How to open all ports for a particular hotspot user?

imaljko4 · August 20, 2010, 10:23am

Hello,

Sometimes i need to open all ports for one particular hotspot user(have full internet access TCP/UDP without firewall).
What command should i use to do it, if the users IP address is for example 10.0.0.23 ?

The users on my hotspot have problems when trying to make outgoing VPN connections, so i would like to be able to open all ports for them in order to see if this would solve the problem.

Thank you very much for help

SurferTim · August 20, 2010, 10:34am

Have you tried logging in to the hotspot with your browser before trying other ports besides 80? I must tell some of my customers that about their email when they say the email doesn’t work. Log in with Internet Explorer, minimize the browser window, then open Outlook.

imaljko4 · August 20, 2010, 10:46am

Yes the users are logged in to hotspot, they surf the net and download emails without problems. But when they try to make an outgoing VPN connection it fails.
When i connect the users directly to my local network with a cable(without hotspot), then the VPN works.

SurferTim · August 20, 2010, 11:32am

Are the failing VPN connections to a localnet computer, to a computer on a different interface in the same router, or WAN? I don’t use a VPN on a hotspot, but I have received a few calls about VPN connections from my customers. I explained what I thought was the fix, and none have called back. If they just gave up, I would like to know for my own business.

fewi · August 20, 2010, 12:06pm

After you’re logged into a Hotspot there are literally no firewall filter or NAT rules in the way of traffic to the client. For traffic from the client only DNS and HTTP have a redirect to the servlets in the way, which does not interfere with VPN traffic. I don’t see how the Hotspot can be at fault.

When you move clients, does that also result in them being NAT’d to a different IP address, or do you move them to public IPs directly assigned to the client? That would explain things being fixed.

SurferTim · August 20, 2010, 12:17pm

Hi fewi. I was hoping you would show up here! My only concern about the destination interface was there is one NAT (masquerade) installed by the hotspot IF during the setup you accepted the default on this prompt (I use ‘no’):
masquerade network: yes

fewi · August 20, 2010, 1:00pm

I don’t use the setup wizard, but I am pretty sure that just installs a generic NAT rule you’d have anyway. As in, if your Hotspot network is 192.168.88.0/24 the rule installed reads “/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 action=masquerade”. If your Hotspot router connects directly to the Internet via a public IP you’d have something like that, anyway, so it shouldn’t make a difference.

That is a really good point though if you are either connected to a provider with private IP space and aren’t supposed to NAT yourself because they will do it on their edge, or are passing traffic on to further routers you own yourself and you will NAT later. Several older VPN protocols could break with double NAT (PPTPv3 and IPsec with NAT-T should be able to handle even that fine).

imaljko4 · August 20, 2010, 1:31pm

So maybe this is the problem,
My hotspot network is under “masquerade”, but my mirkotik router is behind another router which is then connected to WAN -Internet.

So if i Understand you correctly in this case i should remove the firewall entry “masquerade hotspot network”?

fewi · August 20, 2010, 1:41pm

Yes. Only NAT where you absolutely HAVE to transition into a zone in which your IP space is no longer usable. I would consider that a generic truth not only for Hotspots, but for all traffic going through routers deeper into your network (and other interfaces on the Hotspot router).

In your case it sounds like that’s on the WAN port of whatever router is facing your ISP. You will have to ensure that transient traffic is NAT’d there, the easiest way is to go by outbound interface:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=WAN-interface

And of course you’ll have to make sure that the other routers have appropriate routes back to the Hotspot network because they will no longer see traffic as sourced from a directly connected IP address.

Beyond that there isn’t much you can do to solve this problem. Like I said, Hotspots only affect HTTP and DNS for authenticated users, neither one should interfere with VPN tunnels.

imaljko4 · August 22, 2010, 1:33pm

When i disable the “masquerade” of my hotspot network, then hotspot doesn’t work anymore.

So what exactly do i need to do?
My Network is as follows:

ip address>> print
Flags: X - disabled, I - invalid, D - dynamic
#   ADDRESS            NETWORK         BROADCAST       INTERFACE                                                                         
0   192.168.3.2/24     192.168.3.0     255.255.255.0   ether1                                                                            
1   10.0.0.1/24          10.0.0.0          255.255.255.0   hotspot_bridge                                                       


/ip route>> print

#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
0 A S    0.0.0.0/0                                  192.168.3.1            1      
1 ADC   10.0.0.0/24          10.0.0.1          hotspot_bridge        0      
2 ADC   192.168.3.0/24     192.168.3.2     ether1                    0

The traffic from hotspot network is being routed to the Gateway 192.168.3.1 (my ADSL/Modem Router- which is the connection to WAN-Internet)
I think my ADSL/Modem/router- 192.168.3.1 is doing the masquarade (NAT) to the WAN-internet.
But my hotspot is on another network (10.0.0.1) and is then being routed to the 192.168.3.1(gateway).

So in my case i still need to masquerade my hotspot network? or not?

Thank you

fewi · August 22, 2010, 5:21pm

Can you masquerade the Hotspot network on the router? It might be a dumb router that will only NAT directly connected networks. In that case you can’t eliminate the double NAT unless you put the ADSL modem into bridge mode and connect to the Internet directly on the RouterOS device. If you can’t do that you’re stuck doing a masquerade on the Hotspot directly and VPN stays broken.

SurferTim · August 22, 2010, 6:36pm

Disable the hotspot masquerade and try this as fewi suggested above:
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1

What is the hotspot-bridge interface?

fewi · August 22, 2010, 6:40pm

I think the issue is that the ADSL modem is in routed mode. He would be masquerading the Hotspot network to 192.168.3.2, and the modem would then masquerade that to a public IP. If the ADSL will not NAT anything but a related network for him, the only solution to avoid double NAT is to put it into bridged mode so you can NAT right to the public IP address on the Hotspot router.

But I may be wrong about the ADSL modem in routed mode assumption. The IP he gets from his ISP is private there is no way to avoid double NAT.

SurferTim · August 22, 2010, 6:46pm

Even if the modem is in routed mode, if the hotspot masquerade is disabled, and the masquerade you (meaning fewi) suggested above (different!) is used, it should work ok, shouldn’t it? Single NAT in this router, and one in the modem. Then it won’t masquerade to all the interfaces, just ether1.

And, yes, it will be a double NAT by the time it gets to a public ip, just not in this router.

adrianatkins · August 22, 2010, 9:53pm

If you’ve got a Mikrotik as your gateway, you might try replacing the ADSL router with an ADSL Modem, and using PPPoE on the Mikrotik itself.

ADSL modems are about 10 euros hereabouts.

There will still be some NATing going on (has to be done) but you might at least get some control of how it does it.

Some routers (like your ADSL one) don’t do NAT as wonderfully as it can be done.