MikroTik

reinerotto

mikrotiks first of all are routers. All other functionalities are addons, usually good enough for average requirements.
However, for (ad-)blocking I use an openwrt-device. Which has many more possibilities.

reinerotto

Does the definition of this canary domain 'use-application-dns.net' for FF really disable DoH ? I have FF 79, connected to non-MT router, running dnsmasq. And I can not see any access to this domain in my logs. May be, FF dropped this option recently ? As a workaround, I block access to many well-kn...

reinerotto

You are bound to the limitations of RoS. In general, it is possible to achieve, what you want, _BUT_ getting a security warning from the browser, first, because of wrong certificate. I do this on openwrt, however. Which is more suited for such tasks. Which are typical for advanced hotspots, requirin...

reinerotto

If you are filtering Facebook, use NAT instead to redirect the Facebook connection to a local server that will serve a page.

Clever. Thanx a lot.

reinerotto

On openwrt, I do it using multiple instances of dnsmasq.

reinerotto

>the browser needs to resolve to check ifs there connection< AFAIK, this is done trying DNS. In standard hotspots, DNS works. You should do detailed analysis, whats going on between browser and router. I.e. using tcp-dump. Be warned, that "Captive Portal Detection" is similar for Andoid and iOS, but...

reinerotto

Because openwrt is open source, coova-chilli can be used as Captive Portal. Like on more expensive comercial hotspot systems. coova-chilli can be configured, first to try MAC-auth, when users device associates. In case of success, user can immediately reach the web. In case of failure, coova-chilli ...

reinerotto

Although this question is not MT-specific, as a general guideline you need to use MAC-based auth on the second login. Which is to be set up both on freeradius, and the hotspot itself.
Sorry, no details for MT, as I only do openwrt-based hotspots. More suited for advanced configs.

reinerotto

OP not asking for radius only. Radius usually is part of any good management system, but only small part.

reinerotto

This is not the right place to make recommendations out of mikrotiks environment.
For openwrt based systems, which includes several mikrotik devices, hotspotsystem.com is a good choice. Or ct-networks.io

I have no connections with both.

reinerotto

Unfortunately, mikrotik is not the best platform for hotspot services, having above-basic requirements. One reason is, that RoS is closed, so no special customization possible. This said, you might take into consideration, that there are a few hotspot+management packages available for openwrt-based ...

reinerotto

I am looking for business-related contacts, regarding filtering services for hotspots, either at home, or public.
Yes, there is openDNS. But there might be a better, and cheaper, alternative.
Pls, mail augustus_meyerATyahoo.de

reinerotto

Using squid: YES.
I did that for "Parental Control" , for a commercial product.

reinerotto

1) This question has nothing to do with Mikrotik, all vendors do it in their own unique way (and also change those ways from time to time). 2) I doubt anyone of this forum will be able to answer this particular question fully. 1) Correct. 2) Wrong. However, because of 1), no further details here. Q...

reinerotto

And how does does it know the hotspot login page to send the user to? Lets say the hotspot is hosted at 1.1.1.1, how does it know to send the user to 1.1.1.1? Back to one of my previous posts: Using openwrt for hotspots will show you, because open source. I.e. check the docs and source code for coo...

reinerotto

What I did do is scour all the walled garden section (there's a bunch) and found *gstatic.com and *akamai* was infact in the wallen garden list. We are using HSNM (lets see if that now fixes the issue and reduces complaints) These were not in the configurable parameters but actually came from a php...

reinerotto

Correct.
But thats not all, as firefox, for example, has a pre-loaded list of HSTS sites. I guess, same for Chrome.

reinerotto

https://support.apple.com/en-jo/HT209144#trusted

reinerotto

When buying a certificate for your website, buy from "trusted" authority.
Otherwise you might face inconvenient issues when using newer IOS clients.

reinerotto

hing I see on the software page that is a bit alarming is the fact that they display YouTube videos when you are not authenticated Yes, this is very, very suspicious, at least. Good indication would be problems with Android phones, as their CP-detection relies on google servers. IOS should not be c...

reinerotto

So the CP-detection is your real issue. I am a bit wondering about this, as I thought, MT-hotspots are quite often used, and I expected MT to have a reasonable solution, at least. Your issue(s) need more detailed discussion, it looks like, as CP-detection also is dependent upon clients device, altho...

reinerotto

As I wrote already, you will _never_ be able to reliably redirect HTTPS (for purpose of Captive Portal CP or anything else), unless you are able to install special certificate on the users device. Which is not possible for a public hotspot. Valid for MT-hotspots, openwrt-based ones etc. No differenc...

reinerotto

If the hotspot server is a mikrotik router, how do you accomplish this?

