Connecting to switch in hotspot network over VPN

Hi,
I set up a hotspot network on the LAN interface (192.168.140.0/23). The ethernet switch on the LAN has IP 192.168.131.21. The router also has IP 192.168.131.1 on the LAN interface. I connect to the router via VPN (remote address 192.168.131.2 / local address 192.168.131.1). If I disable the hotspot service everything is fine: I get access to the switch and I can ping the switch from the router. If the hotspot is enabled I get no access and no ping from the router. I tried to add the switch IP and the VPN IP in the IP bindings of the hotspot and set them to bypass, but it didn't have any effect. The same behaviour occurs when I try port forwarding: hotspot disabled - OK, hotspot enabled - no connection.

Is it possible to add a firewall rule to get access to the switch while the hotspot is running?
Can anyone help me get access to the switch?

Thank you!

How does the router perform if you connect directly to it, instead of through the VPN? Can you access the switch from the MikroTik router? Or is it still "hotspot on - denied, hotspot off - allowed"?

ADD: If the router is remote, and it is possible, ssh into the router and try pinging from the RouterOS prompt.
/ping 192.168.131.21

It seems your VPN is ok. What I am expecting is that maybe a hotspot dynamic NAT rule is performing a masquerade. That would change the response packets' IP. If you are ok on the router, then I would suggest this:
/ip firewall nat print all

It is always: hotspot on - no response, hotspot off - ping ok. Also if I try directly from the router. It must have to do with the hotspot service. In the firewall rules there is no rule whose packet counter rises when I try to ping the router. So I don't know why it isn't working.

I think you need to put the switch in the IP range of the hotspot. Remove a few addresses at the low end of the DHCP server range and assign the switch one of those (like 192.168.140.4). Then the IP binding should work. Any reason you can't do that?

I would recommend giving it a try anyway.

ADD: The reason is that the hotspot by default does a one-to-one NAT of all IPs behind the hotspot that are not within its IP range, to an address that is.
/ip hotspot host print

You might try
/ip dhcp-server lease
print
make-static X
where X is the line number of the one-to-one NAT assignment for the switch. Then refer to the switch by the hotspot dynamic IP address in the IP binding, not the actual switch IP.

I have never tried this. Let me know if you do.

Thank you for your answers.
I think the main problem is that the switch doesn't appear in the Hotspot Hosts list. The hotspot doesn't know the switch, so the IP binding rule doesn't work and the hotspot doesn't forward the traffic. I added a static ARP entry for the switch MAC and IP. No success.
I'm hoping MikroTik Support will find a way…
I will tell you if it works…

I've found a solution. The problem is that the switch doesn't send packets if you don't try to connect to its web interface. So the hotspot isn't detecting it and it doesn't appear in the hosts list. Because of this it is not possible to connect to it over the MikroTik. So I configured the switch to ask an SNTP server every 60 s for the current time. Because of these packets the hotspot detects it and it appears in the hosts list. Now it is possible to connect to the switch.
I'm very disappointed by the MikroTik support. They always say that if the switch has correct IP settings and it is connected to the right interface, the hotspot will discover it. Do they think I'm mad and too stupid to check these things myself? I told them that if I disable the hotspot everything is ok and if I enable it, it isn't working. So they suggest the IP settings of the switch are wrong??? Very good help!! And I directly asked them if it could be a problem that the switch doesn't send packets… but no answer to my suggestion.
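For anyone hitting the same symptom, here is a RouterOS checklist that walks the diagnosis this thread arrived at: a hotspot only creates a host entry (and therefore only applies an IP binding) after it has seen traffic from that MAC, so a silent device behind the hotspot stays invisible no matter how correct its IP settings are. This is an added example, not a command sequence posted by anyone in the thread; the addresses are the ones from the original post, and the switch MAC address is a placeholder you must replace with your own.

```routeros
# Added example (not from the thread). Run on the MikroTik router.
# Addresses as in the thread; SWITCH_MAC is a placeholder.

# 1. Does the hotspot know the switch at all?
#    An entry appears here only after the hotspot has received
#    at least one frame from the switch's MAC address.
/ip hotspot host print where address=192.168.131.21

# 2. ARP knowledge is not hotspot knowledge: a static ARP entry
#    (as tried in the thread) shows up here but does not create a
#    hotspot host, so it does not make the IP binding effective.
/ip arp print where address=192.168.131.21

# 3. Bypass binding for the switch. This only takes effect once a
#    matching host entry from step 1 exists; until then the binding
#    sits unused and traffic to the switch is still handled by the
#    hotspot's dynamic rules.
/ip hotspot ip-binding add address=192.168.131.21 \
    mac-address=XX:XX:XX:XX:XX:XX type=bypassed \
    comment="management switch - bypass hotspot"

# 4. The dynamic (flag D) NAT rules the hotspot installs, including
#    the one-to-one translation applied to hosts outside the hotspot
#    address range that was mentioned above.
/ip firewall nat print where dynamic

# 5. Reachability from the router itself, before testing over the VPN.
/ping 192.168.131.21 count=4
```

The order matters: if step 1 prints nothing, steps 3 to 5 cannot succeed, and the fix belongs on the switch side (make it originate some periodic traffic, as the SNTP poll in the thread does) rather than in the router's firewall. Once the host entry exists, re-run step 1 and confirm the entry is flagged as bypassed before retesting the VPN path.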