs, but the bridge-port in the hotspot host is unknown, but when I enable the bridge use-ip-firewall, I can't access the hotspot gateway. I have tried the bridge filter nothing happens, also in the firewall filter rules as indicated in the replies above still no reaction, anyone could help me? I need to get the bridge-port which is very important in my custom hotspot portal to detect which VLAN is user connected.

anav · Sun Jul 16, 2023 3:18 pm

Chupuka, you kill me. I have no use for hotspots personally but the topic is a good one, so I will revisit it when not so busy to ask more pertinent questions.
Just wanted to point out two posts ( by the way, have a walled garden that says, if your a vista user EFF OFF )

Chupuka 1 ==> create bridge, add all vlans to bridge, use bridge interface for hotspot, dhcp, etc., block forwarding between bridge ports in firewall filter

Chupuka 2 ==> Do not add those vlans to the bridge. Why have you done that?