I have been racking my brain on this one and just can’t figure it out.
My goal is to have a client get a public IP address from my pool of addresses and it not be masqueraded.
In other words, the hotspot will assign a public ip address to the customer hardware, and that address is their real ip address on the internet, not some other public ip address.
I KNOW I’m missing something, but I think I’m suffering information overload.
There is nothing special whatsoever about public IPs. They are just IPs that don’t need to be NATted when being routed out to the Internet. However, just like with any private IPs you would use, they have to be available right on the Hotspot interface. They must be behind the router and routed through the public IP on the WAN interface, and not just be available on the WAN interface itself.
In that scenario the ISP’s gateway is 1.1.1.1, your WAN IP is 1.1.1.2 and the world knows that 2.2.2.1/24 is reachable via 1.1.1.2. You assign 2.2.2.1/24 on an Interface, run the Hotspot wizard (or set up the pieces manually), and remove any NAT inserted by the wizard if you used it. You also need to remove any IP pools assigned to the Hotspot server profile as they are used for universal NAT (a Hotspot trick to make clients with misconfigured interfaces work) as that would waste a large number of public IPs.
I’ve done this many times, it works out of the box.
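The setup fewi describes, written out as RouterOS CLI. This is an added example, not configuration posted in the thread; interface names (ether1 WAN, ether2 hotspot), the /30 on the WAN, the DHCP pool range and the login DNS name are assumptions, the addresses are the ones from fewi's post.

```routeros
# Assumed: ether1 = WAN, ether2 = hotspot LAN (not from the thread).
# ISP gateway 1.1.1.1, WAN IP 1.1.1.2, public client block 2.2.2.0/24 which the
# ISP routes to 1.1.1.2. The /30 on the WAN is an assumption.
/ip address
add address=1.1.1.2/30 interface=ether1 comment="WAN, ISP routes 2.2.2.0/24 here"
add address=2.2.2.1/24 interface=ether2 comment="hotspot clients, real public IPs"
/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.1

# DHCP hands out the public block directly. The hotspot server gets NO pool
# (address-pool=none), so it cannot apply universal NAT to the clients.
/ip pool
add name=hs-public ranges=2.2.2.2-2.2.2.254
/ip dhcp-server
add name=hs-dhcp interface=ether2 address-pool=hs-public lease-time=1h disabled=no
/ip dhcp-server network
add address=2.2.2.0/24 gateway=2.2.2.1 dns-server=2.2.2.1
/ip dns
set allow-remote-requests=yes

/ip hotspot profile
add name=hs-public-prof hotspot-address=2.2.2.1 dns-name=login.example.invalid \
    login-by=http-chap,cookie
/ip hotspot
add name=hs-public interface=ether2 profile=hs-public-prof address-pool=none disabled=no

# No source NAT for the client block. If the wizard was used, drop the masquerade
# rule it inserted. Dynamic (D-flagged) hotspot chains stay: they do the login
# redirect, not address translation.
/ip firewall nat remove [find chain=srcnat action=masquerade src-address=2.2.2.0/24]

# Check: no static srcnat rule should cover 2.2.2.0/24 after this.
/ip firewall nat print where chain=srcnat
```

After a client authenticates, its address as seen from the Internet should be its 2.2.2.x lease, which is the quickest way to confirm nothing is still masquerading.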
Hi fewi. Just so I understand, this requires two separate public subnets, one subnet on the wan interface, and another on the lan/hotspot interface. Just no srcnat/masquerade. And the route for dst-address=2.2.2.0/24 gateway=1.1.1.2 in the wan (isp) router.
Is there a way to use something like proxy-arp for this, and use part of the wan interface on the lan? I think they want to put the 1.1.1.0/24 behind the hotspot and have it on the wan interface too.
Yes, two subnets. And a route to the Hotspot subnet via your WAN interface. Could be static on the ISP side, could be propagated by a routing protocol, whatever.
You can use proxy ARP if you own the entire WAN subnet, if you don’t you interrupt services for other ISP customers and would probably get in quite a bit of trouble. Also, you would have to properly subnet everything so you can assign a network to the LAN/Hotspot interface, so if you have a /24 on the WAN the best you can do is a /25 on the LAN. If you need to reuse WAN space 1:1 NAT would be a better solution in my opinion.
Sometimes. Really, DHCP is irrelevant to the question. A DHCP server doesn’t care what kind of address it hands out. It doesn’t have a concept of private and public IP addresses. It’s all just bits. The only thing special about private IP addresses is that most Internet routers are configured to drop them so that they can be used at lots of places at once without clashing with one another.
Hotspots with public IPs really just work out of the box as long as you treat them the same as you would with private IPs - just make sure you really are not using NAT, which the wizard will by default. I don’t know what kind of problems you are having that haven’t been discussed in this thread yet. Post your actual configuration and a network diagram if you are having further issues.
OK, I have to apologize as I think I may have misled you in my original post.
Here’s what’s happening…
The hotspot is handing out an IP address to an unauthorized client via DHCP, then after authentication, it’s handing out another one via DHCP from the same pool. I’ve set it up both ways, with the masquerade option set and not set.
Why does it do this, or how can I get it to stop doing this?
If you are using DHCP, set Address Pool to ‘none’ for the hotspot server. This will prevent the hotspot from dealing with any IPs, and only DHCP will get access to give the client an IP.
This is just what I want to set up in my network: a hotspot with public IPs.
My question now is how a user can authenticate by MAC address and IP in add user and not by IP bindings.
How should I add in hotspot users someone who will authenticate by MAC address and IP? (I tried with a username and MAC address but it is not working)
You cannot authenticate by IP address outside of IP bindings, that is impossible.
You can authenticate by MAC address only by editing the IP > Hotspot > Profile login methods and checking MAC address. You then need to create users as usual with the MAC address of the user as the username and a blank password. If you’re using RADIUS you can also set a MAC password that will be sent to the AAA solution in case it doesn’t like blank passwords.
I need client1 and client2 not to need to authenticate if they have the correct IP and MAC address (if they try to change the IP or the MAC address they will be redirected to the hotspot login page), and hotspot clients need to be authenticated on the hotspot login page but get public IPs also.
Any idea how to make this happen? I will pay for someone to help me out with this one.
P.S.: Please excuse my bad English and bad drawing
To limit rate for hotspot clients, use /ip hotspot profile set rate-limit=
IP bindings → bypass is only used for clients who do not get handled by hotspot at all (no authenticate and no rate limit).
It depends on which you specify. If you provide both IP and MAC, then the client must match both. If you provide only IP, then the client must match on IP. If you provide MAC with IP=0.0.0.0/0, the client must only match MAC.
I would think this should be fine. A /24 allows 254 usable client addresses. If you don’t exceed this, you should be ok.
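The MAC login method from fewi's post and the IP-binding matching rules dssmiktik lists, as an added RouterOS example (not configuration from the thread). The profile name hsprof1, server name hotspot1, the MAC addresses and the 2.2.2.x client addresses are assumptions.

```routeros
# Assumed profile hsprof1 / server hotspot1 (wizard defaults), 2.2.2.0/24 clients.
# MAC login next to the web form, plus a per-client rate limit (applies only to
# clients the hotspot actually handles, i.e. not to bypassed bindings).
/ip hotspot profile
set [find name=hsprof1] login-by=mac,http-chap,cookie rate-limit=2M/10M

# MAC-only user: the MAC is the username, password left blank.
/ip hotspot user
add name=00:11:22:33:44:AA server=hotspot1 comment="MAC login user (constructed)"

# client1/client2: bypassed only while BOTH MAC and IP match. A changed MAC or
# IP matches no binding, so that host is treated as a normal hotspot client and
# lands on the login page.
/ip hotspot ip-binding
add mac-address=00:11:22:33:44:01 address=2.2.2.10 type=bypassed comment=client1
add mac-address=00:11:22:33:44:02 address=2.2.2.11 type=bypassed comment=client2
# For contrast: MAC-only match (IP=0.0.0.0/0) and IP-only match.
add mac-address=00:11:22:33:44:03 address=0.0.0.0/0 type=bypassed comment="this MAC, any IP"
add address=2.2.2.20 type=bypassed comment="this IP, any MAC"

# Checks: bindings as configured, and per-host state (A = authorized, P = bypassed).
/ip hotspot ip-binding print
/ip hotspot host print
```

Since the block is routed without NAT, bypassed hosts keep their 2.2.2.x address on the Internet exactly like authenticated ones; no to-address is needed on the bindings.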
Thanks for your reply dssmiktik. It helps a lot.
If I need to set up hotspot on bridge1 (ether5-ether12) and leave ether2-ether4 for servers (ip from 80.97.140.2 to 80.97.140.20) how should I set my subnets?
Sorry, but I don’t use hotspot on a bridge. I tried it once and it didn’t seem to work right (could have been me though). I’ve only used hotspot on physical interfaces.