Using Mikrotik web proxy in hotspot setup

Hi MT experts,

I am trying to set up a simple web proxy using the built-in web proxy feature of the MikroTik. I have been able to set it up using the information from http://wiki.mikrotik.com/wiki/How_to_Block_Websites_%26_Stop_Downloading_Using_Proxy

and for the most part it successfully blocks the sites as listed in the proxy. However, I can’t access any other sites. All I get is the following message:

“There is a loop in network for HTTP traffic…”

In my HS server profile I have set up the HTTP proxy as my HS gateway and the proxy port as 8080, and in my web proxy I have followed the steps in the link above.

What should I do?

Thanks in advance

The Hotspot itself is already a proxy, so you’re looping to yourself. To bypass the automatic proxy for authenticated users, insert the following NAT rule:

/ip firewall nat
add chain=pre-hotspot dst-address-type=!local hotspot=auth action=accept

That has other side effects. If it does not work well for you, you can try rewriting your proxy rules to work in the ‘output’ rather than the ‘forward’ chain, but that will also have side effects.

Overall the cleanest solution would be to use a third party proxy.

Thanks for the information. Is it possible to use the out-of-the-box hotspot proxy to deny certain websites after users have authenticated, or for trial users?

Walled garden rules are only evaluated before authentication - at least according to the documentation. Try it out - just configure “/ip hotspot walled-garden” like you would the proxy. Worth a shot. I don’t think it will work, though.

Yeah… tried it and it doesn’t work after authentication. Looks like a third party webproxy might be the only answer.

Thanks for your insight and knowledge!

Yes, you can, but you need to force guests to use the proxy after they sign in. This can be done with a simple NAT rule, or you can enable “use transparent proxy” in the user profile. The transparent proxy only works for HTTP, not HTTPS.
http://wiki.mikrotik.com/wiki/Manual:IP/Proxy

With the NAT rule it looks something like this. It needs to come before the hotspot rules in the firewall; you can also put it in the pre-hotspot chain:

/ip firewall nat
add chain=dstnat action=redirect to-ports=8080 dst-port=80 protocol=tcp hotspot=auth src-address=192.168.1.0/24

If you want to do this for only certain profiles, then you need to apply it at the profile level, or use a dynamic address list that a guest is added to upon signing in (another option in the user profiles), or do it with a RADIUS attribute.

Nice! That’s a neat workaround.

Using the pre-hotspot chain would be more reliable since that hooks directly into the provided customization, and the hotspot NAT rules are dynamic and may change position. I’d also add “dst-address-type=!local” so that the servlets (such as status) continue to make it through and continue to work.
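The complete configuration that the thread arrives at, put together here as an added example (it is not a config posted by any participant): the built-in web proxy with a deny rule, a redirect in the pre-hotspot chain that only catches authenticated users and skips traffic to the router itself, and an input filter so the proxy port is not reachable from outside the hotspot network. The hotspot subnet 192.168.1.0/24, the blocked host pattern *.example.com and port 8080 are assumptions; replace them with your own values.

```routeros
# Added example: transparent proxy for authenticated hotspot users (RouterOS CLI).
# Assumptions: hotspot clients are in 192.168.1.0/24, proxy listens on 8080,
# *.example.com is the site to block. None of these are from the original thread.

# 1. Enable the built-in web proxy on port 8080.
/ip proxy
set enabled=yes port=8080

# 2. Proxy access rules: deny the unwanted host, allow everything else.
/ip proxy access
add dst-host=*.example.com action=deny comment="block example.com via proxy"

# 3. Redirect HTTP (TCP/80) from authenticated users into the proxy.
#    chain=pre-hotspot  -> evaluated before the dynamic hotspot NAT rules, so position is stable
#    hotspot=auth       -> only users who have already logged in
#    dst-address-type=!local -> leave traffic to the router itself alone so the
#                               hotspot servlets (login, status) keep working
/ip firewall nat
add chain=pre-hotspot protocol=tcp dst-port=80 hotspot=auth dst-address-type=!local \
    src-address=192.168.1.0/24 action=redirect to-ports=8080 \
    comment="transparent proxy for authenticated hotspot users"

# 4. Do not expose the proxy port to anything outside the hotspot subnet;
#    an open proxy on a public interface will be found and abused.
/ip firewall filter
add chain=input protocol=tcp dst-port=8080 src-address=!192.168.1.0/24 action=drop \
    comment="proxy reachable only from hotspot clients"
```

Only plain HTTP is redirected; HTTPS (TCP/443) passes the proxy untouched, as noted in the thread, so a deny rule in /ip proxy access does nothing for TLS connections. Check the result with /ip firewall nat print chain=pre-hotspot and by watching the counters on the redirect rule while an authenticated client browses.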

Hello Fewi,
You said to add the rule in the pre-hotspot chain.

I don’t understand you very well. How is it done?

I need your help.

Thanks