Sorry, no idea, but doing this for long time already, on openwrt-based devices.
Which are much better suited for hotspots with "advanced features", like this one.

reinerotto

RouterOS is a configurable router, this puts it in the same category as ubiquiti, cisco, junipter, pfsense, your typical x86 based and linux OS. The mean weakness that mikrotik has is that unlike ubiquiti or any standard OS you cant install anything else onto the router other than what mikrotik dev...

reinerotto

Thanx for confirmation. But what about using MT plus USB-dongle from carrier, where applicable ?
Also the MT-boards need "Certification" ?

reinerotto

For a friend in BR I want to buy a MT with LTE modem.
However, I am advised, that such equipment needs some type of 'Certification' for legal usage in BR.
Are all MTs legal to be used in BR ?

reinerotto

Why so complicated ?
Use MT for "plain and simple" routing/networking.
And an openwrt-box for the missing functions, like wireguard, squid proxy, nginx web server etc.
Or, just use openwrt devices for routing/networking, too.

reinerotto

This you can do yourself, using squid proxy. However, it needs quite some expertise for correct setup.
However: Does forcepoint work with _ALL_ domains ? (facebook, google ...)
Just thinking about pinned certs ...

reinerotto

Dunno. But the MT should be able to determine the MAC itself, from IP and leases of dhcp.

reinerotto

Sorry, but I do this for a living, and on openwrt. Besides, impossible to do the same on MT, because not open, and it needs some software (openwrt-packages; or LINUX, if you want) not available on MT. I often stated several times here that for hotspots with special requirements, MT is _no_ good choi...

reinerotto

Congrats. So you are the second

Works for Android 7, too, I hope ...

reinerotto

>... and they must be explicitly configured to use the proxy - transparent proxying does not work for HTTPS.< This is not absolutely correct, with respect to the requested logging. (Not to mention fiddling aroud with certs, which allows transparent https-proxying to some extent even further.) Transp...

reinerotto

Sorry, but publishing more details about a future commercial product goes too far. Wait, and you'll see. As a good comparison, for hotspots with special requirements, MT also is not properly suited, because closed. No problem to install squid or nginx on openwrt, for eample, if required for special ...

reinerotto

Perfectly within the realms of a MikroTik

Yes, you are correct, to match the basic requirements of the thread starter.
However, in case of more demanding functionality, MT not usable any more
for commercial product.

reinerotto

>I don't think squid can log mac address and hostname right?< First: In general, squid only logs for http/https. mac adrs - only available (for logging) on same network segment (router drops MAC.). So, in case squid runs on same segment, then answer is YES, can be logged. - hostname: Shure, logged. ...

reinerotto

R1CH had the best proposal: Fake a Captive Portal. Implementation details depend upon your network structure, i.e. using DNS-hijack. And might not be so simple, though. However, will work without flaws on http only, but on connecting devices the Captive Portal Detection will be triggered, and you ca...

reinerotto

You might simply wait, to buy a router with your requested features. Time to wait depends upon your location, as I am doing a commercial product based on openwrt
implementing your request

MT is not the best platform for such a device. Because too closed.

reinerotto

No need for appliance. You can use a standard PC running squid as a proxy. And interface MT to it .
_OR_ use a better device, LINUX based, or openwrt, which can do native logging via proxy.

reinerotto

@Isko900: As many sites, like youtube or facbook, use https, which is encrypted, it is not possible any more to block certain (video-) file types, like .avi or .mp4. Simply, because they are not recognizable any more, as when using http. Slowing down the connection per user, i.e. to 128kbit/s, would...

reinerotto

Or use a device, much better suited to hotspot functionality with above-average requirements: openwrt-based device. There we (can) do such tricks. And a few more. _But_ your requirement impossible to fulfill cleanly for https, of course. In best case, you reach the redirected page after some browser...

reinerotto

OpenDNS which is a free service for home or private users.

FYI: For commercial use, OpenDNS asks for subscription payments. So, for a public WISP, I did a simple clone of OpenDNS, to save the $$.
In case of interest, lemme know.

reinerotto

Agree to previous post in general; however, something else must be wrong, too. As practically every client-device with recent OS (iOS, Android, Windows ...) tests the internet connection using _standard_ http, which triggers the captive portal. Or the MT hotspot. At least, it should trigger, _unless...

reinerotto

Use the search function on this forum, and you will find some advice regarding your question. Also some comments from me.

reinerotto

Dump IPFire, install a small/old x86-PC running squid as local proxy within your network. This can do, what you want.
It is always strange, to read some questions, having already a supposed-to-work answer included

reinerotto

Yes: Use a full-featured proxy, like squid.

Your usage case is one more argument against using MT for hotspots
with above-basic requirements.
As in openwrt, I often integrated squid. Also to implement
your requested functionality

reinerotto

MT is not the wright platform for the functionality, you want.
On openwrt-based devices, you can do this either based on
DNS
or by impleneting a full fletched proxy.
Will also work on https, with some browser warnings, though.

reinerotto

Did several commercial systems, like you are asking for. However, MT is not the wright platform for this, because not flexible enough. openwrt is the way to go. I.e. I did a "local hotspot" for on board aircraft, without internet connection, to work as media server, for order processing etc. In case...

reinerotto

No. As you wrote, it also needs an (impossible) https-redir. "Best" you could do is to trigger some error messages from browser, regarding invalid cert. But this frightens the user even more.
So just to ignore https here only viable solution.

reinerotto

There was (still is ?) a function for regular adverts (via REDIRs) available, for MT-hotspots. However, this was/is not a solution for wide production use, as it does a REDIR simply time-based. Which disturbes the rendering of a web page just being requested. (Browser must request multiple objects t...

reinerotto

goggle for "squid cache"

reinerotto

In general, you will _never_ be able to reliably redirect HTTPS (for purpose of Captive Portal CP or anything else), unless you are able to install special certificate on the users device. Which is not possible for a public hotspot. This is just a feature of HTTPS, especially designed to inhibit suc...

