Hi Guys,
I am hoping you can jog my memory please....
I have configured many MT hotspots over the years and I am a fairly advanced user of MT and Networking in general.
I had this problem once before and I know I resolved it, I just cannot recall how!
I have configured a new hotspot on a VLAN (VLAN50) running on a CCR. Everything works, but for some reason when you connect to the wireless network on VLAN 50, the browser automatically opens as it should, but instead of going to the hotspot login page it redirects to http://www.msftconnecttest.com/redirect and then immediately on to msn.com.
If I enter the URL of the hotspot I get the login screen and I am able to log in and authenticate against RADIUS so everything works. Just not sure why the redirection is going to the http://www.msftconnecttest.com/redirect URL instead of my login.html?
I have read about using HTTPS and have tried all the suggestions, including using a certificate, and this makes no difference. I am fairly confident that those posts relate to the redirect "after successful authentication". My issue is different in that I do not get the authentication page at all; but, as I said, if I manually enter the URL or IP of the hotspot I get the login page, I am able to authenticate and everything works as it should.
I have tried all the obvious.. resetting the HTML pages, clearing the DNS cache and then ensuring that everything resolves as it should etc.
I have put my config in below and removed some of the sensitive / private information. Any help you guys can provide would be much appreciated!
Regards,
Sheldon.
model = CCR1036-8G-2S+
/interface vlan
# Both VLANs are children of bridge1, the same bridge that carries the
# untagged 192.168.101.0/24 management LAN (see /ip address). Separation
# between VLAN 50 guests and that LAN therefore rests entirely on
# /ip firewall filter.
add interface=bridge1 name="vlan20 - MOBILES" vlan-id=20
add interface=bridge1 name="vlan50 - HOTSPOT" vlan-id=50
/interface wireless security-profiles
# Default wireless profile; only the supplicant identity is set here.
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
# Profile used by hotspot1 (/ip hotspot). login-by is not set, so it is
# whatever this RouterOS version defaults to (normally cookie,http-chap);
# http-chap keeps the password itself off the wire, but the rest of the
# login exchange is plain HTTP. dns-name must resolve, for the client, to
# hotspot-address, and it is the name the login page is served on.
# smtp-server: per RouterOS, client SMTP is redirected to this internal host.
# NOTE(review): the symptom in the post - the Windows NCSI probe lands on the
# real www.msftconnecttest.com/redirect and then msn.com - means an
# unauthorised client's port-80 request was forwarded to the Internet rather
# than redirected to the login page. Before touching certificates, confirm
# the hotspot's dynamic rules exist for this interface
# (/ip firewall nat print dynamic, /ip firewall filter print dynamic) and
# that the test client appears as unauthorised, not bypassed, in
# /ip hotspot host print; a bypass entry in /ip hotspot ip-binding (not in
# this export) would give exactly this behaviour.
add dns-name=login.mydomainname.net.au hotspot-address=10.0.50.254
http-cookie-lifetime=1d name=hsprof1 smtp-server=192.168.101.204
use-radius=yes
/ip pool
# Address pools: MOBILES VLAN, hotspot VLAN and the PPTP VPN.
add name=dhcp_Mobiles ranges=10.0.20.1-10.0.20.253
add name=hs-pool-16 ranges=10.0.50.1-10.0.50.253
add name=PPtP-Pool ranges=10.0.254.1-10.0.254.250
/ip dhcp-server
add address-pool=dhcp_Mobiles disabled=no interface="vlan20 - MOBILES" name=
dhcp2
# Hotspot VLAN server with a 1h lease; the MOBILES server uses the default.
add address-pool=hs-pool-16 disabled=no interface="vlan50 - HOTSPOT"
