"LOW data mode wifi" on MAX_BR1_82C1?

We have a MAX_BR1_82C1 as the main Internet/WiFi on our sailboat. It is configured with multiple WAN options like 4G, marina WiFi and the Iridium Pilot satellite system. We only use Iridium on long passages when we can't use 4G, and it is super expensive… I would like to minimize our internet usage when we use Iridium as our WAN provider. If possible it would be great to control who can connect to WiFi and what apps they can use.
Is it possible? What is the best way to implement this on MAX_BR1_82C1?

  • Add a 2nd SSID and vlan/subnet that can only use the Iridium satellite (enforced via iridium).
  • Only allow the first SSID to use Wifi WAN and Cellular. Priority outbound policy with just cell and wifi WAN.
  • Set healthcheck on the wired WAN (satellite) to disabled, set standby state to disconnect (to save bandwidth usage).
  • Create firewall rules and outbound policies that then control which applications can be used when the source VLAN/subnet is the one associated with the second SSID.

Thank you @MartinLangmaid for the ideas! My setup is the following:

  • MAX BR1 MK2 as the main source of our internet and WiFi on board a sailboat.
  • Rogue Wave DB Pro connected to the Pepwave's WAN port, which allows me to connect to any free marina/café WiFi when available.
  • One Wilson 4G Wide Band Omni antenna on the spreaders (10 m above deck), connected in place of one of the Pepwave's antennas; the second 4G antenna is still attached to the Pepwave and hopefully helps with MIMO.
  • 4G has a Google Fi SIM card and allows for 4G internet.
  • Iridium Pilot has not been used, and I was hoping that I could use my LAN port and configure it as WAN to connect Iridium to. Now it looks like I can not do this… However, I am OK for now with manually disconnecting my Rogue Wave cable and connecting Iridium to the WAN port every time we go offshore and use Iridium data… I like the idea of a data/device-restricted SSID that only one tablet can use while we are offshore.
    You mentioned in your reply to create a 2nd SSID and “use the Iridium satellite (enforced via iridium)”. How do I enforce via Iridium only?
  1. Create a New VLAN (eg 192.168.51.1)
  2. Create a New SSID, assign it to the VLAN you just made. Now anyone connecting to that new SSID gets a 192.168.51.x address.
  3. Create an outbound policy that says source network 192.168.51.0/24, destination any, enforced via WAN.

I have a somewhat similar question but a different setup… I use a separate AP for LAN WiFi (the MK2's WiFi is dedicated to WiFi as WAN). I have 4G LTE, WiFi as WAN 2.4 GHz, and WiFi as WAN 5 GHz as WAN options. All are currently in priority 1 using the Fastest Response outbound policy. This is on a boat, and sometimes all three WANs are connected, sometimes two, sometimes just one, depending on where the boat is and what signals are available. I would like to accomplish the following:

  • All devices except TVs/security cameras (i.e. computers, cell phones, guest devices, etc.) have access to all WANs under Fastest Response to ensure good connectivity for work, VoIP, WiFi calling/SMS, etc. (I am also fine specifying certain key devices, such as certain computers/phones, to have this priority in case "all devices except TVs/security cameras" is not possible.)
  • All TVs (streaming services) default to WiFi as WAN 2.4 GHz and/or WiFi as WAN 5 GHz, except when neither WiFi as WAN is available, in which case they should fall back to cellular (this is to cut down on bandwidth usage on 4G LTE when WiFi as WAN is available, so all traffic is not duplicated on the 4G LTE WAN).
  • All security cameras (constant upload) follow a similar case to the TVs (default to WiFi as WAN except when no WiFi as WAN is available, then fall back on 4G LTE).

Can someone please guide me on the best way to accomplish the above? I am guessing something will need to be done with MAC addresses? I can easily get all MAC addresses of the TVs and security cameras. I can also get MAC addresses for our most important devices (computers, cell phones), but I would like guest devices to follow the same rules, and we won't know their MAC addresses ahead of time as they connect as needed (but if this complicates things then it's fine keeping priority only for known computers and phones).

Thank you!

@mystery, you may try the below and let me know whether it works well.

Create the 3 VLANs below:

  • Guest VLAN - Computers, cell phones, guest devices, etc.
  • Streaming VLAN - TVs
  • Camera VLAN - Cameras

Then create the 5 outbound rules below:

1. Guest
Source: Guest VLAN
Destination: Any
Protocol: Any
Algorithm: Fastest Response Time
Connection: Cellular, 2.4GHz Wifi WAN, 5GHz Wifi WAN
When No Connections are Available: Drop the Traffic

2. Streaming
First rule
Source: Streaming VLAN
Destination: Any
Protocol: Any
Algorithm: Fastest Response Time
Connection: 2.4GHz Wifi WAN, 5GHz Wifi WAN
When No Connections are Available: Fall-through to Next Rule

Second rule
Source: Streaming VLAN
Destination: Any
Protocol: Any
Algorithm: Priority
Priority Order: 1) 5GHz Wifi WAN, 2) 2.4GHz Wifi WAN 3) Cellular
When No Connections are Available: Drop the Traffic
Terminate Sessions on Connection Recovery: Enable

3. Camera
First rule
Source: Camera VLAN
Destination: Any
Protocol: Any
Algorithm: Fastest Response Time
Connection: 2.4GHz Wifi WAN, 5GHz Wifi WAN
When No Connections are Available: Fall-through to Next Rule

Second rule
Source: Camera VLAN
Destination: Any
Protocol: Any
Algorithm: Priority
Priority Order: 1) 5GHz Wifi WAN, 2) 2.4GHz Wifi WAN 3) Cellular
When No Connections are Available: Drop the Traffic
Terminate Sessions on Connection Recovery: Enable

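As an added example (not Peplink's code and not part of any post above), the rule table just described, together with the "enforced via WAN" rule for the Iridium-only SSID from earlier in the thread, modelled in Python so the fall-through, Fastest Response and Priority behaviour can be checked for any combination of WANs that are currently up. The subnet-to-VLAN mapping (10.10.1.0/24 guest, 10.10.2.0/24 streaming, 10.10.3.0/24 cameras, 192.168.51.0/24 for the satellite SSID), the WAN names and the simplified rule semantics are assumptions made for the example; "Terminate Sessions on Connection Recovery" is not modelled.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Toy model of an outbound-policy table. Rules are evaluated top-down and the
# first rule whose source matches decides the traffic, unless it falls through.
# Rule semantics modelled here (an assumption, simplified from the thread):
#   enforced  - always the named WAN, regardless of its health-check state
#   fastest   - every listed WAN that is up is a candidate (sessions race)
#   priority  - the first listed WAN that is up
#   on_none   - "drop" or "fallthrough" when none of the listed WANs is up


@dataclass(frozen=True)
class Rule:
    name: str
    source: IPv4Network            # the "IP Network" source field (subnet ID + mask)
    algorithm: str                 # "enforced" | "fastest" | "priority"
    connections: tuple[str, ...]   # candidate WANs; order is the priority order
    on_none: str = "drop"


# Subnets are constructed for this example; they are not the poster's addresses.
GUEST, STREAM, CAM, SAT = (ip_network(n) for n in
    ("10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24", "192.168.51.0/24"))

RULES = (
    Rule("Iridium only", SAT, "enforced", ("Satellite",)),
    Rule("Guest", GUEST, "fastest", ("Cellular", "WiFi2.4", "WiFi5")),
    Rule("Streaming (WiFi only)", STREAM, "fastest", ("WiFi2.4", "WiFi5"), "fallthrough"),
    Rule("Streaming (fallback)", STREAM, "priority", ("WiFi5", "WiFi2.4", "Cellular")),
    Rule("Camera (WiFi only)", CAM, "fastest", ("WiFi2.4", "WiFi5"), "fallthrough"),
    Rule("Camera (fallback)", CAM, "priority", ("WiFi5", "WiFi2.4", "Cellular")),
)


def evaluate(rules, src_ip, wans_up):
    """Return (rule name, list of WANs the traffic may use), or (rule name, None)
    when the matching rule drops it. wans_up is the set of WANs passing health check."""
    src = ip_address(src_ip)
    for r in rules:
        if src not in r.source:
            continue
        if r.algorithm == "enforced":
            return r.name, [r.connections[0]]
        alive = [c for c in r.connections if c in wans_up]
        if alive:
            return r.name, alive[:1] if r.algorithm == "priority" else alive
        if r.on_none == "fallthrough":
            continue                 # hand the decision to the next matching rule
        return r.name, None
    # No rule matched: the implicit default rule, modelled as "any WAN that is up".
    return "default", sorted(wans_up) or None


if __name__ == "__main__":
    for ip, up in (("10.10.2.50", {"Cellular", "WiFi5"}),
                   ("10.10.2.50", {"Cellular"}),
                   ("10.10.3.8", set()),
                   ("192.168.51.7", set())):
        print(ip, sorted(up), "->", evaluate(RULES, ip, up))
```

Running the block shows the point of the two-rule pairs: a streaming client with 5 GHz WiFi WAN up never touches cellular, the same client with only cellular up falls through to the second rule and gets cellular, and a camera with nothing up is dropped by the second rule rather than leaking onto whatever comes back first.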

Thank you! I will test, but where do I enter the device MAC addresses to assign them to the various VLANs I am creating? Under DHCP reservation? Do I simply make sure they have an IP address in the newly created VLAN IP range? Also, when adding the outbound rule, I only see four options for “source”: any, IP address, IP network, MAC address. I do not see a VLAN option there…

Here’s an example … The VLANs were previously set up like this:

When the clients are connected via wi-fi it’s quite easy. The following image shows all clients connecting via the “Stat1” SSID being assigned to VLAN 102, for example.

Minor note: We inherited this set-up and this is not exactly the way we’d prefer to correlate VLANS with sub-nets number-wise but it works fine for an illustration.

The method @TK_Liew suggested will work well.


I do not use the Peplink device for LAN WiFi, so I do not think that creating an SSID on the Peplink and tagging it to a VLAN will do anything? The Peplink device handles WiFi as WAN and a separate AP handles WiFi for the LAN…

@mystery. Since you use a 3rd-party AP for LAN WiFi, I believe the AP is connected to the LAN port of the MK2. Ensure the LAN port of the MK2 is configured as Trunk Any, and that the AP supports 3 SSIDs tied to the respective VLANs.

Hope this helps.


Yes, the LAN AP is connected to the LAN port of the MK2. The port settings show that it is already set to Trunk Any. I did add the MAC addresses for the “high bandwidth” devices under a new LAN, but for some reason the DHCP server is not handing out the static IP addresses I assigned by MAC address in the 192.168.3.x series and is still handing out IPs in the 192.168.2.x series from my pre-existing untagged LAN. Is it a DHCP lease issue? If so, is there a way to release DHCP leases on the Peplink? Also, I still do not see any way to create outbound rules mapped to a VLAN… See screenshots attached. The Peplink supporting 3 SSIDs is not usable because I am not using the Peplink for any WiFi/SSID (Peplink WiFi is only WiFi as WAN). Thank you.

Anyone? The Peplink is still not handing out the 192.168.3.x IPs even after setting them using the device MAC addresses. Thanks!

Outbound rules are mapped to a network not a VLAN, but all VLANs have unique networks so that works great.

What is the LAN AP and what mode is it in? You want it in bridge mode, then you want it to create SSIDs attached to the VLANs the BR1 is presenting via the trunk interface.


What prefix should the IP Network be entered as? 192.168.3.1? And then all 192.168.3.1-255 IPs will follow that rule? If so, my issue is still getting the Peplink to hand out the 192.168.3.x IPs; for some reason it is not. Thank you!

You enter the subnet ID and the subnet mask.



That’s why I want more info on the access point plugged into the LAN of the BR1. That will need to be configured in bridge mode and then be able to ‘talk’ to the BR1 on the same VLAN.


Thank you, 192.168.3.0 makes sense now with the subnet.

I still cannot get the Peplink to assign the proper IP addresses. I thought there was a conflict with the prior lease (24-hour lease time), so I removed a device for a few days, went back, and it's still getting a random IP in the original/untagged network range even though I entered the MAC address into the new network I created and mapped it to a different IP. The AP is set to AP mode; bridge mode does something completely different, and it's been working fine in AP mode. The Peplink handles DHCP, so it's something with the Peplink acting weird.

Just a thought:
Assumed (LAN) setup:

  • MK2 <— LAN —> (3rd party) AP <-- WIFI --> [YOUR DEVICES]
  • The LAN port on the MK2 is a trunk port
  • The MK2 is the DHCP server for the whole LAN
  • The AP is not configured to provide multiple VLANs (though it may provide multiple SSIDs)
  • The MK2 is configured with multiple VLANS (say, untagged, VLAN1, VLAN2)

Desired outcome:
Categories are assigned VLAN/IP address based on what kind of device they are for proper outbound rule handling. This is mapped from which SSID the device connects to.

Possible diagnosis for the observed behavior:

  • DHCP services are defined per VLAN. I.e., the MAC address assigned to a particular IP address on one VLAN has no bearing on what IP address that MAC address would be assigned when connecting to some other VLAN.
    Specifically, an IP address assignment set up on VLAN 1 has no bearing on what will be assigned to the device if it connects as untagged.
  • If the AP does not tag a connection from a device (call it “D”) with a particular VLAN then all communications from that device will be untagged.
  • In that case D will be assigned an IP address by the MK2 from the untagged VLAN no matter what IP address is assigned to D in some other VLAN.

Is that what you are experiencing - all devices connecting via the third party AP are assigned IP addresses on the untagged VLAN?

If so, then you have to change your architecture to ensure that all devices connecting via WiFi get properly tagged. There are three obvious approaches:

  1. Let the AP do the tagging, e.g. on a per-SSID basis. Keep the port on the MK2 as trunk, and the IP address assignments can be based on which VLAN (tag) the device is assigned by the AP when connecting to it (i.e., the particular SSID). The outbound rules as per @TK_Liew et al. above. This approach is natural if you are employing Pepwave or other VLAN-savvy APs.

  2. The MK2 does the tagging by defining the Ethernet ports as access ports, each assigned the appropriate VLAN. Then use separate APs for each VLAN. That's messy.

  3. Don’t use VLANs. Simply partition your IP address space on the untagged LAN, and assign MAC addresses to the address segment they should belong to, and then create outbound rules accordingly. One SSID will do (and if you create more than one SSID then they’ll have no semantic significance w.r.t. IP address assignments). Messy and bureaucratic.

Go with (1) and get a proper AP device.

Cheers,

Z


Thank you, that explanation is very helpful. The LAN AP currently does not support SSID <-> VLAN tagging. Here is my thinking: what if I use the untagged network, 192.168.2.1, use the DHCP reservation function to assign 192.168.2.5-192.168.2.10 to the high-bandwidth devices using their MAC addresses, and then create the outbound rules using IP network 192.168.2.0 with subnet 255.255.255.240 so it only covers the IPs up to 192.168.2.14? Then I can set the DHCP IP range to start at 192.168.2.20 so all other devices are excluded from that specific outbound rule? The only things that would be in the range 192.168.2.1-192.168.2.14 would be the Peplink MK2 (.1), the LAN AP (.2) (and I may add another WAN device as .3 in the future), and five high-bandwidth devices .5-.9. Do the Peplink .1, AP .2, etc. somehow need to be excluded from the outbound rule? Can I instead say IP network 192.168.2.5 for the outbound rule, and will that cover only 192.168.2.5 to 192.168.2.19, or would it not work? I am trying to avoid making two rules for each high-bandwidth device MAC address or IP address, which would mean 10 rules versus just 2 rules if I can somehow segment these five high-bandwidth devices. Thank you so much!

Segmenting your untagged IP address space is a workable strategy (see #3 above). For segment definitions (for IP address assignments and the corresponding outbound policies) you may find a subnet calculator useful, e.g. http://www.subnet-calculator.com/.

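As an added example (not Peplink's code and not from either poster), the subnet arithmetic behind the carve-out proposed above, checked with Python's standard ipaddress module instead of a web subnet calculator. The infrastructure addresses, the five reserved hosts and the DHCP pool are reconstructed from the post; the MAC addresses are constructed placeholders. The example only shows what a /28 source network covers; whether the Peplink UI rejects or silently normalises a host address typed into the IP Network field is not something this thread states.

```python
from ipaddress import IPv4Address, ip_address, ip_network

# Reconstructed from the poster's plan: untagged LAN 192.168.2.0/24, MK2 at .1,
# LAN AP at .2, five high-bandwidth devices pinned by DHCP reservation to .5-.9,
# and the dynamic DHCP pool starting at .20. MACs are constructed placeholders.
LAN = ip_network("192.168.2.0/24")
INFRA = {"192.168.2.1": "MK2", "192.168.2.2": "LAN AP"}
RESERVATIONS = {
    "02:00:00:00:00:05": "192.168.2.5",
    "02:00:00:00:00:06": "192.168.2.6",
    "02:00:00:00:00:07": "192.168.2.7",
    "02:00:00:00:00:08": "192.168.2.8",
    "02:00:00:00:00:09": "192.168.2.9",
}
DHCP_POOL = (IPv4Address("192.168.2.20"), IPv4Address("192.168.2.254"))


def source_network(entry: str, prefixlen: int):
    """What an 'IP Network' source of <entry>/<prefixlen> actually describes.
    Returns (network, entry_was_a_valid_subnet_id). A host address such as
    192.168.2.5 is not a subnet ID for a /28; with strict=False it collapses
    to 192.168.2.0/28, so a rule cannot start at .5 and cover .5-.19."""
    net = ip_network(f"{entry}/{prefixlen}", strict=False)
    return net, net.network_address == ip_address(entry)


def covered(net, addrs):
    """The addresses from addrs that a rule on net would match, in address order."""
    return sorted((a for a in addrs if ip_address(a) in net), key=ip_address)


def pool_overlaps(net, pool=DHCP_POOL):
    """True if any dynamic lease from the pool could land inside the rule's source network."""
    lo, hi = pool
    return lo <= net.broadcast_address and hi >= net.network_address


def check_plan(prefixlen=28):
    """Summarise who a rule on 192.168.2.0/<prefixlen> would catch."""
    net, valid = source_network("192.168.2.0", prefixlen)
    return {
        "network": str(net),
        "valid_subnet_id": valid,
        "usable": f"{net.network_address + 1}-{net.broadcast_address - 1}",
        "high_bw_matched": covered(net, RESERVATIONS.values()),
        "infra_matched": covered(net, INFRA),
        "dhcp_pool_overlaps": pool_overlaps(net),
    }


if __name__ == "__main__":
    print(check_plan(28))   # /28 covers .1-.14; the pool from .20 stays outside
    print(check_plan(27))   # a /27 would also swallow .20-.31 of the dynamic pool
    print(source_network("192.168.2.5", 28))   # normalises to 192.168.2.0/28
```

The /28 (mask 255.255.255.240) spans 192.168.2.0 to .15, so the usable range really is .1 to .14 and a pool that starts at .20 cannot leak into the rule; the MK2's own .1 and the AP's .2 do fall inside it, which is why the example lists them separately. Going one bit wider to a /27 shows the failure mode: the first twelve dynamic leases would silently inherit the high-bandwidth policy.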

TK, when creating Outbound rules by MAC address, the “Terminate Sessions on Connection Recovery” option disappears. Any idea why? Thanks