Updated IP/Packet Flow for hotspot web/dns routing

Does anyone have an updated IP/packet flow diagram that includes the hotspot rules' packet flow? The one in the manual is ancient and looks to be missing some stuff.

I've been trying to set up some policy routing for web/DNS traffic that runs on the same MT box as a hotspot server. The problem I'm finding is that my redirect rules and the hotspot rules are stepping on each other and causing the traffic to die. If anyone has any ideas on how to tweak the rules better, I would appreciate it; see below for the current mangle set.


Here are the NAT rules, including the hotspot stuff:

 0 D chain=dstnat hotspot=from-client action=jump jump-target=hotspot 
 1 D chain=hotspot action=jump jump-target=pre-hotspot 
 2 D chain=hotspot protocol=udp dst-port=53 action=redirect to-ports=64872 
 3 D chain=hotspot protocol=tcp dst-port=53 action=redirect to-ports=64872 
 4 D chain=hotspot protocol=tcp dst-port=80 hotspot=local-dst action=redirect 
     to-ports=64873 
 5 D chain=hotspot protocol=tcp dst-port=443 hotspot=local-dst action=redirect 
     to-ports=64875 
 6 D chain=hotspot protocol=tcp hotspot=!auth action=jump jump-target=hs-unaut>
 7 D chain=hotspot protocol=tcp hotspot=auth action=jump jump-target=hs-auth 
 8 D chain=hs-unauth protocol=tcp dst-port=80 action=redirect to-ports=64874 
 9 D chain=hs-unauth protocol=tcp dst-port=3128 action=redirect to-ports=64874 
10 D chain=hs-unauth protocol=tcp dst-port=8080 action=redirect to-ports=64874 
11 D chain=hs-unauth protocol=tcp dst-port=443 action=redirect to-ports=64875 
12 D chain=hs-unauth protocol=tcp dst-port=25 action=jump jump-target=hs-smtp 
13 D chain=hs-auth protocol=tcp hotspot=http action=redirect to-ports=64874 
14 D chain=hs-auth protocol=tcp dst-port=25 action=jump jump-target=hs-smtp 
15   ;;; masquerade hotspot network
     chain=srcnat src-address=10.250.253.0/24 action=masquerade

These are my mangle rules:

/ ip firewall mangle 
add chain=prerouting in-interface=wlan1 protocol=tcp dst-port=0-1030 \
    connection-state=new hotspot=auth action=mark-connection \
    new-connection-mark=main-c1 passthrough=yes comment="" disabled=no 
add chain=prerouting connection-mark=main-c1 action=mark-routing \
    new-routing-mark=main-r passthrough=no comment="" disabled=no 
add chain=prerouting in-interface=wlan1 protocol=udp dst-port=0-1030 \
    connection-state=new hotspot=auth action=mark-packet \
    new-packet-mark=main-p2 passthrough=yes comment="" disabled=no 
add chain=prerouting packet-mark=main-p2 action=mark-routing \
    new-routing-mark=main-r passthrough=no comment="" disabled=no 
add chain=prerouting packet-mark=main-p2 action=log log-prefix="c2:" \
    comment="" disabled=no 
add chain=prerouting in-interface=wlan1 protocol=tcp dst-port=1812-1813 \
    action=mark-connection new-connection-mark=main-c3 passthrough=yes \
    comment="" disabled=no 
add chain=prerouting connection-mark=main-c3 action=mark-routing \
    new-routing-mark=main-r passthrough=no comment="" disabled=no 
add chain=prerouting in-interface=wlan1 protocol=udp dst-port=1812-1813 \
    action=mark-connection new-connection-mark=main-c4 passthrough=yes \
    comment="" disabled=no 
add chain=prerouting connection-mark=main-c4 action=mark-routing \
    new-routing-mark=main-r passthrough=no comment="" disabled=no 
add chain=prerouting in-interface=wlan1 protocol=icmp action=mark-connection \
    new-connection-mark=main-c5 passthrough=yes comment="" disabled=yes 
add chain=output src-address=10.250.253.0/24 dst-address=!10.250.253.0/24 \
    protocol=tcp dst-port=0-1030 connection-state=new src-address-list=local \
    hotspot=!local-dst action=mark-connection new-connection-mark=main-c1a \
    passthrough=yes comment="" disabled=no 
add chain=output connection-mark=main-c1a action=mark-routing \
    new-routing-mark=main-r passthrough=no comment="" disabled=no 
add chain=output protocol=udp dst-port=0-1030 src-address-list=local \
    action=mark-packet new-packet-mark=main-p2a passthrough=yes comment="" \
    disabled=no 
add chain=output packet-mark=main-p2a action=mark-routing \
    new-routing-mark=main-r passthrough=yes comment="" disabled=no 
add chain=output packet-mark=main-p2a action=log log-prefix="c2a:" comment="" \
    disabled=no 
add chain=output protocol=tcp dst-port=1812-1813 action=mark-connection \
    new-connection-mark=main-c3a passthrough=yes comment="" disabled=no 
add chain=output connection-mark=main-c3a action=mark-routing \
    new-routing-mark=main-r passthrough=no comment="" disabled=no 
add chain=output protocol=udp dst-port=1812-1813 action=mark-connection \
    new-connection-mark=main-c4a passthrough=yes comment="" disabled=no 
add chain=output connection-mark=main-c4a action=mark-routing \
    new-routing-mark=main-r passthrough=no comment="" disabled=no 
add chain=output protocol=icmp action=mark-connection \
    new-connection-mark=main-c5a passthrough=yes comment="" disabled=yes 
add chain=output connection-mark=main-c5a action=mark-packet \
    new-packet-mark=main-p5a passthrough=yes comment="" disabled=yes 
add chain=output packet-mark=main-p5a action=mark-routing \
    new-routing-mark=main-r passthrough=no comment="" disabled=yes

The ultimate goal of this is to push web/DNS/hotspot/FTP/telnet/etc… traffic through one gateway and let all other traffic (P2P) go out the default gateway.

There are two internet connections coming in on ether1 and ether2 that this box connects to. Whenever the hotspot is enabled, I see sporadic traffic going out one and in the other, or, if the 'default' connection dies, going nowhere when it should be using the alternate gateway.
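As an added example, not the poster's configuration and not a confirmed fix, here is one way to restructure the same policy so that the routing decision is keyed on a connection mark for both TCP and UDP (rather than a per-packet mark that only the first UDP packet of a flow receives), with router-local and hotspot-subnet destinations excluded so that hotspot redirects and the router's own replies to clients are never policy-routed. It assumes RouterOS v6 syntax; the address-list name hs-net, the mark names main-c/main-r and the gateway placeholder GW1_ADDR are assumptions, while wlan1, ether1/ether2 and 10.250.253.0/24 come from the post.

```routeros
/ip firewall address-list
add list=hs-net address=10.250.253.0/24 comment="hotspot client subnet from the post"

/ip firewall mangle
# Mark the connection (not the packet) on its first packet, for TCP and UDP alike,
# so every later packet of the flow inherits the same gateway choice.
# dst-address-type=!local and dst-address-list=!hs-net keep traffic aimed at the
# router itself or at other hotspot clients out of the policy table.
add chain=prerouting in-interface=wlan1 connection-state=new hotspot=auth \
    dst-address-type=!local dst-address-list=!hs-net protocol=tcp dst-port=0-1030 \
    action=mark-connection new-connection-mark=main-c passthrough=yes
add chain=prerouting in-interface=wlan1 connection-state=new hotspot=auth \
    dst-address-type=!local dst-address-list=!hs-net protocol=udp dst-port=0-1030 \
    action=mark-connection new-connection-mark=main-c passthrough=yes
# The hotspot DNS cache and web proxy open their own upstream connections from
# the router, so the same selection is repeated in the output chain.
add chain=output connection-state=new dst-address-type=!local \
    dst-address-list=!hs-net protocol=tcp dst-port=0-1030 \
    action=mark-connection new-connection-mark=main-c passthrough=yes
add chain=output connection-state=new dst-address-type=!local \
    dst-address-list=!hs-net protocol=udp dst-port=0-1030 \
    action=mark-connection new-connection-mark=main-c passthrough=yes
# One mark-routing rule per chain, keyed on the connection mark. The output rule
# excludes replies back to hotspot clients (e.g. from the redirected DNS cache or
# proxy) so they stay on the main table and are not pushed out a WAN gateway.
add chain=prerouting connection-mark=main-c action=mark-routing \
    new-routing-mark=main-r passthrough=no
add chain=output connection-mark=main-c dst-address-list=!hs-net \
    action=mark-routing new-routing-mark=main-r passthrough=no

/ip route
# GW1_ADDR is a placeholder for the preferred gateway on ether1 or ether2.
# check-gateway marks the route inactive when the gateway stops answering, so
# marked flows fall back to the main table instead of being black-holed.
add dst-address=0.0.0.0/0 gateway=GW1_ADDR routing-mark=main-r check-gateway=ping
```

The existing default route(s) in the main table are left as they are; only the marked table changes, and the log rules from the original set can be kept by matching on connection-mark=main-c.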