Manual:Interface/Wireless

Similar documents
Configuring Wireless Distribution System (WDS) on the WAP131 and WAP351

MikroTik RouterOS v3. New Obvious and Obscure Mikrotik RouterOS v3.0 features

Chapter 4 Advanced Settings and Features

Configuring a VAP on the WAP351, WAP131, and WAP371

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Wireless Router at Home

Add a Wireless Network to an Existing Wired Network using a Wireless Access Point (WAP)

Princess Nora Bint Abdulrahman University College of computer and information sciences Networks department Networks Security (NET 536)

MikroTik RouterOS v3. New Obvious and Obscure Mikrotik RouterOS v3.0 features

Manual:Interface/Bridge - MikroTik Wiki

Basic processes in IEEE networks

CSCD 433/533 Advanced Networking

Security SSID Selection: Broadcast SSID:

Configuring Cipher Suites and WEP

Outline : Wireless Networks Lecture 10: Management. Management and Control Services : Infrastructure Reminder.

Configuring VLANs CHAPTER

LevelOne. User Manual. WAP Mbps PoE Wireless AP V3.0.0

AWAP02O-1W Installation Guide

Security Setup CHAPTER

Configuring WEP and WEP Features

Configure Wireless Distribution System (WDS) on the WAP131, WAP351, WAP150, or WAP361 Access Point

Basic Wireless Settings on the CVR100W VPN Router

Routing / Bridging. Lecturer: Carlos Rey-Moreno

Wireless Network Security

WIDS Technology White Paper

WAP3205 v2. User s Guide. Quick Start Guide. Wireless N300 Access Point. Default Login Details. Version 1.00 Edition 2, 12/2012

Network Encryption 3 4/20/17

Configuring Layer2 Security

Chapter 1 Introduction

Wireless 300N Access Point 300 Mbps, MIMO, Bridge, Repeater, Multiple SSIDs and VLANs Part No.:

Procedure: You can find the problem sheet on the Desktop of the lab PCs.

Configuring VLANs CHAPTER

Configuring Repeater and Standby Access Points and Workgroup Bridge Mode

Standard For IIUM Wireless Networking

Configuring Repeater and Standby Access Points

Wireless Attacks and Countermeasures

Analysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner

Wireless Access Point

802.11a/n Long Range Wireless Outdoor CB/A P

Wireless Access Point

Best Connectivity. 500Mbps PowerLine Starter Kit. Give your home network from the power outlet. Plug it in and get started!

Release Notes for Avaya WLAN 9100 Access Point Operating System (AOS) Release

Internetwork Expert s CCNP Bootcamp. Wireless LANs. WLANs replace Physical (layer 1) and Data Link (layer 2) transports with wireless

Configuring Authentication Types

WAP6405. User s Guide. Quick Start Guide. 5GHz AC1750 Gigabit Wireless Bridge. Default Login Details. Version 1.00 Edition 1, 06/2016

Monitoring the Network (CPE and WBS)

Securing Wireless Networks by By Joe Klemencic Mon. Apr

Wednesday, May 16, 2018

Premiertek AP Mbps Wireless-N Broadband Router Quick Installation Guide

Content. Chapter 1 Product Introduction Package Contents Product Features Product Usage... 2

ENH900EXT N Dual Radio Concurrent AP. 2.4GHz/5GHz 900Mbps a/b/g/n Flexible Application

: Building Cisco Multilayer Switched Networks

5 Tips to Fortify your Wireless Network

MikroTik RouterOS Training. Routing. Schedule. Instructors. Housekeeping. Introduce Yourself. Course Objective 7/4/ :00 10:30 Morning Session I

TORNADO M100 CELLNODE USER MANUAL

CSNT 180 Wireless Networking. Chapter 7 WLAN Terminology and Technology

WF-2402 Quick Installation Guide

Multi-Layered Security Framework for Metro-Scale Wi-Fi Networks

802.11b/g Access Point WL-8000AP

300Mbps Wireless N Mini Router

Key Features. EnGenius Outdoor CPE design High Power, High Sensitivity and Strong Reliability Solutions under Harsh Environment.

