无线多VLAN接入,即根据不同的无线SSID将客户端接入到不同的VLAN中,使不同客户端获取不同的IP地址,根据IP地址创建不同的防火墙规则相互隔离。假设以普通家庭或小型办公区单线上网的hAP ac2为例,需要配置两个不同无线SSID,为不同类型的终端接入上网使用,一个用于内部人员,一个用于访客。
这里配置仅考虑5GHz频率的多VLAN接入(wlan2无线网卡),ether1单线拨号接入上网,ehter2、ether3、ether4和ether5有线以太网网口接入到bridge交换分组,再将wlan2和wlan3(VAP)加入到bridge,并开启vlan-filtering(开启后,hAP ac2下以太网口的HW-Offloading将失效)
配置ether1拨号上网
/interface pppoe-client add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=yus password=yes
创建内外网转换的nat规则
/ip firewall nat add action=masquerade chain=srcnat out-interface=pppoe-out
创建无线加密方式为wpa2,设置不同的密码,并分别取名为vlan111和vlan222
/interface wireless security-profiles add authentication-types=wpa2-psk mode=dynamic-keys name=vlan111 \ wpa2-pre-shared-key=yusvlan111 add authentication-types=wpa2-psk mode=dynamic-keys name=vlan222 \ wpa2-pre-shared-key=yus vlan222
修改wlan2无线网卡模式为ap-bridge,并设置选择vlan111的安全策略和vlan标签参数
/interface wireless set [ find default-name=wlan2 ] disabled=no mode=ap-bridge security-profile=vlan111 ssid=vlan111 vlan-id=111 vlan-mode=use-tag
基于wlan2添加虚拟AP取名wlan3,设置模式为ap-bridge,选择加密策略为vlan222
/interface wireless add disabled=no master-interface=wlan2 name=wlan3 security-profile=vlan222 ssid=vlan222 vlan-id=222 vlan-mode=use-tag
创建bridge1口,并启用vlan-filtering,由于ether2-ether5是以太网口和bridge1,默认所有端口的PVID是1,因此启用vlan-filtering不影响管理
/interface bridge add name=bridge1 vlan-filtering=yes 将ether2,ether3、ether4和ether5,还有wlan2和wlan3加入bridge1
/interface bridge port add bridge=bridge1 interface=ether2 add bridge=bridge1 interface=ether3 add bridge=bridge1 interface=ether4 add bridge=bridge1 interface=ether5 add bridge=bridge1 interface=wlan2 add bridge=bridge1 interface=wlan3
配置wlan2和wlan3的trunk vlan
/interface bridge vlan add bridge=bridge1 tagged=bridge1,wlan2 vlan-ids=111 add bridge=bridge1 tagged=bridge1,wlan3 vlan-ids=222
创建三层vlan接口
/interface vlan add interface= bridge1 name=vlan111 vlan-id=111 add interface= bridge1 name=vlan222 vlan-id=222
配置vlan111和vlan222的IP地址,为bridge1接口配置192.168.88.1/24地址段(pvid 1)
/ip address add address=192.168.1.1/24 interface=vlan111 add address=192.168.2.1/24 interface=vlan222 add address=192.168.88.1/24 interface=bridge1
为vlan111、vlan222和bridge1创建DHCP服务需要的IP地址池
/ip pool add name=vlan111 range=192.168.1.2-192.168.1.254 add name=vlan222 range=192.168.2.2-192.168.2.254 add name=pool1 range=192.168.88.2-192.168.88.254
创建DHCP服务接口,选择对应的地址池
/ip dhcp-server add address-pool=vlan111 interface=vlan111 name=server1 add address-pool=vlan222 interface=vlan222 name=server2 add address-pool=pool1 interface=bridge1 name=server3
创建DHCP网络分配的网关和DNS
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=223.5.5.5 add address=192.168.2.0/24gateway=192.168.2.1 dns-server=223.5.5.5 add address=192.168.88.0/24gateway=192.168.88.1 dns-server=223.5.5.5
我们不允许vlan222的无线用户访问有线网络的IP地址,即禁止192.168.2.0/24的IP段访问192.168.88.0/24,在/ip firewall filter下配置过滤规则
/ip firewall filter add action=drop chain=forward src-address=192.168.2.0/24 dst-address=192.168.88.0/24
bh1imgbh1img
kvnkvnkvnkvnkvnkvn
quachalaquachala
nickelnickel