lease-time=1h name=dhcp1
/ip hotspot
# The captive portal: bound to the VLAN 50 interface with profile hsprof1.
# Authentication method and RADIUS use are set in the profile, not here.
add address-pool=hs-pool-16 disabled=no interface="vlan50 - HOTSPOT" name=
hotspot1 profile=hsprof1
/ppp profile
# Profile for the PPTP VPN (pool name and the tcp/1723 + GRE input rules
# point at PPTP). PPTP/MS-CHAPv2 is cryptographically broken; the firewall
# already accepts OpenVPN on tcp/1194, which is the better path for remote
# access. VPN clients are handed the internal domain controller as resolver.
add dns-server=192.168.101.220 local-address=10.0.254.254 name=MYDOMAIN-VPN
remote-address=PPtP-Pool
/tool user-manager customer
set admin access=
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/tool user-manager profile
# Profile "RADIUS": free, starts at logon, no validity limit.
add name=RADIUS name-for-users="" override-shared-users=off owner=admin
price=0 starts-at=logon validity=0s
/tool user-manager profile limitation
# NOTE(review): these values are in bytes. 10024B is about 10 KB and
# 10240B/20480B are 10/20 KB, not the 10 MB / 20 MB the names claim
# (10 MB would be 10485760B). No profile-limitation binding appears in this
# export either, so they may not be applied to anyone. Confirm the intent.
add address-list="" download-limit=10024B group-name="" ip-pool="" name=
"Limit 10MB" owner=admin transfer-limit=10024B upload-limit=10024B
uptime-limit=0s
add address-list="" download-limit=20480B group-name="" ip-pool="" name=
"Limit 20MB" owner=admin transfer-limit=10240B upload-limit=20480B
uptime-limit=0s
/user group
# Router login group that can only use FTP; every other policy is denied.
# Any user placed in it can still read/write the router's file store, which
# is where backups are saved (see /system script).
add name=ftp policy="ftp,!local,!telnet,!ssh,!reboot,!read,!write,!policy,!tes
t,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
/ip settings
# Strict reverse-path filtering: a packet is dropped if the route back to
# its source does not leave via the interface it arrived on. Fine while only
# one of the two default routes (/ip route) is active; any asymmetric path
# is dropped silently.
set rp-filter=strict
/ip address
# Router addresses: untagged management LAN on bridge1, one /24 per VLAN.
add address=192.168.101.254/24 interface=bridge1 network=192.168.101.0
add address=10.0.20.254/24 interface="vlan20 - MOBILES" network=10.0.20.0
add address=10.0.50.254/24 interface="vlan50 - HOTSPOT" network=10.0.50.0
/ip dhcp-server network
# Both VLANs get the router as resolver and gateway.
add address=10.0.20.0/24 dns-server=10.0.20.254 gateway=10.0.20.254
add address=10.0.50.0/24 comment="hotspot network" dns-server=10.0.50.254
gateway=10.0.50.254
/ip dns
# The router resolves for every interface (the hotspot needs this) and
# forwards to the internal domain controller. Two caveats:
# - the only "external DNS" drop in /ip firewall filter is scoped to
#   in-interface=NBN-GW1, so WAN exposure depends on that interface really
#   being the WAN;
# - hotspot guests' queries reach the AD DNS, which answers for internal
#   zones. Forwarding guest lookups to a public resolver instead keeps
#   internal names away from them.
set allow-remote-requests=yes servers=192.168.101.220
/ip firewall filter
# Export artefact: each "NBN-GW1 not ready" line is RouterOS warning that the
# rule after it references an interface that did not exist at export time.
# Every WAN-facing drop below is scoped to in-interface=NBN-GW1, so while
# that interface is absent none of them match anything, and the distance=1
# default route (/ip route) sends traffic towards 192.168.101.1 on bridge1.
# NOTE(review): neither input nor forward ends in a catch-all drop, and no
# rule mentions "vlan50 - HOTSPOT" or 10.0.50.0/24. Once a hotspot user has
# authenticated, the hotspot's dynamic rules no longer restrict them, so they
# can reach the router's own services on 10.0.50.254 and route into
# 192.168.101.0/24 (Exchange, DC, the router-hosted User Manager) and the
# other internal subnets. Suggested minimum, placed after the hotspot's
# dynamic jump rules (which should already accept DHCP, DNS and the login
# ports - verify with print dynamic):
#   add chain=input in-interface="vlan50 - HOTSPOT" action=drop
#   add chain=forward in-interface="vlan50 - HOTSPOT" \
#       dst-address-list=INTERNAL action=drop
# with INTERNAL = 192.168.101.0/24, 192.168.13.0/24, 192.168.110.0/24,
# 10.0.20.0/24, 10.0.254.0/24 (add an accept for 192.168.101.204 tcp/25
# first if the profile's smtp-server redirect is wanted). /ip service
# address restrictions are not in this export, so they may or may not help.
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
# NOTE(review): matches on source address alone, which any host able to put
# 192.168.101.254 on the wire can forge; whether rp-filter=strict rejects a
# locally-addressed source is version dependent, so do not rely on it. Match
# the Dude's actual port(s) and/or in-interface instead.
add action=accept chain=input comment=
"Accept all inboud connections from this routers IP (For the Dude)"
src-address=192.168.101.254
# OpenVPN accepted from any source on any interface.
add action=accept chain=input comment="Accept OpenVPN connections" dst-port=
1194 protocol=tcp
NBN-GW1 not ready
# PPTP control and GRE from the WAN.
add action=accept chain=input dst-port=1723 in-interface=NBN-GW1 protocol=tcp
NBN-GW1 not ready
add action=accept chain=input in-interface=NBN-GW1 protocol=gre
# Winbox only from the admin address list.
add action=accept chain=input dst-address=192.168.101.0/24 dst-port=8291
protocol=tcp src-address-list=MYDOMAIN-ADMIN
add action=accept chain=forward comment=
"allow all NTP requests from subnet 192.168.101.0/24" dst-port=123
protocol=udp src-address=192.168.101.0/24
# SUSPENDED_CLIENTS handling - all four rules currently disabled.
add action=accept chain=forward comment="Allow DNS for SUSPENDED CLIENTS"
disabled=yes dst-port=53 protocol=udp src-address-list=SUSPENDED_CLIENTS
add action=accept chain=forward comment=
"Allow return traffic from www.MYDOMAIN.net.au for SUSPENDED CLIENTS"