150Mbps WLAN Access Point

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

Wireless LAN USB Super G 108 Mbit. Manual

Configuring Management Frame Protection

Viewing Status and Statistics

5GHz. Overview. Spotlight. Hardened IP65 Outdoor Wireless Bridge Subscriber Unit. PtP ITS

Wireless KRACK attack client side workaround and detection

CWNP PW Certified Wireless Analysis Professional. Download Full Version :

Chapter 1: Introduction

WL-5420AP. User s Guide

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 8

Error and Event Messages

Configuring RADIUS Servers

Learn How to Configure EnGenius Wi-Fi Products for Popular Applications

Configuring the Client Adapter

Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ]

WRE6505 v2. User s Guide. Quick Start Guide. Wireless AC750 Range Extender. Default Login Details. Version 1.00 Edition 1, 10/2016

New Features and Updates in RouterOS

Wireless AC1200 Concurrent Dual Band PoE Access Point

Firewalls, Tunnels, and Network Intrusion Detection

Wireless technology Principles of Security

TRENDnet User s Guide. Cover Page

Institute of Electrical and Electronics Engineers (IEEE) IEEE standards

User Guide. 450Mbps/300Mbps Wireless N Access Point TL-WA901ND/TL-WA801ND REV

WAP551 Wireless-N Access Point with PoE

Networking Basics. Crystal Printer Network Installation Guidelines

Configuring Repeater and Standby Access Points and Workgroup Bridge Mode

WISNETWORKS. WisOS 11ac V /3/21. Software version WisOS 11ac

Configuring the Wireless Parameters (CPE and WBS)

Redundancy and Performance on Point to Point link

Guide to Networking Essentials, 6 th Edition. Chapter 7: Network Hardware in Depth

Chapter 1 Introduction

Key Features. Multiple Operation Modes ENS500EXT can operate into four different modes with Access Point, Client Bridge, Client Router and WDS Mode.

Document Number: rev D Intuitive Surgical, Inc. OnSite Overview. for the da Vinci Xi and da Vinci Si Surgical System.

3.1 Setting Up a Wireless Connection Using the WPS Button Manually Setting Up a Wireless Connection

802.11ac 3x3 Dual Band High-Powered Wireless Access Point/Client Bridge

User Module. WiFi SSID Switch APPLICATION NOTE

Configuring the Radio Network

ENH1750 EXT ENH1750 EXT

Transcription:

Manual:Interface/Wireless RouterOS wireless comply with IEEE 802.11 standards, it provides complete support for 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac as long as additional features like WPA, WEP, AES encryption, Wireless Distribution System (WDS), Dynamic Frequency selection (DFS), Virtual Access Point, Nstreme and NV2 proprietary protocols and many more. Wireless can operate in several modes: client (station), access point, wireless bridge etc. MANUAL: WIRELESS STATION MODES:- Wireless interface in any of station modes will search for acceptable access point (AP) and connect to it. The connection between station and AP will behave in slightly different way depending on type of station mode used, so correct mode must be chosen for given application and equipment. We will attempt to describe the differences between available station modes. Primary difference between station modes is in how L2 addresses are processed and forwarded across wireless link. This directly affects the ability of wireless link to be part of L2 bridged infrastructure. If L2 bridging over wireless link is not necessary - as in case of routed or MPLS (Multiprotocol Layer Switching) switched network, basic mode=station setup is suggested and will provide highest efficiency. Availability of particular station mode depends on wireless-protocol that is used in wireless network. It is possible that connection between station and AP will be established even if particular mode is not supported for given protocol. Beware that such connection will not behave as expected with respect to L2 bridging. 802.11 LIMITATIONS FOR L2 BRIDGING Historically 802.11 AP devices were supposed to be able to bridge frames between wired network segment and wireless, but station device was not supposed to do L2 bridging. 1

