The idea is fine but I’m afraid you cannot do it without scripting. The pool of IP addresses you use is probably not large enough so that you could be sure that two different devices (MAC addresses) cannot get the same IP address over time. So by banning an IP address you could prevent your customer from getting access if they would by chance get a banned address. Plus the remaining lease time and “last seen” parameters of the dhcp lease are not really reliable indicators of device activity.
So as the first step I would try to use `interface wireless registration-table` or `caps-man registration-table` to identify MAC addresses of devices which are continuously connected for more than, as an example, 2h15m. To list the MACs of such devices, you can use

```
foreach mymac in=[/caps-man registration-table find uptime>2h15m] do={put [/caps-man registration-table get $mymac mac-address]}
```
Now instead of just printing (putting) the address in the `do` part of the `foreach`, you would have to do two things:

- make the `/ip dhcp-server lease` for that MAC address static, thus reserving the currently assigned IP address for the MAC even if the MAC would not currently use it:

```
/ip dhcp-server lease make-static [find mac-address=$mymac]
```

- add the IP address to an `/ip firewall address-list` with a `timeout` value of, say, `20h`:

```
/ip firewall address-list add list=deny-neighbors address=[/ip dhcp-server lease get [find mac-address=$mymac] address] timeout=20h
```
You would schedule such a script to run every minute; it would have to do the above while making sure that if an address is already on the `/ip firewall address-list`, it resets its timeout to the 20h again instead of attempting to add it, and it would also have to check one by one the static leases in the `/ip dhcp-server lease` list and remove them if they have already disappeared from the `/ip firewall address-list`.
If the coverage is bad (especially for those devices you want to ban) and thus the clients keep disconnecting and reconnecting, you would have to build a more complex mechanism - you would have to set the DHCP lease validity to about 4 hours and the script would have to check for devices which are connected while their dynamic DHCP lease is older than 2h05, and blacklist any such device the way described above.
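As an added example (not code from the original post), here is a RouterOS script that puts the steps of the answer above together, meant to be run from the scheduler every minute. The list name `deny-neighbors` and the 2h15m / 20h values are taken from the answer; the comment tag `auto-deny`, used to tell script-created static leases apart from manually configured ones, is an assumption of this example.

```routeros
# Added example, not from the original post: scheduled script (run every minute)
# implementing the steps of the answer. Assumes CAPsMAN; the list name and the
# 2h15m / 20h values come from the answer. The comment tag "auto-deny" marking
# script-created static leases is an assumption of this example.
:local uptimeLimit 2h15m
:local banTimeout 20h
:local listName "deny-neighbors"
:local tag "auto-deny"

# 1. devices connected continuously for longer than the limit
:foreach reg in=[/caps-man registration-table find uptime>$uptimeLimit] do={
    :local mymac [/caps-man registration-table get $reg mac-address]
    :local leases [/ip dhcp-server lease find mac-address=$mymac]
    :if ([:len $leases] > 0) do={
        :local leaseId ($leases->0)
        # 2. reserve the current address for that MAC by making the lease static
        :if ([/ip dhcp-server lease get $leaseId dynamic]) do={
            /ip dhcp-server lease make-static $leaseId
            /ip dhcp-server lease set $leaseId comment=$tag
        }
        # 3. ban the address: refresh the timeout if already listed, else add it
        :local addr [/ip dhcp-server lease get $leaseId address]
        :local entry [/ip firewall address-list find list=$listName address=$addr]
        :if ([:len $entry] > 0) do={
            /ip firewall address-list set $entry timeout=$banTimeout
        } else={
            /ip firewall address-list add list=$listName address=$addr timeout=$banTimeout
        }
    }
}

# 4. drop the static leases this script created once their ban has expired
#    (the address-list entry disappears by itself when its timeout runs out)
:foreach lease in=[/ip dhcp-server lease find comment=$tag] do={
    :local addr [/ip dhcp-server lease get $lease address]
    :if ([:len [/ip firewall address-list find list=$listName address=$addr]] = 0) do={
        /ip dhcp-server lease remove $lease
    }
}
```

The list only has an effect once a firewall filter rule matching `src-address-list=deny-neighbors` is in place, which the answer assumes rather than shows.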