Community discussions

MikroTik App
 
midstatepc
just joined
Topic Author
Posts: 3
Joined: Sat Oct 17, 2009 6:48 pm

hotspot public address assignment

Sat Oct 02, 2010 9:27 pm

I have been racking my brain on this one and just can't figure it out.
My goal is to have a client get a public IP address from my pool of addresses and it not be masqueraded.
In other words, the hotspot will assign a public ip address to the customer hardware, and that address is their real ip address on the internet, not some other public ip address.

I KNOW I'm missing something, but I think I'm suffering information overload.
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: hotspot public address assignment

Sat Oct 02, 2010 10:42 pm

There is nothing special whatsoever about public IPs. They are just IPs that don't need to be NATted when being routed out to the Internet. However, just like with any private IPs you would use, they have to be available right on the Hotspot interface. They must be behind the router and routed through the public IP on the WAN interface, and not just be available on the WAN interface itself.

[Internet]-(1.1.1.1)-------(1.1.1.2)-[Router]-(2.2.2.1/24)

In that scenario the ISP's gateway is 1.1.1.1, your WAN IP is 1.1.1.2 and the world knows that 2.2.2.1/24 is reachable via 1.1.1.2. You assign 2.2.2.1/24 on an Interface, run the Hotspot wizard (or set up the pieces manually), and remove any NAT inserted by the wizard if you used it. You also need to remove any IP pools assigned to the Hotspot server profile as they are used for universal NAT (a Hotspot trick to make clients with misconfigured interfaces work) as that would waste a large number of public IPs.

I've done this many times, it works out of the box.
 
SurferTim
Forum Guru
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: hotspot public address assignment

Sat Oct 02, 2010 11:18 pm

Hi fewi. Just so I understand, this requires two separate public subnets, one subnet on the wan interface, and another on the lan/hotspot interface. Just no srcnat/masquerade. And the route for dst-address=2.2.2.0/24 gateway=1.1.1.2 in the wan (isp) router.

Is there a way to use something like proxy-arp for this, and use part of the wan interface on the lan? I think they want to put the 1.1.1.0/24 behind the hotspot and have it on the wan interface too.
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: hotspot public address assignment

Sun Oct 03, 2010 12:12 am

Yes, two subnets. And a route to the Hotspot subnet via your WAN interface. Could be static on the ISP side, could be propagated by a routing protocol, whatever.

You can use proxy ARP if you own the entire WAN subnet, if you don't you interrupt services for other ISP customers and would probably get in quite a bit of trouble. Also, you would have to properly subnet everything so you can assign a network to the LAN/Hotspot interface, so if you have a /24 on the WAN the best you can do is a /25 on the LAN. If you need to reuse WAN space 1:1 NAT would be a better solution in my opinion.
 
midstatepc
just joined
Topic Author
Posts: 3
Joined: Sat Oct 17, 2009 6:48 pm

Re: hotspot public address assignment

Sun Oct 03, 2010 12:24 am

There is nothing special whatsoever about public IPs. They are just IPs that don't need to be NATted when being routed out to the Internet. However, just like with any private IPs you would use, they have to be available right on the Hotspot interface. They must be behind the router and routed through the public IP on the WAN interface, and not just be available on the WAN interface itself.

[Internet]-(1.1.1.1)-------(1.1.1.2)-[Router]-(2.2.2.1/24)

In that scenario the ISP's gateway is 1.1.1.1, your WAN IP is 1.1.1.2 and the world knows that 2.2.2.1/24 is reachable via 1.1.1.2. You assign 2.2.2.1/24 on an Interface, run the Hotspot wizard (or set up the pieces manually), and remove any NAT inserted by the wizard if you used it. You also need to remove any IP pools assigned to the Hotspot server profile as they are used for universal NAT (a Hotspot trick to make clients with misconfigured interfaces work) as that would waste a large number of public IPs.

I've done this many times, it works out of the box.

And you are using DHCP to assign IP addresses????
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: hotspot public address assignment

Sun Oct 03, 2010 1:16 am

Sometimes. Really, DHCP is irrelevant to the question. A DHCP server doesn't care what kind of address it hands out. It doesn't have a concept of private and public IP addresses. It's all just bits. The only thing special about private IP addresses is that most Internet routers are configured to drop them so that they can be used at lots of places at once without clashing with one another.

Hotspots with public IPs really just work out of the box as log as you treat them the same as you would with private IPs - just make sure you really are not using NAT, which the wizard will by default. I don't know what kind of problems you are having that haven't been discussed in this thread yet. Post your actual configuration and a network diagram if you are having further issues.
 
midstatepc
just joined
Topic Author
Posts: 3
Joined: Sat Oct 17, 2009 6:48 pm

Re: hotspot public address assignment

Sun Oct 03, 2010 1:45 am

Sometimes. Really, DHCP is irrelevant to the question. A DHCP server doesn't care what kind of address it hands out. It doesn't have a concept of private and public IP addresses. It's all just bits. The only thing special about private IP addresses is that most Internet routers are configured to drop them so that they can be used at lots of places at once without clashing with one another.

Hotspots with public IPs really just work out of the box as log as you treat them the same as you would with private IPs - just make sure you really are not using NAT, which the wizard will by default. I don't know what kind of problems you are having that haven't been discussed in this thread yet. Post your actual configuration and a network diagram if you are having further issues.
OK, I have to apologize as I think I may have mislead on my original post.