Consider the following network: [X]---[AP]-( )-[STA]---[Y] where X-to-AP and STA-to-Y are ethernet links, but AP-to-STA are connected wirelessly. According to 802.11, AP can transparently bridge traffic between X and STA, but it is not possible to bridge traffic between AP and Y, or X and Y. 802.11 standard specifies that frames between station and AP device must be transmitted in so called 3 address frame format, meaning that header of frame contains 3 MAC addresses. Frame transmitted from AP to station has the following addresses: destination address - address of station device, also radio receiver address radio transmitter address - address of AP source address - address of originator of particular frame Frame transmitted from station to AP has the following addresses: radio receiver address - address of AP source address - address of station device, also radio transmitter address destination address Considering that every frame must include radio transmitter and receiver address, it is clear that 3 address frame format is not suitable for transparent L2 bridging over station, because station can not send frame with source address different from its address - e.g. frame from Y, and at the same time AP can not format frame in a way that would include address of Y. 802.11 includes additional frame format, so called 4 address frame format, intended for "wireless distribution system" (WDS) - a system to interconnect APs wirelessly. In this format additional address is added, producing header that contains the following addresses: radio receiver address radio transmitter address destination address 2

source address This frame format includes all necessary information for transparent L2 bridging over wireless link. Unluckily 802.11 does not specify how WDS connections should be established and managed, therefore any usage of 4 address frame format (and WDS) is implementation specific. Different station modes attempt to solve shortcomings of standard station mode to provide support for L2 bridging. 1. Mode station This is standard mode that does not support L2 bridging on station - attempts to put wireless interface in bridge will not produce expected results. On the other hand this mode can be considered the most efficient and therefore should be used if L2 bridging on station is not necessary - as in case of routed or MPLS switched network. This mode is supported for all wireless protocols. 2. Mode station-wds This mode works only with RouterOS APs. As a result of negotiating connection, separate WDS interface is created on AP for given station. This interface can be thought of point-to-point connection between AP and given station - whatever is sent out WDS interface is delivered to station (and only to particular station) and whatever station sends to AP is received from WDS interface (and not subject to forwarding between AP clients), preserving L2 addresses. This mode is supported for all wireless protocols except when 802.11 protocol is used in connection to non-routeros device. Mode uses 4 address frame format when used with 802.11 protocol, for other protocols (such as nstreme or nv2), protocol internal means are used. This mode is safe to use for L2 bridging and gives most administrative control on AP by means of separate WDS interface, for example use of bridge firewall, RSTP for loop detection and avoidance, etc. 3

3. Mode station-pseudobridge From the wireless connection point of view, this mode is the same as standard station mode. It has limited support for L2 bridging by means of some services implemented in station: MAC address translation for IPv4 packets - station maintains IPv4-to-MAC mapping table and replaces source MAC address with its own address when sending frame to AP (in order to be able to use 3 address frame format), and replaces destination MAC address with address from mapping table for frames received from AP. IPv4-to-MAC mappings are built also for VLAN encapsulated frames. single MAC address translation for the rest of protocols - station learns source MAC address from first forwarded non-ipv4 frame and uses it as default for reverse translation - this MAC address is used to replace destination MAC address for frames received from AP if IPv4-to-MAC mapping can not be performed (e.g. - non-ipv4 frame or missing mapping). This mode is limited to complete L2 bridging of data to single device connected to station (by means of single MAC address translation) and some support for IPv4 frame bridging - bridging of non-ip protocols to more than one device will not work. Also MAC address translation limits access to station device from AP side to IPv4 based access - the rest of protocols will be translated by single MAC address translation and will not be received by station itself. This mode is available for all protocols except nv2 and should be avoided when possible. The usage of this mode can only be justified if AP does not support better mode for L2 bridging (e.g. when non-routeros AP is used) or if only one end-user device must be connected to network by means of station device. 4. Mode station-pseudobridge-clone This mode is the same as station-pseudobridge mode, except that it connects to AP using "cloned" MAC address - that is either address configured in station-bridge-clone-mac parameter (if configured) or source address of first forwarded frame. This essentially appears on AP as if end-user device connected to station connected to AP. 4

