From the Mikrotik Ref Manual
"The Hotspot system is targeted to provide authentication within a local network…, but may as well be used to authorize access from outer networks to access local resources."
How can this be achieved, please?
Scenario
Some services we subscribe to only allow us to connect from our network's IP range and invalidate our users when we try to use them from another internet connection.
I am trying to give our staff access to our proxy server/Mikrotik box from their home or mobile internet access, so that they can use the same hotspot accounts they use on the office LAN to log in if they need to use the proxy server from the internet side of the network, or create another hotspot server on the same machine for remote logins on the WAN.
Yes, you can. This is what I do to authenticate users before gaining access to any of my network resources (connecting from the Internet). You would turn on Hotspot for the WAN interface (this will give users a login screen when they go to your public IP), then you need to set up some Walled-Garden-IP rules (if the local net is behind NAT); otherwise ALL connections coming from the internet will be redirected through the Hotspot and asked to authenticate.
This will allow any SMTP, VPN and WAN to LAN traffic to pass through the Hotspot without authentication. The WAN to LAN is like saying “allow established connections from WAN to LAN” because NAT protects new WAN traffic from reaching LAN by default.
Many thanks for your response, and sorry for my late reply.
Actually, I only want my internal Mikrotik Squid proxy to be available to users on the WAN side of the network (internet), and want users to be authenticated via hotspot.
My hotspot runs on my LAN interface, but I want staff who are accessing the internet from offsite locations to use the Mikrotik server as their proxy server, but they must be authenticated on the hotspot/userman before they can use the service.
My Squid runs on port 7070 and is listening on all the interfaces.
Thanks
You should be able to do that using Hotspot on WAN interface. You could use a transparent proxy for users authenticating from the WAN so that no settings need to be changed in the client’s browser (if those machines aren’t managed by you).
It seems a bit tricky at first, but you can get your desired results in the end without too much hassle.