Here's what's happening.....

The hotspot is handing out an IP address to an unauthorized client via DHCP, then after authentication, it's handing out another one via DHCP from the same pool. I've set it up both ways, with the masquerade option set and not set.
Why does it do this, or how can I get it to stop doing this.
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: hotspot public address assignment

Sun Oct 03, 2010 2:47 am

Edit the Hotspot server and set the address pool to 'none'.
 
dssmiktik
Forum Veteran
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: hotspot public address assignment

Sun Oct 03, 2010 2:55 am

If you are using DHCP, Address Pool to 'none' for the hotspot server. This will prevent the hotspot from dealing with any IP's, and only DHCP will get access to give the client an IP.
Doug
 
dssmiktik
Forum Veteran
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: hotspot public address assignment

Sun Oct 03, 2010 2:56 am

fewi, we both posted at the same time!
Doug
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: hotspot public address assignment

Sun Oct 03, 2010 3:17 am

That makes the advice twice as good. Possibly it even squares its goodness.

I wish there was slightly better documentation on the Universal NAT feature to link people to.
 
macosoft
Frequent Visitor
Frequent Visitor
Posts: 70
Joined: Tue Jul 20, 2010 1:42 am

Re: hotspot public address assignment

Sun Oct 03, 2010 8:17 pm

This is just I want to setup into my network: hotspot with public IPs.
My question is now how a user authentificate by mac address and IP in add user and not by ip bindings.
How should I add in hotspot users someone who will authentificate by mac address and ip? (I tried with a username and mac adress but is not working)
 
fewi
Forum Guru
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: hotspot public address assignment

Sun Oct 03, 2010 8:50 pm

You cannot authenticate by IP address outside of IP bindings, that is impossible.

You can authenticate by MAC address only by editing the IP > Hotspot > Profile login methods and checking MAC address. You then need to create users as usual with the MAC address of the user as the username and a blank password. If you're using RADIUS you can also a MAC password that will be sent to the AAA solution in case it doesn't like blank passwords.
 
macosoft
Frequent Visitor
Frequent Visitor
Posts: 70
Joined: Tue Jul 20, 2010 1:42 am

Re: hotspot public address assignment

Sun Oct 03, 2010 11:27 pm

Here's my network configuration:

Image

I need for client1 and client2 not need to authentificate if they have the correct ip and mac address (if they are tring to change the ip or the mac address they will be redirect to the hotspot login page), and hotspot clients need to be authentificated on hotspot login page but get public ips also.

Any ideea how to make this happen? I will pay for someone to help me out with this one.

P.S.: Please excuse my bad english and bad drawing :)
 
dssmiktik
Forum Veteran
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: hotspot public address assignment

Mon Oct 04, 2010 6:58 am

Add an entry for client1 and client2 in Hotspot -> IP Bindings and set type=bypassed.
Doug
 
macosoft
Frequent Visitor
Frequent Visitor
Posts: 70
Joined: Tue Jul 20, 2010 1:42 am

Re: hotspot public address assignment

Mon Oct 04, 2010 8:47 am

You see... AP North, East and West are sector antennas and on them I have connected about 50 clients (like client1 and client2).

1. How do I get download/upload rate limited for each client if I set them on IP bindings? It will work adding them after that as simple queues?

2. If I set on IP bindings both IP and MAC for an user, the user will be forced to use that IP and MAC or just MAC?

3. Should I set more subnets on my configuration? (now I have a single subnet /24)
 
dssmiktik
Forum Veteran
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: hotspot public address assignment

Mon Oct 04, 2010 9:03 pm

1. How do I get download/upload rate limited for each client if I set them on IP bindings? It will work adding them after that as simple queues?
To limit rate for hotspot clients, use /ip hotspot profile set <profile> rate-limit=
IP bindings -> bypass is only used for clients who do not get handled by hotspot at all (no authenticate and no rate limit).
2. If I set on IP bindings both IP and MAC for an user, the user will be forced to use that IP and MAC or just MAC?
If depends on which you specify. If you provide both IP and MAC, then client must match both. If you provide only IP, then client must match on IP. If you provide MAC with IP=0.0.0.0/0, the client must only match MAC.
3. Should I set more subnets on my configuration? (now I have a single subnet /24)
I would think this should be fine. A /24 allows 254 usable client addresses. If you don't exceed this, you should be ok.\

A lot of questions here, so I hope this makes sense. Also, I would suggest taking a look at this documentation: http://wiki.mikrotik.com/wiki/Manual:IP/Hotspot.

Hope this helps,
Doug
 
macosoft
Frequent Visitor
Frequent Visitor
Posts: 70
Joined: Tue Jul 20, 2010 1:42 am

Re: hotspot public address assignment

Tue Oct 05, 2010 12:40 am

Tnx for your reply dssmiktik. It helps alot.
If I need to set up hotspot on bridge1 (ether5-ether12) and leave ether2-ether4 for servers (ip from 80.97.140.2 to 80.97.140.20) how should I set my subnets?
 
dssmiktik
Forum Veteran
Forum Veteran
Posts: 732
Joined: Fri Aug 17, 2007 8:42 am

Re: hotspot public address assignment

Tue Oct 05, 2010 5:22 am

Sorry, but I don't use hotspot on a bridge. I tried it once and it didn't seem to work right (could have been me though). I've only used hotspot on physical interfaces.
Doug

Who is online

Users browsing this forum: dawe4444 and 34 guests