reinerotto

Yes. I did this already several times for various clients, but based on openwrt/LEDE-devices as hotspots.
As I wrote here already:: For more than basic requirements for hotspots, MT is _NOT_ the best platform.
For commercial help, you can contact me: augustus_meyerATyahoo.de

reinerotto

ivicask gave the simplest and most complete solution to the problem. Also works for https-sites, of course.

reinerotto

>Regarding using mac address instead of IP would not solve anything.. .< No. Because it depends upon, how to use the MAC. ALmost 2 years ago I did a commercial parental control device (AP/router) on openwrt, based on MAC-control. And DNS-hijacking. Unknown MACs have everything blocked, so faking the...

reinerotto

>Is there a way to "fool" the CNA to "think" the user has internet access and display "Done" so when Captive window is closed, the device stays connected to our Hotspot?< Yes. _But_ I dunno, how to do it on MT, as it is closed. So, no surprise, you got no other response :-) You gave me one more arg,...

reinerotto

wifibus.com.mx Why to block the path to evolution, by starting too limited ? You might convince the client about alternative hw, and its possibilities. I.e. we also do GPS tracking of busses,of course. And, I do not know cost structure of 3g/4g in your area, but it might be quite expensive. So the u...

reinerotto

Same idea here. Hotspot redirects to a page (without user/pass) and serves the first video that must be seen complete. Then, redirects to free web. We do much more: Local server to serve real movies, music, simple games, local news etc. from web-site within device. For entertainment of user (to sav...

reinerotto

I have more than 1000 routers moving on vehicles serving as hotspot. They're connected to 4G. I need to periodically (say, every hour) read the uptime, traffic consumption, clients connected, know if Did that for public transport system in big Mexican city. Using openwrt-based devices, also deliver...

reinerotto

>and then after login immediately shut down< This happens on new Android devices automatically, because the mini-browser closes the window, as soon as web access granted. Same for Windows-mobile. Some possible workarounds for this behaviour, but not on MT. Needs smarter (or more open) hotspot system...

reinerotto

So sorry, mixed up with this one:
>Forcepoint strips of https certificate, looks at were you go and allow/block session. If it allows session it uses the real cert from the site you are visiting.<

reinerotto

Both methods require to install custom root CA cert on the clients. Again, in case you want to filter/log certain _hostnames_ (_NOT_ complete URLs) or IPs, you do _NOT_ need to install the certificate for https. Exactly, what I did for a special router (openwrt/LEDE) for parental control. Which is ...

reinerotto

The only thing you'll get with HTTPS [edit: if you're explicitly proxying it] is the hostname that the connection was proxied to

I have to disagree here. You can get the same info for transparently proxied https, using squid.
However, configuring "splice/bump" for this is non-trivial.

reinerotto

Not 100% correct.
squid (open source) can do the same. So, in open Linux environments (also on openwrt/LEDE), this can be done without separate product.

reinerotto

>how can i force the devices to open safari, chrome or firefox instead of microbrowsers< You can not. As it is a functionality of the users device. However, you can switch to the philosophy, that user has to _explicitly_ open the browser to connect to the WiFi. _And_ you need to fake the internet co...

reinerotto

@cpctech: Yes, setup is the most suitable, and simplest. @troffasky: "You aren't going to get any caching or a lot of useful info from Squid about HTTPS sites without MITM." No caching effect without MITM, correct. Amd this setup is for (very) advanced users. However, useful info from https-logging ...

reinerotto

To fulfill clients prio #1 simplest and best is to set up an intermediate caching proxy with logging for the whole network. Old PC running LINUX+squid reduces required bandwidth (because of cache) and provides extensive logging of user activities on http and https.Various log analyzers for squid log...

reinerotto

Own DNS-server makes sense. However, BIND is overkill for what you want to achieve.
dnsmasq will do the job; much easier to configure.

reinerotto

The last thing I'll leave you with, you may need to look at DNS based blocking from a provider like OpenDNS if you can't install a device that MITM's SSL.

Agreed. However, you also have the option to do DNS-based blocking yourself.

reinerotto

You have the best solution, possible on mikrotik. However, very best solution can be done on open (openwrt/LEDE) hotspot systems. I.g. it means, to filter (or to fake) the internet-connection probes by iOs, WP, Android. Your issue is one more confirmation for my decision, to drop MT for hotspots wit...

reinerotto

Only correct, when you talk about mikrotik.
I did a (better) clone of openDNS on an average ubuntu server, blocking about 1.2Mio porno sites.
Theoretically, could be done on MT, too. In case, it were open (for mods).

reinerotto

best router for hotspot is based on openwrt/LEDE. As youhave (almost) all possibilities of linux packages available. I.e. you can integrate full featured caching proxy like squid. Or captive portal like coova-chilli. miktotiks have similar functionalities, but closed and more limited. But are easier...

reinerotto

1) How to send PM here ?
2) Some people are willing to compensate for " Best Know-How". Or for better functions/higher quality.
3) Quite a few "leechers" on various forums, to get financial advantages from free high-quality advice.

reinerotto

You can just read this post:
viewtopic.php?f=13&t=125057

Which is for free, too, and much smarter than your contribution.
However, no continous (streaming) solutions.
As you get, what you pay for.

