Hotspot Problem - Transparent Bridge not passing traffic

I am having a problem with the configuration of a demo in my lab, one which I’ve spent many hours troubleshooting without resolution. I have followed nearly a dozen guides online without any success…

I have tried mucking around with firewall and NAT rules in nearly every permutation I can think of, without success: reset and do over differently. Tried default configuration, guides, even just randomly changing rulesets… See below for my latest (and likely most correct).

THANKS!!!

Use Case:
Implement a simple transparent bridge appliance providing a hotspot service (Radius AAA) to an existing network.

Architecture:
WAN >> Gateway (DHCP/DNS/L7 Filtering) @ 10.0.0.1 >> Transparent RouterOS @ 10.0.0.2 >> Internal LAN 10.0.0.0/24

Appliance is a generic server running:
Mikrotik RouterOS - Version 6.28 (x86)

The Good:
When hotspot is disabled, all traffic works AOK. No problems with browsing.
When the hotspot is enabled, I cannot browse the public internet at all, as expected. Pings respond with ‘destination net not authorized’. I can successfully log in; however, I can only do so if I navigate to the login page manually via IP/DNS name.

The Problem:
- When the hotspot is enabled, basic webpage requests (HTTP non-secure) do not redirect to login. I can only get to the login page by direct access to the hotspot IP/URL.
- Once I successfully log in, I am still unable to browse. Cannot ping out, and the browser perpetually spins, eventually resulting in “Webpage is not available (DNS_PROBE_FINISHED_NO_INTERNET)”.
- In no case am I able to ping the gateway or external hosts past the bridge!

Troubleshooting Notes:
I have tried numerous browsers and several different clients (Win7, 8.1, Ubuntu, etc.). They get an IP; they just cannot get past the bridge when the hotspot is on.
I am thinking it might be related to the firewall configuration but am not sure.

The Configuration:
/export:

/interface ethernet
set [ find default-name=ether1 ] name=ToGW speed=1Gbps
set [ find default-name=ether2 ] name=ToLAN speed=1Gbps
/interface bridge
add name=br-hotspot
/ip hotspot profile
add dns-name=localhotspot.info hotspot-address=10.0.0.2 name=hs-profile \
    nas-port-type=ethernet radius-interim-update=5m use-radius=yes
/ip hotspot
add disabled=no interface=br-hotspot name=hotspot1 profile=hs-profile
/ip pool
add name=hs-pool ranges=10.0.0.100-10.0.0.254
/ip dhcp-server
add address-pool=hs-pool disabled=no interface=br-hotspot lease-time=1h name=\
    dhcp1
/port
set 0 name=serial0
set 1 name=serial1
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=br-hotspot interface=ToGW
add bridge=br-hotspot interface=ToLAN
/interface bridge settings
set use-ip-firewall=yes
/ip address
add address=10.0.0.2/24 interface=br-hotspot network=10.0.0.0
/ip dhcp-server network
add address=10.0.0.0/24 comment="hotspot network" gateway=10.0.0.2
/ip dns
set servers=10.0.0.1
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.0.0.0/24
/ip hotspot ip-binding
add address=10.0.0.4 comment=AdminPC type=bypassed
add address=10.0.0.5 comment=FreeRADIUS type=bypassed
/ip hotspot user
add name=admin
/ip route
add distance=1 gateway=10.0.0.1
/radius
add address=10.0.0.5 secret=radius123 service=hotspot
/romon port
add disabled=no
/system identity
set name=localhotspot
/tool user-manager database
set db-path=user-manager

/ip firewall filter print dynamic

Flags: X - disabled, I - invalid, D - dynamic 
 0  D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth log=no log-prefix="" 
 1  D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth log=no log-prefix="" 
 2  D chain=input action=jump jump-target=hs-input hotspot=from-client log=no log-prefix="" 
 3  D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875 log=no log-prefix="" 
 4  D chain=hs-input action=jump jump-target=pre-hs-input log=no log-prefix="" 
 5  D chain=hs-input action=accept protocol=udp dst-port=64872 log=no log-prefix="" 
 6  D chain=hs-input action=accept protocol=tcp dst-port=64872-64875 log=no log-prefix="" 
 7  D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth log=no log-prefix="" 
 8  D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp log=no log-prefix="" 
 9  D chain=hs-unauth action=reject reject-with=icmp-net-prohibited log=no log-prefix="" 
10  D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited log=no log-prefix=""

/ip firewall nat print dynamic

Flags: X - disabled, I - invalid, D - dynamic 
 0  D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth log=no log-prefix="" 
 1  D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth log=no log-prefix="" 
 2  D chain=input action=jump jump-target=hs-input hotspot=from-client log=no log-prefix="" 
 3  D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875 log=no log-prefix="" 
 4  D chain=hs-input action=jump jump-target=pre-hs-input log=no log-prefix="" 
 5  D chain=hs-input action=accept protocol=udp dst-port=64872 log=no log-prefix="" 
 6  D chain=hs-input action=accept protocol=tcp dst-port=64872-64875 log=no log-prefix="" 
 7  D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth log=no log-prefix="" 
 8  D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp log=no log-prefix="" 
 9  D chain=hs-unauth action=reject reject-with=icmp-net-prohibited log=no log-prefix="" 
10  D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited log=no log-prefix=""
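
As an added example (not part of the original post and not MikroTik code), the following Python script parses the /export above and checks the condition a transparent-bridge hotspot is most often tripped up by: every host whose frames enter the hotspot interface is treated as a hotspot host, and the dynamic hs-unauth rules shown above reject its packets until it authenticates, unless it has a `type=bypassed` entry in `/ip hotspot ip-binding`. On a bridge that also carries the ToGW port, that includes the default gateway, the DNS server and the RADIUS server. The export text embedded in the script is the posted one, trimmed to the sections the checks read; the parser, the function names and the rule itself are mine, and the output flags a configuration gap rather than a confirmed diagnosis of the poster's fault.

```python
"""Lint a RouterOS /export for transparent-bridge hotspot pitfalls.

Added example for this thread (not MikroTik's code, not the poster's).
Rule checked: a host whose frames enter the hotspot interface is a hotspot
host and is rejected by the dynamic hs-unauth rules until it authenticates,
unless it has a bypassed entry in /ip hotspot ip-binding.
"""
import re
from collections import defaultdict

# The export posted above, trimmed to the sections the checks read.
EXPORT = r"""
/interface ethernet
set [ find default-name=ether1 ] name=ToGW speed=1Gbps
set [ find default-name=ether2 ] name=ToLAN speed=1Gbps
/ip hotspot profile
add dns-name=localhotspot.info hotspot-address=10.0.0.2 name=hs-profile \
    nas-port-type=ethernet radius-interim-update=5m use-radius=yes
/ip hotspot
add disabled=no interface=br-hotspot name=hotspot1 profile=hs-profile
/interface bridge port
add bridge=br-hotspot interface=ToGW
add bridge=br-hotspot interface=ToLAN
/ip dns
set servers=10.0.0.1
/ip hotspot ip-binding
add address=10.0.0.4 comment=AdminPC type=bypassed
add address=10.0.0.5 comment=FreeRADIUS type=bypassed
/ip route
add distance=1 gateway=10.0.0.1
/radius
add address=10.0.0.5 secret=radius123 service=hotspot
"""

# key=value tokens; values may be double-quoted (e.g. comment="hotspot network")
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Map each '/menu path' to the list of add/set commands under it.

    Joins the backslash line continuations /export emits; the
    '[ find default-name=... ]' selector is kept as an ordinary key.
    """
    joined = re.sub(r"\\\n\s*", " ", text)
    cfg = defaultdict(list)
    menu = None
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        entry = {k: v.strip('"') for k, v in KV.findall(line)}
        entry["_verb"] = line.split(None, 1)[0]
        cfg[menu].append(entry)
    return cfg


def hotspot_interfaces(cfg):
    return {e["interface"] for e in cfg["/ip hotspot"]
            if "interface" in e and e.get("disabled", "no") != "yes"}


def bridge_members(cfg, bridge):
    return [e["interface"] for e in cfg["/interface bridge port"]
            if e.get("bridge") == bridge]


def bypassed_hosts(cfg):
    return {e["address"] for e in cfg["/ip hotspot ip-binding"]
            if e.get("type") == "bypassed" and "address" in e}


def upstream_hosts(cfg):
    """Hosts the router itself must reach: default gateway, DNS, RADIUS."""
    hosts = {}
    for r in cfg["/ip route"]:
        if "gateway" in r and r.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0":
            hosts.setdefault(r["gateway"], "default gateway")
    for d in cfg["/ip dns"]:
        for ip in filter(None, d.get("servers", "").split(",")):
            hosts.setdefault(ip, "DNS server")
    for r in cfg["/radius"]:
        if "address" in r:
            hosts.setdefault(r["address"], "RADIUS server")
    return hosts


def lint(cfg):
    """Return one warning per upstream host the hotspot would block."""
    findings = []
    bypass = bypassed_hosts(cfg)
    for hs_if in sorted(hotspot_interfaces(cfg)):
        members = bridge_members(cfg, hs_if)
        if len(members) > 1:
            findings.append(f"hotspot '{hs_if}' bridges {members}: hosts behind every "
                            f"one of these ports are hotspot hosts")
        for ip, role in sorted(upstream_hosts(cfg).items()):
            if ip not in bypass:
                findings.append(f"{role} {ip} has no type=bypassed ip-binding, so the "
                                f"dynamic hs-unauth rules reject its packets")
    return findings


if __name__ == "__main__":
    for warning in lint(parse_export(EXPORT)):
        print("WARN:", warning)
```

Run against the posted export it reports two things: the hotspot bridge spans both ToGW and ToLAN, and 10.0.0.1 (default gateway and DNS server) has no bypassed binding, while the FreeRADIUS host 10.0.0.5 is correctly bypassed. The fix the check points at is a `/ip hotspot ip-binding add address=10.0.0.1 type=bypassed` entry (or a MAC-based one for the gateway), verified afterwards by confirming 10.0.0.1 no longer appears as an unauthorised entry in `/ip hotspot host`.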

Here’s the mail I got recently which fixed my problem permanently:
Make sure you go through all the suggestions in that post. There are several good ones in it that are not in the others (in particular the override of your ISP DNS addresses with Google DNS addresses).
Evidently there is a performance problem with your ISP’s DNS with your router in the middle. You could try to complain to your ISP, but probably they would ask you to remove your router and try to reproduce your problem symptom without it. That undoubtedly would change the timing and thus let them off the hook. Unfortunately, tuning for this particular timeout is not readily available.
DNS_PROBE_FINISHED_NO_INTERNET – Solutions Encyclopedia