Hotspot authentication for multiple subnets with different VLANs
1. Brief Introduction
In today’s enterprise network environment it is very common for the network administrator to assign a different IP subnet to each VLAN and to apply different ACL/firewall settings to each of them for security reasons. Therefore it is necessary to place different SSIDs in different VLANs so that the Wi-Fi devices comply with those ACL/firewall settings.
You can enable easy authentication with printed vouchers on your Wi-Fi hotspot for clients. When the computer running the controller is in a different VLAN and you want to forbid your clients from accessing the controller itself, the instructions below show how to achieve this with TP-Link products.
The goals we will achieve in this article are listed as below:
- Set up multiple SSIDs on your EAP device, each with its own VLAN ID and subnet.
- The clients connected to the SSIDs can surf the Internet after Hotspot Authentication.
- The clients cannot communicate with each other.
- Wireless clients can only access the controller via port 8088 for passing through “hotspot authentication”.
2. Topology, IP assignment and port definitions
1) The TL-ER6120 acts as the Internet gateway router and T3700G-28TQ acts as the L3 switch. The below picture depicts the topology:
2) Network address, VLAN and SSID assignment:
3) Port assignment on the switch.
3. Configuration on the gateway router
Step 1
Add Multi-nets NAT entries for 172.16.10.0/24 and 172.16.20.0/24 respectively. Without this setting the router will not perform NAT for these two subnets.
Step 2
Add static route entries for 172.16.10.0/24 and 172.16.20.0/24. The next hop for both subnets should be the VLAN 1 IP of the switch T3700G-28TQ. The static routes let the gateway router TL-ER6120 know where to deliver packets whose destination network is 172.16.10.0/24 or 172.16.20.0/24.
You can refer to FAQ 887 for more detailed configuration of TL-ER6120.
4. Configuration on T3700G-28TQ
Step 1
Change the interface IP for VLAN 1 as 192.168.0.11.
Step 2
Create VLAN 2 and VLAN 3 on the switch. Set port 5 as a trunk port and assign it to both VLAN 2 and VLAN 3.
Step 3
Set the interface IP for VLAN 2 and VLAN 3 respectively. 172.16.10.1/24 is the IP for VLAN 2 and is the gateway for 172.16.10.0/24. 172.16.20.1/24 is the IP for VLAN 3 and is the gateway for 172.16.20.0/24.
Step 4
Add the default route entry so that all devices can use the TL-ER6120 as the Internet gateway.
Step 5
Configure “DHCP Server” for VLAN 2 and VLAN 3. The default gateway for VLAN 2 is 172.16.10.1 and for VLAN 3 it is 172.16.20.1. The DNS server for both VLAN 2 and VLAN 3 is 192.168.0.1.
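The routing and NAT steps above (sections 3 and 4, steps 1 to 5) work together: the switch forwards Internet-bound traffic to the router by its default route, the router translates it only if the client subnet is listed under Multi-nets NAT, and the reply only gets back to the switch if the static routes exist. The following is an added example, not TP-Link code or anything from the original FAQ, that models those decisions so that the two failure modes can be seen. The addresses 192.168.0.1, 192.168.0.11 and the two client subnets are from the page; the ISP next hop, the client address, the Internet host and the assumption that only the LAN subnet is translated by default are constructed placeholders.

```python
import ipaddress

# Added example: a model of the routing and NAT decisions in sections 3 and 4.
# 192.168.0.1 (TL-ER6120), 192.168.0.11 (switch VLAN 1) and the two client
# subnets come from the page; the values below are constructed placeholders.
ISP_NEXT_HOP = "203.0.113.1"      # assumed WAN next hop (placeholder)
INTERNET_HOST = "198.51.100.10"   # constructed Internet destination

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop, interface) entries."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return None if best is None else (best[1], best[2])

# Section 4, steps 1, 3 and 4: connected VLAN interfaces plus the default
# route towards the TL-ER6120.
SWITCH_ROUTES = [
    ("192.168.0.0/24", "connected", "VLAN1"),
    ("172.16.10.0/24", "connected", "VLAN2"),
    ("172.16.20.0/24", "connected", "VLAN3"),
    ("0.0.0.0/0", "192.168.0.1", "VLAN1"),
]

def router_routes(with_static_routes):
    """Section 3, step 2: the router only knows the client subnets when the
    static routes via 192.168.0.11 are present."""
    routes = [
        ("192.168.0.0/24", "connected", "LAN"),
        ("0.0.0.0/0", ISP_NEXT_HOP, "WAN"),
    ]
    if with_static_routes:
        routes += [
            ("172.16.10.0/24", "192.168.0.11", "LAN"),
            ("172.16.20.0/24", "192.168.0.11", "LAN"),
        ]
    return routes

def nat_sources(with_multinet):
    """Section 3, step 1: source networks the router translates. That only the
    LAN subnet is covered by default is an assumption about Multi-nets NAT."""
    nets = ["192.168.0.0/24"]
    if with_multinet:
        nets += ["172.16.10.0/24", "172.16.20.0/24"]
    return [ipaddress.ip_network(n) for n in nets]

def trace(src, dst, with_static_routes=True, with_multinet=True):
    """Follow a client packet from the switch through the router and back;
    return the list of decisions made along the way."""
    path = []
    hop = lookup(SWITCH_ROUTES, dst)
    path.append(("switch", hop))
    if hop[0] == "connected":
        return path                     # stays on the switch (subject to the ACL)
    out = lookup(router_routes(with_static_routes), dst)
    path.append(("router-out", out))
    if out[1] == "WAN":
        translated = any(ipaddress.ip_address(src) in n
                         for n in nat_sources(with_multinet))
        path.append(("nat", "translated" if translated else "dropped-no-nat"))
        if not translated:
            return path
    back = lookup(router_routes(with_static_routes), src)
    path.append(("router-return", back))
    return path

def reply_reaches_client(src, dst, **kw):
    """True only when the reply is routed back to the switch's VLAN 1 address."""
    last = trace(src, dst, **kw)[-1]
    return last[0] == "router-return" and last[1] == ("192.168.0.11", "LAN")

if __name__ == "__main__":
    for flags in ({}, {"with_static_routes": False}, {"with_multinet": False}):
        print(flags, trace("172.16.10.5", INTERNET_HOST, **flags))
```

Running the block shows the two ways the setup breaks: without the Multi-nets NAT entry the client's packet is never translated, and without the static routes the router sends the reply for 172.16.10.5 out of its default route to the WAN instead of back to 192.168.0.11.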
Step 6
Configure “Extend-IP ACL” so that clients in different VLANs can’t communicate with each other and can’t reach the Controller either, while all clients remain able to surf the Internet.
The 11 rules are explained below:
Rule 1: permit devices in VLAN 2 to reach the Controller on port 8088 so they can pass through “hotspot authentication”.
Rule 2: permit the Controller to send data back to devices in VLAN 2 through port 8088.
Rule 3: permit devices in VLAN 2 to reach the gateway router on port 53 (DNS), which they need for Internet access.
Rule 4: permit the gateway router to send data back to devices in VLAN 2.
Rules 5-8 are the same as rules 1-4, except that rules 5-8 apply to VLAN 3 while rules 1-4 apply to VLAN 2.
Rule 9: deny devices in VLAN 2 access to the 192.168.0.0/24 subnet, except for what rules 1-4 permit.
Rule 10: deny devices in VLAN 3 access to the 192.168.0.0/24 subnet, except for what rules 5-8 permit.
Rule 11: deny devices in VLAN 2 from communicating with devices in VLAN 3.
Note:
- Refer to FAQ 402 for detailed configuration of “Extend-IP ACL”.
- Don’t forget to save the configuration.
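Because the switch ACL is stateless and evaluated first-match, the order of the 11 rules and the separate reply rules (2, 4, 6, 8) are what make the policy work. The following is an added example, not TP-Link code or anything from the original FAQ, that models the 11 rules as described in step 6 and evaluates sample packets against them so the intended result can be checked before binding the ACL on real hardware. The subnets and port 8088 are from the page; the controller address 192.168.0.100 is an assumed placeholder, and the implicit permit when no rule matches is an assumption about the switch's default action.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: first-match model of the Extend-IP ACL from section 4, step 6.
# Subnets, 192.168.0.1 and port 8088 come from the page; the controller
# address and the implicit default permit are assumptions.
CONTROLLER = "192.168.0.100"    # assumed controller address (placeholder)
GATEWAY = "192.168.0.1"         # TL-ER6120, also the DNS server
VLAN2 = "172.16.10.0/24"
VLAN3 = "172.16.20.0/24"
MGMT = "192.168.0.0/24"
PORTAL_PORT = 8088
DNS_PORT = 53

@dataclass
class Rule:
    action: str
    src: str
    dst: str
    sport: Optional[int] = None     # None matches any port
    dport: Optional[int] = None

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and (self.sport is None or pkt.get("sport") == self.sport)
                and (self.dport is None or pkt.get("dport") == self.dport))

def client_rules(vlan):
    """Rules 1-4 (VLAN 2) and 5-8 (VLAN 3): portal traffic to the controller on
    8088, its replies, DNS to the gateway, and the gateway's replies. The reply
    rules are required because the ACL keeps no connection state."""
    return [
        Rule("permit", vlan, CONTROLLER + "/32", dport=PORTAL_PORT),
        Rule("permit", CONTROLLER + "/32", vlan, sport=PORTAL_PORT),
        Rule("permit", vlan, GATEWAY + "/32", dport=DNS_PORT),
        Rule("permit", GATEWAY + "/32", vlan),
    ]

ACL = client_rules(VLAN2) + client_rules(VLAN3) + [
    Rule("deny", VLAN2, MGMT),      # rule 9
    Rule("deny", VLAN3, MGMT),      # rule 10
    Rule("deny", VLAN2, VLAN3),     # rule 11
]

def evaluate(pkt, acl=ACL):
    """Return (action, rule_number); rule 0 means the implicit default permit."""
    for number, rule in enumerate(acl, start=1):
        if rule.matches(pkt):
            return rule.action, number
    return "permit", 0

def audit_isolation(acl=ACL, probe_port=5000):
    """Probe both directions between the client VLANs with a UDP-style packet
    and return the directions the ACL lets through."""
    leaks = []
    for name, src, dst in (("VLAN2->VLAN3", "172.16.10.5", "172.16.20.7"),
                           ("VLAN3->VLAN2", "172.16.20.7", "172.16.10.5")):
        pkt = {"src": src, "dst": dst, "sport": probe_port, "dport": probe_port}
        if evaluate(pkt, acl)[0] == "permit":
            leaks.append(name)
    return leaks

# Mirror of rule 11 so isolation also covers traffic started in VLAN 3
# (an addition for illustration, not one of the page's 11 rules).
ACL_MIRRORED = ACL + [Rule("deny", VLAN3, VLAN2)]

if __name__ == "__main__":
    client = {"src": "172.16.10.5", "sport": 51000}
    print(evaluate({**client, "dst": CONTROLLER, "dport": PORTAL_PORT}))
    print(evaluate({**client, "dst": CONTROLLER, "dport": 443}))
    print(audit_isolation(ACL), audit_isolation(ACL_MIRRORED))
```

The probes confirm the goals in section 1: a VLAN 2 client reaches the controller only on 8088 and is stopped by rule 9 on any other port, including the switch's own VLAN 1 address, while Internet destinations fall through to the default permit. The audit also shows that rule 11 as written only matches VLAN 2 to VLAN 3; a TCP session from VLAN 3 still fails because its replies hit rule 11, but a one-way UDP packet from VLAN 3 to VLAN 2 is passed, so a mirror rule is worth adding if full isolation is the goal.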
5. Configuration on the EAP Controller
Step 1
Create two SSIDs, one in VLAN 2 and one in VLAN 3. Enable the “SSID Isolation” function on both. “SSID Isolation” forbids clients connected to the same SSID from communicating with each other.
Step 2
Choose Hotspot as your authentication type. You will be able to generate a batch of random voucher codes beforehand, with a unique code for each user to pass authentication. This function requires your Controller to stay running all the time.
Step 3
Enable the “Portal” function to make the Hotspot authentication take effect.
Refer to FAQ 915 for detailed configuration of Hotspot Authentication.
6. Conclusion
With the topology and all the settings above, clients connected to the different SSIDs can surf the Internet after passing Hotspot Authentication, but can’t communicate with each other and can’t reach the Controller either.