I have a working HotSpot site with 2.8 ROS (now not upgradeable) and want to set up a second site with 2.9, but can’t get things right. Everything seems completely changed.
2.8 has a special ‘hotspot’ service, and firewall rules to redirect all unauthorized attempts to it. Can’t find anything similar in 2.9.
Do I need to add firewall rules manually in 2.9 as was needed in 2.8, or will it be automated by “/ ip hotspot setup”?
Also, I can simply test my 2.8 hotspot box from outside by connecting IE to the hotspot port, and the login page appears. How to do that in 2.9?
Could it be license restrictions? The RB with 2.9 has level3. The manual says L3 has one HotSpot connection.
Can someone post me “/ export” from a working 2.9 hotspot? Thanks.
You are right, the 2.9 hotspot is completely different.
Basically (if you have a working internet/uplink setup on your router) you can just use the provided setup wizard to create a running hotspot in seconds.
Fine-tuning apart (like bandwidth shaping, firewalling, customizing hotspot html pages etc.), that should be all you need to do.
If this doesn’t work for you, please post again and include some more details about what you did and what did not work.
What I want: to set up HS without any NAT or masquerading (with real IPs)
What I did: ran / ip hotspot setup 1-)
What I expected: some way to reach the login page to test HS from far outside
What I did later: upgraded to 2.9.12 from 2.9.rc8, added another HS entry for the outer interface, played with options.. now my / ip hotspot entry looks like
/ ip hotspot
add name="hs-ether1" interface=ether1 profile=hsprof-outer idle-timeout=5m keepalive-timeout=none disabled=yes
add name="hs-ether2" interface=ether2 profile=hsprof1 idle-timeout=5m keepalive-timeout=none disabled=no
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot profile
set default name="default" hotspot-address=0.0.0.0 dns-name="" html-directory="" rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 \
    login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no use-radius=no
add name="hsprof1" hotspot-address=[inner-ip] dns-name="[inner-name]" html-directory="" rate-limit="" http-proxy=0.0.0.0:0 \
    smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no use-radius=no
add name="hsprof-outer" hotspot-address=[outer-ip] dns-name="[outer-name]" html-directory="" rate-limit="" http-proxy=0.0.0.0:0 \
    smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no use-radius=no
/ ip hotspot user
add name="[user]" password="[pass]" profile=default comment="" disabled=no
/ ip hotspot user profile
set default name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 transparent-proxy=yes open-status-page=always \
    advertise=no
Waitaminute. Ooooooooh dammit. The outer one was disabled. And if we enable it.. Oooh dammit. Lucky me, I set up a working user/password pair for the hotspot 1-) Now, yeah, it's working precisely. Thanks for the great change, understanding and keeping all the “juggle-and-mangle” stuff in 2.8 was a real pain (especially in our “many-many-many VLANed hotspot” configuration).
I got another problem: I'm testing it from outside, and I have the RADIUS server outside too. So MT keeps saying
07:46:18 hotspot,info,debug ruser ([ip]): trying to log in by http-chap
07:46:20 hotspot,info,debug ruser ([ip]): login failed: RADIUS server is not responding
Well, after
/ ip hotspot walled-garden ip
add src-address=[radius-ip] action=accept comment="" disabled=no
add dst-address=[radius-ip] action=accept comment="" disabled=no
I got auth-reqs on the RADIUS server, but no logging (same message)
Although running a HotSpot on your outside interface seems kind of “backwards” and “sick” somehow, I suppose you should look at the IP bindings feature in the 2.9 hotspot, allowing you to bypass hotspot functionality for hosts on the “inside” of the hotspot.
In your special case, the RADIUS server on the outside should be “inside” for the hotspot running on the outward interface ?!
If you see the request at the RADIUS server and see that it’s sending out a reply, it almost surely must have to do with some kind of firewalling at your MikroTik.
You could do a network sniff on the MikroTik to see if the reply packets actually get there…
have equal counts, and the numbers exactly match the RADIUS packets sniffed by tethereal. So Access-Accept packets reached MT..
Maybe it’s because “hotspot-address” for the inner hotspot profile is the INNER ip? And the Access-Requests that I see on RADIUS are from the outer (so accepts are sent to the outer too).
All the same with 2.9.12 and 2.9.13: access-accepts (and -rejects) successfully reached MT, but the hotspot keeps saying “RADIUS server not responding”.
As always, there are three Access-Requests and three Access-Accepts. And no reaction from MT. I see those packets by sniffer, I see them by firewall “LOG” rule, I see them counting on the “ACCEPT” rule, but the hotspot doesn’t.
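One check that fits the symptom above (replies arrive, the client still reports a timeout), as an added example that is not code from the thread or from MikroTik: under RFC 2865 a RADIUS client silently discards a reply whose identifier or Response Authenticator does not match its request, so a sniffed request/reply pair can be verified offline against the shared secret. The packets and the secrets `router-secret` and `other-secret` are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11

def parse_header(pkt: bytes):
    """Split a RADIUS packet into (code, identifier, length, authenticator)."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("length field does not fit the captured bytes")
    return code, ident, length, pkt[4:20]

def check_reply(request: bytes, reply: bytes, secret: bytes) -> str:
    """Say whether an RFC 2865 client holding `secret` would keep this reply."""
    _, req_id, _, req_auth = parse_header(request)
    code, rep_id, length, rep_auth = parse_header(reply)
    if code not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return "not-a-reply"
    if rep_id != req_id:
        return "identifier-mismatch"
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest()
    return "ok" if hmac.compare_digest(expected, rep_auth) else "bad-authenticator"

def build_reply(code, ident, req_auth, attrs, secret):
    """Build a reply as a server using `secret` would (only for the sample data)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

# Constructed sample packets, not taken from the thread's capture.
REQ_AUTH = bytes(range(16))
USER_NAME = b"\x01\x07ruser"  # attribute type 1 (User-Name), length 7
REQUEST = struct.pack("!BBH", ACCESS_REQUEST, 42, 20 + len(USER_NAME)) + REQ_AUTH + USER_NAME
SAME_SECRET = build_reply(ACCESS_ACCEPT, 42, REQ_AUTH, b"", b"router-secret")
OTHER_SECRET = build_reply(ACCESS_ACCEPT, 42, REQ_AUTH, b"", b"other-secret")

if __name__ == "__main__":
    for name, reply in (("same secret", SAME_SECRET), ("other secret", OTHER_SECRET)):
        print(name, "->", check_reply(REQUEST, reply, b"router-secret"))
```

A RADIUS server picks the shared secret by the source address of the Access-Request, so a request leaving from a different router address than the one configured on the server can produce the `bad-authenticator` case.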