In this article I describe how to prepare network equipment for a public HotSpot and which equipment has proven itself in practice. I also cover what is preferable in particular cases and how to organize the last mile.
Background
A few years ago I was given the task of setting up HotSpots in the public places of a small city: the square, the park, squares and stations. Working at an Internet provider, I already had experience with all kinds of equipment, including wireless. It remained to think through the details. Please do not take the mention of particular companies as advertising; I am simply sharing how the problem was solved.
In general, the plan looked like this:
- At the center is a MikroTik with an L5 license, which allows 500 online HotSpot users. To start with, a simpler device will do; a level 4 license limits you to 200 users;
- From the MikroTik we run a separate VLAN to each location;
- For each VLAN, with its own interface on the MikroTik, a separate HotSpot service is created with its own login page, settings and restrictions;
- The same VLAN must reach several devices at the same switching point so that clients can move between access points (roaming);
- Because a HotSpot is open and unprotected, configure isolation between clients;
- Management and monitoring of all equipment is done in a separate VLAN;
- Because conditions of use differ, different equipment has to be used, as far as possible in a complete, ready-to-install form.
Equipment used and functionality
A caveat up front: there will be no detailed step-by-step setup instructions here. I will only give recommendations from personal experience and settings that are poorly covered in the standard documentation and that I personally consider important for providing a quality service.
After weighing all the pros and cons, we settled on MikroTik as the core of the HotSpot, in the form of a RouterBOARD. A rack-mount model with a level 5 license was selected. I would not call MikroTik's OS a perfect system: functionality sometimes breaks from one firmware version to the next, but when it works, it works. The main thing is to read the list of fixes and not to update immediately after a new software version is released. Setting up the HotSpot service is standard and described in detail in the official wiki, except that in our case more than one service runs at the same time. I will only add that it is highly desirable to specify burst when configuring the speed limit, for comfortable use of the service. Also, in the firewall configuration, traffic between the VLANs that carry HotSpot must be prohibited.
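The firewall and burst settings described above, sketched as a RouterOS configuration. This is an added example, not the author's configuration; the trunk port `ether2`, the VLAN names and IDs, the `HOTSPOT` list name and the rate values are assumptions made for illustration.

```routeros
# Added example: interface names, VLAN IDs and rates are constructed.

# One VLAN per public location on the trunk port, plus the management VLAN.
/interface vlan
add name=vlan-hs-square interface=ether2 vlan-id=101
add name=vlan-hs-park interface=ether2 vlan-id=102
add name=vlan-mgmt interface=ether2 vlan-id=10

# Group the HotSpot VLANs so that one rule covers every location,
# including ones added later.
/interface list
add name=HOTSPOT
/interface list member
add list=HOTSPOT interface=vlan-hs-square
add list=HOTSPOT interface=vlan-hs-park

/ip firewall filter
# Drop anything routed from one HotSpot VLAN to another. Keep this rule
# above any broader rule that accepts new forwarded connections.
add chain=forward in-interface-list=HOTSPOT out-interface-list=HOTSPOT \
    action=drop comment="no traffic between HotSpot VLANs"
# Assumption: enforce the separate management VLAN by also keeping
# HotSpot clients away from the equipment that lives in it.
add chain=forward in-interface-list=HOTSPOT out-interface=vlan-mgmt \
    action=drop comment="no HotSpot traffic into management VLAN"

# Speed limit with burst for HotSpot users. Field order is:
# rx/tx rate, rx/tx burst rate, rx/tx burst threshold, rx/tx burst time (s).
/ip hotspot user profile
set [find name=default] rate-limit="2M/2M 4M/4M 1500k/1500k 10/10"
```

These filter rules only affect traffic routed by the MikroTik. Clients inside the same VLAN reach each other at layer 2, so client isolation still has to be enabled on every access point.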
AP option number one, the Ubiquiti NanoStation M2, has established itself as a worthy solution with a good coverage area. The NSM2's integrated antenna gain is 11dBi, the transmitter output power is 630mW (28dBm), and the antenna coverage is 60 degrees. Of course, there is no need to set the transmitter to full power. Since we will be working with low-power devices such as phones and tablets, and they need to get a steady signal at a distance from which we can hear them as clearly as they hear us, we fix the power at -19dBm. As practice has shown, this is more than enough. Otherwise the client will see a strong signal from the AP but will not be able to get a stable connection. The NanoStation loco M2 did not show its best side: the built-in antenna creates an almost circular pattern, collecting all sorts of interference from all sides. In addition to good radio performance, the equipment meets our initial requirements. There is full VLAN support, and, if desired, VirtualAP can be configured using additional scripts. Whether to create a virtual AP is a matter of personal choice, but using VLANs with a separate management VLAN is considered mandatory.
In the advanced settings, turn off automatic distance adjustment (ACK) and set the parameter to 0.5 miles (0.8 km). You can also configure filtering of unwanted multicast traffic, and make sure you activate client isolation. Personally, I think this parameter is the most mandatory one in any HotSpot. If desired or necessary, you can prevent clients with a bad signal from connecting by using the Sensitivity Threshold parameter. The setting does not allow a client to connect if its signal is lower than the specified value, but it does not drop a client whose signal degrades after connecting, unlike the similar implementation in MikroTik. It is important to enable Ping Watchdog: this feature has saved us from long trips more than once. For centralized monitoring of the number of connected clients and of interface load, the SNMP agent functionality is used. It is convenient to see the load on all APs graphically in one place.
AP option number two is the RouterBOARD SXT G-2HnD from MikroTik. Although the companies compete and some people prefer only one of them, I will say that each option is good in its own way and has a right to exist. The built-in MIMO 2x2 antenna gives 10dBi in a 60-degree sector with a power of 1600mW (32dBm), and it has minimal side and back lobes, which allows several devices to be placed relatively close together with minimal influence on each other. In dense urban development, this antenna characteristic makes it possible to cover a given zone more precisely, avoiding unnecessary interference and coverage of excess territory. This device also copes with a heavy load and performs well at any time of the year. Built-in functionality lets you monitor the device's input voltage, which matters when it is far from the nearest 220V supply. To set up isolation between clients, disable the Default Forward option in the wlan interface settings. If we need to weed out clients with a weak signal, in the same place we deactivate the Default Authenticate option, after which clients are allowed or blocked from connecting according to the Access List. Then a rule must be created on the basis of which the decision is made:
/interface wireless access-list
add forwarding=no signal-range=-86..120

Here we once again prohibit forwarding between clients and specify the signal range within which a client is allowed to connect to the AP. Be careful: the client will be disconnected immediately if its signal deteriorates, or it will see the network on the air but will not be able to connect to it.
If the AP has to be located at a distance from the building, laying a fiber optic link is a good solution. For power, either a fiber-optic cable with a copper pair or a separate cable with a 48V supply is used. At the base station, everything is mounted in a sealed box containing several DC-DC converters to power the media converter and the AP itself.
Conclusion
I wanted to use this publication to share some points that are, in my opinion, important when setting up a public HotSpot. The recommendations will also be useful to those who work with this equipment. There are few places where you actually find client isolation enabled, even though almost all home routers and access points now support it, not to mention higher-class devices.
I would be glad to see remarks and suggestions in the comments, and I am happy to answer any questions about HotSpot, equipment and implementation not covered in this publication.