Today I set up a hotspot… it's working fine.
ether1 - 192.168.1.2
ether2 - 10.10.0.1
DNS IP - 192.168.1.1
Route - dst=0.0.0.0 gateway=192.168.1.1
Users are connected to ether2
My clients are able to ping 10.10.0.1 after logging in from browsers… if they are logged out, 10.10.0.1 says destination net unreachable.
Why can't my clients ping 10.10.0.1 even if they are logged out?
Because they are on the 192.x.x.x subnet, they need to use a router to talk to a different subnet than they are on. Part of the basic hotspot setup is a firewall to prevent unauthorized users from doing this.
This isn’t really a “security” thing in your setup however, since both subnets are sharing the same layer2 network. Anyone can get a packet sniffer program and see what subnets there are and change their IP to the appropriate subnet to try and access your equipment without having to go through the router.
If you’re not logged in you can’t ping anything, including the router itself on the interface you’re behind. That’s simply how Hotspots are implemented.
You can permit unauthorized clients to ping the router by adding a walled garden IP rule:
/ip hotspot walled-garden ip
add protocol=icmp dst-address=10.10.0.1 action=accept