reinerotto

Yes; not a big deal. In case you can use openWRT, at least, as it is much more flexible. In plain words: open in its features. Did it for two clients already; right now for a third one in South America. As I do coding, incl. firmware, for a living. However, there are some limitations to the interpre...

reinerotto

DMA Radius (based on free radius) is not able to do this. I am wondering. The limitations is RoS, I strongly suspect. As Radius can control a lot of various quota policy. You are another example, that RoS is not the best choice for hotspots with special requirements. openwrt/LEDE + freeradius backe...

reinerotto

I wanted to write: Use proxy, like squid. However, in case the user opens https-tunnel, or uses VPN, then ...

reinerotto

Can you give an example, where a porn hosting website would also have family oriented pages on the same domain :) ? The problem is usually not that, but there are indeed cases where some people want to block "part of a site". E.g. some site that offers games (that are seen as unwanted, e.g. timewas...

reinerotto

Because of the costs of openDNS for commecial use, but the necessity of filtering the access to public, open hotspots of a client, I did a "worst case" DNS-server, considering several blocklists, most of all porn, of course, but also gambling etc. So no special consideration of age-ranges, because ...

reinerotto

Because of the costs of openDNS for commecial use, but the necessity of filtering the access to public, open hotspots of a client, I did a "worst case" DNS-server, considering several blocklists, most of all porn, of course, but also gambling etc. So no special consideration of age-ranges, because o...

reinerotto

Doing fb-login with large hotspot provider, haven't heard of this issue. Not using MT, though, but openwrt-based solution. With special backend for auth.
Did you contact fb already, to get the reason for the "temp locked" ?

reinerotto

To use it for business purposes it is formally required to ask them for a quote for a paid account. And it is very expensive (I tried).

And that is the reason, I developed a simple clone of openDNS for a hotspot provider. With custom "Blocked !" page, of course

reinerotto

Hi, Previously Mikrotik had a feature called advertisement in HotSpot, which is obsolete in latest ROS versions. Any suggestions? I remember this RoS-feature. After first usage, few years ago, I recognized the pitfalls, as it was not good enough for real production use. As it might interrupt the re...

reinerotto

This is typical task for a (free-)radius server as backend. Dunno how to interface to RoS, though. openwrt/LEDE is better suited to special hotspot configs, like this one.

reinerotto

CCR-support on openwrt/LEDE looks unreliable to me, far from production stability. However, you hit an interesting feature. Having developed a lot of different firmware for special purpose hotspots/routers (incl. parental control, social login, access logging, local content distribution etc.) on var...

reinerotto

Depending upon number of hotspots required, I might consider some special development using openwrt/LEDE. Which _might_ even run on certain mikrotiks.
Which MTs are you using ?

reinerotto

>several hotspot rules were added dynamically on top of the list!< This is normal for Captive Portals to work. However, sequence of rules depends upon sequence of module activitation (custom rules, rules fom captive portal) Which is obvious in open systems, like openwrt/LEDE; but _NOT_ in RoS, becau...

reinerotto

Dunno on MT. openwrt/LEDE-based hotspots (incl. coova-chilli) do not have your problem. And may solve a few more sophisticated issues (i.e. site/url-logging).

reinerotto

1)It seems that at some point the mikrotik or radius (who releases the ip) after a while seems to end the ip, I increased the time lease but the problem persists as I can do it? Sounds like session terminated by radius. because of inactivity, or session too long 2)Is there a script that allows me to...

reinerotto

Add an external squid Proxy. Or use openwrt/LEDE based router/hotspot, incl. squid.

reinerotto

Agreed.
Thats the reason, I left RoS for development of special purpose WiFi devices (routers), like for integration of parental control or similar.
_OR_ simply better hotspot functionality.

reinerotto

I do not remember, sorry. Although I am on upwork, too, several completed projects are on freelancer.
Allso containing, what you still want to achieve. Both UBT and MT are the wrong tools for that.

reinerotto

Yes.
I have hotspots, delivering local content only. But these are based on openwrt/LEDE.
Which contain such a special feature you are looking for

However, own developed firmware.
MT is too closed for such advanced features.

reinerotto

- Automatic popup/captive window after connect to the HS (each time you connect to this HS) This is standard, but ... - this redirected page has to be opened in native webbrowser (Safari, Chrome,.. ) not on "lightweight login Browser window" Here is the problem: Some OS (certain Android versions) do...

reinerotto

Injection of content into 3rd party pages can help in funding free hotspots. You are correct, that there _might_ be interference, but only in case of extremely dynamic (tricky) sites.. Which need to be blacklisted.
MTs 'interstetials' are much more risky regarding disturbance of 3rd party sites.

reinerotto

In principal, YES, there is. I developed some commercial software to do 'injection of content' into HTML, on-the-fly, using a proxy (http only).
A common usage scenario is the injection of ads, typically overlays, by means of injected JS.
In case of interest, contact me augustus_meyerATyahoo.com

reinerotto

Instead of messing around with this one >...you can disrupt the connection before SSL is fully negotiated. certificate exchange takes place "in cleartext", < on MT on low level, similar can be done in a clean way using squids https interception. Which also allows to block facebook etc. However, this...

reinerotto

You can _not_ detect inline-malware, like injected javascript, using DNS.
You _could_ keep privacy using local intercepting https proxy.
But, privacy (read: protection) of advertisers is the crucial issue here.

reinerotto

There are pros and conns to SSL intercept. I.e. SSL-intercept could be useful to better detect malware. Or to do parental control more refined.
Or to do better ad blocking. Which, I guess, is the main reason, quite a few "browser vendors" try hard to make this impossible.

reinerotto

Yes, that is part of the story.

reinerotto

Nobody tried this or there is no solution for this kind of parental control?