disabled=yes src-address=154.0.160.114 src-address-list=SUSPENDED_CLIENTS
NBN-GW1 not ready
add action=accept chain=input comment=
"Allow inbound ICMP requests to this gateway" in-interface=NBN-GW1
protocol=icmp
add action=accept chain=forward comment="SUSPENDED CLIENTS" disabled=yes
dst-address-list=SUSPENDED_CLIENTS protocol=udp src-port=53
add action=drop chain=forward comment="SUSPENDED CLIENTS" disabled=yes
src-address-list=SUSPENDED_CLIENTS
NBN-GW1 not ready
add action=drop chain=input comment="Drop all External, inbound DNS queries de
stined specifically for this routers IP's " dst-address-list=!DMZ
dst-port=53 in-interface=NBN-GW1 protocol=udp src-address=0.0.0.0/0
NBN-GW1 not ready
add action=drop chain=forward comment="Drop External, inbound Winbox, Telnet &
_FTP Connections to subnet PUBLIC-IP-REMOVED" dst-address=
PUBLIC-IP-REMOVED dst-port=8291,23,21,80 in-interface=NBN-GW1 protocol=tcp
src-address-list=!MYDOMAIN-ADMIN
NBN-GW1 not ready
add action=drop chain=input comment="Drop inbound Telnet connections destined
specifically for this routers IP " dst-address=PUBLIC-IP-REMOVED dst-port=23
in-interface=NBN-GW1 protocol=tcp src-address-list=!MYDOMAIN-ADMIN
NBN-GW1 not ready
# NOTE(review): /ip proxy runs on 8082, not 8081, so this rule (and the
# comment of the next one) protects the wrong port. The blanket WAN drops
# further down are what actually cover the proxy.
add action=drop chain=input comment=
"Drop all external inbound traffic for local webproxy on port 8081"
dst-port=8081 in-interface=NBN-GW1 protocol=tcp
NBN-GW1 not ready
# Three stacked "drop all WAN input except X" rules. The last one drops
# everything from NBN-GW1 not in MYDOMAIN-ADMIN, so the single-host
# exceptions (104.28.1.254, 8.8.8.8) in the first two never grant anything;
# collapsing them into one rule removes the ambiguity.
add action=drop chain=input comment="Drop all unknown traffic destined for thi
s gateway's IP (Protection for this routers Web Proxy running on port 808
1" dst-address=PUBLIC-IP-REMOVED in-interface=NBN-GW1 src-address=
!104.28.1.254
NBN-GW1 not ready
add action=drop chain=input dst-address=PUBLIC-IP-REMOVED in-interface=NBN-GW1
src-address=!8.8.8.8
NBN-GW1 not ready
add action=drop chain=input dst-address=PUBLIC-IP-REMOVED in-interface=NBN-GW1
src-address-list=!MYDOMAIN-ADMIN
add action=drop chain=input comment="Drop all invalid connections"
connection-state=invalid
add action=drop chain=forward connection-state=invalid
# Telnet brute-force staging: four new tcp/23 connections within a minute
# land the source in black_list for a day. Applies on every interface.
add action=drop chain=input comment=drop_telnet_brute_forcers dst-port=23
protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list
address-list-timeout=1d chain=input connection-state=new dst-port=23
protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3
address-list-timeout=1m chain=input connection-state=new dst-port=23
protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2
address-list-timeout=1m chain=input connection-state=new dst-port=23
protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1
address-list-timeout=1m chain=input connection-state=new dst-port=23
protocol=tcp
# FTP brute-force handling keys off the router's own "530 Login incorrect"
# reply in the output chain: up to 9 failures per destination per minute
# are tolerated, the next one blacklists the peer for 3h.
add action=drop chain=input comment="Drop FTP Brute Force Attacks" dst-port=
21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist
address-list-timeout=3h chain=output content="530 Login incorrect"
protocol=tcp
# SSH brute-force staging, same shape as telnet, 10-day blacklist.
add action=drop chain=input comment="Drop SSH Brute Force Attacks" dst-port=
22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist
address-list-timeout=1w3d chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3
address-list-timeout=1m chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2
address-list-timeout=1m chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1
address-list-timeout=1m chain=input connection-state=new dst-port=22
protocol=tcp
# "MYDOMAIN DMZ" chain: entered only for forward traffic whose destination
# is in the DMZ list. Port-scan detection and the blacklist reject come
# first, then per-service accepts keyed on the packet marks set in
# /ip firewall mangle, then log + drop.
add action=add-src-to-address-list address-list=1-day-blacklist
address-list-timeout=1d chain="MYDOMAIN DMZ" comment="Port Scan Defence"
protocol=tcp psd=21,3s,3,1 src-address-list=!DMZ
add action=reject chain="MYDOMAIN DMZ" comment="Reject blacklisted IPs"
reject-with=icmp-network-unreachable src-address-list=1-day-blacklist
add action=jump chain=forward comment="Jump to MYDOMAIN DMZ chain"
dst-address-list=DMZ jump-target="MYDOMAIN DMZ"
