Routing is working correctly and I’m able to connect to clients and APs fine without the hotspot enabled. When it’s enabled it does an autoconfig of the NAT and Firewall and I lose access.
I would like to know what rules need to be setup when enabling the Hotspot feature to allow access to me when in-front of router 2.
Tried:
Removing the auto-generated NAT settings and firewall rules from router 2 with no success
I was able to ping devices on router 2’s net when removing the icmp rules, but I have to do this every time I disable and then re-enable the hotspot.
Thoughts:
Must NAT be enabled when using the Hotspot feature, and if so, how would I set up a reverse NAT to gain access?
If NAT is not required, then what am I missing? Can I modify the auto-generated rules when it’s enabled?
Let’s have some more information about your setup - IP addresses, routes, NAT, bridges etc. I’m not sure why you want NAT/masq in a separate router, but all the same it’s definitely doable.
Those auto-generated NAT and firewall rules are what actually makes the Hotspot work. If you disable them the Hotspot will not work and you might as well not run it. Those NAT rules do NOT have to perform source NAT and masquerading - the wizard does add that, but the rule will not be marked ‘D’ for dynamic in the list. That is the only rule that is OK to remove. You can source NAT on any router later on. All the other NAT rules actually enforce the Hotspot policy and redirect traffic to the login pages - among other things - and removing them renders the Hotspot useless.
The proper solution to reaching APs is to run the APs on trunks with two VLANs, one for the Hotspot guests and one for management IPs. The Hotspot is then run in the guest VLAN interface. Not only does this make the APs available to you for management, it also makes them unavailable to the guests.
The way to enable bi-directional communication between hosts on the subnet and you a hop removed would be to use the pre-hotspot NAT chain to accept all traffic between the two subnets involved, and to add rules in the Hotspot IP walled garden so Hotspot users can pass traffic between the two even when not authenticated. Assuming a Hotspot network of 10.0.0.0/24 and a management network of 10.1.0.0/24 behind the other router, that would look something like this:
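As an added illustration of the approach described above, not the poster’s own configuration, here is how the two pieces (pre-hotspot NAT accept and walled-garden IP entries) can be expressed in RouterOS CLI syntax. It assumes the two subnets given in the post and an interface named ether2 for the Hotspot side; the comment strings are constructed labels.

```routeros
# Added example (not from the original thread): let traffic between the
# Hotspot subnet (10.0.0.0/24) and the management subnet (10.1.0.0/24)
# bypass the Hotspot redirect rules. These static rules must sit above the
# dynamic (D) rules in the pre-hotspot chain, otherwise the redirect to the
# login page still wins for unauthenticated clients.
/ip firewall nat
add chain=pre-hotspot src-address=10.0.0.0/24 dst-address=10.1.0.0/24 \
    action=accept comment="mgmt: hotspot -> management, bypass redirect"
add chain=pre-hotspot src-address=10.1.0.0/24 dst-address=10.0.0.0/24 \
    action=accept comment="mgmt: management -> hotspot, bypass redirect"

# Walled garden (IP level): allow unauthenticated Hotspot clients to exchange
# traffic with the management subnet. Restrict protocol/dst-port here if the
# management side only needs a few services (e.g. ICMP, SSH, WinBox).
/ip hotspot walled-garden ip
add dst-address=10.1.0.0/24 action=accept \
    comment="mgmt: allow hotspot clients to reach management net"
add src-address=10.1.0.0/24 action=accept \
    comment="mgmt: allow management net to reach hotspot clients"

# Check: the hotspot-generated rules are marked D; the two static accepts
# above should print without the D flag and persist across hotspot
# disable/enable, so they do not have to be re-added each time.
/ip firewall nat print where chain=pre-hotspot
/ip hotspot walled-garden ip print
```

The `print` commands at the end are the quick sanity check: the static rules survive a Hotspot disable/enable, while the dynamic ones are regenerated.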