I did a (commercial) clone of openDNS. Which also can be tailored for individual MACs. However, needs private server, and special router (non-MT; but openwrt/LEDE)

reinerotto

>I wouldn't be surprised if Squid supports this.< You are correct in some sense. Using squid, it is possible to determine the target domain/IP of the SSL session, without installation of special certs in the clients. However, a bit tricky. And _NOT_ possible to see the full URL, domain only. Install...

reinerotto

>the Facebook logon page is launched in the mobile phone's browser instead of in the Facebook app. Most people, myself included, don't have my Facebook credentials stored in my mobile phone's browser so people simply click on the "Skip logon" link which defeats the object of the system.< You have to...

reinerotto

This is so called 'Like-Gating'. Which is prohibited since end of 2015 by facebook. Unless fb explicitly grants this right to your app. Which is very unlikely, but you can try. However, it is allowed to ask for a like. But user may refuse. Login via fb I can only setup using special backend server, ...

reinerotto

>why Mikrotik keep holding this option< Marketing argument. It works "in principal". However, not good enough for production with _many_ users, as number of complaints will increase. Better alternative: I have a few, depending upon requirements. However, I make my living from "good knowledge". In ca...

reinerotto

Depends upon the device and what you need. You can squeeze openwrt, for example, just by installing necessary packages (SW).
Then you will need to build your own image, for real downsizing.
Not all MTs run openrwrt, BTW.
openwrt is open, RoS is not.
openwrt the best choice for hotspots, for example.

reinerotto

Worked for me in the past, but then I dropped usage. As not a good solution for production. There are btter alternatives.
Anyway: You need to do active browsing. When the timer for advertisements expires, it will redirect you, when navifating to another URL.
Simple wait will not work

reinerotto

Addendum to my previous post http://forum.mikrotik.com/viewtopic.php?f=7&t=108527
We might offer the WLAN-contract also to foreign partners. A charity org always has low budget

reinerotto

As technical consultant for an international charity org, also active in several refugee camps in Greece, I am looking for contacts with WISPs, which can establish PtP-WAN-connections to the camps or setup WLANs within the camps. However, this will be two separate contracts. For the largest camp we ...

reinerotto

Hi, I have a contact in Mexico, who just did that also for MT. Send me a mail, to augustus_meyer@ahoo.de, so I can forward you. Note: facebook does not allow (any more) "Like-Gating", which means, forcing the user to give a "Like" before receiving some service. However, is is possible to ask for a "...

reinerotto

Don't know pfsense in detail. However, you might also install the squid-box (or pfsense ?) inbetween the MTs.
Then you can use the easy solution for your hotspot users, at least.
squid-box could be old/simple ubuntu-PC (or your netbook) , with lot of RAM (fastest cache

and (fast) HDD, 2 NICs.

reinerotto

In general, installation of HTTP-intercepting squid is simple in any standard LINUX environment, as it only needs an iptables-rule to REDirect http-traffic to squid on same machine. In case, squid runs on another PC (NOT the one with the iptables-rule) it is more difficult. So, in your case, having ...

reinerotto

You are wright, VPN is an alternative.
Did not think about it that time

reinerotto

Yes. For a customer, having very similar problem, I developed a solution using email, to signal "valid IP" to server running squid. In case of interest, consider a project on "freelancer.com". And let me know

reinerotto

>you get opened browser with login page<
Which is triggered by the browser OR OS-dependent activities in case of successful connection to WiFi, like Apple or MS or Android do.

reinerotto

Caching DNS-server (like dnsmasq) and a caching proxy (like squid). There are some solutions around to cache youtube with squid.

reinerotto

Hi, I came across this thread as trying to find a minimum 16mb flash & 64mb RAM router with USB & 2.4ghz wifi we can install WRT on. There are a lot of different devices available, meeting your specs. I have done mods to OM2Ps FW (r481) and programmed different openwrt-devices (various TP-Links, no...

reinerotto

Transp proxy should also work, in case "specific host" has fixed IP, and you only redirect its traffic.
Otherwise, you need to redirect evething to proxy, and then deny access/display message for "specific hosts" domain.

reinerotto

Use a real proxy, like squid, on a separate box.

reinerotto

Using radius-CoA you can command a redirect from the server. Question is, whether client (Mikrotik) supports it.

reinerotto

reinerotto

Sounds like a typical "MAC-auth"-scenario, in which the MAC of the WiFi device is used for AAA. This can be done using plain freeradius on a server; also to take care of bandwidth-control and volume limits. Just searched around here on the forum (serach for mac-auth); looks like MTs hotspot can inte...

reinerotto

You need to modify the hotspot functionality of MT/RoS to do simple redirection, without authorization. Especially to modify the standard "Splash Page". You can hire me

reinerotto

Have a look at the hotspot functionality in RoS. That includes redirection.

