hotspot public address assignment

Posted: Sat Oct 02, 2010 9:27 pm
by midstatepc
I have been racking my brain on this one and just can't figure it out.
My goal is to have a client get a public IP address from my pool of addresses and it not be masqueraded.
In other words, the hotspot will assign a public ip address to the customer hardware, and that address is their real ip address on the internet, not some other public ip address.

I KNOW I'm missing something, but I think I'm suffering information overload.

Re: hotspot public address assignment

Posted: Sat Oct 02, 2010 10:42 pm
by fewi
There is nothing special whatsoever about public IPs. They are just IPs that don't need to be NATted when being routed out to the Internet. However, just like with any private IPs you would use, they have to be available right on the Hotspot interface. They must be behind the router and routed through the public IP on the WAN interface, and not just be available on the WAN interface itself.

[Internet]-(1.1.1.1)-------(1.1.1.2)-[Router]-(2.2.2.1/24)

In that scenario the ISP's gateway is 1.1.1.1, your WAN IP is 1.1.1.2 and the world knows that 2.2.2.1/24 is reachable via 1.1.1.2. You assign 2.2.2.1/24 on an Interface, run the Hotspot wizard (or set up the pieces manually), and remove any NAT inserted by the wizard if you used it. You also need to remove any IP pools assigned to the Hotspot server profile as they are used for universal NAT (a Hotspot trick to make clients with misconfigured interfaces work) as that would waste a large number of public IPs.

I've done this many times, it works out of the box.

Re: hotspot public address assignment

Posted: Sat Oct 02, 2010 11:18 pm
by SurferTim
Hi fewi. Just so I understand, this requires two separate public subnets, one subnet on the wan interface, and another on the lan/hotspot interface. Just no srcnat/masquerade. And the route for dst-address=2.2.2.0/24 gateway=1.1.1.2 in the wan (isp) router.

Is there a way to use something like proxy-arp for this, and use part of the wan interface on the lan? I think they want to put the 1.1.1.0/24 behind the hotspot and have it on the wan interface too.

Re: hotspot public address assignment

Posted: Sun Oct 03, 2010 12:12 am
by fewi
Yes, two subnets. And a route to the Hotspot subnet via your WAN interface. Could be static on the ISP side, could be propagated by a routing protocol, whatever.

You can use proxy ARP if you own the entire WAN subnet, if you don't you interrupt services for other ISP customers and would probably get in quite a bit of trouble. Also, you would have to properly subnet everything so you can assign a network to the LAN/Hotspot interface, so if you have a /24 on the WAN the best you can do is a /25 on the LAN. If you need to reuse WAN space 1:1 NAT would be a better solution in my opinion.

Re: hotspot public address assignment

Posted: Sun Oct 03, 2010 12:24 am
by midstatepc
fewi wrote:
> There is nothing special whatsoever about public IPs. They are just IPs that don't need to be NATted when being routed out to the Internet. However, just like with any private IPs you would use, they have to be available right on the Hotspot interface. They must be behind the router and routed through the public IP on the WAN interface, and not just be available on the WAN interface itself.
>
> [Internet]-(1.1.1.1)-------(1.1.1.2)-[Router]-(2.2.2.1/24)
>
> In that scenario the ISP's gateway is 1.1.1.1, your WAN IP is 1.1.1.2 and the world knows that 2.2.2.1/24 is reachable via 1.1.1.2. You assign 2.2.2.1/24 on an Interface, run the Hotspot wizard (or set up the pieces manually), and remove any NAT inserted by the wizard if you used it. You also need to remove any IP pools assigned to the Hotspot server profile as they are used for universal NAT (a Hotspot trick to make clients with misconfigured interfaces work) as that would waste a large number of public IPs.
>
> I've done this many times, it works out of the box.

And you are using DHCP to assign IP addresses????

Re: hotspot public address assignment

Posted: Sun Oct 03, 2010 1:16 am
by fewi
Sometimes. Really, DHCP is irrelevant to the question. A DHCP server doesn't care what kind of address it hands out. It doesn't have a concept of private and public IP addresses. It's all just bits. The only thing special about private IP addresses is that most Internet routers are configured to drop them so that they can be used at lots of places at once without clashing with one another.

Hotspots with public IPs really just work out of the box as long as you treat them the same as you would with private IPs - just make sure you really are not using NAT, which the wizard will by default. I don't know what kind of problems you are having that haven't been discussed in this thread yet. Post your actual configuration and a network diagram if you are having further issues.

Re: hotspot public address assignment

Posted: Sun Oct 03, 2010 1:45 am
by midstatepc
fewi wrote:
> Sometimes. Really, DHCP is irrelevant to the question. A DHCP server doesn't care what kind of address it hands out. It doesn't have a concept of private and public IP addresses. It's all just bits. The only thing special about private IP addresses is that most Internet routers are configured to drop them so that they can be used at lots of places at once without clashing with one another.
>
> Hotspots with public IPs really just work out of the box as long as you treat them the same as you would with private IPs - just make sure you really are not using NAT, which the wizard will by default. I don't know what kind of problems you are having that haven't been discussed in this thread yet. Post your actual configuration and a network diagram if you are having further issues.

OK, I have to apologize as I think I may have misled on my original post.

Here's what's happening.....

The hotspot is handing out an IP address to an unauthorized client via DHCP, then after authentication, it's handing out another one via DHCP from the same pool. I've set it up both ways, with the masquerade option set and not set.
Why does it do this, or how can I get it to stop doing this?

Re: hotspot public address assignment

Posted: Sun Oct 03, 2010 2:47 am
by fewi
Edit the Hotspot server and set the address pool to 'none'.

Re: hotspot public address assignment

Posted: Sun Oct 03, 2010 2:55 am
by dssmiktik
If you are using DHCP, set Address Pool to 'none' for the hotspot server. This will prevent the hotspot from dealing with any IPs, and only DHCP will get access to give the client an IP.
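
The setup described in the posts above, collected into one RouterOS configuration as an added example (it was not posted by anyone in this thread). It reuses the placeholder subnet 2.2.2.0/24 from fewi's diagram; the interface name `ether2`, the object names, the DNS server and the lease time are assumptions.

```routeros
# Constructed values: interface ether2, the names public-dhcp, dhcp-hotspot,
# hsprof-public and hs-public, the DNS server and the lease time.
# 2.2.2.0/24 is the placeholder routed subnet from the diagram in the thread.

# 1. The routed public subnet lives on the Hotspot interface, not on the WAN.
/ip address add address=2.2.2.1/24 interface=ether2

# 2. DHCP is the only component that hands out addresses from this pool.
/ip pool add name=public-dhcp ranges=2.2.2.2-2.2.2.254
/ip dhcp-server network add address=2.2.2.0/24 gateway=2.2.2.1 dns-server=2.2.2.1
/ip dhcp-server add name=dhcp-hotspot interface=ether2 \
    address-pool=public-dhcp lease-time=1h disabled=no

# 3. Hotspot server with address-pool=none, so universal NAT never gives an
#    authenticated client a second address from the same range.
/ip hotspot profile add name=hsprof-public hotspot-address=2.2.2.1
/ip hotspot add name=hs-public interface=ether2 profile=hsprof-public \
    address-pool=none disabled=no

# 4. Review source NAT and remove a masquerade rule covering the public
#    subnet (the Hotspot wizard adds one by default).
/ip firewall nat print where chain=srcnat
/ip firewall nat remove [find chain=srcnat action=masquerade src-address=2.2.2.0/24]

# 5. Check the result: the server should show address-pool=none, and each
#    client should keep its DHCP-assigned address before and after login.
/ip hotspot print
/ip hotspot host print
```

The ISP side still needs the route to 2.2.2.0/24 via the router's WAN address, as discussed earlier in the thread.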

Re: hotspot public address assignment

Posted: Sun Oct 03, 2010 2:56 am
by dssmiktik
fewi, we both posted at the same time!

Re: hotspot public address assignment

Posted: Sun Oct 03, 2010 3:17 am
by fewi
That makes the advice twice as good. Possibly it even squares its goodness.

I wish there was slightly better documentation on the Universal NAT feature to link people to.

Re: hotspot public address assignment

Posted: Sun Oct 03, 2010 8:17 pm
by macosoft
This is just what I want to set up in my network: hotspot with public IPs.
My question now is how a user can authenticate by MAC address and IP in add user and not by IP bindings.
How should I add in hotspot users someone who will authenticate by MAC address and IP? (I tried with a username and MAC address but it is not working)

Re: hotspot public address assignment

Posted: Sun Oct 03, 2010 8:50 pm
by fewi
You cannot authenticate by IP address outside of IP bindings, that is impossible.

You can authenticate by MAC address only by editing the IP > Hotspot > Profile login methods and checking MAC address. You then need to create users as usual with the MAC address of the user as the username and a blank password. If you're using RADIUS you can also set a MAC password that will be sent to the AAA solution in case it doesn't like blank passwords.

Re: hotspot public address assignment

Posted: Sun Oct 03, 2010 11:27 pm
by macosoft
Here's my network configuration:

[Image: network diagram]

I need client1 and client2 not to have to authenticate if they have the correct IP and MAC address (if they try to change the IP or the MAC address they will be redirected to the hotspot login page), and hotspot clients need to be authenticated on the hotspot login page but get public IPs also.

Any idea how to make this happen? I will pay for someone to help me out with this one.

P.S.: Please excuse my bad English and bad drawing :)

Re: hotspot public address assignment

Posted: Mon Oct 04, 2010 6:58 am
by dssmiktik
Add an entry for client1 and client2 in Hotspot -> IP Bindings and set type=bypassed.

Re: hotspot public address assignment

Posted: Mon Oct 04, 2010 8:47 am
by macosoft
You see... AP North, East and West are sector antennas and on them I have connected about 50 clients (like client1 and client2).

1. How do I get download/upload rate limited for each client if I set them on IP bindings? Will it work to add them after that as simple queues?

2. If I set on IP bindings both IP and MAC for a user, will the user be forced to use that IP and MAC or just MAC?

3. Should I set more subnets on my configuration? (now I have a single subnet /24)

Re: hotspot public address assignment

Posted: Mon Oct 04, 2010 9:03 pm
by dssmiktik
> 1. How do I get download/upload rate limited for each client if I set them on IP bindings? Will it work to add them after that as simple queues?

To limit rate for hotspot clients, use /ip hotspot profile set <profile> rate-limit=
IP bindings -> bypass is only used for clients who do not get handled by hotspot at all (no authenticate and no rate limit).

> 2. If I set on IP bindings both IP and MAC for a user, will the user be forced to use that IP and MAC or just MAC?

It depends on which you specify. If you provide both IP and MAC, then client must match both. If you provide only IP, then client must match on IP. If you provide MAC with IP=0.0.0.0/0, the client must only match MAC.

> 3. Should I set more subnets on my configuration? (now I have a single subnet /24)

I would think this should be fine. A /24 allows 254 usable client addresses. If you don't exceed this, you should be ok.

A lot of questions here, so I hope this makes sense. Also, I would suggest taking a look at this documentation: http://wiki.mikrotik.com/wiki/Manual:IP/Hotspot.

Hope this helps,
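
The two mechanisms discussed in the posts above (MAC login through a Hotspot user, and bypassed IP bindings with the different match forms) side by side, as an added RouterOS example that is not part of any post in this thread. The profile name, MAC addresses, host addresses and the RADIUS password are constructed placeholders.

```routeros
# Constructed values: profile name hsprof-public, the 02:00:00:... MAC
# addresses, the 2.2.2.x host addresses and the mac-auth-password string.

# --- MAC login: the client still passes through Hotspot authentication ---
# Enable the MAC method on the server profile, then create a user whose
# name is the client's MAC address and whose password is blank.
/ip hotspot profile set hsprof-public login-by=mac,http-chap
/ip hotspot user add name=02:00:00:00:00:01 password=""

# With RADIUS, a fixed password can be sent for MAC logins in case the
# AAA server rejects blank passwords.
/ip hotspot profile set hsprof-public use-radius=yes \
    mac-auth-password=placeholder-secret

# --- IP bindings, type=bypassed: the client skips Hotspot entirely ---
# MAC and address both given: the client must match both. A client that
# changes either one no longer matches and is sent to the login page.
/ip hotspot ip-binding add mac-address=02:00:00:00:00:02 address=2.2.2.10 \
    type=bypassed comment=client1

# Address only: the client must match on IP.
/ip hotspot ip-binding add address=2.2.2.11 type=bypassed comment=client2

# MAC only: the client must match on MAC, whatever address it uses.
/ip hotspot ip-binding add mac-address=02:00:00:00:00:03 type=bypassed \
    comment=client3

# Review the bindings that exempt hosts from authentication.
/ip hotspot ip-binding print
```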

Re: hotspot public address assignment

Posted: Tue Oct 05, 2010 12:40 am
by macosoft
Thanks for your reply dssmiktik. It helps a lot.
If I need to set up hotspot on bridge1 (ether5-ether12) and leave ether2-ether4 for servers (IPs from 80.97.140.2 to 80.97.140.20) how should I set my subnets?

Re: hotspot public address assignment

Posted: Tue Oct 05, 2010 5:22 am
by dssmiktik
Sorry, but I don't use hotspot on a bridge. I tried it once and it didn't seem to work right (could have been me though). I've only used hotspot on physical interfaces.