Traffic/management vlans

Why not have a VLAN id assigned by the core router that’s reachable across the OSPF network that the ePMP radios see rather than routing it to the tower router first and have it tag stuff?

I’m digging into a donor Mikrotik today to see if I can get it to do routing, OSPF, AAA and DHCP reasonably, will see what happens. I’m building the whole network on a bench to test end-to-end.

I created an OSPF area 1.1.1.1 on the Juniper, but the MT won’t see it. Posted to the MT forum: “OSPF area 1.1.1.1 won't see Juniper SRX 1.1.1.1 - MikroTik”.

I guess this is where MT probably starts to get weird. IDK whether it’s because I have my int in a bridge, who knows…

Eventually when I get it all working, I’ll post what I have end-to-end here to help the next person working on something similar.

Got it working, had to add an interface on the same subnet as the Juniper, then OSPF would see it.

[admin@MikroTik] > /ip address add address=192.168.30.2/24 interface=ether5
[admin@MikroTik] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; 172
     172.16.30.1/24     172.16.30.0     ether2-master
 1   192.168.30.2/24    192.168.30.0    ether5    
[admin@MikroTik] /routing ospf network> print
Flags: X - disabled, I - invalid
 #   NETWORK            AREA
 0   192.168.30.0/24    area1      
[admin@MikroTik] /routing ospf> instance print
Flags: X - disabled, * - default 
 0  * name="default" router-id=0.0.0.0 distribute-default=never redistribute-connected=no
      redistribute-static=no redistribute-rip=no redistribute-bgp=no redistribute-other-ospf=no
      metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 metric-bgp=auto
      metric-other-ospf=auto in-filter=ospf-in out-filter=ospf-out
[admin@MikroTik] /routing ospf> /
[admin@MikroTik] > ping 192.168.30.1
  SEQ HOST                                     SIZE TTL TIME  STATUS
    0 192.168.30.1                               56  64 0ms  
    1 192.168.30.1                               56  64 0ms
    2 192.168.30.1                               56  64 0ms
    3 192.168.30.1                               56  64 0ms
    sent=4 received=4 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms

I plan to work on the radius authentication next, will publish the whole thing end-to-end once I get this working, since I feel sorry for a new guy trying to figure all this out without examples.


Sorry for the delay, been busy!

The reason you do not want a L2 vlan across your network is Spanning Tree will shut down ports on you and you definitely do not want to disable spanning tree!
By routing to the towers instead of passing a vlan, you gain reliability and automatic fail-over. This is the whole point of using a routing protocol.

To get DHCP to work across a routed network, use the DHCP helper option to point to the DHCP server for your SM management devices. It is a good practice to have your PTP radios and AP radios with static addressing and the SMs with dynamic addresses. If you assign a local DHCP server to each tower, then have each tower provide a separate address range per tower so you can figure out where things are quickly and for internal management DNS, this allows you to append tower ID to each SM name via an automatic CNAME.

I am not a Mikrotik or Juniper guy, I am a Cisco and Linux guy (I also don’t do the OSPF thing; IS-IS is our flavor, but that is a choice we made). The concepts are the same but how they get implemented is different. StubArea51 (google it) has a lot of information regarding this and they are Mikrotik guys!

Last thing, I know you’re just bench testing (labbing) the configs and getting them ready, but you should use the CGN IP range instead of RFC1918 addresses. The difference is that the CGN range is routable without doing anything and it does not have problems with NAT and client networks. Just remember to add an ACL to your gateways and block it in BGP (if you’re using BGP) so you don’t advertise these shared addresses.

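As an added example (not from the thread), here is how the DHCP helper advice above maps onto a tower Mikrotik in RouterOS v6 terms, with both options the post mentions: relaying to one central server, or a local server per tower with its own range. The interface names, the tower management subnet 100.68.1.0/24, the central server address 10.30.10.6 and the pool ranges are assumptions for illustration; the `/ip dhcp-relay` and `/ip dhcp-server` commands are standard RouterOS syntax.

```routeros
# Tower router: SM management VLAN toward the APs (assumed: VLAN 9 on ether3).
# The VLAN only exists on this link; network-side 100.68.1.0/24 is just a routed subnet.
/interface vlan add name=vlan9-mgmt vlan-id=9 interface=ether3
/ip address add address=100.68.1.1/24 interface=vlan9-mgmt comment="TWR1 SM mgmt (assumed range)"

# Option A: relay (the "DHCP helper") to one central server across the routed network.
# local-address becomes giaddr in the relayed request, which is how the central server
# knows which tower's range to hand out. The server needs a route back to 100.68.1.0/24 (OSPF).
/ip dhcp-relay add name=relay-mgmt-twr1 interface=vlan9-mgmt dhcp-server=10.30.10.6 local-address=100.68.1.1 disabled=no

# ...and on a central RouterOS DHCP server (assumed 10.30.10.6, listening on ether1):
# one server entry per tower, matched on the relay address, so each tower gets its own range.
/ip pool add name=twr1-mgmt ranges=100.68.1.100-100.68.1.200
/ip dhcp-server add name=twr1-mgmt interface=ether1 relay=100.68.1.1 address-pool=twr1-mgmt lease-time=1d disabled=no
/ip dhcp-server network add address=100.68.1.0/24 gateway=100.68.1.1 dns-server=10.30.10.5 comment="TWR1 SM mgmt"

# Option B: local server on the tower router instead (no relay). Still one range per tower,
# so an address alone tells you where the SM lives.
/ip pool add name=twr1-mgmt-local ranges=100.68.1.100-100.68.1.200
/ip dhcp-server add name=twr1-mgmt-local interface=vlan9-mgmt address-pool=twr1-mgmt-local lease-time=1d disabled=no
/ip dhcp-server network add address=100.68.1.0/24 gateway=100.68.1.1 dns-server=10.30.10.5

# APs and PTP radios stay statically addressed, outside the pool (100.68.1.2-100.68.1.99 here).

# Checks
/ip dhcp-relay print
/ip dhcp-server lease print where server=twr1-mgmt-local
```

Use one option or the other, not both on the same VLAN. With option A, confirm on the central server that leases show up with the expected tower range before adding the next tower; with option B, the `lease print` output on the tower router is the quick way to see which SMs are up.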

I will eventually move to CGNAT, maybe in bench-rev-3 or some such after getting it to pass traffic end-to-end. I have the Mikrotik routing OSPF traffic through the Juniper and out to the internet, and have added a route for the Mikrotik to get through the Juniper to another zone with the Radius server I’m building in it, then I’ll figure out how to get the MT to use the Debian Radius server for AAA for subs hitting the tower.

You think I should have the AP provide DHCP instead of the MT? I would think that would mean the AP would be doing the AAA and then responding to the client with a DHCP lease?

I have installed freeradius/apache2/daloradius and have a web interface. I will now try to get it to connect to Mikrotik requests across the OSPF area.

best practice is to have the radios doing as little as possible.
AP should just be an AP, no additional services enabled.
SM can be providing DHCP to your clients if you’re using NAT mode.
Management IPs should come from a management DHCP server or from your tower router. But also do what makes sense for your application.

Use of the 100.64.x.x addresses now will save you from a renumber to them later. Do not use RFC1918 addresses on your network if at all possible. Your customers use these and you will have problems determining if you have a rogue DHCP server (by default all SOHO routers give RFC1918 addresses).

CG-NAT is something you move away from as you get IP space. If you are renting enough IP addresses then use 1:1 CG-NAT so you don’t have to renumber your network (read: renumbering is costly in time and money).

Setup your router to be a PPPoE server with RADIUS auth. Point the router to the RADIUS server IP. The router must have an IP that can ping the RADIUS server. Make the router authenticate RADIUS and local (this will save you from getting locked out should you not reach the RADIUS server).
Setup in Daloradius a new NAS with the IP of the router, use the same shared secret you set in the router. Do the same in the AP for EAP-TTLS. The AP must also be a NAS in the server.

Setup a SM with the public RADIUS certificate, proper login credentials and copy these to Daloradius when making a new user. If sending VSAs make sure you use the +: operator for every VSA sent but the last one!

When the SM contacts the AP, it will authenticate the SM and let it join the wireless network; if you are using PPPoE on top, then it will search for a PPPoE server, and the first one to respond will handle the connection.
OSPF should handle the rest automatically.

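As an added example (not from the thread), this is the tower-router side of the PPPoE-plus-RADIUS procedure above in RouterOS v6 terms: RADIUS client pointed at the FreeRADIUS/daloRADIUS box at 10.30.10.5 with the NAS address 192.168.30.2 already in the thread, a PPPoE server on the customer VLAN handing out 100.64.30.0/24, and the local fallback account the post recommends. The VLAN name and number, the pool range, the profile name, the shared secret and the fallback password are assumptions for illustration.

```routeros
# RADIUS client for PPP. src-address pins the NAS IP the server sees, so it matches the
# NAS entry created in daloRADIUS (192.168.30.2); a mismatch is the usual cause of silent rejects.
/radius add service=ppp address=10.30.10.5 secret=somepassword src-address=192.168.30.2 timeout=3s comment="daloRADIUS NAS entry: 192.168.30.2"
/ppp aaa set use-radius=yes accounting=yes interim-update=5m

# Customer side: PPPoE server on the VLAN toward the AP (assumed vlan30-cust on ether3).
# Pool addresses are the fallback; Framed-IP-Address from the RADIUS reply overrides them.
/interface vlan add name=vlan30-cust vlan-id=30 interface=ether3
/ip pool add name=cust-twr1 ranges=100.64.30.10-100.64.30.250
/ppp profile add name=cust-pppoe local-address=100.64.30.1 remote-address=cust-twr1 only-one=yes change-tcp-mss=yes dns-server=10.30.10.5
# PAP is left out on purpose: it carries the password in clear over the wireless segment.
/interface pppoe-server server add service-name=twr1 interface=vlan30-cust default-profile=cust-pppoe authentication=chap,mschap2 one-session-per-host=yes disabled=no

# Local fallback: RouterOS checks /ppp secret before asking RADIUS, so this account still
# works when 10.30.10.5 is unreachable. Keep it to break-glass accounts, not a copy of every customer.
/ppp secret add name=breakglass password=ChangeMeBeforeProduction service=pppoe profile=cust-pppoe comment="local fallback, rotate regularly"

# Checks: request/accept/reject counters per RADIUS server, and who is currently up
/radius monitor 0 once
/ppp active print
```

On the server side the per-subscriber address and bandwidth come back as reply attributes (Framed-IP-Address and the Mikrotik-Rate-Limit VSA in the FreeRADIUS dictionary) and take precedence over the pool and profile; the NAS shared secret in daloRADIUS must match `secret=` here byte for byte. If `/radius monitor` shows timeouts rather than rejects, the problem is reachability or the secret, not the user entry.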

So I created a NAS for the MT on Daloradius of 192.168.30.2. The radius server is reachable (10.30.10.5) from the MT.

I want the MT to act as a proxy/client to give customer routers AAA based on MAC along with a DHCP lease, so I’m thinking about doing something on the MT like:

/radius add service=ppp address=10.30.10.5 secret=somepassword

Then I set up a user on Daloradius defined by a MAC address of my laptop hanging off the MT (which has a 172.16.30.100 IP), am I thinking about this right, or missing something?

I assume you mean I should use CGNAT IP’s as my DHCP subnet from the MT, so the customer router WAN sees 100.64.x.x?

the cg-nat range is not actually restricted to cpe use. Use it to number your network devices too. This will keep you from having troubles with RFC 1918 addresses. And yes, a 100.6x.x.x range should be given to customers router wan interfaces.

every device that authenticates will receive an address as per the radius config for that device. We use MAC addresses for SMs but usernames for managed routers on the customers’ network. If you are using DHCP, then you will need to have an ip-helper-address for the DHCP server on the MT in your diagram. You can, though this creates scalability issues, use the MT per tower to give out addresses for that tower. This is set by the VSAs that are sent during authorization from the radius server.

I really do not know MT code, so hopefully someone here can jump in on that.

Looks like you almost have it working.

Sorry for being difficult and not just handing the finished product over, but this isn’t a “one script fits all” system and there is a lot to learn that’s best taught by actually doing.

Okay, I found someone to help me with the Mikrotik config and it works now :wink: I’ve configured so that customers will each get a 100.64.30.0/24 address so their routers won’t complain.

Very soon I’ll compile all my configs and publish them to a new thread to help others out.

Daloradius is still acting weird, so I have used a MySQL query directly to add a user/bandwidth, but that’s tolerable for now; later I’ll figure out why Daloradius doesn’t behave. It still says the MySQL service isn’t active, but displays results from the DB I add manually just fine.

The last thing I have to do is route my ePMP mgmt vlan across to my radios. @Douglas_Generous I think that just means I route it without a VLAN across the OSPF and then have the MT tag it to a VLAN 9?

not quite, routing you management vlans means giving each tower a management subnet and having ospf link them together. The vlan part is simply between the mikrotik and the APs and SMs. Network side you do not add that vlan anywhere but you do give each mikrotik a loopback on that management subnet for that tower/location.

I don’t quite understand why a loopback is needed.

So I just route a mgmt subnet to each tower and then have the MT tag it with a VLAN, no? Maybe you could give a cisco-y example of routing at core/MT?

I think it is a miswording. He meant a simple address in that subnet for the Mikrotik.

In a Cisco you would have a loopback interface, then use an unnumbered interface for the management on the same trunk to the tower switch. (This is not 100% correct as there are a lot of differences between IOS and IOS-XE. There is also the fact that we don’t use OSPF; IS-IS is our preference. There is not much difference, but the way things are set up does change a bit.)

interface Loopback1
 description TWR-Name management address (borrowed by the unnumbered VLAN 20 sub-interface)
 ip address 100.68.1.x 255.255.255.0
 ip ospf 1 area 0
!
interface GigabitEthernet0/0
 description tower trunk
!
interface GigabitEthernet0/0.10
 description client vlan
 encapsulation dot1Q 10
 ip address 100.64.1.1 255.255.255.0
 ip ospf 1 area 0
!
interface GigabitEthernet0/0.20
 description TWR-Name-Management Vlan
 encapsulation dot1Q 20
 ip unnumbered Loopback1
 ip ospf 1 area 0
!
interface GigabitEthernet0/1
 description Backhaul trunk
!
interface GigabitEthernet0/1.100
 description backhaul to twr1
 encapsulation dot1Q 100
 ip address 100.69.0.1 255.255.255.248
 ip ospf 1 area 0
!
interface GigabitEthernet0/1.101
 description backhaul to twr3
 encapsulation dot1Q 101
 ! first usable host of 100.69.0.8/29 is .9, not .8
 ip address 100.69.0.9 255.255.255.248
 ip ospf 1 area 0
! "1" is the OSPF process id; use your own process id (or IS-IS tag) here
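The same design on the Mikrotik, as an added example (not from the thread, not the Cisco config above): a per-tower management subnet routed by OSPF, the VLAN tag existing only on the link toward the APs/SMs, and a loopback address for the router. It also fills in two things the OP's earlier `instance print` left at defaults: the router-id of 0.0.0.0 and an unauthenticated, non-passive OSPF. The loopback address 100.68.0.1/32, the management subnet 100.68.1.0/24, VLAN 9 on ether3 and the MD5 key are assumptions; ether5, 192.168.30.0/24 and the area name area1 are taken from the OP's config.

```routeros
# RouterOS has no loopback interface type; an empty bridge is the usual stand-in.
/interface bridge add name=lo0 protocol-mode=none comment="loopback (assumed 100.68.0.1/32)"
/ip address add address=100.68.0.1/32 interface=lo0
/routing ospf instance set default router-id=100.68.0.1

# Per-tower management subnet on the VLAN toward the APs/SMs. Network-side this VLAN
# is never carried; the subnet is simply advertised as a routed /24.
/interface vlan add name=vlan9-mgmt vlan-id=9 interface=ether3
/ip address add address=100.68.1.1/24 interface=vlan9-mgmt comment="TWR1 mgmt (assumed range)"

# Advertise loopback, mgmt subnet and the backhaul to the SRX in the area the OP already created.
/routing ospf network add network=100.68.0.1/32 area=area1
/routing ospf network add network=100.68.1.0/24 area=area1
/routing ospf network add network=192.168.30.0/24 area=area1

# Never form adjacencies with radios: passive on the mgmt VLAN. MD5 on the backhaul so a
# rogue box on 192.168.30.0/24 cannot inject routes (set the same key and key-id on the SRX).
/routing ospf interface add interface=vlan9-mgmt passive=yes
/routing ospf interface add interface=ether5 authentication=md5 authentication-key=ChangeMe authentication-key-id=1

# Belt and braces: only accept OSPF on the backhaul port.
/ip firewall filter add chain=input protocol=ospf in-interface=ether5 action=accept comment="OSPF from SRX only"
/ip firewall filter add chain=input protocol=ospf action=drop comment="no OSPF from radios or customers"

# Checks: one neighbor (the SRX) in Full state, mgmt VLAN listed as passive, routes learned.
/routing ospf neighbor print
/routing ospf interface print
/ip route print where dynamic
```

If the firewall already ends in a catch-all drop on the input chain, move the two OSPF rules above it (`place-before=`), otherwise the adjacency to the SRX goes down. Repeat the block per tower with a different loopback /32 and management /24; the VLAN id can stay the same everywhere because it never leaves the tower.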
