Can you set up hotspot on a switch?

If I have an RB751 with all 5 ethernet ports and the wifi interface part of the same bridge, so that the entire thing is acting as one switch and wireless access point, can I set up hotspot on it?
Or does hotspot need to be on a router?

It looks like none of the firewall rules that are dynamically created when hotspot is enabled were being hit until I went to Bridge → Settings and set “Use IP Firewall” to on.

Now, it kind of sort of works - it redirects clients to the hotspot login page for some web requests, but not others. Any requests that don’t get redirected seem to just get dropped, rather than making it to the internet.

This also seems to have made connecting to the device with winbox using the MAC address unstable for some reason - it connects, stays connected for a while, disconnects, and won’t be discoverable with winbox until I either reboot the device, or wait a minute.

Is there something I’m missing?

I tried 2 more things:

Under Bridge → Settings, I disabled “Allow Fast Path”. According to this page, “Fast path allows to forward packets without additional processing in the Linux kernel”. Sounds like a way to bypass the firewall rules that make hotspot work, which I probably don’t want.

The other thing I did was allow UDP ports 67 and 68 (DHCP), and UDP port 53 (DNS) in Walled Garden IP List.
The rule that allows DHCP seems to be working great - without it, DHCP between the router and the client was being stopped by the mikrotik in between - now it’s not.
The DNS seems to still be an issue. Wireshark says that when I try to resolve something using 8.8.8.8, the response I get back is: “Server failure A DOMAIN”, where DOMAIN is the domain name I was trying to get an IP for.

I did a packet capture on the Mikrotik, and another one on the client.
It looks like the client is seeing responses from the DNS server (8.8.8.8 in my case) that aren’t actually coming from the DNS server.
The mikrotik packet capture shows proper DNS responses that give answers to the DNS queries the client asked for.
A packet capture on the client shows that the DNS server (also 8.8.8.8) is sending nothing but “Server Failure” messages, which the server never sent.
I think hotspot is doing something crazy with DNS to intercept requests, and for some reason it’s not working.

After several hours of messing with it, this is what I found:

  • Since we told the bridge to pass all layer 2 traffic through the firewall rules, Winbox traffic, even when it’s using the MAC address to connect, will pass through the firewall rules. This means you need firewall rules to allow MNDP and MAC Telnet in order to use Winbox. I couldn’t get this to work for some reason (still need to figure it out), so I cheated and added the IP of the MikroTik to the walled garden IP list. I can’t do this in production as the IP will be dynamically assigned.
  • If you’re setting up hotspot on a bridge, instead of your main router, you need to make sure that you add UDP port 68 to the walled garden allowed list, or unauthenticated clients won’t be able to get an IP address from the DHCP server.
  • You need to explicitly create rules that allow all traffic on the INPUT chain (to the MikroTik), and the OUTPUT chain (from the MikroTik).
  • You need to somehow fix the FORWARD chain.

The biggest problem I have now is that if I add a rule that allows ALL traffic in the FORWARD chain, it works, but unauthenticated clients will have their DNS requests intercepted and their port 80 and 443 requests redirected, and everything else will work just fine. If I set a rule that says it should allow authenticated clients out, and return authenticated traffic back in, the upstream traffic matches my rules fine, but the downstream traffic does not. Downstream traffic for an authenticated client is not matching a rule that says “allow on FORWARD chain if authenticated”.
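As an added example (not from the original post, and not a MikroTik-supplied configuration), here is the RouterOS CLI form of the settings the post describes working through: forcing bridged traffic through the IP firewall, disabling fast path, and the walled-garden entries for DHCP and DNS. It assumes a RouterOS v6 `/interface bridge settings` menu and a hotspot bridge named `bridge1` (a constructed name). The unresolved FORWARD-chain behaviour is not addressed here.

```routeros
# Added example, not from the original post. Assumes RouterOS v6 menus and
# that the hotspot runs on a bridge interface named "bridge1" (constructed).

# Pass bridged (layer 2) traffic through the IP firewall so the hotspot's
# dynamically created rules actually see it, and turn off fast path so
# packets are not forwarded around those rules.
/interface bridge settings
set use-ip-firewall=yes allow-fast-path=no

# Walled garden: unauthenticated clients must still be able to obtain a
# lease from the upstream DHCP server and resolve names before they log in.
/ip hotspot walled-garden ip
add action=accept protocol=udp dst-port=67-68 comment="DHCP for unauthenticated clients"
add action=accept protocol=udp dst-port=53 comment="DNS for unauthenticated clients"

# With use-ip-firewall on, traffic to and from the device itself also hits
# the filter. The post allowed all INPUT and OUTPUT traffic; scoping the
# INPUT rule to the hotspot bridge keeps the accept narrower.
/ip firewall filter
add chain=input in-interface=bridge1 action=accept comment="to the MikroTik from hotspot clients"
add chain=output action=accept comment="from the MikroTik"
```

The `in-interface=bridge1` restriction on the INPUT rule is the one deliberate departure from the post's "allow all on INPUT": it limits the management-plane exposure added by turning on `use-ip-firewall` to the hotspot segment rather than every interface, while still letting Winbox, MNDP and DHCP reach the device from that segment.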