Extending Router Hotspot Network with TAP100: Difference between revisions

From Teltonika Networks Wiki
No edit summary
No edit summary
Line 53: Line 53:
<li>In pop-up window navigate to firewall settings and choose custom and enter " Management ". This will create new firewall zone.  </li>
<li>In pop-up window navigate to firewall settings and choose custom and enter " Management ". This will create new firewall zone.  </li>
[[File:VLAN MANAGEMENT HOTSPOT5.png|border|class=tlt-border]]
[[File:VLAN MANAGEMENT HOTSPOT5.png|border|class=tlt-border]]
Furthermore, after creating the firewall zone on the LAN interface, please proceed to '''Network -> Firewall -> General Settings'''. It is important to ensure that the "Management" zone you created has the correct policies in place. They should be configured as follows :
<ol>
<li>Input : Accept </li>
<li>Output : Accept </li>
<li>Forward : Accept </li>
<li>Cowered networks : Management </li>
[[File:Management port zone.png|border|class=tlt-border]]
</ol>
</ol>
</ol>
With these configuration changes, we have made a management port on LAN 1. This allows us to access the router through the newly created interface IP (192.168.10.1), even after enabling the hotspot instance on the LAN network.
With these configuration changes, we have made a management port on LAN 1. This allows us to access the router through the newly created interface IP (192.168.10.1), even after enabling the hotspot instance on the LAN network.

Revision as of 11:27, 24 October 2023

The information in this page is updated in accordance with 00.07.05.0 firmware version. .

Introduction

This article contains instructions on how to extend RUT956 router hotspot network using TAP100 access point.

Configuration overview and prerequisites

Before we begin, let's take a look at the configuration that we are attempting to achieve and the prerequisites that make it possible. For this setup we are going to use Teltonika router RUT956 which LAN IP is 192.168.5.1 and access point TAP100 which LAN IP is 192.168.5.2

Prerequisites:

  • Router
  • TAP100
  • End device (PC, Laptop, Smartphone)
  • RMS account with router registered to it for full configurations capabilities

If you're having trouble finding any page or some of the parameters described here on your device's WebUI, you should turn on "Advanced WebUI" mode. You can do that by clicking the "Advanced" button, which is located at the top-right corner of the WebUI.

Router configuration

Configuring router LAN interface


Go to Network -> LAN and press edit button and in pop-up window perform following actions :

  1. Enter IPv4 address.
  2. Disable DHCP server

Router management port configuration

Before proceeding with the configuration of the hotspot interface, it's essential to configure the management port on our router. This is necessary because, after enabling the hotspot on the LAN interface, we will no longer be able to connect to the router using the router's LAN IP address. To create management port on port 1 of the device, firstly we need to navigate on router WebUI to Network -> VLAN -> Port based. While there do the following steps :

  1. Press "ADD" button
  2. On default VLAN ID 1 interface choose off on LAN 1
  3. On newly create VLAN interface on LAN 1 port choose untagged.
  4. Press Save & Apply

After this, navigate to Network -> LAN and add new interface. In pop-up window do the following steps :

  1. Enable
  2. IpV4 address : specify any private IP address. Make sure that this address will not be used for hotspot or any other instances. We are gonna chose 192.168.10.1
  3. Netmask : default can be left (255.255.255.0)
  4. Enable DHCP server
  5. In pop-up window navigate to physical settings and for interface choose eth0.3. If your newly created VLAN ID is left by default as 3, you have to choose eth0.3, but if you specify some other VLAN ID, for example VLAN 55, you will need to choose eth0.55
  6. In pop-up window navigate to firewall settings and choose custom and enter " Management ". This will create new firewall zone.
  7. Furthermore, after creating the firewall zone on the LAN interface, please proceed to Network -> Firewall -> General Settings. It is important to ensure that the "Management" zone you created has the correct policies in place. They should be configured as follows :
    1. Input : Accept
    2. Output : Accept
    3. Forward : Accept
    4. Cowered networks : Management

With these configuration changes, we have made a management port on LAN 1. This allows us to access the router through the newly created interface IP (192.168.10.1), even after enabling the hotspot instance on the LAN network.

Router Hotspot configuration


Creating hotspot local user


To set up a hotspot instance on the RUT956 router, we firstly must download the hotspot package from the device's package manager. You can access the package manager by navigating to the router's WebUI interface to System -> Package Manager -> Packages.

After you have successfully installed the hotspot package, the next step is to access hotspot configuration settings. Navigate to Services -> Hotspot -> Local users as we will be configuring local user authentication for our Hotspot instance. While in this section, please follow these steps :

  1. Enter username that you wish.
  2. Enter password that you wish.
  3. Press add button.

It's crucial to remember and securely store these credentials, as they will be used by users to authenticate themselves on the hotspot network successfully.

