fctc
newbie
Topic Author
Posts: 37
Joined: Sat Apr 16, 2011 10:03 pm

Few hotspot problems

Wed Jun 15, 2011 11:43 pm

I have got my hotspot set up with public IPs for our WISP. I am just doing some bench testing right now and have a /24 of public IPs. I try to assign a /27 and a /26 to two different ports with 2 hotspot servers, but it will not work; if I use the /24 it works just fine on one port only. Any thoughts? Also, with the hotspot working, I try to remote in to my computer from another internet source and it will not allow me to remote in or ping that computer, but I can surf the web just fine on that computer. Any way to solve this?
 
fctc
newbie
Topic Author
Posts: 37
Joined: Sat Apr 16, 2011 10:03 pm

Re: Few hotspot problems

Thu Jun 16, 2011 1:16 am

Update: I have got 2 hotspot servers working correctly; one is a /26 and the other is a /27. When I try to add my third one, which is a /26, it takes my range of IPs down to the second hotspot server. For example, hotspot 2 is 66-94 with the gateway of 65; when I try to add hotspot 3 starting at 96-159 with my default gateway of 95, it will take my default gateway automatically and make it 65, which will not allow anything else to work right. Any thoughts? Also, I still have not figured out how to allow remote desktop or pings through. I am using all public IPs and need to allow these through.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Few hotspot problems

Thu Jun 16, 2011 5:48 pm

Is your /24 routed to you, or does it only exist on the LAN of the ISP's router?

If the /24 is routed to you, you can easily set up different subnets on whatever interfaces you want (though with a hotspot setup this isn't generally what is done because it's not designed for it).

If however that /24 only exists on the LAN of the ISP's router, then things get very messy and complicated if you want to divide that /24 among other ports. You can play around with proxy-arp, but that is an ugly hack. The better solution would be to contact your ISP, get another /30 and ask them to route your /24 to you via the /30.
 
fctc
newbie
Topic Author
Posts: 37
Joined: Sat Apr 16, 2011 10:03 pm

Re: Few hotspot problems

Thu Jun 16, 2011 11:09 pm

Hey Feklar... The /24 is routed to me and I was able to get 2 ports to shrink down. The only trouble I had if I did 3 was I have to do both /26's before I do the /27. If I did one /26 then a /27 it was still okay, but as soon as I tried to do a /26 again it for some reason made the default gateway the same as the /27. I'm not 100% sure why it did that. So I got that to work out okay for now. I am running into trouble, though, pinging through and remote desktopping in through the hotspot. Is there any way to allow everything through the hotspot? The only reason I want the hotspot is for authentication purposes and so my customers can take their computers from one AP to another in town and log in and have internet. I am routing all public IPs, no private ones, so no NATing is being done. Each AP will have a hotspot. Do you guys see anything wrong with this? If so, please suggest a better way for me. I have also added in the IP binding to allow ICMP.

[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=167.142.XXX.129
gateway-status=167.142.XXX.129 reachable ether13 distance=1 scope=30
target-scope=10

1 ADC dst-address=67.55.XXX.0/26 pref-src=67.55.XXX.1 gateway=ether6
gateway-status=ether6 unreachable distance=0 scope=200

2 ADC dst-address=67.55.XXX.64/27 pref-src=67.55.XXX.67 gateway=ether7
gateway-status=ether7 reachable distance=0 scope=10

3 ADC dst-address=167.142.XXX.129/32 pref-src=167.142.XXX.132 gateway=ether13
gateway-status=ether13 reachable distance=0 scope=10

[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=167.142.XXX.132/32 network=167.142.XXX.129 interface=ether13
actual-interface=ether13

1 address=67.55.XXX.1/26 network=67.55.XXX.0 interface=ether6
actual-interface=ether6

2 address=67.55.XXX.67/27 network=67.55.XXX.64 interface=ether7
actual-interface=ether7

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
 
reverged
Member Candidate
Posts: 270
Joined: Thu Nov 12, 2009 8:30 am

Re: Few hotspot problems

Fri Jun 17, 2011 2:09 am

> .....when I try to add hotspot 3 starting at 96-159 with my default gateway of 95 it will take my default gateway automatically and make it 65 ....

Hotspot 3 looks like an invalid subnet.

In a /27, .96 is a network address with .97~.126
In a /26, .96 falls in .64 (.65~.126), so perhaps the reason the gateway was forced to .65
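
Added example (not part of the original thread, and not any poster's code): the alignment check reverged describes, applied to a constructed plan that mirrors the one in this thread. `192.0.2.0/24` stands in for the masked public /24, and the names `audit` and `free_blocks` are hypothetical.

```python
import ipaddress

# Constructed plan modelled on the thread: (name, gateway IP, prefix length).
# 192.0.2.0/24 (documentation range) stands in for the poster's masked /24.
PARENT = "192.0.2.0/24"
PLAN = [
    ("hotspot1", "192.0.2.1", 26),
    ("hotspot2", "192.0.2.65", 27),   # hosts .66-.94
    ("hotspot3", "192.0.2.95", 26),   # intended hosts .96-.159
]

def audit(plan):
    """Map each entry to the network its gateway/prefix really implies and
    report gateways on a network/broadcast address and overlapping networks."""
    networks, findings = {}, []
    for name, gateway, prefix in plan:
        iface = ipaddress.ip_interface(f"{gateway}/{prefix}")
        net = iface.network  # host bits cleared, giving the real network address
        networks[name] = net
        if iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{name}: {gateway} is not a usable host in {net}")
    names = list(networks)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if networks[a].overlaps(networks[b]):
                findings.append(f"{a} {networks[a]} overlaps {b} {networks[b]}")
    return networks, findings

def free_blocks(parent, prefix, used):
    """Aligned subnets of the given size in parent that overlap nothing in used."""
    candidates = ipaddress.ip_network(parent).subnets(new_prefix=prefix)
    return [str(c) for c in candidates if not any(c.overlaps(u) for u in used)]

if __name__ == "__main__":
    nets, problems = audit(PLAN)
    for name, net in nets.items():
        hosts = list(net.hosts())
        print(f"{name}: {net} usable {hosts[0]} - {hosts[-1]}")
    for p in problems:
        print("PROBLEM:", p)
    in_use = [nets["hotspot1"], nets["hotspot2"]]
    print("free /26:", free_blocks(PARENT, 26, in_use))
    print("free /27:", free_blocks(PARENT, 27, in_use))
```

With hotspot 1 and 2 in place, the only aligned /26 blocks left in the /24 start at .128 and .192; a range beginning at .96 only fits as a /27.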
 
fctc
newbie
Topic Author
Posts: 37
Joined: Sat Apr 16, 2011 10:03 pm

Re: Few hotspot problems

Fri Jun 17, 2011 4:45 am

> > .....when I try to add hotspot 3 starting at 96-159 with my default gateway of 95 it will take my default gateway automatically and make it 65 ....
>
> Hotspot 3 looks like an invalid subnet.
>
> In a /27, .96 is a network address with .97~.126
> In a /26, .96 falls in .64 (.65~.126), so perhaps the reason the gateway was forced to .65

Good point, I missed that one. I have just been getting overworked and frustrated trying to get this upgrade done at work and learn this device at the same time, and having 20 trouble calls a day because the guy before me left everything a mess. Thank you for your advice. Do you have any for my other question about allowing all traffic through the hotspot and not stopping pings or remote desktop for users like it is doing right now?
 
reverged
Member Candidate
Posts: 270
Joined: Thu Nov 12, 2009 8:30 am

Re: Few hotspot problems

Fri Jun 17, 2011 9:03 am

> Do you have any for my other question about allowing all traffic through the hotspot and not stopping pings or remote desktop for users like it is doing right now?

I'm not sure what you are asking for. You want some users to bypass the hotspot? In that case, put their MAC address in the hotspot bypass.

If they are not able to ping/RD after authentication, does your firewall allow inbound forwards?
NAT is off, yes?

I have several "hotspots" in buildings using publics and users are able to accept incoming connections, although I do it using 1:1 nat and an address list they have to opt in. I don't want to be the one exposing a client to attack without fair warning.

Log firewall drops when the ping is running.

Are the clients Windows 7?
 
fctc
newbie
Topic Author
Posts: 37
Joined: Sat Apr 16, 2011 10:03 pm

Re: Few hotspot problems

Fri Jun 17, 2011 3:34 pm

I know how to bypass the login by the binding; my main question is how come incoming pings and requests are getting stopped at my router and not going through. And yes, some of them are Windows 7.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Few hotspot problems

Fri Jun 17, 2011 3:41 pm

By default inbound traffic is allowed once a user is authenticated. Unless you turned that off specifically, the most likely issue is a host firewall. Windows 7 and Vista have that concept of areas (private, public, domain) where the host firewall may only permit ICMP and RDP on private and domain networks. A new hotspot network would be considered public by default.
 
fctc
newbie
Topic Author
Posts: 37
Joined: Sat Apr 16, 2011 10:03 pm

Re: Few hotspot problems

Fri Jun 17, 2011 6:22 pm

> By default inbound traffic is allowed once a user is authenticated. Unless you turned that off specifically, the most likely issue is a host firewall. Windows 7 and Vista have that concept of areas (private, public, domain) where the host firewall may only permit ICMP and RDP on private and domain networks. A new hotspot network would be considered public by default.

Thank you very much, I should have known that one. Lately I have just been overthinking things way too much instead of looking at the simple things that could answer my questions.
