Architectural consideration notes from Joshaven Potter (one of our on-staff WISP Consultants).
Client Isolation Recommendations
APs should use client isolation. This reduces load and improves reliability: repeating broadcast frames between subscribers increases network load, and it lets rogue DHCP servers and other broadcast-based services, which are only supposed to work within a single LAN, reach every other subscriber on the AP.
Switch ports that connect to APs should be isolated.
Use a dedicated VLAN per AP.
When multiple APs share the same VLAN, use port isolation on the AP ports (not on the router/uplink port).
I like to map switch ports to specific VLANs by convention to simplify configuration. Using VLAN 101 for switch port 1 and VLAN 102 for switch port 2 makes administration and configuration simpler in my opinion.
Use bridges and bridge horizons on your router.
Put the AP interfaces (Ethernet or VLAN interfaces) into a bridge on your router and give each of them the same horizon value. A horizon works like client isolation on the AP: the bridge will not forward any frame, broadcast or unicast, between ports that share a horizon value, while each port can still reach the bridge's own interface (the router) and any port with a different horizon or none at all.
Equipment Management Recommendations
I recommend blocking all management access except from approved sources on all infrastructure.
I prefer management only on the wireless interface and on VLAN 10.
Management on VLAN 10
It can be helpful to configure a 'tech port', a switch port placed untagged in VLAN 10, for local management access.
Management on a tech port
Input chain firewall rules on access routers
Accept ICMP from anywhere (optionally rate limited to a number of packets per second)
Accept management traffic from the management networks only
Drop everything else
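The input chain described above as a RouterOS script (an added example, not part of the original notes or the VISP product). The management networks are assumptions: 10.2.0.0/16 stands in for the VLAN 10 management space and 10.255.0.0/24 for a VPN management pool. It adds two things a practitioner will want that the three-rule summary leaves implicit: an accept for established/related traffic, without which replies to the router's own RADIUS, DNS and NTP requests are dropped by the final rule, and restrictions on the layer-2 MAC server and neighbor discovery, which the IP filter does not cover. Apply it from a session started with `/system safe-mode` so a mistake in the management list cannot lock you out.

```routeros
# Added example, not the notes' own configuration.
# Management sources are assumed; adjust to your addressing.
/ip firewall address-list
add list=management address=10.2.0.0/16 comment="Management VLAN 10 networks (assumed)"
add list=management address=10.255.0.0/24 comment="Management VPN pool (assumed)"

/ip firewall filter
# Replies to traffic the router itself started (RADIUS, DNS, NTP, updates)
# must be accepted before the final drop.
add chain=input connection-state=established,related action=accept comment="Return traffic to the router"
add chain=input connection-state=invalid action=drop comment="Drop invalid"
# ICMP from anywhere, limited to 10 packets/s with a burst of 5; the excess is dropped
add chain=input protocol=icmp limit=10,5:packet action=accept comment="ICMP (rate limited)"
add chain=input protocol=icmp action=drop comment="ICMP above the limit"
# Management only from the approved source networks
add chain=input src-address-list=management action=accept comment="Management from approved networks"
# Everything else destined to the router (customers, the internet) is dropped
add chain=input action=drop comment="Drop all other input"

# MAC-telnet, MAC-WinBox and neighbor discovery work at layer 2 and bypass
# the IP filter; confine them to the management interface list.
/interface list
add name=management comment="Interfaces allowed to manage the router"
/interface list member
add list=management interface=ether1-VLAN10 comment="Management VLAN interface (assumed name)"
/tool mac-server
set allowed-interface-list=management
/tool mac-server mac-winbox
set allowed-interface-list=management
/ip neighbor discovery-settings
set discover-interface-list=management
```

Rule order matters: the management accept must sit above the final drop, and the established/related rule is what lets the router's own RADIUS queries succeed when the RADIUS server is not in the management list.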
I use VLAN numbers above 199 for VLANs that pass through a switch or have some other special use.
It is a personal preference, but I prefer not to use an individual customer access subnet per access point. If you are using an individual router port per AP with individual subnets, the following can be skipped.
I recommend using a customer access bridge on your customer access router (the customers' gateway), even if you only intend to use a single router port, if for no other reason than to be able to test customer access from a tech port. Adding a customer access bridge can be done like: `/interface bridge add name=Customers`.
Unless you need peer-to-peer communication, set a bridge horizon to isolate the customer interfaces on your customer access router, e.g. `/interface bridge port add interface=ether1 bridge=Customers horizon=1`. If you are using VLANs on a PoE switch, the bridge port will be the VLAN interface on ether1 (e.g. `ether1-VLAN103`) rather than ether1 itself.
Note: use bridge horizons on MikroTik routers, but use VLANs on MikroTik switches for port isolation. Bridge port horizons work well to keep a software bridge from forwarding between the customer access ports on your customer gateway, but every frame then has to be processed by the CPU, which is undesirable on a MikroTik switch. VLANs let the switch chip perform the port isolation in hardware on MikroTik switches, and any other manufacturer's managed switch should support VLANs for port isolation as well.
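The switch-side VLAN isolation and the router-side horizon bridge described in this section, written out as RouterOS configuration (an added example, not the notes' own configuration). Names and port numbers are assumptions: on the PoE switch ether1 and ether2 are AP ports, ether23 is a tech port, ether24 is the trunk to the router; on the router ether1 is the trunk and ether5 is a customer-side tech port. VLAN 10 is management and VLANs 101/102 follow the port-number convention from the notes. The switch part assumes a CRS3xx-class switch where bridge VLAN filtering is offloaded to the switch chip; after enabling filtering, check that the bridge ports still show the hardware-offload (H) flag, otherwise that model is isolating in software.

```routeros
# Added example, not the notes' own configuration. Port numbers and names are assumed.

# ---- PoE switch: one customer VLAN per AP port, isolated in the switch chip ----
/interface bridge
add name=bridge1 vlan-filtering=no comment="Switch bridge; filtering is enabled last"
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=101 comment="AP 1: customer traffic untagged into VLAN 101"
add bridge=bridge1 interface=ether2 pvid=102 comment="AP 2: customer traffic untagged into VLAN 102"
add bridge=bridge1 interface=ether23 pvid=10 comment="Tech port: untagged management VLAN 10"
add bridge=bridge1 interface=ether24 comment="Trunk to router: all VLANs tagged"
/interface bridge vlan
add bridge=bridge1 vlan-ids=101 untagged=ether1 tagged=ether24
add bridge=bridge1 vlan-ids=102 untagged=ether2 tagged=ether24
# Management VLAN is tagged toward the APs (their management interface) and the
# switch CPU (bridge1) so the switch itself can be managed on VLAN 10.
add bridge=bridge1 vlan-ids=10 untagged=ether23 tagged=ether24,ether1,ether2,bridge1
/interface vlan
add name=bridge1-VLAN10 interface=bridge1 vlan-id=10 comment="Switch management"
/ip address
add address=10.2.1.2/24 interface=bridge1-VLAN10 comment="Switch management IP (assumed)"
/interface bridge
set bridge1 vlan-filtering=yes

# ---- Customer gateway router: terminate the per-AP VLANs on a horizon bridge ----
/interface bridge
add name=Customers comment="Customer access bridge"
/interface vlan
add name=ether1-VLAN101 interface=ether1 vlan-id=101 comment="AP 1 via switch port 1"
add name=ether1-VLAN102 interface=ether1 vlan-id=102 comment="AP 2 via switch port 2"
add name=ether1-VLAN10 interface=ether1 vlan-id=10 comment="Management VLAN: not bridged, no horizon"
/interface bridge port
add bridge=Customers interface=ether1-VLAN101 horizon=1 comment="Same horizon as the other APs: no AP-to-AP forwarding"
add bridge=Customers interface=ether1-VLAN102 horizon=1
add bridge=Customers interface=ether5 comment="Tech port for customer-side testing; no horizon so a tech can reach subscribers"
/ip address
add address=10.2.1.1/24 interface=ether1-VLAN10 comment="Router management IP (assumed)"
```

The router's management address goes directly on the VLAN 10 interface rather than into the customer bridge, which keeps the management domain out of the horizon-isolated bridge as the notes recommend. Enable `vlan-filtering` on the switch last, and from a console or the tech port rather than over a port whose VLAN membership the script changes.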
I encourage using a management VLAN. I recommend that your infrastructure be unreachable from the internet and from your customers. In my opinion, management should only be available by physically plugging into the management interface on your router or by using a VPN to log in to your management network.
Using a management VLAN can mean losing administrative access to the equipment from the LAN port on some equipment (Cambium has addressed this by answering on 169.254.1.1 from the LAN port for local-only administration).
If local administration is not possible on a device that has become disconnected from the management VLAN, resetting the device to defaults and re-configuring it may be required.
VLAN tags remain on frames until a switch or router removes them. Segment your management VLAN per site. If one router supports multiple sites, every site shares the same management broadcast domain. I do not recommend horizons or port isolation on your management domain, because peer-to-peer reachability between devices is useful for administration.
When providing private IPs to your customers, use the address space reserved for this purpose, the shared address space 100.64.0.0/10 (100.64.0.0 - 100.127.255.255, RFC 6598) rather than RFC 1918 space. If for no other reason, "smart" customer routers (which switch themselves into bridge mode when they receive a LAN-style private address on their WAN port) will not mistake your customer access addresses for LAN addresses. See https://en.wikipedia.org/wiki/Carrier-grade_NAT for additional information on CGNAT and the use of 100.64.0.0 - 100.127.255.255.
Configure IP Addresses
- Add the IP address on the customer-facing interface that will serve as the gateway for active subscribers (probably the bridge named `Customers`).
- Address, e.g. 100.64.1.1/24: the router's gateway address in the active subscriber range.
- Optional: add subscriber management IP addresses on the appropriate VLAN interface.
- Address, e.g. 10.2.1.1/24
- It is also best practice to document the subnet with meaningful comments.
DHCP server setup
- Using WinBox, navigate to `IP > DHCP Server` on the router that will control customer access.
- In the DHCP Server window, click the DHCP Setup button, choose the interface on which you want to run the DHCP server (the customer access bridge) from the DHCP Server Interface drop-down menu, and then click Next.
- Enter your customer network block (e.g. 100.64.1.0/24) in the DHCP address space box, then click Next.
- Enter the gateway address for that network (e.g. 100.64.1.1) in the DHCP network gateway box and click Next.
- Provide the IP range for the address pool and click Next.
- Provide the preferred DNS server IP and click Next.
- Provide the IP lease time and click Next. The suggested lease time is 10 minutes, so that lease renewals re-check each subscriber against RADIUS frequently.
- Once the DHCP setup is complete, open the new server and set the Use RADIUS option to "yes".
- Lastly, rename the DHCP server so that it carries the suffix "-VISPv4" (case sensitive), e.g. "server1-VISPv4".
Critical note: when Option 82 is enabled on UBNT devices, the radio acts as a DHCP relay. Because of this, set Relay on the DHCP server to 255.255.255.255 so that it processes requests relayed from any radio.
Optional: ARP Payment Enforcement Protection
This makes the router talk only to clients whose IP address was assigned through HyperRADIUS™ (that is, through a DHCP lease). Without this setting, a subscriber could configure a static address from the customer range and bypass the payment enforcement system.
- Set ARP to reply-only on the customer-facing interface (on the General tab of the bridge or physical interface). In this mode the router never learns ARP entries dynamically; it answers only from static entries.
- Check the "Add ARP for Leases" checkbox on the customer access DHCP server, so that each bound lease installs the static ARP entry the subscriber needs.
Navigate to the Firewall/NAT tab and add the Masquerade rule for Active Subscribers
Assuming you are using private IPs, you will need to configure NAT either at the tower or at your core. The example below configures NAT at the tower. On the NAT tab, add a new rule with the following settings (if using private IPs):
- General / Chain: srcnat
- General / Src. Address: 100.64.1.0/24 (adjust to the customers' private IP pool)
- Action / Action: masquerade (or src-nat with a specified To Address)
Note: the src-nat action with a fixed public To Address is cheaper for the router than masquerade, which has to look up the outgoing interface's address per connection, so use src-nat if you can assign a public IP to the router.
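The address, DHCP server, ARP payment enforcement and NAT steps from the sections above as one RouterOS script, the CLI equivalent of the WinBox clicks (an added example, not the notes' own configuration). Assumptions: the customer bridge is named `Customers`, the upstream interface is ether2, 198.51.100.53 is the resolver handed to customers and 203.0.113.10 is a public address routed to this router. It also shows the failure mode the ARP section warns about: with `arp=reply-only` and `add-arp=yes`, a subscriber who self-assigns an address in the pool gets no ARP replies from the gateway, which is exactly the enforcement intended, but the same applies to anything you give a static address on that bridge (a tech laptop, a monitoring probe), so those need a lease or a manual `/ip arp` entry.

```routeros
# Added example, not the notes' own configuration. Interface names and the
# resolver/public addresses are assumed.
/ip address
add address=100.64.1.1/24 interface=Customers comment="Active subscribers, shared address space"

/ip pool
add name=Customers-pool ranges=100.64.1.10-100.64.1.254

/ip dhcp-server network
add address=100.64.1.0/24 gateway=100.64.1.1 dns-server=198.51.100.53 comment="Active subscribers (resolver assumed)"

# relay=255.255.255.255 accepts requests from any DHCP relay, which is what
# UBNT radios become once Option 82 is enabled; use-radius=yes hands each
# request to the configured RADIUS servers; add-arp=yes installs a static
# ARP entry for every bound lease. The -VISPv4 suffix is required by VISP.
/ip dhcp-server
add name=server1-VISPv4 interface=Customers address-pool=Customers-pool lease-time=10m relay=255.255.255.255 use-radius=yes add-arp=yes disabled=no

# ARP payment enforcement: reply-only stops dynamic ARP learning, so only
# addresses with a static entry (created by the lease) can reach the gateway.
/interface bridge
set [ find name=Customers ] arp=reply-only

# NAT at the tower. Keep exactly one of the two rules enabled.
/ip firewall nat
add chain=srcnat src-address=100.64.1.0/24 out-interface=ether2 action=masquerade comment="Masquerade behind whatever address ether2 holds"
add chain=srcnat src-address=100.64.1.0/24 out-interface=ether2 action=src-nat to-addresses=203.0.113.10 disabled=yes comment="Cheaper alternative once a public IP is routed here (assumed address)"
```

Restricting the srcnat rules with `out-interface=ether2` keeps traffic between the customer range and your management networks from being translated, which would otherwise hide the subscriber's real address from your own logs.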
Configure Firewall and Redirection Page for Suspended Subscribers.
- Generate the firewall rules by clicking the button below.
- After downloading the file, upload it to the MikroTik router by dragging it into the Files window.
- Open a terminal window and run the following command:
`/import verbose=yes file-name=firewall.cfg.rsc`
- Select the Queue Types tab and double-click the default-small queue type to open it.
- Change the default-small queue type's Kind to 'sfq' and leave the other settings at their defaults.
Configure RADIUS Servers
Follow the instructions on this page to configure the RADIUS servers.
Important reminder: when using Option 82 authentication, the multi-MAC option in the VISP package should be enabled.