...


The access list is used by an access point to restrict which remote devices are allowed to connect, and to control the connection parameters applied to each client.

Access list rules are processed one by one until a matching rule is found; the action of that rule is then executed and no further rules are consulted. If the action specifies that the client should be accepted, the client is accepted, and the connection parameters given in the rule override the client's default connection parameters (those taken from the wireless interface configuration).

There are the following parameters for access list rules:

  • client matching parameters:
    • address - MAC address of the client
    • mask - MAC address mask to apply when comparing client address
    • interface - optional; the rule matches only if this is the interface the client actually connects to
    • time - time of day and days when rule matches
    • signal-range - range in which client signal must fit for the rule to match
    • allow-signal-out-of-range - option which permits client's signal to be out of the range always or for some time interval
  • action parameter - specifies action to take when client matches:
    • accept - accept client
    • reject - reject client
    • query-radius - query the RADIUS server to decide whether this particular client is allowed to connect
  • connection parameters:
    • ap-tx-limit - tx speed limit in direction to client
    • client-tx-limit - tx speed limit in direction to AP (applies to RouterOS clients only)
    • client-to-client-forwarding - specifies whether to allow forwarding data received from this client to other clients connected to the same interface
    • private-passphrase - PSK passphrase to use for this client if some PSK authentication algorithm is used
    • radius-accounting - specifies if RADIUS traffic accounting should be used if RADIUS authentication gets done for this client
    • vlan-mode - VLAN tagging mode specifies if traffic coming from client should get tagged (and untagged when going to client).
    • vlan-id - VLAN ID to use if doing VLAN tagging

Operation:

  • Access list rules are checked sequentially.
  • Disabled rules are always ignored.
  • Only the first matching rule is applied.
  • If no rule matches the remote device, the default values from the wireless interface configuration are used.
  • If the remote device is matched by a rule that has authentication=no, the connection from that remote device is rejected.
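The following Python model is an added illustration of the evaluation order described above; it is not RouterOS code and not part of the original page. Rules are plain dicts keyed by the RouterOS parameter names from the list above, and the rule set, client records and interface defaults are constructed for the example. Two simplifications are assumed: a rule with no address matches any MAC, and when no rule matches, acceptance is decided by a boolean default-authentication entry in the interface defaults. Time-of-day matching is left out.

```python
"""Model of wireless access-list evaluation: rules checked sequentially,
disabled rules skipped, first match wins, interface defaults otherwise.
Added illustration; not RouterOS code."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Client:
    mac: str
    interface: str
    signal: int  # received signal strength in dBm


@dataclass
class Decision:
    action: str                # "accept", "reject" or "query-radius"
    rule_index: Optional[int]  # index of the matching rule; None if defaults applied
    params: dict = field(default_factory=dict)


CONNECTION_PARAMS = ("ap-tx-limit", "client-tx-limit", "client-to-client-forwarding",
                     "private-passphrase", "radius-accounting", "vlan-mode", "vlan-id")


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_matches(client_mac: str, address: str, mask: str) -> bool:
    # Bits cleared in the mask are ignored, so address=00:11:22:00:00:00 with
    # mask=FF:FF:FF:00:00:00 matches every MAC in that OUI.
    m = mac_to_int(mask)
    return (mac_to_int(client_mac) & m) == (mac_to_int(address) & m)


def signal_in_range(signal: int, rng: str) -> bool:
    lo, hi = (int(x) for x in rng.split(".."))  # RouterOS form, e.g. "-80..120"
    return lo <= signal <= hi


def rule_matches(rule: dict, client: Client) -> bool:
    if rule.get("disabled", False):
        return False  # disabled rules are always ignored
    if "address" in rule and not mac_matches(
            client.mac, rule["address"], rule.get("mask", "FF:FF:FF:FF:FF:FF")):
        return False
    if "interface" in rule and rule["interface"] != client.interface:
        return False
    if "signal-range" in rule and not signal_in_range(client.signal, rule["signal-range"]):
        return False
    return True  # assumption of this model: a rule without address matches any MAC


def evaluate(rules: list, client: Client, interface_defaults: dict) -> Decision:
    # Start from the interface defaults; an accepting rule overrides them.
    params = {k: v for k, v in interface_defaults.items() if k in CONNECTION_PARAMS}
    for i, rule in enumerate(rules):
        if not rule_matches(rule, client):
            continue
        action = rule.get("action", "accept")
        if action == "accept":
            params.update({k: rule[k] for k in CONNECTION_PARAMS if k in rule})
        return Decision(action, i, params)  # only the first matching rule is applied
    # No rule matched: fall back to the interface's default-authentication setting
    # (modelled here as a boolean; assumption of this example).
    fallback = "accept" if interface_defaults.get("default-authentication", True) else "reject"
    return Decision(fallback, None, params)


# Constructed sample rule set, in access-list order.
RULES = [
    {"address": "00:11:22:33:44:55", "action": "reject"},                   # 0: one blocked MAC
    {"disabled": True, "address": "00:11:22:00:00:00",
     "mask": "FF:FF:FF:00:00:00", "action": "reject"},                      # 1: disabled, never applied
    {"address": "00:11:22:00:00:00", "mask": "FF:FF:FF:00:00:00",
     "interface": "wlan1", "signal-range": "-80..120", "action": "accept",
     "ap-tx-limit": 5_000_000, "private-passphrase": "example-client-psk"},  # 2: OUI on wlan1
    {"action": "query-radius"},                                             # 3: everything else
]
INTERFACE_DEFAULTS = {"default-authentication": True,
                      "client-to-client-forwarding": True, "ap-tx-limit": 0}

if __name__ == "__main__":
    for c in (Client("00:11:22:33:44:55", "wlan1", -50),
              Client("00:11:22:AA:BB:CC", "wlan1", -60),
              Client("00:11:22:AA:BB:CC", "wlan1", -90)):
        print(c.mac, evaluate(RULES, c, INTERFACE_DEFAULTS))
```

Note how rule 0 shadows rule 2 for the blocked MAC even though rule 2 would accept it: the reject must sit above the broader accept, or it never takes effect. The third sample client falls through rule 2 on signal strength and ends up at the RADIUS query instead.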

...