Allowing access to Gmail IMAP/SMTP servers

Hi there,

This is a very basic question, and I don’t have that much experience with RouterOS, so please bear with me.

At the moment, we have a Mikrotik Router with RouterOS version 3 (I think, not exactly sure how to find out). I’m using Winbox 2.9.50 to connect to it. The hotspot is configured, which blocks all HTTP traffic unless the user logs in. I’m wondering if it’s possible to still block all HTTP traffic, but still allow a couple ports through, like 995, or 465?

Thanks!

Seth

Yes, add address and port to walled garden

I’ve tried adding the port, but I’m not exactly sure what the addresses of the Google servers are (as I assume they change), or do you mean the source address?

And do these changes take effect immediately, or do I need to reboot the router?

Seth

Add all Google mail server addresses; you can find them with
nslookup mail.google.com

Thanks mrz. I’ll see if it works.

Seth

MRZ, I’ve found Google’s server IP addresses, but I’m still having trouble getting it to work. Maybe I’m messing up completely with the walled garden entries. I’ve included the blank entry here. Do you mind showing me what I need to put where and what’s not important?

Thank you in advance!

You should be able to use the domain name and the port.
/ip hotspot walled-garden
add dst-host=*.gmail.com dst-port=465 action=allow
add dst-host=*.gmail.com dst-port=110 action=allow
This only works with Outlook and Thunderbird, not browser (port 80) email.

EDIT: My bad. The gmail.com email server requires SSL. If that is the case, I found you must enter the server IP in “/ip hotspot walled-garden ip” like this:
/ip hotspot walled-garden ip
add dst-host=pop.gmail.com dst-address=74.125.47.109 dst-port=995 action=accept
add dst-host=smtp.gmail.com dst-address=74.125.47.109 dst-port=465 action=accept

ADD: This comes from my experience with Apache and SSL websites. The only data available on an SSL packet is the IP address and the port. The header, which contains the URL, is encrypted. No such thing as Virtual SSL hosting (last time I checked).

Thanks for the help! I’ll be at the office today and I’ll try to see if it works.

My problem is that I’m sure Google use quite a few IP addresses for their mail servers, and what happens if that IP goes down or changes?

You could use a script to resolve the domain names and change the ip addresses if that concerns you. Then schedule it to run once a day, like early in the morning.

ADD: You could use the ip address in the email client setup instead of the domain names.

Ok. I have no idea how to do that, but if you or someone else could help, I’d really appreciate it.

I do realise I should be able to do this on my own, but unfortunately I’ve inherited this system and don’t have much experience with RouterOS.

Thanks.

No problems. Everybody here was new at Mikrotik sometime. :smiley:

The script code is below. Enter it in “/system script” like this
/system script
add name=checkdns
edit checkdns source

Then paste this code there. Ctrl-o saves and exits the editor.

:local pop [:resolve pop.gmail.com];
:local smtp [:resolve smtp.gmail.com];
/ip hotspot walled-garden ip;
:local popline [find dst-host=pop.gmail.com];
:local smtpline [find dst-host=smtp.gmail.com];
:if ([:len $pop] > 0) do={set $popline dst-address=$pop;};
:if ([:len $smtp] > 0) do={set $smtpline dst-address=$smtp;};

Then try it.
/system script
run checkdns

Then schedule the script to run once a day in “/system schedule”. If you need more help, let me know.

Thanks SurferTim!

I’ll be in there later today, so I’ll give it a try.

If you have problems with the gmail dns, you can always override it in
/ip dns static
add name=pop.gmail.com address=74.125.47.109
add name=smtp.gmail.com address=74.125.47.109

This will force the router to issue these IPs instead of using Google’s DNS servers.

Dude, you’re a genius!

It worked perfectly. I don’t know why I didn’t try Hotspot > IP.

I haven’t tried the script yet, but I’ll have to get it set up soon.

Thanks!

I’ve finally gotten around to putting the script in there, along with a scheduled task. It seems to be working so far. Thanks for the help!

Seth

Hi SurferTim. I know I’m dragging up an old topic, but I thought this might help someone else in the same situation. I upgraded my RB5xx from 2.9.50 to 3.3, and it broke my Gmail rules. It took me most of this morning to figure out what went wrong. Apparently, the rules in Walled Garden IP now use the hostname to look up the IP address. The problem with my current setup (per your instructions, which worked great with 2.9) is that pop.gmail.com no longer just resolved to the IP address. It resolved to pop-gmail.l.google.com, which then resolved to an IP. I could put the right IP address in there, but as long as pop-gmail.l.google.com was not listed as a destination host, I couldn’t get emails to go through.

Now, I’m just wondering if Google will ever change the alias for pop.gmail.com. I’m guessing they probably will. The problem is, can I find out what the alias is, or will the script just resolve to the IP address? Maybe I should ask this question over in scripting.

Anyway, thanks again for your help. I appreciate it.
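
Added example, not part of the thread and not MikroTik code: a Python helper, run on an admin workstation, that lists every name (including a CNAME target such as pop-gmail.l.google.com) and every address the resolver reports for the two Gmail hosts, and builds walled-garden entries in the same form used earlier in the thread, each limited to one host, one address and one port. The sample resolver data and the 192.0.2.x addresses are constructed; with the default resolver it assumes socket.gethostbyname_ex reports the CNAME target as the canonical name, which depends on the platform's resolver.

```python
import socket

# Ports from the thread: 995 = POP3 over SSL, 465 = SMTP over SSL.
SERVICES = {"pop.gmail.com": 995, "smtp.gmail.com": 465}

# Constructed resolver answers (TEST-NET-1 addresses), shaped like the return
# value of socket.gethostbyname_ex: (canonical name, aliases, addresses).
SAMPLE = {
    "pop.gmail.com": ("pop-gmail.l.google.com", ["pop.gmail.com"],
                      ["192.0.2.11", "192.0.2.10"]),
    "smtp.gmail.com": ("smtp.gmail.com", [], ["192.0.2.20"]),
}


def sample_resolver(host):
    """Offline stand-in for socket.gethostbyname_ex (constructed data)."""
    if host not in SAMPLE:
        raise socket.gaierror(f"no constructed answer for {host}")
    return SAMPLE[host]


def resolve_names(host, resolver=socket.gethostbyname_ex):
    """Return (names, addresses); names includes any CNAME target reported."""
    canonical, aliases, addresses = resolver(host)
    names = []
    for name in [host, *aliases, canonical]:
        name = name.rstrip(".").lower()
        if name and name not in names:
            names.append(name)
    return names, sorted(set(addresses))


def walled_garden_rules(services=SERVICES, resolver=socket.gethostbyname_ex):
    """Build one accept rule per (name, address) pair, limited to one port."""
    rules = ["/ip hotspot walled-garden ip"]
    for host, port in services.items():
        try:
            names, addresses = resolve_names(host, resolver)
        except OSError:
            continue  # unresolved host: emit no rule rather than a wider one
        rules += [f"add dst-host={n} dst-address={a} dst-port={port} action=accept"
                  for n in names for a in addresses]
    return rules


if __name__ == "__main__":
    print("\n".join(walled_garden_rules(resolver=sample_resolver)))
```

Comparing the output between runs shows when an alias or address has changed, so stale entries can be removed from the walled garden instead of accumulating.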