Hi guys, I have a problem with my hotspot connection.
My network map is: Internet modem > MikroTik (192.168.1.0/24) > router set up as a DHCP forwarder (192.168.2.0/24).
There are 2-3 devices connected to the router through LAN ports whose IPs are outside the hotspot IP pool, and some test devices that connect through the router's Wi-Fi (not the MikroTik) [router means the one on the 192.168.2.0/24 network].
The bypassed devices can browse the internet. But when the login method is used, they can only ping, let's say ping Google, but the Google page never loads, and the same happens with other websites.
So here is my code for the firewall.
I added two dstnat rules to forward my CCTV and home system, which are connected to the router (within 192.168.2.0/24).
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward
1 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
2 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth
3 D chain=input action=jump jump-target=hs-input hotspot=from-client
4 D chain=input action=drop protocol=tcp hotspot=!from-client
5 D chain=hs-input action=jump jump-target=pre-hs-input
6 D chain=hs-input action=accept protocol=udp
7 D chain=hs-input action=accept protocol=tcp
8 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
9 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
10 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
11 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
12 XI ;;; place hotspot rules here
chain=unused-hs-chain action=drop src-address=192.168.2.100-192.168.2.254
dst-address=!192.168.2.100-192.168.2.254 hotspot=from-client log=no
log-prefix=""
13 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
14 ;;; defconf: accept established,related
chain=input action=accept connection-state=established,related
15 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1
16 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related
17 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related
18 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
19 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=ether1
20 ;;; Hotspot Isolate
chain=forward action=drop src-address=192.168.2.100-192.168.2.254
dst-address=!192.168.2.100-192.168.2.254 hotspot=from-client log=no
log-prefix=""
21 ;;; Block Video content for hotspot
chain=forward action=drop layer7-protocol=video content protocol=tcp
src-address=192.168.2.100-192.168.2.254 packet-mark=all-video log=no
log-prefix=""
22 XI ;;; Block Video content
chain=forward action=reject reject-with=icmp-network-unreachable
layer7-protocol=video content protocol=tcp
src-address=!192.168.1.10-192.168.1.15 packet-mark=all-video log=no
log-prefix=""
23 ;;; Block torrent for hotspot
chain=forward action=drop p2p=all-p2p
src-address=192.168.2.100-192.168.2.254 log=no log-prefix=""
[admin@] > /ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
1 D chain=hotspot action=jump jump-target=pre-hotspot
2 D chain=hotspot action=redirect to-ports=64872 protocol=udp
3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp
4 D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-ds>
5 D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-ds>
6 D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth
7 D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth
8 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp
9 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp
10 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp
11 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp
12 D chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp
13 D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http
14 D chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp
15 XI ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
16 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface=ether1
17 ;;; masquerade hotspot network
chain=srcnat action=masquerade src-address=192.168.2.0/24
18 ;;; DVR
chain=dstnat action=dst-nat to-addresses=192.168.2.20 to-ports=9XXX
protocol=tcp dst-port=9XXX log=no log-prefix=""
19 ;;; Crestron
chain=dstnat action=dst-nat to-addresses=192.168.1.199
to-ports=41XXX-41XXX protocol=tcp dst-port=41XXX-41XXX log=no
log-prefix=""
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting
1 D ;;; special dummy rule to show fasttrack counters
chain=forward
2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting
3 ;;; Mark Video content
chain=prerouting action=mark-packet new-packet-mark=all-video
passthrough=yes protocol=tcp log=no log-prefix=""
# NAME REGEXP
0 ;;; Block video content
video content \.(mp4|wmv|avi|mpg|mpeg|flv|mov|3gp|...
So could anyone help me solve this problem? I don't know which rule blocks the page load, or maybe I made a mistake in some other setting.
I've tried disabling all the rules I've made, but nothing worked.
Looking forward to your response, and thanks in advance.
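An added illustration, not part of the original post and not RouterOS code: a toy first-match walker in Python over the forward chain as printed above. It models a logged-in hotspot client from the 192.168.2.100-192.168.2.254 pool opening a new connection to a public address (203.0.113.10, a constructed TEST-NET-3 address) and reports which rule terminates the walk. The layer7/p2p rules and the connection-nat-state matcher are left out, the dynamic hs-unauth jump is simplified to a plain reject (every rule in that chain rejects), and REVISED_FORWARD is a constructed alternative that assumes the "Hotspot Isolate" rule was meant to separate hotspot clients from the local subnets only.

```python
# Toy first-match model of a RouterOS forward chain (constructed example, not
# RouterOS code). It approximates how the rules in the post are walked so that
# the effect of rule order on a hotspot client's traffic can be seen.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def addr_ranges(spec: str) -> List[Tuple[int, int]]:
    """Parse comma-separated 'a.b.c.d-w.x.y.z' ranges and CIDR blocks into
    inclusive (lo, hi) integer pairs, the way RouterOS address matchers read."""
    out = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            out.append((int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))))
        else:
            net = ipaddress.ip_network(part, strict=False)
            out.append((int(net[0]), int(net[-1])))
    return out


def in_ranges(addr: str, ranges: List[Tuple[int, int]]) -> bool:
    a = int(ipaddress.ip_address(addr))
    return any(lo <= a <= hi for lo, hi in ranges)


@dataclass
class Packet:
    src: str
    dst: str
    conn_state: str = "new"          # new / established / related / invalid
    in_iface: str = "bridge"         # LAN side; ether1 is the WAN in the post
    hotspot_client: bool = True      # packet comes from a hotspot host
    authenticated: bool = True       # hotspot login completed


@dataclass
class Rule:
    comment: str
    action: str                      # accept / drop / reject (terminating)
    src: Optional[str] = None
    dst: Optional[str] = None
    dst_negate: bool = False         # models dst-address=!...
    conn_state: Optional[Tuple[str, ...]] = None
    in_iface: Optional[str] = None
    hotspot: Optional[str] = None    # e.g. "from-client" or "from-client,!auth"

    def matches(self, p: Packet) -> bool:
        if self.src and not in_ranges(p.src, addr_ranges(self.src)):
            return False
        # With dst_negate the rule matches only when dst is OUTSIDE the list.
        if self.dst and in_ranges(p.dst, addr_ranges(self.dst)) == self.dst_negate:
            return False
        if self.conn_state and p.conn_state not in self.conn_state:
            return False
        if self.in_iface and p.in_iface != self.in_iface:
            return False
        if self.hotspot:
            flags = set(self.hotspot.split(","))
            if "from-client" in flags and not p.hotspot_client:
                return False
            if "!auth" in flags and p.authenticated:
                return False
        return True


def walk(chain: List[Rule], p: Packet) -> Tuple[str, str]:
    """First matching rule wins; no match falls through to the implicit
    accept at the end of the forward chain."""
    for r in chain:
        if r.matches(p):
            return r.action, r.comment
    return "accept", "end of chain (default policy)"


POOL = "192.168.2.100-192.168.2.254"
LAN = "192.168.1.0/24,192.168.2.0/24"

# Forward chain as printed in the post, reduced to the matchers that decide a
# hotspot client's fate. The dynamic hs-unauth jump is modelled as a reject.
POSTED_FORWARD = [
    Rule("hotspot: unauthenticated client", "reject", hotspot="from-client,!auth"),
    Rule("defconf: fasttrack", "accept", conn_state=("established", "related")),
    Rule("defconf: accept established,related", "accept", conn_state=("established", "related")),
    Rule("defconf: drop invalid", "drop", conn_state=("invalid",)),
    Rule("defconf: drop all from WAN not DSTNATed", "drop", conn_state=("new",), in_iface="ether1"),
    Rule("Hotspot Isolate", "drop", src=POOL, dst=POOL, dst_negate=True, hotspot="from-client"),
]

# Constructed alternative (assumption about intent): allow pool-to-pool first,
# then drop pool-to-local-subnet, so Internet-bound traffic reaches the end.
REVISED_FORWARD = POSTED_FORWARD[:-1] + [
    Rule("Hotspot Isolate (pool to pool allowed)", "accept", src=POOL, dst=POOL, hotspot="from-client"),
    Rule("Hotspot Isolate (LAN only)", "drop", src=POOL, dst=LAN, hotspot="from-client"),
]


def new_from_client(dst: str, authenticated: bool = True) -> Packet:
    # Constructed sample: a hotspot client in the pool opening a new connection.
    return Packet(src="192.168.2.150", dst=dst, authenticated=authenticated)


if __name__ == "__main__":
    public = "203.0.113.10"  # TEST-NET-3 address standing in for a web server
    for name, chain in (("posted", POSTED_FORWARD), ("revised", REVISED_FORWARD)):
        for dst in (public, "192.168.1.199", "192.168.2.120"):
            print(name, dst, walk(chain, new_from_client(dst)))
```

Running it prints the verdict per destination under both chains. What the walk makes visible is that a `dst-address=!pool` matcher also covers every public address, so only rule order decides whether a new Internet-bound connection from a pool client ever reaches the default accept; return traffic is unaffected because the established,related rules sit earlier in the chain, and a device with an address outside the pool never matches the isolate rule at all.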