add action=accept chain="MYDOMAIN DMZ" comment="Allow ICMP messages" protocol=
icmp
add action=accept chain="MYDOMAIN DMZ" comment="Allow DNS" packet-mark=dns
add action=accept chain="MYDOMAIN DMZ" comment=
"Allow Altaro Offsite Backup from Internal subnet" packet-mark=
altaro-offsite
# NOTE(review): the comments on the RDP and "MikroTik Protocols" accepts say
# "from internal Subnets", but unlike the FTP/SNMP/Zimbra/Webmin/NTOP/
# Kaseya/Shell rules they carry no src-address-list, so tcp/3389, 3390,
# 8291 and 2210-2211 into the DMZ are accepted from any source. Add
# src-address-list=MYDOMAIN-ADMIN (or the internal subnets) to both.
add action=accept chain="MYDOMAIN DMZ" comment=
"Allow RDP from internal Subnets" packet-mark=rdp
add action=accept chain="MYDOMAIN DMZ" comment=
"Allow HTTP, HTTPS, WorldClient, WebAdmin & Winbox loader" packet-mark=
browsing
add action=accept chain="MYDOMAIN DMZ" comment=
"Allow MikroTik Protocols from internal Subnets" packet-mark=mikrotik
add action=accept chain="MYDOMAIN DMZ" comment=
"Allow FTP from internal Subnets" packet-mark=ftp src-address-list=
MYDOMAIN-ADMIN
add action=accept chain="MYDOMAIN DMZ" comment=
"Allow SNMP from internal Subnets" packet-mark=snmp src-address-list=
MYDOMAIN-ADMIN
add action=accept chain="MYDOMAIN DMZ" comment="Allow WSUS" packet-mark=wsus
# LDAP (udp/389 per the mangle mark) accepted from any source.
add action=accept chain="MYDOMAIN DMZ" comment="Allow LDAP" packet-mark=ldap
add action=accept chain="MYDOMAIN DMZ" comment="Allow NTP" packet-mark=ntp
# NOTE(review): no source restriction, and the mangle section also marks
# tcp/3306 from 41.193.75.0/24 as "radius", so this rule lets that /24 reach
# MySQL inside the DMZ. Give that flow its own, explicitly named rule.
add action=accept chain="MYDOMAIN DMZ" comment="Allow RADIUS" packet-mark=
radius
add action=accept chain="MYDOMAIN DMZ" comment=
"Allow ZIMBRA from internal Subnets" packet-mark=zimbra src-address-list=
MYDOMAIN-ADMIN
add action=accept chain="MYDOMAIN DMZ" comment=
"Allow Webmin from internal Subnets" packet-mark=webmin
src-address-list=MYDOMAIN-ADMIN
add action=accept chain="MYDOMAIN DMZ" comment="Allow VPN" packet-mark=vpn
add action=accept chain="MYDOMAIN DMZ" comment=
"Allow NTOP from internal Subnets" packet-mark=ntop src-address-list=
MYDOMAIN-ADMIN
add action=accept chain="MYDOMAIN DMZ" comment="Allow Mail" packet-mark=mail
add action=accept chain="MYDOMAIN DMZ" comment=
"Allow KASEYA from internal Subnets" packet-mark=kaseya src-address-list=
MYDOMAIN-ADMIN
add action=accept chain="MYDOMAIN DMZ" comment=
"Allow Shell from Internal Subnets" packet-mark=shell src-address-list=
MYDOMAIN-ADMIN
add action=log chain="MYDOMAIN DMZ" comment="Log everything else" log-prefix=
DMZ:
add action=drop chain="MYDOMAIN DMZ" comment="Deny all unmatched"
/ip firewall mangle
# First group: bandwidth-class packet marks ("4:1 1024k" etc.), all
# disabled=yes - inert until re-enabled together with whatever queues use
# them.
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=
"4:1 1024k" passthrough=no src-address-list="4:1 1024k"
add action=mark-packet chain=prerouting disabled=yes dst-address-list=
"4:1 1024k" new-packet-mark="4:1 1024k" passthrough=no
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=
"4:1 512k" passthrough=no src-address-list="4:1 512k"
add action=mark-packet chain=prerouting disabled=yes dst-address-list=
"4:1 512k" new-packet-mark="4:1 512k" passthrough=no
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=
"20:1 384k" passthrough=no src-address-list="20:1 384k"
add action=mark-packet chain=prerouting disabled=yes dst-address-list=
"20:1 384k" new-packet-mark="20:1 384k" passthrough=no
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=
"4:1 256k" passthrough=no src-address-list="4:1 256k"
add action=mark-packet chain=prerouting disabled=yes dst-address-list=
"4:1 256k" new-packet-mark="4:1 256k" passthrough=no
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=
"10:1 1024k" passthrough=no src-address-list="10:1 1024k"
add action=mark-packet chain=prerouting disabled=yes dst-address-list=
"10:1 1024k" new-packet-mark="10:1 1024k" passthrough=no
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=
"10:1 512k" passthrough=no src-address-list="10:1 512k"
add action=mark-packet chain=prerouting disabled=yes dst-address-list=
"10:1 512k" new-packet-mark="10:1 512k" passthrough=no
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=
"10:1 256k" passthrough=no src-address-list="10:1 256k"
add action=mark-packet chain=prerouting disabled=yes dst-address-list=
"10:1 256k" new-packet-mark="10:1 256k" passthrough=no
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=
"20:1 1024k" passthrough=no src-address-list="20:1 1024k"
add action=mark-packet chain=prerouting disabled=yes dst-address-list=
"20:1 1024k" new-packet-mark="20:1 1024k" passthrough=no
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=
"20:1 512k" passthrough=no src-address-list="20:1 512k"
add action=mark-packet chain=prerouting disabled=yes dst-address-list=
"20:1 512k" new-packet-mark="20:1 512k" passthrough=no
add action=mark-packet chain=prerouting disabled=yes new-packet-mark=
"20:1 256k" passthrough=no src-address-list="20:1 256k"
