I have a spare Cisco Aironet 3702i but no Cisco Wireless LAN Controller to manage it. I do like its wireless capability, and I want it to replace my ASUS RT-AC68U as the main wireless access point at home.
I also have a Mikrotik hex POE 960PGS router that provides both connectivity and power to a surveillance camera.
I want to make full use of the gear I have and build a secure home wireless network with a cost-effective solution.
- Multiple SSIDs with different VLANs and different encryption and authentication methods
- Each SSID network needs to be segregated from the others
- One SSID needs to be in the same subnet as the local wired network
- Mikrotik hex POE router
- Cisco Aironet 3702i AP
- The Mikrotik hex POE router acts as the main Internet edge router
- One interface connects to the Internet
- One interface connects to the Cisco Aironet AP as a trunk interface
- The remaining Mikrotik interfaces serve the local LAN
Difficulty and known issues:
- The Mikrotik hex POE supports PoE input and passive or 802.3af/at PoE output, but requires a 48-57 V input voltage to power 802.3at/af mode B (4,5+)(7,8-) compatible devices.
- Although the Mikrotik hex POE supports 802.3at/af mode B, it still cannot power the Cisco Aironet 3702i AP at full power, which requires PoE+ and LLDP negotiation; the AP only runs in low-power mode (wireless limited to 3×3 MIMO).
- The RouterOS native CAPsMAN wireless controller does not work with non-Mikrotik wireless devices, so integrating a Cisco wireless AP with RouterOS requires custom configuration.
- RouterOS has a different bridge and VLAN configuration concept from Cisco network switches. It is a challenge to make devices from two different makes work together.
On the Cisco AP side, first convert the AP to autonomous mode. Then follow the instructions in this reference: https://www.cisco.com/c/en/us/support/docs/wireless-mobility/service-set-identifier-ssid/210516-SSIDs-and-VLANs-configuration-on-Autonom.html.
One thing to pay attention to: put the SSID that must be in the same subnet as the local LAN into the native VLAN, and put its radio sub-interface and GigabitEthernet sub-interface into bridge-group 1, so that this SSID's network is in the same broadcast domain as the BVI1 management interface and the local LAN. (For better security, it is recommended to put BVI1 into a dedicated management VLAN.)
As the Cisco Aironet 3702i has two radio interfaces, the multiple SSIDs with VLANs can be configured on either interface. If there is only one SSID on a radio interface, it can be set to guest-mode directly to broadcast the SSID. Otherwise, mbssid guest-mode is required.
The configuration on the Cisco AP side is quite straightforward, as the documentation is good, so I will focus on the Mikrotik router side.
For example, suppose you have already configured VLAN10 as native and VLAN20 on the Cisco AP, giving two SSIDs (localwireless and publicwireless). VLAN10 needs to be within the same subnet as the router LAN network 192.168.10.0/24, while VLAN20 needs to be isolated in network 192.168.20.0/24. VLAN20 may only access the Internet, with no local access to the 192.168.10.0 network.
- Create a VLAN interface under ethernet 2 (the port connected to the AP) with VLAN ID 20
- No VLAN interface is needed for VLAN10, as it is the native (untagged) VLAN; ethernet 2 itself carries it
- Create a new address for vlan20 (192.168.20.1/24, network 192.168.20.0)
- Create a DHCP pool for vlan20 and assign it to the vlan20 interface (no bridge is needed for vlan20)
- Add ethernet 2 to the default local LAN bridge with the other LAN interfaces
- Check that the source NAT covers the new vlan20 network for outbound Internet access
- Create firewall rules to block inter-VLAN communication between VLAN20 and the default bridge. VLAN20 may still need INPUT access to the router for DNS resolution.
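The RouterOS commands for the steps above, written as an added example rather than taken from the original post. It assumes the LAN bridge is named bridge-lan and already has 192.168.10.1/24, the WAN is ether1, the AP hangs off ether2, and the DHCP range and rule comments are my own choices.

```routeros
# Added example (not from the original post). Assumptions: bridge "bridge-lan"
# already carries 192.168.10.1/24, WAN is ether1, the Cisco AP is on ether2.

# 1. Tagged VLAN 20 sub-interface on ether2. VLAN 10 is native (untagged),
#    so ether2 itself carries it and no vlan10 interface is needed.
/interface vlan add name=vlan20 vlan-id=20 interface=ether2 comment="publicwireless"

# 2. ether2 joins the LAN bridge so the untagged SSID shares 192.168.10.0/24.
/interface bridge port add bridge=bridge-lan interface=ether2

# 3. Address and DHCP for the isolated guest network (no bridge for vlan20).
/ip address add address=192.168.20.1/24 network=192.168.20.0 interface=vlan20
/ip pool add name=pool-vlan20 ranges=192.168.20.100-192.168.20.200
/ip dhcp-server add name=dhcp-vlan20 interface=vlan20 address-pool=pool-vlan20 disabled=no
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# 4. Source NAT. A default "masquerade out-interface=WAN" rule already covers
#    vlan20; only add this if your existing rule is limited to 192.168.10.0/24.
/ip firewall nat add chain=srcnat src-address=192.168.20.0/24 out-interface=ether1 \
    action=masquerade comment="vlan20 to Internet"

# 5. Isolation. "add" appends to the end of each chain: if the chain already
#    ends with a catch-all drop, move these rules above it (place-before=).
#    Router itself: allow only DNS (and DHCP) from vlan20, drop the rest.
/ip firewall filter add chain=input in-interface=vlan20 protocol=udp dst-port=53,67 \
    action=accept comment="vlan20 DNS/DHCP to router"
/ip firewall filter add chain=input in-interface=vlan20 protocol=tcp dst-port=53 \
    action=accept comment="vlan20 DNS/TCP to router"
/ip firewall filter add chain=input in-interface=vlan20 action=drop \
    comment="vlan20: no other access to router"
#    Through the router: never into the LAN subnet, only out to the Internet.
/ip firewall filter add chain=forward in-interface=vlan20 dst-address=192.168.10.0/24 \
    action=drop comment="block vlan20 -> LAN"
/ip firewall filter add chain=forward in-interface=vlan20 out-interface=ether1 \
    action=accept comment="vlan20 -> Internet"

# 6. Let the router resolve for vlan20 clients. This also answers queries from
#    any interface, so keep a rule that drops DNS arriving on ether1 (WAN).
/ip dns set allow-remote-requests=yes
```

After applying, verify from a publicwireless client that 192.168.20.1 answers DNS, 192.168.10.0/24 hosts time out, and an Internet host is reachable; the rule counters in /ip firewall filter show which rule matched.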
Now connect ethernet 2 to the Cisco AP's Ethernet port, and it should work properly.
Feel free to leave a comment if you run into any issue when trying a similar setup.