Hi
I have a hotspot active on a bridged interface (Ethernet + WiFi + Eoip (via PPTP)). The Eoip port is currently disabled. Thus only the Ethernet and Wifi ports are active. The setup is as follows:
[Jeandre@MikroTik] > interface bridge print
Flags: X - disabled, R - running
0 R ;;; Bridge Interface - To bridge lan and wifi to one network and ip range
name="Ethernet_Wifi_EoIP_Bridge" mtu=1500 l2mtu=1526 arp=enabled
mac-address=00:0C:42:49:04:6C protocol-mode=none priority=0x8000
auto-mac=yes admin-mac=00:0C:42:49:04:6C max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m
[Jeandre@MikroTik] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 EtherNet_1 Ethernet_Wifi_EoI... 0x80 10 none
1 Marshal_Network_Wifi Ethernet_Wifi_EoI... 0x80 10 none
2 X EoIP-JeandreSTB Ethernet_Wifi_EoI... 0x80 10 none
[Jeandre@MikroTik] /interface bridge settings> print
use-ip-firewall: yes
use-ip-firewall-for-vlan: no
use-ip-firewall-for-pppoe: no
[Jeandre@MikroTik] /ip hotspot> print
Flags: X - disabled, I - invalid, S - HTTPS
# NAME INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT
0 Marshall... Ethernet_Wifi... Marshall-Ne... none
[Jeandre@MikroTik] /ip hotspot> walled-garden ip print
Flags: X - disabled, I - invalid
# SERVER PROTOCOL DST-HOST DST-ADDRESS DST-PORT ACTION
0 X ;;; --BYP-Access for users to accessSymantec Norton update server - Activ...
Marshall-Ne... liveupdate.sy... accept
1 X ;;; --BYP-Access for users to access Symantec Norton update server - Acti...
Marshall-Ne... liveupdate.sy... accept
2 X ;;; --BYP-Access for users to access Mikrotik Wiki & Manuals - Activated ...
Marshall-Ne... wiki.mikrotik... accept
3 X ;;; Access for users to Jeandre-Network
Marshall-Ne... 192.168.2.0/24 accept
4 ;;; Access for users to access the internal network - Bypass usage counters
Marshall-Ne... 192.168.0.0/24 accept
5 ;;; Access for users to Jeandre-Network
Marshall-Ne... 172.16.0.0/12 accept
[Jeandre@MikroTik] /ip> address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; default configuration
192.168.0.100/24 192.168.0.0 Ethernet_Wifi_EoIP_Bridge
1 ;;; CTWUG Config - Note Masquarade 192.168.0.0/24 Range over CTWUG_Link
172.18.50.38/32 172.18.50.254 CTWUG_Link
2 D X.X.X.X/X X.X.X.X/X VodaCom_3G
[Jeandre@MikroTik] /ip firewall filter> print all
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth
2 D chain=input action=jump jump-target=hs-input hotspot=from-client
3 D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875
4 I chain=hs-input action=jump jump-target=pre-hs-input
5 D chain=hs-input action=accept protocol=udp dst-port=64872
6 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875
7 D ;;; Access for users to access the internal network - Bypass usage counters
chain=hs-unauth action=return src-address=0.0.0.0/0 dst-address=192.168.0.0/24 in-interface=Ethernet_Wifi_EoIP_Bridge
8 D ;;; Access for users to Jeandre-Network
chain=hs-unauth action=return src-address=0.0.0.0/0 dst-address=172.18.0.0/16 in-interface=Ethernet_Wifi_EoIP_Bridge
9 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
10 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
11 D ;;; Access for users to access the internal network - Bypass usage counters
chain=hs-unauth-to action=return src-address=192.168.0.0/24 dst-address=0.0.0.0/0 out-interface=Ethernet_Wifi_EoIP_Bridge
12 D ;;; Access for users to Jeandre-Network
chain=hs-unauth-to action=return src-address=172.18.0.0/16 dst-address=0.0.0.0/0 out-interface=Ethernet_Wifi_EoIP_Bridge
13 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
14 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
15 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
[Jeandre@MikroTik] /ip firewall filter> ..nat print all
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
1 I chain=hotspot action=jump jump-target=pre-hotspot
2 D chain=hotspot action=redirect to-ports=64872 protocol=udp dst-port=53
3 D chain=hotspot action=redirect to-ports=64872 protocol=tcp dst-port=53
4 D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80
5 D chain=hotspot action=redirect to-ports=64875 protocol=tcp hotspot=local-dst dst-port=443
6 D chain=hotspot action=jump jump-target=hs-unauth protocol=tcp hotspot=!auth
7 D chain=hotspot action=jump jump-target=hs-auth protocol=tcp hotspot=auth
8 D ;;; Access for users to access the internal network - Bypass usage counters
chain=hs-unauth action=return src-address=0.0.0.0/0 dst-address=192.168.0.0/24 in-interface=Ethernet_Wifi_EoIP_Bridge
9 D ;;; Access for users to Jeandre-Network
chain=hs-unauth action=return src-address=0.0.0.0/0 dst-address=172.18.0.0/16 in-interface=Ethernet_Wifi_EoIP_Bridge
10 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=80
11 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=3128
12 D chain=hs-unauth action=redirect to-ports=64874 protocol=tcp dst-port=8080
13 D chain=hs-unauth action=redirect to-ports=64875 protocol=tcp dst-port=443
14 I chain=hs-unauth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
15 D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http
16 I chain=hs-auth action=jump jump-target=hs-smtp protocol=tcp dst-port=25
17 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
18 ;;; Masquerade for VodaCom_3G Network - Translate private ip range to public ip address
chain=srcnat action=masquerade out-interface=VodaCom_3G
19 ;;; Masquerade Private IP-Range to CTWUG
chain=srcnat action=masquerade out-interface=CTWUG_Link
20 ;;; DC++ Nat to forward all port 2222 traffic to Media-Center (192.168.0.140)
chain=dstnat action=dst-nat to-addresses=192.168.0.140 to-ports=2222 protocol=tcp in-interface=CTWUG_Link dst-port=2222
[Jeandre@MikroTik] /ip firewall filter>
[Jeandre@MikroTik] /ip hotspot host> print
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed
# MAC-ADDRESS ADDRESS TO-ADDRESS SERVER IDLE-TIMEOUT
0 A 00:1D:7D:7D:4F:46 192.168.0.140 192.168.0.199 Marshall-Network HP 20m
1 A 00:02:6F:4F:74:AD 192.168.0.115 192.168.0.184 Marshall-Network HP 20m
2 H 00:10:75:07:45:8D 192.168.0.145 192.168.0.145 Marshall-Network HP
3 A 98:03:D8:E5:4C:EC 192.168.0.112 192.168.0.191 Marshall-Network HP 20m
4 A 40:30:04:74:23:D4 192.168.0.122 192.168.0.198 Marshall-Network HP 20m
5 A 40:30:04:81:16:74 192.168.0.113 192.168.0.187 Marshall-Network HP 20m
I can't seem to access local nodes from a local address.
I then did a traceroute to one address: 192.168.0.140 from my pc’s ip address: 192.168.0.110:
[Jeandre@MikroTik] /tool> traceroute address=192.168.0.140 src-address=192.168.0.110
# ADDRESS RT1 RT2 RT3 STATUS
1 192.168.0.199 2ms 1ms 1ms
And in windows cmd the response of traceroute to 192.168.0.140 or 192.168.0.145 from my pc (192.168.0.110):
C:\Users\Jeandre>tracert 192.168.0.140
Tracing route to Media-Center [192.168.0.140]
over a maximum of 30 hops:
1 * * * Request timed out.
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 * * * Request timed out.
6 * * * Request timed out.
7 * ^C
C:\Users\Jeandre>tracert 192.168.0.145
Tracing route to 192.168.0.145 over a maximum of 30 hops
1 * * * Request timed out.
2 * * * Request timed out.
3 ^C
C:\Users\Jeandre>
As you can see in the above CLI I have added walled-garden rules to allow internal traffic (on the 192.168.0.0/24 range). The strangest thing is that I can still access the 192.168.0.140 pc over windows’ network by using the computer name (i.e. Media-Center). However, that pc (192.168.0.140) has a login for the hotspot (via its mac address). Thus it is logged in when I access it over windows’ network. On the other hand my NAS (which is 192.168.0.145) has no login on the hotspot and therefore I can't seem to access it in any form (even over windows’ network).
I guess I would like to know:
- Why is it that when I disable the ‘use ip firewall’ setting in the bridge everything works and local traffic is allowed, but with this setting on, no local traffic may pass?
- If this ‘use ip firewall’ setting is active and I seem to be able to access my media-center (192.168.0.140) over windows’ network by using its computer name, does that register on the hotspot as internet usage for that (media-center) pc, i.e. will local traffic to the media-center then run up its usage counters?
- Should I add some filter rule to the bridge filter to correct the whole problem?
- How can I get the hotspot not to translate/transfer users’ ip addresses to some other address? If you look at the active hotspot hosts you will see that the ip addresses I reserved for all of them change to some other address in the local range. Why is that, and how do I stop it?
Just a note, you might realise that the address-pool of the hotspot is empty. This was because I was running 2 hotspots on the same range (the other on another mt that connected via the eoip - which is disabled now). But even if I allocate the proper local range (192.168.0.0/24) to the address-pool of the hotspot the problem still persists.
Any help will be great, as I’m all out of ideas. Thanks so much.
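When reading a dynamic hotspot listing like the one above, it helps to trace by hand which rule actually terminates a packet, because the hotspot's generated chains rely on jump/return nesting: the walled-garden entries are `return` rules inside hs-unauth and hs-unauth-to, and they only matter when the packet is an unauthenticated client's traffic that got jumped into those chains. The following is an added example, not code from the original post or from RouterOS: a small evaluator, written for this thread, that models only the filter forward path shown in the listing (rules 0, 1, 7, 8, 10, 11, 12, 13, 14) with the usual RouterOS semantics (first match wins, `jump` enters a sub-chain, `return` hands control back to the caller, an exhausted built-in chain accepts). The NAT chains, bridge-level handling and the `use-ip-firewall` setting are not modelled, so this shows what the filter rules say on paper, not where traffic is actually being lost in the poster's setup. The `Packet` direction and authenticated flags stand in for the `hotspot=` matchers; they are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical model of RouterOS filter semantics (added example, not RouterOS code).

@dataclass
class Rule:
    num: int                          # rule number as printed in the listing
    chain: str
    action: str                       # accept | drop | reject | jump | return
    protocol: Optional[str] = None
    src: Optional[str] = None         # CIDR, None matches any
    dst: Optional[str] = None         # CIDR, None matches any
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    hotspot: tuple = ()               # e.g. ("from-client", "!auth")
    jump_target: Optional[str] = None
    reject_with: Optional[str] = None

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    direction: str                    # "from-client" or "to-client" (hotspot matcher)
    authenticated: bool               # stands in for hotspot=auth / !auth
    in_iface: str = ""
    out_iface: str = ""

BRIDGE = "Ethernet_Wifi_EoIP_Bridge"

# Forward-path rules transcribed from the filter listing in the post.
# src-address=0.0.0.0/0 / dst-address=0.0.0.0/0 match anything and are omitted.
FILTER: List[Rule] = [
    Rule(0, "forward", "jump", hotspot=("from-client", "!auth"), jump_target="hs-unauth"),
    Rule(1, "forward", "jump", hotspot=("to-client", "!auth"), jump_target="hs-unauth-to"),
    Rule(7, "hs-unauth", "return", dst="192.168.0.0/24", in_iface=BRIDGE),      # walled garden
    Rule(8, "hs-unauth", "return", dst="172.18.0.0/16", in_iface=BRIDGE),       # walled garden
    Rule(10, "hs-unauth", "reject", protocol="tcp", reject_with="tcp-reset"),
    Rule(11, "hs-unauth-to", "return", src="192.168.0.0/24", out_iface=BRIDGE),
    Rule(12, "hs-unauth-to", "return", src="172.18.0.0/16", out_iface=BRIDGE),
    Rule(13, "hs-unauth", "reject", reject_with="icmp-net-prohibited"),
    Rule(14, "hs-unauth-to", "reject", reject_with="icmp-host-prohibited"),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    """Every matcher present on the rule must agree with the packet."""
    if rule.protocol and rule.protocol != pkt.protocol:
        return False
    if rule.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.in_iface and rule.in_iface != pkt.in_iface:
        return False
    if rule.out_iface and rule.out_iface != pkt.out_iface:
        return False
    for flag in rule.hotspot:
        if flag == "auth" and not pkt.authenticated:
            return False
        if flag == "!auth" and pkt.authenticated:
            return False
        if flag in ("from-client", "to-client") and flag != pkt.direction:
            return False
    return True

def walk(rules: List[Rule], chain: str, pkt: Packet,
         trace: Optional[List[int]] = None, depth: int = 0) -> Tuple[str, List[int]]:
    """Walk one chain; returns (verdict, numbers of the rules that matched along the way).
    verdict is accept/drop/reject, or 'return' when a sub-chain hands control back."""
    if trace is None:
        trace = []
    for r in rules:
        if r.chain != chain or not matches(r, pkt):
            continue
        trace.append(r.num)
        if r.action == "jump":
            verdict, trace = walk(rules, r.jump_target, pkt, trace, depth + 1)
            if verdict != "return":
                return verdict, trace          # sub-chain decided the packet
            continue                           # sub-chain returned: keep going here
        if r.action == "return":
            return "return", trace
        return r.action, trace                 # accept / drop / reject terminate
    # End of chain: a sub-chain falls back to its caller, the built-in chain accepts.
    return ("return" if depth else "accept"), trace

def forward_verdict(pkt: Packet) -> Tuple[str, List[int]]:
    return walk(FILTER, "forward", pkt)

# Constructed sample packets (addresses taken from the post, 203.0.113.9 is a documentation address).
unauth_lan = Packet("192.168.0.110", "192.168.0.145", "tcp", "from-client", False, in_iface=BRIDGE)
unauth_wan_tcp = Packet("192.168.0.110", "203.0.113.9", "tcp", "from-client", False, in_iface=BRIDGE)
unauth_wan_udp = Packet("192.168.0.110", "203.0.113.9", "udp", "from-client", False, in_iface=BRIDGE)
reply_to_unauth = Packet("192.168.0.145", "192.168.0.110", "tcp", "to-client", False, out_iface=BRIDGE)
auth_wan = Packet("192.168.0.110", "203.0.113.9", "tcp", "from-client", True, in_iface=BRIDGE)

if __name__ == "__main__":
    for name, p in [("unauth -> LAN", unauth_lan), ("unauth -> WAN tcp", unauth_wan_tcp),
                    ("unauth -> WAN udp", unauth_wan_udp), ("LAN -> unauth reply", reply_to_unauth),
                    ("auth -> WAN", auth_wan)]:
        print(f"{name:20} {forward_verdict(p)}")
```

On this model an unauthenticated client's packet to 192.168.0.145 matches rule 0, is jumped into hs-unauth, hits the walled-garden `return` in rule 7 and then runs off the end of forward, so the filter accepts it; the same client's TCP packet to an outside address is rejected by rule 10 with a tcp-reset, and a non-TCP one by rule 13. If a packet in the real router is not reaching hosts the filter would accept, the cause lies in a layer this evaluator leaves out, which is a useful way to narrow the search.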