How To: Hotspot + routed internet on Eth_2

I have an RB433 running RoS 4.11 and have completely configured a working HotSpot using the standard MT setup, plus a few more firewall rules to secure remote access to the RB.

Now I want to add another (switched) network on a second Ethernet interface, with NAT, so that it can access the Internet for gaming.
How do I modify the existing firewall rules?

My config:

[admin@Sebastian] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=10.10.0.1/24 network=10.10.0.0 broadcast=10.10.0.255 
     interface=Routed-Ether2 actual-interface=Routed-Ether2 
 1   address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 
     interface=Support-Ether3 actual-interface=Support-Ether3 
 2   address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 
     interface=WiFi actual-interface=WiFi 
 3 D address=88.78.161.148/32 network=88.78.160.1 broadcast=0.0.0.0 
     interface=DSL actual-interface=DSL 
[admin@Sebastian] > 

[admin@Sebastian] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=88.78.160.1 
        gateway-status=88.78.160.1 reachable DSL distance=1 scope=30 
        target-scope=10 
 1 ADC  dst-address=10.10.0.0/24 pref-src=10.10.0.1 gateway=Routed-Ether2 
        gateway-status=Routed-Ether2 unreachable distance=0 scope=200 
 2 ADC  dst-address=88.78.160.1/32 pref-src=88.78.161.148 gateway=DSL 
        gateway-status=DSL reachable distance=0 scope=10 
 3 ADC  dst-address=192.168.0.0/24 pref-src=192.168.0.1 gateway=WiFi 
        gateway-status=WiFi reachable distance=0 scope=10 
 4 ADC  dst-address=192.168.2.0/24 pref-src=192.168.2.1 gateway=Support-Ether3 
        gateway-status=Support-Ether3 unreachable distance=0 scope=200 
[admin@Sebastian] > 

[admin@Sebastian] > /ip dns export
/ip dns
# allow-remote-requests=yes is needed here because both DHCP networks hand out
# the router itself as dns-server (see /ip dhcp-server network below).
# NOTE(review): the /ip firewall filter export on this page has no input-chain
# rule restricting dst-port=53 by in-interface, so the resolver is also reachable
# on the DSL interface's public address (88.78.161.148) unless it is restricted
# elsewhere -- confirm this is intended, or limit DNS to the LAN interfaces.
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 servers=195.50.140.246,195.50.140.252
[admin@Sebastian] > 

[admin@Sebastian] > /ip firewall export
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# Disabled placeholder; presumably the anchor the HotSpot setup uses for its
# dynamic rules -- left untouched.
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
# SSH brute-force staging. Rules are evaluated top-down: the drop for
# ssh_blacklist sits first, then each new tcp/22 connection moves the source
# one stage up (stage1 -> stage2 -> stage3, each with a 1m window). A fourth
# new connection inside the window puts the source into ssh_blacklist for 1w3d.
# NOTE(review): none of these rules match on in-interface, so a host on the
# hotspot or routed LAN that fails four logins is blacklisted for the same
# 10 days as an Internet host -- confirm that is acceptable.
# NOTE(review): the input chain has no accept for established/related and no
# final drop; anything other than tcp/22 and tcp/21 arriving on DSL is not
# filtered by these rules.
add action=drop chain=input comment="drop ssh brute forcers" disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input comment="" connection-state=new \
    disabled=no dst-port=22 protocol=tcp
# FTP brute-force handling, done on the output chain by matching the server's
# "530 Login incorrect" reply. The accept rule lets a burst of 9 failures per
# destination address through, then 1 per minute; once that dst-limit is
# exceeded the next rule adds the destination (the failing client) to
# ftp_blacklist for 3h, and the input-chain drop above refuses it on tcp/21.
add action=drop chain=input comment="drop ftp brute forcers" disabled=no \
    dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output comment="" content="530 Login incorrect" \
    disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output comment="" content=\
    "530 Login incorrect" disabled=no protocol=tcp
/ip firewall nat
# Disabled placeholder for the HotSpot's dynamic NAT rules -- left untouched.
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
# Masquerade matches only on out-interface=DSL with no src-address restriction,
# so it already translates traffic from every LAN here, including 10.10.0.0/24
# on Routed-Ether2 -- no additional NAT rule is needed for the new network.
add action=masquerade chain=srcnat comment="" disabled=no out-interface=DSL
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
[admin@Sebastian] > 

[admin@Sebastian] > /ip hotspot export
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
    http-proxy=0.0.0.0:0 login-by=http-pap name=default nas-port-type=\
    wireless-802.11 radius-accounting=yes radius-default-domain="" \
    radius-interim-update=received radius-location-id="" \
    radius-location-name="" radius-mac-format=XX:XX:XX:XX:XX:XX rate-limit="" \
    smtp-server=0.0.0.0 split-user-domain=no use-radius=yes
/ip hotspot
add disabled=no idle-timeout=none interface=WiFi keepalive-timeout=none name=\
    Sebastian profile=default
/ip hotspot user profile
set default advertise=yes advertise-interval=5m advertise-timeout=1m \
    advertise-url=advertisement_01.html,advertisement_02.html idle-timeout=\
    none keepalive-timeout=2m name=default open-status-page=always \
    shared-users=20 status-autorefresh=1m transparent-proxy=yes
add advertise=no idle-timeout=none keepalive-timeout=2m name=admin \
    open-status-page=always shared-users=2 status-autorefresh=1m \
    transparent-proxy=yes
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
add comment="" disabled=no name=admin password=xxxxxx profile=admin
[admin@Sebastian] > 

[admin@Sebastian] > /ip pool export
/ip pool
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.54
add name=dhcp_pool2 ranges=10.10.0.2-10.10.0.9
[admin@Sebastian] > 

[admin@Sebastian] > /ip dhcp-server export
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 authoritative=after-2sec-delay \
    disabled=no interface=WiFi lease-time=3d name=dhcp1
add add-arp=yes address-pool=dhcp_pool2 authoritative=after-2sec-delay \
    bootp-support=static disabled=no interface=Routed-Ether2 lease-time=3d \
    name=dhcp_routed
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server lease
add address=192.168.0.55 comment="" disabled=no mac-address=00:19:7D:6F:CF:39
/ip dhcp-server network
add address=10.10.0.0/24 comment="" dns-server=10.10.0.1 gateway=10.10.0.1 \
    netmask=24 ntp-server=10.10.0.1
add address=192.168.0.0/24 comment="" dns-server=192.168.0.1 gateway=\
    192.168.0.1 netmask=24 ntp-server=192.168.0.1
[admin@Sebastian] >

Thanks in advance!

Sorry, it looks like it works as stated. It was a hardware problem :slight_smile:

:laughing:

I looked at this post earlier and thought your config looked good. I declined to respond because of the late hour here… I figured I was tired and surely overlooking something in this ‘broken’ config. :laughing: