pppoe

I want to start using a pppoe server, and I have accomplished the task of setting it up and setting up users (secrets). However, when a user opens Internet Explorer they have internet. I don’t want that. Without dialing into PPPOE I don’t want them to have internet.

If the user has NOT signed into PPPOE then NO INTERNET.

How do I do that?

Right now, even though I have pppoe set up, I can still get on the internet.

I also want to use DHCP.

It sounds like you have a NAT rule that is allowing them to access the internet. You need to remove or restrict that NAT rule to only the ip addresses of your customers who are connected via pppoe.

Without knowing more about your config I won’t be able to give you specific commands to use.
-Gerard

Thank you for the quick response.

I am still new to the RouterOS system.

Please tell me what info I need to show you to help do this.

Hotspot is giving me headaches and it’s just awfully slow.

Here’s my nat printout:

Terminal vt102 detected, using multiline input mode
[admin@grnzne-inet] > ip
[admin@grnzne-inet] ip> firewall
[admin@grnzne-inet] ip firewall> nat
[admin@grnzne-inet] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; masquerade hotspot network
     chain=srcnat src-address=192.168.0.0/24 action=masquerade 

 1 X ;;; masquerade hotspot network
     chain=srcnat src-address=192.168.0.0/24 action=masquerade 

 2 X chain=dstnat in-interface=ether2 dst-address=0.0.0.80 protocol
     action=redirect to-ports=8080 

 3 X ;;; ;;; intercept all DNS requests 
     chain=dstnat protocol=udp dst-port=53 action=dst-nat 
     to-addresses=192.168.0.1 to-ports=0-65535 

 4 X ;;; ;;; Transparent Proxy 
     chain=dstnat dst-address=192.168.0.1 protocol=tcp dst-port=80 
     action=redirect to-ports=3128 
[admin@grnzne-inet] ip firewall nat>

What I also wanted to do is KEEP hotspot enabled, and for a small purpose. A small page loads up with instructions on how to set up PPPOE and a link to a dialer called ISPWIZARD, which they can download and it’ll set up PPPOE for the user. So a hotspot WITH NO LOGIN. Just instructions.

If you disable the first nat rule it will disable the hotspot users from getting to the internet..

What ip’s are you assigning the users who login with pppoe? To keep things simple they should be from a different ip block than the hotspot users.. You’ll need to make a nat rule for whatever ip block the pppoe customers are using so that they can get online. Are you using an address pool for pppoe or setting the ip’s manually for each user?

-Gerard

I wanted to make it DHCP.

Well, I just made a new pool and I called it pppoe-pool.

[admin@grnzne-inet] ip pool> print
 # NAME                                                       RANGES                         
 0 dhcp-pool-1                                                192.168.0.100-192.168.0.200    
 1 webbox                                                     192.168.0.100-192.168.0.200    
 2 pppoe-pool                                                 192.168.0.200-192.168.0.250

Now, with that in mind, I can tell the pppoe server to pick from that pppoe-pool block. Can you help me with the nat rule please?

What’s more, I am connected to the server using a switch and I want the server to provide me with an IP through DHCP. Should that just be through pppoe? I mean, I have to get an IP for the ethernet connected to the switch somehow, right? Should I make that completely static or .. I am confusing myself …

You don’t need dhcp to use pppoe.. You don’t even need an ip to use pppoe.. If you don’t want to bother with pppoe on your computer you can make a static dhcp entry to assign you an ip in the same range as the pppoe users..

If I were you I’d do like 192.168.0.0/24 for your hotspot and then 192.168.1.0/24 for your pppoe pool..

here is a nat rule to let only the pppoe people online..
add chain=srcnat src-address=192.168.0.200-192.168.0.250 action=masquerade disabled=no

-Gerard

OK. That sounds great. I changed the pppoe pool.

Terminal vt102 detected, using multiline input mode
[admin@grnzne-inet] > ip
[admin@grnzne-inet] ip> poo
[admin@grnzne-inet] ip pool> pr
 # NAME                                                       RANGES                         
 0 dhcp-pool-1                                                192.168.0.100-192.168.0.200    
 1 webbox                                                     192.168.0.100-192.168.0.200    
 2 pppoe-pool                                                 192.168.1.100-192.168.1.250    
[admin@grnzne-inet] ip pool>

However, I don’t want hotspot users to gain inet access. I want login.html to be instructions on how to set up PPPOE and a link to a dialer called ISPWIZARD, which they can download and it’ll set up PPPOE for the user. So a hotspot WITH NO LOGIN. Just instructions.

I’m not sure what your pool webbox is so I’m just going to ignore it..

You’ll need only one nat rule to nat for the pppoe users only.. any other nat rules you should be able to disable..

add chain=srcnat src-address=192.168.1.0/24 action=masquerade disabled=no

The above rule will only allow people who are in the pppoe pool to access the internet; anyone who is not in the 192.168.1.0/24 IP block will not be able to get to the internet. They should still, however, see your hotspot login screen.

-Gerard
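An added example (not part of the posts above, and not MikroTik code): a Python check that reads pasted `ip firewall nat print` output and reports which address-pool ranges fall under an enabled srcnat masquerade rule. The function names are made up for illustration, the sample input is constructed from the pools and rules quoted in this thread, and the check covers source NAT only, not hotspot or forward-chain behaviour.

```python
# Added example; helper names are illustrative, not RouterOS or MikroTik code.
import ipaddress
import re

def to_span(text):
    """'a.b.c.d/nn', 'lo-hi' or a single address -> (first, last) as ints."""
    if "-" in text:
        lo, hi = text.split("-")
        return int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    net = ipaddress.IPv4Network(text, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def active_masquerade_spans(nat_print):
    """Source spans of enabled srcnat masquerade rules in pasted 'print' output."""
    rules = []                                   # [flag, rule text] per rule
    for line in nat_print.splitlines():
        m = re.match(r"\s*\d+\s+(?:([XID])\s+)?(.*)", line)
        if m:                                    # "<index> [flag] ..." starts a rule
            rules.append([m.group(1), m.group(2)])
        elif rules and line.strip():             # continuation of the current rule
            rules[-1][1] += " " + line.strip()
    spans = []
    for flag, text in rules:
        # X (disabled) and I (invalid) rules are not in effect, so skip them.
        if flag not in ("X", "I") and "chain=srcnat" in text and "action=masquerade" in text:
            src = re.search(r"src-address=(\S+)", text)
            spans.append(to_span(src.group(1) if src else "0.0.0.0/0"))
    return spans

def masqueraded_pools(nat_print, pools):
    """Map pool name -> slices ('first-last') of that pool that are masqueraded."""
    hits = {}
    for name, rng in pools.items():
        p_lo, p_hi = to_span(rng)
        for r_lo, r_hi in active_masquerade_spans(nat_print):
            lo, hi = max(p_lo, r_lo), min(p_hi, r_hi)
            if lo <= hi:
                hits.setdefault(name, []).append(
                    f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}")
    return hits

# Constructed sample: pools and rules as quoted in the thread (final state).
POOLS = {"dhcp-pool-1": "192.168.0.100-192.168.0.200",
         "pppoe-pool": "192.168.1.100-192.168.1.250"}
NAT_PRINT = """\
 0 X ;;; masquerade hotspot network
     chain=srcnat src-address=192.168.0.0/24 action=masquerade
 5   ; ; ; pppoe users
     chain=srcnat src-address=192.168.1.0/24 action=masquerade
"""
```

`masqueraded_pools(NAT_PRINT, POOLS)` returns only the pppoe-pool range here. Given the earlier pools, where dhcp-pool-1 ends at 192.168.0.200 and pppoe-pool starts there, and the range-based rule, it also reports 192.168.0.200 from dhcp-pool-1.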

OK, I did what you said to the point; however, I am having a problem with the hotspot page NOT displaying. All I get is Error 404: Not Found.

The nat rule is working. I am not able to see the internet until I dial in through pppoe.

In the hotspot profiles I created a new profile:

4   name="pppoe-must" hotspot-address=0.0.0.0 dns-name="" html-directory=pppoe rate-limit="" 
     http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap 
     http-cookie-lifetime=3d split-user-domain=no use-radius=no

With that, I created a new html directory called pppoe and put in a login.html file which only says this:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
You must login through PPPOE to use the internet.
</body>
</html>

I plan on customizing later. I just want it to work.

Also, in the hotspot servers page the only thing I have enabled is:

[admin@grnzne-inet] ip hotspot> print        
Flags: X - disabled, I - invalid, S - HTTPS 
 #   NAME                                      INTERFACE ADDRESS-POOL PROFILE    IDLE-TIMEOUT
 0 X hotspot1                                  ether2    dhcp-pool-1  hsprof2    5m          
 1 X hotspot2                                  ether2    pppoe-pool   hsprof3    5m          
 2   pppoe                                     ether2    dhcp-pool-1  pppoe-must none

If I were to double-click on pppoe in the servers page I see the following:
Name: pppoe
Interface: ether2 (lan interface)
Address pool: dhcp-pool-1 (this is the 192.168.0.100-200 pool)
Profile: pppoe-must (above)


If I look at the IP in ipconfig for my laptop I can see:

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.200
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

So now why isn’t the hotspot page loading?
Nor am I able to access the winbox.

Never mind. I got it.

What a confusing process, but all is well.

I had to set my IP to bypassed under hotspot. I wish there was another way so I can test the hotspot page but I don’t see any.

If I don’t set to bypassed then I can’t connect to winbox.

There’s also still one problem:

Let’s say I dialed in through pppoe, then disconnected and loaded Firefox. I am now able to browse the web without dialing in again. It’s as if there’s an invisible link … the only thing that’s active is the lan connection with the IP of 192.168.0.200 and NO active pppoe connection.
To see if this problem still occurs when I restart, I rebooted the computer and was able to surf the web without dialing in through pppoe.

I am confused as to why this is happening when the only nat rule enabled is the one above.

[update]. Never mind. I figured this part out. It seems that I was logged into hotspot, but still the nat rule above should NOT allow hotspot to surf the web. So why was I able to browse the web?

Yet again I found a way around this by disabling the hotspot user, but my question still stands: with the nat rule above, how is it that a hotspot user is able to browse the web?

The src-nat rule with action=masq does not have anything to do with the hotspot users surfing or not. Take a look at the forward and dst-nat chains as these are the ones that control hotspot users.

This is what my nat looks like right now (from memory - I am not at home):

[admin@grnzne-inet] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; masquerade hotspot network
     chain=srcnat src-address=192.168.0.0/24 action=masquerade

 1 X ;;; masquerade hotspot network
     chain=srcnat src-address=192.168.0.0/24 action=masquerade

 2 X chain=dstnat in-interface=ether2 dst-address=0.0.0.80 protocol
     action=redirect to-ports=8080

 3 X ;;; ;;; intercept all DNS requests
     chain=dstnat protocol=udp dst-port=53 action=dst-nat
     to-addresses=192.168.0.1 to-ports=0-65535

 4   ;;; ;;; Transparent Proxy
     chain=dstnat dst-address=192.168.0.1 protocol=tcp dst-port=80
     action=redirect to-ports=3128

 5   ; ; ; pppoe users
     chain=srcnat src-address=192.168.1.0/24 action=masquerade disabled=no

[admin@grnzne-inet] ip firewall nat>

With that in mind, I am still confused as to why a hotspot user can surf (enabled account only).
Although it doesn’t really matter, because I disabled all hotspot users except for myself, so this isn’t an issue anymore. I am just curious as to why this is happening.

Perhaps you’ve got HTTP cookies enabled in the hotspot and your user has a cookie still in effect? Cookies are enabled by default…