JJX
Frequent Visitor
Topic Author
Posts: 84
Joined: Fri Nov 11, 2005 2:36 pm

hotspot: change IP after login

Fri May 07, 2010 2:29 pm

hello all,

I am configuring a hotspot: users can log in successfully and get access to the internet. Is it possible to change users' IP & gateway after a successful login?

What I would like to do is to separate users into two groups and "lead" them to the internet from different gateways (using different gateways). Is that possible??

Thank you in advance
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: hotspot: change IP after login

Fri May 07, 2010 5:35 pm

Yes, it is. Look at the PCC wiki, it shows how to mark packets (though you wouldn't be using PCC as such, you'd mark based on some other attribute) and route them out different circuits based on the marks.

One feature of later versions that might work for you is the ability to set an address-list on a Hotspot user profile, or to pass a RADIUS attribute for the same. That way you can easily mark people's connections based on what address-list traffic is sourced from or destined to.

You'll also have to add a rule in the pre-hotspot NAT chain to ensure that HTTP/DNS/whatever else traffic doesn't get redirected through the Hotspot servlets after login as that proxy action would make it impossible to tell what user sourced the connection (the servlet proxies the requests and creates a new connection sourced from the router itself to satisfy the proxy request). That rule would look something like this:
/ip firewall nat add chain=pre-hotspot dst-address-type=!local hotspot=auth action=accept
At that point you do lose the ability to insert ads, for example. Anything the servlet is expected to do after login would no longer work.


The user's endpoint IP address would stay the same, but the public IP address they would be NAT'd to would match the circuit they're leaving the router through.
 
JJX
Frequent Visitor
Topic Author
Posts: 84
Joined: Fri Nov 11, 2005 2:36 pm

Re: hotspot: change IP after login

Tue May 11, 2010 1:22 pm

Change of plans!! At the moment I am trying to achieve the following configuration:
                    /---->  GW1
AP <---> Mikrotik -- 
                    \----> GW2
1. I have configured a static route with routing mark "GW2". All traffic marked as GW2 is routed correctly through GW2.
2. Then I try to mark packets in IP --> Firewall --> Mangle.
I can mark packets correctly using attributes like "Src-Mac" and "dst-address". However, I can't mark packets using src-address as all HTTP connections are originating from the MikroTik address (as you said).

3. Adding the rule
ip firewall nat add chain=pre-hotspot dst-address-type=!172.30.50.0/24 hotspot=auth action=accept
or
ip firewall nat add chain=pre-hotspot src-address-type=173.30.50.100 hotspot=auth action=accept
doesn't change anything...

Any idea how to exclude specific IPs from hotspot redirects?

Thank you
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: hotspot: change IP after login

Tue May 11, 2010 4:40 pm

Use exactly the rule I posted, don't edit it, don't add a second one. From the manual:
dst-address-type (unicast | local | broadcast | multicast; Default: ) Matches destination address type:
unicast - IP address used for point to point transmission
local - if dst-address is assigned to one of router's interfaces
broadcast - packet is sent to all devices in subnet
multicast - packet is forwarded to defined group of devices
So my rule means this:
/ip firewall nat add chain=pre-hotspot dst-address-type=!local hotspot=auth action=accept
"Before you do anything in the Hotspot NAT chains (pre-hotspot), do not redirect/NAT (action=accept) all authenticated user traffic (hotspot=auth) that doesn't go directly to the router itself (dst-address-type=!local)".

You want to still push traffic directly to the router through the Hotspot servlets so that the status page still works, for example.

I'm a little surprised RouterOS even let you enter the rules with the edits you made. It should have thrown an error.

If you do need to just not redirect one specific IP address through the proxy, add 'src-address=10.10.10.10' to the rule and don't replace or omit any of the other parameters.
 
JJX
Frequent Visitor
Topic Author
Posts: 84
Joined: Fri Nov 11, 2005 2:36 pm

Re: hotspot: change IP after login

Tue May 11, 2010 5:05 pm

I found a different solution:

After a user logs in, a different IP can be applied using the attribute "address pool" in the group it belongs to.
So although the PC is assigned an IP from DHCP, the web server will show a different IP; that IP can be managed from MikroTik.
Then I created a mangle rule, and everything works.

To clarify:
Clients are assigned IPs: 172.30.50.0/24. DHCP pool is 172.30.50.10-199/24.
Create an address pool: !172.30.50.200-254 (GW2_pool)
Create User gw2_user
Create group gw2_group
Assign gw2_group the address pool "GW2_pool". After login each user will be assigned a secondary IP from the GW2_pool range.
Don't select transparent proxy.
Create a mangle rule
chain: prerouting
advanced --> src_address list --> GW2_pool
action --> mark routing --> GW2_mark & passthrough
Create a route 0.0.0.0/0 --> next hop GW2 , mark: GW2_mark

It works :)
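The steps above and fewi's pre-hotspot NAT rule, written out as a single RouterOS CLI configuration. This is an added example, not JJX's or fewi's own export; it assumes RouterOS v4/v5-era syntax (routing-mark on routes), assumed uplink interface names ether1-gw1 / ether2-gw2, a placeholder GW2 next-hop 10.0.2.1 and a placeholder password. One deliberate difference from JJX's description: the mangle rule matches the firewall address-list that the hotspot user profile populates (the address-list profile option fewi mentioned, here named GW2_users) rather than the pool range, so the match follows whatever address the hotspot records for the user.

```routeros
# Added example (not from the thread). Assumed values: interface names
# ether1-gw1 / ether2-gw2, GW2 next hop 10.0.2.1, password CHANGE_ME,
# address-list name GW2_users. Client LAN 172.30.50.0/24 as in JJX's post.

# 1. Secondary pool handed to authenticated GW2 users (JJX's GW2_pool).
/ip pool add name=GW2_pool ranges=172.30.50.200-172.30.50.254

# 2. Hotspot user profile: address-pool assigns the secondary IP on login,
#    address-list records the user's address in a firewall address-list,
#    transparent-proxy=no as JJX notes.
/ip hotspot user profile add name=gw2_group address-pool=GW2_pool address-list=GW2_users transparent-proxy=no
/ip hotspot user add name=gw2_user password=CHANGE_ME profile=gw2_group

# 3. fewi's rule, unedited: authenticated users' traffic that is not addressed
#    to the router itself bypasses the hotspot servlet/proxy, so the real
#    client address is visible to mangle. Traffic to the router (status page)
#    still goes through the servlet.
/ip firewall nat add chain=pre-hotspot dst-address-type=!local hotspot=auth action=accept

# 4. Mangle: routing-mark packets sourced from GW2 users. passthrough=yes so
#    later mangle rules still see the packet.
/ip firewall mangle add chain=prerouting src-address-list=GW2_users action=mark-routing new-routing-mark=GW2_mark passthrough=yes

# 5. Default route used only by GW2_mark traffic; everything else keeps the
#    main-table default route via GW1.
/ip route add dst-address=0.0.0.0/0 gateway=10.0.2.1 routing-mark=GW2_mark

# 6. Source NAT per uplink so each group leaves with the public address of
#    its own circuit (fewi's last paragraph).
/ip firewall nat add chain=srcnat out-interface=ether1-gw1 action=masquerade
/ip firewall nat add chain=srcnat out-interface=ether2-gw2 action=masquerade

# Check: after gw2_user logs in, its address should be listed and the
# mangle rule's packet counter should increase.
/ip firewall address-list print where list=GW2_users
/ip firewall mangle print stats where new-routing-mark=GW2_mark
```

If the address-list stays empty after login, the profile option is not available on the RouterOS version in use (fewi calls it a feature of later versions); in that case match the pool range directly with src-address=172.30.50.200-172.30.50.254 in the mangle rule, which is the form JJX describes.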
