zimbofury
newbie
Topic Author
Posts: 48
Joined: Wed Nov 03, 2010 8:10 am

Hotspot Specifics

Thu Nov 15, 2012 9:59 am

Hello,

I have a scenario at a university where 4 profiles for various users on the LAN are needed. I have students, staff, admin and server room.
Using hotspot, is there any way to specify that, if you log in via a certain profile (e.g. students), you will get an IP in a certain range? I want this so that I can add limitations to those ranges via the IP firewall. Or are there any other suggestions?

Many thanks.
 
ditonet
Forum Veteran
Posts: 835
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: Hotspot Specifics

Thu Nov 15, 2012 3:12 pm

http://wiki.mikrotik.com/wiki/Manual:IP ... er_Profile
Read about 'address-list' property.
Create four hotspot user profiles and set each one's 'address-list' property according to your needs (students, staff, admin and server room).
With these settings you'll be able to make limitations based on the firewall's address lists, not assigned IP addresses.

HTH,
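
The approach suggested in the reply above, sketched as RouterOS commands. This is an added example, not part of the original posts; the user name, the password placeholder and the 192.0.2.0/24 server-room subnet are constructed for illustration.

```routeros
# Added example (constructed values): one hotspot user profile per group.
# On login, the hotspot adds the client's IP to the named address list
# as a dynamic entry and removes it again on logout.
/ip hotspot user profile
add name=students address-list=students
add name=staff address-list=staff
add name=admin address-list=admin
add name=serverroom address-list=serverroom

# Hypothetical local user bound to the students profile.
/ip hotspot user
add name=student01 password=CHANGE-ME profile=students

# Policy is keyed on the address list, not on which IP the client received.
# 192.0.2.0/24 stands in for the server-room subnet (assumption).
/ip firewall filter
add chain=forward src-address-list=students dst-address=192.0.2.0/24 \
    action=drop comment="students: no access to server room"

# Check after a student logs in: the entry should carry the D (dynamic) flag.
/ip firewall address-list print where list=students
```

The address lists need no static entries; they are populated per session, so a rule that references a list with no logged-in members simply matches nothing.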
 
zimbofury
newbie
Topic Author
Posts: 48
Joined: Wed Nov 03, 2010 8:10 am

Re: Hotspot Specifics

Fri Nov 16, 2012 11:49 am

Hi!

Thanks for the response. I did research and was sure it was something to do with that. However, I haven't played with address lists too much. I have been tinkering and haven't been able to succeed; below is my config:
[admin@MikroTik] /tool user-manager profile limitation> print detail
 0 name="Customers" owner=admin download-limit=0B upload-limit=0B transfer-limit=0B uptime-limit=0s rate-limit-rx=716800B rate-limit-tx=716800B rate-limit-min-rx=716800B 
   rate-limit-min-tx=716800B group-name="Customers" ip-pool="" address-list="Customers"


[admin@MikroTik] > ip hot user profile pri
Flags: * - default 
 0 * name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 
     transparent-proxy=no 

 1   name="Customers" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 
     address-list="Customers" transparent-proxy=yes open-status-page=always advertise=no

 /ip firewall address-list> pri
Flags: X - disabled, D - dynamic 
 #   LIST                                                           ADDRESS                        
 0   Customers                                                      0.0.0.0 

/ip firewall filter> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=forward action=drop src-address-list=Customers connection-mark=facebook

[admin@MikroTik] /ip firewall mangle> pri
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting action=mark-connection new-connection-mark=facebook passthrough=no dst-address=173.252.96.0/19 

 1   chain=prerouting action=mark-connection new-connection-mark=facebook passthrough=no dst-address=66.220.144.0/20 

 2   chain=prerouting action=mark-connection new-connection-mark=facebook passthrough=no dst-address=69.171.224.0/19
Thanks :)
 
zimbofury
newbie
Topic Author
Posts: 48
Joined: Wed Nov 03, 2010 8:10 am

Re: Hotspot Specifics

Mon Nov 19, 2012 11:05 am

I have managed to get the address lists working without RADIUS.
[admin@MikroTik] /ip hotspot user profile> print
Flags: * - default 
 0 * name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 transparent-proxy=no 

 1   name="addlist" address-pool=default-dhcp idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 address-list="Customers1" transparent-proxy=yes 
     open-status-page=always advertise=no
Upon enabling RADIUS and configuring profiles > limitations, users won't be added to the address list.
 
ditonet
Forum Veteran
Posts: 835
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: Hotspot Specifics

Mon Nov 19, 2012 11:55 am

http://wiki.mikrotik.com/wiki/Manual:RA ... ess-Accept
Read about the following 'Access-Accept' attributes:
Framed-Pool
Filter-Id
Mikrotik-Mark-Id

On the RADIUS server, define user groups (students, staff, admin and server room) with different 'Mikrotik-Mark-Id' values.
This gives you the ability to mark traffic from/to a user belonging to a specific group or add the user's IP address to a firewall address list.

HTH,
 
zimbofury
newbie
Topic Author
Posts: 48
Joined: Wed Nov 03, 2010 8:10 am

Re: Hotspot Specifics

Wed Nov 21, 2012 10:30 am

Hi Ditto!

Thanks again for the response.

I managed to get the initial idea with RADIUS working. It seems to be something to do with using the same name (e.g. students) on all the profiles' relevant settings/names (address lists, user profiles and user manager limitations).

However, I am still interested in learning about the RADIUS client, especially since I can't find the submenu ;). Or is it a separate package?

Thanks again.
 
ditonet
Forum Veteran
Posts: 835
Joined: Mon Oct 19, 2009 12:52 am
Location: Europe/Poland/Konstancin-Jeziorna

Re: Hotspot Specifics

Wed Nov 21, 2012 11:25 am

RouterOS has a RADIUS client built in; you can access it via the Winbox menu.
The wiki article mentioned in my previous post has all the necessary information about RouterOS RADIUS client configuration and attributes.
As I wrote earlier, create RADIUS user groups with different 'Mikrotik-Mark-Id' attributes and add hotspot users to specific groups.
Create firewall mangle rules with chain names the same as the 'Mikrotik-Mark-Id' attributes and use them to mark traffic or add hotspot users to firewall address lists.

HTH,