VLAN Tagging via MAC

Hi Community, I was looking around here and could not find a discussion that really fits this topic.

My setup is a network with several switches and WLAN APs. I don't want to separate the network physically because it is partly impossible without huge effort. The main internet router is OpenWrt with a DHCP server.

My goal or question is now: I want to achieve (but I didn't find a DHCP option for this) that each device (MAC) which asks for an IP address and is not in a list of "known" MACs must get a VLAN tag, so that those devices are separated from the rest. This applies to LAN and also WLAN connections.

Is that possible somehow? Or do you have any better idea for this? A guest WLAN would get me part of the way, but if there is a computer with a physical connection I would need to configure a switch port... I have a dynamic solution in mind :)

Thank you very much for any idea.
br
jens

Yes, and it is very common in enterprise networking, especially in secure environments. One organisation I worked at had a policy on its switches whereby any known/approved MAC addresses would be switched to a corporate VLAN and any unknown/unapproved MAC addresses would be switched to the guest "Internet only" VLAN. This allowed staff/visitors to bring in their own devices and use the existing cabling without worrying about which sockets were reserved for the internal network.

Your magic Google search term to get you started is "Network Access Control", or "NAC".

Good luck.


However you do it, you have to set up VLANs.
There are multiple options:

  1. WPA2 Enterprise (incl. RADIUS)
  2. WPA2 plus RADIUS
  3. Individual per-passphrase Wi-Fi VLANs using wpa_psk_file (no RADIUS required)

As much as I am still liking that third option, it is very much only suitable for a single AP. "Several APs" is a clear pointer towards a RADIUS server.
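The third option from the list above, per-passphrase VLANs with hostapd's wpa_psk_file, as an added example that is not from the thread. It builds the file in hostapd's documented format (`[keyid=<id>] [vlanid=<n>] <MAC|00:00:00:00:00:00> <passphrase|64-hex PSK>`), validates each entry the way hostapd would reject it, and prints the hostapd keys that go with it. The device names, VLAN numbers, passphrases and the `eth0` tagged interface are constructed placeholders; `PSK_FILE` is a hypothetical environment variable for the output path.

```shell
#!/bin/sh
# Added example: build a hostapd wpa_psk_file in which each passphrase lands
# its clients on a different VLAN. Not from the original thread.
# Line format (hostapd): "[keyid=<id>] [vlanid=<n>] <MAC> <passphrase|64-hex PSK>"
# The wildcard MAC 00:00:00:00:00:00 makes a passphrase usable by any client.

H='[0-9a-f][0-9a-f]'   # one hex octet, used in the MAC pattern below

# psk_entry VLAN MAC SECRET -> prints one wpa_psk_file line, or fails with a reason.
psk_entry() {
    vlan=$1; mac=$2; secret=$3
    # VLAN IDs are 1..4094.
    case $vlan in ''|*[!0-9]*) echo "bad vlan id: $vlan" >&2; return 1 ;; esac
    [ "$vlan" -ge 1 ] && [ "$vlan" -le 4094 ] || { echo "bad vlan id: $vlan" >&2; return 1; }
    # Normalise the MAC: lower case, accept "-" as well as ":" separators.
    mac=$(printf '%s\n' "$mac" | tr 'ABCDEF-' 'abcdef:')
    case $mac in $H:$H:$H:$H:$H:$H) ;; *) echo "bad mac: $2" >&2; return 1 ;; esac
    # hostapd accepts an 8..63 character passphrase or a raw 64-hex-digit PSK.
    len=${#secret}
    if [ "$len" -eq 64 ]; then
        case $secret in *[!0-9a-fA-F]*) echo "64-char secret must be a hex PSK" >&2; return 1 ;; esac
    elif [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "passphrase must be 8..63 chars, got $len" >&2; return 1
    fi
    printf 'vlanid=%s %s %s\n' "$vlan" "$mac" "$secret"
}

# Constructed device list: "vlan mac secret" per line. The two named devices
# get their own passphrases on VLAN 10; the wildcard entry is the guest
# passphrase and puts anyone who knows it on VLAN 50.
DEVICES='10 AA:BB:CC:00:00:01 printer-passphrase-1
10 aa-bb-cc-00-00-02 phone-passphrase-2
50 00:00:00:00:00:00 guest-only-pass'

# build_psk_file OUTFILE -> writes the file; non-zero status if any entry is bad.
build_psk_file() {
    out=$1
    : > "$out"
    printf '%s\n' "$DEVICES" | while read -r vlan mac secret; do
        [ -n "$vlan" ] || continue
        psk_entry "$vlan" "$mac" "$secret" >> "$out" || exit 1   # exits the loop subshell
    done
}

# hostapd keys that go with the file. The tagged interface name is a placeholder;
# hostapd creates <vlan_tagged_interface>.<vlanid> for each VLAN it hands out.
hostapd_snippet() {
    cat <<EOF
wpa_psk_file=/etc/hostapd.wpa_psk
dynamic_vlan=1
vlan_tagged_interface=eth0
vlan_naming=1
EOF
}

build_psk_file "${PSK_FILE:-./hostapd.wpa_psk}" && hostapd_snippet
```

Because every AP needs an identical copy of this file, the "distribute the file" approach in the replies below is exactly what keeps several APs in sync, and a stale copy on one AP means the same passphrase lands on different VLANs depending on which AP a client roams to.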

But can't you just distribute the PSK file or put it on a network share?

Sure, but why have a poor man's RADIUS setup if you can have a RADIUS setup? FreeRADIUS isn't that horrific to set up.

Sure, but I would prefer not to carry RADIUS with me in a home setup. (I still have your write-up on my to-do list :sweat_smile:)

Thanks, those are all great inspirations for solutions. I will take a look at NAC and then go further.


Some IoT devices might not support WPA2 Enterprise.
Perhaps WPA2 Personal is chosen deliberately to speed up roaming without 802.11r.

Morning fellows, I don't know if it's morning in your timezone, but it is in Germany ;)

I was thinking and reading about how to easily divide the networks. The best way for me is always to tag by MAC, but... this would also reach my goal, even if it is another way....

I did the trick very easily and with very low effort.
In my network there is a WLAN AP with OpenWrt and a router to get to the internet; in between are switches....
Then I thought: try to create the guest WLAN, and I did that, and the guest WLAN is not able to see or access the rest of my network. Point 1 checked.

  1. would be to do the same on the LAN. So I took an old NanoPi R2S which I already had and put OpenWrt on it. Additionally I use a switch I already had and adapted the config of the WLAN guest AP to fit when connecting the NanoPi between my network and the guest LAN components. So now I can patch guest computers to that switch.

It's not the best or most dynamic solution, but the other way round I would have to change all network devices to get VLANs.

When a device is unable to speak proper WPA2 Enterprise shizzle, then the MAC address of the device is used as username and password. At least that's how I have encountered it in the wild. So dumb printers and VoIP phones can be happily integrated into such a network.
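The policy from the NAC reply earlier in the thread (known MAC: corporate VLAN, unknown MAC: guest VLAN) and the MAC-as-username-and-password fallback described in the post above are the same thing on the RADIUS side: MAC Authentication Bypass (MAB) entries in a FreeRADIUS `users` file carrying the `Tunnel-*` attributes the switch or AP turns into a VLAN assignment. The generator below is an added example, not from the thread or from FreeRADIUS itself. It assumes the NAS sends the MAC as twelve lower-case hex digits without separators (other switches send `aa-bb-cc-dd-ee-ff`; adjust `mab_user` to match yours) and that MAB requests carry `Service-Type = Call-Check`, which is what Cisco-style MAB does; the MACs and VLAN numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example: FreeRADIUS "users" entries for MAC Authentication Bypass with
# per-entry VLAN assignment. Not from the original thread.

# mab_user MAC -> the username/password form a MAB-capable switch sends:
# twelve lower-case hex digits, no separators (assumption, see lead-in).
mab_user() {
    printf '%s\n' "$1" | sed 's/[^0-9A-Fa-f]//g' | tr 'ABCDEF' 'abcdef'
}

# radius_entry MAC VLAN -> one users-file entry. Username and password are the
# MAC; the three Tunnel-* reply attributes tell the NAS which VLAN to put the
# port (or wireless client) in.
radius_entry() {
    u=$(mab_user "$1"); vlan=$2
    [ "${#u}" -eq 12 ] || { echo "bad mac: $1" >&2; return 1; }
    printf '%s Cleartext-Password := "%s"\n' "$u" "$u"
    printf '\tTunnel-Type = VLAN,\n'
    printf '\tTunnel-Medium-Type = IEEE-802,\n'
    printf '\tTunnel-Private-Group-Id = "%s"\n\n' "$vlan"
}

# Constructed list of approved devices: "mac vlan" per line.
KNOWN='AA:BB:CC:00:00:01 10
aa-bb-cc-00-00-02 10'

# users_file -> the complete file: known MACs first (each entry stops
# processing, there is no Fall-Through), then a DEFAULT that accepts any
# other MAB request and parks it on the guest VLAN. The Service-Type check
# keeps the DEFAULT from accepting non-MAB requests on a shared server.
users_file() {
    printf '%s\n' "$KNOWN" | while read -r mac vlan; do
        [ -n "$mac" ] || continue
        radius_entry "$mac" "$vlan" || exit 1
    done || return 1
    cat <<'EOF'
DEFAULT Service-Type == Call-Check, Auth-Type := Accept
	Tunnel-Type = VLAN,
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = "50"
EOF
}

users_file
```

On the wired side the switch port does 802.1X first and falls back to MAB; on the Wi-Fi side hostapd does the same lookup with `macaddr_acl=2` against the same server, so one `users` file covers both kinds of connection the original question asked about. A MAC is trivially spoofed, so this separates devices, not attackers; the known list is convenience, the guest VLAN is the security boundary.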

So, I forgot something ;) I cannot access my guest LAN from the internal LAN to connect to the web UI of the switches.

That will make it again very complex. Maybe go back to the VLAN approach ;)

Hello again, the weekend was a bit crazy... but now I have configured all WLAN access points to be behind an OpenWrt router. That works very well by design. I use the LAN for the insecure guest LAN and the WAN interface to look into the secure LAN.
I created firewall rules to restrict the traffic allowed from WAN to the router. All perfect.

But one thing is not working: for example, my secure net is 192.168.1.0 and the router for the insecure net has the IP 192.168.1.4. I can ping successfully and connect to the web interface of the router... all fine... But I cannot connect to devices on the LAN interface of the router, which has for example 192.168.50.0/24. So I set up a static route for 192.168.50.0/24 with 192.168.1.4 as the gateway, and also a firewall rule to allow access.

Unfortunately... it doesn't work.... anyone having an idea? ;)
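The two pieces of configuration a two-router layout like the one above needs, as an added example that is not from the thread. It assumes the guest router is stock OpenWrt with its default wan zone (input and forward set to REJECT, masquerading on) and uses the addresses from the post: secure LAN 192.168.1.0/24, guest router at 192.168.1.4, guest LAN 192.168.50.0/24. The distinction it shows is the one that matches the symptom "web UI answers, hosts behind it do not": a firewall rule with `src wan` and no `dest` is an INPUT rule and only opens the router's own services, while reaching 192.168.50.x needs a FORWARD rule with `dest lan`. The section names `webui_in`, `mgmt_fwd` and `to_guest` are placeholders.

```shell
#!/bin/sh
# Added example: uci batches for reaching a guest LAN behind a second OpenWrt
# router from the secure LAN in front of it. Not from the original thread.

SECURE_NET=192.168.1.0/24   # addresses from the post
GUEST_ROUTER=192.168.1.4
GUEST_NET=192.168.50.0/24

# input_only_batch -> the rule that is NOT enough. No "dest" means it applies
# to traffic addressed to the router itself (INPUT chain): the web UI on
# 192.168.1.4 becomes reachable, hosts in $GUEST_NET stay unreachable because
# the wan zone's forward policy is still REJECT.
input_only_batch() {
    cat <<EOF
set firewall.webui_in=rule
set firewall.webui_in.name='webui-from-secure-lan'
set firewall.webui_in.src='wan'
set firewall.webui_in.src_ip='$SECURE_NET'
set firewall.webui_in.proto='tcp'
set firewall.webui_in.dest_port='80 443'
set firewall.webui_in.target='ACCEPT'
commit firewall
EOF
}

# guest_router_batch -> the rule the guest router (the NanoPi) needs in
# addition: "dest lan" makes it a FORWARD rule from the wan zone into the lan
# zone, limited to the secure LAN as source so the rest of WAN stays closed.
# Replies come back through conntrack, so masquerading on wan does not matter.
guest_router_batch() {
    cat <<EOF
set firewall.mgmt_fwd=rule
set firewall.mgmt_fwd.name='secure-lan-to-guest-lan'
set firewall.mgmt_fwd.src='wan'
set firewall.mgmt_fwd.src_ip='$SECURE_NET'
set firewall.mgmt_fwd.dest='lan'
set firewall.mgmt_fwd.dest_ip='$GUEST_NET'
set firewall.mgmt_fwd.proto='all'
set firewall.mgmt_fwd.target='ACCEPT'
commit firewall
EOF
}

# main_router_batch -> static route on the secure-side OpenWrt router so that
# packets for $GUEST_NET are forwarded to $GUEST_ROUTER instead of the internet.
# Hosts on the secure LAN send them to their default gateway first, which
# forwards them out of the same interface (lan->lan forwarding is ACCEPT by
# default) and emits an ICMP redirect.
main_router_batch() {
    cat <<EOF
set network.to_guest=route
set network.to_guest.interface='lan'
set network.to_guest.target='$GUEST_NET'
set network.to_guest.gateway='$GUEST_ROUTER'
commit network
EOF
}

# apply_batch FUNC -> feed the batch to uci when on OpenWrt, otherwise print it.
apply_batch() {
    if command -v uci >/dev/null 2>&1; then "$1" | uci batch; else "$1"; fi
}

echo "# guest router (192.168.1.4):"; guest_router_batch
echo "# secure-side router:";          main_router_batch
```

After applying, `ip route get 192.168.50.10` on the secure-side router should name 192.168.1.4 as the next hop, and a `traceroute` from a secure-LAN host should show 192.168.1.4 as the hop before the guest device. If that hop answers but the target does not, the rule on the guest router is still an input rule.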
