How to Bypass Hotspot Usage Counters for Specific Subnets
Wireless networks

13 posts   •   Page 1 of 1
ZioN
just joined
 
Posts: 22
Joined: Sun Jun 12, 2011 4:12 pm

How to Bypass Hotspot Usage Counters for Specific Subnets

by ZioN » Wed Sep 07, 2011 4:24 pm

Hi

I'm currently running a hotspot on a bridge (Ethernet_Wifi_EoIP_Bridge in the code below) that I created between my Ethernet and WiFi interfaces. On that bridge I'm running a hotspot. There is, however, a second interface on my MT that I use to connect to a WUG (CTWUG_Link interface in the code below; WUG = Wireless User Group). I've added walled-garden IP rules to allow traffic within the local (192.168.0.0/24) subnet and the WUG (172.16.0.0/12) subnet. These rules seem to work perfectly, as they should, when a user is not authenticated by the hotspot. But traffic across any one of these subnets (mentioned above) from authenticated users adds to that user's usage. As I understand it, that is exactly what the walled garden should do, which is great. But I would like internal traffic (i.e. local and WUG subnets) to be completely free. Thus only traffic crossing my internet interface (VodaCom_3G in the code below) should be accounted for and billed to each user, thereby not counting any internal (local and WUG related) data.

The setup is as follows:
Code:
[Jeandre@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME                               TYPE               MTU L2MTU  MAX-L2MTU
 0  R  ;;; WiFi Network Interface
       Marshal_Network_Wifi               wlan              1500  2290
 1  R  ;;; Connection Interface to CTWUG
       CTWUG_Link                         wlan              1500  2290
 2  R  ;;; Lan Network Interface
       EtherNet_1                         ether             1500  1526
 3  R  ;;; Bridge Interface - To bridge lan and wifi to one network and ip range
       Ethernet_Wifi_EoIP_Bridge          bridge            1500  1526
 4  R  ;;; WAN Network Interface - Internet - Vodacom 3G via mini-pci-e
       VodaCom_3G                         ppp-out           1500
 5  X  ;;; VPN%0#PPTP Client to Connect to STB - VPN to Jeandre
       JeandreSTB                         pptp-out       
 6  R  ;;; EoIP Tunnel through PPTP to Jeandre STB
       EoIP-JeandreSTB                    eoip-tunnel       1340 65535



[Jeandre@MikroTik] > interface bridge print
Flags: X - disabled, R - running
 0  R ;;; Bridge Interface - To bridge lan and wifi to one network and ip range
      name="Ethernet_Wifi_EoIP_Bridge" mtu=1500 l2mtu=1526 arp=enabled
      mac-address=00:0C:42:49:04:6C protocol-mode=none priority=0x8000
      auto-mac=yes admin-mac=00:0C:42:49:04:6C max-message-age=20s
      forward-delay=15s transmit-hold-count=6 ageing-time=5m



[Jeandre@MikroTik] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE               BRIDGE               PRIORITY  PATH-COST    HORIZON
 0    EtherNet_1              Ethernet_Wifi_EoI...     0x80         10       none
 1    Marshal_Network_Wifi    Ethernet_Wifi_EoI...     0x80         10       none
 2    EoIP-JeandreSTB         Ethernet_Wifi_EoI...     0x80         10       none



[Jeandre@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE                               
 0   ;;; default configuration
     192.168.0.100/24   192.168.0.0     Ethernet_Wifi_EoIP_Bridge               
 1   ;;; CTWUG Config - Note Masquarade 192.168.0.0/24 Range over CTWUG_Link
     172.18.50.38/32    172.18.50.254   CTWUG_Link                               
 2 D x.x.x.x/32         x.x.x.x         VodaCom_3G     


                         
[Jeandre@MikroTik] > ip hotspot walled-garden ip print
Flags: X - disabled, I - invalid
 #   SERVER         PROTOCOL   DST-HOST         DST-ADDRESS     DST-PORT   ACTION
 0   ;;; Access for users to access the internal network - Bypass usage counters
     Marshall-Ne...                             192.168.0.0/24             accept
 1   ;;; Access for users to access CTWUG - Bypass usage counters
     Marshall-Ne...                             172.16.0.0/12              accept



[Jeandre@MikroTik] > ip firewall filter print all
Flags: X - disabled, I - invalid, D - dynamic
 0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth

 1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth

 2 D chain=input action=jump jump-target=hs-input hotspot=from-client

 3 D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875

 4 I chain=hs-input action=jump jump-target=pre-hs-input

 5 D chain=hs-input action=accept protocol=udp dst-port=64872

 6 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875

 7 D ;;; Access for users to access the internal network - Bypass usage counters
     chain=hs-unauth action=return dst-address=192.168.0.0/24 in-interface=Ethernet_Wifi_EoIP_Bridge

 8 D ;;; Access for users to access CTWUG - Bypass usage counters
     chain=hs-unauth action=return dst-address=172.16.0.0/12 in-interface=Ethernet_Wifi_EoIP_Bridge

 9 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth

10 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp

11 D ;;; Access for users to access the internal network - Bypass usage counters
     chain=hs-unauth-to action=return src-address=192.168.0.0/24 out-interface=Ethernet_Wifi_EoIP_Bridge

12 D ;;; Access for users to access CTWUG - Bypass usage counters
     chain=hs-unauth-to action=return src-address=172.16.0.0/12 out-interface=Ethernet_Wifi_EoIP_Bridge

13 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited

14 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited

15 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough

16 X ;;; VPN-Up#vpn-ul@54345133%7059774
     chain=forward action=accept out-interface=JeandreSTB

17 X ;;; VPN-Down#vpn-dl@49095379%9514034
     chain=forward action=accept in-interface=JeandreSTB

18 X ;;; Jeandre-Upload
     chain=forward action=accept src-address-list=Jeandre out-interface=VodaCom_3G

19 X ;;; Jeandre-Download
     chain=forward action=accept dst-address-list=Jeandre in-interface=VodaCom_3G

20 X ;;; Calvin-Upload
     chain=forward action=accept src-address-list=Calvin out-interface=VodaCom_3G

21 X ;;; Calvin-Download
     chain=forward action=accept dst-address-list=Calvin in-interface=VodaCom_3G

22 X ;;; Elizabeth-Upload
     chain=forward action=accept src-address-list=Elizabeth out-interface=VodaCom_3G

23 X ;;; Elizabeth-Download
     chain=forward action=accept dst-address-list=Elizabeth in-interface=VodaCom_3G

24 X ;;; Anthony-Upload



[Jeandre@MikroTik] > ip firewall nat print all   
Flags: X - disabled, I - invalid, D - dynamic
 0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client

 1 I chain=hotspot action=jump jump-target=pre-hotspot

 2 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53

 3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53

 4 D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80

 5 D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443

 6 D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth

 7 D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth

 8 D ;;; Access for users to access the internal network - Bypass usage counters
     chain=hs-unauth action=return dst-address=192.168.0.0/24 in-interface=Ethernet_Wifi_EoIP_Bridge

 9 D ;;; Access for users to access CTWUG - Bypass usage counters
     chain=hs-unauth action=return dst-address=172.16.0.0/12 in-interface=Ethernet_Wifi_EoIP_Bridge

10 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80

11 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128

12 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080

13 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp dst-port=443

14 I chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25

15 D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http

16 I chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25

17 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough

18   ;;; DC++ Nat to forward all port 2222 traffic to Media-Center (192.168.0.150)
     chain=dstnat action=dst-nat to-addresses=192.168.0.150 to-ports=2222 protocol=tcp in-interface=CTWUG_Link dst-port=2222

19   ;;; DC++ Nat to forward all port 2222 traffic to Media-Center (192.168.0.150)
     chain=dstnat action=dst-nat to-addresses=192.168.0.150 to-ports=2222 protocol=udp in-interface=CTWUG_Link dst-port=2222

20   ;;; Masquerade for VodaCom_3G Network - Translate private ip range to public ip address
     chain=srcnat action=masquerade out-interface=VodaCom_3G

21   ;;; Masquerade Private IP-Range to CTWUG
     chain=srcnat action=masquerade out-interface=CTWUG_Link


As you might realize, there are some port forwarding rules in the ip>firewall>nat CLI. These are just to allow packets incoming on port 2222 to be forwarded to 192.168.0.150. In fact, this is one of the reasons I would like the hotspot to ignore all internal packets, as these packets (mentioned above, from port 2222) originate from the WUG (172.16.0.0/12) subnet but are counted as internet packets for the (192.168.0.150) user.

Any help will be greatly appreciated.

Thanks

fewi
Forum Guru
 
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

by fewi » Wed Sep 07, 2011 5:16 pm

The Hotspot accounts for all packets. It is impossible to exempt some traffic from being accounted for.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.

ZioN
just joined
 
Posts: 22
Joined: Sun Jun 12, 2011 4:12 pm

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

by ZioN » Wed Sep 07, 2011 5:51 pm

Is there no way I can 'fool' the hotspot so that it does not account for local traffic? I've tried several rules in the firewall. Is there a rule that could be added in the firewall that would bypass all hotspot rules? I've tried:

Code:
ip firewall filter add chain="forward" dst-address="192.168.0.0/24" src-address="192.168.0.0/24" action="accept"


And placed this rule first in the firewall. It seems to count bytes in/out. But the incoming packet passes through the other (hotspot) rules as well. Is there a method of stopping packets from passing through the hotspot rules (i.e. passthrough=no)?

Here's just shooting in the air... but couldn't one also place all local packets on an arbitrary port that isn't monitored by the hotspot, and then afterwards return them to the original port they came in on?

Any ideas would be greatly appreciated, as I need local traffic to be accounted for but also need the hotspot.

fewi
Forum Guru
 
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

by fewi » Wed Sep 07, 2011 5:58 pm

What you're trying to do is not possible.

The Hotspot intentionally processes traffic before anything else so that it can use the Universal NAT feature to connect even clients that shouldn't have connectivity on the network at all because the IP addressing wouldn't work. There are hooks to stop the Hotspot from further processing traffic to itself via the pre-hs-input chain, there's the walled garden functionality for IP level processing hooks, and there's pre-hotspot from NAT - but there's no hooks for traffic before the Hotspot itself, which immediately accounts for packets.

Again: what you're trying to do is not possible. There are no workarounds.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.

ZioN
just joined
 
Posts: 22
Joined: Sun Jun 12, 2011 4:12 pm

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

by ZioN » Wed Sep 07, 2011 6:11 pm

Hi fewi

Thanks for the reply.

I guess my idea won't work then.

Here's what I want the hotspot/network to do:
-- account for traffic from users to the internet
-- users are to authenticate at the hotspot via the user's MAC address (i.e. no login page and details)
-- no need for the user manager - I have a script running which generates emails at set usage levels
-- allow users to access all local networks (192.168.0.0/24 and 172.16.0.0/12)

So basically I want to keep track of the users' internet usage... But they shouldn't have to log in at some webpage (I have MAC address login enabled on the hotspot to accomplish this). They should be able to transfer data internally.

Is there then some other system I could implement to facilitate this? (Maybe a PPPoE system - but with that users still need to dial in.)

Thanks so much for your help.

fewi
Forum Guru
 
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

by fewi » Wed Sep 07, 2011 6:16 pm

I guess you could drop the Hotspot completely and authenticate via ARP as outlined here: http://forum.mikrotik.com/viewtopic.php?f=2&t=54129&hilit=+static+DHCP+ARP

Then use NetFlow (TrafficFlow) with an external connector to collect information on all traffic flowing through interfaces, and configure it to not account traffic between subnets you don't want to account for.

There's no plug and play solution for that, though - you'll have to set up your own NetFlow accounting installation. There are free and for pay packages out there for that purpose. The router only acts as an exporter of flows, the accounting happens on a completely separate external system.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
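As an added example (not code from the thread or from MikroTik) of the collector-side half of fewi's suggestion: a minimal NetFlow v5 parser that discards flows whose endpoints are both inside the free subnets (192.168.0.0/24 and 172.16.0.0/12) and sums the remaining bytes per 192.168.0.0/24 host, which is the internet-only figure ZioN is after. It assumes Traffic Flow exports v5 datagrams from the bridge side, so records carry pre-NAT client addresses; the sample datagram and the 203.0.113.10 peer are constructed.

```python
# Added example, not from the thread or MikroTik: a minimal NetFlow v5
# collector step that ignores flows between the "free" subnets and sums
# per-host internet bytes. Record layout follows the public NetFlow v5 spec.
import ipaddress
import struct
from collections import defaultdict

HEADER = struct.Struct(">HHIIIIBBH")                 # 24-byte v5 header
RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte v5 flow record

# Subnets that must not be billed (the thread's walled-garden destinations).
FREE_NETS = [ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("172.16.0.0/12")]
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")   # where hotspot clients live


def is_free(addr):
    return any(addr in net for net in FREE_NETS)


def parse_v5(datagram):
    """Yield (src, dst, octets) for every record in one NetFlow v5 datagram."""
    version, count = HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    for i in range(count):
        rec = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # rec[0]=srcaddr, rec[1]=dstaddr, rec[6]=dOctets
        yield ipaddress.ip_address(rec[0]), ipaddress.ip_address(rec[1]), rec[6]


def account(datagram, usage=None):
    """Per-host {'up': bytes, 'down': bytes}, counting internet traffic only."""
    usage = usage if usage is not None else defaultdict(lambda: {"up": 0, "down": 0})
    for src, dst, octets in parse_v5(datagram):
        if is_free(src) and is_free(dst):
            continue                     # LAN<->LAN or LAN<->WUG: not billed
        if src in LOCAL_NET:
            usage[str(src)]["up"] += octets
        elif dst in LOCAL_NET:
            usage[str(dst)]["down"] += octets
    return usage


def build_v5(flows):
    """Build a constructed v5 datagram from a list of (src, dst, octets)."""
    hdr = HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        RECORD.pack(ipaddress.ip_address(s).packed, ipaddress.ip_address(d).packed,
                    b"\0\0\0\0", 1, 2, 1, o, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 24, 24, 0)
        for s, d, o in flows)
    return hdr + body


# Constructed sample: the 350 MB LAN copy and a WUG transfer are free;
# only the two flows that crossed the 3G link are billed to 192.168.0.150.
SAMPLE = build_v5([
    ("192.168.0.157", "192.168.0.150", 350 * 1024 * 1024),
    ("172.18.50.38", "192.168.0.150", 40_000_000),
    ("192.168.0.150", "203.0.113.10", 120_000),
    ("203.0.113.10", "192.168.0.150", 5_000_000),
])
```

Feed each UDP payload received on the collector port to account() with the same usage dict; a real deployment would persist that dict and key it by MAC or static lease rather than by IP.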

ZioN
just joined
 
Posts: 22
Joined: Sun Jun 12, 2011 4:12 pm

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

by ZioN » Thu Sep 08, 2011 12:50 am

Hi fewi.

Thanks for the reply. I'll look into that. Sounds like a valid idea.

In the meanwhile, I have a question about the firewall and packet counting.

If I implement a filter rule as follows:
Code:
[Jeandre@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=passthrough src-address-list=Media-Center dst-address-list=Local

 1   chain=prerouting action=passthrough src-address-list=Local dst-address-list=Media-Center

[Jeandre@MikroTik] > ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST           ADDRESS
 1   Media-Center   192.168.0.150
 8   Local          192.168.0.0/24
 9   Local          172.16.0.0/16
[Jeandre@MikroTik] >


It does not seem to count all the data. I tested it by copying a 350MB file from one of my PCs on the network (192.168.0.157) to Media-Center (192.168.0.150). It did count the data, but it was fractional compared to the actual amount transferred (it counted an order of bytes vs 350MB). Is there some reason for this? Does it perhaps only count a portion of the data, or only the headers? Has it got to do with the connections? The hotspot usage for this example counted the data perfectly. I observed this in the hotspot>active list for this (media-center) user.

Is there some way I could implement a similar rule to count such (internal) data, for the purposes of calculating the actual internet usage of the node (in this example, media-center) by subtracting that from the total hotspot usage?

Thanks so much

:)

ADD: yet when I add a firewall rule similar to the one in the code above, but instead of src/dst address I specify the out interface as Ethernet_Wifi_EoIP_Bridge (my local bridge), it counts the data perfectly. Is that correct?

icepicknz
just joined
 
Posts: 13
Joined: Thu Jul 29, 2010 1:39 am

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

by icepicknz » Thu Mar 22, 2012 10:43 pm

Heya,

Did you ever get this to work? I use hotspot to manage an apartment block where people buy internet from us for 30 days and choose how much data they want. The issue comes when someone wants a phone service and I add an ATA device behind their router: if they aren't authenticated everything is fine, it hits the walled garden IPs and the user has free data to our SIP server; however, as soon as they authenticate it charges for this data.

Users with a small data plan of say 1Gb are complaining that they haven't done much web browsing and their usage gets used up pretty quickly; this is because of the REGISTER, UPDATE & RTP traffic coming from the SPA/ATA device used for phone calls.

Has anyone come up with a solution to ignore subnets or specific IPs from authenticated hotspot users?

Many thanks
Barry

Devil
Member Candidate
 
Posts: 156
Joined: Thu Jul 21, 2011 9:13 am

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

by Devil » Fri Apr 27, 2012 12:27 pm

I believe fewi's response is still valid. It rarely happens that there would be no workaround for a problem, but in this case, whatever you do, it happens after the packets are already marked and counted by the hotspot. Look at the Packet Flow Diagram. It would be good to have such an option, however, and you could contact support with your suggestion.

However, I think you should be able to create a firewall rule to disallow any traffic you want from an authenticated hotspot user. So basically what happens is that, for example, if a user wants to use the phone service, he/she has to log out first or the service won't work. And logging out means the traffic won't be counted for the user.
Best Regards

sathishsa
Member Candidate
 
Posts: 114
Joined: Fri Sep 04, 2009 12:08 am

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

by sathishsa » Wed Aug 14, 2013 4:32 pm

Zion,

Did you get any solution? As we are suffering from the same issue, please post if you find one.

Accounting for the local resources is really a waste...

Fewi, we believe you can do some workaround and get a solution.

Please help...

Thanks,
Varma

swissiws
Frequent Visitor
 
Posts: 85
Joined: Sat Apr 04, 2009 12:42 am

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

by swissiws » Tue Sep 16, 2014 10:42 pm

Is this still valid?

ROS 6.19 -

Devil
Member Candidate
 
Posts: 156
Joined: Thu Jul 21, 2011 9:13 am

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

by Devil » Wed Sep 17, 2014 6:46 am

swissiws wrote: Is this still valid?
ROS 6.19 -

Unfortunately, after years of asking support, they still don't seem to be interested in adding this important feature, even though they know very well that a lot of their users are asking for it.
Best Regards

swissiws
Frequent Visitor
 
Posts: 85
Joined: Sat Apr 04, 2009 12:42 am

Re: How to Bypass Hotspot Usage Counters for Specific Subnet

by swissiws » Wed Sep 17, 2014 11:59 am

Mikrotik, go for it in ROS 6.

Did I ever mention that whoever developed Dude can stay in my house for free! With sea view ;-) Amazing product for free!
