travisnj
just joined
Topic Author
Posts: 13
Joined: Wed Nov 25, 2009 10:30 pm

Newbie Question - RB450G - Hotspot Question

Wed Nov 25, 2009 10:37 pm

Thank you for your assistance in advance; I have read the Hotspot documentation and have tried to find the answer on my own before posting.

I have the 450G set up as a bandwidth shaper, and for this purpose it is working great. However, I need to use two different DNS servers for different user profiles. Meaning:

I have a large home with many adults and several children.

I wish to have the adults on a profile or rules that would allow them to use a regular DNS server, i.e. 4.2.2.1.
I then wish to have the children's profile or rules make sure their DNS requests are forwarded to OpenDNS, i.e. 208.67.222.222.

OpenDNS offers filtered queries, while the adults use unfiltered ones.

Could someone please help me with a configuration that would provide two different profiles for two groups of users?

Thank you again for your assistance.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Newbie Question - RB450G - Hotspot Question

Wed Nov 25, 2009 10:59 pm

Under the Hotspot User Profiles you can set a value for an address list - users that log into the profile get dynamically added to that address list, and removed when they log out.

Use that to write mangle rules that mark DNS packets accordingly and dst-nat them to the desired DNS servers.
 
travisnj
just joined
Topic Author
Posts: 13
Joined: Wed Nov 25, 2009 10:30 pm

Re: Newbie Question - RB450G - Hotspot Question

Wed Nov 25, 2009 11:26 pm

Use that to write mangle rules that mark DNS packets accordingly and dst-nat them to the desired DNS servers.
Could someone give me an example of how to write the mangle rule to dst-nat them to the DNS server? I have no idea how to customize rules in the firewall. I will take time to learn; however, could someone with experience help me with an "example" of what it would look like?

Regards
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Newbie Question - RB450G - Hotspot Question

Wed Nov 25, 2009 11:38 pm

Thinking about it, you don't really need to mangle.

Set up the first user profile on the router to add to the address-list 'adult', and the second one to add to 'child':

/ip hotspot user profile
# 0 and 1 are the profile numbers shown by "/ip hotspot user profile print"
set 0 address-list="adult"
set 1 address-list="child"

Dst-nat DNS accordingly, adult goes to 4.2.2.1, child goes to 208.67.222.222:

/ip firewall nat
# action=dst-nat is required; a NAT rule without an action matches but changes nothing
add chain=dstnat action=dst-nat protocol=udp dst-port=53 src-address-list=adult to-addresses=4.2.2.1
add chain=dstnat action=dst-nat protocol=udp dst-port=53 src-address-list=child to-addresses=208.67.222.222

Hope that works for you.
 
travisnj
just joined
Topic Author
Posts: 13
Joined: Wed Nov 25, 2009 10:30 pm

Re: Newbie Question - RB450G - Hotspot Question

Thu Nov 26, 2009 1:24 am

Okay, update...

All packets are being sent according to the "list" they are in.

Child or adult.

However, the correct DNS server is not being queried. Meaning:

Traffic from profile 1, with the adult list, does go through the rule that matches. However, the user is getting the default DNS server's response regardless of what is specified in the rule.

I have the RB450G configured to use OpenDNS by default. So even if there is a dst-nat rule that says the adult profile will be dst-nat'ed to 4.2.2.1 port 53, the response to the user is the default one.

I hope this is clear enough. The packets are going through the rules, but the DNS response is almost like it is transparently redirected to the RB450G's default DNS servers.

Any way around this?
Last edited by travisnj on Thu Nov 26, 2009 2:27 am, edited 1 time in total.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Newbie Question - RB450G - Hotspot Question

Thu Nov 26, 2009 2:09 am

To send all traffic to a specific DNS server, delete one rule and remove 'src-address-list' from the other.

Does "/ip firewall address-list" show entries being added when you login with a user profile that has one set?
 
travisnj
just joined
Topic Author
Posts: 13
Joined: Wed Nov 25, 2009 10:30 pm

Re: Newbie Question - RB450G - Hotspot Question

Thu Nov 26, 2009 6:12 am

Yes, the address-list is populated with "child" or "adult" entries. I see the rules with packets being counted.

The weird issue is that I have both rules pointing towards different DNS servers.

The user is getting the system default response. It is like the rule is either 1. being ignored or 2. being redirected.

The reason I say this is that the OpenDNS response to a porn domain always comes back as a "blocked" IP (filtered). If that same query goes to 4.2.2.1, it gets a normal recursive lookup and an IP address reply. For the client, regardless of what URL is typed in, regardless of what address-list it is on, and regardless of the rules for the address-list, the response is always from the system default DNS.

My config is:

Default system DNS IP address is OpenDNS (filtered).

There are 2 rules, one for each of the address-lists: adult and child (filtered and non-filtered).

The user always gets the response from the configured default system DNS server. I tested by using 4.2.2.1 as the system default too and the same happens; it is as if it gets redirected or ignored.

This is where the issue is:

4 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53

I have to find some way to return the packet back to the user. I see the user listed in the address-list, I see the counter counting packets, but the DNS is being intercepted and handled by the default DNS of the RouterBoard. It is not returning the packet's response.

Thank you for your time and help on this!
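The check travisnj describes above (query a domain OpenDNS filters and see whether the answer is the block-page address or a real one) can be scripted so the same query is sent to each candidate resolver from a hotspot client and the answers compared. The following is an added example written for this page; it is not code from the thread or from MikroTik, and it uses only the Python standard library. The block-page address set is a placeholder (192.0.2.1, a documentation address) that has to be replaced with whatever the filtered resolver actually returns for a blocked name, and `build_a_response` constructs a reply locally so the parser can be exercised offline. One point worth making explicit: when the router redirects or dst-nats the query, connection tracking rewrites the reply's source address back to the address the client asked, so the client cannot tell which resolver answered from the source IP and has to judge by the answer content, which is what the classify step does.

```python
"""Added example: probe which DNS answer a hotspot client really receives.

Not from the forum thread. Assumption: block-page addresses are supplied by
the caller (the placeholder below is a documentation address, not OpenDNS's).
"""
import random
import socket
import struct


def build_query(name, qtype=1, txid=None):
    """Return (txid, wire bytes) of a standard recursive query for name."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)


def _read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if end is None:        # the name ends after the first pointer
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if end is None:
        end = offset
    return ".".join(labels), end


def parse_response(data):
    """Return {'txid', 'rcode', 'answers': [(name, rtype, rdata), ...]}."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    offset = 12
    for _ in range(qd):           # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4               # qtype + qclass
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == 1 and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        elif rtype in (2, 5):     # NS / CNAME carry a (compressible) name
            rdata, _ = _read_name(data, offset)
        offset += rdlen
        answers.append((name, rtype, rdata))
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def classify(parsed, block_ips):
    """'filtered' if an A answer is a block-page IP, else 'resolved' / 'no-answer'."""
    a_records = [rd for _, rt, rd in parsed["answers"] if rt == 1]
    if any(ip in block_ips for ip in a_records):
        return "filtered"
    return "resolved" if a_records else "no-answer"


def build_a_response(txid, name, ips, rcode=0):
    """Constructed reply (test fixture, not captured traffic). Each answer names
    its owner with a pointer to the question at offset 12, as real resolvers do,
    so the parser's compression path is exercised."""
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(ips), 0, 0)
    question = build_query(name, txid=txid)[1][12:]
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                       + socket.inet_aton(ip) for ip in ips)
    return header + question + answers


def probe(name, resolver, block_ips, timeout=2.0):
    """Send one query to resolver (network call) and classify what came back.
    With redirect/dst-nat on the router the reply's source address is translated
    back to `resolver`, so only the answer content tells you who really answered."""
    txid, wire = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(wire, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    parsed = parse_response(data)
    if parsed["txid"] != txid:
        raise ValueError("transaction id mismatch")
    return classify(parsed, block_ips)


if __name__ == "__main__":
    import sys
    BLOCK_IPS = {"192.0.2.1"}  # PLACEHOLDER: the filtered resolver's block-page IP
    for resolver in ("4.2.2.1", "208.67.222.222"):  # the two resolvers from the thread
        print(resolver, probe(sys.argv[1], resolver, BLOCK_IPS))
```

Run it as `python3 dnsprobe.py <name-known-to-be-filtered>` from an "adult" client and again from a "child" client. If both resolvers yield the same classification on every client, the answer is coming from one place regardless of the dst-nat rule, which is the symptom described in this thread; if the adult client sees "resolved" from 4.2.2.1 and the child client sees "filtered", the per-list redirection is doing its job.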
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Newbie Question - RB450G - Hotspot Question

Thu Nov 26, 2009 6:51 am

Ah, that's true. Try inserting a rule before that dynamic one hits. There's a jump to pre-hotspot higher up, so maybe instead of the rules I posted earlier, try

/ip firewall nat
# pre-hotspot is jumped to before the dynamic hotspot chain; hotspot=auth matches only logged-in users
add chain=pre-hotspot action=dst-nat protocol=udp dst-port=53 src-address-list=adult to-addresses=4.2.2.1 hotspot=auth
add chain=pre-hotspot action=dst-nat protocol=udp dst-port=53 src-address-list=child to-addresses=208.67.222.222 hotspot=auth

That should hopefully fire for authenticated users before the Hotspot has a chance to intercept the DNS request itself.
 
travisnj
just joined
Topic Author
Posts: 13
Joined: Wed Nov 25, 2009 10:30 pm

Re: Newbie Question - RB450G - Hotspot Question

Thu Nov 26, 2009 4:14 pm

Same thing happens: I can see the address-list filled, I see packets being counted via the appropriate rule, and all DNS requests are still being answered by the Hotspot itself.