5. Mode station-bridge This mode works only with RouterOS APs and provides support for transparent protocolindependent L2 bridging on station device. RouterOS AP accepts clients in station-bridge mode when enabled using bridge-mode parameter. In this mode AP maintains forwarding table with information on what MAC addresses are reachable over which station device. This mode is MikroTik proprietary and can't be used to connect other brand devices. This mode is safe to use for L2 bridging and should be used whenever there are sufficient reasons to not use station-wds mode. INTERFACE WIRELESS ACCESS-LIST Access list is used by access point to restrict allowed connections from other devices, and to control connection parameters. Operation: Access list rules are checked sequentially. Disabled rules are always ignored. Only the first matching rule is applied. If there are no matching rules for the remote connection, then the default values from the wireless interface configuration are used. If remote device is matched by rule that has authentication=no value, the connection from that remote device is rejected. INTERFACE WIRELESS CONNECT-LIST connect-list is used to assign priority and security settings to connections with remote access points, and to restrict allowed connections. connect-list is an ordered list of rules. Each rule in connect-list is attached to specific wireless interface, specified in the interface property of 5

that rule (this is unlike access-list, where rules can apply to all interfaces). Rule can match MAC address of remote access point, it's signal strength and many other parameters. Operation: connect-list rules are always checked sequentially, starting from the first. disabled rules are always ignored. Only the first matching rule is applied. If connect-list does not have any rule that matches remote access point, then the default values from the wireless interface configuration are used. If access point is matched by rule that has connect=no value, connection with this access point will not be attempted. If access point is matched by rule that has connect=yes value, connection with this access point will be attempted. o In station mode, if several remote access points are matched by connect list rules with connect=yes value, connection will be attempted with access point that is matched by rule higher in the connect-list. o If no remote access points are matched by connect-list rules with connect=yes value, then value of default-authentication interface property determines whether station will attempt to connect to any access point. If defaultauthentication=yes, station will choose access point with best signal and compatible security. In access point mode, connect-list is checked before establishing WDS link with remote device. If access point is not matched by any rule in the connect list, then the value of default-authentication determines whether WDS link will be established. INTERFACE WIRELESS SECURITY-PROFILES Basic properties mode (one of none, static-keys-optional, static-keys-required or dynamic-keys; default value: none) : 6

none - Encryption is not used. Encrypted frames are not accepted. static-keys-required - WEP mode. Do not accept and do not send unencrypted frames. Station in static-keys-required mode will not connect to an access point in statickeys-optional mode. static-keys-optional - WEP mode. Support encryption and decryption, but allow also to receive and send unencrypted frames. Device will send unencrypted frames if encryption algorithm is specified as none. Station in static-keys-optional mode will not connect to an access point in static-keys-required mode. See also: static-sta-private-algo, static-transmit-key dynamic-keys - WPA mode. MANAGEMENT FRAME PROTECTION Used for: Deauthentication attack prevention, MAC address cloning issue. RouterOS implements proprietary management frame protection algorithm based on shared secret. Management frame protection means that RouterOS wireless device is able to verify source of management frame and confirm that particular frame is not malicious. This feature allows to withstand deauthentication and disassociation attacks on RouterOS based wireless devices. Management protection mode is configured in security-profile with managementprotection setting. Possible values are: disabled - management protection is disabled (default), allowed - use management protection if supported by remote party (for AP - allow both, nonmanagement protection and management protection clients, for client - connect both to APs with and without management protection), required - establish association only with remote devices that support management protection (for AP - accept only clients that support management protection, for client - connect only to APs that support management protection). 7

Management protection shared secret is configured with security-profile managementprotection-key setting. When interface is in AP mode, default management protection key (configured in security-profile) can be overridded by key specified in access-list or RADIUS attribute. 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback