natedogg104
Member Candidate
Topic Author
Posts: 157
Joined: Tue Feb 28, 2006 9:18 am

One to One NAT via hotspot

Mon Jan 26, 2009 3:27 am

Will it hurt anything to disable the hotspot one to one NAT via not choosing a hotspot address table in the server profile? I see no reason to waste IP addresses, and it also makes it hard to manage what user has what IP address.
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Tue Jan 27, 2009 10:08 am

/ip hotspot profile
does not have any one to one NAT settings.

They are in,
ip hotspot set <number> address-pool=
for unauthorized clients
ip hotspot user profile set <number> address-pool=
for authorized clients.

You can disable them if HotSpot clients are connected to the network with "correct" IP addresses.
 
natedogg104
Member Candidate
Topic Author
Posts: 157
Joined: Tue Feb 28, 2006 9:18 am

Tue Jan 27, 2009 11:01 am

All I would need to disable the 1 to 1 without problems would be to make sure all the users have the DHCP client on correctly and have the DHCP server on the hotspot, and then I could disable the one to one, right?
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Wed Jan 28, 2009 9:27 am

Yes, you can disable one to one NAT without any problems.
 
natedogg104
Member Candidate
Topic Author
Posts: 157
Joined: Tue Feb 28, 2006 9:18 am

Wed Jan 28, 2009 10:30 am

ty for the reply
 
larryuy
just joined
Posts: 22
Joined: Fri Jun 26, 2009 4:34 pm


Fri Jun 26, 2009 4:58 pm

I need to disable the one-to-one NAT on an RB450 MikroTik HotSpot, because I have a subnet on the same wiring and the HotSpot requires authentication from all devices that belong to other subnets.

I would like the HotSpot to only respond to requests from the subnet that belongs to it (10.10.2.1).

How can I do this? When disabling the NAT rules that capture the requests on port 80 or 443 from ANY subnet, the HotSpot stops working on 10.10.2.1.

Appreciate your help, thank you very much.
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Mon Jul 13, 2009 3:49 pm

For the one-to-one NAT.
/ip hotspot user profile set <used_profile> address-pool=none
to disable One-to-One NAT for authorized clients.
/ip hotspot set <used_server> address-pool=none
to disable One-to-One NAT for unauthorized clients.



To block any user except from the specific subnet,
use ip-binding,

- add first rule to accept correct user addresses,
/ip hotspot ip-binding add address=clients_network_address type=regular
- second rule to block other users,
/ip hotspot ip-binding add type=blocked
 
larryuy
just joined
Posts: 22
Joined: Fri Jun 26, 2009 4:34 pm


Thu Jul 16, 2009 6:11 pm

This is what I needed, I swear that I had tried before and for some reason this had not worked.

Thank you very much for your help.


--
An Uruguayan user of Mikrotik routerboards.
 
seany
newbie
Posts: 31
Joined: Fri Sep 18, 2009 1:14 pm


Mon Oct 19, 2009 12:58 am

Hello,

Is it possible to set the one to one nat pool for authorised clients *outside* of the hotspot user profiles?

I ask this because I have multiple hotspots running over different VLANs, each of which requires their own subnet HOWEVER the users themselves are able to login via all hotspots.

To clarify, I have users bound to particular profiles however do not want the profile to control the IP addressing as this can vary from hotspot to hotspot.

If this is not possible, Can I request this as a feature?

I've hopefully explained myself well enough, if not please just ask.
 
seany
newbie
Posts: 31
Joined: Fri Sep 18, 2009 1:14 pm


Mon Oct 19, 2009 3:08 am

The simplest explanation of what I desire to do would be for the following options in ip hotspot user profile:

address-pool (name | none | inherit from hotspot; default: none)
 
seany
newbie
Posts: 31
Joined: Fri Sep 18, 2009 1:14 pm


Tue Oct 20, 2009 9:07 pm

Hello,

Is this what the new dynamic address-list in 4.1 does? If so how do I use it?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Tue Oct 20, 2009 9:54 pm

seany wrote:
> Hello,
>
> Is this what the new dynamic address-list in 4.1 does? If so how do I use it?

http://forum.mikrotik.com/viewtopic.php?f=2&t=35844
 
seany
newbie
Posts: 31
Joined: Fri Sep 18, 2009 1:14 pm


Thu Oct 22, 2009 3:10 pm

I saw this, but I do not see address-list in hotspot profiles.

Or anywhere apart from adding static leases!
 
LambdaMaxWELL
just joined
Posts: 9
Joined: Sun Jul 26, 2009 3:52 am


Mon Mar 22, 2010 12:27 am

sergejs wrote:
> For the one-to-one NAT.
> /ip hotspot user profile set <used_profile> address-pool=none
> to disable One-to-One NAT for authorized clients.
> /ip hotspot set <used_server> address-pool=none
> to disable One-to-One NAT for unauthorized clients.
>
> To block any user except from the specific subnet,
> use ip-binding,
>
> - add first rule to accept correct user addresses,
> /ip hotspot ip-binding add address=clients_network_address type=regular
> - second rule to block other users,
> /ip hotspot ip-binding add type=blocked

My hotspot is successfully running on my access controller with a 192.168.244.0/24 private network. The hotspot setup wizard added a masquerading rule into my firewall NAT configuration. This works fine.

Problem:
When I assign a user a public IP address in the /hotspot user ... settings (field: 'address') this user cannot communicate when the user is successfully authorized on the hotspot. Even communication to the hotspot is not possible anymore. It seems that no one-to-one NAT is working.

Questions:
a) Do you have any idea how I can solve this problem?
b) Should the hotspot normally set a dynamic one-to-one NAT entry for every such user?

Thanks
Dirk
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Mon Mar 22, 2010 4:32 pm

LambdaMaxWELL,

what is the IP address configured on HotSpot interface?
What is the IP address configured at /ip hotspot user?
 
LambdaMaxWELL
just joined
Posts: 9
Joined: Sun Jul 26, 2009 3:52 am


Mon Mar 22, 2010 8:46 pm

sergejs wrote:
> LambdaMaxWELL,
>
> what is the IP address configured on HotSpot interface?
> What is the IP address configured at /ip hotspot user?

Thanks for coming back to my issue.

I configured a private address for the hotspot interface (192.168.244.1) via the hotspot setup and I also configured a static IP (the same one) on the bridge where the hotspot interface is running.

As long as I have not set an IP from another network in /ip hotspot user this works fine. But if I configure a public IP like 89.19.xxx.xxx out of my public IP range it works only until the user is authenticated.

I also do not understand two issues:
a) As long as the user is not authenticated I can ping the hotspot address (192.168.244.1) from the client. After a successful authentication, and if I have a public IP set in the user IP address field, I cannot ping the hotspot IP anymore.

b) From the access controller where the hotspot is running I also cannot locally ping the hotspot address / IP address of the bridge. And I cannot ping this bridge even if I shut down the hotspot and all dynamic NAT and filter rules are removed.

My guess is that I have a routing problem. PPPoE servers set dynamic routing rules to the IP address of the remote client. But the hotspot server will not dynamically configure such a rule in the routing table so that the public IP address is available via the hotspot IP. I also cannot put in a static route because the IP address of the bridge of the hotspot is shown as unreachable in WinBox.

Any idea what I am doing wrong?
Thanks a lot and best regards
Dirk
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Tue Mar 23, 2010 10:17 am

The purpose of universal client is to translate the "wrong" IP address of the client to a "correct" (working) IP address of a HotSpot client.
You are doing the opposite: the client gets a "correct" IP address and you are translating it to a "wrong" one.

As there is no 89.19.xxx.xxx IP address configured on the local interface, you are not able to set it for /ip hotspot user.
There should be address from 192.168.244.1 network in /ip hotspot user.
 
LambdaMaxWELL
just joined
Posts: 9
Joined: Sun Jul 26, 2009 3:52 am


Tue Mar 23, 2010 11:42 am

sergejs wrote:
> As there is no 89.19.xxx.xxx IP address configured on the local interface, you are not able to set it for /ip hotspot user.
> There should be address from 192.168.244.1 network in /ip hotspot user.

Thanks again for your support!

Will this mean that, for example, in case I assign a 89.19.xxx.1 address to the bridge where the hotspot is running and I put the same 89.19.xxx.1 address in the "hotspot address" settings of the hotspot profile, then I could assign 89.19.xxx.x addresses out of my IP range to the user and it will work?

In this case the internet address of the user which will be used to access the internet will be the 89.19.xxx.x address I have assigned to the user?

Thanks
Dirk
 
acim
Member
Posts: 415
Joined: Mon Sep 12, 2005 12:26 am
Location: Serbia

Sat Apr 07, 2012 1:06 am

LambdaMaxWELL, have you tried this?
 
acim
Member
Posts: 415
Joined: Mon Sep 12, 2005 12:26 am
Location: Serbia

Sat Apr 14, 2012 9:19 pm

sergejs wrote:
> Universal client purpose to translate "wrong" IP address of the client to "correct" (working) IP address of HotSpot client.
> You are doing opposite, client gets "correct" IP address and your are translating it to "wrong" one.
>
> As there is no 89.19.xxx.xxx IP address configured on the local interface, you are not able to set it for /ip hotspot user.
> There should be address from 192.168.244.1 network in /ip hotspot user.

sergejs, this feature would be very useful to distribute public IPs from a shared pool, just like with PPPoE.

I played with this a little bit and here are some conclusions:

- After user login on hotspot, there is a correct D entry in /ip arp (with public IP distributed by RADIUS server using Framed-IP-Address attribute)
- User doesn't get connection unless you set route: /ip route add dst-address=same-public-ip gateway=hotspot-interface. After that everything works because this static route is advertised further by OSPF.

My question is if it is possible to implement this feature automatically? Just to add connected route to hotspot interface with public IP got from RADIUS.

I tried even to send Framed-Route attribute, but its syntax doesn't allow to use interfaces as gateways and it doesn't get A (active) flag (Framed-Route="same-public-ip/32 same-public-ip 1"). It also isn't distributed by OSPF this way.

I have one more idea and it is to use on-login in /ip hotspot user profile to run a script which will add the correct route. Of course, there should be a script on logout to remove the route also.
 
acim
Member
Posts: 415
Joined: Mon Sep 12, 2005 12:26 am
Location: Serbia

Sun Apr 15, 2012 1:11 am

I finally got this working :)

The only changes from the previous setup are:

/routing ospf instance set 0 redistribute-static=as-type-1 (was none)
Set arp=enabled (was reply-only) on hotspot_interface
Made "/ip hotspot user profile" on-login script to add route dst-address=public_ip/32 gateway=hotspot_interface
Made "/ip hotspot user profile" on-logout script to remove previous route

That's all. The only problem is that the user has to wait a few seconds while OSPF redistributes the route. There should be some sleep in the login script (/file hotspot/login.html) to amuse the user while OSPF propagates. Otherwise an error page is displayed (not found or something like that).
 
acim
Member
Posts: 415
Joined: Mon Sep 12, 2005 12:26 am
Location: Serbia

Sun Apr 15, 2012 1:19 am

Because of arp=enabled, maybe this should be done (like sergejs suggested):

/ip hotspot set hotspot_server address-pool=none
/ip hotspot ip-binding add address=private-pool type=regular
/ip hotspot ip-binding add type=blocked

to force users to use our temporary private pool.
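
The setup acim describes in the last two posts, collected into one RouterOS configuration as an added example (not acim's actual scripts, which the thread does not show). It assumes an Ethernet hotspot interface and that the on-login/on-logout variable $address holds the public IP the user received; hotspot_interface, hotspot_server, private-pool and <used_profile> are the thread's placeholders, and the "hs-route" comment tag is constructed for this example.

```routeros
# Added example: replace the thread's placeholders (hotspot_interface,
# hotspot_server, private-pool, <used_profile>) with real values.

# Redistribute static routes into OSPF so the per-user /32 is advertised.
/routing ospf instance set 0 redistribute-static=as-type-1

# arp=enabled instead of reply-only (assumes an Ethernet hotspot interface;
# use the matching /interface submenu for another interface type).
/interface ethernet set hotspot_interface arp=enabled

# acim's suggested follow-up for arp=enabled: no one-to-one NAT for
# unauthorized clients, and only the temporary private pool is accepted.
/ip hotspot set hotspot_server address-pool=none
/ip hotspot ip-binding add address=private-pool type=regular
/ip hotspot ip-binding add type=blocked

# On login, add a /32 route for the user's address via the hotspot interface;
# on logout, remove exactly that route. Assumption: $address is the public IP
# assigned to the user. The "hs-route" comment tag is constructed here so the
# logout script and later audits can find the routes this setup created.
/ip hotspot user profile set <used_profile> \
    on-login="/ip route add dst-address=\"\$address/32\" gateway=hotspot_interface comment=\"hs-route \$address\"" \
    on-logout="/ip route remove [find comment=\"hs-route \$address\"]"

# Check: every route listed here should belong to a user shown by
# "/ip hotspot active print"; anything else is a stale /32 that OSPF
# is still advertising.
/ip route print where comment~"^hs-route "
```

Static routes survive a reboot while hotspot sessions do not, and the on-logout script does not run in that case, so the final check is worth repeating after a restart.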