add action=mark-packet chain=prerouting disabled=yes dst-address-list=
"20:1 256k" new-packet-mark="20:1 256k" passthrough=no
# DMZ connection + packet mark (prerouting, either direction).
add action=mark-connection chain=prerouting comment=DMZ new-connection-mark=
conn-dmz passthrough=yes src-address-list=DMZ
add action=mark-connection chain=prerouting dst-address-list=DMZ
new-connection-mark=conn-dmz passthrough=yes
add action=mark-packet chain=prerouting connection-mark=conn-dmz
new-packet-mark=dmz passthrough=no
# Per-service connection marks consumed by the "MYDOMAIN DMZ" filter chain.
# These classify by port number only: anything on tcp/80 or tcp/443 becomes
# "browsing", anything on udp/53 becomes "dns", and so on - the marks do not
# verify the protocol actually spoken.
add action=mark-connection chain=forward comment=DNS dst-port=53
new-connection-mark=conn-dns passthrough=yes protocol=udp
add action=mark-connection chain=forward new-connection-mark=conn-dns
passthrough=yes protocol=udp src-port=53
add action=mark-connection chain=forward dst-port=953 new-connection-mark=
conn-dns passthrough=yes protocol=udp
add action=mark-connection chain=forward dst-port=953 new-connection-mark=
conn-dns passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=conn-dns
new-packet-mark=dns passthrough=no
add action=mark-connection chain=forward comment="ALTARO OFFSITE BACKUP"
dst-port=35101-35105,35109-35118 new-connection-mark=conn-altaro-offsite
passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=conn-altaro-offsite
new-packet-mark=altaro-offsite passthrough=no
add action=mark-connection chain=forward comment=RDP dst-port=3389
new-connection-mark=conn-rdp passthrough=yes protocol=tcp
add action=mark-connection chain=forward dst-port=3390 new-connection-mark=
conn-rdp passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=conn-rdp
new-packet-mark=rdp passthrough=no
add action=mark-connection chain=forward comment=Mail dst-port=25
new-connection-mark=conn-mail passthrough=yes protocol=tcp
add action=mark-connection chain=forward comment=Mail dst-port=587
new-connection-mark=conn-mail passthrough=yes protocol=tcp
add action=mark-connection chain=forward new-connection-mark=conn-mail
passthrough=yes protocol=tcp src-port=587
add action=mark-connection chain=forward new-connection-mark=conn-mail
passthrough=yes protocol=tcp src-port=25
add action=mark-connection chain=forward dst-port=110 new-connection-mark=
conn-mail passthrough=yes protocol=tcp
add action=mark-connection chain=forward new-connection-mark=conn-mail
passthrough=yes protocol=tcp src-port=110
add action=mark-connection chain=forward dst-port=993 new-connection-mark=
conn-mail passthrough=yes protocol=tcp
add action=mark-connection chain=forward new-connection-mark=conn-mail
passthrough=yes protocol=tcp src-port=993
add action=mark-connection chain=forward dst-port=143 new-connection-mark=
conn-mail passthrough=yes protocol=tcp
add action=mark-connection chain=forward new-connection-mark=conn-mail
passthrough=yes protocol=tcp src-port=143
add action=mark-connection chain=forward dst-port=4069 new-connection-mark=
conn-mail passthrough=yes protocol=udp
add action=mark-packet chain=forward connection-mark=conn-mail
new-packet-mark=mail passthrough=no
add action=mark-connection chain=forward comment=Browsing dst-port=80
new-connection-mark=conn-browsing passthrough=yes protocol=tcp
add action=mark-connection chain=forward new-connection-mark=conn-browsing
passthrough=yes protocol=tcp src-port=80
add action=mark-connection chain=forward dst-port=81 new-connection-mark=
conn-browsing passthrough=yes protocol=tcp
add action=mark-connection chain=forward dst-port=443 new-connection-mark=
conn-browsing passthrough=yes protocol=tcp
add action=mark-connection chain=forward new-connection-mark=conn-browsing
passthrough=yes protocol=tcp src-port=443
add action=mark-connection chain=forward dst-port=1000 new-connection-mark=
conn-browsing passthrough=yes protocol=tcp
# tcp/3000 is claimed twice: here as browsing and later as ntop. The earlier
# rule wins for new connections.
add action=mark-connection chain=forward dst-port=3000 new-connection-mark=
conn-browsing passthrough=yes protocol=tcp
add action=mark-connection chain=forward dst-port=8080 new-connection-mark=
conn-browsing passthrough=yes protocol=tcp
add action=mark-connection chain=forward dst-port=3128 new-connection-mark=
conn-browsing passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=conn-browsing
new-packet-mark=browsing passthrough=no
add action=mark-connection chain=forward comment=Webmin dst-port=10000
new-connection-mark=conn-webmin passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=conn-webmin
new-packet-mark=webmin passthrough=no
add action=mark-connection chain=forward comment=FTP dst-port=20-21
new-connection-mark=conn-ftp passthrough=yes protocol=tcp
add action=mark-connection chain=forward dst-port=5000-6000
new-connection-mark=conn-ftp passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=conn-ftp
new-packet-mark=ftp passthrough=no
add action=mark-connection chain=forward comment=Mikrotik dst-port=8291
new-connection-mark=conn-mikrotik passthrough=yes protocol=tcp
add action=mark-connection chain=forward new-connection-mark=conn-mikrotik
passthrough=yes protocol=tcp src-port=8291
add action=mark-connection chain=forward dst-port=2210-2211
new-connection-mark=conn-mikrotik passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=conn-mikrotik
new-packet-mark=mikrotik passthrough=no
add action=mark-connection chain=forward comment=Shell dst-port=22-23
new-connection-mark=conn-shell passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=conn-shell
