Wireless Hotspot bridged interfaces

markrailton · January 13, 2014, 9:36am

Hi guys,

im having an issue when setting up a hotspot on a bridged interface.

bridge1 = eth + wlan

for some reason and i’ve tested this if i set the hotspot interface to bridge1, i lose connectivity on winbox and the hotspot system doesnt work but the wireless with its default routes work fine.

is the hotspot creating a set of firewall rules that block for some reason ?

edit:

upon ping the device, where it worked before i get a ping prohibited.

any thoughts ?

plisken · January 13, 2014, 7:19pm

Try to connect with winbox klik on the three dots and logged in via mac.

markrailton · January 14, 2014, 7:09am

hmm its just wierd though it almost seems like

since the bridging the eth & wlan = bridge1 … and associating that to a hotspot it disconnects and i lose connectivity completely

i suspect a possible arp poisoning & bad routing because of it.

bit stumped on this one.

as for opening mikrotik and connecting on the mac, it wont be possible since im routing to the device and the mac connection is layer2.

markrailton · January 15, 2014, 9:46am

any ideas anyone?

i’ve read that setting up a hotspot on bridge must not include the public interface ( wlan in this case )

any thoughts ?

plisken · January 15, 2014, 9:52am

Have you set IP-address and DHCP-server on the bridge?

markrailton · January 16, 2014, 8:45am

yes i have, im not sure if the firewall rules/NAT rules are causing a problem.

once the bridge and hotspot and pools and interface bridge has been done.

i’m unable to ping it from a device on the same network as the bridge interface.

i get the following from my linuxbox:

From 10.4.10.106 icmp_seq=1 Destination Net Prohibited
From 10.4.10.106 icmp_seq=2 Destination Net Prohibited
From 10.4.10.106 icmp_seq=3 Destination Net Prohibited

since my linux box is on the same network it doesn’t suggest its a routing issue but more likely a firewall of some sort:

i have the default hotspot firewall/nat rules in place from using the hotspot setup option which works perfectly fine if i dont use a bridge interface.

Please help guys, still cant figure this out

plisken · January 16, 2014, 9:05am

By firewall rules, have you the interface set on the bridge?

Try with traceroute what the problem is

markrailton · January 16, 2014, 10:42am

not sure how the hotspot setup feature works,

it seems it creates all the firewall rules for the hotspot feature during which you specify the interface which i did “bridge1”

something in the firewall rules prevents any kind of connectivity to it over LAN, but if i try from my phone wirelessly it shows ( i think still testing that theory )

any thoughts ?

appreciate the help so far!

normis · January 16, 2014, 10:53am

You have to log into the hotspot, then it will allow you in. That’s the purpose of hotspot basically

markrailton · January 16, 2014, 11:04am

Hi Mikrotik Support,

i understand the functionality of the hotspot i’ve managed to get it to work perfectly with radius even & so far everything is great,

i just have an issue trying to run Hotspot feature on top of a bridge.

it appears that the bridge works fine without the hotspot feature setup on it.

if i apply the hotspot feauture select the bridge, i lose connectivity to the LAN side of the bridge, the troubleshooting i’ve done , i’ve isolated the problem to possibly the default firewall rules that are generated by the hotspot setup configuration wizard.

i disable all the firewall rules & hotspot … then im able to connect now problems.

anythoughts ?

normis · January 16, 2014, 11:25am

Did you try opening the browser? Since you put the hotspot on a bridge, it works on all directions. It means you have to log into the captive portal until you can access your router and other things.

markrailton · January 16, 2014, 11:58am

Hi,

the config is correct, its a firewall behavior by looks of things… I’m sure its blocking connectivity

here is a ping of my mikrotik, before and after the hotspot was enabled using the wizard.

