Hi there,
I have a problem related to hotspot: I have an Active Directory server which is not in the same subnet as my client computers. My client computers use the hotspot in order to authenticate and use the internet.
So I added my server IP to the walled garden IP list to let clients bypass the hotspot in order to reach the AD. Many things like remote desktop and ping from these clients to this server work fine, but when it comes to joining and working with AD the clients do not work well and cannot contact the AD. When I disable the hotspot, everything works fine.
Even after I changed my RouterOS to the latest version (5.20) nothing changed.
Any idea how I can solve this problem?!
Thanks in advance
Deleted because not related.
Thanks dobby, I think you got it wrong; I don't have wireless here, I am using the hotspot to authenticate those who want to use the internet.
Here I drew a simple diagram which is somewhat similar to mine.
The hotspot has been applied to the E3 interface which is connected to the Client zone.
internet--E1--router--E3-(hotspot)-Client zone
                 |
                 E2
                 |
             Server Zone
and the IP of the server zone has been added to the walled garden.
Thanks dobby, I think you got it wrong; I don't have wireless here, I am using the hotspot to authenticate those who want to use the internet.
Here I drew a simple diagram which is somewhat similar to mine.
The hotspot has been applied to the E3 interface.
Internet--Eth1----ROUTER----Eth2-(Hotspot)--Client Zone
                    |
                    Eth3
                    |
                Server Zone
Eth2 and Eth3 are on different subnets.
A couple of things you probably need to do.
Disable the universal NAT in the hotspot.
/ip hotspot
set 0 address-pool=none
Ensure the masquerade in "/ip firewall nat" applies only to "out-interface=ether1":
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1
Remove any other srcnats there.
add: If that doesn’t do it, please post the router model you are using.
I don't have universal NAT, because if I had, disabling just the hotspot server wouldn't solve the problem.
By the way, the router is an 1100AH.
Any suggestion?!
Thanks
Deleted because not related.
I don't have universal NAT, because if I had, disabling just the hotspot server wouldn't solve the problem.
Yes, it would. The hotspot universal NAT will ARP-poison your hotspot local net. You can see the universal NAT at work in "/ip hotspot host". Disabling the hotspot will disable that NAT.
Look in "/ip hotspot". If there is an entry for address-pool, the NAT is active when the hotspot is enabled.
I just use the DHCP server of the router. I have several DHCP servers on this router, but in the server zone, I mean on the interface which is connected to the server zone, I do not have DHCP in any form, and the IPs have been set manually.
My AD server's IP is something like 192.168.8.8 and my client IP is something like 192.168.1.5.
I checked where you pointed out, and none of them is there; I mean there was no host and no address-pool.
Any other idea?!
If you post these
/ip address
/ip route
/ip hotspot
/ip hotspot profile
maybe we can figure out what is happening.
Thanks everyone,
I am going to share how I solved this problem. From the beginning I suspected the whole hotspot process, and I started to check and found out that the walled garden IP is not working as it should in some scenarios.
In order to narrow down the problem I set up a brand new RB751, then I set up a hotspot and the two zones, and I added my server IP to the walled garden IP list as I have already described.
I found out that some packets (related to AD) were being sent to the reject part of the hotspot dynamic rules in the firewall, so I deleted my server IP from the walled garden IP list and made my own rules instead of the dynamic ones: in hs-unauth and hs-unauth-to I added my server IP as accept (not as return, which is what the walled garden generates dynamically) and I put it before the reject rules of these chains, and I added an accept NAT rule in pre-hotspot as some documentation mentions.
After that, everything works as expected.
Have fun!
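The fix described in the post above, written out as RouterOS commands. This is an added example, not the poster's actual export; the addresses follow the thread (AD server 192.168.8.8, hotspot clients in 192.168.1.0/24), the source-subnet restriction and the comment strings are assumptions, and the [find ...] expressions assume the dynamic reject rules are the first reject entries in each chain.

```routeros
# Static accept rules for the AD server, placed ahead of the hotspot's dynamic
# reject rules instead of relying on the walled-garden "return" rules.
# Scoped to the AD host and the client subnet only (assumed), so the bypass does
# not open the whole server zone to unauthenticated clients.
/ip firewall filter
add chain=hs-unauth src-address=192.168.1.0/24 dst-address=192.168.8.8 \
    action=accept comment="AD bypass: client -> AD"
add chain=hs-unauth-to src-address=192.168.8.8 dst-address=192.168.1.0/24 \
    action=accept comment="AD bypass: AD -> client"
# Rules are evaluated top-down: an accept placed after the reject never matches,
# so move each static rule above the first reject rule in its chain.
move [find comment="AD bypass: client -> AD"] \
    [:pick [find chain=hs-unauth action=reject] 0]
move [find comment="AD bypass: AD -> client"] \
    [:pick [find chain=hs-unauth-to action=reject] 0]
# Keep AD traffic out of the hotspot's NAT/redirect processing as well.
/ip firewall nat
add chain=pre-hotspot dst-address=192.168.8.8 action=accept \
    comment="AD bypass: skip hotspot NAT"
```

Verify the resulting order with "/ip firewall filter print where chain=hs-unauth" (and the same for hs-unauth-to) before re-enabling the hotspot; the accept rules must appear above the dynamic reject entries.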
I am going to share how I solve this problem
mth: I have the same problem too, can you explain more about your rules? For example, if the AD server has an IP like 192.168.1.200 on ether2 and the Local zone is on ether4 with the subnet 192.168.11.0/24, which rule did you use to solve the problem? Besides, I have this problem too: "I share a printer on some client in the Local Zone for another client in the same zone; after running the hotspot as you said, clients cannot use the printer, and when they try to access the client it says the logon server is not available for authentication". Please help me...
Well, as far as I remember the problem is related to the rules in the firewall which are generated automatically by RouterOS when you create a hotspot.
You should manually add some firewall rules as I already mentioned above, because some of those auto-generated rules block some of your packets; you should let them pass, and you should manually change their order to put them between the correct rules of those auto-generated rules.
If:
the hotspot is on Local zone (192.168.11.0/24),
you want the hotspot clients to access the AD server without logging in,
and the AD server is at 192.168.1.200,
then bypass the destination ip in the walled garden.
/ip hotspot walled-garden ip
add dst-address=192.168.1.200 action=accept
@surferTim: I did it, but there is another problem: is it possible to add a subnet to the Walled Garden IP list?! I want to exclude 192.168.11.0/24 for example.
Yes.
/ip hotspot walled-garden ip
add dst-address=192.168.11.0/24 action=accept