How to permanently disable the hotspot dynamic NAT rule?

I need to permanently disable the default (dynamic) NAT rule no. 13, created by the hotspot:

13 D chain=hs-auth action=redirect to-ports=64874 protocol=tcp hotspot=http

(This rule is causing trouble: we are using an external proxy set in web browsers via WPAD. This rule is catching clients' connections to the external proxy and redirecting them to the internal web proxy, which is slowing down communications very seriously.)

I can disable it, but it is re-created after a reboot. How could I solve this? I could use this command:

/ip firewall nat disable [find hotspot="http"]

and run it every minute or so using the scheduler, but I don’t like that. Is there an event like “hotspot starting”?

If you disable that rule the hotspot stops working. Those rules are what makes it tick.

Instead override it for authenticated connections.

/ip firewall nat add chain=pre-hotspot hotspot=auth action=accept

I’ve just realized that I could use the hotspot login event - that would be better. Or is there a better idea?

No, it is working perfectly - I’ve been using it for a few weeks, and the only problem was re-enabling after a reboot.
I will try your suggested solution.

Edited too late - see edited post above. That’s your solution.
Disabling that rule does break things.

Could you explain what exactly it breaks?

I don’t understand why this rule is causing me problems - it took a few hours of trying and discovering until I found that this rule is bad for me. I don’t understand why the hotspot is using the internal transparent proxy (which is disabled) when a client requests a connection to the external proxy after authentication - and that only happens when the first unauthenticated request goes to the external proxy (it was working fine when the first request went to the hotspot login page). Maybe it is some kind of bug?

It is not a bug.
http://wiki.mikrotik.com/wiki/Manual:Customizing_Hotspot
That explains what the rules do.

The one I posted keeps authenticated users from going through the internal proxy.

Thanks for explanation! :slight_smile:

Yes, now I understand: “This is done so that users that have some proxy settings would use the HotSpot gateway instead of the proxy server users have configured in their computers.” - that’s exactly what I don’t want. I have firewall rules that do not allow direct connections to the internet, and using the external proxy server is necessary, so I really need to disable this proxy-detecting feature (because it is extremely degrading performance).

I’m not on site at this moment so I can’t try your suggestion now, but I will later today - of course, adding another permanent rule is a better way than disabling the dynamic rule, if it works. I will let you know.

Thanks! This was nearly working - the only problem was that after authentication the client could not connect to the hotspot web page for status or logoff. So I had to modify it like this:

/ip firewall nat add chain=pre-hotspot hotspot=auth,http action=accept

Now it seems that everything is all right :slight_smile:

That should work; if you experience any issues there (hotspot=http grabs stuff you don’t want it to), you can use the below instead:

/ip firewall nat add action=accept chain=pre-hotspot dst-address-type=!local hotspot=auth

That should have the same effect and keep the stats pages etc. running due to ‘dst-address-type=!local’ - authenticated traffic going to the router itself (even before destination NAT) would no longer be exempted.
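As an added example (not code from the posts above), here is a RouterOS script that adds the accept rule from the last answer only if it is not already present, and then prints the pre-hotspot chain so the static rule can be seen next to the dynamic hotspot rules. The comment label "hs-proxy-bypass" is an assumed marker used to find the rule again on later runs; it is not from the thread.

```routeros
# Added example, not from the forum posts. Adds the pre-hotspot accept rule
# once (idempotent) and verifies it. Static rules survive a reboot, unlike
# changes to the dynamic "D" rules the hotspot re-creates on start.
:local ruleComment "hs-proxy-bypass"

# Only add the rule if no rule carrying our marker comment exists yet,
# so re-running the script (e.g. from a scheduler) does not duplicate it.
:if ([:len [/ip firewall nat find comment=$ruleComment]] = 0) do={
    /ip firewall nat add chain=pre-hotspot hotspot=auth \
        dst-address-type=!local action=accept comment=$ruleComment
    :log info "added pre-hotspot accept rule for authenticated clients"
} else={
    :log info "pre-hotspot accept rule already present, nothing to do"
}

# Verify: the static accept rule should be listed in chain pre-hotspot.
# Traffic to the router's own addresses (dst-address-type=local) is not
# matched, so hotspot status/logoff pages keep working.
/ip firewall nat print where chain=pre-hotspot
```

Run it once from the terminal, or save it under /system script and call it from a scheduler with start-time=startup; either way the rule is static and persists across reboots, so the original per-minute disable loop is no longer needed.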

Yes, it is working as well and is probably better, thanks again!