how to allow internet from address-list

moose · November 10, 2011, 2:43pm

Hi all!

I’m trying to make work such scheme:

mikrotik gives ip to LAN by DHCP-server. Let suppose the DHCP pool is 192.168.0.0/24, so I
creating a address-list=CLIENTS with 192.168.0.0/24

and before give them access to the Internet, I send CLIENTS to web-server page where they need to login and they will be sending to address-list=CLIENTS_LOGON, here is a code which redirect them to WEB-server:

ip firewall nat add chain=dstnat action=dst-nat to-addresses=10.0.0.10 to-ports=80 protocol=tcp dst-address=0.0.0.0/0 src-address-list=clients dst-port=80

The problem is that I dont know how to gives them access when they in address-list=CLIENTS_LOGON and there is the rule above.
I’m confused…

masquerade - does not appropriate, because when user wants to logout on the 10.0.0.10 web-page the page will see IP of output mikrotik interface. I will NAT 192.168.0.0/24 on the WEB-server

Could some one suggest me solution of this problem.
Will much appreciated.
Thank you

fewi · November 10, 2011, 3:02pm

Specify an out-interface=[WAN-interface-name] parameter on the masquerade rule so it only fires for traffic to the Internet.

However, it sounds like you’re reinventing a Hotspot. Any particular reason you aren’t just using a Hotspot with an external splash page?

moose · November 10, 2011, 3:43pm

I have such scheme:

USER192.168.0.2---->192.168.1.2Mikrotik(DHCP)10.0.0.1---->10.0.0.10 GATEWAY(NAT,WEB-SERVER)
when user receive 192.168.0.2 on I can ping 0.0.0.0/0 because NAT working on (10.0.0.10 )GATEWAY (it’s NATing 192.168.0.0/24)

I redirect all requests on 0.0.0.0/0:80 to 10.0.0.10:80 to login
it’s working
but ping working too -it’s bad - it’s needed to recover too (deny ping to internet when user redirected to 10.0.0.10:80 )

then when user logon, it will appear on address-list CLIENTS_LOGON . I want them do not redirect to webserver but give them internet. And I don’t understand how to do it.

Sorry for my bad explanation and poor English )

winet · November 10, 2011, 3:58pm

perhaps fewi had to ask him first, “do you know that mikrotik has hotspot feature?” which gives almost exact scheme you’re asking.

francisconeto · November 10, 2011, 4:16pm

Is there any motive for not use hotspot or you don’t know as works hotspot ?

moose · November 10, 2011, 4:17pm

I know about hotspot, I think I got it what is needed, I’ll answer what I’m thinking, but after I check it )

moose · November 11, 2011, 11:34am

I found such solution

the solution is to add such rule above my redirecting rule :

chain=dstnat action=accept src-address-list=CLIENTS_LOGON dst-address-list=global

above this

chain=dstnat action=dst-nat to-addresses=10.0.0.10 to-ports=80 
     protocol=tcp src-address-list=CLIENTS dst-address=0.0.0.0/0 
     dst-port=80

but for many address-lists I will need many such rules it’s not good

I also tried to mark packets and allow them:

chain=forward action=mark-packet new-packet-mark=allow_CLIENTS 
     passthrough=yes src-address-list=CLIENTS_LOGON dst-address=0.0.0.0/0

and then

chain=dstnat action=dst-nat to-addresses=10.0.0.10 to-ports=80 
     protocol=tcp src-address=192.168.6.0/24 dst-address=0.0.0.0/0 
     dst-port=80 packet-mark=!allow_CLIENTS

but it’s does not work (

maybe someone can help me

winet · November 11, 2011, 12:35pm

perhaps the main problem is language here. we don’t know what are you trying to do. we’re just assuming you’re trying to build a hotspot, and we told you that mikrotik has hotspot feature already, you don’t have to set anything else on firewall. i hope you understand what i’m saying now.

check out :

/ip hotspot

when you setup a hotspot to an interface, mikrotik will set the firewall automatically to a redirect page, which mikrotik already has it built-in.
to learn more about it, please open and read:

http://wiki.mikrotik.com/wiki/Manual:IP/Hotspot

moose · November 11, 2011, 2:11pm

thank you for an answer, but I don’t need hotspot. On the GATEWAY (WEBSERVER, NAT) I have Billing system which allows users and counts traffic. I described a situation and what I want to do, I need a suggestion with Firewall rules and nothing else

winet · November 11, 2011, 3:35pm

ah, so do mikrotik. mikrotik also have billing system for its hotspot, it is called, user manager. however, mikrotik hotspot, could also be set to read data from RADIUS server, if your your billing system support this.

moose · November 12, 2011, 7:46am

Thank you about Mikrotik hotspot. But I just need a suggestion with firewall