I’m using MT 2.9.49 as a firewall, using NAT to allow public access to my web servers located on my internal network. This is all set up and works fine. I then decided to add Hotspot to the same router and noticed that Hotspot users cannot access the web servers. Hotspot is running on 1 of my static public IPs (.38) and the servers are on .34, .35, and .36. The Public NIC of the router has all four addresses configured and all dst_nat and src_nat entries are in place and working.
Is it possible to allow access to the internal servers located on the protected side of the gateway to the hotspot users? As of right now, Hotspot users get a Proxy Error if the www service is on 8081 or show the Webbox main screen if port 80 is used when they try to access any of the hosted domains.
Thanks for any help or advice you guys can come up with… even if it’s that it can’t be done.
If there is nothing else wrong with the setup, normally a local masquerade allows access.
/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.0.0/24
Change 192.168.0.0/24 to the ip/netmask of your private network.
My local network is on 192.168.0.0/24 and my Hotspot network is on 192.168.2.0/24. Both are masqueraded in src_nat. The local network has access to everything internal and on the web. The hotspot network can access everything on the web except the sites being NATed to the 192.168.0.0/24 network. All sites are accessible from the Internet.
This is a clean setup and has no extra firewall entries except the src and dst nats, and the two masquerades as mentioned above. I did add a Walled Garden / IP entry to test prior to logging on, and changed the www port to 8081, but the result is the same except I get a proxy error instead of the webbox page when accessed from the 192.168.2.0/24 network.
It seems as though the MT OS is grabbing all the addresses on the public interface and directing them to its web server when accessed by a hotspot user. This happens even if I attempt to access the sites directly by IP when attached to the hotspot interface (wireless). It makes me wonder if it might have something to do with the transparent proxy from hotspot. I have the web-proxy package disabled but that shouldn’t affect hotspot.
The only thing I can suggest is to check the dynamic firewall rules.
/ip firewall nat
print all
See if any of those rules affect your setup. They are executed in order. First come, first served.
You might want to run a quick test if you can. Disable the hotspot and see if you can access everything from a computer on the hotspot interface. That should tell you if it is a hotspot rule affecting your connection.
/ip hotspot
disable 0
To enable it again
enable 0
Thanks for the idea!
I disabled Hotspot and the problem was gone. Now I know it’s something in hotspot that is causing the problem but with all of its firewall entries dynamic I don’t know how to resolve it.
As a test I set up a 2.7 box I have and it didn’t have this problem. I also have several 2.8 cards but the problem seems like it didn’t start until 2.9. I wonder if it could have something to do with the Universal Proxy that we do not use on our 2.7 and 2.8 boxes, but can’t be turned off in 2.9. I’ll go back and activate it on the 2.7 box and see if the problem shows up.
Do you have any idea of how to alter hotspot or maybe disable Universal Proxy in 2.9?
The challenge used to be in the transparent proxy. Can’t remember now which versions had the problem. To disable:
/ip hotspot user profile
print
set 0 transparent-proxy=no
Repeat if you have multiple profiles. See if that helps.
Thanks a million!
I couldn’t find the place to disable transparent proxy in hotspot being I didn’t expect to find it in the user section. You’d think after doing this for over 5 years I’d know enough to check every sub menu… must be getting lazy in my old age.
That solved the problem for authenticated hotspot users but didn’t allow access to unauthenticated users, which is necessary so people can buy time from a store located on a web server behind the MT firewall. To allow the unauthenticated access to the server I had to add a walled garden / IP entry for the actual address of my server on the internal network, not just its public address. Once I did that (and commented it so I remember) everything works fantastic.
If anyone else needs to do this make sure you specify ports 80 and 443 tcp when adding a walled garden entry for an internal server so both http and https will function.
In summary, to allow access to a web server located on the private lan side of a MT 2.9 router for your customers using Hotspot you must do three things…
1.- Create the src and dst nat entries to allow the internal server to be accessed from the Internet.
2.- Disable Transparent Proxy in the Hotspot User Profile
3.- Add a Walled Garden / IP entry for both the Public and Local IP addresses for each of the ports you will require. Usually at least tcp port 80.
Many Thanks to SurferTim for all his input which helped me resolve this problem once and for all.
Hi. I am experiencing the same problem with my router version 2.9.27. I want my hotspot users to access the billing engine to reload their accounts. So I added the IP of my webserver on the LAN hosting the billing engine to the walled garden / IP entry, but still users have to authenticate to gain access to it. Do I need to add a firewall rule allowing traffic from the hotspot to the webserver to allow access? Thanks.
Did you try setting an entry in:
/ip hotspot walled-garden ip add server=LAN dst-address=x.x.x.x disabled=no
Hotspot Walled garden (and walled garden ip) entries allow access for unauthenticated users. They don’t affect anything once the user is logged in.
Add an entry for your LAN users to access a certain ip / port and unauthenticated users (not logged in yet) will be able to access that resource.
In order to make this work I had to do 4 things…
1st - Set up the Firewall src and dst nat entries to allow access to the internal web server from the internet. Replace "Server IP Address" with the internal address of the server and "Public IP Address" with the Internet IP you use to access the server from the outside.
/ip firewall nat
add chain=srcnat src-address="Server IP Address" action=src-nat to-addresses="Public IP Address" to-ports=0-65535 comment="Direct Traffic From Internal Server To Internet"
add chain=dstnat dst-address="Public IP Address" protocol=tcp dst-port=80 action=dst-nat to-addresses="Server IP Address" to-ports=80 comment="Direct Traffic to Internal Server From Internet"
- You might also want to use port 443 so the server is accessible with https
add chain=dstnat dst-address="Public IP Address" protocol=tcp dst-port=443 action=dst-nat to-addresses="Server IP Address" to-ports=443 comment="Direct Traffic to Internal Server From Secure Internet"
2nd - Under IP/Services change the www service to run on Port 8081 or whatever you want so Port 80 is freed up for access to the Internal Server. You will have to add the :8081 to your Winbox address to connect after you change the Port Number.
3rd - Under IP/Hotspot/Users un-check the Transparent Proxy box at the bottom of the User Profiles you want to have access to the Internal Web Server.
4th - Under IP/Hotspot/Walled Garden, Press the IP List Button and add the following entries…
/ip hotspot walled-garden ip
add server=hotspot1 protocol=tcp dst-address="Internal IP" dst-port=80 action=accept comment="Allow access to internal servers"
add server=hotspot1 protocol=tcp dst-address="Internal IP" dst-port=443 action=accept
add server=hotspot1 protocol=tcp dst-address="Public IP" dst-port=80 action=accept
add server=hotspot1 protocol=tcp dst-address="Public IP" dst-port=443 action=accept
I’ve added entries for both Port 80 (http) and Port 443 (https) so the unauthorized hotspot users can access my store front (http) and my checkout (https) when they want to purchase time.
Good Luck…
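The three-step summary and the four-step recipe above, pulled together into one RouterOS console script. This is an added example, not configuration posted in the thread. It assumes a hotspot server named hotspot1 (as in the post), a user profile named default, the documentation address 203.0.113.10 as the server's public IP and 192.168.0.10 as its internal IP; replace these with your own values. The srcnat rule is placed before any generic masquerade rule on purpose, and the walled-garden entries open only tcp/80 and tcp/443, so an unauthenticated client gets the store and the checkout and nothing else on the internal server.

```routeros
# Added example, not from the thread. Assumed names and addresses:
#   public IP of the web server   : 203.0.113.10 (documentation range)
#   internal IP of the web server : 192.168.0.10
#   hotspot server name           : hotspot1
#   hotspot user profile name     : default

# 1. NAT: publish the internal server on the public IP (80/443 in, all of its own traffic out).
#    NAT rules are matched top-down, so keep the src-nat rule above the 192.168.0.0/24 masquerade,
#    otherwise the server's outbound traffic leaves with the router's primary address instead.
/ip firewall nat
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.10 to-ports=80 comment="Internet -> internal web server (http)"
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.0.10 to-ports=443 comment="Internet -> internal web server (https)"
add chain=srcnat src-address=192.168.0.10 action=src-nat to-addresses=203.0.113.10 comment="internal web server -> Internet"

# 2. Move the router's own www service off port 80 so it no longer answers for the public IPs
#    when a hotspot client connects. Use http://<router>:8081 afterwards.
/ip service
set www port=8081

# 3. Disable the hotspot transparent proxy for every profile whose users need the server.
/ip hotspot user profile
set default transparent-proxy=no

# 4. Walled garden: allow not-yet-authenticated clients to reach the server on both its addresses,
#    limited to the two ports the store actually uses. Everything else on 192.168.0.10 stays
#    behind the login page.
/ip hotspot walled-garden ip
add server=hotspot1 protocol=tcp dst-address=192.168.0.10 dst-port=80 action=accept comment="store front (http), internal address"
add server=hotspot1 protocol=tcp dst-address=192.168.0.10 dst-port=443 action=accept comment="checkout (https), internal address"
add server=hotspot1 protocol=tcp dst-address=203.0.113.10 dst-port=80 action=accept comment="store front (http), public address"
add server=hotspot1 protocol=tcp dst-address=203.0.113.10 dst-port=443 action=accept comment="checkout (https), public address"

# Verify: look at where the dynamic (D) hotspot rules sit relative to your static ones,
# confirm the walled-garden entries are present, and check that browsing the store from the
# hotspot interface does not create an active (logged-in) session.
/ip firewall nat print all
/ip hotspot walled-garden ip print
/ip hotspot active print
```

Test it from a client on the hotspot interface before logging in: the store on http://203.0.113.10/ and https://203.0.113.10/ should load, while any other site (or any other port on 192.168.0.10) should still redirect to the hotspot login page. If the router's web page appears instead of the store, the www service is still on port 80; if you get a proxy error, the transparent proxy is still enabled on the profile that client is using.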