Just when I thought I finally had my network all ironed out, with some compromises to avoid a bunch of IoT SSIDs, you make this video. Now I have to reevaluate my layout and decide if I want to spend my weekend on this.
@apalrdsadventures
1 year ago
It's a pretty cool feature, if your APs support it.
@georgH
1 year ago
That's quite a neat solution. For years, I've had my main network, with the main SSID across all WiFi access points (the APs are interconnected using CAT5 1Gbps, I hate wireless bridges) and a second SSID for guests and other devices. The guest SSIDs use a different VLAN on each router, not routable through the main LAN, and with client isolation. They get internet using SNAT. All of this is configured through dd-WRT using really low-end routers released in 2013, but hey, they have been working well enough for many years :)
@irvinekinny
1 year ago
Thank you so much, good sir. You are truly helping the IT world with your videos and manuals. All I could wish for is just that I'd found your channel much, much earlier.
@robertopontone
1 year ago
Great video, not easy but super interesting. Let me reiterate how you manage with your channel to cover topics not touched by many other tech channels; also, your network knowledge is quite impressive.
@ErkinOrdulu
1 year ago
Congratulations, great project! It's inspiring and I'd love to try it myself. However, watching this makes me feel excited and a little overwhelmed at the same time.
@apalrdsadventures
1 year ago
Glad you like it! Thanks!
@nezu_cc
1 year ago
Mikrotik now supports running Docker containers directly on ARM and ARM64 devices. You could probably install the RADIUS server on the Mikrotik itself, and then you would have a self-contained system that works even if your Proxmox box goes down.
@apalrdsadventures
1 year ago
Mikrotik also has their own built-in User Manager which can do the same thing. I did it this way to integrate with other RADIUS-based network stuff I'm working on.
@calebjpryor
8 months ago
Oh man, this was so refreshingly good. They say if you can explain complicated things simply, you know them well. You, my sir, know them well. Thank you, keep it up, and I do hope this works with wave2 radios.
@apalrdsadventures
8 months ago
As far as I know it does, but I don't have one to test.
@phsouzabr
1 year ago
Very thorough tutorial, I'll try it soon! Thanks!
@TheTekkster
8 months ago
Fantastic video. You showed all the things I search on the internet. You're great! Thanks.
@apalrdsadventures
8 months ago
Glad it was helpful!
@mihumono
1 year ago
I started playing with this in an OpenWRT VM with a USB WiFi card and it works great so far. It wasn't that complicated to set up.
@hoover1335
1 year ago
Not a single legacy IP in sight. It's beautiful! 🤩 Would you say it's secure to just allow any MAC address and completely rely on password-based authentication?
@apalrdsadventures
1 year ago
In general password-based auth is secure on its own, as long as you aren't giving the password to everyone. With a system like this, you can give the default password to all of your friends, then use different passwords for your own devices, IoT devices, ... without creating multiple SSIDs.
@eDoc2020
1 year ago
MAC filtering provides almost no security. Every client which connects will send it out in plaintext. The same applies to hiding the SSID.
@zekicay
1 year ago
It works in OpenWRT 23.05.0-rc1 using wpa_psk_file. Previous versions have bugs.
@deltax-ray6290
1 year ago
Man, I didn't know you could do this. Thank you so much for sharing! Now to work out if UniFi / TP-Link actually supports it. Probably not, maybe time to go AP shopping 😅
@mrakaki
10 months ago
Kinda late I know, but UniFi supports this!
@xoredG
8 months ago
Did you ever look back at OpenWRT and whether that's supported now? I'd love to have this kind of setup for non-WPA3 clients without committing to an old radio.
@alexaka1
10 months ago
Wireless Access Point was not my first guess on why it was called WAP.
@ziozzot
1 year ago
Really cool, now I have to figure out how to do this on my AP.
@thestreamreader
1 year ago
How are you making sure all this configuration is backed up? My problem is I've got so many things like this running, cloud VPS projects, that I won't remember how to get them back up, because it's normally one and done and never touched again.
@apalrdsadventures
1 year ago
On Mikrotik, you can export the entire configuration to a file and save the file. To rebuild, do a factory reset, then load the configuration file. For the rest of it, I can do backups in Proxmox for the whole container / VM.
@patrickweggler
1 year ago
Great tutorial! Could you show this with the omada stuff, too?
@apalrdsadventures
1 year ago
The process is nearly the same (although they use the more standard Tunnel-* options in the RADIUS reply, see here: www.tp-link.com/us/support/faq/3386/ ); however, AFAIK it's not fully supported across all of their devices yet, and none of the devices I have support it.
@Atabascael
1 year ago
3:03 BillWiTheScienceFi 😂
@DanielBeszterda
1 year ago
OnlyFriends was good too.
@pcm1ke
1 year ago
Can you match clients based on the PSK they supply? For example, use one SSID and allow anyone to connect… but based on the PSK supplied, throw them into a certain VLAN? password1 = VLAN1, password2 = VLAN2, no password given = walled-off VLAN with client isolation and limited bandwidth? This seems like a more elegant approach than worrying about MAC addresses. Is this possible maybe with multiple default rules and fall-through yes arguments? I guess I should have mentioned I'm coming from a UniFi environment, and I guess this is called PPSK and isn't something that would work with UniFi. Shame.
@apalrdsadventures
1 year ago
The WPA2 4-way handshake is designed so both sides need to mutually know the PSK for them to be able to exchange their pairwise keys. So no, there is no knowledge of which PSK was entered, and this is by design in WPA2. A few vendors 'hack' this by keeping a (short) list of all of the possible PSKs at the AP and trying to calculate all of the possible key versions from this list (and seeing if it can decrypt the client message using any of them) but this doesn't scale and WPA3 has better cryptography which prevents this.
@MrDudunorris
1 year ago
I didn't even know that was possible! Congratulations!
@apalrdsadventures
1 year ago
Thanks!
@himiko_pl
1 year ago
Why not use the built-in RADIUS server? "User Manager is RADIUS server implementation in RouterOS"
@apalrdsadventures
1 year ago
It would work just fine with the Mikrotik RADIUS server. In my case, I'm trying a few different types of services that need RADIUS authentication (WiFi and 802.1X) and playing with both Mikrotik and OpenWRT, so putting it in one place makes sense to me.
@arvid4138
1 year ago
@@apalrdsadventures Guess it's the same answer for OPNsense as well?
@apalrdsadventures
1 year ago
OPNsense can also run a RADIUS server as a plugin and auth to RADIUS for some of its services (such as OpenVPN), although in this case I'd prefer to learn the basics of how it works before deciding which server platform to use. I am still open to finding a better RADIUS server / GUI, but it's not all that hard to write an authorize file at the small scale I'm working with.
@Christos9
1 year ago
Fantastic
@apalrdsadventures
1 year ago
Thanks
@lucianbuzatu4602
1 year ago
Hello, great project, thanks. How can I get the dictionary for the TP-Link Omada controller?
@teneightypl
1 year ago
Very inspiring.
3 months ago
I have one question about mobile devices (with generated MAC addresses). The solution you used is for every phone (every device with a dynamic MAC address). Is there a way to connect phones from family members differently, so that only visitors get a different VLAN? I hope I've described what I want to do, my English is not so good :-)
@apalrdsadventures
3 months ago
The mobile devices generate a random MAC, but it does not change over time for the same network. So you can initially log them in with the 'default' password, find the MAC they are using, and then change the password for that MAC specifically. Visitors get the default password / vlan.
3 months ago
@@apalrdsadventures Wow, I did not realize that. Thank you a lot.
3 months ago
@@apalrdsadventures I have Mikrotik as my main router. So I tried to figure out how to set this up only with User Manager as a RADIUS server. But I did not find out how to do something like you did with mobile-generated MAC addresses. So I think that I have to set up a RADIUS server as you did. Thank you a lot for this video.
@apalrdsadventures
3 months ago
I'm guessing their UserManager has an implicit default deny if there is no user. Instead, I have default accept with a default password.
@NetBandit70
1 year ago
Are devices on the same collision (and broadcast) domain? IoT (internet of trash) devices are getting more and more sneaky about finding ways to phone home.
@apalrdsadventures
1 year ago
The VLAN option will segregate them (assuming your switches support VLAN tagging), so they will be on the same broadcast domain as the VLAN ID. The forwarding option will prevent packets from forwarding across the AP, but not across other devices on the wired broadcast domain (including devices on other APs). The PSK option has no effect on packet forwarding, just authentication.
@jeremiahbullfrog9288
1 year ago
You lost me before the 2-minute mark ... is RouterOS something I can install in place of dd-wrt, or do I need that particular hardware... what is Winbox ... etc.
@apalrdsadventures
1 year ago
RouterOS is the software platform for Mikrotik's hardware, and Winbox is their management tool. I'd like to do this in OpenWRT (which you can install on other off-the-shelf wifi routers), but it's not quite there yet.
@pawelgrad
1 year ago
Hi, I have 2 questions not directly connected to the topic of the video. Have you tested the outdoor range of the wAP ac? Does it support WifiWave2? I'm looking for an outdoor AP which can cover around 100m and I see 2 options: wAP ac or TP-Link EAP225-Outdoor. Ubiquiti AP Mesh has not been available for months. All Wi-Fi 6 options are out of my budget.
@apalrdsadventures
1 year ago
I have the older wAP AC (which has a different radio chip than the 'new' version, and only one Ethernet port), so it wouldn't help you a ton. It doesn't support WifiWave2. I do have an EAP225-Outdoor and it works well though.
@pawelgrad
1 year ago
@@apalrdsadventures thanks! I'll buy the EAP225-Outdoor, it has higher-gain antennas included.
@egokhanturk
7 months ago
I am using an Asus router but it does not support VLANs. I want to use VLANs. What can I do?
@apalrdsadventures
7 months ago
Get a new router? Or maybe use OpenWRT on it?
@egokhanturk
7 months ago
@@apalrdsadventures The router I bought is new anyway. When I bought it, I didn't even think that it wouldn't have VLAN support, because it is an expensive router with WiFi 6 support. Maybe I can set up a virtual server in my Proxmox and use it as OpenWRT or pfSense, and use the Asus only as an access point. Do you think this makes sense?
@flintthuang
1 year ago
Does this method only work with Mikrotik devices? I noticed that the return parameters of RADIUS are Mikrotik-related.
@apalrdsadventures
1 year ago
There are other companies that offer this, although in general not on the lower end of WiFi gear. TP-Link has started to add the feature to Omada (at least the per-MAC VLANs bit), although as far as I know it hasn't rolled out to the firmware on all of the AP models yet.
@Mr.Leeroy
1 year ago
I just use plain hostapd on Debian; it works great with Mikrotik miniPCIe interfaces passed to a VM, and no need to touch this horrible RouterOS. Even without RADIUS, you could get by with a main network for a guest AP (isolated stations, even bridged to a VPN) and two hidden additional SSIDs for separate VLAN nets: IoT that should not be allowed Internet, and your private WLAN net for known devices.
@apalrdsadventures
1 year ago
RouterOS really isn't that bad once you get over the fact that the interface looks old. It's extremely functional. hostapd itself should support this if the hardware does, it's just OpenWRT that is currently lacking the ability to configure hostapd for this.
@Mr.Leeroy
1 year ago
@@apalrdsadventures I do not have a problem with the UI itself, but the fact that it is a proprietary appliance. Moreover, with WinBox being their main effort as a management tool, a Windows app FFS.. And licenses.. ugh, it all smells of corporate BS similar to anything legacy MS related.. Hardware is good, no problems with that.
@apalrdsadventures
1 year ago
As far as proprietary software goes, it's one of the better ones. No recurring licensing fees, all software fully unlocked when you buy any of their hardware, perpetual updates for a very long time including new enhancements, ...
@sheerun
1 year ago
It's admirable you managed to do this, but the licensing of Mikrotik is quite strict. I'm not even sure I can use one router and a few access points for home use.
@Ender_Wiggin
1 year ago
Man, do you know if there is a way to do this with a UniFi AP?
@apalrdsadventures
1 year ago
They can do VLAN assignment but not individual PSKs.
@user-zr7kz4vs7c
1 year ago
Will this work on a UniFi AP?
@apalrdsadventures
1 year ago
No, UniFi's software doesn't support this.
@user-zr7kz4vs7c
1 year ago
@@apalrdsadventures I see, thanks for your video. I really want to try out WPA3 PPSK, but sadly I use a UniFi AP with OPNsense. But do you know whether WPA3 supports PPSK? I heard some people say it's supported but some say it's not supported.
@apalrdsadventures
1 year ago
Some systems (like TP-link Omada) will basically keep a small list of possible PSKs and try all of them during the WPA2 handshake so you don't have to manually associate MACs with PSKs. That method is not possible with WPA3. However, as far as I know, you can still do PPSK based on MAC in WPA3.
@MyronMGains
1 year ago
Is there any way to do VLAN assignment based on the passwords they use? i.e. you have 1 SSID and 20 passwords, and depending on which password they use, they go to a specific VLAN? (edit: you don't know their MAC address beforehand. In my scenario it would be a 20-room hotel, and each room is on its own VLAN)
@apalrdsadventures
1 year ago
No. In WiFi authentication, the AP's MAC (the BSSID) is always broadcast and the client initiates the connection with only their MAC address in the clear, so all we have to go on (at least without EAP) is the MACs. The two sides need to go through the 4-way handshake to determine the session key for that specific client, and both sides must mutually prove to each other that they know the PSK. If all of your clients are modern phones and tablets you can use WPA2-EAP, where the client provides a username and password instead of a PSK. In that mode, both the username and password are passed to the RADIUS server for it to accept/reject the client. But a lot of lesser clients don't support EAP. In your case, a more traditional captive portal method would probably be best.
@eDoc2020
1 year ago
@@apalrdsadventures I'm pretty sure the TP-Link Omada setup can do this so it must be possible. They might be faking it, though. They might test one PSK with the first handshake, and if that fails they'll test another PSK when the client retries.
@apalrdsadventures
1 year ago
It's definitely not possible without violating the standards. The two sides exchange random values with each other, and independently compute the pairwise key based on their MAC addresses, exchanged random values, and mutually known PSK. Neither side ever transmits the PSK. If either side has the wrong key, they will fail to communicate and will only know that the key did not match (no information about the key itself is actually exchanged). Since some devices will try again a few times maybe TP-Link is relying on that, then at best they can have 2 or 3 keys before clients start to give up entirely.
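The 4-way handshake point made in the replies above (the PSK is never transmitted, both sides derive the pairwise key from public MACs and nonces plus the PSK, and a "multi-PSK" AP can only test a short configured candidate list against the client's MIC), as an added Python example that is not from the video or from any commenter. The PMK/PTK/MIC derivation follows the WPA2-CCMP definitions (PBKDF2-SHA1, PRF-512, HMAC-SHA1-128); the SSID, MAC addresses, nonces, EAPOL frame bytes and passphrases are constructed sample values, not a real capture.

```python
import hashlib
import hmac

def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """802.11i PSK mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4))
    return b"".join(blocks)[:64]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from the PMK plus the values that are sent in the clear: both MACs and both nonces."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck: bytes, frame_mic_zeroed: bytes) -> bytes:
    """WPA2 key descriptor v2: MIC = first 16 bytes of HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed)."""
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]

def client_msg2_mic(psk: str, ssid: str, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes, frame: bytes) -> bytes:
    """Client side of message 2: derive the PTK from its own PSK and authenticate the frame with the KCK (PTK[0:16])."""
    kck = derive_ptk(pmk_from_psk(psk, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return eapol_mic(kck, frame)

def identify_psk(candidates, ssid, ap_mac, sta_mac, anonce, snonce, frame, mic):
    """AP side of the vendor 'multi-PSK' trick: recompute the MIC under each configured PSK until one verifies.
    Each attempt yields only match / no match, so an unknown PSK reveals nothing and the list cannot scale."""
    for psk in candidates:
        kck = derive_ptk(pmk_from_psk(psk, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame), mic):
            return psk
    return None

# Constructed sample handshake values (assumed for the demo, not a real capture).
SSID = "apalrd-demo"
AP_MAC = bytes.fromhex("02aabbccdd01")
STA_MAC = bytes.fromhex("02aabbccdd02")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
FRAME = b"constructed EAPOL-Key message 2 with MIC field zeroed"
CANDIDATES = ["guest-default", "family-phones", "iot-things"]

def demo(client_psk: str):
    """Client builds message 2 with client_psk; AP tries to tell which configured PSK (if any) it used."""
    mic = client_msg2_mic(client_psk, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, FRAME)
    return identify_psk(CANDIDATES, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, FRAME, mic)

if __name__ == "__main__":
    print(demo("family-phones"), demo("not-configured"))  # family-phones None
```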
Comments: 85