If I look into the connection table then I fail to find what IP-address the Hotspot users are using.
What outgoing address is the Hotspot NAT using?
If you use the masq rule from the default config (setup-wizard), the hotspot uses any public IP on your router.
If you want to specify your hotspot outgoing IP, you can change the default masq rule to src-nat.
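The two rules being contrasted above, written out for the RouterOS CLI as an added example (not posted by anyone in this thread). The WAN interface name ether1, the hotspot client subnet 10.5.50.0/24 and the public address 203.0.113.10 are assumed placeholders; the public address must already be configured on the router for src-nat to work.

```routeros
# Default setup-wizard rule: masquerade picks the outgoing address from the
# addresses configured on the out-interface, so the address hotspot clients
# appear with depends on the router's WAN addressing, not on the hotspot.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade \
    comment="default masquerade (setup-wizard)"

# Replacement: pin the hotspot clients' outgoing address with src-nat.
# 10.5.50.0/24 is an assumed hotspot address pool, 203.0.113.10 an assumed
# public address of this router. NAT rules match top to bottom, so this rule
# must sit above the masquerade rule if both are kept.
/ip firewall nat add chain=srcnat src-address=10.5.50.0/24 out-interface=ether1 \
    action=src-nat to-addresses=203.0.113.10 comment="hotspot outgoing IP"
/ip firewall nat move [find comment="hotspot outgoing IP"] 0

# Verify which rule the traffic actually hits: the hotspot's own per-client
# translation (TO-ADDRESS column), the static and dynamic NAT rules with their
# packet counters, and the connection-tracking entries for the hotspot subnet.
/ip hotspot host print
/ip firewall nat print stats
/ip firewall connection print where src-address~"10.5.50."
```

The `print stats` output is the quickest check: if the masquerade rule's counters keep growing after the src-nat rule is added, the src-nat rule is below it or its src-address does not cover the hotspot pool.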
‘ip hotspot host’ provides information about HotSpot address translation for clients. As ‘usrox’ mentioned, masquerade forces use of the router's public IP address, and an enabled ‘transparent-proxy’ does the same for HTTP connections (the router's public address is used for all customers).
The 192.168.200.94 is a hotspot user, but I do not see what “public” IP-address is in use for this client.
[admin@Jeekim] ip hotspot host> print
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed
# MAC-ADDRESS ADDRESS TO-ADDRESS SERVER IDLE-TIMEOUT
0 P 00:0C:90:4B:25:35 192.168.29.50 192.168.29.50 hotspot1 5m
1 P 00:0C:E5:4C:41:50 192.168.39.12 192.168.39.12 hotspot1 5m
2 P 00:0C:E5:4C:41:50 192.168.39.13 192.168.39.13 hotspot1 5m
3 HA 00:0C:E5:4D:77:B3 192.168.200.94 192.168.200.94 hotspot1
[admin@Jeekim] ip hotspot host>
Strangest of all is that this client can access the Internet and I see the connection under “ip firewall connection”. As this box isn’t the one with the internet connection, this connection must show up in the connection table of the main router upstream, but it does not. I see no connections, neither from behind it nor from the box itself.
What am I missing here?
If you have more than one public (WAN) IP it seems Mikrotik picks the “highest number” one - at least after a reboot. Not sure if this is always true though. Have you tried using Torch on both the public and private interfaces to trace a given connection? Note that you have to uncheck the port checkbox in Torch to see anything other than TCP/UDP.
The MT box with a hotspot has no interface with a public IP-address - all internal.
The “ip firewall nat” has nothing about hotspot NATs.
Where I should look for the hotspot NAT rule?
Q: Is there any default gateway on your hotspot router (ip route)? Also check your main router (gateway): are there any NAT rules for your internal IP (not the hotspot IP)?
I can stop the Hotspot user from gaining Internet access by selectively disabling handmade NAT rules, and this is what I have found out:
- Parts of HTTP-related traffic and DNS seem to go out with the IP address assigned to the default gateway of the MT Hotspot;
- ICMP, Telnet, SSH, … seem to go out with the IP address assigned from the IP-address pool;
At the same time the Mikrotik box making all those NATs does not show any connections/traffic going through these NAT rules, nor does the connection list show any session (I test with known addresses and there is nothing).
What is going on?