collision between static NAT Rules and dynamic NAT rules

brychtak · February 21, 2007, 9:06am

Hello,

I have a problem with collision between static NAT Rules and dynamic NAT rules in hotspot mode. I need for example static rule for DNS questions to intranet (internal DNS server) and a lot of other rules. But there is a problem If I make static rules and the client connects to hotspot authentication proccess isn’t succesfull because of collision between rules. If I remove the static rules auth. on Radius server is OK but DNS questions for intranet servers doesn’t work.
Could you help me how to solve it? Is it possilbe i one rule match to continue other rules or?

Thank you

Radek

sergejs · February 21, 2007, 9:13am

Radek,
specify local intranet ‘dns’ servers in ‘ip dns’, as well you can specify dns servers for clients during HotSpot setup.
You can add static NAT rule before HotSpot, however after reboot it will be moved down.
Dynamicaly created NAT rules adre described here,
http://www.mikrotik.com/testdocs/ros/2.9/ip/hotspot_content.php#7.41.14

brychtak · February 21, 2007, 11:15am

Thank you. I know where to specify DNS server (ip - dns). I have dhcp server for hotspot users. Hotspot user has DNS 192.168.4.4 192.168.8.226. there is the problem. I need for autheticated clients working DNS, working intranet, working TCP connetion for example with exchange 192.168.x.y, proxy etc… Hotspot rules are dynamicaly added. and I need a lots od static rules for DNS, exchange, intranet, VNC… for passing through mirkrotik. But if I make static rules, user is not authenticated (no auth. form screened in the browser)because my rule is on the top. If I move it down the user is autheticated but DNS doesn’t work, VNC, proxy, connection to exchange (outlook) etc.
I know that the rule must be on the top, I have script to move it up after reboot. Thats not a problem.
any soulution how to solve it?

brychtak · February 23, 2007, 8:28am

brychtak:

Thank you. I know where to specify DNS server (ip - dns). I have dhcp server for hotspot users. Hotspot user has DNS 192.168.4.4 192.168.8.226. there is the problem. I need for autheticated clients working DNS, working intranet, working TCP connetion for example with exchange 192.168.x.y, proxy etc… Hotspot rules are dynamicaly added. and I need a lots od static rules for DNS, exchange, intranet, VNC… for passing through mirkrotik. But if I make static rules, user is not authenticated (no auth. form screened in the browser)because my rule is on the top. If I move it down the user is autheticated but DNS doesn’t work, VNC, proxy, connection to exchange (outlook) etc.
I know that the rule must be on the top, I have script to move it up after reboot. Thats not a problem.
any soulution how to solve it?

no solution??

janisk · February 23, 2007, 8:40am

you can try to simply create hotspot as it is, and that will unauthorised users to access any internet resources, if you want to allow them something add that to wallet garden

brychtak · March 5, 2007, 11:48am

Yes i know but i want for AUTHORIZED users own static rules and with no collision betwwen static and dynamic rules which is probably impossible.

ziadmelhem · December 30, 2007, 1:53pm

hello brychtak,
i have a mikrotik hotspot 2.9.x, i have some problems with NAT firewall rules of
web-proxy, dynamic rules is always on top and the web-proxy doesn’t work
please i need the script to move up static rules after reboot.

thanks.