One WiFi, Multiple Networks! Segment your WiFi Network with Private Pre-Shared-Keys

Do you love segmenting your network into as many subnets and VLANs as possible? Do you have too many WiFi networks for all of your special-flower IoT devices that can barely speak IP, let alone fend for themselves on the wild internet? You could use WPA Enterprise (EAP) authentication, but good luck getting your smart toaster to log in. The solution I'm playing with is called Private Pre-Shared Keys (PPSK), where each client can have its own passphrase and VLAN assignment on the same SSID, while the client only needs to support ordinary passphrase authentication.

Using this method, along with a RADIUS server to manage clients, we can individually assign settings per-client such as their own PSK, VLAN ID, and more!

For this video, I'm using a Mikrotik wAP AC with RouterOS 7.8. I'd like to try OpenWRT in the future, but as of the making of this video it's not quite ready.
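As an added illustration (not code from the video or from the FreeRADIUS/RouterOS configurations on the blog), the following Python model shows the decision a RADIUS server makes in a PPSK setup: the access point sends the connecting client's MAC address as the RADIUS user name, and the server answers with the passphrase the AP should verify that client against plus the VLAN to place it in. It also covers two topics from the timestamps: matching a whole device family by MAC OUI, and recognising randomized "privacy" MAC addresses (locally administered bit set), whose OUI is meaningless. All MAC addresses, passphrases and VLAN numbers are constructed sample values, and the MAC-as-user-name convention and the `allow_privacy_mac` switch are assumptions made for this example, not RouterOS or FreeRADIUS settings.

```python
"""Toy model of the per-client decision a RADIUS server makes for a PPSK WiFi SSID.

Constructed example: the AP asks the server about a client identified only by its
MAC address; the server returns the PSK the AP must check the client against and the
VLAN to tag its traffic into. The AP, not the server, verifies the passphrase in the
4-way handshake.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Policy:
    psk: str      # passphrase this client must present on the shared SSID
    vlan: int     # VLAN the AP tags the client's traffic into
    comment: str  # human-readable label for the entry


# Constructed sample policies (assumed values, not the video's configuration).
PER_CLIENT = {
    "00:1a:2b:3c:4d:5e": Policy("toaster-only-passphrase", 30, "kitchen toaster"),
    "00:1a:2b:3c:4d:5f": Policy("thermostat-passphrase", 30, "thermostat"),
    "f0:11:22:33:44:55": Policy("laptop-passphrase", 10, "admin laptop"),
}
# Match-by-OUI rule: every device from a (constructed) vendor prefix shares one PSK/VLAN.
PER_OUI = {
    "00:1a:2b": Policy("vendor-iot-passphrase", 30, "Vendor X IoT family"),
}
# Catch-all: anything else lands on the isolated guest VLAN with the guest passphrase.
DEFAULT = Policy("guest-passphrase", 99, "guest / unknown device")

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or bare hex."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet marks a locally administered address.

    Randomized per-SSID 'privacy' MACs set this bit, so their first three octets
    are not a vendor OUI and must not be used for OUI matching.
    """
    return bool(int(mac.split(":")[0], 16) & 0x02)


def lookup(raw_mac: str, allow_privacy_mac: bool = True) -> dict:
    """Return an Access-Accept-like dict (psk, vlan, comment, matched_by) or a reject."""
    mac = normalize_mac(raw_mac)
    if mac in PER_CLIENT:
        policy, how = PER_CLIENT[mac], "client"
    elif not is_locally_administered(mac) and mac[:8] in PER_OUI:
        policy, how = PER_OUI[mac[:8]], "oui"
    elif is_locally_administered(mac) and not allow_privacy_mac:
        # Assumed policy knob: refuse clients that hide their identity behind a random MAC.
        return {"accept": False, "reason": "randomized MAC not permitted"}
    else:
        policy, how = DEFAULT, "default"
    return {
        "accept": True,
        "psk": policy.psk,
        "vlan": policy.vlan,
        "comment": policy.comment,
        "matched_by": how,
    }


if __name__ == "__main__":
    for m in ["00-1A-2B-3C-4D-5E", "001a.2b99.8877", "02:1a:2b:00:00:01", "da:1f:00:aa:bb:cc"]:
        print(m, "->", lookup(m))
```

The point worth noticing is that the server only ever sees what the AP tells it about the client, which at association time is just a MAC address: it hands back the expected passphrase and VLAN, and the AP proves the client actually knows that passphrase. A device using a randomized MAC therefore either needs its own entry under the address it currently presents, or falls through to the default policy; an OUI rule cannot catch it.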

Copies of my FreeRADIUS and RouterOS configurations can be found on my blog:

Feel free to chat with me more on my Discord server:

Timestamps:
00:00 - Introduction
01:19 - RouterOS WiFi Setup
04:15 - FreeRADIUS and RouterOS
08:28 - RADIUS Acceptance
12:02 - Per Client Settings
15:24 - Match by MAC OUI
17:12 - Privacy MAC Addresses
19:26 - AP Filtering
21:35 - Guest Wifi Client Isolation
22:50 - OpenWRT?

#wifi #security #networking
Comments

Just when I thought I finally had my network all ironed out, with some compromises to avoid a bunch of IoT SSIDs, you make this video. Now I have to reevaluate my layout and decide if I want to spend my weekend on this.

Techintx
Thank you so much, good sir. You are truly helping the IT world with your videos and manuals. All I could wish for is just that I'd found your channel much, much earlier.

irvinekinny
That's quite a neat solution.
For years, I've had my main network, with the main SSID across all WiFi access points (the APs are interconnected using CAT5 1Gbps, I hate wireless bridges) and a second SSID for guests and other devices.
The guest SSIDs use a different VLAN on each router, not routable through the main LAN, and with client isolation. They get internet using SNAT.
All of this is configured through DD-WRT using really low-end routers released in 2013, but hey, they have been working well enough for many years :)

georgH
Great video. Not easy, but super interesting. Let me reiterate how you manage with your channel to cover topics not touched by many other tech channels; also, your network knowledge is quite impressive.

robertopontone
Congratulations, great project! It's inspiring and I'd love to try it myself. However, watching this makes me feel excited and a little overwhelmed at the same time.

ErkinOrdulu
Fantastic video. You showed all the things I search on the internet. You're great! Thanks.

TheTekkster
Mikrotik now supports running Docker containers directly on arm and arm64 devices. You could probably install the RADIUS server on the Mikrotik itself, and then you would have a self-contained system that works even if your Proxmox box goes down.

nezu_cc
Oh man, this was so refreshingly good. They say if you can explain complicated things simply, you know them well. You, my sir, know them well. Thank you, keep it up, and I do hope this works with wave2 radios.

calebjpryor
Very thorough tutorial, I'll try it soon! Thanks!

phsouzabr
I started playing with this in an OpenWRT VM with a USB WiFi card and it works great so far. It wasn't that complicated to set up.

mihumono
Not a single legacy IP in sight. It's beautiful! 🤩
Would you say it's secure to just allow any MAC address and completely rely on password-based authentication?

hoover
It works in OpenWRT 23.05.0-rc1 using wpa_psk_file. Previous versions have bugs.

zekicay
Man, I didn't know you could do this. Thank you so much for sharing!

Now to work out if UniFi / TP-Link actually support it. Probably not; maybe it's time to go AP shopping 😅

deltax-ray
Really cool, now I have to figure out how to do this on my AP.

ziozzot
Did you ever look back at OpenWRT and whether that's supported now? I'd love to have this kind of setup for non-WPA3 clients without committing to an old radio.

xoredG
Great tutorial! Could you show this with the Omada stuff, too?

patrickweggler
How are you making sure all this configuration is backed up? My problem is I've got so many things like this running (cloud VPS projects) that I won't remember how to get them back up, because it's normally one and done and I never touch it again.

thestreamreader
Wireless Access Point was not my first guess on why it was called WAP.

alexaka
Can you match clients based on the PSK they supply? For example, use one SSID and allow anyone to connect… but based on the PSK supplied throw them into a certain VLAN? password1 = VLAN1, password2 = VLAN2, no password given = walled off VLAN with client isolation and limited bandwidth?

This seems like a more elegant approach than worrying about MAC addresses. Is this possible, maybe with multiple default rules and fall-through yes arguments?

I guess I should have mentioned I’m coming from a UniFi environment and I guess this is called PPSK and isn’t something that would work with UniFi. Shame.

pcmke
Why not use the built-in RADIUS server? "User Manager is a RADIUS server implementation in RouterOS."

himiko_pl