lispie
just joined
Topic Author
Posts: 8
Joined: Thu Jun 08, 2006 5:21 pm

Selecting "out" interfaces?

Wed Aug 24, 2011 10:54 am

G'day folks,

I hope I'm not asking what has already been explained, but I have been reading all sorts of areas and getting confused with this, so I thought it best to ask.

I am setting up a hotspot for a school network using an RB450G. The purpose is to account for the students' usage.

Now I must emphasize that I do not have control over this network, as it is integrated with a private network covering schools nationwide, so I cannot do anything with the main gateway, etc. All the 10.x.x.x IPs are part of this external network.

The solution I am looking at implementing will be a "plug in, plug out" solution, which will only require minimal effort to restore the network to its current state should the need arise. (Basically, to implement this, the DHCP server on the Mac server is turned off and the clients are served via the RB450; to switch back, unplug the RB450, turn the Mac server's DHCP back on, reset the switches to force a DHCP reload, and all should be back to original.)

The MikroTik will assign the clients 192.168.x.x addresses via DHCP, and these will point at the HotSpot interface (eth2) as the de facto default gateway for these clients. This is a logical separation only, as the 10.x.x.x and 192.168.x.x networks share the same physical network.

The school servers will be accessed via the other RB450 ports (eth3 and eth4), statically routed.

Now comes the problem.... The default gateway for the main network is on the same IP range as the servers, and the default route always comes up as reachable on eth3, but I want the hotspot to use eth1 to access the external traffic, and I cannot see how you set an "out" interface for the hotspot.

How can I get the local traffic to use eth3 - eth4 and the external traffic to use eth1 - eth2?

Existing network:

Image

Modified network (changes in yellow):

Image
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Selecting "out" interfaces?

Wed Aug 24, 2011 8:04 pm

A much cleaner, more secure, and easier solution would be something along these lines. Also, you cannot have the same subnet shared on multiple routed interfaces like you have it listed below.

1.) Set up a secondary SSID on all access points, and dedicate that SSID to the students, encrypt it or leave it open. I would definitely encrypt the staff SSID.
2.) Separate the secondary SSID with a VLAN tag, use managed switches to get that VLAN to the RB450G.
3.) Set up hotspot services etc on the 450.

What you are proposing to do with your network diagrams, if I am reading them correctly, is not secure and while you may be able to get it to work, is very messy. Just because you have two separate broadcast domains does not make them secure, it would be a matter of seconds for a student to figure out what the other subnet is, and potentially attempt to gain access to those computers. By separating the students with a different VLAN, you are still using the same hardware to connect them, but they have no access to the other subnet. This setup also has the added benefit of you not having to mess around with their current gateway, or DHCP server. You just have to configure the switches and access points appropriately to separate the two.
 
lispie
just joined
Topic Author
Posts: 8
Joined: Thu Jun 08, 2006 5:21 pm

Re: Selecting "out" interfaces?

Wed Aug 24, 2011 10:41 pm

Thanks for your answer.

Local security is not the issue, we just want to account for external traffic.

Unfortunately, I can't do as you suggested as I do not have access to the switches, just as I don't for the routers. If I had this access, the job would be very simple and I would just use the RB450 as the gateway with the hotspot on it, but this is not the case.

Also, the network is mostly hard wired, not wireless. There is a wifi network, but I also do not have access to it either (it was installed by an external contractor and under a support contract).

I also cannot change much on the servers as they are mostly externally managed with VPN connections and the like... all out of my hands.

(It feels a bit like trying to swim with your hands and feet tied!)

As for access to the schools servers, the students have access to that network. Effectively, it is the "walled garden" of sorts. I am not trying to separate them from it.

What I was attempting to do was allow access to the 10.x.x.x network via eth3 and eth4 but have this path block 10.224.96.1 (the gateway), and on eth1 have the hotspot external interface, which only accesses the gateway, not the 10.x.x.x network. So effectively they are separate, but not able to be subnetted, for obvious reasons.

That way the only way they could get to the internet would be via the hotspot, and therefore that traffic would be accounted for in RADIUS.

This would also mean that these ports would only be serving traffic for the local 10.x.x.x network and the internet traffic would be going via eth1 and eth2, effectively lessening the load (which is why I didn't want to bundle everything via the hotspot interfaces).

I also have the Mac OS X server with a second IP added in the 192.168.x.x network as this serves the clients with their roaming client function. As it already has delays and bottlenecks, I wanted to make sure that it bypassed the rb450 completely.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Selecting "out" interfaces?

Thu Aug 25, 2011 4:30 pm

You are going to have a very messy setup on your hands then if you want to move forward with it.

Also, not to be rude, since the servers, routers, and other network equipment are under support contracts, are you sure you're not violating those contracts by messing around with the network? If the school is paying someone to manage and support the network, it's best to go through them for your needs since they are expected to fix anything that could go wrong. I would look into that first before even touching a cable at this point.

If that's all fine, you can still basically accomplish what you want by putting the RB in line between their router and the rest of the network. You can run multiple subnets on a routed interface without an issue; it's just considered bad practice to do so. The tricky part comes in because of the hotspot and allowing access between all devices; you'll also not want to run universal NAT on the RouterBOARD or it will ARP poison the network, making access difficult. Keep in mind that by doing something like that, however, you are going to kill remote access to a lot of stuff, and double NATing traffic can cause issues at times.
 
lispie
just joined
Topic Author
Posts: 8
Joined: Thu Jun 08, 2006 5:21 pm

Re: Selecting "out" interfaces?

Fri Aug 26, 2011 1:15 am

Thanks again, Feklar.

The different contracts, etc, have been added along with separate services that the school has obtained over the years, and there are already problems created because of it. (It's either an ARGH! or a ROFL! depending on your sense of humour!)

But they want me to get the accounting going, so I will do it, even though I am adding yet another one LOL! (On a serious note though, that is why I am creating it as a "plug in - plug out" solution so it can easily be restored if required.)

It would all work easily if I were using two separate routers (one for the hotspot and one for routing the two networks), as the hotspot only presents 10.x.x.x addresses (created with the 1-1 NAT), so they appear local to that network. The second router would be a gateway for the 192.168.x.x network, so there is no clash of routes, etc.

If I could configure the hotspot to use a particular interface for its "virtual interfaces" on the 1-1 NAT, all would be fine, but as far as I can see, you can only specify the inbound interface.

So, I suppose I will have to just use the hotspot with the 10.x.x.x as a walled garden and if I get bottlenecking, I will have to contact the people who manage the switches and get them to create a couple of bonded interfaces so I can bond the router ifaces as pairs, but I really would rather them separated as it would be more robust.
 
Feklar
Forum Guru
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Selecting "out" interfaces?

Fri Aug 26, 2011 4:45 pm

You can set in and out ports for NAT rules; they just have to be in the right chain. For srcnat you can specify an out-interface but not an in one, and the opposite for dstnat. The packet flow diagram might help you with that.

http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram

You can look into 802.3ad (LACP) with the switches and the RB if one 10/100 interface is a concern for not having enough throughput, but I would only worry about that if it becomes an issue. Based on your picture and what you are looking to do, this is how I would set it up: very messy, but it should be possible. This is also very insecure, as I mentioned before.

1.) Turn off the DHCP server that you currently have and set static IP addresses for every school computer that you do not want on the hotspot.
2.) Set every subnet that the school computers use on your "uplink" interface.
3.) Set up the hotspot and DHCP server along with the student subnet on your "LAN" interface. Disable the address pool feature under hotspot server so it does not ARP poison the network.

Test it out and keep your fingers crossed that you don't mess anything up along the way. After someone signs into the RB, the router will handle all routing between the subnets, they however will not be able to browse by hostname or URL without some server to translate them for you.
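The following RouterOS configuration is an added example for this thread; it is not configuration posted by lispie or Feklar. It puts together the two points above: the "out interface" the original question asks for (srcnat is selected by out-interface, and the interface the gateway is reached on is decided by the longest-prefix route, not by the hotspot), and Feklar's three steps (static school hosts on the uplink side, hotspot plus DHCP on the client side, no hotspot address-pool so the shared wire is not ARP-poisoned). Everything not stated in the thread is assumed: the school LAN is taken to be 10.224.96.0/24 with 10.224.96.2 and 10.224.96.250 free, students get 192.168.10.0/24, RADIUS is at 192.168.10.2, and interfaces use the RouterOS default names ether1..ether3 where the posts say eth1..eth3.

```routeros
# Added example, not configuration from the original posters.
# ether1 = towards the real gateway 10.224.96.1 (Internet only)
# ether2 = hotspot / student clients (192.168.10.0/24)
# ether3 = school 10.x servers
# Assumed: 10.224.96.0/24 school LAN, .2 and .250 unused, RADIUS at 192.168.10.2.

# 1. Addresses. The /30 on ether1 contains the gateway and is a LONGER prefix
#    than the /24 on ether3, so 10.224.96.1 is always reached via ether1 and
#    every other 10.x host via ether3. Putting a /24 on both ports would give
#    two equal connected routes, which is exactly the ambiguity in the thread.
/ip address
add address=10.224.96.2/30 interface=ether1 comment="gateway side only"
add address=10.224.96.250/24 interface=ether3 comment="school servers"
add address=192.168.10.1/24 interface=ether2 comment="hotspot clients"

# 2. Default route. The gateway resolves through the /30, i.e. via ether1.
#    Verify with '/ip route print detail': the active 0.0.0.0/0 must show ether1.
/ip route
add dst-address=0.0.0.0/0 gateway=10.224.96.1 comment="Internet via ether1"

# 3. DHCP for students on ether2 (replaces the Mac server's DHCP while the
#    RB450G is plugged in). Upstream resolver is assumed to be the gateway.
/ip pool
add name=students ranges=192.168.10.10-192.168.10.250
/ip dhcp-server
add name=students interface=ether2 address-pool=students disabled=no
/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=10.224.96.1

# 4. Hotspot with RADIUS accounting. No address-pool= is set on the hotspot
#    server, so it does not one-to-one NAT clients onto 10.x addresses (the
#    "address pool feature" Feklar says to disable). The 10.x servers are the
#    walled garden: reachable before login, so they are not accounted for.
/radius
add service=hotspot address=192.168.10.2 secret=CHANGE-ME
/ip hotspot profile
add name=students hotspot-address=192.168.10.1 use-radius=yes
/ip hotspot
add name=students interface=ether2 profile=students disabled=no
/ip hotspot walled-garden ip
add action=accept dst-address=10.224.96.0/24 comment="school servers, no login"

# 5. NAT. srcnat matches on out-interface: only what leaves on ether1 is
#    masqueraded, so the gateway sees a single 10.x source while the hotspot
#    still accounts per user. Traffic to ether3 keeps its 192.168.10.x source;
#    enable the second rule only if those servers cannot route back to it.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
#add chain=srcnat out-interface=ether3 action=masquerade

# 6. Never forward hotspot traffic to the gateway through the server port,
#    even if the addressing above is changed later.
/ip firewall filter
add chain=forward in-interface=ether2 out-interface=ether3 dst-address=10.224.96.1 action=drop
```

The /30 trick is what makes "the default route always comes up as reachable on eth3" go away: routing picks the most specific connected route for the next hop, so the only thing that decides which port the gateway is reached on is the prefix length, not the hotspot. What this does not fix is the point Feklar keeps raising: because 10.x and 192.168.x share one wire, a student who sets a static 10.x address on their machine reaches 10.224.96.1 directly and never touches the RB450G, so nothing is accounted for that client.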
 
lispie
just joined
Topic Author
Posts: 8
Joined: Thu Jun 08, 2006 5:21 pm

Re: Selecting "out" interfaces?

Sat Aug 27, 2011 2:21 am

Thanks again, mate.

I actually came across the same thing last night when I re-read what I had written and it was staring me in the face .... "NAT".

Will be testing on my network today (I have duplicated the school's network IP ranges at home for this purpose). All going well, I'll then test it at the school.

I'll post the results.