new-packet-mark=shell passthrough=no
add action=mark-connection chain=forward comment=SNMP dst-port=161
new-connection-mark=conn-snmp passthrough=yes protocol=udp
add action=mark-connection chain=forward new-connection-mark=conn-snmp
passthrough=yes protocol=udp src-port=161
add action=mark-packet chain=forward connection-mark=conn-snmp
new-packet-mark=snmp passthrough=no
add action=mark-connection chain=forward comment=WSUS dst-port=8530-8531
new-connection-mark=conn-wsus passthrough=yes protocol=tcp
add action=mark-packet chain=forward connection-mark=conn-wsus
new-packet-mark=wsus passthrough=no
add action=mark-connection chain=forward comment=LDAP dst-port=389
new-connection-mark=conn-ldap passthrough=yes protocol=udp
add action=mark-packet chain=forward connection-mark=conn-ldap
new-packet-mark=ldap passthrough=no
add action=mark-connection chain=forward comment=NTP dst-port=123
new-connection-mark=conn-ntp passthrough=yes protocol=udp
add action=mark-packet chain=forward connection-mark=conn-ntp
new-packet-mark=ntp passthrough=no
add action=mark-connection chain=forward comment=RADIUS dst-port=1812-1813
new-connection-mark=conn-radius passthrough=yes protocol=udp
add action=mark-connection chain=forward dst-port=1812-1813
new-connection-mark=conn-radius passthrough=yes protocol=tcp
add action=mark-connection chain=forward dst-port=1645-1646
new-connection-mark=conn-radius passthrough=yes protocol=udp
add action=mark-connection chain=forward dst-port=1645-1646
new-connection-mark=conn-radius passthrough=yes protocol=tcp
# NOTE(review): tcp/3306 (MySQL) from 41.193.75.0/24 is folded into the
# "radius" mark, and the DMZ filter chain accepts packet-mark=radius with no
# source restriction. Give this flow its own mark and its own filter rule so
# the exposure is visible where the accept happens.
add action=mark-connection chain=forward dst-port=3306 new-connection-mark=
conn-radius passthrough=yes protocol=tcp src-address=41.193.75.0/24
add action=mark-packet chain=forward connection-mark=conn-radius
new-packet-mark=radius passthrough=no
add action=mark-connection chain=forward comment=VPN dst-port=1723
new-connection-mark=conn-vpn passthrough=yes protocol=tcp
add action=mark-connection chain=forward new-connection-mark=conn-vpn
passthrough=yes protocol=gre
add action=mark-packet chain=forward connection-mark=conn-vpn
new-packet-mark=vpn passthrough=no
add action=mark-connection chain=forward comment=KASEYA dst-port=5721
new-connection-mark=conn-Kaseya passthrough=yes protocol=tcp
add action=mark-connection chain=forward new-connection-mark=conn-Kaseya
passthrough=yes protocol=tcp src-port=5721
add action=mark-packet chain=forward connection-mark=conn-Kaseya
new-packet-mark=kaseya passthrough=no
add action=mark-connection chain=forward comment="NTOP TRAFFIC FLOW"
dst-port=9996 new-connection-mark=conn-ntop-trafficflow passthrough=yes
protocol=udp
add action=mark-connection chain=forward new-connection-mark=
conn-ntop-trafficflow passthrough=yes protocol=udp src-port=9996
add action=mark-connection chain=forward dst-port=3000 new-connection-mark=
conn-ntop-trafficflow passthrough=yes protocol=tcp
add action=mark-connection chain=forward new-connection-mark=
conn-ntop-trafficflow passthrough=yes protocol=tcp src-port=3000
add action=mark-packet chain=forward connection-mark=conn-ntop-trafficflow
new-packet-mark=ntop passthrough=no
add action=mark-connection chain=forward comment=ZIMBRA dst-port=7071
new-connection-mark=conn-Zimbra passthrough=yes protocol=tcp
add action=mark-connection chain=forward new-connection-mark=conn-Zimbra
passthrough=yes protocol=tcp src-port=7071
add action=mark-packet chain=forward connection-mark=conn-Zimbra
new-packet-mark=zimbra passthrough=no
NBN-GW1 not ready
# Catch-all for unmarked packets leaving the NBN interface. log=yes means
# every such packet is written to the log - useful for a short audit, very
# noisy (and a log-flood vector) left on permanently.
add action=mark-packet chain=postrouting log=yes new-packet-mark=
remaining_out out-interface=NBN-GW1 passthrough=no
/ip firewall nat
# NOTE(review): the masquerade rules match on src-address only, with no
# out-interface, so inter-subnet traffic that routes through this router is
# also source-NATed to the router's address on the egress interface. A
# hotspot client talking to 192.168.101.204 shows up in that server's logs
# as 192.168.101.254, which hides who did what. Add out-interface=<WAN>
# to each masquerade rule.
# NOTE(review): every dst-nat rule below matches src-address=PUBLIC-IP-REMOVED
# rather than dst-address. If the redaction replaced a dst-address= this is
# normal port forwarding; if it really is src-address, these rules apply
# only to connections originating from that single address and the
# comments do not describe what happens. Confirm against the live config.
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment=
"Masquerade MYDOMAIN LAN subnet 192.168.101.0/24" src-address=
192.168.101.0/24
add action=masquerade chain=srcnat comment=
"Masquerade MYDOMAIN VPN subnet 10.0.254.0/24" src-address=10.0.254.0/24
add action=masquerade chain=srcnat comment=
"Masquerade XCEPTION LAN subnet 192.168.13.0/24" src-address=
192.168.13.0/24
add action=masquerade chain=srcnat comment=
"Masquerade KATCO LAN subnet 192.168.110.0/24" src-address=
192.168.110.0/24
# Disabled: would send SUSPENDED_CLIENTS' web traffic to the local proxy on
# 8082 (where /ip proxy access denies and redirects it).
add action=redirect chain=dstnat comment=
"Redirect SUSPENDED CLIENTS to SUSPENDED PAGE proxy" disabled=yes
dst-port=80,443 protocol=tcp src-address-list=SUSPENDED_CLIENTS to-ports=
8082
# No protocol or port: forwards everything matching the source to
# 192.168.110.20. Only the later forward-chain rules limit what gets in.
add action=dst-nat chain=dstnat comment="Katco 121 NAT to Katco Cyberoam"
