Problem with Hotspot And Lan PCs

Hello,

I have an Internet cafe and I bought an RB750GL so I can make a hotspot with an AP.

What I have is a router connected to the RB750GL and then to the AP, and another switch connected to a number of PCs.

When I tried to set up the hotspot, the hotspot gateway had access to the LAN IPs and gave them new IPs in the hotspot pool.

I have no idea what I did wrong since I’m new to this.






The router configuration is:

Default gateway: 192.168.1.1
Subnet: 255.255.255.0

And the AP:
Default gateway: 192.168.1.254
Subnet: 255.255.255.0

What I want exactly is that whenever someone connects to the AP, it goes to the hotspot, and I don’t want the LAN PCs to conflict with the hotspot.

I’ve tried different things but it didn’t work, so I have no idea how to do that.

Any help?

What I want to do is prevent the hotspot on the LAN ports; I just need the hotspot to work on the AP (wireless).

However, on the interface I have ether1, ether2, ether3, ether4 and ether5.

ether1 goes for PoE so I don’t need it.

The AP is connected to ether2.
The LAN from the router is connected to ether3.

but interface the ether2 as if it’s ether3

I just don’t get it.

I still need help

Please, someone? :cry:

Well first of all, all your LAN ports are slaved together, so they act as one layer 2 interface (Think your standard LinkSys router). Remove the master port option on the port that goes to the PCs, and set up a DHCP server, Subnet, IP Address, NAT rules, and firewall rules on that interface.

Those LAN ports were slaved by default, so I didn’t change them.

I have a DHCP server enabled on the DSL router, so if I make a DHCP server on RouterOS, will it conflict with the router, or do I have to shut it down?

And could you help me do the DHCP, subnet, IP address, NAT rules and firewall step by step?

The default configuration for a 750 is going to be for your standard home use, that’s why they come like that by default.

A DHCP server is for a layer 2 network; it does not travel across layer 3 hops, which means that no, they will not interfere with each other, since your 750 will be handling the routing for your guests and clients.

The first step is to remove the port(s) that you want to go to the LAN PCs from the switch chip. This is done by setting their master-port to ‘none’. This makes them standalone routed interfaces that you can do anything you want with.

So the first step after that is going to be to assign an IP address to that interface. Let’s say you want the subnet there to be 192.168.50.0/24, and you want ether3 to go to the LAN PCs.

/ip address add interface=ether3 address=192.168.50.1/24

Then you will want to have a DHCP server and hand out addresses to those PCs unless you want to do static addresses for each one.

/ip pool add name="LAN PC" ranges=192.168.50.10-192.168.50.254
/ip dhcp-server add address-pool="LAN PC" interface=ether3 lease-time=1d name="DHCP PC" disabled=no
/ip dhcp-server network add address=192.168.50.0/24 gateway=192.168.50.1 dns-server=4.2.2.2,8.8.4.4

Now you are at the point of the PCs being able to pick up a lease and communicate to the router. The next thing that you will likely want to do is make it possible for the PCs to get out to the internet. This is done with NAT.

/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

This rule could already be in place with the default configuration, and is the most general and basic rule that is available for that. There is a lot you can do here, but that is outside of the scope of this thread for now.

The last thing you will likely want to do is prevent your LAN PCs from accessing computers on the hotspot interface and the computers on the hotspot interface from talking to the LAN PCs. This is done in the firewall filter. There is a very basic set of rules to accomplish this.

/ip firewall filter 
add action=accept chain=forward connection-state=established disabled=no
add action=accept chain=forward connection-state=related disabled=no
add action=drop chain=forward connection-state=invalid disabled=no
add action=accept chain=forward out-interface=ether1
add action=drop chain=forward

These rules are basically allowing traffic to be forwarded through the router out of ether1, your WAN port, but any other traffic being forwarded over the router will be dropped. Once again you can get a lot more fancy with these rules and do a lot of things to fit your needs, but that is the most basic stateful firewall and a good place to start.
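The five forward rules above are evaluated first match wins, so the order and the final drop are what isolate the LAN PCs from the hotspot. The following Python model is an added example, not part of the original post: it parses those rules and reports the verdict for constructed packets, assuming ether2 is the hotspot/AP port and ether3 the LAN PC port (ether1 is the WAN port, as in the post). It models only the three matchers these rules use, not the hotspot's own dynamic rules.

```python
import shlex

# The five forward-chain rules from the post above, copied verbatim.
RULES_TEXT = """\
add action=accept chain=forward connection-state=established disabled=no
add action=accept chain=forward connection-state=related disabled=no
add action=drop chain=forward connection-state=invalid disabled=no
add action=accept chain=forward out-interface=ether1
add action=drop chain=forward
"""
MATCHERS = ("connection-state", "in-interface", "out-interface")

def parse_rules(text):
    """Turn RouterOS 'add key=value ...' lines into dicts, skipping disabled rules."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rule = dict(tok.split("=", 1) for tok in tokens[1:])
        if rule.get("disabled", "no") != "yes":
            rules.append(rule)
    return rules

def verdict(rules, packet, chain="forward"):
    """First matching rule decides; a chain with no match accepts, as RouterOS does."""
    for rule in rules:
        if rule.get("chain") == chain and all(
                rule[k] == packet.get(k) for k in MATCHERS if k in rule):
            return rule["action"]
    return "accept"

def pkt(src, dst, state="new"):
    return {"in-interface": src, "out-interface": dst, "connection-state": state}

# Constructed sample packets. Assumed port roles (not from the post, except
# ether1): ether1 = WAN, ether2 = hotspot/AP, ether3 = LAN PCs.
PACKETS = {
    "lan_to_wan_new": pkt("ether3", "ether1"),
    "wan_reply_to_lan": pkt("ether1", "ether3", "established"),
    "hotspot_to_lan_new": pkt("ether2", "ether3"),
    "lan_to_hotspot_new": pkt("ether3", "ether2"),
    "wan_to_lan_new": pkt("ether1", "ether3"),
    "wan_invalid": pkt("ether1", "ether3", "invalid"),
}

def audit(text=RULES_TEXT):
    """Return {packet name: action} for every constructed packet."""
    rules = parse_rules(text)
    return {name: verdict(rules, p) for name, p in PACKETS.items()}
```

Calling `audit()` on the rule set with its last line removed shows the hotspot-to-LAN packet being accepted, which is why the closing `drop` rule must stay at the end of the chain.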

A small question before trying this.

What exactly I want is to prevent the LAN PCs from accessing the hotspot and have them run normally, as if nothing changed on the network, because those PCs are running an Internet cafe application.

And to run the hotspot for whoever connects to the AP.

Those PCs are connected as follows:

ADSL Router → Switch —> 8 PCs

So the PCs will get an IP from the DHCP server on the router.

And the other thing is as follows:

Cable from the ADSL Router —> RB750GL —> Ether2

Another Cable from the AP —> RB750GL → Ether3

So the AP is getting Internet from Ether2, and it has access to the LAN PCs from the router itself.

If I do exactly as you said, will this work for what I need?

You can of course bypass the LAN PCs on the network to allow them to get online and not go through the login process. Some of the functions of a hotspot, though, can interfere with services that you may want to have in place. This could be a network printer, sharing files across the PCs, LAN games, etc. Because of this, having them separate from the hotspot on their own routed interface usually is less of a problem, you have more flexibility, and it is more secure for the PCs, since a random guest using the hotspot will not be able to connect to the PCs over the network, and the same for guests if someone has loaded a virus or other software on the PCs that you are not aware of.

I am just giving general setup advice based off of the limited information that you have provided. If you want more specific answers, then more specific information needs to be given, such as clear current network topology, desired features/functions and design goals, and your current relevant router configuration (/export compact if you are running a recent version).

I’ve removed the master ports from all of the ports.

And I connected the AP to ether2. It has a DHCP server with the AP, so if clients connect to it, they’ll get an IP address from the AP.

And I connected a LAN cable from the router to ether3 so it can provide Internet.

I ran the hotspot setup on ether2 and everything was going well, but the problem is there’s no Internet access.

The hotspot login page is working, but if I made ether2 the master of ether3, it’ll get Internet access, but it’ll take all the hosts that are connected by LAN.

So is there a firewall rule to just take the Internet from ether3 and not get the hosts?

I tried to do this

/ip firewall nat add chain=srcnat action=masquerade out-interface=ether3

But it didn’t work.

Please supply this information:
/ip address print detail
/ip route print detail
/ip firewall export

The rule that you specified is wrong; you are specifying that things leaving port ether3 should be masqueraded to the private IP address of that interface. That doesn’t do you any good in getting those PCs online.