Hotspot authentication for multiple subnets with different VLANs

EAP225-Wall , EAP225-Outdoor , EAP245 , EAP320 , EAP110 , EAP220 , EAP330 , EAP120 , EAP235-Wall , EAP115 , EAP225 , EAP110-Outdoor , EAP115-Wall
Recent updates may have expanded access to feature(s) discussed in this FAQ. Visit your product's support page, select the correct hardware version for your device, and check either the Datasheet or the firmware section for the latest improvements added to your product. Please note that product availability varies by region, and certain models may not be available in your region.
1. Brief Introduction
In today's enterprise networks it is common for the network administrator to assign a different IP subnet to each VLAN and to apply different ACL/firewall settings to each of them for security reasons. It is therefore necessary to map different SSIDs to different VLANs so that the Wi-Fi clients are subject to the ACL/firewall settings of their VLAN.
Hotspot authentication lets you give clients easy access to your Wi-Fi with printed vouchers. However, when the computer running the EAP Controller sits in a different VLAN and you want to prevent clients from reaching the controller for anything other than authentication, extra configuration is needed. This article explains how to achieve that with TP-Link products.
The goals we will achieve in this article are listed as below:
- Set up multiple SSIDs on your EAP device, each with its own VLAN ID and subnet.
- Clients connected to the SSIDs can surf the Internet after passing hotspot authentication.
- Clients cannot communicate with each other.
- Wireless clients can reach the controller only on port 8088, which is the port used to pass hotspot authentication.
2. Topology, IP assignment and port definitions
1) The TL-ER6120 acts as the Internet gateway router and the T3700G-28TQ acts as the L3 switch. The picture below depicts the topology:
2) Network address, VLAN and SSID assignment:
3) Port assignment on the switch.
3. Configuration on the gateway router
Step 1
Add Multi-nets NAT entries for 172.16.10.0/24 and 172.16.20.0/24. Without this setting the router will not perform NAT for these two subnets.
Step 2
Add static route entries for 172.16.10.0/24 and 172.16.20.0/24. The next hop for both subnets is the VLAN 1 interface IP of the T3700G-28TQ switch (192.168.0.11, configured in section 4). The static routes tell the gateway router TL-ER6120 where to forward packets whose destination is 172.16.10.0/24 or 172.16.20.0/24.
You can refer to FAQ 887 for the detailed configuration of the TL-ER6120.
4. Configuration on T3700G-28TQ
Step 1
Change the interface IP of VLAN 1 to 192.168.0.11.
Step 2
Create VLAN 2 and VLAN 3 on the switch. Set port 5 as a trunk port and assign it to both VLAN 2 and VLAN 3, so that tagged traffic for both VLANs is carried over it.
Step 3
Set the interface IPs for VLAN 2 and VLAN 3. 172.16.10.1/24 is the IP of VLAN 2 and the gateway for 172.16.10.0/24; 172.16.20.1/24 is the IP of VLAN 3 and the gateway for 172.16.20.0/24.
Step 4
Add a default route entry so that all devices use the TL-ER6120 as the Internet gateway.
Step 5
Configure a "DHCP Server" for VLAN 2 and VLAN 3. The default gateway for VLAN 2 is 172.16.10.1 and for VLAN 3 it is 172.16.20.1. The DNS server for both VLANs is 192.168.0.1 (the gateway router).
Step 6
Configure an "Extend-IP ACL" so that clients in different VLANs cannot communicate with each other and cannot reach the controller except for hotspot authentication, while all clients can still access the Internet.
The 11 rules are explained below:
Rule 1: permit devices in VLAN 2 to reach the controller on port 8088, so that they can pass hotspot authentication.
Rule 2: permit the controller to send data back from port 8088 to devices in VLAN 2.
Rule 3: permit devices in VLAN 2 to reach the gateway router on port 53, so that DNS resolution (and therefore Internet access) works.
Rule 4: permit the gateway router to send data back to devices in VLAN 2.
Rules 5-8 are the same as rules 1-4, except that they apply to VLAN 3 instead of VLAN 2.
Rule 9: deny devices in VLAN 2 access to the 192.168.0.0/24 subnet, except for what rules 1-4 permit.
Rule 10: deny devices in VLAN 3 access to the 192.168.0.0/24 subnet, except for what rules 5-8 permit.
Rule 11: deny devices in VLAN 2 from communicating with devices in VLAN 3.
The order of the rules matters: the ACL is evaluated from the top and the first matching rule wins, so the permit rules (1-8) must come before the deny rules (9-11). Because the ACL is stateless, the reply direction (rules 2, 4, 6 and 8) has to be permitted explicitly. Traffic that matches no rule, such as Internet-bound traffic to public addresses, is forwarded; the design relies on this, since no rule explicitly permits it.
Note:
- Refer to FAQ 402 for the detailed configuration of the "Extend-IP ACL".
- Don't forget to save the configuration.
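To check that the 11 rules actually enforce the goals listed in section 1 before committing them to the switch, the rule set can be replayed against sample traffic. The following is an added example, not configuration or code from the FAQ: it models the Extend-IP ACL as an ordered, first-match, stateless rule list and evaluates the flows the goals describe. The router (192.168.0.1), the two client subnets and port 8088 come from the FAQ; the controller's host address (192.168.0.100) and the client/destination addresses used in the checks are assumptions for the example. Rule 11 is modelled as a single VLAN 2 to VLAN 3 entry, which is the literal reading of the rule description.

```python
"""First-match model of the 11 Extend-IP ACL entries described in Step 6."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# From the FAQ: router/DNS 192.168.0.1, management subnet 192.168.0.0/24,
# client subnets 172.16.10.0/24 (VLAN 2) and 172.16.20.0/24 (VLAN 3).
# ASSUMPTION: the controller host address is not given in the FAQ; any host in
# 192.168.0.0/24 would do, 192.168.0.100 is used here for illustration.
ROUTER = "192.168.0.1/32"
CONTROLLER = "192.168.0.100/32"
MGMT = "192.168.0.0/24"
VLAN2 = "172.16.10.0/24"
VLAN3 = "172.16.20.0/24"
HOTSPOT_PORT = 8088
DNS_PORT = 53


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str                      # source network (CIDR)
    dst: str                      # destination network (CIDR)
    sport: Optional[int] = None   # None = any source port
    dport: Optional[int] = None   # None = any destination port

    def matches(self, src_ip: str, dst_ip: str, sport: int, dport: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.sport is None or self.sport == sport)
                and (self.dport is None or self.dport == dport))


def vlan_rules(clients: str) -> List[Rule]:
    """Rules 1-4 (VLAN 2) and 5-8 (VLAN 3). The ACL is stateless, so each
    permitted request needs a separate permit for the reply direction."""
    return [
        Rule("permit", clients, CONTROLLER, dport=HOTSPOT_PORT),  # 1 / 5
        Rule("permit", CONTROLLER, clients, sport=HOTSPOT_PORT),  # 2 / 6
        Rule("permit", clients, ROUTER, dport=DNS_PORT),          # 3 / 7
        Rule("permit", ROUTER, clients),                          # 4 / 8
    ]


ACL: List[Rule] = (
    vlan_rules(VLAN2)
    + vlan_rules(VLAN3)
    + [
        Rule("deny", VLAN2, MGMT),   # 9
        Rule("deny", VLAN3, MGMT),   # 10
        Rule("deny", VLAN2, VLAN3),  # 11 (single VLAN 2 -> VLAN 3 entry)
    ]
)


def evaluate(src_ip: str, dst_ip: str, sport: int, dport: int,
             acl: List[Rule] = ACL) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based number of the matching rule). The first match
    wins; traffic matching no entry is forwarded, which the FAQ relies on for
    Internet-bound traffic (only 192.168.0.0/24 and the other VLAN are denied)."""
    for number, rule in enumerate(acl, start=1):
        if rule.matches(src_ip, dst_ip, sport, dport):
            return rule.action, number
    return "permit", None


def check_goals() -> dict:
    """Replay the flows behind the goals in section 1 (addresses are assumed)."""
    return {
        "vlan2_to_hotspot":       evaluate("172.16.10.50", "192.168.0.100", 40000, 8088),
        "hotspot_reply":          evaluate("192.168.0.100", "172.16.10.50", 8088, 40000),
        "vlan2_dns":              evaluate("172.16.10.50", "192.168.0.1", 40001, 53),
        "vlan2_controller_other": evaluate("172.16.10.50", "192.168.0.100", 40002, 443),
        "vlan2_switch_mgmt":      evaluate("172.16.10.50", "192.168.0.11", 40003, 80),
        "vlan2_to_vlan3":         evaluate("172.16.10.50", "172.16.20.50", 40004, 445),
        "vlan3_to_vlan2":         evaluate("172.16.20.50", "172.16.10.50", 40005, 5353),
        "vlan2_internet":         evaluate("172.16.10.50", "203.0.113.10", 40006, 443),
    }


if __name__ == "__main__":
    for name, verdict in check_goals().items():
        print(f"{name:24s} {verdict}")
```

The checks confirm what the rule explanation promises: port 8088 on the controller and port 53 on the router are the only destinations in 192.168.0.0/24 a client can reach, every other management address (including the switch itself at 192.168.0.11) hits rule 9, and Internet traffic falls through to the implicit permit. The one result worth verifying on the real switch is "vlan3_to_vlan2": with rule 11 written as a single VLAN 2 to VLAN 3 entry, traffic initiated from VLAN 3 towards VLAN 2 matches nothing and is forwarded. A TCP connection still fails because the VLAN 2 side's reply is denied, but one-way UDP would pass, so if the switch does not treat the rule as bidirectional, add the reverse entry (deny VLAN 3 to VLAN 2) as well.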
5. Configuration on the EAP Controller
Step 1
Create two SSIDs, one in VLAN 2 and one in VLAN 3, and enable the "SSID Isolation" function on both. SSID Isolation prevents clients connected to the same SSID from communicating with each other.
Step 2
Choose Hotspot as the authentication type. You can generate a batch of random voucher codes in advance; each user needs a unique code to pass authentication. This function requires the controller to be running at all times.
Step 3
Enable the "Portal" function so that hotspot authentication takes effect.
Refer to FAQ 915 for the detailed configuration of hotspot authentication.
6. Conclusion
With the topology and settings above, clients connected to the different SSIDs can surf the Internet after passing hotspot authentication, but they cannot communicate with each other and cannot reach the controller except on port 8088 for authentication.