Hi community, I was looking around here and could not find a discussion on this topic which really fits.
My setup is a network with several switches and WLAN APs. I don't want to separate the network physically because it is partly impossible without huge effort. The main internet router is OpenWrt with a DHCP server.
My goal or question is now: I want to achieve (but I didn't find a DHCP option for this) that each device (MAC) which is asking for an IP address and is not in a list of "known" MACs gets a VLAN tag, so that those devices are separated from the rest. This should apply to LAN and also WLAN connections.
Is that possible somehow? Or do you have any better idea for this? A guest WLAN would get me part of the way, but if there is a computer with a physical connection I would need to configure a switch port... I have a dynamic solution in mind.
Yes, and it is very common in enterprise networking, especially in secure environments. One organisation I worked at had a policy on its switches whereby any known/approved MAC addresses would be switched to a corporate VLAN and any unknown/unapproved MAC addresses would be switched to the guest "Internet only" VLAN. This allowed staff/visitors to bring in their own devices and use the existing cabling without worrying about which sockets were reserved for the internal network.
Your magic Google search term to get you started is "Network Access Control", or "NAC".
As much as I still like that third option, it is very much only suitable for a single AP. "Several APs" is a clear pointer towards a RADIUS server.
Morning fellows, I don't know whether it is morning in your timezone, but it is in Germany.
I was thinking and reading about how to easily divide the networks. The best way for me would always be to tag by MAC, but... this would reach my goal as well, even if it is another way....
I did the trick very easily and with very low effort.
In my network there is a WLAN AP with OpenWrt and a router to get to the internet; in between are switches....
Then I thought: try to create the guest WLAN. I did that, and the guest WLAN is not able to see or access the rest of my network. Point 1 checked.
Point 2 would be to do the same on the LAN. So I took an old NanoPi R2S which I already had and put OpenWrt on it. Additionally I used a switch I already had and adapted the config of the guest WLAN AP to fit when connecting the NanoPi between my network and the guest LAN components. So now I can patch guest computers into that switch.
It's not the best or most dynamic solution, but the other way round I would have to change all network devices to get VLANs.
When a device is unable to speak proper WPA2 Enterprise shizzle, then the MAC address of the device is used as username and password. At least that's how I have encountered it in the wild. So dumb printers and VoIP phones can be happily integrated into such a network.
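What the two replies above describe (known MACs onto the corporate VLAN, everything unknown onto an internet-only guest VLAN, and the MAC doubling as username and password for devices that cannot do 802.1X) can be expressed in one RADIUS server config. The following is an added example, not something posted in this thread: a FreeRADIUS 3 `users` file (`mods-config/files/authorize`) that the switch or AP consults for MAC authentication bypass and from which it takes the VLAN via the RFC 2868 tunnel attributes. The MAC format the authenticator sends as User-Name (here lowercase without separators), the VLAN IDs 10 and 99 and the sample MACs are assumptions; on an OpenWrt AP the corresponding hostapd feature is called dynamic VLAN.

```text
# FreeRADIUS 3 "users" file (mods-config/files/authorize).
# Added example: MAC format, VLAN IDs and MACs are assumptions.
# Entries are tried top to bottom; the first entry whose check items
# match is used, and the indented lines below it are the reply items.

# Known device, e.g. a printer. The switch/AP sends the MAC as both
# User-Name and User-Password, so the "password" is the MAC itself.
aabbccddeeff    Cleartext-Password := "aabbccddeeff"
                Tunnel-Type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Tunnel-Private-Group-Id = "10"

# A known VoIP phone, same corporate VLAN.
001122334455    Cleartext-Password := "001122334455"
                Tunnel-Type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Tunnel-Private-Group-Id = "10"

# Catch-all: anything not listed above is still accepted, but onto the
# internet-only guest VLAN. Auth-Type := Accept skips password checking
# entirely, so this entry must only ever see MAB requests (see note).
DEFAULT         Auth-Type := Accept
                Tunnel-Type = VLAN,
                Tunnel-Medium-Type = IEEE-802,
                Tunnel-Private-Group-Id = "99"
```

Two caveats a practitioner should keep in mind. First, the `DEFAULT ... Auth-Type := Accept` entry accepts every request that reaches the `files` module; in the stock FreeRADIUS 3 site configuration the `eap` module runs before `files` in `authorize` and returns for EAP requests, so the catch-all only applies to non-EAP (MAB) requests, but check that ordering if the site has been customised. Second, because the password is the MAC address, this sorts devices, it does not authenticate them: anyone can put a listed MAC on their own interface and land on the corporate VLAN, so that VLAN still needs its own controls, and switch ports should be limited to one MAC where the hardware allows it.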
Hello again, it was a bit crazy at the weekend... but now I have configured all WLAN access points to be behind an OpenWrt router. That works by design very well. I am using the LAN for the unsecure guest LAN and the WAN interface to look into the secure LAN.
I created firewall rules to restrict the traffic allowed from WAN to the router. All perfect.
But one thing is not working: for example, my secure net is 192.168.1.0 and the router for the unsecure net has the IP 192.168.1.4. I can ping it successfully and connect to the web interface of the router... all fine... But I cannot connect to devices on the LAN interface of the router, which has for example the range 192.168.50.0/24. So I set up a static route for 192.168.50.0/24 with 192.168.1.4 as the gateway, and also a firewall rule to allow access.
Unfortunately... it doesn't work.... Does anyone have an idea?
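The setup described in the post above, written out as OpenWrt UCI configuration. This is an added example, not the poster's actual config: the guest router's two interfaces, the firewall rules that let the secure net reach the guest LAN and manage the router, and the static route on the secure side. The device names eth0/eth1, the main router's address 192.168.1.1 and the management ports are assumptions. Two checks worth making against a setup like this: the rule that admits secure-net traffic into the guest LAN has to be a forwarding rule with both `src` and `dest` (a rule with only `src 'wan'` controls traffic to the router itself, which is consistent with the web interface on 192.168.1.4 being reachable while hosts in 192.168.50.0/24 are not), and the static route has to live where the first packet of a connection is routed, i.e. on the secure-net hosts or on the main router; the guest router itself needs no route, since both networks are directly attached to it.

```text
# /etc/config/network on the guest router (NanoPi R2S running OpenWrt).
# Assumptions: eth0 is patched into the secure net, eth1 feeds the
# guest switch, the main router is 192.168.1.1.

config interface 'lan'
        option device 'eth1'
        option proto 'static'
        option ipaddr '192.168.50.1'
        option netmask '255.255.255.0'

config interface 'wan'
        option device 'eth0'
        option proto 'static'
        option ipaddr '192.168.1.4'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'

# /etc/config/firewall on the guest router. Zones are the OpenWrt
# defaults: lan -> wan is forwarded and masqueraded, nothing arriving on
# wan is accepted unless a rule says so.

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

# Guests may use the internet but not the secure net behind wan.
# Rules are evaluated before the zone forwarding policy, so this wins
# over the lan -> wan forwarding above. Replies to connections opened
# from the secure side are still let through by connection tracking.
config rule
        option name 'Guest-no-secure-net'
        option src 'lan'
        option dest 'wan'
        option dest_ip '192.168.1.0/24'
        option proto 'all'
        option target 'REJECT'

# Secure net -> guest hosts. A FORWARD rule: it has src and dest.
# Without 'dest' it would only open the router itself, not the hosts
# behind it.
config rule
        option name 'Allow-secure-to-guest'
        option src 'wan'
        option dest 'lan'
        option src_ip '192.168.1.0/24'
        option proto 'all'
        option target 'ACCEPT'

# Management of the guest router from the secure net only (INPUT rule:
# src but no dest). Everything else arriving on wan stays rejected.
config rule
        option name 'Allow-mgmt-from-secure'
        option src 'wan'
        option src_ip '192.168.1.0/24'
        option proto 'tcp'
        option dest_port '22 80 443'
        option target 'ACCEPT'

# Static route for the guest network, placed in /etc/config/network on
# the main router (192.168.1.1) or equivalently on each secure-net host.
# Replies from guest hosts come back via 192.168.1.4 directly, so with
# the route only on the main router the outbound and return paths differ.
config route
        option interface 'lan'
        option target '192.168.50.0'
        option netmask '255.255.255.0'
        option gateway '192.168.1.4'
```

One point the post does not mention: with the default zones alone, guest hosts can forward to anything reachable behind wan, including the secure net, masqueraded as 192.168.1.4. The `Guest-no-secure-net` rule closes that while leaving internet access intact, which is what makes the guest LAN actually separated rather than merely routed.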