Hotspot interface configuration


Now that we've successfully created a hotspot local user, the next step is to configure the hotspot interface. To achieve this, let's navigate to the router's WebUI and access Services -> Hotspot -> General. Once there, please follow these steps:

  1. Choose LAN interface.
  2. Press "ADD" button.

Next, in the pop-up window, please click the "Enable" button. You can choose to either leave all other settings at their default values or make adjustments as per your preferences. For the purpose of this configuration, we'll maintain the default settings.

With this configuration in place, the hotspot will be enabled on the LAN interface, allowing it to function both as a wired and wireless network simultaneously.

IMPORTANT : After enabling this hotspot interface, it's important to note that you won't be able to access the router through its IP address, unless you have previously made management port. Another way to access router without management port configurations is through our Teltonika RMS. You can find instructions on how to generate WebUI access link on RMS here


Access point (TAP100) configuration

From the router's perspective, we've successfully configured all the necessary settings. Now, let's proceed to configure the TAP100.

To begin, we'll have to access TAP100's WebUI. Instructions on how to access the TAP100 WebUI can be found in another article on our Wiki here

After successfully establishing a connection to the TAP100 WebUI, the next step is to navigate to Network -> IP settings. Within this section, update the IPv4 address field to match the LAN network of your router. For instance, if your router's LAN belongs to the network 192.168.5.0/24 with a LAN IP address of 192.168.5.1, then configure your TAP100 with an IP address of 192.168.5.2 and a netmask of 255.255.255.0. This ensures that both devices are on the same network.

That concludes the necessary configuration steps for the TAP100. Now, let's establish the connection between your router and the TAP100. To do this, you can simply connect one end of an Ethernet cable to the router's LAN port and the other end to the TAP100's Ethernet IN port on the PoE injector. For more detailed installation instructions, please refer to the installation guide which can be found here


Access router through hotspot

With the current configuration, clients have access to the TAP100 WebUI but cannot reach the router's WebUI. This section outlines additional steps to enable hotspot clients to access the router's WebUI.

To achieve this, we only need to create one firewall rule on the router. Here's how to do it:

To do this, navigate on router WebUI to Network -> Firewall -> Traffic Rules.

Once there, we need to create new rule with the following details :

  1. Type  : Add new forward rule
  2. Name : Enter any desired name for this rule
  3. Source Zone : hotspot
  4. Destination Zone : lan (we will modify this later)
  5. Press "ADD" button

After completing these steps, a pop-up window will appear, where you need to enter the following details:

  1. Protocol: TCP
  2. Destination Zone  : Device (input)
  3. Destination Port  : HTTP (80), HTTPS(443)
  4. Don't forget to enable and save it

With this firewall rule in place, all clients connected to the hotspot will have access to the router's WebUI using the router LAN address (in our case, 192.168.5.1) and can reach the TAP100 WebUI via the tap100.rutos.net address.

Disabling wired hotspot capabilities on the router

With the initial setup, our router is capable of providing both a wired and wireless hotspot network. If you wish to disable the wired hotspot capabilities on the router, you can do so by accessing the router's WebUI and navigating to Network -> VLAN -> Port Based. In this section, simply select the "OFF" option for the ports you want to disable. It's important to keep in mind that you cannot disable all LAN ports since one of them is necessary for connecting to the TAP100. For example, if you have configured the management port on LAN 1 port, your TAP100 is connected to LAN 3 port, and you want to disable the wired hotspot capabilities on LAN 2, your VLAN configuration page should look like this :


Isolating hotspot clients communication

In our default setup, hotspot clients have the ability to communicate with each other. To restrict this communication, we'll need to make an adjustment on both your TAP100 device and your router.

  1. Access your TAP100 WebUI.
  2. Navigate to Network -> Wireless and click on the "Edit" button for your interface.
  3. In the configuration window, go to the Advanced Settings section and enable the "Isolate Clients" option by clicking the "ON" button.

To further ensure that clients connected to the router's Wi-Fi interface cannot communicate with hotspot clients, I recommend enabling the "Isolate Clients" option on your router wi-fi interface as well.

By implementing these adjustments, you'll effectively prevent communication between all hotspot clients regardless of whether they are connected to the Routers Hotspot Network directly or through TAP 100 AP.

Authenticating to the Hotspot network

After client connects to hotspot network, the authentication page should automatically open up on your default browser.

After entering the required details, clients will have internet connection. The credentials you need to use are the ones you specified when creating the local user earlier.