I need to hand out different IPs to specific users. Reason: to allow certain users full access to all websites and to restrict access to only one website for other users.
I have created another IP pool and applied it to a test account, but once the user logs in he has no access to the internet or even the hotspot status page.
I have masqueraded the second IP pool.
My config:
[me@mikrt] > ip pool print detail
0 name="default-dhcp" ranges=192.168.88.10-192.168.88.254
1 name="hs-pool-13" ranges=10.0.0.2-10.0.0.254
2 name="test" ranges=172.16.16.2-172.16.16.12
[me@mikrt] > ip hotspot pr
profile print
[me@mikrt] > ip hotspot print
append brief count-only detail file follow follow-only from interval where without-paging
[me@mikrt] > ip hotspot print detail
Flags: X - disabled, I - invalid, S - HTTPS
0 name="hotspot1" interface=bridge profile=hsprof1 idle-timeout=5m keepalive-timeout=none login-timeout=none ip-of-dns-name=192.168.88.2 proxy-status="running"
[me@mikrt] > ip hotspot
active cookie host ip-binding profile service-port user walled-garden add disable edit enable export find print remove reset-html set setup
[me@mikrt] > ip hotspot
.. get
[me@mikrt] > ip firewall filter print detail
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth
2 D chain=input action=jump jump-target=hs-input hotspot=from-client
3 D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875
4 D chain=hs-input action=jump jump-target=pre-hs-input
5 D chain=hs-input action=accept protocol=udp dst-port=64872
6 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875
7 D chain=hs-unauth action=return protocol=tcp dst-port=82
8 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
9 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
10 D chain=hs-unauth-to action=return protocol=tcp src-port=82
11 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
12 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
13 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough log=no log-prefix=""
14 chain=input action=drop connection-state=new protocol=udp in-interface=ether1 dst-port=53 log=no log-prefix=""
15 chain=hs-input action=drop connection-state=new protocol=udp in-interface=ether1 dst-port=53 log=no log-prefix=""
16 chain=input action=drop connection-state=new protocol=tcp in-interface=ether1 dst-port=53 log=no log-prefix=""
17 chain=hs-input action=drop connection-state=new protocol=tcp in-interface=ether1 dst-port=53 log=no log-prefix=""
18 X ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""
19 X ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
20 X ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
21 X ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
22 X chain=forward action=drop protocol=udp src-address=172.16.16.0/24 log=no log-prefix=""
23 X ;;; defconf: accept in ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec
24 X ;;; defconf: accept out ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec
25 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""
26 X ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""
27 X ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
28 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
29 ;;; block-freedom-maxupgrade
chain=pre-hs-input action=drop layer7-protocol=freedom log=no log-prefix=""
[me@mikrt] > ip firewall nat print detail
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
1 D chain=hotspot action=jump jump-target=pre-hotspot
2 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53
3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53
4 D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80
5 D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443
6 D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth
7 D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth
8 D chain=hs-unauth action=return protocol=tcp dst-port=82
9 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80
10 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128
11 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080
12 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp dst-port=443
13 D chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
14 D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http
15 D chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
16 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
17 X ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=10.0.0.0/24 log=no log-prefix=""
18 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.88.0/24 log=no log-prefix=""
19 X chain=srcnat action=masquerade dst-address=192.168.111.0/24 log=no log-prefix=""
20 X ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.88.0/24 log=no log-prefix=""
21 chain=dstnat action=redirect to-ports=8080 protocol=tcp src-address-list=payment_reminder dst-port=80
22 chain=dstnat action=redirect to-ports=8080 protocol=tcp connection-mark=payment_reminder
23 X chain=hotspot action=log src-address=172.16.16.0/24 log=no log-prefix=""
24 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=172.16.16.0/24 log=no log-prefix=""
[me@mikrt] >