You could use a single AP with WPA2-EAP and have your DHCP server issue /32 addresses. Put an allow forward rule in for the destination address (I'd normally NAT here) to the next hop; and then a block rule for all traffic forwarded on the interface (this stops the clients from being able to talk directly). I then block all input except ICMP in for the interface address which is presented to the clients as the default route.

My setup is a bit more complicated as I drag all the clients back to a central router across multiple sites over EoIP, but you get the point. Clients can't talk over IP to each other.

James

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Thomas Jackson
Sent: Thursday, 17 September 2015 5:39 PM
To: 'MikroTik Australia Public List'
Subject: Re: [MT-AU Public] virtual APs - how many?

As a thought, you could use WPA2-EAP instead of PSK on a single SSID, which (AFAIK) prevents clients from sniffing each other's traffic because you no longer have the same PSK shared across all clients. Downside is that the clients could still see each other (via the AP), so if you want true isolation of groups then virtual AP is the way to go.

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Karl Auer
Sent: Thursday, 17 September 2015 5:27 PM
To: public@talk.mikrotik.com.au
Subject: Re: [MT-AU Public] virtual APs - how many?

On Thu, 2015-09-17 at 16:54 +1000, Paul Julian wrote:
> You didn't say anything about requiring encrypted channels for each user in your original question, just the use of a PSK.

Welll - a PSK is a "pre-shared key", kinda thought the crypto was implied. And I said "we want to provide several people with wifi access, but we don't want them all on the same SSID or using the same PSK." OK, maybe I could have been clearer.

> My "kind of" reference to doubling up was referring to the use of a PSK for authentication and encryption for a user to the wireless interface and authentication using a hotspot login. A PSK will do both ultimately and a hotspot login will only do one, but they will both provide a method of authenticating a device/user.

PSK doesn't authenticate users at all. It authenticates only the device (as you yourself said). However, by giving each user (or small group of users) their own unique PSK, you can get close to authenticating users. The hotspot stuff seems to operate at user level for authentication; I guess the auth can be encrypted, but the resulting access is not (as far as I can tell). All the other hotspot stuff looks very nice, but without encrypted connections it's all moot for us :-(

> You can specify a separate security profile for every VAP if you want, so what's the issue? Just set up 10 or 20 VAPs and 10 or 20 Security Profiles with different PSKs.

We seem to have a crossed wire. That's exactly what I'm talking about doing. My actual question was how many such VAPs the MikroTik can support.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)   work +61 2 64957435
http://www.nullarbor.com.au          mobile +61 428 957160

GPG fingerprint: 9DCA 0903 BCBD 0647 BCCC 2FA7 A35C 57A1 ACF9 00BB
Old fingerprint: 231A B066 CF91 1216 4F0F F2AC CE25 B8AA 46DC CC4F

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
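A RouterOS sketch of the client-isolation setup James describes at the top of this thread (/32 leases, forward only to the next hop, input limited to ICMP). This is an added example, not configuration posted by anyone on the list; the interface names wlan1/ether1, the 10.0.0.0/24 pool and the gateway 10.0.0.1 are assumed values, and the DHCP input accept and default-forwarding=no are additions beyond what James wrote.

```routeros
# Added example, not from the thread. Assumptions (constructed values):
#   wlan1  = the single WPA2-EAP AP interface, router address 10.0.0.1
#   ether1 = the interface towards the next hop / upstream
# DNS is not served by this router (input is dropped), so clients must be
# handed an upstream resolver via dns-server= in the network entry.

# 1. Addition: stop the AP forwarding client-to-client frames at layer 2.
/interface wireless set wlan1 default-forwarding=no

# 2. Lease /32 addresses. With netmask 32 a client has no on-link
#    neighbours, so every packet, even one for another client, goes to
#    the gateway and is subject to the forward chain below.
/ip address add address=10.0.0.1/24 interface=wlan1
/ip pool add name=eap-pool ranges=10.0.0.10-10.0.0.250
/ip dhcp-server add name=eap-dhcp interface=wlan1 address-pool=eap-pool disabled=no
/ip dhcp-server network add address=10.0.0.0/24 netmask=32 gateway=10.0.0.1

# 3. Forward chain: allow clients only towards the next hop, then drop
#    anything else forwarded from wlan1 (this covers wlan1 -> wlan1, i.e.
#    client-to-client traffic relayed by the router).
/ip firewall filter
add chain=forward in-interface=wlan1 out-interface=ether1 action=accept \
    comment="clients -> next hop only"
add chain=forward in-interface=wlan1 action=drop \
    comment="no other forwarding from clients (incl. client-to-client)"

# 4. Input chain: the gateway address is the clients' default route.
#    ICMP is accepted as James describes; udp/67 is an assumed addition
#    so DHCP keeps working if the server does not bypass the filter.
add chain=input in-interface=wlan1 protocol=icmp action=accept
add chain=input in-interface=wlan1 protocol=udp dst-port=67 action=accept \
    comment="DHCP (assumed addition)"
add chain=input in-interface=wlan1 action=drop

# 5. James notes he would normally NAT here: masquerade towards the next hop.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
```

Verify with two associated clients: a ping from one client to the other's /32 address should fail, while a ping to 10.0.0.1 and traffic out via ether1 succeed.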