Please help: hotspot and walled garden

Hello people. I have a problem. I want to create a hotspot on MikroTik. Everything is fine, but I want to block all HTTP pages except http://www.onet.pl. I want to create two groups: full permission to surf the net, and restricted permission. Full permission works fine, but how does restricted work? To surf only one page, www.onet.pl; the rest is blocked.

Please answer me. Thanks.

As you know, HotSpot provides authentication methods, e.g. the login/password method for authorization.
You may issue logins/passwords for the first group (full access); the second group will be redirected to the HotSpot login page, but http://www.onet.pl will be accessible to any user, and other pages only to authorized users.
Walled-garden entry configuration is available at ‘ip hotspot walled-garden add dst-host=’, to specify a specific domain that will be accessible.

OK, but all users in my network must log on to the hotspot, and I want some group to be restricted. That group must have permission only to the http://www.onet.pl site; other sites are blocked. How to do it?

One way you can achieve this is to create different HotSpot user profiles and specify firewall chains,
one for full-access users,
a second for restricted users.
The second users’ firewall chain should contain a rule that allows traffic to this webpage and drops other traffic.

OK. Can you show me how to write this procedure? An example?

Hello, you can use incoming/outgoing-filter on the user profile to put your own filter rules on your user profiles, so you can make different access types for your users.

Note, do not forget to add one ‘jump’ rule to ‘chain=forward’ with ‘jump-target=hotspot’, which redirects traffic from the ‘forward’ chain to the ‘hotspot’ chain. Traffic from the HotSpot chain will be redirected correctly to the chains specified in the incoming/outgoing filter.

:frowning: I don’t know how to do it. Can you show me step by step how to do the restricted group? I have full access, it is very simple, block access, but I don’t have restricted. Only one page must be open, the rest is blocked. Please help, step by step, the procedure.

Thanks

The procedure was described in the previous topics.

  • Create two ‘ip hotspot user profiles’, one for normal users and a second for one-page-allowed users.
  • Specify ‘Incoming Filter’ and ‘Outgoing Filter’ for the second group.
  • Add a firewall rule that allows the specific page and a second rule to block any other traffic.
  • Add another firewall rule that will redirect traffic from chain=forward to chain=hotspot.
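
The four steps above written out as RouterOS commands, as an added example that is not part of the original thread. The profile names, chain names, user name and password are hypothetical, and 192.0.2.10 is a placeholder for the allowed web server's address, because the filter rules below match an address rather than a host name.

```routeros
# Added example (not from the thread). Hypothetical names: profiles "full" and
# "restricted", chains "restricted-in" / "restricted-out", user "guest1".
# 192.0.2.10 is a placeholder address for the one allowed web server.

/ip hotspot user profile
# Step 1: one profile per group
add name=full
# Step 2: the restricted profile names the chains its traffic is filtered by;
# transparent proxy is left off, as the last post in this thread advises
add name=restricted incoming-filter=restricted-in \
    outgoing-filter=restricted-out transparent-proxy=no

/ip hotspot user
# Users get their access level from the profile they are assigned
add name=guest1 password=CHANGE-ME profile=restricted

/ip firewall filter
# Step 4: pass forwarded traffic to the hotspot chain so that the
# per-profile chains above are evaluated
add chain=forward action=jump jump-target=hotspot

# Step 3, client to network: allow DNS lookups and HTTP to the one server,
# drop everything else
add chain=restricted-in protocol=udp dst-port=53 action=accept
add chain=restricted-in protocol=tcp dst-address=192.0.2.10 dst-port=80 \
    action=accept
add chain=restricted-in action=drop

# Step 3, network to client: allow only the matching replies
add chain=restricted-out protocol=udp src-port=53 action=accept
add chain=restricted-out protocol=tcp src-address=192.0.2.10 src-port=80 \
    action=accept
add chain=restricted-out action=drop
```

Rule order matters: each chain ends in a drop, so any further exception has to be added above it. If clients use an external resolver, the two DNS rules can be narrowed to that resolver's address.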

What do I put in Incoming Filter and what do I put in Outgoing Filter for the restricted group? Can you post some screenshots of how to do it, step by step? Because I’m a newbie. Big thanks.

Hi people,

I am trying to do the same thing ( http://forum.mikrotik.com/t/hotspot-firewall-rules/13405/1 )

MMM
If I can make it work, I will post the results.

Thanks Sergejs for the procedure, I will try it.

Regards!

Okay, it does not work. =(

- Create two ‘ip hotspot user profiles’, one for normal users and a second for one-page-allowed users.
I did it, but how can I assign a profile to a specific user via RADIUS?

- Specify ‘Incoming Filter’ and ‘Outgoing Filter’ for the second group.
I did it, but I also reply via RADIUS with a filter-id mark named “nopago”.

- Add a firewall rule that allows the specific page and a second rule to block any other traffic.
I added two in the “nopago” chain. One returns the request with dst-address 10.1.2.27 (web server). The other one rejects all TCP traffic.

- Add another firewall rule that will redirect traffic from chain=forward to chain=hotspot.
I added a rule in the forward chain to make it jump to hotspot.

I do not know what I am doing wrong, but it doesn’t work.

Regards.

Hi,

I did some tests this afternoon and I couldn’t reach any result.

I tried to use pre-hs-input but nothing happened.

Here are my filter rules, check them out:

(10.1.2.27 is my webserver)

 0   chain=pre-hs-input packet-mark=!Account_Disabled action=return 

 1   chain=pre-hs-input dst-address=!10.1.2.27 packet-mark=Account_Disabled 
     action=reject reject-with=icmp-net-prohibited

“OH, I SOLVED IT”

Well, I had a bit of help from my boss, jeje :stuck_out_tongue:

You have to do the following if you want certain users to surf only the walled garden:

Create 2 forward chain rules.

/ ip firewall filter 
add chain=forward packet-mark=Account_Disabled hotspot=from-client action=jump \
jump-target=hs-unauth comment="" disabled=no 
add chain=forward packet-mark=Account_Disabled hotspot=to-client action=jump \
    jump-target=hs-unauth-to comment="" disabled=no

This makes all the traffic marked with “Account_Disabled” be redirected to the hs-unauth chain, so the user can only surf the walled garden. :sunglasses:

ONE MORE THING:

Disable Transparent proxy in the user profile you are using, because it won’t work.

HOPE this helps someone!
Regards!