reinerotto

Does not work for me either, of course:
share.earthlinktele.com. 2249 IN A 192.168.1.66

reinerotto

An example (Link !) will make it much more likely to receive a response.

reinerotto

reinerotto yes, you give me price of 5555 USD and other guy 750 for same work.... Just for one coffe bar I still have a small solution, which is not server-based for high volume. But it can only be used together with openWRT running on Mikrotik, as integration in RoS is too difficault, as not Open ...

reinerotto

My question is in some places we are providing free wifi. I want people to login through email or social media profiles to excess our free wifi. For example when you go to barclays bank or subway you need to register with them and you can use wifi for free. Cheers! In case, you need some consulting...

reinerotto

Still open for payed-for offers. As I do it already for years, looks like time is ripe for it, you will get a solid solution.
I am open for cooperation, exclusively for certain contries.
Hm - squid and MT - you might ask on freelancer. Did some bids there, right now.

reinerotto

Interesting. I am using same MC7710 on a real (small) debian based system, with 1GHz CPU. Thruput is almost as good as on your mobile phone. However, I had quite some work to get the newest QMI-driver running the MC7710 on my debian. As the MC7710 can also be used in the (suppose to be) inferior DIP...

reinerotto

In case, no solution directly on the MT: Use a full featured proxy, like squid. You might assign an old PC to this task-

reinerotto

Relevant parts: max-cache-size: 3906250KiB !Set to 64MB max-cache-object-size: 4096KiB !Set to 64kb cache-on-disk: yes !No max-client-connections: 50 !Set to 128 for single user max-server-connections: 50 !Set to 128 for single user These values are "best guesses" for the beginning. Only RAM-cache; ...

reinerotto

>max-cache-size: 3906250KiB
max-cache-object-size: 4096KiB
cache-on-disk: yes<

I would set it to RAM-cache only. As 128MB on the board, there shoud be quite some RAM (>64MB) left for cache.
And set max-cache-object lower, as most objects on the web are rather small. Would suggest 64kb or similar.

reinerotto

Hi, any update on this one ? Looking to buy this RB951Ui-2HnD for openWRT; fortunately I discovered this thread

reinerotto

Pls contact me at my email, to be found in my profile.

reinerotto

For a serious solution, you should - install local PC+squid cache as a proxy - use some type of ad-blocker (DNS-based) to avoid download of adverts to local PC - install remote PC + compression software (ziproxy) - use remote PC as a parent proxy for local squid Works only for http, but might give y...

reinerotto

I use a MC7710 with QMI on a pcengines APU-board, running "voyage", a Debian based LINUX.
Works like a charm.

reinerotto

There are more domains for youtube videos, at least googlevideo.com to add.
As it might depend upon the region, you are located in, you should use firefox+firebug to see, which domains you have to put into walled garden.

reinerotto

Did anybody try/succeed in running OM-FW on a Mikrotik AP/router ?

reinerotto

Hi, sorry for the late reply.

So, to summarize, there is no way to achieve this using our router alone.

Is that correct?

Yes.

reinerotto

you mean - add a static entry, and everyone who queries for that name will get set address? No

Too bad. Then to use a (transparent) proxy, doing DNS with dnsmasq, for example.

reinerotto

1) So I don't think I was doing transparent Proxy since I had the browser config in place. 2) - As you mentinoed, I also considered tinkering with DNS but I am not sure I can make mikrotik send bogus DNS responses like facebook=120.0.0.1 1) Correct 2) You should be able to "poison" MTs DNS :-) You ...

reinerotto

Please explain more about this?

In production already. However, as it seems to be "A Hot Topic", only contact via email. Look at my profile.
And, it is a commercial solution, not bound to MT. Actually being implemented in USA on Open-Mesh equipment, too.

reinerotto

Hi, I want to block access to certain sites in a work environment (mostly facebook and adult sites). Since there is no domain blocking in the firewall I thought I would use the Proxy feature which does have it, but then I´ve found intermittent problems to access https sites that are not blocked, GM...

reinerotto

Hi Thanks for reply. It may be a Captive Portal, Customer Self-Care or any Website- what I was wondering - can any website be automatically opened, after login by a PPPoE dialer ? It is a common practice in Hotspot but can it be applied to PPPoE dialing as well ? Abhishek Actually, it should, assum...

reinerotto

Any alternate way out ? Abhishek May be, you are talking about a "Captive Portal". This means, instead of the users first requested page, he is redirected to another one. Then, depending upon the page, either this redirected one "replaces" the original page requested, OR automatically redirects aft...

reinerotto

Add squid as a proxy.

reinerotto

A typical reason is "Auto negotiate ON". I even had the case, that the Ethernet-link between two NT-routers of same type went up and down, because they could not always agree upon the link speed to be used. So you might try to set both sides of the links affected to 100MBit, half dplx. And see, what...

reinerotto

I can't ask them to carry allso a server with them.

An APU with internal SSD is only marginally larger than a MT-box. And has the advantage, you can install latest modem drivers.
And you can install internal mSATA-SSD-card, for caching, if you want.

reinerotto

Hi,
The firewall rule L7 works.
But is it also possible to redirect it to an other page?
So I can display to the uses why thy are blocked.

