virtual APs - how many?
We have an application where we want to provide several people with wifi access, but we don't want them all on the same SSID or using the same PSK. I looked at the hotspot stuff, but as far as I can tell it runs without a PSK. No good for us, so I didn't look any deeper.

Virtual APs look good though. I can add and remove them easily, they can use WPA, they can each have their own subnet, they can each have their own SSID and PSK.

Does anyone have an idea how many virtual APs can be set up on (say) an RB951G-2HnD? I've set up ten and they don't seem to have used any resources at all.

Regards, K.

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160
GPG fingerprint: 9DCA 0903 BCBD 0647 BCCC 2FA7 A35C 57A1 ACF9 00BB
Old fingerprint: 231A B066 CF91 1216 4F0F F2AC CE25 B8AA 46DC CC4F
I don't think it's a real issue; it's the usage of the router/data which is going to matter. PSK is a device auth system; hotspot doesn't care about it but the wireless interface does. Whilst I haven't done it, I can't imagine why you couldn't do PSK on a hotspot wifi interface, but it would be doubling up, kind of....

Regards
Paul

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
On Thu, 2015-09-17 at 15:27 +1000, Paul Julian wrote:
> PSK is a device auth system, hotspot doesn't care about it but the wireless interface does, whilst I haven't done it I can't imagine why you couldn't do PSK on a hotspot wifi interface, but it would be doubling up kind of....

Doubling up on what? The MikroTik doco says that the connection from user device to the router is not encrypted. Obviously individual users can use VPNs or HTTPS or whatever to encrypt their own traffic, but we want to provide an encrypted channel at least in the air. One PSK for everyone is not good enough.

I think that ten or twenty vAPs will be ample for our needs, if that.

Regards, K.
You didn't say anything about requiring encrypted channels for each user in your original question, just the use of a PSK.

My "kind of" reference to doubling up was referring to the use of a PSK for authentication and encryption for a user to the wireless interface and authentication using a hotspot login. A PSK will do both ultimately and a hotspot login will only do one, but they will both provide a method of authenticating a device/user.

You can specify a separate security profile for every VAP if you want, so what's the issue? Just set up 10 or 20 VAPs and 10 or 20 security profiles with different PSKs.

Paul
On Thu, 2015-09-17 at 16:54 +1000, Paul Julian wrote:
> You didn't say anything about requiring encrypted channels for each user in your original question, just the use of a PSK.

Well - a PSK is a "pre shared key", kinda thought the crypto was implied. And I said "we want to provide several people with wifi access, but we don't want them all on the same SSID or using the same PSK." OK, maybe I could have been more clear.

> My "kind of" reference to doubling up was referring to the use of a PSK for authentication and encryption for a user to the wireless interface and authentication using a hotspot login. A PSK will do both ultimately and a hotspot login will only do one, but they will both provide a method of authenticating a device/user.

PSK doesn't authenticate users at all. It authenticates only the device (as you yourself said). However, by giving each user (or small group of users) their own unique PSK, you can get close to authenticating users. The hotspot stuff seems to operate at user level for authentication; I guess the auth can be encrypted, but the resulting access is not (as far as I can tell). All the other hotspot stuff looks very nice, but without encrypted connections it's all moot for us :-(

> You can specify a separate security profile for every VAP if you want, so what's the issue? Just set up 10 or 20 VAPs and 10 or 20 security profiles with different PSKs.

We seem to have a crossed wire. That's exactly what I'm talking about doing. My actual question was how many such VAPs the MikroTik can support.

Regards, K.
From: Thomas Jackson (Thursday, 17 September 2015 5:39 PM)

As a thought, you could use WPA2-EAP instead of PSK on a single SSID, which (AFAIK) prevents clients from sniffing each other's traffic because you no longer have the same PSK shared across all clients. Downside is that the clients could still see each other (via the AP), so if you want true isolation of groups then virtual AP is the way to go.
You could use a single AP with WPA2-EAP and have your DHCP server issue /32 addresses. Put an allow forward rule in for the destination address (I'd normally NAT here) to the next hop, and then a block rule for all traffic forwarded on the interface (this stops the clients from being able to talk directly). I then block all input except ICMP in for the interface address which is presented to the clients as the default route.

My setup is a bit more complicated as I drag all the clients back to a central router across multiple sites over EoIP, but you get the point. Clients can't talk over IP to each other.

James
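The single-SSID layout James describes, written out as RouterOS commands. This is an added example, not James's own configuration or anything from the thread: one WPA2-EAP SSID, /32 leases so every client has to route through the router, a forward chain that only permits traffic toward the upstream, and an input chain on the SSID that accepts ICMP only. Two things go beyond James's description and are my additions: DHCP is accepted on the input chain (the lease hand-out needs it), and default-forwarding=no on the radio stops the AP relaying frames between its own clients at layer 2, which is the "see each other via the AP" gap Thomas raises. The interface names wlan1 and ether1, the 10.20.0.0/24 range, the RADIUS server 192.0.2.10, the upstream resolver 192.0.2.53 and the secret are all placeholders.

```routeros
# Added example (not from the thread): single SSID, WPA2-EAP, /32 per client,
# clients may only talk to the upstream next hop. wlan1 is the physical radio,
# ether1 the upstream link; addresses and the secret are placeholders.

# RADIUS server used for 802.1X; the EAP exchange is passed through to it.
/radius
add service=wireless address=192.0.2.10 secret=REPLACE-WITH-RADIUS-SECRET

# WPA2-AES only, EAP instead of a shared PSK.
/interface wireless security-profiles
add name=sp-eap mode=dynamic-keys authentication-types=wpa2-eap \
    eap-methods=passthrough unicast-ciphers=aes-ccm group-ciphers=aes-ccm

# default-forwarding=no (my addition): the radio does not relay frames
# between its own clients, so isolation does not depend on IP rules alone.
/interface wireless
set wlan1 mode=ap-bridge ssid=tenants security-profile=sp-eap \
    default-forwarding=no wps-mode=disabled disabled=no

# Gateway address on the SSID and a DHCP scope. netmask=32 hands every
# client a /32, so the only thing it considers on-link is the gateway.
# DNS points upstream because the gateway's input chain drops udp/53.
/ip address
add address=10.20.0.1/24 interface=wlan1
/ip pool
add name=pool-eap ranges=10.20.0.10-10.20.0.250
/ip dhcp-server
add name=dhcp-eap interface=wlan1 address-pool=pool-eap disabled=no
/ip dhcp-server network
add address=10.20.0.0/24 gateway=10.20.0.1 netmask=32 dns-server=192.0.2.53

/ip firewall filter
# forward: replies, then upstream only; everything else from wlan1
# (including client-to-client via the router) is dropped
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=wlan1 out-interface=ether1 action=accept
add chain=forward in-interface=wlan1 action=drop comment="no client-to-client"
# input: the gateway answers ICMP and DHCP (my addition) only
add chain=input in-interface=wlan1 protocol=icmp action=accept
add chain=input in-interface=wlan1 protocol=udp dst-port=67 action=accept
add chain=input in-interface=wlan1 action=drop

# NAT toward the upstream, as James notes he would normally do here.
/ip firewall nat
add chain=srcnat src-address=10.20.0.0/24 out-interface=ether1 action=masquerade
```

Rule order matters in both chains: the accept for ether1 must sit above the wlan1 drop, and RouterOS appends in the order the `add` lines are entered. The per-user attributes Mike mentions later in the thread (IP address, filter chain, VLAN and so on) would be returned by the RADIUS server on top of this base; they are not shown here.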
On Thu, 2015-09-17 at 07:56 +0000, James Symon wrote:
> You could use a single ap with WPA2-EAP and have your DHCP server issue /32 addresses.

Yes - but what I'm looking for really is the ability to host very small groups - possibly as few as one person, but possibly three or four or five.

The default filter for this plan will be isolation between the groups, but a simple exception lets two groups talk to each other.

Regards, K.
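The per-group VAP design the thread converges on (Paul's "one security profile per VAP with its own PSK" and Karl's "isolated by default, with a simple exception") as RouterOS commands. This is an added example and not configuration from either of them: two groups, alpha and beta, each with its own SSID, WPA2 PSK, subnet and DHCP scope, a forward chain that drops group-to-group traffic by default and one explicit exception letting alpha reach beta. wlan1 as the physical radio, ether1 as the upstream, the 10.10.x.0/24 subnets and the REPLACE-WITH-... keys are assumptions.

```routeros
# Added example (not from the thread): two small groups on one radio, each
# with its own SSID, WPA2 PSK and subnet, isolated by default with one
# explicit exception (alpha may open connections to beta). wlan1 is the
# physical radio, ether1 the upstream; subnets and keys are placeholders.

# One security profile per group, WPA2-AES only (no WPA1/TKIP fallback).
/interface wireless security-profiles
add name=sp-alpha mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key=REPLACE-WITH-ALPHA-PSK
add name=sp-beta mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key=REPLACE-WITH-BETA-PSK

# One virtual AP per group on the same physical radio; WPS stays off.
/interface wireless
add name=wlan-alpha master-interface=wlan1 mode=ap-bridge ssid=alpha \
    security-profile=sp-alpha wps-mode=disabled disabled=no
add name=wlan-beta master-interface=wlan1 mode=ap-bridge ssid=beta \
    security-profile=sp-beta wps-mode=disabled disabled=no

# Separate /24 and DHCP scope per group; the router resolves DNS for them.
/ip address
add address=10.10.1.1/24 interface=wlan-alpha
add address=10.10.2.1/24 interface=wlan-beta
/ip pool
add name=pool-alpha ranges=10.10.1.10-10.10.1.250
add name=pool-beta ranges=10.10.2.10-10.10.2.250
/ip dhcp-server
add name=dhcp-alpha interface=wlan-alpha address-pool=pool-alpha disabled=no
add name=dhcp-beta interface=wlan-beta address-pool=pool-beta disabled=no
/ip dhcp-server network
add address=10.10.1.0/24 gateway=10.10.1.1 dns-server=10.10.1.1
add address=10.10.2.0/24 gateway=10.10.2.1 dns-server=10.10.2.1
/ip dns
set allow-remote-requests=yes

# Forward chain, in order: replies, the one exception, the default drop for
# any traffic between group subnets, then upstream only.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=wlan-alpha out-interface=wlan-beta \
    connection-state=new action=accept comment="exception: alpha may reach beta"
add chain=forward src-address=10.10.0.0/16 dst-address=10.10.0.0/16 \
    action=drop comment="default: groups isolated from each other"
add chain=forward src-address=10.10.0.0/16 out-interface=ether1 action=accept
add chain=forward src-address=10.10.0.0/16 action=drop

# NAT for the group subnets toward the upstream.
/ip firewall nat
add chain=srcnat src-address=10.10.0.0/16 out-interface=ether1 action=masquerade
```

Adding a third group is a copy of the alpha stanzas with a new name, key and 10.10.3.0/24; because the default drop matches the whole 10.10.0.0/16 aggregate rather than individual interfaces, the isolation rule never needs editing, only the exceptions do. The exception is one-directional on purpose: beta's replies return through the established/related rule, but beta cannot open connections to alpha.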
Hi,

You can do it all with EAP and RADIUS - allows you to set WDS password for every individual user if you want to in radius profile, then set connection parameters according to the auth'ed user: IP address, filter chain, packet marks, routing table, vlan-id, and more! So radius profile or radius group will control who gets to talk to each other and who is isolated.

May take a little longer to get it all put together, but gives you the ultimate in flexibility in the end ;)

Cheers, Mike.
On Fri, 2015-09-18 at 08:54 +1000, Mike Everest wrote:
> You can do it all with EAP and RADIUS - allows you to set WDS password for every individual user if you want to in radius profile, then set connection parameters according to the auth'ed user: IP address, filter chain, packet marks, routing table, vlan-id, and more! So radius profile or radius group will control who gets to talk to each other and who is isolated. May take a little longer to get it all put together, but gives you the ultimate in flexibility in the end ;)

WDS?!? I must have missed a memo, I thought that was basically a method of halving your wifi input while lowering your security level? But the rest sounds very nice, do please point me to some how-tos :-)

I got the very definite impression from several third-party articles and from the MikroTik doco that hotspot associations were not encrypted (though the auth exchange is in some circumstances). No amount of whizzbangery is any use to me if the association itself is not encrypted.

Regards, K.
Duh, WPA!!! :-D

Hotspot per se is not /necessarily/ encrypted, but you can use WPA on the wireless then https on the captive portal to secure everything. BUT, since the usual intent for hotspot is to make access simple and easy and ad-hoc, all that encryption and security is usually left as a user exercise ;)

For a few starting points, check these results: https://www.google.com.au/webhp?q=mikrotik%20wiki%20eap%20radius

Essentially, enable EAP and RADIUS in the wireless security profile, install User Manager, then start playing! Have fun - expect it to take quite a while to get it all working together! :-D

Cheers, Mike.

------------------------------------------------------------------------------------
Why Choose DuxTel for all your MikroTik needs? 10 good reasons: http://duxtel.com/why_duxtel
------------------------------------------------------------------------------------
Follow our tweets for news and updates: http://twitter.com/duxtel
I have a vague recollection that there is a hard limit of 128 virtual APs per physical radio.
participants (5)
- James Symon
- Karl Auer
- Mike Everest
- Paul Julian
- Thomas Jackson