NAT not working for Hotspot based VLANs

srijit92 · March 31, 2016, 5:39pm

Hi,

I have a network where I have 3 vlans running individual hotspots. The NAS is connected to a L2 switch for distribution.

On ether2
Vlan 101 - 192.168.1.0/24
Vlan 102 - 192.168.2.0/24
Vlan 103 - 192.168.3.0/24

On ether1 (WAN)
IP - 1.1.1.0/30

Public pool received from ISP - 2.2.2.0/24

I want the hotspot users to change from 192.168.X.X to the public IP after login. Generally on NAS without VLANs we would simply assign the first IP from the public pool like 2.2.2.1 in this to the LAN facing interface and Natting would work like charm.

But since VLANs are there I cannot assign the IP on the LAN interface (confirmed by checking). So whenever user logs in, he is shown as active under hotspot but no page is opening in his computer.
Where am I wrong?

pukkita · March 31, 2016, 5:47pm

I’m not sure I got what you want to do, if you’re assigning public IPs, why natting?

However what (I think) you want to achieve can be done by creating a loopback interface (empty bridge) and assigning the public ip to it.

But no need for nat AFAIK…

srijit92 · April 1, 2016, 2:32am

Thanks, I will try it and update. Actually I didn’t want to mean exactly NAT. I have enough public IPs available. So basically I will create a empty bridge interface acting as a loopback interface and assign the first IPs of the available public IP pools there on it. Right?

srijit92 · April 1, 2016, 2:54am

Tried the loopback setup. But it also produced same results. Login ok but no internet.

Attached current configurations here - https://dl.dropboxusercontent.com/u/53681371/note.txt

pukkita · April 1, 2016, 8:29am

Is this the actual working configuration?

You aren’t using DHCP for the HotSpot, how are clients suppossed to get the gateway address?

AFAIK you need to create a DHCP server with the public IP pools, setting the proper gateway (45.121.110.129 and 45.121.109.1) for each DHCP network so that hotspot clients get a gateway address.

/interface bridge
add name=loopback0

/interface ethernet
set [ find default-name=ether1 ] name=ether4-WAN
set [ find default-name=ether2 ] name=ether5-LAN

/interface vlan
add interface=ether5-LAN name=Balipur-101 vlan-id=101
add interface=ether5-LAN name=Deogarh-106 vlan-id=106
add interface=ether5-LAN name=Dhubulia-103 vlan-id=103
add interface=ether5-LAN name=Nabadwip-104 vlan-id=104
add interface=ether5-LAN name=Sahebganj-102 vlan-id=102
add interface=ether5-LAN name=Shyampur-105 vlan-id=105

/ip address
add address=103.41.28.46/30 interface=ether4-WAN network=103.41.28.44
add address=172.17.24.1/24 interface=Nabadwip-104 network=172.17.24.0
add address=172.17.27.1/24 interface=Deogarh-106 network=172.17.27.0
add address=172.17.28.1/24 interface=Sahebganj-102 network=172.17.28.0
add address=172.17.31.1/24 interface=Balipur-101 network=172.17.31.0
add address=172.17.29.1/24 interface=Shyampur-105 network=172.17.29.0
add address=172.17.25.1/24 interface=Dhubulia-103 network=172.17.25.0
add address=172.17.26.1/24 interface=Dhubulia-103 network=172.17.26.0
add address=10.254.254.1/30 disabled=yes interface=ether5-LAN network=\
    10.254.254.0
add address=45.121.110.129/25 interface=loopback0 network=45.121.110.128
add address=45.121.109.1/24 interface=loopback0 network=45.121.109.0

/ip route
add check-gateway=ping distance=1 gateway=103.41.28.45
add disabled=yes distance=1 dst-address=172.17.28.0/24 gateway=10.254.254.2
add disabled=yes distance=1 dst-address=172.17.31.0/24 gateway=10.254.254.2

/ip pool
add name=Default ranges=\
    45.121.109.2-45.121.109.254,45.121.110.130-45.121.110.254
add name=zones ranges=172.17.31.0/24

/ip hotspot
add disabled=no idle-timeout=none interface=Balipur-101 name=Balipur
add disabled=no idle-timeout=none interface=Dhubulia-103 name=Dhubulia
add disabled=no idle-timeout=none interface=Nabadwip-104 name=Nabadwip
add disabled=no idle-timeout=none interface=Sahebganj-102 name=Sahebganj
add disabled=no idle-timeout=none interface=Shyampur-105 name=Shyampur
add disabled=no idle-timeout=none interface=Deogarh-106 name=Deogarh

/ip hotspot profile
set [ find default=yes ] dns-name=speednet.com html-directory=speednet_sb \
    login-by=http-chap,http-pap use-radius=yes

/ip hotspot
add address-pool=zones idle-timeout=none interface=ether5-LAN name=server1

/ppp profile
set *0 dns-server=8.8.8.8,4.2.2.2 local-address=103.41.28.46 remote-address=\
    Default

# >>>>>>>> These are all the firewall rules??? <<<<<<<<<<<
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add chain=forward src-address=172.17.28.0/24

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \

srijit92 · April 1, 2016, 10:01am

We are using static private ip addressing here for customers. After they login successfully then they will be provided a Public IP.

pukkita · April 1, 2016, 1:29pm

How do they set their gateway? Manually?

srijit92 · April 1, 2016, 1:46pm

Yes static.

pukkita · April 1, 2016, 2:13pm

Do they ping to the loopback ip addresses?

srijit92 · April 1, 2016, 3:05pm

Yes. Can ping loopback.

pukkita · April 1, 2016, 6:06pm

I am afraid yours is kind of messy and non practical setup (from management standpoint) I wouldn’t use hotspot but PPPoE, lots of advantages: saving public IPs, neater setup, control over remote clients…

I think right now the problem is router doesn’t know how to reach public ips from its side, can you ping from the router to the static addresses?

Is there any specific reason to use hotspot in your scenario?

srijit92 · April 1, 2016, 6:10pm

Yes planning to migrate to PPoPE. Using hotspot for company branding and giving some info to users like maintenance etc.
Also hotspot for auto login via MAC.

pukkita · April 2, 2016, 7:48am

You can also “intercept” users HTTP traffic and redirect it to a web server to provide info, maintenance warnings, etc while using PPPoE, by using ip > firewall > nat.

Regarding its status, if you user user-manager, you can provide credits, and usage info too: http://wiki.mikrotik.com/wiki/User_Manager/User_page

Back to your actual setup, I’m puzzled clients can ping the loopback but not reaching internet.

What DNS are they using? Can they ping 8.8.8.8 but not www.google.com?

Do they appear on IP > hotspot > Hosts or Active tabs?

Are those all your Ip > firewall > filter rules? Your router is wide open!

srijit92 · April 9, 2016, 3:08pm

No they cannot ping 8.8.8.8 after login…
Yes they appear on active hosts after login.
There is some communication issues with the public IPs after client login.
This is not a production setup, so minimal filter rules.