Hello MikroTik forums,
I would like a captive portal set up on a bridge interface to be presented to users in the 192.168.16.1/20 range, but not users in the 192.168.1.1/24 range. Attached is a diagram of my current set-up. Note how all of the users connect to one port.
Here is my hotspot (currently disabled), hotspot server, routing table, address pool and IP address pool configuration. Let me know if any other info is required and I will provide it.
[admin@MikroTik] > ip hotspot print
Flags: X - disabled, I - invalid, S - HTTPS
# NAME INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT
0 X hotspot1 bridge1 hsprof1 5m
[admin@MikroTik] > ip hotspot profile print
Flags: * - default
0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot
rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0
login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no
use-radius=no
1 name="hsprof1" hotspot-address=192.168.16.1 dns-name=""
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0
smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d
split-user-domain=no use-radius=no
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.16.1/20 192.168.16.0 bridge1
1 192.168.90.1/24 192.168.90.0 ether1
2 192.168.1.7/24 192.168.1.0 ether2
[admin@MikroTik] > ip pool print
# NAME RANGES
0 hs-pool-14 192.168.16.2-192.168.31.254
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 192.168.20.1 1
1 ADC 192.168.1.0/24 192.168.1.7 bridge1 0
2 ADC 192.168.16.0/20 192.168.16.1 bridge1 0
3 ADC 192.168.90.0/24 192.168.90.1 bridge1 0
At this point, whenever I enable the captive portal, the router can no longer find the DNS servers and as a result, blocks all traffic trying to pass through the bridge (thank God for console ports!). It keeps making ARP requests for them and they are replying, but the ARP requests don't get logged (I assume). Actually, the router can't even ping the firewall's interface that is in its own subnet. It's like the captive portal cuts off all connections to the outside world.
Do I have to add something to the captive portal configuration so that it lets traffic to and from the DNS servers through? None of the tutorials that I keep reading show that. Is there a tutorial that someone could point me towards that describes the steps for a captive portal between two bridge interfaces?
What I am actually trying to accomplish
Alternatively, if you can propose another way to get a selective Captive Portal with selective PAT translation up and running, it would be greatly appreciated. However, there are some restrictions to my situation.
What cannot be used:
- The RouterBoard cannot be placed in routed mode. All ports must be bridged.
- I cannot use VLANs since DD-WRT does not support VLANs on my radios.
- I cannot perform DHCP from the RouterBoard as only the server can provide DHCP and route.
I had this set-up with pfSense in router mode, but I heard that MikroTik lets you set up a Captive Portal while in bridged mode, which pfSense does not support.
tl;dr
I am having problems setting up a captive portal on a bridge and am starting to doubt if it is possible at all.