src-address=PUBLIC-IP-REMOVED to-addresses=192.168.110.20
add action=masquerade chain=srcnat comment=
"Masquerade MYDOMAIN HOTSPOT subnet" src-address=10.0.50.0/24
add action=masquerade chain=srcnat comment=
"Masquerade MYDOMAIN MOBILES subnet" src-address=10.0.20.0/24
# 3CX management console exposed on tcp/5001.
add action=dst-nat chain=dstnat comment="MYDOMAIN 3CX Management" dst-port=
5001 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=192.168.101.31
to-ports=5001
add action=dst-nat chain=dstnat comment="MYDOMAIN EXCH HTTP - EISSRVEXCH01"
dst-port=80 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.204 to-ports=80
add action=dst-nat chain=dstnat comment="MYDOMAIN UDP - ALTARO SERVER"
dst-port=35101-35121 protocol=udp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.30 to-ports=35101-35121
add action=dst-nat chain=dstnat comment="MYDOMAIN EXCH HTTPS - EISSRVEXCH01"
dst-port=443 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.204 to-ports=443
add action=dst-nat chain=dstnat comment="MYDOMAIN EXCH SMTP - EISSRVEXCH01"
dst-port=25 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.204 to-ports=25
add action=dst-nat chain=dstnat comment="MYDOMAIN EXCH SMTPS - EISSRVEXCH01"
dst-port=587 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.204 to-ports=587
# RDP published directly on 3398 (and below on 9191 and 8181). Non-standard
# ports are not a control; these hosts are better reached over the VPN, or
# at least restricted with src-address-list=MYDOMAIN-ADMIN.
add action=dst-nat chain=dstnat comment="MYDOMAIN RDP - JIMSERVER" dst-port=
3398 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=192.168.101.210
to-ports=3398
# Several rules below for 192.168.101.25 carry the same dst-port as the
# Exchange rules above (80, 443, 25, 587). The first matching dstnat rule
# wins, so these later ones never fire unless the match keys differ in the
# redacted field.
add action=dst-nat chain=dstnat comment="MYDOMAIN MAIL HTTP - MAILSERVER"
dst-port=80 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.25 to-ports=80
add action=dst-nat chain=dstnat comment="MYDOMAIN MAIL IMAP - MAILSERVER"
dst-port=443 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.25 to-ports=443
add action=dst-nat chain=dstnat comment="MYDOMAIN MAIL POP3 - MAILSERVER"
dst-port=110 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.25 to-ports=110
add action=dst-nat chain=dstnat comment="MYDOMAIN MAIL SMTP - MAILSERVER"
dst-port=25 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.25 to-ports=25
add action=dst-nat chain=dstnat comment="MYDOMAIN MAIL SMTPS - MAILSERVER"
dst-port=587 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.25 to-ports=587
add action=dst-nat chain=dstnat comment="MYDOMAIN MAIL SURGEMAIL - MAILSERVER"
dst-port=7025 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.25 to-ports=7025
# NOTE(review): plain LDAP (tcp/389) forwarded from the Internet to the
# domain controller - an unencrypted, credential-bearing protocol exposed
# to the world. If Trend needs it, restrict the source to Trend's addresses
# and prefer LDAPS (636).
add action=dst-nat chain=dstnat comment="MYDOMAIN TREND LDAP - EISSRVDC01"
dst-port=389 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.220 to-ports=389
add action=dst-nat chain=dstnat comment="MYDOMAIN Workshop RDP - " dst-port=
9191 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=192.168.101.79
to-ports=3389
# Comment says HTTPS but the port is 143 (IMAP).
add action=dst-nat chain=dstnat comment="MYDOMAIN MAIL HTTPS - MAILSERVER"
dst-port=143 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.25 to-ports=143
add action=dst-nat chain=dstnat comment="MYDOMAIN 3CX TunnelProxy TCP"
dst-port=5090 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.31 to-ports=5090
add action=dst-nat chain=dstnat comment="MYDOMAIN 3CX TunnelProxy UDP"
dst-port=5090 protocol=udp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.31 to-ports=5090
add action=dst-nat chain=dstnat comment="MYDOMAIN NAT to Altaro Server"
dst-port=35101-35121 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.30 to-ports=35101-35121
add action=dst-nat chain=dstnat comment="MYDOMAIN ERU" dst-port=8181 protocol=
tcp src-address=PUBLIC-IP-REMOVED to-addresses=192.168.101.60 to-ports=3389
add action=dst-nat chain=dstnat comment="MYDOMAIN 3CX SIP TCP" dst-port=5060
protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=192.168.101.31
to-ports=5060
add action=dst-nat chain=dstnat comment="MYDOMAIN 3CX SIP UDP" dst-port=
5060-5061 protocol=udp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.31 to-ports=5060-5061
add action=dst-nat chain=dstnat comment="MYDOMAIN 3CX MediaServer Range1"
dst-port=9000-9398 protocol=udp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.31 to-ports=9000-9398
add action=dst-nat chain=dstnat comment="MYDOMAIN 3CX MediaServer Range2"
dst-port=10600-10998 protocol=udp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.101.31 to-ports=10600-10998
add action=dst-nat chain=dstnat comment="Xception - NAT 443 - MAINSERVER"
dst-port=443 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.13.200 to-ports=443
add action=dst-nat chain=dstnat comment="Xception - SMTP - MAINSERVER"
