rawadkamel
just joined
Topic Author
Posts: 6
Joined: Mon Mar 11, 2019 9:47 am

Hotspot wifi and Lan users

Mon Mar 11, 2019 9:59 am

Dears,
I have a core router with LAN IP 192.168.22.1 255.255.255.0 / WAN IP 172.16.25.2 255.255.255.252
Switch LAN 192.168.22.2 255.255.255.0
Desktop User 1 IP: 192.168.22.11 Subnet: 255.255.255.0 Gateway: 192.168.22.1
Desktop User 2 IP: 192.168.22.12 Subnet: 255.255.255.0 Gateway: 192.168.22.1
Hotspot router WAN port 192.168.22.3 255.255.255.0, gateway 192.168.22.1
LAN 10.5.50.1 and hotspot at the same time

The problem is that when the hotspot router is connected to the LAN network, desktop users are required to authenticate and are redirected to it.
How can I fix this issue?
Thank you in advance.
 
solar77
Member
Posts: 437
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Hotspot wifi and Lan users

Mon Mar 11, 2019 1:28 pm

Topology?
MTCNA MTCTCE UEWA
 
rawadkamel
just joined
Topic Author
Posts: 6
Joined: Mon Mar 11, 2019 9:47 am

Re: Hotspot wifi and Lan users

Mon Mar 11, 2019 2:05 pm

Topology
Drawing1.pdf
 
anav
Forum Guru
Posts: 3150
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hotspot wifi and Lan users

Mon Mar 11, 2019 2:09 pm

Is that normal?
By that I mean using a second MikroTik router solely as a hotspot device, vice simply doing it on the first, main MikroTik router?
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
rawadkamel
just joined
Topic Author
Posts: 6
Joined: Mon Mar 11, 2019 9:47 am

Re: Hotspot wifi and Lan users

Mon Mar 11, 2019 2:24 pm

How can I do it without conflict between LAN users and wifi AP users?
 
solar77
Member
Posts: 437
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Hotspot wifi and Lan users

Mon Mar 11, 2019 2:40 pm

Answer: the main router can be a hotspot server. There is no need for the 2nd MikroTik to be there if that's the only job it does.

Create a separate subnet on the ports where the WiFi AP is connected. Use VLAN if you want, but it's not a must.
So you will have bridge_lan and bridge_wifi, for example: add port 1 and port 2 to bridge_lan, and add port 3 and port 4 to bridge_wifi.
Then set up firewall rules so the traffic does not go from the wifi bridge to the lan bridge, but they both have internet.

Not sure why currently the lan user is behind hotspot rules. Probably the redirect rules in firewall filter included all traffic, instead of just wifi traffic. Without seeing the config, that's my best guess.
MTCNA MTCTCE UEWA
 
rawadkamel
just joined
Topic Author
Posts: 6
Joined: Mon Mar 11, 2019 9:47 am

Re: Hotspot wifi and Lan users

Mon Mar 11, 2019 3:06 pm

I have two networks on the main router: the private network 192.168.22.0/24 and the customer network 10.5.51.0.
Access points and the private network are on the same network switch.
What I want is: when a customer connects through the WIFI AP, they log in to the hotspot,
and when the private network uses the network, it connects through 192.168.22.1 and does not have to log in to the hotspot.
How do I configure this and connect the UTP cables from the router to the switch?
 
kiaunel
Member Candidate
Posts: 211
Joined: Mon Jul 21, 2014 7:59 pm
Location: Romania

Re: Hotspot wifi and Lan users

Mon Mar 11, 2019 7:14 pm

It is very simple. Your topology is totally wrong.
For wireless clients to get access to the hotspot interface, you had to assign the uplink ether port on the hotspot device.
So the hotspot pool is everywhere in your network.
So, first:
Move the two cables from the switch to the LAN ports of the MikroTik hotspot device.
What you have to do on the MikroTik hotspot device:
Remove ether x (uplink port) from any bridge
Add the ethernet ports connected to the access points to one bridge
Set that bridge as the interface in the hotspot section

Second: you do not need a separate device for this.
Assuming that your main router has 4 LAN ports, you can plug everything in there; if you need more cables you will need a managed switch or two dumb switches.
Create a bridge with its own address pool for the two PCs
and a second bridge for the hotspot with the other two ports assigned.
Hope it is clear.
 
solar77
Member
Posts: 437
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Hotspot wifi and Lan users

Mon Mar 11, 2019 7:43 pm

If both the lan and wifi network are connected to the same layer 2 switch, you will not be able to stop the traffic going between them.

Can you connect the desktop PCs to the router so those ports can have 192.168.22.0/24 only, and wifi on other ports or through the switch?

If you cannot physically bring everything back to the router, then you will need to use VLANs, and the switch needs to be VLAN aware so it knows which port belongs to which VLAN.
MTCNA MTCTCE UEWA
 
rawadkamel
just joined
Topic Author
Posts: 6
Joined: Mon Mar 11, 2019 9:47 am

Re: Hotspot wifi and Lan users

Tue Mar 12, 2019 2:11 pm

VLAN id = 2 has been created on the switch to separate the APs from the LAN users.
On the MikroTik CCR router a hotspot was created with a DHCP server and pool 10.5.50.0/24 on Ethernet 3.
Ethernet 2: LAN users, range 192.168.22.0/24
Ethernet 1: range of the Internet modem
Wifi users cannot access the hotspot DHCP pool and get an IP address.
Firewall rules were created to drop access from 10.5.50.0/24 to 192.168.22.0/24 and vice versa.
Is there anything preventing wifi users from getting DHCP?
 
solar77
Member
Posts: 437
Joined: Thu Feb 04, 2016 11:42 am
Location: Scotland

Re: Hotspot wifi and Lan users

Tue Mar 12, 2019 4:56 pm

VLAN id = 2 has been created on the switch to separate the APs from the LAN users.
On the MikroTik CCR router a hotspot was created with a DHCP server and pool 10.5.50.0/24 on Ethernet 3.
Wifi users cannot access the hotspot DHCP pool and get an IP address.
I can see that the hotspot is on ether3, but it needs to be on VLAN 2. That's why your wifi users do not get to the hotspot server.
I assume that you have created VLAN 2 on the MikroTik too?
MTCNA MTCTCE UEWA
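The single-router layout solar77 and kiaunel describe above (hotspot on the CCR itself, LAN users on a plain routed port, the APs reaching the router over VLAN 2 on ether3), written out as an added RouterOS example; it is not config posted in this thread. It assumes ether1 = modem, ether2 = LAN PCs, ether3 = uplink to the switch, with the switch port toward the CCR tagged for VLAN 2 and the AP ports untagged members of VLAN 2; all interface, pool and profile names are chosen here.

```routeros
# Added example (not from the thread). Assumed layout: ether1 = modem,
# ether2 = LAN PCs 192.168.22.0/24, ether3 = uplink to the switch carrying
# VLAN 2 tagged, AP ports on the switch untagged in VLAN 2.

# LAN users stay on a plain routed port; the hotspot never touches it
/ip address add address=192.168.22.1/24 interface=ether2
/ip pool add name=lan-pool ranges=192.168.22.10-192.168.22.254
/ip dhcp-server add name=lan-dhcp interface=ether2 address-pool=lan-pool disabled=no
/ip dhcp-server network add address=192.168.22.0/24 gateway=192.168.22.1 dns-server=192.168.22.1

# VLAN 2 carries only AP traffic. Binding the hotspot (and its DHCP server) to this
# interface is what keeps the hotspot's dynamic redirect rules off the desktops:
# a hotspot bound to ether3 itself would see untagged frames only, which is why
# tagged wifi clients got no DHCP lease in the post above.
/interface vlan add name=vlan2-hotspot interface=ether3 vlan-id=2
/ip address add address=10.5.50.1/24 interface=vlan2-hotspot
/ip pool add name=hotspot-pool ranges=10.5.50.10-10.5.50.254
/ip dhcp-server add name=hotspot-dhcp interface=vlan2-hotspot address-pool=hotspot-pool disabled=no
/ip dhcp-server network add address=10.5.50.0/24 gateway=10.5.50.1 dns-server=10.5.50.1

# Hotspot on the VLAN interface only (no address-pool option, as pcunite advises later)
/ip hotspot profile add name=hs-profile hotspot-address=10.5.50.1 dns-name=hotspot.lan
/ip hotspot add name=hotspot1 interface=vlan2-hotspot profile=hs-profile disabled=no
/ip hotspot user add name=guest password=guest

/ip dns set allow-remote-requests=yes servers=9.9.9.9

# Keep the two networks apart in both directions; each gets internet only
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="estab/related"
add chain=forward action=drop src-address=10.5.50.0/24 dst-address=192.168.22.0/24 comment="hotspot -> LAN"
add chain=forward action=drop src-address=192.168.22.0/24 dst-address=10.5.50.0/24 comment="LAN -> hotspot"
add chain=forward action=accept in-interface=ether2 out-interface=ether1 comment="LAN to internet"
add chain=forward action=accept in-interface=vlan2-hotspot out-interface=ether1 comment="hotspot to internet"
add chain=forward action=drop comment="drop the rest"

/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
```

Check the result with /ip hotspot host print and /ip dhcp-server lease print: wifi clients should appear with 10.5.50.x leases, and the 192.168.22.x desktops should never show up in the hotspot host table.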
 
pcunite
Forum Veteran
Posts: 951
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Hotspot wifi and Lan users

Wed Mar 13, 2019 6:50 pm

I'm in the process of setting this up for someone. I prefer the use of a separate device to function as the Hotspot (captive portal) server. I'm using the hEX S for this purpose with an RB4011 as the main router. You need VLANs, of course, such that Guests accessing the Guest SSID are on a VLAN of their own. The main router, and the Hotspot server have a Trunk port connecting the two together.
 
anav
Forum Guru
Posts: 3150
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Hotspot wifi and Lan users

Wed Mar 13, 2019 8:09 pm

I'm in the process of setting this up for someone. I prefer the use of a separate device to function as the Hotspot (captive portal) server. I'm using the hEX S for this purpose with an RB4011 as the main router. You need VLANs, of course, such that Guests accessing the Guest SSID are on a VLAN of their own. The main router, and the Hotspot server have a Trunk port connecting the two together.
Awesome pcunite when complete and functioning can you post the config of both please!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
pcunite
Forum Veteran
Posts: 951
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: Hotspot wifi and Lan users

Fri Mar 15, 2019 3:56 am

Awesome, pcunite when complete and functioning, can you post the config of both please!

Here you go. While creating this example, I also noticed some areas that might be confusing in my other VLAN examples. So, I'll be updating those to better show how the BASE_VLAN should be implemented, as I do here.

Hotspot with a separate router:
When using the Hotspot service (a captive portal), it should be noted that this feature is similar to what a Rogue router might do. You now have two routers on your network to reason about. It adds some tricky rules to both the Firewall and NAT tables. For this reason, I prefer the Hotspot service to be on a separate physical device and safely VLAN'd away. I hope that in the future, the network community comes up with a better way to accomplish showing a website on demand when accessing the network for the first time.

Overview:
There are probably several ways to accomplish this. Here, I illustrate several VLANs. The BLUE vlan is your standard corporate network. The BASE vlan is what I use as a management network and also for device to device communication. The HOTSPOT vlans are what make this method unique. They allow both the Hotspot server itself and its clients to be segmented and blocked off from the rest of your network. HOTSPOT_GUEST is where the actual guests live, and HOTSPOT_ROUTE is a way to get packets in and out without touching anything else. Of special note: don't use the address-pool option under the ip hotspot menu. I believe it caused me issues with iPhones.


Main Router:
###############################################################################
# Topic:		Using RouterOS to VLAN your network
# Example:		Hotspot with a separate router
# Web:			https://forum.mikrotik.com/viewtopic.php?t=143620
# RouterOS:		6.43.12
# Date:			Mar 14, 2019
# Notes:		Start with a reset (/system reset-configuration)
# Author:		pcunite
###############################################################################

#######################################
# VLAN Overview
#######################################

# 10 = BLUE (CORP MAIN)
# 20 = HOTSPOT_ROUTE
# 30 = HOTSPOT_GUEST
# 99 = BASE (MGMT) Layer

#######################################
# Naming
#######################################

/system identity set name=Router


#######################################
# Bridge
#######################################

/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no


#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1, enable port security features
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether2
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether3
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether4

# egress behavior
/interface bridge vlan

# Purple Trunk. These need IP Services (L3), so add Bridge as member
add bridge=BR1 tagged=BR1,ether2,ether3,ether4 vlan-ids=10
add bridge=BR1 tagged=BR1,ether2,ether3,ether4 vlan-ids=20
add bridge=BR1 tagged=BR1,ether2,ether3,ether4 vlan-ids=30
add bridge=BR1 tagged=BR1,ether2,ether3,ether4 vlan-ids=99


#######################################
# IP Addressing & Routing
#######################################

# LAN facing router's IP address on a BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.1/24 interface=BASE_VLAN

# DNS server, set to cache for LAN
/ip dns set allow-remote-requests=yes servers="9.9.9.9"

# Yellow WAN facing port with IP Address provided by ISP
/ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0

# router's gateway provided by ISP
/ip route add distance=1 gateway=b.b.b.b


#######################################
# IP Services
#######################################

# BLUE (CORP MAIN) VLAN interface creation, IP assignment, and DHCP service
/interface vlan add interface=BR1 name=BLUE_VLAN vlan-id=10
/ip address add interface=BLUE_VLAN address=10.0.10.1/24
/ip pool add name=BLUE_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server add address-pool=BLUE_POOL interface=BLUE_VLAN name=BLUE_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1

# HOTSPOT_ROUTE VLAN interface creation, and IP assignment
/interface vlan add interface=BR1 name=HOTSPOT_ROUTE_VLAN vlan-id=20
/ip address add interface=HOTSPOT_ROUTE_VLAN address=10.0.20.1/24

# HOTSPOT_GUEST VLAN interface creation, and IP assignment
/interface vlan add interface=BR1 name=HOTSPOT_GUEST_VLAN vlan-id=30
/ip address add interface=HOTSPOT_GUEST_VLAN address=10.0.30.1/24

# Optional
# Make BASE_VLAN interface IP, and DHCP instance


#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=WAN
/interface list add name=VLAN
/interface list add name=BASE

/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=BASE
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=HOTSPOT_ROUTE_VLAN list=VLAN
add interface=HOTSPOT_GUEST_VLAN list=VLAN

# VLAN aware firewall. Order is important.
/ip firewall filter

##################
# INPUT CHAIN
##################
add action=accept chain=input comment="Allow Estab & Related" connection-state=established,related

# Allow VLANs to access router DNS services
add action=accept chain=input comment="Allow VLAN DNS Services" dst-port=53 in-interface-list=VLAN protocol=udp

# Allow BASE_VLAN full access router, Winbox, etc.
add action=accept chain=input comment="Allow Base_Vlan Full Access" in-interface=BASE_VLAN

add action=drop chain=input comment=Drop

##################
# FORWARD CHAIN
##################
add action=accept chain=forward comment="Allow Estab & Related" connection-state=established,related

# Allow all VLANs to access the Internet only, NOT each other
add action=accept chain=forward comment="VLAN Internet Access only" connection-state=new in-interface-list=VLAN out-interface-list=WAN

add action=accept chain=forward connection-nat-state=dstnat in-interface-list=WAN comment="Allow port forwards"
add action=drop chain=forward comment=Drop


##################
# NAT
##################
/ip firewall nat

# Standard masquerade
add action=masquerade chain=srcnat out-interface-list=WAN comment=masquerade

# Force DNS for BLUE_VLAN
# Corrected here: the posted rules matched in-interface=BR1 and redirected to 192.168.2.1. Once
# vlan-filtering is on, BLUE traffic enters L3 via BLUE_VLAN, and this router's DNS is on 192.168.0.1.
add action=dst-nat chain=dstnat dst-port=53 in-interface=BLUE_VLAN protocol=tcp to-addresses=192.168.0.1 to-ports=53 comment="Force DNS"
add action=dst-nat chain=dstnat dst-port=53 in-interface=BLUE_VLAN protocol=udp to-addresses=192.168.0.1 to-ports=53

#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, our MGMT layer
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=none


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes

Hotspot Router:
###############################################################################
# Topic:		Using RouterOS to VLAN your network
# Example:		Hotspot with a separate router
# Web:			https://forum.mikrotik.com/viewtopic.php?t=143620
# RouterOS:		6.43.12
# Date:			Apr 18, 2019
# Notes:		Start with a reset (/system reset-configuration)
# Author:		pcunite
###############################################################################

#######################################
# VLAN Overview
#######################################

# 10 = BLUE (CORP MAIN)
# 20 = HOTSPOT_ROUTE
# 30 = HOTSPOT_GUEST
# 99 = BASE (MGMT) Layer


#######################################
# Naming
#######################################

/system identity set name=HotspotRouter


#######################################
# Bridge
#######################################

# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no


#######################################
#
# -- Trunk Ports --
#
#######################################

# ingress behavior
/interface bridge port

# Purple Trunk. Leave pvid set to default of 1, enable port security features
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1

# egress behavior
/interface bridge vlan

# Purple Trunk. These need IP Services (L3), so add Bridge as member
add bridge=BR1 tagged=BR1,ether1 vlan-ids=10
add bridge=BR1 tagged=BR1,ether1 vlan-ids=20
add bridge=BR1 tagged=BR1,ether1 vlan-ids=30
add bridge=BR1 tagged=BR1,ether1 vlan-ids=99


#######################################
# IP Addressing & Routing
#######################################

# LAN facing Router's IP address on the BASE_VLAN
/interface vlan add interface=BR1 name=BASE_VLAN vlan-id=99
/ip address add address=192.168.0.2/24 interface=BASE_VLAN

# IP address to access HOTSPOT_ROUTE VLAN
/interface vlan add interface=BR1 name=HOTSPOT_ROUTE vlan-id=20
/ip address add address=10.0.20.2/24 interface=HOTSPOT_ROUTE

# IP address for Hotspot user services, DNS, DHCP, etc.
/interface vlan add interface=BR1 name=HOTSPOT_GUEST vlan-id=30
/ip address add address=10.0.30.2/24 interface=HOTSPOT_GUEST

# Routing:
# The Router's IP we use. We route over the HOTSPOT_ROUTE VLAN
/ip route add distance=1 gateway=10.0.20.1


#######################################
# Hotspot Router Settings
#######################################

# Use DNS supplied from HOTSPOT_ROUTE VLAN
/ip dns set allow-remote-requests=yes servers=10.0.20.1

# DHCP settings for the HOTSPOT_GUEST VLAN.
/ip pool add name=Hotspot_POOL ranges=10.0.30.10-10.0.30.254
/ip dhcp-server add address-pool=Hotspot_POOL disabled=no interface=HOTSPOT_GUEST name=Hotspot_DHCP
/ip dhcp-server network add address=10.0.30.0/24 dns-server=10.0.30.2 gateway=10.0.30.2

# One shared account, allowed up to 200 simultaneous sessions. Customize as you see fit
/ip hotspot user add name=userhotspot password=userhotspot
/ip hotspot user profile set [ find default=yes ] shared-users=200

# Other settings. Don't use the HotSpot 'address-pool' option. It is a NAT helper and may cause issues with iPhones.
/ip hotspot profile set [ find default=yes ] dns-name=MyHotspot.lan hotspot-address=10.0.30.2 html-directory=flash/hotspot
/ip hotspot add interface=HOTSPOT_GUEST name=Hotspot1 disabled=no
/ip hotspot service-port set ftp disabled=yes


#######################################
# Firewalling & NAT
# A Hotspot is basically a Rogue
# router. So we are careful with what
# we allow it to do.
#######################################

# Use MikroTik's "list" feature for easy rule matchmaking.

/interface list add name=BASE

/interface list member
add interface=BASE_VLAN list=BASE

# VLAN aware firewall. Order is important.
/ip firewall filter


##################
# INPUT CHAIN
##################
add action=accept chain=input connection-state=established,related comment="Allow Estab & Related"

# Allow BASE_VLAN full access
add action=accept chain=input in-interface=BASE_VLAN comment="Allow Base_Vlan to MikroTik"

# Optional: Allow Winbox from other VLANs. Naturally, you SHOULD make it more granular.
add action=accept chain=input in-interface=HOTSPOT_ROUTE comment="Allow HOTSPOT_ROUTE to MikroTik"

add action=drop chain=input comment=Drop

##################
# FORWARD CHAIN
##################
add action=accept chain=forward connection-state=established,related comment="Allow Estab & Related"

# Allow HOTSPOT_GUEST access the Internet only
add action=accept chain=forward connection-state=new in-interface=HOTSPOT_GUEST out-interface=HOTSPOT_ROUTE comment="Allow VLAN Internet Access"

add action=drop chain=forward comment=Drop

##################
# NAT
##################
/ip firewall nat add action=masquerade chain=srcnat src-address=10.0.30.0/24 comment="masquerade"


#######################################
# MAC Server settings
#######################################

# Ensure only visibility and availability from BASE_VLAN, our MGMT layer
/ip neighbor discovery-settings set discover-interface-list=BASE
/tool mac-server mac-winbox set allowed-interface-list=BASE
/tool mac-server set allowed-interface-list=none


#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes
