Hi !
After setting up a hotspot on my routerboard, clients do not see the login page
hotspot is working cause i see hosts in it
and also every host configured in bypassed mode can connect to internet and those who are not can not.
but the problem is for the hosts not in ip binding, no login page is shown !!
the html files are on the router and that is not the problem
and i should add that they can not even ping their default gateway (which is LAN side of mikrotik, which is selected for hotspot)
they get " destination net unreachable"
Hi !
Found the problem but it makes me another question
the problem was that the port for http was changed in ip services ports
because i do not like people to try passwords on my board using remote dictionary attacks
now here is the question ?
how can i separate these ?
i mean routerboard should be accessed via for example 8090 port http but hotspot should be loaded using the default 80 port
or at least somebody tell me how to redirect clients to the new port to see the login page
thanks
That is what the firewall filter is for.
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Router_protection
Thanks
so you mean these ports are the same and we cannot have separate numbers for them ?
if so, ok , i will use firewall rules.
but another question, i may connect to my routers with many different Public IP’s. (outside office)
so what should be the firewall rule
if i say nobody can connect to router from outside with port 80, so i will be out myself
if i change the port then i need clients also to connect to that port for hotspot and i do not know how to do that, cause after setting hotspot the default is port 80
You must be a bit more creative. You can allow public ips in. I do. I limit what ips can get in tho. After this rule, you should add more.
add chain=input src-address=192.168.0.0/24 action=accept in-interface=!ether1
add chain=input src-address=1.2.3.4/27 action=accept
add chain=input src-address=2.3.4.5/24 action=accept
add chain=input action=drop
Dear surferTim
Thanks for your helpful answers, but i really can not tell from which public IP address i will login
surely i can tell some of them but not all.
today i am sitting at home working with my ISP DSL connection and i get some public ip’s but tomorrow at work and behind a wireless connection.
maybe next week in another city for doing a work assignment and using a Wimax connection there.
every where i will get a different public IP and so …
Can i tell mikrotik to accept a specific http header name ?
for example set a dns host for my Router board in my domain (myrb.mydomain.com) and give it the IP of my router
now connect to my router using this address and tell routeros to accept just incoming connections with this name (no other name and also no ip address) ?
(we do something like that in TMG or ISA)
Thanks for your hopeful answers, but i really can not tell from which public IP address i will login
surely i can tell some of them but not all.
Then you must get even more creative. I use port knocking and the address-list feature to allow access from non-trusted ip addresses, but it is not simple to implement.
There are other ways of blocking unauthorized users. You can limit the number of login attempts by time. Take a look at the user wiki for help and examples.
http://wiki.mikrotik.com/wiki/MikroTik_RouterOS
Oh ! Man ! Lovely Feature !! 
http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router#Port_Knocking
it seems easy to implement. i loved it.
I am getting more and more eager to know what we can implement with routerOS and this lovely tiny box (751)
Thanks Tim