Re: [OpenWrt-Users] Hardware recommendation for Access Point with WPA Enterprise
Hi Mirko,

thanks for sharing your knowledge. I appreciate that.

On Fri, Nov 18, 2016 at 08:29:02PM +0100, Mirko Parthey wrote:
> On Sun, Nov 13, 2016 at 05:23:06PM +0100, Marc Haber wrote:
> > - 802.1q support on the Ethernet
>
> The switch chips in consumer access points come with some limitations,
> you should check if they can meet your requirements:
> - They only support a small number of vlans, a typical limit is 15.

Does that mean that the VLAN IDs are also limited to the 0..15 range
or can I have 15 VLANs with arbitrary IDs?

> - Their ports can only be configured to carry either a single untagged
>   vlan, or a number of tagged vlans, but not both simultaneously.

I usually prefer to have the management VLAN untagged, but I can live
without that.

How would I check whether a given hardware would support that?

> > - Support for WPA2 Enterprise with an external RADIUS server
> > - Support for RADIUS Attributes allowing the RADIUS server to specify
> >   which VLAN a certain client should be mapped into after connecting to
> >   the same SSID.
>
> These are supported by OpenWrt/LEDE.
> https://wiki.openwrt.org/doc/howto/wireless.security.8021x
> https://wiki.openwrt.org/doc/uci/wireless#wpa_enterprise_access_point

Ok, so the feature name I want is "dynamic VLAN".

> > - Support for RADIUS Attributes telling the Accesspoint to disconnect
> >   a user after a pre-defined amount of time.
>
> I don't know about this one.

The linked documents would be the place to mention this capability if
it were present, so I guess not.

> > When I tried to build my own OpenWRT for the last time, I failed
> > miserably. Therefore, I would like to be able to use a pre-built
> > OpenWRT image on the device. I believe this might influence the device
> > selection since the image is probably going to be fairly large,
> > influencing the need of flash size.
>
> It is rarely necessary to build from source yourself.
> You can use the Image Builder, which will download your choice of pre-built
> binary packages (*.ipk) and combine them into a flashable image.
> https://wiki.openwrt.org/doc/howto/obtain.firmware.generate
> This will give most of the same benefits, such as optimal use of the
> flash memory space through filesystem-level compression.

That sounds good.

> The config interfaces may not be as polished as in commercial offerings,
> but they do the job. For me, the advantages of OpenWrt/LEDE more than
> make up for some rough edges in the UI.
>
> For an evaluation of the config frontends, you could also try out
> OpenWrt/LEDE on x86 hardware, even on a virtual machine.

I would be willing to buy a cheaper accesspoint in the 50-euro-range to
try things out. Any recommendations?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421

_______________________________________________
openwrt-users mailing list
openwrt-users@lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-users
Re: [OpenWrt-Users] Hardware recommendation for Access Point with WPA Enterprise
On Tue, Nov 22, 2016 at 10:18:27AM +0100, Marc Haber wrote:
> > The switch chips in consumer access points come with some limitations,
> > you should check if they can meet your requirements:
> > - They only support a small number of vlans, a typical limit is 15.
>
> Does that mean that the VLAN IDs are also limited to the 0..15 range
> or can I have 15 VLANs with arbitrary IDs?

4-bit VLAN IDs (0..15 range) really.
But as David Lang said, this seems to be a thing of the past.
I can confirm that full 12-bit VLAN IDs work on a router based on the
Lantiq VRX268 SoC. It has a limit of 64 VLANs.

> > - Their ports can only be configured to carry either a single untagged
> >   vlan, or a number of tagged vlans, but not both simultaneously.
>
> I usually prefer to have the management VLAN untagged, but I can live
> without that.
>
> How would I check whether a given hardware would support that?

The default network config for your device should come with a single
VLAN or two, depending on how the WAN interface is connected, and all
VLANs tagged for the CPU port.
This is how it is usually wired up:
https://wiki.openwrt.org/doc/uci/network/switch

First you can modify this config to add more VLANs, untagged towards
external ports and tagged towards the CPU.
https://wiki.openwrt.org/doc/uci/network/switch#the_configuration
I hadn't noticed the 'switch_port' section before, maybe it helps with
making untagged VLANs work in combination with tagged VLANs on a port.
In the network configuration, the interface ethX.Y can be used as usual,
for example to add an IP address and subnet.

Then add another VLAN, assign it as tagged to both an external port and
the CPU, and check if everything still works.

The port numbers and the labels printed on the case usually do not
match, but the mapping is documented in the wiki for some devices, or
you can just find it out experimentally.

Finally a few example commands for setting up VLANs and IP related
network config with uci. You can modify this as needed.

  # inspect the switch and the current network config
  swconfig list
  swconfig dev eth0 show
  uci show network

  # VLAN 2: untagged on port 2, tagged towards ports 5 and 6 (CPU side)
  uci set network.vl2=switch_vlan
  uci set network.vl2.device='switch0'
  uci set network.vl2.vlan='2'
  uci set network.vl2.ports='2 5t 6t'
  # you may have to add a 'switch_port' section here

  # interface on the VLAN sub-device, with the AP's own host address
  # (192.168.2.0 is the network address and cannot be assigned)
  uci set network.net2=interface
  uci set network.net2.ifname='eth0.2'
  uci set network.net2.proto='static'
  uci set network.net2.ipaddr='192.168.2.1'
  uci set network.net2.netmask='255.255.255.0'
  /etc/init.d/network reload

  # try if it works, decide if you want to keep this config
  uci changes
  uci commit          # keep it
  uci revert network  # or throw the uncommitted changes away

My example uses named switch_vlan sections, which is different from the
default. An unnamed section would instead be created like this:

  uci add network switch_vlan

and the resulting identifier used instead of 'vl2'.

If you set the options through uci and don't commit them to flash yet,
it is possible to recover from mistakes by power-cycling the device.
Otherwise, you can always boot to the failsafe mode:
https://wiki.openwrt.org/doc/howto/generic.failsafe

> I would be willing to buy a cheaper accesspoint in the 50-euro-range
> to try things out. Any recommendations?

The TP-Link TL-WR841ND is cheap, but it has only 4 MB flash, which is
very limiting if you want to add software packages.

The only recent device I own is the TP-Link TD-W8980. It is within your
budget, but I hesitate to recommend it to you:
- installing OpenWrt/LEDE is more difficult than on other devices
- the 5 GHz WLAN radio is not supported

The more expensive "TP-Link Archer C7 v2" (90€) could be an option.
From what I read, it should be well supported at least in the
development snapshots of OpenWrt and LEDE.

To get more hardware recommendations, perhaps also from other vendors,
you could try the web forums:
https://forum.openwrt.org/
https://forum.lede-project.org/

Regards,
Mirko
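Mirko's procedure above grows the switch_vlan config one VLAN at a time and then tests whether the switch chip still behaves, and the limitation he quotes (a port is either untagged in one VLAN, or tagged in several, never both) is exactly the kind of thing that is easy to get wrong once several 'ports' lists exist. The following POSIX sh/awk script is an added example, not code from the thread or from OpenWrt, that reads 'ports=' lines in the format printed by 'uci show network' and reports every port that is untagged in more than one VLAN or untagged in one VLAN while also tagged in another, so a config can be checked before '/etc/init.d/network reload' is run on hardware that may silently misbehave. The function name check_switch_ports and both sample configs are constructed for this example; port 0 plays the role of the CPU port that is tagged in every VLAN.

```shell
#!/bin/sh
# Added example (not from the thread): flag switch_vlan port assignments
# that mix untagged and tagged membership on one external port, which the
# thread says consumer switch chips may not support.
# Input format: lines as printed by `uci show network`, e.g.
#   network.vl2.ports='2 5t 6t'
# "Nt" is a tagged member, "N" or "Nu" an untagged member of that VLAN.

# Constructed sample: port 1 is untagged in the default VLAN and also
# tagged in vl3, so it is mixed; port 0 (CPU) is tagged everywhere.
SAMPLE_MIXED="network.@switch_vlan[0].ports='0t 1 2 3 4'
network.vl2.ports='0t 5t'
network.vl3.ports='0t 1t'"

# Constructed sample: every external port is untagged in exactly one VLAN
# or carries only tagged VLANs (ports 3 and 4 are pure trunk ports).
SAMPLE_CLEAN="network.@switch_vlan[0].ports='0t 1 2'
network.vl2.ports='0t 3t 4t'
network.vl3.ports='0t 3t'"

# check_switch_ports CONFIG_TEXT
# Prints one line per problematic port; returns 1 if any was found,
# 0 when each port is untagged in at most one VLAN and never also tagged.
check_switch_ports() {
    printf '%s\n' "$1" | tr -d "'\"" | awk '
    BEGIN { bad = 0 }
    /\.ports=/ {
        split($0, kv, "=")
        n = split(kv[1], key, "[.]")
        section = key[n - 1]          # e.g. vl2 or @switch_vlan[0]
        m = split(kv[2], ports, " ")
        for (i = 1; i <= m; i++) {
            p = ports[i]
            if (p ~ /t$/) {           # tagged member of this VLAN
                sub(/t$/, "", p)
                tagged[p] = tagged[p] " " section
            } else {                  # untagged member of this VLAN
                sub(/u$/, "", p)
                if (p in untagged) {
                    printf "port %s: untagged in both %s and %s\n", p, untagged[p], section
                    bad = 1
                }
                untagged[p] = section
            }
        }
    }
    END {
        # a port that is untagged somewhere must not be tagged anywhere else
        for (p in untagged)
            if (p in tagged) {
                printf "port %s: untagged in %s but tagged in%s\n", p, untagged[p], tagged[p]
                bad = 1
            }
        exit bad
    }'
}

# Stand-alone run over the constructed samples.
echo "mixed config:"
check_switch_ports "$SAMPLE_MIXED" || echo "-> fix before reloading the network"
echo "clean config:"
check_switch_ports "$SAMPLE_CLEAN" && echo "-> ok"
```

On a live device the same function can be fed the real config with 'check_switch_ports "$(uci show network)"'; a non-zero return is the signal to revisit the 'ports' lists (or, as Mirko notes, to look at the 'switch_port' section) before committing. The CPU port is deliberately allowed to be tagged in every VLAN, since that is how the default config wires it up.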
Re: [OpenWrt-Users] Hardware recommendation for Access Point with WPA Enterprise
On Tue, Nov 22, 2016 at 06:44:33AM -0800, David Lang wrote:
> On Tue, 22 Nov 2016, Marc Haber wrote:
> > On Fri, Nov 18, 2016 at 11:34:48AM -0800, David Lang wrote:
> > > On Fri, 18 Nov 2016, Mirko Parthey wrote:
> > > > - Their ports can only be configured to carry either a single untagged
> > > >   vlan, or a number of tagged vlans, but not both simultaneously.
> > >
> > > I'll argue that doing both is a bad idea in any case (just from the
> > > confusion point of view :-)
> >
> > I usually configure the VLAN used to manage the device as "untagged"
> > so that I can plug my notebook into a trunk port and manage the
> > device. This has proven extremely handy in outage situations where the
> > normal management methods don't work.
>
> it's handy, but it's not that hard to create a VLAN on your laptop
> interface.

I am not talking about myself. I can configure VLANs with my hands tied
behind my back, but I also have been forced to talk not-so-savvy remote
hands people through that kind of configuration on the phone in the
middle of the night with their Windows notebooks. ;-)

Greetings
Marc
Re: [OpenWrt-Users] Hardware recommendation for Access Point with WPA Enterprise
> On Tue, 22 Nov 2016, Marc Haber wrote:
> > On Fri, Nov 18, 2016 at 11:34:48AM -0800, David Lang wrote:
> > > On Fri, 18 Nov 2016, Mirko Parthey wrote:
> > > > - Their ports can only be configured to carry either a single untagged
> > > >   vlan, or a number of tagged vlans, but not both simultaneously.
> > >
> > > I'll argue that doing both is a bad idea in any case (just from the
> > > confusion point of view :-)
> >
> > I usually configure the VLAN used to manage the device as "untagged"
> > so that I can plug my notebook into a trunk port and manage the
> > device. This has proven extremely handy in outage situations where the
> > normal management methods don't work.
>
> it's handy, but it's not that hard to create a VLAN on your laptop
> interface.
>
> I agree this is one of the places where it's useful to mix the two, but
> I would not have this be the normal management interface on the AP, but
> a secondary 'back-door' interface (similar to the way I will frequently
> create a hidden admin SSID that doesn't route outside the router)
>
> David Lang

This needs to be documented cleanly though.

Greetings
Marc
Re: [OpenWrt-Users] Hardware recommendation for Access Point with WPA Enterprise
On Tue, 22 Nov 2016, Marc Haber wrote:

> On Tue, Nov 22, 2016 at 06:50:35AM -0800, David Lang wrote:
> > On Tue, 22 Nov 2016, Marc Haber wrote:
> >
> > As I noted earlier, most current switches don't have this limit. But
> > older switches (and many current switches in their default startup
> > mode) have a limit. On some of them it's 0..15, on others it's 0..31,
> > etc. This was common even on commercial switches 5-10 years ago, but
> > the advance of technology means that in most cases it's a matter of
> > flipping a toggle in the config to support all 4K VLANs.
>
> Commercial Switches (for example the HP 25**, 28** devices) had a limit
> on number of VLANs (I think it was 32 out of the box, I increased that
> first thing after unpacking), but never a limit on the range of VLAN
> IDs. You could have VLANs 1, 250, 100, 3847, but not more than 32 of
> them in the default settings.

it depends on how far back you go :-)

> > Take a look at the WNDR3800, it's getting old, but that means it's
> > cheap on e-bay :-)
>
> It's cheap if you Ebay it in the US. In Europe, it most likely was
> never on the market, Ebay Germany does only have a single offer with a
> price of well over 80 Euros.

That's interesting, the last time I ordered a batch, a good number of
them that I received were the CH model (china), which needed a different
firmware image, but otherwise worked identically

<$25 with free shipping
http://www.ebay.com/itm/NETGEAR-WIRELESS-N-ROUTER-N600-WNDR3800-DUALBAND-PREMIUM-EDITION-/272438727238?hash=item3f6e9d1246:g:JJ8AAOSwl9BWLeAG

David Lang