I’ve asked this before here and from support, but still no answer (or understanding) for this problem.
When you create a Hotspot and enable it, it creates dynamic firewall rules. If you add a new static rule, say a dst-nat rule that port-forwards to an internal device, all works fine until you reboot the router. When rebooted (or if you disable and enable the hotspot) the dynamic firewall rules for the hotspot become the first rules in the list, so your static rules never get executed as the hotspot rules hit first (and ultimately block the port-forward request from ever happening).
Please note, this is not about bypassing user IP addresses from the hotspot. These are port-forward NAT rules for outside requests to internal devices. For example, I’ve got an AP bridge on the inside of a hotspot network and want to remotely SSH to it. I create a destination-nat rule that accepts a dst-port of 12345 and NATs to 192.168.1.10 port 22. Then I set my local SSH client to connect to the hotspot IP, port 12345.
Has anyone run into this? Is there something I can do to let a bunch of static dst-nat rules to internal devices through without the hotspot firewall rules breaking our entire outside network monitoring? In all of 2.8, the firewall rules never changed order. Why does this happen on 2.9?
I also have the same problem with the new Mikrotik 2.9.x version. I can write as many rules as I want, MT always does what the Hotspot dynamic rules say… Does anyone know the solution to this problem???
Someone told me that I need to not use a pool. I also tried with static addresses… The result was always the same = stupid dynamic Hotspot rules… The best question for Mikrotik support people is: how do I disable those rules? I will write my own…
And risk it not working for an hour until the script is executed? Couldn’t we detect when the sh*t happens and make the script execute at that moment?
Yes, running a script would work. It’s easier to just log in immediately after the reboot and shift rules around if it’s a planned reboot and we are on a network to do this.
Our biggest problem with this is that we monitor the up/down state and poll snmp from more than 40 devices behind it. When the rules change order after a reboot, we’ll get almost 100 alerts that everything is down and again once we change the rules around that everything is back up. We have a few other networks with fewer devices but the same problem.
Perhaps to help Mikrotik, I suggest that instead of the dynamic rules being inserted at the top of the list, they are inserted last, after all static rules. Ideally the placement (both before and after) of static rules should stay the same, i.e., the hotspot knows where in the list they existed. But rarely do we need to place firewall rules after the dynamic hotspot ones. Having those dynamic rules always at the bottom of the list would work for us for now.
I will try writing a script later tonight… Because I found that the dynamic jump rules made by the Hotspot are not good for my configuration (they catch all interfaces with all addresses)… I will try to remove them and write my own rules… That must be the solution to this problem…
What’s the point? You CAN run a script just once after each reboot. So put the script in there, and you should be set.
The point is, after all of the time I’ve spent in the last 2 years dealing with the Hotspot module (since 2.7) and having Mikrotik unwilling to fix the last final bug that existed in the 2.8 branch because 2.9 was finally released (even though they were aware of this and had the golden supout file to prove what the problem was), I’ve finally taken the time to start upgrading our 2.8 hotspots to 2.9, only to find a serious design issue that breaks the functionality of what we’ve got in the field (the dynamic firewall issue).
The behavior of the dynamic firewall rules seems odd… maybe it’s just me, but it seems like having any type of dynamic firewall insert rules at the top of the list is a bad idea. Yes, a script would resolve this to some degree, but IMO it is not a solution. Overall, we’ve been happy with what Mikrotik has done and would like to continue using them for Hotspots; we have certainly purchased enough licenses to show our dedication to using this product.
It would be nice to at least get some feedback from Mikrotik on this issue - it would be nice to at least know if there are any plans to change this behavior.
I will try to remove them and write my own rules… That must be the solution to this problem…
I don’t think this is going to work… If you delete these rules, the next time you reboot they will all come back. I guess you could take the script approach and have it manually delete these… still doesn’t seem like a proper solution though.
The next query that pops into my ‘devil’s workshop’ is how do we trigger it on EACH reboot? Is there a way of determining that the SYSTEM has rebooted and then have the script run, like an AUTOEXEC.BAT??
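The "run it on each reboot" workaround discussed above, as an added example (not a script from the thread or from MikroTik): a tagged static dst-nat port-forward, a script that moves every tagged static rule back above the hotspot's dynamic rules, and a scheduler entry that runs it once per boot. It assumes the interface names LAN1 (outgoing) and the AP bridge at 192.168.1.10 from the first post, uses current RouterOS scripting syntax (the 2.9-era syntax differs in places), and assumes that `find dynamic=no` and `move ... destination=0` behave as described in the comments.

```routeros
# Added example, not from the thread. Assumes: outgoing interface "LAN1",
# AP bridge at 192.168.1.10 (from the first post), current RouterOS syntax.

# 1. Static port-forward from outside to the AP bridge, tagged with a comment
#    prefix so a script can find it later without touching other rules.
/ip firewall nat add chain=dstnat in-interface=LAN1 protocol=tcp dst-port=12345 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=22 \
    comment="keep-first: ssh to AP bridge"

# 2. Script: move all static (dynamic=no) dstnat rules whose comment starts
#    with "keep-first" to position 0, i.e. above the hotspot's dynamic rules.
#    Moving the whole list in one command keeps their relative order.
/system script add name=fix-nat-order source={
    # the hotspot installs its dynamic rules shortly after boot; wait for them,
    # otherwise the script runs too early and the dynamic rules land on top again
    :delay 30s
    :local ids [/ip firewall nat find chain=dstnat dynamic=no comment~"^keep-first"]
    :if ([:len $ids] > 0) do={
        /ip firewall nat move $ids destination=0
        :log info ("fix-nat-order: moved " . [:len $ids] . " static dst-nat rule(s) to the top")
    } else={
        :log warning "fix-nat-order: no keep-first rules found"
    }
}

# 3. Run the script once on every boot (start-time=startup, interval=0).
/system scheduler add name=fix-nat-order start-time=startup interval=0 \
    on-event=fix-nat-order

# 4. Check after a reboot: static rules must print before the "D" (dynamic) ones.
/ip firewall nat print
```

Disabling and re-enabling the hotspot by hand re-inserts the dynamic rules without a reboot, so after doing that run `/system script run fix-nat-order` as well; the log line makes it easy to confirm from `/log print` that the move actually happened before the monitoring system starts alerting.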
Dynamic hotspot firewall rules catch only hotspot clients. Bypassed devices will not match those rules. All APs inside the hotspot should be set as bypassed hosts, thus allowing full access to them from outside.
Does anyone want to monitor some regular hotspot client? No problem, just add the IP of your SNMP server to the “/ip hotspot walled-garden ip” list.
Are there some cases which I have not covered here?
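The configuration Normis describes, written out as an added example (this is not Normis's or MikroTik's own configuration): the AP bridge from the first post is made a bypassed host, a monitoring server is allowed through the walled garden so regular clients can be polled, and the static port-forward gives the outside world a path to the bypassed AP. The monitoring server address 203.0.113.5 is a constructed example, and the direction of the walled-garden entry (`dst-address`) is my assumption about how the "add the IP of your SNMP server" advice maps onto the command.

```routeros
# Added example, not the thread's own configuration. Assumes the AP bridge at
# 192.168.1.10 (first post) and a constructed monitoring server at 203.0.113.5.

# Bypassed host: traffic to and from this address is not matched by the
# hotspot's dynamic rules, so it needs no login and the rule order stops mattering.
/ip hotspot ip-binding add address=192.168.1.10 type=bypassed \
    comment="AP bridge, monitored from outside"

# Walled garden: let regular (not logged-in) hotspot clients talk to the SNMP
# server, so they can be polled without authenticating first.
/ip hotspot walled-garden ip add dst-address=203.0.113.5 action=accept \
    comment="SNMP/monitoring server"

# The port-forward from the first post is still needed: the AP has a private
# address, and bypassing only removes it from the hotspot's own rules.
/ip firewall nat add chain=dstnat protocol=tcp dst-port=12345 \
    action=dst-nat to-addresses=192.168.1.10 to-ports=22 \
    comment="ssh to AP bridge"

# Checks: the binding is listed with type=bypassed, and after the AP sends
# traffic it appears in the hosts list as bypassed rather than as a client.
/ip hotspot ip-binding print
/ip hotspot host print
```

The practical difference from the script workaround: a bypassed binding is static configuration that survives reboots and hotspot restarts, so there is nothing to re-run, but one binding per monitored device is required (as the original poster notes later in the thread).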
I must write my problem again… Nobody has given me an answer or a possibility for my problem.
I will explain my configuration shortly, and some problems:
I’m using a Cisco router for frame relay and for giving access for public addresses.
I’m using Mikrotik for home users (private addresses) and to control the speed of public addresses (via queue).
I have 3 LAN ports on the MT:
LAN 1 > outgoing interface (connected to the Cisco router)
LAN 2 > incoming interface for users with private addresses (they go out through LAN 1 as one public address)
LAN 3 > incoming interface for users with public addresses (they go out through LAN 1 as they are)
All traffic comes into one switch and goes into the MT with two cables, into LAN2 and LAN3.
In version 2.8.28 everything works well… but in 2.9.14 I have the following problems:
Half of the public addresses don’t want to work??? The Hotspot takes them into hosts and translates them into private addresses, which don’t want to work!!!
Some users with private addresses have
I made firewall rules which reject all traffic of public addresses on LAN2 and all traffic from private addresses on LAN3… But in the ARP table I can see some (a few) private addresses, and also in hotspot/hosts I can see some public addresses…
Why did I put the hotspot server and all that on LAN2 if it takes addresses from LAN3?..
Thank you for responding Normis. I will try this and see what happens. My immediate reaction to this solution is that we have to add an extra rule for every device (to add to the bypass list) but if it does what we need, we’ll be happy. I’ll post back once we’ve tried this on a live network.