Use a real proxy, like squid. Caching on large disk would be an advantage, anyway.
Which means, not to use MT, but an embedded LINUX box, like ALIX or APU.

reinerotto

www.pcengines.ch
The APU or ALIX boards are very solid. Although better to be run using some kind of LINUX.

reinerotto

I am using
hotspotsystems.com
services for AAA via SMS.
The simplest for a start.

reinerotto

that there is something that Mikrotik cannot do Has nothing to do with MT. In case, there is no DNS entry in browsers or clients PC DNS-cache, the proposed solution will work, as there has to be a DNS request, immediately going to your no-connection-page. In case, user just navigates to another pag...

reinerotto

the browser tries to browse anything on first attemtp it gets page not found 404 error and on the second it gets the "Sorry internet not available" So it looks like it can be done, please give me a suggestion on how to get it on the first try to browse. Do not believe, this can be done reliably: Th...

reinerotto

AFAIK, a sequence is optional, but has to be "signalled" in GRE-header: S, Sequence Number present. 1 bit. If set then the Sequence Number field is present and contains valid information. Otherwise, sequencing is also done on the TCP/IP-layer, wrapping GRE. So within GRE, is seems to be redundant, u...

reinerotto

I have a special proxy in USA, to allow access for German users to blocked videos on youtube. Access for Germans only, as the proxy is sponsored by injected ads, targeted to Germany only. In case, you have multiple clients, you can set up such a solution yourself. Or pay me :-) In case of many users...

reinerotto

You might consider implementing a dedicated cache machine, running squid, for example. Might even cache videos.

reinerotto

squid

reinerotto

Hello!
Is there a way I could somehow inject a html overlay at the bottom of browser/page,
Matej

Yes; inject into every page visited. This principle is used for ads more often; but will work for your ideaa, too.In case of interest, email to my adrs in profile.

reinerotto

will be costly compare to routerboard

The you should better say: APU has too much power for my requirements

reinerotto

will be costly compare to routerboard

Hm, to which routerboard do you compare, CPU-wise ?

reinerotto

pcengines.ch, APU: 3 ports, SIM slot.

reinerotto

I'm not authorised to send private messages.

How can I get permission?

Thanks

You might vote up this issue here
http://forum.mikrotik.com/viewtopic.php?f=2&t=75436

Alternative: Publish a special email-adrs in your profile. Like I do.

reinerotto

Hi,
How can I do that in Squid, could you please let me know any instructions do you have?
thank you,
ven

Sorry, this is a MT forum.

reinerotto

YES, but only to be started with. This URL will be redirected according to your location/requested resolution into something much more complicated. And this will contain "...id=..." specifying the resolution. You should use firebug in firefox to observe. As this is a MT-forum, no more info on this t...

reinerotto

I do not see any "hd" tag in youtube video url
It seems really impossible

Then I give you a hint to do the impossible: Examine "id"

reinerotto

I was wondering if there's a way to block high definition videos such as youtube hd or other websites that offer hd streaming videos. any proxy/firewall rule? No problem regarding youtube-videos when using squid, as yt identifies HD-videos within URL. Only need to set up proper ACL & regex for bloc...

reinerotto

Hi,

I am using Squid Proxy in transparent mode , is that possible to redirect users?

thank you,

ven

Yes.

reinerotto

>On the second case
/ip proxy access
add action=deny dst-host=* redirect-to=www.pay.it<

Same you can do with squid, too, with so-called "ACL", access-control-list.
Assuming, you have edited a "customer_needs_to_pay.lst" text file, containing some kinf of ID, like username, IP, or similar.

reinerotto

You're talking about users redirection? I always thought to use squid as caching server...so it could solve traffic logging & saving I guess First of all caching server, that is correct. But a lot of features besides, like configurable details of traffic logging, and various options to allow redire...

reinerotto

Simplest solution for logging all stuff would be the use of squid as an upstream proxy. will also solve your question regarding "redirection" with "url_rewrite" or "session_control".

reinerotto

You can use opendns to block porn sites and add /ip firewall nat add chain=dstnat protocol=udp dst-port=53 dst-address-type=!local action=redirect to-ports=53 to redirect DNS queries. Is not sufficent. What will be sufficient in this scenario, assuming, access via http(s)+IP is already blocked, too.

reinerotto

Hi, as there is no PM allowed,

, pls email me at my adrs from profile. Subject: Financing.

reinerotto

The HW-config is not clear to me: You want the MT-box to be used as a hotspot, and to have the squid-machine as upstream proxy ?

reinerotto

AFAIK a web-server on MT is not possible. You are not the first one to ask for it, though :-) Why don't you do it the opposite way, set up a hotspot, and within the login-page you check the IP. In case, no auth/logon necessary to be done by the client, then do an automatic and silent (hidden) auth t...

reinerotto

Btw. is it possible to create a new html file something.html and access it somehow?

