
Hotspot with multiple "isolated" subnets

Posted: Fri Jul 05, 2019 5:12 pm
by aleksanderm
SCENARIO:
We have one physical network (simple switches without ability to create vlans) and two
user categories.
a) students
b) (hotel) guests
The rooms are "shared", so today a room can be occupied by a student and tomorrow the same room might be occupied by a guest. Both groups should be isolated and under different sets of rules (e.g. connection speed, etc.).

Ethernet Interfaces:

 #    NAME  MTU   MAC-ADDRESS        ARP
 0 R  lan   1500  00:15:5D:60:02:07  enabled
 1 R  wan   1500  00:15:5D:60:02:06  enabled

IP Addresses:

 #  ADDRESS           NETWORK        INTERFACE
 0  192.168.69.10/24  192.168.69.0   wan
 1  192.168.100.1/24  192.168.100.0  lan
 2  192.168.101.1/24  192.168.101.0  lan
 3  192.168.102.1/24  192.168.102.0  lan

IP Pools:

 #  NAME     RANGES
 0  DHCP     192.168.100.10-192.168.100.254
 1  Student  192.168.101.10-192.168.101.254
 2  Guest    192.168.102.10-192.168.102.254

Routes:

 #      DST-ADDRESS       PREF-SRC       GATEWAY       DISTANCE
 0 A S  0.0.0.0/0                        192.168.69.1  1
 1 ADC  192.168.69.0/24   192.168.69.10  wan           0
 2 ADC  192.168.100.0/24  192.168.100.1  lan           0
 3 ADC  192.168.101.0/24  192.168.101.1  lan           0
 4 ADC  192.168.102.0/24  192.168.102.1  lan           0

Firewall:
Standard MikroTik hotspot generated rules + srcnat masquerades on addresses 192.168.101.0/24 and 192.168.102.0/24

The DHCP server listens on the lan interface and leases addresses from the DHCP IP Pools

There are two hotspot user profiles:

 0 * name="student" address-pool=Student idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 add-mac-cookie=yes mac-cookie-timeout=52w1d address-list="" transparent-proxy=no

 1   name="hotel" address-pool=Hotel idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 add-mac-cookie=yes mac-cookie-timeout=3d address-list="" transparent-proxy=yes open-status-page=always advertise=no

The hotspot IP address is 192.168.100.1

To this point everything works as expected: when I log in as a hotel user I get an address (one-to-one) from the Hotel pool. Same thing for a student. Of course, from the DHCP point of view everybody has an IP address from the DHCP pool.

My first question is how to "isolate" users of the two subnets from each other. For instance, I don't want a STUDENT to be able to ping a GUEST computer or share files with her.

My second question is related to the old article: https://mikrotik.com/documentation/manu ... tspot.html. Obviously the hotspot setup was a bit different back then.
The document refers to the dhcp-server hotspot parameter:

/ip hotspot server add name=hs_dhcp dhcp-server=hs_temp address-pool=hspot \
    netmask=255.255.255.0 gateway=10.5.50.1

If a client has obtained a temporary address, its lease is shown as:

[admin@HotSpot_GW] > ip dhcp-server lease print
Flags: X - disabled, D - dynamic, H - hotspot
 #    ADDRESS        MAC-ADDRESS        EXPIRES-A...  SERVER   STATUS
 0 D  192.168.0.254  00:40:96:13:B3:47  8s            hs_temp  bound
[admin@HotSpot_GW] >


After successful authentication its DHCP address is changed, and it is listed under active hotspot users:

[admin@HotSpot_GW] > ip dhcp-server lease print
Flags: X - disabled, D - dynamic, H - hotspot
 #     ADDRESS    MAC-ADDRESS        EXPIRES-A...  SERVER   STATUS
 0 DH  10.5.50.2  00:40:96:13:B3:47  56s           hs_temp  bound
[admin@HotSpot_GW] > ip hotspot active print
 #  USER  ADDRESS    UPTIME  SESSION-TIMEOUT  IDLE-TIMEOUT
 0  ax    10.5.50.2  2m25s
[admin@HotSpot_GW] > /ip hotspot active print stats
 #  USER  UPTIME  BYTES-IN  BYTES-OUT  PACKETS-IN  PACKETS-OUT
 0  ax    13m26s  145268    264282     475         494
[admin@HotSpot_GW] >


So back then it was possible to just "force" the hotspot to smoothly change the lease after login. Is it still possible?
Correct me if I'm wrong, but at first glance it looks like a better solution than NAT-to-NAT translation.
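The following is an added example and is not part of the original post or of MikroTik's documentation. It shows the router-side isolation that is usually configured for a layout like the one above: forward-chain drop rules between the Student (192.168.101.0/24) and Guest (192.168.102.0/24) ranges on the `lan` interface, with logging so blocked attempts are visible. The subnets and the interface name come from the post; `place-before=0`, the rule comments and the log prefix are this example's own choices.

```routeros
# Added example (not from the original post). Assumes the RouterOS CLI and the
# addressing from the post: Student 192.168.101.0/24 and Guest 192.168.102.0/24,
# both on interface "lan", with the router as the gateway of each /24.

/ip firewall filter

# Traffic between two /24s that share one interface still passes through the
# router as gateway, so it is seen in the forward chain and can be dropped there.
# place-before=0 puts the rules at the top so no later accept rule matches first.
add chain=forward action=drop in-interface=lan out-interface=lan \
    src-address=192.168.101.0/24 dst-address=192.168.102.0/24 \
    log=yes log-prefix="isolate-student-guest" \
    comment="isolate: student -> guest" place-before=0

add chain=forward action=drop in-interface=lan out-interface=lan \
    src-address=192.168.102.0/24 dst-address=192.168.101.0/24 \
    log=yes log-prefix="isolate-guest-student" \
    comment="isolate: guest -> student" place-before=0

# Verify the order: the two "isolate" rules should appear before any accept
# rule in the forward chain. The hotspot's own dynamic forward rules only act
# on unauthenticated clients, so authenticated traffic reaches these rules.
print where chain=forward

# Blocked attempts show up in the log under the prefixes set above.
/log print where message~"isolate-"
```

This covers routed traffic only. Because the post's switches cannot carve VLANs, frames that never reach the router (hosts on the same switched segment addressing each other directly, or a client that configures itself into the other /24) are outside the firewall's view; the rules above enforce the policy at the gateway, and the log lines give a way to notice when a client is probing the other group, but true client isolation needs a switch or access point that supports it.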