1to1 NAT Hotspot

Hey all,

RouterOS version: 4.11

We are breaking our brains to get this working. Found a few posts in the Forum/Google but there is no final solution.

I want to set up a Hotspot and give clients public IP addresses, but only after authorization. I don’t want to waste my whole public address pool, so before authorization I want to give addresses from a private pool (e.g. 172.16.0.0/24) and only after authorization do 1 to 1 NAT on the Hotspot.

What I’ve tried and didn’t work:

Client <--> wlan1 MIKROTIK ether1 <--> Core Router

Mikrotik configuration

User authorization is local

1/ wlan1 - 172.16.0.1
2/ ether1 - 10.10.0.2 - Let's assume this is a public subnet

IP Addresses

/ip address
add address=10.10.0.2/24 broadcast=10.10.0.255 comment="" disabled=no interface=ether1 network=10.10.0.0
add address=172.16.0.1/24 broadcast=172.16.0.255 comment="" disabled=no interface=wlan1 network=172.16.0.0

IP Pools

/ip pool
add name=dhcp_pool1 ranges=172.16.0.2-172.16.0.254
add name=hotspot_public ranges=10.10.0.100-10.10.0.200

Hotspot configuration

/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 \
    login-by=cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
add dns-name=hotspot.domain.am hotspot-address=172.16.0.1 html-directory=hotspot http-proxy=0.0.0.0:0 login-by=http-chap \
    name=hsprof1 rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot
add address-pool=dhcp_pool1 addresses-per-mac=2 disabled=no idle-timeout=5m interface=wlan1 keepalive-timeout=none name=\
    hotspot1 profile=hsprof1
/ip hotspot user profile
set default address-pool=hotspot_public keepalive-timeout=2m name=default shared-users=1 status-autorefresh=1m \
    transparent-proxy=no
/ip hotspot ip-binding
add address=172.16.0.0/24 comment="" disabled=no
add address=0.0.0.0/0 comment="" disabled=no type=blocked

/ip hotspot user
add comment="" disabled=no name=test password=test profile=default

NAT Rules

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no src-address=172.16.0.0/24

Problem:
Client connects to the AP (wlan1 interface) and gets an IP address from the DHCP server's private pool (172.16.0.0/24). When I open the login page, input credentials and press the OK button, it loops and doesn’t get any reply from the Hotspot side. But at the same time on the MikroTik I see that the user is logged in.

[root@MikroTik] > /ip hotspot active print 
Flags: R - radius, B - blocked 
 #    USER                                                         ADDRESS         UPTIME       SESSION-TIME-LEFT IDLE-TIMEOUT
 0    test                                                         10.10.0.100     19m14s                         5m
[root@MikroTik] > /ip hotspot host print 
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed 
 #    MAC-ADDRESS       ADDRESS         TO-ADDRESS      SERVER                                                    IDLE-TIMEOUT
 0  A 40:61:86:42:AF:61 172.16.0.254    10.10.0.100     hotspot1                                                  5m

Updated:
It works fine when I assign the public address/net (10.10.0.0/24) on the wlan1 interface, but in this case I must have one extra IP/subnet on ether1 (it will be from another private address range; I don’t want to waste extra public addresses).

Try adding this rule:

/ip firewall nat
add action=accept chain=pre-hotspot comment="" disabled=no hotspot=auth \
    src-address=10.10.0.0/24

I’ve been playing around with something similar, and this seems to get it working. I just haven’t had a chance to really test it anywhere other than the lab.

Thanks for fast reply.
I’ll check and write about results. Today is Friday already ((((

Friday is not a sad day, Friday is a happy day :slight_smile:. Good luck. If it doesn’t work you may need to place the public subnet on a one-to-one NAT with a private subnet on your LAN.

nop…
It didn’t help (((
Cannot understand what the problem is. Normal NAT does the same; the only difference is it uses 1 IP address. Translate the whole subnet to 1 public IP and it works on different interfaces.

I’m not sure what your exact setup is, but the main problem is routing those public IP addresses to your clients.

As I mentioned, you will probably need to put your public subnet on a one-to-one NAT with a set of private addresses. This can be done with netmap, by specifying a range of addresses with src-nat, or by setting up all of the one-to-one NATs yourself. With netmap you need to feed it a complete subnet, you cannot specify a range, and with src-nat it seems to be a little random which IP address connections will use, but you can feed it whatever size range you want.

You can also try the proxy-arp method mentioned in this post:
http://forum.mikrotik.com/t/public-ips-for-client-not-bridging/34246/1
I’ve played with it some, but not much.

There is another method that I have seen work with a different piece of hardware, so I have no clue at all if it will work here. You basically assign the full subnet to the LAN, then you assign a subnet of it that will contain the default gateway and whatever IP address(es) you want to assign to the WAN of the box. Something like this:

/ip address
add interface=LAN address=10.10.10.8/24
add interface=WAN address=10.10.10.2/29

I might give this one a try later on today or this week if I have time. 10.10.10.1 would still be the gateway for any IPs on the LAN.

If it doesn’t have to be an absolutely unique public IP in all situations (as in, it is OK if a few people share the same IP) it might be possible to just use a profile that assigns people to an address list, and then use netmap with a mask before any other source NAT on that address list. The MikroTik manual isn’t very verbose in regards to netmap, but in stock iptables you can feed it an address with a mask instead of a range. NAT then takes bits from the to-address on the masked portion, and fills bits on the unmasked portion from the original IP. That way you can have a /24 of private IPs use a /29 of public IPs and share them relatively evenly if you’re lucky. Maybe uneven ranges do the same thing.

Otherwise I think you’d be stuck playing with an external server and API calls to reserve DHCP leases and use IP bindings or normal 1:1 NAT entries via the API, which would seem like a pain.

I am curious what you guys come up with, though.
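To make the netmap behaviour described above concrete, here is an added example (not from the thread or from RouterOS) that computes the translation the way stock iptables NETMAP does: network bits come from the to-address, host bits are kept from the original IP. It uses the thread's addresses (172.16.0.0/24 private, 10.10.0.0/24 or 10.10.0.0/29 public); whether RouterOS netmap with a mask behaves identically is an assumption, as the poster notes the manual does not say.

```python
from ipaddress import IPv4Address, IPv4Network


def netmap(addr: str, to_net: str) -> IPv4Address:
    """Translate addr as iptables NETMAP does.

    The masked (network) portion is taken from to_net, the unmasked
    (host) portion is copied from the original address.  Assumed to
    match RouterOS action=netmap when to-addresses carries a mask.
    """
    net = IPv4Network(to_net, strict=False)
    mask = int(net.netmask)
    original = int(IPv4Address(addr))
    translated = (int(net.network_address) & mask) | (original & ~mask & 0xFFFFFFFF)
    return IPv4Address(translated)


def map_pool(src_net: str, to_net: str) -> dict:
    """Map every host in src_net; returns {private_ip: translated_ip}."""
    return {str(h): str(netmap(str(h), to_net)) for h in IPv4Network(src_net).hosts()}


def is_one_to_one(mapping: dict) -> bool:
    """True only if no two private hosts land on the same public address."""
    return len(set(mapping.values())) == len(mapping)


def shared_by(mapping: dict, public_ip: str) -> list:
    """Private hosts that would all appear from public_ip (the /29 case)."""
    return [priv for priv, pub in mapping.items() if pub == public_ip]


if __name__ == "__main__":
    # Full /24 -> /24: a real 1:1 map, every client keeps its own public IP.
    full = map_pool("172.16.0.0/24", "10.10.0.0/24")
    print("1:1 /24 -> /24:", is_one_to_one(full), full["172.16.0.254"])
    # /24 -> /29: only the low 3 host bits survive, so 32 clients share each IP.
    shared = map_pool("172.16.0.0/24", "10.10.0.0/29")
    print("1:1 /24 -> /29:", is_one_to_one(shared))
    print("clients behind 10.10.0.6:", len(shared_by(shared, "10.10.0.6")))
```

In the /29 case the return path can no longer be decided by address alone, so the router must rely on connection tracking, and per-client accountability (which public IP did what) is lost for the clients that share an address.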