I have a hotspot on a PC-based RoS-machine, with 2 interfaces: One to the web (PPPoE), the other is WiFi.
Now I want the same hotspot ALSO to be accessible from the internet. It might be a second hotspot, only with a different user database, OR an extension of the existing one.
I do not want to have a second internet connection, but to use the existing one.
So I guess, with quite a few firewall rules for incoming connections it should be possible to accomplish this, but I need some help, please.
What do you mean by “accessible from the web”? You want devices behind the Hotspot to be publicly available?
No, the same functionality from the web as from the local WiFi-connection to the hotspot.
The only difference would be, that the local users access a transparent proxy,
so they are “automatically forced” to login thru the login-page of the hotspot,
whereas the users from the web explicitly have to enter the URL into the browser, like
“http://mydomain.com/login” or simply “http://mydomain.com”, whatever is easier to implement.
And “mydomain.com” points to the IP of the Hotspot-PC, of course.
What are you trying to achieve?
Usually a hotspot is used to force users to authenticate before getting internet access, and to rate limit their access once they’re authenticated. It doesn’t really make sense to apply that to incoming internet connections.
Thanx, but that is not very new to me.
You should understand, that because this is a public forum, I only like to say: I have my reasons, or, in other words: Let me keep my business secret.
Uhm, OK.
Hotspots work based on MAC addresses, which get re-written by layer 3 hops such as the default WAN gateway of your router. To the Hotspot all WAN connections will seem to come from the same host; once one is authenticated, they all are.
So unless you’re trying to authenticate directly connected users on the same ISP network as your router, you can’t use Hotspots for whatever you’re trying to do.
Because you know what you are talking about, do you have any ideas how I could achieve what I want by other reasonable means?
I know, in SW almost everything is possible. Only a question of how much effort to spend.
There will only be very few simultaneous user sessions in parallel active on the hotspot, so my vague idea is about a LINUX-frontend, running load balancing SW, distributing just one client session from the web to every internal interface. And these internal interfaces are connected 1:1 to the interfaces of the RoS-Hotspot PC. On every external interface of the hotspot-PC there is one copy of the hotspot-SW running, in fact serving not more than one user session.
In case I understood your explanation correctly, then my setup could be a bit simpler by installing a HW-switch between the front-end and the RoS-Hotspot box, to switch all traffic from the front-end into the only one “internal” interface of the hotspot-PC, so only one copy of the hotspot-SW is necessary. Is that correct?
Alternative suggestions welcome !
I’m not giving up, to try to find a solution. Still no ideas ?
I am willing to invest some bucks, so it might also be interesting for a consultant.
Usually this is true, however, I did set up an “Internet” facing hotspot and each mac+ip was treated as a unique session. I was able to have multiple people connect (different IPs, but same MAC of my ISP’s gateway), each getting prompted for user/pass and getting a unique “active session” listed in RouterOS. This is running on RouterOS v3.20.
Basically, the reason I do this is for “authentication before access” of network resources. I could use a VPN, but I find this method much easier for users not so technical. Also, since it’s a web interface, I can authenticate virtually anywhere, and the firewall can dynamically assign me needed network resources.
You can do this, but it requires a few extra firewall rules to set up. Since this isn’t the intended use of Hotspot, setup is not going to be “click and go”. Also, since you will have multiple internet connections coming in, it’s best to put the Hotspot on a device other than your gateway to the internet, then set up port 80/443 new connections to forward to your Hotspot device. I also reduced the timeout for unauthenticated users to 5 - 7 seconds so resources aren’t being taken up by multiple incoming connections:
/ip hotspot set idle-timeout=00:00:07
Also, note that v3.30 hotspot servers aren’t bound to a specific interface (listen on all interfaces), which means a few extra firewall rules are needed. On a v4.1 setup, if I create a new Hotspot on interface WAN, it creates a new instance listening only on that interface, which means fewer firewall rules.
Again, this is very technical, and not the intended use for the Hotspot service, but it does work great for me, and provides a nice secure layer of authentication to access network resources.
I’ll update when I can put a list of steps together.
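Added example, not part of the original posts and not RouterOS code: a small Python model of the two session-keying behaviours discussed above, a portal that tracks logins by source MAC only versus one that tracks them by MAC+IP. The class, function names and addresses are constructed for illustration, and the example goes one step beyond the thread by including two clients that share one NAT address.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    src_mac: str  # layer-2 source as seen by the portal (last hop's MAC)
    src_ip: str   # layer-3 source as seen by the portal

# Two hypothetical session-key policies (assumptions, not RouterOS internals).
def key_mac_only(frame):
    return frame.src_mac

def key_mac_ip(frame):
    return (frame.src_mac, frame.src_ip)

class Portal:
    """Minimal captive-portal session table keyed by a pluggable policy."""
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.active = {}  # session key -> username

    def login(self, frame, user):
        self.active[self.key_fn(frame)] = user

    def is_authorized(self, frame):
        return self.key_fn(frame) in self.active

# Constructed sample: every WAN client arrives with the ISP gateway's MAC.
GATEWAY_MAC = "02:00:00:00:00:01"
ALICE = Frame(GATEWAY_MAC, "198.51.100.10")
BOB = Frame(GATEWAY_MAC, "203.0.113.20")     # different public IP
CAROL = Frame(GATEWAY_MAC, "198.51.100.10")  # same NAT address as Alice

def admitted_without_login(key_fn):
    """Only Alice logs in; return who else the portal then treats as authorized."""
    portal = Portal(key_fn)
    portal.login(ALICE, "alice")
    others = (("bob", BOB), ("carol", CAROL))
    return [name for name, frame in others if portal.is_authorized(frame)]

if __name__ == "__main__":
    print("MAC only :", admitted_without_login(key_mac_only))
    print("MAC + IP :", admitted_without_login(key_mac_ip))
```

In this model, keying on MAC+IP separates clients with distinct public addresses, but anyone sharing the authenticated user's NAT address is indistinguishable from them until the session times out.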
I really would appreciate your help.
Being more a software guy, I have added a few special functions to the MThotspot.
For demonstration purposes, I want to give access to my special hotspot thru the web. I do not see serious security implications, because I will distribute the user/password for the hotspot only to selected users.