How to: Allow Computer Unrestricted Access In Hospot Setup

hotspotsolutions · December 20, 2004, 11:41am

Hi,

I have setup the router as per the dhcp-pool for the hotspot setup, all works a treat, but I have 1 computer that needs unrestricted access to the network.

Currently this pc must login to access any network resources, but because it has a static IP addrss I cannot get it to login.

What I want to do is create a firewall rule to allow this IP address unrestricted access to the network.

I am sure its simple but any help is appreciated.

thankyou

edzix · December 20, 2004, 3:38pm

under ‘/ip firewall mangle’ add such a rule:

/ip firewall mangle add src-mac-address=<MAC here> disabled=no

and move it above the HotSpot service rule with ‘move’ command.

You can use also cookies to accomplish this. See:
http://www.mikrotik.com/docs/ros/2.8/ip/hotspot.content#7.41.9

Edgars[/code]

ilero · January 7, 2005, 5:51am

edzix,

I use the Hotspot enabled method for my users. I also would like to have the ability to select certain customers that can bypass the hotspot login page without using other authentication methods like PPPoE. Just to clarify, I would use the action accept for the above rule? And, I do not have to worry about mark-flow or any other rules? Thanks

in4ni · January 8, 2005, 9:41pm

Hey Hotspotsolutions did you get that mangle rule to work?

I have tried several mangle rules to do an automatic pass-thru to no avail

It has been my experience that most of the documentation examples dont work. I have yet to figure out how to do a simple one-to-one full nat so a hotspot client with a static ip address can accecpt incoming connections from the internet. When i find the person that can make that happen for me he will be rewarded!

Just my 2Cents

jarosoup · January 8, 2005, 11:38pm

Adding just a mangle rule does not work. Instead of a mangle rule, you need to add a destination-nat rule (src-address = the internal static ip, dst-address=0/0, action=accept) and a forward rule (src-address = the internal ip, dst-address = 0/0, action=accept). Make sure both rules are at the top of their list. As for assigning a static, you can also set this client to dhcp, then add their MAC in the dhcp leases table…then that client will always get that static ip.

goldclick · January 9, 2005, 7:52pm

What I do is create a mangle rule with ‘hs-auth’ flow for the static IP I want unrestricted. This works great for me:

ip firewall mangle add src-address=192.168.x.x/32 action=passthrough mark-flow=hs-auth

This assumes the ip you want to bypass the login page is 192.168.x.x

Sonny.

wildbill442 · January 10, 2005, 3:03am

I have yet to figure out how to do a simple one-to-one full nat so a hotspot client with a static ip address can accecpt incoming connections from the internet. When i find the person that can make that happen for me he will be rewarded!

This is done through src-nat and dst-nat. You also have to add the public IP address to the Public interface.

dst-nat rules should look similar to this…

1   ;;; Dan
     dst-address=66.60.xxx.xxx/32 action=nat to-dst-address=10.0.0.18 

 2   ;;; Sales Office
     dst-address=66.60.xxx.xxx/32 action=nat to-dst-address=10.0.0.12 

 3   ;;; Roger
     dst-address=66.60.xxx.xxx/32 action=nat to-dst-address=10.0.0.34

src-nat rules should look like this…

;;; Dan
     src-address=10.0.0.18/32 action=nat to-src-address=66.60.xxx.xxx 

 1   ;;; Sales Office
     src-address=10.0.0.12/32 action=nat to-src-address=66.60.xxx.xxx 

 2   ;;; Roger
     src-address=10.0.0.34/32 action=nat to-src-address=66.60.xxx.xxx

Remember to assign the additional IP addresses to the WAN interface on your MT router. That should be it, unless I’ve forgotten anything…

in4ni · January 11, 2005, 12:32am

Wildbill, i think you have the DST and SRC rules correct but i think my problem is with the mangle rules for the hotspot authenication.

jaytcsd · January 11, 2005, 10:29am

I have a wifi nic in my laptop hard coded for 10.5.50.244/24, gateway 10.5.50.1, with my ISP’s dns numbers. It can access the internet (no login screen) and I can control it using vnc from a public IP address nat-ed to the private address. The 10.5.50.0 network is my hotspot, my AP is 10.5.50.100, hooks into a switch with the other port going to the MT router’s nic at 10.5.50.1.

If I change the nic in the laptop to dhcp I get the hotspot login page before I get internet access.

Is this what you are tying to do?

\

this has to be first
ip firewall dst-nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Nat Rule to tunnel traffic to laptop
dst-address=xxx.yyy.100.48/32 flow=hs-auth action=nat
to-dst-address=10.5.50.244

standard hotspot rule
1 ;;; redirect unauthorized hotspot clients to hotspot service
in-interface=hotspot protocol=tcp flow=!hs-auth action=redirect
to-dst-port=80

ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; packets for laptop
dst-address=xxx.yyy.100.48/32 action=accept mark-flow=hs-auth

1 ;;; return data from laptop
src-address=10.5.50.244/32 action=accept mark-flow=hs-auth

ip firewall src-nat> print
Flags: X - disabled, I - invalid, D - dynamic
1 src-address=10.5.50.0/24 action=masquerade

Hope this helps.