dst-port=25 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=
192.168.13.200 to-ports=25
add action=dst-nat chain=dstnat comment="Xception - RDP - TSERVER" dst-port=
3390 protocol=tcp src-address=PUBLIC-IP-REMOVED to-addresses=192.168.13.205
to-ports=3389
/ip firewall service-port
# SIP ALG off - appropriate for the 3CX forwards in /ip firewall nat.
set sip disabled=yes
/ip hotspot user
# NOTE(review): a local hotspot account admin/admin. use-radius=yes in the
# profile does not stop the hotspot from also checking local users, so
# anyone on VLAN 50 can log in with these default credentials without ever
# touching RADIUS/User Manager. Remove it.
add name=admin password=admin
/ip proxy
# Web proxy on tcp/8082 (enabled= is not shown in this export, so it may be
# off). The /ip firewall filter rule that claims to protect the proxy names
# port 8081 and so does not match this service; the blanket WAN drops are
# what actually cover it.
set cache-path=web-proxy1 port=8082
/ip proxy access
# Access list behind the (currently disabled) SUSPENDED_CLIENTS redirect:
# allow the MYDOMAIN web site, deny-and-redirect everything else. The two
# enabled rules apply to every client that reaches the proxy, not only
# suspended ones; the rest are disabled.
add comment="allow CONNECT only to MYDOMAIN website - SUSPENDED CLIENTS"
dst-address=154.0.160.114
add action=deny comment="deny browsing access to SUSPENDED clients and redirec
t to MYDOMAIN Suspended clients page" redirect-to=
www.MYDOMAIN.co.za/index-30.html
add action=deny comment="block telnet & spam e-mail relaying" disabled=yes
dst-port=23-25
add action=deny comment="deny everything else" disabled=yes
add comment="allow CONNECT only to SSL ports 443 [https] and 563 [snews]"
disabled=yes dst-port=443 method=CONNECT
add comment="allow CONNECT only to SSL ports 443 [https] and 563 [snews]"
disabled=yes dst-port=563 method=CONNECT
add action=deny comment=
"allow CONNECT only to SSL ports 443 [https] and 563 [snews]" disabled=
yes method=CONNECT
/ip route
# Two default routes. distance=1 via 192.168.101.1 - a host inside the
# management LAN on bridge1 - wins whenever it is reachable; the NBN gateway
# is the distance-10 fallback and is reported "not ready" throughout this
# export. In that state all Internet-bound traffic, hotspot guests
# included, leaves through the management LAN segment.
add distance=1 gateway=192.168.101.1
add comment="Default Gateway - NBN" distance=10 gateway=NBN-GW1
/lcd
set backlight-timeout=never color-scheme=dark default-screen=stats
/lcd pin
# NOTE(review): the LCD PIN is in the export and now in a public post;
# change it.
set pin-number=1978
/lcd interface
add interface=bridge1 timeout=1s
/lcd interface pages
add interfaces=bridge1
add interfaces=ether1
/ppp aaa
# PPP (PPTP) logins are sent to RADIUS - but see the /radius entry below.
set use-radius=yes
/radius
# RADIUS client for the hotspot service, pointing at the local User Manager
# over loopback. NOTE(review): the shared secret (654321) is trivial and is
# now public; even on loopback use a long random value, and change it
# together with /tool user-manager router. Also service=hotspot only - there
# is no service=ppp entry in this export, so the use-radius=yes above has
# no server to talk to and PPP authentication will not go via RADIUS.
add address=127.0.0.1 secret=654321 service=hotspot timeout=3s
/radius incoming
# Accept RADIUS CoA/Disconnect requests (User Manager sends them with
# use-coa=yes). The listener is reachable from any interface the input
# chain does not drop - including the hotspot VLAN - and is protected only
# by the secret above.
set accept=yes
/system clock
set time-zone-name=Australia/Brisbane
/system identity
set name=MYDOMAIN-CCR
/system ntp client
set enabled=yes primary-ntp=168.1.23.122 secondary-ntp=116.66.161.7
/system ntp server
# NTP server answers on every interface; WAN exposure again depends only on
# the NBN-GW1-scoped drops in /ip firewall filter.
set enabled=yes
/system scheduler
# Daily job running the e-mail-backup script with a very broad policy set.
add interval=1d name=e-mail-backup on-event=e-mail-backup policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=jan/08/2019 start-time=11:21:04
/system script
# Saves a full system backup and e-mails it. NOTE(review):
# - the backup is saved without password=, so its protection depends on the
#   running RouterOS version's default behaviour; set password= explicitly;
# - /tool e-mail below has no tls= and no credentials, so the backup goes
#   in clear to the Exchange host on tcp/25 and then sits in a mailbox;
# - the policy grants policy, password, sensitive, reboot, sniff and romon;
#   the two commands here need far less - trim to the minimum that works.
add dont-require-permissions=no name=e-mail-backup owner=MYDOMAIN policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/
system backup save name=email;
\n/tool e-mail send to="sheldon@staff.MYDOMAIN.net.au" subject=([/system
identity get name]." backup") file=email.backup;
\n:log info "Backup e-mail sent.";"
/tool e-mail
# Plain SMTP to the internal Exchange server: no tls=, no user/password.
set address=192.168.101.204 from=CCR@staff.MYDOMAIN.net.au
/tool user-manager database
set db-path=user-manager
/tool user-manager router
# User Manager's view of this router: the same weak shared secret as
# /radius, CoA on udp/1700. Both sides must be changed together.
add coa-port=1700 customer=admin disabled=no ip-address=127.0.0.1 log=
auth-ok,auth-fail name=RADIUS shared-secret=654321 use-coa=yes
/tool user-manager user
# NOTE(review): a shared "guest" account with unlimited concurrent sessions
# and its password in the export. Rotate it now that it is public, and
# consider per-user or voucher accounts so sessions can be attributed to
# someone.
add customer=admin disabled=no password="p@$$guest" shared-users=unlimited
username=guest wireless-enc-algo=none wireless-enc-key="" wireless-psk=""