
Manual-Interface-Wireless

College: College of Information Technology     Department: Department of Information Networks     Stage: 3
Course instructor: Alaa Abdul Hussein Mahdi Kareem       13/05/2015 08:52:50
Manual:Interface/Wireless
RouterOS wireless complies with the IEEE 802.11 standards. It provides complete support for 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac, as well as additional features such as WPA, WEP, AES encryption, Wireless Distribution System (WDS), Dynamic Frequency Selection (DFS), Virtual Access Point, the proprietary Nstreme and NV2 protocols and many more.
A wireless interface can operate in several modes: client (station), access point, wireless bridge, etc.
MANUAL: WIRELESS STATION MODES
A wireless interface in any of the station modes will search for an acceptable access point (AP) and connect to it. The connection between station and AP behaves slightly differently depending on the station mode used, so the correct mode must be chosen for the given application and equipment. The differences between the available station modes are described below.
The primary difference between station modes is how L2 addresses are processed and forwarded across the wireless link. This directly affects the ability of the wireless link to be part of an L2 bridged infrastructure.
If L2 bridging over the wireless link is not necessary, as in a routed or MPLS (Multiprotocol Label Switching) network, the basic mode=station setup is suggested and provides the highest efficiency.
Availability of a particular station mode depends on the wireless-protocol used in the wireless network. A connection between station and AP may be established even if the particular mode is not supported for the given protocol; beware that such a connection will not behave as expected with respect to L2 bridging.
802.11 LIMITATIONS FOR L2 BRIDGING
Historically, 802.11 AP devices were expected to bridge frames between the wired network segment and the wireless segment, but a station device was not expected to do L2 bridging.
Consider the following network:
[X]---[AP]-( )-[STA]---[Y]
where X-to-AP and STA-to-Y are Ethernet links, while AP and STA are connected wirelessly. According to 802.11, the AP can transparently bridge traffic between X and STA, but it is not possible to bridge traffic between AP and Y, or between X and Y.
The 802.11 standard specifies that frames between a station and an AP must be transmitted in the so-called 3-address frame format, meaning that the frame header contains three MAC addresses.
A frame transmitted from AP to station has the following addresses:
- destination address - address of the station device, which is also the radio receiver address
- radio transmitter address - address of the AP
- source address - address of the originator of the particular frame
A frame transmitted from station to AP has the following addresses:
- radio receiver address - address of the AP
- source address - address of the station device, which is also the radio transmitter address
- destination address - address of the final recipient of the frame
Since every frame must include the radio transmitter and receiver addresses, it is clear that the 3-address frame format is not suitable for transparent L2 bridging over a station: the station cannot send a frame with a source address different from its own (e.g. a frame from Y), and at the same time the AP cannot format a frame in a way that would include the address of Y.
802.11 includes an additional frame format, the so-called 4-address frame format, intended for the "wireless distribution system" (WDS), a system to interconnect APs wirelessly. In this format an additional address is added, producing a header that contains the following addresses:
- radio receiver address
- radio transmitter address
- destination address
- source address
This frame format includes all the information necessary for transparent L2 bridging over a wireless link. Unfortunately 802.11 does not specify how WDS connections should be established and managed, so any usage of the 4-address frame format (and WDS) is implementation specific.
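The address-field argument above is easiest to see with real header bytes. The following is an added example written for this page (it is not RouterOS code and not from the MikroTik manual): it packs 802.11 data headers for the three ToDS/FromDS combinations the text describes and shows what a station can put on the air when it relays a frame that came from host Y behind it. The topology and all MAC addresses are constructed sample values; in the 3-address case the only representable source address is the station's own, so Y's address is lost, while the 4-address (WDS-style) header carries it.

```python
import struct

# Frame Control byte 0: type = data (bits 2-3 = 0b10), subtype 0 -> 0x08
FC_DATA = 0x08
# Frame Control byte 1 flags
TO_DS = 0x01
FROM_DS = 0x02


def mac(text):
    """'02:00:00:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def fmt(raw):
    """6 raw bytes -> 'xx:xx:xx:xx:xx:xx'."""
    return ":".join(f"{b:02x}" for b in raw)


def build_data_header(ra, ta, da, sa, to_ds, from_ds):
    """Build an 802.11 data MAC header (24 bytes, or 30 with Address 4).

    Address field contents per the 802.11 ToDS/FromDS table:
      ToDS=1 FromDS=0 (STA->AP): Addr1 = BSSID (RA), Addr2 = SA (also TA), Addr3 = DA
      ToDS=0 FromDS=1 (AP->STA): Addr1 = DA (also RA), Addr2 = BSSID (TA), Addr3 = SA
      ToDS=1 FromDS=1 (WDS):     Addr1 = RA, Addr2 = TA, Addr3 = DA, Addr4 = SA
    """
    flags = (TO_DS if to_ds else 0) | (FROM_DS if from_ds else 0)
    fc = struct.pack("<BB", FC_DATA, flags)
    duration = b"\x00\x00"
    seq_ctl = b"\x00\x00"
    if to_ds and from_ds:
        return fc + duration + ra + ta + da + seq_ctl + sa
    if to_ds:
        if sa != ta:
            # SA and TA share one field: a station cannot put another device's
            # address there, which is exactly why plain station mode cannot bridge.
            raise ValueError("3-address STA->AP frame cannot carry SA != TA")
        return fc + duration + ra + ta + da + seq_ctl
    if from_ds:
        if da != ra:
            raise ValueError("3-address AP->STA frame cannot carry DA != RA")
        return fc + duration + ra + ta + sa + seq_ctl
    raise ValueError("IBSS (ToDS=0, FromDS=0) frames are out of scope here")


def parse_data_header(hdr):
    """Recover RA/TA/DA/SA (as strings) from a header built above."""
    flags = hdr[1]
    a1, a2, a3 = hdr[4:10], hdr[10:16], hdr[16:22]
    if flags & TO_DS and flags & FROM_DS:
        return {"ra": fmt(a1), "ta": fmt(a2), "da": fmt(a3), "sa": fmt(hdr[24:30])}
    if flags & TO_DS:
        return {"ra": fmt(a1), "ta": fmt(a2), "da": fmt(a3), "sa": fmt(a2)}
    if flags & FROM_DS:
        return {"ra": fmt(a1), "ta": fmt(a2), "da": fmt(a1), "sa": fmt(a3)}
    raise ValueError("unsupported header")


def station_relays_wired_frame(wired_sa, wired_da, sta, ap, four_address):
    """Header the station puts on the air for a frame it received from host Y on
    its Ethernet side, in plain station mode (3-address) or WDS-style (4-address)."""
    if four_address:
        # station-wds over 802.11: all four addresses are carried, Y's MAC survives.
        return build_data_header(ra=ap, ta=sta, da=wired_da, sa=wired_sa,
                                 to_ds=True, from_ds=True)
    # Plain station mode: the only representable SA is the station's own address,
    # so the AP side never learns that Y exists (station-pseudobridge does this
    # rewrite deliberately and keeps a translation table to undo it).
    return build_data_header(ra=ap, ta=sta, da=wired_da, sa=sta,
                             to_ds=True, from_ds=False)


# Constructed sample topology from the text: [X]---[AP]-( )-[STA]---[Y]
X = mac("02:00:00:00:00:01")
AP = mac("02:00:00:00:00:02")
STA = mac("02:00:00:00:00:03")
Y = mac("02:00:00:00:00:04")

if __name__ == "__main__":
    for four in (False, True):
        hdr = station_relays_wired_frame(Y, X, STA, AP, four)
        print(f"{len(hdr)}-byte header:", parse_data_header(hdr))
```

Running it prints a 24-byte header whose source address is the station, then a 30-byte header whose source address is Y; the `ValueError` branches are the two impossibilities the text states (a station sending with a foreign source address, an AP addressing a host behind the station).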
The other station modes attempt to solve the shortcomings of the standard station mode to provide support for L2 bridging.
1. Mode station
This is the standard mode and does not support L2 bridging on the station: attempts to put the wireless interface in a bridge will not produce the expected results. On the other hand, this mode can be considered the most efficient and should therefore be used whenever L2 bridging on the station is not necessary, as in a routed or MPLS switched network. This mode is supported for all wireless protocols.
2. Mode station-wds
This mode works only with RouterOS APs. As a result of negotiating the connection, a separate WDS interface is created on the AP for the given station. This interface can be thought of as a point-to-point connection between the AP and that station: whatever is sent out of the WDS interface is delivered to the station (and only to that station), and whatever the station sends to the AP is received from the WDS interface (and is not subject to forwarding between AP clients), preserving L2 addresses.
This mode is supported for all wireless protocols, except when the 802.11 protocol is used in a connection to a non-RouterOS device. The mode uses the 4-address frame format with the 802.11 protocol; for other protocols (such as nstreme or nv2), protocol-internal means are used.
This mode is safe to use for L2 bridging and gives the most administrative control on the AP by means of the separate WDS interface, for example use of the bridge firewall, RSTP for loop detection and avoidance, etc.
3. Mode station-pseudobridge
From the wireless connection point of view, this mode is the same as standard station mode. It has limited support for L2 bridging by means of some services implemented in the station:
- MAC address translation for IPv4 packets - the station maintains an IPv4-to-MAC mapping table, replaces the source MAC address with its own address when sending a frame to the AP (in order to be able to use the 3-address frame format), and replaces the destination MAC address with the address from the mapping table for frames received from the AP. IPv4-to-MAC mappings are built also for VLAN encapsulated frames.
- single MAC address translation for the rest of the protocols - the station learns the source MAC address from the first forwarded non-IPv4 frame and uses it as the default for reverse translation: this MAC address replaces the destination MAC address of frames received from the AP whenever IPv4-to-MAC mapping cannot be performed (e.g. a non-IPv4 frame or a missing mapping).
This mode is limited to complete L2 bridging of data to a single device connected to the station (by means of single MAC address translation) and some support for IPv4 frame bridging; bridging of non-IP protocols to more than one device will not work. MAC address translation also limits access to the station device from the AP side to IPv4-based access: the rest of the protocols will be translated by single MAC address translation and will not be received by the station itself.
This mode is available for all protocols except nv2 and should be avoided when possible. Its use can only be justified if the AP does not support a better mode for L2 bridging (e.g. when a non-RouterOS AP is used) or if only one end-user device must be connected to the network by means of the station device.
4. Mode station-pseudobridge-clone
This mode is the same as station-pseudobridge mode, except that it connects to the AP using a "cloned" MAC address: either the address configured in the station-bridge-clone-mac parameter (if configured) or the source address of the first forwarded frame. To the AP this appears as if the end-user device connected to the station were itself connected to the AP.
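The limits of station-pseudobridge and station-pseudobridge-clone follow directly from the two translation rules above. The model below is an added example written for this page, not RouterOS code: it implements only the IPv4-to-MAC table, the single-MAC fallback for everything else, and the clone-mode choice of radio address, on constructed sample frames. The `own_ips` parameter is an assumption of this model (the station's own IPv4 addresses, so that IPv4 management access to the station keeps working as the text says); how RouterOS actually recognises its own traffic is not stated on the page. The run shows the consequences the text warns about: a second non-IPv4 host behind the station never receives its frames, and non-IPv4 frames addressed to the station itself are diverted to the first learned host.

```python
from dataclasses import dataclass, replace
from typing import Optional

ETH_IPV4 = 0x0800
ETH_IPV6 = 0x86DD
ETH_VLAN = 0x8100


@dataclass(frozen=True)
class Frame:
    """Minimal Ethernet frame: IPv4 frames carry ip_src/ip_dst; 802.1Q frames
    carry the encapsulated ethertype in inner_ethertype."""
    dst: str
    src: str
    ethertype: int
    inner_ethertype: Optional[int] = None
    ip_src: Optional[str] = None
    ip_dst: Optional[str] = None

    def is_ipv4(self):
        return self.ethertype == ETH_IPV4 or (
            self.ethertype == ETH_VLAN and self.inner_ethertype == ETH_IPV4)


class PseudoBridgeStation:
    """Model of the translation services the text describes (not RouterOS code).
    own_ips: assumed IPv4 addresses of the station itself."""

    def __init__(self, own_mac, own_ips=(), clone=False, clone_mac=None):
        self.own_mac = own_mac
        self.own_ips = set(own_ips)
        self.clone = clone
        # Address presented to the AP: the station's own MAC, or in clone mode
        # station-bridge-clone-mac if set, else the source of the first forwarded frame.
        self.air_mac = clone_mac if clone else own_mac
        self.ip_to_mac = {}       # IPv4 address -> MAC of the wired host that owns it
        self.default_mac = None   # single-MAC translation target for non-IPv4 traffic

    def to_ap(self, frame):
        """Wired side -> AP. Learn the host, then rewrite the source MAC so the
        frame fits the 3-address format (SA must equal the transmitting radio)."""
        if self.clone and self.air_mac is None:
            self.air_mac = frame.src
        if frame.is_ipv4():
            self.ip_to_mac[frame.ip_src] = frame.src
        elif self.default_mac is None:
            self.default_mac = frame.src
        return replace(frame, src=self.air_mac)

    def from_ap(self, frame):
        """AP -> wired side. IPv4: deliver to the station itself, or restore the
        destination from the table. Anything else, and IPv4 with no mapping,
        gets single-MAC translation to the first non-IPv4 sender."""
        if frame.is_ipv4():
            if frame.ip_dst in self.own_ips:
                return frame
            host = self.ip_to_mac.get(frame.ip_dst)
            if host is not None:
                return replace(frame, dst=host)
        if self.default_mac is not None:
            return replace(frame, dst=self.default_mac)
        return frame


if __name__ == "__main__":
    # Constructed sample addresses: X is on the AP side, Y1/Y2 behind the station.
    X, STA = "02:00:00:00:00:01", "02:00:00:00:00:03"
    Y1, Y2 = "02:00:00:00:00:11", "02:00:00:00:00:12"
    st = PseudoBridgeStation(STA, own_ips={"10.0.0.3"})
    st.to_ap(Frame(X, Y1, ETH_IPV6))
    st.to_ap(Frame(X, Y2, ETH_IPV6))
    # Both IPv6 replies land on Y1: only one non-IPv4 host can be bridged.
    print(st.from_ap(Frame(STA, X, ETH_IPV6)).dst)
```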
5. Mode station-bridge
This mode works only with RouterOS APs and provides support for transparent, protocol-independent L2 bridging on the station device. A RouterOS AP accepts clients in station-bridge mode when this is enabled using the bridge-mode parameter. In this mode the AP maintains a forwarding table with information on which MAC addresses are reachable over which station device.
This mode is MikroTik proprietary and can't be used to connect other brands of devices. This mode is safe to use for L2 bridging and should be used whenever there are sufficient reasons not to use station-wds mode.
INTERFACE WIRELESS ACCESS-LIST
The access list is used by an access point to restrict allowed connections from other devices, and to control connection parameters.
Operation:
- Access list rules are checked sequentially.
- Disabled rules are always ignored.
- Only the first matching rule is applied.
- If there are no matching rules for the remote connection, then the default values from the wireless interface configuration are used.
- If the remote device is matched by a rule that has authentication=no, the connection from that remote device is rejected.
INTERFACE WIRELESS CONNECT-LIST
connect-list is used to assign priority and security settings to connections with remote access points, and to restrict allowed connections. connect-list is an ordered list of rules. Each rule in connect-list is attached to a specific wireless interface, specified in the interface property of that rule (unlike access-list, where rules can apply to all interfaces). A rule can match the MAC address of the remote access point, its signal strength and many other parameters.
Operation:
- connect-list rules are always checked sequentially, starting from the first.
- Disabled rules are always ignored.
- Only the first matching rule is applied.
- If connect-list does not have any rule that matches the remote access point, then the default values from the wireless interface configuration are used.
- If an access point is matched by a rule that has connect=no, connection with this access point will not be attempted.
- If an access point is matched by a rule that has connect=yes, connection with this access point will be attempted.
  - In station mode, if several remote access points are matched by connect-list rules with connect=yes, connection will be attempted with the access point matched by the rule that is higher in the connect-list.
  - If no remote access points are matched by connect-list rules with connect=yes, then the value of the default-authentication interface property determines whether the station will attempt to connect to any access point. If default-authentication=yes, the station will choose the access point with the best signal and compatible security.
- In access point mode, connect-list is checked before establishing a WDS link with a remote device. If the access point is not matched by any rule in the connect-list, then the value of default-authentication determines whether the WDS link will be established.
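The evaluation rules of both lists (access-list above and connect-list here) are the same first-match scan with different consequences, and the subtle cases are the ones that cause surprises in the field: a disabled deny rule that silently lets a client through, a weaker AP chosen because its rule sits higher, rules bound to another interface being ignored. The following is an added example written for this page, not RouterOS code: a small evaluator over constructed rules and remote devices that implements exactly the bullet points on the page. It reduces a rule to a MAC match, an interface binding, an inclusive signal range and a yes/no action; the "compatible security" condition of the default-authentication fallback is not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    """One access-list or connect-list entry, reduced to the fields this model needs."""
    mac: Optional[str] = None          # remote MAC to match; None matches any
    interface: Optional[str] = None    # connect-list: the interface the rule belongs to
    signal_range: tuple = (-120, 120)  # dBm, inclusive bounds
    disabled: bool = False
    allow: bool = True                 # authentication=yes/no (access-list), connect=yes/no (connect-list)


@dataclass
class Remote:
    mac: str
    signal: int   # dBm


def first_match(rules: List[Rule], remote: Remote, interface: Optional[str] = None) -> Optional[int]:
    """Index of the first enabled rule matching the remote device, or None.
    Rules are scanned in order, disabled rules are skipped, the first hit wins."""
    for pos, rule in enumerate(rules):
        if rule.disabled:
            continue
        if interface is not None and rule.interface != interface:
            continue
        if rule.mac is not None and rule.mac.lower() != remote.mac.lower():
            continue
        low, high = rule.signal_range
        if not low <= remote.signal <= high:
            continue
        return pos
    return None


def ap_accepts_client(rules, client, default_authentication):
    """access-list on an AP: the first matching rule's authentication= decides;
    with no match the interface's default-authentication applies."""
    pos = first_match(rules, client)
    return default_authentication if pos is None else rules[pos].allow


def station_chooses_ap(rules, interface, seen_aps, default_authentication):
    """connect-list on a station; rules bound to other interfaces are ignored.
    Among APs matched by connect=yes rules the one hit by the highest rule wins.
    APs matched by connect=no are never tried. If nothing matched with connect=yes,
    default-authentication=yes picks the strongest unmatched AP."""
    best, best_pos = None, None
    unmatched = []
    for ap in seen_aps:
        pos = first_match(rules, ap, interface)
        if pos is None:
            unmatched.append(ap)
        elif rules[pos].allow and (best is None or pos < best_pos):
            best, best_pos = ap, pos
    if best is not None:
        return best
    if default_authentication and unmatched:
        return max(unmatched, key=lambda ap: ap.signal)
    return None


if __name__ == "__main__":
    # Constructed sample: a disabled deny rule does nothing, so the client is admitted
    # by the later "good signal" rule.
    acl = [Rule(mac="02:00:00:00:00:aa", disabled=True, allow=False),
           Rule(signal_range=(-75, 120), allow=True)]
    print(ap_accepts_client(acl, Remote("02:00:00:00:00:aa", -50), default_authentication=False))
```

The order of `rules` is the order of the list on the device: `station_chooses_ap` deliberately prefers an AP matched by rule 0 at -80 dBm over one matched by rule 1 at -40 dBm, because that is what "rule higher in the connect-list" means, and the signal only decides among APs that no rule matched.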
INTERFACE WIRELESS SECURITY-PROFILES
Basic properties
mode (one of none, static-keys-optional, static-keys-required or dynamic-keys; default value: none):
- none - Encryption is not used. Encrypted frames are not accepted.
- static-keys-required - WEP mode. Do not accept and do not send unencrypted frames. A station in static-keys-required mode will not connect to an access point in static-keys-optional mode.
- static-keys-optional - WEP mode. Support encryption and decryption, but also allow receiving and sending unencrypted frames. The device will send unencrypted frames if the encryption algorithm is specified as none. A station in static-keys-optional mode will not connect to an access point in static-keys-required mode. See also: static-sta-private-algo, static-transmit-key
- dynamic-keys - WPA mode.
Note that both static-keys modes are WEP, which is cryptographically broken; dynamic-keys is the only mode suitable where confidentiality or access control matters.
MANAGEMENT FRAME PROTECTION
Used for: deauthentication attack prevention and the MAC address cloning issue.
RouterOS implements a proprietary management frame protection algorithm based on a shared secret. Management frame protection means that a RouterOS wireless device is able to verify the source of a management frame and confirm that the particular frame is not malicious. This feature allows RouterOS based wireless devices to withstand deauthentication and disassociation attacks.
Management protection mode is configured in the security-profile with the management-protection setting. Possible values are:
- disabled - management protection is disabled (default).
- allowed - use management protection if supported by the remote party (for an AP: allow both clients without and with management protection; for a client: connect both to APs with and without management protection).
- required - establish association only with remote devices that support management protection (for an AP: accept only clients that support management protection; for a client: connect only to APs that support management protection).
With allowed, protection is only in effect when both sides support it; only required guarantees that every association on the interface is protected.
The management protection shared secret is configured with the security-profile management-protection-key setting.
When the interface is in AP mode, the default management protection key (configured in the security-profile) can be overridden by the key specified in access-list or by a RADIUS attribute.
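To make concrete why a shared secret defeats the classic deauthentication attack and how the three settings combine, here is an added example written for this page. It is a model, not RouterOS code, and the authenticator it uses (an HMAC-SHA256 over the addresses, subtype and a sequence number) is this example's own stand-in for the proprietary algorithm, whose details the page does not give. The replay check is likewise this model's addition. Addresses, the key and the frames are constructed sample values. The run shows an unprotected link being torn down by a spoofed deauth, and a protected link ignoring the same frame because the attacker cannot produce a valid tag.

```python
import hashlib
import hmac

DEAUTH, DISASSOC = 0x0C, 0x0A   # 802.11 management frame subtypes


def negotiate(ap_setting, station_setting):
    """Result of the two management-protection settings: 'protected',
    'unprotected', or None when association is refused."""
    def supports(setting):
        return setting in ("allowed", "required")
    if ap_setting == "required" and not supports(station_setting):
        return None
    if station_setting == "required" and not supports(ap_setting):
        return None
    if supports(ap_setting) and supports(station_setting):
        return "protected"
    return "unprotected"


def mgmt_tag(key, sa, da, subtype, seq):
    """Illustrative authenticator over the fields a spoofer controls
    (HMAC-SHA256 truncated to 16 bytes). Not RouterOS's algorithm."""
    msg = f"{sa}|{da}|{subtype}|{seq}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


class Association:
    """Station-side view of one association with an AP."""

    def __init__(self, ap_mac, sta_mac, key, protected):
        self.ap_mac, self.sta_mac, self.key = ap_mac, sta_mac, key
        self.protected = protected
        self.associated = True
        self.last_seq = -1   # replay guard (this model's addition)

    def reassociate(self):
        self.associated = True

    def receive_mgmt(self, sa, da, subtype, seq, tag=None):
        """Handle a deauth/disassoc frame that claims to come from the AP."""
        if subtype not in (DEAUTH, DISASSOC) or da != self.sta_mac or sa != self.ap_mac:
            return "ignored"
        if self.protected:
            expected = mgmt_tag(self.key, sa, da, subtype, seq)
            if tag is None or not hmac.compare_digest(tag, expected):
                return "rejected: bad or missing authenticator"
            if seq <= self.last_seq:
                return "rejected: replay"
            self.last_seq = seq
        # Plain 802.11 deauth/disassoc is unauthenticated: an unprotected link must obey.
        self.associated = False
        return "accepted"


def attacker_deauth(link, seq):
    """Attacker spoofs the AP's address but does not know the shared secret."""
    return link.receive_mgmt(link.ap_mac, link.sta_mac, DEAUTH, seq, tag=b"\x00" * 16)


def ap_deauth(link, seq):
    """Genuine deauth from the AP, tagged with the shared secret."""
    tag = mgmt_tag(link.key, link.ap_mac, link.sta_mac, DEAUTH, seq)
    return link.receive_mgmt(link.ap_mac, link.sta_mac, DEAUTH, seq, tag=tag)


if __name__ == "__main__":
    # Constructed sample addresses and key.
    AP, STA, KEY = "02:00:00:00:00:02", "02:00:00:00:00:03", b"shared-secret"
    for ap_mode, sta_mode in (("disabled", "allowed"), ("required", "required")):
        outcome = negotiate(ap_mode, sta_mode)
        link = Association(AP, STA, KEY, protected=(outcome == "protected"))
        print(ap_mode, sta_mode, outcome, attacker_deauth(link, 1), "associated:", link.associated)
```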