Not sure, what you are looking for exactly, but this might help you:
http://wiki.mikrotik.com/index.php?oldid=20225

reinerotto

@levak:
As PMs are disabled now, pls contact me using my email from profile. Subject: "Financing".

reinerotto

We already have enough spam in the public forum, we wouldn't be able to delete all the spammers if we would enable PM

To enable sending of PM for members with a minimum no. of posts should be safeguard.
Reconsider, pls.

reinerotto

It works blocking youtube by using L7 protocol using regexp : "www.youtube.com",

At least in Germany and USA, youtube videos are delivered from "*.\.googlevideos\.com" since a few months already.
So try to block this one, too.

reinerotto

It might also be an alternative, to backport bug-fixes to older versions of RoS, to the last mayor versions, at least, if possible. As a very dumb MT-user, I only use MTs hotspot features, so I am happy with RoS 4.x, or even 3.x And I am hesitating to do any upgrade, although there are some glitches...

reinerotto

Use your own DNS-server on a separate LINUX box, with transparent squid cache. Then you convert host.txt to named.conf.local (there is a script to do that) and feed it into your bind9. Your resulting named.conf.local will contain lines like this one: zone "ad-srv.net" { type master; notify no; file ...

reinerotto

New issue regarding NAT during close of connection: Pls, refere to this thread.
http://forum.mikrotik.com/viewtopic.php ... 34#p418434

reinerotto

In normal situations this packet bypassing will not affect network operation, but this is not my case: The WAN port of my mikrotik is connected to a Netgear Prosafe SRX5308 router that is load balancing 4 ADSL lines. These frames are confusing this router causing FIN frames to be sent to the wrong ...

reinerotto

I want to install an AP in a large room, about 5mx8m, just to be mounted to one wall, to cover only this room. Is the RB951-2n good enough, regarding its relatively low TX/RX-power ?
(Looking at the low-power RB951-2n, because not to interfere with my neighbours)

reinerotto

Actually I am using RoS-proxy to forward all traffic to a PC, injecting ads to finance my open hotspots. Although my SW on the PC can handle (simply ignore) all the traffic, into which the injection of ads makes no sense, like into .png, .mpg etc., it would lessen the burden onto that PC, and it wou...

reinerotto

Pls, be a bit more specific about config: Is MT used ? If YES: How/where ? Or just a PC+squid, with 5 interfaces (LAN + 4 WAN), as an upstream proxy to a MT box ? Standard http/https-proxy only ? (Which means, https is tunneled/not cached) How strict are the requirements regarding equal balacing ? T...

reinerotto

If you don`t know what the settings really do (like most starters) you might now be dissapointed in a product just because some ill default configs point you in the wrong direction... Applause, applause, applause. Unfortunately, as RoS is more or less LINUX based AFAIK, you are asking for an absolu...

reinerotto

16GB: More is better. Squid stores some info about every cached object in memory. The more RAM available, the more objects squid can handle efficiently. However, there is a max no of objects squid can manage for one cache directory, it uses. Independent upon size of objects. Which then determines th...

reinerotto

In the MT you have to use the Proxy (transparent), and for this MT then to define the squid(SuSE, routing) as parent/upstream proxy. And the squid(Suse) as default gateway. SusE is fine, I have also 11.4 running. No problem. You can generate squid from source, or use a package, which is easier, as i...

reinerotto

1. inserting the squid before the Mikrotik; would it still be able to perform the full capability of caching and full speed delivery of cached objects to users? 2. would i still be able to monitor the squid network with the tail command? Thank you. 1.)Sure. squid will do only the caching of port80-...

reinerotto

Like this (explicit upstream proxy for MT). Or to let squid run on your gateway, transparent.

reinerotto

Is it really impossible to have a simpler setup: To install the squid-box 172.16.11.2 just in-between the MT-hotspot 10.5.50.1 and gateway. And then use the squid-box as an upstream-proxy for MT-hotspot, which can be explicitly defined there. No need to define proxy in hotspot-clients, though.

reinerotto

In case, MTs DNS is flexible enough, and you are happy with "brutal" blockage of ads, you can create something like this: ...... zone "pagead2.googleadservices.com" { type master; notify no; file "/etc/null_zone"; }; zone "www.google-analytics.com" { type master; notify no; file "/etc/null_zone"; };...

reinerotto

Instead of youtube.com you must use "googlevideo.com" to handle the videos, at least in my geogr. area. In case, you do not succeed with your MT-setup, consider to route all traffic to your 1'st squid, and then use special ACLs to forward (youtube.com|googlevideo.com) to 2'nd squid, acting as upstre...

reinerotto

Using MT or squid will also depend upon - number of clients: squid can be easily configured for high loads/many users - user preferences: In case of mostly caching html etc. MT might be good enough. In case of caching large files (videos) squid is much more capable to do that Expecting inceasing num...

reinerotto

Just because of curiosity: I have a running proxy, which I set up a couple of years ago to speed up my internet access via fixed lines, when working abroad. Speed up is accomplished using 3 methods, reducing necessary bandwidth drastically: Removal of ads in the proxy, reduction of graphics quality ...

reinerotto

Yes, there is. However, I really doubt, that anybody, who spent quite some time in adapting it to the varying protocols of youtube, would make it available to the public free of charge. Which would also mean, that the chance of a new change at youtube would become much higher, for the one, having a ...

reinerotto

Only being an amateur regarding MT, but having several complicated squids up and running as (caching-)proxies, I would keep your config as simple as possible. Reason is, that squid should work as a transparent proxy in your config. The setup for this, which is not the standard, is different between ...

reinerotto

Should be possible using an intermediate squid-proxy.
And setting up correct ACLs, to forward all youtube traffic to specific interface.

reinerotto

Bump ...

reinerotto

Not free of charge, because a lot of work (German engineering). I am looking for commercial international partners ; not MT-specific.

Search found 444 matches