Running hotspot on bridge??

Hi, I have a two-ethernet hotspot router and I am trying to get hotspot to run on a 2-port (ether0 + ether1) bridge. Everything works fine without hotspot enabled: local users get DHCP, DNS lookup etc. But when I enable the hotspot the network dies, I cannot even ping in or out! First I tried on our class C and then on a 10.1.0.0/16. Here are the configs. I've tried /system reset and it is running 2.9.41. This is my setup:

hotspot

[admin@auth2.9.41] ip hotspot> export
/ ip hotspot
add name="hotspot1" interface=bridge1 address-pool=wire-pool profile=hsprof1 idle-timeout=none \
    keepalive-timeout=none addresses-per-mac=1 disabled=no
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot profile
add name="hsprof1" hotspot-address=10.1.0.3 dns-name="" html-directory=hotspot rate-limit="" \
    http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d \
    split-user-domain=no use-radius=yes
/ ip hotspot user
add name="admin" password="**********" profile=default comment="" disabled=no
/ ip hotspot user profile
set default name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 \
    transparent-proxy=no

dhcp

[admin@auth2.9.41] ip dhcp-server> export

/ ip dhcp-server
add name="dhcp1" interface=bridge1 lease-time=1h address-pool=wire-pool bootp-support=static authoritative=yes \
    disabled=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip dhcp-server lease
/ ip dhcp-server network
add address=10.1.0.0/16 gateway=10.1.0.3 dns-server=192.168.2.2,10.1.100.10 comment="hotspot network"

dns

[admin@NOCAuth-2.9.41] ip dns> export

/ ip dns
set primary-dns=192.168.2.2 secondary-dns=10.1.100.10 allow-remote-requests=no cache-size=2048KiB \
    cache-max-ttl=1w

dhcp pool

[admin@NOCAuth-2.9.41] ip pool> export

/ ip pool
add name="wire-pool" ranges=10.1.200.1-10.1.201.254

bridge

[admin@NOCAuth-2.9.41] interface> export

/ interface ethernet
set out-wire name="out-wire" mtu=1500 mac-address=00:08:54:1D:57:0E arp=enabled disable-running-check=yes \
    auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
set in-lan name="in-lan" mtu=1500 mac-address=00:14:2A:FE:8C:61 arp=enabled disable-running-check=yes \
    auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps comment="" disabled=no
/ interface bridge
add name="bridge1" mtu=1500 arp=enabled stp=no priority=32768 ageing-time=5m forward-delay=15s \
    garbage-collection-interval=4s hello-time=2s max-message-age=20s comment="" disabled=no
/ interface bridge port
add interface=in-lan bridge=bridge1 priority=128 path-cost=10 comment="" disabled=no
add interface=out-wire bridge=bridge1 priority=128 path-cost=10 comment="" disabled=no

ip address

[admin@NOCAuth-2.9.41] ip address> pr
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.3/16        10.1.0.0        10.1.255.255    bridge1

routes

[admin@NOCAuth-2.9.41] ip route> pr
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
 #     DST-ADDRESS        PREF-SRC        G GATEWAY         DISTANCE INTERFACE
 0 ADC 10.1.0.0/16        10.1.0.3                                   bridge1
 1 A S 0.0.0.0/0                          r 10.1.0.1                 bridge1

thank you,

Kiira

It appears that your hotspot’s default gateway is on address 10.1.0.1, which is part of the hotspot network itself and thus connected to the interface that the hotspot is active on (bridge1).

That is not a good design. You should have a separate client-facing interface on which you run the hotspot and another separate interface to connect to your upstream gateway. The hotspot should not be active on that upstream interface.

If you need more than one client-facing physical interface for the hotspot then you can bridge ports just like you did (but do NOT include the upstream interface in the bridge) or just connect a transparent layer 2 switch to the router’s hotspot interface.

–Tom
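For readers who want to see Tom's design as a concrete configuration, here is an added example in the same RouterOS 2.9 export style as the thread; it is not a config posted by Tom or Kiira. It keeps the interface names and the 10.1.0.0/16 client network from the thread but drops the bridge: in-lan is the only client-facing port and carries the hotspot, out-wire is the upstream link and is never bridged with it. The upstream subnet (192.0.2.0/30, with the Cisco at 192.0.2.1) is a placeholder chosen for the example; the Cisco side would have to be renumbered to match, since 10.1.0.1 can no longer sit inside the hotspot network. The masquerade rule assumes the upstream has no route back to 10.1.0.0/16.

```routeros
# Added example: one client port (in-lan) with hotspot, one upstream port
# (out-wire) without it. Interface names as in the thread; upstream
# addresses are placeholders.

# Two ports only, so no bridge is needed: remove the bridge from the thread.
/ interface bridge port
remove [find]
/ interface bridge
remove [find]

# Client network stays 10.1.0.0/16, but bound to in-lan alone.
/ ip address
add address=10.1.0.3/16 interface=in-lan comment="hotspot clients"
# Upstream link on its own subnet (placeholder addresses, not from the thread).
add address=192.0.2.2/30 interface=out-wire comment="upstream to Cisco"

# Default route now leaves via the upstream port, not via the hotspot network.
/ ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1

/ ip pool
add name="wire-pool" ranges=10.1.200.1-10.1.201.254

# DHCP serves the client port only; gateway is the router itself.
/ ip dhcp-server
add name="dhcp1" interface=in-lan lease-time=1h address-pool=wire-pool disabled=no
/ ip dhcp-server network
add address=10.1.0.0/16 gateway=10.1.0.3 dns-server=192.168.2.2,10.1.100.10 comment="hotspot network"

# Hotspot is active on the client port only; out-wire has no hotspot server.
/ ip hotspot profile
add name="hsprof1" hotspot-address=10.1.0.3 html-directory=hotspot login-by=cookie,http-chap \
    http-cookie-lifetime=3d use-radius=yes
/ ip hotspot
add name="hotspot1" interface=in-lan address-pool=wire-pool profile=hsprof1 disabled=no

# Assumption: upstream cannot route back to 10.1.0.0/16, so NAT client traffic
# as it leaves out-wire.
/ ip firewall nat
add chain=srcnat out-interface=out-wire action=masquerade comment="hotspot clients"
```

If more than one physical client port is needed later, add only those ports to a bridge and point the hotspot, the address and the DHCP server at the bridge instead of in-lan; out-wire stays outside the bridge either way.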

How can this be made possible, Tom? I have difficulty understanding this, but I think this could be the right design.

What I presently have is hotspot servers defined on each interface, ether0 and ether1, on my RB532, which seems to have very high CPU: 100% most of the time.

I am thinking of having just one hotspot server and bridging the interfaces, hoping to lower the CPU.

Kiira: sorry for hijacking the thread. I have been trying to get the right design and going round and round.

Mat

Yes, 10.1.0.1 is a port on a Cisco 7509.

That is not a good design. You should have a separate client-facing interface on which you run the hotspot and another separate interface to connect to your upstream gateway. The hotspot should not be active on that upstream interface.

OK I see. So there is no way to run the hotspot on bridged interfaces if the default gateway is part of the bridge network.

I had hoped to simplify my network slightly and use the authentication MT machine as a transparent traffic shaper as well as a hotspot. So I will need two machines now, I see.

thank you,

Kiira

You can run hotspot on a bridged interface, just not in the way you are trying.

You can use the MT as you’d like to, but just don’t bridge the hotspot interface.

Either that, or just try changing the gateway of your DHCP config to be 10.1.0.1, and not the hotspot itself…

I thought that would work too, but it did not. The config I posted was the one I went back to after trying to use the Cisco port as the gateway in DHCP.

In fact, nothing would work with the MT as a bridge whenever I turned on the hotspot. I couldn't even ping in the 10.1.0.0/16 network at all! MT 2.9.41.

Kiira