DNS on Hotspot and Isolation of Networks.

Hi everyone. This is my first post. I do not see an introduction area, so I will do it briefly before my question(s).

My name is Tom, 53 years old and living in South Africa. I run a small guesthouse and my interest is computers, programming and networking. All self taught, so no great knowledge. Just enough to help myself in most situations. I am linking two sites wirelessly, about a kilometer apart.

I run a wired local lan with 4 PCs, 3x W7 and 1x XP. Then I have an IP printer on the lan as well as an IP Corder with a few IP cameras.

This wired lan network runs on the 192.168.0.0 network.
Then I have my ADSL modem on the 192.168.11.0 network,
and my wireless link on the 192.168.3.0 network.

I have the RB450G and these networks on ether 1, 2, 3 respectively with Ether 4, 5 empty.

I configured the RB450G so that all three networks run and I have internet. Everything runs smoothly with no hiccups or delays. I successfully do an IP scan on all three networks via Winbox and all devices ping. All devices on the wired lan have static IPs, as do the wireless link and APs.

But, I want to run a Hotspot on the 192.168.3.0 network, ether 3.
I also need to isolate the wired lan from the wireless network, as all my private PCs are on the ether 1 interface and all the wireless stuff and APs are on ether 3, where my customers will log onto the hotspot. So my guests should not be able to see my PCs or printer or IP cameras. (If I allow them to look at the cameras, it will deplete their allocated bandwidth very quickly.)

I have no idea how to do this isolation, although I suspect it is very easy. I know I can do it on the AP’s, so clients do not see each other, but want to block them from my private network as well with Mikrotik.

As far as the hotspot goes, I have it going and clients can log on with either HTTP or MAC. (Actually I allowed all methods, except Trial.) I give my guests a username and password and my family log on with their device’s MAC address. So, all good and well, they all have internet access on the hotspot.

However!
The moment I activate this hotspot, I get DNS problems with my IP Corder (NVR), network printer and general hiccups and delays on my wired network. I have set up my DNS correctly and allowed remote requests, obviously, otherwise I would not get internet on all networks. The DHCP server gives IPs to devices connecting via access points. Only devices connecting via an AP get DHCP IPs. The DNS on the hotspot server is the culprit.

The DNS servers on the hotspot are the same as in my DNS setup and are filled in automatically.
The DNS name of the local hotspot server I gave as hotspot.dns, as apparently this can be anything as long as you have a . in the name.

The problem manifests in the form of browser access. As soon as I go to 192.168.0.222 (IP Corder) I get a message about hotspot.dns in the browser address bar and then a redirect, and the IP Corder does weird things like going into setup mode, and I cannot access the view mode for cameras.

Also, the network printer (192.168.0.15) becomes unreachable (also with a message about hotspot.dns) and the Windows network becomes unstable, not reaching all PCs intermittently.

What I do not understand is why the hotspot on ether 3 (192.168.3.0), a completely different network, interferes with my lan network on ether 1 (192.168.0.0)?

BTW, I then still have internet on both networks.

So, it is these two problems:

  1. Isolation
  2. DNS on Hotspot

Thanks for your time,
Tom
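As an added example for the isolation question (this is not from Tom's post or any reply in the thread), the following RouterOS firewall filter rules keep hotspot clients on ether3 away from the private LAN on ether1 while leaving internet access untouched. The interface names and subnets are the ones Tom lists; the comments and the decision to match on interfaces rather than addresses are assumptions for illustration.

```routeros
# Added example, not part of the thread: isolate the hotspot segment (ether3,
# 192.168.3.0/24) from the private LAN (ether1, 192.168.0.0/24).
# Interface names and subnets are taken from the thread; rule comments are
# illustrative. Rules are appended to the end of the forward chain.
/ip firewall filter

# Replies to connections opened from the private LAN (for example a PC on
# ether1 managing an AP on ether3) must still come back, so this accept
# rule has to sit before the drop rule.
add chain=forward connection-state=established,related action=accept comment="return traffic for existing connections"

# Guests on the hotspot interface may not open anything towards the LAN
# interface. Matching on interfaces instead of source addresses keeps the
# rule effective even after the hotspot's universal NAT rewrites the
# guest's source address to a 192.168.3.x pool address.
add chain=forward in-interface=ether3 out-interface=ether1 action=drop comment="hotspot -> private LAN blocked"

# Traffic from the hotspot to the internet (out via ether2) and from the
# private LAN to anything is not touched, so internet access stays as it was.
# The router itself (DNS, login page) is handled by the input chain, which
# these rules do not change.
```

To confirm the rules work, try to reach 192.168.0.222 from a device logged into the hotspot: the request should time out rather than show the NVR, while the same device still reaches the internet. Reaching the APs from a PC on ether1 keeps working because only new connections from ether3 towards ether1 are dropped.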

I would start by removing the dns-name from the hotspot. It does not need an entry. It will use the ip address of the hotspot interface in your browser address bar instead.

It may help if you post “/ip address” and “/ip route”.
None of the ethernet ports are on a switch or bridge, correct?
/ip bridge
/interface ethernet

 #   ADDRESS            NETWORK         INTERFACE                                
 0   ;;; Hotspot Interface
     192.168.3.1/24     192.168.3.0     ether3                                   
 1   ;;; ADSL Interface
     192.168.11.25/24   192.168.11.0    ether2                                   
 2   ;;; Lan Interface
     192.168.0.1/24     192.168.0.0     ether1



 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  ;;; 192.168.11.1 Modem
        0.0.0.0/0                          192.168.11.1              1
 1 ADC  192.168.0.0/24     192.168.0.1     ether1                    0
 2 ADC  192.168.3.0/24     192.168.3.1     ether3                    0
 3 ADC  192.168.11.0/24    192.168.11.25   ether2                    0



#    NAME          MTU MAC-ADDRESS       ARP        MASTER-PORT      SWITCH     
 0 R  ;;; Lan
      ether1       1500 D4:CA:6D:34:48:** enabled    none             switch1    
 1 R  ;;; ADSL Modem
      ether2       1500 D4:CA:6D:34:48:** enabled    none             switch1    
 2 R  ;;; Hotspot
      ether3       1500 D4:CA:6D:34:48:** enabled    none             switch1    
 3    ether4       1500 D4:CA:6D:34:48:** enabled    none             switch1    
 4    ether5       1500 D4:CA:6D:34:48:** enabled    none             switch1



[admin@RB450G] > /ip bridge 
bad command name bridge (line 1 column 5)

All of the above is the pre-hotspot installation.

Following is with Hotspot installed.

[admin@RB450G] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                
 0   ;;; Hotspot Interface
     192.168.3.1/24     192.168.3.0     ether3                                   
 1   ;;; ADSL Interface
     192.168.11.25/24   192.168.11.0    ether2                                   
 2   ;;; Lan Interface
     192.168.0.1/24     192.168.0.0     ether1 
                                  
[admin@RB450G] > /ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  ;;; 192.168.11.1 Modem
        0.0.0.0/0                          192.168.11.1              1
 1 ADC  192.168.0.0/24     192.168.0.1     ether1                    0
 2 ADC  192.168.3.0/24     192.168.3.1     ether3                    0
 3 ADC  192.168.11.0/24    192.168.11.25   ether2                    0

[admin@RB450G] > /ip bridge
bad command name bridge (line 1 column 5)

[admin@RB450G] > /interface ethernet print
Flags: X - disabled, R - running, S - slave 
 #    NAME          MTU MAC-ADDRESS       ARP        MASTER-PORT      SW
 0 R  ;;; Lan
      ether1       1500 D4:CA:6D:34:48:** enabled    none             sw
 1 R  ;;; ADSL Modem
      ether2       1500 D4:CA:6D:34:48:** enabled    none             sw
 2 R  ;;; Hotspot
      ether3       1500 D4:CA:6D:34:48:** enabled    none             sw
 3    ether4       1500 D4:CA:6D:34:48:** enabled    none             sw
 4    ether5       1500 D4:CA:6D:34:48:** enabled    none             sw

For good measure, I include this.

[admin@RB450G] /ip hotspot profile> print
Flags: * - default 
 0 * name="default" hotspot-address=0.0.0.0 dns-name="" 
     html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 
     smtp-server=0.0.0.0 login-by=mac,cookie,http-chap,https,http-pap 
     mac-auth-password="" http-cookie-lifetime=3d ssl-certificate=none 
     split-user-domain=no use-radius=no 

 1   name="hsprof1" hotspot-address=192.168.3.1 dns-name="hotspot.dns" 
     html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 
     smtp-server=0.0.0.0 login-by=mac,cookie,http-chap,https,http-pap 
     mac-auth-password="" http-cookie-lifetime=3d ssl-certificate=none 
     split-user-domain=no use-radius=no

Thanks for looking into my problem.

I would start by removing the dns-name from the hotspot.

I have no idea how to do that.

So all goes pretty much OK as long as you don’t access localnet addresses?

You know you must be logged in (add: or put the localnet ip in the walled garden) to go anywhere outside the hotspot localnet, and you will have trouble with other devices on that localnet unless you disable the hotspot universal nat.

All that looks ok at first glance, so maybe it is in the firewall. How about these?
/ip firewall filter
/ip firewall nat

edit: Also try this:

/ip hotspot profile
set 1 login-by=http-chap
[admin@RB450G] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

[admin@RB450G] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

 1   ;;; Masquerade LAN Interface
     chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=0.0.0.0/0 

 2   ;;; masquerade hotspot network
     chain=srcnat action=masquerade to-addresses=0.0.0.0 src-address=192.168.3.0/24

I would use a srcnat (masquerade) for the WAN interface only. Add this, then remove the other two srcnats.

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether2

ether2 is the WAN interface, correct?

Did you try logging in by going to www.google.com or somewhere like that, then trying the 192.168.0.222 address?

OK, done that. Just before I did it, I tested 192.168.0.222 and it worked, but irritatingly slowly, and two IP cameras could not connect. I am finding that the problem is intermittent and I am not surprised that it did find the IP device.

Then I added the rule and removed the other two.
Now I cannot connect and get
http://hotspot.dns/login?dst=http%3A%2F%2F192.168.0.222%2F
in the browser address bar with “Could not locate remote server”

I do not think it has to do with the change. If I tested a second time, the same would probably have happened. (From experience)

Latest nat print.

[admin@RB450G] /ip firewall> nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough 

 1   chain=srcnat action=masquerade out-interface=ether2

ether2 is the WAN interface, correct?

Yes

Did you try logging in by going to www.google.com or somewhere like that, then trying the 192.168.0.222 address?

Yes, makes no diff.

ARP is converting all my IPs to the 192.168.3.0 network. (I think it is ARP?)
For instance 192.168.0.222 to 192.168.3.3.

I do not want my 192.168.0.0 network IPs converted to the .3.0 network.

Take a look at “/ip hotspot host”. That is where the results of the hotspot universal nat is displayed. Is that showing those translations?

Look at the address (the actual address of the device) and the to-address (address seen outside the hotspot interface).

Any questions about it, then post that part.
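The reply above says to read the “/ip hotspot host” table and compare each entry's real address with its to-address. As an added example (not from the thread), this RouterOS script automates that check: it walks the host table and reports every entry whose real address lies outside the hotspot subnet, which is exactly the symptom of a device from another segment arriving on the hotspot interface. The subnet is taken from the thread's /ip address output; the log prefix and variable names are assumptions.

```routeros
# Added example, not part of the thread: flag /ip hotspot host entries whose
# real address is outside the hotspot subnet. Such entries show that traffic
# from another segment is reaching the hotspot interface and being rewritten
# by the hotspot's universal NAT. The subnet is from the thread's
# /ip address output; "hotspot-check:" is an assumed log prefix.
:local hsnet 192.168.3.0/24
:local found 0

:foreach h in=[/ip hotspot host find] do={
    :local addr   [/ip hotspot host get $h address]
    :local toaddr [/ip hotspot host get $h to-address]
    :local mac    [/ip hotspot host get $h mac-address]

    # "in" tests whether an IP address falls inside an IP prefix
    :if (!($addr in $hsnet)) do={
        :set found ($found + 1)
        :log warning ("hotspot-check: " . $addr . " (" . $mac . ") seen on hotspot, translated to " . $toaddr)
        :put ("outside " . $hsnet . ": " . $addr . " " . $mac . " -> " . $toaddr)
    }
}

:put ("entries outside the hotspot subnet: " . $found)
```

Run from a terminal, or save it under /system script and schedule it so the warnings land in the log while the problem is intermittent. Against the host table Tom posts next, it would report the two 192.168.0.x entries (192.168.0.5 and 192.168.0.222, both with MAC 00:27:22:EC:6F:81) and the 41.14.219.146 entry, and stay quiet about the 192.168.3.x hosts.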

[admin@RB450G] >> ip hotspot host print   
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed 
 #    MAC-ADDRESS       ADDRESS         TO-ADDRESS      SERVER     IDLE-TIMEOUT
 0 D  00:27:22:7A:D5:6F 192.168.3.201   192.168.3.15    hotspot1   5m          
 1 DA 50:CC:F8:20:CA:83 41.14.219.146   192.168.3.18    hotspot1  
 2  A 50:CC:F8:20:CA:83 192.168.3.19    192.168.3.17    hotspot1  
 3 D  00:27:22:EC:6F:81 192.168.0.5     192.168.3.16    hotspot1   5m          
 4 D  00:27:22:EC:6F:81 192.168.0.222   192.168.3.20    hotspot1   5m   
       
[admin@RB450G] >> /ip hotspot active print 
Flags: R - radius, B - blocked 
 #    USER          ADDRESS         UPTIME       SESSION-TIME-LEFT IDLE-TIMEOUT
 0    50:CC:F8:2... 192.168.3.17    55s         
 1    50:CC:F8:2... 192.168.3.18    56s

That is what I am referring to.
50:CC:F8:20:CA:83 is my cellphone
00:27:22:EC:6F:81 is the IP Corder 192.168.0.222 converted to 192.168.3.20

192.168.3.201 AP
192.168.0.5 PC on 192.168.0.0 network converted to 192.168.3.16

Why is my cell getting two IPs?

The cameras are recorded by the IP Corder (NVR) all the time, yet only the IP of the NVR shows up and no IP camera?

This indicates this device is connected to the hotspot interface (ether3), not the localnet (ether1).

4 D 00:27:22:EC:6F:81 192.168.0.222 192.168.3.20 hotspot1 5m

But why? Cabling is going to ether1
ether 1 is on 192.168.0.0 network
and the ip is 192.168.0.222

So how is it ending up on the ether3 hotspot?

Take a look at “/ip hotspot”. Ensure your hotspot is assigned to ether3, and not ether1.

I am looking at it in Winbox. I do not know the command for the terminal. It is definitely on ether3.

Servers-hotspot1-ether3-hotpool-hsprof1

I can use Winbox. :)
As long as you are in Winbox, check the “Bridge” tab. No bridges assigned?
There must be a reason your 192.168.0.222 ip is showing in “/ip hotspot host”. A bridge or switch setting?

LOL, I did not imply you can not use Winbox! I meant I do not know how to show it to you. Upload .jpg? Lots of hassle. I also meant, is there a way to show you the result from Terminal, as I do not know all the commands.

OK. ARP shows all IPs on the correct ether.
Definitely no Bridge.
Switch I do not know.

[admin@RB450G] >> /ip arp print     
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic 
 #   ADDRESS         MAC-ADDRESS       INTERFACE                                                                       
 0 D 192.168.3.4     00:27:22:EC:6F:81 ether3                                                                          
 1 D 192.168.0.170   00:10:75:06:C1:80 ether1                                                                          
 2 D 192.168.11.1    00:24:A5:BD:5F:E6 ether2                                                                          
 3 D 192.168.3.15    00:27:22:7A:D5:6F ether3                                                                          
 4 D 192.168.3.2     00:27:22:EC:6F:81 ether3                                                                          
 5 D 192.168.0.164   00:27:22:72:C7:65 ether1                                                                          
 6 D 192.168.3.3     00:27:22:EC:6F:81 ether3                                                                          
 7 D 192.168.3.17    50:CC:F8:20:CA:83 ether3                                                                          
 8 D 192.168.0.222   00:90:0B:10:91:48 ether1                                                                          
 9 D 192.168.3.20    00:27:22:EC:6F:81 ether3                                                                          
10 D 192.168.0.5     1C:6F:65:DB:2B:18 ether1                                                                          
11 D 192.168.0.3     00:21:91:91:1E:99 ether1                                                                          
12 D 192.168.0.159   00:27:22:72:C7:65 ether1                                                                          
13 D 192.168.0.6     00:24:8C:22:C8:9B ether1

What does this switch1 mean?

[admin@RB450G] >> /interface ethernet print     
Flags: X - disabled, R - running, S - slave 
 #    NAME                      MTU MAC-ADDRESS       ARP        MASTER-PORT                   SWITCH                  
 0 R  ;;; Lan
      ether1                   1500 D4:CA:6D:34:48:BB enabled    none                          switch1                 
 1 R  ;;; ADSL Modem
      ether2                   1500 D4:CA:6D:34:48:BC enabled    none                          switch1                 
 2 R  ;;; Hotspot
      ether3                   1500 D4:CA:6D:34:48:BD enabled    none                          switch1                 
 3    ether4                   1500 D4:CA:6D:34:48:BE enabled    none                          switch1                 
 4    ether5                   1500 D4:CA:6D:34:48:BF enabled    none                          switch1

aah, I found a switch in Winbox
Switch-Name,switch1-Type,Atheros 8316

Under port it shows as a switch on all ethers, 1 to 5 and then
name,switch1 cpu
VLAN Mode fallback

I do not know, and cannot find in ? on the terminal, a way to print the Switch info.

/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1 switch-all-ports=yes



/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=fallback
set 1 vlan-header=leave-as-is vlan-mode=fallback
set 2 vlan-header=leave-as-is vlan-mode=fallback
set 3 vlan-header=leave-as-is vlan-mode=fallback
set 4 vlan-header=leave-as-is vlan-mode=fallback
set 5 vlan-header=leave-as-is vlan-mode=fallback