How to access an HTTPS server without logging in to the hotspot

Hi,

How do I allow hotspot users to access an HTTPS server without logging in to the hotspot?

The following is what I have done:

Configured Mikrotik version 2.8.18 as a hotspot gateway (10.5.6.44) using the dhcp-pool method.

I tried this (refer to doc - walled garden) but it is not working.

/ip firewall mangle add dst-address=10.5.6.25/32 mark-flow=hs-auth


Testing
Client : XP obtaining hs-temp IP from Mikrotik
IE6.0 URL : https://10.5.6.25/index.php
Result : Back to the Mikrotik hotspot login page when I should be looking at the index page of https://10.5.6.25 :frowning:


Can someone help me please, or tell me if there is another way of doing this? :blush:

Can you post what walled-garden rule you tried?

Edgars

I didn’t use any rules in walled garden.
I just used

/ip firewall mangle add dst-address=10.5.6.25/32 mark-flow=hs-auth

With this rule you are just marking packets going to that host. You should add that IP in the walled garden configuration.

Edgars

Well, thanks for replying.

I tried this but still failed :frowning:

[admin@MPPPP] ip hotspot walled-garden> print
Flags: X - disabled
    DST-HOST               DST-PORT  PATH  ACTION
 0  ^www\.redtone\.com$                    allow
 1  10.5.6.25                              allow

Testing with
Before login to hotspot

  1. IE6 – http://10.5.6.25/index.php – Good
  2. IE6 – https://10.5.6.25/index.php – :frowning: “The page cannot be displayed”

Can you please give an example? That would be most helpful.

You can’t use secure sites in the walled garden :frowning: I fought this for a long time before realizing that it doesn’t work. From the Walled Garden section of the Hotspot manual:

Notes
Currently you can not place HTTPS servers inside the Walled Garden. However, there is a workaround on this. You can add a mangle rule that allows you to pass traffic to an IP address of secure web server, exempli gratia:

/ip firewall mangle add dst-address=159.148.108.1/32 mark-flow=hs-auth

Just add holes for the IP addresses to the firewall to make it work…

Mikrotik, is there any plan to make this work in the future? I’m sure there are many others (including myself) that need this feature.

Hmm… Then my question would be… Can anyone tell me how to make use of that ‘hole’ we added just now? :wink:

You need to add 2 firewall rules that both contain the IP of the secure server as well as the port (443): 1 rule for destination-nat with the server IP as the destination IP as well as dst-port, and the other rule in the forward chain with the same info. Source address can be just your network, or 0/0 as well as interface settings etc. This should get you there :slight_smile:

Thanks Jorosoup. Saviour of the day! :laughing:

Now this is the summary of what all this is about.

Target : Allow newly registered users to access an HTTPS web server (10.5.6.25) to do updates and activation on their own by clicking a link on the hotspot login page.

Mikrotik : local:10.5.48.1/24 public:10.5.6.44/24
Webserver : 10.5.6.25/24

Then, we open a ‘hole’ in the firewall by using mangle.

Notes
Currently you can not place HTTPS servers inside the Walled Garden. However, there is a workaround on this. You can add a mangle rule that allows you to pass traffic to an IP address of secure web server, exempli gratia:

/ip firewall mangle add dst-address=10.5.6.25/32 mark-flow=hs-auth

Then, we direct the traffic through that hole by the following 2 rules:

  1. /ip firewall rule forward add dst-address=10.5.6.25/32:443 protocol=tcp action=accept
  2. /ip firewall dst-nat add dst-address=10.5.6.25/32:443 protocol=tcp action=accept

Testing :
Click on the link to https server on the mikrotik login page (without logging in) – https://10.5.6.25/index.php loaded. GREAT.

PS : Can somebody in MK include the last step in the documentation? This would save somebody out there a lot of time. :wink:

Glad to help. Actually, you don’t even need that mangle rule… I did leave out one detail: make sure those 2 firewall rules you add are at the top of each chain list.
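A pre-login check for the setup summarised in this thread, added here as an example and not code from any poster or from MikroTik: run from a client that has not logged in, it confirms that port 443 on 10.5.6.25 is answered by the web server itself (by comparing the certificate fingerprint, since a completed connection alone could be the hotspot answering) and that nothing else is reachable. The pinned fingerprint, the extra ports and the host 10.5.6.1 are assumptions to replace with your own values.

```python
import hashlib
import socket
import ssl

SERVER = "10.5.6.25"  # HTTPS server from the thread
PINNED_SHA256 = "<sha256-of-server-certificate>"  # placeholder, take it from the server
# Assumed targets that must NOT answer before login (constructed for illustration).
MUST_STAY_CLOSED = [(SERVER, 22), (SERVER, 3306), ("10.5.6.1", 443)]

def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def cert_sha256(host, port=443, timeout=3.0):
    """SHA-256 of the certificate presented on host:port, None if TLS fails."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # identity is checked by pinning, not by the CA chain
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw) as tls:
                der = tls.getpeercert(binary_form=True)
                return hashlib.sha256(der).hexdigest()
    except OSError:  # includes ssl.SSLError and timeouts
        return None

def audit(pinned, closed, get_cert=cert_sha256, probe=tcp_open):
    """Return findings for an unauthenticated client; an empty list means OK."""
    findings = []
    seen = get_cert(SERVER, 443)
    if seen is None:
        findings.append("HOLE_MISSING: no TLS session to %s:443" % SERVER)
    elif seen != pinned.lower():
        # Something answered, but not the web server (e.g. the login page).
        findings.append("INTERCEPTED: %s:443 presented another certificate" % SERVER)
    for host, port in closed:
        if probe(host, port):
            findings.append("UNEXPECTED_OPEN: %s:%d reachable before login" % (host, port))
    return findings

if __name__ == "__main__":
    for line in audit(PINNED_SHA256, MUST_STAY_CLOSED) or ["OK: only the HTTPS hole is open"]:
        print(line)
```

An UNEXPECTED_OPEN finding for another port on 10.5.6.25 is what a host-wide exemption such as the port-less mangle rule would produce, whereas the two firewall rules name port 443 only.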