topic Re: Mikrotik Hotspot + Zone Director in Access Points - Indoor and Outdoor

Mikrotik Hotspot + Zone Director

highspeed_syste — Tue, 10 May 2016 18:18:04 GMT

I have an installation that consists of the following.

1 Mikrotik Gateway
3 Mikrotik Point to Multipoint Antennas
10 Mikrotik Bridges connected to the PTMP antennas
1 Zone Director
22 AP's distribuited through 10 buildings.

Problem: When I enable captive portal (hotspot) on the Mikrotik - Guests connected to the Ruckus AP's do not get redirected (get a no internet browser error). When a guest connects directly to the main inside switch or the ethernet port of a bridge antenna right away they get the splash page.

We even tried putting a ZoneFlex AP directly behind the main inside switch, plugging into one of it's spare ports, only to find the same error. The browser tries to go to the splash page but can not. If we have an autonomous AP, the user gets the splash page right away so it seems to be a problem with the ZoneDirector.

Does anyone have any experience with Mikrotik Hotspot + Zone Director, any help would be appreciated.

Regards,

Derek

Re: Mikrotik Hotspot + Zone Director

andrea_coppini — Tue, 10 May 2016 18:46:12 GMT

I've done that several times and works perfectly!

What is probably happening is that you are running the hotspot and the AP management on the same VLAN (or no VLANs at all). That is generally a bad idea since it means the hotspot clients will be on the same network as the AP and controller management and can attempt a brute force attack.

Besides, MikroTik Hotspot does ARP proxying on the interface, so the APs are being sucked into Mikrotik's captive portal when they try to reach the controller. This results in the APs not being able to reach the controller and therefore not being able to allow clients to connect.

Solution: leave the AP management on the native VLAN (VLAN 1 on ruckus, physical interface on MikroTik) and create a separate VLAN for your guest network, enable hotspot on the VLAN only, and set the SSID to the same VLAN.

Re: Mikrotik Hotspot + Zone Director

highspeed_syste — Tue, 10 May 2016 19:33:36 GMT

Thanks for the quick reply Andrea, in our trial and error, it seems enabling option 82 on the WLAN on the ZD worked (we were able to get the login page) The only problem is that it only works when full client isolation is disabled (local is enabled), even after taking your suggestion to move the users to a VLAN not on the AP management subnet.

Any suggestions (Just having local client isolation isn't sufficient for this installation)

Regards and thanks for your help!

Re: Mikrotik Hotspot + Zone Director

andrea_coppini — Tue, 10 May 2016 19:40:25 GMT

I think Option 82 was pure coincidence. Enabling Option 82 merely adds the AP's name or MAC (don't remember which one) to the client's DHCP request. I don't think it's related in your case. MikroTik's DHCP server simply ignores it

.. but now you mentioned Client Isolation, which could be your root cause. Simply turning on Full Client Isolation without creating a whitelist will block ALL traffic, even traffic going from the clients to the default gateway (the MikroTik)! Go to the Access Control section on the ZD and create a Client Isolation Whitelist. In it, specify the MAC and/or the IP of the gateway and apply it to the SSID via the drop down box. This will block ALL traffic except what you specify in the whitelist.

Re: Mikrotik Hotspot + Zone Director

highspeed_syste — Tue, 10 May 2016 19:55:56 GMT

Thanks, I don't see a Client Isolation whitelist.. do I use the L3/4/IP address Access Controler and put the IP of MikroTik in here? Also, under configure--WLAN-- Access Control the L3/4/IP is greyed out... should I just enter the MAC in ACL and if so should I enter Mikrotik Bridge MAC or a specific port MAC, sorry for the questions, you're a great help!

Re: Mikrotik Hotspot + Zone Director

andrea_coppini — Tue, 10 May 2016 20:01:40 GMT

Close, but no, not the L3/4 Access Control, that's something else altogether.

Which ZD version are you running? On 9.7 onwards you should be seeing this ....

Re: Mikrotik Hotspot + Zone Director

highspeed_syste — Tue, 10 May 2016 20:05:16 GMT

Ah I see, no we don't have that option (running 9.5.2.0 - 15) Will adding the MAC's to the L2/MAC Access Control and applying that ACL to the WLAN help or do we need to upgrade the ZD.

Thanks

Re: Mikrotik Hotspot + Zone Director

andrea_coppini — Tue, 10 May 2016 20:10:26 GMT

Then you will have to use Local Client Isolation which will block traffic between two devices on the same APs, but won't block traffic between two devices on different APs... not ideal, but at least it's something.

I remember we used to have a 'Full' Client Isolation option on the pre-9.7 ZDs, but to be honest I don't remember how it worked exactly... check the User Guide.

L2/MAC ACL is to block/allow specific WiFi devices to connect to the SSID, not what you want.

Re: Mikrotik Hotspot + Zone Director

highspeed_syste — Tue, 10 May 2016 20:19:04 GMT

Thanks, that's great information! We'll upgrade a ZD/test this in the lab and will post back if we have any more issues.

Thanks for all your help!

Derek

Re: Mikrotik Hotspot + Zone Director

mitchell_axtell — Thu, 12 May 2016 04:17:57 GMT

Full client isolation in pre-9.7 blocked on L3 (IPs, not MACs). Enabling it without a whitelist allowed certain traffic through, but wasn't enough for a captive portal. Ruckus support couldn't tell me which ports were allowed.

9.7's full client isolation works a lot better, and forces you to define a whitelist.

Also, a note about local- it's per RADIO, not per AP. I'm not sure if it has been fixed recently, but in 9.7 and earlier it will only isolate you from the clients on the radio itself. If you are connected to the 2.4, you can see all clients on the 5, and vice-versa.

For this reason alone we have been moving to full client isolation.

Re: Mikrotik Hotspot + Zone Director

mitchell_axtell — Thu, 12 May 2016 04:17:57 GMT

9.7's full client isolation works a lot better, and forces you to define a whitelist.

For this reason alone we have been moving to full client isolation.