Before Hotspot Setup with Wizard
64 bytes from 10.4.10.106: icmp_seq=417 ttl=64 time=0.247 ms
64 bytes from 10.4.10.106: icmp_seq=418 ttl=64 time=0.227 ms
64 bytes from 10.4.10.106: icmp_seq=419 ttl=64 time=0.243 ms
64 bytes from 10.4.10.106: icmp_seq=420 ttl=64 time=0.207 ms
64 bytes from 10.4.10.106: icmp_seq=421 ttl=64 time=0.209 ms
64 bytes from 10.4.10.106: icmp_seq=422 ttl=64 time=8.54 ms
64 bytes from 10.4.10.106: icmp_seq=423 ttl=64 time=0.431 ms
After Hotspot Wizard was used
From 10.4.10.106 icmp_seq=424 Destination Net Prohibited
From 10.4.10.106 icmp_seq=425 Destination Net Prohibited
From 10.4.10.106 icmp_seq=426 Destination Net Prohibited
From 10.4.10.106 icmp_seq=427 Destination Net Prohibited
From 10.4.10.106 icmp_seq=428 Destination Net Prohibited
From 10.4.10.106 icmp_seq=429 Destination Net Prohibited
From 10.4.10.106 icmp_seq=430 Destination Net Prohibited
From 10.4.10.106 icmp_seq=431 Destination Net Prohibited

I attempted to connect to wifi and it works but hotspot doesnt come up, clearly something not right specifically to do with the hotspot setup

uldis · January 16, 2014, 12:11pm

by default hotspot block the icmp protocol, if you want to ping the hotspot interface then you need to add the walled garden accept entry that allows the protocol=icmp
Also after you have logged in the hotspot you should be able to ping the router.

Also reconsider you network structure as currently if you enable the hotspot on the bridge then the default gateway should also be logged into the hotspot as the hotspot is working on all the bridged ports.
I would suggest to move the Hotspot to the default gateway router and leave the wifi bridged routers act only as wireless bridge.

markrailton · January 16, 2014, 2:20pm

Hi Uldis,

sorry to sound like an idiot but can you diagrammatically explain how i would do this.

at the moment this is the design we have:

[swtich_10.4.10.2/24] <--------> [AP_10.4.10.106/24]<------------>[Wifi Device_10.4.10.200/24]

eth1 + wlan1 = bridge1

Pool1 = 10.4.10.201/24-10.4.10.205/24

plisken · January 16, 2014, 2:36pm

Go to “walled garden IP list”
Klik on the blue cross
Do what you see in printscreen (by server stand hotspot you must set to bridge from hotspot)
This will make you can ping to the hotspot.
To login with winbox you will first need to log in to the hotspot

markrailton · January 17, 2014, 6:59am

Hi,

still no luck, i’m not sure if anyone understands the problem i’m experiencing.

topology:

[fortigate port_10.4.10.2/24] <--------> [AP_10.4.10.106/24]<------------>[Wifi Device_10.4.10.200/24]

Once the default hotspot firewall rules were setup then i couldn’t “manage” the mikrotik.

I’ve literally tried everything i dont think this is impossible but more a firewall behavior with the “default hotspot rules” wether it be in the Firewall Filter or Firewall NAT rules.

Absolutely stumped.

plisken · January 20, 2014, 9:06am

Set first the wireless interface and WAN before you begins to the hotspot setup

If you can, login (wireless) into the hotspot

If you logged in can you back use winbox

Try this.

PierreV · June 26, 2014, 5:39am

Hello,

I have exactly the same problem with Groove A-52Hpn.

If i use the “wlan1” interface since the hotspot setup, the hotspot function doesn’t work (but the wifi connection is ok, i have well internet with the wifi).

If i use the “bridge-local” interface :

If i have already connected with wifi before hotspot setup, the login page of the hotspot setup is well displayed.
If i make a new wifi connection, impossible to obtain an IP from access point DHCP server.
Impossible to connect with winbox after hotspot setup and this from ethernet or wifi access (http and Telnet)

Have you solved this problem ?
What is the correct configuration .

Many thanks in advance for your help.

Best regards

PierreV · June 26, 2014, 12:44pm

It’s work well.
Just upgrade the RouterOS to v6.15