I've got a WiFi outside of my network for guests and emergencies (2 SSIDs).
Then a main WiFi router in my living room, one in my workshop/studio and one in the attic (electronics lab).
So three main WiFi access points. These all have the same SSIDs but on different frequencies; that way I've got roaming inside and outside my house. Some virtual access points are also configured: I've got main, folkband, IOT and guest-inside, all on 2.4GHz and 5GHz.
I watched a lot of YT presentations about Mikrotik Wifi.
So I ended up with DFS-safe channels: 20MHz for 2.4GHz and 20/40MHz Ce for 5GHz (sub-channels for each chosen after some frequency scanning). 2.4GHz falls back to 20MHz whenever even one client is detected that only connects on this band, such as some old IOT stuff. 2.4GHz is only on channels 1, 6 and 11, no overlap, each on another device. 300Mbps is sufficient for my wifi 🙂
I've got access lists in place and I'm going to read into kicking a client when the signal strength is below -50dB.
80386 (DX) Computer
Besides my 8088 and 8086 machines I needed a machine that could run our old demos. So I bought a new toy.
It has 8Mb RAM and runs at 40MHz.
I've noticed that much of my VGA register manipulation code can't be run on a modern VGA monitor; I need a CRT for that. Another thing to buy.
Needed to fix Arduino code, due to TFT_eSPI library issues. And I've got an S3 with another resolution, but that was an easy fix. Then I needed to reinstall Node.js with another version. Had to modify the code because the TCP server would not start. Weird errors in the logging, but in the end fixed … very cool.
I'll probably end up designing a 3D-printed case that looks like a monitor or TV.
Moving DHCP from isc-dhcp-server to Mikrotik. And playing with The Dude and speedtesting.
I've got an old Linux gateway which only runs a DHCP server. Time to move this to a Mikrotik router.
The config on this isc-dhcp-server is huge! So I was planning to migrate some entries one by one by hand, maybe writing a script to do this automatically later on.
I've got loads of statically configured hosts, so I change these as follows:
Change the static host entry in dhcpd.conf to a deny booting entry (the old server then no longer answers that host).
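The "script to do this automatically" mentioned above, as an added example (not the author's own code): it reads isc-dhcp-server host blocks and emits the RouterOS static lease command plus the deny booting replacement block. The sample dhcpd.conf and the RouterOS server name "dhcp1" are assumptions.

```javascript
// Added example (not from the original post): read isc-dhcp-server "host" blocks and
// emit (a) the RouterOS "/ip dhcp-server lease add" command for each static host and
// (b) the replacement dhcpd.conf block with "deny booting;", so the old server stops
// answering a host once it has been moved. Only hostname, "hardware ethernet" and
// "fixed-address" are read; other statements are ignored.

// Constructed sample input in dhcpd.conf syntax (not the author's real config).
const SAMPLE_DHCPD_CONF = `
host nas {
  hardware ethernet 00:11:22:33:44:55;
  fixed-address 10.1.0.20;
}
host printer { hardware ethernet aa:bb:cc:dd:ee:ff; fixed-address 10.1.0.21; }
host nomac { fixed-address 10.1.0.22; }
`;

// Parse every "host <name> { ... }" block into { name, mac, ip }; blocks without a
// MAC or a fixed address are skipped because they cannot become a static lease.
function parseHosts(conf) {
  const hosts = [];
  const blockRe = /host\s+(\S+)\s*\{([^}]*)\}/g;
  let m;
  while ((m = blockRe.exec(conf)) !== null) {
    const mac = /hardware\s+ethernet\s+([0-9a-fA-F:]{17})\s*;/.exec(m[2]);
    const ip = /fixed-address\s+(\d{1,3}(?:\.\d{1,3}){3})\s*;/.exec(m[2]);
    if (mac && ip) hosts.push({ name: m[1], mac: mac[1].toUpperCase(), ip: ip[1] });
  }
  return hosts;
}

// RouterOS static lease; the DHCP server name "dhcp1" is an assumed placeholder.
function toRouterOsLease(host, server = "dhcp1") {
  return `/ip dhcp-server lease add address=${host.ip} mac-address=${host.mac} ` +
         `server=${server} comment="${host.name}"`;
}

// Same host in dhcpd.conf, but the old server now refuses to serve it.
function toDenyBooting(host) {
  return `host ${host.name} { hardware ethernet ${host.mac.toLowerCase()}; deny booting; }`;
}

// Run both conversions over a whole config.
function migrate(conf) {
  const hosts = parseHosts(conf);
  return { routeros: hosts.map(h => toRouterOsLease(h)), isc: hosts.map(toDenyBooting) };
}
```

Paste the routeros lines into a RouterOS terminal and the isc lines back into dhcpd.conf, one host at a time, to migrate without both servers answering the same client.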
The Dude is a cool tool which connects to your MT and generates all kinds of cool info. I was trying to get the frequency spectral scan working. But it also generates a nice network map.
Easy to install under Linux:
Install wine
Download The Dude from the MT website
Start: wine dude_install.exe
cd "/home/$USER/.wine/drive_c/Program Files (x86)/Dude"
But I didn't like the continuous automated logins.
So the solution below is what I've implemented for now.
I've installed the IOT extra package from Mikrotik; now I can send MQTT messages from my WiFi-enabled Mikrotiks to my Mosquitto broker. (Download the extra package zip, extract iot-7.x-arm.npk, upload this to your Mikrotik files folder, and reboot.) The script I'm running on my Mikrotik sends the active wifi connections with their comments. (When a comment is set in the Access List, it's a known connection.)
[admin@RB40111] /iot/mqtt> export
# may/15/2023 21:45:12 by RouterOS 7.9
# software id = xxxx-xxxx
#
# model = RB4011iGS+5HacQ2HnD
# serial number = xxxxxxxxxxxxxxxxx
/iot mqtt brokers
add address=10.1.x.y client-id=rb4011 name=NR
I made the following script on my MT, named mqtt:
:local broker "NR"
# MQTT topic where the message should be published
:local topic "rb4011/mac"
:foreach i in=[/interface wireless registration-table print proplist=mac-address as-value] do={
:local message "$i"
/iot mqtt publish broker=$broker topic=$topic message=$message
}
A schedule is needed to run this script every 15 minutes:
[admin@RB40111] /system/scheduler> export
# may/15/2023 21:48:14 by RouterOS 7.9
# software id = xxxx-xxx
#
# model = RB4011iGS+5HacQ2HnD
# serial number = xxxxxxxxxxx
/system scheduler
add interval=15m name=mqtt on-event=mqtt policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=may/15/2023 start-time=13:30:54
Now all wifi connections will be sent to topic rb4011/mac.
# Example
.id=*6a;comment=Mobile Henri wlan2;mac-address=44:46:87:xx:xx:xx
Using Node-RED I can make filters and notifications.
The function below gets the MAC and comment from the payload; if the comment is empty it is an unknown connection, so it sends me a warning using Pushover.
// filter function: pass the message on when the comment is empty (unknown client)
var output = msg.payload.split(";");   // [".id=*6a", "comment=...", "mac-address=..."]
var comment = output[1].split("=");    // ["comment", "<comment text, or empty>"]
var mac = output[2].split("=");        // ["mac-address", "<mac>"]
msg.payload = mac[1];                  // payload becomes the bare MAC address
if (comment[1] == "") {
  return msg;                          // unknown connection: send on to Pushover
}
// is xx:xx:xx:xx:xx:xx online? example: pass the message on only for one MAC
var output = msg.payload.split(";");
var comment = output[1].split("=");
var mac = output[2].split("=");
msg.payload = mac[1];
if (mac[1] == "xx:xx:xx:xx:xx:xx") {
  return msg;                          // the watched device is connected
}
Now I'm getting a notification when an unknown wifi connection is made on my access point. (I'm going to implement the Access List from MT at a later point: no access when not in the Access List.)
My work document for my Mikrotiks (also for my friend Vincent, who has a similar setup).
I'm going to collect information on this page for the changes below.
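A sturdier version of the two filter functions above, as an added example (not the author's Node-RED code): it parses the payload into a key/value map instead of relying on field positions, so the script still works if RouterOS changes the field order or a comment contains "=". The sample payloads and the watched MAC are constructed values.

```javascript
// Added example (not from the original post): parse the "key=value;key=value" payload the
// mqtt script publishes to rb4011/mac and decide whether the client is known (a comment
// was set in the Access List) or unknown. Unlike indexing output[1]/output[2], it does
// not depend on field order and splits each field only on its first "=", so a comment
// like "lab=esp32" survives.

// Constructed sample payloads in the format shown above (the MAC addresses are made up).
const SAMPLES = [
  ".id=*6a;comment=Mobile Henri wlan2;mac-address=44:46:87:00:11:22",
  ".id=*6b;comment=;mac-address=de:ad:be:ef:00:01",
  "mac-address=02:00:00:aa:bb:cc;.id=*6c;comment=lab=esp32",
];

// "a=1;b=2" -> { a: "1", b: "2" }; a part without "=" is ignored.
function parseRegistration(payload) {
  const fields = {};
  for (const part of payload.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    fields[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return fields;
}

// Known only when a non-empty comment is present; the MAC is lower-cased for comparing.
function classify(payload) {
  const f = parseRegistration(payload);
  const comment = f.comment || "";
  return { mac: (f["mac-address"] || "").toLowerCase(), comment, known: comment !== "" };
}

// Node-RED style function body for the Pushover branch: pass the message on only for
// unknown clients (payload = MAC); returning null drops known ones.
function unknownFilter(msg) {
  const c = classify(msg.payload);
  return c.known ? null : { ...msg, payload: c.mac };
}

// Node-RED style "is this device online?" branch for one watched MAC (constructed value).
function presenceFilter(msg, watchedMac = "44:46:87:00:11:22") {
  const c = classify(msg.payload);
  return c.mac === watchedMac.toLowerCase() ? { ...msg, payload: c.mac } : null;
}
```

In a Node-RED function node, the body of unknownFilter or presenceFilter replaces the original function, with msg coming from the MQTT-in node.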
WIFI
Access list connections only
Default forward – only certain clients
Guest network – better setup. I've got a folkband guest network right now and a captive portal AP on my internet router (outside my network). This is for colleagues of Coline.
Vlan for certain clients
Zerotier
Network routing
Security
IOT
Move all clients to own vlan
New or better VLAN setup
Example network with a DMZ part, using VLANs and trunks. Tested in my network, but not my current setup.
VLAN 3 – DMZ
VLAN 10 – Homenetwork
VLAN 128 – MGT
Modem: Fritzbox, is the DHCP server for the 192.168.1.1 network.
CRS: is the DHCP server for wlan, home network and management. A firewall with NAT is also configured here (no block examples below, only NAT).
RB (Routerboard 2011): has no IPs except for a management IP (not in the config below).
Server and reverse proxy are in the 192.168.1.1 network (DHCP requests in the DMZ VLAN (3) get their IP from the modem's DHCP pool).
Example IPs for server and PC:
server: gets DHCP from the modem, 192.168.1.10/24, gateway 192.168.1.1, DNS 192.168.1.1
PC: gets DHCP from the CRS, 10.10.0.1/24, gateway 10.10.0.253, DNS 1.1.1.1