dtoffo
Trainer
Topic Author
Posts: 98
Joined: Tue May 17, 2011 9:19 am

Web Proxy authentication

Tue May 17, 2011 9:39 am

Hello.
I am new to the forum and a beginner with MikroTik routers (since August 2010...).
I successfully installed some RB 450G and RB 1100, and have some virtual machines for tests.

Now I am configuring an RB1100 for a customer who wants to authenticate users to decide who can go to the internet and who cannot.

I think that for this operation hotspot is too "large":
1. it is designed for a specific network only for hotspot users, while I need to authenticate users that are in my main network
2. it adds so many firewall rules (filter and nat) that it makes it difficult for me to maintain my logic
3. trying on virtual machines (VMware Player) I see TCP reset packets from RouterOS with hotspot for each connection between hosts on the virtual network, blocking all. Maybe it is something caused by the VMware network interface (being a hub instead of a switch, I suppose), but now I am configuring an RB1100 for a real-life environment and don't want adding a feature to break or slow down normal operations on the network

So I ask: is there a way to have simple authentication on the web proxy package? Even local; maybe it is not even necessary to have accounting or RADIUS: just define who can access the internet or not based on session authentication, like the "good-old" squid with a login page when you first try to browse the internet.

Thank you for any support... and for the great MikroTik products

Davide

PS: for now I am trying another way: I made a metarouter on the RB 1100 (...I forgot to mention: I'm using RouterOS version 5.2) only for the internet access from users... it seems to me not a polite way, but it can function... I'd prefer something on the main router.
 
Joshiii
newbie
Posts: 29
Joined: Wed May 20, 2009 10:13 am

Re: Web Proxy authentication

Tue May 17, 2011 10:26 am

You can use any RADIUS server (FreeRADIUS) or user man on the same MT or on another MT. Set up the hotspot and use one central database for authentication.
 
dtoffo
Trainer
Topic Author
Posts: 98
Joined: Tue May 17, 2011 9:19 am

Re: Web Proxy authentication

Tue May 17, 2011 1:01 pm

Thanks Joshiii for your reply, but I already knew that I can use RADIUS with hotspot: my problem is the hotspot itself: it is too complex (as I tried to explain in my previous post) for the simple need I have.

I would be happy if I could just enable hotspot, have no dynamic rules in the firewall and just manage the "hotspot" parameter to redirect non-authenticated users to hotspot and let authenticated users browse. Dynamic rules are what make me crazy and so I want to get rid of them.

thanks
 
dtoffo
Trainer
Topic Author
Posts: 98
Joined: Tue May 17, 2011 9:19 am

Re: Web Proxy authentication

Wed May 18, 2011 6:54 pm

Again fighting with hotspot: It seems great but something puzzles me: maybe I missed some documentation, but I can't understand:

- Can dynamic rules be managed in some manner?
for example: if I want them before or after something else
or better: can I put them in a specific chain instead of forward, input, to permit specifying my rules in main chains to invoke them only for some ports, or based upon address lists, and so on

- is hotspot linked to a specific interface or is it for all? In the rules I can't find where the incoming interface is checked, but again it seems to me important to have a choice "before" hotspot to make it available only on some conditions (for example: make all hotspot rules match a specific mark, and assign it in mangle)

I hope I explained my doubts... and I hope someone can dissipate them
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Web Proxy authentication

Wed May 18, 2011 7:02 pm

Don't touch the dynamic rules. They are what makes a Hotspot work. They actually are very simple. Read http://wiki.mikrotik.com/wiki/Manual:Cu ... ng_Hotspot for how they work.

Hotspots are only active on interfaces you specifically activate them on. This is performed via the hotspot=auth etc. checks in the dynamic firewall rules - those never evaluate to true for packets from interfaces that don't have a Hotspot on them, so hosts behind interfaces that don't run Hotspots are not affected by the dynamic rules and your usual rule set works like it normally does.

Hotspots are active on interfaces. They are active for ALL hosts behind an interface, but not for hosts behind other interfaces.

They are also the only realistic solution for what you're trying to achieve. If Hotspots don't match then RouterOS won't work for you.
 
dtoffo
Trainer
Topic Author
Posts: 98
Joined: Tue May 17, 2011 9:19 am

Re: Web Proxy authentication

Fri May 20, 2011 10:25 am

Thank you, fewi!
The link you provided is very interesting and explains how hotspot works. I think I previously looked at it but read only the first part, about customizing pages, instead of the rule explanation section.... I was absent-minded :shock:

I dare to ask again a little question, just for understanding: hotspot applies to ALL and ONLY hosts on the interface it was applied to, right? So I should never have an interface with a mix of hotspot clients AND regular hosts.
If I am trying to authenticate only some clients in a corporate subnet to make them access the internet I should not use hotspot, right? But then I don't know what to use (... it is the origin of this post): those clients have to work normally in the corporate network with any corporate user, but I have to make some people, independently of the host on which they log in, able to go to the internet.
... so definitely you are saying that hotspot does not suit my needs... any suggestion about what to use?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Web Proxy authentication

Fri May 20, 2011 5:37 pm

Are you using a Windows domain? Look into IAS or NPS depending on which version of Windows Server you are running.
 
dtoffo
Trainer
Topic Author
Posts: 98
Joined: Tue May 17, 2011 9:19 am

Re: Web Proxy authentication

Tue May 31, 2011 9:22 am

Maybe I am becoming redundant or missing something to explain my problem...

I ALREADY know how to use RADIUS authentication and I successfully used Microsoft IAS to authenticate against a domain.

I just want to request authentication (not important if by RADIUS or locally) for web proxy users from my corporate network and I can't find a way to do this.

The digression about hotspot was because I thought it could be an alternative, but your replies (... and thanks for them, fewi) made clear that I should not use hotspot on an interface where I don't want it to manage ALL the traffic with hotspot itself. I have in my corporate network services that I don't want to be in a hotspot network.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Web Proxy authentication

Tue May 31, 2011 4:00 pm

The built in proxy does not support authentication.
 
npf
just joined
Posts: 9
Joined: Mon Mar 11, 2013 10:45 pm

Re: Web Proxy authentication

Sun Jun 30, 2013 9:58 pm

> The built in proxy does not support authentication.

Hi all,

Would we have any chance to have the proxy software support authentication?
I'm also very interested indeed.

I love RouterOS because it can provide unsupported features via an OpenWrt metarouter (e.g. squid with basic authentication).
However, getting a fully working OpenWrt metarouter is a nightmare (the OpenWrt metarouter stuff seems abandoned for years...), so no luck either.

Please either make the proxy software provide authentication or improve the OpenWrt/metarouter support, PLEASE ..........
 
dtoffo
Trainer
Topic Author
Posts: 98
Joined: Tue May 17, 2011 9:19 am

Re: Web Proxy authentication

Wed Jul 17, 2013 2:50 pm

If useful, I think you can do something similar to authentication by enabling hotspot on the interface and putting the whole subnet in the walled garden. If someone tries to go out he/she will need to authenticate.
